web UI auth: decouple auth_user from session

Sessions are processed in web UI part only. Pcsd backend does not work with sessions so it only gets who is logged in and not the whole session.
ClusterLabs · Feb 15, 2016 · bc6ad90 · bc6ad90
1 parent b9e7f06
commit bc6ad90
Show file tree

Hide file tree

Showing 10 changed files with 525 additions and 490 deletions.
diff --git a/pcsd/auth.rb b/pcsd/auth.rb
@@ -47,7 +47,7 @@ def self.validUser(username, password, generate_token = false)
 
   def self.getUsersGroups(username)
     stdout, stderr, retval = run_cmd(
-      getSuperuserSession, "id", "-Gn", username
+      getSuperuserAuth(), "id", "-Gn", username
     )
     if retval != 0
       $logger.info(
@@ -94,41 +94,43 @@ def self.validToken(token)
     return false
   end
 
-  def self.loginByToken(session, cookies)
+  def self.loginByToken(cookies)
+    auth_user = {}
     if username = validToken(cookies["token"])
       if SUPERUSER == username
         if cookies['CIB_user'] and cookies['CIB_user'].strip != ''
-          session[:username] = cookies['CIB_user']
+          auth_user[:username] = cookies['CIB_user']
           if cookies['CIB_user_groups'] and cookies['CIB_user_groups'].strip != ''
-            session[:usergroups] = cookieUserDecode(
+            auth_user[:usergroups] = cookieUserDecode(
               cookies['CIB_user_groups']
             ).split(nil)
           else
-            session[:usergroups] = []
+            auth_user[:usergroups] = []
           end
         else
-          session[:username] = SUPERUSER
+          auth_user[:username] = SUPERUSER
-          session[:usergroups] = []
+          auth_user[:usergroups] = []
         end
-        return true
+        return auth_user
       else
-        session[:username] = username
+        auth_user[:username] = username
         success, groups = getUsersGroups(username)
-        session[:usergroups] = success ? groups : []
+        auth_user[:usergroups] = success ? groups : []
-        return true
+        return auth_user
       end
     end
-    return false
+    return nil
   end
 
-  def self.loginByPassword(session, username, password)
+  def self.loginByPassword(username, password)
     if validUser(username, password)
-      session[:username] = username
+      auth_user = {}
+      auth_user[:username] = username
       success, groups = getUsersGroups(username)
-      session[:usergroups] = success ? groups : []
+      auth_user[:usergroups] = success ? groups : []
-      return true
+      return auth_user
     end
-    return false
+    return nil
   end
 
   def self.isLoggedIn(session)
@@ -141,7 +143,7 @@ def self.isLoggedIn(session)
     return false
   end
 
-  def self.getSuperuserSession()
+  def self.getSuperuserAuth()
     return {
       :username => SUPERUSER,
       :usergroups => [],
@@ -162,5 +164,17 @@ def self.cookieUserEncode(text)
   def self.cookieUserDecode(text)
     return Base64.decode64(text)
   end
+
+  def self.sessionToAuthUser(session)
+    return {
+      :username => session[:username],
+      :usergroups => session[:usergroups],
+    }
+  end
+
+  def self.authUserToSession(auth_user, session)
+    session[:username] = auth_user[:username]
+    session[:usergroups] = auth_user[:usergroups]
+  end
 end
 
diff --git a/pcsd/cfgsync.rb b/pcsd/cfgsync.rb
@@ -425,15 +425,15 @@ def self.save(data)
 
 
   class ConfigPublisher
-    def initialize(session, configs, nodes, cluster_name, tokens={})
+    def initialize(auth_user, configs, nodes, cluster_name, tokens={})
       @configs = configs
       @nodes = nodes
       @cluster_name = cluster_name
       @published_configs_names = @configs.collect { |cfg|
         cfg.class.name
       }
       @additional_tokens = tokens
-      @session = session
+      @auth_user = auth_user
     end
 
     def send(force=false)
@@ -451,7 +451,7 @@ def send(force=false)
       @nodes.each { |node|
         threads << Thread.new {
           code, out = send_request_with_token(
-            @session, node, 'set_configs', true, data, true, nil, 30,
+            @auth_user, node, 'set_configs', true, data, true, nil, 30,
             @additional_tokens
           )
           if 200 == code
@@ -535,11 +535,11 @@ def get_old_local_configs(node_response, published_configs_names)
 
