From 2f8033174775f55cb2377baf524fc36914aa38fa Mon Sep 17 00:00:00 2001

From: Simo Sorce <simo@redhat.com>

Date: Thu, 23 Mar 2017 13:02:00 -0400

Subject: [PATCH] Work around issues fetching session data

Unfortunately the MIT krb5 library has a severe limitation with FILE

ccaches when retrieving config data. It will always only search until

the first entry is found and return that one.

For FILE caches MIT krb5 does not support removing old entries when a

new one is stored, and storage happens only in append mode, so the end

result is that even if an update is stored it is never returned with the

standard krb5_cc_get_config() call.

To work around this issue we simply implement what krb5_cc_get_config()

does under the hood with the difference that we do not stop at the first

match but keep going until all ccache entries have been checked.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipapython/session_storage.py | 213 ++++++++++++++++++++++++++++++++++++++-----

 1 file changed, 190 insertions(+), 23 deletions(-)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py

index a88f9f7a75c73d4dc753183a100350d197d02199..f3094f60000aa6e3f4b27fe91092c4214936f651 100644

--- a/ipapython/session_storage.py

+++ b/ipapython/session_storage.py

@@ -13,6 +13,12 @@ try:

 except OSError as e:  # pragma: no cover

     raise ImportError(str(e))

+krb5_int32 = ctypes.c_int32

+krb5_error_code = krb5_int32

+krb5_magic = krb5_error_code

+krb5_enctype = krb5_int32

+krb5_octet = ctypes.c_uint8

+krb5_timestamp = krb5_int32

 class _krb5_context(ctypes.Structure):  # noqa

     """krb5/krb5.h struct _krb5_context"""

@@ -27,7 +33,7 @@ class _krb5_ccache(ctypes.Structure):  # noqa

 class _krb5_data(ctypes.Structure):  # noqa

     """krb5/krb5.h struct _krb5_data"""

     _fields_ = [

-        ("magic", ctypes.c_int32),

+        ("magic", krb5_magic),

         ("length", ctypes.c_uint),

         ("data", ctypes.c_char_p),

     ]

@@ -38,6 +44,63 @@ class krb5_principal_data(ctypes.Structure):  # noqa

     _fields_ = []

+class _krb5_keyblock(ctypes.Structure):  # noqa

+    """krb5/krb5.h struct _krb5_keyblock"""

+    _fields_ = [

+        ("magic", krb5_magic),

+        ("enctype", krb5_enctype),

+        ("length", ctypes.c_uint),

+        ("contents", ctypes.POINTER(krb5_octet))

+    ]

+

+

+class _krb5_ticket_times(ctypes.Structure):  # noqa

+    """krb5/krb5.h struct _krb5_ticket_times"""

+    _fields_ = [

+        ("authtime", krb5_timestamp),

+        ("starttime", krb5_timestamp),

+        ("endtime", krb5_timestamp),

+        ("renew_till", krb5_timestamp),

+    ]

+

+

+class _krb5_address(ctypes.Structure):  # noqa

+    """krb5/krb5.h struct _krb5_address"""

+    _fields_ = []

+

+

+class _krb5_authdata(ctypes.Structure):  # noqa

+    """krb5/krb5.h struct _krb5_authdata"""

+    _fields_ = []

+

+

+krb5_principal = ctypes.POINTER(krb5_principal_data)

+krb5_keyblock = _krb5_keyblock

+krb5_ticket_times = _krb5_ticket_times

+krb5_boolean = ctypes.c_uint

+krb5_flags = krb5_int32

+krb5_data = _krb5_data

+krb5_address_p = ctypes.POINTER(_krb5_address)

+krb5_authdata_p = ctypes.POINTER(_krb5_authdata)

+

+

+class _krb5_creds(ctypes.Structure):  # noqa

+    """krb5/krb5.h struct _krb5_creds"""

+    _fields_ = [

+        ("magic", krb5_magic),

+        ("client", krb5_principal),

+        ("server", krb5_principal),

+        ("keyblock", krb5_keyblock),

+        ("times", krb5_ticket_times),

+        ("is_skey", krb5_boolean),

+        ("ticket_flags", krb5_flags),

+        ("addresses", ctypes.POINTER(krb5_address_p)),

+        ("ticket", krb5_data),

+        ("second_ticket", krb5_data),

+        ("authdata", ctypes.POINTER(krb5_authdata_p))

+    ]

+

+

 class KRB5Error(Exception):

     pass

@@ -48,11 +111,13 @@ def krb5_errcheck(result, func, arguments):

         raise KRB5Error(result, func.__name__, arguments)

