openshift-origin-auth-remote-user 1.2.3

data/COPYRIGHT

@@ -0,0 +1 @@
+Copyright 2012 Red Hat, Inc. and/or its affiliates.

data/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gemspec

data/LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README-KERB

@@ -0,0 +1,66 @@
+#The Broker side of the configuration requires the mod_auth_kerb package to be
+#installed.
+
+#Apart from that you must also have a kerberos kdc setup.  The service host
+#needs to have a service principle added for the OpenShift broker proxy (httpd)
+#server.  Once a service principle is created, you'll want to add it to the kdc
+#keytab file.  Once added to the kdc keytab file, you'll want to extract the
+#keytab file to the OpenShift broker proxy and point to this extracted keytab
+#file in the OpenShift broker proxy httpd configuration file.
+
+Steps to perform on the kdc:
+1) #install the krb packages
+yum install krb5-workstation krb5-server krb5-libs
+
+2) #create the principle db
+kdb5_util create -s
+
+3) #add the service principle
+kadmin.local -q "addprinc HTTP/www.example.com"
+
+4) #add a user principle
+kadmin
+kadmin: addprinc user@EXAMPLE.COM
+
+5) #add the service principle to the kdc keytab
+kadmin
+kadmin: ktadd HTTP/www.example.com
+
+6) #configure the OpenShift broker proxy krb5 client, you can use something similar to the following:
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+ allow_weak_crypto = yes
+ default_keytab_name = FILE:/var/www/openshift/broker/http/conf.d/http.keytab
+
+[realms]
+ EXAMPLE.COM = {
+  kdc = kerberos.example.com
+  admin_server = kerberos.example.com
+  default_domain = EXAMPLE.COM
+ }
+
+[domain_realm]
+ example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
+
+7) #make sure you can run kinit HTTP/www.example.com successfully.  If you can, it's time to extract the keytab file for the service principle on the OpenShift broker.
+kadmin
+kadmin: ktadd -k /var/www/openshift/broker/httpd/conf.d/http.keytab HTTP/www.example.com
+
+8) #change the ownership of the keytab so it's readable by the httpd process
+chown apache.apache /var/www/openshift/broker/httpd/conf.d/http.keytab
+
+9) #use the provided openshift-origin-auth-remote-user-kerberos.conf.sample file (change if necessary to reflect your service principle service name), rename the sample file (take off the .sample extension)
+mv openshift-origin-auth-remote-user-kerberos.conf.sample openshift-origin-auth-remote-user-kerberos.conf
+
+10) #restart the OpenShift broker service
+service openshift-broker restart

data/README-LDAP

@@ -0,0 +1,25 @@
+#You can setup an ldap server by doing the following:
+
+#install openldap
+yum install openldap*
+
+#stop the ldap service if it's running
+service slapd stop
+
+#import the user ldiff
+slapadd -l ldap-user-sample.ldiff
+
+#change the ownership of /var/lib/ldap
+chown -R ldap.ldap /var/lib/ldap
+
+#start the ldap service
+service slapd start
+
+
+#Now that the ldap service is running, rename the sample httpd configuration file:
+mv openshift-origin-auth-remote-user-ldap.sample openshift-origin-auth-remote-user-ldap.conf
+
+#Change the AuthLDAPURL hostname to reflect the actual hostname or IP address of your ldap server
+#Restart the OpenShift Broker
+
+service openshift-broker restart

data/README.md

@@ -0,0 +1,3 @@
+Notice of Export Control Law
+
+This software distribution includes cryptographic software that is subject to the U.S. Export Administration Regulations (the "*EAR*") and other U.S. and foreign laws and may not be exported, re-exported or transferred (a) to any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR (currently, Cuba, Iran, North Korea, Sudan & Syria); (b) to any prohibited destination or to any end user who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government; or (c) for use in connection with the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, or sounding rockets, or unmanned air vehicle systems.You may not download this software or technical information if you are located in one of these countries or otherwise subject to these restrictions. You may not provide this software or technical information to individuals or entities located in one of these countries or otherwise subject to these restrictions. You are also responsible for compliance with foreign law requirements applicable to the import, export and use of this software and technical information.

