#!/bin/bash
# Treat expansion of an unset variable as a fatal error (same as 'set -u').
set -o nounset
#==============================================================================
# This Helix Core trigger script makes SSO the default.
# This is done by adding new users to the SSO group (as defined in the Helix
# Authentication Extension), and setting an unusable P4PASSWD. This one
# trigger script is referenced twice in the Triggers table, once as a form-save
# trigger and once as a form-commit trigger. The p4d server fires a form-save
# trigger after the form (in this case a user spec/form) has been validated
# as acceptable by the server, but before the form has been committed to the
# database. The form-commit trigger fires after a form has been committed
# to the database.
# Sample Triggers table entries (both entries required):
#
# SSO_default form-save user "/p4/common/site/bin/triggers/SSO_default.sh %formfile% {ssogroupname|none}"
# SSO_default form-commit user "/p4/common/site/bin/triggers/SSO_default.sh %formfile% {ssogroupname|none}"
# Workflow:
#
# The form-save trigger adds new users to the SSO group, and uses the 'p4 key'
# command to indicate they should have an unusable P4PASSWD set. The
# form-commit trigger sets the unusable P4PASSWD.
#
# If "none" is specified as the second argument for the SSO group name, no group
# addition is done. This is to accommodate sites that default to HAS as opposed to
# explicitly opting users in via SSO group membership.
#
# The form-save trigger fires when a user spec form is about to be updated on
# the server. If a spec form is saved for a new P4USER not yet known to p4d,
# add them to the SSO group, and then set a key named:
#
# SetUnusableP4PASSWD-<User>.
#
# It is possible to add a user name to a group even before the user account is
# created, so that is handled in the form-save call.
#
# The form-commit trigger fires after the form is committed to the p4d
# server. If the SetUnusableP4PASSWD-<User> key is set for the user (it having
# been set in the form-save trigger), run 'p4 passwd' to set an unusable UUID
# password. In the form-commit trigger, the account exists in p4d so we can
# run the 'p4 passwd' command (which isn't possible in the form-save trigger
# as the user doesn't yet exist in p4d at that point).
#==============================================================================
# Declarations and Environment
declare ThisScript=${0##*/}   # script basename; used in log lines and the log file name
declare ThisUser=             # resolved at runtime with 'id'
declare Version=2.1.0
# Positional parameters from the Triggers table entry: %formfile% and the SSO
# group name (or the literal 'none'). Sentinel defaults let the usage checks in
# the main program detect a missing parameter.
declare FormFile=${1:-UnsetFormFile}
declare SSOGroup=${2:-UnsetGroupName}
# NOTE(review): when LOGS is unset the log lands in /tmp under a predictable
# name in a world-writable directory; run with LOGS set (as SDP does) so another
# local user cannot pre-create or symlink /tmp/<script>.log ahead of the append.
declare Log="${LOGS:-/tmp}/${ThisScript%.sh}.log"
# Scratch state filled in by the main program.
declare Password=
declare PasswordFile=
declare GroupSpecFile=
declare User=
declare UserSetPasswordKey=
# Debug is never switched on in this script; ErrorCount is bumped by errmsg.
declare -i Debug=0 ErrorCount=0
#==============================================================================
# Local Functions
# Print all arguments as one line, honouring backslash escapes (echo -e).
function msg () { local line="$*"; echo -e "$line"; }
# Log an error (blank line, "Error: <text>", blank line) and count it in
# ErrorCount; the count becomes the exit status when bail is used.
function errmsg () { local what="${1:-Unknown Error}"; msg "\\nError: ${what}\\n"; ErrorCount=$(( ErrorCount + 1 )); }
# Log an error via errmsg and exit with the accumulated ErrorCount (>= 1).
function bail () { local reason="${1:-Unknown Error}"; errmsg "$reason"; exit "$ErrorCount"; }
# Log a "DEBUG: ..." line only when Debug is non-zero; silent otherwise.
function dbg () { if (( Debug != 0 )); then msg "DEBUG: $*"; fi; }
#==============================================================================
# Main Program
# Capture all output to a log; display nothing, not even errors.
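# Capture all output to a log; display nothing, not even errors. From here on
# the log file is the only record of what this trigger did or failed to do.
# NOTE(review): if LOGS is unset the log is /tmp/<script>.log, a predictable
# name in a world-writable directory; run with LOGS set (SDP does) so another
# local user cannot pre-create or symlink the file and receive the appended output.
touch "$Log" || bail "Could not init log [$Log] for $ThisScript."
exec >>"$Log"
exec 2>&1
ThisUser=$(id -n -u)
msg "Started $ThisScript v$Version as $ThisUser@${HOSTNAME%%.*} on $(date)."

# Set umask so temp files are 600 perms (read/writable only by owner). The
# password temp file below briefly holds the new P4PASSWD in clear text.
umask 177

# Remove scratch files on every exit path (normal exit, bail, or a fatal
# signal) so a password or group-spec file is never left behind in the temp
# directory. The variables are empty until mktemp has assigned them.
function cleanup () {
    if [[ -n "$PasswordFile" ]]; then rm -f -- "$PasswordFile"; fi
    if [[ -n "$GroupSpecFile" ]]; then rm -f -- "$GroupSpecFile"; fi
}
trap cleanup EXIT

[[ "$FormFile" == "UnsetFormFile" ]] && \
    bail "Bad Usage: Parameter 1 [FormFile] not passed in."
[[ -r "$FormFile" ]] || \
    bail "Form file passed in does not exist."
[[ "$SSOGroup" == "UnsetGroupName" ]] && \
    bail "Bad Usage: Parameter 2 [SSOGroup] not passed in."

# Form-commit path: give the (now existing) user a random UUID as P4PASSWD so
# the password is effectively unusable, then clear the hand-off key.
# Arguments: $1 user name, $2 name of the key set by the form-save pass.
# Returns 0 on success, 1 after logging an error. Temp file removal is left
# to the EXIT trap; the script exits right after this call.
function set_unusable_password () {
    local user="$1"
    local key="$2"
    # An unchecked mktemp failure would leave PasswordFile empty and turn the
    # redirect below into a shell error; report it explicitly instead.
    if ! PasswordFile=$(mktemp); then
        errmsg "Could not create temp password file for user [$user]."
        return 1
    fi
    # Never let an empty value reach 'p4 passwd': that would not be the
    # unusable password this trigger promises (uuidgen missing or failing).
    if ! Password=$(uuidgen) || [[ -z "$Password" ]]; then
        errmsg "Could not generate a random P4PASSWD for user [$user]."
        return 1
    fi
    # 'p4 passwd <user>' reads the new password twice from stdin
    # (enter + re-enter), hence two identical lines.
    if ! printf '%s\n%s\n' "$Password" "$Password" > "$PasswordFile"; then
        errmsg "Failed to create temp passwordfile for user [$user]."
        return 1
    fi
    if ! p4 passwd "$user" < "$PasswordFile"; then
        errmsg "Failed to set UUID P4PASSWD for user [$user]."
        return 1
    fi
    msg "SSO user [$user] now has unusable P4PASSWD."
    if p4 key -d "$key"; then
        msg "Key cleared: $key"
    else
        errmsg "Failed to clear key: $key"
    fi
    return 0
}

# Form-save path: append the new user to the SSO group's Users: list.
# Arguments: $1 user name, $2 SSO group name.
# Returns 0 only when 'p4 group -i' accepted the updated spec, 1 otherwise.
# NOTE(review): 'p4 group -o' hands back an empty template for a group that
# does not exist yet, so a misspelled group name in the Triggers table would
# silently create a new group instead of failing; check the name against
# 'p4 groups' when deploying.
function add_user_to_sso_group () {
    local user="$1"
    local group="$2"
    local spec
    # Capture the spec first so a failing 'p4 group -o' is not masked by the
    # filters behind it in a pipeline (pipefail is not in effect).
    if ! spec=$(p4 group -o "$group"); then
        errmsg "Could not generate group spec file for SSO group [$group]."
        return 1
    fi
    if ! GroupSpecFile=$(mktemp); then
        errmsg "Could not create temp spec file for SSO group [$group]."
        return 1
    fi
    # Drop comment lines and trailing blank lines so the appended user lands
    # directly under the Users: field, which this relies on being the last
    # field of the group spec.
    if ! grep -v '^#' <<<"$spec" | sed -e :a -e '/^\n*$/{$d;N;};/\n$/ba' > "$GroupSpecFile"; then
        errmsg "Could not generate group spec file for SSO group [$group]."
        return 1
    fi
    if [[ ! -s "$GroupSpecFile" ]]; then
        errmsg "Failed to generate a valid group spec file for group [$group]."
        return 1
    fi
    if ! printf '\t%s\n' "$user" >> "$GroupSpecFile"; then
        errmsg "Could not add user [$user] to SSO Group [$group]."
        return 1
    fi
    # NOTE(review): confirm that 'p4 -s' still returns a non-zero process
    # status when the spec is rejected; if it only reports the failure on its
    # 'exit:' output line, this branch never fires and the hand-off key would
    # be set for a user who was never added to the group.
    if ! p4 -s group -i < "$GroupSpecFile"; then
        errmsg "Failed to load this spec file for group [$group]:$(grep -v '^#' "$GroupSpecFile")"
        return 1
    fi
    msg "User [$user] added to SSO group [$group]."
    return 0
}

# Set the hand-off key that tells the form-commit pass to make the password
# unusable. Arguments: $1 user name, $2 key name.
function set_handoff_key () {
    local user="$1"
    local key="$2"
    if p4 key "$key" YES; then
        msg "Key set so form-commit trigger sets unusable P4PASSWD for SSO user [$user]."
    else
        errmsg "Failed to set key $key."
    fi
}

# Check that a User field exists, indicating the form file is likely valid.
if ! grep -q '^User:' "$FormFile"; then
    msg "Form file [$FormFile] has no User field. Ignoring it."
else
    # First User: line only. p4d has already validated the spec by the time a
    # form-save trigger fires, so the value is a legal Perforce user name.
    User=$(awk '/^User:/ { print $2; exit }' "$FormFile")
    UserSetPasswordKey="SetUnusableP4PASSWD-$User"
    if p4 user --exists -o "$User" > /dev/null; then
        # Form-commit pass, or a later edit of an existing user's spec.
        msg "User [$User] already exists; not adding to SSO."
        # NOTE(review): the key is only cleared after a successful password
        # change, so if a form-save pass set it but the commit never happened
        # (e.g. another trigger rejected the form) the key survives and the
        # next save of that user's spec resets their password here.
        if [[ "$(p4 key "$UserSetPasswordKey")" == "YES" ]]; then
            msg "Key detected: $UserSetPasswordKey"
            set_unusable_password "$User" "$UserSetPasswordKey"
        else
            msg "UserSetPasswordKey not detected. Ignoring user [$User]."
        fi
    else
        # Form-save pass for a user p4d does not know yet. With a real group
        # name the key is set only once the group add succeeded, as before.
        # With 'none' the header says only the group addition is skipped, so
        # the key is set directly; previously nothing happened at all for
        # 'none' and such users kept a usable P4PASSWD.
        if [[ "$SSOGroup" == "none" ]]; then
            msg "SSO group is 'none'; not adding new user [$User] to a group."
            set_handoff_key "$User" "$UserSetPasswordKey"
        elif add_user_to_sso_group "$User" "$SSOGroup"; then
            set_handoff_key "$User" "$UserSetPasswordKey"
        fi
    fi
fi
dbg "Normal exit."
# Always exit 0. A non-zero status from the form-save trigger would reject the
# user spec and block account creation, so this script fails open by design:
# if the group add or password change fails, the account is still created and
# the only evidence is in the log. Sites that require SSO-only access should
# monitor the log for "Error:" lines.
exit 0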