kerberos_authenticator 0.0.4 → 0.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ae668eaa13a5a760620f1c5fbe67ea57c48fb08f
|
|
4
|
+
data.tar.gz: 60eab79c31c8f11e858c782d3220a5e51db13a37
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 89e39afb2afe2ce6d2ffb0e7e39a108aa8f3b3747cc3154985655b1ba71b79773496e0f986a7aa7b7d44d1c1e622a0a357b63c4a12d0424903879afa3aa5f46d
|
|
7
|
+
data.tar.gz: 35cd393566e7818ea3c71b07b3e5980f9697b025f0ccef61199aa94b73b2d97ebadf9748517c64a1789a0eb85cba919bfa685c68e15221ff66907f7ace2fc191
|
|
@@ -35,16 +35,16 @@ module KerberosAuthenticator
|
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
# @!attribute [rw] server
|
|
38
|
-
# @return [String] the server principal name to use when verifying the identity the KDC
|
|
38
|
+
# @return [String] the server principal name to use when verifying the identity of the KDC
|
|
39
39
|
|
|
40
40
|
# @!attribute [rw] service
|
|
41
41
|
# @return [String] the service principal name to request a ticket for when obtaining a user's credentials
|
|
42
42
|
|
|
43
43
|
# @!attribute [rw] keytab_base64
|
|
44
|
-
# @return [String] the keytab to use when verifying the identity the KDC represented as a Base64 encoded string (overrides keytab_path)
|
|
44
|
+
# @return [String] the keytab to use when verifying the identity of the KDC represented as a Base64 encoded string (overrides keytab_path)
|
|
45
45
|
|
|
46
46
|
# @!attribute [rw] keytab_path
|
|
47
|
-
# @return [String] the path to the keytab to use when verifying the identity the KDC
|
|
47
|
+
# @return [String] the path to the keytab to use when verifying the identity of the KDC
|
|
48
48
|
|
|
49
49
|
@service = nil
|
|
50
50
|
|
|
@@ -92,7 +92,7 @@ module KerberosAuthenticator
|
|
|
92
92
|
def self.new_kt_tmp_file
|
|
93
93
|
return nil unless keytab_base64
|
|
94
94
|
|
|
95
|
-
kt_tmp_file = Tempfile.new('krb5_kt', encoding: '
|
|
95
|
+
kt_tmp_file = Tempfile.new('krb5_kt', encoding: 'binary')
|
|
96
96
|
kt_tmp_file.write(Base64.decode64(keytab_base64))
|
|
97
97
|
kt_tmp_file.close
|
|
98
98
|
|
|
@@ -6,12 +6,16 @@ module KerberosAuthenticator
|
|
|
6
6
|
module Krb5
|
|
7
7
|
extend FFI::Library
|
|
8
8
|
|
|
9
|
-
|
|
9
|
+
# Version suffixes of the library to search for, in order:
|
|
10
|
+
# - .3: MIT as of Debian 8, RHEL 7
|
|
11
|
+
# - .26: Heimdal as of Debian 8, RHEL 7
|
|
12
|
+
# and then no suffix (which should pickup OS X Kerberos).
|
|
13
|
+
PREFERRED_VERSIONS = ['.3', '.26', ''].freeze
|
|
10
14
|
|
|
11
15
|
if ENV['FFI_KRB5_LIBRARY_NAME']
|
|
12
16
|
ffi_lib ENV['FFI_KRB5_LIBRARY_NAME']
|
|
13
17
|
else
|
|
14
|
-
ffi_lib PREFERRED_VERSIONS.map {|v| FFI.map_library_name('krb5') + v}
|
|
18
|
+
ffi_lib PREFERRED_VERSIONS.map { |v| FFI.map_library_name('krb5') + v }
|
|
15
19
|
end
|
|
16
20
|
|
|
17
21
|
# @!attribute [rw] use_secure_context
|
|
@@ -8,13 +8,17 @@ module KerberosAuthenticator
|
|
|
8
8
|
attach_function :krb5_verify_init_creds_opt_init, [:pointer], :void
|
|
9
9
|
attach_function :krb5_verify_init_creds_opt_set_ap_req_nofail, [:pointer, :bool], :void
|
|
10
10
|
|
|
11
|
-
attach_function :
