OpenNebula

#new: openid support

#openid->enabled

#  turns openid on or off

#openid->auto_register

#  global setting for auto registering new users

#  if false, user who is not registered (not in OpenNebula user base)

#  will be refused in authorization

#  if true, OpenNebula user will be created

#openid->case_sensitive

#  global setting for case sensivity

#  if true, same user written in different case will be treated as different users

#  different OpenID servers might have different settings on their side

#  better check it beforehand and make server-specific settings

#openid->servers

#  list of servers to show in OpenID dropdown list

#  server-specific settings also go here

#openid->servers->addr

#  url of OpenID server

#  precisely, all that goes before user name

#openid->servers->auto_register

#openid->servers->case_sensitive

#  same as above, but server-specific

#openid->enforce_serverlist

#  if true, only users from servers listed in openid->servers are allowed

#  all other OpenID authorities are forbidden

#  if false, "Other" option appears in OpenID dropdown list and any authority is allowed

#openid->autocheck_servers

#  list of servers for which claimed identities are checked

#  immediate OpenID requests are sent to listed authorities

#  if any identity is claimed on the server and available in immediate mode,

#  it appears on the claimed identities list

:openid:

    :enabled: true

    :servers:

        - :addr: http://openid.mail.ru/

          :case_sensitive: true

          :auto_register: false

        - :addr: http://openid.yandex.ru/

          :case_sensitive: false

          :auto_register: true

    :auto_register: false

    :case_sensitive: false

    :autocheck_servers:

        - http://openid.mail.ru/

        - http://openid.yandex.ru/

    :enforce_serverlist: true

#login_tabs

{

    width: 400px;

    min-height: 300px;

    font-size: 1em;

    margin-left: auto;

    margin-right: auto;

    position: relative;

    top: 30px;

}

#login_tabs div.content

{

    margin-left: 30px;

    padding-top: 0px;

}

#login_tabs input#login_btn, #login_tabs input#openid_login_btn {

    margin-right: 20px;

}

div#login, div#openid_login {

    margin-bottom: 40px;

#openid_serverlist {

    text-align: left;

    line-height: 150%;

}

    font-size:0.8em !important;

input#login_btn, input#openid_login_btn {

input#login_btn:hover, input#openid_login_btn:hover {

}

var identities_found;

function oidResponse(identity, error)

{

    if (!error) {

        $("#openid_serverlist").append("<li><a href='#' onclick='openidLogin(" + '"' + identity + '"' + "); return false'>" + decodeURIComponent(identity) + "</a></li>");

        if (!identities_found) {

            identities_found = true;

            $("#identities_none").hide();

            $("#identities_link").click();

        }

    }

}

function openidLogin(identity)

{

    $("#openid_url").val(identity);

    $("#openid_form").submit();

}

function loadIdentList(count_resp)

{

    $("#openid_serverlist").empty();

    if(count_resp["error"] == true) {

        alert("Error occured");

        return;

    }

    var servercnt = count_resp["count"];

    var tab_ident = document.getElementById("tab_auth_identities");

    for(var i = 0; i < servercnt; i++) {

        var openid_frame = document.createElement("iframe");

        openid_frame.style = "width: 0px; height: 0px; display: none;";

        tab_ident.appendChild(openid_frame);

        openid_frame.src = "openid_info?action=getserver&id=" + i;

    }

}

$(document).ready(function() {

    $("#openid_login_btn").click(function () {

    var openid_prefix = "";

    var openid_pref_sel = $("#openid_prefix");

    if(openid_pref_sel.length) {

        openid_prefix = openid_pref_sel.val();

        if(openid_prefix.toLowerCase() == "other")

                openid_prefix = "";

    }

        $("#openid_url").val(openid_prefix + $("#openid_ident").val());

        $("#openid_form").submit();

        return false;

    });

    $("#login_tabs").tabs();

    $.ajax({

        url: "openid_info",

        data: { action: "servercount" },

        type: "GET",

        dataType : "json",

        success: loadIdentList,

        error: function( jqXHR, textStatus, errorThrown ) {

            alert( "Error occured getting OpenID identity list. " + textStatus + "\nAdditional information: " + errorThrown);

        }

    });

});

        if(this.USER.AUTH_DRIVER == "openid_stub"){

            this.USER.AUTH_DRIVER = "OpenID";

            this.USER.NAME = decodeURIComponent(this.USER.NAME); //unescape(this.USER.NAME);

        }

require 'sinatra'

require 'omniauth'

require 'omniauth-openid'

require 'openid/store/filesystem'

require 'openid/store/memory'

require 'uri'

require 'securerandom'

module OmniAuth

    module Strategies

        class OpenID

            def identifier

                i = options.identifier ||

                    request.params[options.identifier_param.to_s]

                return nil if i.empty?

                if $settings.config[:openid][:enforce_serverlist] == false ||

                   $settings.config[:openid][:servers].nil? ||

                   $settings.config[:openid][:servers].empty?

