Krb5 utils stuff #211

Closed
wants to merge 4 commits into from
32 changes: 32 additions & 0 deletions ocflib/account/utils.py
Expand Up @@ -2,11 +2,15 @@
import grp
import os.path
import re
import subprocess

import pexpect

import ocflib.account.validators as validators
from ocflib.infra.ldap import OCF_LDAP_PEOPLE
import ocflib.misc.krb5

LDAP_MAIL_ATTR = 'mail'


def password_matches(username, password):
Expand Down Expand Up @@ -91,3 +95,31 @@ def dn_for_username(username):
user=username,
base_people=OCF_LDAP_PEOPLE,
)


def get_email(username, have_ticket=True, operatorname=""):
"""Returns current email, or None."""
"""Assume a ticket is created already, otherwise this'd require username and help you do that"""

if not have_ticket:
if operatorname == "":
# Or do you want this to just automatically be current user?
raise ValueError("Operator username must not be empty.")
ocflib.misc.krb5.kerberos_init(operatorname)

# Since the mail attribute is private, and we can't get the attribute's
# value without authenticating, we have to use ldapsearch here instead of
# something like ldap3.
output = subprocess.check_output(
('ldapsearch', '-LLL', 'uid={}'.format(username), LDAP_MAIL_ATTR),
stderr=subprocess.DEVNULL,
).decode('utf-8').split('\n')

if not have_ticket:
ocflib.misc.krb5.kerberos_destroy()

mail_attr = [attr for attr in output if attr.startswith(LDAP_MAIL_ATTR + ': ')]

if mail_attr:
# Strip the '{LDAP_MAIL_ATTR}: ' from the beginning of the string
return mail_attr[0][len(LDAP_MAIL_ATTR) + 2:].strip()
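Review bot: The caller-supplied username goes straight into the LDAP filter `'uid={}'.format(username)` with no validation or RFC 4515 escaping, so a value containing `*` or `)(` changes the query that runs with the operator's admin ticket; `validators` is already imported in this file, so run its username check before building the filter (if it exposes one), or escape the value. Separately, `kerberos_destroy()` is skipped when `check_output` raises, which leaves the freshly obtained admin ticket in the cache, and it is also called when `kerberos_init` returned False, which tears down a ticket the operator already had before this call. The rewrite below records whether `kerberos_init` actually ran `kinit` and moves the teardown into a `finally`. Note also that `ldapsearch` emits values it cannot print plainly as `mail:: <base64>` and folds long lines, which the `startswith('mail: ')` scan would miss — worth a comment, or handling, if such addresses can occur.
```python
def get_email(username, have_ticket=True, operatorname=""):
    # … unchanged: docstrings …
    created_ticket = False
    if not have_ticket:
        if operatorname == "":
            raise ValueError("Operator username must not be empty.")
        # Only tear down a ticket this call created; a pre-existing one
        # belongs to the operator's session.
        created_ticket = ocflib.misc.krb5.kerberos_init(operatorname)

    try:
        output = subprocess.check_output(
            ('ldapsearch', '-LLL', 'uid={}'.format(username), LDAP_MAIL_ATTR),
            stderr=subprocess.DEVNULL,
        ).decode('utf-8').split('\n')
    finally:
        # Runs even when ldapsearch fails, so the ticket is never left behind.
        if created_ticket:
            ocflib.misc.krb5.kerberos_destroy()

    # … unchanged: mail_attr extraction and return …
```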
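--- /dev/null
+++ b/ocflib/misc/krb5.py
@@ -0,0 +1,25 @@
+"""Some utilities for shelling out and do kerberos stuff.
+This should be considered temporary and find a non-shell out solution for our happiness"""
+import json
+import subprocess
+
+# Initiates a kerberos ticket for current user
+# Returns True when a new ticket is created via kinit so that we destroy it afterwards
+# Raises OSError is kinit screwed up
+
+
+def kerberos_init(username):
+    klist = subprocess.run(['sudo', '-u', username, 'klist', '--json'], stdout=subprocess.PIPE)
+    if klist.returncode == 0:
+        cache_info = json.loads(klist.stdout.decode())
+        if cache_info.get('principal') == '{}/[email protected]'.format(username):
+            return False
+    if (subprocess.call(['kinit', '{}/admin'.format(username)]) != 0):
+        # Or some other kinds of Exception
+        raise OSError('Kinit failed.')
+    else:
+        return True
+
+
+def kerberos_destroy():
+    return subprocess.call(['kdestroy'])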
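Review bot: `kerberos_init` inspects the credential cache of `username` via `sudo -u username klist`, but the `kinit` that follows runs as the invoking process with no `sudo`, so the cache that is checked and the one that is populated — and later emptied by `kerberos_destroy`'s `kdestroy` — can be two different caches; either drop the `sudo -u` so all three commands act on the caller's default cache, or run all of them under the same identity. `--json` is a Heimdal `klist` option as far as I can tell, so on MIT Kerberos the first call fails and every invocation falls through to `kinit`; a comment naming the expected implementation would help the next reader. The header comment at the top of the module describes `kerberos_init`'s contract but is not attached to the function — move it into a docstring stating that True means the caller owns the new ticket and must `kdestroy` it, False means a matching `username/admin` ticket was already cached, and OSError is raised when `kinit` fails. `kerberos_destroy` returns the raw exit status of `kdestroy`, which the `get_email` caller ignores; consider failing loudly like `kerberos_init` does, e.g. `if subprocess.call(['kdestroy']) != 0: raise OSError('kdestroy failed.')`.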