|
|
11
|
+
attach_function :krb5_free_cred_contents, [:krb5_context, :krb5_creds], :void
|
|
12
12
|
attach_function :krb5_get_init_creds_opt_free, [:krb5_context, :pointer], :void
|
|
13
13
|
|
|
14
14
|
# Credentials, or tickets, provided by a KDC for a user.
|
|
15
15
|
class Creds
|
|
16
16
|
attr_reader :context, :ptr
|
|
17
17
|
|
|
18
|
+
# The size, in bytes, of the krb5_creds structure.
|
|
19
|
+
# This differs between implementations and architectures.
|
|
20
|
+
SIZE_OF_KRB5_CREDS = 480
|
|
21
|
+
|
|
18
22
|
# Requests initial credentials for principal using password from a KDC.
|
|
19
23
|
# @param principal [Principal] the user's Principal
|
|
20
24
|
# @param password [String] the user's password
|
|
@@ -25,12 +29,12 @@ module KerberosAuthenticator
|
|
|
25
29
|
# @see http://web.mit.edu/kerberos/krb5-1.14/doc/appdev/refs/api/krb5_get_init_creds_password.html krb5_get_init_creds_password
|
|
26
30
|
# @see http://web.mit.edu/kerberos/krb5-1.14/doc/appdev/init_creds.html Initial credentials
|
|
27
31
|
def self.initial_creds_for_principal_with_a_password(principal, password, service = nil)
|
|
28
|
-
raise
|
|
32
|
+
raise TypeError, 'expected Principal' unless principal.is_a? Principal
|
|
29
33
|
|
|
30
34
|
context = principal.context
|
|
31
|
-
ptr = FFI::MemoryPointer.new :char,
|
|
35
|
+
ptr = FFI::MemoryPointer.new :char, SIZE_OF_KRB5_CREDS
|
|
32
36
|
|
|
33
|
-
Krb5.get_init_creds_password(context.ptr, ptr, principal.ptr, password, nil, nil, 0, service, nil)
|
|
37
|
+
Krb5.get_init_creds_password(context.ptr, ptr, principal.ptr, password.to_str, nil, nil, 0, service, nil)
|
|
34
38
|
|
|
35
39
|
new(context, ptr)
|
|
36
40
|
end
|
|
@@ -62,24 +66,20 @@ module KerberosAuthenticator
|
|
|
62
66
|
# @see http://web.mit.edu/kerberos/krb5-1.14/doc/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html krb5_verify_init_creds_opt_set_ap_req_nofail
|
|
63
67
|
def verify(nofail = false, server_principal = nil, keytab = nil)
|
|
64
68
|
verify_creds_opt = FFI::MemoryPointer.new :int, 2
|
|
65
|
-
|
|
66
69
|
Krb5.verify_init_creds_opt_init(verify_creds_opt)
|
|
70
|
+
Krb5.verify_init_creds_opt_set_ap_req_nofail(verify_creds_opt, nofail)
|
|
67
71
|
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
server_princ_ptr = server_principal ? server_principal.ptr : nil
|
|
72
|
-
keytab_ptr = keytab ? keytab.ptr : nil
|
|
72
|
+
server_princ_ptr = server_principal ? server_principal.ptr : nil
|
|
73
|
+
keytab_ptr = keytab ? keytab.ptr : nil
|
|
73
74
|
|
|
74
|
-
|
|
75
|
-
end
|
|
75
|
+
Krb5.verify_init_creds(context.ptr, ptr, server_princ_ptr, keytab_ptr, nil, verify_creds_opt)
|
|
76
76
|
|
|
77
77
|
true
|
|
78
78
|
end
|
|
79
79
|
|
|
80
80
|
# @api private
|
|
81
81
|
def self.finalize(context, ptr)
|
|
82
|
-
proc { Krb5.
|
|
82
|
+
proc { Krb5.free_cred_contents(context.ptr, ptr); ptr.free }
|
|
83
83
|
end
|
|
84
84
|
end
|
|
85
85
|
end
|
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
module KerberosAuthenticator
|
|
2
2
|
module Krb5
|
|
3
3
|
typedef :int, :krb5_error_code
|
|
4
|
-
attach_function :krb5_get_error_message, [:pointer, :krb5_error_code], :
|
|
4
|
+
attach_function :krb5_get_error_message, [:pointer, :krb5_error_code], :strptr
|
|
5
|
+
attach_function :krb5_free_error_message, [:pointer, :pointer], :void
|
|
5
6
|
|
|
6
7
|
# A Kerberos library error
|
|
7
8
|
class Error < StandardError
|
|
@@ -10,7 +11,13 @@ module KerberosAuthenticator
|
|
|
10
11
|
# @see http://web.mit.edu/kerberos/krb5-1.14/doc/appdev/refs/api/krb5_get_error_message.html krb5_get_error_message
|
|
11
12
|
def initialize(context_ptr, krb5_error_code)
|
|
12
13
|
@error_code = krb5_error_code
|
|
13
|
-
|
|
14
|
+
error_message, error_ptr = Krb5.get_error_message(context_ptr, krb5_error_code)
|
|
15
|
+
FFI::AutoPointer.new(error_ptr, self.class.finalize(context_ptr))
|
|
16
|
+
super(String.new(error_message))
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def self.finalize(context_ptr)
|
|
20
|
+
proc { |ptr| Krb5.free_error_message(context_ptr, ptr) }
|
|
14
21
|
end
|
|
15
22
|
|
|
16
23
|
def self.raise_if_error(context_ptr = nil)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kerberos_authenticator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Adam Watkins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-04-
|
|
11
|
+
date: 2016-04-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: ffi
|