[Scripts/git/.git] / __init__.py

import os
import subprocess
import tempfile
import ldap
import ldap.filter

from django.contrib.auth.backends import RemoteUserBackend
from django.contrib.auth.hashers import UNUSABLE_PASSWORD
from django.contrib.auth.middleware import RemoteUserMiddleware
from django.contrib.auth.views import login
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.http import HttpResponseRedirect
from django.contrib import auth
from django.core.exceptions import ObjectDoesNotExist
from django.core.validators import URLValidator, ValidationError

from django.conf import settings

def zephyr(msg, clas='message', instance='log', rcpt='nobody',):
    proc = subprocess.Popen(
        ['zwrite', '-d', '-n', '-c', clas, '-i', instance, rcpt, ],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE
    )
    proc.communicate(msg)

def UrlOrAfsValidator(value):
    if value.startswith('/mit/') or value.startswith('/afs/'):
        return
    else:
        try:
            URLValidator()(value)
        except ValidationError:
            raise ValidationError('Provide a valid URL or AFS path')

def pag_check_helper(fn, args, aklog=False, ccname=None, **kwargs):
    if 'executable' in kwargs:
        raise ValueError('"executable" not supported with pag_check_*')

    env = None
    if 'env' in kwargs:
        env = kwargs['env']
        del kwargs['env']
    if ccname:
        if env is not None:
            env = dict(env)
        else:
            env = dict(os.environ)
        env['KRB5CCNAME'] = ccname

    pagsh_cmd = 'exec "$@"'
    if aklog: pagsh_cmd = "aklog && " + pagsh_cmd
    args = ['pagsh', '-c', pagsh_cmd, 'exec', ] + args

    return fn(args, env=env, **kwargs)

def pag_check_call(args, **kwargs):
    return pag_check_helper(subprocess.check_call, args, **kwargs)
def pag_check_output(args, **kwargs):
    return pag_check_helper(subprocess.check_output, args, **kwargs)

def kinit(keytab=None, principal=None, autodelete=True, ):
    if not keytab:
        keytab = settings.KRB_KEYTAB
    if not principal:
        principal = settings.KRB_PRINCIPAL
    assert keytab and principal
    fd = tempfile.NamedTemporaryFile(mode='rb', prefix="krb5cc_djmit_", delete=autodelete, )
    env = dict(KRB5CCNAME=fd.name)
    kinit_cmd = ['kinit', '-k', '-t', keytab, principal, ]
    subprocess.check_call(kinit_cmd, env=env)
    return fd

class ScriptsRemoteUserMiddleware(RemoteUserMiddleware):
    header = 'SSL_CLIENT_S_DN_Email'

class ScriptsRemoteUserBackend(RemoteUserBackend):
    def clean_username(self, username, ):
        if '@' in username:
            name, domain = username.split('@')
            assert domain.upper() == 'MIT.EDU'
            return name
        else:
            return username
    def configure_user(self, user, ):
        username = user.username
        user.password = UNUSABLE_PASSWORD
        con = ldap.open('ldap-too.mit.edu')
        con.simple_bind_s("", "")
        dn = "dc=mit,dc=edu"
        fields = ['cn', 'sn', 'givenName', 'mail', ]
        userfilter = ldap.filter.filter_format('uid=%s', [username])
        result = con.search_s('dc=mit,dc=edu', ldap.SCOPE_SUBTREE, userfilter, fields)
        if len(result) == 1:
            user.first_name = result[0][1]['givenName'][0]
            user.last_name = result[0][1]['sn'][0]
            try:
                user.email = result[0][1]['mail'][0]
            except KeyError:
                user.email = username + '@mit.edu'
            try:
                user.groups.add(auth.models.Group.objects.get(name='mit'))
            except ObjectDoesNotExist:
                print "Failed to retrieve mit group"
        else:
            raise ValueError, ("Could not find user with username '%s' (filter '%s')"%(username, userfilter))
        try:
            user.groups.add(auth.models.Group.objects.get(name='autocreated'))
        except ObjectDoesNotExist:
            print "Failed to retrieve autocreated group"
        user.save()
        return user

def get_or_create_mit_user(username, ):
    """
    Given an MIT username, return a Django user object for them.
    If necessary, create (and save) the Django user for them.
    If the MIT user doesn't exist, raises ValueError.
    """
    user, created = auth.models.User.objects.get_or_create(username=username, )
    if created:
        backend = ScriptsRemoteUserBackend()
        # Raises ValueError if the user doesn't exist
        try:
            return backend.configure_user(user), created
        except ValueError:
            user.delete()
            raise
    else:
        return user, created

def scripts_login(request, **kwargs):
    host = request.META['HTTP_HOST'].split(':')[0]
    if host == 'localhost':
        return login(request, **kwargs)
    elif request.META['SERVER_PORT'] == '444':
        if request.user.is_authenticated():
            # They're already authenticated --- go ahead and redirect
            if 'redirect_field_name' in kwargs:
                redirect_field_name = kwargs['redirect_field_names']
            else:
                from django.contrib.auth import REDIRECT_FIELD_NAME
                redirect_field_name = REDIRECT_FIELD_NAME
            redirect_to = request.REQUEST.get(redirect_field_name, '')
            if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
                redirect_to = settings.LOGIN_REDIRECT_URL
            return HttpResponseRedirect(redirect_to)
        else:
            return login(request, **kwargs)
    else:
        # Move to port 444
        redirect_to = "https://%s:444%s" % (host, request.META['REQUEST_URI'], )
        return HttpResponseRedirect(redirect_to)
Commit	Line	Data
20e2c5bc	1	import os
aec307d9	2	import subprocess
be3f03e7	3	import tempfile
aec307d9 AD	4	import ldap
	5	import ldap.filter
	6
e2ce65b9	7	from django.contrib.auth.backends import RemoteUserBackend
c6b6a6b9 AD	8	from django.contrib.auth.hashers import UNUSABLE_PASSWORD
c6b6a6b9 AD	9	from django.contrib.auth.middleware import RemoteUserMiddleware
2e0bd8fa AD	10	from django.contrib.auth.views import login
	11	from django.contrib.auth import REDIRECT_FIELD_NAME
	12	from django.http import HttpResponseRedirect
e2ce65b9 AD	13	from django.contrib import auth
e2ce65b9 AD	14	from django.core.exceptions import ObjectDoesNotExist
6650ee78 AD	15	from django.core.validators import URLValidator, ValidationError
6650ee78 AD	16
be3f03e7	17	from django.conf import settings
e2ce65b9	18
aec307d9 AD	19	def zephyr(msg, clas='message', instance='log', rcpt='nobody',):
	20	proc = subprocess.Popen(
	21	['zwrite', '-d', '-n', '-c', clas, '-i', instance, rcpt, ],
	22	stdin=subprocess.PIPE, stdout=subprocess.PIPE
	23	)
	24	proc.communicate(msg)
e2ce65b9	25
6650ee78 AD	26	def UrlOrAfsValidator(value):
	27	if value.startswith('/mit/') or value.startswith('/afs/'):
	28	return
	29	else:
	30	try:
	31	URLValidator()(value)
	32	except ValidationError:
	33	raise ValidationError('Provide a valid URL or AFS path')
	34
20e2c5bc AD	35	def pag_check_helper(fn, args, aklog=False, ccname=None, **kwargs):
	36	if 'executable' in kwargs:
	37	raise ValueError('"executable" not supported with pag_check_*')
	38
	39	env = None
	40	if 'env' in kwargs:
	41	env = kwargs['env']
	42	del kwargs['env']
	43	if ccname:
	44	if env is not None:
	45	env = dict(env)
	46	else:
	47	env = dict(os.environ)
	48	env['KRB5CCNAME'] = ccname
	49
	50	pagsh_cmd = 'exec "$@"'
	51	if aklog: pagsh_cmd = "aklog && " + pagsh_cmd
	52	args = ['pagsh', '-c', pagsh_cmd, 'exec', ] + args
	53
	54	return fn(args, env=env, **kwargs)
	55
	56	def pag_check_call(args, **kwargs):
	57	return pag_check_helper(subprocess.check_call, args, **kwargs)
	58	def pag_check_output(args, **kwargs):
