From 24e5c0cb4563724d60448e46498d198f2a03cd67 Mon Sep 17 00:00:00 2001
From: Tomas Kopecek
Date: Mon, 20 Sep 2021 11:31:25 +0200
Subject: [PATCH] further fixes (will be squashed before merge)
---
 hub/hub.conf | 3 +++
 hub/kojixmlrpc.py | 1 +
 koji/auth.py | 6 ++++++
 www/kojiweb/index.py | 3 +++
 4 files changed, 13 insertions(+)
diff --git a/hub/hub.conf b/hub/hub.conf
index 7aabe7c6..220cab9c 100644
--- a/hub/hub.conf
+++ b/hub/hub.conf
@@ -54,6 +54,9 @@ KojiDir = /mnt/koji
 ## Other options ##
 LoginCreatesUser = On
+# Clients with ProxyPrincipals can use different method for proxying user than GSSAPI. In such case
+# it need to be explicitely allowed via ProxyAuthType.
+# ProxyAuthType = Off
 KojiWebURL = http://kojiweb.example.com/koji
 # The domain name that will be appended to Koji usernames
 # when creating email notifications
diff --git a/hub/kojixmlrpc.py b/hub/kojixmlrpc.py
index 1263c7d1..324de87e 100644
--- a/hub/kojixmlrpc.py
+++ b/hub/kojixmlrpc.py
@@ -427,6 +427,7 @@ def load_config(environ):
 ['CheckClientIP', 'boolean', True],
 ['LoginCreatesUser', 'boolean', True],
+ ['ProxyAuthType', 'boolean', False],
 ['KojiWebURL', 'string', 'http://localhost.localdomain/koji'],
 ['EmailDomain', 'string', None],
 ['NotifyOnSuccess', 'boolean', True],
diff --git a/koji/auth.py b/koji/auth.py
index f6345b0b..fd9fd4a7 100644
--- a/koji/auth.py
+++ b/koji/auth.py
@@ -324,6 +324,9 @@ class Session(object):
 value for different handling. Typical case is proxying kerberos user via web ui which itself is authenticated via SSL certificate. (See kojiweb for usage).
+
+ proxyauthtype is working only if ProxyAuthType option is set to 'On' in
+ the hub.conf
 """
 if self.logged_in:
 raise koji.AuthError("Already logged in")
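Review bot: The new comment block in hub.conf does not say what turning ProxyAuthType on actually permits, and it carries two typos (`explicitely`, `it need`). The option lets a proxying client (kojiweb in the typical case) assert that the proxied user authenticated with a mechanism other than the one the client itself logged in with, so the hub is trusting the proxy's claim about the end user's auth type; that trust decision belongs next to the `Off` default. Suggested wording: `# Proxying clients (see ProxyPrincipals) must normally proxy users with the same auth mechanism they used themselves.` / `# Set ProxyAuthType = On to let such a client assert a different mechanism for the proxied user,` / `# e.g. kojiweb authenticated via SSL certificate proxying a GSSAPI user.`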
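Review bot: `ProxyAuthType` is registered as a boolean in `load_config`, but the name reads as though it takes an auth-type value, and the `...Type` suffix mirrors the kojiweb option `WebAuthType`, which judging by the index.py hunk does name a mechanism. Since the commit message says this will be squashed before merge, now is the time to rename it to something like `AllowProxyAuthType` (keeping `'boolean'` and the `False` default) and use the same name in hub.conf and in the auth.py error message. The `False` default is the right secure default: the hub keeps rejecting proxied auth types until an administrator opts in.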
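Review bot: The added docstring sentence does not say what happens when the hub option is not set, and "is working only if" is awkward. Suggest `proxyauthtype is honoured only when the hub is configured with ProxyAuthType = On; otherwise passing it raises AuthError.`, which is what the second hunk of this file implements. The enclosing method's signature is above this hunk.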
@@ -373,6 +376,9 @@ class Session(object):
 # in this point we can continue with proxied user in same way as if it is not proxied
 if proxyauthtype is not None:
+ if not context.opts['ProxyAuthType']:
+ raise koji.AuthError("Proxy must use same auth mechanism as hub "
+ "(behaviour can be overriden via ProxyAuthType hub option)")
 if proxyauthtype not in (koji.AUTHTYPE_GSSAPI, koji.AUTHTYPE_SSL):
 raise koji.AuthError(
 "Proxied authtype %s is not valid for sslLogin" % proxyauthtype)
diff --git a/www/kojiweb/index.py b/www/kojiweb/index.py
index 4805a1b1..b5e0122e 100644
--- a/www/kojiweb/index.py
+++ b/www/kojiweb/index.py
@@ -301,6 +301,9 @@ def login(environ, page=None):
 'presenting this page')
 username = principal
+ else:
+ raise koji.AuthError(
+ 'configuration error: set WebAuthType or on of WebPrincipal/WebCert options')
 ## This now is how we proxy the user to the hub
 if options['WebCert']:
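Review bot: The new guard rejects every explicit `proxyauthtype` when the option is off, including one equal to the mechanism this login itself uses, while its message says only that the proxy "must use same auth mechanism as hub". Judging by the existing error text this is `sslLogin`, so a proxy passing `koji.AUTHTYPE_SSL` asserts nothing new and could be allowed by narrowing the check to `if proxyauthtype != koji.AUTHTYPE_SSL and not context.opts['ProxyAuthType']:`; if the stricter behaviour is intended, reword the message to say that any explicit proxyauthtype requires the option. Either way, `overriden` should be `overridden`. If the GSSAPI login path also accepts `proxyauthtype`, it needs the same gate; that code, like the start of the enclosing method, is outside this hunk.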
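Review bot: The new message has a typo, `on of` should be `one of`, and it reports an operator misconfiguration as `koji.AuthError`, which the rest of `login()` presumably surfaces to the browser as a failed login rather than as a server-side fault. Suggest `'configuration error: set WebAuthType or one of WebPrincipal/WebCert options'`, and consider raising `koji.ConfigurationError` instead so the condition is logged and handled as a deployment error rather than a credential problem. Raising at all is the right call here: falling through to the proxy code below with no username would be worse. `login()` starts before this hunk and continues after it.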