 
   class ConfigFetcher
-    def initialize(session, config_classes, nodes, cluster_name)
+    def initialize(auth_user, config_classes, nodes, cluster_name)
       @config_classes = config_classes
       @nodes = nodes
       @cluster_name = cluster_name
-      @session = session
+      @auth_user = auth_user
     end
 
     def fetch_all()
@@ -591,7 +591,7 @@ def get_configs_cluster(nodes, cluster_name)
       nodes.each { |node|
         threads << Thread.new {
           code, out = send_request_with_token(
-            @session, node, 'get_configs', false, data
+            @auth_user, node, 'get_configs', false, data
           )
           if 200 == code
             begin
@@ -700,13 +700,13 @@ def self.save_sync_new_version(config, nodes, cluster_name, fetch_on_conflict, t
     else
       # we run in a cluster so we need to sync the config
       publisher = ConfigPublisher.new(
-        PCSAuth.getSuperuserSession(), [config], nodes, cluster_name, tokens
+        PCSAuth.getSuperuserAuth(), [config], nodes, cluster_name, tokens
       )
       old_configs, node_responses = publisher.publish()
       if old_configs.include?(config.class.name)
         if fetch_on_conflict
           fetcher = ConfigFetcher.new(
-            PCSAuth.getSuperuserSession(), [config.class], nodes, cluster_name
+            PCSAuth.getSuperuserAuth(), [config.class], nodes, cluster_name
           )
           cfgs_to_save, _ = fetcher.fetch()
           cfgs_to_save.each { |cfg_to_save|
@@ -751,7 +751,7 @@ def self.save_sync_new_tokens(config, new_tokens, nodes, cluster_name)
     end
     # we run in a cluster so we need to sync the config
     publisher = ConfigPublisher.new(
-      PCSAuth.getSuperuserSession(), [config_new], nodes, cluster_name,
+      PCSAuth.getSuperuserAuth(), [config_new], nodes, cluster_name,
       new_tokens
     )
     old_configs, node_responses = publisher.publish()
@@ -761,7 +761,7 @@ def self.save_sync_new_tokens(config, new_tokens, nodes, cluster_name)
     end
     # get tokens from all nodes and merge them
     fetcher = ConfigFetcher.new(
-      PCSAuth.getSuperuserSession(), [config_new.class], nodes, cluster_name
+      PCSAuth.getSuperuserAuth(), [config_new.class], nodes, cluster_name
     )
     fetched_tokens = fetcher.fetch_all()[config_new.class.name]
     config_new = Cfgsync::merge_tokens_files(config, fetched_tokens, new_tokens)

diff --git a/pcsd/cluster_entity.rb b/pcsd/cluster_entity.rb
@@ -1018,7 +1018,7 @@ def initialize
       @pcsd_enabled = false
     end
 
-    def self.load_current_node(session, crm_dom=nil)
+    def self.load_current_node(crm_dom=nil)
       node = ClusterEntity::Node.new
       node.corosync = corosync_running?
       node.corosync_enabled = corosync_enabled?

diff --git a/pcsd/fenceagent.rb b/pcsd/fenceagent.rb
@@ -1,4 +1,4 @@
-def getFenceAgents(session, fence_agent = nil)
+def getFenceAgents(auth_user, fence_agent = nil)
   fence_agent_list = {}
   agents = Dir.glob('/usr/sbin/fence_' + '*')
   agents.each { |a|
@@ -7,7 +7,7 @@ def getFenceAgents(session, fence_agent = nil)
     next if fa.name == "fence_ack_manual"
 
     if fence_agent and a.sub(/.*\//,"") == fence_agent.sub(/.*:/,"")
-      required_options, optional_options, advanced_options, info = getFenceAgentMetadata(session, fa.name)
+      required_options, optional_options, advanced_options, info = getFenceAgentMetadata(auth_user, fa.name)
       fa.required_options = required_options
       fa.optional_options = optional_options
       fa.advanced_options = advanced_options
@@ -18,7 +18,7 @@ def getFenceAgents(session, fence_agent = nil)
   fence_agent_list
 end
 
-def getFenceAgentMetadata(session, fenceagentname)
+def getFenceAgentMetadata(auth_user, fenceagentname)
   options_required = {}
   options_optional = {}
   options_advanced = {
@@ -43,7 +43,7 @@ def getFenceAgentMetadata(session, fenceagentname)
     return [options_required, options_optional, options_advanced]
   end
   stdout, stderr, retval = run_cmd(
-    session, "/usr/sbin/#{fenceagentname}", '-o', 'metadata'
+    auth_user, "/usr/sbin/#{fenceagentname}", '-o', 'metadata'
   )
   metadata = stdout.join
   begin