-krb5_principal = ctypes.POINTER(krb5_principal_data)

 krb5_context = ctypes.POINTER(_krb5_context)

 krb5_ccache = ctypes.POINTER(_krb5_ccache)

 krb5_data_p = ctypes.POINTER(_krb5_data)

 krb5_error = ctypes.c_int32

+krb5_creds = _krb5_creds

+krb5_pointer = ctypes.c_void_p

+krb5_cc_cursor = krb5_pointer

 krb5_init_context = LIBKRB5.krb5_init_context

 krb5_init_context.argtypes = (ctypes.POINTER(krb5_context), )

@@ -61,15 +126,15 @@ krb5_init_context.errcheck = krb5_errcheck

 krb5_free_context = LIBKRB5.krb5_free_context

 krb5_free_context.argtypes = (krb5_context, )

-krb5_free_context.retval = None

+krb5_free_context.restype = None

 krb5_free_principal = LIBKRB5.krb5_free_principal

 krb5_free_principal.argtypes = (krb5_context, krb5_principal)

-krb5_free_principal.retval = None

+krb5_free_principal.restype = None

 krb5_free_data_contents = LIBKRB5.krb5_free_data_contents

 krb5_free_data_contents.argtypes = (krb5_context, krb5_data_p)

-krb5_free_data_contents.retval = None

+krb5_free_data_contents.restype = None

 krb5_cc_default = LIBKRB5.krb5_cc_default

 krb5_cc_default.argtypes = (krb5_context, ctypes.POINTER(krb5_ccache), )

@@ -78,26 +143,79 @@ krb5_cc_default.errcheck = krb5_errcheck

 krb5_cc_close = LIBKRB5.krb5_cc_close

 krb5_cc_close.argtypes = (krb5_context, krb5_ccache, )

-krb5_cc_close.retval = krb5_error

+krb5_cc_close.restype = krb5_error

 krb5_cc_close.errcheck = krb5_errcheck

 krb5_parse_name = LIBKRB5.krb5_parse_name

 krb5_parse_name.argtypes = (krb5_context, ctypes.c_char_p,

                             ctypes.POINTER(krb5_principal), )

-krb5_parse_name.retval = krb5_error

+krb5_parse_name.restype = krb5_error

 krb5_parse_name.errcheck = krb5_errcheck

 krb5_cc_set_config = LIBKRB5.krb5_cc_set_config

 krb5_cc_set_config.argtypes = (krb5_context, krb5_ccache, krb5_principal,

                                ctypes.c_char_p, krb5_data_p, )

-krb5_cc_set_config.retval = krb5_error

+krb5_cc_set_config.restype = krb5_error

 krb5_cc_set_config.errcheck = krb5_errcheck

-krb5_cc_get_config = LIBKRB5.krb5_cc_get_config

-krb5_cc_get_config.argtypes = (krb5_context, krb5_ccache, krb5_principal,

-                               ctypes.c_char_p, krb5_data_p, )

-krb5_cc_get_config.retval = krb5_error

-krb5_cc_get_config.errcheck = krb5_errcheck

+krb5_cc_get_principal = LIBKRB5.krb5_cc_get_principal

+krb5_cc_get_principal.argtypes = (krb5_context, krb5_ccache,

+                                  ctypes.POINTER(krb5_principal), )

+krb5_cc_get_principal.restype = krb5_error

+krb5_cc_get_principal.errcheck = krb5_errcheck

+

+# krb5_build_principal is a variadic function but that can't be expressed

+# in a ctypes argtypes definition, so I explicitly listed the number of

+# arguments we actually use through the code for type checking purposes

+krb5_build_principal = LIBKRB5.krb5_build_principal

+krb5_build_principal.argtypes = (krb5_context, ctypes.POINTER(krb5_principal),

+                                 ctypes.c_uint, ctypes.c_char_p,

+                                 ctypes.c_char_p, ctypes.c_char_p,

+                                 ctypes.c_char_p, ctypes.c_char_p, )

+krb5_build_principal.restype = krb5_error

+krb5_build_principal.errcheck = krb5_errcheck

+

+krb5_cc_start_seq_get = LIBKRB5.krb5_cc_start_seq_get

+krb5_cc_start_seq_get.argtypes = (krb5_context, krb5_ccache,

+                                  ctypes.POINTER(krb5_cc_cursor), )

+krb5_cc_start_seq_get.restype = krb5_error

+krb5_cc_start_seq_get.errcheck = krb5_errcheck

+

+krb5_cc_next_cred = LIBKRB5.krb5_cc_next_cred

+krb5_cc_next_cred.argtypes = (krb5_context, krb5_ccache,

+                              ctypes.POINTER(krb5_cc_cursor),

+                              ctypes.POINTER(krb5_creds), )

