def __init__(self, service, conn_info): """ @param service: a string containing the service principal in the form 'type@fqdn' (e.g. '*****@*****.**'). """ # ZEN-15434 Lazy import. import causes segmentation fault because of # differing versions of the kerberos.so file. Only import here global kerberos if not kerberos: import kerberos self._service = service self._conn_info = conn_info self._username = conn_info.username self._password = conn_info.password self._dcip = conn_info.dcip gssflags = kerberos.GSS_C_CONF_FLAG | kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG | kerberos.GSS_C_INTEG_FLAG os.environ['KRB5CCNAME'] = ccname(conn_info.username) if conn_info.trusted_realm and conn_info.trusted_kdc: add_trusted_realm(conn_info.trusted_realm, conn_info.trusted_kdc) if hasattr(kerberos, 'authGSSClientWrapIov'): result_code, self._context = kerberos.authGSSClientInit(service, gssflags=gssflags) else: result_code, self._context = kerberos.authGSSClientInit(service) if result_code != kerberos.AUTH_GSS_COMPLETE: raise Exception('kerberos authGSSClientInit failed')
def __init__(self, service, conn_info): """ @param service: a string containing the service principal in the form 'type@fqdn' (e.g. '*****@*****.**'). """ # ZEN-15434 Lazy import. import causes segmentation fault because of # differing versions of the kerberos.so file. Only import here global kerberos if not kerberos: import kerberos self._service = service self._conn_info = conn_info self._username = conn_info.username self._password = conn_info.password self._realm = conn_info.username.split('@')[1].upper() self._dcip = conn_info.dcip self._include_dir = conn_info.include_dir gssflags = kerberos.GSS_C_CONF_FLAG | kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG | kerberos.GSS_C_INTEG_FLAG os.environ['KRB5CCNAME'] = ccname(conn_info.username) if conn_info.trusted_realm and conn_info.trusted_kdc: add_trusted_realm(conn_info.trusted_realm, conn_info.trusted_kdc) if hasattr(kerberos, 'authGSSClientWrapIov'): result_code, self._context = kerberos.authGSSClientInit(service, gssflags=gssflags) else: result_code, self._context = kerberos.authGSSClientInit(service) if result_code != kerberos.AUTH_GSS_COMPLETE: raise Exception('kerberos authGSSClientInit failed')
def __init__(self, conn, creds=None): if creds: domain, user, password = split_credentials(creds) (self.result, self.context) = kerberos.authGSSClientInit("cifs/" + conn.server, gssmech=2, user=user, password=password, domain=domain) else: (self.result, self.context) = kerberos.authGSSClientInit("cifs/" + conn.server, gssmech=1)
def __init__(self, conn, creds=None): if creds: domain, user, password = split_credentials(creds) (self.result, self.context) = kerberos.authGSSClientInit( "cifs/" + conn.server, gssmech=2, user=user, password=password, domain=domain) else: (self.result, self.context) = kerberos.authGSSClientInit("cifs/" + conn.server, gssmech=1)
def _login(self, context_url, username, password): # use kerberos login, should be remove for security consideration if not username and not password: host = urlparse(context_url).hostname result, kbr_ctx = kerberos.authGSSClientInit('HTTP@%s' % host) if result < 1: raise OperationError("Kerberos login not support!") kerberos.authGSSClientStep(kbr_ctx, '') cret = 'Negotiate %s' % kerberos.authGSSClientResponse(kbr_ctx) step_auth_url = context_url if step_auth_url[-1] != '/': step_auth_url += '/' step_auth_url += 'step-auth-gss' res = self.session.get(step_auth_url, headers={ 'Authorization': cret, }) else: # prepare some cookies self.session.get(context_url) res = self.session.get(context_url, params={'os_authType': 'basic'}, auth=(username, password)) if not res.ok or not res.headers.get('X-AUSERNAME', None): # TODO delete me print res.text, res.headers raise PermissionDenied("Failed to login")
def gssapi_login(self, user): # Try GSSAPI login first # Used FTP response codes: # 235 [ADAT=base64data] - indicates that the security data exchange # completed successfully. # 334 [ADAT=base64data] - indicates that the requested security # mechanism is ok, and includes security data to be used by the # client to construct the next command. # 335 [ADAT=base64data] - indicates that the security data is # acceptable, and more is required to complete the security # data exchange. resp = self.sendcmd('AUTH GSSAPI') if resp.startswith('334 '): rc, self.vc = kerberos.authGSSClientInit("ftp@%s" % self.host) if kerberos.authGSSClientStep(self.vc, "") != 1: while resp[:4] in ('334 ', '335 '): authdata = kerberos.authGSSClientResponse(self.vc) resp = self.sendcmd('ADAT ' + authdata) if resp[:9] in ('235 ADAT=', '335 ADAT='): rc = kerberos.authGSSClientStep(self.vc, resp[9:]) if not ((resp.startswith('235 ') and rc == 1) or (resp.startswith('335 ') and rc == 0)): raise ftplib.error_reply, resp note( gettext("Authenticated as %s") % kerberos.authGSSClientUserName(self.vc)) # Monkey patch ftplib self.putcmd = self.mic_putcmd self.getline = self.mic_getline self.sendcmd('USER ' + user) return resp mutter("Unable to use GSSAPI authentication: %s", resp)
