def testCCacheFileBadFormat(self):
os.system('echo > %s' % config.user_ccache_file)
context = krbV.default_context()
ccache = krbV.CCache(config.user_ccache_file, context=context)
principal = krbV.Principal(config.service_principal, context=context)
result = is_initialize_ccache_necessary(context, ccache, principal)
self.assert_(result)
if config.run_under_user_principal:
context = krbV.default_context()
ccache = krbV.CCache(config.user_ccache_file, context=context)
principal = krbV.Principal(config.user_principal, context=context)
result = is_initialize_ccache_necessary(context, ccache, principal)
self.assert_(result)
def testCCacheFileNotFound(self):
os.system('kdestroy -c %s 2>/dev/null' % config.user_ccache_file)
context = krbV.default_context()
ccache = krbV.CCache(config.user_ccache_file, context=context)
principal = krbV.Principal(config.service_principal, context=context)
result = is_initialize_ccache_necessary(context, ccache, principal)
self.assert_(result)
if config.run_under_user_principal:
context = krbV.default_context()
ccache = krbV.CCache(config.user_ccache_file, context=context)
principal = krbV.Principal(config.user_principal, context=context)
result = is_initialize_ccache_necessary(context, ccache, principal)
self.assert_(result)
def testInitCCacheIsUnnecessary(self):
if config.run_under_user_principal:
init_user_ccache()
context = krbV.default_context()
ccache = krbV.CCache(config.user_ccache_file, context=context)
principal = krbV.Principal(config.user_principal, context=context)
result = is_initialize_ccache_necessary(context, ccache, principal)
self.assertFalse(result)
init_ccache_using_keytab()
context = krbV.default_context()
ccache = krbV.CCache(config.user_ccache_file, context=context)
principal = krbV.Principal(config.service_principal, context=context)
result = is_initialize_ccache_necessary(context, ccache, principal)
self.assertFalse(result)
def tcp_client(opts, conn):
ctx = krbV.default_context()
if opts.ccache:
ccache = krbV.CCache(name='FILE:' + opts.ccache, context=ctx)
else:
ccache = ctx.default_ccache()
cprinc = ccache.principal()
sprinc = krbV.Principal(name=opts.principal, context=ctx)
ac = ctx.sendauth(conn,
'1.0',
options=krbV.AP_OPTS_MUTUAL_REQUIRED,
server=sprinc,
client=cprinc,
ccache=ccache,
data='authtest')
print 'Successfully authenticated via tcp to service: %s' % sprinc.name
ac.flags = krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE | krbV.KRB5_AUTH_CONTEXT_DO_TIME
ac.rcache = ctx.default_rcache()
ac.genaddrs(
conn, krbV.KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR
| krbV.KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)
enc_msg = ac.mk_priv(opts.message)
conn.send(enc_msg)
enc_resp = conn.recv(4096)
resp = ac.rd_priv(enc_resp)
if resp == opts.message:
print ' Exchanging encrypted messages succeeded'
conn.close()
def udp_client(opts, sock, addr):
ctx = krbV.default_context()
if opts.ccache:
ccache = krbV.CCache(name='FILE:' + opts.ccache, context=ctx)
else:
ccache = ctx.default_ccache()
cprinc = ccache.principal()
sprinc = krbV.Principal(name=opts.principal, context=ctx)
ac = krbV.AuthContext(context=ctx)
ac.flags = krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE | krbV.KRB5_AUTH_CONTEXT_DO_TIME
ac.rcache = ctx.default_rcache()
ac, req = ctx.mk_req(server=sprinc,
client=cprinc,
auth_context=ac,
ccache=ccache,
options=krbV.AP_OPTS_MUTUAL_REQUIRED)
sock.sendto(req, addr)
rep, saddr = sock.recvfrom(4096)
rep_tup = ctx.rd_rep(rep, auth_context=ac)
print 'Successfully authenticated via udp to service: %s' % sprinc.name
try:
addrinfo = socket.getaddrinfo(socket.gethostname(),
sock.getsockname()[1], opts.addr_family)
localaddr = addrinfo[0][4]
except socket.gaierror, e:
gai_error(opts, 'local', socket.gethostname(), e)
def get_sender():
global config, session, target
if session and target:
try:
return session.sender(target)
except:
logging.getLogger('koji.plugin.messagebus').warning('Error getting session, will retry', exc_info=True)
session = None
target = None
config = ConfigParser.SafeConfigParser()
config.read(CONFIG_FILE)
if not config.has_option('broker', 'timeout'):
config.set('broker', 'timeout', '60')
if not config.has_option('broker', 'heartbeat'):
config.set('broker', 'heartbeat', '60')
if config.getboolean('broker', 'ssl'):
url = 'amqps://'
else:
url = 'amqp://'
auth = config.get('broker', 'auth')
if auth == 'PLAIN':
url += config.get('broker', 'username') + '/'
url += config.get('broker', 'password') + '@'
elif auth == 'GSSAPI':
ccname = 'MEMORY:messagebus'
os.environ['KRB5CCNAME'] = ccname
ctx = krbV.default_context()
ccache = krbV.CCache(name=ccname, context=ctx)
cprinc = krbV.Principal(name=config.get('broker', 'principal'), context=ctx)
ccache.init(principal=cprinc)
keytab = krbV.Keytab(name='FILE:' + config.get('broker', 'keytab'), context=ctx)
ccache.init_creds_keytab(principal=cprinc, keytab=keytab)
else:
raise PluginError('unsupported auth type: %s' % auth)
url += config.get('broker', 'host') + ':'
url += config.get('broker', 'port')
conn = Connection.establish(url,
sasl_mechanisms=config.get('broker', 'auth'),
transport='tls+timeout',
timeout=config.getfloat('broker', 'timeout'),
heartbeat=config.getint('broker', 'heartbeat'))
sess = conn.session()
tgt = """%s;
{ create: sender,
assert: always,
node: { type: topic,
durable: %s,
x-declare: { exchange: "%s",
type: %s } } }""" % \
(config.get('exchange', 'name'), config.getboolean('exchange', 'durable'),
config.get('exchange', 'name'), config.get('exchange', 'type'))
sender = sess.sender(tgt)
session = sess
target = tgt
return sender
def refresh_HTTP_credential_cache():
'''
Put service ticket into credential cache from service's keytab file.
Return the credential cache file name.
'''
import krbV, os
keytab_file = st.SERVICE_KEYTAB
principal_name = st.SERVICE_PRINCIPAL
# This is the credential cache file, according to the Kerberbos V5 standard
ccache_file = '/tmp/krb5cc_%d_%d' % (os.getuid(), os.getpid())
ctx = krbV.default_context()
princ = krbV.Principal(name=principal_name, context=ctx)
if keytab_file:
keytab = krbV.Keytab(name=keytab_file, context=ctx)
else:
# According the documentation of MIT Kerberos V5,
# default keytab file is /etc/krb5.keytab. It might be changed
# by modifying default_keytab_name in krb5.conf
keytab = ctx.default_keytab()
ccache = krbV.CCache(name=ccache_file, context=ctx)
ccache.init(princ)
ccache.init_creds_keytab(principal=princ, keytab=keytab)
return ccache_file
def kinit_keytab(principal, keytab, ccache_name, attempts=1):
"""
Given a ccache_path, keytab file and a principal kinit as that user.
The optional parameter 'attempts' specifies how many times the credential
initialization should be attempted in case of non-responsive KDC.
