The branch, build-main has been updated via 2b634eef55315243b77ad07cd81d2c8e722e2542 (commit) from 3d70999fd322b0d4ae0724ea9e6d7a2598286e57 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: debian/changelog | 2 + sbin/x2gobroker-authservice | 96 +++++++++++++++++++++++++++++++++++-------- x2gobroker/authservice.py | 81 ++++-------------------------------- 3 files changed, 90 insertions(+), 89 deletions(-) The diff of changes is: diff --git a/debian/changelog b/debian/changelog index b8a12d7..d3ab329 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,6 +16,8 @@ x2gobroker (0.0.1.1-0~x2go1) UNRELEASED; urgency=low - x2gobroker-pubkeyauthorizer: no logging-to-file support anymore. (Fixes: #175). - Fix name of get() method for /pubkeys/ URL path. (Fixes: #176). + - Move AuthService server code fully into x2gobroker-authservice + daemon script. * /debian/control: + Fix --root parameter in DEB_PYTHON_INSTALL_ARGS. + Let bin:package x2gobroker-authservice depend on python-x2gobroker (of the diff --git a/sbin/x2gobroker-authservice b/sbin/x2gobroker-authservice index 5f0bd13..534a532 100755 --- a/sbin/x2gobroker-authservice +++ b/sbin/x2gobroker-authservice @@ -26,12 +26,10 @@ import sys import setproctitle import argparse import logging - -try: - import x2gobroker.authservice -except ImportError: - sys.path.insert(0, os.path.join(os.getcwd(), '..')) - import x2gobroker.authservice +import asyncore +import socket +import getpass +import logging.config PROG_NAME = os.path.basename(sys.argv[0]) PROG_OPTIONS = sys.argv[1:] @@ -40,23 +38,89 @@ setproctitle.setproctitle("%s %s" % (PROG_NAME, " ".join(PROG_OPTIONS))) from x2gobroker import __VERSION__ from x2gobroker import __AUTHOR__ + +class AuthService(asyncore.dispatcher_with_send): + + def __init__(self, socketfile, owner='root', group_owner='root', permissions='0660'): + asyncore.dispatcher_with_send.__init__(self) + self.create_socket(socket.AF_UNIX, socket.SOCK_STREAM) + self.set_reuse_addr() + self.bind(socketfile) + os.chown(socketfile, getpwnam(owner).pw_uid, getgrnam(group_owner).gr_gid) + os.chmod(socketfile, int(permissions, 8)) + self.listen(1) + + def handle_accept(self): + conn, _ = self.accept() + AuthClient(conn) + + +def loop(): + asyncore.loop() + + +# normally this would go into defaults.py, however, we do not want to pull in defaults.py here as that will create +# unwanted logfiles (access.log, broker.log, error.log) when x2gobroker-authservice is installed as standalone service +if os.environ.has_key('X2GOBROKER_DEBUG'): + X2GOBROKER_DEBUG = ( os.environ['X2GOBROKER_DEBUG'].lower() in ('1', 'on', 'true', 'yes', ) ) +else: + X2GOBROKER_DEBUG = False +if os.environ.has_key('X2GOBROKER_TESTSUITE'): + X2GOBROKER_TESTSUITE = ( os.environ['X2GOBROKER_TESTSUITE'].lower() in ('1', 'on', 'true', 'yes', ) ) +else: + X2GOBROKER_TESTSUITE = False +if os.environ.has_key('X2GOBROKER_DAEMON_USER'): + X2GOBROKER_DAEMON_USER=os.environ['X2GOBROKER_DAEMON_USER'] +else: + X2GOBROKER_DAEMON_USER="x2gobroker" +if os.environ.has_key('X2GOBROKER_AUTHSERVICE_LOGCONFIG'): + X2GOBROKER_AUTHSERVICE_LOGCONFIG=os.environ['X2GOBROKER_AUTHSERVICE_LOGCONFIG'] +else: + X2GOBROKER_AUTHSERVICE_LOGCONFIG="/etc/x2go/broker/x2gobroker-authservice-logger.conf" +if os.environ.has_key('X2GOBROKER_AUTHSERVICE_SOCKET'): + X2GOBROKER_AUTHSERVICE_SOCKET=os.environ['X2GOBROKER_AUTHSERVICE_SOCKET'] +else: + X2GOBROKER_AUTHSERVICE_SOCKET="/run/x2gobroker/x2gobroker-authservice.socket" + +# standalone daemon mode (x2gobroker-authservice as daemon) or interactive mode (called from the cmdline)? +if getpass.getuser() in (X2GOBROKER_DAEMON_USER, 'root'): + + # we run in standalone daemon mode, so let's use the system configuration for logging + logging.config.fileConfig(X2GOBROKER_AUTHSERVICE_LOGCONFIG) + + # create authservice logger + logger_authservice = logging.getLogger('authservice') + +else: + logger_root = logging.getLogger() + stderr_handler = logging.StreamHandler(sys.stderr) + stderr_handler.setFormatter(logging.Formatter(fmt='%(asctime)s - %(name)s - %(levelname)s - %(message)s', datefmt='')) + + # all loggers stream to stderr... + logger_root.addHandler(stderr_handler) + + logger_authservice = logging.getLogger('authservice') + logger_authservice.addHandler(stderr_handler) + logger_authservice.propagate = 0 + + # raise log level to DEBUG if requested... -if x2gobroker.authservice.X2GOBROKER_DEBUG and not x2gobroker.authservice.X2GOBROKER_TESTSUITE: - x2gobroker.authservice.logger_authservice.setLevel(logging.DEBUG) +if X2GOBROKER_DEBUG and not X2GOBROKER_TESTSUITE: + logger_authservice.setLevel(logging.DEBUG) -x2gobroker.authservice.logger_authservice.info('X2Go Session Broker ({version}), written by {author}'.format(version=__VERSION__, author=__AUTHOR__)) -x2gobroker.authservice.logger_authservice.info('Setting up the PAM authentication service\'s environment...') -x2gobroker.authservice.logger_authservice.info(' X2GOBROKER_DEBUG: {value}'.format(value=x2gobroker.authservice.X2GOBROKER_DEBUG)) -x2gobroker.authservice.logger_authservice.info(' X2GOBROKER_AUTHSERVICE_SOCKET: {value}'.format(value=x2gobroker.authservice.X2GOBROKER_AUTHSERVICE_SOCKET)) +logger_authservice.info('X2Go Session Broker ({version}), written by {author}'.format(version=__VERSION__, author=__AUTHOR__)) +logger_authservice.info('Setting up the PAM authentication service\'s environment...') +logger_authservice.info(' X2GOBROKER_DEBUG: {value}'.format(value=X2GOBROKER_DEBUG)) +logger_authservice.info(' X2GOBROKER_AUTHSERVICE_SOCKET: {value}'.format(value=X2GOBROKER_AUTHSERVICE_SOCKET)) # check effective UID the broker runs as and complain appropriately... if os.geteuid() != 0: - x2gobroker.authservice.logger_authservice.warn('X2Go Session Broker\'s PAM authentication service should run with root privileges to guarantee proper access to all PAM modules.') + logger_authservice.warn('X2Go Session Broker\'s PAM authentication service should run with root privileges to guarantee proper access to all PAM modules.') if __name__ == '__main__': common_options = [ - {'args':['-s','--socket-file'], 'default': x2gobroker.authservice.X2GOBROKER_AUTHSERVICE_SOCKET, 'metavar': 'AUTHSOCKET', 'help': 'socket file for AuthService communication', }, + {'args':['-s','--socket-file'], 'default': X2GOBROKER_AUTHSERVICE_SOCKET, 'metavar': 'AUTHSOCKET', 'help': 'socket file for AuthService communication', }, {'args':['-o','--owner'], 'default': 'root', 'help': 'owner of the AuthService socket file', }, {'args':['-g','--group'], 'default': 'root', 'help': 'group ownership of the AuthService socket file', }, {'args':['-p','--permissions'], 'default': '0660', 'help': 'set these file permissions for the AuthService socket file', }, @@ -76,8 +140,8 @@ if __name__ == '__main__': cmdline_args = p.parse_args() socket_file = cmdline_args.socket_file - x2gobroker.authservice.AuthService(socket_file, owner=cmdline_args.owner, group_owner=cmdline_args.group, permissions=cmdline_args.permissions) + AuthService(socket_file, owner=cmdline_args.owner, group_owner=cmdline_args.group, permissions=cmdline_args.permissions) try: - x2gobroker.authservice.loop() + loop() except KeyboardInterrupt: pass diff --git a/x2gobroker/authservice.py b/x2gobroker/authservice.py index 0f97a29..ae1518a 100644 --- a/x2gobroker/authservice.py +++ b/x2gobroker/authservice.py @@ -22,58 +22,13 @@ import os import asyncore -import pam import socket import getpass -import logging -import logging.config -from pwd import getpwnam -from grp import getgrnam +# X2Go Session Broker modules +import x2gobroker.defaults +from x2gobroker.loggers import logger_broker -# normally this would go into defaults.py, however, we do not want to pull in defaults.py here as that will create -# unwanted logfiles (access.log, broker.log, error.log) when x2gobroker-authservice is installed as standalone service -if os.environ.has_key('X2GOBROKER_DEBUG'): - X2GOBROKER_DEBUG = ( os.environ['X2GOBROKER_DEBUG'].lower() in ('1', 'on', 'true', 'yes', ) ) -else: - X2GOBROKER_DEBUG = False -if os.environ.has_key('X2GOBROKER_TESTSUITE'): - X2GOBROKER_TESTSUITE = ( os.environ['X2GOBROKER_TESTSUITE'].lower() in ('1', 'on', 'true', 'yes', ) ) -else: - X2GOBROKER_TESTSUITE = False -if os.environ.has_key('X2GOBROKER_DAEMON_USER'): - X2GOBROKER_DAEMON_USER=os.environ['X2GOBROKER_DAEMON_USER'] -else: - X2GOBROKER_DAEMON_USER="x2gobroker" -if os.environ.has_key('X2GOBROKER_AUTHSERVICE_LOGCONFIG'): - X2GOBROKER_AUTHSERVICE_LOGCONFIG=os.environ['X2GOBROKER_AUTHSERVICE_LOGCONFIG'] -else: - X2GOBROKER_AUTHSERVICE_LOGCONFIG="/etc/x2go/broker/x2gobroker-authservice-logger.conf" -if os.environ.has_key('X2GOBROKER_AUTHSERVICE_SOCKET'): - X2GOBROKER_AUTHSERVICE_SOCKET=os.environ['X2GOBROKER_AUTHSERVICE_SOCKET'] -else: - X2GOBROKER_AUTHSERVICE_SOCKET="/run/x2gobroker/x2gobroker-authservice.socket" - -# standalone daemon mode (x2gobroker-authservice as daemon) or interactive mode (called from the cmdline)? -if getpass.getuser() in (X2GOBROKER_DAEMON_USER, 'root'): - - # we run in standalone daemon mode, so let's use the system configuration for logging - logging.config.fileConfig(X2GOBROKER_AUTHSERVICE_LOGCONFIG) - - # create authservice logger - logger_authservice = logging.getLogger('authservice') - -else: - logger_root = logging.getLogger() - stderr_handler = logging.StreamHandler(sys.stderr) - stderr_handler.setFormatter(logging.Formatter(fmt='%(asctime)s - %(name)s - %(levelname)s - %(message)s', datefmt='')) - - # all loggers stream to stderr... - logger_root.addHandler(stderr_handler) - - logger_authservice = logging.getLogger('authservice') - logger_authservice.addHandler(stderr_handler) - logger_authservice.propagate = 0 class AuthClient(asyncore.dispatcher_with_send): @@ -103,36 +58,16 @@ class AuthClient(asyncore.dispatcher_with_send): self.close() -class AuthService(asyncore.dispatcher_with_send): - - def __init__(self, socketfile, owner='root', group_owner='root', permissions='0660'): - asyncore.dispatcher_with_send.__init__(self) - self.create_socket(socket.AF_UNIX, socket.SOCK_STREAM) - self.set_reuse_addr() - self.bind(socketfile) - os.chown(socketfile, getpwnam(owner).pw_uid, getgrnam(group_owner).gr_gid) - os.chmod(socketfile, int(permissions, 8)) - self.listen(1) - - def handle_accept(self): - conn, _ = self.accept() - AuthClient(conn) - - -def loop(): - asyncore.loop() - - def authenticate(username, password, service="x2gobroker"): s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) - logger_authservice.debug('connecting to authentication service socket {socket}'.format(socket=X2GOBROKER_AUTHSERVICE_SOCKET)) - s.connect(X2GOBROKER_AUTHSERVICE_SOCKET) - logger_authservice.debug('sending username={username}, password=<hidden>, service={service} to authentication service'.format(username=username, service=service)) + logger_broker.debug('connecting to authentication service socket {socket}'.format(socket=x2gobroker.defaults.X2GOBROKER_AUTHSERVICE_SOCKET)) + s.connect(x2gobroker.defaults.X2GOBROKER_AUTHSERVICE_SOCKET) + logger_broker.debug('sending username={username}, password=<hidden>, service={service} to authentication service'.format(username=username, service=service)) s.send('{username} {password} {service}\n'.format(username=username, password=password, service=service)) result = s.recv(1024) s.close() if result.startswith('ok'): - logger_authservice.info('authentication against PAM service »{service}« succeeded for user »{username}«'.format(username=username, service=service)) + logger_broker.info('authentication against PAM service »{service}« succeeded for user »{username}«'.format(username=username, service=service)) return True - logger_authservice.info('authentication against service »{service}« failed for user »{username}«'.format(username=username, service=service)) + logger_broker.info('authentication against service »{service}« failed for user »{username}«'.format(username=username, service=service)) return False hooks/post-receive -- x2gobroker.git (HTTP(S) Session broker for X2Go) This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "x2gobroker.git" (HTTP(S) Session broker for X2Go).