data/Rakefile

@@ -0,0 +1,11 @@
+#require "bundler/gem_tasks"
+require 'rake'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  sh "/usr/bin/mongo localhost/openshift_origin_broker_test --eval 'db.addUser(\"openshift\", \"mooo\")'"
+  t.libs << 'test'
+  t.warning = false
+  t.verbose = true
+  t.test_files = FileList['test/**/*_test.rb']
+end

data/conf/openshift-origin-auth-remote-user-basic.conf.sample

@@ -0,0 +1,37 @@
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authz_user_module modules/mod_authz_user.so
+
+<Location /broker>
+    AuthName "OpenShift"
+    AuthType Basic
+    AuthUserFile /etc/openshift/htpasswd
+    require valid-user
+
+    # The node->broker auth is handled in the Ruby code
+    BrowserMatchNoCase ^OpenShift passthrough
+    Allow from env=passthrough
+
+    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
+    SetEnvIf X-Forwarded-For "^$" local_traffic=1
+    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
+    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
+    Allow from env=local_traffic
+
+    Order Deny,Allow
+    Deny from all
+    Satisfy any
+</Location>
+
+# The following APIs do not require auth:
+<Location /broker/rest/application_templates*>
+    Allow from all
+</Location>
+
+<Location /broker/rest/cartridges*>
+    Allow from all
+</Location>
+
+<Location /broker/rest/api*>
+    Allow from all
+</Location>

data/conf/openshift-origin-auth-remote-user-kerberos.conf.sample

@@ -0,0 +1,41 @@
+# Provided by the mod_auth_kerb package
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule auth_kerb_module modules/mod_auth_kerb.so
+<Location /broker>
+    AuthName "OpenShift"
+    AuthType Kerberos
+    KrbMethodNegotiate On
+    KrbMethodK5Passwd On
+    KrbServiceName HTTP/www.example.com
+    KrbAuthRealms EXAMPLE.COM
+    Krb5KeyTab /var/www/openshift/broker/httpd/conf.d/http.keytab
+    require valid-user
+
+    # The node->broker auth is handled in the Ruby code
+    BrowserMatchNoCase ^OpenShift passthrough
+    Allow from env=passthrough
+
+    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
+    SetEnvIf X-Forwarded-For "^$" local_traffic=1
+    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
+    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
+    Allow from env=local_traffic
+
+    Order Deny,Allow
+    Deny from all
+    Satisfy any
+</Location>
+
+# The following APIs do not require auth:
+<Location /broker/rest/application_templates*>
+    Allow from all
+</Location>
+
+<Location /broker/rest/cartridges*>
+    Allow from all
+</Location>
+
+<Location /broker/rest/api*>
+    Allow from all
+</Location>

data/conf/openshift-origin-auth-remote-user-ldap.conf.sample

@@ -0,0 +1,46 @@
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule ldap_module modules/mod_ldap.so
+LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+
+# By default the LDAPCacheTTL directive is set to 600 seconds.  If you want to
+# effectively disable LDAP caching in mod_ldap, set the directive to 0. There
+# is a performance trade-off, but disabling the cache will make things like
+# password changes effective immediately.
+# http://httpd.apache.org/docs/2.4/mod/mod_ldap.html
+# LDAPCacheTTL 0
+
+<Location /broker>
+    AuthName "OpenShift"
+    AuthType Basic
+    AuthBasicProvider ldap
+    AuthLDAPURL "ldap://ldap.example.com:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)"
+    require valid-user
+
+    # The node->broker auth is handled in the Ruby code
+    BrowserMatchNoCase ^OpenShift passthrough
+    Allow from env=passthrough
+
+    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
+    SetEnvIf X-Forwarded-For "^$" local_traffic=1
+    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
+    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
+    Allow from env=local_traffic
+
+    Order Deny,Allow
+    Deny from all
+    Satisfy any
+</Location>
+
+# The following APIs do not require auth:
+<Location /broker/rest/application_templates*>
+    Allow from all
+</Location>
+
+<Location /broker/rest/cartridges*>
+    Allow from all
+</Location>
+
+<Location /broker/rest/api*>
+    Allow from all
+</Location>

