
Task #6384 » nico_pam.py

Nico César, 06/22/2015 08:44 PM

 
import syslog
import sys
# NOTE(review): presumably a workaround for running inside an embedded
# interpreter that leaves sys.argv unset while a module imported below reads
# it -- confirm before removing.
sys.argv=['']
import arvados
import os

    
def auth_log(msg):
    """Write *msg* to syslog under the LOG_AUTH facility.

    The syslog connection is opened and closed on every call, and each entry
    carries the fixed prefix "libpam python Logged: ".

    NOTE: whatever is passed here is stored in the auth log, so callers
    should pass only text that is safe to keep there (no tokens or passwords).
    """
    prefix = "libpam python Logged: "
    syslog.openlog(facility=syslog.LOG_AUTH)
    syslog.syslog(prefix + msg)
    syslog.closelog()

    

    
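def check_arvados_token(requested_username, token):
    """Decide whether *token* may log in as *requested_username* on this VM.

    The token is used to build an Arvados API client. The function then looks
    up the virtual machine record whose hostname equals ``my_hostname``,
    resolves the user the token belongs to, and searches for a ``can_login``
    permission link from that user to the VM whose ``username`` property
    equals *requested_username*.

    Returns:
        True only when such a link exists. Exceptions raised by the API calls
        are logged and reported as False, as is a VM lookup that does not
        return exactly one record, so a failed lookup denies the login.
    """
    # Record the attempt without the token: it is a bearer credential and the
    # auth log is readable by anyone with access to the system logs.
    auth_log("checking Arvados token for user '%s'" % requested_username)

    ARVADOS_API_HOST = '4xphq.arvadosapi.com'  ## FIXME replace with puppet
    # BUG: hostname stored on the API is just "foo.shell", not "foo.shell.zzzzz.arvadosapi.com"!
    my_hostname = 'shell'  ## FIXME replace with puppet

    try:
        arv = arvados.api('v1', host=ARVADOS_API_HOST, token=token, cache=None)
    except Exception as e:
        auth_log(str(e))
        return False

    try:
        matches = arv.virtual_machines().list(
            filters=[['hostname', '=', my_hostname]]).execute()['items']
    except Exception as e:
        auth_log(str(e))
        return False

    # Zero or several records means the VM cannot be identified unambiguously.
    if len(matches) != 1:
        auth_log("libpam_arvados could not dertermine vm uuid for '%s'" % my_hostname)
        return False

    try:
        this_vm_uuid = matches[0]['uuid']
        auth_log("this_vm_uuid: %s" % this_vm_uuid)
        client_user_uuid = arv.users().current().execute()['uuid']

        filters = [
            ['link_class', '=', 'permission'],
            ['name', '=', 'can_login'],
            ['head_uuid', '=', this_vm_uuid],
            ['tail_uuid', '=', client_user_uuid]]

        links = arv.links().list(filters=filters).execute()['items']
    except Exception as e:
        # These calls used to run unguarded; an error here must deny the
        # login instead of escaping to the PAM entry point.
        auth_log(str(e))
        return False

    for link in links:
        # A link without a username property is skipped rather than raising,
        # and a missing value never counts as a match.
        granted_username = (link.get('properties') or {}).get('username')
        if granted_username is not None and granted_username == requested_username:
            return True
    return False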

    

    
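def pam_sm_authenticate(pamh, flags, argv):
    """PAM authentication hook: treat the entered secret as an Arvados token.

    Obtains the user name from PAM, prompts with echo off (empty prompt text)
    for the token, and asks check_arvados_token() whether that token may log
    in as that user.

    Returns:
        A PAM result code: the code carried by a ``pamh.exception``,
        ``PAM_USER_UNKNOWN`` for an empty user name, ``PAM_AUTH_ERR`` when the
        check fails or raises, and ``PAM_SUCCESS`` otherwise.
    """
    try:
        user = pamh.get_user()
    except pamh.exception as e:
        return e.pam_result

    if not user:
        return pamh.PAM_USER_UNKNOWN

    try:
        resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, ''))
    except pamh.exception as e:
        return e.pam_result

    try:
        check = check_arvados_token(user, resp.resp)
    except Exception as e:
        auth_log(str(e))
        # Must be a PAM error code: False is the integer 0, which is also the
        # value of PAM_SUCCESS, so returning it would accept the login
        # whenever the token check raised.
        return pamh.PAM_AUTH_ERR

    # The token is a bearer credential, so it is kept out of both log lines;
    # remote host and user name are enough to trace the attempt.
    if not check:
        auth_log("Auth failed Remote Host: %s (%s)" % (pamh.rhost, user))
        return pamh.PAM_AUTH_ERR

    auth_log("Success! Remote Host: %s (%s)" % (pamh.rhost, user))
    return pamh.PAM_SUCCESS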

    
def pam_sm_setcred(pamh, flags, argv):
    """PAM credential hook: sets nothing and always returns PAM_SUCCESS."""
    outcome = pamh.PAM_SUCCESS
    return outcome

    
def pam_sm_acct_mgmt(pamh, flags, argv):
    """PAM account hook: performs no checks and always returns PAM_SUCCESS.

    NOTE(review): because nothing is verified here, any account expiry or
    lockout policy has to be enforced by another module in the PAM stack --
    confirm the stack configuration provides one.
    """
    outcome = pamh.PAM_SUCCESS
    return outcome

    
def pam_sm_open_session(pamh, flags, argv):
    """PAM session-open hook: does no setup and always returns PAM_SUCCESS."""
    outcome = pamh.PAM_SUCCESS
    return outcome

    
def pam_sm_close_session(pamh, flags, argv):
    """PAM session-close hook: does no teardown and always returns PAM_SUCCESS."""
    outcome = pamh.PAM_SUCCESS
    return outcome

    
def pam_sm_chauthtok(pamh, flags, argv):
    """PAM password-change hook: changes nothing and always returns PAM_SUCCESS.

    NOTE(review): success is reported although no token is updated -- confirm
    that the PAM stack is meant to treat a password change through this
    module as successful.
    """
    outcome = pamh.PAM_SUCCESS
    return outcome