From 00ef3951514889791a11318124c271309d8b4958 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Fri, 4 Sep 2015 16:01:00 +0200
Subject: [PATCH] check and refresh user auth info upon each request
---
pcs/cluster.py | 2 ++
pcs/utils.py | 2 ++
pcsd/auth.rb | 16 ++++++++++++----
pcsd/test/test_auth.rb | 1 +
4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/pcs/cluster.py b/pcs/cluster.py
index d2a80a8..5a2128a 100644
--- a/pcs/cluster.py
+++ b/pcs/cluster.py
@@ -235,6 +235,8 @@ def auth_nodes_do(nodes, username, password, force, local):
'local': local,
}
output, retval = utils.run_pcsdcli('auth', pcsd_data)
+ if retval == 0 and output['status'] == 'access_denied':
+ utils.err('Access denied')
if retval == 0 and output['status'] == 'ok' and output['data']:
failed = False
try:
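Review bot: The new `utils.err('Access denied')` at the top of this hunk gives the operator no hint which check refused them; the per-node credential failures are reported separately further down in `auth_nodes_do`, so a bare "Access denied" here reads as if the remote nodes rejected the password. If, as the pcsd-side change in this patch suggests, `access_denied` is the local pcsd refusing to run the `auth` command for the invoking user, say so in the message, e.g. `utils.err('Access denied: the local pcsd did not authorize the current user to run this command')`, and consider a `# pcsd refused the invoking user (not the remote nodes); see pcsd auth.rb isLoggedIn` comment above the check. The body of `auth_nodes_do` continues past the end of this hunk.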
diff --git a/pcs/utils.py b/pcs/utils.py
index c91b50e..757c159 100644
--- a/pcs/utils.py
+++ b/pcs/utils.py
@@ -803,6 +803,8 @@ def call_local_pcsd(argv, interactive_auth=False, std_in=None):
return [['Unable to communicate with pcsd'], 1, '', '']
if output_json['status'] == 'bad_command':
return [['Command not allowed'], 1, '', '']
+ if output_json['status'] == 'access_denied':
+ return [['Access denied'], 1, '', '']
if output_json['status'] != "ok" or not output_json["data"]:
return [['Unable to communicate with pcsd'], 1, '', '']
try:
diff --git a/pcsd/auth.rb b/pcsd/auth.rb
index 22d7868..53712ed 100644
--- a/pcsd/auth.rb
+++ b/pcsd/auth.rb
@@ -19,7 +19,7 @@ class PCSAuth
def self.validUser(username, password, generate_token = false)
$logger.info("Attempting login by '#{username}'")
- if not Rpam.auth(username,password, :service => "pcsd")
+ if not Rpam.auth(username, password, :service => "pcsd")
$logger.info("Failed login by '#{username}' (bad username or password)")
return nil
end
@@ -59,7 +59,7 @@ class PCSAuth
return [true, stdout.join(' ').split(nil)]
end
- def self.isUserAllowedToLogin(username)
+ def self.isUserAllowedToLogin(username, log_success=true)
success, groups = getUsersGroups(username)
if not success
$logger.info(
@@ -73,7 +73,9 @@ class PCSAuth
)
return false
end
- $logger.info("Successful login by '#{username}'")
+ if log_success
+ $logger.info("Successful login by '#{username}'")
+ end
return true
end
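Review bot: The `log_success` flag only silences the "Successful login" line; the failure branch that returns `false` just above it (its `$logger.info(` call starts at the previous hunk and its condition is outside this view) still logs at info level unconditionally. Since this patch starts calling `isUserAllowedToLogin(username, false)` from `isLoggedIn` on every request, a session whose user has since been removed from the permitted group will emit that "login" log entry for every request until the session is dropped, and the message will be worded as a login attempt although no login is happening. Either gate that branch on the same flag or, better, rename the parameter to something like `log_result` and document it: `# log_result: false when called from a per-request re-check, where the original "login" wording would be misleading`. The positional boolean default should also be spaced per the project's Ruby style, `log_success = true`.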
@@ -131,7 +133,13 @@ class PCSAuth
end
def self.isLoggedIn(session)
- return session[:username] != nil
+ username = session[:username]
+ if (username != nil) and isUserAllowedToLogin(username, false)
+ success, groups = getUsersGroups(username)
+ session[:usergroups] = success ? groups : []
+ return true
+ end
+ return false
end
def self.getSuperuserSession()
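Review bot: `isLoggedIn` now resolves the user's groups twice per request: `isUserAllowedToLogin` calls `getUsersGroups(username)` internally (visible at the `success, groups = getUsersGroups(username)` line in the earlier hunk, which appears to run an external command judging by `stdout.join`), and the new code calls it again to fill `session[:usergroups]`. Besides doubling the process spawns on every request, the two lookups can disagree, so the decision and the stored groups may come from different views of the system; have `isUserAllowedToLogin` return the groups it already fetched (or pass them in) so the check and `session[:usergroups]` use a single lookup. Separately, when the re-check fails the stale `session[:username]` is left in place, so the now-unauthorized session keeps being re-evaluated and logged on every request; clear it when the user is no longer allowed. The `and` keyword in the condition should be `&&` per Ruby precedence conventions.
```ruby
  def self.isLoggedIn(session)
    username = session[:username]
    return false if username.nil?
    unless isUserAllowedToLogin(username, false)
      # user lost access since logging in: drop the stale session so it is not
      # re-checked (and logged) on every subsequent request
      session.clear
      return false
    end
    # ... unchanged: refresh session[:usergroups] (ideally from the single lookup above) ...
    return true
  end
```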
--
1.9.1