From 216a565a725c3072212cff7ecddbd148bbf766d4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 2 Sep 2023 12:32:28 +0000 Subject: [PATCH] auth: Revert back to authentication using a web form Using Kerberos authentication for this part seems to be more complicated than necessary and does not provide any benefits. Signed-off-by: Michael Tremer --- src/templates/login.html | 57 ++++++++++++++++++++++++++-------------- src/web/auth.py | 25 +++++++++++------- src/web/base.py | 6 ++++- 3 files changed, 59 insertions(+), 29 deletions(-) diff --git a/src/templates/login.html b/src/templates/login.html index f0bb492..51c4d3a 100644 --- a/src/templates/login.html +++ b/src/templates/login.html @@ -1,29 +1,48 @@ {% extends "base.html" %} -{% block title %}{{ _("Log In") }}{% end block %} +{% block title %}{{ _("Sign In") }}{% end block %} -{% block container %} -
-
-
-

{{ _("Log In") }}

+{% block body %} +
+
+
+
+

{{ _("Sign In") }}

- {% if failed %} -

{{ _("Login failed") }}

- {% end %} +
+ {% raw xsrf_form_html() %} - - {% raw xsrf_form_html() %} +
+

+ + + + +

+
- +
+

+ + + + +

+
- - - -
+
+

+ +

+
+ +
-
+ {% end %}
diff --git a/src/web/auth.py b/src/web/auth.py
index 76a9c6b..622147a 100644
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -9,18 +9,25 @@ from . import base
 log = logging.getLogger("pbs.web.auth")
 
 class LoginHandler(base.KerberosAuthMixin, base.BaseHandler):
- def get(self):
- username = self.get_authenticated_user()
- if not username:
- # Ask to authenticate
- self.authenticate_redirect()
- return
+ def get(self, username=None, failed=False):
+ if self.current_user:
+ raise tornado.web.HTTPError(403, "Already logged in")
+
+ self.render("login.html", username=username, failed=failed)
+
+ @base.ratelimit(requests=10, minutes=5)
+ def post(self):
+ # Fetch credentials
+ username = self.get_argument("username")
+ password = self.get_argument("password")
 
- # Strip the realm
- username, delim, realm = username.partition("@")
+ # Try to authenticate the user
+ if not self._auth_with_credentials(username, password):
+ return self.get(username=username, failed=True)
 
+ # If the authentication was successful, we create a new session
 with self.db.transaction():
- # Otherwise fetch the authenticated user
+ # Fetch the authenticated user
 user = self.backend.users.get_by_name(username)
 if not user:
 raise tornado.web.HTTPError(500, "Could not find user %s" % username)
diff --git a/src/web/base.py b/src/web/base.py
index dbfc74b..15dd79a 100644
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -61,7 +61,7 @@ class KerberosAuthMixin(object):
 return
 
 # Perform GSS API Negotiation
- if auth_header.startswith("Negotiate"):
+ if auth_header.startswith("Negotiate "):
 return self._auth_negotiate(auth_header)
 
 # Perform Basic Authentication 
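Review bot: `post` hands the form-supplied `username` unchanged to both `_auth_with_credentials` and `self.backend.users.get_by_name`, whereas the removed code normalised it first (`username, delim, realm = username.partition("@")`); a login such as `user@REALM` that Kerberos accepts will then miss the PBS user lookup and end in a 500 "Could not find user" instead of the uniform failed-login page, which arguably also signals to the client that the credentials themselves were valid. I would keep the normalisation before the auth call, `username, _, _ = username.partition("@")`, or reject usernames containing `@`, and make the not-found branch `return self.get(username=username, failed=True)` so every rejected login produces the same response. The `get` handler's `failed` flag already gives the template a generic failure message, so routing this case through it keeps error behaviour consistent. The `with self.db.transaction():` block of `post` continues past the end of the hunk.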
@@ -128,6 +128,10 @@ class KerberosAuthMixin(object):
 except:
 raise tornado.web.HTTPError(400, "Authorization data was malformed")
 
+ # Authenticate against Kerberos
+ return self._auth_with_credentials(username, password)
+
+ def _auth_with_credentials(self, username, password):
 # Check the credentials against the Kerberos database
 try:
 kerberos.checkPassword(username, password,
-- 
2.39.2
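Review bot: `_auth_with_credentials` becomes a second entry point that `LoginHandler.post` in auth.py now calls directly with web-form input, but it has no docstring stating its contract; since the caller tests the result with `if not ...`, I would add `"""Check username/password against Kerberos; return a truthy value on success, falsy on failure."""` above the `# Check the credentials` comment. The method body runs past the hunk, so I could not confirm that the failure path returns False rather than raising — the docstring should state whichever it is. Because the password now arrives in a POST body rather than a Basic header, it is also worth confirming that nothing further down the method logs it or embeds it in an error message.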