-rw-r--r--.gitignore3
-rw-r--r--example.cfg27
-rwxr-xr-xsession_app.py (renamed from session_app.py.publish)65
3 files changed, 60 insertions, 35 deletions
diff --git a/.gitignore b/.gitignore
index 27fb390..c9055c8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
__pycache__
-session_app.py
*.keytab
*.log
.*.swp
WORKHERE
+dev.cfg
+prod.cfg
diff --git a/example.cfg b/example.cfg
new file mode 100644
index 0000000..c7c7bd2
--- /dev/null
+++ b/example.cfg
@@ -0,0 +1,27 @@
+# SESSION_CONFIG file
+# Run with:
+# SESSION_CONFIG=example.cfg FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0 --port 5000
+HOSTNAME = "d2-03a.ipa.internal.com"
+# These don't seem to work when running "flask run", so they might only be used by uwsgi.
+LISTEN_HOST = "0.0.0.0"
+LISTEN_PORT = "5000"
+
+DEBUG=True
+
+LDAP_URI = "ldaps://ipa.internal.com:636"
+LDAP_USER_BASE = "cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
+LDAP_GROUP_BASE = "cn=groups,cn=accounts,dc=ipa,dc=internal,dc=com"
+LDAP_USER_MATCH_ATTRIB = "uid"
+LDAP_USER_DISPLAY_ATTRIB = "uid"
+LDAP_USER_ATTRIB_MEMBEROF = "memberof"
+LDAP_GROUP_DISPLAY_ATTRIB = "cn"
+LDAP_BIND_DN = "uid=domainjoin,cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
+LDAP_BIND_PASSWORD = "examplepassword"
+LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB = "krbPrincipalName"
+SESSION_DURATION_MINUTES = 2
+
+KRB5_SERVICE = "HTTP"
+# keytab from `/usr/sbin/ipa-getkeytab -p HTTP/d2-03a.ipa.example.com -k session.keytab`
+KRB5_KTNAME = "./session.keytab"
+# Define this variable if you want it to be used.
+KRB5_TRACE = "./kerberos.log"
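Review bot: `DEBUG=True` combined with the run command in the header comment (FLASK_DEBUG=1 and `--host 0.0.0.0`) and `LISTEN_HOST = "0.0.0.0"` leaves the Werkzeug interactive debugger reachable from the network, and that debugger can execute code; the example should ship `DEBUG=False` and say that the debug setting is for a loopback-only host. The keytab comment names the principal `HTTP/d2-03a.ipa.example.com` while HOSTNAME is `d2-03a.ipa.internal.com`; the two should agree, or the comment should state that the principal has to match HOSTNAME and KRB5_SERVICE. Because this file is executed as Python by from_pyfile and carries LDAP_BIND_PASSWORD, the header comment could add `# Executed as Python by app.config.from_pyfile(); keep it world-unreadable and out of version control, it holds the LDAP bind password.` The comment "These don't seem to work when running flask run" is hedged; `flask run` takes host and port from the command line, so it is clearer to say that LISTEN_HOST and LISTEN_PORT are only read by the `app.run()` path in session_app.py.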
diff --git a/session_app.py.publish b/session_app.py
index 18bf5f1..847df19 100755
--- a/session_app.py.publish
+++ b/session_app.py
@@ -10,10 +10,13 @@
# future: https://code.tutsplus.com/tutorials/flask-authentication-with-ldap--cms-23101
# better timeout session: https://stackoverflow.com/a/49891626/3569534
# store "formdata" in session for changing the basic auth to form data for the ldap login https://stackoverflow.com/a/56904875/3569534
+# requires_session similar to requires_auth (kerberos) return to the passed function, from https://github.com/ArtemAngelchev/flask-basicauth-ldap/blob/master/flask_basicauth_ldap.py
# modify url from urlparse https://stackoverflow.com/a/21629125/3569534
+# _unauthorized_kerberos meta redirect from https://billstclair.com/html-redirect2.html
+# preserve POST with code 307 https://stackoverflow.com/a/15480983/3569534
# Improve:
-# move all configs to config file
-# move all references to references section
+# remove session info, when logging out?
+# provide web page for adjusting settings like ldap uri
# Run:
# FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
# Dependencies:
@@ -22,32 +25,24 @@
from flask import Flask, Response, redirect, url_for, render_template, request, _request_ctx_stack as stack, make_response, session
from flask_kerberos import init_kerberos, requires_authentication, _unauthorized, _forbidden, _gssapi_authenticate
-import kerberos
from functools import wraps
-import binascii, datetime
-import os
-import session_ldap
from urllib.parse import urlparse
+import kerberos, binascii, datetime, os
+import session_ldap
-DEBUG=True
app = Flask(__name__)
-app.config.from_object(__name__)
-app.debug=True
+if 'SESSION_CONFIG' in os.environ:
+ conf_file=os.environ['SESSION_CONFIG']
+else:
+ conf_file="dev.cfg"
+app.config.from_pyfile(conf_file, silent=False)
+#app.config.from_object(__name__)
+if 'DEBUG' in app.config and app.config['DEBUG']:
+ app.debug=True
secret_key_value = os.urandom(24)
secret_key_value_hex_encoded = binascii.hexlify(secret_key_value)
app.config['SECRET_KEY'] = secret_key_value_hex_encoded
-app.config['LDAP_URI'] = "ldaps://ipa.internal.com:636"
-app.config['LDAP_USER_BASE'] = "cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
-app.config['LDAP_GROUP_BASE'] = "cn=groups,cn=accounts,dc=ipa,dc=internal,dc=com"
-app.config['LDAP_USER_MATCH_ATTRIB'] = "uid"
-app.config['LDAP_USER_DISPLAY_ATTRIB'] = "uid"
-app.config['LDAP_USER_ATTRIB_MEMBEROF'] = "memberof"
-app.config['LDAP_GROUP_NAME_ATTRIB'] = "cn"
-app.config['LDAP_BIND_DN'] = "uid=domainjoin,cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
-app.config['LDAP_BIND_PASSWORD'] = "bulkpassword"
-app.config['LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB'] = "krbPrincipalName"
-app.config['minutes'] = 2
-app.permanent_session_lifetime=datetime.timedelta(minutes=app.config['minutes'])
+app.permanent_session_lifetime=datetime.timedelta(minutes=app.config['SESSION_DURATION_MINUTES'])
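Review bot: The if/else that sets conf_file wraps a single environment lookup; `conf_file = os.environ.get('SESSION_CONFIG', 'dev.cfg')` expresses it in one line. Since `app.config.from_pyfile(conf_file, silent=False)` executes the chosen file as Python, the load site deserves a comment such as `# SESSION_CONFIG is executed as Python and holds LDAP_BIND_PASSWORD: only point it at a file the deployer controls, with restricted permissions.` The unchanged lines below still derive SECRET_KEY from os.urandom at import time, so each process (including every uwsgi worker, which the new config file's comment hints at) gets a different key and sessions do not survive a restart or a switch between workers; now that the other settings live in the config file, moving SECRET_KEY there is the natural follow-up. The commented-out `#app.config.from_object(__name__)` line can be dropped rather than kept as dead code.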
def requires_session(function):
'''
@@ -67,8 +62,6 @@ def requires_session(function):
if session['user'] != c_user:
return Response("Wrong user for this session!.",401)
# otherwise, everything is good!
- #return Response(f"session user: {s_user}<br/>cookie user: {c_user}", 200)
- # return to the passed function, from https://github.com/ArtemAngelchev/flask-basicauth-ldap/blob/master/flask_basicauth_ldap.py
return function(*args,**kwargs)
# catch-all
return Response("requires session",401)
@@ -120,7 +113,7 @@ def requires_authn_kerberos(function):
connection=conn,
user_dn=this_user,
user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
- group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
+ group_name_attrib=app.config['LDAP_GROUP_DISPLAY_ATTRIB'],
group_base=app.config['LDAP_GROUP_BASE']
)
#print(f"DEBUG: groups {groups}")
@@ -188,7 +181,7 @@ def requires_authn_ldap(function):
connection=ll,
user_dn=this_user,
user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
- group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
+ group_name_attrib=app.config['LDAP_GROUP_DISPLAY_ATTRIB'],
group_base=app.config['LDAP_GROUP_BASE']
)
print(f"DEBUG: user {shortuser} has groups {groups}")
@@ -201,7 +194,6 @@ def _unauthorized_kerberos():
'''
Indicate that authentication is required
'''
- # from https://billstclair.com/html-redirect2.html
return Response(f'<meta http-equiv="Refresh" content="4; url={url_for("login_ldap")}">Unauthorized! No kerberos auth provided. Trying <a href="{url_for("login_ldap")}">ldap</a> automatically in a moment.', 401, {'WWW-Authenticate': 'Negotiate'})
def _unauthorized_ldap():
@@ -335,7 +327,6 @@ def handle_login_ldap_from_non_ldap(request):
if 'logintype' in request.form:
logintype = request.form['logintype']
if "ldap" == logintype:
- # preserve POST with code 307 https://stackoverflow.com/a/15480983/3569534
return redirect(url_for("login_ldap"), code=307)
else:
return f"Authentication method {logintype} not supported yet.",400
@@ -343,7 +334,7 @@ def handle_login_ldap_from_non_ldap(request):
@app.route("/logout")
@app.route("/logout/")
def logout():
- resp = Response(f"logged out")
+ resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("index")}">logged out')
# Doing anything with session here leaves a cookie.
#session['user']=""
resp.set_cookie('user','',expires=0)
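Review bot: logout still only expires the `user` cookie and leaves the Flask session cookie, which carries session['user'], on the client; the comment on the following lines records this as unresolved. Calling `session.clear()` before building the response should make Flask's cookie session interface delete the session cookie when the response is saved, since it removes the cookie for a session that has been modified to be empty, which would close the "remove session info, when logging out?" item in the header. The body of logout continues past the hunk.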
@@ -373,10 +364,16 @@ def login_basic():
# session.permanent = True
# session['end_time'] = datetime.datetime.now()+app.permanent_session_lifetime
-# keytab from `/usr/sbin/ipa-getkeytab -p HTTP/d2-03a.ipa.example.com -k session.keytab`
-os.environ['KRB5_KTNAME'] = "./session.keytab"
-os.environ['KRB5_TRACE'] = "./kerberos.log"
-init_kerberos(app, hostname="d2-03a.ipa.internal.com", service="HTTP")
+os.environ['KRB5_KTNAME'] = app.config['KRB5_KTNAME']
+if 'KRB5_TRACE' in app.config:
+ os.environ['KRB5_TRACE'] = app.config['KRB5_TRACE']
+
+init_kerberos(app, hostname=app.config['HOSTNAME'], service=app.config['KRB5_SERVICE'])
if __name__ == '__main__':
- init_kerberos(app, hostname="d2-03a.ipa.internal.com", service="HTTP")
- app.run(host='0.0.0.0',debug=True)
+ #init_kerberos(app, hostname=app.config['HOSTNAME'], service=app.config['KRB5_SERVICE'])
+ print("should listen to ",app.config['LISTEN_HOST'])
+ app.run(
+ host=app.config['LISTEN_HOST'],
+ port=app.config['LISTEN_PORT'],
+ debug=app.config['DEBUG']
+ )
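Review bot: `debug=app.config['DEBUG']` in the app.run call raises KeyError when the config file omits DEBUG, whereas the loader earlier in the file tolerates a missing key with `if 'DEBUG' in app.config and app.config['DEBUG']`; `debug=app.config.get('DEBUG', False)` makes both sites agree and defaults to off. With LISTEN_HOST at 0.0.0.0 and DEBUG true, the Werkzeug debugger is reachable from the network, so any non-local config should set DEBUG=False. The `print("should listen to ", ...)` line reads as a leftover diagnostic; app.run already logs the bound address, or route it through app.logger. The commented-out init_kerberos call inside the `__main__` block duplicates the live one above it and can be removed.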
bgstack15