X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Flogin%2Fauthform.py;h=b61d4c9b23b8d2c52992fc8bfa51144665bf4534;hp=85b31bd5eb980b374120247751c935e2d85ad6ea;hb=426f03dffc8f648a12b5f8a4b2ab30c8b4498be3;hpb=25b8eaf83e681a9322cffe61aad5254bcbe0c917 diff --git a/ipsilon/login/authform.py b/ipsilon/login/authform.py old mode 100755 new mode 100644 index 85b31bd..b61d4c9 --- a/ipsilon/login/authform.py +++ b/ipsilon/login/authform.py @@ -1,30 +1,23 @@ -#!/usr/bin/python -# -# Copyright (C) 2014 Simo Sorce -# -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from ipsilon.login.common import LoginFormBase, LoginManagerBase -from ipsilon.login.common import FACILITY +# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING + +from ipsilon.login.common import LoginFormBase, LoginManagerBase, \ + LoginManagerInstaller from ipsilon.util.plugin import PluginObject from ipsilon.util.user import UserSession +from ipsilon.util import config as pconfig from string import Template import cherrypy import subprocess +# Translate PAM errors into more human-digestible values and eventually +# other languages. +PAM_AUTH_ERRORS = { + "Authentication token is no longer valid; new one required": + "Password is expired", + "Authentication failure": + "Authentication failure", +} + class Form(LoginFormBase): @@ -33,14 +26,15 @@ class Form(LoginFormBase): us.remote_login() user = us.get_user() if not user.is_anonymous: - return self.lm.auth_successful(user.name, 'password') + return self.lm.auth_successful(self.trans, user.name, 'password') else: - try: - error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR'] - except KeyError: - error = "Unknown error using external authentication" - cherrypy.log.error("Error: %s" % error) - return self.lm.auth_failed() + error = cherrypy.request.wsgi_environ.get( + 'EXTERNAL_AUTH_ERROR', + 'Unknown error using external authentication' + ) + error = PAM_AUTH_ERRORS.get(error, error) + cherrypy.log.error("Error: %s" % error) + return self.lm.auth_failed(self.trans, error) class LoginManager(LoginManagerBase): @@ -50,35 +44,25 @@ class LoginManager(LoginManagerBase): self.name = 'form' self.path = 'form' self.page = None + self.service_name = 'form' self.description = """ Form based login Manager. Relies on mod_intercept_form_submit plugin for actual authentication. """ - self._options = { - 'service name': [ - """ The name of the PAM service used to authenticate. """, - 'string', - 'remote' - ], - 'help text': [ - """ The text shown to guide the user at login time. """, - 'string', - 'Insert your Username and Password and then submit.' - ], - 'username text': [ - """ The text shown to ask for the username in the form. """, - 'string', - 'Username' - ], - 'password text': [ - """ The text shown to ask for the password in the form. """, - 'string', - 'Password' - ], - } - - @property - def service_name(self): - return self.get_config_value('service name') + self.new_config( + self.name, + pconfig.String( + 'username text', + 'Text used to ask for the username at login time.', + 'Username'), + pconfig.String( + 'password text', + 'Text used to ask for the password at login time.', + 'Password'), + pconfig.String( + 'help text', + 'Text used to guide the user at login time.', + 'Insert your Username and Password and then submit.') + ) @property def help_text(self): @@ -112,11 +96,12 @@ LoadModule authnz_pam_module modules/mod_authnz_pam.so """ -class Installer(object): +class Installer(LoginManagerInstaller): - def __init__(self): + def __init__(self, *pargs): + super(Installer, self).__init__() self.name = 'form' - self.ptype = 'login' + self.pargs = pargs def install_args(self, group): group.add_argument('--form', choices=['yes', 'no'], default='no', @@ -124,7 +109,7 @@ class Installer(object): group.add_argument('--form-service', action='store', default='remote', help='PAM service name to use for authentication') - def configure(self, opts): + def configure(self, opts, changes): if opts['form'] != 'yes': return @@ -132,27 +117,19 @@ class Installer(object): 'service': opts['form_service']} tmpl = Template(CONF_TEMPLATE) - hunk = tmpl.substitute(**confopts) # pylint: disable=star-args + hunk = tmpl.substitute(**confopts) with open(opts['httpd_conf'], 'a') as httpd_conf: httpd_conf.write(hunk) # Add configuration data to database - po = PluginObject() + po = PluginObject(*self.pargs) po.name = 'form' po.wipe_data() - po.wipe_config_values(FACILITY) + po.wipe_config_values() - # Update global config, put 'krb' always first - po.name = 'global' - globalconf = po.get_plugin_config(FACILITY) - if 'order' in globalconf: - order = globalconf['order'].split(',') - else: - order = [] - order.append('form') - globalconf['order'] = ','.join(order) - po.set_config(globalconf) - po.save_plugin_config(FACILITY) + # Update global config to add login plugin + po.is_enabled = True + po.save_enabled_state() # for selinux enabled platforms, ignore if it fails just report try: