URL: https://github.com/freeipa/freeipa/pull/560 Author: dkupka Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully Action: opened
PR body: """ When mod_lookup_identity is unable to match user by certificate (and username) it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos ticket and doesn't set KRB5CCNAME environment variable. x509_login.__call__ now returns 401 in such case to indicate that request was not authenticated. https://pagure.io/freeipa/issue/6225 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/560/head:pr560 git checkout pr560
From e8b656116af07572a7b5bf78665e7f8a5463d49a Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 9 Mar 2017 12:28:26 +0100
Subject: [PATCH] rpcserver: x509_login: Handle unsuccessful certificate login gracefully
When mod_lookup_identity is unable to match user by certificate (and username) it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos ticket and doesn't set KRB5CCNAME environment variable. x509_login.__call__ now returns 401 in such case to indicate that request was not authenticated. https://pagure.io/freeipa/issue/6225
---
 ipaserver/rpcserver.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 65b8998..fb59296 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -832,6 +832,18 @@ class login_kerberos(KerberosLogin):
 class login_x509(KerberosLogin):
 key = '/session/login_x509'
+ def __call__(self, environ, start_response):
+ self.debug('WSGI login_x509.__call__:')
+
+ try:
+ environ['KRB5CCNAME']
+ except KeyError:
+ return self.unauthorized(
+ environ, start_response, 'KRB5CCNAME not set',
+ 'Authentication failed')
+
+ super(login_x509, self).__call__(environ, start_response)
+
 class login_password(Backend, KerberosSession):
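Review bot: The last added statement calls `super(login_x509, self).__call__(environ, start_response)` without returning its result, so on the successful path `login_x509.__call__` hands `None` back to the WSGI server instead of whatever the parent handler produced; it should read `return super(login_x509, self).__call__(environ, start_response)`. The bare `environ['KRB5CCNAME']` lookup inside `try`/`except KeyError` is used only as a presence probe and reads more clearly as `if 'KRB5CCNAME' not in environ:`; using `if not environ.get('KRB5CCNAME'):` would also reject an empty value, which the current check lets through to the parent. Because this method is the gate that turns a failed certificate match into a 401, a short comment above the check such as `# mod_auth_gssapi sets KRB5CCNAME only when the certificate was mapped to a user` would record why the variable's absence means the request is unauthenticated.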