"""
errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE, krbV.KRB5_KDC_UNREACH}
root_logger.debug("Initializing principal %s using keytab %s" %
(principal, keytab))
root_logger.debug("using ccache %s" % ccache_name)
for attempt in range(1, attempts + 1):
try:
krbcontext = krbV.default_context()
ktab = krbV.Keytab(name=keytab, context=krbcontext)
princ = krbV.Principal(name=principal, context=krbcontext)
ccache = krbV.CCache(name=ccache_name,
context=krbcontext,
primary_principal=princ)
ccache.init(princ)
ccache.init_creds_keytab(keytab=ktab, principal=princ)
root_logger.debug("Attempt %d/%d: success" % (attempt, attempts))
return
except krbV.Krb5Error as e:
if e.args[0] not in errors_to_retry:
raise
root_logger.debug("Attempt %d/%d: failed: %s" %
(attempt, attempts, e))
if attempt == attempts:
root_logger.debug("Maximum number of attempts (%d) reached" %
attempts)
raise
root_logger.debug("Waiting 5 seconds before next retry")
time.sleep(5)
def __init__(self, ccache):
'''
:parameters:
ccache
The name of a Kerberos ccache used to hold Kerberos tickets.
:returns:
`KRB5_CCache` object encapsulting the ccache.
'''
log_mgr.get_logger(self, True)
self.context = None
self.scheme = None
self.name = None
self.ccache = None
self.principal = None
try:
self.context = krbV.default_context()
self.scheme, self.name = krb5_parse_ccache(ccache)
self.ccache = krbV.CCache(name=str(ccache), context=self.context)
self.principal = self.ccache.principal()
except krbV.Krb5Error, e:
error_code = e.args[0]
message = e.args[1]
if error_code == KRB5_FCC_NOFILE:
raise ValueError('"%s", ccache="%s"' % (message, ccache))
else:
raise e
def setUp(self):
self.context = krbV.default_context()
self.principal = krbV.Principal(config.service_principal,
context=self.context)
self.keytab = krbV.Keytab(config.user_keytab_file,
context=self.context)
self.ccache = krbV.CCache(config.user_ccache_file,
context=self.context)
def _login_krbv(self):
"""Login using kerberos credentials (uses python-krbV)."""
# read default values from settings
principal = self._conf.get("KRB_PRINCIPAL")
keytab = self._conf.get("KRB_KEYTAB")
service = self._conf.get("KRB_SERVICE")
realm = self._conf.get("KRB_REALM")
ccache = self._conf.get("KRB_CCACHE")
proxyuser = self._conf.get("KRB_PROXYUSER")
import krbV
ctx = krbV.default_context()
if ccache is not None:
ccache = krbV.CCache(name='FILE:' + ccache, context=ctx)
else:
ccache = ctx.default_ccache()
if principal is not None:
if keytab is not None:
cprinc = krbV.Principal(name=principal, context=ctx)
keytab = krbV.Keytab(name=keytab, context=ctx)
ccache.init(cprinc)
ccache.init_creds_keytab(principal=cprinc, keytab=keytab)
else:
raise ImproperlyConfigured(
"Cannot specify a principal without a keytab")
else:
# connect using existing credentials
cprinc = ccache.principal()
sprinc = krbV.Principal(name=self.get_server_principal(service=service,
realm=realm),
context=ctx)
ac = krbV.AuthContext(context=ctx)
ac.flags = krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE | krbV.KRB5_AUTH_CONTEXT_DO_TIME
ac.rcache = ctx.default_rcache()
# create and encode the authentication request
try:
ac, req = ctx.mk_req(server=sprinc,
client=cprinc,
auth_context=ac,
ccache=ccache,
options=krbV.AP_OPTS_MUTUAL_REQUIRED)
except krbV.Krb5Error as ex:
if getattr(ex, "err_code", None) == -1765328377:
ex.message += ". Make sure you correctly set KRB_REALM (current value: %s)." % realm
ex.args = (ex.err_code, ex.message)
raise ex
encode_func = base64.encodebytes if hasattr(
base64, "encodebytes") else base64.encodestring
req_enc = encode_func(req)
self._hub.auth.login_krbv(req_enc)
def testInitCCacheIsNecessary(self):
''' Sleep several seconds after initializing credentials cache so that
it expires.
'''
if config.run_under_user_principal:
init_user_ccache(lifetime='3s')
time.sleep(5)
context = krbV.default_context()
ccache = krbV.CCache(config.user_ccache_file, context=context)
principal = krbV.Principal(config.user_principal, context=context)
result = is_initialize_ccache_necessary(context, ccache, principal)
self.assert_(result)
init_ccache_using_keytab(lifetime='3s')
time.sleep(5)
context = krbV.default_context()
ccache = krbV.CCache(config.user_ccache_file, context=context)
principal = krbV.Principal(config.service_principal, context=context)
result = is_initialize_ccache_necessary(context, ccache, principal)
self.assert_(result)
def __init__(self,principal,keytab,ccache_file=None):
self.context = krbV.default_context()
self.principal = krbV.Principal(name=principal, context=self.context)
self.keytab = krbV.Keytab(name=keytab, context=self.context)
self.ccache_file = ccache_file
if ccache_file:
self.ccache_file = ccache_file
self.ccache = krbV.CCache(name="FILE:" + self.ccache_file, context=self.context, primary_principal=self.principal)
else:
self.ccache = self.context.default_ccache(primary_principal=self.principal)
self.ccache.init(self.principal)
self.ccache.init_creds_keytab(keytab=self.keytab,principal=self.principal)
def __init__(self,
app,
cache_file=None,
primary_principal=None,
keytab=None):
self.context = krbV.default_context()
self.primary_principal = primary_principal
self.keytab = keytab
if not keytab:
self.keytab = app.config.get('auth.keytab')
if self.keytab and not isinstance(self.keytab, krbV.Keytab):
self.keytab = krbV.Keytab(name=self.keytab, context=self.context)
if not self.primary_principal:
self.primary_principal = app.config.get('auth.principal')
if not self.primary_principal:
self.primary_principal = None
if self.primary_principal and not isinstance(self.primary_principal,
krbV.Principal):
self.primary_principal = krbV.Principal(
name=self.primary_principal, context=self.context)
if self.primary_principal:
if cache_file:
self.ccache = krbV.CCache(
name="FILE:" + cache_file,
context=self.context,
primary_principal=self.primary_principal)
else:
self.ccache = self.context.default_ccache(
primary_principal=self.primary_principal)
else:
if cache_file:
self.ccache = krbV.CCache(name="FILE:" + cache_file,
context=self.context)
else:
self.ccache = self.context.default_ccache()
self.primary_principal = self.ccache.principal()
if self.keytab: self.reinit()
self.local_rsa_info = None
self.rsa_info = {}
def __init__(self, cache_file=None, primary_principal=None, keytab=None):
self.context = krbV.default_context()
self.primary_principal = primary_principal
self.keytab = keytab
if self.keytab and not isinstance(self.keytab, krbV.Keytab):
self.keytab = krbV.Keytab(name=self.keytab, context=self.context)
if not self.primary_principal and not cache_file:
raise ValueError('No cache file nor primary principal')
if self.primary_principal and not isinstance(self.primary_principal, krbV.Principal):
self.primary_principal = krbV.Principal(name=self.primary_principal, context=self.context)
if self.primary_principal:
if cache_file:
self.ccache = krbV.CCache(name="FILE:"+cache_file, context=self.context,
primary_principal=self.primary_principal)
else:
self.ccache = self.context.default_ccache(primary_principal=self.primary_principal)
else:
if cache_file:
self.ccache = krbV.CCache(name="FILE:"+cache_file, context=self.context)
else:
self.ccache = self.context.default_ccache()
self.primary_principal = self.ccache.principal()
if self.keytab: self.reinit()
def clean_kwargs(context, kwargs):
''' Clean argument to related object
In the case of using Key table, principal is required. keytab_file is
optional, and default key table file /etc/krb5.keytab is used if
keytab_file is not provided.
