From c0c97365931f5ea1d14736e97abbc01a37c4cd53 Mon Sep 17 00:00:00 2001
From: Max Erenberg
Date: Sun, 6 Nov 2022 15:23:27 -0500
Subject: [PATCH] Use the admin creds in the HTTPClient when necessary (#85)

Currently, ceod uses the Kerberos credentials of the client when making requests to other services. This requires the client to send delegated credentials. Unfortunately the NPM krb5 package appears to be unable to perform delegation. So we will use the admin credentials instead (when appropriate).

Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/85
Reviewed-by: Raymond Li
Co-authored-by: Max Erenberg
Co-committed-by: Max Erenberg
---
 ceo_common/model/HTTPClient.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ceo_common/model/HTTPClient.py b/ceo_common/model/HTTPClient.py
index 1348a9f..cbf635b 100644
--- a/ceo_common/model/HTTPClient.py
+++ b/ceo_common/model/HTTPClient.py
@@ -6,7 +6,7 @@ from requests_gssapi import HTTPSPNEGOAuth
 from zope import component
 from zope.interface import implementer

-from ceo_common.interfaces import IConfig, IHTTPClient
+from ceo_common.interfaces import IConfig, IHTTPClient, IKerberosService


 @implementer(IHTTPClient)
@@ -40,10 +40,18 @@ class HTTPClient:
 'opportunistic_auth': True,
 'target_name': gssapi.Name('ceod/' + host),
 }
- if flask.has_request_context() and 'client_token' in g:
+ if flask.has_request_context():
 # This is reached when we are the server and the client has
 # forwarded their credentials to us.
- spnego_kwargs['creds'] = gssapi.Credentials(token=g.client_token)
+ token = None
+ if g.get('need_admin_creds', False):
+ # Some Kerberos bindings in some programming languages can't
+ # perform delegation, so use the admin creds here.
+ token = component.getUtility(IKerberosService).get_admin_creds_token()
+ elif 'client_token' in g:
+ token = g.client_token
+ if token is not None:
+ spnego_kwargs['creds'] = gssapi.Credentials(token=token)
 elif delegate:
 # This is reached when we are the client and we want to
 # forward our credentials to the server.
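Review bot: The widened outer condition `if flask.has_request_context():` now captures the case where a request context exists but neither `need_admin_creds` nor `client_token` is set, which previously fell through to `elif delegate:`; a server-side call made with `delegate=True` in that situation no longer forwards ceod's own credentials, and the commit does not say whether that is intended. If it is not, keep the fall-through by guarding the outer branch as `if flask.has_request_context() and (g.get('need_admin_creds', False) or 'client_token' in g):`, and otherwise state the new behaviour in the existing comment. The admin-token path also means the downstream service sees the admin principal rather than the original caller, so whatever sets `g.need_admin_creds` (outside this hunk) is the only place the caller is authorized; a comment at the `if g.get('need_admin_creds', False):` line such as `# The caller must already have been authorized before need_admin_creds is set; the downstream service only sees the admin identity.` would make that contract explicit, and logging the original client identity when the substitution happens would keep the action attributable. The enclosing method begins before this hunk.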