def get_kerberos_authorization(self): import kerberos _, ctx = kerberos.authGSSClientInit("HTTP@%s" % self.conn.host) kerberos.authGSSClientStep(ctx, "") tgt = kerberos.authGSSClientResponse(ctx) return "Negotiate %s" % tgt
def thresholdCheck(service,alert_msg,thresholdTypes=[]): endpoint=config_grabber(service+"-svc-config")["endpoint"] principal=config_grabber(service+"-svc-config")["principal"] __, krb_context = kerberos.authGSSClientInit(principal) kerberos.authGSSClientStep(krb_context, "") negotiate_details = kerberos.authGSSClientResponse(krb_context) headers = {"Authorization": "Negotiate " + negotiate_details} res = requests.get(endpoint, headers=headers, verify=False) data = json.loads(res.text) df=pd.DataFrame.from_records(data['beans']) sub = '';flag = 0 for thresholdType in thresholdTypes: for key in literal_eval(config_grabber(service)[thresholdType]): for prio in literal_eval(config_grabber('root')['priority']): if (service+"|"+key) in config_grabber(prio).keys(): value=config_grabber(prio)[service+"|"+key] new_val=df.loc[0][key] #if(apply_operator(value,thresholdType,df.loc[0][key])) if(thresholdType in ['ne','eq']): res = apply_operator(value,thresholdType,str(new_val).strip()) elif(thresholdType == 'lt'): res = True if float(value) < float(new_val) else False; elif(thresholdType == 'gt'): res = True if float(new_val) > float(value) else False if(res): print(float(df.loc[0][key]),thresholdType,float(value)) alert_msg += '<tr class="'+prio+'"> <td> '+key+' </td><td> '+value+' </td><td> '+str(df.loc[0][key])+' </td></tr>' if flag == 0: sub = "ALERT "+prio+": "+service+" ";flag=1 else :alert_msg += '<tr> <td> '+key+' </td><td> '+value+' </td><td> '+str(df.loc[0][key])+' </td></tr>' return (sub,alert_msg)
def get(self, path): """ Perform a GET request with Kerberos authentication """ # Prepare Kerberos ticket granting ticket """ _, ctx = kerberos.authGSSClientInit( 'HTTP@{0}'.format(self.url.netloc)) kerberos.authGSSClientStep(ctx, "") tgt = kerberos.authGSSClientResponse(ctx) # Make the connection connection = httplib.HTTPSConnection(self.url.netloc, 443) log.debug("GET {0}".format(path)) connection.putrequest("GET", path) connection.putheader("Authorization", "Negotiate {0}".format(tgt)) connection.putheader("Referer", self.url_string) connection.endheaders() # Perform the request, convert response into lines response = connection.getresponse() if response.status != 200: raise ReportError( "Failed to fetch tickets: {0}".format(response.status)) lines = response.read().decode("utf8").strip().split("\n")[1:] log.debug("Tickets fetched:") log.debug(pretty(lines)) return lines
def start(self, properties): self.username = properties["username"] self.authzid = properties.get("authzid") _unused, self._gss = kerberos.authGSSClientInit(self.authzid or "{0}@{1}".format("xmpp", properties["service-hostname"])) self.step = 0 return self.challenge(b"")
def setup(self, name): authzid = self.credentials["authzid"] if not authzid: authzid = "xmpp@%s" % self.credentials["service-name"] _, self.gss = kerberos.authGSSClientInit(authzid) self.step = 0
def __init__(self, service): __, krb_context = kerberos.authGSSClientInit(service) kerberos.authGSSClientStep(krb_context, "") self._krb_context = krb_context self.auth_header = ( "Negotiate " + kerberos.authGSSClientResponse(krb_context) )
def __init__(self, service): """Init self.""" __, krb_context = kerberos.authGSSClientInit(service) kerberos.authGSSClientStep(krb_context, "") self._krb_context = krb_context self.auth_header = ("Negotiate " + kerberos.authGSSClientResponse(krb_context))
def _krb_auth_header(self): retcode = subprocess.Popen( ["klist"], stdout=subprocess.PIPE, stderr=subprocess.PIPE ).wait() krb5ccname = None if retcode or self.ktfile: old_krb5ccname = os.environ.get("KRB5CCNAME", "") _, krb5ccname = tempfile.mkstemp(prefix="krb5cc") retcode = subprocess.Popen( ["kinit", self.krb_princ, "-k", "-t", self.ktfile, "-c", krb5ccname], stdout=subprocess.PIPE, stderr=subprocess.PIPE, ).wait() try: if krb5ccname: os.environ["KRB5CCNAME"] = krb5ccname __, krb_context = kerberos.authGSSClientInit("HTTP@%s" % self.service) kerberos.authGSSClientStep(krb_context, "") self._krb_context = krb_context auth_header = "Negotiate " + kerberos.authGSSClientResponse(krb_context) finally: if krb5ccname: os.environ["KRB5CCNAME"] = old_krb5ccname os.unlink(krb5ccname) return auth_header
