[Freeipa-devel] [PATCH] 800 rpc-client: add forms based auth support

Petr Vobornik pvoborni at redhat.com
Thu Feb 19 14:51:47 UTC 2015


This patch is a prerequisite for patch 801, which will follow. It was
developed to enable use of the ipalib RPC client in Web UI tests. It
will also make it possible to significantly speed up the Web UI test
suite (if preparation of data is transformed to use this method).

Partly related: https://fedorahosted.org/freeipa/ticket/4772 and
https://fedorahosted.org/freeipa/ticket/4307


Leverage session support to enable forms-based authentication in the rpc
client.

In order to do that, session support in KerbTransport was moved to a new
SessionTransport. RPCClient.create_connection is then modified to
force forms-based auth if the new optional options, user and password,
are specified. For this case SessionTransport is used and the user is
authenticated by calling
'https://ipa.server/ipa/session/login_password'. The session cookie is
stored and used in subsequent calls.

This feature is usable for use cases where one wants to call the API
without being on an ipa client. Not being on an ipa client also means
that IPA's NSS database and configuration are not available. Therefore
one has to define "~/.ipa/default.conf" in a similar way as the ipa
client does and prepare an NSS database with the IPA CA cert.

Usage:

     api.Backend.rpcclient.connect(
         nss_dir=my_nss_dir_path,
         user=user,
         password=password
     )

It's possible to switch users with:

     api.Backend.rpcclient.disconnect()

     api.Backend.rpcclient.connect(
         nss_dir=my_nss_dir_path,
         user=other_user,
         password=other_password
     )

Or check connection with:

     api.Backend.rpcclient.isconnected()

Example: download a CA cert and add it to a new temporary NSS database:

     from urllib2 import urlparse
     from ipaplatform.paths import paths
     from ipapython import certdb, ipautil
     from ipapython.ipautil import run
     from ipalib import x509

     # create new NSSDatabase
     tmp_db = certdb.NSSDatabase()
     pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
     tmp_db.create_db(pwd_file.name)

     # download and add cert
     url = urlparse.urlunparse(('http', ipautil.format_netloc(ipa_server),
                                '/ipa/config/ca.crt', '', '', ''))
     stdout, stderr, rc = run([paths.BIN_WGET, "-O", "-", url])
     certs = x509.load_certificate_list(stdout, tmp_db.secdir)
     ca_certs = [cert.der_data for cert in certs]
     for i, cert in enumerate(ca_certs):
         tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')

     my_nss_dir_path = tmp_db.secdir
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0800-rpc-client-add-forms-based-auth-support.patch
Type: text/x-patch
Size: 20170 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150219/85f97f56/attachment.bin>
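
Added example, not part of the original message or of the FreeIPA patch: the snippet in the message downloads ca.crt over plain HTTP and then uses it as the trust anchor for the password login, so this Python 3, standard-library code checks every downloaded certificate against a SHA-256 fingerprint obtained out of band before anything is added to the NSS database. The function names, the exception class and the sample data are assumptions of this example; the returned DER blobs correspond to what the message passes to tmp_db.add_cert.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block in a bundle such as /ipa/config/ca.crt.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
              % base64.b64encode(SAMPLE_DER).decode())


class UntrustedCACert(Exception):
    """Raised when a downloaded certificate matches no pinned fingerprint."""


def normalize_fingerprint(text):
    """Accept 'AB:CD:...' or 'abcd...' and return 64 lowercase hex digits."""
    fp = text.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return fp


def pem_bundle_to_der(pem_text):
    """Split a PEM bundle into a list of DER blobs, one per certificate."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in _PEM_CERT.findall(pem_text)]
    if not ders:
        raise UntrustedCACert("no certificate found in download")
    return ders


def verify_ca_bundle(pem_text, pinned_fingerprints):
    """Return the DER certs only if every one matches a pinned SHA-256 value.

    pinned_fingerprints must come from a trusted channel (for example, read
    on the IPA server itself), never from the same HTTP download.
    """
    pins = {normalize_fingerprint(p) for p in pinned_fingerprints}
    ders = pem_bundle_to_der(pem_text)
    for der in ders:
        seen = hashlib.sha256(der).hexdigest()
        if seen not in pins:
            raise UntrustedCACert("unpinned certificate, sha256=%s" % seen)
    return ders
```

The whole bundle is rejected if any single certificate in it is unpinned, so a certificate appended in transit cannot ride along with the genuine one.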

