From 5a23afaeeb1c54ccfb86e20b1f35c0215635536a Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: May 04 2017 14:02:58 +0000 Subject: Make proxyuser consistent between ssl and krb Currently, krb would expect a krb principal where ssl expects a username. This makes krb use the username, but also accept the krb_principal for backwards compatibility. Signed-off-by: Patrick Uiterwijk --- diff --git a/koji/auth.py b/koji/auth.py index 3cba331..105f998 100644 --- a/koji/auth.py +++ b/koji/auth.py @@ -328,10 +328,14 @@ class Session(object): login_principal = cprinc.name user_id = self.getUserIdFromKerberos(login_principal) if not user_id: - if context.opts.get('LoginCreatesUser'): - user_id = self.createUserFromKerberos(login_principal) - else: - raise koji.AuthError('Unknown Kerberos principal: %s' % login_principal) + user_id = self.getUserId(login_principal) + if not user_id: + # Only do autocreate if we also couldn't find by username AND the proxyuser + # looks like a krb5 principal + if context.opts.get('LoginCreatesUser') and '@' in login_principal: + user_id = self.createUserFromKerberos(login_principal) + else: + raise koji.AuthError('Unknown Kerberos principal: %s' % login_principal) self.checkLoginAllowed(user_id) @@ -575,6 +579,19 @@ class Session(object): #for compatibility return self.host_id + def getUserId(self, username): + """Return the user ID associated with a particular username. If no user + with the given username if found, return None.""" + c = context.cnx.cursor() + q = """SELECT id FROM users WHERE name = %(username)s""" + c.execute(q, locals()) + r = c.fetchone() + c.close() + if r: + return r[0] + else: + return None + def getUserIdFromKerberos(self, krb_principal): """Return the user ID associated with a particular Kerberos principal. If no user with the given princpal if found, return None."""
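Review bot: The proxyuser string is now resolved against two namespaces in turn, `getUserIdFromKerberos(login_principal)` and then `getUserId(login_principal)`, and nothing in this hunk covers the case where the same string is one account's Kerberos principal and a different account's username. Which identity the proxy logs in as then depends silently on lookup order; a comment above the fallback such as `# principal match takes precedence over username match` would record that choice, and the overlap should be rejected at user creation if the schema does not already prevent it (not visible here). The `'@' in login_principal` test is only a loose shape check, so a constructed value like `user@` would still reach `createUserFromKerberos` unless that function validates the principal itself. The `AuthError` text still says 'Unknown Kerberos principal' although the value may now be a plain username. The enclosing login method starts and ends outside the hunk.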
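Review bot: In the new `getUserId`, `c.execute(q, locals())` hands every local to the driver as bind parameters, including `self` and the cursor `c`, not just the username. The query is correctly parameterized, but `c.execute(q, {'username': username})` makes the single bound input explicit and does not depend on how the driver treats unused keys. The cursor is also left open if `execute` or `fetchone` raises; putting those two calls in a `try:` with `c.close()` in the `finally:` would release it on the error path too. In the docstring, "if found" should read "is found".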