/**
* Update the Start of Authority record. This should be called on
* the change of any object in the domain
*
* @return bool
*/
function updateSOA()
{
global $wgAuth;
$domain = array();
$domain['soarecord'] = OpenStackNovaDomain::generateSOA();
$success = LdapAuthenticationPlugin::ldap_modify($wgAuth->ldapconn, $this->domainDN, $domain);
if ($success) {
$wgAuth->printDebug("Successfully modified soarecord for " . $this->domainDN, NONSENSITIVE);
$this->fetchDomainInfo();
return true;
} else {
$wgAuth->printDebug("Failed to modify soarecord for " . $this->domainDN, NONSENSITIVE);
return false;
}
}
/**
* Modify a new sudoer based on users, hosts, commands, and options.
*
* @param $users
* @param $hosts
* @param $commands
* @param $options
* @return boolean
*/
function modifySudoer( $users, $hosts, $commands, $options ) {
global $wgAuth;
$sudoer = array();
foreach ( $users as $user ) {
$sudoer['sudouser'][] = $user;
}
foreach ( $hosts as $host ) {
$sudoer['sudohost'][] = $host;
}
foreach ( $commands as $command ) {
$sudoer['sudocommand'][] = $command;
}
foreach ( $options as $option ) {
$sudoer['sudooption'][] = $option;
}
$success = LdapAuthenticationPlugin::ldap_modify( $wgAuth->ldapconn, $this->sudoerDN, $sudoer );
if ( $success ) {
$wgAuth->printDebug( "Successfully modified sudoer $this->sudoerDN", NONSENSITIVE );
return true;
} else {
$wgAuth->printDebug( "Failed to modify sudoer $this->sudoerDN", NONSENSITIVE );
return false;
}
}
/**
* Add a member to this project based on username
*
* @param $username string
* @return bool
*/
function addMember($username)
{
global $wgAuth;
$members = array();
if (isset($this->projectGroupInfo[0]['member'])) {
$members = $this->projectGroupInfo[0]['member'];
array_shift($members);
}
$user = new OpenStackNovaUser($username);
if (!$user->userDN) {
$wgAuth->printDebug("Failed to find userDN in addMember", NONSENSITIVE);
return false;
}
$members[] = $user->userDN;
$values = array();
$values['member'] = $members;
$success = LdapAuthenticationPlugin::ldap_modify($wgAuth->ldapconn, $this->projectGroupDN, $values);
if ($success) {
$this->fetchProjectGroupInfo(true);
$wgAuth->printDebug("Successfully added {$user->userDN} to {$this->projectGroupDN}", NONSENSITIVE);
return true;
} else {
$wgAuth->printDebug("Failed to add {$user->userDN} to {$this->projectGroupDN}: " . ldap_error($wgAuth->ldapconn), NONSENSITIVE);
return false;
}
}
function deleteUser($username)
{
global $wgAuth;
global $wgMemc;
if (isset($this->sudoerInfo[0]['sudouser'])) {
$sudousers = $this->sudoerInfo[0]['sudouser'];
array_shift($sudousers);
$index = array_search($username, $sudousers);
if ($index === false) {
$wgAuth->printDebug("Failed to find userDN in sudouser list", NONSENSITIVE);
return false;
}
unset($sudousers[$index]);
$values = array();
$values['sudouser'] = array();
foreach ($sudousers as $sudouser) {
$values['sudouser'][] = $sudouser;
}
$success = LdapAuthenticationPlugin::ldap_modify($wgAuth->ldapconn, $this->sudoerDN, $values);
if ($success) {
$key = wfMemcKey('openstackmanager', 'sudoerinfo', $this->project->getProjectName() . $this->sudoername);
$wgMemc->delete($key);
return true;
}
}
return false;
}
/**
* Update user information in LDAP
* Return true if successful.
