Ovirt devel - Aug 2008 - [PATCH] Add username/password authentication for browsing from non-kerberized hosts

Once again, apologies for the attachment.

Also, apologies for the comments in wui-devel.ks which wrap past 80 chars.

Please help me test this. Build a new appliance with this patch, ssh to the
appliance, set a new ipa password for ovirtadmin, and then kdestroy. If you
launch browser after that, you should get authorization requested dialog from
firefox, and (following entry of correct username/password) get redirected back
to dashboard.

Goodnight!
Steve

-------------- next part --------------
>From 49410330dd46413b30c1ed29ec86cc73c6cf2f41 Mon Sep 17 00:00:00 2001
From: Steve Linabery <slinabery at redhat.com>
Date: Thu, 14 Aug 2008 02:41:17 -0500
Subject: [PATCH] Add username/password authentication for browsing from
non-kerberized hosts

Add cookie-based session support and migration file.

New login controller.
---
 wui-appliance/wui-devel.ks                  |    7 +++++
 wui/conf/ovirt-wui.conf                     |    6 ++--
 wui/src/app/controllers/application.rb      |   15 +++++-----
 wui/src/app/controllers/login_controller.rb |   39 +++++++++++++++++++++++++++
 wui/src/config/environment.rb               |    2 +-
 wui/src/db/migrate/013_create_sessions.rb   |   35 ++++++++++++++++++++++++
 6 files changed, 92 insertions(+), 12 deletions(-)
 create mode 100644 wui/src/app/controllers/login_controller.rb
 create mode 100644 wui/src/db/migrate/013_create_sessions.rb

diff --git a/wui-appliance/wui-devel.ks b/wui-appliance/wui-devel.ks
index e36f3a7..5c334d1 100644
--- a/wui-appliance/wui-devel.ks
+++ b/wui-appliance/wui-devel.ks
@@ -152,6 +152,13 @@ start() {
 	ipa-server-install -r PRIV.OVIRT.ORG -p @password@ -P @password@ -a @password@
\
 	  --hostname management.priv.ovirt.org -u dirsrv -U
 
+        # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=459061
+        # note: this has to happen after ipa-server-install or the templating
feature
+        # in ipa-server-install chokes on the characters in the regexp we add
here.
+        sed -i -e 's#<Proxy \*>#<ProxyMatch
^.*/ipa/ui.*$>#' /etc/httpd/conf.d/ipa.conf
+        sed -i -e 's#</Proxy>#</ProxyMatch>#'
/etc/httpd/conf.d/ipa.conf
+        sed -i -e 's/^/#/' /etc/httpd/conf.d/ipa-rewrite.conf
+	/usr/sbin/apachectl restart
 	# now create the ovirtadmin user
 	echo @password@|kinit admin
 	# change max username length policy
diff --git a/wui/conf/ovirt-wui.conf b/wui/conf/ovirt-wui.conf
index f56ce81..63e1dc4 100644
--- a/wui/conf/ovirt-wui.conf
+++ b/wui/conf/ovirt-wui.conf
@@ -2,11 +2,11 @@ NameVirtualHost *:80
 <VirtualHost *:80>
 ProxyRequests Off
 
-<Proxy *>
+<ProxyMatch ^.*/ovirt/login.*$>
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate on
-  KrbMethodK5Passwd off
+  KrbMethodK5Passwd on
   KrbServiceName HTTP
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
@@ -26,7 +26,7 @@ ProxyRequests Off
   RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
 
   # RequestHeader unset Authorization
-</Proxy>
+</ProxyMatch>
 
 Alias /ovirt/stylesheets "/usr/share/ovirt-wui/public/stylesheets"
 Alias /ovirt/images "/usr/share/ovirt-wui/public/images"
diff --git a/wui/src/app/controllers/application.rb
b/wui/src/app/controllers/application.rb
index eacf6f3..53d0aa6 100644
--- a/wui/src/app/controllers/application.rb
+++ b/wui/src/app/controllers/application.rb
@@ -32,17 +32,16 @@ class ApplicationController < ActionController::Base
   before_filter :pre_show, :only => [:show, :show_vms, :show_users, 
                                      :show_hosts, :show_storage]
   before_filter :authorize_admin, :only => [:new, :create, :edit, :update,
:destroy]
+  before_filter :is_logged_in
 
-  def get_login_user
-    if ENV["RAILS_ENV"] != 'test'
-        user_from_principal(request.env["HTTP_X_FORWARDED_USER"])
-    else
-        'ovirtadmin'
+  def is_logged_in
+    if session[:user] == nil
+      redirect_to :controller => "login", :action =>
"login"
     end
   end
-  
-  def user_from_principal(principal)
-    principal.split('@')[0]
+
+  def get_login_user
+    session[:user]
   end
 
