kerberos 0.2

data/ext/ruby_kerberos.c

@@ -0,0 +1,362 @@
+
+#include "ruby.h"
+#include "krb5.h"
+#include <stdio.h>
+#include <strings.h>
+#include "admin.h"
+#include "ruby_kerberos.h"
+
+static VALUE mKerberos;
+static VALUE cKrb5;
+static VALUE cKadm5;
+int kadm5_error_number = 0;
+int krb5_error_number = 0;
+void *kadm5_handle = NULL;
+
+static VALUE Kadm5_errstr(VALUE self);
+int Kadm55_register_error(int error);
+static VALUE Kadm5_init_with_password(VALUE self,VALUE _auser,VALUE _apass);
+static VALUE Kadm5_create_principal(VALUE self, VALUE _user, VALUE _pass, VALUE options);
+static VALUE Kadm5_delete_principal(VALUE self, VALUE _auser);
+
+static VALUE Krb5_errstr(VALUE self);
+int Krb5_register_error(int error);
+static VALUE Krb5_change_password(VALUE self, VALUE _user, VALUE _pass, VALUE _newpass);
+static VALUE Krb5_get_init_creds_password(VALUE self, VALUE _user, VALUE _pass);
+
+
+int Krb5_register_error(int error) {
+  krb5_error_number = error;
+  return 0;
+}
+
+int Kadm5_register_error(int error) {
+  kadm5_error_number = error;
+  return 0;
+}
+
+/* returns the last error message generated or nil */
+static VALUE Kadm5_errstr(VALUE self) {
+  char error[255];
+  if (kadm5_error_number == 0) {
+    return Qnil;
+  }
+  strncpy(error,error_message(kadm5_error_number), sizeof(error));
+  error[sizeof(error) - 1] = '\0';
+  VALUE kerror = rb_str_new2(error);
+  return kerror;
+}
+
+/* returns the last error message generated or nil */
+static VALUE Krb5_errstr(VALUE self) {
+  char error[255];
+  if (kadm5_error_number == 0) {
+    return Qnil;
+  }
+  strncpy(error,error_message(krb5_error_number), sizeof(error));
+  error[sizeof(error) - 1] = '\0';
+  VALUE kerror = rb_str_new2(error);
+  return kerror;
+}
+
+
+/*
+Initializes a connection to the kdc using an administrative user.  This method must be called before any other Kadm5 methods.
+Returns true on success, false on falure.  The reason for a failure can be found in Kadm5.errstr
+  *p1 = username
+  *p2 = password
+*/
+static VALUE Kadm5_init_with_password(VALUE self, VALUE _auser, VALUE _apass) {
+  Check_Type(_auser,T_STRING);
+  Check_Type(_apass,T_STRING);
+  char * auser = STR2CSTR(_auser);
+  char * apass = STR2CSTR(_apass);
+  kadm5_ret_t rc;
+
+  rc = kadm5_init_with_password(auser, apass, KADM5_ADMIN_SERVICE, NULL, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, &kadm5_handle);
+  if (rc) {
+    Kadm5_register_error(rc);
+    return Qfalse;
+  }
+  return Qtrue;
+}
+
+/*
+Create a kerberos principal.
+  *p1 = username
+  *p2 = password
+  *p3 = options hash
+
+Options hash can contain any of the following keys:
+  *kvno
+  *attributes
+  *max_renewable_life
+  *pw_expiration
+  *max_life
+  *princ_expire_time
+  *policy
+
+attributes is a bitmask of the above KRB5_KDB_* constants.  
+*/
+static VALUE Kadm5_create_principal(VALUE self, VALUE _user, VALUE _pass, VALUE options) {
+  Check_Type(options,T_HASH);
+  Check_Type(_user,T_STRING);
+  Check_Type(_pass,T_STRING);
+  char * user = STR2CSTR(_user);
+  char * pass = STR2CSTR(_pass);
+
+  VALUE hval;
+  long mask =0;
+  krb5_error_code  krbret;
+  kadm5_ret_t rc;
+  krb5_context  ctx;
+  kadm5_principal_ent_rec princ;
+
+  memset(&princ, 0, sizeof(princ));
+  if ((krbret = krb5_init_context(&ctx))) {
+    Kadm5_register_error(krbret);
+    return Qfalse;
+  }
+
+  if ((krbret = krb5_parse_name(ctx, user, &princ.principal))) {
+    krb5_free_context(ctx);
+    Kadm5_register_error(krbret);
+    return Qfalse;
+  }
+
+  if (st_lookup(RHASH(options)->tbl, rb_str_new2(OP_KVNO), &hval)) {
+    Check_Type(hval,T_FIXNUM);
+    mask |= KADM5_KVNO;
+    princ.kvno = FIX2LONG(hval);
+  }
+
+  if (st_lookup(RHASH(options)->tbl, rb_str_new2(OP_ATTRIBUTES), &hval)) {
+    Check_Type(hval,T_FIXNUM);
+    princ.attributes = FIX2LONG(hval);
+    mask |= KADM5_ATTRIBUTES;
+  }
+
+  if (st_lookup(RHASH(options)->tbl, rb_str_new2(OP_MAX_RLIFE), &hval)) {
+    Check_Type(hval,T_FIXNUM);
+    mask |= KADM5_MAX_RLIFE;
+    princ.max_renewable_life = FIX2LONG(hval);
+  }
+
+  if (st_lookup(RHASH(options)->tbl, rb_str_new2(OP_PW_EXPIRATION), &hval)) {
+    Check_Type(hval,T_FIXNUM);
+    mask |= KADM5_PW_EXPIRATION;
+    princ.pw_expiration = FIX2LONG(hval);
+  }
+
+  if (st_lookup(RHASH(options)->tbl, rb_str_new2(OP_PRINC_EXPIRE_TIME), &hval)) {
+    Check_Type(hval,T_FIXNUM);
+    mask |= KADM5_PRINC_EXPIRE_TIME;
+    princ.princ_expire_time = FIX2LONG(hval);
+  }
+
+  if (st_lookup(RHASH(options)->tbl, rb_str_new2(OP_MAX_LIFE), &hval)) {
+    Check_Type(hval,T_FIXNUM);
+    mask |= KADM5_MAX_LIFE;
+    princ.max_life = FIX2LONG(hval);
+  }
+
+  if (st_lookup(RHASH(options)->tbl, rb_str_new2(OP_POLICY), &hval)) {
+    Check_Type(hval,T_STRING);
+    mask |= KADM5_POLICY;
+    princ.policy = RSTRING(hval)->ptr;
+  }
+
+
+  mask |= KADM5_PRINCIPAL;
+  rc = kadm5_create_principal(kadm5_handle, &princ, mask, pass);
+  if (rc) {
+    krb5_free_principal(ctx, princ.principal);
+    krb5_free_context(ctx);
+    Kadm5_register_error(rc);
+    return Qfalse;
+  }
+
+  krb5_free_principal(ctx, princ.principal);
+  krb5_free_context(ctx);
+  return Qtrue;
+
+}
+
+
+/*
+Deletes a principal from the kerberos database.  Takes the username to delete as it's sole argument.
+Returns true on success, false on failure.
+*/
+static VALUE Kadm5_delete_principal(VALUE self, VALUE _user) {
+  Check_Type(_user,T_STRING);
+  char * user = STR2CSTR(_user);
+
+  krb5_error_code             krbret;
+  kadm5_ret_t                 rc;
+  krb5_context                ctx;
+  krb5_principal              princ;
+
+  if ((krbret = krb5_init_context(&ctx))) {
+    Kadm5_register_error(krbret);
+    return Qfalse;
+  }
+  if ((krbret = krb5_parse_name(ctx, user, &princ))) {
+    krb5_free_context(ctx);
+    Kadm5_register_error(krbret);
+    return Qfalse;
+  }
+
+  rc = kadm5_delete_principal(kadm5_handle, princ);
+  if (rc) {
+    krb5_free_principal(ctx, princ);
+    krb5_free_context(ctx);
+    Kadm5_register_error(rc);
+    return Qfalse;
+  }
+
+  krb5_free_principal(ctx, princ);
+  krb5_free_context(ctx);
+  return Qtrue;
+
+}
+
+/*
+Change password of an existing user.  Returns true on success, false on failure.
+  *p1=username
+  *p2=current password
+  *p3=new password
+*/
+static VALUE Krb5_change_password(VALUE self, VALUE _user, VALUE _pass, VALUE _newpass) {
+  Check_Type(_user,T_STRING);
+  Check_Type(_pass,T_STRING);
+  Check_Type(_newpass,T_STRING);
+  char * user = STR2CSTR(_user);
+  char * pass = STR2CSTR(_pass);
+  char * newpass = STR2CSTR(_newpass);
+
+  krb5_error_code             krbret;
+  krb5_context                ctx;
+  krb5_creds                  creds;
+  krb5_principal              princ;
+  int pw_result;
+  krb5_data       pw_res_string, res_string;
+
+  if ((krbret = krb5_init_context(&ctx))) {
+    Krb5_register_error(krbret);
+    return Qfalse;
+  }
+
+  if ((krbret = krb5_parse_name(ctx, user, &princ))) {
+    krb5_free_context(ctx);
+    Krb5_register_error(krbret);
+    return Qfalse;
+  }
+
+  if ((krbret = krb5_get_init_creds_password( ctx, &creds, princ, pass, NULL, NULL, 0, KADM5_CHANGEPW_SERVICE, NULL))) {
+    krb5_free_principal(ctx, princ);
+    krb5_free_context(ctx);
+    Krb5_register_error(krbret);
+    return Qfalse;
+  }
+
+  krbret = krb5_change_password(ctx, &creds, newpass, &pw_result, &pw_res_string, &res_string );
+  if (pw_result) {
