Kerberised CGI Wrapper for Aquilon
#!/bin/env python2 | |
import cgi
import errno
import select
import socket
import sys
import time
from os import environ
# Unix-domain socket the CGI connects to.  The request is relayed over it
# after a "CREDS:/REMOTE_IP:/REMOTE_PORT:/END" preamble (see below); the
# listener on the other side is presumably knc, judging by the name.
KNC_SOCKET_PATH = '/var/quattor/run/sockets/kncsock'
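def recv_timeout(the_socket, timeout=2):
    """Read everything the peer sends on *the_socket*, with an idle timeout.

    The socket is put into non-blocking mode and waited on with select(),
    so the loop sleeps instead of spinning on EWOULDBLOCK.  Reading stops
    when one of the following happens:

    * the peer shuts down its side (``recv`` returns an empty string) --
      for Aquilon this is what marks the end of the message;
    * some data has arrived and the stream has been idle for ``timeout``
      seconds;
    * nothing at all has arrived within ``2 * timeout`` seconds.

    Socket errors other than "would block" end the read with whatever has
    been collected so far instead of being silently ignored.

    Args:
        the_socket: a connected socket.socket; it is left non-blocking.
        timeout: idle time, in seconds, after which collected data is
            returned.

    Returns:
        The concatenated chunks as a byte string (``str`` on Python 2,
        ``bytes`` on Python 3); empty if nothing was received.
    """
    the_socket.setblocking(0)
    chunks = []
    begin = time.time()
    while True:
        elapsed = time.time() - begin
        # Once something has arrived the budget is one timeout of silence;
        # with nothing at all we wait twice as long for the first byte.
        budget = timeout if chunks else timeout * 2
        if elapsed > budget:
            break
        readable, _, _ = select.select([the_socket], [], [],
                                       max(budget - elapsed, 0))
        if not readable:
            continue
        try:
            data = the_socket.recv(8192)
        except socket.error as exc:
            # Spurious wake-up: nothing to read yet, keep waiting.
            if exc.errno in (errno.EAGAIN, errno.EWOULDBLOCK):
                continue
            break
        if not data:
            # Orderly shutdown by the peer: the response is complete.
            break
        chunks.append(data)
        # Idle time is measured from the most recent chunk.
        begin = time.time()
    return b''.join(chunks)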
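def _emit(line):
    """Write one line of the CGI response followed by a newline."""
    sys.stdout.write(line + "\n")


def _relay(data):
    """Translate a raw HTTP response read from the socket into CGI output.

    *data* is the non-empty byte string returned by recv_timeout().  A CGI
    script does not emit an HTTP status line; the upstream status is passed
    on with a ``Status:`` header instead (Apache assumes 200 when it is
    absent), so non-200 answers no longer produce an empty response that
    Apache turns into a 500.  Header lines are copied through up to the
    first blank line, except that a Content-Type header is replaced with
    text/plain (twisted sends text/http, which is awkward for JavaScript).
    The body is copied verbatim.
    """
    lines = data.splitlines()
    status = lines[0].split(None, 1)
    if len(status) != 2 or not status[0].upper().startswith('HTTP/'):
        # Not an HTTP response at all (e.g. an error string from the
        # socket side): report an upstream failure rather than emitting
        # lines Apache cannot parse as headers.
        _emit("Status: 502 Bad Gateway")
        _emit("Content-Type: text/plain")
        _emit("cache-control: private, max-age=0, no-cache")
        _emit("")
        _emit(data)
        return
    _emit("Status: %s" % status[1])
    _emit("cache-control: private, max-age=0, no-cache")
    in_headers = True
    for l in lines[1:]:
        if in_headers and not l.strip():
            # Blank line ends the header block; leave the body untouched.
            in_headers = False
        if in_headers and "content-type" in l.lower():
            _emit("Content-Type: text/plain")
        else:
            _emit(l)


if environ.get('AUTH_TYPE') == 'Negotiate':
    script_name = environ['SCRIPT_NAME']
    uri = environ['REQUEST_URI']
    # Strip the script's own mount point as a *prefix* only; str.replace()
    # would also delete any later occurrence, e.g. inside the query string.
    if uri.startswith(script_name):
        uri = uri[len(script_name):]
    request = "%s %s %s" % (
        environ['REQUEST_METHOD'],
        uri,
        'HTTP/1.0',  # HTTP/1.0 for GET, HTTP/1.1 for PUT?
    )
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(KNC_SOCKET_PATH)
        # Preamble consumed on the far side before the HTTP request proper.
        # REMOTE_USER is the identity the web server established with
        # Negotiate; it is forwarded as-is, so this script must only be
        # reachable through the authenticated location.  sendall() is used
        # because send() may write only part of a buffer.
        s.sendall("CREDS:%s\n" % (environ['REMOTE_USER']))
        s.sendall("REMOTE_IP:%s\n" % (environ['REMOTE_ADDR']))
        s.sendall("REMOTE_PORT:%s\n" % (environ['REMOTE_PORT']))
        s.sendall("END\n")
        s.sendall(request + "\r\n\r\n")
        data = recv_timeout(s, 1)
    finally:
        # Closed even if connect()/sendall() raise; previously the socket
        # leaked on any error.
        s.close()
    if data:
        _relay(data)
    else:
        _emit("Content-Type: text/plain")
        _emit("cache-control: private, max-age=0, no-cache")
        # The blank line terminates the CGI header block; without it Apache
        # treats "No data" as a malformed header and answers 500.
        _emit("")
        _emit("No data")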
LoadModule env_module modules/mod_env.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost "*:443">
    # Every .py under this host is executed as CGI wherever ExecCGI is on.
    AddHandler cgi-script .py
    SSLEngine on
    # "all -SSLv2" still permits SSLv3 and TLS 1.0; consider also disabling
    # SSLv3 where the client population allows it.
    SSLProtocol all -SSLv2
    # RC4 and the MEDIUM group are weak by current standards; prefer a
    # HIGH-only list if the clients support it.
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-LOW
    SSLCertificateFile "/etc/grid-security/hostcert.pem"
    SSLCertificateKeyFile "/etc/grid-security/hostkey.pem"
    SSLCACertificatePath "/etc/grid-security/certificates"
    # Exposes the SSL_* variables to the CGI environment.
    SSLOptions +StdEnvVars
</VirtualHost>
# The CGI wrapper forwards REMOTE_USER as the caller's identity, so it must
# only be served from this authenticated location.
<Location /private>
    Options +ExecCGI
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    # No Basic-auth fallback: Kerberos passwords are never sent to the server.
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/aquilon/http.keytab
    require valid-user
    ErrorDocument 401 /auth-error.php
</Location>