From: Michael Tremer Date: Wed, 5 Oct 2022 15:45:50 +0000 (+0000) Subject: hub: Authenticate any responses from the server X-Git-Tag: 0.9.28~280 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=24622c9155b7bb21ebfd4ca6a27c9d0816b6826a;p=pakfire.git hub: Authenticate any responses from the server Signed-off-by: Michael Tremer --- diff --git a/src/pakfire/hub.py b/src/pakfire/hub.py index cbf116e48..77c143090 100644 --- a/src/pakfire/hub.py +++ b/src/pakfire/hub.py @@ -88,10 +88,12 @@ class Hub(object): if authenticate: krb5_context = self._setup_krb5_context(url) + # Fetch the Kerberos client response + krb5_client_response = kerberos.authGSSClientResponse(krb5_context) + # Set the Negotiate header headers |= { - "Authorization" : - "Negotiate %s" % kerberos.authGSSClientResponse(krb5_context), + "Authorization" : "Negotiate %s" % krb5_client_response, } # Make the request @@ -114,6 +116,30 @@ class Hub(object): # XXX Do we have to catch any errors here? + # Perform mutual authentication + if authenticate: + for header in res.headers.get_list("WWW-Authenticate"): + # Skip anything that isn't a Negotiate header + if not header.startswith("Negotiate "): + continue + + # Fetch the server response + krb5_server_response = header.removeprefix("Negotiate ") + + # Validate the server response + result = kerberos.authGSSClientStep(krb5_context, krb5_server_response) + if not result == kerberos.AUTH_GSS_COMPLETE: + raise RuntimeError("Could not verify the Kerberos server response") + + log.debug("Kerberos Server Response validating succeeded") + + # Call this so that we won't end in the else block + break + + # If there were no headers + else: + raise RuntimeError("Mutual authentication failed") + # Decode JSON response if res.body: return json.loads(res.body)
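Review bot: In the mutual-authentication loop, a rejected or corrupt Negotiate token will most likely surface as `kerberos.GSSError` raised by `authGSSClientStep()` rather than as the `RuntimeError` two lines below, because the binding appears to report GSSAPI failures by raising and to return only the complete/continue codes. Callers that catch `RuntimeError` for the missing-header case would then miss that path. Wrapping the call with `except kerberos.GSSError as e: raise RuntimeError("Could not verify the Kerberos server response") from e` keeps both failure paths uniform, and `result != kerberos.AUTH_GSS_COMPLETE` reads more directly than `not result == ...`. The check proves only that the peer holds the service key and does not bind `res.body` to that proof, so a comment such as `# Authenticates the peer only; body integrity still depends on the transport (TLS)` above the JSON decoding would stop readers over-trusting it. The enclosing method starts outside the hunk, so it is not visible whether non-2xx responses ever reach this check or raise earlier in the request call.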