| blob | 19e62e2f29518e15f8f95f56747c03259f762c71 |
1 #!/usr/bin/python
2 # -*- encoding: utf-8; py-indent-offset: 4 -*-
3 # +------------------------------------------------------------------+
4 # | ____ _ _ __ __ _ __ |
5 # | / ___| |__ ___ ___| | __ | \/ | |/ / |
6 # | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
7 # | | |___| | | | __/ (__| < | | | | . \ |
8 # | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
9 # | |
10 # | Copyright Mathias Kettner 2014 mk@mathias-kettner.de |
11 # +------------------------------------------------------------------+
12 #
13 # This file is part of Check_MK.
14 # The official homepage is at http://mathias-kettner.de/check_mk.
15 #
16 # check_mk is free software; you can redistribute it and/or modify it
17 # under the terms of the GNU General Public License as published by
18 # the Free Software Foundation in version 2. check_mk is distributed
19 # in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
20 # out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
21 # PARTICULAR PURPOSE. See the GNU General Public License for more de-
22 # tails. You should have received a copy of the GNU General Public
23 # License along with GNU Make; see the file COPYING. If not, write
24 # to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
25 # Boston, MA 02110-1301 USA.
27 # TODO: Rework connection management and multiplexing
29 import time
30 import os
31 import traceback
32 import copy
35 import six
50 DualListChoice,
51 TextAscii,
52 DropdownChoice,
53 )
61 user_attribute_registry,
62 user_connector_registry,
63 )
65 # Datastructures and functions needed before plugins can be loaded
68 # Custom user attributes
69 user_attributes = {}
70 builtin_user_attribute_names = []
72 # Connection configuration
73 connection_dict = {}
74 # Connection object dictionary
75 g_connections = {}
79 # Load all userdb plugins
87 # Cleanup eventual still open connections
91 global loaded_with_language
93 return
97 # This must be set after plugin loading to make broken plugins raise
98 # exceptions all the time and not only the first time (when the plugins
99 # are loaded).
103 # Cleans up at the end of a request: Cleanup eventual open connections
109 # Returns a list of two part tuples where the first element is the unique
110 # connection id and the second element the connector specification dict
112 connections = []
115 # htpasswd connector is enabled by default and always executed first
120 continue
125 continue
128 return connections
142 # When at least one LDAP connection is defined and active a sync is possible
151 # Old Check_MK used a static "ldap" connector id for all LDAP users.
152 # Since Check_MK now supports multiple LDAP connections, the ID has
153 # been changed to "default". But only transform this when there is
154 # no connection existing with the id LDAP.
158 return connection_id
161 # Returns the connection object of the requested connection id. This function
162 # maintains a cache that for a single connection_id only one object per request
163 # is created.
173 return connection
176 # Returns a list of connection specific locked attributes
181 # Returns a list of connection specific multisite attributes
186 # Returns a list of connection specific non contact attributes
199 new_user = {
202 }
204 # Apply the default user profile
206 return new_user
217 # Call the sync function for this new user
229 return True
236 return True
241 # This function is called very often during regular page loads so it has to be efficient
242 # even when having a lot of users.
243 #
244 # When using the multisite authentication with just by WATO created users it would be
245 # easy, but we also need to deal with users which are only existant in the htpasswd
246 # file and don't have a profile directory yet.
249 return True
279 return timed_out
284 return
296 # userdb.need_to_change_pw returns either False or the reason description why the
297 # password needs to be changed
306 # The age of the password is unknown. Assume the user has just set
307 # the password to have the first access after enabling password aging
308 # as starting point for the password period. This bewares all users
309 # from needing to set a new password after enabling aging.
