From 8a0c39f4dd62ffb3c6730fd4da770d775786c50e Mon Sep 17 00:00:00 2001
From: Tomas Kopecek
Date: Oct 10 2019 15:05:06 +0000
Subject: PR#1419: checking kerberos prinicipal instead of username in GSSAPI authentication
Merges #1419
https://pagure.io/koji/pull-request/1419
Fixes: #1400
https://pagure.io/koji/issue/1400
username - principal name mapping of GSSAPI authentication
---
diff --git a/hub/httpd.conf b/hub/httpd.conf
index 8a741d7..208a29c 100644
--- a/hub/httpd.conf
+++ b/hub/httpd.conf
@@ -55,3 +55,13 @@ Alias /kojifiles "/mnt/koji/"
# In this case, you will need to enable these options globally (in ssl.conf):
# SSLVerifyClient require
# SSLVerifyDepth 10
+
+# uncomment this to enable authentication via GSSAPI
+#
+# AuthType GSSAPI
+# GssapiSSLonly Off
+# GssapiLocalName Off
+# AuthName "GSSAPI Single Sign On Login"
+# GssapiCredStore keytab:/etc/koji.keytab
+# Require valid-user
+#
diff --git a/hub/hub.conf b/hub/hub.conf
index 452d023..ba365ed 100644
--- a/hub/hub.conf
+++ b/hub/hub.conf
@@ -25,6 +25,8 @@ KojiDir = /mnt/koji
## Allowed Kerberos Realms separated by ','.
## Default value "*" indicates any Realm is allowed
# AllowedKrbRealms = *
+## TODO: this option should be removed in future release
+# DisableGSSAPIProxyDNFallback = False
## end Kerberos auth configuration
diff --git a/hub/kojixmlrpc.py b/hub/kojixmlrpc.py
index 9f2dd3c..7b91e15 100644
--- a/hub/kojixmlrpc.py
+++ b/hub/kojixmlrpc.py
@@ -422,6 +422,8 @@ def load_config(environ):
['ProxyPrincipals', 'string', ''],
['HostPrincipalFormat', 'string', None],
['AllowedKrbRealms', 'string', '*'],
+ # TODO: this option should be removed in future release
+ ['DisableGSSAPIProxyDNFallback', 'boolean', False],
['DNUsernameComponent', 'string', 'CN'],
['ProxyDNs', 'string', ''],
diff --git a/koji/auth.py b/koji/auth.py
index d281319..2399698 100644
--- a/koji/auth.py
+++ b/koji/auth.py
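Review bot: The sample GSSAPI block sets `GssapiSSLonly Off` without explaining the choice, so a copy-paste deployment will accept GSSAPI logins over plain HTTP even though the surrounding comments in this file are about SSL client-certificate authentication. A one-line note next to it would make the trade-off visible, e.g. `# GssapiSSLonly Off   # set On to refuse GSSAPI authentication over plain HTTP (recommended unless the hub is TLS-only anyway)`. Alternatively ship the sample with `GssapiSSLonly On` and describe when it is safe to relax.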
@@ -398,7 +398,9 @@ class Session(object):
if self.logged_in:
raise koji.AuthError("Already logged in")
+ # we use REMOTE_USER to identify user
if context.environ.get('REMOTE_USER'):
+ # it is kerberos principal rather than user's name.
username = context.environ.get('REMOTE_USER')
client_dn = username
authtype = koji.AUTHTYPE_GSSAPI
@@ -414,17 +416,38 @@ class Session(object):
authtype = koji.AUTHTYPE_SSL
if proxyuser:
- proxy_dns = [dn.strip() for dn in context.opts.get('ProxyDNs', '').split('|')]
+ if authtype == koji.AUTHTYPE_GSSAPI:
+ delimiter = ','
+ proxy_opt = 'ProxyPrincipals'
+ else:
+ delimiter = '|'
+ proxy_opt = 'ProxyDNs'
+ proxy_dns = [dn.strip() for dn in context.opts.get(proxy_opt, '').split(delimiter)]
+
+ # backwards compatible for GSSAPI.
+ # in old way, proxy user whitelist is ProxyDNs.
+ # TODO: this should be removed in future release
+ if authtype == koji.AUTHTYPE_GSSAPI and not context.opts.get(
+ 'DisableGSSAPIProxyDNFallback', False):
+ proxy_dns += [dn.strip() for dn in
+ context.opts.get('ProxyDNs', '').split('|')]
+
if client_dn in proxy_dns:
- # the SSL-authenticated user authorized to login other users
+ # the user authorized to login other users
username = proxyuser
else:
raise koji.AuthError('%s is not authorized to login other users' % client_dn)
- user_id = self.getUserId(username)
+ if authtype == koji.AUTHTYPE_GSSAPI and '@' in username:
+ user_id = self.getUserIdFromKerberos(username)
+ else:
+ user_id = self.getUserId(username)
if not user_id:
if context.opts.get('LoginCreatesUser'):
- user_id = self.createUser(username)
+ if authtype == koji.AUTHTYPE_GSSAPI and '@' in username:
+ user_id = self.createUserFromKerberos(username)
+ else:
+ user_id = self.createUser(username)
else:
raise koji.AuthError('Unknown user: %s' % username)
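Review bot: In the `if proxyuser:` branch of the second hunk, an unset `ProxyPrincipals` (its default in load_config is `''`) makes `''.split(',')` return `['']`, so `proxy_dns` always contains an empty-string whitelist entry; this is only harmless for GSSAPI because `client_dn` is taken from a truthy `REMOTE_USER` in the first hunk, and the `ProxyDNs` fallback list built a few lines later has the same property. Dropping blanks keeps the whitelist explicit: `proxy_dns = [dn.strip() for dn in context.opts.get(proxy_opt, '').split(delimiter) if dn.strip()]`, with the same filter on the fallback comprehension. Separately, the new `getUserIdFromKerberos`/`createUserFromKerberos` path does not visibly check the principal's realm against the `AllowedKrbRealms` option added to the same config table; unless those helpers enforce it, a principal from any realm the keytab trusts is auto-created when `LoginCreatesUser` is set, so a comment such as `# realm restriction (AllowedKrbRealms) is expected to be enforced by the *FromKerberos helpers — TODO confirm` would help the next reader. The enclosing method starts before the first hunk.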