From cabb3ee499f2e2c5c7e1bf54571307610ddb2500 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Nov 16 2016 17:35:39 +0000
Subject: Implement realm checks for Kerberos authentication
With this patch, we allow disabling accepting anonymous tickets at Koji, and for admins to specify which realms are allowed to contact the system in the case of a trust relationship. These checks are ignored if a user is explicitly created with the particular principal, since the checks only happen in the createUserFromKerberos call.
Signed-off-by: Patrick Uiterwijk
---
diff --git a/hub/hub.conf b/hub/hub.conf
index f1e40c1..7b76fba 100644
--- a/hub/hub.conf
+++ b/hub/hub.conf
@@ -21,6 +21,10 @@ KojiDir = /mnt/koji
 # ProxyPrincipals = koji/kojiweb@EXAMPLE.COM
 ## format string for host principals (%s = hostname)
 # HostPrincipalFormat = compile/%s@EXAMPLE.COM
+## Whether to allow anonymous tickets (principal WELLKNOWN/ANONYMOUS or realm WELLKNOWN:ANONYMOUS)
+# AllowAnonymousKrb = False
+## Which realms to allow access (this is ignored if explicitly set on a user)
+# AllowedKrbRealms = EXAMPLE.COM|MYDOMAIN.COM
 ## end Kerberos auth configuration
diff --git a/koji/auth.py b/koji/auth.py
index 3dbe1cc..12cd2ec 100644
--- a/koji/auth.py
+++ b/koji/auth.py
@@ -638,10 +638,19 @@ class Session(object): """Create a new user, based on the Kerberos principal. Their username will be everything before the "@" in the principal. Return the ID of the newly created user."""
- atidx = krb_principal.find('@')
- if atidx == -1:
- raise koji.AuthError, 'invalid Kerberos principal: %s' % krb_principal
- user_name = krb_principal[:atidx]
+ principal = krb_principal.rsplit('@', 1)
+ if len(principal) != 2 or len(principal[1]) < 1:
+ # We didn't have a realm
+ raise koji.AuthError, 'Unparseable principal'
+ user_name, realm = principal
+ if user_name == 'WELLKNOWN/ANONYMOUS' and not context.opts.get('AllowAnonymousKrb', False):
+ raise koji.AuthError, 'Anonymous tickets not allowed'
+ if realm == 'WELLKNOWN:ANONYMOUS' and not context.opts.get('AllowAnonymousKrb', False):
+ raise koji.AuthError, 'Anonymous realm not allowed'
+ allowed_realms = context.opts.get('AllowedKrbRealms', None)
+ if allowed_realms is not None:
+ if not realm in allowed_realms.split('|'):
+ raise koji.AuthError, 'Realm %s is not allowed' %s % realm
 # check if user already exists
 c = context.cnx.cursor()
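Review bot: The realm rejection on the last added line, `raise koji.AuthError, 'Realm %s is not allowed' %s % realm`, has a stray `s` between the format string and `%`, so it parses as `('Realm %s is not allowed' % s) % realm` and, unless some `s` happens to be in scope, raises NameError rather than the intended AuthError — the request is still refused, but callers that catch AuthError to report a clean authentication failure will see an internal error instead; it should read `raise koji.AuthError, 'Realm %s is not allowed' % realm`. The membership test would also tolerate whitespace in the configured value (`EXAMPLE.COM | MYDOMAIN.COM` currently rejects every realm) if written as `if realm not in [r.strip() for r in allowed_realms.split('|')]:`. The guard after `rsplit` rejects an empty realm but not an empty primary, so a principal of the form `@EXAMPLE.COM` still creates a user with an empty name; adding `or len(principal[0]) < 1` to the same condition closes that. The docstring in the hunk's context (the `def` line itself sits above the hunk) should say that the anonymous-ticket and AllowedKrbRealms checks are enforced only here, on first-time user creation, as the commit message already notes.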