1) Added support for Kerberos authentication, using SPNEGO to forward the Kerberos tickets through a browser. Fixes #5457

2) Fixed incorrect log information for AUTHENTICATION_SOURCES. Fixes #5829
2025-02-25 18:55:31 -06:00 · 2021-01-14 13:46:48 +05:30
parent 9a47e574e3
commit 6ead597b43
22 changed files with 474 additions and 40 deletions
--- a/web/pgadmin/browser/init.py
+++ b/web/pgadmin/browser/init.py
@@ -29,7 +29,7 @@ from flask_security.recoverable import reset_password_token_status, \
    generate_reset_password_token, update_password
 from flask_security.signals import reset_password_instructions_sent
 from flask_security.utils import config_value, do_flash, get_url, \
-    get_message, slash_url_suffix, login_user, send_mail
+    get_message, slash_url_suffix, login_user, send_mail, logout_user
 from flask_security.views import _security, _commit, _ctx
 from werkzeug.datastructures import MultiDict

@@ -47,7 +47,8 @@ from pgadmin.utils.master_password import validate_master_password, \
    set_masterpass_check_text, cleanup_master_password, get_crypt_key, \
    set_crypt_key, process_masterpass_disabled
 from pgadmin.model import User
-from pgadmin.utils.constants import MIMETYPE_APP_JS, PGADMIN_NODE
+from pgadmin.utils.constants import MIMETYPE_APP_JS, PGADMIN_NODE,\
+    INTERNAL, KERBEROS

 try:
    from flask_security.views import default_render_json
@@ -280,7 +281,8 @@ class BrowserModule(PgAdminModule):
                'browser.check_master_password',
                'browser.set_master_password',
                'browser.reset_master_password',
-                'browser.lock_layout']
+                'browser.lock_layout'
+                ]


 blueprint = BrowserModule(MODULE_NAME, __name__)
@@ -539,6 +541,12 @@ class BrowserPluginModule(PgAdminModule):


 def _get_logout_url():
+    if config.SERVER_MODE and\
+            session['_auth_source_manager_obj']['current_source'] == \
+            KERBEROS:
+        return '{0}?next={1}'.format(url_for(
+            'authenticate.kerberos_logout'), url_for(BROWSER_INDEX))
+
    return '{0}?next={1}'.format(
        url_for('security.logout'), url_for(BROWSER_INDEX))

@@ -664,13 +672,18 @@ def index():
    auth_only_internal = False
    auth_source = []

+    session['allow_save_password'] = True
+
    if config.SERVER_MODE:
        if len(config.AUTHENTICATION_SOURCES) == 1\
-                and 'internal' in config.AUTHENTICATION_SOURCES:
+                and INTERNAL in config.AUTHENTICATION_SOURCES:
            auth_only_internal = True
        auth_source = session['_auth_source_manager_obj'][
            'source_friendly_name']

+        if session['_auth_source_manager_obj']['current_source'] == KERBEROS:
+            session['allow_save_password'] = False
+
    response = Response(render_template(
        MODULE_NAME + "/index.html",
        username=current_user.username,
@@ -1086,7 +1099,7 @@ if hasattr(config, 'SECURITY_RECOVERABLE') and config.SECURITY_RECOVERABLE:
            # Check the Authentication source of the User
            user = User.query.filter_by(
                email=form.data['email'],
-                auth_source=current_app.PGADMIN_DEFAULT_AUTH_SOURCE
+                auth_source=INTERNAL
            ).first()

            if user is None: