ipsilon/login/authkrb.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

#!/usr/bin/python
#
# Copyright (C) 2014  Simo Sorce <simo@redhat.com>
#
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from ipsilon.login.common import LoginPageBase, LoginManagerBase
import cherrypy


class Krb(LoginPageBase):

    def root(self, *args, **kwargs):
        # Someone typed manually or a robot is walking th tree.
        # Redirect to default page
        return self.lm.redirect_to_path(self.lm.path)


class KrbAuth(LoginPageBase):

    def root(self, *args, **kwargs):
        # If we can get here, we must be authenticated and remote_user
        # was set. Check the session has a use set already or error.
        if self.user and self.user.name:
            return self.lm.auth_successful(self.user.name)
        else:
            return self.lm.auth_failed()


class KrbError(LoginPageBase):

    def root(self, *args, **kwargs):
        cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
        # If we have no negotiate header return whatever mod_auth_kerb
        # generated and wait for the next request

        if not 'WWW-Authenticate' in cherrypy.request.headers:
            cherrypy.response.status = 401

            if self.lm.next_login:
                return self.lm.next_login.page.root(*args, **kwargs)

            conturl = '%s/login' % self.basepath
            return self._template('login/krb.html',
                                  title='Kerberos Login',
                                  cont=conturl)

        # If we get here, negotiate failed
        return self.lm.auth_failed()


class LoginManager(LoginManagerBase):

    def __init__(self, *args, **kwargs):
        super(LoginManager, self).__init__(*args, **kwargs)
        self.name = 'krb'
        self.path = 'krb/negotiate'
        self.page = None
        self.description = """
Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache
plugin for actual authentication. """

    def get_tree(self, site):
        self.page = Krb(site, self)
        self.page.__dict__['negotiate'] = KrbAuth(site, self)
        self.page.__dict__['unauthorized'] = KrbError(site, self)
        return self.page