* sources: introduce new property mappings per-user and group Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* sources/ldap: migrate to new property mappings Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* lint-fix and make gen Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* web changes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* update tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* remove flatten for generic implem Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* rework migration Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* lint-fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix migrations Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* re-add field migration to property mappings Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix migrations Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* more migrations fixes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* easy fixes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* migrate to propertymappingmanager Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* ruff and small fixes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* move mapping things into a separate class Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* migrations: use using(db_alias) Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* migrations: use built-in variable Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add release notes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix login reverse Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* refactor source flow manager matching Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* kerberos sync with mode matching Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* finish frontend Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Optimised images with calibre/image-actions
* make web Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add test for internal password update Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix sync tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix filter Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* switch to blueprints property mappings, improvements to frontend Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* some more small fixes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix reverse Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* properly deal with password changes signals Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* actually deal with it properly Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* update docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* lint-fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* blueprints: realm as group: make it non default Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* small fixes and improvements Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix title Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add password backend to default flow Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* link docs page properly, add in admin interface, add suggestions for how to apply changes to a fleet of machines Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add troubleshooting Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix default flow pass backend Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix flaky spnego tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* properly convert gssapi name to python str Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix unpickable types Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* make sure the last server token is returned to the client Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/developer-docs/setup/full-dev-environment.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/browser.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update website/docs/users-sources/sources/protocols/kerberos/index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* more docs review Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix missing library Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix missing library again Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix web import Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix sync Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix sync v2 Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix sync v3 Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
117 lines | 4.8 KiB | Python
"""authentik Kerberos Authentication Backend"""
 | 
						|
 | 
						|
import gssapi
 | 
						|
from django.http import HttpRequest
 | 
						|
from structlog.stdlib import get_logger
 | 
						|
 | 
						|
from authentik.core.auth import InbuiltBackend
 | 
						|
from authentik.core.models import User
 | 
						|
from authentik.lib.generators import generate_id
 | 
						|
from authentik.sources.kerberos.models import (
 | 
						|
    KerberosSource,
 | 
						|
    Krb5ConfContext,
 | 
						|
    UserKerberosSourceConnection,
 | 
						|
)
 | 
						|
 | 
						|
LOGGER = get_logger()
 | 
						|
 | 
						|
 | 
						|
class KerberosBackend(InbuiltBackend):
 | 
						|
    """Authenticate users against Kerberos realm"""
 | 
						|
 | 
						|
    def authenticate(self, request: HttpRequest, **kwargs):
 | 
						|
        """Try to authenticate a user via kerberos"""
 | 
						|
        if "password" not in kwargs or "username" not in kwargs:
 | 
						|
            return None
 | 
						|
        username = kwargs.pop("username")
 | 
						|
        realm = None
 | 
						|
        if "@" in username:
 | 
						|
            username, realm = username.rsplit("@", 1)
 | 
						|
 | 
						|
        user, source = self.auth_user(username, realm, **kwargs)
 | 
						|
        if user:
 | 
						|
            self.set_method("kerberos", request, source=source)
 | 
						|
            return user
 | 
						|
        return None
 | 
						|
 | 
						|
    def auth_user(
 | 
						|
        self, username: str, realm: str | None, password: str, **filters
 | 
						|
    ) -> tuple[User | None, KerberosSource | None]:
 | 
						|
        sources = KerberosSource.objects.filter(enabled=True)
 | 
						|
        user = User.objects.filter(usersourceconnection__source__in=sources, **filters).first()
 | 
						|
 | 
						|
        if user is not None:
 | 
						|
            # User found, let's get its connections for the sources that are available
 | 
						|
            user_source_connections = UserKerberosSourceConnection.objects.filter(
 | 
						|
                user=user, source__in=sources
 | 
						|
            )
 | 
						|
        elif realm is not None:
 | 
						|
            user_source_connections = UserKerberosSourceConnection.objects.filter(
 | 
						|
                source__in=sources, identifier=f"{username}@{realm}"
 | 
						|
            )
 | 
						|
        # no realm specified, we can't do anything
 | 
						|
        else:
 | 
						|
            user_source_connections = UserKerberosSourceConnection.objects.none()
 | 
						|
 | 
						|
        if not user_source_connections.exists():
 | 
						|
            LOGGER.debug("no kerberos source found for user", username=username)
 | 
						|
            return None, None
 | 
						|
 | 
						|
        for user_source_connection in user_source_connections.prefetch_related().select_related(
 | 
						|
            "source__kerberossource"
 | 
						|
        ):
 | 
						|
            # User either has an unusable password,
 | 
						|
            # or has a password, but couldn't be authenticated by ModelBackend
 | 
						|
            # This means we check with a kinit to see if the Kerberos password has changed
 | 
						|
            if self.auth_user_by_kinit(user_source_connection, password):
 | 
						|
                # Password was successful in kinit to Kerberos, so we save it in database
 | 
						|
                if (
 | 
						|
                    user_source_connection.source.kerberossource.password_login_update_internal_password
 | 
						|
                ):
 | 
						|
                    LOGGER.debug(
 | 
						|
                        "Updating user's password in DB",
 | 
						|
                        source=user_source_connection.source,
 | 
						|
                        user=user_source_connection.user,
 | 
						|
                    )
 | 
						|
                    user_source_connection.user.set_password(
 | 
						|
                        password, sender=user_source_connection.source
 | 
						|
                    )
 | 
						|
                    user_source_connection.user.save()
 | 
						|
                return user, user_source_connection.source
 | 
						|
            # Password doesn't match, onto next source
 | 
						|
            LOGGER.debug(
 | 
						|
                "failed to kinit, password invalid",
 | 
						|
                source=user_source_connection.source,
 | 
						|
                user=user_source_connection.user,
 | 
						|
            )
 | 
						|
        # No source with valid password found
 | 
						|
        LOGGER.debug("no valid kerberos source found for user", user=user)
 | 
						|
        return None, None
 | 
						|
 | 
						|
    def auth_user_by_kinit(
 | 
						|
        self, user_source_connection: UserKerberosSourceConnection, password: str
 | 
						|
    ) -> bool:
 | 
						|
        """Attempt authentication by kinit to the source."""
 | 
						|
        LOGGER.debug(
 | 
						|
            "Attempting to kinit as user",
 | 
						|
            user=user_source_connection.user,
 | 
						|
            source=user_source_connection.source,
 | 
						|
            principal=user_source_connection.identifier,
 | 
						|
        )
 | 
						|
 | 
						|
        with Krb5ConfContext(user_source_connection.source.kerberossource):
 | 
						|
            name = gssapi.raw.import_name(
 | 
						|
                user_source_connection.identifier.encode(), gssapi.raw.NameType.kerberos_principal
 | 
						|
            )
 | 
						|
            try:
 | 
						|
                # Use a temporary credentials cache to not interfere with whatever is defined
 | 
						|
                # elsewhere
 | 
						|
                gssapi.raw.ext_krb5.krb5_ccache_name(f"MEMORY:{generate_id(12)}".encode())
 | 
						|
                gssapi.raw.ext_password.acquire_cred_with_password(name, password.encode())
 | 
						|
                # Restore the credentials cache to what it was before
 | 
						|
                gssapi.raw.ext_krb5.krb5_ccache_name(None)
 | 
						|
                return True
 | 
						|
            except gssapi.exceptions.GSSError as exc:
 | 
						|
                LOGGER.warning("failed to kinit", exc=exc)
 | 
						|
        return False
 |