def add_tracker_admin(configuration, cert_id, vgrid_name, tracker_dir, output_objects): """Add new Trac issue tracker owner""" cgi_tracker_var = os.path.join(tracker_dir, 'var') if not os.path.isdir(cgi_tracker_var): output_objects.append( {'object_type': 'text', 'text' : 'No tracker (%s) for %s %s - skipping tracker admin rights' \ % (tracker_dir, configuration.site_vgrid_label, vgrid_name) }) return (output_objects, returnvalues.SYSTEM_ERROR) try: admin_user = distinguished_name_to_user(cert_id) admin_id = admin_user.get(configuration.trac_id_field, 'unknown_id') # Give admin rights to owner using trac-admin command: # trac-admin tracker_dir deploy cgi_tracker_bin perms_cmd = [configuration.trac_admin_path, cgi_tracker_var, 'permission', 'add', admin_id, 'TRAC_ADMIN'] configuration.logger.info('provide admin rights to owner: %s' % \ perms_cmd) proc = subprocess.Popen(perms_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) proc.wait() if proc.returncode != 0: raise Exception("tracker permissions %s failed: %s (%d)" % \ (perms_cmd, proc.stdout.read(), proc.returncode)) return True except Exception, exc: output_objects.append( {'object_type': 'error_text', 'text' : 'Could not give %s tracker admin rights: %s' % (cert_id, exc) }) return False
def parse_contents(user_data): """Extract users from data dump - We simply catch all occurences of anything looking like a DN (/ABC=bla bla/DEF=more words/...) """ users = [] for user_creds in re.findall('/[a-zA-Z]+=[^<]+', user_data): user_dict = distinguished_name_to_user(user_creds) users.append(user_dict) return users
if len(sys.argv) < 2: usage() sys.exit(1) script = sys.argv[1] query = '' method = 'GET' run_as_dn = '/C=DK/ST=NA/L=NA/O=NBI/OU=NA/CN=Test User/[email protected]' if sys.argv[2:]: method = sys.argv[2] if sys.argv[:3]: query = sys.argv[3] if sys.argv[:4]: run_as_dn = sys.argv[4] run_as_user = distinguished_name_to_user(run_as_dn) extra_environment = { 'REQUEST_METHOD': method, 'SERVER_PROTOCOL': 'HTTP/1.1', 'GATEWAY_INTERFACE': 'CGI/1.1', 'PATH': '/bin:/usr/bin:/usr/local/bin', 'REMOTE_ADDR': '127.0.0.1', 'SSL_CLIENT_S_DN': run_as_user['distinguished_name'], 'SSL_CLIENT_S_DN_C': run_as_user['country'], 'SSL_CLIENT_S_DN_O': run_as_user['organization'], 'SSL_CLIENT_S_DN_OU': run_as_user['organizational_unit'], 'SSL_CLIENT_S_DN_L': run_as_user['locality'], 'SSL_CLIENT_S_DN_CN': run_as_user['full_name'], 'SSL_CLIENT_I_DN': '/C=DK/ST=Denmark/O=IMADA/OU=MiG/CN=MiGCA', 'SSL_CLIENT_I_DN_C': 'DK',
def main(client_id, user_arguments_dict): """Main function used by front end""" (configuration, logger, output_objects, op_name) = \ initialize_main_variables(client_id, op_header=False, op_menu=False) client_dir = client_id_dir(client_id) defaults = signature()[1] (validate_status, accepted) = validate_input(user_arguments_dict, defaults, output_objects, allow_rejects=False) if not validate_status: return (accepted, returnvalues.CLIENT_ERROR) title_entry = find_entry(output_objects, 'title') title_entry['text'] = '%s certificate request' % configuration.short_title title_entry['skipmenu'] = True form_fields = ['full_name', 'organization', 'email', 'country', 'state', 'password', 'verifypassword', 'comment'] title_entry['style'] = themed_styles(configuration) title_entry['javascript'] = cert_js_helpers(form_fields) output_objects.append({'object_type': 'html_form', 'text':''' <div id="contextual_help"> <div class="help_gfx_bubble"><!-- graphically connect field with help text --></div> <div class="help_message"><!-- filled by js --></div> </div> ''' }) header_entry = {'object_type': 'header', 'text' : 'Welcome to the %s certificate request page' % \ configuration.short_title} output_objects.append(header_entry) # Please note that base_dir must end in slash to avoid access to other # user dirs when own name is a prefix of another user name base_dir = os.path.abspath(os.path.join(configuration.user_home, client_dir)) + os.sep user_fields = {'full_name': '', 'organization': '', 'email': '', 'state': '', 'country': '', 'password': '', 'verifypassword': ''} if not os.path.isdir(base_dir) and client_id: # Redirect to extcert page with certificate requirement but without # changing access method (CGI vs. WSGI). extcert_url = os.environ['REQUEST_URI'].replace('-sid', '-bin') extcert_url = os.path.join(os.path.dirname(extcert_url), 'extcert.py') extcert_link = {'object_type': 'link', 'destination': extcert_url, 'text': 'Sign up with existing certificate (%s)' % client_id} output_objects.append({'object_type': 'warning', 'text' : 'Apparently you already have a suitable %s certificate that you may sign up with:' % \ configuration.short_title }) output_objects.append(extcert_link) output_objects.append({'object_type': 'warning', 'text' : 'However, if you want a dedicated %s certificate you can still request one below:' % \ configuration.short_title }) elif client_id: for entry in (title_entry, header_entry): entry['text'] = entry['text'].replace('request', 'request / renew') output_objects.append({'object_type': 'html_form', 'text' : '''<p> Apparently you already have a valid %s certificate, but if it is about to expire you can renew it by posting the form below. Renewal with changed fields is <span class=mandatory>not</span> supported, so all fields including your original password must remain unchanged for renew to work. Otherwise it results in a request for a new account and certificate without access to your old files, jobs and privileges.