authorJan Cholasta <jcholast@redhat.com>2016-11-23 17:40:47 +0100
committerMartin Basti <mbasti@redhat.com>2016-11-29 14:50:51 +0100
commit7d5c680ace7ccea3b0f7f1471cf8dbc07b3da5a1 (patch)
tree9dbbb1c9cf63a236947ecee6d82ea16d4c256a3e /ipapython/ipautil.py
parent75b70e3f0d52a9c98f443d3fc2f7cef92bdc7b1a (diff)
ipautil: move kinit functions to ipalib.install
kinit_password() depends on ipaplatform. Move kinit_password() as well as kinit_keytab() to a new ipalib.install.kinit module, as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Diffstat (limited to 'ipapython/ipautil.py')
-rw-r--r--ipapython/ipautil.py85
1 files changed, 0 insertions, 85 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 931f13535..6a2118bc8 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -34,7 +34,6 @@ import datetime
import netaddr
import netifaces
import time
-import gssapi
import pwd
import grp
from contextlib import contextmanager
@@ -56,11 +55,6 @@ from ipapython.dn import DN
GEN_PWD_LEN = 22
GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user
-# Having this in krb_utils would cause circular import
-KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
-KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941 # A service is not available that is
- # required to process the request
-
class UnsafeIPAddress(netaddr.IPAddress):
"""Any valid IP address with or without netmask."""
@@ -1285,85 +1279,6 @@ def wait_for_open_socket(socket_name, timeout=0):
raise e
-def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
- """
- Given a ccache_path, keytab file and a principal kinit as that user.
-
- The optional parameter 'attempts' specifies how many times the credential
- initialization should be attempted in case of non-responsive KDC.
- """
- errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE,
- KRB5_KDC_UNREACH}
- root_logger.debug("Initializing principal %s using keytab %s"
- % (principal, keytab))
- root_logger.debug("using ccache %s" % ccache_name)
- for attempt in range(1, attempts + 1):
- old_config = os.environ.get('KRB5_CONFIG')
- if config is not None:
- os.environ['KRB5_CONFIG'] = config
- else:
- os.environ.pop('KRB5_CONFIG', None)
- try:
- name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
- store = {'ccache': ccache_name,
- 'client_keytab': keytab}
- cred = gssapi.Credentials(name=name, store=store, usage='initiate')
- root_logger.debug("Attempt %d/%d: success"
- % (attempt, attempts))
- return cred
- except gssapi.exceptions.GSSError as e:
- if e.min_code not in errors_to_retry: # pylint: disable=no-member
- raise
- root_logger.debug("Attempt %d/%d: failed: %s"
- % (attempt, attempts, e))
- if attempt == attempts:
- root_logger.debug("Maximum number of attempts (%d) reached"
- % attempts)
- raise
- root_logger.debug("Waiting 5 seconds before next retry")
- time.sleep(5)
- finally:
- if old_config is not None:
- os.environ['KRB5_CONFIG'] = old_config
- else:
- os.environ.pop('KRB5_CONFIG', None)
-
-
-def kinit_password(principal, password, ccache_name, config=None,
- armor_ccache_name=None, canonicalize=False,
- enterprise=False):
- """
- perform interactive kinit as principal using password. If using FAST for
- web-based authentication, use armor_ccache_path to specify http service
- ccache.
- """
- root_logger.debug("Initializing principal %s using password" % principal)
- args = [paths.KINIT, principal, '-c', ccache_name]
- if armor_ccache_name is not None:
- root_logger.debug("Using armor ccache %s for FAST webauth"
- % armor_ccache_name)
- args.extend(['-T', armor_ccache_name])
-
- if canonicalize:
- root_logger.debug("Requesting principal canonicalization")
- args.append('-C')
-
- if enterprise:
- root_logger.debug("Using enterprise principal")
- args.append('-E')
-
- env = {'LC_ALL': 'C'}
- if config is not None:
- env['KRB5_CONFIG'] = config
-
- # this workaround enables us to capture stderr and put it
- # into the raised exception in case of unsuccessful authentication
- result = run(args, stdin=password, env=env, raiseonerr=False,
- capture_error=True)
- if result.returncode:
- raise RuntimeError(result.error_output)
-
-
def dn_attribute_property(private_name):
'''
Create a property for a dn attribute which assures the attribute