In the case of initing as a regular user, principal is optional, and
current user's effective name is used if principal is not provided.
By default, initialize credentials cache for regular user.
'''
cleaned_kwargs = {}
using_keytab = kwargs.get('using_keytab', False)
if using_keytab:
# Principal is required when using key table to initialize
# credential cache.
principal_name = kwargs.get('principal', None)
if principal_name is None:
raise NameError('Principal is required when using key table.')
else:
principal = krbV.Principal(principal_name, context=context)
cleaned_kwargs['principal'] = principal
kt_name = kwargs.get('keytab_file', None)
if kt_name is None:
keytab = context.default_keytab()
else:
keytab = krbV.Keytab(kt_name, context=context)
cleaned_kwargs['keytab'] = keytab
else:
# When initialize credentials cache with a regular user, clean
# principal has different rule. It will return a valid Principal object
# always.
principal_name = kwargs.get('principal', None)
if principal_name is None:
principal_name = get_login()
principal = krbV.Principal(principal_name, context=context)
cleaned_kwargs['principal'] = principal
cleaned_kwargs['using_keytab'] = using_keytab
ccache_file = kwargs.get('ccache_file', None)
if ccache_file is None:
ccache = get_default_ccache(context)
else:
ccache = krbV.CCache(ccache_file, context=context)
cleaned_kwargs['ccache'] = ccache
return cleaned_kwargs
def use_keytab(principal, keytab):
try:
tmpdir = tempfile.mkdtemp(prefix="tmp-")
ccache_file = 'FILE:%s/ccache' % tmpdir
krbcontext = krbV.default_context()
principal = str(principal)
keytab = krbV.Keytab(name=keytab, context=krbcontext)
principal = krbV.Principal(name=principal, context=krbcontext)
os.environ['KRB5CCNAME'] = ccache_file
ccache = krbV.CCache(name=ccache_file,
context=krbcontext,
primary_principal=principal)
ccache.init(principal)
ccache.init_creds_keytab(keytab=keytab, principal=principal)
conn = ldap2(shared_instance=False,
ldap_uri=api.env.ldap_uri,
base_dn=api.env.basedn)
conn.connect(ccache=ccache)
conn.disconnect()
except krbV.Krb5Error, e:
raise StandardError(
'Unable to bind to LDAP. Error initializing principal %s in %s: %s'
% (principal.name, keytab, str(e)))
def kinit_hostprincipal(keytab, ccachedir, principal):
"""
Given a ccache directory and a principal kinit as that user.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
Thus far this is used to kinit as the local host.
"""
try:
ccache_file = 'FILE:%s/ccache' % ccachedir
krbcontext = krbV.default_context()
ktab = krbV.Keytab(name=keytab, context=krbcontext)
princ = krbV.Principal(name=principal, context=krbcontext)
os.environ['KRB5CCNAME'] = ccache_file
ccache = krbV.CCache(name=ccache_file,
context=krbcontext,
primary_principal=princ)
ccache.init(princ)
ccache.init_creds_keytab(keytab=ktab, principal=princ)
return ccache_file
except krbV.Krb5Error, e:
raise StandardError('Error initializing principal %s in %s: %s' %
(principal, keytab, str(e)))
def _login_krbv(self):
"""Login using kerberos credentials (uses python-krbV)."""
def get_server_principal(service=None, realm=None):
"""Convert hub url to kerberos principal."""
