quantum/nginx-krbauth
1
0
Fork 0
mirror of https://github.com/quantum5/nginx-krbauth.git synced 2025-07-26 19:54:13 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add some hardening

Browse source
This commit is contained in:
Quantum 2025-07-20 16:22:05 -04:00
parent 3d755031e4
commit 5557530ff9
1 changed files with 10 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
nginx_krbauth.py
View file

@ -12,6 +12,7 @@ import gssapi
import ldap
from flask import Flask, Response, redirect, request
from gssapi.exceptions import BadMechanismError, GSSError, GeneralError
from ldap.filter import escape_filter_chars
from werkzeug.routing import Rule
app = Flask(__name__)
@ -132,10 +133,13 @@ def auth_spnego(context: Context, next_url: str) -> Response:
ldap_ctx = ldap.initialize(LDAP_SERVER)
if LDAP_BIND_DN and LDAP_BIND_AUTHTOK:
ldap_ctx.bind_s(LDAP_BIND_DN, LDAP_BIND_AUTHTOK, ldap.AUTH_SIMPLE)
ldap_filter = '(&(memberOf=%s)(krbPrincipalName=%s))' % (context.ldap_group, krb5_name)
ldap_filter = '(&(memberOf=%s)(krbPrincipalName=%s))' % (
escape_filter_chars(context.ldap_group),
escape_filter_chars(krb5_name),
)
result = ldap_ctx.search_s(LDAP_SEARCH_BASE, ldap.SCOPE_SUBTREE, ldap_filter, ['cn'])
if not result:
return make_401('Did not find LDAP group member', krb5_name=krb5_name)
return make_401('Failed to authenticate', krb5_name=krb5_name)
app.logger.info('Authenticated via Kerberos as: %s, %s', krb5_name, result[0][0])
else:
app.logger.info('Authenticated via Kerberos as: %s', krb5_name)
@ -162,8 +166,10 @@ def auth_basic(context: Context, next_url: str) -> Response:
return make_401('Failed to authenticate to LDAP', dn=dn)
if context.ldap_group:
if not ldap_ctx.search_s(dn, ldap.SCOPE_BASE, '(memberof=%s)' % (context.ldap_group,)):
return make_401('Did not find LDAP group member', dn=dn, group=context.ldap_group)
if not ldap_ctx.search_s(dn, ldap.SCOPE_BASE, '(memberof=%s)' % (
escape_filter_chars(context.ldap_group),
)):
return make_401('Failed to authenticate to LDAP', dn=dn, group=context.ldap_group)
app.logger.info('Authenticated via LDAP as: %s in %s', dn, context.ldap_group)
else:
app.logger.info('Authenticated via LDAP as: %s', dn)