[CalendarServer-changes] [14615] PyKerberos/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Thu Mar 26 13:32:14 PDT 2015
Revision: 14615
http://trac.calendarserver.org//changeset/14615
Author: wsanchez at apple.com
Date: 2015-03-26 13:32:14 -0700 (Thu, 26 Mar 2015)
Log Message:
-----------
lint
Modified Paths:
--------------
PyKerberos/trunk/pysrc/kerberos.py
PyKerberos/trunk/setup.py
Modified: PyKerberos/trunk/pysrc/kerberos.py
===================================================================
--- PyKerberos/trunk/pysrc/kerberos.py 2015-03-26 18:39:13 UTC (rev 14614)
+++ PyKerberos/trunk/pysrc/kerberos.py 2015-03-26 20:32:14 UTC (rev 14615)
@@ -18,70 +18,104 @@
PyKerberos Function Description.
"""
+
+
class KrbError(Exception):
pass
+
+
class BasicAuthError(KrbError):
pass
+
+
class GSSError(KrbError):
pass
+
+
def checkPassword(user, pswd, service, default_realm):
"""
- This function provides a simple way to verify that a user name and password match
- those normally used for Kerberos authentication. It does this by checking that the
- supplied user name and password can be used to get a ticket for the supplied service.
- If the user name does not contain a realm, then the default realm supplied is used.
-
- NB For this to work properly the Kerberos must be configured properly on this machine.
- That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct
- realms and KDCs listed.
-
- IMPORTANT This method is vulnerable to KDC spoofing attacks and it should only used
- for testing. Do not use this in any production system - your security could be
- compromised if you do.
-
- @param user: a string containing the Kerberos user name. A realm may be
- included by appending an '@' followed by the realm string to the actual user id.
- If no realm is supplied, then the realm set in the default_realm argument will
- be used.
- @param pswd: a string containing the password for the user.
- @param service: a string containing the Kerberos service to check access for.
- This will be of the form 'sss/xx.yy.zz', where 'sss' is the service identifier
- (e.g., 'http', 'krbtgt'), and 'xx.yy.zz' is the hostname of the server.
- @param default_realm: a string containing the default realm to use if one is not
- supplied in the user argument. Note that Kerberos realms are normally all
- uppercase (e.g., 'EXAMPLE.COM').
- @return: True if authentication succeeds, False otherwise.
+ This function provides a simple way to verify that a user name and password
+ match those normally used for Kerberos authentication.
+ It does this by checking that the supplied user name and password can be
+ used to get a ticket for the supplied service.
+ If the user name does not contain a realm, then the default realm supplied
+ is used.
+
+ For this to work properly the Kerberos must be configured properly on this
+ machine.
+ That will likely mean ensuring that the edu.mit.Kerberos preference file
+ has the correct realms and KDCs listed.
+
+ IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should
+ only used for testing. Do not use this in any production system - your
+ security could be compromised if you do.
+
+ @param user: A string containing the Kerberos user name.
+ A realm may be included by appending an C{"@"} followed by the realm
+ string to the actual user id.
+ If no realm is supplied, then the realm set in the default_realm
+ argument will be used.
+
+ @param pswd: A string containing the password for the user.
+
+ @param service: A string containing the Kerberos service to check access
+ for.
+ This will be of the form C{"sss/xx.yy.zz"}, where C{"sss"} is the
+ service identifier (e.g., C{"http"}, C{"krbtgt"}), and C{"xx.yy.zz"} is
+ the hostname of the server.
+
+ @param default_realm: A string containing the default realm to use if one
+ is not supplied in the user argument.
+ Note that Kerberos realms are normally all uppercase (e.g.,
+ C{"EXAMPLE.COM"}).
+
+ @return: True if authentication succeeds, false otherwise.
"""
+
+
def changePassword(user, oldpswd, newpswd):
"""
This function allows to change the user password on the KDC.
- @param user: a string containing the Kerberos user name. A realm may be
- included by appending an '@' followed by the realm string to the actual user id.
- If no realm is supplied, then the realm set in the default_realm argument will
- be used.
- @param oldpswd: a string containing the old (current) password for the user.
- @param newpswd: a string containing the new password for the user.
- @return: True if password changing succeeds, False otherwise.
+ @param user: A string containing the Kerberos user name.
+ A realm may be included by appending a C{"@"} followed by the realm
+ string to the actual user id.
+ If no realm is supplied, then the realm set in the default_realm
+ argument will be used.
+
+ @param oldpswd: A string containing the old (current) password for the
+ user.
