[Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate
Alexander Bokovoy
abokovoy at redhat.com
Fri Aug 5 13:19:37 UTC 2016
On Fri, 05 Aug 2016, Tibor Dudlak wrote:
>Hi,
>
>I have extended my previous patch for authentication with user
>certificate/smartcard. This patch includes patches and plugin described
>here: http://www.freeipa.org/page/V4/External_Authentication/Setup
>Page also contains steps to configure and test this feature. Once this
>patch is merged and released we will simplify this page to not confuse
>customers.
>Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764
>
>Thanks.
>
>--
>Tibor Dudlák
>Intern - Identity management Special Projects
>Red Hat
>From e22843f6ab1556528b307951fbcc2476a61a417f Mon Sep 17 00:00:00 2001
>From: Tiboris <tibor.dudlak at gmail.com>
>Date: Fri, 5 Aug 2016 11:47:06 +0200
>Subject: [PATCH] Added support for authentication with user certificate
>
>https://fedorahosted.org/freeipa/ticket/5764
>---
> freeipa.spec.in | 5 +
> install/conf/ipa.conf | 14 +++
> install/ui/src/freeipa/plugins/cert_auth.js | 179 ++++++++++++++++++++++++++++
> ipaserver/plugins/xmlserver.py | 3 +-
> ipaserver/rpcserver.py | 5 +
> 5 files changed, 205 insertions(+), 1 deletion(-)
> create mode 100644 install/ui/src/freeipa/plugins/cert_auth.js
>
>diff --git a/freeipa.spec.in b/freeipa.spec.in
>index 135e9c980011c6c2730c6c29a3c22098e48270d5..2b95b83613ca3720c95f255f7f64dc029195452c 100644
>--- a/freeipa.spec.in
>+++ b/freeipa.spec.in
>@@ -817,6 +817,8 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
>
> # Web UI plugin dir
> mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
>+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
>+install install/ui/src/freeipa/plugins/cert_auth.js %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
>
> # DNSSEC config
> mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
>@@ -1210,6 +1212,9 @@ fi
> %{_usr}/share/ipa/ui/js/freeipa/app.js
> %{_usr}/share/ipa/ui/js/freeipa/core.js
> %dir %{_usr}/share/ipa/ui/js/plugins
>+%dir %{_usr}/share/ipa/ui/js/plugins-dist
>+%dir %{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
>+%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
Can you rename plugins-dist to something like 'plugins.d'?
This would be more in line with other parts where multiple additions
supposed to come and also in line with other projects where a drop-in
directory is supported.
> %dir %{_usr}/share/ipa/ui/images
> %{_usr}/share/ipa/ui/images/*.jpg
> %{_usr}/share/ipa/ui/images/*.png
>diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
>index 3e7435903b2ad8c4ae5bfc48c0c9fca733757d5d..c37819ff2bd2c045404a383631435ad6c24fdaa3 100644
>--- a/install/conf/ipa.conf
>+++ b/install/conf/ipa.conf
>@@ -77,6 +77,20 @@ WSGIScriptReloading Off
> Header always append Content-Security-Policy "frame-ancestors 'none'"
> </Location>
>
>+# Login with user certificate/smartcard configuration
>+<Location "/ipa/session/login_x509">
>+ AuthType none
>+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
>+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
>+ GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
>+ GssapiImpersonate On
>+ NSSVerifyClient require
>+ NSSUserName SSL_CLIENT_CERT
>+ LookupUserByCertificate On
>+ WSGIProcessGroup ipa
>+ WSGIApplicationGroup ipa
>+</Location>
>+
> # Turn off Apache authentication for sessions
> <Location "/ipa/session/json">
> Satisfy Any
>diff --git a/install/ui/src/freeipa/plugins/cert_auth.js b/install/ui/src/freeipa/plugins/cert_auth.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..282883d6fe82258405afb167dd61b5d6b0f1a7bd
>--- /dev/null
>+++ b/install/ui/src/freeipa/plugins/cert_auth.js
>@@ -0,0 +1,179 @@
>+/* Authors:
>+ * Petr Vobornik <pvoborni at redhat.com>
>+ * Tibor Dudlák <tdudlak at redhat.com>
>+ *
>+ * Copyright (C) 2016 Red Hat
>+ * see file 'COPYING' for use and warranty information
>+ *
>+ * This program is free software; you can redistribute it and/or modify
>+ * it under the terms of the GNU General Public License as published by
>+ * the Free Software Foundation, either version 3 of the License, or
>+ * (at your option) any later version.
>+ *
>+ * This program is distributed in the hope that it will be useful,
>+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ * GNU General Public License for more details.
