kiwitcms
diff --git a/‎README.rst‎
Lines changed: 29 additions & 36 deletions b/‎README.rst‎
Lines changed: 29 additions & 36 deletions
diff --git a/‎setup.py‎
Lines changed: 32 additions & 0 deletions b/‎setup.py‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎social_auth_kerberos/__init__.py‎ b/‎social_auth_kerberos/__init__.py‎
diff --git a/‎social_auth_kerberos/backend.py‎
Lines changed: 93 additions & 0 deletions b/‎social_auth_kerberos/backend.py‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎tcms/auth/kerberos.py‎
Lines changed: 0 additions & 107 deletions b/‎tcms/auth/kerberos.py‎
Lines changed: 0 additions & 107 deletions
@@ -1,50 +1,43 @@
-Kerberos authentication backend for Kiwi TCMS
-=============================================
+Kerberos authentication backend for Python Social Auth
+======================================================
 
-.. image:: https://travis-ci.org/kiwitcms/kiwitcms-auth-kerberos.svg?branch=master
-    :target: https://travis-ci.org/kiwitcms/kiwitcms-auth-kerberos
+.. image:: https://travis-ci.org/kiwitcms/python-social-auth-kerberos.svg?branch=master
+    :target: https://travis-ci.org/kiwitcms/python-social-auth-kerberos
 
-.. image:: https://coveralls.io/repos/github/kiwitcms/kiwitcms-auth-kerberos/badge.svg?branch=master
-   :target: https://coveralls.io/github/kiwitcms/kiwitcms-auth-kerberos?branch=master
+.. image:: https://coveralls.io/repos/github/kiwitcms/python-social-auth-kerberos/badge.svg?branch=master
+   :target: https://coveralls.io/github/kiwitcms/python-social-auth-kerberos?branch=master
 
 Introduction
 ------------
 
-TODO:
+This package provides Kerberos backend for Python Social Auth. It can be used to
+enable passwordless authentication inside a Django app or any other application
+that supports Python Social Auth. This is a pure Python implementation which doesn't
+depend on Apache ``mod_auth_kerb``.
 
-- package this backend and publish to PyPI
-- enable testing
-- why there are 2 classes for kerberos backend? which one if the real deal
-  maybe 'tcms.auth.kerberos.ModAuthKerbBackend' ????
-- check-out https://github.com/kiwitcms/Kiwi/issues/240
+First
+`configure PSA <https://python-social-auth.readthedocs.io/en/latest/configuration/index.html>`_
+and then the following settings::
 
 
-This package provides passwordless authentication for Kiwi TCMS via Kerberos.
-This is turned off by default because most organizations do not use it. To enable
-configure the following settings::
-
-    MIDDLEWARE += [
-        'django.contrib.auth.middleware.RemoteUserMiddleware',
-    ]
-
-    AUTHENTICATION_BACKENDS += [
-        'tcms.auth.kerberos.ModAuthKerbBackend',
+    AUTHENTICATION_BACKENDS = [
+        'social_auth_kerberos.backend.KerberosAuth',
+        'django.contrib.auth.backends.ModelBackend',
     ]
+    
+    SOCIAL_AUTH_KRB5_KEYTAB = '/tmp/your-application.keytab'
 
-    KRB5_REALM='YOUR-DOMAIN.COM'
-
-
-Also modify Kiwi TCMS ``Dockerfile`` to include the following lines::
-
-    RUN yum -y install krb5-devel mod_auth_kerb
-    RUN pip install kerberos
-    COPY ./auth_kerb.conf /etc/httpd/conf.d/
-
-Where ``auth_kerb.conf`` is your Kerberos configuration file for Apache!
-More information about it can be found
-`here <https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/2/html/HTTP_Connectors_Load_Balancing_Guide/ch10s02s03.html>`_.
+For more information about Kerberos see:
+* `How to configure Firefox for kerberos <https://people.redhat.com/mikeb/negotiate/>`_
+* `How to configure kerberos on Fedora <https://fedoraproject.org/wiki/Kerberos_KDC_Quickstart_Guide>`_
+* `How to generate a keytab file
+  <https://docs.tibco.com/pub/spotfire_server/7.6.1/doc/html/tsas_admin_help/GUID-27726F6E-569C-4704-8433-5CCC0232EC79.html>`_
 
 .. warning::
 
