#!/bin/bash set -u #============================================================================== # This Helix Core trigger script makes SSO the default. # This is done by adding new users to the SSO group (as defined in the Helix # Authentication Extension), and setting an unusable P4PASSWD. This one # trigger script is referenced twice in the Triggers table, once as a form-save # trigger and once as a form-commit trigger. The p4d server fires a form-save # trigger after the form (in this case a user spec/form) has been validated # as acceptable by the server, but before the form has been committed to the # database. The form-commit trigger fires after a form has been committed # to the database. # Sample Triggers table entries (both entries required): # # SSO_default form-save user "/p4/common/site/bin/triggers/SSO_default.sh %formfile% {ssogroupname|none}" # SSO_default form-commit user "/p4/common/site/bin/triggers/SSO_default.sh %formfile% {ssogroupname|none}" # Workflow: # # The form-save trigger adds new users to the SSO group, and uses the 'p4 key' # command to indicate they should have an unusable P4PASSWD set. The # form-commit trigger sets the unusable P4PASSWD. # # If "none" is specified as the second argument for the SSO group name, no group # addition is done. This is to accommodate sites that default to HAS as opposed to # explicitly opting users in via SSO group membership. # # The form-save trigger fires when user spec form is about to be updated on # the server. If a spec form is saved for a new P4USER not yet known to p4d, # add them to the SSO group, and then set a key named: # # SetUnusableP4PASSWD-<User>. # # It is possible to add a user name to a group even before the user account is # created, so that is handled in the form-save call. # # The form-commit trigger fires after the form is committed to the p4d # server. If the SetUnusableP4PASSWD-<User> key is set for the user (it having # been set in the form-save trigger), run 'p4 passwd' to set an unusable UUID # password. In the form-commit trigger, the account exists in p4d so we can # run the 'p4 passwd' command (which isn't possible in the form-save trigger # as the user doesn't yet exist in p4d at that point). #============================================================================== # Declarations and Environment declare ThisScript=${0##*/} declare ThisUser= declare Version=2.1.1 declare FormFile=${1:-UnsetFormFile} declare Log="${LOGS:-/tmp}/${ThisScript%.sh}.log" declare SSOGroup=${2:-UnsetGroupName} declare Password= declare PasswordFile= declare GroupSpecFile= declare User= declare UserSetPasswordKey= declare -i Debug=0 declare -i ErrorCount=0 #============================================================================== # Local Functions function msg () { echo -e "$*"; } function errmsg () { msg "\\nError: ${1:-Unknown Error}\\n"; ErrorCount+=1; } function bail () { errmsg "${1:-Unknown Error}"; exit "${ErrorCount}"; } function dbg () { [[ "$Debug" -eq 0 ]] || msg "DEBUG: $*"; } #============================================================================== # Main Program # Capture all output to a log; display nothing, not even errors. touch "$Log" || bail "Could not init log [$Log] for $ThisScript." exec >>"$Log" exec 2>&1 ThisUser=$(id -n -u) msg "Started $ThisScript v$Version as $ThisUser@${HOSTNAME%%.*} on $(date)." # Set umask so temp files are 600 perms (read/writable only by owner). umask 177 [[ "$FormFile" == "UnsetFormFile" ]] && \ bail "Bad Usage: Parameter 1 [FormFile] not passed in." [[ -r "$FormFile" ]] ||\ bail "Form file passed in does not exist." [[ "$SSOGroup" == "UnsetGroupName" ]] && \ bail "Bad Usage: Parameter 2 [SSOGroup] not passed in." # Check that a User field exists, indicating the form file is likely valid. if grep -q ^User: "$FormFile"; then User=$(grep ^User: "$FormFile"|awk '{print $2}') UserSetPasswordKey="SetUnusableP4PASSWD-$User" if p4 user --exists -o "$User" > /dev/null; then msg "User [$User] already exists; not adding to SSO." if [[ "$(p4 key "$UserSetPasswordKey")" == "YES" ]]; then msg "Key detected: $UserSetPasswordKey" PasswordFile=$(mktemp) Password=$(uuidgen) if echo -e "$Password\\n$Password" > "$PasswordFile"; then if p4 passwd "$User" < "$PasswordFile"; then msg "SSO user [$User] now has unusable P4PASSWD." if p4 key -d "$UserSetPasswordKey"; then msg "Key cleared: $UserSetPasswordKey" else errmsg "Failed to clear key: $UserSetPasswordKey" fi else errmsg "Failed to set UUID P4PASSWD for user [$User]." fi else errmsg "Failed to create temp password file for user [$User]." fi rm -f "$PasswordFile" else msg "UserSetPasswordKey not detected. Ignoring user [$User]." fi else if [[ "$SSOGroup" != "none" ]]; then GroupSpecFile=$(mktemp) if p4 group -o "$SSOGroup" | grep -v ^# | sed -e :a -e '/^\n*$/{$d;N;};/\n$/ba' > "$GroupSpecFile"; then if [[ -s "$GroupSpecFile" ]]; then if echo -e "\\t$User" >> "$GroupSpecFile"; then if p4 -s group -i < "$GroupSpecFile"; then msg "User [$User] added to SSO group [$SSOGroup]." if p4 key "$UserSetPasswordKey" YES; then msg "Key set so form-commit trigger sets unusable P4PASSWD for SSO user [$User]." else errmsg "Failed to set key $UserSetPasswordKey." fi else errmsg "Failed to load this spec file for group [$SSOGroup]:$(grep -v '^#' "$GroupSpecFile")" fi else errmsg "Could not add user [$User] to SSO Group [$SSOGroup]." fi else errmsg "Failed to generate a valid group spec file for group [$SSOGroup]." fi else errmsg "Could not generate group spec file for SSO group [$SSOGroup]." fi rm -f "$GroupSpecFile" fi fi else msg "Form file [$FormFile] has no User field. Ignoring it." fi dbg "Normal exit." exit 0
# | Change | User | Description | Committed | |
---|---|---|---|---|---|
#3 | 30043 | C. Thomas Tyler |
Released SDP 2023.2.30041 (2023/12/22). Copy Up using 'p4 copy -r -b perforce_software-sdp-dev'. |
||
#2 | 29205 | C. Thomas Tyler |
Released SDP 2022.1.29203 (2022/11/22). Copy Up using 'p4 copy -r -b perforce_software-sdp-dev'. |
||
#1 | 29143 | C. Thomas Tyler |
Released SDP 2022.1.29141 (2022/10/29). Copy Up using 'p4 copy -r -b perforce_software-sdp-dev'. |
||
//guest/perforce_software/sdp/dev/Unsupported/Samples/triggers/SSO_default.sh | |||||
#5 | 29134 | Mark Zinthefer | Updated version, corrected some of the comments. | ||
#4 | 29128 | Mark Zinthefer | New SSO script version. | ||
#3 | 29094 | C. Thomas Tyler | Fixed typo in output. | ||
#2 | 29093 | C. Thomas Tyler |
Tweaked logging to continuously append. #review-29092 |
||
#1 | 29091 | C. Thomas Tyler |
Added sample trigger to make SSO with the Helix Authentication Service the default for new users accounts. Behaviors: * Add users to an SSO group. * Generate an unusuable P4PASSWD (using uuidgen). #review-29092 @robert_cowahm @nathan_fiedler @andy_boutte |