>+ *
>+ * You should have received a copy of the GNU General Public License
>+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
>+*/
>+/*
>+ Plugin to add a button with aside text to FreeiPA login screen
>+
>+ Tested against FreeIPA 4.4
>+
>+ Limitation: only one such plugin can be installed - one can override
>+ functionality of the other
>+ */
>+
>+// we can also depend on other plugin
>+define([
>+ 'dojo/Deferred',
>+ 'dojo/dom-construct',
>+ 'dojo/_base/declare',
>+ 'freeipa/jquery',
>+ 'freeipa/_base/Spec_mod',
>+ 'freeipa/ipa',
>+ 'freeipa/auth',
>+ 'freeipa/phases',
>+ 'freeipa/reg',
>+ 'freeipa/plugins/login',
>+ 'freeipa/widgets/LoginScreen',
>+ ],
>+ function(Deferred, construct, declare, $, SpecMod, IPA, auth, phases,
>+ reg, mod_login, LoginScreen) {
>+
>+
>+var exp = {}; // module object (export)
>+
>+exp.CustomLoginScreen = declare([LoginScreen], {
>+
>+ crtauth_btn_node: null,
>+
>+ auth_failed: "Authentication with personal certificate failed",
>+
>+ msg: "<p><i class=\"fa fa-info-circle\"></i> To login with <strong>Smart Card</strong>," +
>+ "please make sure you have valid personal certificate. </p>",
>+
>+ login_url: '/ipa/session/login_x509',
>+
>+ render_buttons: function(container) {
>+ // add button node to DOM
>+ this.crtauth_btn_node = IPA.button({
>+ name: 'crtauth',
>+ title:"Login using personal certificate",
>+ label: "Smart Card Login",
>+ button_class: 'btn btn-link',
>+ click: this.crt_login.bind(this)
>+ })[0];
>+
>+ // similar to jquery.append(node, container)
>+ construct.place(this.crtauth_btn_node, container);
>+ construct.place(document.createTextNode(" "), container);
>+
>+ // call base class method to create other buttons
>+ this.inherited(arguments);
>+ },
>+
>+ crt_login: function() {
>+ // add custom auth login here
>+ this.lookup_credentials().then(function(status) {
>+ if (status === 200) {
>+ this.emit('logged_in');
>+ } else {
>+ var val_summary = this.get_widget('validation');
>+ val_summary.add_error('login', this.auth_failed);
>+ }
>+ }.bind(this));
>+ },
>+
>+ lookup_credentials: function() {
>+ var status;
>+ var d = new Deferred();
>+
>+ function error_handler(xhr, text_status, error_thrown) {
>+ d.resolve(xhr.status);
>+ IPA.hide_activity_icon();
>+ }
>+
>+ function success_handler(data, text_status, xhr) {
>+ auth.current.set_authenticated(true, 'kerberos');
>+ d.resolve(xhr.status);
>+ IPA.hide_activity_icon();
>+ }
>+
>+ var request = {
>+ url: this.login_url,
>+ cache: false,
>+ type: "GET",
>+ success: success_handler,
>+ error: error_handler
>+ };
>+ IPA.display_activity_icon();
>+ $.ajax(request);
>+
>+ return d.promise;
>+ },
>+
>+ show_login_view: function() {
>+
>+ this.inherited(arguments);
>+ // make sure that crtauth button is also shown when switching from sync form
>+ // a bit of hack because, we need to use the exact buttons which were defined
>+ // in original LoginScreen -> does't scale if some button is added in later
>+ // versions
>+ this.set_visible_buttons(['crtauth', 'sync', 'login']);
>+ },
>+
>+ set_login_aside_text: function() {
>+ // allow to set aside text (the text on right side with help text)
>+
>+ // generate original
>+ this.inherited(arguments);
>+
>+ // add own
>+ var aside = this.aside;
>+ aside += this.msg;
>+ this.set('aside', aside);
>+
>+ //alternative solution:
>+ // $(this.aside_node).append($("<p/>", { text: "My text"}));
>+ }
>+});
>+
>+
>+exp.replace_login_screen_spec = function(entity) {
>+
>+ var mod = new SpecMod();
>+
>+ var diff = {
>+ $replace: [
>+ [
>+ 'widgets',
>+ [[{ name: 'login_screen'},
>+ {
>+ $type: 'custom_login_screen',
>+ name: 'login_screen'
>+ }]]
>+ ]
>+ ]
>+ };
>+ mod.mod(mod_login.facet_spec, diff);
>+};
>+
>+exp.override = function() {
>+
>+ exp.replace_login_screen_spec();
>+};
>+
>+exp.register = function() {
>+ var w = reg.widget;
>+ w.register('custom_login_screen', exp.CustomLoginScreen );
>+};
>+
>+phases.on('registration', exp.register);
>+phases.on('customization', exp.override);
>+
>+return exp;
>+});
>diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
>index d8fe24e0cb407603e9898e934229c9373f3c8b62..1843c0568543951f2c817616d9e988deaab47056 100644
>--- a/ipaserver/plugins/xmlserver.py
>+++ b/ipaserver/plugins/xmlserver.py
>@@ -28,12 +28,13 @@ register = Registry()
>
>
> if api.env.context in ('server', 'lite'):
>- from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
>+ from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_x509, login_password, change_password, sync_token, xmlserver_session
> register()(wsgi_dispatch)
> register()(xmlserver)
> register()(jsonserver_kerb)
> register()(jsonserver_session)
> register()(login_kerberos)
>+ register()(login_x509)
> register()(login_password)
> register()(change_password)
> register()(sync_token)
>diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
>index d036f3c27521f17709672b830d5aa58167c76b34..a181ecfcb1d01b1c2dd5ee6cb9721d69be8c1863 100644
>--- a/ipaserver/rpcserver.py
>+++ b/ipaserver/rpcserver.py
>@@ -876,6 +876,11 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
>
> return self.finalize_kerberos_acquisition('login_kerberos', user_ccache_name, environ, start_response)
>
>+
>+class login_x509(login_kerberos, KerberosSession, HTTP_Status):
>+ key = '/session/login_x509'
>+
>+
> class login_password(Backend, KerberosSession, HTTP_Status):
>
> content_type = 'text/plain'
>--
>2.7.4
>
>--
>Manage your subscription for the Freeipa-devel mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-devel
>Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list