URL: https://github.com/freeipa/freeipa/pull/560
Author: dkupka
 Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/560/head:pr560
git checkout pr560
From e9b675f2858986300fb55db6ec40a70be8ed33f1 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 9 Mar 2017 12:28:26 +0100
Subject: [PATCH] rpcserver: x509_login: Handle unsuccessful certificate login

When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.

 ipaserver/rpcserver.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index fa15742..be4e391 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -834,6 +834,16 @@ class login_kerberos(KerberosLogin):
 class login_x509(KerberosLogin):
     key = '/session/login_x509'
+    def __call__(self, environ, start_response):
+        self.debug('WSGI login_x509.__call__:')
+        if 'KRB5CCNAME' not in environ:
+            return self.unauthorized(
+                environ, start_response, 'KRB5CCNAME not set',
+                'Authentication failed')
+        super(login_x509, self).__call__(environ, start_response)
 class login_password(Backend, KerberosSession):
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to