IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-11 00:31:56 -06:00
Code Issues Packages Projects Releases Wiki Activity

krb_utils: Simplify get_credentials

Browse Source 
Previously, `get_credentials` raises either ValueError or re-raises
GSSError. The former makes the handling of this function more difficult
without a good reason.

With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
return valid credentials (on the moment of calling) or None. This makes
it consistent with docs.

Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Stanislav Levin 2021-06-04 12:53:25 +03:00 committed by Alexander Bokovoy
parent 16ab690bf6
commit 0a169b1bea
3 changed files with 28 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
install/tools/ipa-ccache-sweeper.in
View File

@ -43,13 +43,8 @@ def should_delete(fname, t, minlife):
# is not provided in cred_store the result of gss_acquire_cred_from # is not provided in cred_store the result of gss_acquire_cred_from
# is KRB5_FCC_NOFILE, which is mapped by gssproxy to # is KRB5_FCC_NOFILE, which is mapped by gssproxy to
# 0x04200000 + KRB5_FCC_NOFILE. # 0x04200000 + KRB5_FCC_NOFILE.
try: creds = get_credentials_if_valid(ccache_name=fname)
creds = get_credentials_if_valid(ccache_name=fname) return creds is None
return creds is None
except ValueError:
return True
return False
if __name__ == "__main__": if __name__ == "__main__":

42
ipalib/krb_utils.py
View File

@ -19,14 +19,10 @@
import time import time
import re import re
import six
import gssapi import gssapi
from ipalib import errors from ipalib import errors
if six.PY3:
unicode = str
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# Kerberos error codes # Kerberos error codes
@ -149,14 +145,24 @@ def get_credentials(name=None, ccache_name=None):
store = None store = None
if ccache_name: if ccache_name:
store = {'ccache': ccache_name} store = {'ccache': ccache_name}
try: """
return gssapi.Credentials(usage='initiate', name=name, store=store) https://datatracker.ietf.org/doc/html/rfc2744.html#section-5.2
except gssapi.exceptions.GSSError as e: gss_acquire_cred:
if e.min_code in ( # pylint: disable=no-member If credential acquisition is time-consuming for a mechanism, the
KRB5_FCC_NOFILE, GSSPROXY_KRB5_FCC_NOFILE, KRB5_CC_NOTFOUND, mechanism may choose to delay the actual acquisition until the
): credential is required (e.g. by gss_init_sec_context or
raise ValueError('"%s", ccache="%s"' % (e, ccache_name)) gss_accept_sec_context). Such mechanism-specific implementation
raise decisions should be invisible to the calling application; thus a call
of gss_inquire_cred immediately following the call of
gss_acquire_cred must return valid credential data, and may therefore
incur the overhead of a deferred credential acquisition.
So, as gssapi.Credentials() calls only gss_acquire_cred it is not
guaranteed to have valid(not expired) returned creds and all the
callers of this function have to deal with GSSAPI exceptions by
themselves, for example, to handle ExpiredCredentialsError.
"""
return gssapi.Credentials(usage="initiate", name=name, store=store)
def get_principal(ccache_name=None): def get_principal(ccache_name=None):
''' '''
@ -174,9 +180,9 @@ def get_principal(ccache_name=None):
''' '''
try: try:
creds = get_credentials(ccache_name=ccache_name) creds = get_credentials(ccache_name=ccache_name)
return unicode(creds.name) return str(creds.name)
except ValueError as e: except gssapi.exceptions.GSSError as e:
raise errors.CCacheError(message=unicode(e)) raise errors.CCacheError(message=str(e))
def get_credentials_if_valid(name=None, ccache_name=None): def get_credentials_if_valid(name=None, ccache_name=None):
''' '''
@ -199,8 +205,6 @@ def get_credentials_if_valid(name=None, ccache_name=None):
creds = get_credentials(name=name, ccache_name=ccache_name) creds = get_credentials(name=name, ccache_name=ccache_name)
if creds.lifetime > 0: if creds.lifetime > 0:
return creds return creds
except gssapi.exceptions.GSSError:
return None return None
except gssapi.exceptions.ExpiredCredentialsError: return None
return None
except ValueError:
return None

3
ipaserver/rpcserver.py
View File

@ -913,6 +913,9 @@ class jsonserver_session(jsonserver, KerberosSession):
else: else:
return self.service_unavailable(environ, start_response, msg) return self.service_unavailable(environ, start_response, msg)
except CCacheError:
return self.need_login(start_response)
try: try:
response = super(jsonserver_session, self).__call__(environ, start_response) response = super(jsonserver_session, self).__call__(environ, start_response)
finally: finally: