Ticket #311: PyKerberos-delegation.patch

pysrc/kerberos.py

@@ -90 +90 @@
 AUTH_GSS_CONTINUE=0 
 AUTH_GSS_COMPLETE=1 
      
-def authGSSClientInit(service):
+#Some useful gss flags
+GSS_C_DELEG_FLAG=1
+GSS_C_MUTUAL_FLAG=2
+GSS_C_REPLAY_FLAG=4
+GSS_C_SEQUENCE_FLAG=8
+GSS_C_CONF_FLAG=16
+GSS_C_INTEG_FLAG=32
+GSS_C_ANON_FLAG=64
+GSS_C_PROT_READY_FLAG=128
+GSS_C_TRANS_FLAG=256
+
+def authGSSClientInit(service, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG):
     """
     Initializes a context for GSSAPI client-side authentication with the given service principal.
     authGSSClientClean must be called after this function returns an OK result to dispose of
@@ -98 +109 @@
 
     @param service: a string containing the service principal in the form 'type@fqdn'
         (e.g. 'imap@mail.apple.com').
+    @param gssflags: optional integer used to set GSS flags.
+        (e.g.  GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG will allow
+         to forward credentials to the remote host)
     @return:        a tuple of (result, context) where result is the result code (see above) and
         context is an opaque value that will need to be passed to subsequent functions.
     """

python-kerberos-1.

@@ -84 +84 @@
         return NULL;
 }
 
-static PyObject* authGSSClientInit(PyObject* self, PyObject* args)
+static PyObject* authGSSClientInit(PyObject* self, PyObject* args, PyObject* keywds)
 {
     const char *service;
     gss_client_state *state;
     PyObject *pystate;
+    static char *kwlist[] = {"service", "gssflags", NULL};
+    long int gss_flags = GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG;
     int result = 0;
     
-    if (!PyArg_ParseTuple(args, "s", &service))
+    if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|l", kwlist, &service, &gss_flags))
         return NULL;
     
     state = (gss_client_state *) malloc(sizeof(gss_client_state));
     pystate = PyCObject_FromVoidPtr(state, NULL);
     
-    result = authenticate_gss_client_init(service, state);
+    result = authenticate_gss_client_init(service, gss_flags, state);
     if (result == AUTH_GSS_ERROR)
         return NULL;
     
@@ -367 +369 @@
      "Change the user password."},
     {"getServerPrincipalDetails",  getServerPrincipalDetails, METH_VARARGS,
      "Return the service principal for a given service and hostname."},
-    {"authGSSClientInit",  authGSSClientInit, METH_VARARGS,
+    {"authGSSClientInit",  (PyCFunction)authGSSClientInit, METH_VARARGS|METH_KEYWORDS,
      "Initialize client-side GSSAPI operations."},
     {"authGSSClientClean",  authGSSClientClean, METH_VARARGS,
      "Terminate client-side GSSAPI operations."},
@@ -427 +429 @@
     PyDict_SetItemString(d, "AUTH_GSS_COMPLETE", PyInt_FromLong(AUTH_GSS_COMPLETE)); 
     PyDict_SetItemString(d, "AUTH_GSS_CONTINUE", PyInt_FromLong(AUTH_GSS_CONTINUE)); 
 
+    PyDict_SetItemString(d, "GSS_C_DELEG_FLAG", PyInt_FromLong(GSS_C_DELEG_FLAG)); 
+    PyDict_SetItemString(d, "GSS_C_MUTUAL_FLAG", PyInt_FromLong(GSS_C_MUTUAL_FLAG)); 
+    PyDict_SetItemString(d, "GSS_C_REPLAY_FLAG", PyInt_FromLong(GSS_C_REPLAY_FLAG)); 
+    PyDict_SetItemString(d, "GSS_C_SEQUENCE_FLAG", PyInt_FromLong(GSS_C_SEQUENCE_FLAG)); 
+    PyDict_SetItemString(d, "GSS_C_CONF_FLAG", PyInt_FromLong(GSS_C_CONF_FLAG)); 
+    PyDict_SetItemString(d, "GSS_C_INTEG_FLAG", PyInt_FromLong(GSS_C_INTEG_FLAG)); 
+    PyDict_SetItemString(d, "GSS_C_ANON_FLAG", PyInt_FromLong(GSS_C_ANON_FLAG)); 
+    PyDict_SetItemString(d, "GSS_C_PROT_READY_FLAG", PyInt_FromLong(GSS_C_PROT_READY_FLAG)); 
+    PyDict_SetItemString(d, "GSS_C_TRANS_FLAG", PyInt_FromLong(GSS_C_TRANS_FLAG)); 
 error:
     if (PyErr_Occurred())
         PyErr_SetString(PyExc_ImportError, "kerberos: init failed");

src/kerberosgss.c

@@ -108 +108 @@
     return result;
 }
 
-int authenticate_gss_client_init(const char* service, gss_client_state* state)
+int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state)
 {
     OM_uint32 maj_stat;
     OM_uint32 min_stat;
@@ -119 +119 @@
     state->context = GSS_C_NO_CONTEXT;
     state->username = NULL;
     state->response = NULL;
+    state->gss_flags = gss_flags;
     
     // Import server name first
     name_token.length = strlen(service);
@@ -190 +191 @@
                                     &state->context,
                                     state->server_name,
                                     GSS_C_NO_OID,
-                                    GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+                                    (OM_uint32)state->gss_flags,
                                     0,
                                     GSS_C_NO_CHANNEL_BINDINGS,
                                     &input_token,

src/kerberosgss.h

@@ -33 +33 @@
 typedef struct {
     gss_ctx_id_t     context;
     gss_name_t       server_name;
+    long int         gss_flags;
     char*            username;
     char*            response;
 } gss_client_state;
@@ -49 +50 @@
 
 char* server_principal_details(const char* service, const char* hostname);
 
-int authenticate_gss_client_init(const char* service, gss_client_state* state);
+int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state);
 int authenticate_gss_client_clean(gss_client_state *state);
 int authenticate_gss_client_step(gss_client_state *state, const char *challenge);
 int authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge);