author | Rob Crittenden <rcritten@redhat.com> | 2015-04-28 15:16:54 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-04-28 17:30:07 -0400 |
commit | 68b9e1d3138784c3793f0a04c411f14168748692 (patch) | |
tree | 3dee03d42c9f7234b09b272ca5a1865ba0b7529c /ipsilon | |
parent | 32863be5e39b0d031fafebe7391180d29967fa50 (diff) | |
Change references to authkrb plugin to authgssapi
With the switch to mod_auth_gssapi we aren't limited to only
negotiated Kerberos so name the plugin to reflect this.
https://fedorahosted.org/ipsilon/ticket/114
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipsilon')
-rw-r--r-- | ipsilon/helpers/ipa.py | 24 | ||||
-rw-r--r-- | ipsilon/login/authgssapi.py | 58 | ||||
-rw-r--r-- | ipsilon/providers/saml2/auth.py | 2 | ||||
-rw-r--r-- | ipsilon/providers/saml2idp.py | 2 |
4 files changed, 43 insertions, 43 deletions
diff --git a/ipsilon/helpers/ipa.py b/ipsilon/helpers/ipa.py index 2caddb3..5c01faa 100644 --- a/ipsilon/helpers/ipa.py +++ b/ipsilon/helpers/ipa.py @@ -93,10 +93,10 @@ class Installer(EnvHelpersInstaller): raise Exception('No IPA tools found!') # Check if we already have a keytab for HTTP - if 'krb_httpd_keytab' in opts: - msg = "Searching for keytab in: %s" % opts['krb_httpd_keytab'] + if 'gssapi_httpd_keytab' in opts: + msg = "Searching for keytab in: %s" % opts['gssapi_httpd_keytab'] print >> sys.stdout, msg, - if os.path.exists(opts['krb_httpd_keytab']): + if os.path.exists(opts['gssapi_httpd_keytab']): print >> sys.stdout, "... Found!" return else: @@ -105,7 +105,7 @@ class Installer(EnvHelpersInstaller): msg = "Searching for keytab in: %s" % HTTPD_IPA_KEYTAB print >> sys.stdout, msg, if os.path.exists(HTTPD_IPA_KEYTAB): - opts['krb_httpd_keytab'] = HTTPD_IPA_KEYTAB + opts['gssapi_httpd_keytab'] = HTTPD_IPA_KEYTAB print >> sys.stdout, "... Found!" return else: @@ -167,11 +167,11 @@ class Installer(EnvHelpersInstaller): try: msg = "Trying to fetch keytab[%s] for %s" % ( - opts['krb_httpd_keytab'], princ) + opts['gssapi_httpd_keytab'], princ) print >> sys.stdout, msg, subprocess.check_output([IPA_GETKEYTAB, '-s', server, '-p', princ, - '-k', opts['krb_httpd_keytab']], + '-k', opts['gssapi_httpd_keytab']], stderr=subprocess.STDOUT) except subprocess.CalledProcessError, e: # unfortunately this one is fatal @@ -182,12 +182,12 @@ class Installer(EnvHelpersInstaller): # Fixup permissions so only the ipsilon user can read these files pw = pwd.getpwnam(HTTPD_USER) - os.chown(opts['krb_httpd_keytab'], pw.pw_uid, pw.pw_gid) + os.chown(opts['gssapi_httpd_keytab'], pw.pw_uid, pw.pw_gid) def configure_server(self, opts): if opts['ipa'] != 'yes' and opts['ipa'] != 'auto': return - if opts['ipa'] != 'yes' and opts['krb'] == 'no': + if opts['ipa'] != 'yes' and opts['gssapi'] == 'no': return self.logger = logging.getLogger() 
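Review bot: The comment `# Fixup permissions so only the ipsilon user can read these files` in the @@ -182 hunk is followed only by `os.chown(...)`, so the keytab's mode is left to whatever the fetch step created it with. Ownership alone does not guarantee the file is unreadable by group or others; adding `os.chmod(opts['gssapi_httpd_keytab'], 0o600)` after the chown would make the stated intent explicit. The early-return paths in the @@ -93 and @@ -105 hunks accept an existing keytab on `os.path.exists()` alone, so a pre-existing file with loose permissions is presumably used as is. The function containing the chown starts outside the hunk.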
@@ -196,12 +196,12 @@ class Installer(EnvHelpersInstaller): self.get_keytab(opts) - # Forcibly use krb then pam modules + # Forcibly use gssapi then pam modules if 'lm_order' not in opts: opts['lm_order'] = [] - opts['krb'] = 'yes' - if 'krb' not in opts['lm_order']: - opts['lm_order'].insert(0, 'krb') + opts['gssapi'] = 'yes' + if 'gssapi' not in opts['lm_order']: + opts['lm_order'].insert(0, 'gssapi') opts['form'] = 'yes' if not any(lm in opts['lm_order'] for lm in ('form', 'pam')): opts['lm_order'].append('form') diff --git a/ipsilon/login/authgssapi.py b/ipsilon/login/authgssapi.py index dbb531a..97c3834 100644 --- a/ipsilon/login/authgssapi.py +++ b/ipsilon/login/authgssapi.py @@ -24,7 +24,7 @@ import cherrypy import os -class Krb(LoginPageBase): +class GSSAPI(LoginPageBase): def root(self, *args, **kwargs): # Someone typed manually or a robot is walking th tree. @@ -32,7 +32,7 @@ class Krb(LoginPageBase): return self.lm.redirect_to_path(self.lm.path) -class KrbAuth(LoginPageBase): +class GSSAPIAuth(LoginPageBase): def root(self, *args, **kwargs): trans = self.get_valid_transaction('login', **kwargs) @@ -44,16 +44,16 @@ class KrbAuth(LoginPageBase): if not self.user.is_anonymous: principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None) if principal: - userdata = {'krb_principal_name': principal} + userdata = {'gssapi_principal_name': principal} else: - userdata = {'krb_principal_name': self.user.name} + userdata = {'gssapi_principal_name': self.user.name} return self.lm.auth_successful(trans, self.user.name, - 'krb', userdata) + 'gssapi', userdata) else: return self.lm.auth_failed(trans) -class KrbError(LoginPageBase): +class GSSAPIError(LoginPageBase): def root(self, *args, **kwargs): cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers) 
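Review bot: `cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)` at the top of `GSSAPIError.root` (last line of the @@ -44 hunk) writes every request header to the error log. This page is wired as the ErrorDocument target for 401 and 500 on the negotiate location, so those headers can include the `Authorization: Negotiate` token and the session `Cookie`, which then sit in a file readable by anyone with log access. Logging only what diagnosis needs would avoid that, for example `cherrypy.log.error('GSSAPI negotiate failed for %s' % cherrypy.request.path_info)`. The method body continues outside the hunk.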
@@ -68,8 +68,8 @@ class KrbError(LoginPageBase): return next_login.page.root(*args, **kwargs) conturl = '%s/login' % self.basepath - return self._template('login/krb.html', - title='Kerberos Login', + return self._template('login/gssapi.html', + title='GSSAPI Login', cont=conturl) # If we get here, negotiate failed @@ -81,25 +81,25 @@ class LoginManager(LoginManagerBase): def __init__(self, *args, **kwargs): super(LoginManager, self).__init__(*args, **kwargs) - self.name = 'krb' - self.path = 'krb/negotiate' + self.name = 'gssapi' + self.path = 'gssapi/negotiate' self.page = None self.description = """ -Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi +GSSAPI Negotiate authentication plugin. Relies on the mod_auth_gssapi apache plugin for actual authentication. """ self.new_config(self.name) def get_tree(self, site): - self.page = Krb(site, self) - self.page.__dict__['negotiate'] = KrbAuth(site, self) - self.page.__dict__['unauthorized'] = KrbError(site, self) - self.page.__dict__['failed'] = KrbError(site, self) + self.page = GSSAPI(site, self) + self.page.__dict__['negotiate'] = GSSAPIAuth(site, self) + self.page.__dict__['unauthorized'] = GSSAPIError(site, self) + self.page.__dict__['failed'] = GSSAPIError(site, self) return self.page CONF_TEMPLATE = """ -<Location /${instance}/login/krb/negotiate> +<Location /${instance}/login/gssapi/negotiate> AuthType GSSAPI AuthName "GSSAPI Single Sign On Login" $keytab @@ -107,8 +107,8 @@ CONF_TEMPLATE = """ GssapiLocalName on Require valid-user - ErrorDocument 401 /${instance}/login/krb/unauthorized - ErrorDocument 500 /${instance}/login/krb/failed + ErrorDocument 401 /${instance}/login/gssapi/unauthorized + ErrorDocument 500 /${instance}/login/gssapi/failed </Location> """ 
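Review bot: Renaming `self.name` to `'gssapi'` in `LoginManager.__init__` (the @@ -81 hunk) also changes the key passed to `self.new_config(self.name)` and the URL path, and nothing visible here handles a deployment that was installed under `'krb'`. If an existing instance still has `'krb'` in its stored enabled list or an Apache `<Location .../login/krb/negotiate>` block, the plugin would presumably no longer be found after upgrade and logins would fall through to the next method in the stack. The same applies to `po.name = 'gssapi'` and the `ph.enabled` check in `Installer.configure` (@@ -151) and to the `--krb`/`--krb-httpd-keytab` options removed in @@ -117. An upgrade step that rewrites the stored name, or at least a comment such as `# NOTE: renamed from 'krb'; existing installs must be migrated`, would make this explicit.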
@@ -117,25 +117,25 @@ class Installer(LoginManagerInstaller): def __init__(self, *pargs): super(Installer, self).__init__() - self.name = 'krb' + self.name = 'gssapi' self.pargs = pargs def install_args(self, group): - group.add_argument('--krb', choices=['yes', 'no'], default='no', - help='Configure Kerberos authentication') - group.add_argument('--krb-httpd-keytab', + group.add_argument('--gssapi', choices=['yes', 'no'], default='no', + help='Configure GSSAPI authentication') + group.add_argument('--gssapi-httpd-keytab', default='/etc/httpd/conf/http.keytab', help='Kerberos keytab location for HTTPD') def configure(self, opts): - if opts['krb'] != 'yes': + if opts['gssapi'] != 'yes': return confopts = {'instance': opts['instance']} - if os.path.exists(opts['krb_httpd_keytab']): + if os.path.exists(opts['gssapi_httpd_keytab']): confopts['keytab'] = 'GssapiCredStore keytab:%s' % ( - opts['krb_httpd_keytab']) + opts['gssapi_httpd_keytab']) else: raise Exception('Keytab not found') @@ -151,14 +151,14 @@ class Installer(LoginManagerInstaller): # Add configuration data to database po = PluginObject(*self.pargs) - po.name = 'krb' + po.name = 'gssapi' po.wipe_data() - # Update global config, put 'krb' always first + # Update global config, put 'gssapi' always first ph = self.pargs[0] ph.refresh_enabled() - if 'krb' not in ph.enabled: + if 'gssapi' not in ph.enabled: enabled = [] enabled.extend(ph.enabled) - enabled.insert(0, 'krb') + enabled.insert(0, 'gssapi') ph.save_enabled(enabled) diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py index bdcb9b8..521e0c0 100644 --- a/ipsilon/providers/saml2/auth.py +++ b/ipsilon/providers/saml2/auth.py 
@@ -197,7 +197,7 @@ class AuthenticateRequest(ProviderPageBase): elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT: nameid = '_' + uuid.uuid4().hex elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS: - nameid = us.get_data('user', 'krb_principal_name') + nameid = us.get_data('user', 'gssapi_principal_name') elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL: nameid = us.get_user().email if not nameid: diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py index cec3e88..a507c7e 100644 --- a/ipsilon/providers/saml2idp.py +++ b/ipsilon/providers/saml2idp.py @@ -433,7 +433,7 @@ class Installer(ProviderInstaller): validity = int(opts['saml2_metadata_validity']) meta = IdpMetadataGenerator(url, cert, timedelta(validity)) - if 'krb' in opts and opts['krb'] == 'yes': + if 'gssapi' in opts and opts['gssapi'] == 'yes': meta.meta.add_allowed_name_format( lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS) |
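Review bot: The `SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS` branch in the @@ -197 hunk emits whatever is stored under `gssapi_principal_name` as a Kerberos-format NameID, but `GSSAPIAuth.root` in authgssapi.py fills that key from `GSS_NAME` or, failing that, from `self.user.name`. The commit message says the plugin is no longer limited to Kerberos, so the value may not be a `user@REALM` principal, and a service provider that trusts the declared format could then match it against the wrong identity. A guard before use, for instance `if nameid and '@' not in nameid: nameid = None`, would route such values into the existing `if not nameid:` check. The saml2idp.py hunk (@@ -433) makes the same assumption by advertising the Kerberos name format whenever `gssapi` is `yes`. Both enclosing methods extend beyond their hunks.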