author | Simo Sorce <simo@redhat.com> | 2014-01-20 16:14:52 -0500 |
committer | Simo Sorce <simo@redhat.com> | 2014-01-24 17:32:21 -0500 |
commit | d0a1541e095b9cee6468eeea07a950264753dd39 (patch) | |
tree | c316fb8ccf9ce2742414d14262c396478358a747 | |
parent | 26af9d1958608fb0237e2d1dd8b1b15d8cb862b7 (diff) | |
Add Kerberos Negotiate auth plugin
This plugin depends on the proper configuration of mod_auth_kerb
The mod_auth_kerb plugin should be configured with a <Location> directive
like the following:
<Location /idp/login/krb/negotiate>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM_NAME
Krb5KeyTab $KEYTAB_NAME
KrbSaveCredentials off
KrbConstrainedDelegation off
Require valid-user
ErrorDocument 401 /idp/login/krb/unauthorized
</Location>
Signed-off-by: Simo Sorce <simo@redhat.com>
-rwxr-xr-x | ipsilon/login/authkrb.py | 80 | ||||
-rw-r--r-- | templates/login/krb.html | 20 |
2 files changed, 100 insertions, 0 deletions
diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py
new file mode 100755
index 0000000..b6ff99c
--- /dev/null
+++ b/ipsilon/login/authkrb.py
@@ -0,0 +1,80 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2014 Simo Sorce <simo@redhat.com>
+#
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipsilon.login.common import LoginPageBase, LoginManagerBase
+import cherrypy
+
+
+class Krb(LoginPageBase):
+
+ def root(self, *args, **kwargs):
+ # Someone typed manually or a robot is walking th tree.
+ # Redirect to default page
+ return self.lm.redirect_to_path(self.lm.path)
+
+
+class KrbAuth(LoginPageBase):
+
+ def root(self, *args, **kwargs):
+ # If we can get here, we must be authenticated and remote_user
+ # was set. Check the session has a use set already or error.
+ if self.user and self.user.name:
+ return self.lm.auth_successful(self.user.name)
+ else:
+ return self.lm.auth_failed()
+
+
+class KrbError(LoginPageBase):
+
+ def root(self, *args, **kwargs):
+ cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
+ # If we have no negotiate header return whatever mod_auth_kerb
+ # generated and wait for the next request
+
+ if not 'WWW-Authenticate' in cherrypy.request.headers:
+ cherrypy.response.status = 401
+
+ if self.lm.next_login:
+ return self.lm.next_login.page.root(*args, **kwargs)
+
+ conturl = '%s/login' % self.basepath
+ return self._template('login/krb.html',
+ title='Kerberos Login',
+ cont=conturl)
+
+ # If we get here, negotiate failed
+ return self.lm.auth_failed()
+
+
+class LoginManager(LoginManagerBase):
+
+ def __init__(self, *args, **kwargs):
+ super(LoginManager, self).__init__(*args, **kwargs)
+ self.name = 'krb'
+ self.path = 'krb/negotiate'
+ self.page = None
+ self.description = """
+Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache
+plugin for actual authentication. """
+
+ def get_tree(self, site):
+ self.page = Krb(site, self)
+ self.page.__dict__['negotiate'] = KrbAuth(site, self)
+ self.page.__dict__['unauthorized'] = KrbError(site, self)
+ return self.page
diff --git a/templates/login/krb.html b/templates/login/krb.html
new file mode 100644
index 0000000..1f9107b
--- /dev/null
+++ b/templates/login/krb.html
@@ -0,0 +1,20 @@
+<!doctype html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8"></meta>
+ <title>{{ title }}</title>
+ <link href="{{ basepath }}/ui/ipsilon.css" type="text/css" rel="stylesheet"></link>
+ <link href="{{ basepath }}/ui/favicon.ico" type="image/ico" rel="icon"></link>
+</head>
+<body>
+ <div id="container">
+ <div id="logo">
+ <p>Ipsilon</p>
+ </div>
+ <div id="login">
+ <p>Press <a href="{{ cont }}">here</a> if your browser does not
+ redirect you in a few seconds</a>
+ </div>
+ </div>
+</body>
+</html> |
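Review bot: `cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)` at the top of KrbError.root writes every header of an unauthenticated request — including any Cookie and Authorization (Negotiate token) values — into the error log on each 401; it reads like leftover debugging and should be dropped, or reduced to the one header the branch below actually tests. That test also looks suspect: WWW-Authenticate is a response header, so checking it on `cherrypy.request.headers` presumably never matches and the closing `return self.lm.auth_failed()` would be unreachable — worth confirming against how mod_auth_kerb's ErrorDocument redirect surfaces headers to the app; either way PEP 8 spells it `if 'WWW-Authenticate' not in cherrypy.request.headers:`. Two typos could be fixed in the same pass: the KrbAuth comment `# was set. Check the session has a user set already or error.` and `Kerberos Negotiate authentication plugin.` in LoginManager.description.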
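Review bot: The markup inside the login div is unbalanced: the `<p>` opened before "Press" is never closed and a stray `</a>` follows "seconds" although the anchor was already closed after "here"; the line should read `redirect you in a few seconds</p>`. The explicit `</meta>` and `</link>` closing tags in the head are also not valid for void elements and can simply be removed.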