-    Unless Kerberos authentication is configured and fully-operational the
-    XML-RPC method `Auth.login_krbv()` will not work!
+    USE AT YOUR OWN RISK!
+    
+    This module has been tested manually with Kiwi TCMS. Automated tests
+    do not exist because we can't quite figure out how to use
+    `gssapi-console <https://github.com/pythongssapi/gssapi-console>`_ as part of
+    unit tests! If you do figure it out a pull request will be greatly appreciated!
@@ -0,0 +1,32 @@
+# pylint: disable=missing-docstring
+
+from setuptools import setup, find_packages
+
+
+def get_long_description():
+    with open('README.rst', 'r') as file:
+        return file.read()
+
+
+setup(
+    name='social-auth-kerberos',
+    version='0.2.1',
+    description='Kerberos authentication backend for Python Social Auth',
+    long_description=get_long_description(),
+    author='Kiwi TCMS',
+    author_email='info@kiwitcms.org',
+    url='https://github.com/kiwitcms/python-social-auth-kerberos/',
+    license='GPLv2+',
+    keywords='social auth, kerberos',
+    install_requires=['social-auth-core', 'gssapi'],
+    packages=['social_auth_kerberos'],
+    classifiers=[
+        'Development Status :: 4 - Beta',
+        'Topic :: Internet',
+        'Environment :: Web Environment',
+        'Intended Audience :: Developers',
+        'License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)',
+        'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.6',
+    ],
+)
@@ -0,0 +1,93 @@
+import base64
+import gssapi
+
+from social_core.backends.base import BaseAuth
+from social_core.exceptions import AuthException
+
+
+class KerberosAuth(BaseAuth):
+    _krb5 = {}
+    name = 'kerberos'
+
+    def start(self):
+        response = self.strategy.html('Authorization Required')
+        response.status_code = 401
+        response['WWW-Authenticate'] = 'Negotiate'
+
+        # browser didn't send negotiation token
+        if 'HTTP_AUTHORIZATION' not in self.strategy.request.META:
+            # this will keep a reference to the current user b/c
+            # kerberos auth is a stateful protocol while HTTP is stateless.
+            context_id = "%d@%d" % (hash(repr(self.strategy.request.META)),
+                                    id(self.strategy.request))
+            self.strategy.request.session['_krb5'] = context_id
+            self._krb5[context_id] = None
+            return response
+
+        token = self.strategy.request.META['HTTP_AUTHORIZATION']
+        token = token.split('Negotiate')[-1].strip()
+        token = base64.b64decode(token)
+
+        context_id = self.strategy.request.session.get('_krb5', None)
+        if self._krb5[context_id] is None:
+            keytab_path = self.strategy.setting('SOCIAL_AUTH_KRB5_KEYTAB')
+            creds = gssapi.Credentials(usage='accept',
+                                       store={'keytab': keytab_path})
+            self._krb5[context_id] = gssapi.SecurityContext(creds=creds)
+
+        server_token = self._krb5[context_id].step(token)
+        response = self.strategy.redirect(self.redirect_uri)
+
+        if server_token is not None:
+            server_token_hex = base64.b64encode(server_token).decode()
+            response['WWW-Authenticate'] = 'Negotiate %s' % server_token_hex
+
+        return response
+
+    def auth_complete(self, *args, **kwargs):
+        """Completes loging process, must return user instance"""
+        try:
+            context_id = self.strategy.request.session.get('_krb5', None)
+
+            if context_id not in self._krb5:
+                raise AuthException(self.name, 'Authentication failed. context_id not found!')
+
+            if not self._krb5[context_id].complete:
+                raise AuthException(self.name, 'Authentication failed')
+
+            kwargs.update({
+                'response': {
+                    'krb5_initiator': str(self._krb5[context_id].initiator_name),
+                },
+                'backend': self,
+            })
+        finally:
+            if context_id in self._krb5:
+                del self._krb5[context_id]
+
+            if '_krb5' in self.strategy.request.session:
+                del self.strategy.request.session['_krb5']
+
+        return self.strategy.authenticate(*args, **kwargs)
+
+    def auth_allowed(self, response, details):
+        """Return True if the user should be allowed to authenticate"""
+        return 'krb5_initiator' in response
+
+    def get_user_id(self, details, response):
+        """Return a unique ID for the current user, by default from server
+        response."""
+        return response['krb5_initiator']
+
+    def get_user_details(self, response):
+        """Return user details"""
+        email = response['krb5_initiator'].split('/')[-1].lower()
+        username = email.split('@')[0]
+
+        return {
+            'username': username,
+            'email': email,
+            'fullname': '',
+            'first_name': '',
+            'last_name': ''
+        }