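/**
 * Answer the 'getall' and 'getuser' subactions of this API module.
 *
 * 'getall' reports the members and the per-role members of one named
 * project (when the 'project' parameter is set) or of every project.
 * 'getuser' reports the roles a user holds in each of that user's
 * projects. Any other subaction produces no output.
 *
 * NOTE(review): no permission check is visible in this method, and
 * 'getuser' accepts an arbitrary 'username'. Confirm that exposing
 * membership and role data to the caller is intended or enforced upstream.
 */
function execute()
 {
     $this->params = $this->extractRequestParams();
     $this->userLDAP = new OpenStackNovaUser();
     switch ($this->params['subaction']) {
         case 'getall':
             if (isset($this->params['project'])) {
                 $projects = array(OpenStackNovaProject::getProjectByName($this->params['project']));
             } else {
                 $projects = OpenStackNovaProject::getAllProjects();
             }
             $data = array();
             foreach ($projects as $project) {
                 // Other call sites test getProjectByName() for a falsy result,
                 // so an unknown name must not reach the method calls below.
                 if (!$project) {
                     continue;
                 }
                 $project->fetchProjectInfo();
                 if (!$project->loaded) {
                     continue;
                 }
                 $projectName = $project->getProjectName();
                 $data[$projectName]['members'] = $project->getMembers();
                 $data[$projectName]['roles'] = array();
                 foreach ($project->getRoles() as $role) {
                     $roleName = $role->getRoleName();
                     $data[$projectName]['roles'][$roleName] = array('members' => $role->getMembers());
                     $this->getResult()->setIndexedTagName($data[$projectName]['roles'][$roleName]['members'], 'member');
                 }
                 $this->getResult()->setIndexedTagName($data[$projectName]['members'], 'member');
                 $this->getResult()->setIndexedTagName($data[$projectName]['roles'], 'roles');
             }
             $this->getResult()->addValue(null, $this->getModuleName(), $data);
             break;
         case 'getuser':
             $data = array();
             // A supplied username selects that user; otherwise the default
             // OpenStackNovaUser built above is used.
             if ($this->params['username']) {
                 $user = new OpenStackNovaUser($this->params['username']);
             } else {
                 $user = $this->userLDAP;
             }
             $projectNames = $user->getProjects();
             foreach ($projectNames as $projectName) {
                 $project = OpenStackNovaProject::getProjectByName($projectName);
                 // Skip names that no longer resolve to a project instead of
                 // calling a method on a falsy value.
                 if (!$project) {
                     continue;
                 }
                 $project->fetchProjectInfo();
                 if (!$project->loaded) {
                     continue;
                 }
                 // Key the output by the name the project object reports.
                 $projectName = $project->getProjectName();
                 $data[$projectName] = array();
                 $data[$projectName]['roles'] = array();
                 foreach ($project->getRoles() as $role) {
                     if ($role->userInRole($user)) {
                         $data[$projectName]['roles'][] = $role->getRoleName();
                     }
                 }
                 $this->getResult()->setIndexedTagName($data[$projectName]['roles'], 'role');
             }
             $this->getResult()->setIndexedTagName($data, 'project');
             $this->getResult()->addValue(null, $this->getModuleName(), $data);
             break;
     }
 }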
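 /**
  * Special-page entry point: dispatch the proxy action named in the request.
  *
  * The request is refused when the user is not logged in or has no LDAP
  * account. 'create', 'delete' and 'modify' additionally require membership
  * of the requested project; every other action value lists proxies.
  *
  * NOTE(review): the result of checkTwoFactor() is not inspected here, so
  * it has to abort the request by itself to have any effect. The listing
  * branch is reached without a project-membership check; confirm that
  * listProxies() restricts what it shows.
  *
  * @param mixed $par not used by this method
  */
 function execute($par)
 {
     if (!$this->getUser()->isLoggedIn()) {
         $this->notLoggedIn();
         return;
     }
     $this->userLDAP = new OpenStackNovaUser();
     if (!$this->userLDAP->exists()) {
         $this->noCredentials();
         return;
     }
     $this->checkTwoFactor();
     $action = $this->getRequest()->getVal('action');
     $this->projectName = $this->getRequest()->getText('project');
     $this->project = OpenStackNovaProject::getProjectByName($this->projectName);
     $region = $this->getRequest()->getVal('region');
     $this->userNova = OpenStackNovaController::newFromUser($this->userLDAP);
     $this->userNova->setProject($this->projectName);
     $this->userNova->setRegion($region);
     if (!in_array($action, array('create', 'delete', 'modify'), true)) {
         $this->listProxies();
         return;
     }
     // One membership gate for every state-changing action. The project
     // *name* is reported in all three cases; the delete and modify branches
     // used to pass the project object, unlike create.
     if (!$this->userLDAP->inProject($this->projectName)) {
         $this->notInProject($this->projectName);
         return;
     }
     if ($action === 'create') {
         $this->createProxy();
     } elseif ($action === 'delete') {
         $this->deleteProxy();
     } else {
         $this->modifyProxy();
     }
 }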
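 /**
  * List the instances of one project in one region, with a one-minute cache.
  *
  * On a cache miss the instances are fetched through a controller that
  * authenticates with the configured LDAP account
  * ($wgOpenStackManagerLDAPUsername), not with the requesting user.
  *
  * NOTE(review): no check of the caller's project membership is visible
  * here; confirm that returning IPs, security groups and image ids for any
  * valid project is intended.
  */
 public function run()
 {
     global $wgOpenStackManagerLDAPUsername;
     global $wgOpenStackManagerLDAPUserPassword;
     global $wgMemc;
     $params = $this->extractRequestParams();
     $project = OpenStackNovaProject::getProjectByName($params['project']);
     if (!$project) {
         // This shouldn't be possible since the API should enforce valid names
         $this->dieUsage('Invalid project specified.', 'badproject');
     }
     $key = wfMemcKey('openstackmanager', 'apilistnovainstances', $params['region'], $params['project']);
     $instancesInfo = $wgMemc->get($key);
     if ($instancesInfo === false) {
         $user = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername);
         $userNova = OpenStackNovaController::newFromUser($user);
         $userNova->authenticate($wgOpenStackManagerLDAPUsername, $wgOpenStackManagerLDAPUserPassword);
         $userNova->setProject($project->getName());
         // Region value is validated by the API layer.
         $userNova->setRegion($params['region']);
         $instances = $userNova->getInstances();
         $instancesInfo = array();
         foreach ($instances as $instance) {
             $instancesInfo[] = array(
                 'name' => $instance->getInstanceName(),
                 'state' => $instance->getInstanceState(),
                 'ip' => $instance->getInstancePrivateIPs(),
                 'id' => $instance->getInstanceId(),
                 'floatingip' => $instance->getInstancePublicIPs(),
                 'securitygroups' => $instance->getSecurityGroups(),
                 'imageid' => $instance->getImageId(),
             );
         }
         // Cache for 1 minute only, because nothing invalidates this entry.
         // The write happens on a miss only: re-writing the entry on every
         // hit would restart the minute each time and keep stale data alive
         // for as long as requests keep arriving.
         $wgMemc->set($key, $instancesInfo, 1 * 60);
     }
     foreach ($instancesInfo as $info) {
         // The XML formatter needs a tag name for each indexed list.
         $this->getResult()->setIndexedTagName($info['securitygroups'], 'group');
         $this->getResult()->setIndexedTagName($info['ip'], 'ip');
         $this->getResult()->setIndexedTagName($info['floatingip'], 'floatingip');
         $this->getResult()->addValue(array('query', $this->getModuleName()), null, $info);
     }
     // Use addIndexedTagName() when ApiResult defines META_CONTENT, else the
     // older internal setter.
     if (defined('ApiResult::META_CONTENT')) {
         $this->getResult()->addIndexedTagName(array('query', $this->getModuleName()), 'instance');
     } else {
         $this->getResult()->setIndexedTagName_internal(array('query', $this->getModuleName()), 'instance');
     }
 }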
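 /**
  * Answer the 'getservicegroups' subaction: members of each service group
  * of the requested project.
  *
  * With 'shellmembers' set the members come from getUidMembers(), otherwise
  * from getMembers(). An unknown project yields an empty result set.
  *
  * NOTE(review): no permission check is visible in this method; confirm
  * that service-group membership may be shown to any caller.
  */
 function execute()
 {
     $this->params = $this->extractRequestParams();
     switch ($this->params['subaction']) {
         case 'getservicegroups':
             $data = array();
             $project = OpenStackNovaProject::getProjectByName($this->params['project']);
             // Other call sites test getProjectByName() for a falsy result;
             // without this guard an unknown name is a fatal method call.
             if ($project) {
                 $project->fetchServiceGroups();
                 foreach ($project->getServiceGroups() as $serviceGroup) {
                     $serviceGroupName = $serviceGroup->getGroupName();
                     if ($this->params['shellmembers']) {
                         $data[$serviceGroupName]['members'] = $serviceGroup->getUidMembers();
                     } else {
                         $data[$serviceGroupName]['members'] = $serviceGroup->getMembers();
                     }
                     $this->getResult()->setIndexedTagName($data[$serviceGroupName]['members'], 'member');
                 }
             }
             $this->getResult()->addValue(null, $this->getModuleName(), $data);
             break;
     }
 }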
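	/**
	 * Form-submit callback: remove the selected members from a role.
	 *
	 * A non-empty 'projectname' selects a role of that project; otherwise the
	 * global role named by 'rolename' is used. One wiki message is emitted per
	 * member, followed by a link back to the 'returnto' page.
	 *
	 * NOTE(review): no permission check is visible in this callback; confirm
	 * that the form feeding it is only offered to users allowed to edit the role.
	 *
	 * @param array $formData submitted fields: projectname, rolename, members, returnto
	 * @param string $entryPoint not used by this method
	 * @return bool always true
	 */
	function tryDeleteMemberSubmit( $formData, $entryPoint = 'internal' ) {
		$projectname = $formData['projectname'];
		if ( $projectname ) {
			$project = OpenStackNovaProject::getProjectByName( $projectname );
			if ( ! $project ) {
				$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistentproject' );
				return true;
			}
			$role = OpenStackNovaRole::getProjectRoleByName( $formData['rolename'], $project );
		} else {
			$role = OpenStackNovaRole::getGlobalRoleByName( $formData['rolename'] );
		}
		if ( ! $role ) {
			$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistentrole' );
			return true;
		}
		foreach ( $formData['members'] as $member ) {
			$success = $role->deleteMember( $member );
			if ( $success ) {
				$this->getOutput()->addWikiMsg( 'openstackmanager-removedfrom', $member, $formData['rolename'] );
			} else {
				$this->getOutput()->addWikiMsg( 'openstackmanager-failedtoremove', $member, $formData['rolename'] );
			}
		}

		$out = '<br />';
		# 'returnto' is submitted form data. Title::newFromText() gives null for
		# text that is not a valid title, so the link is built only when it parsed.
		$returnto = Title::newFromText( $formData['returnto'] );
		if ( $returnto instanceof Title ) {
			$out .= Linker::link( $returnto, wfMsgHtml( 'openstackmanager-backprojectlist' ) );
		}
		$this->getOutput()->addHTML( $out );

		return true;
	}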
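/**
 * Define who gets notifications for an event.
 *
 * - instance build completed / instance deleted: every member of the
 *   project's 'projectadmin' role
 * - instance reboot completed: the agent who initiated the reboot
 * - project member added: the user who was added
 *
 * Recipients are keyed by user id; the entry for id 0 is dropped at the end.
 *
 * @param $event EchoEvent to get implicitly subscribed users for
 * @param &$users array to append implicitly subscribed users to.
 * @return bool true in all cases
 */
function efOpenStackGetDefaultNotifiedUsers($event, &$users)
{
    $type = $event->getType();
    if ($type === 'osm-instance-build-completed' || $type === 'osm-instance-deleted') {
        $extra = $event->getExtra();
        $project = OpenStackNovaProject::getProjectByName($extra['projectName']);
        // A project that no longer resolves (for example one removed after
        // the event was recorded) has nobody to notify; calling getRoles()
        // on the falsy result would be fatal.
        $roles = $project ? $project->getRoles() : array();
        foreach ($roles as $role) {
            if ($role->getRoleName() !== 'projectadmin') {
                continue;
            }
            foreach ($role->getMembers() as $roleMember) {
                $roleMemberUser = User::newFromName($roleMember);
                // newFromName() does not return a User for a name it
                // considers invalid; skip such members.
                if (!$roleMemberUser) {
                    continue;
                }
                $users[$roleMemberUser->getId()] = $roleMemberUser;
            }
        }
    } elseif ($type === 'osm-instance-reboot-completed') {
        // Only notify the person who initiated the reboot.
        $users[$event->getAgent()->getId()] = $event->getAgent();
    } elseif ($type === 'osm-projectmembers-add') {
        $extra = $event->getExtra();
        $users[$extra['userAdded']] = User::newFromId($extra['userAdded']);
    }
    // Id 0 is never a notification target.
    unset($users[0]);
    return true;
}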
 /**
  * Form-submit callback: store a project's volume settings and its
  * service-group home directory pattern.
  *
  * 'homedirs' enables the "home" volume and 'storage' the "project" volume.
  * The pattern is only written when the volume settings were stored. A
  * success or failure message is shown, followed by a link back to this page.
  *
  * NOTE(review): 'serviceuserhome' is forwarded exactly as submitted;
  * whether the pattern is validated is not visible here. Confirm in
  * setServiceGroupHomedirPattern().
  *
  * @param array $formData submitted fields: projectname, homedirs, storage, serviceuserhome
  * @param string $entryPoint not used by this method
  * @return bool always true
  */
 function tryConfigureProjectSubmit($formData, $entryPoint = 'internal')
 {
     $target = OpenStackNovaProject::getProjectByName($formData['projectname']);
     if (!$target) {
         $this->getOutput()->addWikiMsg('openstackmanager-nonexistentproject');
         return true;
     }
     // Form checkbox => volume name, in the order the volumes are stored.
     $volumeByField = array('homedirs' => 'home', 'storage' => 'project');
     $enabledVolumes = array();
     foreach ($volumeByField as $field => $volume) {
         if ($formData[$field]) {
             $enabledVolumes[] = $volume;
         }
     }
     $pattern = $formData['serviceuserhome'];
     // && short-circuits: the pattern setter runs only after the volumes saved.
     $saved = $target->setVolumeSettings($enabledVolumes) && $target->setServiceGroupHomedirPattern($pattern);
     $this->getOutput()->addWikiMsg(
         $saved ? 'openstackmanager-configureproject-success' : 'openstackmanager-configureproject-failed'
     );
     $backLink = Linker::link($this->getPageTitle(), $this->msg('openstackmanager-backprojectlist')->escaped());
     $this->getOutput()->addHTML($backLink);
     return true;
 }
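 /**
  * Deletes a sudo policy based on the policy name.
  *
  * The LDAP entry at the policy's DN is deleted and, on success, the
  * policy's cached info is dropped as well.
  *
  * NOTE(review): no permission check is visible in this method; callers
  * have to authorise the deletion before invoking it.
  *
  * @static
  * @param string $sudoername name of the policy to delete
  * @param string $projectName name of the project owning the policy
  * @return bool true when the LDAP entry was deleted, false otherwise
  */
 static function deleteSudoer($sudoername, $projectName)
 {
     global $wgAuth;
     global $wgMemc;
     OpenStackNovaLdapConnection::connect();
     $project = OpenStackNovaProject::getProjectByName($projectName);
     if (!$project) {
         // Do not build a policy object around a project that does not resolve.
         $wgAuth->printDebug("Project {$projectName} does not exist", NONSENSITIVE);
         return false;
     }
     $sudoer = new OpenStackNovaSudoer($sudoername, $project);
     // `new` always yields an object, so testing $sudoer itself can never
     // detect a missing policy. Test the DN instead, and never hand an empty
     // DN to ldap_delete().
     // NOTE(review): whether sudoerDN stays empty for a missing entry depends
     // on the constructor, which is not shown. Confirm.
     if (empty($sudoer->sudoerDN)) {
         $wgAuth->printDebug("Sudoer {$sudoername} does not exist", NONSENSITIVE);
         return false;
     }
     $dn = $sudoer->sudoerDN;
     $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $dn);
     if (!$success) {
         $wgAuth->printDebug("Failed to delete sudoer {$sudoername}", NONSENSITIVE);
         return false;
     }
     $wgAuth->printDebug("Successfully deleted sudoer {$sudoername}", NONSENSITIVE);
     // Drop the cached policy info so the deleted policy is not served again.
     $key = wfMemcKey('openstackmanager', 'sudoerinfo', $projectName . $sudoername);
     $wgMemc->delete($key);
     return true;
 }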
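	/**
	 * Authorization check: does this user hold $role, globally or in a project?
	 *
	 * Global membership is enough unless roles intersect
	 * ($wgOpenStackManagerLDAPRolesIntersect) or $strict asks for the project
	 * role explicitly. With intersecting roles a user lacking the global role
	 * is refused at once. Otherwise the project's LDAP subtree is searched for
	 * a role entry that lists this user's DN as member.
	 *
	 * @param string $role role name (cn of the role entry)
	 * @param string $projectname project to check; empty means no project check
	 * @param bool $strict require the project role even when the global role is held
	 * @return bool
	 */
	function inRole( $role, $projectname='', $strict=false ) {
		global $wgAuth;
		global $wgOpenStackManagerLDAPRolesIntersect;

		if ( $this->inGlobalRole( $role ) ) {
			# If roles intersect, or we wish to explicitly check
			# project role, we can't return here.
			if ( !$wgOpenStackManagerLDAPRolesIntersect && !$strict ) {
				return true;
			}
		} elseif ( $wgOpenStackManagerLDAPRolesIntersect ) {
			return false;
		}

		if ( !$projectname ) {
			return false;
		}

		# Check project specific role
		$project = OpenStackNovaProject::getProjectByName( $projectname );
		if ( ! $project ) {
			return false;
		}

		# Where $role comes from is not visible here, so it is treated as
		# untrusted: filter metacharacters are escaped per RFC 4515 so that a
		# value such as "*" or one containing parentheses cannot change the
		# meaning of this authorization query. The DN is escaped as well,
		# because DNs may legitimately contain these characters.
		$filterEscapes = array( '\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00' );
		$safeRole = strtr( (string)$role, $filterEscapes );
		$safeDN = strtr( (string)$this->userDN, $filterEscapes );
		$filter = "(&(cn=$safeRole)(member=$safeDN))";

		$result = LdapAuthenticationPlugin::ldap_search( $wgAuth->ldapconn, $project->projectDN, $filter );
		if ( !$result ) {
			return false;
		}
		$entries = LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $result );
		if ( !$entries ) {
			return false;
		}
		if ( (int)$entries['count'] === 0 ) {
			$wgAuth->printDebug( "Couldn't find the user in role: $role", NONSENSITIVE );
			return false;
		}
		return true;
	}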
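 /**
  * Authorization check: does this user hold $role in the given project?
  *
  * The answer is cached per project, role and user DN for one hour, stored
  * as int 0/1. On a miss the project's LDAP subtree is searched for a role
  * entry that lists this user's DN as roleoccupant.
  *
  * NOTE(review): because of the one-hour cache, a role that is granted or
  * revoked takes effect only after the entry expires, unless the code that
  * edits roles deletes this key. Confirm. A failed LDAP lookup is also
  * cached as "not in role" for the same period.
  *
  * @param string $role role name (cn of the role entry)
  * @param string $projectname project to check; an empty name gives false
  * @return bool
  */
 function inRole($role, $projectname)
 {
     global $wgAuth;
     global $wgMemc;
     if (!$projectname) {
         return false;
     }
     // NOTE(review): project and role are joined with '-', so names that
     // themselves contain '-' can map to the same key. Left unchanged,
     // because other code may build this key in the same way.
     $key = wfMemcKey('openstackmanager', "projectrole-{$projectname}-{$role}", $this->userDN);
     $cacheLength = 3600;
     $inRole = $wgMemc->get($key);
     // Only an int is a cached answer; a miss is not an int.
     if (is_int($inRole)) {
         return (bool) $inRole;
     }
     $ret = false;
     # Check project specific role
     $project = OpenStackNovaProject::getProjectByName($projectname);
     if (!$project) {
         $wgMemc->set($key, 0, $cacheLength);
         return false;
     }
     // Where $role comes from is not visible here, so it is treated as
     // untrusted: filter metacharacters are escaped per RFC 4515 so that a
     // value such as "*" or one containing parentheses cannot change the
     // meaning of this authorization query. The DN is escaped as well,
     // because DNs may legitimately contain these characters.
     $filterEscapes = array('\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00');
     $safeRole = strtr((string) $role, $filterEscapes);
     $safeDN = strtr((string) $this->userDN, $filterEscapes);
     $filter = "(&(cn={$safeRole})(roleoccupant={$safeDN}))";
     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $project->projectDN, $filter);
     if ($result) {
         $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
         if ($entries) {
             if ($entries['count'] == "0") {
                 $wgAuth->printDebug("Couldn't find the user in role: {$role}", NONSENSITIVE);
             } else {
                 $ret = true;
             }
         }
     }
     $wgMemc->set($key, (int) $ret, $cacheLength);
     return $ret;
 }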
	/**
	 * Form-submit callback: remove each selected member from a project.
	 *
	 * After every successful removal the project's article is edited. One
	 * wiki message is emitted per member, followed by a link back to this page.
	 *
	 * NOTE(review): no permission check is visible in this callback; confirm
	 * that the form feeding it is only offered to users allowed to manage the
	 * project's members.
	 *
	 * @param array $formData submitted fields: projectname, members
	 * @param string $entryPoint not used by this method
	 * @return bool always true
	 */
	function tryDeleteMemberSubmit( $formData, $entryPoint = 'internal' ) {
		$projectName = $formData['projectname'];
		$target = OpenStackNovaProject::getProjectByName( $projectName );
		if ( !$target ) {
			$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistentproject' );
			return true;
		}

		foreach ( $formData['members'] as $memberName ) {
			if ( !$target->deleteMember( $memberName ) ) {
				$this->getOutput()->addWikiMsg( 'openstackmanager-failedtoremove', $memberName, $projectName );
				continue;
			}
			# Keep the project's article in step with the membership change.
			$target->editArticle();
			$this->getOutput()->addWikiMsg( 'openstackmanager-removedfrom', $memberName, $projectName );
		}

		$backLink = Linker::link( $this->getTitle(), wfMsgHtml( 'openstackmanager-backprojectlist' ) );
		$this->getOutput()->addHTML( '<br />' . $backLink );

		return true;
	}
 /**
  * Form-submit callback: rewrite an existing sudo policy from the form.
  *
  * Commands and options are taken one per line; 'authenticate' or
  * '!authenticate' is appended according to 'requirepassword'. Entries of
  * the stored policy that the form could not have offered (neither the
  * project group, a project member uid nor a service user, and for run-as
  * users not 'ALL') are carried over unchanged.
  *
  * When the policy cannot be modified, the failure message is shown and the
  * method returns without the back link.
  *
  * NOTE(review): no permission check is visible in this callback, and
  * commands and options are stored as submitted; confirm that both are
  * enforced before a policy is written.
  *
  * @param array $formData submitted fields: sudoername, project, commands,
  *   options, requirepassword, users, runas
  * @param string $entryPoint not used by this method
  * @return bool always true
  */
 function tryModifySubmit($formData, $entryPoint = 'internal')
 {
     $policy = OpenStackNovaSudoer::getSudoerByName($formData['sudoername'], $formData['project']);
     if (!$policy) {
         $this->getOutput()->addWikiMsg('openstackmanager-nonexistantsudoer');
     } else {
         $commandList = $formData['commands'] ? explode("\n", $formData['commands']) : array();
         $optionList = $formData['options'] ? explode("\n", $formData['options']) : array();
         $optionList[] = $formData['requirepassword'] ? 'authenticate' : '!authenticate';

         $owningProject = OpenStackNovaProject::getProjectByName($formData['project']);
         $memberUids = $owningProject->getMemberUids();
         $serviceUsers = $owningProject->getServiceUsers();
         $groupEntry = "%" . $owningProject->getProjectGroup()->getProjectGroupName();

         // True for names the form offered for selection.
         // NOTE(review): in_array() compares loosely here, so numeric-looking
         // names such as "0123" and "123" are treated as equal. Confirm that
         // uids are never purely numeric before relying on this.
         $wasSelectable = function ($name) use ($memberUids, $serviceUsers) {
             return in_array($name, $memberUids) || in_array($name, $serviceUsers);
         };

         $userList = $this->removeALLFromUserKeys($formData['users']);
         foreach ($policy->getSudoerUsers() as $previous) {
             # Anything in this list that isn't a user or ALL
             # wasn't exposed to user selection so needs to stay.
             if ($previous != $groupEntry && !$wasSelectable($previous)) {
                 $userList[] = $previous;
             }
         }

         $runAsList = $this->removeALLFromRunAsUserKeys($formData['runas']);
         foreach ($policy->getSudoerRunAsUsers() as $previous) {
             if ($previous != $groupEntry && $previous != 'ALL' && !$wasSelectable($previous)) {
                 $runAsList[] = $previous;
             }
         }

         if (!$policy->modifySudoer($userList, $runAsList, $commandList, $optionList)) {
             $this->getOutput()->addWikiMsg('openstackmanager-modifysudoerfailed');
             return true;
         }
         $this->getOutput()->addWikiMsg('openstackmanager-modifiedsudoer');
     }
     $backLink = Linker::link($this->getPageTitle(), $this->msg('openstackmanager-backsudoerlist')->escaped());
     $this->getOutput()->addHTML('<br />' . $backLink);
     return true;
 }
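 /**
  * Form-submit callback: delete a service group from a project.
  *
  * Shows a success or failure message followed by a link back to this page.
  * An unknown project is reported and nothing is deleted.
  *
  * NOTE(review): no permission check is visible in this callback; confirm
  * that the form feeding it is only offered to users allowed to manage the
  * project's service groups.
  *
  * @param array $formData submitted fields: projectname, groupname
  * @param string $entryPoint not used by this method
  * @return bool always true
  */
 function tryRemoveServiceGroupSubmit($formData, $entryPoint = 'internal')
 {
     $project = OpenStackNovaProject::getProjectByName($formData['projectname']);
     if (!$project) {
         // Other call sites test getProjectByName() for a falsy result;
         // without this guard an unknown name is a fatal method call.
         $this->getOutput()->addWikiMsg('openstackmanager-nonexistentproject');
         return true;
     }
     $success = $project->deleteServiceGroup($formData['groupname'], $project);
     if ($success) {
         $this->getOutput()->addWikiMsg('openstackmanager-removedservicegroup');
     } else {
         $this->getOutput()->addWikiMsg('openstackmanager-removeservicegroupfailed');
     }
     $out = '<br />';
     $out .= Linker::link($this->getPageTitle(), $this->msg('openstackmanager-backservicegrouplist')->escaped());
     $this->getOutput()->addHTML($out);
     return true;
 }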