	59	return pag_check_helper(subprocess.check_output, args, **kwargs)
	60
be3f03e7 AD	61	def kinit(keytab=None, principal=None, autodelete=True, ):
	62	if not keytab:
	63	keytab = settings.KRB_KEYTAB
	64	if not principal:
	65	principal = settings.KRB_PRINCIPAL
	66	assert keytab and principal
	67	fd = tempfile.NamedTemporaryFile(mode='rb', prefix="krb5cc_djmit_", delete=autodelete, )
	68	env = dict(KRB5CCNAME=fd.name)
	69	kinit_cmd = ['kinit', '-k', '-t', keytab, principal, ]
	70	subprocess.check_call(kinit_cmd, env=env)
	71	return fd
	72
e2ce65b9 AD	73	class ScriptsRemoteUserMiddleware(RemoteUserMiddleware):
	74	header = 'SSL_CLIENT_S_DN_Email'
	75
	76	class ScriptsRemoteUserBackend(RemoteUserBackend):
	77	def clean_username(self, username, ):
	78	if '@' in username:
	79	name, domain = username.split('@')
	80	assert domain.upper() == 'MIT.EDU'
	81	return name
	82	else:
	83	return username
	84	def configure_user(self, user, ):
	85	username = user.username
c6b6a6b9	86	user.password = UNUSABLE_PASSWORD
abab96a3	87	con = ldap.open('ldap-too.mit.edu')
e2ce65b9 AD	88	con.simple_bind_s("", "")
	89	dn = "dc=mit,dc=edu"
	90	fields = ['cn', 'sn', 'givenName', 'mail', ]
aec307d9 AD	91	userfilter = ldap.filter.filter_format('uid=%s', [username])
aec307d9 AD	92	result = con.search_s('dc=mit,dc=edu', ldap.SCOPE_SUBTREE, userfilter, fields)
e2ce65b9 AD	93	if len(result) == 1:
	94	user.first_name = result[0][1]['givenName'][0]
	95	user.last_name = result[0][1]['sn'][0]
23bea0e4 GT	96	try:
	97	user.email = result[0][1]['mail'][0]
	98	except KeyError:
	99	user.email = username + '@mit.edu'
e2ce65b9 AD	100	try:
	101	user.groups.add(auth.models.Group.objects.get(name='mit'))
	102	except ObjectDoesNotExist:
	103	print "Failed to retrieve mit group"
aec307d9 AD	104	else:
aec307d9 AD	105	raise ValueError, ("Could not find user with username '%s' (filter '%s')"%(username, userfilter))
e2ce65b9 AD	106	try:
	107	user.groups.add(auth.models.Group.objects.get(name='autocreated'))
	108	except ObjectDoesNotExist:
	109	print "Failed to retrieve autocreated group"
aec307d9	110	user.save()
e2ce65b9	111	return user
2e0bd8fa	112
d4bd5af8 AD	113	def get_or_create_mit_user(username, ):
	114	"""
	115	Given an MIT username, return a Django user object for them.
	116	If necessary, create (and save) the Django user for them.
	117	If the MIT user doesn't exist, raises ValueError.
	118	"""
	119	user, created = auth.models.User.objects.get_or_create(username=username, )
	120	if created:
	121	backend = ScriptsRemoteUserBackend()
	122	# Raises ValueError if the user doesn't exist
	123	try:
	124	return backend.configure_user(user), created
	125	except ValueError:
	126	user.delete()
	127	raise
	128	else:
	129	return user, created
	130
2e0bd8fa	131	def scripts_login(request, **kwargs):
4df1aef4 AD	132	host = request.META['HTTP_HOST'].split(':')[0]
4df1aef4 AD	133	if host == 'localhost':
2e0bd8fa AD	134	return login(request, **kwargs)
	135	elif request.META['SERVER_PORT'] == '444':
	136	if request.user.is_authenticated():
	137	# They're already authenticated --- go ahead and redirect
	138	if 'redirect_field_name' in kwargs:
	139	redirect_field_name = kwargs['redirect_field_names']
	140	else:
	141	from django.contrib.auth import REDIRECT_FIELD_NAME
	142	redirect_field_name = REDIRECT_FIELD_NAME
	143	redirect_to = request.REQUEST.get(redirect_field_name, '')
	144	if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
	145	redirect_to = settings.LOGIN_REDIRECT_URL
	146	return HttpResponseRedirect(redirect_to)
	147	else:
	148	return login(request, **kwargs)
	149	else:
	150	# Move to port 444
2e0bd8fa AD	151	redirect_to = "https://%s:444%s" % (host, request.META['REQUEST_URI'], )
2e0bd8fa AD	152	return HttpResponseRedirect(redirect_to)