311 return False
314 return False
336 # Old vs:
337 #ListChoice(
338 # title = _('Automatic User Synchronization'),
339 # help = _('By default the users are synchronized automatically in several situations. '
340 # 'The sync is started when opening the "Users" page in configuration and '
341 # 'during each page rendering. Each connector can then specify if it wants to perform '
342 # 'any actions. For example the LDAP connector will start the sync once the cached user '
343 # 'information are too old.'),
344 # default_value = [ 'wato_users', 'page', 'wato_pre_activate_changes', 'wato_snapshot_pushed' ],
345 # choices = [
346 # ('page', _('During regular page processing')),
347 # ('wato_users', _('When opening the users\' configuration page')),
348 # ('wato_pre_activate_changes', _('Before activating the changed configuration')),
349 # ('wato_snapshot_pushed', _('On a remote site, when it receives a new configuration')),
350 # ],
351 # allow_empty = True,
352 #),
355 # legacy compat - disabled
356 return None
359 # legacy compat - all connections
362 return val
366 """Dropdown for choosing a multisite user"""
384 return elements
393 #.
394 # .--User Session--------------------------------------------------------.
395 # | _ _ ____ _ |
396 # | | | | |___ ___ _ __ / ___| ___ ___ ___(_) ___ _ __ |
397 # | | | | / __|/ _ \ '__| \___ \ / _ \/ __/ __| |/ _ \| '_ \ |
398 # | | |_| \__ \ __/ | ___) | __/\__ \__ \ | (_) | | | | |
399 # | \___/|___/\___|_| |____/ \___||___/___/_|\___/|_| |_| |
400 # | |
401 # +----------------------------------------------------------------------+
402 # | When single users sessions are activated, a user an only login once |
403 # | a time. In case a user tries to login a second time, an error is |
404 # | shown to the later login. |
405 # | |
406 # | To make this feature possible a session ID is computed during login, |
407 # | saved in the users cookie and stored in the user profile together |
408 # | with the current time as "last activity" timestamp. This timestamp |
409 # | is updated during each user activity in the GUI. |
410 # | |
411 # | Once a user logs out or the "last activity" is older than the |
412 # | configured session timeout, the session is invalidated. The user |
413 # | can then login again from the same client or another one. |
414 # '----------------------------------------------------------------------'
433 return False
456 # Creates a new user login session (if single user session mode is enabled) and
457 # returns the session_id of the new session.
464 return session_id
467 # Creates a random session id for the user and returns it.
472 # Updates the current session of the user and returns the session_id or only
473 # returns an empty string when single user session mode is not enabled.
490 # Saves the current session_id and the current time (last activity)
495 # Returns either None (when no session_id available) or a two element
496 # tuple where the first element is the sesssion_id and the second the
497 # timestamp of the last activity.
504 return None
510 #.
511 # .-Users----------------------------------------------------------------.
512 # | _ _ |
513 # | | | | |___ ___ _ __ ___ |
514 # | | | | / __|/ _ \ '__/ __| |
515 # | | |_| \__ \ __/ | \__ \ |
516 # | \___/|___/\___|_| |___/ |
517 # | |
518 # +----------------------------------------------------------------------+
523 from_config):
551 # TODO: Legacy plugin API. Converts to new internal structure. Drop this with 1.6 or later.
553 vs,
562 # FIXME: The classmethods "name" and "topic" shadow the arguments from the function scope.
563 # Any use off "name" and "topic" inside the class will result in a NameError.
564 attr_name = name
565 attr_topic = topic
569 _name = attr_name
570 _valuespec = vs
573 @classmethod
577 @classmethod
581 @classmethod
593 )
604 # Note: the lock will be released on next save_users() call or at
605 # end of page request automatically.
611 # First load monitoring contacts from Check_MK's world. If this is
612 # the first time, then the file will be empty, which is no problem.
613 # Execfile will the simply leave contacts = {} unchanged.
616 # Now load information about users from the GUI config world
620 # Merge them together. Monitoring users not known to Multisite
621 # will be added later as normal users.
622 result = {}
624 # Transform user IDs which were stored with a wrong type
632 # Convert non unicode mail addresses
636 # This loop is only neccessary if someone has edited
637 # contacts.mk manually. But we want to support that as
638 # far as possible.
640 # Transform user IDs which were stored with a wrong type
650 # Passwords are read directly from the apache htpasswd-file.
651 # That way heroes of the command line will still be able to
652 # change passwords with htpasswd. Users *only* appearing
653 # in htpasswd will also be loaded and assigned to the role
654 # they are getting according to the multisite old-style
655 # configuration variables.
663 # FIXME TODO: Consolidate with htpasswd user connector
679 # Create entry if this is an admin user
680 new_user = {
684 }
686 # Make sure that the user has an alias
688 # Other unknown entries will silently be dropped. Sorry...
690 # Now read the serials, only process for existing users
700 # Now read the user specific files
706 # read special values from own files
715 ]:
720 # read automation secrets and add them to existing
721 # users or create new users automatically
733 }
735 # populate the users cache
738 return result
750 return default
768 users = []
772 return users
782 # Execute user connector save hooks
791 # Release the lock to make other threads access possible again asap
792 # This lock is set by load_users() only in the case something is expected
793 # to be written (like during user syncs, wato, ...)
796 # populate the users cache
797 # TODO: Can we clean this up?
800 # Call the users_saved hook
808 # TODO: Isn't this needed only while generating the contacts.mk?
809 # Check this and move it to the right place
813 # Add custom macros
820 return updated_profiles
823 # Write user specific files
832 # authentication secret for local processes
839 # Write out user attributes which are written to dedicated files in the user
840 # profile directory. The primary reason to have separate files, is to reduce
841 # the amount of data to be loaded during regular page processing
854 # Write out the last seent time
861 # During deletion of users we don't delete files which might contain user settings
862 # and e.g. customized views which are not easy to reproduce. We want to keep the
863 # files which are the result of a lot of work even when e.g. the LDAP sync deletes
864 # a user by accident. But for some internal files it is ok to delete them.
865 #
866 # Be aware: The user_exists() function relies on these files to be deleted.
868 profile_files_to_delete = [
872 ]
878 continue
897 non_contact_attributes_cache = {}
898 multisite_attributes_cache = {}
908 # Remove multisite keys in contacts.
909 # TODO: Clean this up. Just improved the performance, but still have no idea what its actually doing...
913 user,
918 # Only allow explicitely defined attributes to be written to multisite config
919 users = {}
926 # Check_MK's monitoring contacts
930 contacts,
933 # GUI specific user configuration
937 users,
941 # User attributes not to put into contact definitions for Check_MK
959 # User attributes to put into multisite configuration
976 # Write out the users serials
1004 }
1009 # Only save contact AND multisite attributes to the profile. Not the
1010 # infos that are stored in the custom attribute files.
1011 cache = {}
1026 # No cached profile present. Load all users to get the users data
1042 #.
1043 # .-Roles----------------------------------------------------------------.
1044 # | ____ _ |
1045 # | | _ \ ___ | | ___ ___ |
1046 # | | |_) / _ \| |/ _ \/ __| |
1047 # | | _ < (_) | | __/\__ \ |
1048 # | |_| \_\___/|_|\___||___/ |
1049 # | |
1050 # +----------------------------------------------------------------------+
1058 )
1060 # Make sure that "general." is prefixed to the general permissions
1061 # (due to a code change that converted "use" into "general.use", etc.
1062 # TODO: Can't we drop this? This seems to be from very early days of the GUI
1069 # Reflect the data in the roles dict kept in the config module needed
1070 # for instant changes in current page while saving modified roles.
1071 # Otherwise the hooks would work with old data when using helper
1072 # functions from the config module
1073 # TODO: load_roles() should not update global structures
1076 return roles
1080 """Returns a role dictionary containing the bultin default roles"""
1081 builtin_role_names = {
1085 }
1087 rid: {
1092 }
1095 #.
1096 # .-Groups---------------------------------------------------------------.
1097 # | ____ |
1098 # | / ___|_ __ ___ _ _ _ __ ___ |
1099 # | | | _| '__/ _ \| | | | '_ \/ __| |
1100 # | | |_| | | | (_) | |_| | |_) \__ \ |
1101 # | \____|_| \___/ \__,_| .__/|___/ |
1102 # | |_| |
1103 # +----------------------------------------------------------------------+
1104 # TODO: Contact groups are fine here, but service / host groups?
1111 # Merge information from Check_MK and Multisite worlds together
1112 groups = {}
1121 return groups
1125 """Load group information from Check_MK world"""
1126 group_specs = {
1130 }
1136 # Now load information from the Web world
1137 group_specs = {
1141 }
1161 #.
1162 # .-Custom-Attrs.--------------------------------------------------------.
