Implement remaining GGF extensions #151
Conversation
jborean93
force-pushed
the
ggf-set_option
branch
from
d64e1c7
to
2dcb2ba
Compare
|
If |
gssapi/raw/ext_ggf.pyx
Outdated
| Creds: The output credential. | ||
|
|
||
| Raises: | ||
| GSS_ERROR |
There was a problem hiding this comment.
This should be the python type (GSSError)
There was a problem hiding this comment.
(can you fix that up in the rest of these functions, too? Don't know how that snuck by last time).
There was a problem hiding this comment.
Sure, don't know why I wrote them this way.
gssapi/raw/ext_ggf.pyx
Outdated
| An example of how this can be used would be to reset the NTLM crypto engine | ||
| used in gss-ntlmssp. The OID that controls this value is | ||
| '1.3.6.1.4.1.7165.655.1.3' and it takes it a byte value that represents | ||
| an int32 where 1 reset's the verifier handle and any other int resets the |
gssapi/tests/test_raw.py
Outdated
| # nothing much we can test here apart from it doesn't fail and the | ||
| # id of the return cred is the same as the input one | ||
| output_cred = gb.set_cred_option(no_ci_flags_x, creds=orig_cred) | ||
| id(orig_cred).should_be(id(output_cred)) |
There was a problem hiding this comment.
oof, I don't like testing the id like that. Just drop that line. It's probably fine to just test that it doesn't error out.
gssapi/tests/test_raw.py
Outdated
| b"\x00") | ||
|
|
||
| # TODO: get these tests to detect gss-ntlmssp once it is installed | ||
| """ |
There was a problem hiding this comment.
gss-ntlmssp will be installed as part of #150, so we just need to figure out how to detect it, and get that merged into k5test.
gssapi/tests/test_raw.py
Outdated
| # because MIT krb5 doesn't implement any OID's for | ||
| # gss_set_sec_context_option, we just need to query any OID and it will | ||
| # raise an exception | ||
| gb.set_sec_context_option.should_raise(gb.GSSError, |
There was a problem hiding this comment.
this test feels fragile. Is there anything else we can do?
There was a problem hiding this comment.
Once the NTLMSSP stuff works in the tests we can call that with an invalid value instead.
jborean93
force-pushed
the
ggf-set_option
branch
from
2dcb2ba
to
a121831
Compare
|
Thanks for the review @DirectXMan12, let me know what you would like me to do about the |
|
It's there on master now. |
|
Must have done something wrong the first time, have updated the tests to use ntlmssp. |
jborean93
force-pushed
the
ggf-set_option
branch
3 times, most recently
from
a7489c1
to
726366d
Compare
There was a problem hiding this comment.
new revisions look good at a glance. Feel free to merge @frozencemetery.
These parts of th GGF extensions provide extended support for managing security contexts and credentials. In particular, with NTLM, they can be used to reset the crypto handles using the GSS_NTLMSSP_RESET_CRYPTO_OID_LENGTH OID. Draft IETF document for the gss_set_sec_context_option(): https://tools.ietf.org/html/draft-engert-ggf-gss-extensions-00 Draft IETF document for the gss_set_cred_option(): https://tools.ietf.org/html/draft-ietf-kitten-channel-bound-flag-02 Fixes: pythongssapi#51 [rharwood@redhat.com edited commit message]
frozencemetery
force-pushed
the
ggf-set_option
branch
from
726366d
to
13467fb
Compare
This PR implements the remaining GGF extensions #51, excluding the
gss_{import,export}_credvariants as they are not implemented as per the GGF spec in both MIT krb5 and Heimdal. This PR adds in thegss_set_cred_optionandgss_set_sec_context_optionfunctions.While
gss_set_cred_optiondoesn't seem to be a function that was part of the GGF draft, most implementations bundle it together with the GGFgss_set_sec_context_optionand so I decided to keep it inext_ggf, please let me know if you want to split them up further.I also have a commented out test for
gss_set_sec_context_option, it requiresgss-ntlmsspand unfortunately I was unable to get that working in the docker container tests. Not sure if I needed to do anything extra (apart from installing it from apt/dnf) as it was unable to find the mech when i supplied it as part of the test. For now it is commented out until someone smarter can figure it out.