api: Better error message when confronted with NTLM

2017-05-08 10:26:11 +00:00 · 2017-05-08 10:26:11 +00:00 · 4e41655532
parent 545febf3d0
commit 4e41655532
2 changed files with 6 additions and 0 deletions
--- a/certidude/auth.py
+++ b/certidude/auth.py
@ -46,6 +46,8 @@ def authenticate(optional=False):
                context.step(b64decode(token))
            except TypeError: # base64 errors
                raise falcon.HTTPBadRequest("Bad request", "Malformed token")
+            except gssapi.raw.exceptions.BadMechanismError:
+                raise falcon.HTTPBadRequest("Bad request", "Unsupported authentication mechanism (NTLM?) was offered. Please make sure you've logged into the computer with domain user account. The web interface should not prompt for username or password.")

            username, domain = str(context.initiator_name).split("@")

--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@ -887,6 +887,10 @@ def test_cli_setup_authority():
    assert "No Kerberos ticket offered" in r.text, r.text
    r = requests.get("http://ca.example.lan/api/", headers={"Authorization": "Negotiate blerrgh"})
    assert r.status_code == 400, r.text
+    assert "Malformed token" in r.text
+    r = requests.get("http://ca.example.lan/api/", headers={"Authorization": "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw=="})
+    assert r.status_code == 400, r.text
+    assert "Unsupported authentication mechanism (NTLM" in r.text
    r = requests.get("http://ca.example.lan/api/", auth=auth)
    assert r.status_code == 200, r.text