hostname = urlparse.urlparse(self._hub_url)[1]
# remove port from hostname
hostname = hostname.split(":")[0]
if realm is None:
# guess realm: last two parts from hostname
realm = ".".join(hostname.split(".")[-2:]).upper()
if service is None:
service = "HTTP"
return '%s/%s@%s' % (service, hostname, realm)
# read default values from settings
principal = self._conf.get("KRB_PRINCIPAL")
keytab = self._conf.get("KRB_KEYTAB")
service = self._conf.get("KRB_SERVICE")
realm = self._conf.get("KRB_REALM")
ccache = self._conf.get("KRB_CCACHE")
proxyuser = self._conf.get("PROXY_USER")
import krbV
ctx = krbV.default_context()
if ccache is not None:
ccache = krbV.CCache(name='FILE:' + ccache, context=ctx)
elif keytab is not None:
# If we will be init'ing the ccache using a keytab, we need to
# always avoid using the default shared ccache, as a workaround for
# a race condition in krb5_cc_initialize() between unlink() and open()
# (see RHBZ#1313580).
ccache_tmpfile = tempfile.NamedTemporaryFile(prefix='krb5cc_bkr_')
ccache = krbV.CCache(name='FILE:' + ccache_tmpfile.name,
context=ctx)
else:
ccache = ctx.default_ccache()
if principal is not None:
if keytab is not None:
cprinc = krbV.Principal(name=principal, context=ctx)
keytab = krbV.Keytab(name=keytab, context=ctx)
ccache.init(cprinc)
ccache.init_creds_keytab(principal=cprinc, keytab=keytab)
else:
raise ImproperlyConfigured(
"Cannot specify a principal without a keytab")
else:
# connect using existing credentials
cprinc = ccache.principal()
sprinc = krbV.Principal(name=get_server_principal(service=service,
realm=realm),
context=ctx)
ac = krbV.AuthContext(context=ctx)
ac.flags = krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE | krbV.KRB5_AUTH_CONTEXT_DO_TIME
ac.rcache = ctx.default_rcache()
# create and encode the authentication request
try:
ac, req = ctx.mk_req(server=sprinc,
client=cprinc,
auth_context=ac,
ccache=ccache,
options=krbV.AP_OPTS_MUTUAL_REQUIRED)
except krbV.Krb5Error, ex:
if getattr(ex, "err_code", None) == -1765328377:
ex.message += ". Make sure you correctly set KRB_REALM (current value: %s)." % realm
ex.args = (ex.err_code, ex.message)
raise ex
def get_default_ccache(context):
if ENV_KRB5CCNAME in os.environ:
return krbV.CCache(os.environ[ENV_KRB5CCNAME], context=context)
else:
return context.default_ccache()
def get_tgt_time_from_ccache(principal_name):
context = krbV.default_context()
principal = krbV.Principal(principal_name, context=context)
ccache = krbV.CCache(config.user_ccache_file, context=context)
ct = get_tgt_time(context, ccache, principal)
return ct.endtime
def _setUp(self):
self.context = krbV.default_context()
self.principal = krbV.Principal(config.user_principal,
context=self.context)
self.ccache = krbV.CCache(config.user_ccache_file,
context=self.context)
def create_connection(self,
ccache=None,
bind_dn=None,
bind_pw='',
tls_cacertfile=None,
tls_certfile=None,
tls_keyfile=None,
debug_level=0,
autobind=False,
serverctrls=None,
clientctrls=None):
"""
Connect to LDAP server.
Keyword arguments:
ldapuri -- the LDAP server to connect to
ccache -- Kerberos V5 ccache object or name
bind_dn -- dn used to bind to the server
bind_pw -- password used to bind to the server
debug_level -- LDAP debug level option
tls_cacertfile -- TLS CA certificate filename
tls_certfile -- TLS certificate filename
tls_keyfile - TLS bind key filename
autobind - autobind as the current user
Extends backend.Connectible.create_connection.