def __request_authenticate(self, method, url, body, extra_hdrs): self.__probe_mechanisms() try: result, gssctx = kerberos.authGSSClientInit(self.__spn, principal=self.__upn) except kerberos.GSSError as ex: raise Krb5Error('%s (%s)' % (ex[0][0], ex[1][0])) response = None blob = '' while True: try: result, blob = self.__challenge(gssctx, blob) except Krb5Error as ex: kerberos.authGSSClientClean(gssctx) raise ex if result: self.__upn = kerberos.authGSSClientUserName(gssctx) break self.close() extra_hdrs['Authorization'] = 'Negotiate %s' % (blob, ) response = davlib.DAV._request(self, method, url, body, extra_hdrs) self.__store_cookies(response) authstr = response.getheader('www-authenticate') (mech, blob) = authstr.split(' ') persistauth = response.getheader('persistent-auth') self.__persistauth = persistauth == 'true' kerberos.authGSSClientClean(gssctx) return response
def _get_krb5_ap_req(service, server): """Returns the AP_REQ Kerberos 5 ticket for a given service.""" import kerberos, base64 try: status_code, context = kerberos.authGSSClientInit('moira@%s' % server) kerberos.authGSSClientStep(context, "") token_gssapi = base64.b64decode( kerberos.authGSSClientResponse(context)) # The following code "parses" GSSAPI token as described in RFC 2743 and RFC 4121. # "Parsing" in this context means throwing out the GSSAPI header correctly # while doing some very basic validation of its contents. # # This code is here because Python's interface provides only GSSAPI interface, # and Moira does not use GSSAPI. # (FIXTHEM: it should) # # FIXME: this probably should either parse tokens properly or use another # Kerberos bindings for Python. # Note that krb5 bindings are even more horrible. body_start = token_gssapi.find( chr(0x01) + chr(0x00)) # 01 00 indicates that this is AP_REQ if token_gssapi[0] != chr(0x60) or \ not (token_gssapi[2] == chr(0x06) or token_gssapi[4] == chr(0x06)) or \ body_start == -1 or body_start < 8 or body_start > 64: raise ConnectionError( "Invalid GSSAPI token provided by Python's Kerberos API") body = token_gssapi[body_start + 2:] return body except kerberos.GSSError as err: raise AuthenticationError("Kerberos authentication error: %s" % err[1][0])
def __enter__(self): '''Initialize the GSS context.''' rc,ctx = kerberos.authGSSClientInit(self.service) if (rc != AUTH_GSS_CONTINUE and rc != AUTH_GSS_COMPLETE): raise Exception("Bad GSSAPI return code: {}".format(rc)) self.context = ctx return self
def generate_request_header(self, req, headers, neg_value): self.retried += 1 log.debug("retry count: %d" % self.retried) host = req.get_host() log.debug("req.get_host() returned %s" % host) tail, sep, head = host.rpartition(':') domain = tail if tail else head result, self.context = k.authGSSClientInit("HTTP@%s" % domain) if result < 1: log.warning("authGSSClientInit returned result %d" % result) return None log.debug("authGSSClientInit() succeeded") result = k.authGSSClientStep(self.context, neg_value) if result < 0: log.warning("authGSSClientStep returned result %d" % result) return None log.debug("authGSSClientStep() succeeded") response = k.authGSSClientResponse(self.context) log.debug("authGSSClientResponse() succeeded") return "Negotiate %s" % response
def setup(self, name): authzid = self.credentials['authzid'] if not authzid: authzid = 'xmpp@%s' % self.credentials['service-name'] _, self.gss = kerberos.authGSSClientInit(authzid) self.step = 0
def _get_krb5_ap_req(service, server): """Returns the AP_REQ Kerberos 5 ticket for a given service.""" import kerberos, base64 try: status_code, context = kerberos.authGSSClientInit( 'moira@%s' % server ) kerberos.authGSSClientStep(context, "") token_gssapi = base64.b64decode( kerberos.authGSSClientResponse(context) ) # The following code "parses" GSSAPI token as described in RFC 2743 and RFC 4121. # "Parsing" in this context means throwing out the GSSAPI header correctly # while doing some very basic validation of its contents. # # This code is here because Python's interface provides only GSSAPI interface, # and Moira does not use GSSAPI. # (FIXTHEM: it should) # # FIXME: this probably should either parse tokens properly or use another # Kerberos bindings for Python. # Note that krb5 bindings are even more horrible. body_start = token_gssapi.find( chr(0x01) + chr(0x00) ) # 01 00 indicates that this is AP_REQ if token_gssapi[0] != chr(0x60) or \ not (token_gssapi[2] == chr(0x06) or token_gssapi[4] == chr(0x06)) or \ body_start == -1 or body_start < 8 or body_start > 64: raise ConnectionError("Invalid GSSAPI token provided by Python's Kerberos API") body = token_gssapi[body_start + 2:] return body except kerberos.GSSError as err: raise AuthenticationError("Kerberos authentication error: %s" % err[1][0])
