diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1123c8f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/python-kerberos-1.1.tar.gz
diff --git a/.python-kerberos.metadata b/.python-kerberos.metadata
new file mode 100644
index 0000000..7a91ee4
--- /dev/null
+++ b/.python-kerberos.metadata
@@ -0,0 +1 @@
+910f10a001a4ccecd2c90311b4f919b6eb571b57 SOURCES/python-kerberos-1.1.tar.gz
diff --git a/SOURCES/PyKerberos-delegation.patch b/SOURCES/PyKerberos-delegation.patch
new file mode 100644
index 0000000..be6d05b
--- /dev/null
+++ b/SOURCES/PyKerberos-delegation.patch
@@ -0,0 +1,136 @@ +diff -uPr python-kerberos-1.1/pysrc/kerberos.py python-kerberos-1.1-gssflags/pysrc/kerberos.py +--- python-kerberos-1.1/pysrc/kerberos.py 2008-09-17 07:17:15.000000000 -0400 ++++ python-kerberos-1.1-gssflags/pysrc/kerberos.py 2008-12-15 09:21:42.000000000 -0500 +@@ -90,7 +90,18 @@ + AUTH_GSS_CONTINUE=0 + AUTH_GSS_COMPLETE=1 + +-def authGSSClientInit(service): ++#Some useful gss flags ++GSS_C_DELEG_FLAG=1 ++GSS_C_MUTUAL_FLAG=2 ++GSS_C_REPLAY_FLAG=4 ++GSS_C_SEQUENCE_FLAG=8 ++GSS_C_CONF_FLAG=16 ++GSS_C_INTEG_FLAG=32 ++GSS_C_ANON_FLAG=64 ++GSS_C_PROT_READY_FLAG=128 ++GSS_C_TRANS_FLAG=256 ++ ++def authGSSClientInit(service, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG): + """ + Initializes a context for GSSAPI client-side authentication with the given service principal. + authGSSClientClean must be called after this function returns an OK result to dispose of +@@ -98,6 +109,9 @@ + + @param service: a string containing the service principal in the form 'type@fqdn' + (e.g. 'imap@mail.apple.com'). ++ @param gssflags: optional integer used to set GSS flags. ++ (e.g. GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG will allow ++ to forward credentials to the remote host) + @return: a tuple of (result, context) where result is the result code (see above) and + context is an opaque value that will need to be passed to subsequent functions. 
+ """ +diff -uPr python-kerberos-1.1/src/kerberos.c python-kerberos-1.1-gssflags/src/kerberos.c +--- python-kerberos-1.1/src/kerberos.c 2008-09-17 05:38:55.000000000 -0400 ++++ python-kerberos-1.1-gssflags/src/kerberos.c 2008-12-15 09:26:39.000000000 -0500 +@@ -84,20 +84,22 @@ + return NULL; + } + +-static PyObject* authGSSClientInit(PyObject* self, PyObject* args) ++static PyObject* authGSSClientInit(PyObject* self, PyObject* args, PyObject* keywds) + { + const char *service; + gss_client_state *state; + PyObject *pystate; ++ static char *kwlist[] = {"service", "gssflags", NULL}; ++ long int gss_flags = GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG; + int result = 0; + +- if (!PyArg_ParseTuple(args, "s", &service)) ++ if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|l", kwlist, &service, &gss_flags)) + return NULL; + + state = (gss_client_state *) malloc(sizeof(gss_client_state)); + pystate = PyCObject_FromVoidPtr(state, NULL); + +- result = authenticate_gss_client_init(service, state); ++ result = authenticate_gss_client_init(service, gss_flags, state); + if (result == AUTH_GSS_ERROR) + return NULL; + +@@ -367,7 +369,7 @@ + "Change the user password."}, + {"getServerPrincipalDetails", getServerPrincipalDetails, METH_VARARGS, + "Return the service principal for a given service and hostname."}, +- {"authGSSClientInit", authGSSClientInit, METH_VARARGS, ++ {"authGSSClientInit", (PyCFunction)authGSSClientInit, METH_VARARGS|METH_KEYWORDS, + "Initialize client-side GSSAPI operations."}, + {"authGSSClientClean", authGSSClientClean, METH_VARARGS, + "Terminate client-side GSSAPI operations."}, +@@ -427,6 +429,15 @@ + PyDict_SetItemString(d, "AUTH_GSS_COMPLETE", PyInt_FromLong(AUTH_GSS_COMPLETE)); + PyDict_SetItemString(d, "AUTH_GSS_CONTINUE", PyInt_FromLong(AUTH_GSS_CONTINUE)); + ++ PyDict_SetItemString(d, "GSS_C_DELEG_FLAG", PyInt_FromLong(GSS_C_DELEG_FLAG)); ++ PyDict_SetItemString(d, "GSS_C_MUTUAL_FLAG", PyInt_FromLong(GSS_C_MUTUAL_FLAG)); ++ PyDict_SetItemString(d, 
"GSS_C_REPLAY_FLAG", PyInt_FromLong(GSS_C_REPLAY_FLAG)); ++ PyDict_SetItemString(d, "GSS_C_SEQUENCE_FLAG", PyInt_FromLong(GSS_C_SEQUENCE_FLAG)); ++ PyDict_SetItemString(d, "GSS_C_CONF_FLAG", PyInt_FromLong(GSS_C_CONF_FLAG)); ++ PyDict_SetItemString(d, "GSS_C_INTEG_FLAG", PyInt_FromLong(GSS_C_INTEG_FLAG)); ++ PyDict_SetItemString(d, "GSS_C_ANON_FLAG", PyInt_FromLong(GSS_C_ANON_FLAG)); ++ PyDict_SetItemString(d, "GSS_C_PROT_READY_FLAG", PyInt_FromLong(GSS_C_PROT_READY_FLAG)); ++ PyDict_SetItemString(d, "GSS_C_TRANS_FLAG", PyInt_FromLong(GSS_C_TRANS_FLAG)); + error: + if (PyErr_Occurred()) + PyErr_SetString(PyExc_ImportError, "kerberos: init failed"); +diff -uPr python-kerberos-1.1/src/kerberosgss.c python-kerberos-1.1-gssflags/src/kerberosgss.c +--- python-kerberos-1.1/src/kerberosgss.c 2008-09-17 06:35:15.000000000 -0400 ++++ python-kerberos-1.1-gssflags/src/kerberosgss.c 2008-12-15 09:21:42.000000000 -0500 +@@ -108,7 +108,7 @@ + return result; + } + +-int authenticate_gss_client_init(const char* service, gss_client_state* state) ++int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state) + { + OM_uint32 maj_stat; + OM_uint32 min_stat; +@@ -119,6 +119,7 @@ + state->context = GSS_C_NO_CONTEXT; + state->username = NULL; + state->response = NULL; ++ state->gss_flags = gss_flags; + + // Import server name first + name_token.length = strlen(service); +@@ -190,7 +191,7 @@ + &state->context, + state->server_name, + GSS_C_NO_OID, +- GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, ++ (OM_uint32)state->gss_flags, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, +diff -uPr python-kerberos-1.1/src/kerberosgss.h python-kerberos-1.1-gssflags/src/kerberosgss.h +--- python-kerberos-1.1/src/kerberosgss.h 2008-05-23 12:40:38.000000000 -0400 ++++ python-kerberos-1.1-gssflags/src/kerberosgss.h 2008-12-15 09:21:42.000000000 -0500 +@@ -33,6 +33,7 @@ + typedef struct { + gss_ctx_id_t context; + gss_name_t server_name; ++ long int gss_flags; + char* 
username; + char* response; + } gss_client_state; +@@ -49,7 +50,7 @@ + + char* server_principal_details(const char* service, const char* hostname); + +-int authenticate_gss_client_init(const char* service, gss_client_state* state); ++int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state); + int authenticate_gss_client_clean(gss_client_state *state); + int authenticate_gss_client_step(gss_client_state *state, const char *challenge); + int authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge); diff --git a/SOURCES/PyKerberos-gsswrap.patch b/SOURCES/PyKerberos-gsswrap.patch new file mode 100644 index 0000000..1e286aa --- /dev/null +++ b/SOURCES/PyKerberos-gsswrap.patch @@ -0,0 +1,11 @@ +--- python-kerberos-1.1/src/kerberosgss.c-orig 2009-11-11 14:26:47.000000000 -0500 ++++ python-kerberos-1.1/src/kerberosgss.c 2009-11-28 16:17:59.000000000 -0500 +@@ -355,7 +355,7 @@ int authenticate_gss_client_wrap(gss_cli + // server decides if principal can log in as user + strncpy(buf + 4, user, sizeof(buf) - 4); + input_token.value = buf; +- input_token.length = 4 + strlen(user) + 1; ++ input_token.length = 4 + strlen(user); + } + + // Do GSSAPI wrap diff --git a/SOURCES/PyKerberos-inquire.patch b/SOURCES/PyKerberos-inquire.patch new file mode 100644 index 0000000..ef6e446 --- /dev/null +++ b/SOURCES/PyKerberos-inquire.patch 
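Review bot: The new `gssflags` argument replaces the default flag set instead of adding to it, so a caller who passes only `GSS_C_DELEG_FLAG` silently loses `GSS_C_MUTUAL_FLAG` and `GSS_C_SEQUENCE_FLAG`. The docstring added in pysrc/kerberos.py should say so, e.g. `@param gssflags: replaces the default (GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG); include GSS_C_MUTUAL_FLAG explicitly when adding other flags.` It should also state that `GSS_C_DELEG_FLAG` forwards the caller's credentials to the remote service, so it belongs only on connections to hosts trusted to act as the user. In src/kerberos.c the value is parsed as a `long` with format `l` and later narrowed with `(OM_uint32)state->gss_flags`, so negative or oversized values are truncated rather than rejected; a range check after `PyArg_ParseTupleAndKeywords` that raises `ValueError` would keep unexpected bits out of the `gss_init_sec_context` call. The bodies of `authGSSClientInit` and `authenticate_gss_client_init` continue outside the inner hunks.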
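Review bot: The corrected length `4 + strlen(user)` is still derived from the unbounded `user` string, while the preceding `strncpy(buf + 4, user, sizeof(buf) - 4)` copies at most `sizeof(buf) - 4` bytes. For a long enough `user`, `input_token.length` would therefore exceed the buffer and the wrap call would read past `buf`, which `strncpy` also leaves unterminated in that case. Bounding the length, e.g. `input_token.length = 4 + strnlen(user, sizeof(buf) - 4);`, or rejecting an over-long `user` with an error before the copy, would close that gap. The declaration of `buf` and the rest of `authenticate_gss_client_wrap` are outside the hunk, so the buffer size should be confirmed there.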
@@ -0,0 +1,126 @@ +diff -rupN python-kerberos-1.1.orig/src/kerberos.c python-kerberos-1.1/src/kerberos.c +--- python-kerberos-1.1.orig/src/kerberos.c 2014-01-16 20:52:24.684000000 -0700 ++++ python-kerberos-1.1/src/kerberos.c 2014-01-16 20:53:14.182000000 -0700 +@@ -250,6 +250,30 @@ static PyObject *authGSSClientWrap(PyObj + return Py_BuildValue("i", result); + } + ++static PyObject *authGSSClientInquireCred(PyObject *self, PyObject *args) ++{ ++ gss_client_state *state; ++ PyObject *pystate; ++ int result = 0; ++ if (!PyArg_ParseTuple(args, "O", &pystate)) ++ return NULL; ++ ++ if (!PyCObject_Check(pystate)) { ++ PyErr_SetString(PyExc_TypeError, "Expected a context object"); ++ return NULL; ++ } ++ ++ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); ++ if (state == NULL) ++ return NULL; ++ ++ result = authenticate_gss_client_inquire_cred(state); ++ if (result == AUTH_GSS_ERROR) ++ return NULL; ++ ++ return Py_BuildValue("i", result); ++} ++ + static PyObject *authGSSServerInit(PyObject *self, PyObject *args) + { + const char *service; +@@ -379,12 +403,16 @@ static PyMethodDef KerberosMethods[] = { + "Get the response from the last client-side GSSAPI step."}, + {"authGSSClientUserName", authGSSClientUserName, METH_VARARGS, + "Get the user name from the last client-side GSSAPI step."}, ++ {"authGSSClientInquireCred", authGSSClientInquireCred, METH_VARARGS, ++ "Get the current user name, if any, without a client-side GSSAPI step"}, + {"authGSSServerInit", authGSSServerInit, METH_VARARGS, + "Initialize server-side GSSAPI operations."}, + {"authGSSClientWrap", authGSSClientWrap, METH_VARARGS, + "Do a GSSAPI wrap."}, + {"authGSSClientUnwrap", authGSSClientUnwrap, METH_VARARGS, + "Do a GSSAPI unwrap."}, ++ {"authGSSClientInquireCred", authGSSClientInquireCred, METH_VARARGS, ++ "Get the current user name, if any."}, + {"authGSSServerClean", authGSSServerClean, METH_VARARGS, + "Terminate server-side GSSAPI operations."}, + {"authGSSServerStep", authGSSServerStep, 
METH_VARARGS, +diff -rupN python-kerberos-1.1.orig/src/kerberosgss.c python-kerberos-1.1/src/kerberosgss.c +--- python-kerberos-1.1.orig/src/kerberosgss.c 2014-01-16 20:52:24.739000000 -0700 ++++ python-kerberos-1.1/src/kerberosgss.c 2014-01-16 20:53:14.183000000 -0700 +@@ -388,6 +388,60 @@ end: + return ret; + } + ++int authenticate_gss_client_inquire_cred(gss_client_state* state) ++{ ++ OM_uint32 maj_stat; ++ OM_uint32 min_stat; ++ gss_cred_id_t client_creds = GSS_C_NO_CREDENTIAL; ++ gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER; ++ gss_name_t name = GSS_C_NO_NAME; ++ int ret = AUTH_GSS_COMPLETE; ++ ++ // Get credentials ++ maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE, ++ GSS_C_NO_OID_SET, GSS_C_INITIATE, &client_creds, NULL, NULL); ++ ++ if (GSS_ERROR(maj_stat)) ++ { ++ set_gss_error(maj_stat, min_stat); ++ ret = AUTH_GSS_ERROR; ++ goto end; ++ } ++ ++ // Get the name ++ maj_stat = gss_inquire_cred(&min_stat, client_creds, &name, ++ NULL, NULL, NULL); ++ ++ if (GSS_ERROR(maj_stat)) ++ { ++ set_gss_error(maj_stat, min_stat); ++ ret = AUTH_GSS_ERROR; ++ goto end; ++ } ++ ++ maj_stat = gss_display_name(&min_stat, name, &name_token, NULL); ++ ++ if (GSS_ERROR(maj_stat)) ++ { ++ set_gss_error(maj_stat, min_stat); ++ ret = AUTH_GSS_ERROR; ++ goto end; ++ } ++ ++ state->username = strndup(name_token.value, name_token.length); ++ if (!state->username) { ++ set_gss_error(GSS_S_FAILURE, ENOMEM); ++ ret = AUTH_GSS_ERROR; ++ } ++ ++end: ++ (void)gss_release_cred(&min_stat, &client_creds); ++ (void)gss_release_buffer(&min_stat, &name_token); ++ (void)gss_release_name(&min_stat, &name); ++ ++ return ret; ++} ++ + int authenticate_gss_server_init(const char *service, gss_server_state *state) + { + OM_uint32 maj_stat; +diff -rupN python-kerberos-1.1.orig/src/kerberosgss.h python-kerberos-1.1/src/kerberosgss.h +--- python-kerberos-1.1.orig/src/kerberosgss.h 2014-01-16 20:52:24.759000000 -0700 ++++ python-kerberos-1.1/src/kerberosgss.h 2014-01-16 
20:53:37.505000000 -0700 +@@ -55,6 +55,7 @@ int authenticate_gss_client_clean(gss_cl + int authenticate_gss_client_step(gss_client_state *state, const char *challenge); + int authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge); + int authenticate_gss_client_wrap(gss_client_state* state, const char* challenge, const char* user); ++int authenticate_gss_client_inquire_cred(gss_client_state* state); + + int authenticate_gss_server_init(const char* service, gss_server_state* state); + int authenticate_gss_server_clean(gss_server_state *state); diff --git a/SOURCES/PyKerberos-version.patch b/SOURCES/PyKerberos-version.patch new file mode 100644 index 0000000..2bbd8cb --- /dev/null +++ b/SOURCES/PyKerberos-version.patch @@ -0,0 +1,12 @@ +diff -u --recursive python-kerberos-1.1/setup.py python-kerberos-1.1-version/setup.py +--- python-kerberos-1.1/setup.py 2008-04-16 16:15:24.000000000 -0400 ++++ python-kerberos-1.1-version/setup.py 2013-06-17 15:40:26.446493040 -0400 +@@ -22,7 +22,7 @@ + + setup ( + name = "kerberos", +- version = "1.0", ++ version = "1.1", + description = "Kerberos high-level interface", + ext_modules = [ + Extension( diff --git a/SPECS/python-kerberos.spec b/SPECS/python-kerberos.spec new file mode 100644 index 0000000..e019fea --- /dev/null +++ b/SPECS/python-kerberos.spec 
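Review bot: `authenticate_gss_client_inquire_cred` assigns `state->username = strndup(name_token.value, name_token.length);` without releasing any value already stored in that field, so calling it twice, or after a step that populated the username, appears to leak the earlier string. Adding `free(state->username);` before the assignment would fix this, provided the field is always NULL or heap-allocated, which the `state->username = NULL;` in the client init code suggests but which should be confirmed. The `KerberosMethods` table in the same patch registers `"authGSSClientInquireCred"` twice with different doc strings; one entry should be dropped. In the wrapper, `if (state == NULL) return NULL;` returns to the interpreter without setting an exception, unlike the `PyErr_SetString(PyExc_TypeError, ...)` path just above it.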
@@ -0,0 +1,140 @@ +%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} +%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} +Name: python-kerberos +Version: 1.1 +Release: 15%{?dist} +Summary: A high-level wrapper for Kerberos (GSSAPI) operations + +Group: System Environment/Libraries +License: ASL 2.0 +URL: http://trac.calendarserver.org/projects/calendarserver/browser/PyKerberos +# Pull from SVN +# svn export http://svn.calendarserver.org/repository/calendarserver/PyKerberos/tags/release/PyKerberos-1.1/ python-kerberos-1.1 +# tar czf python-kerberos-%{version}.tar.gz python-kerberos-%{version} +Source0: %{name}-%{version}.tar.gz +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: python-devel +BuildRequires: krb5-devel +BuildRequires: python-setuptools + +Patch0: PyKerberos-delegation.patch +Patch1: PyKerberos-version.patch +Patch2: PyKerberos-gsswrap.patch +Patch3: PyKerberos-inquire.patch + +%description +This Python package is a high-level wrapper for Kerberos (GSSAPI) operations. +The goal is to avoid having to build a module that wraps the entire +Kerberos.framework, and instead offer a limited set of functions that do what +is needed for client/serverKerberos authentication based on +. + +Much of the C-code here is adapted from Apache's mod_auth_kerb-5.0rc7. 
+ + +%prep +%setup -q + +%patch0 -p1 -b .delegation +%patch1 -p1 -b .version +%patch2 -p1 -b .gsswrap +%patch3 -p1 -b .inquire + +%build +%{__python} setup.py build + +%install +rm -rf $RPM_BUILD_ROOT +%{__python} setup.py install --skip-build --root $RPM_BUILD_ROOT + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root,-) +%doc README.txt LICENSE test.py +%{python_sitearch}/* + + +%changelog +* Mon Sep 8 2014 Rob Crittenden - 1.1-15 +- Add patch to allow inquiring the current client credentials + (#1053860) + +* Mon Sep 8 2014 Rob Crittenden - 1.1-14 +- Fix calculation of username string length in authenticate_gss_client_wrap + (#1112373) + +* Fri Jan 24 2014 Daniel Mach - 1.1-13 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 1.1-12 +- Mass rebuild 2013-12-27 + +* Mon Jun 17 2013 Rob Crittenden - 1.1-11 +- Fix version in setup.py so egg information is correct (#975202) + +* Thu Feb 14 2013 Fedora Release Engineering - 1.1-10.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sat Jul 21 2012 Fedora Release Engineering - 1.1-9.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jan 14 2012 Fedora Release Engineering - 1.1-8.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 1.1-7.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Jul 22 2010 David Malcolm - 1.1-6.1 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Sun Jul 26 2009 Fedora Release Engineering - 1.1-5.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Feb 26 2009 Fedora Release Engineering - 1.1-4.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Dec 15 2008 Simo Sorce - 1.1-3.1 +- Fix minor issue with delegation patch + +* Fri Dec 12 2008 Simo Sorce - 1.1-3 +- Add delegation patch + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1.1-2 +- 
Rebuild for Python 2.6 + +* Thu Nov 27 2008 Simo Sorce - 1.1-1 +- New Upstream Release +- Remove patches as this version has them included already + +* Tue Feb 19 2008 Fedora Release Engineering - 1.0-6 +- Autorebuild for GCC 4.3 + +* Wed Jan 16 2008 Rob Crittenden - 1.0-5 +- Package the egg-info too + +* Wed Jan 16 2008 Rob Crittenden - 1.0-4 +- Switch from python_sitelib macro to python_sitearch +- Add python-setuptools to BuildRequires + +* Wed Jan 16 2008 Rob Crittenden - 1.0-3 +- Use the setup.py install target in order to generate debuginfo. + +* Thu Jan 3 2008 Rob Crittenden - 1.0-2 +- Add krb5-devel to BuildRequires + +* Wed Jan 2 2008 Rob Crittenden - 1.0-1 +- Change name to python-kerberos from PyKerberos +- Change license from "Apache License" to ASL 2.0 per guidelines +- Upstream released 1.0 which is equivalent to version 1541. Reverting + to that. + +* Tue Aug 28 2007 Rob Crittenden - 0.1735-2 +- Include GSS_C_DELEG_FLAG in gss_init_sec_context() so the command-line + tools can do kerberos ticket forwarding. + +* Tue Jul 31 2007 Rob Crittenden - 0.1735-1 +- Initial rpm version
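Review bot: `Source0` is a tarball produced by hand from an `svn export` over plain `http://`, per the comments above it, so there is no upstream-published archive or signature to compare the build input against. The only integrity pin visible in this commit is the SHA-1 recorded in `.python-kerberos.metadata`. A comment next to `Source0` would make the verification step explicit for whoever regenerates the archive, e.g. `# Locally generated archive; must match the checksum in .python-kerberos.metadata`. The `%description` text also contains a dangling "based on" with nothing after it, which looks like a reference lost upstream of this spec.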