/**
 * Handle the "modify sudoer" form submission.
 *
 * @param array $formData Submitted form fields: sudoername plus the
 *   comma-separated lists users, hosts, commands and options
 * @param string $entryPoint Not used here; kept for the form-callback signature
 * @return bool Always true
 */
function tryModifySubmit( $formData, $entryPoint = 'internal' ) {
	$output = $this->getOutput();
	$sudoer = OpenStackNovaSudoer::getSudoerByName( $formData['sudoername'] );

	if ( !$sudoer ) {
		$output->addWikiMsg( 'openstackmanager-nonexistantsudoer' );
	} else {
		// A falsy field value means "no entries", not a single empty entry.
		$splitList = function ( $value ) {
			return $value ? explode( ',', $value ) : array();
		};
		$users = $splitList( $formData['users'] );
		$hosts = $splitList( $formData['hosts'] );
		$commands = $splitList( $formData['commands'] );
		$options = $splitList( $formData['options'] );

		if ( !$sudoer->modifySudoer( $users, $hosts, $commands, $options ) ) {
			$output->addWikiMsg( 'openstackmanager-modifysudoerfailed' );
			return true;
		}
		$output->addWikiMsg( 'openstackmanager-modifiedsudoer' );
	}

	$backLink = Linker::link( $this->getTitle(), wfMsgHtml( 'openstackmanager-backsudoerlist' ) );
	$output->addHTML( '<br />' . $backLink );
	return true;
}
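/**
 * Handle the "modify sudoer" form submission for a project-scoped sudoer.
 *
 * Entries the form exposed for selection (project members, service users and
 * the run-as ALL sentinel) are replaced by the submitted selection; every other
 * entry already present on the sudoer, other than the project group, is kept.
 *
 * @param array $formData Submitted form fields: sudoername, project, users,
 *   runas, commands and options (the last two newline-separated), requirepassword
 * @param string $entryPoint Not used here; kept for the form-callback signature
 * @return bool Always true
 */
function tryModifySubmit($formData, $entryPoint = 'internal') {
    $output = $this->getOutput();
    $projectName = $formData['project'];
    $sudoer = OpenStackNovaSudoer::getSudoerByName($formData['sudoername'], $projectName);

    if (!$sudoer) {
        $output->addWikiMsg('openstackmanager-nonexistantsudoer');
    } else {
        # NOTE(review): assumes getProjectByName() yields a falsy value for an
        # unknown project; without this guard the member lookups below would be
        # called on a non-object.
        $project = OpenStackNovaProject::getProjectByName($projectName);
        if (!$project) {
            $output->addWikiMsg('openstackmanager-modifysudoerfailed');
            return true;
        }

        # empty() also covers a missing key, which explode() would otherwise
        # have turned into a single empty command/option.
        $commands = empty($formData['commands']) ? array() : explode("\n", $formData['commands']);
        $options = empty($formData['options']) ? array() : explode("\n", $formData['options']);
        $options[] = empty($formData['requirepassword']) ? '!authenticate' : 'authenticate';

        $projectuids = $project->getMemberUids();
        $projectserviceusers = $project->getServiceUsers();
        $projectGroup = '%' . $project->getProjectGroup()->getProjectGroupName();

        # Anything already on the sudoer that isn't a project member or service
        # user wasn't exposed to user selection, so it must stay. Strict
        # in_array avoids numeric-string coercion ("1e3" == "1000");
        # assumes uids and sudoer entries are strings — confirm.
        $keepUnexposed = function ($selected, $former, $skip) use ($projectuids, $projectserviceusers) {
            foreach ($former as $candidate) {
                if (in_array($candidate, $skip, true)) {
                    continue;
                }
                if (!in_array($candidate, $projectuids, true)
                    && !in_array($candidate, $projectserviceusers, true)
                ) {
                    $selected[] = $candidate;
                }
            }
            return $selected;
        };
        # NOTE(review): the original comment says ALL is user-selected here too,
        # but unlike the run-as list the user list never skipped 'ALL'; kept as-is
        # pending confirmation of what removeALLFromUserKeys() does.
        $users = $keepUnexposed(
            $this->removeALLFromUserKeys($formData['users']),
            $sudoer->getSudoerUsers(),
            array($projectGroup)
        );
        $runasusers = $keepUnexposed(
            $this->removeALLFromRunAsUserKeys($formData['runas']),
            $sudoer->getSudoerRunAsUsers(),
            array($projectGroup, 'ALL')
        );

        if (!$sudoer->modifySudoer($users, $runasusers, $commands, $options)) {
            $output->addWikiMsg('openstackmanager-modifysudoerfailed');
            return true;
        }
        $output->addWikiMsg('openstackmanager-modifiedsudoer');
    }

    $backLink = Linker::link($this->getPageTitle(), $this->msg('openstackmanager-backsudoerlist')->escaped());
    $output->addHTML('<br />' . $backLink);
    return true;
}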
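/**
 * Create a service group for a project, together with its special service
 * user and the two sudo policies that go with it.
 *
 * The LDAP group name is always "<project>.<name>"; a caller that already
 * supplies the prefixed form is accepted as-is.
 *
 * @static
 * @param string $inGroupName Requested group name, with or without the project prefix
 * @param OpenStackNovaProject $project Project that owns the group
 * @param string|null $initialUser Username to add as first member, or falsy for none
 * @return null|OpenStackNovaServiceGroup The new group, or null when a required LDAP step failed
 */
static function createServiceGroup($inGroupName, $project, $initialUser) {
    global $wgAuth;
    global $wgOpenStackManagerLDAPDefaultShell;
    global $wgOpenStackManagerLDAPServiceGroupBaseDN;
    global $wgMemc;

    OpenStackNovaLdapConnection::connect();

    $projectPrefix = $project->getProjectName() . '.';
    # We don't want naming collisions between service groups and actual groups
    # or users. So, prepend $projectPrefix to the requested group name.
    if (strpos($inGroupName, $projectPrefix) === 0) {
        # The user was clever and already added the prefix.
        $groupName = $inGroupName;
        $simpleGroupName = substr($inGroupName, strlen($projectPrefix));
    } else {
        $groupName = $projectPrefix . $inGroupName;
        $simpleGroupName = $inGroupName;
    }
    # NOTE(review): $groupName is written into a sudoers command spec and a home
    # directory path below; this function does no character validation of its
    # own, so confirm the caller restricts the requested name to a safe charset.

    $initialUserDN = null;
    if ($initialUser) {
        $user = new OpenStackNovaUser($initialUser);
        if (!$user->userDN) {
            $wgAuth->printDebug("Unable to find initial user {$initialUser} for new group {$groupName}", NONSENSITIVE);
            return null;
        }
        $initialUserDN = $user->userDN;
    }

    # Drop any cached copy for this group name before creating the entry.
    $wgMemc->delete(wfMemcKey('openstackmanager', 'servicegroup', $groupName));

    $groupdn = 'cn=' . $groupName . ',' . $wgOpenStackManagerLDAPServiceGroupBaseDN;
    $group = array(
        'objectclass' => array('posixgroup', 'groupofnames'),
        'cn' => $groupName,
        'gidnumber' => OpenStackNovaUser::getNextIdNumber($wgAuth, 'gidnumber'),
        'member' => array(),
    );
    if ($initialUserDN !== null) {
        $group['member'][] = $initialUserDN;
    }

    if (!LdapAuthenticationPlugin::ldap_add($wgAuth->ldapconn, $groupdn, $group)) {
        $wgAuth->printDebug("Failed to add service group {$groupdn}", NONSENSITIVE);
        return null;
    }
    $wgAuth->printDebug("Successfully added service group {$groupdn}", NONSENSITIVE);

    # stamp out regular expressions!
    $homeDir = $project->getServiceGroupHomedirPattern();
    $homeDir = str_ireplace('%u', $simpleGroupName, $homeDir);
    $homeDir = str_ireplace('%p', $projectPrefix, $homeDir);

    # Now create the special SG member
    $newGroup = self::getServiceGroupByName($groupName, $project);
    if (!$newGroup) {
        # NOTE(review): assumes getServiceGroupByName() yields a falsy value when
        # the lookup fails; previously that case called a method on a non-object.
        $wgAuth->printDebug("Failed to look up newly added service group {$groupName}", NONSENSITIVE);
        return null;
    }
    $userdn = $newGroup->getSpecialUserDN();
    # The service user shares the group's id number as both uid and gid.
    $serviceUser = array(
        'objectclass' => array('shadowaccount', 'posixaccount', 'person', 'top'),
        'loginshell' => $wgOpenStackManagerLDAPDefaultShell,
        'homedirectory' => $homeDir,
        'uidnumber' => $group['gidnumber'],
        'gidnumber' => $group['gidnumber'],
        'uid' => $groupName,
        'sn' => $groupName,
        'cn' => $groupName,
    );
    if (!LdapAuthenticationPlugin::ldap_add($wgAuth->ldapconn, $userdn, $serviceUser)) {
        $wgAuth->printDebug("Failed to create service user {$userdn}", NONSENSITIVE);
        return null;
    }
    $wgAuth->printDebug("Successfully created service user {$userdn}", NONSENSITIVE);

    $projectName = $project->getProjectName();

    # Create Sudo policy so that the service user can chown files in its homedir.
    # Sudo policy failures are logged only; the group itself already exists.
    $chownCommand = '/bin/chown -R ' . $groupName . '\\:' . $groupName . ' ' . $homeDir;
    if (OpenStackNovaSudoer::createSudoer($groupName . '-chmod', $projectName, array($groupName), array(), array($chownCommand), array('!authenticate'))) {
        $wgAuth->printDebug("Successfully created chmod sudo policy for {$groupName}", NONSENSITIVE);
    } else {
        $wgAuth->printDebug("Failed to create chmod sudo policy for {$groupName}", NONSENSITIVE);
    }

    # Create Sudo policy so that members of the group can sudo as the service user
    if (OpenStackNovaSudoer::createSudoer('runas-' . $groupName, $projectName, array('%' . $groupName), array($groupName), array('ALL'), array('!authenticate'))) {
        $wgAuth->printDebug("Successfully created run-as sudo policy for {$groupName}", NONSENSITIVE);
    } else {
        $wgAuth->printDebug("Failed to create run-as sudo policy for {$groupName}", NONSENSITIVE);
    }

    return $newGroup;
}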
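/**
 * Deletes a project based on project name. This function will also delete all roles
 * associated with the project, its project group, its sudoers OU and its service groups.
 *
 * Failures in the per-role, per-sudoer and per-service-group steps are only logged;
 * the return value reflects whether the project entry itself was removed.
 *
 * @param $projectname String
 * @return bool true if the project entry was deleted, false otherwise
 */
static function deleteProject($projectname) {
    global $wgAuth;
    OpenStackNovaLdapConnection::connect();

    $project = new OpenStackNovaProject($projectname);
    $dn = $project->projectDN;
    # NOTE(review): `new` never yields a falsy value, so the former `if (!$project)`
    # check could not fire. Testing the DN mirrors how createServiceGroup() detects
    # a missing user via userDN — confirm projectDN is unset for unknown projects.
    if (!$dn) {
        return false;
    }
    $projectName = $project->getProjectName();
    # $wgAuth->ldapconn is re-read before each call rather than cached, since the
    # helper classes below call connect() themselves.

    # Projects can have roles as sub-entries, we need to delete them first
    $result = LdapAuthenticationPlugin::ldap_list($wgAuth->ldapconn, $dn, 'objectclass=*');
    $roles = $result ? LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result) : false;
    if (is_array($roles)) {
        # ldap_get_entries() puts the 'count' element first; it is not an entry.
        array_shift($roles);
        foreach ($roles as $role) {
            $roledn = $role['dn'];
            if (LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $roledn)) {
                $wgAuth->printDebug("Successfully deleted role {$roledn}", NONSENSITIVE);
            } else {
                $wgAuth->printDebug("Failed to delete role {$roledn}", NONSENSITIVE);
            }
        }
    }

    # Projects can have a separate group entry. If so, delete it now.
    if (OpenStackNovaProject::useProjectGroup()) {
        OpenStackNovaProjectGroup::deleteProjectGroup($projectname);
    }

    # Projects have a sudo OU and sudoers entries below that OU, we must delete them first
    foreach (OpenStackNovaSudoer::getAllSudoersByProject($projectName) as $sudoer) {
        $sudoerName = $sudoer->getSudoerName();
        if (OpenStackNovaSudoer::deleteSudoer($sudoerName, $projectName)) {
            $wgAuth->printDebug("Successfully deleted sudoer " . $sudoerName, NONSENSITIVE);
        } else {
            $wgAuth->printDebug("Failed to delete sudoer " . $sudoerName, NONSENSITIVE);
        }
    }
    $sudoersDN = $project->getSudoersDN();
    if (LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $sudoersDN)) {
        $wgAuth->printDebug("Successfully deleted sudoers OU " . $sudoersDN, NONSENSITIVE);
    } else {
        $wgAuth->printDebug("Failed to delete sudoers OU " . $sudoersDN, NONSENSITIVE);
    }

    # And, we need to clean up service groups.
    foreach ($project->getServiceGroups() as $group) {
        $groupName = $group->groupName;
        if (OpenStackNovaServiceGroup::deleteServiceGroup($groupName, $project)) {
            $wgAuth->printDebug("Successfully deleted service group " . $groupName, NONSENSITIVE);
        } else {
            $wgAuth->printDebug("Failed to delete service group " . $groupName, NONSENSITIVE);
        }
    }

    # Finally remove the project entry itself; this is the only step that
    # decides the return value.
    if (LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $dn)) {
        $wgAuth->printDebug("Successfully deleted project {$projectname}", NONSENSITIVE);
        return true;
    }
    $wgAuth->printDebug("Failed to delete project {$projectname}", NONSENSITIVE);
    return false;
}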