Alex Dehnert [Sun, 7 Jul 2013 04:27:57 +0000 (00:27 -0400)]
Scripts auth: don't activate on 127.0.0.1 either
The scripts auth module has long delegated to the standard Django auth when the
hostname was localhost, in order to ignore local dev server instances. This
makes it also delegate to standard Django for 127.0.0.1 as well. I'm not sure
why this hadn't come up before now... A quick look at the Django codebase
suggests this isn't a recent change.
Alex Dehnert [Mon, 24 Dec 2012 08:28:00 +0000 (03:28 -0500)]
Set a password of UNUSABLE_PASSWORD
* Changes ScriptsRemoteUserBackend's configure_user method to set the default
password to UNUSABLE_PASSWORD instead of ScriptsSSLAuth. UNUSABLE_PASSWORD
displays in the admin as "Password: None", instead of an ugly error message.
This should fix "Unknown password hashing algorithm" errors for users
correctly created in the future. (ASA-#132)
* Adds a migration to change current users with passwords of "" or
"ScriptsSSLAuth" to a password of UNUSABLE_PASSWORD ("!"). This will fix
ASA-#132 and the symptoms of ASA-#133 for already-existent users.
Alex Dehnert [Sun, 16 Sep 2012 01:53:40 +0000 (21:53 -0400)]
Wrappers for safely calling commands in a new PAG
The usual mechanism for starting a new PAG is pagsh(1). Unfortunately, because
it basically just execvp(3) /bin/sh passing the appropriate arguments, it isn't
immediately obvious how to safely pass arguments that may contain shell
metacharacters. By using the shell's exec and taking advantage of the fact that
later arguments to /bin/sh end up in $@ we can safely avoid shell
metacharacters. We wrap subprocess.check_{call,output} in
pag_check_{call,output}, which perform appropriate contortions to establish the
PAG before safely executing the passed commands without evaluating any
metacharacters.
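An added example, not taken from this commit or the project's code: one way to build the argv layout the message above describes, shown beside the string-interpolated form it avoids. The names `pag_check_call` and `pag_check_output` come from the commit message, but these bodies, the helpers `pag_argv`, `unsafe_pag_argv` and `demo`, and the `pagsh=` parameter are assumptions; acquiring tokens inside the PAG is left out, and `/bin/sh` stands in for `pagsh` in the demo so it runs without AFS tools.

```python
import subprocess

# Fixed script: never contains caller data. `exec "$@"` replaces the shell
# with the command held in the positional parameters, with no re-parsing.
_EXEC_ARGV = 'exec "$@"'


def pag_argv(args, pagsh="pagsh"):
    """Build the argv that runs `args` under `pagsh` without shell evaluation.

    pagsh hands its arguments to /bin/sh, so the layout is
    sh -c SCRIPT $0 $1 $2 ...; the "sh" entry fills $0 and args become "$@".
    """
    args = [str(a) for a in args]
    if not args:
        raise ValueError("no command given")
    return [pagsh, "-c", _EXEC_ARGV, "sh"] + args


def pag_check_call(args, pagsh="pagsh", **kwargs):
    kwargs.pop("shell", None)  # shell=True here would undo the quoting
    return subprocess.check_call(pag_argv(args, pagsh), **kwargs)


def pag_check_output(args, pagsh="pagsh", **kwargs):
    kwargs.pop("shell", None)
    return subprocess.check_output(pag_argv(args, pagsh), **kwargs)


def unsafe_pag_argv(args, pagsh="pagsh"):
    """The form to avoid: caller data pasted into the script the shell parses."""
    return [pagsh, "-c", " ".join(args)]


# Constructed sample input: a single argument containing shell metacharacters.
HOSTILE = "a b; echo INJECTED $(echo sub)"


def demo(shell="/bin/sh"):
    # /bin/sh stands in for pagsh (assumption) so this runs on any POSIX host.
    cmd = ["printf", "%s", HOSTILE]
    safe = subprocess.check_output(pag_argv(cmd, shell))
    unsafe = subprocess.check_output(unsafe_pag_argv(cmd, shell))
    return safe.decode(), unsafe.decode()
```

In the safe form the hostile string reaches `printf` as one literal argument; in the interpolated form the shell splits it and runs the embedded `echo`.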
Alex Dehnert [Sun, 18 Dec 2011 05:49:59 +0000 (00:49 -0500)]
Function to create an MIT user with LDAP data
This adds a function get_or_create_mit_user. As with the "get_or_create"
methods on managers, this returns an object satisfying some conditions,
creating it if necessary. In this case, we return a User object that's
populated using data from MIT's LDAP. If the user does not exist and
cannot be found in LDAP, we raise an exception.