API: Remove Kerberos authentication
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Jun 2025 13:44:08 +0000 (13:44 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Jun 2025 13:44:08 +0000 (13:44 +0000)
This is no longer suitable for us, and we will try to migrate to a
single mechanism that uses only JWT tokens.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/api/auth.py

index 25ce20fbb49f31169369b643e043bc531eacf163..535abe7e42f9319c849b3efa46501e477419ac25 100644 (file)
@@ -149,72 +149,6 @@ def get_principal(token):
 
        return principal
 
-def kerberos_auth(request: fastapi.Request):
-       """
-               Implements the server side authentication
-       """
-       # Set keytab to use
-       os.environ["KRB5_KTNAME"] = KERBEROS_KEYTAB
-
-       # Fetch the Authorization header
-       auth_header = request.headers.get("Authorization")
-
-       # Fail if there was no or an invalid header
-       if not auth_header or not auth_header.startswith("Negotiate "):
-               raise fastapi.HTTPException(401, "Missing or invalid Authorization header",
-            headers={ "WWW-Authenticate" : "Negotiate" })
-
-       # Extract the token
-       token = auth_header.removeprefix("Negotiate ")
-
-       try:
-               # Initialise the server session
-               result, context = kerberos.authGSSServerInit("HTTP")
-
-               # Fail if we could not initialize the context
-               if not result == kerberos.AUTH_GSS_COMPLETE:
-                       raise fastapi.HTTPException(500, "Kerberos Initialization failed: %s" % result)
-
-               # Check the received authentication header
-               result = kerberos.authGSSServerStep(context, token)
-
-               # If this was not successful, we return an error
-               if not result == kerberos.AUTH_GSS_COMPLETE:
-                       raise fastapi.HTTPException(401, "Authentication failed")
-
-               # Fetch the server response
-               response = kerberos.authGSSServerResponse(context)
-
-               # Return the user who just authenticated
-               username = kerberos.authGSSServerUserName(context)
-
-       # Raise any errors
-       except kerberos.GSSError as e:
-               raise fastapi.HTTPException(500, "%s" % e) from e
-
-       finally:
-               # Cleanup
-               kerberos.authGSSServerClean(context)
-
-       return username, response
-
-@router.post("/kerberos")
-async def auth(auth = fastapi.Depends(kerberos_auth)) -> fastapi.responses.JSONResponse:
-       principal, server_response = auth
-
-       # Make the response the response
-       data = generate_auth_response(principal)
-
-       # Serialize the JSON response
-       response = fastapi.responses.JSONResponse(
-               content=data.model_dump(),
-               headers={
-                       "WWW-Authenticate" : "Negotiate %s" % server_response,
-               },
-       )
-
-       return response
-
 @router.post("/user")
 async def auth_user(credentials: fastapi.security.OAuth2PasswordRequestForm =
                fastapi.Depends()) -> fastapi.responses.JSONResponse: