#!/usr/bin/python # # SWAMI - Simple Web Authentication Management Interface # # Currently, .htaccess files provide simple directory-based auth using # the 'Basic Auth' technique. This is nice, as far as it goes. The only # problem is that writing .htaccess files... sucks. So the idea here is to # 1) allow the user (presumably the site owner/admin) to create and destroy # .htaccess files in any subdir of the managed tree # 2) let the user manage associated htpasswd/htgroup files # # Now more RESTful wrt groups/users # /swami.cgi/user # gets the list of users, shows the form to add/remove/modify them # POST action=post, username=, password=[, confirm-password=] # adds username/password to the list; fail if password != confirm-password # POST action=put, username=, ... # replace the list of username/passwords with the ones in username and password # (preserve ordering) # /swami.cgi/user/ # show the form to chnage the user's password # POST action=put/post, password=[, confirm-password=] # sets password, possibly creating user too; fail if password != confirm-password # POST action=delete # deletes the user # /swami.cgi/: # gets the list of groups, shows the form to add/remove/modify them # POST action=post, groupname=, usernames= # add the groupname with usernames to the list # POST action=put, groupname=, usernames=, ... # replace the list with the ones in groupname/members # /swami.cgi/group/ # show users of this group. Show the form to add/remove them # POST action=post, usernames= # POST action=post, username=, ... # add usernames to this group # POST action=put, usernames= # POST action=put, username=, ... # set the usernames in this group # POST action=delete # delete the group # /swami.cgi/group// # show form to add/remove this user from this group # POST action=put/post # add the username to the group # POST action=delete # delete the username from the group import os import sys import crypt import random import string import pyward from xreadlines import xreadlines # You might want to modify these if you're running swami in more than one place HTPASSWD = '/home/pj/.swami.htpasswd' HTGROUP = '/home/pj/.swami.htgroup' ###### Code starts here class HTPasswd(object): def __init__(self, filename): self.filename = filename self._data = {} if not os.path.exists(filename): # doesn't exist, so create it with some defaults self.set('admin','admin') self.save() else: datafile = open(filename, "r") for line in xreadlines(datafile): line = line.strip() # skip blank lines if not line: continue # skip trash lines try: user, epass = line.split(':') self._data[user] = epass except: sys.stderr.write("Bad line in %s: %s" % (filename, line)) datafile.close() if not os.access(filename, os.W_OK): raise Exception("No write access to %s" % filename) def clear(self): self._data = {} def users(self): return self._data.keys() def set(self, username, password): # set username's password ## first generate a decent salt saltchoice = string.ascii_letters + string.digits salt = random.choice(saltchoice) + random.choice(saltchoice) # now crypt() things self._data[username] = crypt.crypt(password, salt) def remove(self, username): del self._data[username] def save(self): datafile = open(self.filename, 'w') for user in self._data.keys(): epass = self._data[user] datafile.write(user+':'+epass+'\n') datafile.close() class HTGroup(object): def __init__(self, filename): self.filename = filename self._data = {} if not os.path.exists(filename): # doesn't exist, so create it with some defaults self.set('swami-admin',['admin']) self.save() else: datafile = open(filename, 'r') for line in xreadlines(datafile): line = line.strip() # skip blank lines if not line: continue (group, users) = line.split(':') self._data[group] = users.split() datafile.close() if not os.access(filename, os.W_OK): raise Exception("No write access to %s" % filename) def groups(self): return self._data.keys() def set(self, group, users): self._data[group] = users def get(self, group): return self._data[group] def getUser(self, user): return [g for g in self._data.keys() if user in self._data[g]] def add(self, group, users): for u in users: if u not in self._data[group]: self._data[group].append(u) def rmusers(self, group, users): for u in users: try: self._data[group].remove(u) except ValueError: pass def remove(self, group): try: del self._data[group] except ValueError: pass def save(self): datafile = open(self.filename, 'w') for user in self._data.keys(): datafile.write(user+': '+' '.join(self._data[user])+'\n') datafile.close() ### Web framework stuff # Some defaults: basic security and put a header on every page class MyRESTNode(RESTNode): def __init__(self): self.user = None def _isAllowedTo(self, action): return action == 'GET' or self.user == User or IsAdminUser def _display(self, headers, bodytext): Header = 'users' % (BaseURL) Header += ' - groups' % (BaseURL) # FIXME: Later #Header += ' - htaccess' % (BaseURL) Header += '\n
\n' return RESTNode._display(self, headers, Header+bodytext) # Actual nodes class UserNode(MyRESTNode): def __init__(self, user, passdb): MyRESTNode.__init__(self) self.user = user self.passdb = passdb def GET(self, query, body): if self.user in self.users(): output = """
""" buttontext = "change" else: output = 'This user currently does not exist.' buttontext = "create" output += """\n

\n

Set password to and again .
\n""" % buttontext return output def PUT(self, query, body): password = body.getfirst('password') confirm = body.getfirst('confirm_password', password) if password != confirm: output = "Passwords don't match for user %s! Try again.

