Exemplo n.º 1
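    def check_ticket(self, ticket):
        """Validate a GSSAPI/Kerberos ticket presented by a client.

        Looks up this server's principal, runs one server-side GSSAPI step
        over ``ticket`` and, when that succeeds, reads the response token and
        the authenticated client principal from the context.

        The ticket is accepted only when the service part of the target name
        it was issued for matches the service part of this server's own
        principal (compared case-insensitively).

        Returns:
            ``(response, username, realm)`` on success, or ``('', '', '')``
            when the ticket is rejected or a Kerberos error is raised.
        """
        init_context_res = check_ticket_res = -1
        principal = realm = orig_service = target_name = service = ''
        context = None

        try:
            principal = kerberos.getServerPrincipalDetails(
                self._service_type, self._hostname)
            orig_service, realm = self._split_principal(principal)
            init_context_res, context = kerberos.authGSSServerInit('')
            check_ticket_res = kerberos.authGSSServerStep(context, ticket)
            target_name = kerberos.authGSSServerTargetName(context)
            service, _ = self._split_principal(target_name)
            response = kerberos.authGSSServerResponse(context)
            principal = kerberos.authGSSServerUserName(context)

        except kerberos.GSSError:
            if init_context_res != 1:
                ERROR("Error init kerberos context")
            elif check_ticket_res == -1:
                # The raw ticket is credential material supplied by the
                # client; keep it out of the log.
                ERROR("Ticket is not correct")
            else:
                # The step succeeded but a later context query failed.
                ERROR("Internal kerberos error")
            return '', '', ''

        except kerberos.KrbError:
            ERROR("Internal kerberos error")
            return '', '', ''

        finally:
            # Release the context on every path, including rejected tickets,
            # so failed attempts do not accumulate server-side contexts.
            if context is not None:
                try:
                    kerberos.authGSSServerClean(context)
                except (kerberos.GSSError, kerberos.KrbError):
                    ERROR("Internal kerberos error")

        # This comparison used to live only inside the GSSError handler, so a
        # ticket that passed the GSSAPI step was never checked against the
        # local service. Enforce it on the success path.
        if service.lower() != orig_service.lower():
            ERROR('Bad credentials: wrong target name ' + target_name)
            return '', '', ''

        username, realm = principal.split('@')
        return response, username, realm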
Exemplo n.º 2
 def _doNegotiateAuth(self):
     """Run the server side of a Negotiate (GSSAPI) exchange for this request.

     On success stores the authenticated user in ``self.user`` and appends a
     ``WWW-Authenticate: Negotiate <token>`` response header. On any failure
     clears ``self.page.offerNegotiate`` and re-raises. The GSSAPI context is
     released in every case.
     """
     _status, gss_ctx = kerberos.authGSSServerInit("")
     try:
         self._getKerberosDetails()
         kerberos.authGSSServerStep(gss_ctx, self.authToken)

         # The ticket must have been issued for this server's own principal.
         target = kerberos.authGSSServerTargetName(gss_ctx)
         if not target.lower() == self._kerberosPrincipal.lower():
             target_error = (
                 "Target name did not match local principal - %s vs %s" %
                 (target, self._kerberosPrincipal))
             raise Exception(target_error)

         reply_token = kerberos.authGSSServerResponse(gss_ctx)
         client_principal = kerberos.authGSSServerUserName(gss_ctx)

         # Only clients from the configured realm are accepted.
         user, realm = client_principal.split("@", 1)
         if not realm.lower() == self._kerberosRealm.lower():
             realm_error = ("Mismatched realms - %s vs %s" %
                            (realm, self._kerberosRealm))
             raise Exception(realm_error)

         self.user = user
         negotiate_header = ("WWW-Authenticate", "Negotiate %s" % reply_token)
         self.page.responseHeaders.append(negotiate_header)
         print "Did negotiate auth for %s" % self.user
     except:
         # Any failure disables further Negotiate offers, then propagates.
         print "Failed negotiate auth"
         self.page.offerNegotiate = False
         raise
     finally:
         kerberos.authGSSServerClean(gss_ctx)
Exemplo n.º 3
def testGSSAPI(service):
    """Drive a client and a server GSSAPI context against each other.

    Prints the status of every step and stops at the first step whose
    status is not the one the exchange needs in order to continue.
    """
    def statusText(r):
        # 1 -> Complete, 0 -> Continue, anything else -> Error
        return {1: "Complete", 0: "Continue"}.get(r, "Error")

    client_rc, client_ctx = kerberos.authGSSClientInit(service)
    print "Status for authGSSClientInit = %s" % statusText(client_rc)
    if client_rc != 1:
        return

    server_rc, server_ctx = kerberos.authGSSServerInit(service)
    print "Status for authGSSServerInit = %s" % statusText(server_rc)
    if server_rc != 1:
        return

    # First client step takes an empty challenge and must ask to continue.
    client_rc = kerberos.authGSSClientStep(client_ctx, "")
    print "Status for authGSSClientStep = %s" % statusText(client_rc)
    if client_rc != 0:
        return

    # Feed the client's token to the server.
    client_token = kerberos.authGSSClientResponse(client_ctx)
    server_rc = kerberos.authGSSServerStep(server_ctx, client_token)
    print "Status for authGSSServerStep = %s" % statusText(server_rc)
    if server_rc == -1:
        return

    # Feed the server's reply back to the client.
    server_token = kerberos.authGSSServerResponse(server_ctx)
    client_rc = kerberos.authGSSClientStep(client_ctx, server_token)
    print "Status for authGSSClientStep = %s" % statusText(client_rc)
    if client_rc == -1:
        return

    print "Server user name: %s" % kerberos.authGSSServerUserName(server_ctx)
    print "Server target name: %s" % kerberos.authGSSServerTargetName(server_ctx)
    print "Client user name: %s" % kerberos.authGSSClientUserName(client_ctx)

    client_rc = kerberos.authGSSClientClean(client_ctx)
    print "Status for authGSSClientClean = %s" % statusText(client_rc)

    server_rc = kerberos.authGSSServerClean(server_ctx)
    print "Status for authGSSServerClean = %s" % statusText(server_rc)
Exemplo n.º 4
def testGSSAPI(service):
    """Exercise a full client/server GSSAPI handshake for ``service``.

    Each call's status is printed; the function returns early as soon as a
    step reports a status that does not allow the handshake to proceed.
    """
    def statusText(r):
        # Map a status code to its printable name.
        return "Complete" if r == 1 else ("Continue" if r == 0 else "Error")

    def show(call, code):
        # One status line per library call.
        print("Status for %s = %s" % (call, statusText(code)))

    rc, client = kerberos.authGSSClientInit(service)
    show("authGSSClientInit", rc)
    if rc != 1:
        return

    rs, server = kerberos.authGSSServerInit(service)
    show("authGSSServerInit", rs)
    if rs != 1:
        return

    # Initial client step with an empty challenge; "Continue" is required.
    rc = kerberos.authGSSClientStep(client, "")
    show("authGSSClientStep", rc)
    if rc != 0:
        return

    # Client token -> server.
    rs = kerberos.authGSSServerStep(
        server, kerberos.authGSSClientResponse(client))
    show("authGSSServerStep", rs)
    if rs == -1:
        return

    # Server reply -> client.
    rc = kerberos.authGSSClientStep(
        client, kerberos.authGSSServerResponse(server))
    show("authGSSClientStep", rc)
    if rc == -1:
        return

    print("Server user name: %s" % kerberos.authGSSServerUserName(server))
    print("Server target name: %s" % kerberos.authGSSServerTargetName(server))
    print("Client user name: %s" % kerberos.authGSSClientUserName(client))

    show("authGSSClientClean", kerberos.authGSSClientClean(client))
    show("authGSSServerClean", kerberos.authGSSServerClean(server))
Exemplo n.º 5
 def _doNegotiateAuth(self):
     """Authenticate the request with a single server-side GSSAPI step.

     Checks that the ticket's target name equals ``self._kerberosPrincipal``
     and that the client's realm equals ``self._kerberosRealm`` (both
     case-insensitively) before setting ``self.user`` and adding the
     ``WWW-Authenticate`` response header. Failures turn off
     ``self.page.offerNegotiate`` and are re-raised; the context is always
     cleaned up.
     """
     _rc, ctx = kerberos.authGSSServerInit("")
     try:
         self._getKerberosDetails()
         kerberos.authGSSServerStep(ctx, self.authToken)

         ticket_target = kerberos.authGSSServerTargetName(ctx)
         local_principal = self._kerberosPrincipal
         # Reject tickets that were issued for some other service principal.
         if ticket_target.lower() != local_principal.lower():
             raise Exception(
                 "Target name did not match local principal - %s vs %s"
                 % (ticket_target, self._kerberosPrincipal))

         token = kerberos.authGSSServerResponse(ctx)
         authenticated = kerberos.authGSSServerUserName(ctx)
         (name, client_realm) = authenticated.split("@", 1)
         # Reject clients whose realm is not the configured one.
         if client_realm.lower() != self._kerberosRealm.lower():
             raise Exception(
                 "Mismatched realms - %s vs %s"
                 % (client_realm, self._kerberosRealm))

         self.user = name
         self.page.responseHeaders.append(
             ("WWW-Authenticate", "Negotiate %s" % token))
         print "Did negotiate auth for %s" % self.user
     except:
         print "Failed negotiate auth"
         self.page.offerNegotiate = False
         raise
     finally:
         # Runs on success and on failure alike.
         kerberos.authGSSServerClean(ctx)
Exemplo n.º 6
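def test_gssapi():
    """Run a client/server GSSAPI handshake and check every return code.

    Uses the module-level ``hostname``, ``username`` and ``realm`` values.

    Return Code Values
        0 = Continue
        1 = Complete
        Other = Error
    """
    service = "HTTP@%s" % hostname
    rc, vc = kerberos.authGSSClientInit(service)
    assert rc == 1, "authGSSClientInit = %d, expecting 1" % rc

    rs, vs = kerberos.authGSSServerInit(service)
    assert rs == 1, "authGSSServerInit = %d, expecting 1" % rs

    # First client step takes an empty challenge and must report Continue.
    rc = kerberos.authGSSClientStep(vc, "")
    assert rc == 0, "authGSSClientStep = %d, expecting 0" % rc

    rs = kerberos.authGSSServerStep(vs, kerberos.authGSSClientResponse(vc))
    assert rs != -1, "authGSSServerStep = %d, not expecting it to be -1" % rs

    rc = kerberos.authGSSClientStep(vc, kerberos.authGSSServerResponse(vs))
    assert rc != -1, "authGSSClientStep = %d, not expecting it to be -1" % rc

    # Both sides should report the client principal as user@REALM. The
    # format string needs two placeholders for the two-element tuple; a
    # literal without any would raise TypeError here.
    expected_username = "%s@%s" % (username, realm.upper())
    server_user_name = kerberos.authGSSServerUserName(vs)
    assert server_user_name == expected_username, "Invalid server username returned"

    client_user_name = kerberos.authGSSClientUserName(vc)
    assert client_user_name == expected_username, "Invalid client username returned"

    server_target_name = kerberos.authGSSServerTargetName(vs)
    assert server_target_name is None, "Server target name is not None"

    # The clean calls are asserted to return 1, so the messages say 1 too.
    rc = kerberos.authGSSClientClean(vc)
    assert rc == 1, "authGSSClientClean = %d, expecting it to be 1" % rc

    rs = kerberos.authGSSServerClean(vs)
    assert rs == 1, "authGSSServerClean = %d, expecting it to be 1" % rs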
Exemplo n.º 7
 def targetName(self):
     """Return the target name reported for this object's GSSAPI server context."""
     target = kerberos.authGSSServerTargetName(self.context)
     return target
Exemplo n.º 8
        except kerberos.GSSError, ex:
            self.log.error("authGSSServerStep: %s(%s)" % (
                ex[0][0],
                ex[1][0],
            ))
            kerberos.authGSSServerClean(context)
            raise error.UnauthorizedLogin('Bad credentials: %s(%s)' % (
                ex[0][0],
                ex[1][0],
            ))
        except kerberos.KrbError, ex:
            self.log.error("authGSSServerStep: %s" % (ex[0], ))
            kerberos.authGSSServerClean(context)
            raise error.UnauthorizedLogin('Bad credentials: %s' % (ex[0], ))

        targetname = kerberos.authGSSServerTargetName(context)
        try:
            service, _ignore_realm = self._splitPrincipal(targetname)
        except ValueError:
            self.log.error(
                "authGSSServerTargetName invalid target name: '%s'" %
                (targetname, ))
            kerberos.authGSSServerClean(context)
            raise error.UnauthorizedLogin(
                'Bad credentials: bad target name %s' % (targetname, ))
        if service.lower() != self.service.lower():
            self.log.error(
                "authGSSServerTargetName mismatch got: '%s' wanted: '%s'" %
                (service, self.service))
            kerberos.authGSSServerClean(context)
            raise error.UnauthorizedLogin(
Exemplo n.º 9
            self.log_error("authGSSServerInit: %s(%s)" % (ex[0][0], ex[1][0],))
            raise error.LoginFailed('Authentication System Failure: %s(%s)' % (ex[0][0], ex[1][0],))

        # Do the GSSAPI step and get response and username
        try:
            kerberos.authGSSServerStep(context, base64data);
        except kerberos.GSSError, ex:
            self.log_error("authGSSServerStep: %s(%s)" % (ex[0][0], ex[1][0],))
            kerberos.authGSSServerClean(context)
            raise error.UnauthorizedLogin('Bad credentials: %s(%s)' % (ex[0][0], ex[1][0],))
        except kerberos.KrbError, ex:
            self.log_error("authGSSServerStep: %s" % (ex[0],))
            kerberos.authGSSServerClean(context)
            raise error.UnauthorizedLogin('Bad credentials: %s' % (ex[0],))

        targetname = kerberos.authGSSServerTargetName(context)
        try:
            service, _ignore_realm = self._splitPrincipal(targetname)
        except ValueError:
            self.log_error("authGSSServerTargetName invalid target name: '%s'" % (targetname,))
            kerberos.authGSSServerClean(context)
            raise error.UnauthorizedLogin('Bad credentials: bad target name %s' % (targetname,))
        if service.lower() != self.service.lower():
            self.log_error("authGSSServerTargetName mismatch got: '%s' wanted: '%s'" % (service, self.service))
            kerberos.authGSSServerClean(context)
            raise error.UnauthorizedLogin('Bad credentials: wrong target name %s' % (targetname,))

        response = kerberos.authGSSServerResponse(context)
        principal = kerberos.authGSSServerUserName(context)
        username = principal
        realmname = ""