From ae738cc3987a281386ed928f9131cf7a7dbdda64 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 16 Jun 2014 12:25:30 -0400 Subject: [PATCH] Add External form auth plugin This plugin uses mod_intercept_form_submit to perform authentication. Signed-off-by: Simo Sorce Reviewed-by: Patrick Uiterwijk --- contrib/fedora/ipsilon.spec | 1 + ipsilon/login/authform.py | 189 ++++++++++++++++++++++++++++++++++++ ipsilon/util/page.py | 4 +- 3 files changed, 192 insertions(+), 2 deletions(-) create mode 100755 ipsilon/login/authform.py diff --git a/contrib/fedora/ipsilon.spec b/contrib/fedora/ipsilon.spec index cca9937..2e8c361 100644 --- a/contrib/fedora/ipsilon.spec +++ b/contrib/fedora/ipsilon.spec @@ -15,6 +15,7 @@ Requires: ipsilon-tools = %{version}-%{release} Requires: lasso-python Requires: mod_wsgi Requires: mod_auth_kerb +Requires: mod_intercept_form_submit Requires: python-cherrypy Requires: python-jinja2 Requires: python-lxml diff --git a/ipsilon/login/authform.py b/ipsilon/login/authform.py new file mode 100755 index 0000000..bd06b60 --- /dev/null +++ b/ipsilon/login/authform.py @@ -0,0 +1,189 @@ +#!/usr/bin/python +# +# Copyright (C) 2014 Simo Sorce +# +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from ipsilon.login.common import LoginPageBase, LoginManagerBase +from ipsilon.login.common import FACILITY +from ipsilon.util.plugin import PluginObject +from ipsilon.util.user import UserSession +from string import Template +import cherrypy +import subprocess + + +class Form(LoginPageBase): + + def GET(self, *args, **kwargs): + context = self.create_tmpl_context() + # pylint: disable=star-args + return self._template('login/pam.html', **context) + + def POST(self, *args, **kwargs): + us = UserSession() + us.remote_login() + user = us.get_user() + if not user.is_anonymous: + return self.lm.auth_successful(user.name) + else: + try: + error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR'] + except KeyError: + error = "Unknown error using external authentication" + cherrypy.log.error("Error: %s" % error) + return self.lm.auth_failed() + + def root(self, *args, **kwargs): + op = getattr(self, cherrypy.request.method, self.GET) + if callable(op): + return op(*args, **kwargs) + + def create_tmpl_context(self, **kwargs): + next_url = None + if self.lm.next_login is not None: + next_url = self.lm.next_login.path + + context = { + "title": 'Login', + "action": '%s/login/form' % self.basepath, + "service_name": self.lm.service_name, + "username_text": self.lm.username_text, + "password_text": self.lm.password_text, + "description": self.lm.help_text, + "next_url": next_url, + } + context.update(kwargs) + return context + + +class LoginManager(LoginManagerBase): + + def __init__(self, *args, **kwargs): + super(LoginManager, self).__init__(*args, **kwargs) + self.name = 'form' + self.path = 'form' + self.page = None + self.description = """ +Form based login Manager. Relies on mod_intercept_form_submit plugin for + actual authentication. """ + self._options = { + 'service name': [ + """ The name of the PAM service used to authenticate. """, + 'string', + 'remote' + ], + 'help text': [ + """ The text shown to guide the user at login time. """, + 'string', + 'Insert your Username and Password and then submit.' + ], + 'username text': [ + """ The text shown to ask for the username in the form. """, + 'string', + 'Username' + ], + 'password text': [ + """ The text shown to ask for the password in the form. """, + 'string', + 'Password' + ], + } + + @property + def service_name(self): + return self.get_config_value('service name') + + @property + def help_text(self): + return self.get_config_value('help text') + + @property + def username_text(self): + return self.get_config_value('username text') + + @property + def password_text(self): + return self.get_config_value('password text') + + def get_tree(self, site): + self.page = Form(site, self) + return self.page + + +CONF_TEMPLATE = """ +LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so +LoadModule authnz_pam_module modules/mod_authnz_pam.so + + + InterceptFormPAMService ${service} + InterceptFormLogin login_name + InterceptFormPassword login_password + # InterceptFormLoginSkip admin + # InterceptFormClearRemoteUserForSkipped on + InterceptFormPasswordRedact on + +""" + + +class Installer(object): + + def __init__(self): + self.name = 'form' + self.ptype = 'login' + + def install_args(self, group): + group.add_argument('--form', choices=['yes', 'no'], default='no', + help='Configure External Form authentication') + group.add_argument('--form-service', action='store', default='remote', + help='PAM service name to use for authentication') + + def configure(self, opts): + if opts['form'] != 'yes': + return + + confopts = {'instance': opts['instance'], + 'service': opts['form_service']} + + tmpl = Template(CONF_TEMPLATE) + hunk = tmpl.substitute(**confopts) # pylint: disable=star-args + with open(opts['httpd_conf'], 'a') as httpd_conf: + httpd_conf.write(hunk) + + # Add configuration data to database + po = PluginObject() + po.name = 'form' + po.wipe_data() + po.wipe_config_values(FACILITY) + + # Update global config, put 'krb' always first + po.name = 'global' + globalconf = po.get_plugin_config(FACILITY) + if 'order' in globalconf: + order = globalconf['order'].split(',') + else: + order = [] + order.append('form') + globalconf['order'] = ','.join(order) + po.set_config(globalconf) + po.save_plugin_config(FACILITY) + + # for selinux enabled platforms, ignore if it fails just report + try: + subprocess.call(['/usr/sbin/setsebool', '-P', + 'httpd_mod_auth_pam=on']) + except Exception: # pylint: disable=broad-except + pass diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py index e90ec2d..aad91fc 100755 --- a/ipsilon/util/page.py +++ b/ipsilon/util/page.py @@ -40,7 +40,7 @@ class Page(object): self._site = site self.basepath = cherrypy.config.get('base.mount', "") self.user = None - self.form = form + self._is_form_page = form def _compare_urls(self, url1, url2): u1 = unquote(url1) @@ -58,7 +58,7 @@ class Page(object): if callable(op) and getattr(self, args[0]+'.exposed', None): return op(*args[1:], **kwargs) else: - if self.form: + if self._is_form_page: self._debug("method: %s" % cherrypy.request.method) op = getattr(self, cherrypy.request.method, None) if callable(op): -- 2.20.1