                    srv_in_list = true

                else

                    srv_in_list = $settings.config[:openid][:servers].any? { |srv| i.start_with?(srv[:addr])}

                end

                srv_in_list ? i : nil

            end

        end

    end

end

helpers do

    def openid_consumer

        #@openid_consumer ||= OpenID::Consumer.new(session, OpenID::Store::Filesystem.new("#{File.dirname(__FILE__)}/tmp/openid"))  

        @openid_consumer ||= OpenID::Consumer.new(session, OpenID::Store::Memory.new)   

    end

    def root_url

        request.url.match(/(^.*\/{2}[^\/]*)/)[1]

    end

end

use OmniAuth::Builder do

  #provider :open_id, :store => OpenID::Store::Filesystem.new('/tmp')

  provider :open_id

end

post '/auth/open_id/callback' do

    #Defaults

    srv_case = false

    srv_autoreg = true

    #Get OmniAuth OpenID auth data and settings from config

    auth = request.env['omniauth.auth']

    #Extract claimed identity, make server-specific settings, if possible

    username = auth['uid']

    username = URI.decode_www_form_component(username)

    username_friendly = username

    srv_case ||= settings.config[:openid][:case_sensitive]

    srv_autoreg = settings.config[:openid][:auto_register] unless settings.config[:openid][:auto_register].nil?

    #Delete server name and slashes to get friendly display name

    if settings.config[:openid][:servers] &&

       (srv = settings.config[:openid][:servers].detect { |srv| username.start_with?(srv[:addr]) })

        username_friendly = username[srv[:addr].length..-1].chomp '/'

        srv_case = srv[:case_sensitive] unless srv[:case_sensitive].nil?

        srv_autoreg = srv[:auto_register] unless srv[:auto_register].nil?

    end

    #encode username to store as OpenNebula user

    username.downcase! unless srv_case

    username_encoded = URI.encode_www_form_component(username)

    #Check if user exists

    client = OpenNebula::Client.new

    userpool = OpenNebula::UserPool.new(client)

    userpool.info

    user_id = userpool["/USER_POOL/USER[NAME='#{username_encoded}']/ID"]

    #If it does, get user and pass to session constructor

    #Otherwise - create user first

    if user_id.nil?

        if srv_autoreg

            xml = OpenNebula::User.build_xml

            user = OpenNebula::User.new(xml, client)

            user.allocate(username_encoded, SecureRandom.hex, 'openid_stub')

        else

            user = nil

            err_msg = "This OpenID user can't access system"

            redirect "/?openid_error=#{err_msg}"

        end

    else

        user = OpenNebula::User.new_with_id(user_id.to_i, client)

    end

    #Build session with found or newly created user

    build_session(user, username_friendly)

    redirect '/'

end

get '/auth/failure' do

    #Redirect to login page with OpenID error box displayed

    redirect "/?openid_error=#{params['message']}"

end

get '/openid_info' do

    case request["action"].downcase

    when "servercount" then

        unless settings.config[:openid][:autocheck_servers].nil?

            response = {"count" => settings.config[:openid][:autocheck_servers].length, "error" => false}

        else

            response = {"error" => true}

        end

    when "getserver" then

        unless settings.config[:openid][:autocheck_servers].nil? || request["id"].nil? || settings.config[:openid][:autocheck_servers][request["id"].to_i].nil?

              openid = params[:openid_identifier]

              begin

                  oidreq = openid_consumer.begin(settings.config[:openid][:autocheck_servers][request["id"].to_i])

              rescue OpenID::DiscoveryFailure => why

                  content_type 'text/html', :charset => 'utf-8'

                  return erb :_openid_check, :locals => {:openid_error => true, :identifier => why}

              else

                  redirect oidreq.redirect_url(root_url, root_url + "/openid_info/return", true)

              end

        else

            content_type 'text/html', :charset => 'utf-8'

            return erb :_openid_check, :locals => {:openid_error => true, :identifier => "No server found"}

        end

    else

        response = {"error" => true}

    end

    response.to_json

end

get '/openid_info/return' do

    content_type 'text/html', :charset => 'utf-8'

    oidresp = openid_consumer.complete(params, request.url)

    ident = oidresp.display_identifier

    unless oidresp.status == OpenID::Consumer::SUCCESS

        openid_error = true

        ident = oidresp.status.to_s

    else

        openid_error = false

    end

    erb :_openid_check, :locals => {:openid_error => openid_error, :identifier => ident}

end

# Enable OpenID, if required

if settings.config[:openid][:enabled]

  require 'sunstone-openid'

  require 'opennebula'

  include OpenNebula

end

$settings = settings

    def build_session(openid_user = nil, openid_display_name = nil)

        if openid_user

            user = openid_user

            begin

                result = $cloud_auth.auth(request.env, params)

            rescue Exception => e

                logger.error { e.message }

                return [500, ""]

            end

            if result.nil?

                logger.info { "Unauthorized login attempt" }

                return [401, ""]

            end

        end

        rc = user.info

        if OpenNebula.is_error?(rc)

            logger.error { rc.message }

            return [500, ""]

        end

        session[:user]         = user['NAME']

        session[:user_id]      = user['ID']

        session[:user_gid]     = user['GID']

        session[:user_gname]   = user['GNAME']

        session[:ip]           = request.ip

        session[:remember]     = params[:remember]

        if openid_display_name

            session[:display_name] = openid_display_name

        else

            session[:display_name] = user[DISPLAY_NAME_XPATH] || user['NAME']

        end

        #User IU options initialization

        #Load options either from user settings or default config.

