Add Kerberos Negotiate auth plugin

This plugin depends on the proper configuration of mod_auth_kerb

The mod_auth_kerb plugin should be configured with a <Location> directive
like the folowing:

<Location /idp/login/krb/negotiate>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM_NAME
  Krb5KeyTab $KEYTAB_NAME
  KrbSaveCredentials off
  KrbConstrainedDelegation off
  Require valid-user

  ErrorDocument 401 /idp/login/krb/unauthorized
</Location>

Signed-off-by: Simo Sorce <simo@redhat.com>

1 files changed, 80 insertions, 0 deletions

diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py
new file mode 100755
index 0000000..b6ff99c
--- /dev/null
+++ b/ipsilon/login/authkrb.py
@@ -0,0 +1,80 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2014  Simo Sorce <simo@redhat.com>
+#
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipsilon.login.common import LoginPageBase, LoginManagerBase
+import cherrypy
+
+
+class Krb(LoginPageBase):
+
+    def root(self, *args, **kwargs):
+        # Someone typed manually or a robot is walking th tree.
+        # Redirect to default page
+        return self.lm.redirect_to_path(self.lm.path)
+
+
+class KrbAuth(LoginPageBase):
+
+    def root(self, *args, **kwargs):
+        # If we can get here, we must be authenticated and remote_user
+        # was set. Check the session has a use set already or error.
+        if self.user and self.user.name:
+            return self.lm.auth_successful(self.user.name)
+        else:
+            return self.lm.auth_failed()
+
+
+class KrbError(LoginPageBase):
+
+    def root(self, *args, **kwargs):
+        cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
+        # If we have no negotiate header return whatever mod_auth_kerb
+        # generated and wait for the next request
+
+        if not 'WWW-Authenticate' in cherrypy.request.headers:
+            cherrypy.response.status = 401
+
+            if self.lm.next_login:
+                return self.lm.next_login.page.root(*args, **kwargs)
+
+            conturl = '%s/login' % self.basepath
+            return self._template('login/krb.html',
+                                  title='Kerberos Login',
+                                  cont=conturl)
+
+        # If we get here, negotiate failed
+        return self.lm.auth_failed()
+
+
+class LoginManager(LoginManagerBase):
+
+    def __init__(self, *args, **kwargs):
+        super(LoginManager, self).__init__(*args, **kwargs)
+        self.name = 'krb'
+        self.path = 'krb/negotiate'
+        self.page = None
+        self.description = """
+Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache
+plugin for actual authentication. """
+
+    def get_tree(self, site):
+        self.page = Krb(site, self)
+        self.page.__dict__['negotiate'] = KrbAuth(site, self)
+        self.page.__dict__['unauthorized'] = KrbError(site, self)
+        return self.page