auth.py - Authentication Classes

Authentication

This module contains Gate One's authentication classes. They map to Gate One's --auth configuration option like so:

--auth=none	NullAuthHandler
--auth=kerberos	KerberosAuthHandler
--auth=google	GoogleAuthHandler
--auth=pam	PAMAuthHandler

Note

API authentication is handled inside of Gate One

None or Anonymous

By default Gate One will not authenticate users. This means that user sessions will be tied to their browser cookie and users will not be able to resume their sessions from another computer/browser. Most useful for situations where session persistence and logging aren't important.

All users will show up as ANONYMOUS using this authentication type.

Kerberos

Kerberos authentication utilizes GSSAPI for Single Sign-on (SSO) but will fall back to HTTP Basic authentication if GSSAPI auth fails. This authentication type can be integrated into any Kerberos infrastructure including Windows Active Directory.

It is great for both transparent authentication and being able to tie sessions and logs to specific users within your organization (compliance).

Note

The sso.py module itself has extensive documentation on this authentication type.

Google Authentication

If you want persistent user sessions but don't care to run your own authentication infrastructure this authentication type is for you. Assuming, of course, that your Gate One server and clients will have access to the Internet.

Note

This authentication type is perfect if you're using Chromebooks (Chrome OS devices).

Docstrings

class auth.BaseAuthHandler(application, request, **kwargs)

The base class for all Gate One authentication handlers.

get_current_user()

Tornado standard method--implemented our way.

user_login(user)

Called immediately after a user authenticates successfully. Saves session information in the user's directory. Expects user to be a string containing the username or userPrincipalName. e.g. 'user@REALM' or just 'someuser'.

user_logout(user, redirect=None)

Called immediately after a user logs out, cleans up the user's session information and optionally, redirects them to redirect (URL).

class auth.NullAuthHandler(application, request, **kwargs)

A handler for when no authentication method is chosen (i.e. --auth=none). With this handler all users will show up as "ANONYMOUS".

get(*args, **kwargs)

Sets the 'user' cookie with a new random session ID (go_session) and sets go_upn to 'ANONYMOUS'.

user_login(user)

This is an override of BaseAuthHandler since anonymous auth is special. Generates a unique session ID for this user and saves it in a browser cookie. This is to ensure that anonymous users can't access each other's sessions.

class auth.GoogleAuthHandler(application, request, **kwargs)

Google authentication handler using Tornado's built-in GoogleMixin (fairly boilerplate).

get(*args, **kwargs)

Sets the 'user' cookie with an appropriate upn and session.

_on_auth(user)

Just a continuation of the get() method (the final step where it actually sets the cookie).

class auth.KerberosAuthHandler(application, request, **kwargs)

Handles authenticating users via Kerberos/GSSAPI/SSO.

get(*args, **kwargs)

Checks the user's request header for the proper Authorization data. If it checks out the user will be logged in via _on_auth(). If not, the browser will be redirected to login.

class auth.PAMAuthHandler(application, request, **kwargs)

Handles authenticating users via PAM.

get(*args, **kwargs)

Checks the user's request header for the proper Authorization data. If it checks out the user will be logged in via _on_auth(). If not, the browser will be redirected to login.