Change references to authkrb plugin to authgssapirename_krb

With the switch to mod_auth_gssapi we aren't limited to only
negotiated Kerberos so name the plugin to reflect this.

https://fedorahosted.org/ipsilon/ticket/114

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

18 files changed, 73 insertions, 76 deletions

diff --git a/README b/README
index 8b4f291..9bde0cc 100644
--- a/README
+++ b/README
@@ -28,7 +28,7 @@ Prerequisites:
 - A keytab if Kerberos authentication is desired
 - An unprivileged user to run the Ipsilon code (defaults to 'ipsilon')
 
-Currently there are only two available authentication modules, Kerberos and
+Currently there are only two available authentication modules, GSSAPI and
 PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for
 you at install time), the Pam module simply uses the PAM stack with a default service
 name set to 'remote'.
@@ -39,7 +39,7 @@ not work properly. Please use a different PAM module, like pam_sss, pam_ldap,
 etc..
 
 Before you run the install script make sure to create an administrative user
-that can be authenticated either via PAM or Kerberos. The default name the
+that can be authenticated either via PAM or GSSAPI. The default name the
 installation script expects is 'admin' but that can be changed with the command
 line option named --admin-user
 
@@ -50,9 +50,10 @@ name is referenced and resolved by remote clients.
 
 Other options are available by running ipsilon-server-install --help
 
-To install a server that allow both Kerberos and PAM authentication use:
+To install a server that allow both GSSAPI (Kerberos) and PAM authentication
+use:
 
- $ ipsilon-server-install --krb=yes --pam=yes
+ $ ipsilon-server-install --gssapi=yes --pam=yes
 
 This command will generate a default instance called 'idp' (you can change the
 default name using the --instance switch). Multiple instance can be installed
diff --git a/contrib/fedora/ipsilon.spec b/contrib/fedora/ipsilon.spec
index 335c61b..1127944 100644
--- a/contrib/fedora/ipsilon.spec
+++ b/contrib/fedora/ipsilon.spec
@@ -78,7 +78,7 @@ Client install tools
 summary:        IPA helpers
 Group:          System Environment/Base
 License:        GPLv3+
-Requires:       %{name}-authkrb = %{version}-%{release}
+Requires:       %{name}-authgssapi = %{version}-%{release}
 Requires:       %{name}-authform = %{version}-%{release}
 %if 0%{?rhel}
 Requires:       ipa-client
@@ -182,7 +182,7 @@ BuildArch:      noarch
 Provides a login plugin to authenticate against the local PAM stack
 
 
-%package authkrb
+%package authgssapi
 Summary:        mod_auth_gssapi based login plugin
 Group:          System Environment/Base
 License:        GPLv3+
@@ -190,7 +190,7 @@ Requires:       %{name} = %{version}-%{release}
 Requires:       mod_auth_gssapi
 BuildArch:      noarch
 
-%description authkrb
+%description authgssapi
 Provides a login plugin to allow authentication via the mod_auth_gssapi
 Apache module.
 
@@ -352,9 +352,9 @@ fi
 %files authpam
 %{python2_sitelib}/ipsilon/login/authpam*
 
-%files authkrb
-%{python2_sitelib}/ipsilon/login/authkrb*
-%{_datadir}/ipsilon/templates/login/krb.html
+%files authgssapi
+%{python2_sitelib}/ipsilon/login/authgssapi*
+%{_datadir}/ipsilon/templates/login/gssapi.html
 
 %files authldap
 %{python2_sitelib}/ipsilon/login/authldap*
diff --git a/examples/apache.conf b/examples/apache.conf
index 19ebb0d..cacbf70 100644
--- a/examples/apache.conf
+++ b/examples/apache.conf
@@ -3,20 +3,16 @@ WSGIScriptAlias /idp /usr/libexec/ipsilon.py
 WSGIDaemonProcess idp maximum-requests=2 user=ipsilon group=ipsilon
 WSGIProcessGroup idp
 
-<Location /idp/login/krb/negotiate>
-  AuthType Kerberos
-  AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms IPA.DEV.LAN
-  Krb5KeyTab /etc/httpd/conf/http.keytab
-  KrbSaveCredentials off
-  KrbConstrainedDelegation off
-  KrbLocalUserMapping On
+<Location /idp/login/gssapi/negotiate>
+  AuthType GSSAPI
+  AuthName "GSSAPI Single Sign On Login"
+  GssapiCredStore /etc/httpd/conf/http.keytab
+  GssapiSSLonly On
+  GssapiLocalName on
   Require valid-user
 