</p>''' % \ configuration.short_title}) user_fields.update(distinguished_name_to_user(client_id)) user_fields.update({ 'valid_name_chars': html_escape(valid_name_chars), 'valid_password_chars': html_escape(valid_password_chars), 'password_min_len': password_min_len, 'password_max_len': password_max_len, 'site': configuration.short_title }) output_objects.append({'object_type': 'html_form', 'text' : """ Please enter your information in at least the <span class=mandatory>mandatory</span> fields below and press the Send button to submit the certificate request to the %(site)s administrators. <p class='criticaltext highlight_message'> IMPORTANT: Please help us verify your identity by providing Organization and Email data that we can easily validate!<br /> That is, if You're a student/employee at KU, please enter institute acronym (NBI, DIKU, etc.) in the Organization field and use your corresponding [email protected] or USER@*.ku.dk address in the Email field. </p> <hr /> <div class=form_container> <!-- use post here to avoid field contents in URL --> <form method=post action=reqcertaction.py onSubmit='return validate_form();'> <table> <tr><td class='mandatory label'>Full name</td><td><input id='full_name_field' type=text name=cert_name value='%(full_name)s' /></td><td class=fill_space><br /></td></tr> <tr><td class='mandatory label'>Email address</td><td><input id='email_field' type=text name=email value='%(email)s' /> </td><td class=fill_space><br /></td></tr> <tr><td class='mandatory label'>Organization</td><td><input id='organization_field' type=text name=org value='%(organization)s' /></td><td class=fill_space><br /></td></tr> <tr><td class='mandatory label'>Two letter country-code</td><td><input id='country_field' type=text name=country maxlength=2 value='%(country)s' /></td><td class=fill_space><br /></td></tr> <tr><td class='optional label'>State</td><td><input id='state_field' type=text name=state value='%(state)s' /> </td><td class=fill_space><br /></td></tr> <tr><td class='mandatory label'>Password</td><td><input id='password_field' type=password name=password maxlength=%(password_max_len)s value='%(password)s' /> </td><td class=fill_space><br /></td></tr> <tr><td class='mandatory label'>Verify password</td><td><input id='verifypassword_field' type=password name=verifypassword maxlength=%(password_max_len)s value='%(verifypassword)s' /></td><td class=fill_space><br /></td></tr> <tr><td class='optional label'>Optional comment or reason why you should<br />be granted a %(site)s certificate:</td><td><textarea id='comment_field' rows=4 name=comment></textarea></td><td class=fill_space><br /></td></tr> <tr><td class='label'><!-- empty area --></td><td><input id='submit_button' type=submit value=Send /></td><td class=fill_space><br /></td></tr> </table> </form> </div> <hr /> <br /> <div class='warn_message'>Please note that passwords may be accessible to the %(site)s administrators!</div> <br /> <!-- Hidden help text --> <div id='help_text'> <div id='full_name_help'>Your full name, restricted to the characters in '%(valid_name_chars)s'</div> <div id='organization_help'>Organization name or acronym matching email</div> <div id='email_help'>Email address associated with your organization if at all possible</div> <div id='country_help'>Country code of your organization and on the form DE/DK/GB/US/.. , <a href='http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.html'>help</a></div> <div id='state_help'>Optional state of your organization, please just leave empty unless it is in the US or similar</div> <div id='password_help'>Password is restricted to the characters in '%(valid_password_chars)s and must be %(password_min_len)s to %(password_max_len)s characters long'</div> <div id='verifypassword_help'>Please repeat password</div> <div id='comment_help'>Optional, but a short informative comment may help us verify your certificate needs and thus speed up our response.</div> </div> """ % user_fields}) return (output_objects, returnvalues.OK)
