Kerberos fixes

Lauri Võsandi 2021-06-08 06:52:56 +00:00
parent 0b731b246d
commit b3acc85cc5
2 changed files with 7 additions and 8 deletions


@ -99,17 +99,16 @@ def authenticate(optional=False):
req.env["PATH_INFO"], req.context["remote"]["addr"]) req.env["PATH_INFO"], req.context["remote"]["addr"])
raise falcon.HTTPUnauthorized("Unauthorized", raise falcon.HTTPUnauthorized("Unauthorized",
"No Kerberos ticket offered, are you sure you've logged in with domain user account?", "No Kerberos ticket offered, are you sure you've logged in with domain user account?",
["Negotiate"]) challenges=["Negotiate"])
else: else:
logger.debug("No credentials offered while attempting to access %s from %s", logger.debug("No credentials offered while attempting to access %s from %s",
req.env["PATH_INFO"], req.context["remote"]["addr"]) req.env["PATH_INFO"], req.context["remote"]["addr"])
#falcon 3.0 login fix raise falcon.HTTPUnauthorized("Unauthorized", "Please authenticate", challenges=["Basic"])
raise falcon.HTTPUnauthorized(title="Unauthorized", description="Please authenticate", challenges=("Basic",))
if kerberized: if kerberized:
if not req.auth.startswith("Negotiate "): if not req.auth.startswith("Negotiate "):
raise falcon.HTTPUnauthorized("Unauthorized", raise falcon.HTTPUnauthorized("Unauthorized",
"Bad header, expected Negotiate", ["Negotiate"]) "Bad header, expected Negotiate", challenges=["Negotiate"])
os.environ["KRB5_KTNAME"] = const.KERBEROS_KEYTAB os.environ["KRB5_KTNAME"] = const.KERBEROS_KEYTAB
@ -163,7 +162,7 @@ def authenticate(optional=False):
else: else:
if not req.auth.startswith("Basic "): if not req.auth.startswith("Basic "):
raise falcon.HTTPUnauthorized("Forbidden", "Bad header, expected Basic", ("Basic",)) raise falcon.HTTPUnauthorized("Unauthorized", "Bad header, expected Basic", challenges=["Basic"])
basic, token = req.auth.split(" ", 1) basic, token = req.auth.split(" ", 1)
user, passwd = b64decode(token).decode("utf-8").split(":", 1) user, passwd = b64decode(token).decode("utf-8").split(":", 1)
@ -186,7 +185,7 @@ def authenticate(optional=False):
except ldap.INVALID_CREDENTIALS: except ldap.INVALID_CREDENTIALS:
logger.critical("LDAP bind authentication failed for user %s from %s", logger.critical("LDAP bind authentication failed for user %s from %s",
repr(upn), req.context["remote"]["addr"]) repr(upn), req.context["remote"]["addr"])
raise falcon.HTTPUnauthorized( raise falcon.HTTPUnauthorized("Unauthorized",
description="Please authenticate with %s domain account username" % const.KERBEROS_REALM, description="Please authenticate with %s domain account username" % const.KERBEROS_REALM,
challenges=["Basic"]) challenges=["Basic"])
@ -197,7 +196,7 @@ def authenticate(optional=False):
try: try:
req.context["user"] = User.objects.get(user) req.context["user"] = User.objects.get(user)
except User.DoesNotExist: except User.DoesNotExist:
raise falcon.HTTPUnauthorized("Unauthorized", "Invalid credentials", ("Basic",)) raise falcon.HTTPUnauthorized("Unauthorized", "Invalid credentials", challenges=["Basic"])
retval = func(resource, req, resp, *args, **kwargs) retval = func(resource, req, resp, *args, **kwargs)
if conn: if conn:
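Review bot: The Basic branch rejects only a wrong scheme at the changed `Bad header, expected Basic` line, while the two lines that follow it are still unguarded: `b64decode(token)` raises `binascii.Error` on malformed base64, `.decode("utf-8")` raises `UnicodeDecodeError` on non-UTF-8 bytes, and the two-target unpack raises `ValueError` when the decoded string contains no colon, so a crafted or merely broken `Authorization` header produces a 500 instead of the 401 the new line returns. All three are `ValueError` subclasses, so one handler around the decode that raises the same `HTTPUnauthorized` with the `Basic` challenge closes the gap, and `validate=True` additionally rejects tokens with stray non-alphabet characters rather than silently discarding them. The decorated function continues outside the hunk, so I could not see whether an outer handler already maps these exceptions. Separately, the description on the `INVALID_CREDENTIALS` path discloses `KERBEROS_REALM` to unauthenticated clients; that may be intentional UX, but it is worth confirming.
```python
basic, token = req.auth.split(" ", 1)
try:
    user, passwd = b64decode(token, validate=True).decode("utf-8").split(":", 1)
except ValueError:
    # binascii.Error and UnicodeDecodeError are both ValueError subclasses
    raise falcon.HTTPUnauthorized("Unauthorized", "Bad header, expected Basic", challenges=["Basic"])
# … unchanged: LDAP bind and user lookup …
```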


@ -110,7 +110,7 @@ TOKEN_LIFETIME = 3600 * 24
TOKEN_OVERWRITE_PERMITTED = os.getenv("TOKEN_OVERWRITE_PERMITTED") TOKEN_OVERWRITE_PERMITTED = os.getenv("TOKEN_OVERWRITE_PERMITTED")
# TODO: Check if we don't have base or servers # TODO: Check if we don't have base or servers
AUTHENTICATION_BACKENDS = set(["ldap"]) AUTHENTICATION_BACKENDS = set(["ldap", "kerberos"])
MAIL_SUFFIX = os.getenv("MAIL_SUFFIX") MAIL_SUFFIX = os.getenv("MAIL_SUFFIX")
KERBEROS_KEYTAB = os.getenv("KERBEROS_KEYTAB", "/server-secrets/krb5.keytab") KERBEROS_KEYTAB = os.getenv("KERBEROS_KEYTAB", "/server-secrets/krb5.keytab")
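Review bot: Adding `kerberos` to `AUTHENTICATION_BACKENDS` unconditionally (assuming the right-hand value is the new one) makes every deployment depend on the keytab at `KERBEROS_KEYTAB`, which the auth code points `KRB5_KTNAME` at on each request, yet nothing here verifies the file is present and readable by the service user, and the `TODO` two lines up already notes that config validation is missing. A check placed after the `KERBEROS_KEYTAB` line, e.g. `if "kerberos" in AUTHENTICATION_BACKENDS and not os.access(KERBEROS_KEYTAB, os.R_OK): raise RuntimeError("KERBEROS_KEYTAB %s is not readable" % KERBEROS_KEYTAB)`, turns a failure of every Negotiate login at runtime into a boot-time error. A keytab is a long-lived credential, so the same spot is a natural place to warn if its mode is group- or world-readable. Whether Basic/LDAP remains reachable when the keytab is unusable depends on code outside this hunk.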