wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
goauthentik · rissson · Feb 29, 2024 · Feb 29, 2024 · Feb 29, 2024 · Feb 29, 2024
commit 6a1e1935062f0cb30bbf172faf8fe788c0dea95c
@@ -1,114 +1,114 @@
 """authentik Kerberos Authentication Backend"""

 import gssapi
 from django.http import HttpRequest
 from structlog.stdlib import get_logger

 from authentik.core.auth import InbuiltBackend
 from authentik.core.models import User
 from authentik.lib.generators import generate_id
 from authentik.sources.kerberos.models import (
    KerberosSource,
    Krb5ConfContext,
    UserKerberosSourceConnection,
 )

 LOGGER = get_logger()


 class KerberosBackend(InbuiltBackend):
    """Authenticate users against Kerberos realm"""

    def authenticate(self, request: HttpRequest, **kwargs):
        """Try to authenticate a user via kerberos"""
        if "password" not in kwargs or "username" not in kwargs:
            return None
        username = kwargs.pop("username")
        realm = None
        if "@" in username:
            username, realm = username.rsplit("@", 1)

        user, source = self.auth_user(username, realm, **kwargs)
        if user:
            self.set_method("kerberos", request, source=source)
            return user
        return None

    def auth_user(
        self, username: str, realm: str | None, password: str, **filters
    ) -> tuple[User | None, KerberosSource | None]:
        sources = KerberosSource.objects.filter(enabled=True, password_login_enabled=True)
        user = User.objects.filter(usersourceconnection__source__in=sources, **filters).first()

        if user is not None:
            # User found, let's get its connections for the sources that are available
            user_source_connections = UserKerberosSourceConnection.objects.filter(
                user=user, source__in=sources
             )
         elif realm is not None:
             user_source_connections = UserKerberosSourceConnection.objects.filter(
-                source__in=sources, identifier__iexact=f"{username}@{realm}"
+                source__in=sources, identifier=f"{username}@{realm}"
             )
         # no realm specified, we can't do anything
         else:
            user_source_connections = UserKerberosSourceConnection.objects.none()

        if not user_source_connections.exists():
            LOGGER.debug("no kerberos source found for user", username=username)
            return None, None

        for user_source_connection in user_source_connections.prefetch_related().select_related(
            "source__kerberossource"
        ):
            # User either has an unusable password,
            # or has a password, but couldn't be authenticated by ModelBackend
            # This means we check with a kinit to see if the Kerberos password has changed
            if self.auth_user_by_kinit(user_source_connection, password):
                # Password was successful in kinit to Kerberos, so we save it in database
                LOGGER.debug(
                    "Updating user's password in DB",
                    source=user_source_connection.source,
                    user=user_source_connection.user,
                )
                if (
                    user_source_connection.source.kerberossource.password_login_update_internal_password
                ):
                    user_source_connection.user.set_password(password)
                    user_source_connection.user.save()
                return user, user_source_connection.source
            # Password doesn't match, onto next source
            LOGGER.debug(
                "failed to kinit, password invalid",
                source=user_source_connection.source,
                user=user_source_connection.user,
            )
        # No source with valid password found
        LOGGER.debug("no valid kerberos source found for user", user=user)
        return None, None

    def auth_user_by_kinit(
        self, user_source_connection: UserKerberosSourceConnection, password: str
    ) -> bool:
        """Attempt authentication by kinit to the source."""
        LOGGER.debug(
            "Attempting to kinit as user",
            user=user_source_connection.user,
            source=user_source_connection.source,
            principal=user_source_connection.identifier,
        )

        with Krb5ConfContext(user_source_connection.source.kerberossource):
            name = gssapi.raw.import_name(
                user_source_connection.identifier.encode(), gssapi.raw.NameType.kerberos_principal
            )
            try:
                # Use a temporary credentials cache to not interfere with whatever is defined
                # elsewhere
                gssapi.raw.ext_krb5.krb5_ccache_name(f"MEMORY:{generate_id(12)}".encode())
                gssapi.raw.ext_password.acquire_cred_with_password(name, password.encode())
                # Restore the credentials cache to what it was before
                gssapi.raw.ext_krb5.krb5_ccache_name(None)
                return True
            except gssapi.exceptions.GSSError as exc:
                LOGGER.warning("failed to kinit", exc=exc)
        return False
@@ -33,88 +33,88 @@
    manager: PropertyMappingManager

    def __init__(self, source: KerberosSource):
        self._source = source
        self._connection = self._source.connection()
        self._messages = []
        self._logger = get_logger().bind(source=self._source, syncer=self.__class__.__name__)
        self.mapper = SourceMapper(self._source)
        self.manager = self.mapper.get_manager(User, ["principal"])

    @staticmethod
    def name() -> str:
        """UI name for the type of object this class synchronizes"""
        return "users"

    @property
    def messages(self) -> list[str]:
        """Get all UI messages"""
        return self._messages

    def message(self, *args, **kwargs):
        """Add message that is later added to the System Task and shown to the user"""
        formatted_message = " ".join(args)
        self._messages.append(formatted_message)
        self._logger.warning(*args, **kwargs)

    def _sync_principal(self, principal: str) -> bool:
        try:
            defaults = self.mapper.build_object_properties(
                object_type=User, manager=self.manager, user=None, request=None, principal=principal
            )
            self._logger.debug("Writing user with attributes", **defaults)
            if "username" not in defaults:
                raise IntegrityError("Username was not set by propertymappings")
            ak_user, created = self.update_or_create_user(principal, defaults)
        except PropertyMappingExpressionException as exc:
            raise StopSync(exc, None, exc.mapping) from exc
        except SkipObjectException:
            return False
        except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
            Event.new(
                EventAction.CONFIGURATION_ERROR,
                message=(f"Failed to create user: {str(exc)} "),
                source=self._source,
                principal=principal,
            ).save()
            return False
        self._logger.debug("Synced User", user=ak_user.username, created=created)
        return True

    def update_or_create_user(self, principal: str, data: dict[str, Any]) -> tuple[User, bool]:
        """
        Same as django's update_or_create but correctly update attributes by merging dicts,
         and create a UserKerberosSourceConnection object if needed
         """
         user_source_connection = UserKerberosSourceConnection.objects.filter(
-            source=self._source, identifier__iexact=principal
+            source=self._source, identifier=principal
         ).first()
 
         # TODO: handle groups

        # User doesn't exists
        if not user_source_connection:
            with transaction.atomic():
                user = User.objects.create(**data)
                if user.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
                    user.set_unusable_password()
                    user.save()
                user_source_connection = UserKerberosSourceConnection.objects.create(
                    source=self._source, user=user, identifier=principal
                )
            return user, True

        user_source_connection.user.update_attributes(data)
        return user_source_connection.user, False

    def sync(self) -> int:
        """Iterate over all Kerberos users and create authentik_core.User instances"""
        if not self._source.enabled or not self._source.sync_users:
            self.message("Source is disabled or user syncing is disabled for this Source")
            return -1

        user_count = 0
        with Krb5ConfContext(self._source):
            for principal in self._connection.principals():
                if self._sync_principal(principal):
                    user_count += 1
        return user_count