+
+ @param newpswd: A string containing the new password for the user.
+
+ @return: True if password changing succeeds, false otherwise.
"""
+
+
def getServerPrincipalDetails(service, hostname):
"""
- This function returns the service principal for the server given a service type
- and hostname. Details are looked up via the /etc/keytab file.
-
- @param service: a string containing the Kerberos service type for the server.
- @param hostname: a string containing the hostname of the server.
- @return: a string containing the service principal.
+ This function returns the service principal for the server given a service
+ type and hostname.
+ Details are looked up via the C{/etc/keytab} file.
+
+ @param service: A string containing the Kerberos service type for the
+ server.
+
+ @param hostname: A string containing the hostname of the server.
+
+ @return: A string containing the service principal.
"""
+
+
"""
GSSAPI Function Result Codes:
-
+
-1 : Error
0 : GSSAPI step continuation (only returned by 'Step' function)
1 : GSSAPI step complete, or function return OK
@@ -89,178 +123,252 @@
"""
# Some useful result codes
-AUTH_GSS_CONTINUE = 0
-AUTH_GSS_COMPLETE = 1
-
-# Some useful gss flags
-GSS_C_DELEG_FLAG = 1
-GSS_C_MUTUAL_FLAG = 2
-GSS_C_REPLAY_FLAG = 4
-GSS_C_SEQUENCE_FLAG = 8
-GSS_C_CONF_FLAG = 16
-GSS_C_INTEG_FLAG = 32
-GSS_C_ANON_FLAG = 64
-GSS_C_PROT_READY_FLAG = 128
-GSS_C_TRANS_FLAG = 256
-
+AUTH_GSS_CONTINUE = 0
+AUTH_GSS_COMPLETE = 1
+
+# Some useful gss flags
+GSS_C_DELEG_FLAG = 1
+GSS_C_MUTUAL_FLAG = 2
+GSS_C_REPLAY_FLAG = 4
+GSS_C_SEQUENCE_FLAG = 8
+GSS_C_CONF_FLAG = 16
+GSS_C_INTEG_FLAG = 32
+GSS_C_ANON_FLAG = 64
+GSS_C_PROT_READY_FLAG = 128
+GSS_C_TRANS_FLAG = 256
+
+
+
def authGSSClientInit(service, **kwargs):
"""
- Initializes a context for GSSAPI client-side authentication with the given service principal.
- authGSSClientClean must be called after this function returns an OK result to dispose of
- the context once all GSSAPI operations are complete.
+ Initializes a context for GSSAPI client-side authentication with the given
+ service principal.
+ L{authGSSClientClean} must be called after this function returns an OK
+ result to dispose of the context once all GSSAPI operations are complete.
- @param service: a string containing the service principal in the form 'type at fqdn'
- (e.g. 'imap at mail.apple.com').
- @param principal: optional string containing the client principal in the form 'user at realm'
- (e.g. 'jdoe at example.com').
- @param gssflags: optional integer used to set GSS flags.
- (e.g. GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG will allow
- for forwarding credentials to the remote host)
- @param delegated: optional server context containing delegated credentials
- @return: a tuple of (result, context) where result is the result code (see above) and
- context is an opaque value that will need to be passed to subsequent functions.
+ @param service: A string containing the service principal in the form
+ C{"type at fqdn"}.
+
+ @param principal: Optional string containing the client principal in the
+ form C{"user at realm"}.
+
+ @param gssflags: Optional integer used to set GSS flags.
+ (e.g. C{GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG} will
+ allow for forwarding credentials to the remote host)
+
+ @param delegated: Optional server context containing delegated credentials
+
+ @return: A tuple of (result, context) where result is the result code (see
+ above) and context is an opaque value that will need to be passed to
+ subsequent functions.
"""
+
+
def authGSSClientClean(context):
"""
- Destroys the context for GSSAPI client-side authentication. After this call the context
- object is invalid and should not be used again.
+ Destroys the context for GSSAPI client-side authentication. After this call
+ the context object is invalid and should not be used again.
- @param context: the context object returned from authGSSClientInit.
- @return: a result code (see above).
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A result code (see above).
"""
+
+
def authGSSClientStep(context, challenge):
"""
Processes a single GSSAPI client-side step using the supplied server data.
- @param context: the context object returned from authGSSClientInit.
- @param challenge: a string containing the base64-encoded server data (which may be empty
- for the first step).
- @return: a result code (see above).
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @param challenge: A string containing the base64-encoded server data (which
+ may be empty for the first step).
+
+ @return: A result code (see above).
"""
+
+
def authGSSClientResponse(context):
"""
Get the client response from the last successful GSSAPI client-side step.
- @param context: the context object returned from authGSSClientInit.
- @return: a string containing the base64-encoded client data to be sent to the server.
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A string containing the base64-encoded client data to be sent to
+ the server.
"""
+
+
def authGSSClientResponseConf(context):
"""
- Returns 1 if confidentiality was enabled in the previously unwrapped buffer. 0 otherwise.
+ Determine whether confidentiality was enabled in the previously unwrapped
+ buffer.
- @param context: the context object returned from authGSSClientInit.
- @return: an integer representing the confidentiality of the previously unwrapped buffer.
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: C{1} if confidentiality was enabled in the previously unwrapped
+ buffer, C{0} otherwise.
"""
+
+
def authGSSClientUserName(context):
"""
- Get the user name of the principal authenticated via the now complete GSSAPI client-side operations.
- This method must only be called after authGSSClientStep returns a complete response code.
+ Get the user name of the principal authenticated via the now complete
+ GSSAPI client-side operations.
+ This method must only be called after authGSSClientStep returns a complete
+ response code.
- @param context: the context object returned from authGSSClientInit.
- @return: a string containing the user name.
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A string containing the user name.
"""
-def authGSSClientUnwrap(context, challenge):
- """
- Perform the client side GSSAPI unwrap step
-
- @param challenge: a string containing the base64-encoded server data.
- @return: a result code (see above)
- """
-def authGSSClientWrap(context, data, user=None, protect=0):
- """
- Perform the client side GSSAPI wrap step.
-
- @param data:the result of the authGSSClientResponse after the authGSSClientUnwrap
- @param user: the user to authorize
- @param protect: if 0 then just provide integrity protection, if 1, then provide confidentiality as well.
- @return: a result code (see above)
- """
+def authGSSClientUnwrap(context, challenge):
+ """
+ Perform the client side GSSAPI unwrap step.
+
+ @param challenge: A string containing the base64-encoded server data.
+
+ @return: A result code (see above)
+ """
+
+
+
+def authGSSClientWrap(context, data, user=None, protect=0):
+ """
+ Perform the client side GSSAPI wrap step.
+
+ @param data: The result of the L{authGSSClientResponse} after the
+ L{authGSSClientUnwrap}.
+
+ @param user: The user to authorize.
+
+ @param protect: If C{0}, then just provide integrity protection.
+ If C{1}, then provide confidentiality as well.
+
+ @return: A result code (see above)
+ """
+
+
+
def authGSSServerInit(service):
"""
- Initializes a context for GSSAPI server-side authentication with the given service principal.
- authGSSServerClean must be called after this function returns an OK result to dispose of
- the context once all GSSAPI operations are complete.
+ Initializes a context for GSSAPI server-side authentication with the given
+ service principal.
+ authGSSServerClean must be called after this function returns an OK result
+ to dispose of the context once all GSSAPI operations are complete.
- @param service: a string containing the service principal in the form 'type at fqdn'
- (e.g. 'imap at mail.apple.com').
- @return: a tuple of (result, context) where result is the result code (see above) and
- context is an opaque value that will need to be passed to subsequent functions.
+ @param service: A string containing the service principal in the form
+ C{"type at fqdn"}.
+
+ @return: A tuple of (result, context) where result is the result code (see
+ above) and context is an opaque value that will need to be passed to
+ subsequent functions.
"""
+
+
def authGSSServerClean(context):
"""
- Destroys the context for GSSAPI server-side authentication. After this call the context
- object is invalid and should not be used again.
+ Destroys the context for GSSAPI server-side authentication.
+ After this call the context object is invalid and should not be used again.
- @param context: the context object returned from authGSSServerInit.
- @return: a result code (see above).
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A result code (see above).
"""
+
+
def authGSSServerStep(context, challenge):
"""
Processes a single GSSAPI server-side step using the supplied client data.
- @param context: the context object returned from authGSSServerInit.
- @param challenge: a string containing the base64-encoded client data.
- @return: a result code (see above).
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @param challenge: A string containing the base64-encoded client data.
+
+ @return: A result code (see above).
"""
+
+
def authGSSServerResponse(context):
"""
Get the server response from the last successful GSSAPI server-side step.
- @param context: the context object returned from authGSSServerInit.
- @return: a string containing the base64-encoded server data to be sent to the client.
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A string containing the base64-encoded server data to be sent to
+ the client.
"""
+
+
def authGSSServerHasDelegated(context):
"""
Checks whether a server context has delegated credentials.
