Thursday, December 11, 2008

Single Signon Between Mediawiki And Rails

I was fully anticipating this to be a really nasty endeavor. As it turns out, it really wasn't all that bad. I got the gist of how to do this from a page on the case.edu wiki, which described how to do it between two PHP apps, and adapted it to Rails. The first step is to make a MediaWiki authentication module. Something like:

<?php
require_once('AuthPlugin.php');

class RailsAuthPlugin extends AuthPlugin {

  // return whether $username is a valid username
  function userExists($username) {
    // since the username will be passed from our external source, this will
    // probably always be true; however, the security paranoid says to check
    // the data. You could do an LDAP verify here, just to be safe.
    return true; // or return false if the username is invalid
  }

  // whether the given username and password authenticate
  function authenticate($username, $password) {
    // the external authentication actually handles this part, but we still
    // need a security check: this form element will be set by our login
    // script. This security check is important!
    global $wgLoginFormKey;

    // isset() only tests that a POST parameter with this name is present; its
    // value is never compared, so the parameter name held in $wgLoginFormKey is
    // the shared secret between the Rails app and the wiki.
    return isset($_POST[$wgLoginFormKey]);
  }

  // the authorization is external, so autocreate accounts as necessary
  function autoCreate() {
    return true;
  }

  // tell MediaWiki not to look in its database for user authentication:
  // our authentication method is all that counts
  function strict() {
    return true;
  }

  // this function gets called when the user is created
  // $user is an instance of the User class (see includes/User.php)
  function initUser(&$user) {
    // unless you want the person to be nameless, you should probably populate
    // info about this user here; we do some LDAP queries to populate their
    // name and e-mail
    $this_username = trim($user->getName());

    $theData = ""; // this could be some callback to Rails to get the email address of the user
    $user->setEmail($theData);

    $theData = ""; // this could be some callback to Rails to get the name of the user
    $user->setRealName($theData);

    // if using MediaWiki 1.5, we can set some e-mail options
    $user->mEmailAuthenticated = wfTimestampNow();

    // turn on e-mail notifications by default
    $user->setOption('enotifwatchlistpages', 1);
    $user->setOption('enotifusertalkpages', 1);
    $user->setOption('enotifminoredits', 1);
    $user->setOption('enotifrevealaddr', 1);
  }

  // if using MediaWiki 1.5, we have a new function to modify the UI template!
  function modifyUITemplate(&$template) {
    // disable the mail new password box
    $template->set("useemail", false);

    // disable 'remember me' box
    $template->set("remember", false);

    // disable account creation from the login form
    $template->set("create", false);

    $template->set("domain", true);
  }
}
?>
Then add these lines to LocalSettings.php:

$wgCookieDomain = '.mydomain.com';
$wgLoginFormKey = "insert_secret_key_here"; 
require_once("extensions/RailsAuthPlugin.php"); # or whatever you named your extension
$wgAuth = new RailsAuthPlugin(); # or whatever you named the class
Then on the Rails side, you want it to log the user into the wiki on the backend whenever a user authenticates to the Rails application. I have an after_filter on login that handles this; here's what it looks like:
require 'net/http'
require 'uri'
require 'cgi'

def check_wiki
  if logged_in?
    begin
      # must match $wgCookieDomain in LocalSettings.php
      cookie_domain = '.mydomain.com'
      #
      # Note that wpPassword can be anything, and the value of my_secret_key
      # is irrelevant as well; it is the parameter *name* that needs to equal
      # the value of $wgLoginFormKey from LocalSettings.php
      data = "wpName=#{CGI::escape(current_user.login)}"
      data = data + "&wpPassword=lygernoob"
      data = data + "&wpLoginattempt=Log%20in"
      data = data + "&my_secret_key=true"

      headers = {
        'Content-Type' => 'application/x-www-form-urlencoded'
      }

      http = Net::HTTP.new('wiki.mydomain.com', 80)
      path = "/index.php?title=Special:UserLogin&returnto=Main_Page"
      resp = http.post(path, data, headers)

      # MediaWiki answers with its session cookies; copy each name=value pair
      # onto the shared cookie domain so the browser presents them to the wiki
      returned_cookies = resp['set-cookie'].to_s.split(',')
      returned_cookies.each do |b|
        b.strip!
        if b =~ /^([A-Za-z0-9_]+)\=([A-Za-z0-9_]+)/
          cookie_name, cookie_value = [$1, $2]
          cookies[cookie_name] = {:value => cookie_value,
                                  :expires => 30.days.from_now,
                                  :domain => cookie_domain, :path => '/'}
        end
      end
    rescue
      # a failed hand-off must not break the Rails login; the user simply
      # isn't logged into the wiki. Nothing is logged here, so consider logging.
    end
  end
end

You’ll also want to clear the wiki cookies in the Rails logout routine:
cookies.delete 'wikiToken', {:domain => '.mydomain.com'}
cookies.delete 'wiki_session', {:domain => '.mydomain.com'}
cookies.delete 'wikiUserID', {:domain => '.mydomain.com'}
cookies.delete 'wikiUserName', {:domain => '.mydomain.com'}
And you’ll probably want to redirect the login and logout pages on your MediaWiki to your Rails instance. But that’s really about all it takes. Single sign-on between your Rails user database and MediaWiki. Fun fun fun.
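As an added example (not code from the post), here are the Rails-side pieces above as plain functions that can be exercised without a live wiki: building the login form body, re-scoping the wiki's Set-Cookie headers to the shared domain, and the matching logout deletions. The cookie names are the four deleted on logout above; the module and function names, and the sample headers, are assumptions, and the parser goes a step beyond the post's regex by handling each Set-Cookie field separately, so an Expires attribute containing a comma cannot split a cookie.

```ruby
require 'cgi'

# Added example, not the post's own code: the Rails side of the MediaWiki
# hand-off as testable functions. Names and sample values are assumptions.
module WikiSso
  # The cookies MediaWiki sets on a successful login; only these are forwarded
  # to the browser on the parent domain, and these are cleared on Rails logout.
  WIKI_COOKIES = %w[wiki_session wikiUserID wikiUserName wikiToken].freeze

  # Body for the POST to Special:UserLogin. wpPassword is ignored by the
  # RailsAuthPlugin; the presence of a parameter named after $wgLoginFormKey is
  # what its authenticate() checks, so form_key must equal that setting.
  def self.login_form(login, form_key)
    [
      "wpName=#{CGI.escape(login)}",
      "wpPassword=#{CGI.escape('unused')}",
      "wpLoginattempt=#{CGI.escape('Log in')}",
      "#{CGI.escape(form_key)}=true",
    ].join('&')
  end

  # Turn the wiki's Set-Cookie header fields (one string per cookie, as
  # Net::HTTPResponse#get_fields('set-cookie') returns them) into the hashes
  # the Rails cookie jar expects, re-scoped to the shared parent domain.
  # Path/Expires attributes from the wiki are deliberately replaced.
  def self.cookies_for_rails(set_cookie_fields, domain, expires)
    result = {}
    Array(set_cookie_fields).each do |field|
      name, value = field.split(';', 2).first.to_s.strip.split('=', 2)
      next unless name && value && WIKI_COOKIES.include?(name)
      result[name] = { value: value, domain: domain, path: '/', expires: expires }
    end
    result
  end

  # The logout counterpart: arguments for cookies.delete name, opts, scoped to
  # the same domain the cookies were set on.
  def self.logout_deletions(domain)
    WIKI_COOKIES.map { |name| [name, { domain: domain }] }
  end
end

# Constructed sample response headers; the Expires attribute contains a comma,
# which a naive split(',') of the joined header would cut through.
SAMPLE_SET_COOKIE = [
  'wiki_session=0123456789abcdef; path=/; HttpOnly',
  'wikiUserID=42; expires=Thu, 01 Jan 2009 00:00:00 GMT; path=/',
  'wikiUserName=Alice; path=/',
  'wikiToken=deadbeefcafe; path=/',
  'unrelated=1; path=/',
]
```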

Thursday, March 06, 2008

The Tag Lyger Campaign

I’ve begun a quest of sorts. And I need help in making this endeavor more of a reality. Please join me in the “Tag Lyger’s page with filthy del.icio.us tags” campaign. So far I’m the only participant, but participation is easy.

Log in or register for a del.icio.us account, then post Lyger’s page:

http://attrition.org/~lyger

and tag it with something foul. I’ve been focusing on glassdildos and dirty sanchez, which you can join along with, or make up your own!

See the lyger del.icio.us page for all the tags so far.

It’s fun, it helps a good cause, and it reduces my overall stress level, which in turn reduces my bloodpressure, which in turn keeps me alive just a LITTLE BIT LONGER to deal with Jericho’s gnikcuf tickets.

Monday, March 03, 2008

Clever Spammers

I’ve run into a significant problem today with some SPAM.

Messages began pouring into my employer somewhere around two weeks ago, flooding user accounts with crap. I mean flooding, like, can’t delete quick enough, or “no time for love Dr. Jones” flooding. Initially I ignored the report, as we haven’t had a significant spam problem in a long time. Spamassassin coupled with RBLs and other paid and free resources has done an incredible job over the past 10 years, so I naturally assumed I had a user issue here. But today people inside my department, who are less likely to fall prey to an accident, started getting slammed like Tabitha Stevens in San Fernando Jones and the Temple of Poon.

I finally started paying attention, and I’m glad I did. Hundreds of thousands of messages per day were pouring into the mail servers, destined for real users, and all but a small percentage were being passed by the filters. I dug a bit deeper and found:

64.191.105
64.191.106
64.191.123
64.191.124
64.191.51
66.197.134
66.197.147
66.197.180
66.197.224
66.197.229
66.197.249
66.197.253

Fascinating, I thought. Similar class C’s, but two different class B’s. A whois shows more details:

64.191.105

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
Julestynes Services JULESTYNES (NET-64-191-105-0-1)
                               64.191.105.0 - 64.191.105.255

# ARIN WHOIS database, last updated 2008-03-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

64.191.106

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
hillside web partners HILLSIDEWEB (NET-64-191-106-0-1)
                               64.191.106.0 - 64.191.106.255

64.191.123

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
Blue Yellow Web Partners BLUEYELLOWWEB (NET-64-191-123-0-1)
                               64.191.123.0 - 64.191.123.255

64.191.124

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
qartfz enterprise QARTFZ (NET-64-191-124-0-1)
                               64.191.124.0 - 64.191.124.255

64.191.51

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
Forest bay net services FORESTBAYNETSVC (NET-64-191-51-0-1)
                               64.191.51.0 - 64.191.51.255

66.197.134

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
three g web partners THREEGWEB (NET-66-197-134-0-1)
                               66.197.134.0 - 66.197.134.255

66.197.147

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
Sparkspart Industries SPARKSPART (NET-66-197-147-0-1)
                               66.197.147.0 - 66.197.147.255

66.197.180

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
Ktgbs Operations KTGBS (NET-66-197-180-0-1)
                               66.197.180.0 - 66.197.180.255

66.197.224

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
Saturn Net Services STRNNET (NET-66-197-224-0-1)
                               66.197.224.0 - 66.197.224.255

66.197.229

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
Beedolak Networks BEEDOLAK (NET-66-197-229-0-1)
                               66.197.229.0 - 66.197.229.255

66.197.249

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
JSBLX Services JSBLXSERVICES (NET-66-197-249-0-1)
                               66.197.249.0 - 66.197.249.255

66.197.253

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
DDLSA information systems DDLSA (NET-66-197-253-0-1)
                               66.197.253.0 - 66.197.253.255

So clearly I become keenly interested in “Network Operations Center Inc.” and I kick off an abuse mail:

 
It would appear that multiple dummy organizations leasing IP space from your  
HOSTNOC-2BLK and  HOSTNOC-3BLK and potentially others are SPAMing our 
organization, rendering some people's accounts practically inaccessible.  

All the samples attached originate from class C's you have sold/leased or 
otherwise delegated.  Were I a gambler, I'd likely bet that this is no 
coincidence.  Please address the matter.

Interestingly, every single mailhost had an SPF record set up, and all were passing spam checks. I banned both /17 networks from getting to our mailserver, and after a couple of hours:

 
Mar  3 14:40:01 redacted postfix/smtpd[28234]: NOQUEUE: reject: RCPT from 
  mx-173.tiepart.com[66.197.180.173]: 554 <mx-173.tiepart.com[66.197.180.173]>: 
  Client host rejected: GO AWAY; from=<e@tiepart.com> to=<REDACT@REDACTED.NET> 
  proto=ESMTP helo=<mx-173.tiepart.com>
Mar  3 14:40:01 redacted postfix/smtpd[28144]: NOQUEUE: reject: RCPT from 
  mailserv150.pissmall.com[64.191.123.150]: 554 <mailserv150.pissmall.com[64.191.123.150]>: 
  Client host rejected: GO AWAY; from=<a@pissmall.com> to=<REDACT@REDACTED.NET> 
  proto=ESMTP helo=<mailserv150.pissmall.com>

MMMMMM. PISSMALL.COM. About 200,000 of those. Meanwhile, “Network Operations Center Inc.” turns out to be burst.net, an apparently legit company according to their response:
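An added example, not part of the post: a small tally of Postfix reject lines like the ones above, mapping each rejected client to the two HOSTNOC /17 allocations from the whois output and counting by sender domain, which is how the "about 200,000 of those" figure can be read off the logs. The block names and ranges come from the ARIN records above; the log lines are constructed to match the format shown, and the function names are assumptions.

```ruby
require 'ipaddr'

# Added example, not the post's own code. Allocation names and ranges are the
# ones the ARIN whois records above show for the two parent blocks.
HOSTNOC_BLOCKS = {
  'HOSTNOC-3BLK' => IPAddr.new('64.191.0.0/17'),
  'HOSTNOC-2BLK' => IPAddr.new('66.197.128.0/17'),
}.freeze

# Matches Postfix "Client host rejected" lines: client hostname, client IP and
# the envelope sender.
REJECT_RE = /NOQUEUE: reject: RCPT from (?<host>\S+)\[(?<ip>[\d.]+)\]: 554 .*?from=<(?<from>[^>]*)>/

# Parse one smtpd line; returns nil for lines that are not client rejects.
def parse_reject(line)
  m = REJECT_RE.match(line) or return nil
  ip = IPAddr.new(m[:ip])
  block = HOSTNOC_BLOCKS.find { |_, net| net.include?(ip) }
  { host: m[:host], ip: m[:ip], from: m[:from],
    domain: m[:from].split('@', 2).last,
    block: block ? block.first : 'other' }
end

# Count rejects per parent allocation and per envelope sender domain.
def tally(lines)
  by_block = Hash.new(0)
  by_domain = Hash.new(0)
  lines.each do |line|
    rec = parse_reject(line) or next
    by_block[rec[:block]] += 1
    by_domain[rec[:domain]] += 1
  end
  { by_block: by_block, by_domain: by_domain }
end

# Constructed sample log lines in the format of the real ones above
# (recipient addresses are placeholders).
SAMPLE_LOG = [
  'Mar  3 14:40:01 redacted postfix/smtpd[28234]: NOQUEUE: reject: RCPT from mx-173.tiepart.com[66.197.180.173]: 554 <mx-173.tiepart.com[66.197.180.173]>: Client host rejected: GO AWAY; from=<e@tiepart.com> to=<user@example.net> proto=ESMTP helo=<mx-173.tiepart.com>',
  'Mar  3 14:40:01 redacted postfix/smtpd[28144]: NOQUEUE: reject: RCPT from mailserv150.pissmall.com[64.191.123.150]: 554 <mailserv150.pissmall.com[64.191.123.150]>: Client host rejected: GO AWAY; from=<a@pissmall.com> to=<user@example.net> proto=ESMTP helo=<mailserv150.pissmall.com>',
  'Mar  3 14:40:02 redacted postfix/smtpd[28144]: NOQUEUE: reject: RCPT from mailserv151.pissmall.com[64.191.123.151]: 554 <mailserv151.pissmall.com[64.191.123.151]>: Client host rejected: GO AWAY; from=<b@pissmall.com> to=<user@example.net> proto=ESMTP helo=<mailserv151.pissmall.com>',
  'Mar  3 14:40:02 redacted postfix/smtpd[28201]: connect from unknown[192.0.2.10]',
]
```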


Hello.

Thank you for your report.

We have contacted our direct client regarding your report and expect a prompt response, 
including action against the abuser.

If you have any questions, please let us know.

Most sophisticated spamming operation I’ve seen. SPF records, real registered domains, links to those real domains, real email accounts, all hosted here in the US, scattered across multiple class B networks, but seemingly all hosted at a single company.

Tuesday, February 05, 2008

Box Of Shit

Thanks for the box of shit Jericho. Christmas came late this year.

This arrived a couple days ago. Since I actually have a job, I couldn’t be home to receive the package. And since the post office operates only during hours where most productive citizens are at work, I had to sit outside the post office and call in late for work to receive the fucking thing.

As you can see, it was clearly fucking worth it.

It came with a lovely DVD player remote, the kind that comes with the $36.99 Walmart DVD players. I’ve always kept mine for fear of someday needing the damned things. Jericho’s solution to “Donate” the fucking things is a far greater idea. I’m thinking of sending mine to the next Postal victim.

Speaking of which, why couldn’t he fucking send this shit off to some postal victim. I guess I’m just reading this wrong. Well, in thinking more of it, I most certainly am reading this wrong…

Included in the care package were 6 rubbers. There’s a hidden message here I just wasn’t initially picking up on. I believe it is as follows:

  1. Let’s get drunk (bottlecaps)
  2. Turn me on (remote)
  3. And screw… (rubbers)
  4. And screw… (more rubbers)
  5. Cleanup (swab)
  6. Cuddle on the Couch and watch Season 1 of Sex in the City (remote again)
  7. Screw… (yep, rubbers)
  8. Get some late nite chinese (fortune cookie)
  9. and screw

I suspect this phone cord is a bondage proposition. Which doesn’t really surprise me in the least considering what a slave driver he is.

I counted every bottlecap. 41. I suspect there was a message there, but 28 bottlecaps fell out of the loosely taped box in transit. The keychain/finger cuffs is most CERTAINLY a sexual proposition.

Regardless, it’s nice to receive mail. Even if it’s a box of crap. Could have been ziplocked catshit, so I guess I made out OK this year.

Monday, February 04, 2008

Coder Expectations

Programming is, in several aspects, both a technical skill and art, as well as an endless expectations refactoring effort.

For instance, I have a project where I’m being asked to implement a MediaWiki instance within a RoR application. People, I believe, have learned to accept my answer that an integration between RoR and MediaWiki is impossible. They wanted the MediaWiki content to appear in a tab inside the application, and appear to be a part of the existing site. Short of some crazy hacks involving parsing an external wiki’s HTML output, and inserting content into its database via the Rails app, or doing some nasty iframe crud, I can’t see how on earth I could manage this.

So, instead people now want me to find a RoR wiki, and import the contents of these MediaWikis into the new RoR one.

Sure. Except there isn’t a reliable way to parse MediaWiki’s markup, and things like templates make it a near impossibility. Getting a wiki up on Rails isn’t a problem; it’s getting the data from another wiki that’s the problem. Not going to happen.

So, now I get to explain this. And I’m guaranteed to make people unhappy. They may even seek an outside opinion. Fine. Any “Yes” answer they receive will invariably involve hacking something up fierce, and that is not the kinda thing I commit myself to. Yuk.

Sunday, February 03, 2008

Sortable Scriptaculous

OK, figured out what was up. In the Rails helper you either need to identify the ID of a scrollable container element, or ‘window’. I tried the scrollable div, and that didn’t work. Well, it worked, but the behavior of it was strange.

Instead, use scroll: 'window'

Works like a champ in every browser I’ve tried.

So, I guess scriptaculous doesn’t suck, I do. What else is new.

Scriptaculous Is Almost As Annoying As Jericho

So I have a need for a sortable drag and drop list. Since I’m using rails, I clearly favor using scriptaculous for this. Utilizing the rails helpers, I tell it that I want it as a tree, and scrollable. Utilizing Safari, all seems well. Except trying to drag the goddamned elements through a scrolling viewport.

Assuming I’d fux0red up, or that the rails helpers were borked, I fire up Firefox to test with. Firefox will have nothing of it, throwing a huge goddamned error and not allowing the drag and drop. Pissy that I am, I throw my piece of shit mighty mouse into my monitor.

After a trip to staples, and a $300 monitor later, I’m at it again.

I fire up Opera, and holy-shit-jobs, it works. Except that on any sizeable list, Opera slows to a crawl on the drag and drop. Pissed off, but unwilling to spend another $300, I change the code to make my lists more precise, which will later prove to be a pain in the ass, but it’s fucking better than nothing I guess.

I rarely have a need for something like this, but I’d have thought that a library that’s beyond a 1.0 release would fucking work consistently.

Jericho Rules

OK, so I take it all back. Almost all… he’s still a pain in my nads.

Thursday, January 31, 2008

Jericho Is A Pain

Jericho is a pain in my balls. I’m gradually learning ‘Jerichese’, a requirement for parsing his fucking tickets. In a sick and sadistic fashion, he derives pleasure from filling my trac queue with garbage. Then, he has the sack to tell me how he’s shipping me a facking bag of ziplocked cat shit. Is he really? OF COURSE HE IS.

Cat shit is the least of my fucking problems though. Backend is slow, this isn’t working, that isn’t working, run this custom query, run that custom query. I have a custom query for you. It’s right there, tied to the back of my scrotum, just underneath the hooks you have lodged in there to keep me at bay.

But lucky me, I’m sneaking this blog in on his server. HEH. FACKER. Time to close some more bullshit tickets. Or not close them and say I did.