ipsilon/login/authkrb.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

# Copyright (C) 2014  Simo Sorce <simo@redhat.com>
#
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from ipsilon.login.common import LoginPageBase, LoginManagerBase, \
    LoginManagerInstaller
from ipsilon.util.plugin import PluginObject
from ipsilon.util.user import UserSession
from string import Template
import cherrypy
import os


class Krb(LoginPageBase):

    def root(self, *args, **kwargs):
        # Someone typed manually or a robot is walking th tree.
        # Redirect to default page
        return self.lm.redirect_to_path(self.lm.path)


class KrbAuth(LoginPageBase):

    def root(self, *args, **kwargs):
        trans = self.get_valid_transaction('login', **kwargs)
        # If we can get here, we must be authenticated and remote_user
        # was set. Check the session has a user set already or error.
        us = UserSession()
        us.remote_login()
        self.user = us.get_user()
        if not self.user.is_anonymous:
            userdata = {'krb_principal_name': self.user.name}
            return self.lm.auth_successful(trans, self.user.name,
                                           'krb', userdata)
        else:
            return self.lm.auth_failed(trans)


class KrbError(LoginPageBase):

    def root(self, *args, **kwargs):
        cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
        # If we have no negotiate header return whatever mod_auth_gssapi
        # generated and wait for the next request

        if 'WWW-Authenticate' not in cherrypy.request.headers:
            cherrypy.response.status = 401

            next_login = self.lm.next_login()
            if next_login:
                return next_login.page.root(*args, **kwargs)

            conturl = '%s/login' % self.basepath
            return self._template('login/krb.html',
                                  title='Kerberos Login',
                                  cont=conturl)

        # If we get here, negotiate failed
        trans = self.get_valid_transaction('login', **kwargs)
        return self.lm.auth_failed(trans)


class LoginManager(LoginManagerBase):

    def __init__(self, *args, **kwargs):
        super(LoginManager, self).__init__(*args, **kwargs)
        self.name = 'krb'
        self.path = 'krb/negotiate'
        self.page = None
        self.description = """
Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi
apache plugin for actual authentication. """
        self.new_config(self.name)

    def get_tree(self, site):
        self.page = Krb(site, self)
        self.page.__dict__['negotiate'] = KrbAuth(site, self)
        self.page.__dict__['unauthorized'] = KrbError(site, self)
        self.page.__dict__['failed'] = KrbError(site, self)
        return self.page


CONF_TEMPLATE = """

<Location /${instance}/login/krb/negotiate>
  AuthType GSSAPI
  AuthName "GSSAPI Single Sign On Login"
  $keytab
  GssapiSSLonly $gssapisslonly
  GssapiLocalName on
  Require valid-user

  ErrorDocument 401 /${instance}/login/krb/unauthorized
  ErrorDocument 500 /${instance}/login/krb/failed
</Location>
"""


class Installer(LoginManagerInstaller):

    def __init__(self, *pargs):
        super(Installer, self).__init__()
        self.name = 'krb'
        self.pargs = pargs

    def install_args(self, group):
        group.add_argument('--krb', choices=['yes', 'no'], default='no',
                           help='Configure Kerberos authentication')
        group.add_argument('--krb-httpd-keytab',
                           default='/etc/httpd/conf/http.keytab',
                           help='Kerberos keytab location for HTTPD')

    def configure(self, opts):
        if opts['krb'] != 'yes':
            return

        confopts = {'instance': opts['instance']}

        if os.path.exists(opts['krb_httpd_keytab']):
            confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
                opts['krb_httpd_keytab'])
        else:
            raise Exception('Keytab not found')

        if opts['secure'] == 'no':
            confopts['gssapisslonly'] = 'Off'
        else:
            confopts['gssapisslonly'] = 'On'

        tmpl = Template(CONF_TEMPLATE)
        hunk = tmpl.substitute(**confopts)  # pylint: disable=star-args
        with open(opts['httpd_conf'], 'a') as httpd_conf:
            httpd_conf.write(hunk)

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'krb'
        po.wipe_data()

        # Update global config, put 'krb' always first
        ph = self.pargs[0]
        ph.refresh_enabled()
        if 'krb' not in ph.enabled:
            enabled = []
            enabled.extend(ph.enabled)
            enabled.insert(0, 'krb')
            ph.save_enabled(enabled)