[Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Michael Šimáček
msimacek at redhat.com
Sun Jul 26 19:51:59 UTC 2015
Comments inline.
On 2015-07-23 21:29, Robbie Harwood wrote:
> Some comments from Solly and me inline:
>
> Michael Šimáček <msimacek at redhat.com> writes:
>
>> On 2015-07-22 15:47, Simo Sorce wrote:
>>> Comments inline.
>>>
>>> ----- Original Message -----
>>>> From: "Michael Simacek" <msimacek at redhat.com>
>>>> To: freeipa-devel at redhat.com
>>>> Sent: Tuesday, July 21, 2015 8:02:26 AM
>>>> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
>>>>
>>>> diff --git a/ipalib/util.py b/ipalib/util.py
>>>> index 649a487..aea3ba9 100644
>>>> --- a/ipalib/util.py
>>>> +++ b/ipalib/util.py
>>>> @@ -63,15 +63,15 @@ def json_serialize(obj):
>>>>
>>>> def get_current_principal():
>>>> try:
>>>> - import kerberos
>>>> - rc, vc = kerberos.authGSSClientInit("notempty")
>>>> - rc = kerberos.authGSSClientInquireCred(vc)
>>>> - username = kerberos.authGSSClientUserName(vc)
>>>> - kerberos.authGSSClientClean(vc)
>>>> + import gssapi
>>>> + cred = gssapi.raw.acquire_cred(usage='initiate').creds
>>>> + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False,
>>>> + mechs=False).name
>>>> + username = gssapi.raw.display_name(name, name_type=False).name
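Review bot: the `try:` that used to guard `import kerberos` and calls reporting failure through an `rc` return value now wraps `gssapi.raw.acquire_cred` / `gssapi.raw.inquire_cred`, which signal a missing or expired credential cache by raising `gssapi.exceptions.GSSError`; the matching `except` clause is outside this hunk, so confirm it catches the gssapi exception class rather than `kerberos.GSSError`, otherwise the no-credentials case becomes an unhandled exception instead of the previous fallback. The raw calls with `lifetime=False, usage=False, mechs=False` and `display_name(name, name_type=False).name` are also more than the high-level API needs here: `gssapi.Credentials(usage='initiate')` followed by `str(creds.name)` yields the same display name and is consistent with the high-level `gssapi.Name`/`gssapi.SecurityContext` used elsewhere in the patch.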
>>>
>>> Same as above.
>>> Create a credential and inquire it with the high level api
>>
>> Done, but I still use raw.display_name as I don't see how to get it from
>> high-level API (besides parsing repr).
>
> I believe one can call `str()`. See
> http://pythonhosted.org/gssapi/gssapi.html#gssapi.names.Name
>
You're of course right. I'm sorry I missed such an obvious thing.
>> @@ -548,14 +552,12 @@ class KerbTransport(SSLTransport):
>> service = "HTTP@" + host.split(':')[0]
>>
>> try:
>> - (rc, vc) = kerberos.authGSSClientInit(service=service,
>> - gssflags=self.flags)
>> - except kerberos.GSSError, e:
>> - self._handle_exception(e)
>> -
>> - try:
>> - kerberos.authGSSClientStep(vc, "")
>> - except kerberos.GSSError, e:
>> + name = gssapi.Name(service, gssapi.NameType.hostbased_service)
>> + sec_context = gssapi.SecurityContext(name=name, flags=self.flags)
>> + # gssapi defers errors to next step, we want them now
>> + sec_context.__DEFER_STEP_ERRORS__ = False
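Review bot: assigning `__DEFER_STEP_ERRORS__` on the instance overrides a double-underscore, class-level attribute of `gssapi.SecurityContext` that is not part of its public interface and may change between python-gssapi releases; if the only goal is to see the init error immediately, it is safer to perform the first step right here and catch `gssapi.exceptions.GSSError` around it. Note that both removed `except kerberos.GSSError, e:` / `self._handle_exception(e)` blocks have no visible replacement in this hunk, so make sure the surviving `try:` still routes the gssapi exception through `self._handle_exception`. Also check that `self.flags`, previously passed as python-kerberos `gssflags`, is now expressed as `gssapi.RequirementFlag` values (or an int the high-level constructor accepts), since the flag constants come from a different module after the port.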
>
> As a class-level flag, this should probably be used as such. Preferable
> to using it would be to check complete, though - is there a reason not
> to do that here?
>
> Otherwise, looks good!
>
It would probably be nicer to do the full cycle, but I'd like to avoid
changes in behavior when porting from one library to another. And the
code above doesn't actually hold any connection, so it would require
more refactoring to make that happen. For now I would follow what the
original code was doing. As for the exceptions, I think it would
actually be justifiable to use the raw api's init_sec_context, because
the high level api would just do the same call + the exception handling
magic, which we want to avoid for now. Please let me know what you think.
Attaching updated patch that uses 'unicode' instead of raw.display_name
and reverts back to using init_sec_context.
Thank you.
--
Michael Simacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-msimacek-0001-4-Port-from-python-kerberos-to-python-gssapi.patch
Type: text/x-patch
Size: 7525 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150726/adf7e135/attachment.bin>