[api] Introduce a configuration option to enable and disable kerberos…

… mode easily Before this was handled via the principal configuration. With this change OBS admins can keep the principal configuration and use the 'kerberos_mode' flag instead.
openSUSE · Apr 19, 2017 · f828d0c · f828d0c
1 parent 77644b3
commit f828d0c
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 11 deletions.
diff --git a/src/api/app/controllers/application_controller.rb b/src/api/app/controllers/application_controller.rb
@@ -306,7 +306,7 @@ def gather_exception_defaults(opt)
 
     if @status == 401
       unless response.headers["WWW-Authenticate"]
-        if CONFIG['kerberos_service_principal']
+        if CONFIG['kerberos_mode']
           response.headers["WWW-Authenticate"] = 'Negotiate'
         else
           response.headers["WWW-Authenticate"] = 'basic realm="API login"'

diff --git a/src/api/app/controllers/webui/webui_controller.rb b/src/api/app/controllers/webui/webui_controller.rb
@@ -104,7 +104,7 @@ def valid_xml_id(rawid)
   protected
 
   def require_login
-    if CONFIG['kerberos_service_principal']
+    if CONFIG['kerberos_mode']
       kerberos_auth
     else
       if User.current.nil? || User.current.is_nobody?
@@ -165,7 +165,7 @@ def authenticator
   end
 
   def kerberos_auth
-    return true unless CONFIG['kerberos_service_principal'] && (User.current.nil? || User.current.is_nobody?)
+    return true unless CONFIG['kerberos_mode'] && (User.current.nil? || User.current.is_nobody?)
 
     authorization = authenticator.authorization_infos || []
     if authorization[0].to_s != "Negotiate"

diff --git a/src/api/app/helpers/webui/webui_helper.rb b/src/api/app/helpers/webui/webui_helper.rb
@@ -379,7 +379,7 @@ def possibly_empty_ul(html_opts, &block)
   end
 
   def can_register
-    return false if CONFIG['kerberos_service_principal']
+    return false if CONFIG['kerberos_mode']
     return true if User.current.try(:is_admin?)
 
     begin

diff --git a/src/api/config/options.yml.example b/src/api/config/options.yml.example
@@ -34,11 +34,6 @@ frontend_protocol: https
 #external_frontend_port: 443
 #external_frontend_protocol: https
 
-# Kerberos authentication
-#kerberos_keytab: "/etc/krb5.keytab"
-#kerberos_service_principal: "HTTP/hostname.example.com@EXAMPLE.COM"
-#kerberos_realm: "EXAMPLE.COM"
-
 extended_backend_log: false
 
 # proxy_auth_mode can be :off, :on or :simulate
@@ -50,6 +45,16 @@ proxy_auth_mode: :off
 proxy_auth_test_user: coolguy
 proxy_auth_test_email: coolguy@example.com
 
+### Kerberos configuration
+
+# can be true or false
+kerberos_mode: false
+
+#kerberos_keytab: "/etc/krb5.keytab"
+#kerberos_service_principal: "HTTP/hostname.example.com@EXAMPLE.COM"
+#kerberos_realm: "EXAMPLE.COM"
+
+
 #schema_location
 
 #version

diff --git a/src/api/lib/authenticator.rb b/src/api/lib/authenticator.rb
@@ -104,6 +104,10 @@ def authorization_infos
   def initialize_krb_session
     principal = CONFIG['kerberos_service_principal']
 
+    if principal.blank?
+      raise AuthenticationRequiredError, 'Kerberos configuration is broken. Principal is empty.'
+    end
+
     unless CONFIG['kerberos_realm']
       CONFIG['kerberos_realm'] = principal.rpartition("@")[2]
     end
@@ -202,13 +206,12 @@ def extract_proxy_user
 
   def extract_auth_user
     authorization = authorization_infos
-
     # privacy! logger.debug( "AUTH: #{authorization.inspect}" )
     if authorization
       # logger.debug( "AUTH2: #{authorization}" )
       if authorization[0] == "Basic"
         extract_basic_user authorization
-      elsif authorization[0] == "Negotiate" && CONFIG['kerberos_service_principal']
+      elsif authorization[0] == "Negotiate" && CONFIG['kerberos_mode']
         extract_krb_user authorization
       else
         Rails.logger.debug "Unsupported authentication string '#{authorization[0]}' received."