ws: Add 'LoginTo' cockpit.conf option #5658

Closed
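--- a/doc/man/cockpit.conf.xml
+++ b/doc/man/cockpit.conf.xml
@@ -83,6 +83,15 @@ ProtocolHeader = X-Forwarded-Proto
 <term><option>LoginTitle</option></term>
 <listitem><para>Set the browser title for the login screen.</para></listitem>
 </varlistentry>
+<varlistentry>
+<term><option>LoginTo</option></term>
+<listitem>
+<para>When set to <literal>true</literal> the <emphasis>Connect to</emphasis> option
+on the login screen is visible and allows logging into another server. If this
+option is not specified then it will be automatically detected based on whether
+the <command>cockpit-ssh</command> process is available or not.</para>
+</listitem>
+</varlistentry>
 <varlistentry>
 <term><option>MaxStartups</option></term>
 <listitem><para>Same as the <command>sshd</command> configuration option by the same name.
@@ -122,33 +131,33 @@ ProtocolHeader = X-Forwarded-Proto
 </refsect1>
 
 <refsect1 id="cockpit-conf-oauth">
-<title>OAuth</title>
-<para>Cockpit can be configured to support the <ulink url="https://tools.ietf.org/html/rfc6749#section-4.2">
+<title>OAuth</title>
+<para>Cockpit can be configured to support the <ulink url="https://tools.ietf.org/html/rfc6749#section-4.2">
 implicit grant</ulink> OAuth authorization flow. When successful the resulting oauth
 token will be passed to cockpit-ws using the <literal>Bearer</literal> auth-scheme.
 For a login to be successful, cockpit will also need a to be configured to verify
 and allow <literal>Bearer</literal> tokens.</para>
-<variablelist>
-<varlistentry>
-<term><option>URL</option></term>
-<listitem>
+<variablelist>
+<varlistentry>
+<term><option>URL</option></term>
+<listitem>
 <para>This is the url that cockpit will redirect the users browser to when it needs
 to obtain an oauth token. Cockpit will add a redirect_uri parameter to the url with
 the location of where the oauth provider should redirect to once a token has been
 obtained.</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term><option>ErrorParam</option></term>
-<listitem>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><option>ErrorParam</option></term>
+<listitem>
 <para>When a oauth provider redirects a user back to cockpit, look for this parameter
 in the querystring or fragment portion of the url to find a error message. When not
 provided it will default to <literal>error_description</literal></para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term><option>TokenParam</option></term>
-<listitem>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><option>TokenParam</option></term>
+<listitem>
 <para>When a oauth provider redirects a user back to cockpit, look for this parameter
 in the querystring or fragment portion of the url to find the access token. When not
 provided it will default to <literal>access_token</literal></para>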
32 changes: 26 additions & 6 deletions src/ws/cockpithandlers.c
Expand Up @@ -241,6 +241,30 @@ add_oauth_to_environment (JsonObject *environment)
}
}

static void
add_page_to_environment (JsonObject *object)
{
static gint page_login_to = -1;
JsonObject *page;
const gchar *value;

page = json_object_new ();

value = cockpit_conf_string ("WebService", "LoginTitle");
if (value)
json_object_set_string_member (page, "title", value);

if (page_login_to < 0)
Contributor


This if seems unnecessary, page_login_to is always -1.

Contributor Author


It's a static variable. It keeps the last value set.

{
page_login_to = cockpit_conf_bool ("WebService", "LoginTo",
g_file_test (cockpit_ws_ssh_program,
G_FILE_TEST_IS_EXECUTABLE));
}

json_object_set_boolean_member (page, "connect", page_login_to);
json_object_set_object_member (object, "page", page);
}

static GBytes *
build_environment (GHashTable *os_release)
{
Expand All @@ -263,17 +287,13 @@ build_environment (GHashTable *os_release)
GByteArray *buffer;
GBytes *bytes;
JsonObject *object;
const gchar *title;
const gchar *value;
gchar *hostname;
JsonObject *osr;
const gchar *value;
gint i;

object = json_object_new ();

title = cockpit_conf_string ("WebService", "LoginTitle");
if (title)
json_object_set_string_member (object, "title", title);
add_page_to_environment (object);

hostname = g_malloc0 (HOST_NAME_MAX + 1);
gethostname (hostname, HOST_NAME_MAX);
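Review bot: `add_page_to_environment` only publishes `connect` to the login page, so as far as these hunks show `LoginTo = false` hides the *Connect to* field but does not make cockpit-ws refuse a login request that names another host. If administrators are expected to rely on the option to keep this service from being used to reach other machines, the same `cockpit_conf_bool ("WebService", "LoginTo", ...)` result should also gate the server-side login path, which is outside this file section as shown. Until then I would add a comment above the function such as `/* "connect" only tells the login page whether to show the host field; it is not an access check */`. `build_environment` continues past the end of the second hunk.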
11 changes: 6 additions & 5 deletions src/ws/login.js
Expand Up @@ -186,7 +186,7 @@ var phantom_checkpoint = phantom_checkpoint || function () { };
setup_path_globals (window.location.pathname);

// Setup title
var title = environment.title;
var title = environment.page.title;
if (!title)
title = environment.hostname;
document.title = title;
Expand Down Expand Up @@ -397,21 +397,22 @@ var phantom_checkpoint = phantom_checkpoint || function () { };
}

function show_form(in_conversation) {
var option_state = id("option-group").getAttribute("data-state");
var connectable = environment.page.connect;
var expanded = id("option-group").getAttribute("data-state");
id("login-wait-validating").style.display = "none";
id("login").style.visibility = 'visible';
id("login").style.display = "block";
id("user-group").style.display = in_conversation ? "none" : "block";
id("password-group").style.display = in_conversation ? "none" : "block";
id("option-group").style.display = in_conversation ? "none" : "block";
id("option-group").style.display = !connectable || in_conversation ? "none" : "block";
id("conversation-group").style.display = in_conversation ? "block" : "none";
id("login-button-text").textContent = "Log In";
id("login-password-input").value = '';

if (in_conversation) {
if (!connectable || in_conversation) {
id("server-group").style.display = "none";
} else {
id("server-group").style.display = option_state ? "block" : "none";
id("server-group").style.display = expanded ? "block" : "none";
}


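Review bot: In `show_form`, `!connectable` only sets `option-group` and `server-group` to `display: none`; the host input itself is neither cleared nor disabled, so if the login request code (outside this hunk) reads that field unconditionally, a value left there by autofill or an earlier page state would still be submitted from a form the user cannot see. The request path should ignore the host field whenever `environment.page.connect` is false. Two smaller points: `environment.page.title` throws if the environment object carries no `page` member, which `var page = environment.page || {};` would avoid, and `!connectable || in_conversation ? "none" : "block"` reads more safely as `(!connectable || in_conversation) ? "none" : "block"`. `show_form` continues outside the hunk.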
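--- a/test/verify/check-login
+++ b/test/verify/check-login
@@ -99,6 +99,30 @@ account required pam_succeed_if.so user ingroup %s""" % m.get_admin_group
 except subprocess.CalledProcessError:
 pass
 
+# Change login screen options
+b.logout()
+b.wait_visible("#option-group")
+m.execute("printf '[WebService]\nLoginTo = false\n' > /etc/cockpit/cockpit.conf")
+m.restart_cockpit()
+b.open("/system")
+b.wait_present("#option-group")
+b.wait_not_visible("#option-group")
+
+# Default options be to display these options
+m.execute("rm /etc/cockpit/cockpit.conf")
+m.restart_cockpit()
+b.open("/system")
+b.wait_present("#option-group")
+b.wait_visible("#option-group")
+
+# And now we remove cockpit-ssh which affects the default
+if m.image not in [ "continuous-atomic", "fedora-atomic", "rhel-atomic" ]:
+m.execute("rm -f /usr/libexec/cockpit-ssh /usr/lib/cockpit/cockpit-ssh")
+m.restart_cockpit()
+b.open("/system")
+b.wait_present("#option-group")
+b.wait_not_visible("#option-group")
+
 self.allow_journal_messages ("Returning error-response ... with reason .*",
 "pam_unix\(cockpit:auth\): authentication failure; .*",
 "pam_unix\(cockpit:auth\): check pass; user unknown",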
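Review bot: The three new checks assert only whether `#option-group` is visible, so they would still pass if cockpit-ws accepted a login to another host with `LoginTo = false`; a negative login check for that case would pin the behaviour the option is documented to control. The block also overwrites and then removes `/etc/cockpit/cockpit.conf` and deletes the `cockpit-ssh` binaries without restoring them, so any statements after this hunk in the same test run against the altered machine; doing this last or restoring the files would keep the test self-contained. The second comment would read better as `# By default these options are displayed`. The enclosing test method starts and ends outside the hunk.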