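def verify_kdc_cert_validity(kdc_cert, ca_certs, realm):
    """Check that *kdc_cert* is acceptable as a PKINIT KDC certificate for *realm*.

    Three independent checks are made; each raises ``ValueError`` on failure:

    1. ``openssl verify`` must accept the certificate against the CA bundle
       built from *ca_certs* (chain building, signatures and validity period
       are delegated to OpenSSL).
    2. The certificate must carry an Extended Key Usage extension that
       includes the PKINIT KDC OID (``x509.EKU_PKINIT_KDC``).
    3. The Subject Alternative Name must contain a ``KRB5PrincipalName``
       othername equal to ``krbtgt/REALM@REALM`` for *realm*.

    :param kdc_cert: candidate KDC certificate (a ``cryptography`` x509
        certificate object exposing the project's ``san_general_names``)
    :param ca_certs: trust anchors, written to a temporary PEM bundle
    :param realm: Kerberos realm the KDC must serve
    :raises ValueError: if any check fails; for the OpenSSL check the
        message is the captured OpenSSL output
    """
    # OpenSSL needs both certificates on disk; the temporary files exist
    # only for the duration of this block and are removed on exit.
    with NamedTemporaryFile() as kdc_file, NamedTemporaryFile() as ca_file:
        kdc_file.write(kdc_cert.public_bytes(x509.Encoding.PEM))
        kdc_file.flush()
        x509.write_certificate_list(ca_certs, ca_file.name)
        ca_file.flush()

        # Argument list, no shell: the file names are passed verbatim.
        try:
            ipautil.run(
                [paths.OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name],
                capture_output=True)
        except ipautil.CalledProcessError as e:
            raise ValueError(e.output) from e

    # The remaining checks only inspect the parsed certificate, so the
    # temporary files are no longer needed.
    pkinit_kdc_oid = cryptography.x509.ObjectIdentifier(x509.EKU_PKINIT_KDC)
    try:
        eku = kdc_cert.extensions.get_extension_for_class(
            cryptography.x509.ExtendedKeyUsage)
    except cryptography.x509.ExtensionNotFound as e:
        raise ValueError("invalid for a KDC") from e
    # ExtendedKeyUsage iterates over its OIDs; a membership test replaces
    # the list(...).index(...) / ValueError round trip.
    if pkinit_kdc_oid not in eku.value:
        raise ValueError("invalid for a KDC")

    principal = str(Principal(['krbtgt', realm], realm))
    general_names = x509.process_othernames(kdc_cert.san_general_names)
    if not any(isinstance(gn, x509.KRB5PrincipalName) and gn.name == principal
               for gn in general_names):
        raise ValueError("invalid for realm %s" % realm)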
def test_principals(valid_principal):
    """Parse a valid principal string and compare every expected attribute.

    *valid_principal* is a ``(principal_string, expected_attrs)`` pair; each
    key of *expected_attrs* is read back from the parsed ``Principal`` and
    the object must also round-trip to the original string.
    """
    text, expected_attrs = valid_principal
    parsed = Principal(text)

    for attr in expected_attrs:
        assert getattr(parsed, attr) == expected_attrs[attr]

    # str()-style round trip back to the input string.
    assert unicode(parsed) == text
def test_principals(valid_principal):
    """Parse a valid principal string and check attributes, str() and repr().

    *valid_principal* is a ``(principal_string, expected_attrs)`` pair; each
    key of *expected_attrs* is read back from the parsed ``Principal``, the
    object must round-trip to the original string, and its ``repr`` must be
    the canonical ``ipapython.kerberos.Principal('...')`` form.
    """
    text, expected_attrs = valid_principal
    parsed = Principal(text)

    for attr in expected_attrs:
        assert getattr(parsed, attr) == expected_attrs[attr]

    assert unicode(parsed) == text
    expected_repr = "ipapython.kerberos.Principal('{}')".format(text)
    assert repr(parsed) == expected_repr
def test_principal_properties(principal_properties):
    """Check every ``is_*`` flag of a parsed principal against the fixture.

    *principal_properties* is a ``(principal_string, data)`` pair where
    ``data['property_true']`` lists the ``is_*`` attributes expected to be
    truthy (all others must be falsy) and ``data['property_raises']`` lists
    attributes whose access must raise ``ValueError``.
    """
    text, data = principal_properties
    parsed = Principal(text)
    expected_true = data['property_true']

    # Every attribute named is_* is treated as a boolean flag.
    flag_names = [attr for attr in dir(parsed) if attr.startswith('is_')]
    for flag in flag_names:
        assert bool(getattr(parsed, flag)) == (flag in expected_true)

    for attr in data['property_raises']:
        with pytest.raises(ValueError):
            getattr(parsed, attr)
def _create_kerberos_principals(ldap, pkey, entry_attrs, failed):
    """
    Create 'krbprincipalname' and 'krbcanonicalname' attributes for an
    incoming user entry, or record a failure if a user with that principal
    name already exists.

    Only `krbprincipalname` is searched: the canonical principal name is
    assumed to always be among the values of `krbprincipalname`. Both
    attributes are set to the default value generated from uid and realm.

    :param ldap: LDAP connection providing ``find_entry_by_attr``
    :param pkey: uid of the migrated user, also the key used in *failed*
    :param entry_attrs: attribute dict of the entry being created (mutated)
    :param failed: dict of pkey -> failure message (mutated on conflict or
        when the search hits a size/time limit)

    Note: the migration does not currently preserve principal aliases
    """
    princ = Principal((pkey, ), realm=api.env.realm)
    try:
        ldap.find_entry_by_attr(
            'krbprincipalname', princ, 'krbprincipalaux', [''],
            DN(api.env.container_user, api.env.basedn))
    except errors.NotFound:
        # No existing user claims this principal: safe to assign both.
        entry_attrs['krbprincipalname'] = princ
        entry_attrs['krbcanonicalname'] = princ
        return
    except errors.LimitsExceeded:
        message_template = _krb_failed_msg
    else:
        # The search returned an entry, so the principal is already taken.
        message_template = _krb_err_msg
    failed[pkey] = unicode(message_template % unicode(princ))