Merge #681 Add Kerberos + LDAP Authentication

2026-04-26 03:32:10 +08:00 · 2017-09-15 16:10:22 +00:00
parent a2d89ae18d 0f6d7a55c5
commit fa8ac2001d
7 changed files with 468 additions and 22 deletions
--- a/module_build_service/config.py
+++ b/module_build_service/config.py
@@ -26,6 +26,7 @@

 import imp
 import os
+import re

 from os import sys

@@ -72,7 +73,7 @@ def init_config(app):
        if 'MBS_CONFIG_SECTION' in app.request.environ:
            config_section = app.request.environ['MBS_CONFIG_SECTION']
    # TestConfiguration shall only be used for running tests, otherwise...
-    if any(['nosetests' in arg or 'noserunner.py' in arg or 'py.test' in arg or 'pytest.py' in arg for arg in sys.argv]):
+    if any(['nosetests' in arg or 'noserunner.py' in arg or 'py.test' in arg or 'pytest' in arg for arg in sys.argv]):
        config_section = 'TestConfiguration'
        from conf import config
        config_module = config
@@ -366,6 +367,29 @@ class Config(object):
            'type': list,
            'default': ['/etc/module-build-service/yum.conf', 'conf/yum.conf'],
            'desc': 'List of yum config file paths in order of preference.'},
+        'auth_method': {
+            'type': str,
+            'default': 'oidc',
+            'desc': 'Authentiation method to MBS. Options are oidc or kerberos'},
+        'kerberos_http_host': {
+            'type': str,
+            'default': '',
+            'desc': ('Hardcodes the HTTP host MBS identifies as in Kerberos. If this isn\'t set, '
+                     'it will be derived dynamically.')},
+        'kerberos_keytab': {
+            'type': str,
+            'default': '',
+            'desc': ('Overrides the use of the environment variable KRB5_KTNAME, which specifies '
+                     'the location to the Kerberos keytab for authentication.')},
+        'ldap_uri': {
+            'type': str,
+            'default': '',
+            'desc': 'LDAP URI to query for group information when using Kerberos authentication'},
+        'ldap_groups_dn': {
+            'type': str,
+            'default': '',
+            'desc': ('The distinguished name of the container or organizational unit containing '
+                     'the groups in LDAP')}
    }

    def __init__(self, conf_section_obj):
@@ -496,3 +520,26 @@ class Config(object):
        if i < 0:
            raise ValueError('NUM_CONCURRENT_BUILDS must be >= 0')
        self._num_concurrent_builds = i
+
+    def _setifok_auth_method(self, s):
+        s = str(s)
+        if s.lower() not in ('oidc', 'kerberos'):
+            raise ValueError('Unsupported authentication method')
+        self._auth_method = s.lower()
+
+    def _setifok_kerberos_keytab(self, s):
+        keytab = str(s)
+        if keytab:
+            keytab = os.path.expanduser(keytab)
+            if not os.path.exists(keytab):
+                raise ValueError('The path set for KERBEROS_KEYTAB does not exist')
+
+        self._kerberos_keytab = keytab
+
+    def _setifok_ldap_uri(self, s):
+        ldap_uri = str(s)
+
+        if ldap_uri and not re.match(r'^(?:ldap(?:s)?:\/\/.+)$', ldap_uri):
+            raise ValueError('LDAP_URI is invalid. It must start with "ldap://" or "ldaps://"')
+
+        self._ldap_uri = ldap_uri