[Calypso] [PATCH 3/3] Add GSSAPI/Kerberos authentication via Negotiate
Guido Günther
agx at sigxcpu.org
Fri Apr 8 15:42:40 PDT 2016
When the service name is set via the servicename config option and
pykerberos is installed allow authentication via the negotiate header.
Since this is not using basic auth and its on top of all other
authenciation schemes its not implemented as an acl module. This will
also allow us to make the whole negotiate auth be connection based in
the future.
The current code results in the user being "user at REALM" so in case of
using "acl.personal=True" the directories need to be name like this as
well so we want to add a user to principal mapping at one point.
This has been succesfully tested with iceowl.
---
README | 22 ++++++++++++
calypso/__init__.py | 42 ++++++++++++++++------
calypso/acl/nopwd.py | 2 +-
calypso/gssapi.py | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 152 insertions(+), 12 deletions(-)
create mode 100644 calypso/gssapi.py
diff --git a/README b/README
index 11a8c23..f79d693 100644
--- a/README
+++ b/README
@@ -60,3 +60,25 @@ Given a set of files with VCALENDAR or VCARD entries, you can import them with:
$ calypso --import private/test <filenames...>
This will update any changed entries and add any new ones.
+
+Kerberos via GSSAPI support
+---------------------------
+For Kerberos authentication generate a keytab on your KDC and put the
+exported keytab on your calypso server into */etc/krb.keytab* so it
+looks like:
+
+ # ktutil -k /etc/krb5.keytab list
+ /etc/krb5.keytab:
+
+ Vno Type Principal Aliases
+ 1 aes256-cts-hmac-sha1-96 HTTP/foo.example.com at EXAMPLE.COM
+ 1 des3-cbc-sha1 HTTP/foo.example.com at EXAMPLE.COM
+ 1 arcfour-hmac-md5 HTTP/foo.example.com at EXAMPLE.COM
+
+the put the service name to use into ~/.config/calypso/config:
+
+ [server]
+ servicename=HTTP at foo.example.com
+
+and install the pykerberos module. You should then be able to authenticate
+via Kerberos using GSSAPI.
diff --git a/calypso/__init__.py b/calypso/__init__.py
index 38a08d7..40987dd 100644
--- a/calypso/__init__.py
+++ b/calypso/__init__.py
@@ -53,13 +53,14 @@ except ImportError:
import BaseHTTPServer as server
# pylint: enable=F0401
-from . import acl, config, webdav, xmlutils, paths
+from . import acl, config, webdav, xmlutils, paths, gssapi
log = logging.getLogger()
ch = logging.StreamHandler()
formatter = logging.Formatter("%(message)s")
ch.setFormatter (formatter)
log.addHandler(ch)
+negotiate = gssapi.Negotiate(log)
VERSION = "1.5"
@@ -67,25 +68,29 @@ def _check(request, function):
"""Check if user has sufficient rights for performing ``request``."""
# ``_check`` decorator can access ``request`` protected functions
# pylint: disable=W0212
+ owner = user = password = None
+ negotiate_success = False
- authorization = request.headers.get("Authorization", None)
- if authorization:
- challenge = authorization.lstrip("Basic").strip().encode("ascii")
- plain = request._decode(base64.b64decode(challenge))
- user, password = plain.split(":")
- else:
- user = password = None
-
- owner = None
if request._collection:
owner = request._collection.owner
+ authorization = request.headers.get("Authorization", None)
+ if authorization:
+ if authorization.startswith("Basic"):
+ challenge = authorization.lstrip("Basic").strip().encode("ascii")
+ plain = request._decode(base64.b64decode(challenge))
+ user, password = plain.split(":")
+ elif negotiate.enabled():
+ user, negotiate_success = negotiate.try_aaa(authorization, request, owner)
