Skip to content

Latest commit

 

History

History
96 lines (76 loc) · 4.79 KB

File metadata and controls

96 lines (76 loc) · 4.79 KB

Bundled Trac plugins

hzforge ships three Trac plugins under plugins/. Each is a single source tree built into a py2.py3-none-any universal wheel (one artifact runs on both the Python 2.7 Trac 1.0.x stack today and the Python 3.6 Trac 1.6 stack post-migration) and installed system-wide, so a single install in site-packages serves every Trac env on the host via [trac.plugins] entry-point discovery.

Plugin Package Version Role
plugins/mysqlauthz hubzero-trac-mysqlauthz 2.4.5 Authorization — IPermissionStore + IPermissionGroupProvider against the HUBzero CMS MySQL DB
plugins/cmsauth hubzero-trac-cmsauth 1.0.6 Authentication — single sign-on against the HUBzero CMS (subclass of trac.web.auth.LoginModule)
plugins/macros hubzero-trac-macros 0.1.1 Two wiki macros ([[image]], [[link]]) used by forge tool wikis

mysqlauthz — authorization

Reads users, groups, and per-project Trac permissions from the CMS MySQL DB (jos_users, jos_xgroups, jos_xgroups_members, jos_trac_*_permission, jos_trac_project, …). Connection params come from /etc/hubzero.conf + configuration.php. Forked from upstream 2.2.5; the 2.2.5→2.4.x jump is real behavior change (parameterized SQL, a connection-management rewrite, the 2011-broken get_permission_groups query fix).

Operational knob: [hubzero] fail_closed (default false). When true, a CMS DB exception or unresolved project_id raises TracError (HTTP 500) instead of silently degrading to an empty permission set — useful where you'd rather a page fail loudly than quietly hide admin functions during a DB outage. Either way, an operator-visible [!] HUBzero DB unreachable banner appears in the metanav for logged-in users after a recent DB error and auto-clears on the next clean query.

cmsauth — single sign-on

Replaces Apache LDAP-Basic auth at /tools/<env>/login with HUBzero CMS SSO via the /api/v1.1/members/currentuser endpoint. A single Component, HubzeroSSOLoginModule, thinly subclasses trac.web.auth.LoginModule and reuses all of Trac's own auth_cookie/trac_auth machinery; it overrides only the hooks that need to know about HUBzero. Enable per env in trac.ini:

[components]
hubzero_cmsauth.* = enabled
trac.web.auth.LoginModule = disabled

hzforge enable-cmsauth <env> does this and carves the env out of the LDAP <LocationMatch> in one step. Notable options (all under [hubzero_cmsauth]):

Option Default Meaning
api_path /api/v1.1/members/currentuser CMS endpoint returning the current user's profile
verify_tls true validate the CMS API cert; set false only for self-signed dev hubs
recheck_interval_seconds 0 (off) when positive, periodically re-validate the session against the CMS and invalidate trac_auth on a CMS-side rename/deactivation

One CMS API call per browser session (login only) — subsequent requests use Trac's local trac_auth fast path.

macros — wiki macros

[[image <name>]] and [[link <path> <text>]], env-agnostic (URLs built from self.env.abs_href()). Replaces the legacy per-env plugins/image.py / link.py copies; hzforge upgrade-trac enables the system-wide plugin and disables the per-env files. 0.1.1 fixed a stored XSS carried over from upstream — both macros now HTML-escape all wiki-author-controlled input before emitting markup.

Building and installing

cd plugins/<name>
make test-all                 # pytest on Py3.6 AND Py2.7 (no tox; see the plugin README)
python3 -m build --wheel      # -> dist/<name>-<ver>-py2.py3-none-any.whl

Install with umask 022 (root's default 0077 makes site-packages unreadable to the apache user, breaking Trac under mod_wsgi) and --no-deps (the wheels deliberately omit Trac from install_requires so a routine reinstall can't upgrade the host's Trac out from under the running daemons):

sudo sh -c 'umask 022 && pip2 install --no-deps --upgrade dist/<wheel>'
sudo sh -c 'umask 022 && pip3 install --no-deps --upgrade dist/<wheel>'

For a same-version reinstall, pip uninstall first — pip 9 (the Py2 default) skips --force-reinstall of an already-installed version. After installing, recycle the mod_wsgi daemon (touch /opt/trac/wsgi/hubtrac.wsgi, or systemctl reload httpd).

Security review (2026-05-30)

All three plugins + the installer went through a full adversarial review. Fixes shipped: the cmsauth open-redirect (/\evil.com backslash bypass) and the macros stored XSS were the two criticals; mysqlauthz was confirmed free of SQL injection and authorization-scoping bugs (its SQL is fully parameterized, including the dynamic IN() clause, and every read is scoped by trac_project_id). The current versions above include every fix.