def tcp_client(opts, conn): ctx = krbV.default_context() if opts.ccache: ccache = krbV.CCache(name='FILE:' + opts.ccache, context=ctx) else: ccache = ctx.default_ccache() cprinc = ccache.principal() sprinc = krbV.Principal(name=opts.principal, context=ctx) tgt = krbV.Principal('krbtgt/%s@%s' % (sprinc.realm, sprinc.realm), context=ctx) try: creds = (cprinc, tgt, (0, None), (0,0,0,0), None, None, None, None, None, None) tcreds = ccache.get_credentials(creds, krbV.KRB5_GC_CACHED) creds = (cprinc, sprinc, (0, None), (0,0,0,0), None, None, None, None, tcreds[7], None) screds = ccache.get_credentials(creds, krbV.KRB5_GC_USER_USER) ac = krbV.AuthContext(context=ctx) ac, bc = ctx.mk_req(sprinc, 'None', krbV.AP_OPTS_MUTUAL_REQUIRED, cprinc, ccache, ac, screds) pdb.set_trace() _ignore, vc = kerberos.authGSSClientInit('*****@*****.**') kerberos.authGSSClientStep(vc, "") #_ignore = kerberos.authGSSClientStep(ctx, bc) #tgt = kerberos.authGSSClientResponse(ctx) headers = {'Authorization': 'Negotiate %s' % kerberos.authGSSClientResponse(vc) } servername, port = ('localhost', 80) h = httplib.HTTPConnection(servername, port) h.request('GET', "", "", headers) response = h.getresponse() print 'Successfully authenticated via tcp to service: %s' % sprinc.name except krbV.Krb5Error, e: return e
def http_error_401(self, req, fp, code, msg, headers): try: if self._retried > 5: raise urllib2.HTTPError(req.get_full_url(), 401, "negotiate auth failed", headers, None) self._retried += 1 logging.debug('gssapi handler, try %s' % self._retried) negotiate = get_negociate_value(headers) if negotiate is None: logging.debug('no negociate found in a www-authenticate header') return None logging.debug('HTTPGssapiAuthHandler: negotiate 1 is %r' % negotiate) result, self._context = krb.authGSSClientInit("HTTP@%s" % req.get_host()) if result < 1: raise GssapiAuthError("HTTPGssapiAuthHandler: init failed with %d" % result) result = krb.authGSSClientStep(self._context, negotiate) if result < 0: raise GssapiAuthError("HTTPGssapiAuthHandler: step 1 failed with %d" % result) client_response = krb.authGSSClientResponse(self._context) logging.debug('HTTPGssapiAuthHandler: client response is %s...' % client_response[:10]) req.add_unredirected_header('Authorization', "Negotiate %s" % client_response) server_response = self.parent.open(req) negotiate = get_negociate_value(server_response.info()) if negotiate is None: logging.warning('HTTPGssapiAuthHandler: failed to authenticate server') else: logging.debug('HTTPGssapiAuthHandler negotiate 2: %s' % negotiate) result = krb.authGSSClientStep(self._context, negotiate) if result < 1: raise GssapiAuthError("HTTPGssapiAuthHandler: step 2 failed with %d" % result) return server_response except GssapiAuthError, exc: logging.error(repr(exc))
def __gssauth(self, response): data = base64.b64encode(response) try: if self.gss_step == self.GSS_STATE_STEP: if not self.gss_vc: rc, self.gss_vc = kerberos.authGSSClientInit('imap@' + self.hostname) response = kerberos.authGSSClientResponse(self.gss_vc) rc = kerberos.authGSSClientStep(self.gss_vc, data) if rc != kerberos.AUTH_GSS_CONTINUE: self.gss_step = self.GSS_STATE_WRAP elif self.gss_step == self.GSS_STATE_WRAP: rc = kerberos.authGSSClientUnwrap(self.gss_vc, data) response = kerberos.authGSSClientResponse(self.gss_vc) rc = kerberos.authGSSClientWrap(self.gss_vc, response, self.username) response = kerberos.authGSSClientResponse(self.gss_vc) except kerberos.GSSError as err: # Kerberos errored out on us, respond with None to cancel the # authentication self.ui.debug('imap', '%s: %s' % (err[0][0], err[1][0])) return None if not response: response = '' return base64.b64decode(response)
def gssapi_login(self, user): # Try GSSAPI login first # Used FTP response codes: # 235 [ADAT=base64data] - indicates that the security data exchange # completed successfully. # 334 [ADAT=base64data] - indicates that the requested security # mechanism is ok, and includes security data to be used by the # client to construct the next command. # 335 [ADAT=base64data] - indicates that the security data is # acceptable, and more is required to complete the security # data exchange. resp = self.sendcmd('AUTH GSSAPI') if resp.startswith('334 '): rc, self.vc = kerberos.authGSSClientInit("ftp@%s" % self.host) if kerberos.authGSSClientStep(self.vc, "") != 1: while resp[:4] in ('334 ', '335 '): authdata = kerberos.authGSSClientResponse(self.vc) resp = self.sendcmd('ADAT ' + authdata) if resp[:9] in ('235 ADAT=', '335 ADAT='): rc = kerberos.authGSSClientStep(self.vc, resp[9:]) if not ((resp.startswith('235 ') and rc == 1) or (resp.startswith('335 ') and rc == 0)): raise ftplib.error_reply, resp note(gettext("Authenticated as %s") % kerberos.authGSSClientUserName(self.vc)) # Monkey patch ftplib self.putcmd = self.mic_putcmd self.getline = self.mic_getline self.sendcmd('USER ' + user) return resp mutter("Unable to use GSSAPI authentication: %s", resp)