+
# Also send UNAUTHORIZED if there's no collection. Otherwise one
# could probe the server for (non-)existing collections.
- if request.server.acl.has_right(owner, user, password):
+ if request.server.acl.has_right(owner, user, password) or negotiate_success:
function(request, context={"user": user, "user-agent": request.headers.get("User-Agent", None)})
else:
request.send_calypso_response(client.UNAUTHORIZED, 0)
+ if negotiate.enabled():
+ request.send_header("WWW-Authenticate", "Negotiate")
request.send_header(
"WWW-Authenticate",
'Basic realm="Calypso CalDAV/CardDAV server - password required"')
@@ -138,6 +143,21 @@ class CollectionHTTPHandler(server.BaseHTTPRequestHandler):
timeout = 90
server_version = "Calypso/%s" % VERSION
+ queued_headers = {}
+
+ def queue_header(self, keyword, value):
+ self.queued_headers[keyword] = value
+
+ def end_headers(self):
+ """
+ Send out all queued headers and invoke or super classes
+ end_header.
+ """
+ if self.queued_headers:
+ for keyword, val in self.queued_headers.items():
+ self.send_header(keyword, val)
+ self.queued_headers = {}
+ return server.BaseHTTPRequestHandler.end_headers(self)
def address_string(self):
return str(self.client_address[0])
diff --git a/calypso/acl/nopwd.py b/calypso/acl/nopwd.py
index 4ef84ba..9a8bbca 100644
--- a/calypso/acl/nopwd.py
+++ b/calypso/acl/nopwd.py
@@ -29,7 +29,7 @@ log = logging.getLogger()
def has_right(owner, user, password):
"""Check if ``user`` is valid."""
- log.debug("owner %s user %s", owner, user)
+ log.debug("owner '%s' user '%s'", owner, user)
if user == owner or not PERSONAL:
return True
return False
diff --git a/calypso/gssapi.py b/calypso/gssapi.py
new file mode 100644
index 0000000..a1f3d84
--- /dev/null
+++ b/calypso/gssapi.py
@@ -0,0 +1,98 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Calypso - CalDAV/CardDAV/WebDAV Server
+# Copyright © 2016 Guido Günther <agx at sigxcpu.org>
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Calypso. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Gssapi module.
+
+This module handles kerberos authenticatien via gssapi
+"""
+
+import os
+
+from . import config
+from acl import nopwd
+
+# pylint: disable=F0401
+try:
+ import kerberos as krb
+except ImportError:
+ krb = None
+# pylint: disable=F0401
+
+
+class Negotiate(object):
+ _gssapi = False
+
+ def __init__(self, log):
+ self.log = log
+ try:
+ self.servicename = os.path.expanduser(config.get("server",
+ "servicename"))
+ except:
+ self.servicename = None
+
+ if self.servicename and krb:
+ self._gssapi = True
+
+ def enabled(self):
+ return self._gssapi
+
+ def try_aaa(self, authorization, request, owner):
+ """Perform authentication and authorization"""
+ user, success = self.step(authorization, request)
+ if success:
+ return user, nopwd.has_right(owner, user, None)
+ return user, False
+
+ def step(self, authorization, request):
+ """
+ Try to authenticate the client and if succesful authenticate
+ ourself to the client.
+ """
+ user = None
+
+ if not self.enabled():
+ return (None, False)
+
+ try:
+ (neg, challenge) = authorization.split()
+ if neg.lower().strip() != 'negotiate':
+ return (None, False)
+
+ self.log.debug("Negotiate header found, trying Kerberos")
+ result, context = krb.authGSSServerInit(self.servicename)
+ result = krb.authGSSServerStep(context, challenge)
+
+ if result == -1:
+ return (None, False)
+
+ response = krb.authGSSServerResponse(context)
+ # Client authenticated successfully, so authenticate to the client:
+ request.queue_header("www-authenticate",
+ "negotiate " + response)
+ user = krb.authGSSServerUserName(context)
+
+ self.log.debug("Negotiate: found user %s" % user)
+ result = krb.authGSSServerClean(context)
+ if result != 1:
+ self.log.error("Failed to cleanup gss context")
+ return (user, True)
+ except krb.GSSError as err:
+ self.log.error("gssapi error: %s", err)
+
+ return None, False
--
2.8.0.rc3
More information about the Calypso
mailing list