URL: https://github.com/freeipa/freeipa/pull/560 Author: dkupka Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/560/head:pr560 git checkout pr560
From e9b675f2858986300fb55db6ec40a70be8ed33f1 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 9 Mar 2017 12:28:26 +0100
Subject: [PATCH] rpcserver: x509_login: Handle unsuccessful certificate login gracefully

When mod_lookup_identity is unable to match user by certificate (and username) it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos ticket and doesn't set KRB5CCNAME environment variable. x509_login.__call__ now returns 401 in such case to indicate that request was not authenticated.
https://pagure.io/freeipa/issue/6225
---
 ipaserver/rpcserver.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index fa15742..be4e391 100644
--- ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -834,6 +834,16 @@ class login_kerberos(KerberosLogin):
 class login_x509(KerberosLogin):
 key = '/session/login_x509'
+ def __call__(self, environ, start_response):
+ self.debug('WSGI login_x509.__call__:')
+
+ if 'KRB5CCNAME' not in environ:
+ return self.unauthorized(
+ environ, start_response, 'KRB5CCNAME not set',
+ 'Authentication failed')
+
+ super(login_x509, self).__call__(environ, start_response)
+
 class login_password(Backend, KerberosSession):
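Review bot: The last added statement, `super(login_x509, self).__call__(environ, start_response)`, discards the parent's result, so on the successful path `login_x509.__call__` returns None instead of the WSGI response; it should read `return super(login_x509, self).__call__(environ, start_response)`. As written, only the new 401 branch hands a response back to the server, so a valid certificate login would likely fail at the WSGI layer even though authentication succeeded. The guard also treats the mere presence of `KRB5CCNAME` in `environ` as the sign of a successful login, which holds only while the front-end modules are the sole writers of that key. A short comment above the check, e.g. `# KRB5CCNAME is set by mod_auth_gssapi only after the certificate was matched to a user`, would record that assumption for later readers.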