1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
|
'''
Created on Jul 6, 2010
@author: leifj
'''
from django.contrib.auth.decorators import login_required
from coip.multiresponse import respond_to, json_response, render403
from coip.apps.membership.models import Membership, add_member
from django.core.exceptions import ObjectDoesNotExist
from coip.apps.name.models import NameLink, lookup, Name
from django.contrib.auth.models import User
from django.shortcuts import get_object_or_404
from coip.apps.userprofile.models import UserProfile
from django.db.models import Q
from coip.extensions.templatetags.userdisplay import userdisplay
import subprocess
import re
from tempfile import NamedTemporaryFile
from coip.apps.userprofile.forms import AddSSHKeyForm, AddCertificateForm
from django.http import HttpResponseRedirect
def _add_sshkey(name,keyfile):
p = subprocess.Popen(['ssh-keygen','-l','-f',keyfile.name],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
(out,err) = p.communicate()
code = p.wait()
if code != 0:
raise Exception("Unable to fingerprint ssh key: %d - %s" % (code,err))
parts = out.split()
fp = re.sub(':','',parts[1])
p = subprocess.Popen(['ssh-keygen','-e','-f',keyfile.name],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
(out,err) = p.communicate()
code = p.wait()
if code != 0:
raise Exception("Unable to import ssh key: %d - %s" % (code,err))
id = out
username = "sshkey:%s" % fp
user,created = User.objects.get_or_create(username=username)
profile = user.get_profile()
if created:
profile.type = UserProfile.SSHKEY
profile.home = name
profile.display = "SSH Key (%s)" % (fp)
profile.identifier = id
add_member(profile.home,user)
profile.save()
def _add_gridcert(name,keyfile):
p = subprocess.Popen(['openssl','x509','-noout','-fingerprint','-sha1','-in',keyfile.name],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
(out,err) = p.communicate()
code = p.wait()
if code != 0:
raise Exception("Unable to fingerprint X509 certificate: %d - %s" % (code,err))
parts = out.split('=')
fp = re.sub(':','',parts[1].lower())
p = subprocess.Popen(['openssl','x509','-outform','PEM','-in',keyfile.name],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
(out,err) = p.communicate()
code = p.wait()
if code != 0:
raise Exception("Unable to import X509 certificate: %d - %s" % (code,err))
id = out
username = "x509:%s" % fp
user,created = User.objects.get_or_create(username=username)
profile = user.get_profile()
if created:
profile.type = UserProfile.X509
profile.home = name
profile.display = "X509 Certificate (%s)" % (fp)
profile.identifier = id
add_member(profile.home,user)
profile.save()
def home_name(user,short=None,autocreate=False):
if short == None:
short = user.username
urn = lookup("urn",True)
anyuser = lookup("system:anyuser",True)
urn.setacl(anyuser,'rl')
home = lookup('user:'+user.username,autocreate=autocreate)
add_member(home,user,hidden=True)
home.setpacl(home, "rwlida")
home.setacl(home,"rwlia") #don't allow users to delete or reset acls on their home, nor invite members - that would be confusing as hell
home.short = short
home.save()
return home
@login_required
def home(request):
memberships = []
try:
memberships = Membership.objects.filter(user=request.user,hidden=False)
except ObjectDoesNotExist:
pass
user = request.user
profile = user.get_profile()
if profile.home == None:
cn = user.get_full_name()
if not cn:
cn = user.username
profile.home = home_name(user, short=cn, autocreate=True)
names = [(link.src,link.data) for link in NameLink.objects.filter(dst__memberships__user=request.user,type=NameLink.access_control,data__contains='i').all()]
return respond_to(request, {'text/html': 'apps/userprofile/home.html'},{'memberships': memberships,'names': names})
@login_required
def add_sshkey(request,id=None):
name = None
if id == None:
name = request.user.get_profile().home
else:
name = get_object_or_404(Name,pk=id)
if name == None:
return render403(request, "Homeless user.")
if not name.has_permission(request.user,'i'):
return render403(request,"You do not have permission to manage aliases here.")
if not name.parent or name.parent.value != 'user':
return render403(request,"This is the wrong place for that.")
if request.method == 'POST':
form = AddSSHKeyForm(request.POST)
if form.is_valid():
sshkey = form.cleaned_data['sshkey']
keyfile = NamedTemporaryFile()
keyfile.write(sshkey)
keyfile.seek(0)
_add_sshkey(name, keyfile)
keyfile.close()
return HttpResponseRedirect("/user/home")
else:
form = AddSSHKeyForm()
return respond_to(request,{'text/html':'apps/userprofile/sshkey.html'},{'form':form})
@login_required
def add_cert(request,id=None):
name = None
if id == None:
name = request.user.get_profile().home
else:
name = get_object_or_404(Name,pk=id)
if name == None:
return render403(request, "Homeless user.")
if not name.has_permission(request.user,'i'):
return render403(request,"You do not have permission to manage aliases here.")
if not name.parent or name.parent.value != 'user':
return render403(request,"This is the wrong place for that.")
if request.method == 'POST':
form = AddCertificateForm(request.POST)
if form.is_valid():
certificate = form.cleaned_data['certificate']
keyfile = NamedTemporaryFile()
keyfile.write(certificate)
keyfile.seek(0)
_add_gridcert(name, keyfile)
keyfile.close()
return HttpResponseRedirect("/user/home")
else:
form = AddCertificateForm()
return respond_to(request,{'text/html':'apps/userprofile/cert.html'},{'form':form})
@login_required
def add_alias(request,id=None):
name = None
if id == None:
name = request.user.get_profile().home
else:
name = get_object_or_404(Name,pk=id)
if name == None:
return render403(request, "Homeless user.")
if not name.has_permission(request.user,'i'):
return render403(request,"You do not have permission to manage aliases here.")
if not name.parent or name.parent.value != 'user':
return render403(request,"This is the wrong place for that.")
return respond_to(request,{'text/html':'apps/userprofile/addalias.html'})
@login_required
def search(request):
list = []
if request.REQUEST.has_key('term'):
term = request.REQUEST['term']
list = [{'label': userdisplay(user),'value': user.id}
for user in User.objects.filter(Q(username__contains=term) |
Q(profile__display_name__contains=term) |
Q(profile__identifier__contains=term) |
Q(first_name__contains=term) |
Q(last_name__contains=term))]
return json_response(list)
@login_required
def info(request,username):
user = get_object_or_404(User,username=username)
return json_response({'username': user.username});
|
