[Freeipa-devel] [PATCH] 800 rpc-client: add forms based auth support

Milan Kubik mkubik at redhat.com
Wed May 6 14:25:47 UTC 2015


On 02/19/2015 03:51 PM, Petr Vobornik wrote:
> This patch is a prerequisite for patch 801, which will follow. It was
> developed to enable use of the ipalib RPC client in Web UI tests. It
> will also make it possible to significantly speed up the Web UI test
> suite (if preparation of data is transformed to use this method).
>
> Partly related to https://fedorahosted.org/freeipa/ticket/4772 and
> https://fedorahosted.org/freeipa/ticket/4307
>
>
> Leverage session support to enable forms-based authentication in the
> RPC client.
>
> In order to do that, session support in KerbTransport was moved to a new
> SessionTransport. RPCClient.create_connection is then modified to
> force forms-based auth if the new optional options, user and password,
> are specified. For this case SessionTransport is used and the user is
> authenticated by calling
> 'https://ipa.server/ipa/session/login_password'. The session cookie is
> stored and used in subsequent calls.
>
> This feature is usable for use cases where one wants to call the API
> without being on an IPA client. Not being on an IPA client also means
> that IPA's NSS database and configuration are not available. Therefore
> one has to define "~/.ipa/default.conf" in a similar way as the IPA
> client does and prepare an NSS database with the IPA CA cert.
>
> Usage:
>
>     api.Backend.rpcclient.connect(
>         nss_dir=my_nss_dir_path,
>         user=user,
>         password=password
>     )
>
> It's possible to switch users with:
>
>     api.Backend.rpcclient.disconnect()
>
>     api.Backend.rpcclient.connect(
>         nss_dir=my_nss_dir_path,
>         user=other_user,
>         password=other_password
>     )
>
> Or check connection with:
>
>     api.Backend.rpcclient.isconnected()
>
> Example: download a CA cert and add it to a new temporary NSS database:
>
>     from urllib2 import urlparse
>     from ipaplatform.paths import paths
>     from ipapython import certdb, ipautil
>     from ipapython.ipautil import run
>     from ipalib import x509
>
>     # create new NSSDatabase
>     tmp_db = certdb.NSSDatabase()
>     pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
>     tmp_db.create_db(pwd_file.name)
>
>     # download and add cert
>     url = urlparse.urlunparse(('http', ipautil.format_netloc(ipa_server),
>                                '/ipa/config/ca.crt', '', '', ''))
>     stdout, stderr, rc = run([paths.BIN_WGET, "-O", "-", url])
>     certs = x509.load_certificate_list(stdout, tmp_db.secdir)
>     ca_certs = [cert.der_data for cert in certs]
>     for i, cert in enumerate(ca_certs):
>         tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
>
>     my_nss_dir_path = tmp_db.secdir
>
Hi,

thanks for the patch. Please, fix the pep8 complaints.

Can someone else look at the code as well, please?

Thanks,
Milan
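
The login exchange from the quoted patch description (POST to `/ipa/session/login_password`, then store the session cookie for later calls), as an added sketch that is not part of this thread or of the FreeIPA patch. The cookie name `ipa_session`, the `user`/`password` form field names, the `Referer` header, the host `ipa.example.test` and all function names are assumptions made for illustration; the checks show what a client should verify before it stores and reuses the cookie.

```python
from urllib.parse import urlencode, urlsplit

LOGIN_PATH = "/ipa/session/login_password"  # path named in the patch description
COOKIE_NAME = "ipa_session"                 # assumption: session cookie name


def build_login_request(server, user, password):
    """Return (url, headers, body) for the forms-based login POST."""
    url = "https://%s%s" % (server, LOGIN_PATH)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": "https://%s/ipa" % server,  # assumption: Referer is checked
    }
    # Assumption: form fields are named like the connect() options.
    body = urlencode({"user": user, "password": password})
    return url, headers, body


def parse_set_cookie(raw):
    """Split one Set-Cookie value into (name, value, attribute names)."""
    first, _, rest = raw.partition(";")
    name, _, value = first.partition("=")
    attrs = {a.partition("=")[0].strip().lower()
             for a in rest.split(";") if a.strip()}
    return name.strip(), value.strip(), attrs


def extract_session_cookie(login_url, status, set_cookie_values):
    """Return the 'name=value' string to store, or raise ValueError."""
    if urlsplit(login_url).scheme != "https":
        raise ValueError("refusing to send a password to a non-HTTPS URL")
    if status != 200:
        raise ValueError("login rejected (HTTP %d)" % status)
    for raw in set_cookie_values:
        name, value, attrs = parse_set_cookie(raw)
        if name != COOKIE_NAME or not value:
            continue
        if "secure" not in attrs:
            raise ValueError("session cookie is missing the Secure attribute")
        return "%s=%s" % (name, value)
    raise ValueError("no session cookie in the login response")


def session_headers(server, stored_cookie):
    """Headers for later RPC calls that reuse the stored session cookie."""
    return {"Cookie": stored_cookie, "Referer": "https://%s/ipa" % server}
```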