[Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi

Michael Šimáček msimacek at redhat.com
Thu Jul 23 10:07:27 UTC 2015 

On 2015-07-22 15:47, Simo Sorce wrote:
> Comments inline.
>
> ----- Original Message -----
>> From: "Michael Simacek" <msimacek at redhat.com>
>> To: freeipa-devel at redhat.com
>> Sent: Tuesday, July 21, 2015 8:02:26 AM
>> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to	python-gssapi
>>
>> Hi,
>>
>> This is a first part of my effort to port FreeIPA from Python3-incompatible
>> Kerberos libraries to python-gssapi. This patch should replace
>> python-kerberos
>> with python-gssapi (both use C GSSAPI behind the scenes).
>>
>> --
>> Michael Simacek
>>
>>
>> >From bca55a6bd9cdb9cdea9d81b55cfdbc2c1279f031 Mon Sep 17 00:00:00 2001
>> From: Michael Simacek <msimacek at redhat.com>
>> Date: Thu, 16 Jul 2015 18:22:00 +0200
>> Subject: [PATCH] Port from python-kerberos library to python-gssapi
>>
>> kerberos library doesn't support Python 3 and probably never will.
>> python-gssapi library is Python 3 compatible.
>> ---
>>   BUILD.txt            |  2 +-
>>   freeipa.spec.in      |  2 +-
>>   ipalib/rpc.py        | 42 +++++++++++++++++++++---------------------
>>   ipalib/util.py       | 14 +++++++-------
>>   ipapython/ipautil.py | 17 -----------------
>>   5 files changed, 30 insertions(+), 47 deletions(-)
>>
>> diff --git a/BUILD.txt b/BUILD.txt
>> index 6a28beb..53012b1 100644
>> --- a/BUILD.txt
>> +++ b/BUILD.txt
>> @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel
>> libtalloc-devel \
>>   libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel
>>   \
>>   krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \
>>   autoconf automake m4 libtool gettext python-devel python-ldap \
>> -python-setuptools python-krbV python-nss python-netaddr python-kerberos \
>> +python-setuptools python-krbV python-nss python-netaddr python-gssapi \
>>   python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python
>>   python-memcached \
>>   sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \
>>   check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \
>> diff --git a/freeipa.spec.in b/freeipa.spec.in
>> index fef20e1..5e10022 100644
>> --- a/freeipa.spec.in
>> +++ b/freeipa.spec.in
>> @@ -72,7 +72,7 @@ BuildRequires:  python-krbV
>>   BuildRequires:  python-nss
>>   BuildRequires:  python-cryptography
>>   BuildRequires:  python-netaddr
>> -BuildRequires:  python-kerberos >= 1.1-14
>> +BuildRequires:  python-gssapi >= 1.1.1
>>   BuildRequires:  python-rhsm
>>   BuildRequires:  pyOpenSSL
>>   BuildRequires:  pylint >= 1.0
>> diff --git a/ipalib/rpc.py b/ipalib/rpc.py
>> index 466b49a..bbedcc9 100644
>> --- a/ipalib/rpc.py
>> +++ b/ipalib/rpc.py
>> @@ -44,7 +44,7 @@ from urllib2 import urlparse
>>
>>   from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy,
>>           Transport, ProtocolError, MININT, MAXINT)
>> -import kerberos
>> +import gssapi
>>   from dns import resolver, rdatatype
>>   from dns.exception import DNSException
>>   from nss.error import NSPRError
>> @@ -510,24 +510,27 @@ class KerbTransport(SSLTransport):
>>       """
>>       Handles Kerberos Negotiation authentication to an XML-RPC server.
>>       """
>> -    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
>> +    flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag,
>> +
>> [gssapi.RequirementFlag.mutual_authentication,
>> +
>> gssapi.RequirementFlag.out_of_sequence_detection])
>>
>>       def _handle_exception(self, e, service=None):
>> -        (major, minor) = ipautil.get_gsserror(e)
>> -        if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
>> +        # kerberos library coerced error codes to signed, gssapi uses
>> unsigned
>> +        minor = e.min_code - (1 << 32)
>> +        if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
>>               raise errors.ServiceError(service=service)
>> -        elif minor[1] == KRB5_FCC_NOFILE:
>> +        elif minor == KRB5_FCC_NOFILE:
>>               raise errors.NoCCacheError()
>> -        elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED:
>> +        elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED:
>>               raise errors.TicketExpired()
>> -        elif minor[1] == KRB5_FCC_PERM:
>> +        elif minor == KRB5_FCC_PERM:
>>               raise errors.BadCCachePerms()
>> -        elif minor[1] == KRB5_CC_FORMAT:
>> +        elif minor == KRB5_CC_FORMAT:
>>               raise errors.BadCCacheFormat()
>> -        elif minor[1] == KRB5_REALM_CANT_RESOLVE:
>> +        elif minor == KRB5_REALM_CANT_RESOLVE:
>>               raise errors.CannotResolveKDC()
>>           else:
>> -            raise errors.KerberosError(major=major, minor=minor)
>> +            raise errors.KerberosError(major=e.maj_code, minor=minor)
>>
>>       def get_host_info(self, host):
>>           """
>> @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport):
>>           service = "HTTP@" + host.split(':')[0]
>>
>>           try:
>> -            (rc, vc) = kerberos.authGSSClientInit(service=service,
>> -                                                  gssflags=self.flags)
>> -        except kerberos.GSSError, e:
>> -            self._handle_exception(e)
>> -
>> -        try:
>> -            kerberos.authGSSClientStep(vc, "")
>> -        except kerberos.GSSError, e:
>> +            name = gssapi.Name(service, gssapi.NameType.hostbased_service)
>> +            response = gssapi.raw.init_sec_context(name,
>> flags=self.flags).token
>
> Please do not use the raw api unless you have no other option.
> Use the high level api, also do not refernce a member while instantiating a class.
> Instantiate, then reference please, we want readable code.