- @param context: the context object returned from authGSSServerInit.
- @return: a bool saying whether delegated credentials are available.
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A bool saying whether delegated credentials are available.
"""
+
+
def authGSSServerUserName(context):
"""
Get the user name of the principal trying to authenticate to the server.
- This method must only be called after authGSSServerStep returns a complete or continue response code.
+ This method must only be called after L{authGSSServerStep} returns a
+ complete or continue response code.
- @param context: the context object returned from authGSSServerInit.
- @return: a string containing the user name.
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A string containing the user name.
"""
+
+
def authGSSServerTargetName(context):
"""
Get the target name if the server did not supply its own credentials.
- This method must only be called after authGSSServerStep returns a complete or continue response code.
+ This method must only be called after L{authGSSServerStep} returns a
+ complete or continue response code.
- @param context: the context object returned from authGSSServerInit.
- @return: a string containing the target name.
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A string containing the target name.
"""
+
+
def authGSSServerStoreDelegate(context):
"""
- Save the ticket sent to the server in the file /tmp/krb5_pyserv_XXXXXX
- his method must only be called after authGSSServerStep returns a complete or continue response code.
+ Save the ticket sent to the server in the file C{/tmp/krb5_pyserv_XXXXXX}.
+ This method must only be called after L{authGSSServerStep} returns a
+ complete or continue response code.
- @param context: the context object returned from authGSSServerInit.
- @return: a result code (see above).
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A result code (see above).
"""
+
+
def authGSSServerCacheName(context):
"""
- Get the name of the credential cache created with authGSSServerStoreDelegate.
- This method must only be called after authGSSServerStoreDelegate.
+ Get the name of the credential cache created with
+ L{authGSSServerStoreDelegate}.
+ This method must only be called after L{authGSSServerStoreDelegate}.
- @param context: the context object returned from authGSSServerInit.
- @return: a string containing the cache name.
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A string containing the cache name.
"""
Modified: PyKerberos/trunk/setup.py
===================================================================
--- PyKerberos/trunk/setup.py 2015-03-26 18:39:13 UTC (rev 14614)
+++ PyKerberos/trunk/setup.py 2015-03-26 20:32:14 UTC (rev 14615)
@@ -15,43 +15,48 @@
##
from distutils.core import setup, Extension
-import sys
-import commands
+from commands import getoutput
+
long_description = """
This Python package is a high-level wrapper for Kerberos (GSSAPI) operations.
-The goal is to avoid having to build a module that wraps the entire Kerberos.framework,
-and instead offer a limited set of functions that do what is needed for client/server
-Kerberos authentication based on <http://www.ietf.org/rfc/rfc4559.txt>.
-
+The goal is to avoid having to build a module that wraps the entire
+Kerberos.framework, and instead offer a limited set of functions that do what
+is needed for client/server Kerberos authentication based on
+<http://www.ietf.org/rfc/rfc4559.txt>.
"""
-setup (
- name = "kerberos",
- version = "1.2.0",
- description = "Kerberos high-level interface",
+extra_link_args = getoutput("krb5-config --libs gssapi").split()
+extra_compile_args = getoutput("krb5-config --cflags gssapi").split()
+
+
+setup(
+ name="kerberos",
+ version="1.2.0",
+ description="Kerberos high-level interface",
long_description=long_description,
- classifiers = [
+ classifiers=[
"License :: OSI Approved :: Apache Software License",
"Programming Language :: Python :: 2",
+ "Programming Language :: Python :: 3",
"Topic :: Software Development :: Libraries :: Python Modules",
"Topic :: System :: Systems Administration :: Authentication/Directory"
- ],
- ext_modules = [
+ ],
+ ext_modules=[
Extension(
"kerberos",
- extra_link_args = commands.getoutput("krb5-config --libs gssapi").split(),
- extra_compile_args = commands.getoutput("krb5-config --cflags gssapi").split(),
- sources = [
+ extra_link_args=extra_link_args,
+ extra_compile_args=extra_compile_args,
+ sources=[
"src/base64.c"
- "src/base64.h",
+ "src/base64.h",
"src/kerberos.c",
"src/kerberosbasic.c",
- "src/kerberosbasic.h",
+ "src/kerberosbasic.h",
"src/kerberosgss.c",
- "src/kerberosgss.h",
+ "src/kerberosgss.h",
"src/kerberospw.c",
- "src/kerberospw.h",
+ "src/kerberospw.h",
],
),
],
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20150326/7c1cf7b9/attachment-0001.html>
More information about the calendarserver-changes
mailing list