
Task #6384 » nico_pam.py

Nico César, 06/22/2015 08:44 PM

 
import syslog
import sys
# NOTE(review): presumably set because the interpreter embedded in the PAM
# module leaves sys.argv undefined and the arvados import below reads it; confirm.
sys.argv=['']
import arvados
import os

def auth_log(msg):
    """Write *msg* to syslog under the LOG_AUTH facility.

    The syslog connection is opened and closed on every call, and each
    entry is prefixed with "libpam python Logged: ".

    Callers should keep passwords and API tokens out of *msg*: whatever is
    passed here ends up in the system auth log.
    """
    syslog.openlog(facility=syslog.LOG_AUTH)
    entry = "libpam python Logged: " + msg
    syslog.syslog(entry)
    syslog.closelog()


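def check_arvados_token(requested_username, token):
    """Return True if *token* lets its owner log in here as *requested_username*.

    The token is used to ask the Arvados API for (1) the virtual machine
    whose hostname equals ``my_hostname``, (2) the UUID of the user the token
    belongs to, and (3) that user's ``can_login`` permission links on the VM.
    Access is granted only when one of those links carries
    ``requested_username`` in its ``properties``.

    A missing username or token, any API error, and any malformed record all
    yield False, so the PAM caller denies by default. The token itself is
    never written to the log.
    """
    # An empty username or token can never be a valid credential; reject it
    # before any API client is built. The caller logs the failed attempt.
    if not requested_username or not token:
        return False

    # Log who is authenticating, but never the bearer token: the auth log is
    # not a safe place for a reusable credential.
    auth_log("checking token for user '%s'" % requested_username)
    ARVADOS_API_HOST = '4xphq.arvadosapi.com'  ## FIXME replace with puppet
    # BUG: hostname stored on the API is just "foo.shell", not "foo.shell.zzzzz.arvadosapi.com"!
    my_hostname = 'shell'  ## FIXME replace with puppet

    # NOTE(review): the exception text below is logged as-is; confirm the SDK
    # never echoes the token in its error messages.
    try:
        arv = arvados.api('v1', host=ARVADOS_API_HOST, token=token, cache=None)
    except Exception as e:
        auth_log(str(e))
        return False

    try:
        matches = arv.virtual_machines().list(
            filters=[['hostname', '=', my_hostname]]).execute()['items']
    except Exception as e:
        auth_log(str(e))
        return False

    # Exactly one VM record must match, otherwise the permission check below
    # would run against an ambiguous or missing VM.
    if len(matches) != 1:
        auth_log("libpam_arvados could not dertermine vm uuid for '%s'" % my_hostname)
        return False
    this_vm_uuid = matches[0]['uuid']
    auth_log("this_vm_uuid: %s" % this_vm_uuid)

    # These two calls previously ran outside any try block, so an API error
    # here escaped to the caller instead of producing a clean denial.
    try:
        client_user_uuid = arv.users().current().execute()['uuid']
        filters = [
            ['link_class', '=', 'permission'],
            ['name', '=', 'can_login'],
            ['head_uuid', '=', this_vm_uuid],
            ['tail_uuid', '=', client_user_uuid]]
        links = arv.links().list(filters=filters).execute()['items']
    except Exception as e:
        auth_log(str(e))
        return False

    for link in links:
        # A link without a username property grants nothing; skip it rather
        # than abort the scan of the remaining links.
        properties = link.get('properties') or {}
        if requested_username == properties.get('username'):
            return True
    return False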


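def pam_sm_authenticate(pamh, flags, argv):
    """PAM authentication entry point: validate an Arvados token for the user.

    Obtains the user name from *pamh*, prompts (echo off, empty prompt) for
    the token, and passes both to check_arvados_token().

    Returns:
        The PAM error carried by a pamh exception if fetching the user or
        running the conversation fails, PAM_USER_UNKNOWN for an empty user
        name, PAM_AUTH_ERR when the token check fails or raises, and
        PAM_SUCCESS only when the check returns a true value.
    """
    try:
        user = pamh.get_user()
    except pamh.exception as e:
        return e.pam_result
    if not user:
        return pamh.PAM_USER_UNKNOWN
    try:
        resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, ''))
    except pamh.exception as e:
        return e.pam_result

    try:
        check = check_arvados_token(user, resp.resp)
    except Exception as e:
        auth_log(str(e))
        # Fail closed. This path used to return False, which is the integer 0,
        # the same value Linux-PAM uses for PAM_SUCCESS, so an unexpected
        # error during the check could be reported as a successful login.
        return pamh.PAM_AUTH_ERR

    # The token (resp.resp) is deliberately left out of both log lines below:
    # it is a reusable credential and must not be stored in the auth log.
    if not check:
        auth_log("Auth failed Remote Host: %s (%s)" % (pamh.rhost, user))
        return pamh.PAM_AUTH_ERR

    auth_log("Success! Remote Host: %s (%s)" % (pamh.rhost, user))
    return pamh.PAM_SUCCESS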

def pam_sm_setcred(pamh, flags, argv):
    """PAM credential hook: sets no credentials and always reports PAM_SUCCESS."""
    outcome = pamh.PAM_SUCCESS
    return outcome

def pam_sm_acct_mgmt(pamh, flags, argv):
    """PAM account hook: performs no account check and always reports PAM_SUCCESS.

    NOTE(review): any account restriction has to come from the authenticate
    step or from other modules in the PAM stack; confirm the stack config.
    """
    outcome = pamh.PAM_SUCCESS
    return outcome

def pam_sm_open_session(pamh, flags, argv):
    """PAM session-open hook: does no session setup and always reports PAM_SUCCESS."""
    outcome = pamh.PAM_SUCCESS
    return outcome

def pam_sm_close_session(pamh, flags, argv):
    """PAM session-close hook: does no teardown and always reports PAM_SUCCESS."""
    outcome = pamh.PAM_SUCCESS
    return outcome

def pam_sm_chauthtok(pamh, flags, argv):
    """PAM token-change hook: changes nothing and always reports PAM_SUCCESS.

    NOTE(review): a caller asking for a password change is told it succeeded
    although no token is updated here; confirm that is the intended behaviour.
    """
    outcome = pamh.PAM_SUCCESS
    return outcome