*
* @param User $user
* @return bool
*/
public function updateExternalDB($user)
{
global $wgMemc;
$this->printDebug("Entering updateExternalDB", NONSENSITIVE);
if (!$this->getConf('UpdateLDAP') || $this->getSessionDomain() == 'local') {
$this->printDebug("Either the user is using a local domain, or the wiki isn't allowing updates", NONSENSITIVE);
// We don't handle local preferences, but we don't want the
// wiki to return an error.
return true;
}
$writer = $this->getConf('WriterDN');
if (!$writer) {
$this->printDebug("The wiki doesn't have wgLDAPWriterDN set", NONSENSITIVE);
// We can't modify LDAP preferences if we don't have a user
// capable of editing LDAP attributes.
return false;
}
$this->email = $user->getEmail();
$this->realname = $user->getRealName();
$this->nickname = $user->getOption('nickname');
$this->lang = $user->getOption('language');
if ($this->connect()) {
$this->userdn = $this->getSearchString($user->getName());
$this->printDebug("Binding as the writerDN", NONSENSITIVE);
$bind = $this->bindAs($writer, $this->getConf('WriterPassword'));
if (!$bind) {
return false;
}
$values = array();
if (is_string($this->email)) {
$values["mail"] = $this->email;
}
if (is_string($this->nickname)) {
$values["displayname"] = $this->nickname;
}
if (is_string($this->realname)) {
$values["cn"] = $this->realname;
}
if (is_string($this->lang)) {
$values["preferredlanguage"] = $this->lang;
}
if (count($values) && LdapAuthenticationPlugin::ldap_modify($this->ldapconn, $this->userdn, $values)) {
// We changed the user, we need to invalidate the memcache key
$key = wfMemcKey('ldapauthentication', 'userinfo', $this->userdn);
$wgMemc->delete($key);
$this->printDebug("Successfully modified the user's attributes", NONSENSITIVE);
LdapAuthenticationPlugin::ldap_unbind($this->ldapconn);
return true;
}
$this->printDebug("Failed to modify the user's attributes", NONSENSITIVE);
LdapAuthenticationPlugin::ldap_unbind($this->ldapconn);
}
return false;
}
/**
* Hook to add objectclasses and attributes for users that already exist, but have
* missing information.
*
* @static
* @param $auth
* @return bool
*/
static function LDAPSetNovaInfo( $auth ) {
global $wgMemc;
OpenStackNovaLdapConnection::connect();
$result = LdapAuthenticationPlugin::ldap_read( $auth->ldapconn, $auth->userInfo[0]['dn'], '(objectclass=*)', array( 'secretkey', 'accesskey', 'objectclass' ) );
$userInfo = LdapAuthenticationPlugin::ldap_get_entries( $auth->ldapconn, $result );
if ( !isset( $userInfo[0]['accesskey'] ) or !isset( $userInfo[0]['secretkey'] ) ) {
$objectclasses = $userInfo[0]['objectclass'];
# First entry is a count
array_shift( $objectclasses );
if ( !in_array( 'novauser', $objectclasses ) ) {
$values['objectclass'] = array();
# ldap_modify for objectclasses requires the array indexes be sequential.
# It is stupid, yes.
foreach ( $objectclasses as $objectclass ) {
$values['objectclass'][] = $objectclass;
}
$values['objectclass'][] = 'novauser';
}
$values['accesskey'] = OpenStackNovaUser::uuid4();
$values['secretkey'] = OpenStackNovaUser::uuid4();
$values['isnovaadmin'] = 'FALSE';
$success = LdapAuthenticationPlugin::ldap_modify( $auth->ldapconn, $auth->userdn, $values );
if ( $success ) {
$key = wfMemcKey( 'ldapauthentication', 'userinfo', $auth->userdn );
$wgMemc->delete( $key );
$auth->printDebug( "Successfully modified the user's nova attributes", NONSENSITIVE );
return true;
} else {
$auth->printDebug( "Failed to modify the user's nova attributes.", NONSENSITIVE );
# Always return true, other hooks should still run, even if this fails
return true;
}
} else {
$auth->printDebug( "User has accesskey and secretkey set.", NONSENSITIVE );
return true;
}
}
/**
* @param $key
* @return bool
*/
function deleteKeypair($key)
{
global $wgAuth;
global $wgMemc;
if (isset($this->userInfo[0]['sshpublickey'])) {
$keypairs = $this->userInfo[0]['sshpublickey'];
array_shift($keypairs);
$index = array_search($key, $keypairs);
if ($index === false) {
$wgAuth->printDebug("Unable to find the sshpublickey to be deleted", NONSENSITIVE);
return false;
}
unset($keypairs[$index]);
$values = array();
$values['sshpublickey'] = array();
foreach ($keypairs as $keypair) {
$values['sshpublickey'][] = $keypair;
}
$success = LdapAuthenticationPlugin::ldap_modify($wgAuth->ldapconn, $this->userDN, $values);
if ($success) {
$wgAuth->printDebug("Successfully deleted the user's sshpublickey", NONSENSITIVE);
$key = wfMemcKey('ldapauthentication', "userinfo", $this->userDN);
$wgAuth->printDebug("Deleting memcache key: {$key}.", NONSENSITIVE);
$wgMemc->delete($key);
$this->fetchUserInfo();
return true;
} else {
$wgAuth->printDebug("Failed to delete the user's sshpublickey", NONSENSITIVE);
return false;
}
} else {
$wgAuth->printDebug("User does not have a sshpublickey attribute", NONSENSITIVE);
return false;
}
}
/**
* Replace all arecords on this host with $ip.
