URL: https://github.com/freeipa/freeipa/pull/560
Author: dkupka
Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully
Action: opened

PR body:
"""
When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.

https://pagure.io/freeipa/issue/6225
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/560/head:pr560
git checkout pr560
From e8b656116af07572a7b5bf78665e7f8a5463d49a Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 9 Mar 2017 12:28:26 +0100
Subject: [PATCH] rpcserver: x509_login: Handle unsuccessful certificate login
 gracefully

When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.

https://pagure.io/freeipa/issue/6225
---
 ipaserver/rpcserver.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 65b8998..fb59296 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -832,6 +832,18 @@ class login_kerberos(KerberosLogin):
 class login_x509(KerberosLogin):
     key = '/session/login_x509'
 
+    def __call__(self, environ, start_response):
+        self.debug('WSGI login_x509.__call__:')
+
+        try:
+            environ['KRB5CCNAME']
+        except KeyError:
+            return self.unauthorized(
+                environ, start_response, 'KRB5CCNAME not set',
+                'Authentication failed')
+
+        super(login_x509, self).__call__(environ, start_response)
+
 
 class login_password(Backend, KerberosSession):
 
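Review bot: the last added line of `login_x509.__call__` calls `super(login_x509, self).__call__(environ, start_response)` without `return`. On the success path, when KRB5CCNAME is set, the method therefore returns None instead of the parent's response body, while the failure branch above it does return the result of `self.unauthorized(...)`. Suggest `return super(login_x509, self).__call__(environ, start_response)`. Two smaller points: the `try: environ['KRB5CCNAME']` / `except KeyError:` probe discards the value, so `if 'KRB5CCNAME' not in environ:` states the intent more directly, and a one-line comment saying that a missing KRB5CCNAME here means the certificate could not be matched to a user would keep the reason next to the check. The commit message refers to `x509_login.__call__`, but the class in this hunk is `login_x509`.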
-- 