Port from python-krbV to python-gssapi

python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>

ipalib/plugins/kerberos.py

@@ -1,125 +0,0 @@
-# Authors:
-#   Jason Gerard DeRose <jderose@redhat.com>
-#
-# Copyright (C) 2008  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-Backend plugin for Kerberos.
-
-This wraps the python-kerberos and python-krbV bindings.
-"""
-
-import sys
-from ipalib import api
-from ipalib.backend import Backend
-from ipalib.plugable import Registry
-import krbV
-
-register = Registry()
-
-ENCODING = 'UTF-8'
-
-
-@register()
-class krb(Backend):
-    """
-    Kerberos backend plugin.
-
-    This wraps the `krbV` bindings (and will eventually wrap the `kerberos`
-    bindings also).  Importantly, this plugin does correct Unicode
-    encoding/decoding of values going-to/coming-from the bindings.
-    """
-
-    def __default_ccache(self):
-        """
-        Return the ``krbV.CCache`` for the default credential cache.
-        """
-        return krbV.default_context().default_ccache()
-
-    def __default_principal(self):
-        """
-        Return the ``krb5.Principal`` for the default credential cache.
-        """
-        return self.__default_ccache().principal()
-
-    def __get_ccache(self, ccname):
-        """
-        Return the ``krbV.CCache`` for the ``ccname`` credential ccache.
-        """
-        return krbV.CCache(ccname)
-
-    def __get_principal(self, ccname):
-        """
-        Return the ``krb5.Principal`` for the ``ccname`` credential ccache.
-        """
-        return self.__get_ccache(ccname).principal()
-
-    def default_ccname(self):
-        """
-        Return the default ccache file name (schema+name).
-
-        This will return something like 'FILE:/tmp/krb5cc_500'.
-
-        This cannot return anything meaningful if used in the server as a
-        request is processed.
-        """
-        default_ccache = self.__default_ccache()
-        ccname = "%(type)s:%(name)s" % dict(type=default_ccache.type,
-                                            name=default_ccache.name)
-        return ccname
-
-    def default_principal(self):
-        """
-        Return the principal name in default credential cache.
-
-        This will return something like 'admin@EXAMPLE.COM'.  If no credential
-        cache exists for the invoking user, None is returned.
-
-        This cannot return anything meaningful if used in the server as a
-        request is processed.
-        """
-        return self.__default_principal().name.decode(ENCODING)
-
-    def default_realm(self):
-        """
-        Return the realm from the default credential cache.
-
-        This will return something like 'EXAMPLE.COM'.  If no credential cache
-        exists for the invoking user, None is returned.
-
-        This cannot return anything meaningful if used in the server as a
-        request is processed.
-        """
-        return krbV.default_context().default_realm.decode(ENCODING)
-
-    def get_principal(self, ccname):
-        """
-        Return the principal from credential cache file at ``ccname``.
-
-        This will return something like 'admin@EXAMPLE.COM'.
-        """
-        return self.__get_principal(ccname).name.decode(ENCODING)
-
-    def get_realm(self, ccname):
-        """
-        Return the realm from credential cache file at ``ccname``.
-
-        This will return something like 'EXAMPLE.COM'.
-        """
-        return self.__get_principal(ccname).realm.decode(ENCODING)
-
-

ipalib/plugins/passwd.py

@@ -17,7 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ipalib import api, errors, util
+from ipalib import api, errors, krb_utils
 from ipalib import Command
 from ipalib import Str, Password
 from ipalib import _
@@ -58,7 +58,7 @@ def get_current_password(principal):
     current password is prompted for, otherwise return a fixed value to
     be ignored later.
     """
-    current_principal = util.get_current_principal()
+    current_principal = krb_utils.get_principal()
     if current_principal == normalize_principal(principal):
         return None
     else:
@@ -74,7 +74,7 @@ class passwd(Command):
             label=_('User name'),
             primary_key=True,
             autofill=True,
-            default_from=lambda: util.get_current_principal(),
+            default_from=lambda: krb_utils.get_principal(),
             normalizer=lambda value: normalize_principal(value),
         ),
         Password('password',

ipalib/plugins/vault.py

@@ -34,7 +34,6 @@ from cryptography.hazmat.primitives.serialization import load_pem_public_key,\
     load_pem_private_key
 
 import nss.nss as nss
-import krbV
 
 from ipalib.frontend import Command, Object, Local
 from ipalib import api, errors
@@ -640,7 +639,7 @@ class vault_add(PKQuery, Local):
         else:
             backend = self.api.Backend.rpcclient
         if not backend.isconnected():
-            backend.connect(ccache=krbV.default_context().default_ccache())
+            backend.connect()
 
         if vault_type == u'standard':
 
@@ -1239,7 +1238,7 @@ class vault_archive(PKQuery, Local):
         else:
             backend = self.api.Backend.rpcclient
         if not backend.isconnected():
-            backend.connect(ccache=krbV.default_context().default_ccache())
+            backend.connect()
 
         # retrieve vault info
         vault = self.api.Command.vault_show(*args, **options)['result']
@@ -1508,7 +1507,7 @@ class vault_retrieve(PKQuery, Local):
         else:
             backend = self.api.Backend.rpcclient
         if not backend.isconnected():
-            backend.connect(ccache=krbV.default_context().default_ccache())
+            backend.connect()
 
         # retrieve vault info
         vault = self.api.Command.vault_show(*args, **options)['result']