[CalendarServer-changes] [3947] PyKerberos/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Wed Apr 1 09:59:58 PDT 2009
Revision: 3947
http://trac.macosforge.org/projects/calendarserver/changeset/3947
Author: cdaboo at apple.com
Date: 2009-04-01 09:59:57 -0700 (Wed, 01 Apr 2009)
Log Message:
-----------
Incorporate patch to allow GSS flags to be passed in.
Modified Paths:
--------------
PyKerberos/trunk/pysrc/kerberos.py
PyKerberos/trunk/src/kerberos.c
PyKerberos/trunk/src/kerberosgss.c
PyKerberos/trunk/src/kerberosgss.h
Modified: PyKerberos/trunk/pysrc/kerberos.py
===================================================================
--- PyKerberos/trunk/pysrc/kerberos.py 2009-04-01 16:57:48 UTC (rev 3946)
+++ PyKerberos/trunk/pysrc/kerberos.py 2009-04-01 16:59:57 UTC (rev 3947)
@@ -85,10 +85,21 @@
"""
# Some useful result codes
-AUTH_GSS_CONTINUE=0
-AUTH_GSS_COMPLETE=1
+AUTH_GSS_CONTINUE = 0
+AUTH_GSS_COMPLETE = 1
-def authGSSClientInit(service):
+# Some useful gss flags
+GSS_C_DELEG_FLAG = 1
+GSS_C_MUTUAL_FLAG = 2
+GSS_C_REPLAY_FLAG = 4
+GSS_C_SEQUENCE_FLAG = 8
+GSS_C_CONF_FLAG = 16
+GSS_C_INTEG_FLAG = 32
+GSS_C_ANON_FLAG = 64
+GSS_C_PROT_READY_FLAG = 128
+GSS_C_TRANS_FLAG = 256
+
+def authGSSClientInit(service, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG):
"""
Initializes a context for GSSAPI client-side authentication with the given service principal.
authGSSClientClean must be called after this function returns an OK result to dispose of
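Review bot: The GSS_C_*_FLAG constants are written as literal integers in this stub while the compiled extension exports the same names from gssapi.h at import time, so the two copies can drift apart without anything noticing. A comment on the `# Some useful gss flags` line such as `# Mirrors the gssapi.h GSS_C_*_FLAG bits; the compiled module exports the authoritative values` records that dependency for the next maintainer. The authGSSClientInit docstring opened on the hunk's last lines continues into the next hunk.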
@@ -96,7 +107,10 @@
@param service: a string containing the service principal in the form 'type at fqdn'
(e.g. 'imap at mail.apple.com').
- @return: a tuple of (result, context) where result is the result code (see above) and
+ @param gssflags: optional integer used to set GSS flags.
+ (e.g. GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG will allow
+ for forwarding credentials to the remote host)
+ @return: a tuple of (result, context) where result is the result code (see above) and
context is an opaque value that will need to be passed to subsequent functions.
"""
@@ -106,25 +120,25 @@
object is invalid and should not be used again.
@param context: the context object returned from authGSSClientInit.
- @return: a result code (see above).
+ @return: a result code (see above).
"""
def authGSSClientStep(context, challenge):
"""
Processes a single GSSAPI client-side step using the supplied server data.
- @param context: the context object returned from authGSSClientInit.
+ @param context: the context object returned from authGSSClientInit.
@param challenge: a string containing the base64-encoded server data (which may be empty
for the first step).
- @return: a result code (see above).
+ @return: a result code (see above).
"""
def authGSSClientResponse(context):
"""
Get the client response from the last successful GSSAPI client-side step.
- @param context: the context object returned from authGSSClientInit.
- @return: a string containing the base64-encoded client data to be sent to the server.
+ @param context: the context object returned from authGSSClientInit.
+ @return: a string containing the base64-encoded client data to be sent to the server.
"""
def authGSSClientUserName(context):
@@ -133,7 +147,7 @@
This method must only be called after authGSSClientStep returns a complete response code.
@param context: the context object returned from authGSSClientInit.
- @return: a string containing the user name.
+ @return: a string containing the user name.
"""
def authGSSClientUnwrap(context, challenge):
@@ -161,7 +175,7 @@
@param service: a string containing the service principal in the form 'type at fqdn'
(e.g. 'imap at mail.apple.com').
- @return: a tuple of (result, context) where result is the result code (see above) and
+ @return: a tuple of (result, context) where result is the result code (see above) and
context is an opaque value that will need to be passed to subsequent functions.
"""
@@ -171,24 +185,24 @@
object is invalid and should not be used again.
@param context: the context object returned from authGSSServerInit.
- @return: a result code (see above).
+ @return: a result code (see above).
"""
def authGSSServerStep(context, challenge):
"""
Processes a single GSSAPI server-side step using the supplied client data.
- @param context: the context object returned from authGSSServerInit.
+ @param context: the context object returned from authGSSServerInit.
@param challenge: a string containing the base64-encoded client data.
- @return: a result code (see above).
+ @return: a result code (see above).
"""
def authGSSServerResponse(context):
"""
Get the server response from the last successful GSSAPI server-side step.
- @param context: the context object returned from authGSSServerInit.
- @return: a string containing the base64-encoded server data to be sent to the client.
+ @param context: the context object returned from authGSSServerInit.
+ @return: a string containing the base64-encoded server data to be sent to the client.
"""
def authGSSServerUserName(context):
@@ -196,7 +210,7 @@
Get the user name of the principal trying to authenticate to the server.
This method must only be called after authGSSClientStep returns a complete or continue response code.
- @param context: the context object returned from authGSSServerInit.
- @return: a string containing the user name.
+ @param context: the context object returned from authGSSServerInit.
+ @return: a string containing the user name.
"""
Modified: PyKerberos/trunk/src/kerberos.c
===================================================================
--- PyKerberos/trunk/src/kerberos.c 2009-04-01 16:57:48 UTC (rev 3946)
+++ PyKerberos/trunk/src/kerberos.c 2009-04-01 16:59:57 UTC (rev 3947)
@@ -82,20 +82,22 @@
return NULL;
}
-static PyObject* authGSSClientInit(PyObject* self, PyObject* args)
+static PyObject* authGSSClientInit(PyObject* self, PyObject* args, PyObject* keywds)
{
const char *service;
gss_client_state *state;
PyObject *pystate;
+ static char *kwlist[] = {"service", "gssflags", NULL};
+ long int gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
int result = 0;
- if (!PyArg_ParseTuple(args, "s", &service))
+ if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|l", kwlist, &service, &gss_flags))
return NULL;
state = (gss_client_state *) malloc(sizeof(gss_client_state));
pystate = PyCObject_FromVoidPtr(state, NULL);
- result = authenticate_gss_client_init(service, state);
+ result = authenticate_gss_client_init(service, gss_flags, state);
if (result == AUTH_GSS_ERROR)
return NULL;
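Review bot: `gss_flags` is parsed as a C long (`"s|l"`) but is narrowed to OM_uint32 when handed to gss_init_sec_context in kerberosgss.c, so a negative or over-wide value from Python is silently truncated instead of rejected. A range check right after the parse, `if (gss_flags < 0 || gss_flags > 0xFFFFFFFFL) { PyErr_SetString(PyExc_ValueError, "gssflags out of range"); return NULL; }`, keeps the problem at the Python boundary; the same truncation concern applies to the `long int gss_flags` field added in kerberosgss.h and the `(OM_uint32)` cast in kerberosgss.c, which would both disappear if the field were OM_uint32. Adjacent but pre-existing: the `malloc` on the next line is unchecked and `state` is not freed when authenticate_gss_client_init returns AUTH_GSS_ERROR, so the new parameter path inherits that leak. The function body continues past the hunk.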
@@ -365,7 +367,7 @@
"Change the user password."},
{"getServerPrincipalDetails", getServerPrincipalDetails, METH_VARARGS,
"Return the service principal for a given service and hostname."},
- {"authGSSClientInit", authGSSClientInit, METH_VARARGS,
+ {"authGSSClientInit", (PyCFunction)authGSSClientInit, METH_VARARGS | METH_KEYWORDS,
"Initialize client-side GSSAPI operations."},
{"authGSSClientClean", authGSSClientClean, METH_VARARGS,
"Terminate client-side GSSAPI operations."},
@@ -425,6 +427,16 @@
PyDict_SetItemString(d, "AUTH_GSS_COMPLETE", PyInt_FromLong(AUTH_GSS_COMPLETE));
PyDict_SetItemString(d, "AUTH_GSS_CONTINUE", PyInt_FromLong(AUTH_GSS_CONTINUE));
+ PyDict_SetItemString(d, "GSS_C_DELEG_FLAG", PyInt_FromLong(GSS_C_DELEG_FLAG));
+ PyDict_SetItemString(d, "GSS_C_MUTUAL_FLAG", PyInt_FromLong(GSS_C_MUTUAL_FLAG));
+ PyDict_SetItemString(d, "GSS_C_REPLAY_FLAG", PyInt_FromLong(GSS_C_REPLAY_FLAG));
+ PyDict_SetItemString(d, "GSS_C_SEQUENCE_FLAG", PyInt_FromLong(GSS_C_SEQUENCE_FLAG));
+ PyDict_SetItemString(d, "GSS_C_CONF_FLAG", PyInt_FromLong(GSS_C_CONF_FLAG));
+ PyDict_SetItemString(d, "GSS_C_INTEG_FLAG", PyInt_FromLong(GSS_C_INTEG_FLAG));
+ PyDict_SetItemString(d, "GSS_C_ANON_FLAG", PyInt_FromLong(GSS_C_ANON_FLAG));
+ PyDict_SetItemString(d, "GSS_C_PROT_READY_FLAG", PyInt_FromLong(GSS_C_PROT_READY_FLAG));
+ PyDict_SetItemString(d, "GSS_C_TRANS_FLAG", PyInt_FromLong(GSS_C_TRANS_FLAG));
+
error:
if (PyErr_Occurred())
PyErr_SetString(PyExc_ImportError, "kerberos: init failed");
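Review bot: The nine added PyDict_SetItemString calls follow the two existing lines above them in passing a fresh PyInt_FromLong reference that PyDict_SetItemString does not steal, so each presumably leaks one reference (masked at these values by the small-int cache), and none of the return values is checked until the PyErr_Occurred at the `error:` label. If the module object is still in scope here, `PyModule_AddIntConstant(m, "GSS_C_DELEG_FLAG", GSS_C_DELEG_FLAG)` per constant handles both the reference and the error return in one call. The enclosing init function starts before this hunk.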
Modified: PyKerberos/trunk/src/kerberosgss.c
===================================================================
--- PyKerberos/trunk/src/kerberosgss.c 2009-04-01 16:57:48 UTC (rev 3946)
+++ PyKerberos/trunk/src/kerberosgss.c 2009-04-01 16:59:57 UTC (rev 3947)
@@ -106,7 +106,7 @@
return result;
}
-int authenticate_gss_client_init(const char* service, gss_client_state* state)
+int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state)
{
OM_uint32 maj_stat;
OM_uint32 min_stat;
@@ -115,6 +115,7 @@
state->server_name = GSS_C_NO_NAME;
state->context = GSS_C_NO_CONTEXT;
+ state->gss_flags = gss_flags;
state->username = NULL;
state->response = NULL;
@@ -188,7 +189,7 @@
&state->context,
state->server_name,
GSS_C_NO_OID,
- GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+ (OM_uint32)state->gss_flags,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&input_token,
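Review bot: The requested flags are now caller-controlled, but nothing in this hunk compares what gss_init_sec_context actually granted with what was asked for, and whether the call's ret_flags output is checked against state->gss_flags elsewhere in this function is not visible from here. If it is not, a caller requesting GSS_C_MUTUAL_FLAG or GSS_C_INTEG_FLAG still gets a complete result when the mechanism did not grant those bits; after the context is established, a check of the form `if ((RET_FLAGS_LOCAL & state->gss_flags) != state->gss_flags) { /* treat as failure */ }` (RET_FLAGS_LOCAL being whatever local receives the ret_flags argument) would make the negotiated flags meaningful to the Python caller, restricted to the security-relevant bits if some optional ones may legitimately be refused. The enclosing function starts and ends outside this hunk.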
Modified: PyKerberos/trunk/src/kerberosgss.h
===================================================================
--- PyKerberos/trunk/src/kerberosgss.h 2009-04-01 16:57:48 UTC (rev 3946)
+++ PyKerberos/trunk/src/kerberosgss.h 2009-04-01 16:59:57 UTC (rev 3947)
@@ -31,6 +31,7 @@
typedef struct {
gss_ctx_id_t context;
gss_name_t server_name;
+ long int gss_flags;
char* username;
char* response;
} gss_client_state;
@@ -47,7 +48,7 @@
char* server_principal_details(const char* service, const char* hostname);
-int authenticate_gss_client_init(const char* service, gss_client_state* state);
+int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state);
int authenticate_gss_client_clean(gss_client_state *state);
int authenticate_gss_client_step(gss_client_state *state, const char *challenge);
int authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge);