From 5a23afaeeb1c54ccfb86e20b1f35c0215635536a Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: May 04 2017 14:02:58 +0000
Subject: Make proxyuser consistent between ssl and krb


Currently, krb would expect a krb principal where ssl expects a username.
This makes krb use the username, but also accept the krb_principal for
backwards compatibility.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

---

diff --git a/koji/auth.py b/koji/auth.py
index 3cba331..105f998 100644
--- a/koji/auth.py
+++ b/koji/auth.py
@@ -328,10 +328,14 @@ class Session(object):
             login_principal = cprinc.name
         user_id = self.getUserIdFromKerberos(login_principal)
         if not user_id:
-            if context.opts.get('LoginCreatesUser'):
-                user_id = self.createUserFromKerberos(login_principal)
-            else:
-                raise koji.AuthError('Unknown Kerberos principal: %s' % login_principal)
+            user_id = self.getUserId(login_principal)
+            if not user_id:
+                # Only do autocreate if we also couldn't find by username AND the proxyuser
+                # looks like a krb5 principal
+                if context.opts.get('LoginCreatesUser') and '@' in login_principal:
+                    user_id = self.createUserFromKerberos(login_principal)
+                else:
+                    raise koji.AuthError('Unknown Kerberos principal: %s' % login_principal)
 
         self.checkLoginAllowed(user_id)
 
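Review bot: The new `self.getUserId(login_principal)` fallback runs on every Kerberos login that misses the principal table, not only when a proxyuser was supplied; the context line `login_principal = cprinc.name` shows the same variable also carries the directly authenticated principal. The name-based match should be limited to the proxy case so that an authenticated principal string is never resolved through the `users.name` column; the branch that sets `login_principal` starts outside this hunk, so confirm there how the proxy case can be told apart. The `'@' in login_principal` test only gates auto-creation, and `'Unknown Kerberos principal: %s'` is now also raised for plain usernames, which will mislead anyone reading authentication failures in the logs. I would also put a comment above the fallback, for example `# proxyuser may be a plain username (as with ssl); the principal lookup above is kept for backwards compatibility`.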
@@ -575,6 +579,19 @@ class Session(object):
         #for compatibility
         return self.host_id
 
+    def getUserId(self, username):
+        """Return the user ID associated with a particular username. If no user
+        with the given username if found, return None."""
+        c = context.cnx.cursor()
+        q = """SELECT id FROM users WHERE name = %(username)s"""
+        c.execute(q, locals())
+        r = c.fetchone()
+        c.close()
+        if r:
+            return r[0]
+        else:
+            return None
+
     def getUserIdFromKerberos(self, krb_principal):
         """Return the user ID associated with a particular Kerberos principal.
         If no user with the given princpal if found, return None."""
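Review bot: In `getUserId`, `c.execute(q, locals())` hands `self`, `c` and `q` to the database driver along with `username`; the query itself is correctly parameterized, but binding only what the statement names is more robust against later edits: `c.execute(q, {'username': username})`. The cursor is left open if `execute` or `fetchone` raises, so those two calls belong in a `try` with `c.close()` in the `finally`. The docstring should read "is found" rather than "if found". The lookup does not filter on account status and appears to rely on the `checkLoginAllowed(user_id)` call in the login path, which is worth stating in the docstring so that other callers do not treat a returned id as permission to log in.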