#!/bin/bash
# Abort on use of an unset variable. -e is not set: the p4 calls below are
# wrapped in if/else so a failure is logged and counted rather than aborting
# the trigger mid-way.
set -u

#==============================================================================
# This Helix Core trigger script makes SSO the default.

# This is done by adding new users to the SSO group (as defined in the Helix
# Authentication Extension), and setting an unusable P4PASSWD.  This one
# trigger script is referenced twice in the Triggers table, once as a form-save
# trigger and once as a form-commit trigger.  The p4d server fires a form-save
# trigger after the form (in this case a user spec/form) has been validated
# as acceptable by the server, but before the form has been committed to the
# database. The form-commit trigger fires after a form has been committed
# to the database.

# Sample Triggers table entries (both entries required):
#
# SSO_default form-save user "/p4/common/site/bin/triggers/SSO_default.sh %formfile% {ssogroupname|none}"
# SSO_default form-commit user "/p4/common/site/bin/triggers/SSO_default.sh %formfile% {ssogroupname|none}"

# Workflow:
#
# The form-save trigger adds new users to the SSO group, and uses the 'p4 key'
# command to indicate they should have an unusable P4PASSWD set.  The
# form-commit trigger sets the unusable P4PASSWD.
#
# If "none" is specified as the second argument for the SSO group name, no group
# addition is done. This is to accommodate sites that default to HAS as opposed to 
# explicitly opting users in via SSO group membership.
#
# The form-save trigger fires when a user spec form is about to be updated on
# the server.  If a spec form is saved for a new P4USER not yet known to p4d,
# add them to the SSO group, and then set a key named:
#
# SetUnusableP4PASSWD-<User>.
#
# It is possible to add a user name to a group even before the user account is
# created, so that is handled in the form-save call.
#
# The form-commit trigger fires after the form is committed to the p4d
# server. If the SetUnusableP4PASSWD-<User> key is set for the user (it having
# been set in the form-save trigger), run 'p4 passwd' to set an unusable UUID
# password.  In the form-commit trigger, the account exists in p4d so we can
# run the 'p4 passwd' command (which isn't possible in the form-save trigger
# as the user doesn't yet exist in p4d at that point).

#==============================================================================
# Declarations and Environment
# Script identity (basename of $0) and version string used in the log banner.
declare ThisScript="${0##*/}"
declare Version="2.1.1"
declare ThisUser=""

# Trigger arguments: %formfile% and the SSO group name (or "none").
# Sentinel defaults let the usage checks below report which one is missing.
declare FormFile="${1:-UnsetFormFile}"
declare SSOGroup="${2:-UnsetGroupName}"

# Log file: $LOGS/<script-name>.log, falling back to /tmp when LOGS is unset.
declare Log="${LOGS:-/tmp}/${ThisScript%.sh}.log"

# Per-run working state, filled in by the main program.
declare User="" UserSetPasswordKey=""
declare Password="" PasswordFile="" GroupSpecFile=""

# Integer flags: Debug enables dbg() output; ErrorCount is incremented by
# errmsg() and used as the exit status by bail().
declare -i Debug=0 ErrorCount=0

#==============================================================================
# Local Functions
# Print all arguments as one line. echo -e is kept on purpose: callers pass
# literal "\\n"/"\\t" sequences that rely on escape interpretation. Note the
# same interpretation applies to values interpolated into the message.
function msg () {
   local text="$*"
   echo -e "$text"
}
function errmsg () { msg "\\nError: ${1:-Unknown  Error}\\n"; ErrorCount+=1; }
# Log a fatal error and exit with the accumulated error count (at least 1,
# since errmsg has just incremented it).
# Arguments: $1 - message text (defaults to "Unknown Error")
function bail () {
   local reason="${1:-Unknown Error}"
   errmsg "$reason"
   exit "${ErrorCount}"
}
# Log the arguments with a DEBUG: prefix, but only when Debug is non-zero.
# Returns 0 in both cases.
function dbg () {
   if [[ "$Debug" -ne 0 ]]; then
      msg "DEBUG: $*"
   fi
}

#==============================================================================
# Main Program

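# Capture all output to a log; display nothing, not even errors.
# NOTE(review): when LOGS is unset the log is "/tmp/<script>.log", a
# predictable name in a world-writable directory; set LOGS to a directory
# writable only by the trigger's service account in production.
touch "$Log" || bail "Could not init log [$Log] for $ThisScript."
exec >>"$Log"
exec 2>&1

ThisUser=$(id -n -u)
msg "Started $ThisScript v$Version as $ThisUser@${HOSTNAME%%.*} on $(date)."

# Set umask so temp files are 600 perms (read/writable only by owner).
umask 177

#######################################
# Remove the temp files on every exit path (bail, signal), not only after
# normal completion; the password file in particular must not linger.
# Globals:   PasswordFile, GroupSpecFile (read)
# Returns:   0, so the script's exit status is left untouched
#######################################
function cleanup_temp_files () {
   [[ -n "$PasswordFile" ]] && rm -f -- "$PasswordFile"
   [[ -n "$GroupSpecFile" ]] && rm -f -- "$GroupSpecFile"
   return 0
}
trap cleanup_temp_files EXIT

[[ "$FormFile" == "UnsetFormFile" ]] && \
   bail "Bad Usage: Parameter 1 [FormFile] not passed in."
[[ -r "$FormFile" ]] ||\
   bail "Form file passed in does not exist."

[[ "$SSOGroup" == "UnsetGroupName" ]] && \
   bail "Bad Usage: Parameter 2 [SSOGroup] not passed in."

#######################################
# form-commit path for a user that already exists in p4d: if the form-save
# run left the SetUnusableP4PASSWD-<User> key set to YES, set a random UUID
# password via 'p4 passwd' (which reads the new password twice from stdin)
# and clear the key. Any other value (p4 key prints 0 for an unset key) means
# the account was not created through this trigger and it is left alone.
# Globals:   User, UserSetPasswordKey (read); Password, PasswordFile (written)
# Returns:   0; failures are logged and counted via errmsg
#######################################
function set_unusable_password () {
   if [[ "$(p4 key "$UserSetPasswordKey")" != "YES" ]]; then
      msg "UserSetPasswordKey not detected. Ignoring user [$User]."
      return 0
   fi
   msg "Key detected: $UserSetPasswordKey"

   # mktemp honours the umask above (0600). Fail here rather than at the
   # redirect, so an empty $PasswordFile is never used as a path.
   if ! PasswordFile=$(mktemp); then
      errmsg "Failed to create temp password file for user [$User]."
      return 0
   fi

   # The value is never shown to anyone; it only has to be unguessable.
   Password=$(uuidgen)
   if [[ -z "$Password" ]]; then
      errmsg "Failed to set UUID P4PASSWD for user [$User]."
      rm -f -- "$PasswordFile"
      return 0
   fi

   # Fixed printf format so nothing in the value is reinterpreted as an
   # escape sequence (echo -e would do that).
   if ! printf '%s\n%s\n' "$Password" "$Password" > "$PasswordFile"; then
      errmsg "Failed to create temp password file for user [$User]."
      rm -f -- "$PasswordFile"
      return 0
   fi

   if p4 passwd "$User" < "$PasswordFile"; then
      msg "SSO user [$User] now has unusable P4PASSWD."
      if p4 key -d "$UserSetPasswordKey"; then
         msg "Key cleared: $UserSetPasswordKey"
      else
         errmsg "Failed to clear key: $UserSetPasswordKey"
      fi
   else
      errmsg "Failed to set UUID P4PASSWD for user [$User]."
   fi
   rm -f -- "$PasswordFile"
   return 0
}

#######################################
# form-save path for a user not yet known to p4d: append the user to the SSO
# group and set the SetUnusableP4PASSWD-<User> key so the form-commit run
# sets the password. The group spec is fetched with comment and trailing
# blank lines stripped, then the user is appended as a tab-indented line;
# this assumes Users: is the last field printed by 'p4 group -o' — TODO
# confirm against the server version in use.
# Globals:   User, SSOGroup, UserSetPasswordKey (read); GroupSpecFile (written)
# Returns:   0; failures are logged and counted via errmsg
#######################################
function add_user_to_sso_group () {
   if ! GroupSpecFile=$(mktemp); then
      errmsg "Could not generate group spec file for SSO group [$SSOGroup]."
      return 0
   fi

   p4 group -o "$SSOGroup" | grep -v '^#' \
      | sed -e :a -e '/^\n*$/{$d;N;};/\n$/ba' > "$GroupSpecFile"
   # Without pipefail only sed's status would be visible; a failed
   # 'p4 group -o' must not be mistaken for a valid (empty) spec.
   if [[ "${PIPESTATUS[0]}" -ne 0 || "${PIPESTATUS[2]}" -ne 0 ]]; then
      errmsg "Could not generate group spec file for SSO group [$SSOGroup]."
      rm -f -- "$GroupSpecFile"
      return 0
   fi
   if [[ ! -s "$GroupSpecFile" ]]; then
      errmsg "Failed to generate a valid group spec file for group [$SSOGroup]."
      rm -f -- "$GroupSpecFile"
      return 0
   fi

   # $User comes from the form file, so it is written with a fixed printf
   # format rather than passed through echo -e.
   if ! printf '\t%s\n' "$User" >> "$GroupSpecFile"; then
      errmsg "Could not add user [$User] to SSO Group [$SSOGroup]."
      rm -f -- "$GroupSpecFile"
      return 0
   fi

   if p4 -s group -i < "$GroupSpecFile"; then
      msg "User [$User] added to SSO group [$SSOGroup]."
      if p4 key "$UserSetPasswordKey" YES; then
         msg "Key set so form-commit trigger sets unusable P4PASSWD for SSO user [$User]."
      else
         errmsg "Failed to set key $UserSetPasswordKey."
      fi
   else
      errmsg "Failed to load this spec file for group [$SSOGroup]:$(grep -v '^#' "$GroupSpecFile")"
   fi
   rm -f -- "$GroupSpecFile"
   return 0
}

# Check that a User field exists, indicating the form file is likely valid.
# Only the first User: line is used, and a present-but-empty one is treated
# like a missing one, so an empty name never reaches 'p4 user' or the key name.
User=$(awk '/^User:/ { print $2; exit }' "$FormFile")
if [[ -z "$User" ]]; then
   msg "Form file [$FormFile] has no User field. Ignoring it."
else
   UserSetPasswordKey="SetUnusableP4PASSWD-$User"
   if p4 user --exists -o "$User" > /dev/null; then
      msg "User [$User] already exists; not adding to SSO."
      set_unusable_password
   elif [[ "$SSOGroup" != "none" ]]; then
      # "none" means the site does not opt users in via group membership.
      add_user_to_sso_group
   fi
fi

dbg "Normal exit."

# Exits 0 even when errors were counted — presumably so a failure here does
# not cause p4d to reject the user spec itself; the errors are in the log.
exit 0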
#7 30002 C. Thomas Tyler Fixed support for HAS "opt out" model in SSO_default.sh.

Fixed bug where triggers did not work as expected if 'none' was specified
for the SSO group, as needed to support the "Opt out" model for the Helix
Authentication extension.

Fixed doc issue to prevent accidental misconfiguration of pasting in
literal values in the sample.

#review-30003
#6 29152 C. Thomas Tyler Fixed typos in output messages and comments.
No behavior changes.
#5 29134 Mark Zinthefer Updated version, corrected some of the comments.
#4 29128 Mark Zinthefer New SSO script version.
#3 29094 C. Thomas Tyler Fixed typo in output.
#2 29093 C. Thomas Tyler Tweaked logging to continuously append.

#review-29092
#1 29091 C. Thomas Tyler Added sample trigger to make SSO with the Helix Authentication
Service the default for new users accounts.

Behaviors:
* Add users to an SSO group.
* Generate an unusable P4PASSWD (using uuidgen).

#review-29092 @robert_cowahm @nathan_fiedler @andy_boutte