From: Michael Tremer
Date: Tue, 24 Jun 2025 13:44:08 +0000 (+0000)
Subject: API: Remove Kerberos authentication
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4593be6438af52e20389f0b8756b87c6f43fa943;p=pbs.git
API: Remove Kerberos authentication
This is not suitable for us any more and we will try to migrate to a unique way that is only using the JWT tokens.
Signed-off-by: Michael Tremer
---
diff --git a/src/api/auth.py b/src/api/auth.py
index 25ce20fb..535abe7e 100644
--- a/src/api/auth.py
+++ b/src/api/auth.py
@@ -149,72 +149,6 @@ def get_principal(token):
 return principal
-def kerberos_auth(request: fastapi.Request):
- """
- Implements the server side authentication
- """
- # Set keytab to use
- os.environ["KRB5_KTNAME"] = KERBEROS_KEYTAB
-
- # Fetch the Authorization header
- auth_header = request.headers.get("Authorization")
-
- # Fail if there was no or an invalid header
- if not auth_header or not auth_header.startswith("Negotiate "):
- raise fastapi.HTTPException(401, "Missing or invalid Authorization header",
- headers={ "WWW-Authenticate" : "Negotiate" })
-
- # Extract the token
- token = auth_header.removeprefix("Negotiate ")
-
- try:
- # Initialise the server session
- result, context = kerberos.authGSSServerInit("HTTP")
-
- # Fail if we could not initialize the context
- if not result == kerberos.AUTH_GSS_COMPLETE:
- raise fastapi.HTTPException(500, "Kerberos Initialization failed: %s" % result)
-
- # Check the received authentication header
- result = kerberos.authGSSServerStep(context, token)
-
- # If this was not successful, we return an error
- if not result == kerberos.AUTH_GSS_COMPLETE:
- raise fastapi.HTTPException(401, "Authentication failed")
-
- # Fetch the server response
- response = kerberos.authGSSServerResponse(context)
-
- # Return the user who just authenticated
- username = kerberos.authGSSServerUserName(context)
-
- # Raise any errors
- except kerberos.GSSError as e:
- raise fastapi.HTTPException(500, "%s" % e) from e
-
- finally:
- # Cleanup
- kerberos.authGSSServerClean(context)
-
- return username, response
-
-@router.post("/kerberos")
-async def auth(auth = fastapi.Depends(kerberos_auth)) -> fastapi.responses.JSONResponse:
- principal, server_response = auth
-
- # Make the response the response
- data = generate_auth_response(principal)
-
- # Serialize the JSON response
- response = fastapi.responses.JSONResponse(
- content=data.model_dump(),
- headers={
- "WWW-Authenticate" : "Negotiate %s" % server_response,
- },
- )
-
- return response
-
 @router.post("/user")
 async def auth_user(credentials: fastapi.security.OAuth2PasswordRequestForm = fastapi.Depends()) -> fastapi.responses.JSONResponse: