[frontend] fix krb auth for services
Resolves: rhbz#1380820
praiskup committed Oct 5, 2016
1 parent bf8913e commit a999c6a
Showing 1 changed file with 17 additions and 3 deletions.
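--- a/frontend/coprs_frontend/coprs/views/misc.py
+++ b/frontend/coprs_frontend/coprs/views/misc.py
@@ -51,8 +51,18 @@ def fed_raw_name(oidname):
 .replace("http://", "")
 
 
-def krb_strip_realm(fullname):
-return re.sub(r'@.*', '', fullname)
+def krb_straighten_username(krb_remote_user):
+# Input should look like 'USERNAME@REALM.TLD', strip realm.
+username = re.sub(r'@.*', '', krb_remote_user)
+
+# But USERNAME part can consist of USER/DOMAIN.TLD.
+# TODO: Do we need more clever thing here?
+username = re.sub('/', '_', username)
+
+# Based on restrictions for project name: "letters, digits, underscores,
+# dashes and dots", it is worth limitting the username here, too.
+# TODO: Store this pattern on one place.
+return username if re.match(r"^[\w.-]+$", username) else None
 
 
 @app.before_request
@@ -135,7 +145,11 @@ def krb5_login(name):
 return flask.render_template("403.html", message=nocred), 403
 
 krb_username = flask.request.environ['REMOTE_USER']
-username = krb_strip_realm(krb_username)
+app.logger.info("krb5 " + krb_username)
+username = krb_straighten_username(krb_username)
+if not username:
+message = "invalid krb5 username: " + krb_username
+return flask.render_template("403.html", message=message), 403
 
 krb_login = (
 models.Krb5Login.query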
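Review bot: In `krb_straighten_username`, replacing `/` with `_` is not a one-to-one mapping: the principals `user/host.tld@REALM` and `user_host.tld@REALM` both yield `user_host.tld`, and the realm is still discarded, so two distinct Kerberos identities can resolve to the same name. How that name is used is decided by the `Krb5Login` query in `krb5_login`, which continues past the end of the second hunk; if it is the lookup key, the collision matters for authorization, and the function deserves a comment stating which realms and principal forms are trusted. Separately, the final check uses `$`, which also matches before a trailing newline; `re.match(r"^[\w.-]+\Z", username)` closes that. The new `app.logger.info("krb5 " + krb_username)` line writes the raw `REMOTE_USER` value before it is validated; `app.logger.info("krb5 %r", krb_username)` keeps control characters out of the log.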