def main(client_id, user_arguments_dict, environ=None): """Main function used by front end""" if environ is None: environ = os.environ (configuration, logger, output_objects, op_name) = \ initialize_main_variables(client_id, op_header=False, op_menu=False) logger = configuration.logger logger.info('%s: args: %s' % (op_name, user_arguments_dict)) prefilter_map = {} output_objects.append({'object_type': 'header', 'text' : 'Automatic %s sign up' % \ configuration.short_title }) identity = extract_client_openid(configuration, environ, lookup_dn=False) if client_id and client_id == identity: login_type = 'cert' base_url = configuration.migserver_https_cert_url elif identity: login_type = 'oid' base_url = configuration.migserver_https_oid_url for name in ('openid.sreg.cn', 'openid.sreg.fullname', 'openid.sreg.full_name'): prefilter_map[name] = filter_commonname else: output_objects.append( {'object_type': 'error_text', 'text': 'Missing user credentials'}) return (output_objects, returnvalues.CLIENT_ERROR) defaults = signature(login_type)[1] (validate_status, accepted) = validate_input( user_arguments_dict, defaults, output_objects, allow_rejects=False, prefilter_map=prefilter_map) if not validate_status: logger.warning('%s invalid input: %s' % (op_name, accepted)) return (accepted, returnvalues.CLIENT_ERROR) logger.debug('Accepted arguments: %s' % accepted) # Unfortunately OpenID redirect does not use POST if login_type != 'oid' and not correct_handler('POST'): output_objects.append( {'object_type': 'error_text', 'text' : 'Only accepting POST requests to prevent unintended updates'}) return (output_objects, returnvalues.CLIENT_ERROR) admin_email = configuration.admin_email openid_names, oid_extras = [], {} # Extract raw values if login_type == 'cert': uniq_id = accepted['cert_id'][-1].strip() raw_name = accepted['cert_name'][-1].strip() country = accepted['country'][-1].strip() state = accepted['state'][-1].strip() org = accepted['org'][-1].strip() org_unit = '' role = ','.join([i for i in accepted['role'] if i]) locality = '' timezone = '' email = accepted['email'][-1].strip() raw_login = None elif login_type == 'oid': uniq_id = accepted['openid.sreg.nickname'][-1].strip() or \ accepted['openid.sreg.short_id'][-1].strip() raw_name = accepted['openid.sreg.fullname'][-1].strip() or \ accepted['openid.sreg.full_name'][-1].strip() country = accepted['openid.sreg.country'][-1].strip() state = accepted['openid.sreg.state'][-1].strip() org = accepted['openid.sreg.o'][-1].strip() or \ accepted['openid.sreg.organization'][-1].strip() org_unit = accepted['openid.sreg.ou'][-1].strip() or \ accepted['openid.sreg.organizational_unit'][-1].strip() # We may receive multiple roles role = ','.join([i for i in accepted['openid.sreg.role'] if i]) locality = accepted['openid.sreg.locality'][-1].strip() timezone = accepted['openid.sreg.timezone'][-1].strip() email = accepted['openid.sreg.email'][-1].strip() # Fix case of values: # force name to capitalized form (henrik karlsen -> Henrik Karlsen) # please note that we get utf8 coded bytes here and title() treats such # chars as word termination. Temporarily force to unicode. try: full_name = force_utf8(force_unicode(raw_name).title()) except Exception: logger.warning("could not use unicode form to capitalize full name") full_name = raw_name.title() country = country.upper() state = state.upper() email = email.lower() if login_type == 'oid': # Remap some oid attributes if on kit format with faculty in # organization and institute in organizational_unit. We can add them # as different fields as long as we make sure the x509 fields are # preserved. # We do that to allow autocreate updating existing cert users. if org_unit not in ('', 'NA'): org_unit = org_unit.upper() oid_extras['faculty'] = org oid_extras['institute'] = org_unit org = org_unit.upper() org_unit = 'NA' # Stay on virtual host - extra useful while we test dual OpenID base_url = environ.get('REQUEST_URI', base_url).split('?')[0].replace('autocreate', 'fileman') raw_login = None for oid_provider in configuration.user_openid_providers: openid_prefix = oid_provider.rstrip('/') + '/' if identity.startswith(openid_prefix): raw_login = identity.replace(openid_prefix, '') break if raw_login: openid_names.append(raw_login) # we should have the proxy file read... proxy_content = accepted['proxy_upload'][-1] # keep comment to a single line comment = accepted['comment'][-1].replace('\n', ' ') # single quotes break command line format - remove comment = comment.replace("'", ' ') user_dict = { 'short_id': uniq_id, 'full_name': full_name, 'organization': org, 'organizational_unit': org_unit, 'locality': locality, 'state': state, 'country': country, 'email': email, 'role': role, 'timezone': timezone, 'password': '', 'comment': '%s: %s' % ('Existing certificate', comment), 'openid_names': openid_names, } user_dict.update(oid_extras) # We must receive some ID from the provider if not uniq_id and not email: output_objects.append( {'object_type': 'error_text', 'text' : 'No ID information received!'}) if accepted.get('openid.sreg.required', '') and \ identity: # Stay on virtual host - extra useful while we test dual OpenID url = environ.get('REQUEST_URI', base_url).split('?')