-  ErrorDocument 401 /idp/login/krb/unauthorized
+  ErrorDocument 401 /idp/login/gssapi/unauthorized
+  ErrorDocument 500 /idp/login/gssapi/failed
 </Location>
 
 <Directory /usr/libexec>
diff --git a/ipsilon/helpers/ipa.py b/ipsilon/helpers/ipa.py
index 2caddb3..5c01faa 100644
--- a/ipsilon/helpers/ipa.py
+++ b/ipsilon/helpers/ipa.py
@@ -93,10 +93,10 @@ class Installer(EnvHelpersInstaller):
                 raise Exception('No IPA tools found!')
 
         # Check if we already have a keytab for HTTP
-        if 'krb_httpd_keytab' in opts:
-            msg = "Searching for keytab in: %s" % opts['krb_httpd_keytab']
+        if 'gssapi_httpd_keytab' in opts:
+            msg = "Searching for keytab in: %s" % opts['gssapi_httpd_keytab']
             print >> sys.stdout, msg,
-            if os.path.exists(opts['krb_httpd_keytab']):
+            if os.path.exists(opts['gssapi_httpd_keytab']):
                 print >> sys.stdout, "... Found!"
                 return
             else:
@@ -105,7 +105,7 @@ class Installer(EnvHelpersInstaller):
         msg = "Searching for keytab in: %s" % HTTPD_IPA_KEYTAB
         print >> sys.stdout, msg,
         if os.path.exists(HTTPD_IPA_KEYTAB):
-            opts['krb_httpd_keytab'] = HTTPD_IPA_KEYTAB
+            opts['gssapi_httpd_keytab'] = HTTPD_IPA_KEYTAB
             print >> sys.stdout, "... Found!"
             return
         else:
@@ -167,11 +167,11 @@ class Installer(EnvHelpersInstaller):
 
         try:
             msg = "Trying to fetch keytab[%s] for %s" % (
-                  opts['krb_httpd_keytab'], princ)
+                  opts['gssapi_httpd_keytab'], princ)
             print >> sys.stdout, msg,
             subprocess.check_output([IPA_GETKEYTAB,
                                      '-s', server, '-p', princ,
-                                     '-k', opts['krb_httpd_keytab']],
+                                     '-k', opts['gssapi_httpd_keytab']],
                                     stderr=subprocess.STDOUT)
         except subprocess.CalledProcessError, e:
             # unfortunately this one is fatal
@@ -182,12 +182,12 @@ class Installer(EnvHelpersInstaller):
 
         # Fixup permissions so only the ipsilon user can read these files
         pw = pwd.getpwnam(HTTPD_USER)
-        os.chown(opts['krb_httpd_keytab'], pw.pw_uid, pw.pw_gid)
+        os.chown(opts['gssapi_httpd_keytab'], pw.pw_uid, pw.pw_gid)
 
     def configure_server(self, opts):
         if opts['ipa'] != 'yes' and opts['ipa'] != 'auto':
             return
-        if opts['ipa'] != 'yes' and opts['krb'] == 'no':
+        if opts['ipa'] != 'yes' and opts['gssapi'] == 'no':
             return
 
         self.logger = logging.getLogger()
@@ -196,12 +196,12 @@ class Installer(EnvHelpersInstaller):
 
         self.get_keytab(opts)
 
-        # Forcibly use krb then pam modules
+        # Forcibly use gssapi then pam modules
         if 'lm_order' not in opts:
             opts['lm_order'] = []
-        opts['krb'] = 'yes'
-        if 'krb' not in opts['lm_order']:
-            opts['lm_order'].insert(0, 'krb')
+        opts['gssapi'] = 'yes'
+        if 'gssapi' not in opts['lm_order']:
+            opts['lm_order'].insert(0, 'gssapi')
         opts['form'] = 'yes'
         if not any(lm in opts['lm_order'] for lm in ('form', 'pam')):
             opts['lm_order'].append('form')
diff --git a/ipsilon/login/authgssapi.py b/ipsilon/login/authgssapi.py
index dbb531a..97c3834 100644
--- a/ipsilon/login/authgssapi.py
+++ b/ipsilon/login/authgssapi.py
@@ -24,7 +24,7 @@ import cherrypy
 import os
 
