Commit Graph

15 Commits

Author SHA1 Message Date
Martin Babinsky
f8d7e37a09 Allow login to WebUI using Kerberos aliases/enterprise principals
The logic of the extraction/validation of principal from the request and
subsequent authentication was simplified and most of the guesswork will
be done by KDC during kinit. This also allows principals from trusted
domains to login via rpcserver.

https://fedorahosted.org/freeipa/ticket/6343

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-08 15:56:11 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Christian Heimes
7fef9cbec7 Fix Python 3 bugs discovered by pylint
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.

Fix some renamed modules, module members and functions.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Martin Basti
72d5499c5a pylint: supress false positive no-member errors
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.

https://fedorahosted.org/freeipa/ticket/5615

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-02 14:57:36 +01:00
Martin Babinsky
d726da3ba2 uninstallation: more robust check for master removal from topology
When uninstalling IPA master in domain level 1 topology, the code that checks
for correct removal from topology will now consider failures to lookup host
entry in local LDAP and to obtain host TGT as a sign that the master entry was
already removed.

https://fedorahosted.org/freeipa/ticket/5584

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-21 18:12:42 +01:00
Michael Simacek
bdccebbcdb Rewrap errors in get_principal to CCacheError
Causes nicer error message when kerberos credentials are not available.

https://fedorahosted.org/freeipa/ticket/5272

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-09-22 13:29:55 +02:00
Jan Cholasta
23507e6124 Alias "unicode" to "str" under Python 3
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-09-17 11:08:43 +02:00
Michael Simacek
aad73fad60 Port from python-krbV to python-gssapi
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-08-26 09:41:36 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Jan Cholasta
77bb4b5177 Pylint cleanup.
Add more dynamic attribute info to IPATypeChecker in make-lint. Remove
unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26.

https://fedorahosted.org/freeipa/ticket/3379
2013-01-29 15:39:49 +01:00
Simo Sorce
03fc5c3d73 Fix ticket checks when using either s4u2proxy or a delegated krbtgt
When using s4u2proxy the only ticket we can access via direct krb5 calls is
the HTTP/ ticket which was saved in the ccache as evidence ticket.
This ticket is later used by GSSAPI as evidence to obtain an ldap ticket.

This works by chance, we shouldn't use calls to get_credentials just to
verify ticket expiration dates, but I realize this is a limitation of the
current krbV bindings and we have no other way around at the moment.

Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to
us. In that case the ccache will contain only a krbtgt, so as a fallback
we check that.

Checking the ldap/ ticket is never really useful. When s4u2proxy is used,
trying to check the ldap/ ticket will fail because we do not have it yet
on the first authentication before a session is estalished, and doing it
later is not useful.

When we have a krbtgt we could go and grap a ldap/ ticket directy, but
again that makes little sense. In general all tickets will have the same
expiration date (which deopends on the original krbtgt) so checking one
is sufficient.

Fixes: http://fedorahosted.org/freeipa/ticket/2472
2012-03-01 00:56:01 -05:00
John Dennis
ee780df13c Implement password based session login
* Adjust URL's
  - rename /ipa/login -> /ipa/session/login_kerberos
  - add /ipa/session/login_password

* Adjust Kerberos protection on URL's in ipa.conf

* Bump VERSION in httpd ipa.conf to pick up session changes.

* Adjust login URL in ipa.js

* Add InvalidSessionPassword to errors.py

* Rename krblogin class to login_kerberos for consistency with
  new login_password class

* Implement login_password.kinit() method which invokes
  /usr/bin/kinit as a subprocess

* Add login_password class for WSGI dispatch, accepts POST
  application/x-www-form-urlencoded user & password
  parameters. We form the Kerberos principal from the server's
  realm.

* Add function  krb5_unparse_ccache()

* Refactor code to share common code

* Clean up use of ccache names, be consistent

* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
  with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
  bind_ipa_ccache() now sets environment KRB5CCNAME variable.
  release_ipa_ccache() now clears environment KRB5CCNAME variable.

* ccache names should now support any ccache storage scheme,
  not just FILE based ccaches

* Add utilies to return HTTP status from wsgi handlers,
  use constants for HTTP status code for consistency.
  Use utilies for returning from wsgi handlers rather than
  duplicated code.

* Add KerberosSession.finalize_kerberos_acquisition() method
  so different login handlers can share common code.

* add Requires: krb5-workstation to server (server now calls kinit)

* Fix test_rpcserver.py to use new dispatch inside route() method

https://fedorahosted.org/freeipa/ticket/2095
2012-02-27 05:57:43 -05:00
John Dennis
059a90702e Implement session activity timeout
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a "rolling"
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
timeout. The expiration is still constrained by the credential
expiration in all cases. The session expiration behavior is
configurable based on the session_auth_duration_type.

* Reduced the default session_auth_duration from 1 hour to 20 minutes.

* Replaced the sesssion write_timestamp with the access_timestamp and
  update the access_timestamp whenever the session data is created,
  retrieved, or written.

* Modify set_session_expiration_time to handle both an inactivity
  timeout and a fixed duration.

* Introduce  KerberosSession as a mixin class to share session
  duration functionality with all classes manipulating session data
  with Kerberos auth. This is both the non-RPC login class and the RPC
  classes.

* Update make-lint to handle new classes.

* Added session_auth_duration_type config item.

* Updated default.conf.5 man page for new session_auth_duration_type item.

* Removed these unused config items: mount_xmlserver,
  mount_jsonserver, webui_assets_dir

https://fedorahosted.org/freeipa/ticket/2392
2012-02-27 05:55:15 -05:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
John Dennis
bba4ccb3a0 add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.
2012-02-09 13:20:45 -06:00