quantum/nginx-krbauth
1
0
Fork 0
mirror of https://github.com/quantum5/nginx-krbauth.git synced 2025-07-26 19:54:13 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add some rate limiting logic

Browse source
This commit is contained in:
Quantum 2025-07-20 17:38:02 -04:00
parent c0395eb97a
commit b9d6630b1a
2 changed files with 13 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
nginx_krbauth.py
View file

@ -11,6 +11,8 @@ from typing import Optional
import gssapi
import ldap
from flask import Flask, Response, redirect, request
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
from gssapi.exceptions import BadMechanismError, GSSError, GeneralError
from ldap.filter import escape_filter_chars
from werkzeug.routing import Rule
@ -20,6 +22,10 @@ app.logger.setLevel(logging.INFO)
app.url_map.add(Rule('/krbauth', endpoint='krbauth.auth'))
app.url_map.add(Rule('/krbauth/check', endpoint='krbauth.check'))
LIMITER_STORAGE = os.environ.get('KRBAUTH_LIMITER_STORAGE', 'memory://')
LIMITER_FREQUENCY = os.environ.get('KRBAUTH_LIMITER_FREQUENCY', '3/minute')
limiter = Limiter(get_remote_address, app=app, storage_uri=LIMITER_STORAGE)
timestamp = struct.Struct('!q')
hmac_digest = hashlib.sha512
digest_size = hmac_digest().digest_size
@ -140,7 +146,7 @@ def auth_spnego(context: Context, next_url: str) -> Response:
)
result = ldap_ctx.search_s(LDAP_SEARCH_BASE, ldap.SCOPE_SUBTREE, ldap_filter, ['cn'])
if not result:
return make_401('Failed to authenticate', krb5_name=krb5_name)
return make_401('Authentication failed', krb5_name=krb5_name)
app.logger.info('Authenticated via Kerberos as: %s, %s', krb5_name, result[0][0])
else:
app.logger.info('Authenticated via Kerberos as: %s', krb5_name)
@ -164,16 +170,16 @@ def auth_basic(context: Context, next_url: str) -> Response:
try:
ldap_ctx.bind_s(dn, password)
except ldap.INVALID_CREDENTIALS:
return make_401('Failed to authenticate to LDAP', dn=dn)
return make_401('Authentication failed', dn=dn)
if context.ldap_group:
if not ldap_ctx.search_s(dn, ldap.SCOPE_BASE, '(memberof=%s)' % (
escape_filter_chars(context.ldap_group),
)):
return make_401('Failed to authenticate to LDAP', dn=dn, group=context.ldap_group)
app.logger.info('Authenticated via LDAP as: %s in %s', dn, context.ldap_group)
return make_401('Authentication failed', dn=dn, group=context.ldap_group)
app.logger.info('Authenticated via LDAP as: %s in %s from %s', dn, context.ldap_group, request.remote_addr)
else:
app.logger.info('Authenticated via LDAP as: %s', dn)
app.logger.info('Authenticated via LDAP as: %s from %s', dn, request.remote_addr)
return auth_success(context, next_url)
@ -186,6 +192,7 @@ def check_tls() -> bool:
@app.endpoint('krbauth.auth')
@limiter.limit(LIMITER_FREQUENCY)
def auth() -> Response:
next_url = request.args.get('next', '/')
context = Context.from_request()

2
setup.py
View file

@ -9,7 +9,7 @@ setup(
name='nginx_krbauth',
version='0.0.4',
py_modules=['nginx_krbauth'],
install_requires=['flask', 'gssapi', 'python-ldap'],
install_requires=['flask', 'gssapi', 'python-ldap', 'flask-limiter'],
author='quantum',
author_email='quantum2048@gmail.com',