+    krb5_free_cred_contents(ctx, &creds);
+    krb5_free_principal(ctx, princ);
+    krb5_free_context(ctx);
+    Krb5_register_error(pw_result);
+    return Qfalse;
+  }
+
+  krb5_free_cred_contents(ctx, &creds);
+  krb5_free_principal(ctx, princ);
+  krb5_free_context(ctx);
+  return Qtrue;
+
+}
+
+/*
+Kerberos user authentication. Returns true on success, false on failure.
+  *p1=username
+  *p2=password
+*/
+static VALUE Krb5_get_init_creds_password(VALUE self, VALUE _user, VALUE _pass) {
+  Check_Type(_user,T_STRING);
+  Check_Type(_pass,T_STRING);
+  char * user = STR2CSTR(_user);
+  char * pass = STR2CSTR(_pass);
+
+  krb5_error_code             krbret;
+  krb5_context                ctx;
+  krb5_creds                  creds;
+  krb5_principal              princ;
+
+  if ((krbret = krb5_init_context(&ctx))) {
+    Krb5_register_error(krbret);
+    return Qfalse;
+  }
+
+  memset(&creds, 0, sizeof(krb5_creds));
+  if ((krbret = krb5_parse_name(ctx, user, &princ))) {
+    krb5_free_context(ctx);
+    Krb5_register_error(krbret);
+    return Qfalse;
+  }
+
+  if ((krbret = krb5_get_init_creds_password( ctx, &creds, princ, pass, 0, NULL, 0, NULL, NULL))) {
+    krb5_free_context(ctx);
+    krb5_free_principal(ctx, princ);
+    Krb5_register_error(krbret);
+    return Qfalse;
+  }
+
+    krb5_free_cred_contents(ctx, &creds);
+    krb5_free_principal(ctx, princ);
+    krb5_free_context(ctx);
+   
+    return Qtrue;
+}
+
+VALUE Krb5_init(VALUE self)
+{
+  return self;
+}
+
+VALUE Kadm5_init(VALUE self)
+{
+  return self;
+}
+
+  void Init_ruby_kerberos() {
+   mKerberos = rb_define_module("Kerberos");
+
+   cKadm5 = rb_define_class_under(mKerberos,"Kadm5", rb_cObject);
+   rb_define_method(cKadm5, "initialize", Kadm5_init,0);
+   rb_define_method(cKadm5, "errstr", Kadm5_errstr,0);
+   rb_define_method(cKadm5, "init_with_password", Kadm5_init_with_password,2);
+   rb_define_method(cKadm5, "create_principal", Kadm5_create_principal,3);
+   rb_define_method(cKadm5, "delete_principal", Kadm5_delete_principal,1);
+
+   /* Principal primary attributes */
+   rb_define_const(cKadm5,"KRB5_KDB_PWCHANGE_SERVICE",INT2NUM(KRB5_KDB_PWCHANGE_SERVICE));
+   rb_define_const(cKadm5,"KRB5_KDB_DISALLOW_POSTDATED",INT2NUM(KRB5_KDB_DISALLOW_POSTDATED));
+   rb_define_const(cKadm5,"KRB5_KDB_DISALLOW_FORWARDABLE",INT2NUM(KRB5_KDB_DISALLOW_FORWARDABLE));
+   rb_define_const(cKadm5,"KRB5_KDB_DISALLOW_TGT_BASED",INT2NUM(KRB5_KDB_DISALLOW_TGT_BASED));
+   rb_define_const(cKadm5,"KRB5_KDB_DISALLOW_RENEWABLE",INT2NUM(KRB5_KDB_DISALLOW_RENEWABLE));
+   rb_define_const(cKadm5,"KRB5_KDB_DISALLOW_PROXIABLE",INT2NUM(KRB5_KDB_DISALLOW_PROXIABLE));
+   rb_define_const(cKadm5,"KRB5_KDB_DISALLOW_DUP_SKEY",INT2NUM(KRB5_KDB_DISALLOW_DUP_SKEY));
+   rb_define_const(cKadm5,"KRB5_KDB_DISALLOW_ALL_TIX",INT2NUM(KRB5_KDB_DISALLOW_ALL_TIX));
+   rb_define_const(cKadm5,"KRB5_KDB_REQUIRES_PRE_AUTH",INT2NUM(KRB5_KDB_REQUIRES_PRE_AUTH));
+   rb_define_const(cKadm5,"KRB5_KDB_REQUIRES_HW_AUTH",INT2NUM(KRB5_KDB_REQUIRES_HW_AUTH));
+   rb_define_const(cKadm5,"KRB5_KDB_DISALLOW_SVR",INT2NUM(KRB5_KDB_DISALLOW_SVR));
+   rb_define_const(cKadm5,"KRB5_KDB_REQUIRES_PWCHANGE",INT2NUM(KRB5_KDB_REQUIRES_PWCHANGE));
+   rb_define_const(cKadm5,"KRB5_KDB_SUPPORT_DESMD5",INT2NUM(KRB5_KDB_SUPPORT_DESMD5));
+   rb_define_const(cKadm5,"KRB5_KDB_NEW_PRINC",INT2NUM(KRB5_KDB_NEW_PRINC));
+
+   cKrb5 = rb_define_class_under(mKerberos,"Krb5", rb_cObject);
+   rb_define_method(cKrb5, "initialize", Krb5_init,0);
+   rb_define_method(cKrb5, "errstr", Krb5_errstr,0);
+   rb_define_method(cKrb5, "get_init_creds_password", Krb5_get_init_creds_password,2);
+   rb_define_method(cKrb5, "change_password", Krb5_change_password,3);
+  }
+

data/ext/ruby_kerberos.h

@@ -0,0 +1,25 @@
+#define OP_PRINCIPAL         "principal"
+#define OP_PRINC_EXPIRE_TIME "princ_expire_time"
+#define OP_PW_EXPIRATION     "pw_expiration"
+#define OP_LAST_PW_CHANGE    "last_pwd_change"
+#define OP_ATTRIBUTES        "attributes"
+#define OP_MAX_LIFE          "max_life"
+#define OP_MOD_TIME          "mod_time"
+#define OP_MOD_NAME          "mod_name"
+#define OP_KVNO              "kvno"
+#define OP_MKVNO             "mkvno"
+#define OP_AUX_ATTRIBUTES    "aux_attributes"
+#define OP_POLICY            "policy"
+#define OP_CLEARPOLICY       "clearpolicy"
+#define OP_RANDKEY           "randkey"
+#define OP_MAX_RLIFE         "max_renewable_life"
+#define OP_LAST_SUCCESS      "last_success"
+#define OP_LAST_FAILED       "last_failed"
+#define OP_FAIL_AUTH_COUNT   "fail_auth_count"
+
+#define OP_PW_MAX_LIFE       "pw_max_life"
+#define OP_PW_MIN_LIFE       "pw_min_life"
+#define OP_PW_MIN_LENGTH     "pw_min_length"
+#define OP_PW_MIN_CLASSES    "pw_min_classes"
+#define OP_PW_HISTORY_NUM    "pw_history_num"
+#define OP_REF_COUNT         "pw_refcnt"

data/lib/kerberos.rb

@@ -0,0 +1,18 @@
+
+
+require 'ruby_kerberos'
+
+# Ruby C extension for basic Kerberos functions. Tested on Linux/Freebsd with Kerberos 5-1.4.3 and 5-1.5.1.
+module Kerberos
+
+# Krb5 contains the kerberos end user functionality, such as user authentication and password changes.
+  class Krb5
+
+  end
+
+# Kadm5 contains the administrative functions, such as adding/deleting/modifying principals.
+  class Kadm5
+
+  end
+
+end

metadata

@@ -0,0 +1,52 @@
+--- !ruby/object:Gem::Specification 
+rubygems_version: 0.8.11
+specification_version: 1
+name: kerberos
+version: !ruby/object:Gem::Version 
+  version: "0.2"
+date: 2006-09-22 00:00:00 -07:00
+summary: Kerberos binding for ruby
+require_paths: 
+- lib
+email: chris@paymentonline.com
+homepage: 
+rubyforge_project: 
+description: 
+autorequire: kerberos
+default_executable: 
+bindir: bin
+has_rdoc: true
+required_ruby_version: !ruby/object:Gem::Version::Requirement 
+  requirements: 
+  - - ">"
+    - !ruby/object:Gem::Version 
+      version: 0.0.0
+  version: 
+platform: ruby
+signing_key: 
+cert_chain: 
+authors: 
+- Chris Ochs
+files: 
+- README
+- lib/kerberos.rb
+- bin/example.rb
+- ext/extconf.rb
+- ext/ruby_kerberos.c
+- ext/ruby_kerberos.h
+- ext/admin.h
+- ext/krb5.h
+test_files: []
+
+rdoc_options: []
+
+extra_rdoc_files: []
+
+executables: []
+
+extensions: 
+- ext/extconf.rb
+requirements: []
+
+dependencies: []
+