*
* @param $ip
* @return bool
*/
function setARecord($ip)
{
global $wgAuth;
$values = array('arecord' => array($ip));
$success = LdapAuthenticationPlugin::ldap_modify($wgAuth->ldapconn, $this->hostDN, $values);
if ($success) {
$wgAuth->printDebug("Successfully set {$ip} on {$this->hostDN}", NONSENSITIVE);
$this->getDomain()->updateSOA();
$this->fetchHostInfo();
return true;
} else {
$wgAuth->printDebug("Failed to set {$ip} on {$this->hostDN}", NONSENSITIVE);
return false;
}
}
/**
* Update puppet classes and variables for this host.
*
* @param $puppetinfo
* @return bool
*/
function modifyPuppetConfiguration($puppetinfo)
{
global $wgAuth;
global $wgOpenStackManagerPuppetOptions;
$hostEntry = array();
if ($wgOpenStackManagerPuppetOptions['enabled']) {
if (isset($puppetinfo['classes'])) {
foreach ($puppetinfo['classes'] as $class) {
$hostEntry['puppetclass'][] = $class;
}
}
if (isset($puppetinfo['variables'])) {
foreach ($puppetinfo['variables'] as $variable => $value) {
$hostEntry['puppetvar'][] = $variable . '=' . $value;
}
}
$oldpuppetinfo = $this->getPuppetConfiguration();
if (isset($oldpuppetinfo['puppetvar'])) {
$wgAuth->printDebug("Checking for preexisting variables", NONSENSITIVE);
foreach ($oldpuppetinfo['puppetvar'] as $variable => $value) {
$wgAuth->printDebug("Found {$variable}", NONSENSITIVE);
if ($variable === "instanceproject" || $variable === "instancename") {
$hostEntry['puppetvar'][] = $variable . '=' . $value;
}
}
}
if ($hostEntry) {
$success = LdapAuthenticationPlugin::ldap_modify($wgAuth->ldapconn, $this->hostDN, $hostEntry);
if ($success) {
$this->fetchHostInfo();
$wgAuth->printDebug("Successfully modified puppet configuration for host", NONSENSITIVE);
return true;
} else {
$wgAuth->printDebug("Failed to modify puppet configuration for host", NONSENSITIVE);
return false;
}
} else {
$wgAuth->printDebug("No hostEntry when trying to modify puppet configuration", NONSENSITIVE);
return false;
}
}
return false;
}
/**
* Add a member to this project based on username
*
* @param $username string
* @return bool
*/
function addMember($username)
{
global $wgAuth;
global $wgMemc;
$key = wfMemcKey('openstackmanager', 'projectuidsandmembers', $this->projectname);
$wgMemc->delete($key);
$members = array();
if (isset($this->projectInfo[0]['member'])) {
$members = $this->projectInfo[0]['member'];
array_shift($members);
}
$user = new OpenStackNovaUser($username);
if (!$user->userDN) {
$wgAuth->printDebug("Failed to find userDN in addMember", NONSENSITIVE);
return false;
}
$members[] = $user->userDN;
$values = array();
$values['member'] = $members;
$success = LdapAuthenticationPlugin::ldap_modify($wgAuth->ldapconn, $this->projectDN, $values);
if ($success) {
// If we successfully added the member to this Project, then
// also add the member to the corresponding ProjectGroup.
$this->projectGroup->addMember($username);
$this->fetchProjectInfo(true);
$wgAuth->printDebug("Successfully added {$user->userDN} to {$this->projectDN}", NONSENSITIVE);
$this->editArticle();
return true;
} else {
$wgAuth->printDebug("Failed to add {$user->userDN} to {$this->projectDN}: " . ldap_error($wgAuth->ldapconn), NONSENSITIVE);
return false;
}
}
