Bugfix: get correct principal name when keytab is given

[belldandyxtq]

This commit fixes a bug where the principal name is not obtained
correctly when a keytab is given though KRB5_KTNAME

This closes #93
This should be tested after #96

[kuenishi]

Currently username is only taken from keytab. But I think it can be improved more: my suggestion of taking username from krb5 info is like following::

1. try to take username from just klist, regarding KRB5CCNAME
2. If 1 fails, try to take it from klist -k, regarding KRB5_KTNAME
3. If 2 fails, fall back to Unix user name.

Limitation on procedure 2 that it only takes first KVNO in the keytab must be documented precisely.

[kuenishi]

Use tempfile.TemporaryDirectory() with it's cleanup capability on with statement in case of unexpected test failure.

[kuenishi]

Use os.getenv() or os.environ.get() for default value.

[kuenishi]

Also this must be done in finally clause in case of unexpected exceptions.

[kuenishi]

This method name indicates it being intended for unittest of def _parse_klist_keytab_output(output): somehow. Also practical unittest on parsing the output of klist had better be separated from integrated test of create_handler().

[belldandyxtq]

The username is not only taken from keytab. If the keytab is given then we get username from keytab, otherwise from klist. If both failed, from login name.

[kuenishi]

The username is not only taken from keytab. If the keytab is given then we get username from keytab, otherwise from klist. If both failed, from login name.

Yes. But the priority behaviour is different than mine. Current behaviour is 1) if KRB5_KTNAME is defined then run kinit -k and take name from keytab. 2) otherwise just run klist implicitly taking KRB5CCNAME and take name from credential file. This is different from KrbTicket behaviour and I'm worrying about potential bug that hides behind this gap. Also, with my suggestion the code would be much simpler:

1. try taking name form klist
2. if it failed with exception then run klist -k
3. if it failed with exception then take the name from Unix username.

[kuenishi]

My intention was not to change from create_handler to direct object construction, but to clarify what unit feature to be tested with the test method name matching test target. Hereby there're several unit functionalities here, 1) calling the klist command, 2) parsing klist command output, 3) identifying the user name. Strictly speaking, all these three must be tested one by one in unit tests. I don't request strict tests, but at least it must be clarified what is being tested here.

In other word, _parse_klist_output() is tested at (new) line 93 below, but why not _parse_klist_keytab_output(out) ? Also integrated test of those would be nice if it's done here.

[kuenishi]

Added several nit comments. I also hope for careful documentation about this behaviour somewhere.

[kuenishi]

As self isn't used in this method, it should be moved out of the class.

[kuenishi]

I think passing boolean indicating -k rather than string would remove potential bug that may stem from string variations.

[kuenishi]

I don't this line is needed, but just running klist -k is enough. Because not only it automatically refers to KRB5_KTNAMEbut follows default fallback to /etc/krb5.keytab .

[kuenishi]

This else indent is not needed, I would prefer it removed for readability.

[kuenishi]

ping?