Feature #240

[PATCH] - SSL Client Certificate Authentication module

Added by over 12 years ago. Updated about 3 years ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date:
Due date:
% Done: 0%
Resolution:

Description

Hi

Here is a patch to use an SSL client certificate to authenticate the user. The username should be equal to the user certificate CN (the full DN is too long to be used; the login field is limited to 32 characters).

Limitations:
  • Currently only tested in an SSL mod_python setup
  • Needs SSLOptions +StdEnvVars
  • Used with Python 2.3

In prewikka.conf

[auth ssl]

And this file in a new directory prewikka/modules/auth/ssl/

# Copyright (C) 2006 [[PreludeIDS]] Technologies. All Rights Reserved.
# Author: Francois Harvey <fharvey+prelude at securiweb dot net>
#
# This file is part of the Prewikka program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.

import os

from prewikka import Auth, User, Database

# Use the SSL_CLIENT_S_DN_CN from a SSL x509 Certificate to map the user
class SSLAuth(Auth.Auth):
    def getUser(self, request):
        if not request._req.subprocess_env['HTTPS']:
                raise Auth.AuthError(message=_("SSL Authentication failed: Not in a SSL session."))
        user = request._req.subprocess_env['SSL_CLIENT_S_DN_CN']
        if not user:
            raise Auth.AuthError(message=_("SSL Authentication failed: no user specified (hint: look at the certificate CN)."))

        return User.User(self.db, user, self.db.getLanguage(user), User.ALL_PERMISSIONS, self.db.getConfiguration(user))

def load(env, config):
    return SSLAuth(env)
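
Review bot: in getUser, the certificate CN is accepted on presence alone and the resulting user is created with User.ALL_PERMISSIONS, so whether a login succeeds and what it may do both depend entirely on how Apache is configured to verify client certificates. With +StdEnvVars, mod_ssl also exports SSL_CLIENT_VERIFY; requiring it to equal SUCCESS before reading SSL_CLIENT_S_DN_CN would keep the module from accepting a CN from a certificate that was presented but not validated, and the permission set should come from per-user configuration rather than being granted wholesale. Two smaller points in the same function: `subprocess_env['HTTPS']` and `subprocess_env['SSL_CLIENT_S_DN_CN']` are indexed directly, so a missing variable raises KeyError instead of the intended Auth.AuthError (a lookup with a default would reach the error messages), and the 32-character login limit mentioned in the description is not enforced on the CN. The imports `os` and `Database` are unused.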

Attachment: ssl.py - SSL Patch (1.59 KB) admin admin, 06/18/2007 04:58 PM

History

#1 Updated by Yoann VANDOORSELAERE over 12 years ago

Thanks for this contribution! The patch looks good; the only drawback is that it requires the use of the mod_python backend. Could you add the necessary interface to Request.py (and then to the mod_python and CGI implementations), so that the module will work independently of the backend?

Thanks again!

#2 Updated by Yoann VANDOORSELAERE over 10 years ago

  • Project changed from PRELUDE SIEM to Prewikka
  • Category deleted (5)

#3 Updated by Jean-Charles ROGEZ about 6 years ago

  • Assignee deleted (Yoann VANDOORSELAERE)
  • Target version set to 122

#4 Updated by Jean-Charles ROGEZ about 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Jean-Charles ROGEZ

#5 Updated by Thomas ANDREJAK about 4 years ago

  • Target version changed from 122 to Prelude OSS 3.0.0

#6 Updated by Thomas ANDREJAK over 3 years ago

  • Target version changed from Prelude OSS 3.0.0 to Prelude OSS 3.1.0

#7 Updated by Thomas ANDREJAK about 3 years ago

  • Status changed from Assigned to New
  • Assignee deleted (Jean-Charles ROGEZ)
  • Target version deleted (Prelude OSS 3.1.0)

Patch has to be updated
