
No commits in common. "3d755031e49ed6d48a10c2098534affb264a9bd6" and "ae6fd659811ef7ca9711bf0a534ee192cb41107d" have entirely different histories.

4 changed files with 10 additions and 43 deletions


@ -3,7 +3,5 @@ max-line-length = 120
import-order-style = pycharm import-order-style = pycharm
enable-extensions = G enable-extensions = G
ignore = ignore =
# line break occurred after a binary operator W504, # line break occurred after a binary operator
W504, C814 # missing trailing comma in Python 2 only
# missing trailing comma in Python 2 only
C814


@ -89,27 +89,6 @@ the client does not support Kerberos. To use this, configure:
There should be one `%s` symbol in this string, which will be replaced by the There should be one `%s` symbol in this string, which will be replaced by the
username. username.
### TLS Client Certificate
It's also possible to use client certificates on machines that have them for
authentication purposes instead of using LDAP or Kerberos. To do this, set
the environment variable `KRBAUTH_TLS_CERT_AUTH` to `1` or `yes`.
Then, pass the WSGI environment variable `NGINX_SSL_CLIENT_VERIFY` from `nginx`,
setting it to the value of `$ssl_client_verify`, like this:
```nginx
uwsgi_param NGINX_SSL_CLIENT_VERIFY "$ssl_client_verify";
```
You most likely want to make client certificate verification optional if you
are using it with `nginx-krbauth`:
```nginx
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional;
```
## Example `nginx.conf` ## Example `nginx.conf`
```nginx ```nginx


@ -41,7 +41,6 @@ else:
gssapi_creds = None gssapi_creds = None
COOKIE_SECURE = os.environ.get('KRBAUTH_SECURE_COOKIE', '1').lower() not in ('0', 'no') COOKIE_SECURE = os.environ.get('KRBAUTH_SECURE_COOKIE', '1').lower() not in ('0', 'no')
TLS_CERT_AUTH = os.environ.get('KRBAUTH_TLS_CERT_AUTH', '0').lower() in ('1', 'yes')
class Context: class Context:
@ -57,10 +56,10 @@ class Context:
return ''.join([self.ldap_group]).encode('utf-8') return ''.join([self.ldap_group]).encode('utf-8')
def make_cookie(context: Context) -> str: def make_cookie(context: Context) -> bytes:
message = timestamp.pack(int(time.time()) + DURATION) + os.urandom(RANDOM_SIZE) + context.bytes() message = timestamp.pack(int(time.time()) + DURATION) + os.urandom(RANDOM_SIZE) + context.bytes()
signature = hmac.new(HMAC_KEY, message, hmac_digest).digest() signature = hmac.new(HMAC_KEY, message, hmac_digest).digest()
return base64.b64encode(signature + message).decode() return base64.b64encode(signature + message)
def verify_cookie(cookie: Optional[str], context: Context) -> bool: def verify_cookie(cookie: Optional[str], context: Context) -> bool:
@ -171,21 +170,12 @@ def auth_basic(context: Context, next_url: str) -> Response:
return auth_success(context, next_url) return auth_success(context, next_url)
def check_tls() -> bool:
if not TLS_CERT_AUTH:
return False
return request.environ.get('NGINX_SSL_CLIENT_VERIFY') == 'SUCCESS'
@app.endpoint('krbauth.auth') @app.endpoint('krbauth.auth')
def auth() -> Response: def auth() -> Response:
next_url = request.args.get('next', '/') next_url = request.args.get('next', '/')
context = Context.from_request() context = Context.from_request()
authorization = request.headers.get('Authorization', '') authorization = request.headers.get('Authorization', '')
if check_tls():
return auth_success(context, next_url)
if authorization.startswith('Negotiate '): if authorization.startswith('Negotiate '):
return auth_spnego(context, next_url) return auth_spnego(context, next_url)
if LDAP_USER_DN and authorization.startswith('Basic '): if LDAP_USER_DN and authorization.startswith('Basic '):
@ -196,6 +186,6 @@ def auth() -> Response:
@app.endpoint('krbauth.check') @app.endpoint('krbauth.check')
def check() -> Response: def check() -> Response:
if check_tls() or verify_cookie(request.cookies.get('krbauth'), Context.from_request()): if verify_cookie(request.cookies.get('krbauth'), Context.from_request()):
return Response(status=200) return Response(status=200)
return Response(status=401) return Response(status=401)
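Review bot: On the new side `make_cookie` is annotated `-> bytes` and returns the raw `base64.b64encode(...)` output, while `verify_cookie` on the very next line still takes `Optional[str]`, and `check()` feeds it `request.cookies.get('krbauth')`, which is text; the producer and consumer now disagree about the cookie's type. Whichever representation is intended, annotate both functions the same way and make sure the code that sets the cookie (outside this hunk) passes the matching type, otherwise the type hints mislead rather than document. A short comment on `make_cookie` such as `# cookie layout: hmac(message) || timestamp || random || context, base64-encoded` would also make the signature-then-message ordering that `verify_cookie` has to mirror explicit. Separately, `next_url = request.args.get('next', '/')` is taken from the query string unvalidated and handed to `auth_success`; if `auth_success` redirects to it, restricting the value to a relative path avoids an open redirect — `auth_success` and the rest of `auth()` lie outside the hunk, so this is inferred.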


@ -7,7 +7,7 @@ with open(os.path.join(os.path.dirname(__file__), 'README.md')) as f:
setup( setup(
name='nginx_krbauth', name='nginx_krbauth',
version='0.0.4', version='0.0.2',
py_modules=['nginx_krbauth'], py_modules=['nginx_krbauth'],
install_requires=['flask', 'gssapi', 'python-ldap'], install_requires=['flask', 'gssapi', 'python-ldap'],
@ -27,11 +27,11 @@ setup(
'Operating System :: POSIX :: Linux', 'Operating System :: POSIX :: Linux',
'Programming Language :: Python', 'Programming Language :: Python',
'Programming Language :: Python :: 3', 'Programming Language :: Python :: 3',
'Programming Language :: Python :: 3.5',
'Programming Language :: Python :: 3.6',
'Programming Language :: Python :: 3.7',
'Programming Language :: Python :: 3.8',
'Programming Language :: Python :: 3.9', 'Programming Language :: Python :: 3.9',
'Programming Language :: Python :: 3.10',
'Programming Language :: Python :: 3.11',
'Programming Language :: Python :: 3.12',
'Programming Language :: Python :: 3.13',
'Topic :: Internet :: WWW/HTTP :: HTTP Servers', 'Topic :: Internet :: WWW/HTTP :: HTTP Servers',
'Topic :: Internet :: WWW/HTTP :: WSGI :: Application', 'Topic :: Internet :: WWW/HTTP :: WSGI :: Application',
'Topic :: Security', 'Topic :: Security',