Ask for authentication when credentials are expired instead of redirecting

See gssapi/mod_auth_gssapi#316

Signed-off-by: Aurélien Bompard <[email protected]>

Author: abompard

flask_mod_auth_gssapi/ext.py

@@ -2,7 +2,7 @@
 import os
 
 import gssapi
-from flask import abort, current_app, g, redirect, request
+from flask import abort, current_app, g, make_response, request
 
 _log = logging.getLogger(__name__)
 
@@ -41,7 +41,7 @@ def _gssapi_check(self):
         ccache_type, _sep, ccache_location = ccache.partition(":")
         if ccache_type == "FILE" and not os.path.exists(ccache_location):
             _log.warning("Delegated credentials not found: %r", ccache_location)
-            return self._clear_session()
+            return self._authenticate()
 
         gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
         try:
@@ -59,21 +59,27 @@ def _gssapi_check(self):
             lifetime = 0
         if lifetime <= 0:
             _log.info("Credential lifetime has expired.")
-            return self._clear_session()
+            if ccache_type == "FILE":
+                try:
+                    os.remove(ccache_location)
+                except OSError as e:
+                    _log.warning(
+                        "Could not remove expired credential at %s: %s",
+                        ccache_location,
+                        e,
+                    )
+            return self._authenticate()
 
         g.gss_name = gss_name
         g.gss_creds = creds
         g.principal = gss_name.display_as(gssapi.NameType.kerberos_principal)
         g.username = g.principal.split("@")[0]
 
-    def _clear_session(self):
-        """Unset mod_auth_gssapi's session cookie and redirect to the same URL"""
-        if request.method in ("POST", "PUT", "DELETE"):
-            self.abort(
-                401, "Re-authentication is necessary, please try your request again."
-            )
-        response = redirect(request.url)
-        response.headers[current_app.config["MOD_AUTH_GSSAPI_SESSION_HEADER"]] = (
-            "MagBearerToken="
-        )
+    def _authenticate(self):
+        """Unset mod_auth_gssapi's session cookie and restart GSSAPI authentication"""
+        _log.debug("Clearing the session and asking for re-authentication.")
+        response = make_response("Re-authentication is necessary.", 401)
+        response.headers["WWW-Authenticate"] = "Negotiate"
+        session_header = current_app.config["MOD_AUTH_GSSAPI_SESSION_HEADER"]
+        response.headers[session_header] = "MagBearerToken="
         return response

tests/conftest.py

@@ -1,3 +1,5 @@
+from types import SimpleNamespace
+
 import pytest
 from flask import Flask
 
@@ -15,3 +17,16 @@ def app():
 @pytest.fixture
 def wsgi_env():
     return {"KRB5CCNAME": "/tmp/ignore", "GSS_NAME": "[email protected]"}  # noqa: S108
+
+
+@pytest.fixture
+def credential(mocker):
+    creds_factory = mocker.patch("gssapi.Credentials")
+    cred = creds_factory.return_value = SimpleNamespace(lifetime=10)
+    return cred
+
+
+@pytest.fixture
+def expired_credential(credential):
+    credential.lifetime = 0
+    return credential

tests/test_ext.py

@@ -1,10 +1,11 @@
 import logging
-from types import SimpleNamespace
+import os
+import stat
 
 import pytest
 from flask import Flask, g
 from gssapi.raw.exceptions import ExpiredCredentialsError
-from werkzeug.exceptions import Forbidden, InternalServerError, Unauthorized
+from werkzeug.exceptions import Forbidden, InternalServerError
 
 from flask_mod_auth_gssapi import FlaskModAuthGSSAPI
 
@@ -45,29 +46,17 @@ def test_no_cache(app, wsgi_env):
             assert g.username is None
 
 
-def test_expired(app, wsgi_env, caplog, mocker):
-    creds_factory = mocker.patch("gssapi.Credentials")
-    creds_factory.return_value = SimpleNamespace(lifetime=0)
+def test_expired(app, wsgi_env, caplog, expired_credential, tmp_path):
+    ccache_path = tmp_path.joinpath("ccache")
+    open(ccache_path, "w").close()  # Create the file
+    wsgi_env["KRB5CCNAME"] = f"FILE:{ccache_path.as_posix()}"
     caplog.set_level(logging.INFO)
     client = app.test_client()
     response = client.get("/someplace", environ_base=wsgi_env)
-    assert response.status_code == 302
-    assert response.headers["location"] == "http://localhost/someplace"
+    assert response.status_code == 401
+    assert response.headers["www-authenticate"] == "Negotiate"
     assert caplog.messages == ["Credential lifetime has expired."]
-
-
-def test_expired_unsafe_method(app, wsgi_env, mocker):
-    creds_factory = mocker.patch("gssapi.Credentials")
-    creds_factory.return_value = SimpleNamespace(lifetime=0)
-    with app.test_request_context("/someplace", method="POST", environ_base=wsgi_env):
-        with pytest.raises(Unauthorized) as excinfo:
-            app.preprocess_request()
-            assert g.principal is None
-            assert g.username is None
-    assert (
-        excinfo.value.description
-        == "Re-authentication is necessary, please try your request again."
-    )
+    assert not os.path.exists(ccache_path)
 
 
 def test_expired_exception(app, wsgi_env, mocker, caplog):
@@ -85,14 +74,29 @@ def lifetime(self):
         response = client.get("/someplace", environ_base=wsgi_env)
     except ExpiredCredentialsError:
         pytest.fail("Did not catch ExpiredCredentialsError on cred.lifetime")
-    assert response.status_code == 302
-    assert response.headers["location"] == "http://localhost/someplace"
+    assert response.status_code == 401
+    assert response.headers["www-authenticate"] == "Negotiate"
     assert caplog.messages == ["Credential lifetime has expired."]
 
 
-def test_nominal(app, wsgi_env, mocker):
-    creds_factory = mocker.patch("gssapi.Credentials")
-    creds_factory.return_value = SimpleNamespace(lifetime=10)
+def test_expired_cant_remove(app, wsgi_env, caplog, expired_credential, tmp_path):
+    ccaches_dir = tmp_path.joinpath("ccaches")
+    os.makedirs(ccaches_dir)
+    ccache_path = ccaches_dir.joinpath("ccache")
+    open(ccache_path, "w").close()  # Create the file
+    os.chmod(ccaches_dir, stat.S_IRUSR | stat.S_IXUSR)  # Prevent writing to this dir
+    wsgi_env["KRB5CCNAME"] = f"FILE:{ccache_path.as_posix()}"
+    client = app.test_client()
+    response = client.get("/someplace", environ_base=wsgi_env)
+    assert response.status_code == 401
+    assert response.headers["www-authenticate"] == "Negotiate"
+    assert caplog.messages == [
+        f"Could not remove expired credential at {ccache_path.as_posix()}: "
+        f"[Errno 13] Permission denied: '{ccache_path.as_posix()}'"
+    ]
+
+
+def test_nominal(app, wsgi_env, credential):
     with app.test_request_context("/", environ_base=wsgi_env):
         app.preprocess_request()
         assert g.principal == "[email protected]"
@@ -122,6 +126,6 @@ def test_ccache_not_found(app, wsgi_env, caplog, mocker):
     # caplog.set_level(logging.INFO)
     client = app.test_client()
     response = client.get("/someplace", environ_base=wsgi_env)
-    assert response.status_code == 302
-    assert response.headers["location"] == "http://localhost/someplace"
+    assert response.status_code == 401
+    assert response.headers["www-authenticate"] == "Negotiate"
     assert caplog.messages == ["Delegated credentials not found: '/tmp/does-not-exist'"]