 
-class Krb(LoginPageBase):
+class GSSAPI(LoginPageBase):
 
     def root(self, *args, **kwargs):
         # Someone typed manually or a robot is walking th tree.
@@ -32,7 +32,7 @@ class Krb(LoginPageBase):
         return self.lm.redirect_to_path(self.lm.path)
 
 
-class KrbAuth(LoginPageBase):
+class GSSAPIAuth(LoginPageBase):
 
     def root(self, *args, **kwargs):
         trans = self.get_valid_transaction('login', **kwargs)
@@ -44,16 +44,16 @@ class KrbAuth(LoginPageBase):
         if not self.user.is_anonymous:
             principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None)
             if principal:
-                userdata = {'krb_principal_name': principal}
+                userdata = {'gssapi_principal_name': principal}
             else:
-                userdata = {'krb_principal_name': self.user.name}
+                userdata = {'gssapi_principal_name': self.user.name}
             return self.lm.auth_successful(trans, self.user.name,
-                                           'krb', userdata)
+                                           'gssapi', userdata)
         else:
             return self.lm.auth_failed(trans)
 
 
-class KrbError(LoginPageBase):
+class GSSAPIError(LoginPageBase):
 
     def root(self, *args, **kwargs):
         cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
@@ -68,8 +68,8 @@ class KrbError(LoginPageBase):
                 return next_login.page.root(*args, **kwargs)
 
             conturl = '%s/login' % self.basepath
-            return self._template('login/krb.html',
-                                  title='Kerberos Login',
+            return self._template('login/gssapi.html',
+                                  title='GSSAPI Login',
                                   cont=conturl)
 
         # If we get here, negotiate failed
@@ -81,25 +81,25 @@ class LoginManager(LoginManagerBase):
 
     def __init__(self, *args, **kwargs):
         super(LoginManager, self).__init__(*args, **kwargs)
-        self.name = 'krb'
-        self.path = 'krb/negotiate'
+        self.name = 'gssapi'
+        self.path = 'gssapi/negotiate'
         self.page = None
         self.description = """
-Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi
+GSSAPI Negotiate authentication plugin. Relies on the mod_auth_gssapi
 apache plugin for actual authentication. """
         self.new_config(self.name)
 
     def get_tree(self, site):
-        self.page = Krb(site, self)
-        self.page.__dict__['negotiate'] = KrbAuth(site, self)
-        self.page.__dict__['unauthorized'] = KrbError(site, self)
-        self.page.__dict__['failed'] = KrbError(site, self)
+        self.page = GSSAPI(site, self)
+        self.page.__dict__['negotiate'] = GSSAPIAuth(site, self)
+        self.page.__dict__['unauthorized'] = GSSAPIError(site, self)
+        self.page.__dict__['failed'] = GSSAPIError(site, self)
         return self.page
 
 
 CONF_TEMPLATE = """
 
-<Location /${instance}/login/krb/negotiate>
+<Location /${instance}/login/gssapi/negotiate>
   AuthType GSSAPI
   AuthName "GSSAPI Single Sign On Login"
   $keytab
@@ -107,8 +107,8 @@ CONF_TEMPLATE = """
   GssapiLocalName on
   Require valid-user
 
-  ErrorDocument 401 /${instance}/login/krb/unauthorized
-  ErrorDocument 500 /${instance}/login/krb/failed
+  ErrorDocument 401 /${instance}/login/gssapi/unauthorized
+  ErrorDocument 500 /${instance}/login/gssapi/failed
 </Location>
 """
 
@@ -117,25 +117,25 @@ class Installer(LoginManagerInstaller):
 
     def __init__(self, *pargs):
         super(Installer, self).__init__()
-        self.name = 'krb'
+        self.name = 'gssapi'
         self.pargs = pargs
 
     def install_args(self, group):
-        group.add_argument('--krb', choices=['yes', 'no'], default='no',
-                           help='Configure Kerberos authentication')
-        group.add_argument('--krb-httpd-keytab',
+        group.add_argument('--gssapi', choices=['yes', 'no'], default='no',
+                           help='Configure GSSAPI authentication')
+        group.add_argument('--gssapi-httpd-keytab',
                            default='/etc/httpd/conf/http.keytab',
                            help='Kerberos keytab location for HTTPD')
 
     def configure(self, opts):
-        if opts['krb'] != 'yes':
+        if opts['gssapi'] != 'yes':
             return
 
         confopts = {'instance': opts['instance']}
 
-        if os.path.exists(opts['krb_httpd_keytab']):
+        if os.path.exists(opts['gssapi_httpd_keytab']):
             confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
-                opts['krb_httpd_keytab'])
+                opts['gssapi_httpd_keytab'])
         else:
             raise Exception('Keytab not found')
 