def __init__(self, endpoint, auth=None, capath=True): logger.debug("Initializing service (endpoint: %s, auth: %s", endpoint, auth) self._endpoint = endpoint if auth == 'kerberos': # This step has been extended to work around issue #942 in the # kerberos library where the default principal cannot be # derived without raising an error. An explicit principal has # to be provided. # # This is ignored if PyKerberos is used. from urllib.parse import urlparse import kerberos if 'authGSSClientInquireCred' in dir(kerberos): parse = urlparse(endpoint) kerb_spn = "{0}@{1}".format("HTTP", parse.netloc) _, krb_context = kerberos.authGSSClientInit(kerb_spn) kerberos.authGSSClientInquireCred(krb_context) principal = kerberos.authGSSClientUserName(krb_context) # kerberos.authGSSClientClean(krb_context) auth = HTTPKerberosAuth(principal=principal) else: auth = HTTPKerberosAuth() self._auth = auth self._capath = capath
def generate_request_header(self, req, headers, neg_value): self.retried += 1 LOG.debug("retry count: %d" % self.retried) host = req.get_host() LOG.debug("req.get_host() returned %s" % host) # We need Python 2.4 compatibility #tail, sep, head = host.rpartition(':') #domain = tail or head host_parts = host.rsplit(':', 1) domain = host_parts[0] result, self.context = k.authGSSClientInit("HTTP@%s" % domain) if result < 1: LOG.warning("authGSSClientInit returned result %d" % result) return None LOG.debug("authGSSClientInit() succeeded") result = k.authGSSClientStep(self.context, neg_value) if result < 0: LOG.warning("authGSSClientStep returned result %d" % result) return None LOG.debug("authGSSClientStep() succeeded") response = k.authGSSClientResponse(self.context) LOG.debug("authGSSClientResponse() succeeded") return "Negotiate %s" % response
def __gssauth(self, response): data = base64.b64encode(response) try: if self.gss_step == self.GSS_STATE_STEP: if not self.gss_vc: rc, self.gss_vc = kerberos.authGSSClientInit( 'imap@' + self.hostname) response = kerberos.authGSSClientResponse(self.gss_vc) rc = kerberos.authGSSClientStep(self.gss_vc, data) if rc != kerberos.AUTH_GSS_CONTINUE: self.gss_step = self.GSS_STATE_WRAP elif self.gss_step == self.GSS_STATE_WRAP: rc = kerberos.authGSSClientUnwrap(self.gss_vc, data) response = kerberos.authGSSClientResponse(self.gss_vc) rc = kerberos.authGSSClientWrap( self.gss_vc, response, self.username) response = kerberos.authGSSClientResponse(self.gss_vc) except kerberos.GSSError as err: # Kerberos errored out on us, respond with None to cancel the # authentication self.ui.debug('imap', '%s: %s'% (err[0][0], err[1][0])) return None if not response: response = '' return base64.b64decode(response)
def krb_authenticate(es_client: EsClient, service=None, username=None, name=None): _logger.debug(f'Connection with Kerberos: {service}') if service is None: raise PeekError('Service is required for kerberos authentication') import kerberos result, context = kerberos.authGSSClientInit(service, principal=username) kerberos.authGSSClientStep(context, '') ticket = kerberos.authGSSClientResponse(context) _logger.debug(f'Kerberos ticket: {ticket}') auth_response = es_client.perform_request( 'POST', '/_security/oauth2/token', json.dumps({ 'grant_type': '_kerberos', 'kerberos_ticket': ticket, }), deserialize_it=True) _logger.debug(f'Kerberos Token auth response: {auth_response}') return RefreshingEsClient( es_client, '_KRB', auth_response['access_token'], auth_response['refresh_token'], auth_response['expires_in'], name=name)
def generate_request_header(self, req, headers, neg_value): self.retried += 1 log.debug("retry count: %d" % self.retried) host = req.get_host() log.debug("req.get_host() returned %s" % host) domain = host.rsplit(':', 1)[0] #result, self.context = k.authGSSClientInit("HTTP@%s" % domain) result, self.context = k.authGSSClientInit("HTTP@%s" % "hadoop") if result < 1: log.warning("authGSSClientInit returned result %d" % result) return None log.debug("authGSSClientInit() succeeded") result = k.authGSSClientStep(self.context, neg_value) if result < 0: log.warning("authGSSClientStep returned result %d" % result) return None log.debug("authGSSClientStep() succeeded") response = k.authGSSClientResponse(self.context) log.debug("authGSSClientResponse() succeeded") return "Negotiate %s" % response
def _kerberos_client_request(self, host, handler, errcode, errmsg, headers): """Kerberos auth - create a client request string""" # check if "Negotiate" challenge is present in headers negotiate = [ i.lower() for i in headers.get("WWW-Authenticate", "").split(", ") ] if "negotiate" not in negotiate: # negotiate not supported, raise 401 error raise xmlrpclib.ProtocolError(host + handler, errcode, errmsg, headers) # initialize GSSAPI service = "HTTP@%s" % host rc, vc = kerberos.authGSSClientInit(service) if rc != 1: errmsg = "KERBEROS: Could not initialize GSSAPI" raise xmlrpclib.ProtocolError(host + handler, errcode, errmsg, headers) # do a client step rc = kerberos.authGSSClientStep(vc, "") if rc != 0: errmsg = "KERBEROS: Client step failed" raise xmlrpclib.ProtocolError(host + handler, errcode, errmsg, headers) return vc, kerberos.authGSSClientResponse(vc)
def generate_request_header(self, req, headers): neg_value = self.negotiate_value(headers) if neg_value is None: self.retried = 0 return None if self.retried > 5: raise urllib2.HTTPError(req.get_full_url(), 401, "negotiate auth failed", headers, None) self.retried += 1 result, self.context = kerberos.authGSSClientInit( self.service_principal) if result < 1: return None result = kerberos.authGSSClientStep(self.context, neg_value) if result < 0: return None response = kerberos.authGSSClientResponse(self.context) return "Negotiate %s" % response
def authenticate(self): gss_flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG _ignore, context = kerberos.authGSSClientInit('HTTP@' + self.hostname, gssflags=gss_flags) _ignore = kerberos.authGSSClientStep(context, '') response = kerberos.authGSSClientResponse(context) return response
def get_kerberos_auth_handler(jenkinsurl): """ Get a handler which enabled authentication over GSSAPI :param jenkinsurl: jenkins base url, str :return: a list of handlers """ jenkinsnetloc = urlparse(jenkinsurl).netloc assert type( jenkinsnetloc ) == str, "Jenkins network location should be a string, got %s" % repr( jenkinsnetloc) _ignore, ctx = krb.authGSSClientInit('HTTP@%s' % jenkinsnetloc, gssflags=krb.GSS_C_DELEG_FLAG | krb.GSS_C_MUTUAL_FLAG | krb.GSS_C_SEQUENCE_FLAG) rc = krb.authGSSClientStep(ctx, '') if rc != krb.AUTH_GSS_CONTINUE: return [] tgt = krb.authGSSClientResponse(ctx) if not tgt: return [] krb_handler = KerberosAuthHandler(tgt) return [krb_handler]
def _create_kerberos_session(self, kerberos_service): __, krb_context = kerb.authGSSClientInit(kerberos_service) kerb.authGSSClientStep(krb_context, "") auth_header = ("Negotiate " + kerb.authGSSClientResponse(krb_context)) self._update_header("Authorization", auth_header) response = self._session.get(self.url, verify=self.verify_ssl) response.raise_for_status()
def generate_request_header(self, response, host, is_preemptive=False): """ Generates the GSSAPI authentication token with kerberos. If any GSSAPI step fails, raise KerberosExchangeError with failure detail. """ # Flags used by kerberos module. gssflags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG if self.delegate: gssflags |= kerberos.GSS_C_DELEG_FLAG try: kerb_stage = "authGSSClientInit()" # contexts still need to be stored by host, but hostname_override # allows use of an arbitrary hostname for the kerberos exchange # (eg, in cases of aliased hosts, internal vs external, CNAMEs # w/ name-based HTTP hosting) kerb_host = self.hostname_override if self.hostname_override is not None else host kerb_spn = "{0}@{1}".format(self.service, kerb_host) result, self.context[host] = kerberos.authGSSClientInit(kerb_spn, gssflags=gssflags, principal=self.principal) if result < 1: raise EnvironmentError(result, kerb_stage) # if we have a previous response from the server, use it to continue # the auth process, otherwise use an empty value negotiate_resp_value = '' if is_preemptive else _negotiate_value(response) kerb_stage = "authGSSClientStep()" result = kerberos.authGSSClientStep(self.context[host], negotiate_resp_value) if result < 0: raise EnvironmentError(result, kerb_stage) kerb_stage = "authGSSClientResponse()" gss_response = kerberos.authGSSClientResponse(self.context[host]) return "Negotiate {0}".format(gss_response) except kerberos.GSSError as error: log.exception( "generate_request_header(): {0} failed:".format(kerb_stage)) log.exception(error) raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args))) except EnvironmentError as error: # ensure we raised this for translation to KerberosExchangeError # by comparing errno to result, re-raise if not if error.errno != result: raise message = "{0} failed, result: {1}".format(kerb_stage, result) log.error("generate_request_header(): {0}".format(message)) raise KerberosExchangeError(message)
def testHTTP(host, port, use_ssl, service): class HTTPSConnection_SSLv3(httplib.HTTPSConnection): "This class allows communication via SSL." def connect(self): "Connect to a host on a given (SSL) port." sock = socket.create_connection((self.host, self.port), self.timeout) self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3) def sendRequest(host, port, ssl, method, uri, headers): response = None if use_ssl: http = HTTPSConnection_SSLv3(host, port) else: http = httplib.HTTPConnection(host, port) try: http.request(method, uri, "", headers) response = http.getresponse() finally: http.close() return response # Initial request without auth header uri = "/principals/" response = sendRequest(host, port, use_ssl, "OPTIONS", uri, {}) if response is None: print "Initial HTTP request to server failed" return if response.status != 401: print "Initial HTTP request did not result in a 401 response" return hdrs = response.msg.getheaders("www-authenticate") if (hdrs is None) or (len(hdrs) == 0): print "No www-authenticate header in initial HTTP response." for hdr in hdrs: hdr = hdr.strip() splits = hdr.split(' ', 1) if (len(splits) != 1) or (splits[0].lower() != "negotiate"): continue else: break else: print "No www-authenticate header with negotiate in initial HTTP response." return try: rc, vc = kerberos.authGSSClientInit(service=service) except kerberos.GSSError, e: print "Could not initialize GSSAPI: %s/%s" % (e[0][0], e[1][0]) return
