From: Simo Sorce Date: Mon, 20 Jan 2014 21:14:52 +0000 (-0500) Subject: Add Kerberos Negotiate auth plugin X-Git-Tag: v0.2.2~121 X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=commitdiff_plain;h=d0a1541e095b9cee6468eeea07a950264753dd39 Add Kerberos Negotiate auth plugin This plugin depends on the proper configuration of mod_auth_kerb The mod_auth_kerb plugin should be configured with a directive like the folowing: AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on KrbMethodK5Passwd off KrbServiceName HTTP KrbAuthRealms $REALM_NAME Krb5KeyTab $KEYTAB_NAME KrbSaveCredentials off KrbConstrainedDelegation off Require valid-user ErrorDocument 401 /idp/login/krb/unauthorized Signed-off-by: Simo Sorce
---
diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py
new file mode 100755
index 0000000..b6ff99c
--- /dev/null
+++ b/ipsilon/login/authkrb.py
@@ -0,0 +1,80 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2014 Simo Sorce
+#
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from ipsilon.login.common import LoginPageBase, LoginManagerBase
+import cherrypy
+
+
+class Krb(LoginPageBase):
+
+ def root(self, *args, **kwargs):
+ # Someone typed manually or a robot is walking th tree.
+ # Redirect to default page
+ return self.lm.redirect_to_path(self.lm.path)
+
+
+class KrbAuth(LoginPageBase):
+
+ def root(self, *args, **kwargs):
+ # If we can get here, we must be authenticated and remote_user
+ # was set. Check the session has a use set already or error.
+ if self.user and self.user.name:
+ return self.lm.auth_successful(self.user.name)
+ else:
+ return self.lm.auth_failed()
+
+
+class KrbError(LoginPageBase):
+
+ def root(self, *args, **kwargs):
+ cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
+ # If we have no negotiate header return whatever mod_auth_kerb
+ # generated and wait for the next request
+
+ if not 'WWW-Authenticate' in cherrypy.request.headers:
+ cherrypy.response.status = 401
+
+ if self.lm.next_login:
+ return self.lm.next_login.page.root(*args, **kwargs)
+
+ conturl = '%s/login' % self.basepath
+ return self._template('login/krb.html',
+ title='Kerberos Login',
+ cont=conturl)
+
+ # If we get here, negotiate failed
+ return self.lm.auth_failed()
+
+
+class LoginManager(LoginManagerBase):
+
+ def __init__(self, *args, **kwargs):
+ super(LoginManager, self).__init__(*args, **kwargs)
+ self.name = 'krb'
+ self.path = 'krb/negotiate'
+ self.page = None
+ self.description = """
+Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache
+plugin for actual authentication. """
+
+ def get_tree(self, site):
+ self.page = Krb(site, self)
+ self.page.__dict__['negotiate'] = KrbAuth(site, self)
+ self.page.__dict__['unauthorized'] = KrbError(site, self)
+ return self.page
diff --git a/templates/login/krb.html b/templates/login/krb.html
new file mode 100644
index 0000000..1f9107b
--- /dev/null
+++ b/templates/login/krb.html
@@ -0,0 +1,20 @@
+ + + + + {{ title }} + + + + +
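Review bot: `cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)` at the top of KrbError.root writes every request header to the error log, and on this path that includes the `Authorization: Negotiate` token and any session `Cookie`, so credential material ends up in plain-text logs; drop the line or log only header names, e.g. `cherrypy.log.error('REQUEST headers: %s' % ', '.join(cherrypy.request.headers.keys()))`. The guard a few lines below tests `'WWW-Authenticate'` against the request headers, but that is a response header (a client sends `Authorization`), so the `not in` branch appears to be taken on every request and the trailing `auth_failed()` looks unreachable — confirm what the mod_auth_kerb ErrorDocument subrequest actually exposes, and in any case write the test as `if 'WWW-Authenticate' not in cherrypy.request.headers:`. In get_tree, `self.page.__dict__['negotiate'] = KrbAuth(site, self)` would read better as `setattr(self.page, 'negotiate', KrbAuth(site, self))` (same for `unauthorized`), and the description string misspells Kerberos as `Kereros`.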
+ +
+

Press here if your browser does not + redirect you in a few seconds +

+
+ +