@@ -151,14 +151,14 @@ class Installer(LoginManagerInstaller):
 
         # Add configuration data to database
         po = PluginObject(*self.pargs)
-        po.name = 'krb'
+        po.name = 'gssapi'
         po.wipe_data()
 
-        # Update global config, put 'krb' always first
+        # Update global config, put 'gssapi' always first
         ph = self.pargs[0]
         ph.refresh_enabled()
-        if 'krb' not in ph.enabled:
+        if 'gssapi' not in ph.enabled:
             enabled = []
             enabled.extend(ph.enabled)
-            enabled.insert(0, 'krb')
+            enabled.insert(0, 'gssapi')
             ph.save_enabled(enabled)
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index bdcb9b8..521e0c0 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -197,7 +197,7 @@ class AuthenticateRequest(ProviderPageBase):
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
             nameid = '_' + uuid.uuid4().hex
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
-            nameid = us.get_data('user', 'krb_principal_name')
+            nameid = us.get_data('user', 'gssapi_principal_name')
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
             nameid = us.get_user().email
             if not nameid:
diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
index cec3e88..a507c7e 100644
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -433,7 +433,7 @@ class Installer(ProviderInstaller):
         validity = int(opts['saml2_metadata_validity'])
         meta = IdpMetadataGenerator(url, cert,
                                     timedelta(validity))
-        if 'krb' in opts and opts['krb'] == 'yes':
+        if 'gssapi' in opts and opts['gssapi'] == 'yes':
             meta.meta.add_allowed_name_format(
                 lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
 
diff --git a/tests/attrs.py b/tests/attrs.py
index 4a3c8d8..b4d8a99 100755
--- a/tests/attrs.py
+++ b/tests/attrs.py
@@ -42,7 +42,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/fconf.py b/tests/fconf.py
index 409c975..79e7ed7 100755
--- a/tests/fconf.py
+++ b/tests/fconf.py
@@ -52,7 +52,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/ldap.py b/tests/ldap.py
index 52676d3..d144f89 100755
--- a/tests/ldap.py
+++ b/tests/ldap.py
@@ -25,7 +25,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'instance': '${NAME}',
          'secure': 'no',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'ldap': 'yes',
          'ldap_server_url': 'ldap://${ADDRESS}:45389/',
diff --git a/tests/openid.py b/tests/openid.py
index ebc92ba..dfff299 100755
--- a/tests/openid.py
+++ b/tests/openid.py
@@ -44,7 +44,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'openid': 'yes',
          'openid_extensions': 'Attribute Exchange,Simple Registration,Teams',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/pgdb.py b/tests/pgdb.py
index ae4b47c..984bcee 100755
--- a/tests/pgdb.py
+++ b/tests/pgdb.py
@@ -46,7 +46,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/test1.py b/tests/test1.py
index 3e0cfc2..d4716bc 100755
--- a/tests/test1.py
+++ b/tests/test1.py
@@ -41,7 +41,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/testlogout.py b/tests/testlogout.py
index 5018066..cdf4f0b 100755
--- a/tests/testlogout.py
+++ b/tests/testlogout.py
@@ -42,7 +42,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/testmapping.py b/tests/testmapping.py
index d5e5dd0..b2ee012 100755
--- a/tests/testmapping.py
+++ b/tests/testmapping.py
@@ -28,7 +28,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/testnameid.py b/tests/testnameid.py
index a47e44b..adc0c08 100755
--- a/tests/testnameid.py
+++ b/tests/testnameid.py
@@ -27,7 +27,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/testrest.py b/tests/testrest.py
index 24a7092..7f472b7 100755
--- a/tests/testrest.py
+++ b/tests/testrest.py
@@ -26,7 +26,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}
 
diff --git a/tests/trans.py b/tests/trans.py
index d7551b3..fbffa00 100755
--- a/tests/trans.py
+++ b/tests/trans.py
@@ -42,7 +42,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}',
          'secure': 'no',
          'testauth': 'yes',
          'pam': 'no',
-         'krb': 'no',
+         'gssapi': 'no',
          'ipa': 'no',
          'server_debugging': 'True'}