authentication.py - Authentication Classes

Authentication

This module contains Gate One's authentication classes. They map to Gate One's --auth configuration option like so:

--auth=none NullAuthHandler
--auth=kerberos KerberosAuthHandler
--auth=google GoogleAuthHandler
--auth=pam PAMAuthHandler
--auth=api APIAuthHandler

Note

API authentication is handled inside of Gate One

None or Anonymous

By default Gate One will not authenticate users. This means that user sessions will be tied to their browser cookie and users will not be able to resume their sessions from another computer/browser. Most useful for situations where session persistence and logging aren't important.

All users will show up as ANONYMOUS using this authentication type.

Kerberos

Kerberos authentication utilizes GSSAPI for Single Sign-on (SSO) but will fall back to HTTP Basic authentication if GSSAPI auth fails. This authentication type can be integrated into any Kerberos infrastructure including Windows Active Directory.

It is great for both transparent authentication and being able to tie sessions and logs to specific users within your organization (compliance).

Note

The sso.py module itself has extensive documentation on this authentication type.

Google Authentication

If you want persistent user sessions but don't care to run your own authentication infrastructure this authentication type is for you. Assuming, of course, that your Gate One server and clients will have access to the Internet.

Note

This authentication type is perfect if you're using Chromebooks (Chrome OS devices).

API Authentication

API-based authentication is actually handled in gateone.py but we still need something to exist at the /auth URL that will always return the 'unauthenticated' response. This ensures that no one can authenticate themselves by visiting that URL manually.

Docstrings

gateone.auth.authentication.additional_attributes(user, settings_dir=None)[source]

Given a user dict, return a dict containing any additional attributes defined in Gate One's attribute repositories.

Note

This function doesn't actually work yet (support for attribute repos like LDAP is forthcoming).

class gateone.auth.authentication.BaseAuthHandler(application, request, **kwargs)[source]

The base class for all Gate One authentication handlers.

get_current_user()[source]

Tornado standard method--implemented our way.

user_login(user)[source]

Called immediately after a user authenticates successfully. Saves session information in the user's directory. Expects user to be a dict containing a 'upn' value representing the username or userPrincipalName. e.g. 'user@REALM' or just 'someuser'. Any additional values will be attached to the user object/cookie.

user_logout(user, redirect=None)[source]

Called immediately after a user logs out, cleans up the user's session information and optionally, redirects them to redirect (URL).

class gateone.auth.authentication.NullAuthHandler(application, request, **kwargs)[source]

A handler for when no authentication method is chosen (i.e. --auth=none). With this handler all users will show up as "ANONYMOUS".

get(*args, **kwargs)[source]

Sets the 'gateone_user' cookie with a new random session ID (go_session) and sets go_upn to 'ANONYMOUS'.

user_login(user)[source]

This is an override of BaseAuthHandler since anonymous auth is special. Generates a unique session ID for this user and saves it in a browser cookie. This is to ensure that anonymous users can't access each other's sessions.

class gateone.auth.authentication.APIAuthHandler(application, request, **kwargs)[source]

A handler that always reports 'unauthenticated' since API-based auth doesn't use auth handlers.

get(*args, **kwargs)[source]

Deletes the 'gateone_user' cookie and handles some other situations for backwards compatibility.

class gateone.auth.authentication.GoogleAuthHandler(application, request, **kwargs)[source]

Google authentication handler using Tornado's built-in GoogleOAuth2Mixin (fairly boilerplate).

get(*args, **kwargs)[source]

Sets the 'user' cookie with an appropriate upn and session and any other values that might be attached to the user object given to us by Google.

_on_auth(user)[source]

Just a continuation of the get() method (the final step where it actually sets the cookie).

class gateone.auth.authentication.SSLAuthHandler(application, request, **kwargs)[source]

SSL Certificate-based authentication handler. Can only be used if the ca_certs option is set along with ssl_auth=required or ssl_auth=optional.

initialize()[source]

Print out helpful error messages if the requisite settings aren't configured.

_convert_certificate(cert)[source]

Converts the certificate format returned by get_ssl_certificate() into a format more suitable for a user dict.

get(*args, **kwargs)[source]

Sets the 'user' cookie with an appropriate upn and session and any other values that might be attached to the user's client SSL certificate.

class gateone.auth.authentication.KerberosAuthHandler(application, request, **kwargs)[source]

Handles authenticating users via Kerberos/GSSAPI/SSO.

get(*args, **kwargs)[source]

Checks the user's request header for the proper Authorization data. If it checks out the user will be logged in via _on_auth(). If not, the browser will be redirected to login.

class gateone.auth.authentication.PAMAuthHandler(application, request, **kwargs)[source]

Handles authenticating users via PAM.

get(*args, **kwargs)[source]

Checks the user's request header for the proper Authorization data. If it checks out the user will be logged in via _on_auth(). If not, the browser will be redirected to login.

class gateone.auth.authentication.CASAuthHandler(application, request, **kwargs)[source]

CAS authentication handler.

initialize()[source]

Print out helpful error messages if the requisite settings aren't configured.

NOTE: It won't hurt anything to override this method in your RequestHandler.

get(*args, **kwargs)[source]

Sets the 'user' cookie with an appropriate upn and session and any other values that might be attached to the user object given to us by Google.

authenticate_redirect(callback=None)[source]

Redirects to the authentication URL for this CAS service.

After authentication, the service will redirect back to the given callback URI with additional parameters.

We request the given attributes for the authenticated user by default (name, email, language, and username). If you don't need all those attributes for your app, you can request fewer with the ax_attrs keyword argument.

get_authenticated_user(server_ticket)[source]

Requests the user's information from the CAS server using the given server_ticket and calls self._on_auth with the resulting user dict.

_on_auth(response)[source]

Just a continuation of the get() method (the final step where it actually sets the cookie).