Vinzenz Feenstra has uploaded a new change for review. Change subject: Adjusting the ovirt-guest-agent to the new way of SSO ......................................................................
Adjusting the ovirt-guest-agent to the new way of SSO Change-Id: Ib47739dc4fea825c116c8404a1b65cdb66ed2ebb Signed-off-by: Vinzenz Feenstra <[email protected]> --- M gdm-plugin/Makefile.am M kdm-plugin/Makefile.am M ovirt-guest-agent.spec M ovirt-guest-agent/CredServer.py M pam-ovirt-cred/Makefile.am M pam-ovirt-cred/cred_channel.c R pam-ovirt-cred/ovirtcred.pam M pam-ovirt-cred/pam_ovirt_cred.c 8 files changed, 54 insertions(+), 74 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-guest-agent refs/changes/02/15502/1 diff --git a/gdm-plugin/Makefile.am b/gdm-plugin/Makefile.am index 84ac10d..46522a5 100644 --- a/gdm-plugin/Makefile.am +++ b/gdm-plugin/Makefile.am @@ -3,14 +3,12 @@ NULL = -PAM_SERVICE_NAME = gdm-ovirtcred - extensiondir = $(extensionsdatadir)/ovirtcred extension_DATA = page.ui AM_CPPFLAGS = \ -DPLUGINDATADIR=\""$(extensiondir)"\" \ - -DGDM_OVIRTCRED_EXTENSION_SERVICE_NAME=\""$(PAM_SERVICE_NAME)"\" \ + -DGDM_OVIRTCRED_EXTENSION_SERVICE_NAME=\""ovirtcred"\" \ $(DISABLE_DEPRECATED_CFLAGS) \ $(GTK_CFLAGS) \ $(GDM_PLUGIN_CFLAGS) \ @@ -27,18 +25,10 @@ gdm-ovirtcred-extension.h \ gdm-ovirtcred-extension.c -$(PAM_SERVICE_NAME): $(PAM_SERVICE_NAME).pam - cp $(PAM_SERVICE_NAME).pam $(PAM_SERVICE_NAME) - -pamdir = $(PAM_PREFIX)/pam.d -pam_DATA = $(PAM_SERVICE_NAME) - EXTRA_DIST = \ $(extension_DATA) \ - $(PAM_SERVICE_NAME).pam \ $(NULL) MAINTAINERCLEANFILES = \ *~ \ - $(PAM_SERVICE_NAME) \ Makefile.in diff --git a/kdm-plugin/Makefile.am b/kdm-plugin/Makefile.am index ba1b5fb..9399e6b 100644 --- a/kdm-plugin/Makefile.am +++ b/kdm-plugin/Makefile.am @@ -1,6 +1,4 @@ -PAM_SERVICE_NAME = kdm-ovirtcred - dist_noinst_DATA = \ src/CMakeLists.txt \ src/kgreet_ovirtcred.h \ 
@@ -18,17 +16,9 @@ install-exec-hook: make -C src install DESTDIR=$(DESTDIR) -$(PAM_SERVICE_NAME): $(PAM_SERVICE_NAME).pam - cp $(PAM_SERVICE_NAME).pam $(PAM_SERVICE_NAME) - -pamdir = $(PAM_PREFIX)/pam.d -pam_DATA = $(PAM_SERVICE_NAME) - EXTRA_DIST = \ - $(PAM_SERVICE_NAME).pam \ credentials.xml \ $(NULL) CLEANFILES = \ - *~ \ - $(PAM_SERVICE_NAME) + *~ diff --git a/ovirt-guest-agent.spec b/ovirt-guest-agent.spec index 0f6688a..bf1fff7 100644 --- a/ovirt-guest-agent.spec +++ b/ovirt-guest-agent.spec @@ -191,15 +191,12 @@ %files pam-module +%config %{_sysconfdir}/pam.d/ovirtcred %{_moduledir}/pam_ovirt_cred.so %exclude %{_moduledir}/pam_ovirt_cred.a %exclude %{_moduledir}/pam_ovirt_cred.la - %files gdm-plugin -# This is intentionally NOT 'noreplace' If this is modified by an user, -# this actually might break it. -%config %{_sysconfdir}/pam.d/gdm-ovirtcred %{_datadir}/icons/hicolor/*/*/*.png %dir %{_datadir}/gdm/simple-greeter/extensions/ovirtcred %{_datadir}/gdm/simple-greeter/extensions/ovirtcred/page.ui @@ -209,9 +206,6 @@ %exclude %{_libdir}/gdm/simple-greeter/extensions/libovirtcred.la %files kdm-plugin -# This is intentionally NOT 'noreplace' If this is modified by an user, -# this actually might break it. -%config %{_sysconfdir}/pam.d/kdm-ovirtcred %attr (755,root,root) %{_libdir}/kde4/kgreet_ovirtcred.so %changelog diff --git a/ovirt-guest-agent/CredServer.py b/ovirt-guest-agent/CredServer.py index 6e67dd9..9187280 100644 --- a/ovirt-guest-agent/CredServer.py +++ b/ovirt-guest-agent/CredServer.py @@ -128,8 +128,8 @@ @dbus.service.signal(dbus_interface='org.ovirt.vdsm.Credentials', signature='s') - def UserAuthenticated(self, token): - logging.info("Emitting user authenticated signal (%s)." % (token)) + def UserAuthenticated(self, authSvc): + logging.info("Emitting user authenticated signal (%s)." % (authSvc)) class CredChannel(threading.Thread): 
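Review bot: The new `%config %{_sysconfdir}/pam.d/ovirtcred` entry under `%files pam-module` is still plain `%config`, but the comments explaining why it is deliberately not `noreplace` are deleted along with the gdm and kdm entries. I would carry the explanation over above the new line, e.g. `# Intentionally NOT 'noreplace': a locally modified PAM stack might break SSO.`. An upgrade will replace an administrator's edits to this PAM service file, so the reason should stay visible in the spec.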
@@ -224,16 +224,16 @@ logging.info("Incomming connection from user: %d process: %d", cred.uid, cred.pid) - token = conn.recv(1024) - if not token: + authSvc = conn.recv(1024) + if not authSvc: return - if str(token) == self._credentials[0]: - logging.info("Sending user's credential (token: %s)", token) + if str(authSvc) == self._credentials[0]: + logging.info("Sending user's credential (authSvc: %s)", authSvc) conn.send(self._credentials[1]) else: - logging.warning("Unexpect token was received (token: %s)", - token) + logging.warning("Unexpect authSvc was received (authSvc: %s)", + authSvc) conn.close() @@ -268,11 +268,11 @@ if self._cred_channel is None: self._cred_channel = CredChannel() self._cred_channel.set_allowed([0]) - token = str(random.randint(100000, 999999)) - logging.debug("Token: %s", token) + authSvc = 'ovirtcred' + logging.debug("Auth Service: %s", authSvc) logging.info("Opening credentials channel...") - self._cred_channel.start((token, credentials)) - self._dbus.UserAuthenticated(token) + self._cred_channel.start((authSvc, credentials)) + self._dbus.UserAuthenticated(authSvc) self._cred_channel.join() logging.info("Credentials channel was closed.") self._cred_channel = None diff --git a/pam-ovirt-cred/Makefile.am b/pam-ovirt-cred/Makefile.am index 9a0d7e9..ecad03d 100644 --- a/pam-ovirt-cred/Makefile.am +++ b/pam-ovirt-cred/Makefile.am @@ -11,4 +11,19 @@ pam_ovirt_cred.c \ cred_channel.c -CLEANFILES = *~ +PAM_SERVICE_NAME=ovirtcred +$(PAM_SERVICE_NAME): $(PAM_SERVICE_NAME).pam + cp $(PAM_SERVICE_NAME).pam $(PAM_SERVICE_NAME) + +pamdir = $(PAM_PREFIX)/pam.d +pam_DATA = $(PAM_SERVICE_NAME) + +EXTRA_DIST = \ + $(PAM_SERVICE_NAME).pam \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + $(PAM_SERVICE_NAME) \ + Makefile.in \ + $(NULL) diff --git a/pam-ovirt-cred/cred_channel.c b/pam-ovirt-cred/cred_channel.c index 8acf54b..7fbac86 100644 --- a/pam-ovirt-cred/cred_channel.c +++ b/pam-ovirt-cred/cred_channel.c 
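Review bot: The `str(authSvc) == self._credentials[0]` comparison in the `@@ -224` hunk no longer tells callers apart, because the `@@ -268` hunk replaces the per-session value from `random.randint(100000, 999999)` with the fixed string `'ovirtcred'`. Any peer that is accepted on the socket and sends that literal receives `self._credentials[1]`. The only remaining gate visible here is `self._cred_channel.set_allowed([0])`, whose enforcement lies outside these hunks, so please confirm that the peer-credential check rejects every other uid before `conn.recv(1024)` is reached. I would record this at the assignment, e.g. `# authSvc is a service identifier, not a secret; access control is the peer uid check only`. The new warning text also reads `Unexpect authSvc was received`, where `Unexpected` is presumably meant.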
@@ -42,7 +42,7 @@ _pam_drop(*username); return -1; } - + domain = strchr(*username, '@'); if (domain != NULL) { *domain = '\0'; @@ -75,9 +75,8 @@ } static int do_acquire_user_credentials(int sock, - const char *ticket, - char* creds, - size_t *creds_len) + char* creds, + size_t *creds_len) { struct sockaddr_un remote; struct timeval timeout; @@ -94,20 +93,20 @@ D(("connect() failed.")); return -1; } - + if (set_sock_non_blocking(sock) == -1) { return -1; } - + char const * auth_service = "ovirtcred"; do { - ret = send(sock, ticket, strlen(ticket), 0); + ret = send(sock, auth_service, strlen(auth_service), 0); } while ((ret == -1) && (errno == EINTR)); if (ret == -1) { D(("send() failed.")); return -1; } - + do { FD_ZERO(&rfds); FD_SET(sock, &rfds); @@ -115,7 +114,7 @@ timeout.tv_usec = 0; ret = select(sock + 1, &rfds, NULL, NULL, &timeout); } while ((ret == -1) && (errno == EINTR)); - + if (ret == -1) { D(("select() failed.")); return -1; @@ -123,7 +122,7 @@ D(("recv() timeout.")); return -1; } - + if (FD_ISSET(sock, &rfds)) { do { ret = recv(sock, creds, *creds_len, 0); @@ -134,14 +133,13 @@ D(("recv() failed.")); return -1; } - + *creds_len = ret; return 0; } -int acquire_user_credentials(const char *ticket, - char **username, +int acquire_user_credentials(char **username, char **password) { char creds[0x100]; @@ -154,11 +152,11 @@ D(("socket() failed.")); return -1; } - - ret = do_acquire_user_credentials(sock, ticket, creds, &creds_len); - + + ret = do_acquire_user_credentials(sock, creds, &creds_len); + close(sock); - + if (ret == 0) { ret = parse_credentials_buffer(creds, creds_len, username, password); if (ret != 0) { @@ -167,7 +165,7 @@ } else { D((" %s (errno = %d)", strerror(errno), errno)); } - + _pam_overwrite_n(creds, creds_len); return ret; diff --git a/kdm-plugin/kdm-ovirtcred.pam b/pam-ovirt-cred/ovirtcred.pam similarity index 100% rename from kdm-plugin/kdm-ovirtcred.pam rename to pam-ovirt-cred/ovirtcred.pam 
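Review bot: `char const * auth_service = "ovirtcred";` in the `@@ -94,20` hunk hard-codes a value that has to match `authSvc = 'ovirtcred'` in CredServer.py and `PAM_SERVICE_NAME` in the Makefiles, and nothing ties the copies together. I would make it a file-scope constant that names its counterpart, `static const char auth_service[] = "ovirtcred"; /* must match authSvc in CredServer.py */`, which also removes the declaration from the middle of the statement block. The result of `send()` is only compared with -1, so a short write of the name would go unnoticed; comparing it with `strlen(auth_service)` would catch that. `do_acquire_user_credentials` begins in the previous hunk and continues past this one.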
diff --git a/pam-ovirt-cred/pam_ovirt_cred.c b/pam-ovirt-cred/pam_ovirt_cred.c index 6cdb5fa..811cda5 100644 --- a/pam-ovirt-cred/pam_ovirt_cred.c +++ b/pam-ovirt-cred/pam_ovirt_cred.c @@ -10,15 +10,13 @@ #include <security/pam_modules.h> #include <security/pam_ext.h> -extern int acquire_user_credentials(const char *ticket, - char **username, - char **password); +extern int acquire_user_credentials(char **username, + char **password); PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { - const char *ticket = NULL; char *username = NULL; char *password = NULL; int retval; @@ -26,15 +24,10 @@ D(("called.")); /* I'm not too familiar with PAM conversation, so I use the pam_get_user - function in order to get the ticket that will be send when acquiring + function in order to get the auth_service that will be send when acquiring the user's credentials. */ - retval = pam_get_user(pamh, &ticket, "Token?"); - if (retval != PAM_SUCCESS) { - D(("get user returned error: %s", pam_strerror(pamh, retval))); - goto cleanup; - } - - if (acquire_user_credentials(ticket, &username, &password) != 0) { + + if (acquire_user_credentials(&username, &password) != 0) { D(("failed to acquire user's credentials")); retval = PAM_USER_UNKNOWN; goto cleanup; @@ -53,7 +46,7 @@ retval = PAM_USER_UNKNOWN; goto cleanup; } - + retval = PAM_SUCCESS; cleanup: @@ -84,4 +77,4 @@ NULL, }; -#endif /* PAM_STATIC */ +#endif /* PAM_STATIC */ -- To view, visit http://gerrit.ovirt.org/15502 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib47739dc4fea825c116c8404a1b65cdb66ed2ebb Gerrit-PatchSet: 1 Gerrit-Project: ovirt-guest-agent Gerrit-Branch: master Gerrit-Owner: Vinzenz Feenstra <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
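Review bot: The prototype of `acquire_user_credentials` in the `@@ -10,15` hunk is still a hand-copied `extern` declaration in pam_ovirt_cred.c, so the compiler cannot check it against the definition in cred_channel.c. This signature change had to be made in both files by hand. Moving the prototype to a small shared header included by both files (for example a new `cred_channel.h`) would turn a future mismatch into a compile error instead of undefined behaviour at the call. If that is out of scope, a comment such as `/* keep in sync with cred_channel.c */` above the declaration would at least flag it.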
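Review bot: The comment kept in the `@@ -26,15` hunk still says the module uses `pam_get_user` to obtain the value sent when acquiring credentials, but that call is removed here and `acquire_user_credentials(&username, &password)` takes no such argument. The comment now describes code that no longer exists and should be dropped or rewritten, e.g. `/* Credentials come from the guest agent's credentials channel; no PAM conversation is used. */`. `pam_sm_authenticate` starts in the previous hunk and continues after this one.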
