Redirects cause mutual authentication to fail #12

Closed
bewing opened this issue Feb 11, 2019 · 2 comments
bewing commented Feb 11, 2019

If you have a server that issues a redirect to another page (e.g., Gitlab EE has a specific page to handle authenticating Kerberos and creating a session), requests-gssapi will attempt to authenticate both the original 302 and the page that is returned. This will either cause a failure because the context is already complete, or a failure because the second page doesn't process the challenge and return another token.

This appears to be related to requests/requests-kerberos#64

import logging

import requests  # not imported in the posted snippet, but used below
import requests_gssapi

logger = logging.getLogger(__name__)
logging.basicConfig(level=logging.DEBUG)

r = requests.get(
    "http://localhost.localdomain/auth/spnego",
    auth=requests_gssapi.HTTPSPNego(),
    verify=False)
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost.localdomain:80
DEBUG:urllib3.connectionpool:http://localhost.localdomain:80 "GET /auth/spnego HTTP/1.1" 401 1524
DEBUG:requests_gssapi.gssapi_:handle_401(): Handling: 401
DEBUG:requests_gssapi.gssapi_:authenticate_user(): Authorization header: Negotiate <redacted>
DEBUG:urllib3.connectionpool:http://localhost.localdomain:80 "GET /auth/spnego HTTP/1.1" 302 0
DEBUG:requests_gssapi.gssapi_:authenticate_user(): returning <Response [302]>
DEBUG:requests_gssapi.gssapi_:handle_401(): returning <Response [302]>
DEBUG:requests_gssapi.gssapi_:handle_response(): returning <Response [302]>
DEBUG:requests_gssapi.gssapi_:handle_response() has seen 0 401 responses
DEBUG:requests_gssapi.gssapi_:handle_other(): Handling: 302
DEBUG:requests_gssapi.gssapi_:handle_other(): Authenticating the server
DEBUG:requests_gssapi.gssapi_:authenticate_server(): Authenticate header: <redacted>
DEBUG:requests_gssapi.gssapi_:authenticate_server(): returning <Response [302]>
DEBUG:requests_gssapi.gssapi_:handle_other(): returning <Response [302]>
DEBUG:requests_gssapi.gssapi_:handle_response(): returning <Response [302]>
DEBUG:urllib3.connectionpool:http://localhost.localdomain:80 "GET /admin/ HTTP/1.1" 302 226
DEBUG:requests_gssapi.gssapi_:handle_other(): Handling: 302
ERROR:requests_gssapi.gssapi_:handle_other(): Mutual authentication failed
Traceback (most recent call last):
  File "/home/bewing/.PyCharm2018.2/config/scratches/scratch_4.py", line 14, in <module>
    verify=False)
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests/sessions.py", line 668, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests/sessions.py", line 668, in <listcomp>
    history = [resp for resp in gen] if allow_redirects else []
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests/sessions.py", line 247, in resolve_redirects
    **adapter_kwargs
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests/sessions.py", line 653, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests_gssapi/gssapi_.py", line 288, in handle_response
    _r = self.handle_other(response)
  File "/home/bewing/.pyenv/versions/3.6.6/envs/requests-gssapi/lib/python3.6/site-packages/requests_gssapi/gssapi_.py", line 240, in handle_other
    "Unable to authenticate {0}".format(response))
requests_gssapi.exceptions.MutualAuthenticationError: Unable to authenticate <Response [302]>

Process finished with exit code 1
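The log above shows the response hook running once per hop: the 302 that answers the authenticated GET carries a server token, but the follow-up 302 from /admin/ does not, and with mutual authentication required the second hop is what raises MutualAuthenticationError. The following is an added, constructed model of that flow (it is not requests-gssapi code and uses no GSSAPI); the `sent_negotiate` flag, the `per_hop` switch and the `Hop` type are hypothetical, and it assumes the hook can tell whether the request a response answers carried the client's Negotiate token.

```python
from dataclasses import dataclass, field

# Constructed model (not requests-gssapi code) of the per-response hook flow in the log above.
REQUIRED, OPTIONAL, DISABLED = "required", "optional", "disabled"

class MutualAuthenticationError(Exception):
    pass

@dataclass
class Hop:
    # sent_negotiate (hypothetical): did the request this response answers carry our Negotiate token?
    status: int
    url: str
    headers: dict = field(default_factory=dict)
    sent_negotiate: bool = False

def server_token_present(hop):
    """Stand-in for the GSSAPI context step: a non-empty 'Negotiate <token>' header."""
    value = hop.headers.get("WWW-Authenticate", "")
    parts = value.split(" ", 1)
    return parts[0] == "Negotiate" and len(parts) == 2 and parts[1] != ""

def handle_hop(hop, mode, per_hop=True):
    """One hook invocation. per_hop=True reproduces the issue: every non-401
    response, redirect hops included, must carry a verifiable server token."""
    if hop.status == 401:
        return "challenge"          # handler would attach a token and resend
    if mode == DISABLED:
        return "ok"                 # the workaround recommended in the thread
    if not per_hop and not hop.sent_negotiate:
        return "skipped"            # hop never carried our token, so no server token is due
    if server_token_present(hop):
        return "verified"
    if mode == OPTIONAL:
        return "unverified"
    raise MutualAuthenticationError(f"Unable to authenticate <Response [{hop.status}]> {hop.url}")

def run(hops, mode=REQUIRED, per_hop=True):
    return [handle_hop(h, mode, per_hop) for h in hops]

# Constructed hops mirroring the log: the 401 challenge, the 302 that answers the
# authenticated GET (carries a server token), then the /admin/ 302 with no token.
HOPS = [
    Hop(401, "/auth/spnego", {"WWW-Authenticate": "Negotiate"}),
    Hop(302, "/auth/spnego", {"WWW-Authenticate": "Negotiate <constructed-token>"}, True),
    Hop(302, "/admin/"),
]
```

With `per_hop=True` and REQUIRED, `run(HOPS)` raises on the /admin/ hop exactly as in the traceback; `DISABLED` is the mode frozencemetery suggests below, and `per_hop=False` shows that verifying only the hop that carried the client token would also avoid the failure.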
frozencemetery (Member) commented:

Analysis conducted by the requests-kerberos folks suggests this is inherent in the requests model. Unfortunately I'm not aware of anything that makes our codebase different in this regard.

It's probably best to turn off mutual authentication here. This shouldn't be any risk if you're over TLS already.

ernestask added a commit to abrt/retrace-server that referenced this issue Oct 7, 2019
This also explicitly disables mutual authentication, which seems to be
causing issues with redirects to /start and friends.

Context:
  https://fedoraproject.org/wiki/Changes/kerberos-in-python-modernization
  requests/requests-kerberos#64
  pythongssapi/requests-gssapi#12
  pythongssapi/requests-gssapi@498da2e

Fixes #263

Signed-off-by: Ernestas Kulik <ekulik@redhat.com>
mkutlak pushed a commit to abrt/retrace-server that referenced this issue Oct 7, 2019
frozencemetery (Member) commented:

Closing since mutual auth is disabled by default now, and I can't do anything else about it.