[0].replace('autocreate', 'logout') output_objects.append( {'object_type': 'text', 'text': '''Please note that sign-up for OpenID access does not work if you are already signed in with your OpenID provider - and that appears to be the case now. You probably have to reload this page after you explicitly '''}) output_objects.append( {'object_type': 'link', 'destination': url, 'target': '_blank', 'text': "Logout" }) return (output_objects, returnvalues.CLIENT_ERROR) if login_type == 'cert': user_dict['expire'] = int(time.time() + cert_valid_days * 24 * 60 * 60) try: distinguished_name_to_user(uniq_id) user_dict['distinguished_name'] = uniq_id except: output_objects.append({'object_type': 'error_text', 'text' : '''Illegal Distinguished name: Please note that the distinguished name must be a valid certificate DN with multiple "key=val" fields separated by "/". '''}) return (output_objects, returnvalues.CLIENT_ERROR) elif login_type == 'oid': user_dict['expire'] = int(time.time() + oid_valid_days * 24 * 60 * 60) fill_distinguished_name(user_dict) uniq_id = user_dict['distinguished_name'] # If server allows automatic addition of users with a CA validated cert # we create the user immediately and skip mail if login_type == 'cert' and configuration.auto_add_cert_user or \ login_type == 'oid' and configuration.auto_add_oid_user: fill_user(user_dict) logger.info('create user: %s' % user_dict) # Now all user fields are set and we can begin adding the user db_path = os.path.join(configuration.mig_server_home, user_db_filename) try: create_user(user_dict, configuration.config_file, db_path, ask_renew=False, default_renew=True) if configuration.site_enable_griddk and \ accepted['proxy_upload'] != ['']: # save the file, display expiration date proxy_out = handle_proxy(proxy_content, uniq_id, configuration) output_objects.extend(proxy_out) except Exception, err: logger.error('create failed for %s: %s' % (uniq_id, err)) output_objects.append( {'object_type': 'error_text', 'text' : '''Could not create the user account for you: Please report this problem to the grid administrators (%s).''' % \ admin_email}) return (output_objects, returnvalues.SYSTEM_ERROR) output_objects.append({'object_type': 'html_form', 'text' : '''Created the user account for you - please open <a href="%s">your personal page</a> to proceed using it. ''' % base_url}) return (output_objects, returnvalues.OK)
def create_tracker( configuration, client_id, vgrid_name, tracker_dir, scm_dir, output_objects, repair=False ): """Create new Trac issue tracker bound to SCM repository if given""" logger = configuration.logger kind = 'member' tracker_alias = 'vgridtracker' admin_user = distinguished_name_to_user(client_id) admin_email = admin_user.get('email', '*****@*****.**') admin_id = admin_user.get(configuration.trac_id_field, 'unknown_id') server_url = configuration.migserver_https_default_url if tracker_dir.find('private') > -1: kind = 'owner' tracker_alias = 'vgridownertracker' server_url = configuration.migserver_https_default_url elif tracker_dir.find('public') > -1: kind = 'public' tracker_alias = 'vgridpublictracker' server_url = configuration.migserver_http_url tracker_url = os.path.join(server_url, tracker_alias, vgrid_name) # Trac init is documented at http://trac.edgewall.org/wiki/TracAdmin target_tracker_var = os.path.join(tracker_dir, 'var') target_tracker_conf = os.path.join(target_tracker_var, 'conf') target_tracker_conf_file = os.path.join(target_tracker_conf, 'trac.ini') tracker_db = 'sqlite:db/trac.db' # NB: deploy command requires an empty directory target # We create a lib dir where it creates cgi-bin and htdocs subdirs # and we then symlink both a parent cgi-bin and wsgi-bin to it target_tracker_deploy = os.path.join(tracker_dir, 'lib') target_tracker_bin = os.path.join(target_tracker_deploy, 'cgi-bin') target_tracker_cgi_link = os.path.join(tracker_dir, 'cgi-bin') target_tracker_wsgi_link = os.path.join(tracker_dir, 'wsgi-bin') target_tracker_gvcache = os.path.join(target_tracker_var, 'gvcache') target_tracker_downloads = os.path.join(target_tracker_var, 'downloads') target_tracker_log = os.path.join(target_tracker_var, 'log') target_tracker_log_file = os.path.join(target_tracker_log, 'trac.log') repo_base = 'repo' target_scm_repo = os.path.join(scm_dir, repo_base) project_name = '%s %s project tracker' % (vgrid_name, kind) create_cmd = None create_status = True # Trac requires this for certain versions of setuptools # http://trac.edgewall.org/wiki/setuptools admin_env = os.environ.copy() admin_env["PKG_RESOURCES_CACHE_ZIP_MANIFESTS"] = "1" try: # Create tracker directory if not repair or not os.path.isdir(tracker_dir): logger.info('create tracker dir: %s' % tracker_dir) os.mkdir(tracker_dir) else: logger.info('write enable tracker dir: %s' % tracker_dir) os.chmod(tracker_dir, 0755) # Create Trac project that uses local storage. # In this way modification to one vgrid tracker will not affect others. if not repair or not os.path.isdir(target_tracker_var): # Init tracker with trac-admin command: # trac-admin tracker_dir initenv projectname db respostype repospath create_cmd = [configuration.trac_admin_path, target_tracker_var, 'initenv', vgrid_name, tracker_db, 'hg', target_scm_repo] # Trac may fail silently if ini file is missing if configuration.trac_ini_path and \ os.path.exists(configuration.trac_ini_path): create_cmd.append('--inherit=%s' % configuration.trac_ini_path) # IMPORTANT: trac commands are quite verbose and will cause trouble # if the stdout/err is not handled (Popen vs call) logger.info('create tracker project: %s' % create_cmd) proc = subprocess.Popen(create_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=admin_env) proc.wait() if proc.returncode != 0: raise Exception("tracker creation %s failed: %s (%d)" % \ (create_cmd, proc.stdout.read(), proc.returncode)) # We want to customize generated project trac.ini with project info conf = ConfigParser.SafeConfigParser() conf.read(target_tracker_conf_file) conf_overrides = { 'trac': { 'base_url': tracker_url, }, 'project': { 'admin': admin_email, 'descr': project_name, 'footer': "", 'url': tracker_url, }, 'header_logo': { 'height': -1, 'width': -1, 'src': os.path.join(server_url, 'images', 'site-logo.png'), 'link': '', }, } if configuration.smtp_server: (from_name, from_addr) = parseaddr(configuration.smtp_sender) from_name += ": %s %s project tracker" % (vgrid_name, kind) conf_overrides['notification'] = { 'smtp_from': from_addr, 'smtp_from_name': from_name, 'smtp_server': configuration.smtp_server, 'smtp_enabled': True, } for (section, options) in conf_overrides.items(): if not conf.has_section(section): conf.add_section(section) for (key, val) in options.items(): conf.set(section, key, str(val)) project_conf = open(target_tracker_conf_file, "w") project_conf.write("# -*- coding: utf-8 -*-\n") # dump entire conf file for section in conf.sections(): project_conf.write("\n[%s]\n" % section) for option in conf.options(section): project_conf.write("%s = %s\n" % (option, conf.get(section, option))) project_conf.close() if not repair or not os.path.isdir(target_tracker_deploy): # Some plugins require DB changes so we always force DB update here # Upgrade environment using trac-admin command: # trac-admin tracker_dir upgrade upgrade_cmd = [configuration.trac_admin_path, target_tracker_var, 'upgrade'] logger.info('upgrade project tracker database: %s' % upgrade_cmd) proc = subprocess.Popen(upgrade_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=admin_env) proc.wait() if proc.returncode != 0: raise Exception("tracker 1st upgrade db %s failed: %s (%d)" % \ (upgrade_cmd, proc.stdout.read(), proc.returncode)) # Create cgi-bin with scripts using trac-admin command: # trac-admin tracker_dir deploy target_tracker_bin deploy_cmd = [configuration.trac_admin_path, target_tracker_var, 'deploy', target_tracker_deploy] logger.info('deploy tracker project: %s' % deploy_cmd) proc = subprocess.Popen(deploy_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=admin_env) proc.wait() if proc.returncode != 0: raise Exception("tracker deployment %s failed: %s (%d)" % \ (deploy_cmd, proc.stdout.read(), proc.returncode)) if not repair or not os.path.isdir(target_tracker_cgi_link): os.chmod(target_tracker_var, 0755) os.symlink(target_tracker_bin, target_tracker_cgi_link) if not repair or not os.path.isdir(target_tracker_wsgi_link): os.chmod(target_tracker_var, 0755) os.symlink(target_tracker_bin, target_tracker_wsgi_link) if not repair or not os.path.isdir(target_tracker_gvcache): os.chmod(target_tracker_var, 0755) os.mkdir(target_tracker_gvcache) if not repair or not os.path.isdir(target_tracker_downloads): os.chmod(target_tracker_var, 0755) os.mkdir(target_tracker_downloads) if not repair or not os.path.isfile(target_tracker_log_file): os.chmod(target_tracker_log, 0755) open(target_tracker_log_file, 'w').close() if not repair or create_cmd: # Give admin rights to creator using trac-admin command: # trac-admin tracker_dir permission add ADMIN_ID PERMISSION perms_cmd = [configuration.trac_admin_path, target_tracker_var, 'permission', 'add', admin_id, 'TRAC_ADMIN'] logger.info('provide admin rights to creator: %s' % perms_cmd) proc = subprocess.Popen(perms_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) proc.wait() if proc.returncode != 0: raise Exception("tracker permissions %s failed: %s (%d)" % \ (perms_cmd, proc.stdout.read(), proc.returncode)) # Customize Wiki front page using trac-admin commands: # trac-admin tracker_dir wiki export WikiStart tracinfo.txt # trac-admin tracker_dir wiki import AboutTrac tracinfo.txt # trac-admin tracker_dir wiki import WikiStart welcome.txt # trac-admin tracker_dir wiki import SiteStyle style.txt settings = {'vgrid_name': vgrid_name, 'kind': kind, 'cap_kind': kind.capitalize(), 'server_url': server_url, 'css_wikipage': 'SiteStyle', '_label': configuration.site_vgrid_label} if kind == 'public': settings['access_limit'] = "public" settings['login_info'] = """ This %(access_limit)s page requires you to register to get a login. The owners of the %(_label)s will then need to give you access as they see fit. """ % settings else: settings['access_limit'] = "private" settings['login_info'] = """ These %(access_limit)s pages use your certificate for login. This means that you just need to click [/login login] to ''automatically'' sign in with your certificate ID. Owners of a %(_label)s can login and access the [/admin Admin] menu where they can configure fine grained access permissions for all other users with access to the tracker. Please contact the owners of this %(_label)s if you require greater tracker access. """ % settings intro_text = \ """= %(cap_kind)s %(vgrid_name)s Project Tracker = Welcome to the ''%(access_limit)s'' %(kind)s project management site for the '''%(vgrid_name)s''' %(_label)s. It interfaces with the corresponding code repository for the %(_label)s and provides a number of tools to help software development and project management. == Quick Intro == This particular page is a Wiki page which means that all ''authorized'' %(vgrid_name)s users can edit it. Generally wou need to [/login login] at the top of the page to get access to most of the features here. The navigation menu provides buttons to access * this [/wiki Wiki] with customizable contents * a [/roadmap Project Roadmap] with goals and progress * the [/browser Code Browser] with access to the %(kind)s SCM repository * the [/report Ticket Overview] page with pending tasks or issues * ... and so on. %(login_info)s == Look and Feel == The look and feel of this project tracker can be customized with ordinary CSS through the %(css_wikipage)s Wiki page. Simply create that page and go ahead with style changes as you see fit. == Limitations == For security reasons all project trackers are quite locked down to avoid abuse. This implies a number of restrictions on the freedom to fully tweak them e.g. by installing additional plugins or modifying the core configuration. == Further Information == Please see TitleIndex for a complete list of local wiki pages or refer to TracIntro for additional information and help on using Trac. """ % settings style_text = """/* CSS settings for %(cap_kind)s %(vgrid_name)s project tracker. Uncomment or add your style rules below to modify the look and feel of all the tracker pages. The example rules target the major page sections, but you can view the full page source to find additional style targets. */ /* body { background: #ccc; background: transparent url('/images/pattern.png'); color: #000; margin: 0; padding: 0; } #banner,#main,#footer { background: white; border: 1px solid black; border-radius: 4px; -moz-border-radius: 4px; padding: 8px; margin: 4px; } #main { /* Prevent footer overlap with menu */ min-height: 500px; } #ctxnav,#mainnav { margin: 4px; } #header { } #logo img { } */ """ % settings trac_fd, wiki_fd = NamedTemporaryFile(), NamedTemporaryFile() style_fd = NamedTemporaryFile() trac_tmp, wiki_tmp = trac_fd.name, wiki_fd.name style_tmp = style_fd.name trac_fd.close() wiki_fd.write(intro_text) wiki_fd.flush() style_fd.write(style_text) style_fd.flush() for (act, page, path) in [('export', 'WikiStart', trac_tmp), ('import', 'TracIntro', trac_tmp), ('import', 'WikiStart', wiki_tmp), ('import', 'SiteStyle', style_tmp)]: wiki_cmd = [configuration.trac_admin_path, target_tracker_var, 'wiki', act, page, path] logger.info('wiki %s %s: %s' % (act, page, wiki_cmd)) proc = subprocess.Popen(wiki_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) proc.wait() if proc.returncode != 0: raise Exception("tracker wiki %s failed: %s (%d)" % \ (perms_cmd, proc.stdout.read(), proc.returncode)) wiki_fd.close() # Some plugins require DB changes so we always force DB update here # Upgrade environment using trac-admin command: # trac-admin tracker_dir upgrade upgrade_cmd = [configuration.trac_admin_path, target_tracker_var, 'upgrade'] logger.info('upgrade project tracker database: %s' % upgrade_cmd) proc = subprocess.Popen(upgrade_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=admin_env) proc.wait() if proc.returncode != 0: raise Exception("tracker 2nd upgrade db %s failed: %s (%d)" % \ (upgrade_cmd, proc.stdout.read(), proc.returncode)) if repair: # Touch WSGI scripts to force reload of running instances for name in os.listdir(target_tracker_wsgi_link): os.utime(os.path.join(target_tracker_wsgi_link, name), None) except Exception, exc: create_status = False logger.error('create %s tracker failed: %s' % \ (configuration.site_vgrid_label, exc)) output_objects.append({'object_type': 'error_text', 'text' : 'Could not create %s tracker: %s' % (configuration.site_vgrid_label, exc)})
def main(client_id, user_arguments_dict): """Main function used by front end""" (configuration, logger, output_objects, op_name) = \ initialize_main_variables(client_id, op_header=False) defaults = signature()[1] (validate_status, accepted) = validate_input_and_cert( user_arguments_dict, defaults, output_objects, client_id, configuration, allow_rejects=False, require_user=False ) if not validate_status: return (accepted, returnvalues.CLIENT_ERROR) title_entry = find_entry(output_objects, 'title') title_entry['text'] = '%s certificate sign up' % configuration.short_title title_entry['skipmenu'] = True form_fields = ['cert_id', 'cert_name', 'organization', 'email', 'country', 'state', 'comment'] title_entry['style'] = themed_styles(configuration) title_entry['javascript'] = cert_js_helpers(form_fields) output_objects.append({'object_type': 'html_form', 'text':''' <div id="contextual_help"> <div class="help_gfx_bubble"><!-- graphically connect field with help text--></div> <div class="help_message"><!-- filled by js --></div> </div> ''' }) header_entry = {'object_type': 'header', 'text' : 'Welcome to the %s certificate sign up page' % \ configuration.short_title} output_objects.append(header_entry) # Redirect to reqcert page without certificate requirement but without # changing access method (CGI vs. WSGI). certreq_url = os.environ['REQUEST_URI'].replace('-bin', '-sid') certreq_url = os.path.join(os.path.dirname(certreq_url), 'reqcert.py') certreq_link = {'object_type': 'link', 'destination': certreq_url, 'text': 'Request a new %s certificate' % \ configuration.short_title } new_user = distinguished_name_to_user(client_id) # If cert auto create is on, add user without admin interaction if configuration.auto_add_cert_user == False: extcertaction = 'extcertaction.py' else: extcertaction = 'autocreate.py' output_objects.append({'object_type': 'html_form', 'text' : """ This page is used to sign up for %(site)s with an existing certificate from a Certificate Authority (CA) allowed for %(site)s. You can use it if you already have a x509 certificate from another accepted CA. In this way you can simply use your existing certificate for %(site)s access instead of requesting a new one. <br /> The page tries to auto load any certificate your browser provides and fill in the fields accordingly, but in case it can't guess all <span class=mandatory>mandatory</span> fields, you still need to fill in those.<br /> Please enter any missing information below and press the Send button to submit the external certificate sign up request to the %(site)s administrators. <p class='criticaltext highlight_message'>IMPORTANT: Please help us verify your identity by providing Organization and Email data that we can easily validate!<br /> That is, if You're a student/employee at KU, please enter institute acronym (NBI, DIKU, etc.) in the Organization field and use your corresponding [email protected] or USER@*.ku.dk address in the Email field.</p> <hr /> <div class=form_container> <!-- use post here to avoid field contents in URL --> <form method=post action=%(extcertaction)s onSubmit='return validate_form();'> <table> <tr><td class='mandatory label'>Certificate DN</td><td><input id='cert_id_field' type=text size=%(dn_max_len)s maxlength=%(dn_max_len)s name=cert_id value='%(client_id)s' /></td><td class=fill_space></td></tr> <tr><td class='mandatory label'>Full name</td><td><input id='cert_name_field' type=text name=cert_name value='%(common_name)s' /></td><td class=fill_space></td></tr> <tr><td class='mandatory label'>Email address</td><td><input id='email_field' type=text name=email value='%(email)s' /></td><td class=fill_space></td></tr> <tr><td class='mandatory label'>Organization</td><td><input id='organization_field' type=text name=org value='%(org)s' /></td><td class=fill_space></td></tr> <tr><td class='mandatory label'>Two letter country-code</td><td><input id='country_field' type=text name=country maxlength=2 value='%(country)s' /></td><td class=fill_space></td></tr> <tr><td class='optional label'>State</td><td><input id='state_field' type=text name=state value='%(state)s' /></td><td class=fill_space></td></tr> <tr><td class='optional label'>Comment or reason why you should<br />be granted a %(site)s certificate:</td><td><textarea id='comment_field' rows=4 name=comment></textarea></td><td class=fill_space></td></tr> <tr><td class='label'><!-- empty area --></td><td><input id='submit_button' type='submit' value='Send' /></td><td class=fill_space></td></tr> </table> </form> </div> <!-- Hidden help text --> <div id='help_text'> <div id='cert_id_help'>Must be the exact Distinguished Name (DN) of your certificate</div> <div id='cert_name_help'>Your full name, restricted to the characters in '%(valid_name_chars)s'</div> <div id='organization_help'>Organization name or acronym matching email</div> <div id='email_help'>Email address associated with your organization if at all possible</div> <div id='country_help'>Country code of your organization and on the form DE/DK/GB/US/.. , <a href='http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.html'>help</a></div> <div id='state_help'>Optional state of your organization, please just leave empty unless it is in the US or similar</div> <div id='comment_help'>Optional, but a short informative comment may help us verify your certificate needs and thus speed up our response.</div> </div> """ % { 'extcertaction': extcertaction, 'valid_name_chars': valid_name_chars, 'client_id': client_id, 'dn_max_len': dn_max_len, 'common_name': new_user.get('full_name', ''), 'org': new_user.get('organization', ''), 'email': new_user.get('email', ''), 'state': new_user.get('state', ''), 'country': new_user.get('country', ''), 'site': configuration.short_title, }}) return (output_objects, returnvalues.OK)