data/conf/openshift-origin-auth-remote-user.conf.example

@@ -0,0 +1 @@
+TRUSTED_HEADER="REMOTE_USER"

data/config/initializers/openshift-origin-auth-remote-user.rb

@@ -0,0 +1,16 @@
+require 'openshift-origin-common'
+
+Broker::Application.configure do
+  conf_file = File.join(OpenShift::Config::PLUGINS_DIR, File.basename(__FILE__, '.rb') + '.conf')
+  if Rails.env.development?
+    dev_conf_file = File.join(OpenShift::Config::PLUGINS_DIR, File.basename(__FILE__, '.rb') + '-dev.conf')
+    if File.exist? dev_conf_file
+      conf_file = dev_conf_file
+    else
+      Rails.logger.info "Development configuration for #{File.basename(__FILE__, '.rb')} not found. Using production configuration."
+    end
+  end
+  conf = OpenShift::Config.new(conf_file)
+
+  config.auth[:trusted_header] = conf.get("TRUSTED_HEADER", "REMOTE_USER")
+end

data/config/routes.rb

@@ -0,0 +1,9 @@
+Rails.application.routes.draw do
+=begin
+  scope "/rest" do
+    constraints(:ip => %r(127.0.\d+.\d+)) do
+      resource :accounts, :only => [:create], :controller => :account
+    end
+  end
+=end
+end

data/lib/openshift-origin-auth-remote-user.rb

@@ -0,0 +1,8 @@
+module OpenShift
+  module RemoteUserAuthServiceModule
+    require 'remote_user_auth_engine' if defined?(Rails) && Rails::VERSION::MAJOR == 3
+  end
+end
+
+require "openshift/remote_user_auth_service.rb"
+OpenShift::AuthService.provider=OpenShift::RemoteUserAuthService

data/lib/openshift/remote_user_auth_service.rb

@@ -0,0 +1,40 @@
+require 'rubygems'
+require 'openshift-origin-controller'
+require 'date'
+
+module OpenShift
+  class RemoteUserAuthService < OpenShift::AuthService
+
+    def initialize
+      super
+
+      @trusted_header = @auth_info[:trusted_header]
+    end
+
+    # The base_controller will actually pass in a password but it can't be
+    # trusted.  REMOTE_USER must only be set if the web server has verified the
+    # password.
+    def authenticate(request, login=nil, password=nil)
+      if request.headers['User-Agent'] == "OpenShift"
+        # password == iv, login == key
+        return validate_broker_key(password, login)
+      else
+        authenticated_user = request.env[@trusted_header]
+        raise OpenShift::AccessDeniedException if authenticated_user.nil?
+        return {:username => authenticated_user, :auth_method => :login}
+      end
+    end
+
+    # This is only called by the legacy controller and should be removed as
+    # soon as all clients have been ported.
+    def login(request, params, cookies)
+      if params['broker_auth_key'] && params['broker_auth_iv']
+        return validate_broker_key(params['broker_auth_iv'], params['broker_auth_key'])
+      else
+        username = request.env[@trusted_header]
+        Rails.logger.debug("Found" + username)
+        return authenticate(request, username)
+      end
+    end
+  end
+end

data/lib/remote_user_auth_engine.rb

@@ -0,0 +1,7 @@
+require 'openshift-origin-controller'
+require 'rails'
+
+module OpenShift
+  class RemoteUserAuthServiceEngine < ::Rails::Engine
+  end
+end

