Add webathena authentication button for Zephyr users.
This shows up when you're not running a Zephyr mirroring bot and lets you use Webathena to have us run it. Obviously needs more docs. Current problems include: * supervisorctl reload ends up recreating /var/run/supervisor.sock with the wrong permissions, so it only works once in a row before you need to chmod that. * /etc/supervisor/conf.d needs to be humbug-writeable; this is a clear local root vulnerability * This uses SSH and thus is kinda slow. (imported from commit 7029979615ffd50b10f126ce2cf9a85a5eefd7a2)
This commit is contained in:
Tim Abbott
parent
2ee0b3a079
commit
43ca7b3d3b
35
bots/process_ccache
Executable file
35
bots/process_ccache
Executable file
|
|
@ -0,0 +1,35 @@
|
|||
#!/usr/bin/python
|
||||
import sys
|
||||
import os
|
||||
import subprocess
|
||||
import base64
|
||||
|
||||
short_user = sys.argv[1]
|
||||
api_key = sys.argv[2]
|
||||
ccache_data_encoded = sys.argv[3]
|
||||
|
||||
# Update the Kerberos ticket cache file
|
||||
program_name = "zmirror-%s" % (short_user,)
|
||||
with file("/home/humbug/ccache/%s" % (program_name,), "w") as f:
|
||||
f.write(base64.b64decode(ccache_data_encoded))
|
||||
|
||||
# Setup API key
|
||||
api_key_path = "/home/humbug/api-keys/%s" % (program_name,)
|
||||
file(api_key_path, "w").write(api_key + "\n")
|
||||
|
||||
# Setup supervisord configuration
|
||||
supervisor_path = "/etc/supervisor/conf.d/%s.conf" % (program_name,)
|
||||
template = "/home/humbug/humbug/bots/zmirror_private.conf.template"
|
||||
template_data = file(template).read()
|
||||
session_path = "/home/humbug/zephyr_sessions/%s" % (program_name,)
|
||||
file(supervisor_path, "w").write(template_data.replace("USERNAME", short_user))
|
||||
|
||||
# Delete your session
|
||||
subprocess.check_call(["rm", "-f", session_path])
|
||||
# Update your supervisor config, which may restart your mirror
|
||||
subprocess.check_call(["supervisorctl", "reread"])
|
||||
subprocess.check_call(["supervisorctl", "update"])
|
||||
# Restart your mirror, in case it wasn't restarted by the previous
|
||||
# (Otherwise if the mirror lost subs, this would do nothing)
|
||||
# TODO: check whether we JUST restarted it first
|
||||
subprocess.check_call(["supervisorctl", "restart", program_name])
|
||||
11
bots/zmirror_private.conf.template
Normal file
11
bots/zmirror_private.conf.template
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
[program:zmirror-USERNAME]
|
||||
command=python /home/humbug/humbug/bots/zephyr_mirror_backend.py --root-path=/home/humbug/humbug/bots --user=USERNAME --enable-log=/home/humbug/logs/mirror-log-%(program_name)s --use-sessions --session-path=/home/humbug/zephyr_sessions/%(program_name)s --api-key-file=/home/humbug/api-keys/%(program_name)s
|
||||
priority=200 ; the relative start priority (default 999)
|
||||
autostart=true ; start at supervisord start (default: true)
|
||||
autorestart=true ; whether/when to restart (default: unexpected)
|
||||
stopsignal=TERM ; signal used to kill process (default TERM)
|
||||
stopwaitsecs=30 ; max num secs to wait b4 SIGKILL (default 10)
|
||||
user=humbug ; setuid to this UNIX account to run the program
|
||||
redirect_stderr=true ; redirect proc stderr to stdout (default false)
|
||||
stdout_logfile=/var/log/humbug/%(program_name)s.log ; stdout log path, NONE for none; default AUTO
|
||||
environment=HOME="/home/humbug",USER="humbug",KRB5CCNAME="/home/humbug/ccache/%(program_name)s"
|
||||
Loading…
Reference in a new issue