3 # Copyright (C) 2014 Simo Sorce <simo@redhat.com>
5 # see file 'COPYING' for use and warranty information
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation, either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
20 from ipsilon.login.common import LoginPageBase, LoginManagerBase
21 from ipsilon.login.common import FACILITY
22 from ipsilon.util.plugin import PluginObject
23 from string import Template
28 class Krb(LoginPageBase):
30 def root(self, *args, **kwargs):
31 # Someone typed manually or a robot is walking th tree.
32 # Redirect to default page
33 return self.lm.redirect_to_path(self.lm.path)
36 class KrbAuth(LoginPageBase):
38 def root(self, *args, **kwargs):
39 # If we can get here, we must be authenticated and remote_user
40 # was set. Check the session has a user set already or error.
41 if self.user and self.user.name:
42 userdata = {'krb_principal_name': self.user.name}
43 return self.lm.auth_successful(self.user.name, userdata)
45 return self.lm.auth_failed()
48 class KrbError(LoginPageBase):
50 def root(self, *args, **kwargs):
51 cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
52 # If we have no negotiate header return whatever mod_auth_kerb
53 # generated and wait for the next request
55 if not 'WWW-Authenticate' in cherrypy.request.headers:
56 cherrypy.response.status = 401
58 if self.lm.next_login:
59 return self.lm.next_login.page.root(*args, **kwargs)
61 conturl = '%s/login' % self.basepath
62 return self._template('login/krb.html',
63 title='Kerberos Login',
66 # If we get here, negotiate failed
67 return self.lm.auth_failed()
70 class LoginManager(LoginManagerBase):
72 def __init__(self, *args, **kwargs):
73 super(LoginManager, self).__init__(*args, **kwargs)
75 self.path = 'krb/negotiate'
77 self.description = """
78 Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache
79 plugin for actual authentication. """
81 def get_tree(self, site):
82 self.page = Krb(site, self)
83 self.page.__dict__['negotiate'] = KrbAuth(site, self)
84 self.page.__dict__['unauthorized'] = KrbError(site, self)
90 <Location /idp/login/krb/negotiate>
92 AuthName "Kerberos Login"
98 KrbSaveCredentials off
99 KrbConstrainedDelegation off
100 # KrbLocalUserMapping On
103 ErrorDocument 401 /idp/login/krb/unauthorized
108 class Installer(object):
114 def install_args(self, group):
115 group.add_argument('--krb', choices=['yes', 'no'], default='no',
116 help='Configure Kerberos authentication')
117 group.add_argument('--krb-realms',
118 help='Allowed Kerberos Auth Realms')
119 group.add_argument('--krb-httpd-keytab',
120 default='/etc/httpd/conf/http.keytab',
121 help='Kerberos keytab location for HTTPD')
123 def configure(self, opts):
124 if opts['krb'] != 'yes':
127 keytab = ' # Krb5KeyTab - No Keytab provided'
128 if opts['krb_httpd_keytab'] is None:
129 if os.path.exists('/etc/httpd/conf/http.keytab'):
130 keytab = ' Krb5KeyTab /etc/httpd/conf/http.keytab'
132 if os.path.exists(opts['krb_httpd_keytab']):
133 keytab = ' Krb5KeyTab %s' % opts['krb_httpd_keytab']
135 raise Exception('Keytab not found')
137 if opts['krb_realms'] is None:
138 realms = ' # KrbAuthRealms - Any trusted realm is allowed'
140 realms = ' KrbAuthRealms %s' % opts['krb_realms']
142 tmpl = Template(CONF_TEMPLATE)
143 hunk = tmpl.substitute(keytab=keytab, realms=realms)
144 with open(opts['httpd_conf'], 'a') as httpd_conf:
145 httpd_conf.write(hunk)
147 # Add configuration data to database
152 # Update global config, put 'krb' always first
154 globalconf = po.get_plugin_config(FACILITY)
155 if 'order' in globalconf:
156 order = globalconf['order'].split(',')
159 order.insert(0, 'krb')
160 globalconf['order'] = ','.join(order)
161 po.set_config(globalconf)
162 po.save_plugin_config(FACILITY)