author | David Kupka <dkupka@redhat.com> | 2017-03-09 12:28:26 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-03-15 10:34:44 +0100 |
commit | 70889d4d5e7e2bd65ab1d4a28e5eda4a51c9b0c0 (patch) | |
tree | b736646c23dafe13d7187f21b47d333535d939d8 | |
parent | e20ad9c251d9118959e501cd49997662de8cdbfc (diff) | |
rpcserver: x509_login: Handle unsuccessful certificate login gracefully
When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.
https://pagure.io/freeipa/issue/6225
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-rw-r--r-- | ipaserver/rpcserver.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index fa15742d5..be4e3916b 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -834,6 +834,16 @@ class login_kerberos(KerberosLogin):
 class login_x509(KerberosLogin):
 key = '/session/login_x509'
+ def __call__(self, environ, start_response):
+ self.debug('WSGI login_x509.__call__:')
+
+ if 'KRB5CCNAME' not in environ:
+ return self.unauthorized(
+ environ, start_response, 'KRB5CCNAME not set',
+ 'Authentication failed')
+
+ super(login_x509, self).__call__(environ, start_response)
+
 class login_password(Backend, KerberosSession): |
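Review bot: The success path of the new `login_x509.__call__` discards the WSGI response: the last added line calls `super(login_x509, self).__call__(environ, start_response)` without `return`, so the method returns `None` whenever `KRB5CCNAME` is present, and only the 401 branch hands a body back to the server. It should read `return super(login_x509, self).__call__(environ, start_response)`. `KerberosLogin.__call__` is defined outside the hunk, so the assumption that it returns the response iterable comes from the WSGI calling convention rather than from visible lines. The guard also tests only for the key's presence; `if not environ.get('KRB5CCNAME'):` would additionally reject an empty value, should the front-end modules ever set one.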