   def set_perms(hwpool)
diff --git a/wui/src/app/controllers/login_controller.rb
b/wui/src/app/controllers/login_controller.rb
new file mode 100644
index 0000000..5babb43
--- /dev/null
+++ b/wui/src/app/controllers/login_controller.rb
@@ -0,0 +1,39 @@
+# 
+# Copyright (C) 2008 Red Hat, Inc.
+# Written by Steve Linabery <slinabery at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA  02110-1301, USA.  A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+# Filters added to this controller apply to all controllers in the application.
+# Likewise, all the methods added will be available for all controllers.
+
+class LoginController < ActionController::Base
+
+  before_filter :is_logged_in, :except => :login
+  def login
+    myUser = "ovirtadmin"
+    if ENV["RAILS_ENV"] != "test"
+      myUser =
user_from_principal(request.env["HTTP_X_FORWARDED_USER"])
+    end
+    session[:user] = myUser
+    redirect_to :controller => "dashboard"
+  end
+
+  def user_from_principal(principal)
+    principal.split('@')[0]
+  end
+
+end
diff --git a/wui/src/config/environment.rb b/wui/src/config/environment.rb
index 379dcf4..d14899a 100644
--- a/wui/src/config/environment.rb
+++ b/wui/src/config/environment.rb
@@ -44,7 +44,7 @@ Rails::Initializer.run do |config|
 
   # Use the database for sessions instead of the file system
   # (create the session table with 'rake db:sessions:create')
-  # config.action_controller.session_store = :active_record_store
+  config.action_controller.session_store = :active_record_store
   config.action_controller.session = {
   :session_key => "_ovirt_session_id",
   :secret => "a covert ovirt phrase or some such" 
diff --git a/wui/src/db/migrate/013_create_sessions.rb
b/wui/src/db/migrate/013_create_sessions.rb
new file mode 100644
index 0000000..9eca543
--- /dev/null
+++ b/wui/src/db/migrate/013_create_sessions.rb
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2008 Red Hat, Inc.
+# Written by Steve Linabery <slinabery at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA  02110-1301, USA.  A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+class CreateSessions < ActiveRecord::Migration
+  def self.up
+    create_table :sessions do |t|
+      t.string :session_id, :null => false
+      t.text :data
+      t.timestamps
+    end
+
+    add_index :sessions, :session_id
+    add_index :sessions, :updated_at
+  end
+
+  def self.down
+    drop_table :sessions
+  end
+end
-- 
1.5.5.2

Steve Linabery wrote:
> Also, apologies for the comments in wui-devel.ks which wrap past 80 chars.
no apologies, use \ :)
 
> Please help me test this. Build a new appliance with this patch, ssh to the
appliance, set a new ipa password for ovirtadmin, and then kdestroy. If you
launch browser after that, you should get authorization requested dialog from
firefox, and (following entry of correct username/password) get redirected back
to dashboard.
works as advertised, so ACK

Comments:
- when to expire the session?
- and related: do we need explicit logout action?
> diff --git a/wui-appliance/wui-devel.ks b/wui-appliance/wui-devel.ks
> +	/usr/sbin/apachectl restart
why not  service httpd reload ?

Overall, ACK -works for me.  Couple notes/tweaks below.

On Thu, 2008-08-14 at 02:45 -0500, Steve Linabery wrote:
> Once again, apologies for the attachment.
> 
> Also, apologies for the comments in wui-devel.ks which wrap past 80 chars.
> 
> Please help me test this. Build a new appliance with this patch, ssh to the
appliance, set a new ipa password for ovirtadmin, and then kdestroy. If you
launch browser after that, you should get authorization requested dialog from
firefox, and (following entry of correct username/password) get redirected back
to dashboard.
> 
> Goodnight!
> Steve
> 
diff --git a/wui/src/app/controllers/application.rb
b/wui/src/app/controllers/application.rb
index eacf6f3..53d0aa6 100644
--- a/wui/src/app/controllers/application.rb
+++ b/wui/src/app/controllers/application.rb
@@ -32,17 +32,16 @@ class ApplicationController < ActionController::Base
   before_filter :pre_show, :only => [:show, :show_vms, :show_users, 
                                      :show_hosts, :show_storage]
   before_filter :authorize_admin, :only => [:new, :create, :edit, :update,
:destroy]
+  before_filter :is_logged_in
 
-  def get_login_user
-    if ENV["RAILS_ENV"] != 'test'
-        user_from_principal(request.env["HTTP_X_FORWARDED_USER"])
-    else
-        'ovirtadmin'
+  def is_logged_in
+    if session[:user] == nil
+      redirect_to :controller => "login", :action =>
"login"

we may want to change this next rev, since we don't really want a
redirect while the user is logged in and just reauthing


diff --git a/wui/src/app/controllers/login_controller.rb
b/wui/src/app/controllers/login_controller.rb
+  before_filter :is_logged_in, :except => :login
+  def login
+    myUser = "ovirtadmin"
+    if ENV["RAILS_ENV"] != "test"
+      myUser =
user_from_principal(request.env["HTTP_X_FORWARDED_USER"])
+    end
+    session[:user] = myUser

To combine this with what I did in my earlier patch (which I will
regenerate w/o the env test) and to make it more succinct, I would
suggest changing the above block to:
session[:user] = (ENV["RAILS_ENV"] == "production") ?
user_from_principal(request.env["HTTP_X_FORWARDED_USER"]) :
"ovirtadmin"

+    redirect_to :controller => "dashboard"

Same comment as in application.rb for the redirect

-j
> _______________________________________________
> Ovirt-devel mailing list
> Ovirt-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/ovirt-devel