def webathena_kerberos_login(request: HttpRequest, user_profile: UserProfile, cred: Optional[str]=REQ(default=None)) -> HttpResponse: global kerberos_alter_egos if cred is None: return json_error(_("Could not find Kerberos credential")) if not user_profile.realm.webathena_enabled: return json_error(_("Webathena login not enabled")) try: parsed_cred = ujson.loads(cred) user = parsed_cred["cname"]["nameString"][0] if user in kerberos_alter_egos: user = kerberos_alter_egos[user] assert(user == user_profile.email.split("@")[0]) ccache = make_ccache(parsed_cred) except Exception: return json_error(_("Invalid Kerberos cache")) # TODO: Send these data via (say) rabbitmq try: api_key = get_api_key(user_profile) subprocess.check_call(["ssh", settings.PERSONAL_ZMIRROR_SERVER, "--", "/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache", user, api_key, base64.b64encode(ccache).decode("utf-8")]) except Exception: logging.exception("Error updating the user's ccache") return json_error(_("We were unable to setup mirroring for you")) return json_success()
def webathena_kerberos_login(request, user_profile, cred=REQ(default=None)): # type: (HttpRequest, UserProfile, text_type) -> HttpResponse if cred is None: return json_error(_("Could not find Kerberos credential")) if not user_profile.realm.webathena_enabled: return json_error(_("Webathena login not enabled")) try: parsed_cred = ujson.loads(cred) user = parsed_cred["cname"]["nameString"][0] if user == "golem": # Hack for an mit.edu user whose Kerberos username doesn't # match what he zephyrs as user = "******" assert (user == user_profile.email.split("@")[0]) ccache = make_ccache(parsed_cred) except Exception: return json_error(_("Invalid Kerberos cache")) # TODO: Send these data via (say) rabbitmq try: subprocess.check_call([ "ssh", settings.PERSONAL_ZMIRROR_SERVER, "--", "/home/zulip/zulip/bots/process_ccache", force_str(user), force_str(user_profile.api_key), force_str(base64.b64encode(ccache)) ]) except Exception: logging.exception("Error updating the user's ccache") return json_error(_("We were unable to setup mirroring for you")) return json_success()
def webathena_kerberos_login(request, user_profile, cred=REQ(default=None)): # type: (HttpRequest, UserProfile, Text) -> HttpResponse if cred is None: return json_error(_("Could not find Kerberos credential")) if not user_profile.realm.webathena_enabled: return json_error(_("Webathena login not enabled")) try: parsed_cred = ujson.loads(cred) user = parsed_cred["cname"]["nameString"][0] if user == "golem": # Hack for an mit.edu user whose Kerberos username doesn't # match what he zephyrs as user = "******" assert(user == user_profile.email.split("@")[0]) ccache = make_ccache(parsed_cred) except Exception: return json_error(_("Invalid Kerberos cache")) # TODO: Send these data via (say) rabbitmq try: subprocess.check_call(["ssh", settings.PERSONAL_ZMIRROR_SERVER, "--", "/home/zulip/zulip/bots/process_ccache", force_str(user), force_str(user_profile.api_key), force_str(base64.b64encode(ccache))]) except Exception: logging.exception("Error updating the user's ccache") return json_error(_("We were unable to setup mirroring for you")) return json_success()
def webathena_kerberos_login(request: HttpRequest, user_profile: UserProfile, cred: Text=REQ(default=None)) -> HttpResponse: global kerberos_alter_egos if cred is None: return json_error(_("Could not find Kerberos credential")) if not user_profile.realm.webathena_enabled: return json_error(_("Webathena login not enabled")) try: parsed_cred = ujson.loads(cred) user = parsed_cred["cname"]["nameString"][0] if user in kerberos_alter_egos: user = kerberos_alter_egos[user] assert(user == user_profile.email.split("@")[0]) ccache = make_ccache(parsed_cred) except Exception: return json_error(_("Invalid Kerberos cache")) # TODO: Send these data via (say) rabbitmq try: subprocess.check_call(["ssh", settings.PERSONAL_ZMIRROR_SERVER, "--", "/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache", force_str(user), force_str(user_profile.api_key), force_str(base64.b64encode(ccache))]) except Exception: logging.exception("Error updating the user's ccache") return json_error(_("We were unable to setup mirroring for you")) return json_success()
def webathena_kerberos_login( request: HttpRequest, user_profile: UserProfile, cred: Optional[str] = REQ(default=None) ) -> HttpResponse: global kerberos_alter_egos if cred is None: return json_error(_("Could not find Kerberos credential")) if not user_profile.realm.webathena_enabled: return json_error(_("Webathena login not enabled")) try: parsed_cred = orjson.loads(cred) user = parsed_cred["cname"]["nameString"][0] if user in kerberos_alter_egos: user = kerberos_alter_egos[user] assert (user == user_profile.email.split("@")[0]) # Limit characters in usernames to valid MIT usernames # This is important for security since DNS is not secure. assert (re.match(r'^[a-z0-9_.-]+$', user) is not None) ccache = make_ccache(parsed_cred) # 'user' has been verified to contain only benign characters that won't # help with shell injection. user = mark_sanitized(user) # 'ccache' is only written to disk by the script and used as a kerberos # credential cache file. ccache = mark_sanitized(ccache) except Exception: return json_error(_("Invalid Kerberos cache")) # TODO: Send these data via (say) rabbitmq try: api_key = get_api_key(user_profile) command = [ "/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache", user, api_key, base64.b64encode(ccache).decode("utf-8"), ] subprocess.check_call([ "ssh", settings.PERSONAL_ZMIRROR_SERVER, "--", " ".join(map(shlex.quote, command)) ]) except subprocess.CalledProcessError: logging.exception("Error updating the user's ccache", stack_info=True) return json_error(_("We were unable to setup mirroring for you")) return json_success()