
https://fedorahosted.org/freeipa/ticket/154

The second patch removes the /ipatest section that has been commented
out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)

I also have two questions:
 1) how should exceptions be handled? In the patch, I only explicitly
handle exceptions that could happen very easily (like, password being
wrong, or the LDAP server down..). Anything else would just trigger 500
Server Error..

 2) When playing with the migration command line plugin, I noticed that
it can only handle RFC2307bis groups (member: dn) and has the
objectclass for groups hardcoded to
"(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think
it would be worthwhile (and easy, too!) to modify the plugin to also accept
the RFC2307 schema and allow specifying a different objectclass
(posixGroup might come in handy..). Thoughts?

From 35b17154a9ed29692cdbb7b5e6d6270bc3e60622 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 29 Oct 2010 09:38:17 -0400
Subject: [PATCH 1/2] Rewrite the migration page using WSGI

---
 install/conf/ipa-rewrite.conf  |    3 +-
 install/conf/ipa.conf          |    4 +-
 install/migration/index.html   |    2 +-
 install/migration/migration.py |   45 ++++++++++++++++++++++++++++++++-------
 ipa.spec.in                    |    1 -
 5 files changed, 41 insertions(+), 14 deletions(-)

diff --git a/install/conf/ipa-rewrite.conf b/install/conf/ipa-rewrite.conf
index ef49430..f6bc9d0 100644
--- a/install/conf/ipa-rewrite.conf
+++ b/install/conf/ipa-rewrite.conf
@@ -3,8 +3,7 @@
 RewriteEngine on
 
 # By default forward all requests to /ipa. If you don't want IPA
-# to be the default on your web server comment this line out. You will
-# need to modify ipa_webgui.cfg as well.
+# to be the default on your web server comment this line out.
 RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
 
 # Redirect to the fully-qualified hostname. Not redirecting to secure
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 91e8373..19a4f6d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -125,8 +125,8 @@ Alias /ipa/migration "/usr/share/ipa/migration"
     AllowOverride None
     Satisfy Any
     Allow from all
-    AddHandler mod_python .py
-    PythonHandler mod_python.publisher
+    Options ExecCGI
+    AddHandler wsgi-script .py
 </Directory>
 
 
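Review bot: The `AddHandler wsgi-script .py` line turns every `.py` file that ends up in /usr/share/ipa/migration into an anonymously reachable WSGI endpoint (the block keeps `Satisfy Any` / `Allow from all`), and in mod_wsgi's default embedded mode the script that handles plaintext passwords runs inside the httpd worker itself. Mapping only the one script, `WSGIScriptAlias /ipa/migration/migration.py /usr/share/ipa/migration/migration.py`, and giving it a `WSGIDaemonProcess` / `WSGIProcessGroup` would narrow both. Nothing visible in this hunk restricts the directory to HTTPS; if the enclosing vhost does not already enforce it, `SSLRequireSSL` belongs in this block since the form posts a password. `Options ExecCGI` is required by mod_wsgi for the AddHandler approach, so it is fine as long as that approach stays.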
diff --git a/install/migration/index.html b/install/migration/index.html
index b3ea46b..43a6483 100644
--- a/install/migration/index.html
+++ b/install/migration/index.html
@@ -23,7 +23,7 @@ Upon successful login your Kerberos account will be activated.
 </p>
 <div class="migration_form">
 <div class="migration_form_inner">
-<form action="migration.py/bind" method="post">
+<form action="migration.py" method="post">
     <div class="migration_form_title">
         <span>Password Migration</span>
     </div>
diff --git a/install/migration/migration.py b/install/migration/migration.py
index bf12c5c..eeabd21 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -20,13 +20,24 @@
 Password migration script
 """
 
+import errno
 import ldap
-from mod_python import apache, util
-
+import cgi
+import wsgiref
 
 BASE_DN = ''
 LDAP_URI = 'ldap://localhost:389'
 
+def wsgi_redirect(start_response, loc):
+    start_response('302 Found', [('Location', loc)])
+    return []
+
+def get_ui_url(environ):
+    full_url = wsgiref.util.request_uri(environ)
+    index = full_url.rfind(environ.get('SCRIPT_NAME',''))
+    if index == -1:
+        raise ValueError('Cannot strip the script URL from full URL "%s"' % full_url)
+    return full_url[:index] + "/ipa/ui"
 
 def get_base_dn():
     """
@@ -48,20 +59,38 @@ def get_base_dn():
     except (IndexError, KeyError):
         return ''
 
-
-def bind(req, username, password):
+def bind(username, password):
     base_dn = get_base_dn()
     if not base_dn:
-        util.redirect(req, '/ipa/migration/error.html')
+        raise IOError(errno.EIO, 'Cannot get Base DN')
     bind_dn = 'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)
     try:
         conn = ldap.initialize(LDAP_URI)
         conn.simple_bind_s(bind_dn, password)
     except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM,
             ldap.NO_SUCH_OBJECT):
-        util.redirect(req, '/ipa/migration/invalid.html')
+        raise IOError(errno.EPERM, 'Invalid LDAP credentials for user %s' % username)
     except ldap.LDAPError:
-        util.redirect(req, '/ipa/migration/error.html')
+        raise IOError(errno.EIO, 'Bind error')
+
     conn.unbind_s()
-    util.redirect(req, '/ipa/ui')
+
+def application(environ, start_response):
+    if environ.get('REQUEST_METHOD', None) != 'POST':
+        return wsgi_redirect(start_response, 'index.html')
+
+    form_data = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
+    if not form_data.has_key('username') or not form_data.has_key('password'):
+        return wsgi_redirect(start_response, 'invalid.html')
+
+    try:
+        bind(form_data['username'].value, form_data['password'].value)
+    except IOError as err:
+        if err.errno == errno.EPERM:
+            return wsgi_redirect(start_response, 'invalid.html')
+        if err.errno == errno.EIO:
+            return wsgi_redirect(start_response, 'error.html')
+
+    ui_url = get_ui_url(environ)
+    return wsgi_redirect(start_response, ui_url)
 
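Review bot: The `except IOError as err` branch in `application` only returns for `EPERM` and `EIO`; any other errno falls out of the handler and reaches the success redirect to the UI, so an unexpected failure inside `bind` fails open rather than closed. The `has_key` checks on `username`/`password` also accept empty strings, and a simple bind with an empty password is treated as an anonymous bind by many directory servers, so that case should be rejected before `bind` is called instead of relying on the server to refuse it. Separately, `username` is interpolated straight into the DN on the unchanged line `bind_dn = 'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)`; escaping it with `ldap.dn.escape_dn_chars(username)` keeps a crafted value from altering the DN, and `conn` is never unbound when `simple_bind_s` raises. The rewritten `application` body below closes the fall-through and adds the empty-credential check.
```python
def application(environ, start_response):
    # … unchanged: REQUEST_METHOD check and cgi.FieldStorage parsing …
    if not form_data.has_key('username') or not form_data.has_key('password'):
        return wsgi_redirect(start_response, 'invalid.html')

    username = form_data['username'].value
    password = form_data['password'].value
    # An empty password would be an anonymous bind, not a credential check.
    if not username or not password:
        return wsgi_redirect(start_response, 'invalid.html')

    try:
        bind(username, password)
    except IOError as err:
        if err.errno == errno.EPERM:
            return wsgi_redirect(start_response, 'invalid.html')
        # Any other failure is server-side; never fall through to the
        # success redirect.
        return wsgi_redirect(start_response, 'error.html')

    ui_url = get_ui_url(environ)
    return wsgi_redirect(start_response, ui_url)
```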
diff --git a/ipa.spec.in b/ipa.spec.in
index ee5db47..15e40de 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -74,7 +74,6 @@ Requires: krb5-server-ldap
 Requires: cyrus-sasl-gssapi
 Requires: ntp
 Requires: httpd
-Requires: mod_python
 Requires: mod_wsgi
 Requires: mod_auth_kerb
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
-- 
1.7.2.3

From ec97e37112d245399651b4c2a8af5dea0088dbf1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 29 Oct 2010 09:49:05 -0400
Subject: [PATCH 2/2] Remove some more mod_python references

---
 install/conf/ipa.conf |   21 ---------------------
 install/tools/README  |    2 +-
 2 files changed, 1 insertions(+), 22 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 19a4f6d..1806018 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -128,24 +128,3 @@ Alias /ipa/migration "/usr/share/ipa/migration"
     Options ExecCGI
     AddHandler wsgi-script .py
 </Directory>
-
-
-#Alias /ipatest "/usr/share/ipa/ipatest"
-#<Directory "/usr/share/ipa/ipatest">
-#  AuthType Kerberos
-#  AuthName "Kerberos Login"
-#  KrbMethodNegotiate on
-#  KrbMethodK5Passwd off
-#  KrbServiceName HTTP
-#  KrbAuthRealms $REALM
-#  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-#  KrbSaveCredentials on
-#  Require valid-user
-#  ErrorDocument 401 /ipa/errors/unauthorized.html
-#
-#  SetHandler mod_python
-#  PythonHandler test_mod_python
-#
-#  PythonDebug Off
-#
-#</Directory>
diff --git a/install/tools/README b/install/tools/README
index a52cede..219e74c 100644
--- a/install/tools/README
+++ b/install/tools/README
@@ -15,7 +15,7 @@ openssl-devel
 nspr-devel
 nss-devel
 mozldap-devel
-mod_python
+mod_wsgi
 gcc
 python-ldap
 TurboGears
-- 
1.7.2.3
