auth.py - Authentication Classes

Authentication

This module contains Gate One's authentication classes. They map to Gate One's --auth configuration option like so:

--auth=none	NullAuthHandler
--auth=kerberos	KerberosAuthHandler
--auth=google	GoogleAuthHandler

None or Anonymous

By default Gate One will not authenticate users. This means that user sessions will be tied to their browser cookie and users will not be able to resume their sessions from another computer/browser. Most useful for situations where session persistence and logging aren't important.

All users will show up as %anonymous using this authentication type.

Note

The % is there to avoid name conflicts.

Kerberos

Kerberos authentication utilizes GSSAPI for Single Sign-on (SSO) but will fall back to HTTP Basic authentication if GSSAPI auth fails. This authentication type can be integrated into any Kerberos infrastructure including Windows Active Directory.

It is great for both transparent authentication and being able to tie sessions and logs to specific users within your organization (compliance).

Note

The sso.py module itself has extensive documentation on this authentication type.

Google Authentication

If you want persistent user sessions but don't care to run your own authentication infrastructure this authentication type is for you. Assuming, of course, that your Gate One server and clients will have access to the Internet.

Note

This authentication type is perfect if you're using Chromebooks (Chrome OS devices).

Docstrings

class auth.BaseAuthHandler(application, request, **kwargs)

The base class for all Gate One authentication handlers.

get_current_user()

Tornado standard method--implemented our way.

user_login(user)

Called immediately after a user authenticates successfully. Saves session information in the user's directory. Expects user to be a string containing the username or userPrincipalName. e.g. 'user@REALM' or just 'someuser'.

user_logout(user)

Called immediately after a user logs out. Doesn't actually do anything. Just potential future use at this point.

class auth.NullAuthHandler(application, request, **kwargs)

A handler for when no authentication method is chosen (i.e. --auth=none).

get()

Sets the 'user' cookie with a new random session ID (go_session) and sets go_upn to '%anonymous'.

class auth.GoogleAuthHandler(application, request, **kwargs)

Google authentication handler.

get(*args, **kwargs)

Sets the 'user' cookie with an appropriate go_upn and go_session.

class auth.KerberosAuthHandler(application, request, **kwargs)

Handles authenticating users via Kerberos/GSSAPI/SSO.

get()

Checks the user's request header for the proper Authorization data. If it checks out the user will be logged in via _on_auth(). If not, the browser will be redirected to login.