1 files changed, 47 insertions, 11 deletions

diff --git a/session_app.py.publish b/session_app.py.publish
index b09cb59..ac37e17 100755
--- a/session_app.py.publish
+++ b/session_app.py.publish
@@ -14,7 +14,6 @@
 # Improve:
 #    move all configs to config file
 #    move all references to references section
-#    accept a bind credential so we can perform lookups of users who match "uid=%s" under a base.
 # Run:
 #    FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
 # Dependencies:
@@ -41,10 +40,12 @@ app.config['LDAP_URI'] = "ldaps://ipa.internal.com:636"
 app.config['LDAP_USER_BASE'] = "cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
 app.config['LDAP_GROUP_BASE'] = "cn=groups,cn=accounts,dc=ipa,dc=internal,dc=com"
 app.config['LDAP_USER_MATCH_ATTRIB'] = "uid"
+app.config['LDAP_USER_DISPLAY_ATTRIB'] = "uid"
 app.config['LDAP_USER_ATTRIB_MEMBEROF'] = "memberof"
 app.config['LDAP_GROUP_NAME_ATTRIB'] = "cn"
 app.config['LDAP_BIND_DN'] = "uid=domainjoin,cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
 app.config['LDAP_BIND_PASSWORD'] = "bulkpassword"
+app.config['LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB'] = "krbPrincipalName"
 app.config['minutes'] = 2
 app.permanent_session_lifetime=datetime.timedelta(minutes=app.config['minutes'])
 
@@ -93,7 +94,19 @@ def requires_authn_kerberos(function):
          token = ''.join(header.split()[1:])
          rc = _gssapi_authenticate(token)
          if rc == kerberos.AUTH_GSS_COMPLETE:
-            response = function(ctx.kerberos_user, *args, **kwargs)
+            # if ldap config options are set, then do kerberos -> short username resolution
+            user = ctx.kerberos_user
+            if 'LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB' in app.config:
+               user = session_ldap.get_ldap_attrib_from_krbPrincipalName(
+                  server_uri=get_next_ldap_server(app),
+                  bind_dn=app.config['LDAP_BIND_DN'],
+                  bind_pw=app.config['LDAP_BIND_PASSWORD'],
+                  search_base=app.config['LDAP_USER_BASE'],
+                  user_attrib=app.config['LDAP_USER_DISPLAY_ATTRIB'],
+                  user_krbPrincipalName=user,
+                  krbPrincipalName_attrib=app.config['LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB']
+               )
+            response = function(user, *args, **kwargs)
             response = make_response(response)
             if ctx.kerberos_token is not None:
                response.headers['WWW-Authenticate'] = ' '.join(['negotiate', ctx.kerberos_token])
@@ -131,9 +144,29 @@ def requires_authn_ldap(function):
          username = request.form['username']
          pw = request.form['password']
       #print(f"DEBUG: requires_authn_ldap with username={username} and pw={pw}")
-      ll = ldap_login(username,pw)
+      # learn dn of user
+      this_uri = get_next_ldap_server(app)
+      this_user = session_ldap.list_matching_users(
+         server_uri=this_uri,
+         bind_dn=app.config['LDAP_BIND_DN'],
+         bind_pw=app.config['LDAP_BIND_PASSWORD'],
+         user_base=app.config['LDAP_USER_BASE'],
+         username=username,
+         user_match_attrib=app.config['LDAP_USER_MATCH_ATTRIB']
+      )
+      # list_matching_users always returns list, so if it contains <> 1 we are in trouble
+      if len(this_user) != 1:
+         print(f"WARNING: cannot determine unique user for {app.config['LDAP_USER_MATCH_ATTRIB']}={username} which returned {tihs_user}")
+         return _unauthorized_ldap()
+      this_user = this_user[0]
+      print(f"DEBUG: requires_authn_ldap: found in ldap the username {this_user}")
+      ll = ldap_login(this_user,pw)
       if ll:
-         return function(ll.user,*args, **kwargs)
+         shortuser = session_ldap.get_ldap_username_attrib_from_dn(
+            authenticated_user=ll,
+            user_match_attrib=app.config['LDAP_USER_DISPLAY_ATTRIB']
+         )
+         return function(shortuser,*args, **kwargs)
       else:
          return _unauthorized_ldap()
    return decorated
@@ -185,9 +218,8 @@ def login(user="None"):
       if request.authorization:
          return redirect(url_for("login_basic"),code=307)
       return handle_login_ldap_from_non_ldap(request)
-      
-def ldap_login(username,password):
-   #print(f"DEBUG: Trying user {username} with pw '{password}'")
+
+def get_next_ldap_server(app):
    # on first ldap_login attempt, cache this lookup result:
    if 'LDAP_HOSTS' not in app.config:
       this_domain = urlparse(app.config['LDAP_URI']).hostname
@@ -205,12 +237,16 @@ def ldap_login(username,password):
    if up.port:
       this_netloc += f":{up.port}"
    this_uri = up._replace(netloc=this_netloc).geturl()
+   return this_uri
+
+def ldap_login(username,password):
+   #print(f"DEBUG: Trying user {username} with pw '{password}'")
+   this_uri = get_next_ldap_server(app)
    # Perform the ldap interactions
    user = session_ldap.authenticated_user(
-         this_uri,
-         app.config['LDAP_USER_FORMAT'],
-         username,
-         password
+         server_uri=this_uri,
+         user_dn=username,
+         password=password
       )
    if user:
       return user