From b3acc85cc5d7f0ae440e2b9895d062e501594cf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Tue, 8 Jun 2021 06:52:56 +0000
Subject: [PATCH] Kerberos fixes
---
 pinecrypt/server/api/utils/firewall.py | 13 ++++++-------
 pinecrypt/server/const.py | 2 +-
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/pinecrypt/server/api/utils/firewall.py b/pinecrypt/server/api/utils/firewall.py
index be0fb91..2376adc 100644
--- a/pinecrypt/server/api/utils/firewall.py
+++ b/pinecrypt/server/api/utils/firewall.py
@@ -99,17 +99,16 @@ def authenticate(optional=False):
 req.env["PATH_INFO"], req.context["remote"]["addr"])
 raise falcon.HTTPUnauthorized("Unauthorized", "No Kerberos ticket offered, are you sure you've logged in with domain user account?",
- ["Negotiate"])
+ challenges=["Negotiate"])
 else:
 logger.debug("No credentials offered while attempting to access %s from %s", req.env["PATH_INFO"], req.context["remote"]["addr"])
- #falcon 3.0 login fix
- raise falcon.HTTPUnauthorized(title="Unauthorized", description="Please authenticate", challenges=("Basic",))
+ raise falcon.HTTPUnauthorized("Unauthorized", "Please authenticate", challenges=["Basic"])
 if kerberized:
 if not req.auth.startswith("Negotiate "):
 raise falcon.HTTPUnauthorized("Unauthorized",
- "Bad header, expected Negotiate", ["Negotiate"])
+ "Bad header, expected Negotiate", challenges=["Negotiate"])
 os.environ["KRB5_KTNAME"] = const.KERBEROS_KEYTAB
@@ -163,7 +162,7 @@ def authenticate(optional=False):
 else:
 if not req.auth.startswith("Basic "):
- raise falcon.HTTPUnauthorized("Forbidden", "Bad header, expected Basic", ("Basic",))
+ raise falcon.HTTPUnauthorized("Unauthorized", "Bad header, expected Basic", challenges=["Basic"])
 basic, token = req.auth.split(" ", 1)
 user, passwd = b64decode(token).decode("utf-8").split(":", 1)
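Review bot: The new `HTTPUnauthorized` calls in this hunk pass title and description positionally, reverting the keyword form that the removed `#falcon 3.0 login fix` line had used, and the hunk at -186 ends up mixing the two (`"Unauthorized"` positional, `description=` keyword); the hunks at -163 and -197 use the same positional form. As far as I recall, later Falcon releases restrict the `HTTPError` constructor arguments to keywords, so the keyword form is both the more future-proof choice and the one that reads unambiguously next to `challenges=`. I would write each call as `raise falcon.HTTPUnauthorized(title="Unauthorized", description="Please authenticate", challenges=["Basic"])` and apply the same shape to the other four call sites. `authenticate` starts before this hunk and continues after it.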
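Review bot: The 401 added here only covers the scheme prefix; the two context lines after it still parse the untrusted header with no guard, so a malformed Basic token (invalid base64, non-UTF-8 bytes, or a payload without a `:`) raises `binascii.Error`, `UnicodeDecodeError` or an unpacking `ValueError` out of `authenticate` and, unless the framework catches it somewhere not visible here, surfaces as a server error instead of the intended challenge. All three are `ValueError` subclasses, so a single `except ValueError` around the decode line that re-raises the same `HTTPUnauthorized` keeps the response consistent with the check above and needs no new import. The function continues outside this hunk, and the `if kerberized:` branch this `else:` pairs with is in the previous hunk.
```python
            basic, token = req.auth.split(" ", 1)
            try:
                user, passwd = b64decode(token).decode("utf-8").split(":", 1)
            except ValueError:
                # binascii.Error and UnicodeDecodeError are both ValueError subclasses
                raise falcon.HTTPUnauthorized("Unauthorized", "Bad header, expected Basic", challenges=["Basic"])
```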
@@ -186,7 +185,7 @@ def authenticate(optional=False):
 except ldap.INVALID_CREDENTIALS:
 logger.critical("LDAP bind authentication failed for user %s from %s", repr(upn), req.context["remote"]["addr"])
- raise falcon.HTTPUnauthorized(
+ raise falcon.HTTPUnauthorized("Unauthorized",
 description="Please authenticate with %s domain account username" % const.KERBEROS_REALM, challenges=["Basic"])
@@ -197,7 +196,7 @@ def authenticate(optional=False):
 try:
 req.context["user"] = User.objects.get(user)
 except User.DoesNotExist:
- raise falcon.HTTPUnauthorized("Unauthorized", "Invalid credentials", ("Basic",))
+ raise falcon.HTTPUnauthorized("Unauthorized", "Invalid credentials", challenges=["Basic"])
 retval = func(resource, req, resp, *args, **kwargs)
 if conn:
diff --git a/pinecrypt/server/const.py b/pinecrypt/server/const.py
index c698e76..3669d12 100644
--- a/pinecrypt/server/const.py
+++ b/pinecrypt/server/const.py
@@ -110,7 +110,7 @@ TOKEN_LIFETIME = 3600 * 24
 TOKEN_OVERWRITE_PERMITTED = os.getenv("TOKEN_OVERWRITE_PERMITTED") # TODO: Check if we don't have base or servers
-AUTHENTICATION_BACKENDS = set(["ldap"])
+AUTHENTICATION_BACKENDS = set(["ldap", "kerberos"])
 MAIL_SUFFIX = os.getenv("MAIL_SUFFIX")
 KERBEROS_KEYTAB = os.getenv("KERBEROS_KEYTAB", "/server-secrets/krb5.keytab")
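Review bot: `AUTHENTICATION_BACKENDS = set(["ldap", "kerberos"])` is the `set([...])` spelling of a literal; `AUTHENTICATION_BACKENDS = {"ldap", "kerberos"}` is the idiomatic form and is what ruff's C405 would flag. The set is now hard-coded while the neighbouring settings (`TOKEN_OVERWRITE_PERMITTED`, `MAIL_SUFFIX`, `KERBEROS_KEYTAB`) are read from the environment, so every deployment enables the Kerberos backend whether or not a keytab is actually provisioned at the default path; if that is not the intent, an environment-driven toggle would match the surrounding style. The `# TODO: Check if we don't have base or servers` comment above the line is left as is and presumably still applies.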