"""
if bind_dn is None:
bind_dn = DN()
assert isinstance(bind_dn, DN)
if tls_cacertfile is not None:
_ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)
if tls_certfile is not None:
_ldap.set_option(_ldap.OPT_X_TLS_CERTFILE, tls_certfile)
if tls_keyfile is not None:
_ldap.set_option(_ldap.OPT_X_TLS_KEYFILE, tls_keyfile)
if debug_level:
_ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level)
object.__setattr__(self, '_force_schema_updates', self.api.env.context
in ('installer', 'updates'))
LDAPClient._connect(self)
conn = self._conn
with self.error_handler():
if self.ldap_uri.startswith('ldapi://') and ccache:
conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host)
minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
# Always connect with at least an SSF of 56, confidentiality
# This also protects us from a broken ldap.conf
if minssf < 56:
minssf = 56
conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf)
if maxssf < minssf:
conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
if ccache is not None:
if isinstance(ccache, krbV.CCache):
principal = ccache.principal().name
# Get a fully qualified CCACHE name (schema+name)
# As we do not use the krbV.CCache object later,
# we can safely overwrite it
ccache = "%(type)s:%(name)s" % dict(type=ccache.type,
name=ccache.name)
else:
principal = krbV.CCache(
name=ccache,
context=krbV.default_context()).principal().name
os.environ['KRB5CCNAME'] = ccache
self.gssapi_bind(server_controls=serverctrls,
client_controls=clientctrls)
setattr(context, 'principal', principal)
else:
# no kerberos ccache, use simple bind or external sasl
if autobind:
pent = pwd.getpwuid(os.geteuid())
self.external_bind(pent.pw_name,
server_controls=serverctrls,
client_controls=clientctrls)
else:
self.simple_bind(bind_dn,
bind_pw,
server_controls=serverctrls,
client_controls=clientctrls)
return conn
def __get_ccache(self, ccname):
"""
Return the ``krbV.CCache`` for the ``ccname`` credential ccache.
"""
return krbV.CCache(ccname)
def _login_krbv(self):
"""Login using kerberos credentials (uses python-krbV)."""
def get_server_principal(service=None, realm=None):
"""Convert hub url to kerberos principal."""
hostname = urlparse.urlparse(self._hub_url)[1]
# remove port from hostname
hostname = hostname.split(":")[0]
if realm is None:
# guess realm: last two parts from hostname
realm = ".".join(hostname.split(".")[-2:]).upper()
if service is None:
service = "HTTP"
return '%s/%s@%s' % (service, hostname, realm)
# read default values from settings
principal = self._conf.get("KRB_PRINCIPAL")
keytab = self._conf.get("KRB_KEYTAB")
service = self._conf.get("KRB_SERVICE")
realm = self._conf.get("KRB_REALM")
ccache = self._conf.get("KRB_CCACHE")
proxyuser = self._conf.get("KRB_PROXYUSER")
import krbV
ctx = krbV.default_context()
if ccache is not None:
ccache = krbV.CCache(name='FILE:' + ccache, context=ctx)
else:
ccache = ctx.default_ccache()
if principal is not None:
if keytab is not None:
cprinc = krbV.Principal(name=principal, context=ctx)
keytab = krbV.Keytab(name=keytab, context=ctx)
ccache.init(cprinc)
ccache.init_creds_keytab(principal=cprinc, keytab=keytab)
else:
raise ImproperlyConfigured(
"Cannot specify a principal without a keytab")
else:
# connect using existing credentials
cprinc = ccache.principal()
sprinc = krbV.Principal(name=get_server_principal(service=service,
realm=realm),
context=ctx)
ac = krbV.AuthContext(context=ctx)
ac.flags = krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE | krbV.KRB5_AUTH_CONTEXT_DO_TIME
ac.rcache = ctx.default_rcache()
# create and encode the authentication request
try:
ac, req = ctx.mk_req(server=sprinc,
client=cprinc,
auth_context=ac,
ccache=ccache,
options=krbV.AP_OPTS_MUTUAL_REQUIRED)
except krbV.Krb5Error as ex:
if getattr(ex, "err_code", None) == -1765328377:
ex.message += ". Make sure you correctly set KRB_REALM (current value: %s)." % realm
ex.args = (ex.err_code, ex.message)
raise ex
req_enc = base64.encodestring(req)
self._hub.auth.login_krbv(req_enc)
