use GSS_NAME instead of REMOTE_USER for GSSAPI auth

jira: https://projects.engineering.redhat.com/browse/BST-475
2019-04-17 12:22:54 +00:00 · 2019-04-17 12:22:54 +00:00 · 4a3dc40147
commit 4a3dc40147
parent 0fa9eb08d6
3 changed files with 34 additions and 6 deletions
--- a/hub/hub.conf
+++ b/hub/hub.conf
@ -25,6 +25,8 @@ KojiDir = /mnt/koji
 ## Allowed Kerberos Realms separated by ','.
 ## Default value "*" indicates any Realm is allowed
 # AllowedKrbRealms = *
+## default realm to support multiple realms
+# DefaultRealm = EXAMPLE.COM

 ## end Kerberos auth configuration

--- a/hub/kojixmlrpc.py
+++ b/hub/kojixmlrpc.py
@ -422,6 +422,7 @@ def load_config(environ):
        ['ProxyPrincipals', 'string', ''],
        ['HostPrincipalFormat', 'string', None],
        ['AllowedKrbRealms', 'string', '*'],
+        ['DefaultRealm', 'string', None],

        ['DNUsernameComponent', 'string', 'CN'],
        ['ProxyDNs', 'string', ''],
--- a/koji/auth.py
+++ b/koji/auth.py
@ -398,8 +398,21 @@ class Session(object):
        if self.logged_in:
            raise koji.AuthError("Already logged in")

-        if context.environ.get('REMOTE_USER'):
-            username = context.environ.get('REMOTE_USER')
+        # we use GSS_NAME(krb_principal) to identify user
+        if context.environ.get('GSS_NAME'):
+            # it is kerberos principal rather than user's name.
+            username = context.environ.get('GSS_NAME')
+            # to support multipal realms, replace realm part with the default one.
+            atidx = username.find('@')
+            if atidx == -1:
+                raise koji.AuthError(
+                    'invalid Kerberos principal: %s' % username)
+            default_realm = context.opts.get('DefaultRealm')
+            if not default_realm:
+                raise koji.ConfigurationError(
+                    'DefaultRealm is not specified. Please contact the'
+                    ' administrator.')
+            username = username[:atidx] + '@' + default_realm
            client_dn = username
            authtype = koji.AUTHTYPE_GSSAPI
        else:
@ -414,17 +427,29 @@ class Session(object):
            authtype = koji.AUTHTYPE_SSL

        if proxyuser:
-            proxy_dns = [dn.strip() for dn in context.opts.get('ProxyDNs', '').split('|')]
+            if authtype == koji.AUTHTYPE_GSSAPI:
+                delimiter = ','
+                proxy_opt = 'ProxyPrincipals'
+            else:
+                delimiter = '|'
+                proxy_opt = 'ProxyDNs'
+            proxy_dns = [dn.strip() for dn in context.opts.get(proxy_opt, '').split(delimiter)]
            if client_dn in proxy_dns:
-                # the SSL-authenticated user authorized to login other users
+                # the user authorized to login other users
                username = proxyuser
            else:
                raise koji.AuthError('%s is not authorized to login other users' % client_dn)

-        user_id = self.getUserId(username)
+        if authtype == koji.AUTHTYPE_GSSAPI:
+            user_id = self.getUserIdFromKerberos(username)
+        else:
+            user_id = self.getUserId(username)
        if not user_id:
            if context.opts.get('LoginCreatesUser'):
-                user_id = self.createUser(username)
+                if authtype == koji.AUTHTYPE_GSSAPI:
+                    user_id = self.createUserFromKerberos(username)
+                else:
+                    user_id = self.createUser(username)
            else:
                raise koji.AuthError('Unknown user: %s' % username)