[CalendarServer-changes] [1421]
CalendarServer/branches/users/cdaboo/serviceprincipal-1418
Fri Mar 23 11:08:01 PDT 2007
Revision: 1421
http://trac.macosforge.org/projects/calendarserver/changeset/1421
Author: cdaboo at apple.com
Date: 2007-03-23 11:08:01 -0700 (Fri, 23 Mar 2007)
Log Message:
-----------
Allow the server to automatically look up its own Kerberos service principal.
Modified Paths:
--------------
CalendarServer/branches/users/cdaboo/serviceprincipal-1418/run
CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/authkerb.py
CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/tap.py
CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/test/test_kerberos.py
CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/test/test_tap.py
Modified: CalendarServer/branches/users/cdaboo/serviceprincipal-1418/run
===================================================================
--- CalendarServer/branches/users/cdaboo/serviceprincipal-1418/run 2007-03-23 17:49:26 UTC (rev 1420)
+++ CalendarServer/branches/users/cdaboo/serviceprincipal-1418/run 2007-03-23 18:08:01 UTC (rev 1421)
@@ -409,7 +409,7 @@
if ! py_have_module kerberos; then
kerberos="${top}/PyKerberos";
- svn_get "PyKerberos" "${kerberos}" "${svn_uri_base}/PyKerberos/trunk" 1213;
+ svn_get "PyKerberos" "${kerberos}" "${svn_uri_base}/PyKerberos/trunk" 1420;
py_build "PyKerberos" "${kerberos}" false; # FIXME: make optional
py_install "PyKerberos" "${kerberos}";
Modified: CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/authkerb.py
===================================================================
--- CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/authkerb.py 2007-03-23 17:49:26 UTC (rev 1420)
+++ CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/authkerb.py 2007-03-23 18:08:01 UTC (rev 1421)
@@ -46,6 +46,7 @@
from twisted.web2.dav.auth import IPrincipalCredentials
from twistedcaldav import logging
+from twistedcaldav.config import config
import kerberos
@@ -73,15 +74,29 @@
scheme = 'basic'
- def __init__(self, service, realm):
+ def __init__(self, principal):
"""
- The realm string can be of the form service/realm at domain. We split that
- into service at domain, and realm.
+ The principal string must be of the form service/host at realm. We split that
+ into service at realm, and realm. It can also be empty in which case we find
+ the right values automatically from the keytab.
"""
- self.service = service
+
+ if not principal:
+ try:
+ principal = kerberos.getServerPrincipalDetails("http", config.ServerHostName)
+ except kerberos.KrbError, ex:
+ logging.err("getServerPrincipalDetails: %s" % (ex[0],), system="BasicKerberosCredentialFactory")
+ raise config.ConfigurationError("Could not automatically determine the server's service principal from the default Kerberos keytab file.")
+
+ try:
+ service, rest = principal.split("/")
+ ignore_host, realm = rest.split("@")
+ except ValueError:
+ raise config.ConfigurationError("Could not parse Kerberos service principal '%s'. Required format is 'service/host at realm'" % (principal,))
+ self.service = "%s@%s" % (service, realm,)
self.realm = realm
- def getChallenge(self, peer):
+ def getChallenge(self, unused_peer):
return {'realm': self.realm}
def decode(self, response, request): #@UnusedVariable
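Review bot: The principal resolution and parsing added to BasicKerberosCredentialFactory.__init__ is repeated line for line in NegotiateCredentialFactory.__init__ in the next hunk, and neither copy rejects empty components: a value such as `/@REALM` or `http/host@` passes both `split` calls and produces a service of `@REALM` or `http@` that only fails later inside GSSAPI with a less specific error than the ConfigurationError raised for other malformed input. The two copies also differ in the trailing period of the parse-error message (the Basic one has none). I would move the block into one module-level helper that both constructors call and have it treat an empty `service` or `realm` as a parse failure, which also keeps the two error texts identical. The archive appears to have rendered "@" as " at " in the docstrings and messages, so the strings should be checked against the actual source; `decode` continues beyond the hunk.
```python
def _parseServicePrincipal(principal, system):
    """
    Resolve and split a Kerberos service principal.

    An empty principal is looked up in the default keytab for the "http"
    service on config.ServerHostName.  Returns ('service@realm', realm);
    raises config.ConfigurationError when the lookup fails or the value is
    not of the form 'service/host@realm' with non-empty service and realm.
    """
    if not principal:
        try:
            principal = kerberos.getServerPrincipalDetails("http", config.ServerHostName)
        except kerberos.KrbError, ex:
            logging.err("getServerPrincipalDetails: %s" % (ex[0],), system=system)
            raise config.ConfigurationError("Could not automatically determine the server's service principal from the default Kerberos keytab file.")
    try:
        service, rest = principal.split("/")
        ignore_host, realm = rest.split("@")
    except ValueError:
        service = realm = ""
    # Empty components would otherwise surface only as a GSSAPI failure at login time.
    if not service or not realm:
        raise config.ConfigurationError("Could not parse Kerberos service principal '%s'. Required format is 'service/host@realm'." % (principal,))
    return "%s@%s" % (service, realm,), realm

# … unchanged: class BasicKerberosCredentialFactory header and scheme …
    def __init__(self, principal):
        """
        Accept a 'service/host@realm' principal, or an empty one that is
        resolved from the default keytab.
        """
        self.service, self.realm = _parseServicePrincipal(principal, "BasicKerberosCredentialFactory")
```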
@@ -142,19 +157,36 @@
scheme = 'negotiate'
- def __init__(self, service, realm):
+ def __init__(self, principal):
+ """
+ The principal string must be of the form service/host at realm. We split that
+ into service at realm, and realm. It can also be empty in which case we find
+ the right values automatically from the keytab.
+ """
+
+ if not principal:
+ try:
+ principal = kerberos.getServerPrincipalDetails("http", config.ServerHostName)
+ except kerberos.KrbError, ex:
+ logging.err("getServerPrincipalDetails: %s" % (ex[0],), system="NegotiateCredentialFactory")
+ raise config.ConfigurationError("Could not automatically determine the server's service principal from the default Kerberos keytab file.")
- self.service = service
+ try:
+ service, rest = principal.split("/")
+ ignore_host, realm = rest.split("@")
+ except ValueError:
+ raise config.ConfigurationError("Could not parse Kerberos service principal '%s'. Required format is 'service/host at realm'." % (principal,))
+ self.service = "%s@%s" % (service, realm,)
self.realm = realm
- def getChallenge(self, peer):
+ def getChallenge(self, unused_peer):
return {}
def decode(self, base64data, request):
# Init GSSAPI first
try:
- result, context = kerberos.authGSSServerInit(self.service);
+ ignore_result, context = kerberos.authGSSServerInit(self.service);
except kerberos.GSSError, ex:
logging.err("authGSSServerInit: %s(%s)" % (ex[0][0], ex[1][0],), system="NegotiateCredentialFactory")
raise error.LoginFailed('Authentication System Failure: %s(%s)' % (ex[0][0], ex[1][0],))
@@ -191,7 +223,7 @@
# Close the context
try:
- result = kerberos.authGSSServerClean(context);
+ ignore_result = kerberos.authGSSServerClean(context);
except kerberos.GSSError, ex:
logging.err("authGSSServerClean: %s" % (ex[0][0], ex[1][0],), system="NegotiateCredentialFactory")
raise error.LoginFailed('Authentication System Failure %s(%s)' % (ex[0][0], ex[1][0],))
Modified: CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/tap.py
===================================================================
--- CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/tap.py 2007-03-23 17:49:26 UTC (rev 1420)
+++ CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/tap.py 2007-03-23 18:08:01 UTC (rev 1421)
@@ -390,15 +390,7 @@
service = schemeConfig['ServicePrincipal']
- if '@' in service:
- rest, kerbRealm = service.split('@', 1)
- else:
- kerbRealm = config.ServerHostName
-
- credFactory = NegotiateCredentialFactory(
- service,
- kerbRealm
- )
+ credFactory = NegotiateCredentialFactory(schemeConfig['ServicePrincipal'])
elif scheme == 'digest':
credFactory = QopDigestCredentialFactory(
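Review bot: The `service` local assigned on the context line just above the new call (`service = schemeConfig['ServicePrincipal']`) appears to be left unused in this branch, since the new line re-reads the same key; either write `credFactory = NegotiateCredentialFactory(service)` or drop the assignment. It is also worth a comment at the call site that an empty or missing ServicePrincipal now makes the factory consult the default keytab for config.ServerHostName at startup, so a hostname that does not match the keytab aborts startup with ConfigurationError — something like `# empty principal: factory resolves it from the default keytab (see authkerb)`. The enclosing function starts and ends outside the hunk.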
Modified: CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/test/test_kerberos.py
===================================================================
--- CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/test/test_kerberos.py 2007-03-23 17:49:26 UTC (rev 1420)
+++ CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/test/test_kerberos.py 2007-03-23 18:08:01 UTC (rev 1421)
@@ -31,10 +31,10 @@
class KerberosTests(twistedcaldav.test.util.TestCase):
def test_BasicKerberosCredentials(self):
- authkerb.BasicKerberosCredentials("test", "test", "http/example.com at EXAMPLE.COM", "EXAMPLE.COM")
+ authkerb.BasicKerberosCredentials("test", "test", "http at EXAMPLE.COM", "EXAMPLE.COM")
def test_BasicKerberosCredentialFactory(self):
- factory = authkerb.BasicKerberosCredentialFactory("http/example.com at EXAMPLE.COM", "EXAMPLE.COM")
+ factory = authkerb.BasicKerberosCredentialFactory("http/example.com at EXAMPLE.COM")
challenge = factory.getChallenge("peer")
expected_challenge = {'realm': "EXAMPLE.COM"}
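Review bot: The updated tests only construct each factory with a well-formed principal, so the new parsing error path in both constructors is untested; the same applies to the Negotiate test in the next hunk. A one-line case such as `self.assertRaises(config.ConfigurationError, authkerb.BasicKerberosCredentialFactory, "http")` (with `from twistedcaldav.config import config` added to the module if it is not already imported) would pin the malformed-principal behaviour. The empty-principal branch depends on a real keytab on the host, so it is reasonable that it stays outside the unit tests, but a short comment saying so in the test class would stop the next reader from assuming it is covered.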
@@ -45,7 +45,7 @@
authkerb.NegotiateCredentials("test")
def test_NegotiateCredentialFactory(self):
- factory = authkerb.NegotiateCredentialFactory("http/example.com at EXAMPLE.COM", "EXAMPLE.COM")
+ factory = authkerb.NegotiateCredentialFactory("http/example.com at EXAMPLE.COM")
challenge = factory.getChallenge("peer")
expected_challenge = {}
Modified: CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/test/test_tap.py
===================================================================
--- CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/test/test_tap.py 2007-03-23 17:49:26 UTC (rev 1420)
+++ CalendarServer/branches/users/cdaboo/serviceprincipal-1418/twistedcaldav/test/test_tap.py 2007-03-23 18:08:01 UTC (rev 1421)
@@ -403,6 +403,7 @@
"""
self.config['Authentication']['Digest']['Enabled'] = True
self.config['Authentication']['Kerberos']['Enabled'] = True
+ self.config['Authentication']['Kerberos']['ServicePrincipal'] = 'http/hello at bob'
self.config['Authentication']['Basic']['Enabled'] = True
self.writeConfig()
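Review bot: The new line setting ServicePrincipal in this test carries no explanation, and the reason is not visible from the test itself: with the constructor change in authkerb, an empty principal presumably triggers a keytab lookup for the test host, which would fail in a test environment. A comment such as `# explicit principal: an empty one would be resolved from the host's keytab` would record that. The enclosing test method starts outside the hunk.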
@@ -427,7 +428,7 @@
Test that the Kerberos Realm defaults to the ServerHostName when
the principal is not in the form of proto/host at realm
"""
- self.config['Authentication']['Kerberos']['ServicePrincipal'] = 'http/hello'
+ self.config['Authentication']['Kerberos']['ServicePrincipal'] = 'http/hello at bob'
self.config['Authentication']['Kerberos']['Enabled'] = True
self.writeConfig()
site = self.getSite()
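Review bot: The docstring on the context lines above (`Test that the Kerberos Realm defaults to the ServerHostName when the principal is not in the form of proto/host at realm`) no longer describes this test: the commit removes the default-to-ServerHostName behaviour from tap.py and the test now supplies a full principal, so with the assertion changes in the following hunk it becomes a duplicate of test_servicePrincipalWithRealm. Either rewrite the docstring to something like `Test that an explicit proto/host@realm principal is split into service@realm and realm`, or turn this test into one that checks a principal without a realm is rejected with ConfigurationError, which is the behaviour that replaced the old default. The enclosing test method starts outside the hunk.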
@@ -435,8 +436,8 @@
authWrapper = site.resource.resource
ncf = authWrapper.credentialFactories['negotiate']
- self.assertEquals(ncf.service, 'http/hello')
- self.assertEquals(ncf.realm, 'localhost')
+ self.assertEquals(ncf.service, 'http at bob')
+ self.assertEquals(ncf.realm, 'bob')
def test_servicePrincipalWithRealm(self):
"""
@@ -451,7 +452,7 @@
authWrapper = site.resource.resource
ncf = authWrapper.credentialFactories['negotiate']
- self.assertEquals(ncf.service, 'http/hello at bob')
+ self.assertEquals(ncf.service, 'http at bob')
self.assertEquals(ncf.realm, 'bob')
def test_AuthWrapperPartialEnabled(self):