1163 # | ____ _ _ _ _ |
1164 # | / ___| _ ___| |_ ___ _ __ ___ / \ | |_| |_ _ __ ___ |
1165 # | | | | | | / __| __/ _ \| '_ ` _ \ _____ / _ \| __| __| '__/ __| |
1166 # | | |__| |_| \__ \ || (_) | | | | | |_____/ ___ \ |_| |_| | \__ \_ |
1167 # | \____\__,_|___/\__\___/|_| |_| |_| /_/ \_\__|\__|_| |___(_) |
1168 # | |
1169 # +----------------------------------------------------------------------+
1170 # | Mange custom attributes of users (in future hosts etc.) |
1171 # '----------------------------------------------------------------------'
1183 # TODO: This method uses LegacyUserAttribute(). Use another class for
1184 # this kind of attribute
1187 vs,
1193 )
1203 #.
1204 # .--ConnectorCfg--------------------------------------------------------.
1205 # | ____ _ ____ __ |
1206 # | / ___|___ _ __ _ __ ___ ___| |_ ___ _ __ / ___|/ _| __ _ |
1207 # | | | / _ \| '_ \| '_ \ / _ \/ __| __/ _ \| '__| | | |_ / _` | |
1208 # | | |__| (_) | | | | | | | __/ (__| || (_) | | | |___| _| (_| | |
1209 # | \____\___/|_| |_|_| |_|\___|\___|\__\___/|_| \____|_| \__, | |
1210 # | |___/ |
1211 # +----------------------------------------------------------------------+
1212 # | The user can enable and configure a list of user connectors which |
1213 # | are then used by the userdb to fetch user / group information from |
1214 # | external sources like LDAP servers. |
1215 # '----------------------------------------------------------------------'
1225 base_dir = multisite_dir
1234 #.
1235 # .-Hooks----------------------------------------------------------------.
1236 # | _ _ _ |
1237 # | | | | | ___ ___ | | _____ |
1238 # | | |_| |/ _ \ / _ \| |/ / __| |
1239 # | | _ | (_) | (_) | <\__ \ |
1240 # | |_| |_|\___/ \___/|_|\_\___/ |
1241 # | |
1242 # +----------------------------------------------------------------------+
1245 # This hook is called to validate the login credentials provided by a user
1249 # None -> User unknown, means continue with other connectors
1250 # '<user_id>' -> success
1251 # False -> failed
1253 username = result
1258 # Check whether or not the user exists (and maybe create it)
1262 # A CME not assigned with the current sites customer
1263 # is not allowed to login
1265 return False
1267 # Now, after successfull login (and optional user account
1268 # creation), check whether or not the user is locked.
1269 # In e.g. htpasswd connector this is checked by validating the
1270 # password against the hash in the htpasswd file prefixed with
1271 # a "!". But when using other conectors it might be neccessary
1272 # to validate the user "locked" attribute.
1277 return result
1280 return result
1288 # Hook function can be registered here to be executed during saving of the
1289 # new user construct
1296 raise
1301 # This function registers general stuff, which is independet of the single
1302 # connectors to each page load. It is exectued AFTER all other connections jobs.
1304 # Working around the problem that the auth.php file needed for multisite based
1305 # authorization of external addons might not exist when setting up a new installation
1306 # We assume: Each user must visit this login page before using the multisite based
1307 # authorization. So we can easily create the file here if it is missing.
1308 # This is a good place to replace old api based files in the future.
1313 # Create initial auth.serials file, same issue as auth.php above
1320 """This function is called by the GUI cron job once a minute.
1322 Errors are logged to var/log/web.log. """
1324 return
1329 return
1335 # Legacy option config.userdb_automatic_sync defaulted to "master".
1336 # Can be: None: (no sync), "all": all sites sync, "master": only master site sync
1337 # Take that option into account for compatibility reasons.
1338 # For remote sites in distributed setups, the default is to do no sync.
1347 user_sync_default = global_user_sync
1349 return user_sync_default
1353 # use global option as default for reading legacy options and on remote site
1354 # for reading the value set by the WATO master site
1366 return False
1368 return True
1384 raise
1395 kwargs = {}
1416 continue
1430 return True