sys.exit(1) if args: user_dict['full_name'] = args[0] try: user_dict['organization'] = args[1] user_dict['state'] = args[2] user_dict['country'] = args[3] user_dict['email'] = args[4] except IndexError: # Ignore missing optional arguments pass elif user_id: user_dict = distinguished_name_to_user(user_id) else: print 'Please enter the details for the user to be removed:' user_dict['full_name'] = raw_input('Full Name: ').title() user_dict['organization'] = raw_input('Organization: ') user_dict['state'] = raw_input('State: ') user_dict['country'] = raw_input('2-letter Country Code: ') user_dict['email'] = raw_input('Email: ') if not user_dict.has_key('distinguished_name'): fill_distinguished_name(user_dict) fill_user(user_dict) # Now all user fields are set and we can begin deleting the user
def main(client_id, user_arguments_dict): """Main function used by front end""" (configuration, logger, output_objects, op_name) = \ initialize_main_variables(client_id, op_header=False) output_objects.append({'object_type': 'header', 'text' : '%s external certificate sign up' % \ configuration.short_title }) defaults = signature()[1] (validate_status, accepted) = validate_input_and_cert( user_arguments_dict, defaults, output_objects, client_id, configuration, allow_rejects=False, require_user=False ) if not validate_status: logger.warning('%s invalid input: %s' % (op_name, accepted)) return (accepted, returnvalues.CLIENT_ERROR) if not correct_handler('POST'): output_objects.append( {'object_type': 'error_text', 'text' : 'Only accepting POST requests to prevent unintended updates'}) return (output_objects, returnvalues.CLIENT_ERROR) admin_email = configuration.admin_email smtp_server = configuration.smtp_server user_pending = os.path.abspath(configuration.user_pending) cert_id = accepted['cert_id'][-1].strip() # force name to capitalized form (henrik karlsen -> Henrik Karlsen) # please note that we get utf8 coded bytes here and title() treats such # chars as word termination. Temporarily force to unicode. raw_name = accepted['cert_name'][-1].strip() try: cert_name = force_utf8(force_unicode(raw_name).title()) except Exception: cert_name = raw_name.title() country = accepted['country'][-1].strip().upper() state = accepted['state'][-1].strip().title() org = accepted['org'][-1].strip() # lower case email address email = accepted['email'][-1].strip().lower() # keep comment to a single line comment = accepted['comment'][-1].replace('\n', ' ') # single quotes break command line format - remove comment = comment.replace("'", ' ') is_diku_email = False is_diku_org = False if email.find('@diku.dk') != -1: is_diku_email = True if 'DIKU' == org.upper(): # Consistent upper casing org = org.upper() is_diku_org = True if is_diku_org != is_diku_email: output_objects.append({'object_type': 'error_text', 'text' : '''Illegal email and organization combination: Please read and follow the instructions in red on the request page! If you are a DIKU student with only a @*.ku.dk address please just use KU as organization. As long as you state that you want the certificate for DIKU purposes in the comment field, you will be given access to the necessary resources anyway. '''}) return (output_objects, returnvalues.CLIENT_ERROR) try: distinguished_name_to_user(cert_id) except: output_objects.append({'object_type': 'error_text', 'text' : '''Illegal Distinguished name: Please note that the distinguished name must be a valid certificate DN with multiple "key=val" fields separated by "/". '''}) return (output_objects, returnvalues.CLIENT_ERROR) user_dict = { 'distinguished_name': cert_id, 'full_name': cert_name, 'organization': org, 'state': state, 'country': country, 'email': email, 'password': '', 'comment': '%s: %s' % ('Existing certificate', comment), 'expire': int(time.time() + cert_valid_days * 24 * 60 * 60), 'openid_names': [], } fill_distinguished_name(user_dict) user_id = user_dict['distinguished_name'] if configuration.user_openid_providers and configuration.user_openid_alias: user_dict['openid_names'] += \ [user_dict[configuration.user_openid_alias]] logger.info('got extcert request: %s' % user_dict) # If server allows automatic addition of users with a CA validated cert # we create the user immediately and skip mail if configuration.auto_add_cert_user: fill_user(user_dict) # Now all user fields are set and we can begin adding the user db_path = os.path.join(configuration.mig_server_home, user_db_filename) try: create_user(user_dict, configuration.config_file, db_path, ask_renew=False) except Exception, err: logger.error('Failed to create user with existing cert %s: %s' % (cert_id, err)) output_objects.append( {'object_type': 'error_text', 'text' : '''Could not create the user account for you: Please report this problem to the grid administrators (%s).''' % \ admin_email}) return (output_objects, returnvalues.SYSTEM_ERROR) output_objects.append({'object_type': 'text', 'text' : '''Created the user account for you: Please use the navigation menu to the left to proceed using it. '''}) return (output_objects, returnvalues.OK)