" % self.user else: passdb.set(self.user, password) passdb.save() output = "Password set.

" return output + self.GET(query, body) POST = PUT def DELETE(self, query, body): self.passdb.remove(self.user) self.passdb.save() return self.GET(query, body) class UserListNode(MyRESTNode, HTPasswd): def __init__(self): MyRESTNode.__init__(self) HTPasswd.__init__(self, HTPASSWD) def makeChild(self, childname): return UserNode(childname, self) def GET(self, query, body): output = """ Current users:

""" for u in self.users(): output += '%s ' % (BaseURL, u, u) output += """

Add a user named with password and again .
""" return output def PUT(self, query, body): self.clear() return self.POST(query, body) def POST(self, query, body): users = body.getlist('username') passwds = body.getlist('password') confirms = body.getlist('confirm_password') for i in range(len(users)): if not hasPermsTo('PUT', "/user/"+users[i]): output = "No perms to modify %s.

" % users[i] elif (i < len(confirms)) and (confirms[i] != passwds[i]): output = "Passwords don't match for user %s! Try again.

" % users[i] else: self.set(users[i], passwds[i]) self.save() return output + self.GET(query, body) DELETE = GET class GroupUserNode(MyRESTNode): def __init__(self, db, group, user): MyRESTNode.__init__(self) self.db = db self.group = group self.user = user def mod(self, query, body, how): how(self.group, [self.user]) self.db.save() return self.GET(query, body) def PUT(self, query, body): return self.mod(query, body, self.db.set) POST = PUT def DELETE(self, query, body): return self.mod(query, body, self.db.rmusers) def GET(self, query, body): userlink = 'user ' % (BaseURL, self.user) output = '

' if not self.user in self.db.get(self.group): output += ' %s to ' % userlink else: output += """ %s from """ % userlink output += 'this group.\n
' % (BaseURL, self.group) return output class GroupNode(MyRESTNode): def __init__(self, group, db): MyRESTNode.__init__(self) self.group = group self.db = db def makeChild(self, piece): return GroupUserNode(self.db, self.group, piece) def mod(self, query, body, how): newuserlist = body.getfirst('usernames','').split() newuserlist += body.getlist('username') mod(self.group, newuserlist) self.db.save() return self.GET(query, body) def PUT(self, query, body): return self.mod(query, body, self.db.set) def POST(self, query, body): return self.mod(query, body, self.db.add) def DELETE(self, query, body): self.db.remove(group) self.db.save() return self.GET(query, body) def GET(self, query, body): if self.group not in self.db.groups(): output = "This group does not exist." else: output = "Members of this group:

" for u in self.db.get(self.group): output += '%s ' % (BaseURL, u, u) output += """

Add a member:
""" return output class GroupListNode(MyRESTNode, HTGroup): def __init__(self): HTGroup.__init__(self, HTGROUP) MyRESTNode.__init__(self) def makeChild(self, piece): return GroupNode(piece, self) def PUT(self, query, body): self.clear() return self.POST(query, body) def POST(self, query, body): groups = body.getlist('groupname') userlists = body.getlist('usernames') for i in range(len(groups)): group = groups[i] users = userlists[i].strip().split() self.set(group, users) self.save() return self.GET(query, body) def GET(self, query, body): output = "Groups:

" for g in self.groups(): output += '%s: ' % (BaseURL, g, g) for u in self.get(g): output += '%s ' % (BaseURL, g, u, u) output += '
' output += """

Add a group named with (space separated) members
""" return output class Root(MyRESTNode): childClasses = { 'user': UserListNode, 'group': GroupListNode } def GET(self, query, body): return '' ## Actual execution path # global values used above User = os.environ.get('REMOTE_USER', 'admin'); BaseURL = os.environ.get('SCRIPT_NAME') IsAdminUser = User in HTGroup(HTGROUP).get('swami-admin') dispatch_cgi(Root())