data/openshift-origin-auth-remote-user.gemspec

@@ -0,0 +1,33 @@
+# -*- encoding: utf-8 -*-
+config_dir  = File.join(File.join("config", "**"), "*")
+$:.push File.expand_path("../lib", __FILE__)
+lib_dir  = File.join(File.join("lib", "**"), "*")
+test_dir  = File.join(File.join("test", "**"), "*")
+bin_dir  = File.join("bin","*")
+conf_dir  = File.join(File.join("conf", "**"), "*")
+spec_file = "rubygem-openshift-origin-auth-remote-user.spec"
+
+Gem::Specification.new do |s|
+  s.name        = "openshift-origin-auth-remote-user"
+  s.version     = `rpm -q --define 'rhel 7' --qf "%{version}\n" --specfile #{spec_file}`.split[0]
+  s.license     = `rpm -q --define 'rhel 7' --qf "%{license}\n" --specfile #{spec_file}`.split[0]
+  s.authors     = ["Brenton Leanhardt"]
+  s.email       = ["bleanhar@redhat.com"]
+  s.homepage    = `rpm -q --define 'rhel 7' --qf "%{url}\n" --specfile #{spec_file}`.split[0]
+  s.summary     = `rpm -q --define 'rhel 7' --qf "%{description}\n" --specfile #{spec_file}`.split[0]
+  s.description = `rpm -q --define 'rhel 7' --qf "%{description}\n" --specfile #{spec_file}`.split[0]
+
+  s.rubyforge_project = "openshift-origin-auth-remote-user"
+
+  s.files       = Dir[lib_dir] + Dir[bin_dir] + Dir[conf_dir] + Dir[config_dir]
+  s.test_files  = Dir[test_dir]
+  s.executables = Dir[bin_dir].map {|binary| File.basename(binary)}
+  s.files       += %w(README.md Rakefile Gemfile rubygem-openshift-origin-auth-remote-user.spec openshift-origin-auth-remote-user.gemspec LICENSE COPYRIGHT README-LDAP README-KERB)
+  s.require_paths = ["lib"]
+
+  s.add_dependency('openshift-origin-controller')
+  s.add_dependency('json')
+  s.add_development_dependency('rake', '>= 0.8.7', '<= 0.9.2.2')
+  s.add_development_dependency('bundler')
+  s.add_development_dependency('mocha')
+end