Done, but the code now needs to deal with __DEFER_STEP_ERRORS__.


>
>> +        except gssapi.exceptions.GSSError as e:
>>               self._handle_exception(e, service=service)
>>
>>           for (h, v) in extra_headers:
>> @@ -564,7 +562,7 @@ class KerbTransport(SSLTransport):
>>                   break
>>
>>           extra_headers.append(
>> -            ('Authorization', 'negotiate %s' %
>> kerberos.authGSSClientResponse(vc))
>> +            ('Authorization', 'negotiate %s' % base64.b64encode(response))
>>           )
>>
>>           return (host, extra_headers, x509)
>> @@ -632,8 +630,10 @@ class DelegatedKerbTransport(KerbTransport):
>>       Handles Kerberos Negotiation authentication and TGT delegation to an
>>       XML-RPC server.
>>       """
>> -    flags = kerberos.GSS_C_DELEG_FLAG |  kerberos.GSS_C_MUTUAL_FLAG | \
>> -            kerberos.GSS_C_SEQUENCE_FLAG
>> +    flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag,
>> +                                  [gssapi.RequirementFlag.delegate_to_peer,
>> +
>> gssapi.RequirementFlag.mutual_authentication,
>> +
>> gssapi.RequirementFlag.out_of_sequence_detection])
>>
>>
>>   class RPCClient(Connectible):
>> diff --git a/ipalib/util.py b/ipalib/util.py
>> index 649a487..aea3ba9 100644
>> --- a/ipalib/util.py
>> +++ b/ipalib/util.py
>> @@ -63,15 +63,15 @@ def json_serialize(obj):
>>
>>   def get_current_principal():
>>       try:
>> -        import kerberos
>> -        rc, vc = kerberos.authGSSClientInit("notempty")
>> -        rc = kerberos.authGSSClientInquireCred(vc)
>> -        username = kerberos.authGSSClientUserName(vc)
>> -        kerberos.authGSSClientClean(vc)
>> +        import gssapi
>> +        cred = gssapi.raw.acquire_cred(usage='initiate').creds
>> +        name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False,
>> +                                       mechs=False).name
>> +        username = gssapi.raw.display_name(name, name_type=False).name
>
> Same as above.
> Create a credential and inquire it with the high level api


Done, but I still use raw.display_name as I don't see how to get it from 
high-level API (besides parsing repr).


>
>>           return unicode(username)
>>       except ImportError:
>> -        raise RuntimeError('python-kerberos is not available.')
>> -    except kerberos.GSSError, e:
>> +        raise RuntimeError('python-gssapi is not available.')
>> +    except gssapi.exceptions.GSSError:
>>           #TODO: do a kinit?
>>           raise errors.CCacheError()
>>
>> diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
>> index 88e8970..05a7eeb 100644
>> --- a/ipapython/ipautil.py
>> +++ b/ipapython/ipautil.py
>> @@ -783,23 +783,6 @@ def user_input(prompt, default = None, allow_empty =
>> True):
>>                   return ret
>>
>>
>> -def get_gsserror(e):
>> -    """
>> -    A GSSError exception looks differently in python 2.4 than it does
>> -    in python 2.5. Deal with it.
>> -    """
>> -
>> -    try:
>> -       major = e[0]
>> -       minor = e[1]
>> -    except:
>> -       major = e[0][0]
>> -       minor = e[0][1]
>> -
>> -    return (major, minor)
>> -
>> -
>> -
>>   def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
>>   socket_timeout=None):
>>       for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC,
>>       socket_type):
>>           af, socktype, proto, canonname, sa = res
>> --
>> 2.1.0
>>
>> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-msimacek-0001-3-Port-from-python-kerberos-to-python-gssapi.patch
Type: text/x-patch
Size: 7717 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150723/2fc3e6af/attachment.bin>

More information about the Freeipa-devel mailing list