From d1026c0df750724c39ba8094c008b5d72cd0044c Mon Sep 17 00:00:00 2001
From: Chenxiong Qi
Date: Thu, 24 Oct 2019 14:39:43 +0800
Subject: [PATCH] Do not drop realm from user's kerberos principal name
Save the realm and just keep the variable there for any further possible use.
Signed-off-by: Chenxiong Qi
---
module_build_service/auth.py | 18 +++++++++++++-----
tests/test_auth.py | 6 +++---
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index f5f432d5..2d92acd3 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -132,12 +132,20 @@ def get_user_oidc(request):
 def get_user_kerberos(request):
- remote_user = request.environ.get("REMOTE_USER")
- if not remote_user:
- raise Unauthorized("REMOTE_USER is not properly set in the request.")
+ remote_name = request.environ.get("REMOTE_USER")
+ if not remote_name:
+ # When Kerberos authentication is enabled, MBS expects the
+ # authentication is done by a specific Apache module which sets
+ # REMOTE_USER properly.
+ raise Unauthorized("No REMOTE_USER is set.")
- # Remove the realm
- username, _ = remote_user.split("@")
+ try:
+ username, realm = remote_name.split("@")
+ except ValueError:
+ raise Unauthorized("Value of REMOTE_NAME is not in format username@REALM")
+
+ # Currently, MBS does not handle the realm to authorize user. Just keep it
+ # here for any possible further use.
 # If the user is part of the whitelist, then the group membership check is skipped
 if username in conf.allowed_users:
diff --git a/tests/test_auth.py b/tests/test_auth.py
index af4d2b62..b72fe5de 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
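Review bot: The new `except ValueError` message in `get_user_kerberos` names `REMOTE_NAME`, but the value is read from `REMOTE_USER`; it should read `raise Unauthorized("Value of REMOTE_USER is not in format username@REALM")` so whoever debugs the Apache side looks at the right variable. The tuple unpacking only enforces exactly one `@`, so values such as `@REALM` or `user@` still pass with an empty username or realm; a guard like `if not username or not realm:` raising the same `Unauthorized` would reject them. Because `realm` is kept but never compared, a `username` from any realm the front-end accepts reaches the `conf.allowed_users` check, so the added comment should state that realm restriction has to be enforced in the Apache Kerberos configuration. The rest of the function body lies outside this hunk.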
@@ -217,10 +217,10 @@ class TestAuthModule:
 module_build_service.auth.get_user(request)
 assert str(cm.value) == "OIDC_REQUIRED_SCOPE must be set in server config."
- @pytest.mark.parametrize("remote_username", ["", None])
- def test_get_user_kerberos_unauthorized(self, remote_username):
+ @pytest.mark.parametrize("remote_name", ["", None, "someone"])
+ def test_get_user_kerberos_unauthorized(self, remote_name):
 request = Mock()
- request.environ.get.return_value = remote_name
+ request.environ.get.return_value = remote_name
 with pytest.raises(module_build_service.errors.Unauthorized):
 module_build_service.auth.get_user_kerberos(request)
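Review bot: The widened parametrization in `test_get_user_kerberos_unauthorized` covers a value with no `@` but not one with more than one, which is the other input the new `split("@")` unpacking rejects; adding a constructed case such as `"someone@REALM@REALM"` to the list would pin that branch. An empty user part (constructed example `"@REALM"`) deserves a case as well, although the auth.py change as written does not raise for it at the split, so it would need an explicit empty-part check there first. Whether the test body ends at the last line shown cannot be told from this hunk.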