ipsilon/login/authgssapi.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING

from ipsilon.login.common import LoginPageBase, LoginManagerBase, \
    LoginManagerInstaller
from ipsilon.util.plugin import PluginObject
from ipsilon.util.user import UserSession
from string import Template
import cherrypy
import os
import logging


class GSSAPI(LoginPageBase):

    def root(self, *args, **kwargs):
        # Someone typed manually or a robot is walking th tree.
        # Redirect to default page
        return self.lm.redirect_to_path(self.lm.path)


class GSSAPIAuth(LoginPageBase):

    def root(self, *args, **kwargs):
        trans = self.get_valid_transaction('login', **kwargs)
        # If we can get here, we must be authenticated and remote_user
        # was set. Check the session has a user set already or error.
        us = UserSession()
        us.remote_login()
        self.user = us.get_user()
        if not self.user.is_anonymous:
            principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None)
            if principal:
                userdata = {'gssapi_principal_name': principal}
            else:
                userdata = {'gssapi_principal_name': self.user.name}
            return self.lm.auth_successful(trans, self.user.name,
                                           'gssapi', userdata)
        else:
            return self.lm.auth_failed(trans)


class GSSAPIError(LoginPageBase):

    def root(self, *args, **kwargs):
        cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers,
                           severity=logging.DEBUG)
        # If we have no negotiate header return whatever mod_auth_gssapi
        # generated and wait for the next request

        if 'WWW-Authenticate' not in cherrypy.request.headers:
            cherrypy.response.status = 401

            next_login = self.lm.next_login()
            if next_login:
                return next_login.page.root(*args, **kwargs)

            conturl = '%s/login' % self.basepath
            return self._template('login/gssapi.html',
                                  title='GSSAPI Login',
                                  cont=conturl)

        # If we get here, negotiate failed
        trans = self.get_valid_transaction('login', **kwargs)
        return self.lm.auth_failed(trans)


class LoginManager(LoginManagerBase):

    def __init__(self, *args, **kwargs):
        super(LoginManager, self).__init__(*args, **kwargs)
        self.name = 'gssapi'
        self.path = 'gssapi/negotiate'
        self.page = None
        self.description = """
GSSAPI Negotiate authentication plugin. Relies on the mod_auth_gssapi
apache plugin for actual authentication. """
        self.new_config(self.name)

    def get_tree(self, site):
        self.page = GSSAPI(site, self)
        self.page.__dict__['negotiate'] = GSSAPIAuth(site, self)
        self.page.__dict__['unauthorized'] = GSSAPIError(site, self)
        self.page.__dict__['failed'] = GSSAPIError(site, self)
        return self.page


CONF_TEMPLATE = """

<Location /${instance}/login/gssapi/negotiate>
  AuthType GSSAPI
  AuthName "GSSAPI Single Sign On Login"
  $keytab
  GssapiSSLonly $gssapisslonly
  GssapiLocalName on
  Require valid-user

  ErrorDocument 401 /${instance}/login/gssapi/unauthorized
  ErrorDocument 500 /${instance}/login/gssapi/failed
</Location>
"""


class Installer(LoginManagerInstaller):

    def __init__(self, *pargs):
        super(Installer, self).__init__()
        self.name = 'gssapi'
        self.pargs = pargs

    def install_args(self, group):
        group.add_argument('--gssapi', choices=['yes', 'no'], default='no',
                           help='Configure GSSAPI authentication')
        group.add_argument('--gssapi-httpd-keytab',
                           default='/etc/httpd/conf/http.keytab',
                           help='Kerberos keytab location for HTTPD')

    def configure(self, opts, changes):
        if opts['gssapi'] != 'yes':
            return

        confopts = {'instance': opts['instance']}

        if os.path.exists(opts['gssapi_httpd_keytab']):
            confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
                opts['gssapi_httpd_keytab'])
        else:
            raise Exception('Keytab not found')

        if opts['secure'] == 'no':
            confopts['gssapisslonly'] = 'Off'
        else:
            confopts['gssapisslonly'] = 'On'

        tmpl = Template(CONF_TEMPLATE)
        hunk = tmpl.substitute(**confopts)
        with open(opts['httpd_conf'], 'a') as httpd_conf:
            httpd_conf.write(hunk)

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'gssapi'
        po.wipe_data()

        # Update global config, put 'gssapi' always first
        ph = self.pargs[0]
        ph.refresh_enabled()
        if 'gssapi' not in ph.enabled:
            enabled = []
            enabled.extend(ph.enabled)
            enabled.insert(0, 'gssapi')
            ph.save_enabled(enabled)