def _gssapi_authenticate(token):
    '''
    Performs GSSAPI Negotiate Authentication

    On success also stashes the server response token for mutual
    authentication at the top of request context with the name
    kerberos_token, along with the authenticated user principal with the
    name kerberos_user.

    @param token: GSSAPI Authentication Token
    @type token: str
    @returns gssapi return code or None on failure
    @rtype: int or None
    '''
    gss_state = None
    request_ctx = stack.top
    try:
        init_rc, gss_state = kerberos.authGSSServerInit(_SERVICE_NAME)
        if init_rc != kerberos.AUTH_GSS_COMPLETE:
            return None
        step_rc = kerberos.authGSSServerStep(gss_state, token)
        if step_rc == kerberos.AUTH_GSS_CONTINUE:
            # More round trips are needed; nothing is stashed yet.
            return kerberos.AUTH_GSS_CONTINUE
        if step_rc != kerberos.AUTH_GSS_COMPLETE:
            return None
        # Completed: expose the mutual-auth token and the principal to the
        # request context for the caller to use.
        request_ctx.kerberos_token = kerberos.authGSSServerResponse(gss_state)
        request_ctx.kerberos_user = kerberos.authGSSServerUserName(gss_state)
        return step_rc
    except kerberos.GSSError:
        return None
    finally:
        # Always release the server-side GSS state, on every exit path.
        if gss_state:
            kerberos.authGSSServerClean(gss_state)
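def auth_negotiate(self, auth_header, callback):
    """
    Perform Negotiate (GSSAPI/SSO) authentication via Kerberos.

    :param auth_header: Raw ``Authorization`` header value, expected as
        ``"Negotiate <base64 token>"``.
    :param callback: Invoked with the authenticated user principal once the
        GSSAPI exchange completes.  When the step does not complete the
        request is handed to ``self.auth_basic``, which presumably drives
        ``callback`` itself — confirm against that method.
    :raises tornado.web.HTTPError: 400 when the header carries no token,
        500 when Kerberos initialisation or the GSSAPI step fails.
    """
    parts = auth_header.split()
    if len(parts) < 2:
        # A bare "Negotiate" header is a client error, not a server fault.
        raise tornado.web.HTTPError(400, "Malformed Negotiate header")
    auth_str = parts[1]
    # Initialize Kerberos Context
    context = None
    try:
        result, context = kerberos.authGSSServerInit(
            self.settings['sso_service'])
        # Compare with ==, not `is`: the status codes are plain ints.
        if result != kerberos.AUTH_GSS_COMPLETE:
            raise tornado.web.HTTPError(500, "Kerberos Init failed")
        result = kerberos.authGSSServerStep(context, auth_str)
        if result != kerberos.AUTH_GSS_COMPLETE:
            # Fall back to Basic auth.  Return here so a context that never
            # completed is not asked for a user name and callback is not
            # invoked a second time.
            self.auth_basic(auth_header, callback)
            return
        gss_string = kerberos.authGSSServerResponse(context)
        self.set_header('WWW-Authenticate', f"Negotiate {gss_string}")
        # NOTE: The user we get from Negotiate is a full UPN (user@REALM)
        user = kerberos.authGSSServerUserName(context)
    except (kerberos.GSSError, pywintypes_error) as e:
        logging.error(f"Kerberos Error: {e}")
        raise tornado.web.HTTPError(500, "Kerberos Init failed")
    finally:
        # Runs on the early `return` as well; never leak GSS state.
        if context:
            kerberos.authGSSServerClean(context)
    callback(user)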
def _gssapi_authenticate(token, service_name=None):
    """
    Performs GSSAPI Negotiate Authentication

    On success also stashes the server response token for mutual
    authentication at the top of request context with the name
    kerberos_token, along with the authenticated user principal with the
    name kerberos_user.

    :param token: GSSAPI Authentication Token
    :type token: str
    :param service_name: Service name for example - "*****@*****.**"
    :type service_name: str
    :returns gssapi return code or None on failure
    :rtype: int or None
    """
    state = None
    # Fall back to the module-level service name when none is supplied.
    service_name = service_name or _service_name
    try:
        logger.debug(f'Kerberos: service name is {service_name}')
        init_rc, state = kerberos.authGSSServerInit(service_name)
        if init_rc != kerberos.AUTH_GSS_COMPLETE:
            return None
        logger.debug(f'Kerberos: state is {state}')
        step_rc = kerberos.authGSSServerStep(state, token)
        if step_rc == kerberos.AUTH_GSS_CONTINUE:
            # Negotiation is still in progress; nothing to publish yet.
            return kerberos.AUTH_GSS_CONTINUE
        if step_rc != kerberos.AUTH_GSS_COMPLETE:
            return None
        # Completed: publish the mutual-auth token and the principal via
        # the context variables for the caller.
        _kerberos_token.set(kerberos.authGSSServerResponse(state))
        _kerberos_user.set(kerberos.authGSSServerUserName(state))
        return step_rc
    except (kerberos.GSSError, pywintypes_error) as error:
        logger.debug(f'Kerberos: {error}')
        return None
    finally:
        # Release the server-side GSS state on every exit path.
        if state:
            kerberos.authGSSServerClean(state)
return base64.decodestring(stringvalue) def encodestring(bytesvalue): return base64.encodestring(bytesvalue) def b(stringvalue): return stringvalue def u(stringvalue): return stringvalue.decode("utf-8") flags=k.GSS_C_CONF_FLAG|k.GSS_C_INTEG_FLAG|k.GSS_C_MUTUAL_FLAG|k.GSS_C_SEQUENCE_FLAG errc, client = k.authGSSClientInit("test@vm-win7-kraemer", gssflags=flags) # to run a kerberos enabled server under my account i set as domain admin: # setspn -A test/vm-win7-kraemer MYDOMAIN\kraemer # (might have to wait a few minutes before all DCs in active directory pick it up) errs, server = k.authGSSServerInit("test@vm-win7-kraemer") cres = sres= k.AUTH_GSS_CONTINUE response = "" round = 0 while sres == k.AUTH_GSS_CONTINUE or cres == k.AUTH_GSS_CONTINUE: if cres == k.AUTH_GSS_CONTINUE: cres = k.authGSSClientStep(client, response) if cres == -1: print("clientstep error") break response = k.authGSSClientResponse(client) if sres == k.AUTH_GSS_CONTINUE: sres = k.authGSSServerStep(server, response) if sres == -1:
import sys # Platform-specific Kerberos requirements if sys.platform == 'win32': import kerberos_sspi as kerberos else: import kerberos flags = kerberos.GSS_C_CONF_FLAG | kerberos.GSS_C_INTEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG client_errors, client = kerberos.authGSSClientInit( "*****@*****.**", gssflags=flags) server_errors, server = kerberos.authGSSServerInit( "*****@*****.**") client_response = server_response = kerberos.AUTH_GSS_CONTINUE response = "" counter = 0 while server_response == kerberos.AUTH_GSS_CONTINUE or client_response == kerberos.AUTH_GSS_CONTINUE: if client_response == kerberos.AUTH_GSS_CONTINUE: client_response = kerberos.authGSSClientStep(client, response) if client_response == -1: print("Client step error") break response = kerberos.authGSSClientResponse(client) if server_response == kerberos.AUTH_GSS_CONTINUE: server_response = kerberos.authGSSServerStep(server, response) if server_response == -1:
def b(stringvalue): return stringvalue def u(stringvalue): return stringvalue.decode("utf-8") flags = k.GSS_C_CONF_FLAG | k.GSS_C_INTEG_FLAG | k.GSS_C_MUTUAL_FLAG | k.GSS_C_SEQUENCE_FLAG errc, client = k.authGSSClientInit("test@vm-win7-kraemer", gssflags=flags) # to run a kerberos enabled server under my account i set as domain admin: # setspn -A test/vm-win7-kraemer MYDOMAIN\kraemer # (might have to wait a few minutes before all DCs in active directory pick it up) errs, server = k.authGSSServerInit("test@vm-win7-kraemer") cres = sres = k.AUTH_GSS_CONTINUE response = "" round = 0 while sres == k.AUTH_GSS_CONTINUE or cres == k.AUTH_GSS_CONTINUE: if cres == k.AUTH_GSS_CONTINUE: cres = k.authGSSClientStep(client, response) if cres == -1: print("clientstep error") break response = k.authGSSClientResponse(client) if sres == k.AUTH_GSS_CONTINUE: sres = k.authGSSServerStep(server, response) if sres == -1: