changeset 6053:380dec305c28

Add config option 'http_auth_convert_realm_to_lowercase'
author Ralf Schlatterbeck <rsc@runtux.com>
date Mon, 13 Jan 2020 09:36:40 +0100
parents 302eceff0c49
children ffaf89a4a9d9
files CHANGES.txt roundup/cgi/client.py roundup/configuration.py
diffstat 3 files changed, 26 insertions(+), 1 deletions(-) [+]
--- a/CHANGES.txt	Sun Jan 12 19:28:46 2020 +0000
+++ b/CHANGES.txt	Mon Jan 13 09:36:40 2020 +0100
@@ -40,6 +40,16 @@
   (current 4.4.1). The pull request has been around for a
   while. (Patch: Paul Spooren; templates merged by Christof Meerwald;
   other merged by John Rouillard)
+- Add config option 'http_auth_convert_realm_to_lowercase'
+  If usernames consist of a name and a domain/realm part of the form
+  user@realm and we're using REMOTE_USER for authentication (e.g. via
+  Kerberos), convert the realm part of the incoming REMOTE_USER to
+  lowercase before matching against the roundup username. This allows
+  roundup usernames to be lowercase (including the realm) and still
+  follow the Kerberos convention of using an uppercase realm. In
+  addition this is compatible with Active Directory which stores the
+  username with realm as UserPrincipalName in lowercase.
+
 
 Fixed:
 
--- a/roundup/cgi/client.py	Sun Jan 12 19:28:46 2020 +0000
+++ b/roundup/cgi/client.py	Mon Jan 13 09:36:40 2020 +0100
@@ -1001,10 +1001,14 @@
 
         user = None
         # first up, try http authorization if enabled
-        if self.instance.config['WEB_HTTP_AUTH']:
+        cfg = self.instance.config
+        if cfg.WEB_HTTP_AUTH:
             if 'REMOTE_USER' in self.env:
                 # we have external auth (e.g. by Apache)
                 user = self.env['REMOTE_USER']
+                if cfg.WEB_HTTP_AUTH_CONVERT_REALM_TO_LOWERCASE and '@' in user:
+                    u, d = user.split ('@', 1)
+                    user = '@'.join ((u, d.lower()))
             elif self.env.get('HTTP_AUTHORIZATION', ''):
                 # try handling Basic Auth ourselves
                 auth = self.env['HTTP_AUTHORIZATION']
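Review bot: The realm is lowercased with `str.lower()` on the new `user = '@'.join ((u, d.lower()))` line, which applies full Unicode case mapping, so realms that differ only in non-ASCII letters (U+212A KELVIN SIGN vs `K`, Turkish dotted `İ`) can collapse onto the same roundup username; even for ASCII, Kerberos realms are case-sensitive, so `user@EXAMPLE.COM` and `user@example.com` become one roundup account once the option is on. That is presumably only safe where the authenticating web server can never present two realms differing by case (single realm, no cross-realm trust of that shape), and nothing in the code records that assumption. I would confine the conversion to ASCII realms so anything else is passed through unchanged, `realm = d.lower() if all(ord(c) < 128 for c in d) else d` / `user = '@'.join((u, realm))`, preceded by a comment such as `# NOTE: lookup becomes many-to-one on the realm part; only enable with a single (or case-unambiguous) realm`. The `split ('@', 1)` / `join (...)` spacing also departs from the file's call style on the neighbouring lines. The enclosing method starts before this hunk.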
--- a/roundup/configuration.py	Sun Jan 12 19:28:46 2020 +0000
+++ b/roundup/configuration.py	Mon Jan 13 09:36:40 2020 +0100
@@ -828,6 +828,17 @@
             "variables supplied by your web server (in that order).\n"
             "Set this option to 'no' if you do not wish to use HTTP Basic\n"
             "Authentication in your web interface."),
+        (BooleanOption, 'http_auth_convert_realm_to_lowercase', "no",
+            "If usernames consist of a name and a domain/realm part of\n"
+            "the form user@realm and we're using REMOTE_USER for\n"
+            "authentication (e.g. via Kerberos), convert the realm part\n"
+            "of the incoming REMOTE_USER to lowercase before matching\n"
+            "against the roundup username. This allows roundup usernames\n"
+            "to be lowercase (including the realm) and still follow the\n"
+            "Kerberos convention of using an uppercase realm. In\n"
+            "addition this is compatible with Active Directory which\n"
+            "stores the username with realm as UserPrincipalName in\n"
+            "lowercase."),
         (IntegerNumberGeqZeroOption, 'login_attempts_min', "3",
             "Limit login attempts per user per minute to this number.\n"
             "By default the 4th login attempt in a minute will notify\n"
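Review bot: The help text for `http_auth_convert_realm_to_lowercase` does not say what the option costs: matching of the realm part becomes case-insensitive, so principals whose realm differs only in case resolve to the same roundup user, which is fine for one realm but not where several case-distinct realms could reach the tracker. It also only applies to the `REMOTE_USER` path; credentials that roundup parses itself from `HTTP_AUTHORIZATION` are not converted, and an administrator reading only this text would expect otherwise. I would end the description with two sentences along the lines of `Only the realm of REMOTE_USER is converted; HTTP Basic Authentication handled by roundup itself is unaffected.` and `Enable this only if no two realms accepted by your web server differ solely in letter case, since they would map to the same roundup user.`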
