Beispiel #1
    def __call__(self, environ, start_response):
        '''
        Serve one WSGI request under the credential cache named by KRB5CCNAME.

        The ccache name is read from the WSGI environment, a context is
        created around it, and the request is delegated to the parent class.
        A PublicError raised while doing so is marshalled into the body and
        sent with HTTP_STATUS_SUCCESS.  destroy_context() runs whether the
        delegated call succeeded or raised.
        '''
        logger.debug('KerberosWSGIExecutioner.__call__:')
        # Request headers reach a WSGI application under HTTP_-prefixed keys,
        # so this key is set on the server side (presumably by the web
        # server's Kerberos authentication module -- confirm), not directly
        # by a client header.
        ccache_name = environ.get('KRB5CCNAME')

        content_type_header = (
            'Content-Type', '%s; charset=utf-8' % self.content_type)
        # NOTE(review): the per-request header list is stored on the instance
        # via object.__setattr__, presumably because normal attribute
        # assignment is restricted on this class.  If one instance serves
        # concurrent requests, this list is shared state -- confirm.
        object.__setattr__(self, 'headers', [content_type_header])

        if ccache_name is None:
            status = HTTP_STATUS_SERVER_ERROR
            detail = ('KerberosWSGIExecutioner.__call__: '
                      'KRB5CCNAME not defined in HTTP request environment')
            logger.error('%s: %s', status, detail)
            # NOTE(review): status is only logged here; start_response is not
            # called on this path and the marshalled error is returned bare,
            # whereas the PublicError path below wraps it in a list.
            return self.marshal(None, CCacheError())

        try:
            self.create_context(ccache=ccache_name)
            response = super(KerberosWSGIExecutioner, self).__call__(
                environ, start_response)
        except PublicError as err:
            status = HTTP_STATUS_SUCCESS
            # This value is never returned: the branch returns the marshalled
            # error below.
            response = status.encode('utf-8')
            start_response(status, self.headers)
            return [self.marshal(None, err)]
        finally:
            # Runs on success and on every exception, so the context created
            # above does not outlive the request.
            destroy_context()
        return response
Beispiel #2
    def __call__(self, environ, start_response):
        '''
        Serve one WSGI request under the credential cache named by KRB5CCNAME.

        After the parent class has handled the request, and when the context
        carries no session_data and the environment context is not 'lite',
        finalize_kerberos_acquisition() is called with the ccache name and the
        response headers.  A PublicError is marshalled into the body and sent
        with HTTP_STATUS_SUCCESS.  destroy_context() always runs.
        '''
        self.debug('KerberosWSGIExecutioner.__call__:')
        # Request headers reach a WSGI application under HTTP_-prefixed keys,
        # so this key is set on the server side (presumably by the web
        # server's Kerberos authentication module -- confirm), not directly
        # by a client header.
        ccache_name = environ.get('KRB5CCNAME')

        content_type = '%s; charset=utf-8' % self.content_type
        headers = [('Content-Type', content_type)]

        if ccache_name is None:
            status = HTTP_STATUS_SERVER_ERROR
            detail = ('KerberosWSGIExecutioner.__call__: '
                      'KRB5CCNAME not defined in HTTP request environment')
            self.log.error('%s: %s', status, detail)
            # NOTE(review): status is only logged here; start_response is not
            # called on this path before the marshalled error is returned.
            return self.marshal(None, CCacheError())

        try:
            self.create_context(ccache=ccache_name)
            response = super(KerberosWSGIExecutioner, self).__call__(
                environ, start_response)
            no_session = getattr(context, 'session_data', None) is None
            if no_session and self.env.context != 'lite':
                # NOTE(review): start_response is handed over a second time
                # after the parent call has already received it; what
                # finalize_kerberos_acquisition does with it is not visible
                # here -- confirm.
                self.finalize_kerberos_acquisition(
                    'xmlserver', ccache_name, environ, start_response,
                    headers)
        except PublicError as err:
            status = HTTP_STATUS_SUCCESS
            # This value is never returned: the branch returns the marshalled
            # error below.
            response = status
            start_response(status, headers)
            return self.marshal(None, err)
        finally:
            # Runs on success and on every exception, so the context created
            # above does not outlive the request.
            destroy_context()
        return response
Beispiel #3
    def __call__(self, environ, start_response):
        '''
        Serve one XML request under the credential cache named by KRB5CCNAME.

        The ccache name is read from the WSGI environment, a context is
        created around it and the request is delegated to the parent class.
        When the context carries no session_data and the environment context
        is not 'lite', finalize_kerberos_acquisition() is called.  A
        PublicError is marshalled into the body and sent with
        HTTP_STATUS_SUCCESS.

        NOTE(review): as listed, this method has no ``finally`` that calls
        destroy_context() and no return statement on the success path, so the
        context created here is not torn down and the success path returns
        None.  The listing may be truncated -- check against the full source.
        '''

        self.debug('WSGI xmlserver.__call__:')
        # Request headers reach a WSGI application under HTTP_-prefixed keys,
        # so this key is set on the server side (presumably by the web
        # server's Kerberos authentication module -- confirm), not directly
        # by a client header.
        user_ccache = environ.get('KRB5CCNAME')
        headers = [('Content-Type', 'text/xml; charset=utf-8')]
        if user_ccache is None:
            # internal_error receives start_response; presumably it sends the
            # error status itself -- confirm.
            self.internal_error(
                environ, start_response,
                'xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment'
            )
            return self.marshal(None, CCacheError())
        try:
            self.create_context(ccache=user_ccache)
            response = super(xmlserver, self).__call__(environ, start_response)
            # Only requests without session data, outside the 'lite' context,
            # go through finalize_kerberos_acquisition.
            if getattr(context, 'session_data', None) is None and \
              self.env.context != 'lite':
                self.finalize_kerberos_acquisition('xmlserver', user_ccache,
                                                   environ, start_response,
                                                   headers)
        # Python 2 exception syntax; this listing does not parse on Python 3.
        except PublicError, e:
            status = HTTP_STATUS_SUCCESS
            # This value is never returned: the branch returns the marshalled
            # error below.
            response = status
            start_response(status, headers)
            return self.marshal(None, e)
Beispiel #4
    def __call__(self, environ, start_response):
        '''
        Serve one WSGI request under the credential cache named by KRB5CCNAME.

        Builds the response headers (adding an IPASESSION header when the
        context carries a logout_cookie), creates a context around the ccache
        and delegates to the parent class.  A PublicError is marshalled into
        the body and sent with HTTP_STATUS_SUCCESS.  destroy_context() always
        runs once the try block has been entered.
        '''
        self.debug('KerberosWSGIExecutioner.__call__:')
        # Request headers reach a WSGI application under HTTP_-prefixed keys,
        # so this key is set on the server side (presumably by the web
        # server's Kerberos authentication module -- confirm), not directly
        # by a client header.
        ccache_name = environ.get('KRB5CCNAME')

        content_type = '%s; charset=utf-8' % self.content_type
        # NOTE(review): the per-request header list lives on the instance.  If
        # one instance serves concurrent requests, the IPASESSION value added
        # below would be visible to the other requests -- confirm.
        self.headers = [('Content-Type', content_type)]

        if ccache_name is None:
            status = HTTP_STATUS_SERVER_ERROR
            detail = ('KerberosWSGIExecutioner.__call__: '
                      'KRB5CCNAME not defined in HTTP request environment')
            self.log.error('%s: %s', status, detail)
            # NOTE(review): status is only logged here; start_response is not
            # called on this path before the marshalled error is returned.
            return self.marshal(None, CCacheError())

        # NOTE(review): logout_cookie is read before create_context() runs,
        # so it was placed on the context earlier; confirm destroy_context()
        # clears it so a value cannot carry over to a later request.
        cookie = getattr(context, 'logout_cookie', None)
        if cookie:
            self.headers.append(('IPASESSION', cookie))

        try:
            self.create_context(ccache=ccache_name)
            response = super(KerberosWSGIExecutioner, self).__call__(
                environ, start_response)
        except PublicError as err:
            status = HTTP_STATUS_SUCCESS
            # This value is never returned: the branch returns the marshalled
            # error below.
            response = status.encode('utf-8')
            start_response(status, self.headers)
            return self.marshal(None, err)
        finally:
            # Runs on success and on every exception, so the context created
            # above does not outlive the request.
            destroy_context()
        return response
Beispiel #5
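    def kinit(self, user, realm, password, ccache_name):
        '''
        Obtain credentials for ``user`` with ``password`` into ``ccache_name``.

        A temporary "armor" credential cache is first filled from the HTTP
        service keytab and handed to the password kinit as FAST armor, which
        enables OTP authentication.  The armor cache is destroyed afterwards,
        whether or not the password kinit succeeded.

        Raises:
            CCacheError: the armor ccache could not be obtained.
            PasswordExpired, KrbPrincipalExpired, UserLocked: the password
                kinit failed with the corresponding kinit message.
            InvalidSessionPassword: any other RuntimeError from the password
                kinit.
        '''
        # get http service ccache as an armor for FAST to enable OTP authentication
        armor_principal = str(
            krb5_format_service_principal_name('HTTP', self.api.env.host,
                                               realm))
        keytab = paths.IPA_KEYTAB
        # NOTE(review): user is interpolated into the cache file name as
        # given; presumably the caller has validated it -- confirm it cannot
        # contain path separators.  The name is the same for every login of
        # one user, so concurrent logins share this file.
        armor_name = "%sA_%s" % (krbccache_prefix, user)
        armor_path = os.path.join(krbccache_dir, armor_name)

        # Only principal and paths are logged; the password is not.
        self.debug('Obtaining armor ccache: principal=%s keytab=%s ccache=%s',
                   armor_principal, keytab, armor_path)

        try:
            ipautil.kinit_keytab(armor_principal, keytab, armor_path)
        except gssapi.exceptions.GSSError as e:
            raise CCacheError(message=unicode(e))

        # Format the user as a kerberos principal
        principal = krb5_format_principal_name(user, realm)

        try:
            ipautil.kinit_password(principal,
                                   password,
                                   ccache_name,
                                   armor_ccache_name=armor_path)
        except RuntimeError as e:
            # The failure reason is recognised by substring match on the
            # error text.  NOTE(review): this depends on the exact wording
            # kinit emits, which may vary with locale or version -- confirm
            # the environment pins it.
            error_text = str(e)
            if ('kinit: Cannot read password while '
                    'getting initial credentials') in error_text:
                raise PasswordExpired(principal=principal, message=unicode(e))
            elif ('kinit: Client\'s entry in database'
                  ' has expired while getting initial credentials'
                  ) in error_text:
                raise KrbPrincipalExpired(principal=principal,
                                          message=unicode(e))
            elif ('kinit: Clients credentials have been revoked '
                  'while getting initial credentials') in error_text:
                raise UserLocked(principal=principal, message=unicode(e))
            raise InvalidSessionPassword(principal=principal,
                                         message=unicode(e))
        finally:
            # The armor cache holds credentials obtained from the HTTP service
            # keytab.  Destroy it on the failure path as well, so a rejected
            # login does not leave it on disk.
            self.debug('Cleanup the armor ccache')
            ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
                        env={'KRB5CCNAME': armor_path},
                        raiseonerr=False)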
Beispiel #6
    def __call__(self, environ, start_response):
        '''
        Serve one JSON request under the credential cache named by KRB5CCNAME.

        Without a ccache name in the WSGI environment, internal_error() is
        invoked and a marshalled CCacheError is returned.  Otherwise a context
        is created around the ccache, the parent class handles the request,
        and destroy_context() runs once that call returns or raises.
        '''
        self.debug('WSGI jsonserver_kerb.__call__:')

        # Request headers reach a WSGI application under HTTP_-prefixed keys,
        # so this key is set on the server side (presumably by the web
        # server's Kerberos authentication module -- confirm), not directly
        # by a client header.
        ccache_name = environ.get('KRB5CCNAME')
        if ccache_name is None:
            reason = ('jsonserver_kerb.__call__: '
                      'KRB5CCNAME not defined in HTTP request environment')
            # internal_error receives start_response; presumably it sends the
            # error status itself -- confirm.
            self.internal_error(environ, start_response, reason)
            return self.marshal(None, CCacheError())

        # NOTE(review): create_context() sits outside the try block, so if it
        # raises part-way destroy_context() is not called -- confirm that it
        # cannot leave a partially built context behind.
        self.create_context(ccache=ccache_name)

        try:
            return super(jsonserver_kerb, self).__call__(
                environ, start_response)
        finally:
            # Tear the context down whether the parent call returned or raised.
            destroy_context()