Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
On 4.8.2015 at 17:02 Robbie Harwood wrote:
> Michael Šimáček writes:
>> Attaching new revision of the patch that performs the full negotiation
>> cycle.
>
> Looks good to me, thanks!

IPA compiles and installs fine with the patch applied, so ACK.

Pushed to master: f0b4c4487ed77a3037cbbc46206d598c58f06bb1

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Michael Šimáček writes:

> Attaching new revision of the patch that performs the full negotiation
> cycle.

Looks good to me, thanks!
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
On Mon, 2015-08-03 at 23:56 +0200, Michael Šimáček wrote:
> On 2015-07-27 11:38, Simo Sorce wrote:
> > On Sun, 2015-07-26 at 21:51 +0200, Michael Šimáček wrote:
> >> It would probably be nicer to do the full cycle, but I'd like to avoid
> >> changes in behavior when porting from one library to another. And the
> >> code above doesn't actually hold any connection, so it would require
> >> more refactoring to make that happen. For now I would follow what the
> >> original code was doing. As for the exceptions, I think it would
> >> actually be justifiable to use the raw api's init_sec_context, because
> >> the high level api would just do the same call + the exception handling
> >> magic, which we want to avoid for now. Please let me know what you
> >> think.
> >> Attaching updated patch that uses 'unicode' instead of raw.display_name
> >> and reverts back to using init_sec_context.
> >
> > Sorry,
> > but we should really not use the raw API here.
> > If it means more changes to the code, so be it, please use the high level
> > API as recommended by Robbie, we wrote a better API so that people would
> > use it, and we want to apply best practices when changing code in IPA.
> >
>
> Attaching new revision of the patch that performs the full negotiation
> cycle.
>
> Michael

LGTM

Thanks!
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
On 2015-07-27 11:38, Simo Sorce wrote:
> On Sun, 2015-07-26 at 21:51 +0200, Michael Šimáček wrote:
>> It would probably be nicer to do the full cycle, but I'd like to avoid
>> changes in behavior when porting from one library to another. And the
>> code above doesn't actually hold any connection, so it would require
>> more refactoring to make that happen. For now I would follow what the
>> original code was doing. As for the exceptions, I think it would
>> actually be justifiable to use the raw api's init_sec_context, because
>> the high level api would just do the same call + the exception handling
>> magic, which we want to avoid for now. Please let me know what you
>> think.
>> Attaching updated patch that uses 'unicode' instead of raw.display_name
>> and reverts back to using init_sec_context.
>
> Sorry,
> but we should really not use the raw API here.
> If it means more changes to the code, so be it, please use the high level
> API as recommended by Robbie, we wrote a better API so that people would
> use it, and we want to apply best practices when changing code in IPA.

Attaching new revision of the patch that performs the full negotiation
cycle.

Michael

From 9cd3f604ba4c2a8ccc116296ed9c4a5b4b2075fe Mon Sep 17 00:00:00 2001 From: Michael Simacek Date: Thu, 16 Jul 2015 18:22:00 +0200 Subject: [PATCH] Port from python-kerberos to python-gssapi kerberos library doesn't support Python 3 and probably never will. python-gssapi library is Python 3 compatible. https://fedorahosted.org/freeipa/ticket/5147 --- BUILD.txt| 2 +- freeipa.spec.in | 4 +- ipalib/rpc.py| 112 +++ ipalib/util.py | 13 +++--- ipapython/ipautil.py | 17 5 files changed, 95 insertions(+), 53 deletions(-) diff --git a/BUILD.txt b/BUILD.txt index 6a28beba1e0844971fb5625c0e1adf3f0c0fc0e3..53012b14d05673d4fbc4d0567e877348d5e78444 100644 --- a/BUILD.txt +++ b/BUILD.txt 
@@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ autoconf automake m4 libtool gettext python-devel python-ldap \ -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \ sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ diff --git a/freeipa.spec.in b/freeipa.spec.in index 0351952c692eb0cee2148053462c50b6d9073b5d..57d3d26e94aab6267143793943268175ed440586 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -72,7 +72,7 @@ BuildRequires: python-krbV BuildRequires: python-nss BuildRequires: python-cryptography BuildRequires: python-netaddr -BuildRequires: python-kerberos >= 1.1-14 +BuildRequires: python-gssapi >= 1.1.1 BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint >= 1.0 @@ -303,7 +303,7 @@ IPA administrators. %package python Summary: Python libraries used by IPA Group: System Environment/Libraries -Requires: python-kerberos >= 1.1-14 +Requires: python-gssapi >= 1.1.1 Requires: gnupg Requires: iproute Requires: keyutils diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 466b49a6dd60370db4d588389acba8dcaa493aa1..4176bbd283da709b60844bdb38651af97ea8f48f 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ from urllib2 import urlparse from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, Transport, ProtocolError, MININT, MAXINT) -import kerberos +import gssapi from dns import resolver, rdatatype from dns.exception import DNSException from nss.error import NSPRError 
@@ -510,24 +510,32 @@ class KerbTransport(SSLTransport): """ Handles Kerberos Negotiation authentication to an XML-RPC server. """ -flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG +flags = [gssapi.RequirementFlag.mutual_authentication, + gssapi.RequirementFlag.out_of_sequence_detection] + +def __init__(self, *args, **kwargs): +SSLTransport.__init__(self, *args, **kwargs) +self._sec_context = None def _handle_exception(self, e, service=None): -(major, minor) = ipautil.get_gsserror(e) -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: +# kerberos library coerced error codes to signed, gssapi uses unsigned +minor = e.min_code +if minor & (1 << 31): +minor -= 1 << 32 +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: raise errors.ServiceError(service=service) -elif minor[1] == KRB5_FCC_NOFILE: +elif minor == KRB5_FCC_NOFILE: raise errors.NoCCacheError() -elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: +elif minor == KRB5KRB_AP_
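Review bot: `self._sec_context = None` is assigned once in `__init__`, but the transport object is held by the ServerProxy and reused for every subsequent request, so the negotiation code this hunk prepares for must reset `_sec_context` to None each time the server answers 401 and a new negotiation begins, and must never call `step()` on a context that is already complete; the quoted portion of the patch ends before that code, so please confirm the reset is there. Note also that `flags` is now a plain list rather than the `IntEnumFlagSet` of the earlier revisions; `gssapi.SecurityContext(flags=...)` accepts either, but if the outcome of the final step is checked, compare against `sec_context.actual_flags` rather than `self.flags`, since only the negotiated set says whether mutual authentication actually took place.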
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
On Sun, 2015-07-26 at 21:51 +0200, Michael Šimáček wrote:
> It would probably be nicer to do the full cycle, but I'd like to avoid
> changes in behavior when porting from one library to another. And the
> code above doesn't actually hold any connection, so it would require
> more refactoring to make that happen. For now I would follow what the
> original code was doing. As for the exceptions, I think it would
> actually be justifiable to use the raw api's init_sec_context, because
> the high level api would just do the same call + the exception handling
> magic, which we want to avoid for now. Please let me know what you
> think.
> Attaching updated patch that uses 'unicode' instead of raw.display_name
> and reverts back to using init_sec_context.

Sorry,
but we should really not use the raw API here.
If it means more changes to the code, so be it, please use the high level
API as recommended by Robbie, we wrote a better API so that people would
use it, and we want to apply best practices when changing code in IPA.

Simo.
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Comments inline.

On 2015-07-23 21:29, Robbie Harwood wrote:
> Some comments from Solly and me inline:
>
> Michael Šimáček writes:
>
>> On 2015-07-22 15:47, Simo Sorce wrote:
>>> Comments inline.
>>>
>>> - Original Message -
>>>> From: "Michael Simacek"
>>>> To: freeipa-devel@redhat.com
>>>> Sent: Tuesday, July 21, 2015 8:02:26 AM
>>>> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
>>>>
>>>> diff --git a/ipalib/util.py b/ipalib/util.py index 649a487..aea3ba9 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -63,15 +63,15 @@ def json_serialize(obj): def get_current_principal(): try: -import kerberos -rc, vc = kerberos.authGSSClientInit("notempty") -rc = kerberos.authGSSClientInquireCred(vc) -username = kerberos.authGSSClientUserName(vc) -kerberos.authGSSClientClean(vc) +import gssapi +cred = gssapi.raw.acquire_cred(usage='initiate').creds +name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False, + mechs=False).name +username = gssapi.raw.display_name(name, name_type=False).name
>>>
>>> Same as above.
>>> Create a credential and inquire it with the high level api
>>
>> Done, but I still use raw.display_name as I don't see how to get it from
>> high-level API (besides parsing repr).
>
> I believe one can call `str()`. See
> http://pythonhosted.org/gssapi/gssapi.html#gssapi.names.Name

You're of course right. I'm sorry I missed such an obvious thing.
@@ -548,14 +552,12 @@ class KerbTransport(SSLTransport): service = "HTTP@" + host.split(':')[0] try: -(rc, vc) = kerberos.authGSSClientInit(service=service, - gssflags=self.flags) -except kerberos.GSSError, e: -self._handle_exception(e) - -try: -kerberos.authGSSClientStep(vc, "") -except kerberos.GSSError, e: +name = gssapi.Name(service, gssapi.NameType.hostbased_service) +sec_context = gssapi.SecurityContext(name=name, flags=self.flags) +# gssapi defers errors to next step, we want them now +sec_context.__DEFER_STEP_ERRORS__ = False As a class-level flag, this should probably be used as such. Preferable to using it would be to check complete, though - is there a reason not to do that here? Otherwise, looks good! It would probably be nicer to do the full cycle, but I'd like to avoid changes in behavior when porting from one library to another. And the code above doesn't actually hold any connection, so it would require more refactoring to make that happen. For now I would follow what the original code was doing. As for the exceptions, I think it would actually be justifiable to use the raw api's init_sec_context, because the high level api would just do the same call + the exception handling magic, which we want to avoid for now. Please let me know what do you think. Attaching updated patch that uses 'unicode' instead of raw.display_name and reverts back to using init_sec_context. Thank you. -- Michael Simacek From abdee5c742cf0adaa287b8932f25d701219f71a0 Mon Sep 17 00:00:00 2001 From: Michael Simacek Date: Thu, 16 Jul 2015 18:22:00 +0200 Subject: [PATCH] Port from python-kerberos to python-gssapi kerberos library doesn't support Python 3 and probably never will. python-gssapi library is Python 3 compatible. https://fedorahosted.org/freeipa/ticket/5147 --- BUILD.txt| 2 +- freeipa.spec.in | 2 +- ipalib/rpc.py| 43 ++- ipalib/util.py | 13 + ipapython/ipautil.py | 17 - 5 files changed, 29 insertions(+), 48 deletions(-) 
diff --git a/BUILD.txt b/BUILD.txt index 6a28beba1e0844971fb5625c0e1adf3f0c0fc0e3..53012b14d05673d4fbc4d0567e877348d5e78444 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ autoconf automake m4 libtool gettext python-devel python-ldap \ -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \ sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ diff --git a/freeipa.spec.in b/freeipa.spec.in index 928425fdc65a092f67a28d97101c32b7392bf1c8..e2bbd79360ac626db93fe7e957b0ef3be043da4f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -72,7 +72,7 @@ BuildRequires: python-krbV BuildRequires: python-nss BuildRequires: python-cryptography BuildRequires: python-netaddr -BuildRequires: python-kerberos >= 1.1-14 +BuildRequires: python-gssapi
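Review bot: the diffstat `freeipa.spec.in | 2 +-` together with the single visible spec hunk shows that only the `BuildRequires: python-kerberos >= 1.1-14` line is replaced in this revision; the runtime `Requires: python-kerberos >= 1.1-14` in the `%package python` section (the line the later revision also changes) is left as it was, so the built freeipa-python package would still pull in python-kerberos and would not require python-gssapi at install time even though ipalib/rpc.py now imports it. Update both lines in the same patch.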
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Some comments from Solly and me inline:

Michael Šimáček writes:

> On 2015-07-22 15:47, Simo Sorce wrote:
>> Comments inline.
>>
>> - Original Message -
>>> From: "Michael Simacek"
>>> To: freeipa-devel@redhat.com
>>> Sent: Tuesday, July 21, 2015 8:02:26 AM
>>> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to
>>> python-gssapi
>>>
>>> diff --git a/ipalib/util.py b/ipalib/util.py
>>> index 649a487..aea3ba9 100644
>>> --- a/ipalib/util.py
>>> +++ b/ipalib/util.py
>>> @@ -63,15 +63,15 @@ def json_serialize(obj):
>>>
>>> def get_current_principal():
>>> try:
>>> -import kerberos
>>> -rc, vc = kerberos.authGSSClientInit("notempty")
>>> -rc = kerberos.authGSSClientInquireCred(vc)
>>> -username = kerberos.authGSSClientUserName(vc)
>>> -kerberos.authGSSClientClean(vc)
>>> +import gssapi
>>> +cred = gssapi.raw.acquire_cred(usage='initiate').creds
>>> +name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False,
>>> + mechs=False).name
>>> +username = gssapi.raw.display_name(name, name_type=False).name
>>
>> Same as above.
>> Create a credential and inquire it with the high level api
>
> Done, but I still use raw.display_name as I don't see how to get it from
> high-level API (besides parsing repr).

I believe one can call `str()`. See
http://pythonhosted.org/gssapi/gssapi.html#gssapi.names.Name
> @@ -548,14 +552,12 @@ class KerbTransport(SSLTransport):
> service = "HTTP@" + host.split(':')[0]
>
> try:
> -(rc, vc) = kerberos.authGSSClientInit(service=service,
> - gssflags=self.flags)
> -except kerberos.GSSError, e:
> -self._handle_exception(e)
> -
> -try:
> -kerberos.authGSSClientStep(vc, "")
> -except kerberos.GSSError, e:
> +name = gssapi.Name(service, gssapi.NameType.hostbased_service)
> +sec_context = gssapi.SecurityContext(name=name, flags=self.flags)
> +# gssapi defers errors to next step, we want them now
> +sec_context.__DEFER_STEP_ERRORS__ = False

As a class-level flag, this should probably be used as such.
Preferable to using it would be to check complete, though - is there a
reason not to do that here?

Otherwise, looks good!
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
On 2015-07-22 15:47, Simo Sorce wrote: Comments inline. - Original Message - From: "Michael Simacek" To: freeipa-devel@redhat.com Sent: Tuesday, July 21, 2015 8:02:26 AM Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi Hi, This is a first part of my effort to port FreeIPA from Python3-incompatible Kerberos libraries to python-gssapi. This patch should replace python-kerberos with python-gssapi (both use C GSSAPI behind the scenes). -- Michael Simacek >From bca55a6bd9cdb9cdea9d81b55cfdbc2c1279f031 Mon Sep 17 00:00:00 2001 From: Michael Simacek Date: Thu, 16 Jul 2015 18:22:00 +0200 Subject: [PATCH] Port from python-kerberos library to python-gssapi kerberos library doesn't support Python 3 and probably never will. python-gssapi library is Python 3 compatible. --- BUILD.txt| 2 +- freeipa.spec.in | 2 +- ipalib/rpc.py| 42 +- ipalib/util.py | 14 +++--- ipapython/ipautil.py | 17 - 5 files changed, 30 insertions(+), 47 deletions(-) diff --git a/BUILD.txt b/BUILD.txt index 6a28beb..53012b1 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ autoconf automake m4 libtool gettext python-devel python-ldap \ -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \ sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1..5e10022 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -72,7 +72,7 @@ BuildRequires: python-krbV BuildRequires: python-nss BuildRequires: python-cryptography BuildRequires: python-netaddr -BuildRequires: python-kerberos >= 1.1-14 +BuildRequires: python-gssapi >= 1.1.1 BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint >= 1.0 diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 466b49a..bbedcc9 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ from urllib2 import urlparse from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, Transport, ProtocolError, MININT, MAXINT) -import kerberos +import gssapi from dns import resolver, rdatatype from dns.exception import DNSException from nss.error import NSPRError 
@@ -510,24 +510,27 @@ class KerbTransport(SSLTransport): """ Handles Kerberos Negotiation authentication to an XML-RPC server. """ -flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG +flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, + [gssapi.RequirementFlag.mutual_authentication, + gssapi.RequirementFlag.out_of_sequence_detection]) def _handle_exception(self, e, service=None): -(major, minor) = ipautil.get_gsserror(e) -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: +# kerberos library coerced error codes to signed, gssapi uses unsigned +minor = e.min_code - (1 << 32) +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: raise errors.ServiceError(service=service) -elif minor[1] == KRB5_FCC_NOFILE: +elif minor == KRB5_FCC_NOFILE: raise errors.NoCCacheError() -elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: +elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED: raise errors.TicketExpired() -elif minor[1] == KRB5_FCC_PERM: +elif minor == KRB5_FCC_PERM: raise errors.BadCCachePerms() -elif minor[1] == KRB5_CC_FORMAT: +elif minor == KRB5_CC_FORMAT: raise errors.BadCCacheFormat() -elif minor[1] == KRB5_REALM_CANT_RESOLVE: +elif minor == KRB5_REALM_CANT_RESOLVE: raise errors.CannotResolveKDC() else: -raise errors.KerberosError(major=major, minor=minor) +raise errors.KerberosError(major=e.maj_code, minor=minor) def get_host_info(self, host): """ @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport): service = "HTTP@" + host.split(':')[0] try: -(rc, vc) = kerberos.authGSSClientInit(service=service, - gssflags=self.flags) -except kerberos.GSSError, e: -self._handle_exception(e) - -try: -kerberos.authGSSClientStep(vc, "") -except kerberos.GSSError, e: +name = gssapi.Name(service, gssapi.NameType.hostbased_service) +response = gssapi.raw.init_sec_context(name, flags=s
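Review bot: in `_handle_exception`, `minor = e.min_code - (1 << 32)` subtracts unconditionally, so any minor status below 2**31 (a minor code of 0, or an error from a non-krb5 mechanism) becomes a large negative number and reaches the generic `errors.KerberosError(major=e.maj_code, minor=minor)` with a value that no longer corresponds to anything; wrap only when bit 31 is set, i.e. `minor = e.min_code` followed by `if minor & (1 << 31): minor -= 1 << 32`. Separately, the spec hunk replaces only `BuildRequires: python-kerberos`; the runtime `Requires:` line for the python subpackage still names python-kerberos and needs the same change.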
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Comments inline. - Original Message - > From: "Michael Simacek" > To: freeipa-devel@redhat.com > Sent: Tuesday, July 21, 2015 8:02:26 AM > Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to > python-gssapi > > Hi, > > This is a first part of my effort to port FreeIPA from Python3-incompatible > Kerberos libraries to python-gssapi. This patch should replace > python-kerberos > with python-gssapi (both use C GSSAPI behind the scenes). > > -- > Michael Simacek > > > >From bca55a6bd9cdb9cdea9d81b55cfdbc2c1279f031 Mon Sep 17 00:00:00 2001 > From: Michael Simacek > Date: Thu, 16 Jul 2015 18:22:00 +0200 > Subject: [PATCH] Port from python-kerberos library to python-gssapi > > kerberos library doesn't support Python 3 and probably never will. > python-gssapi library is Python 3 compatible. > --- > BUILD.txt| 2 +- > freeipa.spec.in | 2 +- > ipalib/rpc.py| 42 +- > ipalib/util.py | 14 +++--- > ipapython/ipautil.py | 17 - > 5 files changed, 30 insertions(+), 47 deletions(-) > > diff --git a/BUILD.txt b/BUILD.txt > index 6a28beb..53012b1 100644 > --- a/BUILD.txt > +++ b/BUILD.txt > @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel > libtalloc-devel \ > libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel > \ > krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ > autoconf automake m4 libtool gettext python-devel python-ldap \ > -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ > +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ > python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python > python-memcached \ > sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ > check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ > diff --git a/freeipa.spec.in b/freeipa.spec.in > index fef20e1..5e10022 100644 > --- a/freeipa.spec.in > +++ b/freeipa.spec.in 
> @@ -72,7 +72,7 @@ BuildRequires: python-krbV > BuildRequires: python-nss > BuildRequires: python-cryptography > BuildRequires: python-netaddr > -BuildRequires: python-kerberos >= 1.1-14 > +BuildRequires: python-gssapi >= 1.1.1 > BuildRequires: python-rhsm > BuildRequires: pyOpenSSL > BuildRequires: pylint >= 1.0 > diff --git a/ipalib/rpc.py b/ipalib/rpc.py > index 466b49a..bbedcc9 100644 > --- a/ipalib/rpc.py > +++ b/ipalib/rpc.py > @@ -44,7 +44,7 @@ from urllib2 import urlparse > > from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, > Transport, ProtocolError, MININT, MAXINT) > -import kerberos > +import gssapi > from dns import resolver, rdatatype > from dns.exception import DNSException > from nss.error import NSPRError 
> @@ -510,24 +510,27 @@ class KerbTransport(SSLTransport): > """ > Handles Kerberos Negotiation authentication to an XML-RPC server. > """ > -flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG > +flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, > + > [gssapi.RequirementFlag.mutual_authentication, > + > gssapi.RequirementFlag.out_of_sequence_detection]) > > def _handle_exception(self, e, service=None): > -(major, minor) = ipautil.get_gsserror(e) > -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > +# kerberos library coerced error codes to signed, gssapi uses > unsigned > +minor = e.min_code - (1 << 32) > +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > raise errors.ServiceError(service=service) > -elif minor[1] == KRB5_FCC_NOFILE: > +elif minor == KRB5_FCC_NOFILE: > raise errors.NoCCacheError() > -elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: > +elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED: > raise errors.TicketExpired() > -elif minor[1] == KRB5_FCC_PERM: > +elif minor == KRB5_FCC_PERM: > raise errors.BadCCachePerms() > -elif minor[1] == KRB5_CC_FORMAT: > +elif minor == KRB5_CC_FORMAT: > raise errors.BadCCacheFormat() > -elif minor[1] == KRB5_REALM_CANT_RESOLVE: > +elif minor == KRB5_REALM_CANT_RESOLVE: > raise errors.CannotResolveKDC() > else: > -raise errors.KerberosError(major=major, minor=minor) > +raise errors.KerberosError(major=e.maj_code, minor=minor) > > def get_host_info(self, host): > """ > @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport): > service = "HTTP@" + host.split(':')[0] > > try: > -(rc, vc) = kerberos.authGSSClientInit(service=service, > - gssflags=self.flags) > -except kerberos.GSSError, e: > -self._handle_exception(e) > - > -try: > -kerberos.authGSSClientStep(vc, "") > -
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Michael Simacek writes:

> This is a first part of my effort to port FreeIPA from Python3-incompatible
> Kerberos libraries to python-gssapi. This patch should replace python-kerberos
> with python-gssapi (both use C GSSAPI behind the scenes).

Okay, Solly and I went through this again, and there might be a problem.

> @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport):
> service = "HTTP@" + host.split(':')[0]
>
> try:
> -(rc, vc) = kerberos.authGSSClientInit(service=service,
> - gssflags=self.flags)
> -except kerberos.GSSError, e:
> -self._handle_exception(e)
> -
> -try:
> -kerberos.authGSSClientStep(vc, "")
> -except kerberos.GSSError, e:
> +name = gssapi.Name(service, gssapi.NameType.hostbased_service)
> +response = gssapi.raw.init_sec_context(name,
> flags=self.flags).token
> +except gssapi.exceptions.GSSError as e:
> self._handle_exception(e, service=service)
>
> for (h, v) in extra_headers:
> @@ -564,7 +562,7 @@ class KerbTransport(SSLTransport):
> break
>
> extra_headers.append(
> -('Authorization', 'negotiate %s' %
> kerberos.authGSSClientResponse(vc))
> +('Authorization', 'negotiate %s' % base64.b64encode(response))
> )

If you call init_sec_context, the token returned may be an error token, and
the error will be deferred until the next use of the context. This behavior
can be turned off by setting __DEFER_STEP_ERRORS__ to false on the class.
More information:
https://pythonhosted.org/gssapi/gssapi.html#gssapi.sec_contexts.SecurityContext.step
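Review bot: in the second quoted hunk, `'negotiate %s' % base64.b64encode(response)` yields `negotiate b'...'` under Python 3, because `b64encode` returns bytes and %-formatting bytes into a str inserts its repr; since the commit message gives Python 3 compatibility as the reason for the port, decode the encoded token first (`base64.b64encode(response).decode('ascii')`). In the first hunk, `gssapi.raw.init_sec_context` is called exactly once and its token sent, but the server's reply token is never fed back into a context, so the `mutual_authentication` flag requested in `flags` is never actually checked: the client ends up trusting the server without verifying that it holds the HTTP/host key. Driving the context to completion, as discussed elsewhere in the thread, is what makes that flag meaningful.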
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Hello,

Would you mind formatting your patch following the format described at
http://www.freeipa.org/page/Contribute/Patch_Format and attach the patch to
this thread? Please attach your patch to the corresponding trac ticket as
well.

thanks,
Gabe

On Tue, Jul 21, 2015 at 7:26 AM, Michael Simacek wrote:
> - Original Message -
> > From: "Christian Heimes"
> > To: freeipa-devel@redhat.com, msima...@redhat.com
> > Sent: Tuesday, July 21, 2015 2:23:06 PM
> > Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
> >
> > On 2015-07-21 14:02, Michael Simacek wrote:
> > > Hi,
> > >
> > > This is a first part of my effort to port FreeIPA from Python3-incompatible
> > > Kerberos libraries to python-gssapi. This patch should replace
> > > python-kerberos
> > > with python-gssapi (both use C GSSAPI behind the scenes).
> >
> > > def _handle_exception(self, e, service=None):
> > > -(major, minor) = ipautil.get_gsserror(e)
> > > -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
> > > +# kerberos library coerced error codes to signed, gssapi uses
> > > unsigned
> > > +minor = e.min_code - (1 << 32)
> > > +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
> >
> > The unsigned to sign conversion is not correct. Although it doesn't make
> > a difference here, please use the technically correct way:
> >
> > minor = e.min_code
> > if minor & (1 << 31):
> > minor -= 1 << 32
> >
> > or if you prefer hex:
> >
> > if minor & 0x80000000:
> > minor -= 0x100000000
> >
>
> Fixed, thank you. Hopefully, when FreeIPA will use python-gssapi
> everywhere, such coercions won't be needed.
>
> --
> Michael Simacek
>
> >From c59cadae8d461aa0c771cb56a34d53c9533a4248 Mon Sep 17 00:00:00 2001 
> From: Michael Simacek > Date: Thu, 16 Jul 2015 18:22:00 +0200 > Subject: [PATCH] Port from python-kerberos library to python-gssapi > > kerberos library doesn't support Python 3 and probably never will. > python-gssapi library is Python 3 compatible. > --- > BUILD.txt| 2 +- > freeipa.spec.in | 2 +- > ipalib/rpc.py| 44 +++- > ipalib/util.py | 14 +++--- > ipapython/ipautil.py | 17 - > 5 files changed, 32 insertions(+), 47 deletions(-) > > diff --git a/BUILD.txt b/BUILD.txt > index 6a28beb..53012b1 100644 > --- a/BUILD.txt > +++ b/BUILD.txt > @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel > libtalloc-devel \ > libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel > krb5-devel \ > krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ > autoconf automake m4 libtool gettext python-devel python-ldap \ > -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ > +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ > python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python > python-memcached \ > sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ > check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ > diff --git a/freeipa.spec.in b/freeipa.spec.in > index fef20e1..5e10022 100644 > --- a/freeipa.spec.in > +++ b/freeipa.spec.in > @@ -72,7 +72,7 @@ BuildRequires: python-krbV > BuildRequires: python-nss > BuildRequires: python-cryptography > BuildRequires: python-netaddr > -BuildRequires: python-kerberos >= 1.1-14 > +BuildRequires: python-gssapi >= 1.1.1 > BuildRequires: python-rhsm > BuildRequires: pyOpenSSL > BuildRequires: pylint >= 1.0 > diff --git a/ipalib/rpc.py b/ipalib/rpc.py > index 466b49a..9e8c97d 100644 > --- a/ipalib/rpc.py > +++ b/ipalib/rpc.py 
> @@ -44,7 +44,7 @@ from urllib2 import urlparse > > from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, > Transport, ProtocolError, MININT, MAXINT) > -import kerberos > +import gssapi > from dns import resolver, rdatatype > from dns.exception import DNSException > from nss.error import NSPRError > @@ -510,24 +510,29 @@ class KerbTransport(SSLTransport): > """ > Handles Kerberos Negotiation authentication to an XML-RPC server. > """ > -flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG > +flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, > + > [gssapi.RequirementFlag.mutual_authentication, > + > gssapi.Re
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Michael Simacek writes:

> - Original Message -
>> From: "Christian Heimes"
>> To: freeipa-devel@redhat.com, msima...@redhat.com
>> Sent: Tuesday, July 21, 2015 2:23:06 PM
>> Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to
>> python-gssapi
>>
>> On 2015-07-21 14:02, Michael Simacek wrote:
>> > Hi,
>> >
>> > This is a first part of my effort to port FreeIPA from Python3-incompatible
>> > Kerberos libraries to python-gssapi. This patch should replace
>> > python-kerberos
>> > with python-gssapi (both use C GSSAPI behind the scenes).

This looks good to me! I'm glad the port is progressing well, and please
feel free to contact me if you hit trouble with python-gssapi.
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
- Original Message -
> From: "Christian Heimes"
> To: freeipa-devel@redhat.com, msima...@redhat.com
> Sent: Tuesday, July 21, 2015 2:23:06 PM
> Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to
> python-gssapi
>
> On 2015-07-21 14:02, Michael Simacek wrote:
> > Hi,
> >
> > This is a first part of my effort to port FreeIPA from Python3-incompatible
> > Kerberos libraries to python-gssapi. This patch should replace
> > python-kerberos
> > with python-gssapi (both use C GSSAPI behind the scenes).
>
> > def _handle_exception(self, e, service=None):
> > -(major, minor) = ipautil.get_gsserror(e)
> > -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
> > +# kerberos library coerced error codes to signed, gssapi uses
> > unsigned
> > +minor = e.min_code - (1 << 32)
> > +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
>
> The unsigned to sign conversion is not correct. Although it doesn't make
> a difference here, please use the technically correct way:
>
> minor = e.min_code
> if minor & (1 << 31):
> minor -= 1 << 32
>
> or if you prefer hex:
>
> if minor & 0x80000000:
> minor -= 0x100000000
>

Fixed, thank you. Hopefully, when FreeIPA will use python-gssapi
everywhere, such coercions won't be needed.

--
Michael Simacek

>From c59cadae8d461aa0c771cb56a34d53c9533a4248 Mon Sep 17 00:00:00 2001 From: Michael Simacek Date: Thu, 16 Jul 2015 18:22:00 +0200 Subject: [PATCH] Port from python-kerberos library to python-gssapi kerberos library doesn't support Python 3 and probably never will. python-gssapi library is Python 3 compatible. --- BUILD.txt| 2 +- freeipa.spec.in | 2 +- ipalib/rpc.py| 44 +++- ipalib/util.py | 14 +++--- ipapython/ipautil.py | 17 - 5 files changed, 32 insertions(+), 47 deletions(-) diff --git a/BUILD.txt b/BUILD.txt index 6a28beb..53012b1 100644 --- a/BUILD.txt +++ b/BUILD.txt 
@@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ autoconf automake m4 libtool gettext python-devel python-ldap \ -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \ sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1..5e10022 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -72,7 +72,7 @@ BuildRequires: python-krbV BuildRequires: python-nss BuildRequires: python-cryptography BuildRequires: python-netaddr -BuildRequires: python-kerberos >= 1.1-14 +BuildRequires: python-gssapi >= 1.1.1 BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint >= 1.0 diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 466b49a..9e8c97d 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ from urllib2 import urlparse from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, Transport, ProtocolError, MININT, MAXINT) -import kerberos +import gssapi from dns import resolver, rdatatype from dns.exception import DNSException from nss.error import NSPRError 
@@ -510,24 +510,29 @@ class KerbTransport(SSLTransport): """ Handles Kerberos Negotiation authentication to an XML-RPC server. """ -flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG +flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, + [gssapi.RequirementFlag.mutual_authentication, + gssapi.RequirementFlag.out_of_sequence_detection]) def _handle_exception(self, e, service=None): -(major, minor) = ipautil.get_gsserror(e) -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: +# kerberos library coerced error codes to signed, gssapi uses unsigned +minor = e.min_code +if minor & (1 << 31): +minor -= 1 << 32 +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: raise errors.ServiceError(service=service) -elif minor[1] == KRB5_FCC_NOFILE: +elif minor == KRB5_FCC_NOFILE: raise errors.NoCCacheError() -elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: +elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED: raise errors.TicketExpired() -elif mino
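Review bot: the freeipa.spec.in hunk swaps only the BuildRequires, and the diffstat (`freeipa.spec.in | 2 +-`) confirms that is the sole spec line touched, while ipalib/rpc.py now has a module-level `import gssapi`; if a runtime `Requires: python-kerberos` is still present for the subpackage that ships ipalib, the package builds but `ipalib.rpc` fails to import on an installed system that lacks python-gssapi. The same `python-gssapi >= 1.1.1` floor belongs on that Requires line.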
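Review bot: in the KerbTransport hunk the sign-bit conversion in `_handle_exception` (`if minor & (1 << 31): minor -= 1 << 32`) is the right reinterpretation of an OM_uint32, but it is a two-liner that will get copied; since ipapython/ipautil.py and ipalib/util.py change in the same patch, put it in one helper next to whatever replaces `ipautil.get_gsserror`, with a comment that comparing against the KRB5* constants presumes the minor status came from the krb5 mechanism, which holds for KerbTransport. Two smaller points on `flags`: IntEnumFlagSet is a mutable set type rather than the int mask it replaces, and as a class attribute it is shared by every instance, so no code path should add to it per call; and `mutual_authentication` is only requested here, so the code that completes the exchange (past the end of this truncated hunk) should confirm the flag was actually granted before treating the server's reply as authenticated.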
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
On 2015-07-21 14:02, Michael Simacek wrote:
> Hi,
>
> This is a first part of my effort to port FreeIPA from Python3-incompatible Kerberos libraries to python-gssapi. This patch should replace python-kerberos with python-gssapi (both use C GSSAPI behind the scenes).
> def _handle_exception(self, e, service=None):
> -(major, minor) = ipautil.get_gsserror(e)
> -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
> +# kerberos library coerced error codes to signed, gssapi uses
> unsigned
> +minor = e.min_code - (1 << 32)
> +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:

The unsigned to signed conversion is not correct. Although it doesn't make a difference here, please use the technically correct way:

    minor = e.min_code
    if minor & (1 << 31):
        minor -= 1 << 32

or if you prefer hex:

    if minor & 0x80000000:
        minor -= 0x100000000

Christian
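Review bot: `minor = e.min_code - (1 << 32)` in the quoted hunk is wrong for any minor status whose bit 31 is clear: a minor of 0 (a GSS-layer failure with no mechanism detail) becomes -4294967296, and the `KRB5_FCC_NOFILE` and `KRB5KRB_AP_ERR_TKT_EXPIRED` branches that follow compare against the same mis-converted value. Only the sign-bit test reinterprets the OM_uint32 as the signed com_err code python-kerberos used to return; the subtraction happens to agree for the krb5 codes because they all have bit 31 set.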
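The conversion Christian asks for, as an added worked example that is not code from the patch, from FreeIPA or from python-gssapi: it puts the first version (`e.min_code - (1 << 32)`) beside the sign-bit version, lists the inputs on which the two disagree, and applies the sign-correct one in a classifier shaped like `_handle_exception`. Assumptions: the three KRB5* constants are the libkrb5 com_err values as recalled from krb5's error table (`ERROR_TABLE_BASE_krb5 = -1765328384`), `FakeGSSError` is a constructed stand-in for `gssapi.exceptions.GSSError` that exposes only `maj_code` and `min_code` so the block runs without python-gssapi, and `GSS_S_FAILURE` is 13 << 16; none of these names are the project's.

```python
# Added example, not FreeIPA or python-gssapi code.
# python-gssapi reports the mechanism minor status as the unsigned 32-bit
# OM_uint32 value; libkrb5's com_err codes (and the values python-kerberos
# returned) are the same 32 bits read as a signed integer.

# krb5 com_err codes, ERROR_TABLE_BASE_krb5 + offset.  Values as recalled
# from libkrb5's error table; assumed, verify against krb5/krb5.h.
ERROR_TABLE_BASE_krb5 = -1765328384
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = ERROR_TABLE_BASE_krb5 + 7    # -1765328377
KRB5KRB_AP_ERR_TKT_EXPIRED = ERROR_TABLE_BASE_krb5 + 32        # -1765328352
KRB5_FCC_NOFILE = ERROR_TABLE_BASE_krb5 + 195                  # -1765328189

GSS_S_FAILURE = 13 << 16  # 851968, routine error "unspecified GSS failure"

UINT32_MAX = (1 << 32) - 1


def naive_to_signed(min_code):
    """First version from the patch: subtract 2**32 unconditionally.

    Right for every krb5 com_err code (they all have bit 31 set) but wrong
    for any minor status with bit 31 clear, e.g. 0 or an errno value."""
    return min_code - (1 << 32)


def to_signed(min_code):
    """Reinterpret an OM_uint32 minor status as a signed 32-bit integer."""
    if not 0 <= min_code <= UINT32_MAX:
        raise ValueError("minor status must fit in 32 unsigned bits: %r"
                         % (min_code,))
    if min_code & (1 << 31):
        min_code -= 1 << 32
    return min_code


def to_unsigned(code):
    """Inverse direction: signed com_err code -> the value GSSError.min_code
    carries for it (handy when writing tests against python-gssapi)."""
    return code & UINT32_MAX


def disagreements(min_codes):
    """Inputs on which the naive and the sign-bit conversion differ."""
    return [m for m in min_codes if naive_to_signed(m) != to_signed(m)]


class FakeGSSError(Exception):
    """Constructed stand-in for gssapi.exceptions.GSSError with just the two
    attributes the classifier reads; lets the block run without python-gssapi."""

    def __init__(self, maj_code, min_code):
        super(FakeGSSError, self).__init__(maj_code, min_code)
        self.maj_code = maj_code
        self.min_code = min_code


# Same dispatch shape as the visible part of KerbTransport._handle_exception,
# keyed on the signed code; values are the ipalib.errors class names it raises.
_KRB5_ERROR_CLASSES = {
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: "ServiceError",
    KRB5_FCC_NOFILE: "NoCCacheError",
    KRB5KRB_AP_ERR_TKT_EXPIRED: "TicketExpired",
}


def classify(err):
    """Name of the ipalib error the visible branches would raise for err,
    or None when no branch matches (e.g. a minor status of 0, a GSS-layer
    failure with no mechanism detail) and the caller has to handle it."""
    return _KRB5_ERROR_CLASSES.get(to_signed(err.min_code))


if __name__ == "__main__":
    samples = (to_unsigned(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN), 0, 2, (1 << 31) - 1)
    for unsigned in samples:
        print(unsigned, naive_to_signed(unsigned), to_signed(unsigned))
    print(classify(FakeGSSError(GSS_S_FAILURE, to_unsigned(KRB5_FCC_NOFILE))))
```

Running it shows the two conversions agreeing on 2529638919 (the unsigned form of KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) and diverging on 0, 2 and 2**31 - 1, which is exactly why the subtraction "doesn't make a difference here" yet is not the conversion to keep.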