[CalendarServer-changes] [2325] PyKerberos/trunk

source_changes at macosforge.org source_changes at macosforge.org
Wed Apr 16 13:15:25 PDT 2008


Revision: 2325
          http://trac.macosforge.org/projects/calendarserver/changeset/2325
Author:   wsanchez at apple.com
Date:     2008-04-16 13:15:24 -0700 (Wed, 16 Apr 2008)

Log Message:
-----------
Apply patch from #256

Modified Paths:
--------------
    PyKerberos/trunk/setup.py
    PyKerberos/trunk/src/kerberos.c

Added Paths:
-----------
    PyKerberos/trunk/src/kerberospw.c
    PyKerberos/trunk/src/kerberospw.h

Modified: PyKerberos/trunk/setup.py
===================================================================
--- PyKerberos/trunk/setup.py	2008-04-16 20:12:07 UTC (rev 2324)
+++ PyKerberos/trunk/setup.py	2008-04-16 20:15:24 UTC (rev 2325)
@@ -33,6 +33,7 @@
                 "src/kerberos.c",
                 "src/kerberosbasic.c",
                 "src/kerberosgss.c",
+                "src/kerberospw.c",
                 "src/base64.c"
             ],
         ),

Modified: PyKerberos/trunk/src/kerberos.c
===================================================================
--- PyKerberos/trunk/src/kerberos.c	2008-04-16 20:12:07 UTC (rev 2324)
+++ PyKerberos/trunk/src/kerberos.c	2008-04-16 20:15:24 UTC (rev 2325)
@@ -19,10 +19,12 @@
 #include <Python.h>
 
 #include "kerberosbasic.h"
+#include "kerberospw.h"
 #include "kerberosgss.h"
 
 PyObject *KrbException_class;
 PyObject *BasicAuthException_class;
+PyObject *PwdChangeException_class;
 PyObject *GssException_class;
 
 static PyObject *checkPassword(PyObject *self, PyObject *args)
@@ -44,6 +46,23 @@
         return NULL;
 }
 
+static PyObject *changePassword(PyObject *self, PyObject *args)
+{
+    const char *newpswd, *oldpswd;
+    const char *user;
+    int result = 0;
+
+    if (!PyArg_ParseTuple(args, "sss", &user, &oldpswd, &newpswd))
+        return NULL;
+
+    result = change_user_krb5pwd(user, oldpswd, newpswd);
+	
+    if (result)
+	return Py_INCREF(Py_True), Py_True;
+    else
+	return NULL;
+}
+
 static PyObject *getServerPrincipalDetails(PyObject *self, PyObject *args)
 {
     const char *service;
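Review bot: The success path in `changePassword`, `return Py_INCREF(Py_True), Py_True;`, relies on the comma operator and is tab-indented inside a space-indented function; `Py_RETURN_TRUE;` states the same thing directly, provided the module's minimum Python version has it. The `else return NULL;` branch is only correct while every zero return from `change_user_krb5pwd` has already set a Python exception, so that contract deserves a comment here, for example `/* change_user_krb5pwd() sets PwdChangeError before returning 0 */`. The function also has no header comment giving the argument order (user, old password, new password) that the `"sss"` parse expects.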
@@ -252,6 +271,8 @@
 static PyMethodDef KerberosMethods[] = {
     {"checkPassword",  checkPassword, METH_VARARGS,
         "Check the supplied user/password against Kerberos KDC."},
+    {"changePassword",  changePassword, METH_VARARGS,
+        "Change the user password."},
     {"getServerPrincipalDetails",  getServerPrincipalDetails, METH_VARARGS,
         "Return the service principal for a given service and hostname."},
     {"authGSSClientInit",  authGSSClientInit, METH_VARARGS,
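Review bot: The docstring `"Change the user password."` on the new `changePassword` entry does not give the argument order or the failure mode, and the function parses three positional strings, so a caller who swaps the old and new password only finds out from a KDC error. Suggest `"changePassword(user, oldpswd, newpswd): change the user's Kerberos password; raises PwdChangeError on failure."`. The KerberosMethods table continues outside the hunk.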
@@ -297,6 +318,11 @@
     Py_INCREF(BasicAuthException_class);
     PyDict_SetItemString(d, "BasicAuthError", BasicAuthException_class);
 
+    if (!(PwdChangeException_class = PyErr_NewException("kerberos.PwdChangeError", KrbException_class, NULL)))
+        goto error;
+    Py_INCREF(PwdChangeException_class);
+    PyDict_SetItemString(d, "PwdChangeError", PwdChangeException_class);                                                                                                                                               
+
     if (!(GssException_class = PyErr_NewException("kerberos.GSSError", KrbException_class, NULL)))
         goto error;
     Py_INCREF(GssException_class);

Added: PyKerberos/trunk/src/kerberospw.c
===================================================================
--- PyKerberos/trunk/src/kerberospw.c	                        (rev 0)
+++ PyKerberos/trunk/src/kerberospw.c	2008-04-16 20:15:24 UTC (rev 2325)
@@ -0,0 +1,137 @@
+/**
+ * Copyright (c) 2008 Guido Guenther <agx at sigxcpu.org>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+#include <Python.h>
+#include "kerberospw.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#undef PRINTFS
+
+extern PyObject *PwdChangeException_class;
+
+static void set_pwchange_error(krb5_context context, krb5_error_code code)
+{
+    PyErr_SetObject(PwdChangeException_class, Py_BuildValue("(s:i)",
+                    krb5_get_err_text(context, code), code));
+}
+
+/* Inspired by krb5_verify_user from Heimdal */
+static krb5_error_code verify_krb5_user(krb5_context context,
+                                        krb5_principal principal,
+                                        const char *password,
+                    const char *service,
+                    krb5_creds* creds)
+{
+    krb5_get_init_creds_opt gic_options;
+    krb5_error_code code;
+    int ret = 0;
+    
+#ifdef PRINTFS
+    {
+        char *name = NULL;
+        code = krb5_unparse_name(context, principal, &name);
+        if (!code)
+            printf("Trying to get TGT for user %s\n", name);
+        free(name);
+    }
+#endif
+    krb5_get_init_creds_opt_init(&gic_options);
+    krb5_get_init_creds_opt_set_forwardable(&gic_options, 0);
+    krb5_get_init_creds_opt_set_proxiable(&gic_options, 0);
+    krb5_get_init_creds_opt_set_renew_life(&gic_options, 0);
+
+    memset(creds, 0, sizeof(krb5_creds));
+    
+    code = krb5_get_init_creds_password(context, creds, principal,
+                                        (char *)password, NULL, NULL, 0,
+                                        (char *)service, &gic_options);
+    if (code) {
+        set_pwchange_error(context, code);
+        goto end;
+    }
+    ret = 1; /* success */
+end:
+    return ret;
+}
+
+int change_user_krb5pwd(const char *user, const char* oldpswd, const char *newpswd)
+{
+    krb5_context    kcontext = NULL;
+    krb5_error_code code;
+    krb5_principal  client = NULL;
+    krb5_creds    creds;
+    int             ret = 0;
+    char            *name = NULL;
+    const char* service = "kadmin/changepw";
+    int result_code;
+    krb5_data result_code_string, result_string;
+
+    code = krb5_init_context(&kcontext);
+    if (code) {
+        PyErr_SetObject(PwdChangeException_class, Py_BuildValue("((s:i))",
+                                                                "Cannot initialize Kerberos5 context",
+                                                                code));
+        return 0;
+    }
+
+    name = (char *)malloc(256);
+    snprintf(name, 256, "%s", user);
+        
+    code = krb5_parse_name(kcontext, name, &client);
+    if (code) {
+        set_pwchange_error(kcontext, code);
+        goto end;
+    }
+
+    code = verify_krb5_user(kcontext, client, oldpswd, service, &creds);
+    if (!code) /* exception set by verify_krb5_user */
+        goto end;
+
+    code = krb5_change_password(kcontext, &creds, (char*)newpswd,
+                    &result_code, &result_code_string, &result_string);
+    if (code) {
+        set_pwchange_error(kcontext, code);
+        goto end;
+    }
+    if (result_code) {
+        char *message = NULL;
+        asprintf(&message, "%.*s: %.*s",
+                 (int) result_code_string.length,
+                 (char *) result_code_string.data,
+                 (int) result_string.length,
+                 (char *) result_string.data);
+        PyErr_SetObject(PwdChangeException_class, Py_BuildValue("((s:i))",
+                                                                message, result_code));
+        free(message);
+        goto end;
+    }
+
+    ret = 1; /* success */
+end:
+#ifdef PRINTFS
+    printf("%s: ret=%d user=%s\n", __FUNCTION__, ret, name);
+#endif
+    if (name)
+        free(name);
+    if (client)
+        krb5_free_principal(kcontext, client);
+    krb5_free_context(kcontext);
+    return ret;
+}
+
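Review bot: `change_user_krb5pwd` never releases what it obtains from the KDC: `creds` (the initial ticket and session key for `kadmin/changepw`) is never passed to `krb5_free_cred_contents`, and `result_code_string` / `result_string` are not freed after `krb5_change_password`, so a long-running server leaks key material and buffers on every call. The `malloc(256)` copy of `user` is unchecked, and `snprintf` silently truncates a longer name, which would then parse as a different principal than the caller passed; `krb5_parse_name` can take `user` directly. `asprintf` is unchecked (`message` is indeterminate if it fails), and each `PyErr_SetObject(..., Py_BuildValue(...))`, here and in `set_pwchange_error`, leaks the tuple because `PyErr_SetObject` does not take ownership of the value. `verify_krb5_user` is declared to return `krb5_error_code` but returns 1 on success, which is why the caller's `if (!code)` reads inverted; an `int` return with a comment would make that explicit. A sketch of the cleanup follows; `krb5_free_data_contents` is the MIT name, which the `error_message` macro in kerberospw.h suggests is the target, so confirm it for the library in use.

```c
int change_user_krb5pwd(const char *user, const char* oldpswd, const char *newpswd)
{
    /* … unchanged: kcontext, code, client, ret, service, result_code (name is dropped) … */
    krb5_creds      creds;
    int             have_creds = 0;
    krb5_data       result_code_string = { 0 }, result_string = { 0 };

    /* … unchanged: krb5_init_context and its error path … */

    /* Parse the caller's string directly: no fixed-size copy, no truncation. */
    code = krb5_parse_name(kcontext, user, &client);
    /* … unchanged: error check … */

    code = verify_krb5_user(kcontext, client, oldpswd, service, &creds);
    if (!code) /* exception set by verify_krb5_user */
        goto end;
    have_creds = 1;

    /* … unchanged: krb5_change_password call and error check … */
    if (result_code) {
        char *message = NULL;
        PyObject *err;

        if (asprintf(&message, "%.*s: %.*s",
                     (int) result_code_string.length,
                     (char *) result_code_string.data,
                     (int) result_string.length,
                     (char *) result_string.data) < 0)
            message = NULL; /* contents are undefined after a failed asprintf */
        err = Py_BuildValue("((s:i))", message, result_code);
        if (err) {
            PyErr_SetObject(PwdChangeException_class, err);
            Py_DECREF(err); /* PyErr_SetObject took its own reference */
        }
        free(message);
        goto end;
    }

    ret = 1; /* success */
end:
    if (have_creds)
        krb5_free_cred_contents(kcontext, &creds);
    krb5_free_data_contents(kcontext, &result_code_string);
    krb5_free_data_contents(kcontext, &result_string);
    /* … unchanged: principal and context release … */
```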

Added: PyKerberos/trunk/src/kerberospw.h
===================================================================
--- PyKerberos/trunk/src/kerberospw.h	                        (rev 0)
+++ PyKerberos/trunk/src/kerberospw.h	2008-04-16 20:15:24 UTC (rev 2325)
@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) 2008 Guido Guenther <agx at sigxcpu.org>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **/
+
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_generic.h>
+#include <gssapi/gssapi_krb5.h>
+
+#define krb5_get_err_text(context,code) error_message(code)
+
+int change_user_krb5pwd(const char *user, const char* oldpswd, const char *newpswd);
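Review bot: kerberospw.h has no include guard and does not include the headers it depends on. kerberospw.c uses `krb5_context`, `krb5_creds` and `krb5_change_password` with this header as its only Kerberos include, so those declarations arrive only indirectly through the gssapi headers. Wrapping the file in `#ifndef KERBEROSPW_H` / `#define KERBEROSPW_H` … `#endif` and adding `#include <krb5.h>` would make it self-contained. The `krb5_get_err_text` macro expands to `error_message`, which presumably also comes in transitively; it would also shadow a real function of that name if the module is ever built against Heimdal, so a comment stating which Kerberos implementation it is for would help.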
