1 # Copyright (C) 2014 Simo Sorce <simo@redhat.com>
3 # see file 'COPYING' for use and warranty information
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation, either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 from ipsilon.login.common import LoginPageBase, LoginManagerBase, \
20 from ipsilon.util.plugin import PluginObject
21 from ipsilon.util.user import UserSession
22 from string import Template
28 class GSSAPI(LoginPageBase):
30 def root(self, *args, **kwargs):
31 # Someone typed manually or a robot is walking th tree.
32 # Redirect to default page
33 return self.lm.redirect_to_path(self.lm.path)
36 class GSSAPIAuth(LoginPageBase):
38 def root(self, *args, **kwargs):
39 trans = self.get_valid_transaction('login', **kwargs)
40 # If we can get here, we must be authenticated and remote_user
41 # was set. Check the session has a user set already or error.
44 self.user = us.get_user()
45 if not self.user.is_anonymous:
46 principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None)
48 userdata = {'gssapi_principal_name': principal}
50 userdata = {'gssapi_principal_name': self.user.name}
51 return self.lm.auth_successful(trans, self.user.name,
54 return self.lm.auth_failed(trans)
57 class GSSAPIError(LoginPageBase):
59 def root(self, *args, **kwargs):
60 cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers,
61 severity=logging.DEBUG)
62 # If we have no negotiate header return whatever mod_auth_gssapi
63 # generated and wait for the next request
65 if 'WWW-Authenticate' not in cherrypy.request.headers:
66 cherrypy.response.status = 401
68 next_login = self.lm.next_login()
70 return next_login.page.root(*args, **kwargs)
72 conturl = '%s/login' % self.basepath
73 return self._template('login/gssapi.html',
77 # If we get here, negotiate failed
78 trans = self.get_valid_transaction('login', **kwargs)
79 return self.lm.auth_failed(trans)
82 class LoginManager(LoginManagerBase):
84 def __init__(self, *args, **kwargs):
85 super(LoginManager, self).__init__(*args, **kwargs)
87 self.path = 'gssapi/negotiate'
89 self.description = """
90 GSSAPI Negotiate authentication plugin. Relies on the mod_auth_gssapi
91 apache plugin for actual authentication. """
92 self.new_config(self.name)
94 def get_tree(self, site):
95 self.page = GSSAPI(site, self)
96 self.page.__dict__['negotiate'] = GSSAPIAuth(site, self)
97 self.page.__dict__['unauthorized'] = GSSAPIError(site, self)
98 self.page.__dict__['failed'] = GSSAPIError(site, self)
104 <Location /${instance}/login/gssapi/negotiate>
106 AuthName "GSSAPI Single Sign On Login"
108 GssapiSSLonly $gssapisslonly
112 ErrorDocument 401 /${instance}/login/gssapi/unauthorized
113 ErrorDocument 500 /${instance}/login/gssapi/failed
118 class Installer(LoginManagerInstaller):
120 def __init__(self, *pargs):
121 super(Installer, self).__init__()
125 def install_args(self, group):
126 group.add_argument('--gssapi', choices=['yes', 'no'], default='no',
127 help='Configure GSSAPI authentication')
128 group.add_argument('--gssapi-httpd-keytab',
129 default='/etc/httpd/conf/http.keytab',
130 help='Kerberos keytab location for HTTPD')
132 def configure(self, opts):
133 if opts['gssapi'] != 'yes':
136 confopts = {'instance': opts['instance']}
138 if os.path.exists(opts['gssapi_httpd_keytab']):
139 confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
140 opts['gssapi_httpd_keytab'])
142 raise Exception('Keytab not found')
144 if opts['secure'] == 'no':
145 confopts['gssapisslonly'] = 'Off'
147 confopts['gssapisslonly'] = 'On'
149 tmpl = Template(CONF_TEMPLATE)
150 hunk = tmpl.substitute(**confopts) # pylint: disable=star-args
151 with open(opts['httpd_conf'], 'a') as httpd_conf:
152 httpd_conf.write(hunk)
154 # Add configuration data to database
155 po = PluginObject(*self.pargs)
159 # Update global config, put 'gssapi' always first
162 if 'gssapi' not in ph.enabled:
164 enabled.extend(ph.enabled)
165 enabled.insert(0, 'gssapi')
166 ph.save_enabled(enabled)