Allow initalizing kerberos credentials from keytab
Requires klist and kinit from krb5-workstation. Closes #127.
Showing
7 changed files
with
204 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,87 @@ | ||
""" | ||
Copyright (c) 2015 Red Hat, Inc | ||
All rights reserved. | ||
This software may be modified and distributed under the terms | ||
of the BSD license. See the LICENSE file for details. | ||
""" | ||
from __future__ import print_function, absolute_import, unicode_literals | ||
|
||
import re | ||
import os | ||
import logging | ||
import datetime | ||
import subprocess | ||
|
||
from osbs.exceptions import OsbsException | ||
|
||
logger = logging.getLogger(__name__) | ||
|
||
KLIST_TGT_RE = (r"\d\d/\d\d/\d{2,4}" | ||
" +" | ||
"\d\d:\d\d:\d\d" | ||
" +" | ||
"(?P<month>\d\d)" | ||
"/" | ||
"(?P<day>\d\d)" | ||
"/" | ||
"(?P<year>\d{2,4})" | ||
" +" | ||
"(?P<hour>\d\d)" | ||
":" | ||
"(?P<minute>\d\d)" | ||
":" | ||
"(?P<second>\d\d)" | ||
" +" | ||
"krbtgt/(?P<realm>[-.A-Z0-9]+)@(?P=realm)") | ||
|
||
def run(cmd, extraenv={}): | ||
env = os.environ.copy() | ||
env.update(extraenv) | ||
|
||
logger.debug("Subprocess: %s", ' '.join(cmd)) | ||
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env) | ||
stdout, stderr = p.communicate() | ||
|
||
return p.returncode, stdout, stderr | ||
|
||
def kerberos_ccache_init(principal, keytab_file, ccache_file=None): | ||
""" | ||
Checks whether kerberos credential cache has ticket-granting ticket that is valid for at least | ||
an hour. | ||
Default ccache is used unless ccache_file is provided. In that case, KRB5CCNAME environment | ||
variable is set to the value of ccache_file if we successfully obtain the ticket. | ||
""" | ||
tgt_valid = False | ||
env = { "KRB5CCNAME": ccache_file } if ccache_file else {} | ||
|
||
# check if we have tgt that is valid more than one hour | ||
rc, klist, _ = run(["klist"], extraenv=env) | ||
if rc == 0: | ||
for line in klist.splitlines(): | ||
m = re.match(KLIST_TGT_RE, line) | ||
if m: | ||
# rhel6 has only last two digits | ||
year = m.group("year") | ||
if len(year) == 2: | ||
year = "20" + year | ||
|
||
expires = datetime.datetime( | ||
int(year), int(m.group("month")), int(m.group("day")), | ||
int(m.group("hour")), int(m.group("minute")), int(m.group("second")) | ||
) | ||
|
||
if expires - datetime.datetime.now() > datetime.timedelta(hours=1): | ||
logger.debug("Valid TGT found, not renewing") | ||
tgt_valid = True | ||
break | ||
|
||
if not tgt_valid: | ||
logger.debug("Retrieving kerberos TGT") | ||
rc, out, err = run(["kinit", "-k", "-t", keytab_file, principal], extraenv=env) | ||
if rc != 0: | ||
raise OsbsException("kinit returned %s:\nstdout: %s\nstderr: %s" % (rc, out, err)) | ||
|
||
if ccache_file: | ||
os.environ["KRB5CCNAME"] = ccache_file |
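Review bot: The klist check in `kerberos_ccache_init` accepts any unexpired `krbtgt/REALM@REALM` entry without comparing the cache's owner to the `principal` argument, so a ccache that already holds a TGT for a different identity skips `kinit`, and later calls would presumably authenticate as that other principal. I would also parse the `Default principal:` line that klist prints and fall through to `kinit` when it does not equal `principal`. Separately, `klist` runs under the caller's locale while `KLIST_TGT_RE` assumes MM/DD/YY ordering, so the output format may not match, or a day/month swap could make `datetime.datetime(...)` raise an unhandled ValueError; forcing `LC_ALL=C` in the environment passed to the klist call would keep the format stable. On Python 3 the `stdout` returned by `communicate()` is bytes, so `re.match(KLIST_TGT_RE, line)` with a text pattern would raise TypeError unless the output is decoded first; this matters only if the module is meant to run on Python 3, which the `__future__` imports suggest.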