X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Flogin%2Fauthkrb.py;h=6fc0c534479285c23cdf26bcceb395041c7f0305;hp=af659e76acc404bd77eada6a7a6aadcb38166b62;hb=7e33a3a2df613ecdfd49d621f7cc7a6424d4f96f;hpb=f47a95ba1df58ccf9784c47beeaa0702c469b3e1 diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py old mode 100755 new mode 100644 index af659e7..6fc0c53 --- a/ipsilon/login/authkrb.py +++ b/ipsilon/login/authkrb.py @@ -1,5 +1,3 @@ -#!/usr/bin/python -# # Copyright (C) 2014 Simo Sorce # # see file 'COPYING' for use and warranty information @@ -17,9 +15,10 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -from ipsilon.login.common import LoginPageBase, LoginManagerBase -from ipsilon.login.common import FACILITY +from ipsilon.login.common import LoginPageBase, LoginManagerBase, \ + LoginManagerInstaller from ipsilon.util.plugin import PluginObject +from ipsilon.util.user import UserSession from string import Template import cherrypy import os @@ -36,27 +35,33 @@ class Krb(LoginPageBase): class KrbAuth(LoginPageBase): def root(self, *args, **kwargs): + trans = self.get_valid_transaction('login', **kwargs) # If we can get here, we must be authenticated and remote_user # was set. Check the session has a user set already or error. - if self.user and self.user.name: + us = UserSession() + us.remote_login() + self.user = us.get_user() + if not self.user.is_anonymous: userdata = {'krb_principal_name': self.user.name} - return self.lm.auth_successful(self.user.name, userdata) + return self.lm.auth_successful(trans, self.user.name, + 'krb', userdata) else: - return self.lm.auth_failed() + return self.lm.auth_failed(trans) class KrbError(LoginPageBase): def root(self, *args, **kwargs): cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers) - # If we have no negotiate header return whatever mod_auth_kerb + # If we have no negotiate header return whatever mod_auth_gssapi # generated and wait for the next request if 'WWW-Authenticate' not in cherrypy.request.headers: cherrypy.response.status = 401 - if self.lm.next_login: - return self.lm.next_login.page.root(*args, **kwargs) + next_login = self.lm.next_login() + if next_login: + return next_login.page.root(*args, **kwargs) conturl = '%s/login' % self.basepath return self._template('login/krb.html', @@ -64,7 +69,8 @@ class KrbError(LoginPageBase): cont=conturl) # If we get here, negotiate failed - return self.lm.auth_failed() + trans = self.get_valid_transaction('login', **kwargs) + return self.lm.auth_failed(trans) class LoginManager(LoginManagerBase): @@ -75,8 +81,9 @@ class LoginManager(LoginManagerBase): self.path = 'krb/negotiate' self.page = None self.description = """ -Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache -plugin for actual authentication. """ +Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi +apache plugin for actual authentication. """ + self.new_config(self.name) def get_tree(self, site): self.page = Krb(site, self) @@ -89,16 +96,11 @@ plugin for actual authentication. """ CONF_TEMPLATE = """ - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - $realms + AuthType GSSAPI + AuthName "GSSAPI Single Sign On Login" $keytab - KrbSaveCredentials off - KrbConstrainedDelegation off - # KrbLocalUserMapping On + GssapiSSLonly $gssapisslonly + GssapiLocalName on Require valid-user ErrorDocument 401 /${instance}/login/krb/unauthorized @@ -107,17 +109,16 @@ CONF_TEMPLATE = """ """ -class Installer(object): +class Installer(LoginManagerInstaller): - def __init__(self): + def __init__(self, *pargs): + super(Installer, self).__init__() self.name = 'krb' - self.ptype = 'login' + self.pargs = pargs def install_args(self, group): group.add_argument('--krb', choices=['yes', 'no'], default='no', help='Configure Kerberos authentication') - group.add_argument('--krb-realms', - help='Allowed Kerberos Auth Realms') group.add_argument('--krb-httpd-keytab', default='/etc/httpd/conf/http.keytab', help='Kerberos keytab location for HTTPD') @@ -129,14 +130,15 @@ class Installer(object): confopts = {'instance': opts['instance']} if os.path.exists(opts['krb_httpd_keytab']): - confopts['keytab'] = ' Krb5KeyTab %s' % opts['krb_httpd_keytab'] + confopts['keytab'] = 'GssapiCredStore keytab:%s' % ( + opts['krb_httpd_keytab']) else: raise Exception('Keytab not found') - if opts['krb_realms'] is None: - confopts['realms'] = ' # KrbAuthRealms - Any realm is allowed' + if opts['secure'] == 'no': + confopts['gssapisslonly'] = 'Off' else: - confopts['realms'] = ' KrbAuthRealms %s' % opts['krb_realms'] + confopts['gssapisslonly'] = 'On' tmpl = Template(CONF_TEMPLATE) hunk = tmpl.substitute(**confopts) # pylint: disable=star-args @@ -144,18 +146,15 @@ class Installer(object): httpd_conf.write(hunk) # Add configuration data to database - po = PluginObject() + po = PluginObject(*self.pargs) po.name = 'krb' po.wipe_data() # Update global config, put 'krb' always first - po.name = 'global' - globalconf = po.get_plugin_config(FACILITY) - if 'order' in globalconf: - order = globalconf['order'].split(',') - else: - order = [] - order.insert(0, 'krb') - globalconf['order'] = ','.join(order) - po.set_config(globalconf) - po.save_plugin_config(FACILITY) + ph = self.pargs[0] + ph.refresh_enabled() + if 'krb' not in ph.enabled: + enabled = [] + enabled.extend(ph.enabled) + enabled.insert(0, 'krb') + ph.save_enabled(enabled)