data/rubygem-openshift-origin-auth-remote-user.spec

@@ -0,0 +1,110 @@
+%define brokerdir %{_var}/www/openshift/broker
+
+%if 0%{?fedora}%{?rhel} <= 6
+    %global scl ruby193
+    %global scl_prefix ruby193-
+%endif
+%{!?scl:%global pkg_name %{name}}
+%{?scl:%scl_package rubygem-%{gem_name}}
+%global gem_name openshift-origin-auth-remote-user
+%global rubyabi 1.9.1
+
+Summary:        OpenShift plugin for remote-user authentication
+Name:           rubygem-%{gem_name}
+Version: 1.2.3
+Release:        1%{?dist}
+Group:          Development/Languages
+License:        ASL 2.0
+URL:            http://openshift.redhat.com
+Source0:        rubygem-%{gem_name}-%{version}.tar.gz
+Requires:       %{?scl:%scl_prefix}ruby(abi) = %{rubyabi}
+Requires:       %{?scl:%scl_prefix}ruby
+Requires:       %{?scl:%scl_prefix}rubygems
+Requires:       rubygem(openshift-origin-common)
+Requires:       %{?scl:%scl_prefix}rubygem(json)
+Requires:       openshift-broker
+
+%if 0%{?fedora}%{?rhel} <= 6
+BuildRequires:  ruby193-build
+BuildRequires:  scl-utils-build
+%endif
+BuildRequires:  %{?scl:%scl_prefix}ruby(abi) = %{rubyabi}
+BuildRequires:  %{?scl:%scl_prefix}ruby 
+BuildRequires:  %{?scl:%scl_prefix}rubygems
+BuildRequires:  %{?scl:%scl_prefix}rubygems-devel
+BuildArch:      noarch
+Provides:       rubygem(%{gem_name}) = %version
+
+%description
+Provides a remote-user auth service based plugin
+
+%prep
+%setup -q
+
+%build
+%{?scl:scl enable %scl - << \EOF}
+mkdir -p ./%{gem_dir}
+# Create the gem as gem install only works on a gem file
+gem build %{gem_name}.gemspec
+export CONFIGURE_ARGS="--with-cflags='%{optflags}'"
+# gem install compiles any C extensions and installs into a directory
+# We set that to be a local directory so that we can move it into the
+# buildroot in %%install
+gem install -V \
+        --local \
+        --install-dir ./%{gem_dir} \
+        --bindir ./%{_bindir} \
+        --force \
+        --rdoc \
+        %{gem_name}-%{version}.gem
+%{?scl:EOF}
+
+%install
+mkdir -p %{buildroot}%{gem_dir}
+cp -a ./%{gem_dir}/* %{buildroot}%{gem_dir}/
+
+# Add documents/examples
+mkdir -p %{buildroot}%{_docdir}/%{name}-%{version}/
+cp -r doc/* %{buildroot}%{_docdir}/%{name}-%{version}/
+
+mkdir -p %{buildroot}%{brokerdir}/httpd/conf.d
+install -m 755 conf/%{gem_name}-basic.conf.sample %{buildroot}%{brokerdir}/httpd/conf.d
+install -m 755 conf/%{gem_name}-ldap.conf.sample %{buildroot}%{brokerdir}/httpd/conf.d
+install -m 755 conf/%{gem_name}-kerberos.conf.sample %{buildroot}%{brokerdir}/httpd/conf.d
+
+mkdir -p %{buildroot}/etc/openshift/plugins.d
+cp conf/openshift-origin-auth-remote-user.conf.example %{buildroot}/etc/openshift/plugins.d/openshift-origin-auth-remote-user.conf.example
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+%doc %{gem_docdir}
+%doc %{_docdir}/%{name}-%{version}
+%{gem_instdir}
+%{gem_spec}
+%{gem_cache}
+%{brokerdir}/httpd/conf.d/%{gem_name}-basic.conf.sample
+%{brokerdir}/httpd/conf.d/%{gem_name}-ldap.conf.sample
+%{brokerdir}/httpd/conf.d/%{gem_name}-kerberos.conf.sample
+/etc/openshift/plugins.d/openshift-origin-auth-remote-user.conf.example
+
+%changelog
+* Wed Dec 05 2012 Adam Miller <admiller@redhat.com> 1.2.3-1
+- updated gemspecs so they work with scl rpm spec files. (tdawson@redhat.com)
+
+* Thu Nov 29 2012 Adam Miller <admiller@redhat.com> 1.2.2-1
+- add oo-ruby (dmcphers@redhat.com)
+
+* Sat Nov 17 2012 Adam Miller <admiller@redhat.com> 1.2.1-1
+- bump_minor_versions for sprint 21 (admiller@redhat.com)
+
+* Wed Nov 14 2012 Adam Miller <admiller@redhat.com> 1.1.2-1
+- add config to gemspec (dmcphers@redhat.com)
+- Moving plugins to Rails 3.2.8 engine (kraman@gmail.com)
+- getting specs up to 1.9 sclized (dmcphers@redhat.com)
+- specifying rake gem version range (abhgupta@redhat.com)
+
+* Thu Nov 01 2012 Adam Miller <admiller@redhat.com> 1.1.1-1
+- bump_minor_versions for sprint 20 (admiller@redhat.com)