Add config option 'http_auth_convert_realm_to_lowercase'

schlatterbeck · schlatterbeck · commit a63c1a4ede4e · 2020-01-13T09:36:40.000+01:00
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -40,6 +40,16 @@ Features:
   (current 4.4.1). The pull request has been around for a
   while. (Patch: Paul Spooren; templates merged by Christof Meerwald;
   other merged by John Rouillard)
+- Add config option 'http_auth_convert_realm_to_lowercase'
+  If usernames consist of a name and a domain/realm part of the form
+  user@realm and we're using REMOTE_USER for authentication (e.g. via
+  Kerberos), convert the realm part of the incoming REMOTE_USER to
+  lowercase before matching against the roundup username. This allows
+  roundup usernames to be lowercase (including the realm) and still
+  follow the Kerberos convention of using an uppercase realm. In
+  addition this is compatible with Active Directory which stores the
+  username with realm as UserPrincipalName in lowercase.
+
 
 Fixed:
 
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1001,10 +1001,14 @@ def determine_user(self):
 
         user = None
         # first up, try http authorization if enabled
-        if self.instance.config['WEB_HTTP_AUTH']:
+        cfg = self.instance.config
+        if cfg.WEB_HTTP_AUTH:
             if 'REMOTE_USER' in self.env:
                 # we have external auth (e.g. by Apache)
                 user = self.env['REMOTE_USER']
+                if cfg.WEB_HTTP_AUTH_CONVERT_REALM_TO_LOWERCASE and '@' in user:
+                    u, d = user.split ('@', 1)
+                    user = '@'.join ((u, d.lower()))
             elif self.env.get('HTTP_AUTHORIZATION', ''):
                 # try handling Basic Auth ourselves
                 auth = self.env['HTTP_AUTHORIZATION']
diff --git a/roundup/configuration.py b/roundup/configuration.py
@@ -828,6 +828,17 @@ def str2value(self, value):
             "variables supplied by your web server (in that order).\n"
             "Set this option to 'no' if you do not wish to use HTTP Basic\n"
             "Authentication in your web interface."),
+        (BooleanOption, 'http_auth_convert_realm_to_lowercase', "no",
+            "If usernames consist of a name and a domain/realm part of\n"
+            "the form user@realm and we're using REMOTE_USER for\n"
+            "authentication (e.g. via Kerberos), convert the realm part\n"
+            "of the incoming REMOTE_USER to lowercase before matching\n"
+            "against the roundup username. This allows roundup usernames\n"
+            "to be lowercase (including the realm) and still follow the\n"
+            "Kerberos convention of using an uppercase realm. In\n"
+            "addition this is compatible with Active Directory which\n"
+            "stores the username with realm as UserPrincipalName in\n"
+            "lowercase."),
         (IntegerNumberGeqZeroOption, 'login_attempts_min', "3",
             "Limit login attempts per user per minute to this number.\n"
             "By default the 4th login attempt in a minute will notify\n"
