ManageIQ · chessbyte · Oct 2, 2015 · Aug 24, 2015
@@ -65,6 +65,9 @@ gem "jbuilder",                       "~>2.3.1"
 gem "paperclip",                      "~>4.3.0"
 gem "rails-i18n",                                                     :git => "git://github.com/svenfuchs/rails-i18n.git", :branch => "master"
 
+# Needed by External Auth
+gem "ruby-dbus"
+
 # Not vendored and not required
 gem "ancestry",                       "~>2.1.0",   :require => false
 gem "aws-sdk",                        "~>1.56.0",  :require => false

@@ -501,14 +501,17 @@ def rbac_group_user_lookup_field_changed
 
   def rbac_group_user_lookup
     rbac_group_user_lookup_field_changed
+    auth = get_vmdb_config[:authentication]
     if @edit[:new][:user].nil? || @edit[:new][:user] == ""
       add_flash(_("%s must be entered to perform LDAP Group Look Up") % "User", :error)
     end
-    if @edit[:new][:user_id].nil? || @edit[:new][:user_id] == ""
-      add_flash(_("%s must be entered to perform LDAP Group Look Up") % "Username", :error)
-    end
-    if @edit[:new][:user_pwd].nil? || @edit[:new][:user_pwd] == ""
-      add_flash(_("%s must be entered to perform LDAP Group Look Up") % "User Password", :error)
+    if auth[:mode] != "httpd"
+      if @edit[:new][:user_id].nil? || @edit[:new][:user_id] == ""
+        add_flash(_("%s must be entered to perform LDAP Group Look Up") % "Username", :error)
+      end
+      if @edit[:new][:user_pwd].nil? || @edit[:new][:user_pwd] == ""
+        add_flash(_("%s must be entered to perform LDAP Group Look Up") % "User Password", :error)
+      end
     end
     if @flash_array != nil
       render :update do |page|                    # Use JS to update the display
@@ -518,7 +521,13 @@ def rbac_group_user_lookup
       @record = MiqGroup.find_by_id(@edit[:group_id])
       @sb[:roles] = @edit[:roles]
       begin
-        @edit[:ldap_groups_by_user] = MiqGroup.get_ldap_groups_by_user(@edit[:new][:user],@edit[:new][:user_id],@edit[:new][:user_pwd]) # Get the users from the DB
+        if auth[:mode] == "httpd"
+          @edit[:ldap_groups_by_user] = MiqGroup.get_httpd_groups_by_user(@edit[:new][:user])
+        else
+          @edit[:ldap_groups_by_user] = MiqGroup.get_ldap_groups_by_user(@edit[:new][:user],
+                                                                         @edit[:new][:user_id],
+                                                                         @edit[:new][:user_pwd])
+        end
       rescue StandardError => bang
         @edit[:ldap_groups_by_user] = Array.new
         add_flash(_("Error during '%s': ") % "LDAP Group Look Up" << bang.message, :error)

@@ -125,6 +125,24 @@ def self.get_ldap_groups_by_user(user, bind_dn, bind_pwd)
     ldap.get_memberships(user_obj, auth[:group_memberships_max_depth])
   end
 
+  def self.get_httpd_groups_by_user(user)
+    require "dbus"
+
+    username = user.kind_of?(self) ? user.userid : user
+
+    sysbus = DBus.system_bus
+    ifp_service   = sysbus["org.freedesktop.sssd.infopipe"]
+    ifp_object    = ifp_service.object "/org/freedesktop/sssd/infopipe"
+    ifp_object.introspect
+    ifp_interface = ifp_object["org.freedesktop.sssd.infopipe"]
+    begin
+      user_groups = ifp_interface.GetUserGroups(user)
+    rescue => err
+      raise "Unable to get groups for user #{username} - #{err}"
+    end
+    user_groups.first
+  end
+
   def get_user_scope(options={})
     scope = self.filters.kind_of?(MiqUserScope) ? self.filters : MiqUserScope.hash_to_scope(self.filters)
 

@@ -109,7 +109,29 @@
             %h3
               = _("LDAP Group Look Up")
             .form-horizontal
-              .form-group
+              .form-group#user_id_ext_auth_form_group
+                %label.col-md-2.control-label
+                  = _("User to Look Up")
+                .col-md-8
+                  = text_field_tag("user",
+                                   @edit[:new][:user],
+                                   :maxlength         => 255,
+                                   :class => "form-control",
+                                   "data-miq_observe" => {:interval => '.5',
+                                                          :url      => url}.to_json)
+                .col-md-12{:align => "right", :valign => "bottom"}
+                  = link_to("Retrieve",
+                            {:action => "rbac_group_user_lookup",
+                             :button => "submit",
+                             :id     => "#{@edit[:group_id] || "new"}"},
+                             :class => "btn btn-primary",
+                             :alt   => _("LDAP Group Lookup"),
+                             "data-miq_sparkle_on"  => true,
+                             "data-miq_sparkle_off" => true,
+                             :remote                => true,
+                             :title                 => _("LDAP Group Lookup"))
+
+              .form-group#user_id_form_group
                 %label.col-md-2.control-label
                   = _("User to Look Up")
                 .col-md-8
@@ -120,7 +142,7 @@
                                    "data-miq_observe" => {:interval => '.5',
                                                           :url      => url}.to_json)
 
-              .form-group
+              .form-group#user_name_form_group
                 %label.col-md-2.control-label
                   = _("Username")
                 .col-md-8
@@ -131,7 +153,7 @@
                                    "data-miq_observe" => {:interval => '.5',
                                                           :url      => url}.to_json)
 
-              .form-group
+              .form-group#user_password_form_group
                 %label.col-md-2.control-label
                   = _("Password")
                 .col-md-8
@@ -216,3 +238,14 @@
                                     :checkboxes     => true})
 :javascript
   miq_tabs_init('#rbac_group_tabs');
+%script{:type => "text/javascript"}
+  - if get_vmdb_config[:authentication][:mode] == "httpd"
+    $('#user_id_ext_auth_form_group').show();
+    $('#user_id_form_group').hide();
+    $('#user_name_form_group').hide();
+    $('#user_password_form_group').hide();
+  - else
+    $('#user_id_ext_auth_form_group').hide();
+    $('#user_id_form_group').show();
+    $('#user_name_form_group').show();
+    $('#user_password_form_group').show();
@@ -79,6 +79,30 @@
     end
   end
 
+  describe "#get_ldap_groups_by_user_with_ext_auth" do
+    before do
+      require "dbus"
+      sysbus = double('sysbus')
+      ifp_service = double('ifp_service')
+      ifp_object  = double('ifp_object')
+      @ifp_interface = double('ifp_interface')
+
+      DBus.stub(:system_bus).and_return(sysbus)
+      sysbus.stub(:[]).with("org.freedesktop.sssd.infopipe").and_return(ifp_service)
+      ifp_service.stub(:object).with("/org/freedesktop/sssd/infopipe").and_return(ifp_object)
+      ifp_object.stub(:introspect)
+      ifp_object.stub(:[]).with("org.freedesktop.sssd.infopipe").and_return(@ifp_interface)
+    end
+
+    it "should return groups by user name with external authentication" do
+      memberships = [%w(foo bar)]
+
+      @ifp_interface.stub(:GetUserGroups).with('user').and_return(memberships)
+
+      MiqGroup.get_httpd_groups_by_user('user').should == memberships.first
+    end
+  end
+
   describe "#get_ldap_groups_by_user" do
     before do
       stub_server_configuration(:authentication => {:group_memberships_max_depth => 1})