Kerberos fixes

Lauri Võsandi 2021-06-08 06:52:56 +00:00
parent 0b731b246d
commit b3acc85cc5
2 changed files with 7 additions and 8 deletions


@ -99,17 +99,16 @@ def authenticate(optional=False):
req.env["PATH_INFO"], req.context["remote"]["addr"])
raise falcon.HTTPUnauthorized("Unauthorized",
"No Kerberos ticket offered, are you sure you've logged in with domain user account?",
["Negotiate"])
challenges=["Negotiate"])
else:
logger.debug("No credentials offered while attempting to access %s from %s",
req.env["PATH_INFO"], req.context["remote"]["addr"])
#falcon 3.0 login fix
raise falcon.HTTPUnauthorized(title="Unauthorized", description="Please authenticate", challenges=("Basic",))
raise falcon.HTTPUnauthorized("Unauthorized", "Please authenticate", challenges=["Basic"])
if kerberized:
if not req.auth.startswith("Negotiate "):
raise falcon.HTTPUnauthorized("Unauthorized",
"Bad header, expected Negotiate", ["Negotiate"])
"Bad header, expected Negotiate", challenges=["Negotiate"])
os.environ["KRB5_KTNAME"] = const.KERBEROS_KEYTAB
@ -163,7 +162,7 @@ def authenticate(optional=False):
else:
if not req.auth.startswith("Basic "):
raise falcon.HTTPUnauthorized("Forbidden", "Bad header, expected Basic", ("Basic",))
raise falcon.HTTPUnauthorized("Unauthorized", "Bad header, expected Basic", challenges=["Basic"])
basic, token = req.auth.split(" ", 1)
user, passwd = b64decode(token).decode("utf-8").split(":", 1)
@ -186,7 +185,7 @@ def authenticate(optional=False):
except ldap.INVALID_CREDENTIALS:
logger.critical("LDAP bind authentication failed for user %s from %s",
repr(upn), req.context["remote"]["addr"])
raise falcon.HTTPUnauthorized(
raise falcon.HTTPUnauthorized("Unauthorized",
description="Please authenticate with %s domain account username" % const.KERBEROS_REALM,
challenges=["Basic"])
@ -197,7 +196,7 @@ def authenticate(optional=False):
try:
req.context["user"] = User.objects.get(user)
except User.DoesNotExist:
raise falcon.HTTPUnauthorized("Unauthorized", "Invalid credentials", ("Basic",))
raise falcon.HTTPUnauthorized("Unauthorized", "Invalid credentials", challenges=["Basic"])
retval = func(resource, req, resp, *args, **kwargs)
if conn:
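Review bot: In the hunk at `-163,7`, the two lines after the corrected `Basic` check still parse the client-supplied header with no error handling: `b64decode(token)` raises on bad padding, `.decode("utf-8")` on non-UTF-8 bytes, and the `user, passwd = ... .split(":", 1)` unpacking on a token without a colon. All three are `ValueError` subclasses, so unless a handler outside the visible lines catches them, a malformed header yields a 500 instead of the 401 that this commit is standardising. I would wrap the decode in `try:` / `except ValueError:` and raise `falcon.HTTPUnauthorized("Unauthorized", "Bad header, expected Basic", challenges=["Basic"])` from the handler. The body of `authenticate` starts and ends outside these hunks, so this rests only on the lines shown.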


@ -110,7 +110,7 @@ TOKEN_LIFETIME = 3600 * 24
TOKEN_OVERWRITE_PERMITTED = os.getenv("TOKEN_OVERWRITE_PERMITTED")
# TODO: Check if we don't have base or servers
AUTHENTICATION_BACKENDS = set(["ldap"])
AUTHENTICATION_BACKENDS = set(["ldap", "kerberos"])
MAIL_SUFFIX = os.getenv("MAIL_SUFFIX")
KERBEROS_KEYTAB = os.getenv("KERBEROS_KEYTAB", "/server-secrets/krb5.keytab")
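Review bot: `AUTHENTICATION_BACKENDS` now lists `"kerberos"` unconditionally, while the keytab it relies on is only a path with a default (`KERBEROS_KEYTAB`, two lines below) that nothing here verifies. If the decorator in the other file chooses the Negotiate branch from this set (not visible in this diff), a host without a readable keytab would advertise Negotiate and fail on every request rather than at startup. I would either make the backend list configurable like the neighbouring `os.getenv` settings, or add `"kerberos"` only after a startup check such as `os.access(KERBEROS_KEYTAB, os.R_OK)`. A short comment next to the existing TODO could also record that the keytab is a long-term secret and should be readable by the service account only.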