From ee780df13c99a5465cd6df965772260c297a5eb2 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Sat, 25 Feb 2012 13:39:19 -0500 Subject: Implement password based session login * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095 --- ipalib/krb_utils.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'ipalib/krb_utils.py') diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py index 7e68bf67b..a8f7751dd 100644 --- a/ipalib/krb_utils.py +++ b/ipalib/krb_utils.py @@ -42,7 +42,7 @@ ccache_name_re = re.compile(r'^((\w+):)?(.+)') #------------------------------------------------------------------------------- -def krb5_parse_ccache(name): +def krb5_parse_ccache(ccache_name): ''' Given a Kerberos ccache name parse it into it's scheme and location components. Currently valid values for the scheme @@ -55,12 +55,12 @@ def krb5_parse_ccache(name): does not exist it defaults to FILE. :parameters: - name + ccache_name The name of the Kerberos ccache. :returns: A two-tuple of (scheme, ccache) ''' - match = ccache_name_re.search(name) + match = ccache_name_re.search(ccache_name) if match: scheme = match.group(2) location = match.group(3) @@ -71,7 +71,10 @@ def krb5_parse_ccache(name): return scheme, location else: - raise ValueError('Invalid ccache name = "%s"' % name) + raise ValueError('Invalid ccache name = "%s"' % ccache_name) + +def krb5_unparse_ccache(scheme, name): + return '%s:%s' % (scheme.upper(), name) def krb5_format_principal_name(user, realm): ''' @@ -388,5 +391,5 @@ class KRB5_CCache(object): except KeyError: pass - self.debug('"%s" ccache endtime=%s (%s)', self.ccache_str(), result, krb5_format_time(result)) + self.debug('KRB5_CCache %s endtime=%s (%s)', self.ccache_str(), result, krb5_format_time(result)) return result -- cgit