def verify_kdc_cert_validity(kdc_cert, ca_certs, realm):
    """Check that ``kdc_cert`` is acceptable as a PKINIT KDC certificate.

    Three checks are made, in order, each raising ``ValueError`` on failure:

    1. the certificate chains to ``ca_certs`` according to ``openssl verify``
       (the OpenSSL output becomes the error message);
    2. the certificate carries the PKINIT KDC extended key usage
       (``x509.EKU_PKINIT_KDC``);
    3. its subjectAltName holds a KRB5PrincipalName otherName whose name is
       exactly the string form of ``Principal(['krbtgt', realm], realm)``
       (presumably ``krbtgt/<realm>@<realm>``).

    Both PEM inputs go to ``NamedTemporaryFile`` objects, so they are removed
    when the ``with`` block exits, including on the error paths.

    NOTE(review): only ``-CAfile`` is passed to ``openssl verify``; whether
    OpenSSL additionally consults its default trust locations for this
    invocation depends on the OpenSSL version/build (``-no-CApath`` and
    ``-no-CAfile`` exist to disable that where supported). Confirm that a
    certificate chaining to a system-trusted CA that is not in ``ca_certs``
    is rejected here.
    """
    with NamedTemporaryFile() as kdc_file, NamedTemporaryFile() as ca_file:
        kdc_file.write(kdc_cert.public_bytes(x509.Encoding.PEM))
        kdc_file.flush()
        # The CA bundle is written by path, not through this handle.
        x509.write_certificate_list(ca_certs, ca_file.name)
        ca_file.flush()

        # Chain check only: no -purpose is given, so key usage is not left to
        # OpenSSL; the PKINIT KDC EKU is checked explicitly below.
        try:
            ipautil.run([
                paths.OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name
            ], capture_output=True)
        except ipautil.CalledProcessError as e:
            raise ValueError(e.output)

        try:
            eku = kdc_cert.extensions.get_extension_for_class(
                cryptography.x509.ExtendedKeyUsage)
            # .index() raises ValueError when the OID is absent; that and a
            # missing EKU extension are reported with the same error.
            list(eku.value).index(
                cryptography.x509.ObjectIdentifier(x509.EKU_PKINIT_KDC))
        except (cryptography.x509.ExtensionNotFound, ValueError):
            raise ValueError("invalid for a KDC")

        # Exact, case-sensitive string comparison against the realm's TGS
        # principal; any other KRB5PrincipalName values are ignored.
        principal = str(Principal(['krbtgt', realm], realm))
        gns = x509.process_othernames(kdc_cert.san_general_names)
        for gn in gns:
            if isinstance(gn, x509.KRB5PrincipalName) and gn.name == principal:
                break
        else:
            raise ValueError("invalid for realm %s" % realm)
def test_principals(valid_principal):
    """Parse a known-good principal string and compare its attributes.

    ``valid_principal`` is a (principal_string, expected_attrs) pair. Each
    key of ``expected_attrs`` is read back from the parsed ``Principal`` and
    must equal the expected value; the text form must round-trip unchanged.
    """
    raw, expected = valid_principal
    parsed = Principal(raw)
    for attr, want in expected.items():
        got = getattr(parsed, attr)
        assert got == want
    assert unicode(parsed) == raw
def test_principals(valid_principal):
    """Parse a known-good principal string and compare its attributes.

    ``valid_principal`` is a (principal_string, expected_attrs) pair. Each
    key of ``expected_attrs`` is read back from the parsed ``Principal`` and
    must equal the expected value; both the text form and ``repr()`` must
    reproduce the original string.
    """
    raw, expected = valid_principal
    parsed = Principal(raw)
    for attr, want in expected.items():
        got = getattr(parsed, attr)
        assert got == want
    assert unicode(parsed) == raw
    expected_repr = "ipapython.kerberos.Principal('{}')".format(raw)
    assert repr(parsed) == expected_repr
def test_principal_properties(principal_properties):
    """Check the ``is_*`` predicates and the properties that must raise.

    ``principal_properties`` is a (principal_string, data) pair where
    ``data['property_true']`` lists the ``is_*`` attributes expected to be
    truthy (every other ``is_*`` attribute must be falsy) and
    ``data['property_raises']`` lists attributes whose access must raise
    ``ValueError``.
    """
    raw, data = principal_properties
    parsed = Principal(raw)
    expected_true = data['property_true']
    for attr_name in dir(parsed):
        if not attr_name.startswith('is_'):
            continue
        value = getattr(parsed, attr_name)
        if attr_name in expected_true:
            assert value
        else:
            assert not value
    for raising_attr in data['property_raises']:
        with pytest.raises(ValueError):
            getattr(parsed, raising_attr)
def _create_kerberos_principals(ldap, pkey, entry_attrs, failed):
    """
    Populate the Kerberos principal attributes of a user being migrated.

    The default principal built from ``pkey`` and ``api.env.realm`` is looked
    up by ``krbprincipalname`` under the user container. Only when nothing
    matches are ``krbprincipalname`` and ``krbcanonicalname`` both set on
    ``entry_attrs`` to that principal; otherwise the user is recorded in
    ``failed`` (keyed by ``pkey``) with the name-clash message, or with the
    search-limit message when the lookup hit a server limit.

    The lookup deliberately does not search ``krbcanonicalname``: it relies
    on the canonical principal always being among the ``krbprincipalname``
    values of an entry.

    NOTE(review): the lookup and the later add are separate operations, so a
    principal created between them is not detected here; presumably the
    directory's own uniqueness enforcement is the backstop — confirm.

    Note: the migration does not currently preserve principal aliases
    """
    default_principal = Principal((pkey, ), realm=api.env.realm)
    user_container = DN(api.env.container_user, api.env.basedn)
    try:
        ldap.find_entry_by_attr('krbprincipalname', default_principal,
                                'krbprincipalaux', [''], user_container)
    except errors.NotFound:
        # Name is free: both attributes get the same default principal.
        for attr_name in ('krbprincipalname', 'krbcanonicalname'):
            entry_attrs[attr_name] = default_principal
    except errors.LimitsExceeded:
        failed[pkey] = unicode(_krb_failed_msg % unicode(default_principal))
    else:
        failed[pkey] = unicode(_krb_err_msg % unicode(default_principal))