/**
	 * @param  $formData
	 * @param string $entryPoint
	 * @return bool
	 */
	function tryModifySubmit( $formData, $entryPoint = 'internal' ) {
		# Form-submit handler that rewrites the sudo policy named in
		# $formData['sudoername'].  The users, hosts, commands and options
		# fields are each split on commas; a field with a falsy value yields
		# an empty list.  The outcome is reported through wiki messages and
		# the method always returns true.  $entryPoint is not used here.
		# NOTE(review): no permission check and no validation of the posted
		# values is visible in this method; presumably both happen before the
		# handler runs -- confirm.
		$sudoer = OpenStackNovaSudoer::getSudoerByName( $formData['sudoername'] );
		if ( !$sudoer ) {
			$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistantsudoer' );
		} else {
			$users = $formData['users'] ? explode( ',', $formData['users'] ) : array();
			$hosts = $formData['hosts'] ? explode( ',', $formData['hosts'] ) : array();
			$commands = $formData['commands'] ? explode( ',', $formData['commands'] ) : array();
			$options = $formData['options'] ? explode( ',', $formData['options'] ) : array();

			if ( !$sudoer->modifySudoer( $users, $hosts, $commands, $options ) ) {
				# The failure path returns before the back link is added.
				$this->getOutput()->addWikiMsg( 'openstackmanager-modifysudoerfailed' );
				return true;
			}
			$this->getOutput()->addWikiMsg( 'openstackmanager-modifiedsudoer' );
		}

		# Link back to the sudoer list, below whichever message was shown.
		$backLink = Linker::link( $this->getTitle(), wfMsgHtml( 'openstackmanager-backsudoerlist' ) );
		$this->getOutput()->addHTML( '<br />' . $backLink );

		return true;
	}
 /**
  * @param  $formData
  * @param string $entryPoint
  * @return bool
  */
 function tryModifySubmit($formData, $entryPoint = 'internal')
 {
     # Form-submit handler that rewrites an existing sudo policy of a project
     # from the posted fields.  The outcome is reported through wiki messages
     # and the method always returns true.  $entryPoint is not used here.
     # NOTE(review): no permission check is visible in this method;
     # presumably the code that builds the form restricts who may edit a
     # project's sudo policies -- confirm.
     $sudoer = OpenStackNovaSudoer::getSudoerByName($formData['sudoername'], $formData['project']);
     if (!$sudoer) {
         $this->getOutput()->addWikiMsg('openstackmanager-nonexistantsudoer');
     } else {
         # Commands and options arrive newline-separated; a falsy field
         # yields an empty list.
         # NOTE(review): only "\n" is split on, so a "\r" left over from CRLF
         # input would stay attached to each entry unless it is normalised
         # earlier.  The entries are handed to modifySudoer() as given; no
         # validation of them is visible here -- confirm.
         $commands = $formData['commands'] ? explode("\n", $formData['commands']) : array();
         $options = $formData['options'] ? explode("\n", $formData['options']) : array();
         # The password requirement is stored as one more option entry.
         $options[] = $formData['requirepassword'] ? 'authenticate' : '!authenticate';

         # NOTE(review): the project lookup result is dereferenced without a
         # check; if getProjectByName() can return null this would fail.
         $project = OpenStackNovaProject::getProjectByName($formData['project']);
         $memberUids = $project->getMemberUids();
         $serviceUsers = $project->getServiceUsers();
         $groupEntry = '%' . $project->getProjectGroup()->getProjectGroupName();

         # Entries already on the policy that are neither the project group
         # nor a project member or service user were not offered on the form,
         # so they are carried over unchanged.
         # NOTE(review): unlike the run-as loop below, 'ALL' is not skipped
         # here, and in_array() compares loosely -- confirm both are intended.
         $users = $this->removeALLFromUserKeys($formData['users']);
         foreach ($sudoer->getSudoerUsers() as $candidate) {
             if ($candidate == $groupEntry) {
                 continue;
             }
             if (in_array($candidate, $memberUids) || in_array($candidate, $serviceUsers)) {
                 continue;
             }
             $users[] = $candidate;
         }

         # Same carry-over for run-as users, additionally skipping 'ALL'.
         $runasusers = $this->removeALLFromRunAsUserKeys($formData['runas']);
         foreach ($sudoer->getSudoerRunAsUsers() as $candidate) {
             if ($candidate == $groupEntry || $candidate == 'ALL') {
                 continue;
             }
             if (in_array($candidate, $memberUids) || in_array($candidate, $serviceUsers)) {
                 continue;
             }
             $runasusers[] = $candidate;
         }

         if (!$sudoer->modifySudoer($users, $runasusers, $commands, $options)) {
             # The failure path returns before the back link is added.
             $this->getOutput()->addWikiMsg('openstackmanager-modifysudoerfailed');
             return true;
         }
         $this->getOutput()->addWikiMsg('openstackmanager-modifiedsudoer');
     }

     # Link back to the sudoer list, below whichever message was shown.
     $backLink = Linker::link($this->getPageTitle(), $this->msg('openstackmanager-backsudoerlist')->escaped());
     $this->getOutput()->addHTML('<br />' . $backLink);
     return true;
 }
 /**
  * @static
  * @param  $inGroupName
  * @param  $project OpenStackNovaProject
  * @param  $initialUser
  * @return null|OpenStackNovaServiceGroup
  */
 static function createServiceGroup($inGroupName, $project, $initialUser)
 {
     # Creates a project-scoped service group in LDAP, then a service user
     # entry with the same name and id number, then two sudo policies for
     # them.  Returns the new group object, or null when the initial user
     # cannot be found or when either LDAP add fails.
     global $wgAuth;
     global $wgOpenStackManagerLDAPUser;
     global $wgOpenStackManagerLDAPDefaultShell;
     global $wgOpenStackManagerLDAPServiceGroupBaseDN;
     global $wgMemc;
     OpenStackNovaLdapConnection::connect();
     $projectPrefix = $project->getProjectName() . '.';
     # We don't want naming collisions between service groups and actual groups
     # or users.  So, prepend $projectPrefix to the requested group name.
     if (strpos($inGroupName, $projectPrefix, 0) === 0) {
         # The user was clever and already added the prefix.
         $groupName = $inGroupName;
         $simpleGroupName = substr($inGroupName, strlen($projectPrefix));
     } else {
         $groupName = $projectPrefix . $inGroupName;
         $simpleGroupName = $inGroupName;
     }
     # An initial member is optional; when one is named it must resolve to
     # a user DN, otherwise nothing is created.
     if ($initialUser) {
         $user = new OpenStackNovaUser($initialUser);
         if (!$user->userDN) {
             $wgAuth->printDebug("Unable to find initial user {$initialUser} for new group {$groupName}", NONSENSITIVE);
             return null;
         }
         $initialUserDN = $user->userDN;
     }
     # Drop any cached entry stored under this group name before creating it.
     $key = wfMemcKey('openstackmanager', 'servicegroup', $groupName);
     $wgMemc->delete($key);
     $group = array();
     $group['objectclass'][] = 'posixgroup';
     $group['objectclass'][] = 'groupofnames';
     $group['cn'] = $groupName;
     # NOTE(review): $groupName is concatenated into the DN without DN
     # escaping, and no validation of $inGroupName is visible in this
     # method; confirm the caller restricts it to a safe character set.
     $groupdn = 'cn=' . $groupName . ',' . $wgOpenStackManagerLDAPServiceGroupBaseDN;
     $group['gidnumber'] = OpenStackNovaUser::getNextIdNumber($wgAuth, 'gidnumber');
     $group['member'] = array();
     if ($initialUser) {
         $group['member'][] = $initialUserDN;
     }
     $success = LdapAuthenticationPlugin::ldap_add($wgAuth->ldapconn, $groupdn, $group);
     if ($success) {
         $wgAuth->printDebug("Successfully added service group {$groupdn}", NONSENSITIVE);
     } else {
         $wgAuth->printDebug("Failed to add service group {$groupdn}", NONSENSITIVE);
         return null;
     }
     # stamp out regular expressions!
     # Fill in the home directory pattern: %u becomes the un-prefixed group
     # name and %p the project prefix (project name plus a trailing '.').
     $homeDir = $project->getServiceGroupHomedirPattern();
     $homeDir = str_ireplace('%u', $simpleGroupName, $homeDir);
     $homeDir = str_ireplace('%p', $projectPrefix, $homeDir);
     # Now create the special SG member
     # NOTE(review): the lookup result is dereferenced without a check; if
     # getServiceGroupByName() can return null the next line would fail.
     $newGroup = self::getServiceGroupByName($groupName, $project);
     $userdn = $newGroup->getSpecialUserDN();
     $user = array();
     $user['objectclass'][] = 'shadowaccount';
     $user['objectclass'][] = 'posixaccount';
     $user['objectclass'][] = 'person';
     $user['objectclass'][] = 'top';
     $user['loginshell'] = $wgOpenStackManagerLDAPDefaultShell;
     $user['homedirectory'] = $homeDir;
     # The service user reuses the group's id number for both uid and gid.
     $user['uidnumber'] = $group['gidnumber'];
     $user['gidnumber'] = $group['gidnumber'];
     $user['uid'] = $groupName;
     $user['sn'] = $groupName;
     $user['cn'] = $groupName;
     $success = LdapAuthenticationPlugin::ldap_add($wgAuth->ldapconn, $userdn, $user);
     if ($success) {
         $wgAuth->printDebug("Successfully created service user {$userdn}", NONSENSITIVE);
     } else {
         $wgAuth->printDebug("Failed to create service user {$userdn}", NONSENSITIVE);
         # NOTE(review): the group entry added above is not removed on this
         # path, so a failed user add leaves a group without its service user.
         return null;
     }
     # Create Sudo policy so that the service user can chown files in its homedir
     # The policy is named '<group>-chmod' although the command is chown; it
     # carries '!authenticate' and an empty fourth argument (presumably the
     # run-as list, mirroring modifySudoer's argument order -- confirm).
     # NOTE(review): the rule text is built by concatenating $groupName and
     # $homeDir (only the colon is backslash-escaped).  If either could
     # contain whitespace, commas or wildcard characters the resulting rule
     # would not mean what is intended; confirm both are validated earlier.
     if (OpenStackNovaSudoer::createSudoer($groupName . '-chmod', $project->getProjectName(), array($groupName), array(), array('/bin/chown -R ' . $groupName . '\\:' . $groupName . ' ' . $homeDir), array('!authenticate'))) {
         $wgAuth->printDebug("Successfully created chmod sudo policy for {$groupName}", NONSENSITIVE);
     } else {
         # A failed policy is only logged; the group is still returned.
         $wgAuth->printDebug("Failed to  creat chmod sudo policy for {$groupName}", NONSENSITIVE);
     }
     # Create Sudo policy so that members of the group can sudo as the service user
     # This rule lists '%<group>' as the user, the service user as run-as,
     # 'ALL' as the command and '!authenticate' as the option, so group
     # membership is the only gate on acting as the service user.
     if (OpenStackNovaSudoer::createSudoer('runas-' . $groupName, $project->getProjectName(), array("%" . $groupName), array($groupName), array('ALL'), array('!authenticate'))) {
         $wgAuth->printDebug("Successfully created run-as sudo policy for {$groupName}", NONSENSITIVE);
     } else {
         # A failed policy is only logged; the group is still returned.
         $wgAuth->printDebug("Failed to  creat run-as sudo policy for {$groupName}", NONSENSITIVE);
     }
     return $newGroup;
 }
 /**
  * Deletes a project based on project name. This function will also delete all roles
  * associated with the project.
  *
  * @param  $projectname String
  * @return bool
  */
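 static function deleteProject($projectname)
 {
     # Deletes a project's LDAP entry after removing what depends on it:
     # the entries directly below the project DN (roles), the project group
     # if one is in use, the project's sudoers and their OU, and its service
     # groups.  Returns true only when the final delete of the project entry
     # succeeds.  Failures while removing the dependent entries are logged
     # and do not stop the run, so a false return can leave the project
     # partly removed.
     global $wgAuth;
     OpenStackNovaLdapConnection::connect();
     $project = new OpenStackNovaProject($projectname);
     # `new` never yields a falsy value, so testing the object itself cannot
     # detect a project that does not exist.  Check the DN instead
     # (presumably empty when the project could not be loaded -- confirm).
     # An empty DN would make the listing below run against the wrong base,
     # and every entry it returned would then be deleted.
     $dn = $project->projectDN;
     if (!$dn) {
         $wgAuth->printDebug("Unable to find project {$projectname}; nothing deleted", NONSENSITIVE);
         return false;
     }
     # Projects can have roles as sub-entries, we need to delete them first
     $result = LdapAuthenticationPlugin::ldap_list($wgAuth->ldapconn, $dn, 'objectclass=*');
     $roles = $result ? LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result) : false;
     if (is_array($roles)) {
         # Drop the leading element (the 'count' entry of ldap_get_entries()
         # results) so only real entries are iterated.
         array_shift($roles);
         foreach ($roles as $role) {
             $roledn = $role['dn'];
             $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $roledn);
             if ($success) {
                 $wgAuth->printDebug("Successfully deleted role {$roledn}", NONSENSITIVE);
             } else {
                 $wgAuth->printDebug("Failed to delete role {$roledn}", NONSENSITIVE);
             }
         }
     } else {
         # A failed listing is logged instead of being passed to
         # array_shift()/foreach as a non-array.
         $wgAuth->printDebug("Failed to list roles of project {$projectname}", NONSENSITIVE);
     }
     # Projects can have a separate group entry.  If so, delete it now.
     if (OpenStackNovaProject::useProjectGroup()) {
         OpenStackNovaProjectGroup::deleteProjectGroup($projectname);
     }
     # Projects have a sudo OU and sudoers entries below that OU, we must delete them first
     $sudoers = OpenStackNovaSudoer::getAllSudoersByProject($project->getProjectName());
     foreach ($sudoers as $sudoer) {
         $success = OpenStackNovaSudoer::deleteSudoer($sudoer->getSudoerName(), $project->getProjectName());
         if ($success) {
             $wgAuth->printDebug("Successfully deleted sudoer " . $sudoer->getSudoerName(), NONSENSITIVE);
         } else {
             $wgAuth->printDebug("Failed to delete sudoer " . $sudoer->getSudoerName(), NONSENSITIVE);
         }
     }
     $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $project->getSudoersDN());
     if ($success) {
         $wgAuth->printDebug("Successfully deleted sudoers OU " . $project->getSudoersDN(), NONSENSITIVE);
     } else {
         $wgAuth->printDebug("Failed to delete sudoers OU " . $project->getSudoersDN(), NONSENSITIVE);
     }
     # And, we need to clean up service groups.
     $servicegroups = $project->getServiceGroups();
     foreach ($servicegroups as $group) {
         $groupName = $group->groupName;
         $success = OpenStackNovaServiceGroup::deleteServiceGroup($groupName, $project);
         if ($success) {
             $wgAuth->printDebug("Successfully deleted service group " . $groupName, NONSENSITIVE);
         } else {
             $wgAuth->printDebug("Failed to delete servie group " . $groupName, NONSENSITIVE);
         }
     }
     # Finally remove the project entry itself; only this result is returned.
     $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $dn);
     if ($success) {
         $wgAuth->printDebug("Successfully deleted project {$projectname}", NONSENSITIVE);
         return true;
     } else {
         $wgAuth->printDebug("Failed to delete project {$projectname}", NONSENSITIVE);
         return false;
     }
 }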