        # - LANG

        # - WSS CONECTION

        # - TABLE ORDER

        if user['TEMPLATE/LANG']

            session[:lang] = user['TEMPLATE/LANG']

        else

            session[:lang] = $conf[:lang]

        end

        if user['TEMPLATE/VNC_WSS']

            session[:vnc_wss] = user['TEMPLATE/VNC_WSS']

        else

            wss = $conf[:vnc_proxy_support_wss]

            #limit to yes,no options

            session[:vnc_wss] = (wss == true || wss == "yes" || wss == "only" ?

                             "yes" : "no")

        end

        if user['TEMPLATE/TABLE_ORDER']

            session[:table_order] = user['TEMPLATE/TABLE_ORDER']

        else

            session[:table_order] = $conf[:table_order]

        end

        if user['TEMPLATE/DEFAULT_VIEW']

            session[:default_view] = user['TEMPLATE/DEFAULT_VIEW']

        else

            session[:default_view] = $views_config.available_views(session[:user], session[:user_gname]).first

        end

        #end user options

        if params[:remember] == "true"

            env['rack.session.options'][:expire_after] = 30*60*60*24-1

        return [204, ""]

    unless request.path=='/login' || request.path=='/' || request.path=='/vnc' || (settings.config[:openid][:enabled] && (request.path == '/auth/open_id' || request.path == '/auth/open_id/callback' || request.path == '/auth/failure' || request.path == '/openid_info' || request.path == '/openid_info/return'))

Sinatra::Application.run! if(!defined?(WITH_RACKUP))

<form id="login_form">

    <div class="content">

        Username

        <input type="text" size="15" name="username" id="username" class="box"/>

        Password

        <input type="password" size="15" name="password" id="password" class="box"/>

        <br />

        <input type="checkbox" id="check_remember" />

        <label id="label_remember" for="check_remember">Keep me logged in</label>

        <input type="submit" id="login_btn" value="" />

        <img src="images/ajax-loader.gif" alt="retrieving" id="login_spinner" />

    </div>

    <div id="error_box" class="hidden alert-box alert" style="display: none">

        <span id="error_message"></span>

    </div>

</form>

<%openid_error = params["openid_error"]?'style="margin-top: 100px"':'style="display: none"'%>

<form id="openid_form" method="POST" action="/auth/open_id">

      <div class="content" >

          <% if settings.config[:openid][:servers] && settings.config[:openid][:servers].any? %>

              OpenID server

              <br />

              <select class="box" id="openid_prefix">

                  <% settings.config[:openid][:servers].each do |openid_server| %>

                      <option><%=openid_server[:addr]%></option>

                  <% end %>

                  <% unless settings.config[:openid][:enforce_serverlist] %>

                <option>Other</option>

                  <% end %>

              </select>

    <% end %>

          Identity

          <input type="text" size="15" id="openid_ident" class="box"/>

          <input type="hidden" name="openid_url" id="openid_url">

          <br />

          <input type="submit" id="openid_login_btn" value="" />

      </div>

  <div id="openid_error_box" class="hidden alert-box alert" <%=openid_error%>>

    <span id="openid_error_message">OpenID error: <%=params["openid_error"]%></span>

  </div>

</form>

<!DOCTYPE html><head><script type="text/javascript">

    parent.oidResponse(<%="'#{identifier}'"%>, <%=openid_error.to_s%>);

</script></head></html>

    <script type="text/javascript" src="vendor/4.0/jquery-ui-1.10.3/js/jquery-ui-1.10.3.custom.min.js"></script>

    <link rel="stylesheet" type="text/css" href="vendor/4.0/jquery-ui-1.10.3/css/smoothness/jquery-ui-1.10.3.custom.min.css" />

    <script type="text/javascript" src="js/openid.js"></script>

<% unless settings.config[:openid][:enabled] %>

  <% if settings.config[:auth] == "x509" %>

    <%= erb :_login_x509 %>

  <% else %>

    <%= erb :_login_standard %>

  <% end %>

  <div id="wrapper">

    <div id="logo_sunstone" style="background: url(<%=$views_config.logo%>) no-repeat center; background-size: 355px;"></div>

    <div id="login_tabs">

      <ul>

        <li><a href="#tab_auth_local">Local auth</a></li>

        <li><a href="#tab_auth_openid">OpenID</a></li>

        <li><a id="identities_link" href="#tab_auth_identities">Claimed Identities</a></li>

      </ul>

      <div id="tab_auth_local">

        <%= erb :_login_standard_new %>

      </div>

      <div id="tab_auth_openid">

        <%= erb :_openid %>

      </div>

      <div id="tab_auth_identities">

        <span id="identities_none">No identities</span>

        <ul id="openid_serverlist"></ul>

      </div>

    </div>

  </div>

<% end %>