From b89bae847c0319cbafcd8a0b4d0e75c33d0d0fbe Mon Sep 17 00:00:00 2001
From: Malthe Borch
Date: Tue, 13 Sep 2016 13:11:20 +0200
Subject: [PATCH] Fix subrequest auth via request caching

---
 docs/CHANGES.txt                     |  5 +++++
 netsight/windowsauthplugin/plugin.py | 23 ++++++++++++++++-------
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/docs/CHANGES.txt b/docs/CHANGES.txt
index 8299e39..544ea65 100644
--- a/docs/CHANGES.txt
+++ b/docs/CHANGES.txt
@@ -1,6 +1,11 @@
 2.3.2 (unreleased)
 ------------------
 
+- Fix support for subrequest authentication. The credentials must be
+  cached on the parent request because the authorization ticket is
+  only valid during a limited time window.
+  [malthe]
+
 - Allow PAS plugin loading to continue in debug mode (development)
   with an error warning if the kerberos library cannot be loaded on unix.
   [fredvd]
diff --git a/netsight/windowsauthplugin/plugin.py b/netsight/windowsauthplugin/plugin.py
index 29db33f..d64f9a4 100644
--- a/netsight/windowsauthplugin/plugin.py
+++ b/netsight/windowsauthplugin/plugin.py
@@ -11,6 +11,7 @@
 
 from zExceptions import Forbidden
 from zLOG import LOG, ERROR, DEBUG, INFO
+from zope.annotation.interfaces import IAnnotations
 
 import sys
 import urlparse
@@ -34,6 +35,9 @@ import interface
 
 
 
+KEY = "netsight.windowsauthplugin.credentials"
+
+
 class WindowsauthpluginHelper( BasePlugin ):
     """Multi-plugin to do Kerberos based SSO
@@ -94,14 +98,18 @@ def authenticateCredentials( self, credentials ):
             return None
 
         request = self.REQUEST
-        response = request.RESPONSE
-        remote_host = request.getClientAddr()
 
-        # We are actually already authenticated... maybe we are in a subrequest
-        if request.get('AUTHENTICATED_USER', None) is not None:
-            username = request.AUTHENTICATED_USER.getName()
-            return username, username
+        # This request may be a subrequest which is supposed to
+        # leverage the same authentication information as the parent
+        # request.
+        request = request.get('PARENT_REQUEST', request)
+        cache = IAnnotations(request)
+        value = cache.get(KEY)
+        if value is not None:
+            return value
 
+        response = request.RESPONSE
+        remote_host = request.getClientAddr()
         ticket = credentials['ticket']
 
         if WINDOWS:
@@ -155,7 +163,8 @@ def authenticateCredentials( self, credentials ):
 
         response = request.RESPONSE
         pas_instance.updateCredentials(request, response, username, '')
-        return username, username
+        value = cache[KEY] = username, username
+        return value
 
     security.declarePrivate( 'extractCredentials' )
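Review bot: `value = cache.get(KEY)` is consulted before `credentials['ticket']` is read, so once one verification on a request has succeeded, every later call into authenticateCredentials on that request or its subrequests that gets past the guard above the hunk is answered with the cached `(username, username)` without looking at the ticket it was handed; the AUTHENTICATED_USER shortcut it replaces had the same shape, but storing the ticket alongside the result in the `@@ -155` hunk and honouring the entry only when the ticket matches would keep the cache from vouching for a ticket it never verified. The rebinding `request = request.get('PARENT_REQUEST', request)` also changes what `request.RESPONSE`, `getClientAddr()` and, in the `@@ -155` hunk, `pas_instance.updateCredentials(request, response, username, '')` operate on when a subrequest misses the cache — they now act on the parent; that is probably intended, and a comment such as `# from here on request/response are the parent's when running in a subrequest` would make it explicit. The lookup is a single step: if PARENT_REQUEST of a nested subrequest points at the intermediate request rather than the root (I cannot tell from here how it is set), the tuple stored on the root is not found and the ticket is re-presented, so walking up with `while request.get('PARENT_REQUEST') is not None: request = request['PARENT_REQUEST']` would cover that case. authenticateCredentials starts and ends outside this hunk.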