[CalendarServer-changes] [272] CalendarServer/trunk/twistedcaldav/authkerb.py

source_changes at macosforge.org source_changes at macosforge.org
Fri Oct 13 12:53:30 PDT 2006


Revision: 272
          http://trac.macosforge.org/projects/calendarserver/changeset/272
Author:   cdaboo at apple.com
Date:     2006-10-13 12:53:30 -0700 (Fri, 13 Oct 2006)

Log Message:
-----------
Kerberos exception handling provided by Guido Guenther.

Modified Paths:
--------------
    CalendarServer/trunk/twistedcaldav/authkerb.py

Modified: CalendarServer/trunk/twistedcaldav/authkerb.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/authkerb.py	2006-10-13 18:55:36 UTC (rev 271)
+++ CalendarServer/trunk/twistedcaldav/authkerb.py	2006-10-13 19:53:30 UTC (rev 272)
@@ -45,6 +45,8 @@
 from twisted.web2.auth.interfaces import ICredentialFactory
 from twisted.web2.dav.auth import IPrincipalCredentials
 
+from twistedcaldav import logging
+
 import kerberos
 
 class BasicKerberosCredentials(credentials.UsernamePassword):
@@ -107,7 +109,12 @@
 
         creds = pcreds.credentials
         if isinstance(creds, BasicKerberosCredentials):
-            if kerberos.checkPassword(creds.username, creds.password, creds.service, creds.default_realm):
+            try:
+                kerberos.checkPassword(creds.username, creds.password, creds.service, creds.default_realm)
+            except kerberos.BasicAuthError, ex:
+                logging.err("%s" % (ex[0],), system="BasicKerberosCredentialsChecker")
+                raise error.UnauthorizedLogin("Bad credentials for: %s (%s)" % (pcreds.principalURI, ex[0],))
+            else:
                 return succeed(pcreds.principalURI)
         
         raise error.UnauthorizedLogin("Bad credentials for: %s" % (pcreds.principalURI,))
@@ -145,26 +152,37 @@
     def decode(self, base64data, request):
         
         # Init GSSAPI first
-        result, context = kerberos.authGSSServerInit(self.service);
-        if result != 1:
-            raise error.LoginFailed('Authentication System Failure')
+        try:
+            result, context = kerberos.authGSSServerInit(self.service);
+        except kerberos.GSSError, ex:
+            logging.err("authGSSServerInit: %s" % (ex[0][0], ex[1][0],), system="NegotiateCredentialFactory")
+            raise error.LoginFailed('Authentication System Failure: %s(%s)' % (ex[0][0], ex[1][0],))
 
         # Do the GSSAPI step and get response and username
-        result = kerberos.authGSSServerStep(context, base64data);
-        if result == -1:
-            raise error.UnauthorizedLogin("Bad credentials for")
-        else:
-            response = kerberos.authGSSServerResponse(context)
-            username = kerberos.authGSSServerUserName(context)
-            
-            # Username may include realm suffix which we want to strip
-            if username.find("@") != -1:
-                username = username.split("@", 1)[0]
+        try:
+            kerberos.authGSSServerStep(context, base64data);
+        except kerberos.GSSError, ex:
+            logging.err("authGSSServerStep: %s" % (ex[0][0], ex[1][0],), system="NegotiateCredentialFactory")
+            kerberos.authGSSServerClean(context)
+            raise error.UnauthorizedLogin('Bad credentials: %s(%s)' % (ex[0][0], ex[1][0],))
+        except kerberos.KrbError, ex:
+            logging.err("authGSSServerStep: %s" % (ex[0],), system="NegotiateCredentialFactory")
+            kerberos.authGSSServerClean(context)
+            raise error.UnauthorizedLogin('Bad credentials: %s' % (ex[0],))
 
+        response = kerberos.authGSSServerResponse(context)
+        username = kerberos.authGSSServerUserName(context)
+        
+        # Username may include realm suffix which we want to strip
+        if username.find("@") != -1:
+            username = username.split("@", 1)[0]
+
         # Close the context
-        result = kerberos.authGSSServerClean(context);
-        if result != 1:
-            raise error.LoginFailed('Authentication System Failure')
+        try:
+            result = kerberos.authGSSServerClean(context);
+        except kerberos.GSSError, ex:
+            logging.err("authGSSServerClean: %s" % (ex[0][0], ex[1][0],), system="NegotiateCredentialFactory")
+            raise error.LoginFailed('Authentication System Failure %s(%s)' % (ex[0][0], ex[1][0],))
         
         # If we successfully decoded and verified the Kerberos credentials we need to add the Kerberos
         # response data to the outgoing request

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20061013/2ed5be74/attachment.html


More information about the calendarserver-changes mailing list