def start(self, username, authzid): self.username = username self.authzid = authzid rc, self._gss = kerberos.authGSSClientInit( authzid or "%s@%s" % ("xmpp", self.password_manager.get_serv_host())) self.step = 0 return self.challenge("")
def __init__(self, service): ignored_code, krb_context = kerberos.authGSSClientInit(service) kerberos.authGSSClientStep(krb_context, "") # TODO authGSSClientStep may raise following error: # GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189)) self._krb_context = krb_context gss_response = kerberos.authGSSClientResponse(krb_context) self.auth_header = "Negotiate {0}".format(gss_response)
def start(self, username, authzid): self.username = username self.authzid = authzid _unused, self._gss = kerberos.authGSSClientInit( authzid or "{0}@{1}".format("xmpp", self.password_manager.get_serv_host())) self.step = 0 return self.challenge("")
def __init__(self, service): ignored_code, krb_context = kerberos.authGSSClientInit(service) kerberos.authGSSClientStep(krb_context, '') # TODO authGSSClientStep may raise following error: #GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189)) self._krb_context = krb_context gss_response = kerberos.authGSSClientResponse(krb_context) self.auth_header = 'Negotiate {0}'.format(gss_response)
def __init__(self, sasl, principal=None, **props): Mechanism.__init__(self, sasl) self.user = None self._have_negotiated_details = False self.host = self.sasl.host self.service = self.sasl.service self.principal = principal self._fetch_properties('host', 'service') krb_service = '@'.join((self.service, self.host)) try: _, self.context = kerberos.authGSSClientInit(service=krb_service, principal=self.principal) except TypeError: if self.principal is not None: raise Exception("Error: kerberos library does not support principal.") _, self.context = kerberos.authGSSClientInit(service=krb_service)
def start(self, username, authzid): self.username = username self.authzid = authzid _unused, self._gss = kerberos.authGSSClientInit(authzid or "{0}@{1}".format("xmpp", self.password_manager.get_serv_host())) self.step = 0 return self.challenge("")
def get_auth_header(self): if self.ctx: raise RuntimeError("Context has already been initialized") __, self.ctx = kerberos.authGSSClientInit(self.service, principal=self.principal) kerberos.authGSSClientStep(self.ctx, "") token = kerberos.authGSSClientResponse(self.ctx) return {"Authorization": "Negotiate " + token}
def set_kerberos_auth(self): _, ctx = kerberos.authGSSClientInit("HTTP@" + self.host, gssflags=kerberos.GSS_C_DELEG_FLAG|kerberos.GSS_C_MUTUAL_FLAG|kerberos.GSS_C_SEQUENCE_FLAG) kerberos.authGSSClientStep(ctx, '') self.__tgt = kerberos.authGSSClientResponse(ctx) if self.__tgt: self.headers['Authorization'] = 'Negotiate %s' % self.__tgt else: raise RuntimeError(_("Couldn't authenticate via kerberos"))
def _negotiate_get_svctk(self, spn, authdata): if authdata is None: return None result, self.context = kerberos.authGSSClientInit(spn) if result < kerberos.AUTH_GSS_COMPLETE: return None result = kerberos.authGSSClientStep(self.context, authdata) if result < kerberos.AUTH_GSS_CONTINUE: return None response = kerberos.authGSSClientResponse(self.context) return "Negotiate %s" % response
def _call(self, fun, *args): if self._function_is_sessioned(fun): args = [self._get_session()] + list(args) if fun.endswith("_dig") and self._argcount(fun) == 3: if isinstance(args[1], str) or isinstance(args[1], unicode): args[1] = self._parse_digstr(args[1]) if len(args) == 2: args.append({'_': True}) elif isinstance(args[2], str) or isinstance(args[2], unicode): args[2] = self._parse_digstr(args[2]) if fun == "session_auth_kerberos": try: import kerberos except: raise ValueError( "No kerberos module installed - cannot perform kerberos authentication" ) (_res, ctx) = kerberos.authGSSClientInit("HTTP@" + self._host) kerberos.authGSSClientStep(ctx, "") token = kerberos.authGSSClientResponse(ctx) # print >>sys.stderr, "TOKEN=",token args.append(token) # Perform call, measuring passed time. start_time = time.time() rawret = self._rawcall(fun, *args) self._time = time.time() - start_time if "result" in rawret: # Call succeeded. ret = rawret["result"] # Save auth and session data from known calls. if fun == 'session_auth_login': self._auth = args[1] elif fun == 'session_deauth': self._auth = None elif fun.startswith('session_start'): self._session_id = ret if self._attrdicts: ret = self._convert_to_attrdicts(ret) return ret else: # Call returned an error err = rawret['error'] if self._attrdicts: err = self._convert_to_attrdicts(err) _errname = err['name'] raise error_object(err, self._pyexceptions)
def testHTTP(host, port, use_ssl, service): class HTTPSConnection_SSLv3(httplib.HTTPSConnection): "This class allows communication via SSL." def connect(self): "Connect to a host on a given (SSL) port." sock = socket.create_connection((self.host, self.port), self.timeout) self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3) def sendRequest(host, port, ssl, method, uri, headers): response = None if use_ssl: http = HTTPSConnection_SSLv3(host, port) else: http = httplib.HTTPConnection(host, port) try: http.request(method, uri, "", headers) response = http.getresponse() finally: http.close() return response # Initial request without auth header uri = "/principals/" response = sendRequest(host, port, use_ssl, "OPTIONS", uri, {}) if response is None: print "Initial HTTP request to server failed" return if response.status != 401: print "Initial HTTP request did not result in a 401 response" return hdrs = response.msg.getheaders("www-authenticate") if (hdrs is None) or (len(hdrs) == 0): print "No www-authenticate header in initial HTTP response." for hdr in hdrs: hdr = hdr.strip() splits = hdr.split(' ', 1) if (len(splits) != 1) or (splits[0].lower() != "negotiate"): continue else: break else: print "No www-authenticate header with negotiate in initial HTTP response." return try: rc, vc = kerberos.authGSSClientInit(service=service); except kerberos.GSSError, e: print "Could not initialize GSSAPI: %s/%s" % (e[0][0], e[1][0]) return
def _krb_response(self, host, krb_val): logger.debug("INSIDE _krb_response") _dummy, self.krb_context = kerberos.authGSSClientInit("HTTP@%s" % host) kerberos.authGSSClientStep(self.krb_context, krb_val) response = kerberos.authGSSClientResponse(self.krb_context) logger.debug("kerb auth successful") return response
def negotiate_auth(): #_, krb_context = kerberos.authGSSClientInit("HTTP@hadoop") #ipdb.set_trace() _, krb_context = kerberos.authGSSClientInit("HTTP@hadoop") kerberos.authGSSClientStep(krb_context, "") negotiate_details = kerberos.authGSSClientResponse(krb_context) headers = {"Authorization": "Negotiate" + negotiate_details} resp = requests.get("http://lg-hadoop-control01.bj:21201/webhdfs/v1/?op=liststatus", headers = headers) print resp.status_code print resp.content
def _call(self, fun, *args): if self._function_is_sessioned(fun): args = [self._get_session()] + list(args) if fun.endswith("_dig") and self._argcount(fun) == 3: if isinstance(args[1], str) or isinstance(args[1], unicode): args[1] = self._parse_digstr(args[1]) if len(args) == 2: args.append({'_': True}) elif isinstance(args[2], str) or isinstance(args[2], unicode): args[2] = self._parse_digstr(args[2]) if fun == "session_auth_kerberos": try: import kerberos except: raise ValueError("No kerberos module installed - cannot perform kerberos authentication") (_res, ctx) = kerberos.authGSSClientInit("HTTP@" + self._host) kerberos.authGSSClientStep(ctx, "") token = kerberos.authGSSClientResponse(ctx) # print >>sys.stderr, "TOKEN=",token args.append(token) # Perform call, measuring passed time. start_time = time.time() rawret = self._rawcall(fun, *args) self._time = time.time() - start_time if "result" in rawret: # Call succeeded. ret = rawret["result"] # Save auth and session data from known calls. if fun == 'session_auth_login': self._auth = args[1] elif fun == 'session_deauth': self._auth = None elif fun.startswith('session_start'): self._session_id = ret if self._attrdicts: ret = self._convert_to_attrdicts(ret) return ret else: # Call returned an error err = rawret['error'] if self._attrdicts: err = self._convert_to_attrdicts(err) _errname = err['name'] raise error_object(err, self._pyexceptions)
def set_headers(self, headers): ctx = kerberos.authGSSClientInit("HTTP@" + self.__host, \ gssflags=kerberos.GSS_C_DELEG_FLAG|kerberos.GSS_C_MUTUAL_FLAG|kerberos.GSS_C_SEQUENCE_FLAG)[1] kerberos.authGSSClientStep(ctx, '') tgt = kerberos.authGSSClientResponse(ctx) if tgt: headers['Authorization'] = 'Negotiate %s' % tgt return headers else: raise RuntimeError(_("Couldn't authenticate via kerberos"))
def _authenticate_request(self, response, **kwargs): res, ctx = kerberos.authGSSClientInit(self._service_principal, mech_oid=self._mech_oid) kerberos.authGSSClientStep(ctx, "") token = kerberos.authGSSClientResponse(ctx) response.request.headers['Authorization'] = "Negotiate " + token response.content # NOQA - to drain the stream response.raw.release_conn() authenticated_response = response.connection.send(response.request, **kwargs) authenticated_response.history.append(response) return authenticated_response
def get_host_info(self, host): host, extra_headers, x509 = xmlrpclib.Transport.get_host_info(self, host) # Set the remote host principal h = host hostinfo = h.split(":") service = "HTTP@" + hostinfo[0] try: rc, vc = kerberos.authGSSClientInit(service) except kerberos.GSSError, e: raise kerberos.GSSError(e)