Red Hat Bugzilla – Attachment 595626 Details for
Bug 831937
[RFE] Support web server provided authentication for REST API
[patch]
Patch to allow web server level preauthentication
pulp_bz831937_preauth.diff (text/plain), 5.00 KB, created by
Nick Coghlan
on 2012-07-02 05:41:25 UTC
Description:
Patch to allow web server level preauthentication
Filename:
MIME Type:
Creator:
Nick Coghlan
Created:
2012-07-02 05:41:25 UTC
Size:
5.00 KB
patch
obsolete
>diff --git a/src/pulp/server/LDAPConnection.py b/src/pulp/server/LDAPConnection.py
>index 084e328..32457a2 100644
>--- a/src/pulp/server/LDAPConnection.py
>+++ b/src/pulp/server/LDAPConnection.py
>@@ -100,12 +100,12 @@ class LDAPConnection:
> except ldap.LDAPError, e:
> log.error("Failed to delete user with dn %s to the ldap server" % dn)
>
>- def authenticate_user(self, base, username, password, filter=None):
>+ def authenticate_user(self, base, username, password=None, filter=None):
> """
> @param base: The base DN of the ldap server
> Ex: dc=example,dc=com
> @param username: Userid to be validated in ldap server
>- @param password: password credentials for userid
>+ @param password: password credentials for userid (None = don't validate)
> @param filter: Optional additional LDAP filter to use when
> searching for the user. Ex: (gidNumber=200)
>
>@@ -113,18 +113,18 @@ class LDAPConnection:
> bind succeeds; else returns None
> """
> user = self.lookup_user(base, username, filter=filter)
>- if user:
>+ if user is None:
>+ return None
>+ if password is not None:
> userdn = user[0]
> try:
> self.lconn.simple_bind_s(userdn, password)
> log.info("Found user with id %s with matching credentials" %
>- username)
>- return self._add_from_ldap(username, user)
>+ username)
> except:
> log.info("Invalid credentials for %s" % username)
> return None
>- else:
>- return None
>+ return self._add_from_ldap(username, user)
>
> def _add_from_ldap(self, username, userdata):
> """
>diff --git a/src/pulp/server/auth/authentication.py b/src/pulp/server/auth/authentication.py
>index 306b85d..f123333 100644
>--- a/src/pulp/server/auth/authentication.py
>+++ b/src/pulp/server/auth/authentication.py
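Review bot: Defaulting `password` to `None` in `authenticate_user` makes "no credential check" the behaviour a caller gets by omission, so the method fails open. `None` is also what a caller holds when a request simply carried no password, and the `auth_required` fallback in decorators.py hands the pair from `http.username_password()` to `check_username_password` unchanged; if that helper can yield a username with a `None` password (its body is not in this patch), the request is treated as preauthenticated. An explicit opt-in keeps the two cases apart: keep `password` required and add a keyword such as `preauthenticated=False`, skipping the bind only when it is true, e.g. `if not preauthenticated and not password: return None`. The docstring entry would then read `@param preauthenticated: True only when the web server has already verified the user`.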
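Review bot: The new guard `if password is not None:` still sends an empty string to `self.lconn.simple_bind_s(userdn, password)`, and a simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513 §5.1.2) that directory servers permitting it report as successful. Reject it before the bind, for example `if password == "": return None` ahead of the `try`. The docstring context line `bind succeeds; else returns None` (the docstring starts outside this hunk) no longer covers the `None` path and should state that no bind is attempted there. The bare `except:` also records every failure, including connection errors, as "Invalid credentials", which hides directory outages in the auth log; catching `ldap.INVALID_CREDENTIALS` separately from `ldap.LDAPError` would keep the two apart.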
>@@ -80,14 +80,8 @@ def _check_username_password_ldap(username, password=None):
> ldap_tls = config.getboolean('ldap', 'tls')
> ldap_server = LDAPConnection(server=ldap_uri, tls=ldap_tls)
> ldap_server.connect()
>- user = None
>- if password is not None:
>- user = ldap_server.authenticate_user(ldap_base, username, password,
>- filter=ldap_filter)
>- else:
>- user = _user_api.user(username)
>- if user is None:
>- return None
>+ user = ldap_server.authenticate_user(ldap_base, username, password,
>+ filter=ldap_filter)
> return user
>
>
>diff --git a/src/pulp/server/webservices/controllers/decorators.py b/src/pulp/server/webservices/controllers/decorators.py
>index b676991..dea45b3 100644
>--- a/src/pulp/server/webservices/controllers/decorators.py
>+++ b/src/pulp/server/webservices/controllers/decorators.py
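Review bot: With the `else` branch removed, a call to `_check_username_password_ldap` without a password no longer resolves the name against existing local users through `_user_api.user(username)`; it goes to `authenticate_user`, which per the LDAPConnection.py hunk skips the bind and returns `self._add_from_ldap(username, user)`. Judging by its name, that helper creates or refreshes a local account from the directory entry, so every password-less caller, not only the new REMOTE_USER path, can now materialise an account for any name that matches `ldap_filter`. If only the web-server path is meant to do that, keep the local lookup for other callers and pass the preauthenticated intent explicitly instead of through `password=None`. The function starts above this hunk, so how `ldap_filter` is built and whether the LDAP connection is closed could not be checked.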
>@@ -83,13 +83,22 @@ def auth_required(operation=None, super_user_only=False):
> # XXX jesus h christ: is this some god awful shit
> # please, please refactor this into ... something ... anything!
> user = None
>- # first, try username:password authentication
>- username, password = http.username_password()
>+ # Support web server level authentication of users
>+ username = http.request_info("REMOTE_USER")
> if username is not None:
>- user = check_username_password(username, password)
>+ # Omitting the password = assume preauthenticated
>+ user = check_username_password(username)
> if user is None:
>- return self.unauthorized(user_pass_fail_msg)
>- # second, try certificate authentication
>+ # User is not in the local database, nor in LDAP
>+ return self.unauthorized(author_fail_msg)
>+ # Fall back to internal username:password authentication
>+ if user is None:
>+ username, password = http.username_password()
>+ if username is not None:
>+ user = check_username_password(username, password)
>+ if user is None:
>+ return self.unauthorized(user_pass_fail_msg)
>+ # Next try certificate authentication
> if user is None:
> cert_pem = http.ssl_client_cert()
> if cert_pem is not None:
>@@ -98,7 +108,8 @@ def auth_required(operation=None, super_user_only=False):
> if user is None:
> # second, check consumer certificate
> user = check_consumer_cert(cert_pem)
>- # third, check oauth credentials
>+ # Finally, check oauth credentials
>+ # Nested to reflect the fact this also needs cert_pem
> if user is None:
> auth = http.http_authorization()
> username = http.request_info('HTTP_PULP_USER')
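Review bot: `REMOTE_USER` is accepted as proof of identity unconditionally in the first hunk of `auth_required`; nothing visible checks that the deployment has opted in to web-server authentication. The API's authentication then depends entirely on how the front-end server or any WSGI middleware populates that variable, and a value that resolves to a user skips the password, certificate and OAuth checks that follow. Gate the lookup behind a configuration switch that defaults to off, for example `if preauth_enabled and username is not None:` (`preauth_enabled` is a placeholder for a value read from the server config), and log the username when this path succeeds so preauthenticated logins can be audited. `author_fail_msg` is defined outside the visible lines, as are the start and end of the function, so confirm the name exists in the enclosing scope.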