/**
 * Refreshes the wiki article of every instance in every compute region and project.
 *
 * Authenticates to Nova with the service account configured in
 * $wgOpenStackManagerLDAPUsername / $wgOpenStackManagerLDAPUserPassword, then
 * calls editArticle() on each instance found for each region/project pair.
 */
public function execute()
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPUsername;
     global $wgOpenStackManagerLDAPUserPassword;
     $serviceUser = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername);
     $nova = OpenStackNovaController::newFromUser($serviceUser);
     $allProjects = OpenStackNovaProject::getAllProjects();
     # HACK (please fix): Keystone doesn't deliver services and endpoints unless
     # a project token is returned, so we need to feed it a project. Ideally this
     # should be configurable, and not hardcoded like this.
     $nova->setProject('bastion');
     $nova->authenticate($wgOpenStackManagerLDAPUsername, $wgOpenStackManagerLDAPUserPassword);
     foreach ($nova->getRegions('compute') as $region) {
         $this->output("Running region : " . $region . "\n");
         foreach ($allProjects as $project) {
             $projectName = $project->getProjectName();
             $this->output("Running project : " . $projectName . "\n");
             // Re-scope the controller to this project and region before listing.
             $nova->setProject($projectName);
             $nova->setRegion($region);
             $found = $nova->getInstances();
             if ($found) {
                 foreach ($found as $instance) {
                     $this->output("Updating instance : " . $instance->getInstanceId() . "\n");
                     $instance->editArticle($nova);
                 }
             } else {
                 $wgAuth->printDebug("No instance, continuing", NONSENSITIVE);
             }
         }
     }
     $this->output("Done.\n");
 }
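 /**
  * Handles the 'getall' and 'getuser' subactions of this API module.
  *
  * 'getall' reports the members and the per-role members of one named project
  * or of every project. 'getuser' reports, for the named user (or the current
  * LDAP user when no username is given), the roles held in each of their
  * projects. Projects that cannot be found or loaded are skipped.
  *
  * NOTE(review): no permission check is visible in this method, so project
  * membership and role data goes to whoever can reach it — confirm that
  * access is restricted elsewhere in the module.
  */
 function execute()
 {
     $this->params = $this->extractRequestParams();
     $this->userLDAP = new OpenStackNovaUser();
     switch ($this->params['subaction']) {
         case 'getall':
             if (isset($this->params['project'])) {
                 $projects = array(OpenStackNovaProject::getProjectByName($this->params['project']));
             } else {
                 $projects = OpenStackNovaProject::getAllProjects();
             }
             $data = array();
             foreach ($projects as $project) {
                 // Other callers test getProjectByName()'s result for falsiness,
                 // so an unknown project name must not be dereferenced here.
                 if (!$project) {
                     continue;
                 }
                 $project->fetchProjectInfo();
                 if (!$project->loaded) {
                     continue;
                 }
                 $projectName = $project->getProjectName();
                 $data[$projectName]['members'] = $project->getMembers();
                 $data[$projectName]['roles'] = array();
                 foreach ($project->getRoles() as $role) {
                     $roleName = $role->getRoleName();
                     $data[$projectName]['roles'][$roleName] = array('members' => $role->getMembers());
                     $this->getResult()->setIndexedTagName($data[$projectName]['roles'][$roleName]['members'], 'member');
                 }
                 $this->getResult()->setIndexedTagName($data[$projectName]['members'], 'member');
                 $this->getResult()->setIndexedTagName($data[$projectName]['roles'], 'roles');
             }
             $this->getResult()->addValue(null, $this->getModuleName(), $data);
             break;
         case 'getuser':
             $data = array();
             // !empty() keeps the original truthiness test without raising a
             // notice when the parameter is absent.
             if (!empty($this->params['username'])) {
                 $user = new OpenStackNovaUser($this->params['username']);
             } else {
                 $user = $this->userLDAP;
             }
             foreach ($user->getProjects() as $listedName) {
                 $project = OpenStackNovaProject::getProjectByName($listedName);
                 if (!$project) {
                     // The user's project list may name a project that no longer resolves.
                     continue;
                 }
                 $project->fetchProjectInfo();
                 if (!$project->loaded) {
                     continue;
                 }
                 $projectName = $project->getProjectName();
                 $data[$projectName] = array();
                 $data[$projectName]['roles'] = array();
                 foreach ($project->getRoles() as $role) {
                     if ($role->userInRole($user)) {
                         $data[$projectName]['roles'][] = $role->getRoleName();
                     }
                 }
                 $this->getResult()->setIndexedTagName($data[$projectName]['roles'], 'role');
             }
             $this->getResult()->setIndexedTagName($data, 'project');
             $this->getResult()->addValue(null, $this->getModuleName(), $data);
             break;
     }
 }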
 /**
  * Adds the "<name>.<project>.<region>.wmflabs" associated domain to host entries.
  *
  * With --all-instances the target list is built by authenticating to Nova
  * with the configured service account and enumerating every region/project
  * pair; with --name a single target is taken from --name/--region/--project.
  * Targets whose host entry cannot be found are reported and skipped.
  */
 public function execute()
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPUsername;
     global $wgOpenStackManagerLDAPUserPassword;
     if ($this->hasOption('all-instances')) {
         if ($this->hasOption('region')) {
             $this->error("--all-instances cannot be used with --region.\n", true);
         }
         $targets = array();
         $serviceUser = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername);
         $nova = OpenStackNovaController::newFromUser($serviceUser);
         $allProjects = OpenStackNovaProject::getAllProjects();
         // A project has to be set before authenticating; 'bastion' is hardcoded.
         $nova->setProject('bastion');
         $nova->authenticate($wgOpenStackManagerLDAPUsername, $wgOpenStackManagerLDAPUserPassword);
         foreach ($nova->getRegions('compute') as $region) {
             foreach ($allProjects as $project) {
                 $projectName = $project->getProjectName();
                 $nova->setProject($projectName);
                 $nova->setRegion($region);
                 $found = $nova->getInstances();
                 if (!$found) {
                     continue;
                 }
                 foreach ($found as $instance) {
                     $targets[] = array($region, $instance->getInstanceName(), $projectName);
                 }
             }
         }
     } elseif ($this->hasOption('name')) {
         if (!$this->hasOption('region')) {
             $this->error("--name requires --region.\n", true);
         }
         if (!$this->hasOption('project')) {
             $this->error("--name requires --project.\n", true);
         }
         $targets = array(
             array($this->getOption('region'), $this->getOption('name'), $this->getOption('project')),
         );
     } else {
         $this->error("Must specify either --name or --all-instances.\n", true);
     }
     if (!class_exists('OpenStackNovaHost')) {
         $this->error("Couldn't find OpenStackNovaHost class.\n", true);
     }
     OpenStackNovaLdapConnection::connect();
     foreach ($targets as $target) {
         // Each target is a (region, instance name, project) triple.
         list($instanceregion, $instancename, $instanceproject) = $target;
         $host = OpenStackNovaHost::getHostByNameAndProject($instancename, $instanceproject, $instanceregion);
         if (!$host) {
             print "Skipping {$instancename}.{$instanceproject}.{$instanceregion}; not found.\n";
             continue;
         }
         print "\nFor instance {$instancename} in region {$instanceregion} and project {$instanceproject}:\n\n";
         $fqdn = implode('.', array($instancename, $instanceproject, $instanceregion, 'wmflabs'));
         $host->addAssociatedDomain($fqdn);
     }
 }
 /**
  * Rewrites the wiki article of every project.
  *
  * Project details are fetched before each article is edited.
  */
 public function execute()
 {
     foreach (OpenStackNovaProject::getAllProjects() as $project) {
         $name = $project->getProjectName();
         $project->fetchProjectInfo();
         $this->output("Running project : " . $name . "\n");
         $project->editArticle();
     }
     $this->output("Done.\n");
 }
 /**
  * Copies every non-empty service group of every project via createServiceGroup().
  *
  * The configured prefix ($wgOpenStackManagerServiceGroupPrefix) is stripped
  * from the group name when present. The first member is passed to
  * createServiceGroup(); on success the remaining members are added one by one.
  *
  * @return bool true if there were no failed syncs
  */
 public function execute()
 {
     global $wgOpenStackManagerLDAPUsername;
     global $wgOpenStackManagerServiceGroupPrefix;
     $user = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername);
     $attempt_count = 0;
     $synced_count = 0;
     $failed_count = 0;
     /**
      * @var $project OpenStackNovaProject
      */
     foreach (OpenStackNovaProject::getAllProjects() as $project) {
         // getAllProjects() does not load the project info from ldap, so do it here
         $project->fetchProjectInfo();
         $projectName = $project->getProjectName();
         foreach ($project->getServiceGroups() as $serviceGroup) {
             $fullGroupName = $serviceGroup->getGroupName();
             $hasPrefix = strpos($fullGroupName, $wgOpenStackManagerServiceGroupPrefix, 0) === 0;
             $groupName = $hasPrefix
                 ? substr($fullGroupName, strlen($wgOpenStackManagerServiceGroupPrefix))
                 : $fullGroupName;
             $groupMembers = $serviceGroup->getMembers();
             if (empty($groupMembers)) {
                 continue;
             }
             $firstMember = $groupMembers[0];
             $created = OpenStackNovaServiceGroup::createServiceGroup($groupName, $project, $this->updateMemberName($firstMember, $project));
             $attempt_count++;
             if (!$created) {
                 $this->output("Failed copying service group {$groupName} in {$projectName}\n");
                 $failed_count++;
                 continue;
             }
             $this->output("Succeeded copying service group {$groupName} in {$projectName}\n");
             $synced_count++;
             // NOTE(review): the remaining members are added to $serviceGroup (the
             // group that was read), not to the value returned by
             // createServiceGroup() — confirm that is the intended target.
             foreach ($groupMembers as $member) {
                 if ($member !== $firstMember) {
                     $serviceGroup->addMember($this->updateMemberName($member, $project));
                 }
             }
         }
     }
     $this->output("{$attempt_count} service groups were synced, {$synced_count} changed, {$failed_count} failed.\n");
     $this->output("Done.\n");
     // every failure is counted, so a zero count means nothing failed
     return $failed_count === 0;
 }
 /**
  * Adds the name of every project to the result under query/<module name>
  * and tags the list items as 'project'.
  */
 public function run()
 {
     $result = $this->getResult();
     $path = array('query', $this->getModuleName());
     foreach (OpenStackNovaProject::getAllProjects() as $project) {
         $result->addValue($path, null, $project->getName());
     }
     // Use addIndexedTagName() when ApiResult::META_CONTENT is defined, and the
     // older *_internal variant otherwise.
     if (defined('ApiResult::META_CONTENT')) {
         $result->addIndexedTagName($path, 'project');
     } else {
         $result->setIndexedTagName_internal($path, 'project');
     }
 }
 /**
  * Default action: renders the instances in the current user's projects.
  *
  * The page title and leading links reflect the projects in which the user
  * holds the 'projectadmin' role; below that, one section is emitted per
  * project that has at least one instance.
  *
  * @return void
  */
 function listInstances()
 {
     $this->setHeaders();
     $this->getOutput()->addModules('ext.openstack.Instance');
     $projects = OpenStackNovaProject::getProjectsByName($this->userLDAP->getProjects());
     $sections = '';
     $adminProjects = array();
     $totalInstances = 0;
     foreach ($projects as $project) {
         $projectName = $project->getProjectName();
         $projectTotal = 0;
         if ($this->userLDAP->inRole('projectadmin', $projectName)) {
             $adminProjects[] = $projectName;
         }
         $projectactions = array('projectadmin' => array());
         $regionHtml = '';
         $this->userNova->setProject($projectName);
         foreach ($this->userNova->getRegions('compute') as $region) {
             $regionactions = array();
             // getInstances() is handed $regionCount as its third argument and the
             // value is read back afterwards as this region's instance count.
             $regionCount = 0;
             $instances = $this->getInstances($projectName, $region, $regionCount);
             $projectTotal += $regionCount;
             if ($regionCount > 0) {
                 $regionHtml .= $this->createRegionSection($region, $projectName, $regionactions, $instances);
             }
         }
         if ($projectTotal) {
             $sections .= $this->createProjectSection($projectName, $projectactions, $regionHtml);
             $totalInstances += $projectTotal;
         }
     }
     $out = '';
     if (!$adminProjects) {
         $this->getOutput()->setPagetitle($this->msg('openstackmanager-noownedprojects'));
     } else {
         $this->getOutput()->setPagetitle($this->msg('openstackmanager-ownedprojects', count($adminProjects)));
         foreach ($adminProjects as $adminProject) {
             $out .= $this->createResourceLink($adminProject) . " ";
         }
     }
     // NOTE(review): Html::rawElement() does not escape its content and the
     // message is rendered with ->text(); confirm these messages cannot carry markup.
     if ($totalInstances) {
         $out .= Html::rawElement('h1', array(), $this->msg('openstackmanager-ownedinstances', $totalInstances)->text());
         $out .= $sections;
     } else {
         $out .= Html::rawElement('h1', array(), $this->msg('openstackmanager-noownedinstances')->text());
     }
     $this->getOutput()->addHTML($out);
 }
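 /**
  * Moves each instance's wiki page from its instance id to its host FQDN.
  *
  * Authenticates to Nova with the configured service account, walks every
  * compute region and project, and for each instance that has a host entry
  * moves the NS_NOVA_RESOURCE page titled with the instance id to the page
  * titled with the host's fully qualified name. Instances without a host
  * entry, or whose titles cannot be built, are reported and skipped.
  */
 public function execute()
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPUsername;
     global $wgOpenStackManagerLDAPUserPassword;
     $user = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername);
     $userNova = OpenStackNovaController::newFromUser($user);
     $projects = OpenStackNovaProject::getAllProjects();
     # HACK (please fix): Keystone doesn't deliver services and endpoints unless
     # a project token is returned, so we need to feed it a project. Ideally this
     # should be configurable, and not hardcoded like this.
     $userNova->setProject('bastion');
     $userNova->authenticate($wgOpenStackManagerLDAPUsername, $wgOpenStackManagerLDAPUserPassword);
     $regions = $userNova->getRegions('compute');
     foreach ($regions as $region) {
         $this->output("Running region: " . $region . "\n");
         foreach ($projects as $project) {
             $projectName = $project->getProjectName();
             $this->output("Running project: " . $projectName . "\n");
             $userNova->setProject($projectName);
             $userNova->setRegion($region);
             $instances = $userNova->getInstances();
             if (!$instances) {
                 $wgAuth->printDebug("No instance, continuing", NONSENSITIVE);
                 continue;
             }
             foreach ($instances as $instance) {
                 $host = $instance->getHost();
                 if (!$host) {
                     $this->output("Skipping instance due to missing host entry: " . $instance->getInstanceId() . "\n");
                     continue;
                 }
                 $ot = Title::newFromText($instance->getInstanceId(), NS_NOVA_RESOURCE);
                 $nt = Title::newFromText($host->getFullyQualifiedHostName(), NS_NOVA_RESOURCE);
                 // Title::newFromText() returns null for text that is not a valid
                 // title; calling moveTo() on that would abort the whole run.
                 if (!$ot || !$nt) {
                     $this->output("Skipping instance due to invalid page title: " . $instance->getInstanceId() . "\n");
                     continue;
                 }
                 $this->output("Renaming instance: " . $instance->getInstanceId() . "\n");
                 $ot->moveTo($nt, false, 'Maintenance script move from id to fqdn.');
             }
         }
     }
     $this->output("Done.\n");
 }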
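 /**
  * Syncs the members of every project into its project group.
  *
  * syncProjectGroupMembers() is called once per project; per the return codes
  * documented below, -1 is a failure, 0 means nothing changed and 1 is a
  * successful sync. Changed and failed projects are reported and counted.
  *
  * @return bool true if there were no failed syncs
  */
 public function execute()
 {
     global $wgOpenStackManagerLDAPUsername;
     $user = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername);
     $projects = OpenStackNovaProject::getAllProjects();
     $failedSync = false;
     $attempt_count = 0;
     $synced_count = 0;
     $failed_count = 0;
     /**
      * @var $project OpenStackNovaProject
      */
     foreach ($projects as $project) {
         // actually load the project info from ldap
         // (getAllProjects() doesn't do this)
         $project->fetchProjectInfo();
         $projectName = $project->getProjectName();
         $retval = $project->syncProjectGroupMembers();
         $attempt_count++;
         // -1: failure
         //  0: no change
         //  1: successful sync
         if ($retval != 0) {
             // -1 is truthy, so the label has to be chosen by sign; testing the
             // value for truthiness reported every failure as "Succeeded".
             $label = $retval > 0 ? "Succeeded" : "Failed";
             $this->output($label . " syncing members for project {$projectName} and group " . $project->projectGroup->getProjectGroupName() . "\n");
             if ($retval < 0) {
                 $failedSync = true;
                 $failed_count++;
             } else {
                 $synced_count++;
             }
         }
     }
     $this->output("{$attempt_count} project groups were synced, {$synced_count} changed, {$failed_count} failed.\n");
     $this->output("Done.\n");
     // return true if there were no failed syncs
     return !$failedSync;
 }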
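 /**
  * Handles the 'getservicegroups' subaction: lists the members of each service
  * group of the requested project.
  *
  * When the 'shellmembers' parameter is set the uid members are returned,
  * otherwise the plain member list. An unknown project yields an empty result.
  *
  * NOTE(review): no permission check is visible in this method — confirm that
  * access to service group membership is restricted elsewhere in the module.
  */
 function execute()
 {
     $this->params = $this->extractRequestParams();
     switch ($this->params['subaction']) {
         case 'getservicegroups':
             $data = array();
             $project = OpenStackNovaProject::getProjectByName($this->params['project']);
             // Other callers test getProjectByName()'s result for falsiness, so
             // do not dereference it when the project cannot be resolved.
             if ($project) {
                 $project->fetchServiceGroups();
                 foreach ($project->getServiceGroups() as $serviceGroup) {
                     $serviceGroupName = $serviceGroup->getGroupName();
                     if ($this->params['shellmembers']) {
                         $data[$serviceGroupName]['members'] = $serviceGroup->getUidMembers();
                     } else {
                         $data[$serviceGroupName]['members'] = $serviceGroup->getMembers();
                     }
                     $this->getResult()->setIndexedTagName($data[$serviceGroupName]['members'], 'member');
                 }
             }
             $this->getResult()->addValue(null, $this->getModuleName(), $data);
             break;
     }
 }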
 /**
  * Form handler: applies volume settings and the service-user home directory
  * pattern to a project.
  *
  * NOTE(review): 'serviceuserhome' is passed to setServiceGroupHomedirPattern()
  * as submitted and no authorization check is visible here — presumably both
  * are handled by the form definition or the caller; confirm.
  *
  * @param  $formData submitted values; reads 'projectname', 'homedirs',
  *   'storage' and 'serviceuserhome'
  * @param string $entryPoint not read by this method
  * @return bool always true
  */
 function tryConfigureProjectSubmit($formData, $entryPoint = 'internal')
 {
     $project = OpenStackNovaProject::getProjectByName($formData['projectname']);
     if (!$project) {
         $this->getOutput()->addWikiMsg('openstackmanager-nonexistentproject');
         return true;
     }
     // Checkbox field => volume name enabled by it.
     $volumeByField = array('homedirs' => "home", 'storage' => "project");
     $vols = array();
     foreach ($volumeByField as $field => $volume) {
         if ($formData[$field]) {
             $vols[] = $volume;
         }
     }
     $pattern = $formData['serviceuserhome'];
     // The pattern is only written when the volume settings were stored.
     $saved = $project->setVolumeSettings($vols) && $project->setServiceGroupHomedirPattern($pattern);
     $this->getOutput()->addWikiMsg(
         $saved ? 'openstackmanager-configureproject-success' : 'openstackmanager-configureproject-failed'
     );
     $backLink = Linker::link($this->getPageTitle(), $this->msg('openstackmanager-backprojectlist')->escaped());
     $this->getOutput()->addHTML($backLink);
     return true;
 }
 /**
  * Renders the security groups of the projects selected by the project filter.
  *
  * Users for whom userCanExecute() passes are offered every project; everyone
  * else is limited to the projects returned for their LDAP user.
  *
  * @return bool|null null when no project filter is set, true otherwise
  */
 function listSecurityGroups()
 {
     $this->setHeaders();
     $this->getOutput()->addModuleStyles('ext.openstack');
     $this->getOutput()->setPagetitle($this->msg('openstackmanager-securitygrouplist'));
     $projects = $this->userCanExecute($this->getUser())
         ? OpenStackNovaProject::getAllProjects()
         : OpenStackNovaProject::getProjectsByName($this->userLDAP->getProjects());
     $this->showProjectFilter($projects);
     $selected = $this->getProjectFilter();
     if (!$selected) {
         $this->getOutput()->addWikiMsg('openstackmanager-setprojectfilter');
         return null;
     }
     $html = '';
     foreach ($projects as $project) {
         $projectName = $project->getProjectName();
         // The filter only narrows $projects, which was already scoped above.
         if (in_array($projectName, $selected)) {
             $projectactions = array('projectadmin' => array());
             $regionHtml = '';
             $this->userNova->setProject($projectName);
             foreach ($this->userNova->getRegions('compute') as $region) {
                 $this->userNova->setRegion($region);
                 $createLink = $this->createActionLink(
                     'openstackmanager-createnewsecuritygroup',
                     array('action' => 'create', 'project' => $projectName, 'region' => $region)
                 );
                 $regionactions = array('projectadmin' => array($createLink));
                 $securityGroups = $this->getSecurityGroups($projectName, $region);
                 $regionHtml .= $this->createRegionSection($region, $projectName, $regionactions, $securityGroups);
             }
             $html .= $this->createProjectSection($projectName, $projectactions, $regionHtml);
         }
     }
     $this->getOutput()->addHTML($html);
     return true;
 }
 /**
  * Declares the 'project' and 'region' parameters. Both are required, and each
  * takes its PARAM_TYPE from a list: all project names, and getRegions().
  *
  * @return array
  */
 public function getAllowedParams()
 {
     $projectParam = array(
         ApiBase::PARAM_TYPE => OpenStackNovaProject::getAllProjectNames(),
         ApiBase::PARAM_REQUIRED => true,
     );
     $regionParam = array(
         ApiBase::PARAM_TYPE => $this->getRegions(),
         ApiBase::PARAM_REQUIRED => true,
     );
     return array('project' => $projectParam, 'region' => $regionParam);
 }
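 /**
  * Deletes a sudo policy based on the policy name.
  *
  * Removes the policy's LDAP entry and, on success, drops the cached sudoer
  * info for it from $wgMemc.
  *
  * NOTE(review): no authorization check is visible in this helper; callers
  * are presumably responsible for confirming the acting user may change sudo
  * policy in the project — verify at each call site.
  *
  * @static
  * @param  $sudoername name of the sudo policy
  * @param $projectName name of the project that owns the policy
  * @return bool true when the LDAP entry was deleted, false otherwise
  */
 static function deleteSudoer($sudoername, $projectName)
 {
     global $wgAuth;
     global $wgMemc;
     OpenStackNovaLdapConnection::connect();
     $project = OpenStackNovaProject::getProjectByName($projectName);
     // Other callers test getProjectByName()'s result for falsiness; refuse to
     // build a sudoer (and a DN to delete) from an unresolved project.
     if (!$project) {
         $wgAuth->printDebug("Project {$projectName} does not exist", NONSENSITIVE);
         return false;
     }
     $sudoer = new OpenStackNovaSudoer($sudoername, $project);
     // NOTE(review): `new` always yields an object, so this branch cannot run
     // and the policy's existence is not actually verified before the delete.
     if (!$sudoer) {
         $wgAuth->printDebug("Sudoer {$sudoername} does not exist", NONSENSITIVE);
         return false;
     }
     $dn = $sudoer->sudoerDN;
     $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $dn);
     if (!$success) {
         $wgAuth->printDebug("Failed to delete sudoer {$sudoername}", NONSENSITIVE);
         return false;
     }
     $wgAuth->printDebug("Successfully deleted sudoer {$sudoername}", NONSENSITIVE);
     // Invalidate the cached entry so the deleted policy is not served again.
     $key = wfMemcKey('openstackmanager', 'sudoerinfo', $projectName . $sudoername);
     $wgMemc->delete($key);
     return true;
 }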
 /**
  * Default action: renders the instances of the projects selected by the
  * project filter.
  *
  * Users with the 'listall' right are offered every project; everyone else is
  * limited to the projects returned for their LDAP user. Regions listed in
  * $wgOpenStackManagerReadOnlyRegions show a "creation disabled" message in
  * place of the create-instance link.
  *
  * @return void (null is returned explicitly when no project filter is set)
  */
 function listInstances()
 {
     global $wgOpenStackManagerReadOnlyRegions;
     $this->setHeaders();
     $this->getOutput()->addModules('ext.openstack.Instance');
     $this->getOutput()->setPagetitle($this->msg('openstackmanager-instancelist'));
     $projects = $this->getUser()->isAllowed('listall')
         ? OpenStackNovaProject::getAllProjects()
         : OpenStackNovaProject::getProjectsByName($this->userLDAP->getProjects());
     $this->showProjectFilter($projects);
     $selected = $this->getProjectFilter();
     if (!$selected) {
         $this->getOutput()->addWikiMsg('openstackmanager-setprojectfilter');
         return null;
     }
     $html = '';
     foreach ($projects as $project) {
         $projectName = $project->getProjectName();
         // The filter only narrows $projects, which was already scoped above.
         if (in_array($projectName, $selected)) {
             $projectactions = array('projectadmin' => array());
             $regionHtml = '';
             $this->userNova->setProject($projectName);
             foreach ($this->userNova->getRegions('compute') as $region) {
                 if (in_array($region, $wgOpenStackManagerReadOnlyRegions)) {
                     $adminAction = $this->msg('openstackmanager-creationdisabled');
                 } else {
                     $adminAction = $this->createActionLink(
                         'openstackmanager-createinstance',
                         array('action' => 'create', 'project' => $projectName, 'region' => $region)
                     );
                 }
                 $regionactions = array('projectadmin' => array($adminAction));
                 $instances = $this->getInstances($projectName, $region);
                 $regionHtml .= $this->createRegionSection($region, $projectName, $regionactions, $instances);
             }
             $html .= $this->createProjectSection($projectName, $projectactions, $regionHtml);
         }
     }
     $this->getOutput()->addHTML($html);
 }
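	/**
	 * Checks whether this user holds a role, globally and/or within a project.
	 *
	 * A global role is sufficient on its own only when
	 * $wgOpenStackManagerLDAPRolesIntersect is off and $strict is false. When
	 * roles intersect, lacking the global role is an immediate "no". Otherwise
	 * the project's LDAP subtree is searched for a role entry whose cn is
	 * $role and which lists this user's DN as a member.
	 *
	 * @param  $role role name, matched against the cn attribute
	 * @param string $projectname project to check; an empty value skips the project lookup
	 * @param bool $strict when true, the global role alone never grants the result
	 * @return bool
	 */
	function inRole( $role, $projectname='', $strict=false ) {
		global $wgAuth;
		global $wgOpenStackManagerLDAPRolesIntersect;

		if ( $this->inGlobalRole( $role ) ) {
			# If roles intersect, or we wish to explicitly check
			# project role, we can't return here.
			if ( !$wgOpenStackManagerLDAPRolesIntersect && !$strict ) {
				return true;
			}
		} elseif ( $wgOpenStackManagerLDAPRolesIntersect ) {
			return false;
		}

		if ( !$projectname ) {
			return false;
		}

		# Check project specific role
		$project = OpenStackNovaProject::getProjectByName( $projectname );
		if ( !$project ) {
			return false;
		}

		# Escape the filter metacharacters (RFC 4515) in both assertion values so
		# that neither the role name nor the DN can change the filter's structure.
		# The backslash must be replaced first, because every replacement adds one.
		$special = array( '\\', '*', '(', ')', "\x00" );
		$escaped = array( '\\5c', '\\2a', '\\28', '\\29', '\\00' );
		$roleValue = str_replace( $special, $escaped, $role );
		$dnValue = str_replace( $special, $escaped, $this->userDN );
		$filter = "(&(cn=$roleValue)(member=$dnValue))";

		$result = LdapAuthenticationPlugin::ldap_search( $wgAuth->ldapconn, $project->projectDN, $filter );
		if ( !$result ) {
			return false;
		}
		$entries = LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $result );
		if ( !$entries ) {
			return false;
		}
		if ( $entries['count'] == "0" ) {
			$wgAuth->printDebug( "Couldn't find the user in role: $role", NONSENSITIVE );
			return false;
		}
		return true;
	}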
	/**
	 * Form handler: removes the selected members from a project.
	 *
	 * Each member is removed individually; after every successful removal the
	 * project article is rewritten, and a per-member result message is shown.
	 *
	 * NOTE(review): no authorization check is visible here — presumably the
	 * form or the calling special page enforces it; confirm.
	 *
	 * @param  $formData submitted values; reads 'projectname' and 'members'
	 * @param string $entryPoint not read by this method
	 * @return bool always true
	 */
	function tryDeleteMemberSubmit( $formData, $entryPoint = 'internal' ) {
		$project = OpenStackNovaProject::getProjectByName( $formData['projectname'] );
		if ( ! $project ) {
			$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistentproject' );
			return true;
		}
		foreach ( $formData['members'] as $member ) {
			if ( !$project->deleteMember( $member ) ) {
				$this->getOutput()->addWikiMsg( 'openstackmanager-failedtoremove', $member, $formData['projectname'] );
				continue;
			}
			// Keep the project's wiki article in step with the new member list.
			$project->editArticle();
			$this->getOutput()->addWikiMsg( 'openstackmanager-removedfrom', $member, $formData['projectname'] );
		}

		$backLink = Linker::link( $this->getTitle(), wfMsgHtml( 'openstackmanager-backprojectlist' ) );
		$this->getOutput()->addHTML( '<br />' . $backLink );

		return true;
	}
 /**
  * Revokes project membership when removing a group costs a user the
  * 'loginviashell' permission.
  *
  * If any of the user's other effective groups still grants 'loginviashell',
  * nothing is changed. Otherwise, depending on configuration, the user is
  * removed from every project they belong to, or only from the bastion
  * project ($wgOpenStackManagerBastionProjectName).
  *
  * @param $user user whose group membership is changing
  * @param &$group the group that is being removed
  * @return bool true in all cases
  */
 public static function removeUserFromBastionProject($user, &$group)
 {
     global $wgOpenStackManagerRemoveUserFromBastionProjectOnShellDisable;
     global $wgOpenStackManagerRemoveUserFromAllProjectsOnShellDisable;
     global $wgOpenStackManagerBastionProjectName;
     // Would the user keep loginviashell through some group other than the
     // one being removed? If so there is nothing to revoke.
     foreach ($user->getEffectiveGroups() as $remaining) {
         if ($remaining !== $group && User::groupHasPermission($remaining, 'loginviashell')) {
             return true;
         }
     }
     // From here on the permission is known to be lost with this group, so
     // apply whichever revocation the configuration asks for.
     $username = $user->getName();
     if ($wgOpenStackManagerRemoveUserFromAllProjectsOnShellDisable) {
         // Remove the user from every project they are a member of.
         $ldapUser = new OpenStackNovaUser($username);
         foreach ($ldapUser->getProjects() as $projectName) {
             $memberProject = new OpenStackNovaProject($projectName);
             $memberProject->deleteMember($username);
         }
         return true;
     }
     if ($wgOpenStackManagerRemoveUserFromBastionProjectOnShellDisable) {
         // Remove the user from the bastion project only.
         $bastion = new OpenStackNovaProject($wgOpenStackManagerBastionProjectName);
         if (in_array($username, $bastion->getMembers())) {
             $bastion->deleteMember($username);
         }
     }
     return true;
 }
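 /**
  * Form handler: deletes a service group from a project.
  *
  * NOTE(review): no authorization check is visible here — presumably the
  * form or the calling special page enforces it; confirm.
  *
  * @param  $formData submitted values; reads 'projectname' and 'groupname'
  * @param string $entryPoint not read by this method
  * @return bool always true
  */
 function tryRemoveServiceGroupSubmit($formData, $entryPoint = 'internal')
 {
     $project = OpenStackNovaProject::getProjectByName($formData['projectname']);
     // The sibling form handlers report an unknown project with this message;
     // without the guard a stale or forged project name is dereferenced.
     if (!$project) {
         $this->getOutput()->addWikiMsg('openstackmanager-nonexistentproject');
         return true;
     }
     $success = $project->deleteServiceGroup($formData['groupname'], $project);
     if ($success) {
         $this->getOutput()->addWikiMsg('openstackmanager-removedservicegroup');
     } else {
         $this->getOutput()->addWikiMsg('openstackmanager-removeservicegroupfailed');
     }
     $out = '<br />';
     $out .= Linker::link($this->getPageTitle(), $this->msg('openstackmanager-backservicegrouplist')->escaped());
     $this->getOutput()->addHTML($out);
     return true;
 }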
 /**
  * Form handler: rewrites an existing sudo policy from the submitted form.
  *
  * Commands and options are taken one per line from the form. The
  * 'requirepassword' checkbox appends 'authenticate' or '!authenticate' to the
  * options. Existing users and run-as users that are neither the project
  * group, a project member uid nor a service user are carried over, because
  * the form never offered them for selection.
  *
  * NOTE(review): the command and option lines are written to the policy as
  * submitted (split on "\n" only) and no authorization check is visible in
  * this handler — presumably the form layer restricts who may submit; confirm.
  *
  * @param  $formData submitted values; reads 'sudoername', 'project',
  *   'commands', 'options', 'requirepassword', 'users' and 'runas'
  * @param string $entryPoint not read by this method
  * @return bool always true
  */
 function tryModifySubmit($formData, $entryPoint = 'internal')
 {
     $sudoer = OpenStackNovaSudoer::getSudoerByName($formData['sudoername'], $formData['project']);
     if (!$sudoer) {
         $this->getOutput()->addWikiMsg('openstackmanager-nonexistantsudoer');
     } else {
         $commands = $formData['commands'] ? explode("\n", $formData['commands']) : array();
         $options = $formData['options'] ? explode("\n", $formData['options']) : array();
         $options[] = $formData['requirepassword'] ? 'authenticate' : '!authenticate';
         $projectName = $formData['project'];
         $project = OpenStackNovaProject::getProjectByName($projectName);
         $memberUids = $project->getMemberUids();
         $serviceUsers = $project->getServiceUsers();
         $projectGroup = "%" . $project->getProjectGroup()->getProjectGroupName();
         $users = $this->removeALLFromUserKeys($formData['users']);
         foreach ($sudoer->getSudoerUsers() as $candidate) {
             # Anything in this list that isn't a user or ALL
             # wasn't exposed to user selection so needs to stay.
             if ($candidate == $projectGroup) {
                 continue;
             }
             if (in_array($candidate, $memberUids) || in_array($candidate, $serviceUsers)) {
                 continue;
             }
             $users[] = $candidate;
         }
         $runasusers = $this->removeALLFromRunAsUserKeys($formData['runas']);
         foreach ($sudoer->getSudoerRunAsUsers() as $candidate) {
             if ($candidate == $projectGroup || $candidate == 'ALL') {
                 continue;
             }
             if (in_array($candidate, $memberUids) || in_array($candidate, $serviceUsers)) {
                 continue;
             }
             $runasusers[] = $candidate;
         }
         if (!$sudoer->modifySudoer($users, $runasusers, $commands, $options)) {
             // On failure the handler returns without the back link.
             $this->getOutput()->addWikiMsg('openstackmanager-modifysudoerfailed');
             return true;
         }
         $this->getOutput()->addWikiMsg('openstackmanager-modifiedsudoer');
     }
     $backLink = Linker::link($this->getPageTitle(), $this->msg('openstackmanager-backsudoerlist')->escaped());
     $this->getOutput()->addHTML('<br />' . $backLink);
     return true;
 }
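/**
 * Define who gets notifications for an event.
 *
 * Instance build-completed and deleted events go to every member of the
 * project's 'projectadmin' role; reboot-completed events go only to the agent
 * who started the reboot; projectmembers-add events go to the added user.
 * A project that cannot be resolved, or a role member whose name does not
 * yield a user object, is skipped. Key 0 is always removed from the list.
 *
 * @param $event EchoEvent to get implicitly subscribed users for
 * @param &$users array to append implicitly subscribed users to.
 * @return bool true in all cases
 */
function efOpenStackGetDefaultNotifiedUsers($event, &$users)
{
    $type = $event->getType();
    if ($type == 'osm-instance-build-completed' || $type == 'osm-instance-deleted') {
        $extra = $event->getExtra();
        $project = OpenStackNovaProject::getProjectByName($extra['projectName']);
        // Other callers test getProjectByName()'s result for falsiness; an event
        // for a project that no longer resolves must not abort notification.
        if ($project) {
            foreach ($project->getRoles() as $role) {
                if ($role->getRoleName() != 'projectadmin') {
                    continue;
                }
                foreach ($role->getMembers() as $roleMember) {
                    $roleMemberUser = User::newFromName($roleMember);
                    // User::newFromName() returns false for a name it rejects.
                    if (!$roleMemberUser) {
                        continue;
                    }
                    $users[$roleMemberUser->getId()] = $roleMemberUser;
                }
            }
        }
    } elseif ($type == 'osm-instance-reboot-completed') {
        // Only notify the person who initiated the reboot.
        $users[$event->getAgent()->getId()] = $event->getAgent();
    } elseif ($type == 'osm-projectmembers-add') {
        $extra = $event->getExtra();
        $users[$extra['userAdded']] = User::newFromId($extra['userAdded']);
    }
    // Anything that ended up under id 0 is dropped from the recipient list.
    unset($users[0]);
    return true;
}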
 /**
  * Render the puppet group list page.
  *
  * Emits one section per project that passes the project filter, followed by
  * a collapsible section holding the groups returned by getGroupList() when
  * it is called without a project. Until a filter is set only a prompt is shown.
  *
  * @return void
  */
 function listPuppetGroups()
 {
     $this->setHeaders();
     $page = $this->getOutput();
     $page->setPagetitle($this->msg('openstackmanager-puppetgrouplist'));
     $page->addModuleStyles('ext.openstack');

     // Visibility rule: only holders of the 'listall' right get every project;
     // everyone else is limited to the projects reported for their LDAP user.
     $viewer = $this->getUser();
     $projects = $viewer->isAllowed('listall')
         ? OpenStackNovaProject::getAllProjects()
         : OpenStackNovaProject::getProjectsByName($this->userLDAP->getProjects());

     $this->showProjectFilter($projects);
     $selected = $this->getProjectFilter();
     if (!$selected) {
         $page->addWikiMsg('openstackmanager-setprojectfilter');
         return;
     }

     $html = '';
     foreach ($projects as $project) {
         $projectName = $project->getProjectName();
         // $selected is known to be non-empty here, so membership is the only test left.
         if (in_array($projectName, $selected)) {
             $createLink = $this->createActionLink(
                 'openstackmanager-createpuppetgroup',
                 array('action' => 'create', 'project' => $projectName)
             );
             $actions = array('projectadmin' => array($createLink));
             $groupList = OpenStackNovaPuppetGroup::getGroupList($projectName);
             $html .= $this->createProjectSection($projectName, $actions, $this->getPuppetGroupOutput($groupList));
         }
     }

     // The create link for the all-projects section is shown only to users who
     // may execute this special page.
     $showlinks = $this->userCanExecute($viewer);
     $action = '';
     if ($showlinks) {
         $link = $this->createActionLink('openstackmanager-createpuppetgroup', array('action' => 'create'));
         $action = Html::rawElement('span', array('id' => 'novaaction'), "[{$link}]");
     }

     // Html::rawElement() inserts its content unescaped, so everything passed
     // to it must already be HTML: the message goes through ->escaped().
     // NOTE(review): createActionLink() and getPuppetGroupOutput() are presumably
     // returning escaped markup as well - confirm in their definitions.
     $heading = Html::rawElement(
         'span',
         array('class' => 'mw-customtoggle-allprojects', 'id' => 'novaproject'),
         $this->msg('openstackmanager-puppetallprojects')->escaped()
     );
     $html .= Html::rawElement('h2', array(), "{$heading} {$action}");
     $sharedGroups = $this->getPuppetGroupOutput(OpenStackNovaPuppetGroup::getGroupList(), $showlinks);
     $html .= Html::rawElement(
         'div',
         array('class' => 'mw-collapsible', 'id' => 'mw-customcollapsible-allprojects'),
         $sharedGroups
     );
     $page->addHTML($html);
 }
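 /**
  * Remove the old per-project service group and service user entries, and the
  * two OUs that held them, from LDAP.
  *
  * For every project the entries matching (objectclass=groupofnames) under
  * ou=groups,<project DN> and (objectclass=person) under ou=people,<project DN>
  * are deleted, then the OUs themselves. There is no dry-run mode: every entry
  * the searches return is deleted, so run it only against a directory that has
  * a current backup.
  *
  * @return bool true when no deletion failed
  */
 public function execute()
 {
     global $wgOpenStackManagerLDAPUsername;
     global $wgAuth;
     // The object itself is not used below. NOTE(review): kept because the
     // constructor presumably sets up the LDAP connection read from $wgAuth - confirm.
     $user = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername);
     $projects = OpenStackNovaProject::getAllProjects();
     $attempt_count = 0;
     $synced_count = 0;
     $failed_count = 0;
     /**
      * @var $project OpenStackNovaProject
      */
     foreach ($projects as $project) {
         // actually load the project info from ldap
         // (getAllProjects() doesn't do this)
         $project->fetchProjectInfo();
         $oldServiceGroupOUDN = 'ou=groups,' . $project->getProjectDN();
         $oldServiceUserOUDN = 'ou=people,' . $project->getProjectDN();

         // search base, filter, progress label
         $cleanups = array(
             array($oldServiceGroupOUDN, '(objectclass=groupofnames)', 'needs deleting: '),
             array($oldServiceUserOUDN, '(objectclass=person)', 'user needs deleting: '),
         );
         foreach ($cleanups as $cleanup) {
             list($baseDN, $filter, $label) = $cleanup;
             $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $baseDN, $filter);
             if (!$result) {
                 continue;
             }
             // Carried over from the original; the property is not read in this method.
             $this->serviceGroups = array();
             $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
             // A failed fetch is not an array; isset() would have let it through to array_shift().
             if (!is_array($entries)) {
                 continue;
             }
             // Drop the leading 'count' element.
             array_shift($entries);
             foreach ($entries as $entry) {
                 // Delete exactly the entry the search returned. Rebuilding the DN
                 // from the cn value breaks when the value needs DN escaping or when
                 // the entry's RDN attribute is not the one assumed.
                 if (!isset($entry['dn'])) {
                     continue;
                 }
                 $deleteme = $entry['dn'];
                 print $label . $deleteme . "...";
                 $attempt_count++;
                 $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $deleteme);
                 if ($success) {
                     $synced_count++;
                     print "done.\n";
                 } else {
                     $failed_count++;
                     print "FAILED\n";
                 }
             }
         }

         // The containers go last; LDAP refuses to delete an entry that still has
         // children, so a leftover child shows up here as FAILED.
         foreach (array($oldServiceGroupOUDN, $oldServiceUserOUDN) as $deleteme) {
             print "ou needs deleting: " . $deleteme . "...";
             $attempt_count++;
             $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $deleteme);
             if ($success) {
                 $synced_count++;
                 print "done.\n";
             } else {
                 $failed_count++;
                 print "FAILED\n";
             }
         }
     }
     $this->output("{$attempt_count} items needed cleanup. {$synced_count} removed, {$failed_count} failed.\n");
     $this->output("Done.\n");
     return $failed_count == 0;
 }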
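	/**
	 * Remove the submitted members from a project role or, when no project
	 * name is given, from a global role, and report each result on the page.
	 *
	 * NOTE(review): no permission check is visible in this method; the role,
	 * project and member names all come from submitted form data, so the
	 * caller is presumably responsible for authorising the request - confirm.
	 *
	 * @param  $formData submitted values; reads 'projectname', 'rolename', 'members' and 'returnto'
	 * @param string $entryPoint not read in this method
	 * @return bool always true
	 */
	function tryDeleteMemberSubmit( $formData, $entryPoint = 'internal' ) {
		$projectname = $formData['projectname'];
		if ( $projectname ) {
			$project = OpenStackNovaProject::getProjectByName( $projectname );
			if ( ! $project ) {
				$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistentproject' );
				return true;
			}
			$role = OpenStackNovaRole::getProjectRoleByName( $formData['rolename'], $project );
		} else {
			$role = OpenStackNovaRole::getGlobalRoleByName( $formData['rolename'] );
		}
		if ( ! $role ) {
			$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistentrole' );
			return true;
		}
		foreach ( $formData['members'] as $member ) {
			$success = $role->deleteMember( $member );
			if ( $success ) {
				$this->getOutput()->addWikiMsg( 'openstackmanager-removedfrom', $member, $formData['rolename'] );
			} else {
				$this->getOutput()->addWikiMsg( 'openstackmanager-failedtoremove', $member, $formData['rolename'] );
			}
		}

		$out = '<br />';
		// 'returnto' is submitted data: Title::newFromText() returns null for text
		// that is not a valid title, and the link is left out in that case.
		$returnto = Title::newFromText( $formData['returnto'] );
		if ( $returnto ) {
			$out .= Linker::link( $returnto, wfMsgHtml( 'openstackmanager-backprojectlist' ) );
		}
		$this->getOutput()->addHTML( $out );

		return true;
	}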
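 /**
  * Deletes a project based on project name. This function will also delete all roles
  * associated with the project, its project group (when project groups are in use),
  * its sudoers and sudoers OU, and its service groups.
  *
  * Failures of those preliminary deletions are only written to the debug log;
  * the return value reflects the deletion of the project entry alone.
  *
  * NOTE(review): no permission check is visible here, so callers presumably
  * authorise the deletion before calling - confirm.
  *
  * @param  $projectname String
  * @return bool true when the project entry itself was deleted
  */
 static function deleteProject($projectname)
 {
     global $wgAuth;
     OpenStackNovaLdapConnection::connect();
     # `new` never yields a falsy value, so the former `if (!$project)` check
     # could not fire; whether the project exists is not verified at this point.
     $project = new OpenStackNovaProject($projectname);
     $dn = $project->projectDN;
     # Projects can have roles as sub-entries, we need to delete them first
     $result = LdapAuthenticationPlugin::ldap_list($wgAuth->ldapconn, $dn, 'objectclass=*');
     $roles = $result ? LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result) : false;
     # A failed list or fetch leaves nothing to iterate; skip instead of shifting a non-array.
     if (is_array($roles)) {
         # Drop the leading 'count' element.
         array_shift($roles);
         foreach ($roles as $role) {
             $roledn = $role['dn'];
             $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $roledn);
             if ($success) {
                 $wgAuth->printDebug("Successfully deleted role {$roledn}", NONSENSITIVE);
             } else {
                 $wgAuth->printDebug("Failed to delete role {$roledn}", NONSENSITIVE);
             }
         }
     } else {
         $wgAuth->printDebug("Failed to list roles for project {$projectname}", NONSENSITIVE);
     }
     # Projects can have a separate group entry.  If so, delete it now.
     if (OpenStackNovaProject::useProjectGroup()) {
         OpenStackNovaProjectGroup::deleteProjectGroup($projectname);
     }
     # Projects have a sudo OU and sudoers entries below that OU, we must delete them first
     $sudoers = OpenStackNovaSudoer::getAllSudoersByProject($project->getProjectName());
     foreach ($sudoers as $sudoer) {
         $sudoerName = $sudoer->getSudoerName();
         $success = OpenStackNovaSudoer::deleteSudoer($sudoerName, $project->getProjectName());
         if ($success) {
             $wgAuth->printDebug("Successfully deleted sudoer " . $sudoerName, NONSENSITIVE);
         } else {
             $wgAuth->printDebug("Failed to delete sudoer " . $sudoerName, NONSENSITIVE);
         }
     }
     $sudoersDN = $project->getSudoersDN();
     $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $sudoersDN);
     if ($success) {
         $wgAuth->printDebug("Successfully deleted sudoers OU " . $sudoersDN, NONSENSITIVE);
     } else {
         $wgAuth->printDebug("Failed to delete sudoers OU " . $sudoersDN, NONSENSITIVE);
     }
     # And, we need to clean up service groups.
     $servicegroups = $project->getServiceGroups();
     foreach ($servicegroups as $group) {
         $groupName = $group->groupName;
         $success = OpenStackNovaServiceGroup::deleteServiceGroup($groupName, $project);
         if ($success) {
             $wgAuth->printDebug("Successfully deleted service group " . $groupName, NONSENSITIVE);
         } else {
             # Message typo fixed ("servie") so a log search for "service group" finds failures.
             $wgAuth->printDebug("Failed to delete service group " . $groupName, NONSENSITIVE);
         }
     }
     # NOTE(review): a sudoer or service group that failed to delete above is only
     # debug-logged; if those entries live outside the project DN they would
     # presumably be left behind after the project is gone - confirm.
     $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $dn);
     if ($success) {
         $wgAuth->printDebug("Successfully deleted project {$projectname}", NONSENSITIVE);
         return true;
     }
     $wgAuth->printDebug("Failed to delete project {$projectname}", NONSENSITIVE);
     return false;
 }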