-- or --
* git clone ssh://yourlogin@git.onelab.eu/git/myslice.git
-* edit myslice/config.py and enter the details of your manifold backend
+* edit/create myslice/myslice.ini and enter the details of your manifold backend
$ apt-get install python-django-south
* init django
* all the local material for this deployment gets into /etc/unfold/
* I could not find a way to have client-auth without server auth;
- this is totally weird, and stupid, but just so
+ this is totally weird, and stupid, but that's how it is
so there is a need to install a (probably self-signed) cert
and related key in
/etc/unfold/myslice.cert
key=/etc/unfold/myslice.key
cert=/etc/unfold/myslice.cert
+# provide a hostname as the first arg to this command
+# (otherwise we use hostname)
if [[ -n "$@" ]] ; then hostname=$1; shift; else hostname=$(hostname); fi
function init_trusted_roots () {
--- /dev/null
+# see also unfold.conf
+# see also unfold-initi-ssl.sh
+#
+# NOTE on packaging
+#
+# this is not enabled by default because it would prevent apache from
+# starting up properly when /etc/unfold/trusted_roots is empty
+#
+# So on debian you would typically need to run
+# a2ensite unfold-ssl.conf
+# unfold-init-ssl.sh
+# service apache2 restart
+#
+# This port is configured with client-certificate *required*
+# corresponding trusted roots (e.g. ple.gid and plc.gid) should be
+# configured in /etc/unfold/trusted_roots
+#
+
+<VirtualHost *:443>
+ WSGIDaemonProcess unfold-ssl processes=2 threads=25
+ WSGIProcessGroup unfold-ssl
+ CustomLog ${APACHE_LOG_DIR}/myslice-ssl-access.log common
+ ErrorLog ${APACHE_LOG_DIR}/myslice-ssl-error.log
+ WSGIScriptAlias / /usr/share/unfold/apache/unfold.wsgi
+ <Directory /usr/share/unfold/apache/>
+ <Files unfold.wsgi>
+ Order deny,allow
+ Allow from all
+ </Files>
+ </Directory>
+ Alias /static/ /usr/share/unfold/static/
+ <Directory /usr/share/unfold/static>
+ Order deny,allow
+ Allow from all
+ </Directory>
+
+ SSLEngine on
+ SSLVerifyClient require
+ SSLVerifyDepth 5
+# make this a symlink to /etc/sfa/trusted_roots if that makes sense in your env.
+ SSLCACertificatePath /etc/unfold/trusted_roots
+# see init-ssl.sh for how to create self-signed stuff in here
+ SSLCertificateFile /etc/unfold/myslice.cert
+ SSLCertificateKeyFile /etc/unfold/myslice.key
+
+# SSLOptions +StdEnvVars +ExportCertData
+ SSLOptions +StdEnvVars
+</VirtualHost>
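Review bot: The new `*:443` vhost sets no `SSLProtocol` or `SSLCipherSuite`, so the client-certificate port runs with whatever the server-wide mod_ssl defaults happen to be. Pinning them in the vhost, e.g. `SSLProtocol -all +TLSv1.2` adjusted to what the target distribution supports, or a comment saying the global ssl.conf is relied on, would make that choice explicit. `SSLVerifyClient require` only proves that the certificate chains to something in `/etc/unfold/trusted_roots`. The header comment should say that authorization is left to the WSGI application, which receives the subject through `+StdEnvVars`. The comments also name the helper script as `unfold-initi-ssl.sh` and `init-ssl.sh`, while the packaged name is `unfold-init-ssl.sh`.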
+# see also unfold-ssl.conf
+
<VirtualHost *:80>
WSGIDaemonProcess unfold processes=2 threads=25
WSGIProcessGroup unfold
Allow from all
</Directory>
</VirtualHost>
-
-# This port (not necessarily well picked) is configured
-# with client-certificate required
-# corresponding trusted roots (e.g. ple.gid and plc.gid) should be
-# configured in /etc/unfold/trusted_roots
-# check Jordan's email and pointer to trac, although we do not want
-# this to be optional on that port
-
-<VirtualHost *:443>
- WSGIDaemonProcess unfold-ssl processes=2 threads=25
- WSGIProcessGroup unfold-ssl
- CustomLog ${APACHE_LOG_DIR}/myslice-ssl-access.log common
- ErrorLog ${APACHE_LOG_DIR}/myslice-ssl-error.log
- WSGIScriptAlias / /usr/share/unfold/apache/unfold.wsgi
- <Directory /usr/share/unfold/apache/>
- <Files unfold.wsgi>
- Order deny,allow
- Allow from all
- </Files>
- </Directory>
- Alias /static/ /usr/share/unfold/static/
- <Directory /usr/share/unfold/static>
- Order deny,allow
- Allow from all
- </Directory>
-
- SSLEngine on
- SSLVerifyClient require
- SSLVerifyDepth 5
-# make this a symlink to /etc/sfa/trusted_roots if that makes sense in your env.
- SSLCACertificatePath /etc/unfold/trusted_roots
-# see init-ssl.sh for how to create self-signed stuff in here
- SSLCertificateFile /etc/unfold/myslice.cert
- SSLCertificateKeyFile /etc/unfold/myslice.key
-
-# SSLOptions +StdEnvVars +ExportCertData
- SSLOptions +StdEnvVars
-</VirtualHost>
apache/unfold.conf /etc/apache2/sites-available
manage.py usr/share/unfold/
usr/bin/unfold-init-ssl.sh
+etc/unfold/trusted_roots
+var/unfold
#!/bin/bash
+# tmp - (or?)
+set -x
# if this requires a service to be running, add something like this
# update-rc.d unfold defaults
[ -d /var/unfold ] || mkdir /var/unfold
chown -R www-data.www-data /var/unfold
chmod -R 700 /var/unfold
-# upgrading from older packages -- temporary
-[ -f /usr/share/unfold/myslice.sqlite3 ] && mv -f /usr/share/unfold/myslice.sqlite3 /var/unfold
-rm -f /etc/apache2/sites*/myslice.conf
# upgrading end
/usr/share/unfold/manage.py syncdb
/usr/share/unfold/manage.py migrate
-a2dissite default
+# be ready, enable ssl
+a2enmod ssl
+# disable defaults; jessie seems to come with 000-default instead of just default
+# not quite sure about ssl, disable every possible combination
+for site in default default-ssl; do
+ for prefix in "" "000-"; do
+ s=${prefix}${site}
+ a2dissite $s || :
+ done
+done
a2ensite unfold.conf
+# create a server-side cert/key and passes on gids to rehash them
+# because we do not enable ssl by default it is maybe not quite right to call this
+# at install-time anymore, although it should not hurt either
+unfold-init-ssl.sh
+# restart in any case
service apache2 restart
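Review bot: `unfold-init-ssl.sh` now runs unconditionally on every package configure, upgrades included, and its exit status is ignored before `service apache2 restart`. The script body is not visible here, so it should be confirmed that it leaves an existing `/etc/unfold/myslice.key` and `.cert` in place and creates the key with a mode that only root can read. Otherwise each upgrade would silently replace the server identity. A comment stating that the call is idempotent, or a check along the lines of `unfold-init-ssl.sh || echo "unfold-init-ssl.sh failed" >&2`, would document the intent. The `set -x` marked `# tmp` should also be dropped before release so that the maintainer script does not trace every command into install logs.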
# Manifold API Python interface
import copy, xmlrpclib
-from myslice.config import Config
+from myslice.configengine import ConfigEngine
from django.contrib import messages
from manifoldresult import ManifoldResult, ManifoldCode, ManifoldException
self.trace = []
self.calls = {}
self.multicall = False
- config = Config()
- self.url = config.manifold_url()
+ self.url = ConfigEngine().manifold_url()
self.server = xmlrpclib.Server(self.url, verbose=False, allow_none=True)
def __repr__ (self): return "ManifoldAPI[%s]"%self.url
return _execute_query(request, query, manifold_api_session_auth)
def execute_admin_query(request, query):
- config = Config()
- admin_user, admin_password = config.manifold_admin_user_password()
+ admin_user, admin_password = ConfigEngine().manifold_admin_user_password()
admin_auth = {'AuthMethod': 'password', 'Username': admin_user, 'AuthString': admin_password}
return _execute_query(request, query, admin_auth)
from manifold.manifoldapi import ManifoldAPI
from manifold.manifoldresult import ManifoldException
from manifold.util.log import Log
-from myslice.config import Config
+from myslice.configengine import ConfigEngine
debug=False
#debug=True
# We allow some requests to use the ADMIN user account
if (manifold_query.get_from() == 'local:user' and manifold_query.get_action() == 'create') \
or (manifold_query.get_from() == 'local:platform' and manifold_query.get_action() == 'get'):
- admin_user, admin_password = Config().manifold_admin_user_password()
+ admin_user, admin_password = ConfigEngine().manifold_admin_user_password()
manifold_api_session_auth = {'AuthMethod': 'password', 'Username': admin_user, 'AuthString': admin_password}
else:
print request.session['manifold']
from ConfigParser import RawConfigParser
from myslice.settings import ROOT
-# as this code suggests, you have the option to override these defaults
+#
+# DO NOT EDIT !!!
+#
+# This file does not contain any user-modifiable data
+#
+# te defaults here are, well, only default values,
+# and, you have the option to override them
# by writing a file myslice/myslice.ini
# that looks like this
#[manifold]
#url = http://manifold.pl.sophia.inria.fr:7080/
#admin_user = admin
#admin_password = admin
+#[googlemap]
+#api_key=theapikeyasprovidedbygoogle
# use a singleton instead of staticmethods
from manifold.util.singleton import Singleton
-class Config(object):
+class ConfigEngine(object):
__metaclass__ = Singleton
# the OpenLab-wide backend as managed by UPMC
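Review bot: The new header comment points users to `myslice/myslice.ini` for overrides but does not mention that the file carries `admin_password` in clear text. It would help to add something like `# myslice.ini holds the manifold admin password: keep it readable by the web server user only and out of version control`. The sample values `admin` / `admin` in the comment are also worth labelling as placeholders that must be changed. There is a typo in `# te defaults here are`, which should read `# the defaults here are`. The class body continues outside this hunk.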
def __init__ (self):
parser = RawConfigParser ()
parser.add_section('manifold')
- parser.set ('manifold', 'url', Config.default_manifold_url)
- parser.set ('manifold', 'admin_user', Config.default_manifold_admin_user)
- parser.set ('manifold', 'admin_password', Config.default_manifold_admin_password)
+ parser.set ('manifold', 'url', ConfigEngine.default_manifold_url)
+ parser.set ('manifold', 'admin_user', ConfigEngine.default_manifold_admin_user)
+ parser.set ('manifold', 'admin_password', ConfigEngine.default_manifold_admin_password)
parser.add_section('googlemap')
parser.set ('googlemap','api_key', None)
parser.read (os.path.join(ROOT,'myslice/myslice.ini'))
--- /dev/null
+asd
\ No newline at end of file
This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm
and use the password_reset_form argument.
-Users flagged with an unusable password (see set_unusable_password() aren't allowed to request a password reset to prevent misuse when using an external
+Users flagged with an unusable password - see set_unusable_password() - aren't allowed to request a password reset to prevent misuse when using an external
authentication source like LDAP. Note that they won't receive any error message since this would expose their account's existence but no mail will be sent either.
More Detail: https://docs.djangoproject.com/en/dev/topics/auth/default/#topics-auth-creating-users
from portal.forms import PasswordResetForm, SetPasswordForm
from django.contrib.auth.tokens import default_token_generator
from django.contrib.sites.models import get_current_site
-from django.contrib.auth.hashers import UNUSABLE_PASSWORD, identify_hasher
+from django.contrib.auth.hashers import identify_hasher
##
import os.path, re
from django.utils.translation import ugettext_lazy as _
from django.contrib.auth.tokens import default_token_generator
from django.contrib.auth import authenticate, get_user_model
-# TODO: Remove these automated forms and use html templates and views like any other page !
-# ERROR ImportError: cannot import name UNUSABLE_PASSWORD
-# XXX This is not compatible with Django 1.6.1
-# Ref: https://github.com/dot2code/varnish-bans-manager/issues/8
-from django.contrib.auth.hashers import UNUSABLE_PASSWORD, identify_hasher
from django.contrib.sites.models import get_current_site
from django.utils.http import int_to_base36
from django.template import loader
+# TODO: Remove these automated forms and use html templates and views like any other page !
+from django.contrib.auth.hashers import identify_hasher
+# adapted from https://sourcegraph.com/github.com/fusionbox/django-authtools/symbols/python/authtools/forms
+
+def is_password_unusable(pw):
+ # like Django's is_password_usable, but only checks for unusable
+ # passwords, not invalidly encoded passwords too.
+ try:
+ # 1.5
+ from django.contrib.auth.hashers import UNUSABLE_PASSWORD
+ return pw == UNUSABLE_PASSWORD
+ except ImportError:
+ # 1.6
+ from django.contrib.auth.hashers import UNUSABLE_PASSWORD_PREFIX
+ return pw.startswith(UNUSABLE_PASSWORD_PREFIX)
+
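Review bot: `is_password_unusable` has no guard for a missing value, so in the 1.6 branch `pw.startswith(...)` raises AttributeError if a user object ever carries `password = None`. Whether that can happen depends on the user model, which is not visible here. A guard such as `if pw is None: return True` at the top would match how Django's own usability check treats `None`. The try/except import runs on every call; resolving the constant once at module level would be cheaper and easier to read. The leading `#` comment would also serve better as a docstring stating that an unusable marker, not an invalid hash, is what is being detected.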
if not any(user.is_active for user in self.users_cache):
# none of the filtered users are active
raise forms.ValidationError(self.error_messages['unknown'])
- if any((user.password == UNUSABLE_PASSWORD)
- for user in self.users_cache):
+ if any(is_password_unusable(user.password) for user in self.users_cache):
raise forms.ValidationError(self.error_messages['unusable'])
return email
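Review bot: Raising `error_messages['unusable']` here, and `error_messages['unknown']` just above, gives the requester a different response depending on whether the submitted address maps to an account. That is the account-existence leak which the README text touched in this same commit says the reset flow avoids. Consider returning `email` unchanged in both cases and skipping the mail for such users when the reset is sent, so that every submission produces the same response. The enclosing clean method starts outside this hunk, so this should be checked against the full form and its templates.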
from manifold.manifoldresult import ManifoldResult
from ui.topmenu import topmenu_items, the_user
-from myslice.config import Config
+from myslice.configengine import ConfigEngine
class HomeView (FreeAccessView):
# expose this so we can mention the backend URL on the welcome page
def default_env (self):
- config=Config()
return {
- 'MANIFOLD_URL':config.manifold_url(),
+ 'MANIFOLD_URL':ConfigEngine().manifold_url(),
}
def post (self,request):
from plugins.querytable import QueryTable
-from myslice.config import Config
+from myslice.configengine import ConfigEngine
# View for 1 platform and its details
class PlatformView(FreeAccessView):
from plugins.lists.simplelist import SimpleList
from plugins.slicestat import SliceStat
-from myslice.config import Config
+from myslice.configengine import ConfigEngine
# View for 1 platform and its details
class ResourceView(FreeAccessView):
togglable = True,
query = resource_query,
query_all = resource_query,
- googlemap_api_key = Config().googlemap_api_key(),
+ googlemap_api_key = ConfigEngine().googlemap_api_key(),
checkboxes = False,
# center on Paris
#latitude = 49.,
from plugins.messages import Messages
from plugins.slicestat import SliceStat
-from myslice.config import Config
+from myslice.configengine import ConfigEngine
tmp_default_slice='ple.upmc.myslicedemo'
page.add_js_chunks ('$(function() { messages.debug("sliceview: jQuery version " + $.fn.jquery); });')
page.add_js_chunks ('$(function() { messages.debug("sliceview: users turned %s"); });'%("on" if do_query_users else "off"))
page.add_js_chunks ('$(function() { messages.debug("sliceview: leases turned %s"); });'%("on" if do_query_leases else "off"))
- config=Config()
- page.add_js_chunks ('$(function() { messages.debug("manifold URL %s"); });'%(config.manifold_url()))
+ page.add_js_chunks ('$(function() { messages.debug("manifold URL %s"); });'%(ConfigEngine().manifold_url()))
metadata = page.get_metadata()
resource_md = metadata.details_by_object('resource')
query = sq_resource,
query_all = query_resource_all,
# this key is the one issued by google
- googlemap_api_key = Config().googlemap_api_key(),
+ googlemap_api_key = ConfigEngine().googlemap_api_key(),
# the key to use at init-time
init_key = main_query_init_key,
checkboxes = True,
# xxx somehow this does not seem to show up in debian packaging
scripts = [ 'apache/unfold-init-ssl.sh' ],
data_files = [
- ( '/usr/share/unfold/static/js', glob ('static/js/*')),
- ( '/usr/share/unfold/static/css', glob ('static/css/*')),
- ( '/usr/share/unfold/static/img', glob ('static/img/*')),
- ( '/usr/share/unfold/static/fonts', glob ('static/fonts/*')),
- ( '/usr/share/unfold/templates', glob ('templates/*')),
- ( 'apache', [ 'apache/unfold.conf', 'apache/unfold.wsgi' ]),
+ ( '/usr/share/unfold/static/js', glob ('static/js/*')),
+ ( '/usr/share/unfold/static/css', glob ('static/css/*')),
+ ( '/usr/share/unfold/static/img', glob ('static/img/*')),
+ ( '/usr/share/unfold/static/fonts', glob ('static/fonts/*')),
+ ( '/usr/share/unfold/templates', glob ('templates/*')),
+ ( 'apache', [ 'apache/unfold.conf', 'apache/unfold-ssl.conf', 'apache/unfold.wsgi' ]),
+ ( '/etc/unfold/trusted_roots', []),
+ ( '/var/unfold', []),
])
from unfold.prelude import Prelude
-from myslice.config import Config
+from myslice.configengine import ConfigEngine
# decorator to deflect calls on this Page to its prelude
def to_prelude (method):
self.add_js_init_chunks("var MANIFOLD_METADATA =" + self.get_metadata().to_json() + ";\n")
def expose_js_manifold_config (self):
- config=Config()
- self.add_js_init_chunks(config.manifold_js_export())
+ self.add_js_init_chunks(ConfigEngine().manifold_js_export())
#################### requirements/prelude management
# just forward to self.prelude - see decorator above