author | Jan Cholasta <jcholast@redhat.com> | 2016-11-23 17:40:47 +0100 |
committer | Martin Basti <mbasti@redhat.com> | 2016-11-29 14:50:51 +0100 |
commit | 7d5c680ace7ccea3b0f7f1471cf8dbc07b3da5a1 (patch) | |
tree | 9dbbb1c9cf63a236947ecee6d82ea16d4c256a3e /ipapython/ipautil.py | |
parent | 75b70e3f0d52a9c98f443d3fc2f7cef92bdc7b1a (diff) | |
ipautil: move kinit functions to ipalib.install
kinit_password() depends on ipaplatform.
Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Diffstat (limited to 'ipapython/ipautil.py')
-rw-r--r-- | ipapython/ipautil.py | 85 |
1 files changed, 0 insertions, 85 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 931f13535..6a2118bc8 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -34,7 +34,6 @@ import datetime
 import netaddr
 import netifaces
 import time
-import gssapi
 import pwd
 import grp
 from contextlib import contextmanager
@@ -56,11 +55,6 @@ from ipapython.dn import DN
 GEN_PWD_LEN = 22
 GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user
-# Having this in krb_utils would cause circular import
-KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
-KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941 # A service is not available that is
- # required to process the request
-
 class UnsafeIPAddress(netaddr.IPAddress):
 """Any valid IP address with or without netmask."""
@@ -1285,85 +1279,6 @@ def wait_for_open_socket(socket_name, timeout=0):
 raise e
-def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
- """
- Given a ccache_path, keytab file and a principal kinit as that user.
-
- The optional parameter 'attempts' specifies how many times the credential
- initialization should be attempted in case of non-responsive KDC.
- """
- errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE,
- KRB5_KDC_UNREACH}
- root_logger.debug("Initializing principal %s using keytab %s"
- % (principal, keytab))
- root_logger.debug("using ccache %s" % ccache_name)
- for attempt in range(1, attempts + 1):
- old_config = os.environ.get('KRB5_CONFIG')
- if config is not None:
- os.environ['KRB5_CONFIG'] = config
- else:
- os.environ.pop('KRB5_CONFIG', None)
- try:
- name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
- store = {'ccache': ccache_name,
- 'client_keytab': keytab}
- cred = gssapi.Credentials(name=name, store=store, usage='initiate')
- root_logger.debug("Attempt %d/%d: success"
- % (attempt, attempts))
- return cred
- except gssapi.exceptions.GSSError as e:
- if e.min_code not in errors_to_retry: # pylint: disable=no-member
- raise
- root_logger.debug("Attempt %d/%d: failed: %s"
- % (attempt, attempts, e))
- if attempt == attempts:
- root_logger.debug("Maximum number of attempts (%d) reached"
- % attempts)
- raise
- root_logger.debug("Waiting 5 seconds before next retry")
- time.sleep(5)
- finally:
- if old_config is not None:
- os.environ['KRB5_CONFIG'] = old_config
- else:
- os.environ.pop('KRB5_CONFIG', None)
-
-
-def kinit_password(principal, password, ccache_name, config=None,
- armor_ccache_name=None, canonicalize=False,
- enterprise=False):
- """
- perform interactive kinit as principal using password. If using FAST for
- web-based authentication, use armor_ccache_path to specify http service
- ccache.
- """
- root_logger.debug("Initializing principal %s using password" % principal)
- args = [paths.KINIT, principal, '-c', ccache_name]
- if armor_ccache_name is not None:
- root_logger.debug("Using armor ccache %s for FAST webauth"
- % armor_ccache_name)
- args.extend(['-T', armor_ccache_name])
-
- if canonicalize:
- root_logger.debug("Requesting principal canonicalization")
- args.append('-C')
-
- if enterprise:
- root_logger.debug("Using enterprise principal")
- args.append('-E')
-
- env = {'LC_ALL': 'C'}
- if config is not None:
- env['KRB5_CONFIG'] = config
-
- # this workaround enables us to capture stderr and put it
- # into the raised exception in case of unsuccessful authentication
- result = run(args, stdin=password, env=env, raiseonerr=False,
- capture_error=True)
- if result.returncode:
- raise RuntimeError(result.error_output)
-
-
 def dn_attribute_property(private_name):
 '''
 Create a property for a dn attribute which assures the attribute