1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
# Copyright (C) 2014 Ipsilon Contributors see COPYING for license
from ipsilon.login.common import LoginPageBase, LoginManagerBase, \
LoginManagerInstaller
from ipsilon.util.plugin import PluginObject
from ipsilon.util.user import UserSession
from string import Template
import cherrypy
import os
import logging
class GSSAPI(LoginPageBase):
def root(self, *args, **kwargs):
# Someone typed manually or a robot is walking th tree.
# Redirect to default page
return self.lm.redirect_to_path(self.lm.path)
class GSSAPIAuth(LoginPageBase):
def root(self, *args, **kwargs):
trans = self.get_valid_transaction('login', **kwargs)
# If we can get here, we must be authenticated and remote_user
# was set. Check the session has a user set already or error.
us = UserSession()
us.remote_login()
self.user = us.get_user()
if not self.user.is_anonymous:
principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None)
if principal:
userdata = {'gssapi_principal_name': principal}
else:
userdata = {'gssapi_principal_name': self.user.name}
return self.lm.auth_successful(trans, self.user.name,
'gssapi', userdata)
else:
return self.lm.auth_failed(trans)
class GSSAPIError(LoginPageBase):
def root(self, *args, **kwargs):
cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers,
severity=logging.DEBUG)
# If we have no negotiate header return whatever mod_auth_gssapi
# generated and wait for the next request
if 'WWW-Authenticate' not in cherrypy.request.headers:
cherrypy.response.status = 401
next_login = self.lm.next_login()
if next_login:
return next_login.page.root(*args, **kwargs)
conturl = '%s/login' % self.basepath
return self._template('login/gssapi.html',
title='GSSAPI Login',
cont=conturl)
# If we get here, negotiate failed
trans = self.get_valid_transaction('login', **kwargs)
return self.lm.auth_failed(trans)
class LoginManager(LoginManagerBase):
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
self.name = 'gssapi'
self.path = 'gssapi/negotiate'
self.page = None
self.description = """
GSSAPI Negotiate authentication plugin. Relies on the mod_auth_gssapi
apache plugin for actual authentication. """
self.new_config(self.name)
def get_tree(self, site):
self.page = GSSAPI(site, self)
self.page.__dict__['negotiate'] = GSSAPIAuth(site, self)
self.page.__dict__['unauthorized'] = GSSAPIError(site, self)
self.page.__dict__['failed'] = GSSAPIError(site, self)
return self.page
CONF_TEMPLATE = """
<Location /${instance}/login/gssapi/negotiate>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
$keytab
GssapiSSLonly $gssapisslonly
GssapiLocalName on
Require valid-user
ErrorDocument 401 /${instance}/login/gssapi/unauthorized
ErrorDocument 500 /${instance}/login/gssapi/failed
</Location>
"""
class Installer(LoginManagerInstaller):
def __init__(self, *pargs):
super(Installer, self).__init__()
self.name = 'gssapi'
self.pargs = pargs
def install_args(self, group):
group.add_argument('--gssapi', choices=['yes', 'no'], default='no',
help='Configure GSSAPI authentication')
group.add_argument('--gssapi-httpd-keytab',
default='/etc/httpd/conf/http.keytab',
help='Kerberos keytab location for HTTPD')
def configure(self, opts):
if opts['gssapi'] != 'yes':
return
confopts = {'instance': opts['instance']}
if os.path.exists(opts['gssapi_httpd_keytab']):
confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
opts['gssapi_httpd_keytab'])
else:
raise Exception('Keytab not found')
if opts['secure'] == 'no':
confopts['gssapisslonly'] = 'Off'
else:
confopts['gssapisslonly'] = 'On'
tmpl = Template(CONF_TEMPLATE)
hunk = tmpl.substitute(**confopts)
with open(opts['httpd_conf'], 'a') as httpd_conf:
httpd_conf.write(hunk)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'gssapi'
po.wipe_data()
# Update global config, put 'gssapi' always first
ph = self.pargs[0]
ph.refresh_enabled()
if 'gssapi' not in ph.enabled:
enabled = []
enabled.extend(ph.enabled)
enabled.insert(0, 'gssapi')
ph.save_enabled(enabled)
|