import syslog
import sys
# Presumably set because the embedding PAM interpreter leaves sys.argv
# undefined and something imported below reads it at import time
# — NOTE(review): confirm which import needs this.
sys.argv=['']
import arvados
import os  # NOTE(review): not used anywhere visible in this module


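def auth_log(msg):
    """Write *msg* to the local syslog under the AUTH facility.

    Each call opens and closes the log so the facility is set explicitly;
    closelog() now runs in a ``finally`` so a failed write cannot leave the
    logger handle open. *msg* is formatted with ``%s`` so a non-string
    message is logged rather than raising TypeError. Callers must not put
    secrets (tokens, passwords) in *msg*: the AUTH log is persisted and
    read by log tooling and administrators.
    """
    syslog.openlog(facility=syslog.LOG_AUTH)
    try:
        syslog.syslog("libpam python Logged: %s" % (msg,))
    finally:
        syslog.closelog()

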
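def check_arvados_token(requested_username, token):
    """Return True if *token* belongs to an Arvados user allowed to log in as *requested_username* here.

    The token authenticates against the Arvados API; the resulting user UUID
    is then checked for a ``can_login`` permission link on this virtual
    machine whose ``username`` property equals *requested_username*. Any
    API error is logged and treated as a failed check (fail closed). The
    token itself is never written to the log.
    """
    # Fail closed on a missing token instead of handing it to the SDK.
    # NOTE(review): arvados.api() may fall back to ambient credentials when
    # no token is supplied — confirm against the SDK version in use.
    if not token:
        return False

    auth_log("libpam_arvados checking token for user '%s'" % requested_username)

    ARVADOS_API_HOST='4xphq.arvadosapi.com' ## FIXME replace with puppet
    # BUG: hostname stored on the API is just "foo.shell", not "foo.shell.zzzzz.arvadosapi.com"!
    my_hostname='shell' ## FIXME replace with puppet

    try:
        arv = arvados.api('v1', host=ARVADOS_API_HOST, token=token, cache=None)
    except Exception as e:
        auth_log(str(e))
        return False

    # Every API call is guarded: an exception escaping this function would
    # otherwise have to be interpreted by the PAM entry point.
    try:
        matches = arv.virtual_machines().list(
            filters=[['hostname', '=', my_hostname]]).execute()['items']
        if len(matches) != 1:
            auth_log("libpam_arvados could not determine vm uuid for '%s'" % my_hostname)
            return False
        this_vm_uuid = matches[0]['uuid']
        auth_log("this_vm_uuid: %s" % this_vm_uuid)

        client_user_uuid = arv.users().current().execute()['uuid']

        filters = [
            ['link_class', '=', 'permission'],
            ['name', '=', 'can_login'],
            ['head_uuid', '=', this_vm_uuid],
            ['tail_uuid', '=', client_user_uuid]]
        links = arv.links().list(filters=filters).execute()['items']
    except Exception as e:
        auth_log(str(e))
        return False

    # A link without a username property cannot grant *requested_username*.
    for link in links:
        if requested_username == (link.get('properties') or {}).get('username'):
            return True
    return False

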
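def pam_sm_authenticate(pamh, flags, argv):
    """PAM authentication entry point: validate the supplied secret as an Arvados token.

    The user name is read from *pamh*; the secret is collected with an
    echo-off prompt and passed to check_arvados_token(). Always returns a
    PAM result code: an unexpected error is logged and reported as
    PAM_AUTH_ERR so the module fails closed. The secret is never written to
    the log.
    """
    try:
        user = pamh.get_user()
    except pamh.exception as e:
        return e.pam_result

    if not user:
        return pamh.PAM_USER_UNKNOWN

    try:
        resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, ''))
    except pamh.exception as e:
        return e.pam_result

    try:
        check = check_arvados_token(user, resp.resp)
    except Exception as e:
        auth_log(str(e))
        # A bare ``return False`` would reach PAM as the integer 0, which is
        # PAM_SUCCESS on Linux-PAM; report an explicit failure instead.
        return pamh.PAM_AUTH_ERR

    if not check:
        auth_log("Auth failed Remote Host: %s (%s)" % (pamh.rhost, user))
        return pamh.PAM_AUTH_ERR

    auth_log("Success! Remote Host: %s (%s)" % (pamh.rhost, user))
    return pamh.PAM_SUCCESS

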
def pam_sm_setcred(pamh, flags, argv):
    """PAM credential hook; this module sets no credentials and reports success."""
    result = pamh.PAM_SUCCESS
    return result


def pam_sm_acct_mgmt(pamh, flags, argv):
    """PAM account-management hook; no account checks are performed here, so it reports success."""
    result = pamh.PAM_SUCCESS
    return result


def pam_sm_open_session(pamh, flags, argv):
    """PAM session-open hook; nothing to set up, so it reports success."""
    result = pamh.PAM_SUCCESS
    return result


def pam_sm_close_session(pamh, flags, argv):
    """PAM session-close hook; nothing to tear down, so it reports success."""
    result = pamh.PAM_SUCCESS
    return result


def pam_sm_chauthtok(pamh, flags, argv):
    """PAM password-change hook; tokens are not managed by this module, so it reports success."""
    result = pamh.PAM_SUCCESS
    return result