+++ /dev/null
-import syslog
-import sys
-sys.argv=['']
-import arvados
-import os
-
-def auth_log(msg):
- """Send errors to default auth log"""
- syslog.openlog(facility=syslog.LOG_AUTH)
- #syslog.openlog()
- syslog.syslog("libpam python Logged: " + msg)
- syslog.closelog()
-
-
-def check_arvados_token(requested_username, token):
- auth_log("%s %s" % (requested_username, token))
-
- try:
- f=file('/etc/default/arvados_pam')
- config=dict([l.split('=') for l in f.readlines() if not l.startswith('#') or l.strip()==""])
- arvados_api_host=config['ARVADOS_API_HOST'].strip()
- hostname=config['HOSTNAME'].strip()
- except Exception as e:
- auth_log("problem getting default values %s" % e)
- return False
-
- try:
- arv = arvados.api('v1',host=arvados_api_host, token=token, cache=None)
- except Exception as e:
- auth_log(str(e))
- return False
-
- try:
- matches = arv.virtual_machines().list(filters=[['hostname','=',hostname]]).execute()['items']
- except Exception as e:
- auth_log(str(e))
- return False
-
-
- if len(matches) != 1:
- auth_log("libpam_arvados could not determine vm uuid for '%s'" % hostname)
- return False
-
- this_vm_uuid = matches[0]['uuid']
- auth_log("this_vm_uuid: %s" % this_vm_uuid)
- client_user_uuid = arv.users().current().execute()['uuid']
-
- filters = [
- ['link_class','=','permission'],
- ['name','=','can_login'],
- ['head_uuid','=',this_vm_uuid],
- ['tail_uuid','=',client_user_uuid]]
-
- for l in arv.links().list(filters=filters).execute()['items']:
- if requested_username == l['properties']['username']:
- return True
- return False
-
-
-def pam_sm_authenticate(pamh, flags, argv):
- try:
- user = pamh.get_user()
- except pamh.exception, e:
- return e.pam_result
-
- if not user:
- return pamh.PAM_USER_UNKNOWN
-
- try:
- resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, ''))
- except pamh.exception, e:
- return e.pam_result
-
- try:
- check = check_arvados_token(user, resp.resp)
- except Exception as e:
- auth_log(str(e))
- return False
-
- if not check:
- auth_log("Auth failed Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
- return pamh.PAM_AUTH_ERR
-
- auth_log("Success! Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
- return pamh.PAM_SUCCESS
-
-def pam_sm_setcred(pamh, flags, argv):
- return pamh.PAM_SUCCESS
-
-def pam_sm_acct_mgmt(pamh, flags, argv):
- return pamh.PAM_SUCCESS
-
-def pam_sm_open_session(pamh, flags, argv):
- return pamh.PAM_SUCCESS
-
-def pam_sm_close_session(pamh, flags, argv):
- return pamh.PAM_SUCCESS
-
-def pam_sm_chauthtok(pamh, flags, argv):
- return pamh.PAM_SUCCESS