Flask sessions, with kerberos auth
I was fiddling around with Flask again, and came across the Flask-Kerberos library, which includes an example of how to protect an endpoint with kerberos! I have started messing around with this tutorial, as well as with tutorials on how to use sessions and cookies, so that the session protection is required for certain endpoints and the kerberos auth is only required at login time. My work-in-progress repository is session_app on Gitlab. This Flask library has great tricks inside it, like setting a maximum session time! I still have to add a login form and a POST endpoint for basic auth with ldap. And I hope to add usergroup logic to be able to enforce arbitrary group membership. So far, it's just been an experiment with no real purpose; just playing and learning. But if I ever come up with a need to protect endpoints with sessions, kerberos, and eventually ldap, I'll be ready! Here are my notes on how to interact with the app so far:
Start server in a separate shell session.
$ FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
Reset any cookies and kerberos tickets.
$ kdestroy -A
$ rm ~/cookiejar.txt
Try visiting protected page without authorization.
$ curl -L http://d2-03a.ipa.example.com:5000/protected -b ~/cookiejar.txt -c ~/cookiejar.txt
requires session
Get a kerberos ticket and then visit the login URL. This /login redirects to /login/kerberos by default.
$ kinit ${USER}
$ klist
Ticket cache: FILE:/tmp/krb5cc_960600001_Hjgmv7lby2
Default principal: bgstack15@IPA.EXAMPLE.COM
Valid starting Expires Service principal
06/20/21 16:04:10 06/21/21 16:04:07 krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
06/20/21 16:04:15 06/21/21 16:04:07 HTTP/d2-03a.ipa.example.com@IPA.EXAMPLE.COM
$ curl -L http://d2-03a.ipa.example.com:5000/login --negotiate -u ':' -b ~/cookiejar.txt -c ~/cookiejar.txt
<meta http-equiv="Refresh" content="1; url=/protected/">success with kerberos
Visit protected page now that we have a session.
$ cat ~/cookiejar.txt
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
d2-03a.ipa.example.com FALSE / FALSE 0 user "bgstack15@IPA.EXAMPLE.COM"
d2-03a.ipa.example.com FALSE / FALSE 0 type kerberos
d2-03a.ipa.example.com FALSE / FALSE 0 timestamp 2021-06-20T20:06:15Z
#HttpOnly_d2-03a.ipa.example.com FALSE / FALSE 1624219691 session eyJfcGVybWFuZW50Ijp0cnVlLCJlbmRfdGltZSI6IjIwMjEtMDYtMjBUMjA6MDY6MTVaIiwidXNlciI6ImJnaXJ0b25ASVBBLlNNSVRIMTIyLkNPTSJ9.YM-fsw.ZeI4ec-d7D64IEJ9Ab4RfpXfLt4
$ curl -L http://d2-03a.ipa.example.com:5000/protected -b ~/cookiejar.txt -c ~/cookiejar.txt
<html>
<title>View Session Cookie</title>
Username: bgstack15@IPA.EXAMPLE.COM<br/>
Session expires: 2021-06-20T20:06:15Z<br/>
Logged in through: kerberos
</html>
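The "session" cookie in the cookie jar above is a Flask session cookie: itsdangerous-signed, base64url JSON plus a timestamp and an HMAC-SHA1 signature, with the signing key derived from SECRET_KEY and the salt "cookie-session". The following is an added example of mine, not code from session_app or Flask: it rebuilds that cookie format with a constructed SECRET_KEY, shows that the payload (user, end_time) is readable by anyone holding the cookie because it is signed rather than encrypted, and shows the two checks the server has to make before trusting it: the signature, and the end_time that the maximum-session-time feature stores.

```python
import base64, datetime, hashlib, hmac, json, zlib

SALT = b"cookie-session"                     # Flask's default session salt
SECRET_KEY = b"constructed-demo-secret-key"  # constructed for this demo, not a real key
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"              # same layout as the "%FT%TZ" timestamp in the post

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derived_key(secret: bytes) -> bytes:
    # itsdangerous "hmac" key derivation as Flask configures it: HMAC-SHA1(secret, salt)
    return hmac.new(secret, SALT, hashlib.sha1).digest()

def sign_session(data: dict, secret: bytes, issued: int) -> str:
    """Build a Flask-style session cookie: payload.timestamp.signature"""
    payload = b64(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())
    stamp = b64(issued.to_bytes((issued.bit_length() + 7) // 8, "big"))
    body = f"{payload}.{stamp}"
    sig = hmac.new(derived_key(secret), body.encode(), hashlib.sha1).digest()
    return f"{body}.{b64(sig)}"

def peek(cookie: str) -> dict:
    """Read the payload without the secret: the cookie is signed, not encrypted."""
    payload = cookie.rsplit(".", 2)[0]
    if payload.startswith("."):  # itsdangerous zlib-compresses long payloads and marks them with a leading dot
        return json.loads(zlib.decompress(b64d(payload[1:])))
    return json.loads(b64d(payload))

def verify(cookie: str, secret: bytes, now_str: str):
    """Return (session, status); the server must check both the signature and end_time."""
    payload, stamp, sig = cookie.rsplit(".", 2)
    body = f"{payload}.{stamp}"
    expected = hmac.new(derived_key(secret), body.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        return None, "bad signature"
    data = peek(cookie)
    now = datetime.datetime.strptime(now_str, TIME_FMT)
    if now >= datetime.datetime.strptime(data["end_time"], TIME_FMT):
        return None, "session expired"
    return data, "ok"

if __name__ == "__main__":
    # Constructed session matching the fields shown in the cookie jar; the issue time is the one in its "YM-fsw" stamp.
    session = {"_permanent": True, "end_time": "2021-06-20T20:06:15Z", "user": "bgstack15@IPA.EXAMPLE.COM"}
    cookie = sign_session(session, SECRET_KEY, 1624219571)
    print(cookie)
    print(peek(cookie))                                                # readable with no key at all
    print(verify(cookie, SECRET_KEY, "2021-06-20T20:03:00Z")[1])       # ok
    print(verify(cookie, SECRET_KEY, "2021-06-20T20:07:00Z")[1])       # session expired
    print(verify(cookie, b"not-the-key", "2021-06-20T20:03:00Z")[1])   # bad signature
```

Because the payload is plaintext, nothing secret belongs in a Flask session cookie, and the end_time check has to happen on the server on every request, not only at login.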
2021-06-20 update: ldap basic auth and a login form are still pending.
As a bonus, I also learned how to display the current UTC time, in a standard format, in python:
import datetime
# %F is %Y-%m-%d and %T is %H:%M:%S (glibc strftime shorthands); the trailing Z marks the time as UTC
now_str = datetime.datetime.strftime(datetime.datetime.now(datetime.timezone.utc), "%FT%TZ")
You can configure a Mozilla-based browser to use kerberos authentication for certain domains: Share your browser prefs.js! (search for "kerberos" on that page).