def _gssapi_authenticate(token):
'''
Performs GSSAPI Negotiate Authentication
On success also stashes the server response token for mutual authentication
at the top of request context with the name kerberos_token, along with the
authenticated user principal with the name kerberos_user.
@param token: GSSAPI Authentication Token
@type token: str
@returns gssapi return code or None on failure
@rtype: int or None
'''
state = None
ctx = stack.top
try:
rc, state = kerberos.authGSSServerInit(_SERVICE_NAME)
if rc != kerberos.AUTH_GSS_COMPLETE:
return None
rc = kerberos.authGSSServerStep(state, token)
if rc == kerberos.AUTH_GSS_COMPLETE:
ctx.kerberos_token = kerberos.authGSSServerResponse(state)
ctx.kerberos_user = kerberos.authGSSServerUserName(state)
return rc
elif rc == kerberos.AUTH_GSS_CONTINUE:
return kerberos.AUTH_GSS_CONTINUE
else:
return None
except kerberos.GSSError:
return None
finally:
if state:
kerberos.authGSSServerClean(state)
def _gssapi_authenticate(token):
'''
Performs GSSAPI Negotiate Authentication
On success also stashes the server response token for mutual authentication
at the top of request context with the name kerberos_token, along with the
authenticated user principal with the name kerberos_user.
@param token: GSSAPI Authentication Token
@type token: str
@returns gssapi return code or None on failure
@rtype: int or None
'''
state = None
ctx = stack.top
try:
rc, state = kerberos.authGSSServerInit(_SERVICE_NAME)
if rc != kerberos.AUTH_GSS_COMPLETE:
return None
rc = kerberos.authGSSServerStep(state, token)
if rc == kerberos.AUTH_GSS_COMPLETE:
ctx.kerberos_token = kerberos.authGSSServerResponse(state)
ctx.kerberos_user = kerberos.authGSSServerUserName(state)
return rc
elif rc == kerberos.AUTH_GSS_CONTINUE:
return kerberos.AUTH_GSS_CONTINUE
else:
return None
except kerberos.GSSError:
return None
finally:
if state:
kerberos.authGSSServerClean(state)
def auth_negotiate(self, auth_header, callback):
"""
Perform Negotiate (GSSAPI/SSO) authentication via Kerberos.
"""
auth_str = auth_header.split()[1]
# Initialize Kerberos Context
context = None
try:
result, context = kerberos.authGSSServerInit(
self.settings['sso_service'])
if result is not kerberos.AUTH_GSS_COMPLETE:
raise tornado.web.HTTPError(500, "Kerberos Init failed")
result = kerberos.authGSSServerStep(context, auth_str)
if result is kerberos.AUTH_GSS_COMPLETE:
gss_string = kerberos.authGSSServerResponse(context)
self.set_header('WWW-Authenticate', f"Negotiate {gss_string}")
else: # Fall back to Basic auth
self.auth_basic(auth_header, callback)
# NOTE: The user we get from Negotiate is a full UPN (user@REALM)
user = kerberos.authGSSServerUserName(context)
except (kerberos.GSSError, pywintypes_error) as e:
logging.error(f"Kerberos Error: {e}")
raise tornado.web.HTTPError(500, "Kerberos Init failed")
finally:
if context:
kerberos.authGSSServerClean(context)
callback(user)
def _gssapi_authenticate(token, service_name=None):
"""
Performs GSSAPI Negotiate Authentication
On success also stashes the server response token for mutual authentication
at the top of request context with the name kerberos_token, along with the
authenticated user principal with the name kerberos_user.
:param token: GSSAPI Authentication Token
:type token: str
:param service_name: Service name for example - "*****@*****.**"
:type service_name: str
:returns gssapi return code or None on failure
:rtype: int or None
"""
state = None
service_name = service_name or _service_name
try:
logger.debug(f'Kerberos: service name is {service_name}')
result, state = kerberos.authGSSServerInit(service_name)
if result != kerberos.AUTH_GSS_COMPLETE:
return None
logger.debug(f'Kerberos: state is {state}')
result = kerberos.authGSSServerStep(state, token)
if result == kerberos.AUTH_GSS_COMPLETE:
_kerberos_token.set(kerberos.authGSSServerResponse(state))
_kerberos_user.set(kerberos.authGSSServerUserName(state))
return result
elif result == kerberos.AUTH_GSS_CONTINUE:
return kerberos.AUTH_GSS_CONTINUE
else:
return None
except (kerberos.GSSError, pywintypes_error) as error:
logger.debug(f'Kerberos: {error}')
return None
finally:
if state:
kerberos.authGSSServerClean(state)
response = ""
round = 0
while sres == k.AUTH_GSS_CONTINUE or cres == k.AUTH_GSS_CONTINUE:
if cres == k.AUTH_GSS_CONTINUE:
cres = k.authGSSClientStep(client, response)
if cres == -1:
print("clientstep error")
break
response = k.authGSSClientResponse(client)
if sres == k.AUTH_GSS_CONTINUE:
sres = k.authGSSServerStep(server, response)
if sres == -1:
print( "serverstep error")
break
response = k.authGSSServerResponse(server)
print( "round:", round)
print( "server status :", sres)
print( "client status :", cres)
round += 1
if sres == k.AUTH_GSS_COMPLETE and cres == k.AUTH_GSS_COMPLETE:
print( "client: my username:"******"server: who authenticated to me:", k.authGSSServerUserName(server))
print( "server: my spn:", k.authGSSServerTargetName(server))
print( "********* encryption test ***********")
err=k.authGSSClientWrap(client, encodestring(b("Hello")))
if err == 1:
encstring=k.authGSSClientResponse(client)
print( "encstring:", encstring, encodestring(b("Hello")))
response = ""
counter = 0
while server_response == kerberos.AUTH_GSS_CONTINUE or client_response == kerberos.AUTH_GSS_CONTINUE:
if client_response == kerberos.AUTH_GSS_CONTINUE:
client_response = kerberos.authGSSClientStep(client, response)
if client_response == -1:
print("Client step error")
break
response = kerberos.authGSSClientResponse(client)
if server_response == kerberos.AUTH_GSS_CONTINUE:
server_response = kerberos.authGSSServerStep(server, response)
if server_response == -1:
print("Server step error")
break
response = kerberos.authGSSServerResponse(server)
print("Counter: ", counter)
print("Server status: ", server_response)
print("Client status: ", client_response)
counter += 1
if server_response == kerberos.AUTH_GSS_COMPLETE and client_response == kerberos.AUTH_GSS_COMPLETE:
print("client: my username:"******"server: who authenticated to me:",
kerberos.authGSSServerUserName(server))
print("server: my spn:", kerberos.authGSSServerTargetName(server))
else:
print("failed!")
response = ""
round = 0
while sres == k.AUTH_GSS_CONTINUE or cres == k.AUTH_GSS_CONTINUE:
if cres == k.AUTH_GSS_CONTINUE:
cres = k.authGSSClientStep(client, response)
if cres == -1:
print("clientstep error")
break
response = k.authGSSClientResponse(client)
if sres == k.AUTH_GSS_CONTINUE:
sres = k.authGSSServerStep(server, response)
if sres == -1:
print("serverstep error")
break
response = k.authGSSServerResponse(server)
print("round:", round)
print("server status :", sres)
print("client status :", cres)
round += 1
if sres == k.AUTH_GSS_COMPLETE and cres == k.AUTH_GSS_COMPLETE:
print("client: my username:"******"server: who authenticated to me:", k.authGSSServerUserName(server))
print("server: my spn:", k.authGSSServerTargetName(server))
print("********* encryption test ***********")
err = k.authGSSClientWrap(client, encodestring(b("Hello")))
if err == 1:
encstring = k.authGSSClientResponse(client)
print("encstring:", encstring, encodestring(b("Hello")))
