sdk/pam/arvados_pam/auth_event.py

   1 import arvados
   2 import syslog
   3
   4 def auth_log(msg):
   5     """Log an authentication result to syslogd"""
   6     syslog.openlog(facility=syslog.LOG_AUTH)
   7     syslog.syslog('arvados_pam: ' + msg)
   8     syslog.closelog()
   9
  10 class AuthEvent(object):
  11     def __init__(self, config, service, client_host, username, token):
  12         self.config = config
  13         self.service = service
  14         self.client_host = client_host
  15         self.username = username
  16         self.token = token
  17
  18         self.api_host = None
  19         self.vm_uuid = None
  20         self.user = None
  21
  22     def can_login(self):
  23         """Return truthy IFF credentials should be accepted."""
  24         ok = False
  25         try:
  26             self.api_host = self.config['arvados_api_host']
  27             self.arv = arvados.api('v1', host=self.api_host, token=self.token,
  28                                    insecure=self.config.get('insecure', False),
  29                                    cache=False)
  30
  31             vmname = self.config['virtual_machine_hostname']
  32             vms = self.arv.virtual_machines().list(filters=[['hostname','=',vmname]]).execute()
  33             if vms['items_available'] > 1:
  34                 raise Exception("lookup hostname %s returned %d records" % (vmname, vms['items_available']))
  35             if vms['items_available'] == 0:
  36                 raise Exception("lookup hostname %s not found" % vmname)
  37             vm = vms['items'][0]
  38             if vm['hostname'] != vmname:
  39                 raise Exception("lookup hostname %s returned hostname %s" % (vmname, vm['hostname']))
  40             self.vm_uuid = vm['uuid']
  41
  42             self.user = self.arv.users().current().execute()
  43
  44             filters = [
  45                 ['link_class','=','permission'],
  46                 ['name','=','can_login'],
  47                 ['head_uuid','=',self.vm_uuid],
  48                 ['tail_uuid','=',self.user['uuid']]]
  49             for l in self.arv.links().list(filters=filters, limit=10000).execute()['items']:
  50                 if (l['properties']['username'] == self.username and
  51                     l['tail_uuid'] == self.user['uuid'] and
  52                     l['head_uuid'] == self.vm_uuid and
  53                     l['link_class'] == 'permission' and
  54                     l['name'] == 'can_login'):
  55                     return self._report(True)
  56
  57             return self._report(False)
  58
  59         except Exception as e:
  60             return self._report(e)
  61
  62     def _report(self, result):
  63         """Log the result. Return truthy IFF result is True.
  64
  65         result must be True, False, or an exception.
  66         """
  67         self.result = result
  68         auth_log(self.message())
  69         return result == True
  70
  71     def message(self):
  72         """Return a log message describing the event and its outcome."""
  73         if isinstance(self.result, Exception):
  74             outcome = 'Error: ' + repr(self.result)
  75         elif self.result == True:
  76             outcome = 'Allow'
  77         else:
  78             outcome = 'Deny'
  79
  80         if len(self.token) > 40:
  81             log_token = self.token[0:15]
  82         else:
  83             log_token = '<invalid>'
  84
  85         log_label = [self.service, self.api_host, self.vm_uuid, self.client_host, self.username, log_token]
  86         if self.user:
  87             log_label += [self.user.get('uuid'), self.user.get('full_name')]
  88         return str(log_label) + ': ' + outcome