+krb5_cc_next_cred.restype = krb5_error

+krb5_cc_next_cred.errcheck = krb5_errcheck

+

+krb5_cc_end_seq_get = LIBKRB5.krb5_cc_end_seq_get

+krb5_cc_end_seq_get.argtypes = (krb5_context, krb5_ccache,

+                                ctypes.POINTER(krb5_cc_cursor), )

+krb5_cc_end_seq_get.restype = krb5_error

+krb5_cc_end_seq_get.errcheck = krb5_errcheck

+

+krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents

+krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds))

+krb5_free_cred_contents.restype = krb5_error

+krb5_free_cred_contents.errcheck = krb5_errcheck

+

+krb5_principal_compare = LIBKRB5.krb5_principal_compare

+krb5_principal_compare.argtypes = (krb5_context, krb5_principal,

+                                   krb5_principal, )

+krb5_principal_compare.restype = krb5_boolean

+

+krb5_unparse_name = LIBKRB5.krb5_unparse_name

+krb5_unparse_name.argtypes = (krb5_context, krb5_principal,

+                              ctypes.POINTER(ctypes.c_char_p), )

+krb5_unparse_name.restype = krb5_error

+krb5_unparse_name.errcheck = krb5_errcheck

+

+krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name

+krb5_free_unparsed_name.argtypes = (krb5_context, ctypes.c_char_p, )

+krb5_free_unparsed_name.restype = None

+

+CONF_REALM = "X-CACHECONF:"

+CONF_NAME = "krb5_ccache_conf_data"

 def store_data(princ_name, key, value):

@@ -144,29 +262,78 @@ def get_data(princ_name, key):

     """

     context = krb5_context()

     principal = krb5_principal()

+    srv_princ = krb5_principal()

     ccache = krb5_ccache()

-    data = _krb5_data()

+    pname_princ = krb5_principal()

+    pname = ctypes.c_char_p()

     try:

         krb5_init_context(ctypes.byref(context))

-        krb5_parse_name(context, ctypes.c_char_p(princ_name),

-                        ctypes.byref(principal))

-

         krb5_cc_default(context, ctypes.byref(ccache))

+        krb5_cc_get_principal(context, ccache, ctypes.byref(principal))

-        krb5_cc_get_config(context, ccache, principal, key,

-                           ctypes.byref(data))

-

-        return str(data.data)

+        # We need to parse and then unparse the name in case the pric_name

+        # passed in comes w/o a realm attached

+        krb5_parse_name(context, ctypes.c_char_p(princ_name),

+                        ctypes.byref(pname_princ))

+        krb5_unparse_name(context, pname_princ, ctypes.byref(pname))

+

+        krb5_build_principal(context, ctypes.byref(srv_princ),

+                             len(CONF_REALM), ctypes.c_char_p(CONF_REALM),

+                             ctypes.c_char_p(CONF_NAME), ctypes.c_char_p(key),

+                             pname, ctypes.c_char_p(None))

+

+        # Unfortunately we can't just use krb5_cc_get_config()

+        # because of bugs in some ccache handling code in krb5

+        # libraries that would always return the first entry

+        # stored and not the last one, which is the one we want.

+        cursor = krb5_cc_cursor()

+        creds = krb5_creds()

+        got_creds = False

+        krb5_cc_start_seq_get(context, ccache, ctypes.byref(cursor))

+        try:

+            while True:

+                checkcreds = krb5_creds()

+                # the next function will throw an error and break out of the

+                # while loop when we try to access past the last cred

+                krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),

+                                  ctypes.byref(checkcreds))

+                if (krb5_principal_compare(context, principal,

+                                          checkcreds.client) == 1 and

+                    krb5_principal_compare(context, srv_princ,

+                                           checkcreds.server) == 1):

+                    if got_creds:

+                        krb5_free_cred_contents(context, ctypes.byref(creds))

+                    creds = checkcreds

+                    got_creds = True

+                    # We do not stop here, as we want the LAST entry

+                    # in the ccache for those ccaches that cannot delete

+                    # but only always append, like FILE

+                else:

+                    krb5_free_cred_contents(context,

+                                            ctypes.byref(checkcreds))

+        except KRB5Error:

+            pass

+        finally:

+            krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))

+

+        if got_creds:

+            data = creds.ticket.data.decode('utf-8')

+            krb5_free_cred_contents(context, ctypes.byref(creds))

+            return data

     finally:

         if principal:

             krb5_free_principal(context, principal)

+        if srv_princ:

+            krb5_free_principal(context, srv_princ)

+        if pname_princ:

+            krb5_free_principal(context, pname_princ)

+        if pname:

+            krb5_free_unparsed_name(context, pname)

         if ccache:

             krb5_cc_close(context, ccache)

-        if data:

-            krb5_free_data_contents(context, data)

         if context:

             krb5_free_context(context)

-- 

2.12.1