[Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
Tomas Babej
tbabej at redhat.com
Thu Nov 15 12:24:26 UTC 2012
On 11/15/2012 12:41 PM, Petr Vobornik wrote:
> On 11/15/2012 11:54 AM, Tomas Babej wrote:
>> Hi,
>>
>> This is the server part of #3252.
>>
>> When a user from a realm other than FreeIPA's tries to use the Web UI
>> (login via forms-based auth or with a valid trusted realm ticket),
>> a 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
>> is returned.
>>
>> Also, support for usernames of the form user@SERVER.REALM
>> or user@server.realm was added.
>>
>> https://fedorahosted.org/freeipa/ticket/3252
>>
>> Tomas
>>
>
>> + # allows login in the form user at SERVER_REALM or
>> FIXME:user at server_realm
>
> The comment may not be clear for other people. I would be more verbose
> about the FIXME.
>
>> + parts = user.split("@")
>> + if len(parts) > 1:
>> + if parts[1].upper()==self.api.env.realm:
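Review bot: user.split("@") followed by a check of parts[1] alone does not handle a name containing more than one "@". For an input such as a@REALM@x, parts[1] matches the realm, the trailing part is ignored, and the login continues as parts[0]. Consider rejecting the name when len(parts) != 2, or splitting with user.rsplit("@", 1). A comment should also say that upper() makes the realm comparison case-insensitive on the assumption that api.env.realm is stored in upper case. Style: put spaces around ==.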
>
> I don't think we wanted to do this hard-check of realm. Personally
> I'm not against it because it's better to fail at login than at
> subsequent command (which will happen). Anyway it should be commented.
>
>> + user=parts[0]
>> + else:
>> + return self.unauthorized(environ, start_response,
>> '', 'denied')
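Review bot: the else branch returns self.unauthorized(...) with an empty detail string and, in the lines shown, nothing is logged about which realm was rejected. A log entry recording the supplied realm before the return would make denied logins from other realms visible to an administrator. If the empty string is intentional, so that the client learns nothing beyond 'denied', a comment should say so. Style: user=parts[0] needs spaces around the =.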
>
I expanded the comments, please check if you find them appropriate now.
Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0023-2-Add-detection-for-users-from-trusted-invalid-realms.patch
Type: text/x-patch
Size: 3085 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121115/1c9f7cd0/attachment.bin>