hub: Authenticate any responses from the server
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 5 Oct 2022 15:45:50 +0000 (15:45 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 5 Oct 2022 15:45:50 +0000 (15:45 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/pakfire/hub.py

index cbf116e4885e387df74a033cb973a40f1dadec83..77c143090ad255d522bd7f031ab92563016803c4 100644 (file)
@@ -88,10 +88,12 @@ class Hub(object):
                if authenticate:
                        krb5_context = self._setup_krb5_context(url)
 
+                       # Fetch the Kerberos client response
+                       krb5_client_response = kerberos.authGSSClientResponse(krb5_context)
+
                        # Set the Negotiate header
                        headers |= {
-                               "Authorization" :
-                                       "Negotiate %s" % kerberos.authGSSClientResponse(krb5_context),
+                               "Authorization" : "Negotiate %s" % krb5_client_response,
                        }
 
                # Make the request
@@ -114,6 +116,30 @@ class Hub(object):
 
                # XXX Do we have to catch any errors here?
 
+               # Perform mutual authentication
+               if authenticate:
+                       for header in res.headers.get_list("WWW-Authenticate"):
+                               # Skip anything that isn't a Negotiate header
+                               if not header.startswith("Negotiate "):
+                                       continue
+
+                               # Fetch the server response
+                               krb5_server_response = header.removeprefix("Negotiate ")
+
+                               # Validate the server response
+                               result = kerberos.authGSSClientStep(krb5_context, krb5_server_response)
+                               if not result == kerberos.AUTH_GSS_COMPLETE:
+                                       raise RuntimeError("Could not verify the Kerberos server response")
+
+                               log.debug("Kerberos Server Response validating succeeded")
+
+                               # Call this so that we won't end in the else block
+                               break
+
+                       # If there were no headers
+                       else:
+                               raise RuntimeError("Mutual authentication failed")
+
                # Decode JSON response
                if res.body:
                        return json.loads(res.body)
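Review bot: As far as I can tell from pykerberos, `kerberos.authGSSClientStep` reports a rejected or malformed server token by raising `kerberos.GSSError`, not by returning something other than `AUTH_GSS_COMPLETE`, so the `RuntimeError("Could not verify the Kerberos server response")` after the step call is only reached for an unfinished (`AUTH_GSS_CONTINUE`) exchange and a tampered token surfaces as an unrelated exception type that callers are unlikely to handle. Wrapping the step in a `try`/`except kerberos.GSSError` and re-raising the same `RuntimeError` from it gives callers one failure mode for "mutual authentication failed" and keeps the failure reason attached via exception chaining. While there, `if not result == kerberos.AUTH_GSS_COMPLETE:` reads more naturally as `if result != kerberos.AUTH_GSS_COMPLETE:`. Whether the context actually requests mutual authentication depends on the flags passed in `_setup_krb5_context`, which lies outside this hunk, as does the start of the enclosing method.
```python
				# Validate the server response; a rejected token raises GSSError
				try:
					result = kerberos.authGSSClientStep(krb5_context, krb5_server_response)
				except kerberos.GSSError as e:
					raise RuntimeError("Could not verify the Kerberos server response") from e

				if result != kerberos.AUTH_GSS_COMPLETE:
					raise RuntimeError("Could not verify the Kerberos server response")
				# … unchanged: debug log and break …
```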