[CalendarServer-changes] [4242] CalendarServer/trunk

source_changes at macosforge.org source_changes at macosforge.org
Tue May 12 18:05:39 PDT 2009


Revision: 4242
          http://trac.macosforge.org/projects/calendarserver/changeset/4242
Author:   cdaboo at apple.com
Date:     2009-05-12 18:05:39 -0700 (Tue, 12 May 2009)
Log Message:
-----------
Handle the Kerberos service type in a case-insensitive manner. The actual RFC requires "HTTP"
but iCal and Leopard server use "http". So we change our default to "HTTP" but accept the
lower case variant as well.

Modified Paths:
--------------
    CalendarServer/trunk/calendarserver/tap/caldav.py
    CalendarServer/trunk/run
    CalendarServer/trunk/twistedcaldav/authkerb.py
    CalendarServer/trunk/twistedcaldav/test/test_kerberos.py

Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py	2009-05-13 01:01:58 UTC (rev 4241)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py	2009-05-13 01:05:39 UTC (rev 4242)
@@ -517,7 +517,7 @@
                         principal = schemeConfig["ServicePrincipal"]
                         if not principal:
                             credFactory = NegotiateCredentialFactory(
-                                type="http",
+                                type="HTTP",
                                 hostname=config.ServerHostName,
                             )
                         else:

Modified: CalendarServer/trunk/run
===================================================================
--- CalendarServer/trunk/run	2009-05-13 01:01:58 UTC (rev 4241)
+++ CalendarServer/trunk/run	2009-05-13 01:05:39 UTC (rev 4242)
@@ -546,7 +546,7 @@
   if ! py_have_module kerberos; then
     kerberos="${top}/PyKerberos";
 
-    svn_get "PyKerberos" "${kerberos}" "${svn_uri_base}/PyKerberos/trunk" 3108;
+    svn_get "PyKerberos" "${kerberos}" "${svn_uri_base}/PyKerberos/trunk" 4241;
     py_build "PyKerberos" "${kerberos}" false; # FIXME: make optional
     py_install "PyKerberos" "${kerberos}";
 

Modified: CalendarServer/trunk/twistedcaldav/authkerb.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/authkerb.py	2009-05-13 01:01:58 UTC (rev 4241)
+++ CalendarServer/trunk/twistedcaldav/authkerb.py	2009-05-13 01:05:39 UTC (rev 4242)
@@ -58,10 +58,10 @@
     def __init__(self, principal=None, type=None, hostname=None):
         """
         
-        @param principal:  full Kerberos principal (e.g., 'http/server.example.com at EXAMPLE.COM'). If C{None}
+        @param principal:  full Kerberos principal (e.g., 'HTTP/server.example.com at EXAMPLE.COM'). If C{None}
             then the type and hostname arguments are used instead.
         @type service:     str
-        @param type:       service type for Kerberos (e.g., 'http'). Must be C{None} if principal used.
+        @param type:       service type for Kerberos (e.g., 'HTTP'). Must be C{None} if principal used.
         @type type:        str
         @param hostname:   hostname for this server. Must be C{None} if principal used.
         @type hostname:    str
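Review bot: The docstring still carries `@type service:     str` directly under `@param principal:`, but `__init__` has no `service` parameter, so the type line documents a name that does not exist; it should read `@type principal:   str`. The same stale line is repeated in the matching docstrings of the other two credential-factory `__init__` methods touched by this commit. Since the commit already edits these docstrings, correcting the tag here would be cheap. The `__init__` body continues past the end of this hunk.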
@@ -79,6 +79,10 @@
                 self.log_error("getServerPrincipalDetails: %s" % (ex[0],))
                 raise ValueError('Authentication System Failure: %s' % (ex[0],))
 
+        self.service, self.realm = self._splitPrincipal(principal)
+
+    def _splitPrincipal(self, principal):
+
         try:
             splits = principal.split("/")
             servicetype = splits[0]
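Review bot: `_splitPrincipal` has no docstring, and it now has two quite different callers: `__init__` passes the operator-configured principal, while `decode` (later in this file) passes the target name recovered from a client-supplied GSS context, so its contract and failure mode deserve stating. I would add a docstring along the lines of: "Split a `type/host@REALM` principal into `(service, realm)` where service is `type@host`; raises ValueError if the principal is not of that form." Whether the host part is case-normalised happens in lines outside this hunk, so the docstring should describe that only once confirmed against them. The body of `_splitPrincipal` continues beyond the end of this hunk.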
@@ -89,9 +93,11 @@
             self.log_error("Invalid Kerberos principal: %s" % (principal,))
             raise ValueError('Authentication System Failure: Invalid Kerberos principal: %s' % (principal,))
                 
-        self.service = "%s@%s" % (servicetype, service,)
-        self.realm = realm
-
+        service = "%s@%s" % (servicetype, service,)
+        realm = realm
+        
+        return (service, realm,)
+        
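Review bot: `realm = realm` is a no-op assignment and `service` is rebound to a string built from itself, which makes the tail of `_splitPrincipal` read as if it did more work than it does. The three added lines could simply be `return ("%s@%s" % (servicetype, service,), realm,)`, keeping the same return value. Dropping the trailing-whitespace-only lines would also avoid the blank `+` lines this hunk adds. The start of `_splitPrincipal`, including the `except` clause that maps parse failures to ValueError, lies outside this hunk.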
 class BasicKerberosCredentials(credentials.UsernamePassword):
     """
     A set of user/password credentials that checks itself against Kerberos.
@@ -128,10 +134,10 @@
     def __init__(self, principal=None, type=None, hostname=None):
         """
         
-        @param principal:  full Kerberos principal (e.g., 'http/server.example.com at EXAMPLE.COM'). If C{None}
+        @param principal:  full Kerberos principal (e.g., 'HTTP/server.example.com at EXAMPLE.COM'). If C{None}
             then the type and hostname arguments are used instead.
         @type service:     str
-        @param type:       service type for Kerberos (e.g., 'http'). Must be C{None} if principal used.
+        @param type:       service type for Kerberos (e.g., 'HTTP'). Must be C{None} if principal used.
         @type type:        str
         @param hostname:   hostname for this server. Must be C{None} if principal used.
         @type hostname:    str
@@ -199,10 +205,10 @@
     def __init__(self, principal=None, type=None, hostname=None):
         """
         
-        @param principal:  full Kerberos principal (e.g., 'http/server.example.com at EXAMPLE.COM'). If C{None}
+        @param principal:  full Kerberos principal (e.g., 'HTTP/server.example.com at EXAMPLE.COM'). If C{None}
             then the type and hostname arguments are used instead.
         @type service:     str
-        @param type:       service type for Kerberos (e.g., 'http'). Must be C{None} if principal used.
+        @param type:       service type for Kerberos (e.g., 'HTTP'). Must be C{None} if principal used.
         @type type:        str
         @param hostname:   hostname for this server. Must be C{None} if principal used.
         @type hostname:    str
@@ -215,9 +221,10 @@
 
     def decode(self, base64data, request):
         
-        # Init GSSAPI first
+        # Init GSSAPI first - we won't specify the service now as we need to accept a target
+        # name that is case-insenstive as some clients will use "http" instead of "HTTP"
         try:
-            _ignore_result, context = kerberos.authGSSServerInit(self.service);
+            _ignore_result, context = kerberos.authGSSServerInit("");
         except kerberos.GSSError, ex:
             self.log_error("authGSSServerInit: %s(%s)" % (ex[0][0], ex[1][0],))
             raise error.LoginFailed('Authentication System Failure: %s(%s)' % (ex[0][0], ex[1][0],))
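Review bot: Calling `kerberos.authGSSServerInit("")` is the security-relevant change here and the comment undersells it: an empty service name means the acceptor is no longer bound to `self.service`, so a client can present a ticket for any service principal present in the server's keytab and `authGSSServerStep` will succeed; correctness of the whole scheme now rests on the explicit target-name comparison that `decode` performs afterwards. I would make that dependency explicit (and fix the typo) with a comment such as: `# Empty service name: accept a ticket for any principal in our keytab so that "http" and "HTTP" clients both work. Nothing after authGSSServerStep may treat the client as authenticated until the target name has been checked against self.service below.` Documenting it guards against a later refactor that reorders or drops the check. The rest of `decode` continues past this hunk.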
@@ -234,6 +241,18 @@
             kerberos.authGSSServerClean(context)
             raise error.UnauthorizedLogin('Bad credentials: %s' % (ex[0],))
 
+        targetname = kerberos.authGSSServerTargetName(context)
+        try:
+            service, _ignore_realm = self._splitPrincipal(targetname)
+        except ValueError:
+            self.log_error("authGSSServerTargetName invalid target name: '%s'" % (targetname,))
+            kerberos.authGSSServerClean(context)
+            raise error.UnauthorizedLogin('Bad credentials: bad target name %s' % (targetname,))
+        if service.lower() != self.service.lower():
+            self.log_error("authGSSServerTargetName mismatch got: '%s' wanted: '%s'" % (service, self.service))
+            kerberos.authGSSServerClean(context)
+            raise error.UnauthorizedLogin('Bad credentials: wrong target name %s' % (targetname,))
+
         response = kerberos.authGSSServerResponse(context)
         principal = kerberos.authGSSServerUserName(context)
         username = principal
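Review bot: `kerberos.authGSSServerTargetName(context)` is called outside any `try`, unlike every other `kerberos.*` call in `decode`, which is wrapped to log, clean the context and raise `error.LoginFailed`; if it can raise `kerberos.GSSError` (as the neighbouring calls do), the context leaks and a raw GSSError escapes to the caller instead of a LoginFailed. The same applies if `_splitPrincipal` raises anything other than ValueError for an unexpected target name (for example a `None`), which this hunk does not catch; whether that is possible depends on the `except` clause in `_splitPrincipal`, which is not visible here. The case-insensitive comparison against `self.service` is the right mitigation for the unbound acceptor; logging `targetname` on mismatch is also useful for spotting tickets issued for other keytab entries. `decode` continues beyond this hunk.

```python
        try:
            targetname = kerberos.authGSSServerTargetName(context)
        except kerberos.GSSError, ex:
            self.log_error("authGSSServerTargetName: %s(%s)" % (ex[0][0], ex[1][0],))
            kerberos.authGSSServerClean(context)
            raise error.LoginFailed('Authentication System Failure: %s(%s)' % (ex[0][0], ex[1][0],))
        # … unchanged: _splitPrincipal call and target-name comparison …
```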

Modified: CalendarServer/trunk/twistedcaldav/test/test_kerberos.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/test/test_kerberos.py	2009-05-13 01:01:58 UTC (rev 4241)
+++ CalendarServer/trunk/twistedcaldav/test/test_kerberos.py	2009-05-13 01:05:39 UTC (rev 4242)
@@ -30,11 +30,11 @@
 class KerberosTests(twistedcaldav.test.util.TestCase):
 
     def test_BasicKerberosCredentials(self):
-        authkerb.BasicKerberosCredentials("test", "test", "http/example.com at EXAMPLE.COM", "EXAMPLE.COM")
+        authkerb.BasicKerberosCredentials("test", "test", "HTTP/example.com at EXAMPLE.COM", "EXAMPLE.COM")
 
     @inlineCallbacks
     def test_BasicKerberosCredentialFactory(self):
-        factory = authkerb.BasicKerberosCredentialFactory(principal="http/server.example.com at EXAMPLE.COM")
+        factory = authkerb.BasicKerberosCredentialFactory(principal="HTTP/server.example.com at EXAMPLE.COM")
 
         challenge = (yield factory.getChallenge("peer"))
         expected_challenge = {'realm': "EXAMPLE.COM"}
@@ -45,7 +45,7 @@
         self.assertRaises(
             ValueError,
             authkerb.BasicKerberosCredentialFactory,
-            principal="http/server.example.com/EXAMPLE.COM"
+            principal="HTTP/server.example.com/EXAMPLE.COM"
         )
 
     def test_NegotiateCredentials(self):
@@ -53,7 +53,7 @@
 
     @inlineCallbacks
     def test_NegotiateCredentialFactory(self):
-        factory = authkerb.NegotiateCredentialFactory(principal="http/server.example.com at EXAMPLE.COM")
+        factory = authkerb.NegotiateCredentialFactory(principal="HTTP/server.example.com at EXAMPLE.COM")
 
         challenge = (yield factory.getChallenge("peer"))
         expected_challenge = {}
@@ -71,13 +71,13 @@
             self.fail(msg="NegotiateCredentialFactory decode did not fail")
 
     def test_NegotiateCredentialFactoryDifferentRealm(self):
-        factory = authkerb.NegotiateCredentialFactory(principal="http/server.example.com at EXAMPLE.COM")
+        factory = authkerb.NegotiateCredentialFactory(principal="HTTP/server.example.com at EXAMPLE.COM")
         self.assertEquals(factory.realm, "EXAMPLE.COM")
-        self.assertEquals(factory.service, "http at SERVER.EXAMPLE.COM")
+        self.assertEquals(factory.service, "HTTP at SERVER.EXAMPLE.COM")
 
     def test_NegotiateCredentialFactoryInvalidPrincipal(self):
         self.assertRaises(
             ValueError,
             authkerb.NegotiateCredentialFactory,
-            principal="http/server.example.com/EXAMPLE.COM"
+            principal="HTTP/server.example.com/EXAMPLE.COM"
         )
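Review bot: The test changes only re-case existing principals; nothing exercises the new behaviour the commit is for, namely that a lower-case `http/...` target name is accepted against an `HTTP/...` factory and that an unrelated service is rejected. Without a KDC the `decode` path cannot be driven end to end, but the comparison it relies on can be pinned directly, e.g. `self.assertEquals(factory._splitPrincipal("http/server.example.com@EXAMPLE.COM")[0].lower(), factory.service.lower())` and a negative case such as `self.assertNotEquals(factory._splitPrincipal("host/server.example.com@EXAMPLE.COM")[0].lower(), factory.service.lower())` inside `test_NegotiateCredentialFactoryDifferentRealm`. That also documents that hostname and realm handling in `_splitPrincipal` is what the acceptor-side check depends on.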