rkerberos 0.1.0

data/CHANGES

@@ -0,0 +1,3 @@
+= 0.1.0 - 28-Apr-2011
+* Initial release. This is effectively a re-release of my own custom branch
+  of the krb5-auth library, with some minor changes.

data/MANIFEST

@@ -0,0 +1,16 @@
+CHANGES
+rkerberos.gemspec
+MANIFEST
+Rakefile
+README
+ext/ccache.c
+ext/context.c
+ext/extconf.rb
+ext/kadm5.c
+ext/keytab.c
+ext/keytab_entry.c
+ext/rkerberos.c
+ext/rkerberos.h
+ext/policy.c
+ext/principal.c
+test/test_krb5.rb

data/README

@@ -0,0 +1,51 @@
+= Description
+  The rkerberos library provides a Ruby interface for Kerberos.
+
+= Requirements
+  Kerberos 1.7.0 or later, including admin header and library files.
+
+= Synopsis
+  require 'rkerberos'
+
+  # Get the default realm name
+  krb5 = Kerberos::Krb5.new
+  puts krb5.default_realm
+  krb5.close
+
+  # Get the default keytab name
+  keytab = Kerberos::Krb5::Keytab.new
+  puts keytab.default_name
+  keytab.close
+
+  # Set the password for a given principal
+  kadm5 = Kerberos::Kadm5.new(:principal => 'foo/admin', :password => 'xxxx')
+  kadm5.set_password('someuser', 'abc123')
+  kadm5.close
+
+  # Using the block form
+  Kerberos::Kadm5.new(:principal => 'foo/admin', :password => 'xxxx') do |kadm5|
+    p kadm5.get_principal('someuser')
+    kadm5.set_password('someuser', 'abc123')
+  end
+
+= Notes
+  The rkerberos library is a repackaging of my custom branch of the krb5_auth
+  library. Eventually the gem djberg96-krb5_auth will be removed from the gem
+  index.
+
+= MIT vs Heimdal
+  This code was written for the MIT Kerberos library. It has not been tested
+  with the Heimdal Kerberos library.
+
+= TODO
+  Create a separate class for the replay cache.
+  Better credentials cache support.
+  Ability to add and delete keytab entries.
+
+= Known Issues
+  OS X users will probably need to install Kerberos manually and specify
+  the dir-config option because it ships with old Kerberos header files,
+  and none of the admin headers or libraries by default.
+
+= Author
+  Daniel Berger

data/Rakefile

@@ -0,0 +1,148 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/extensiontask'
+require 'rake/clean'
+require 'rbconfig'
+include Config
+
+Rake::ExtensionTask.new('rkerberos')
+
+CLEAN.include(
+  '**/*.gem',               # Gem files
+  '**/*.rbc',               # Rubinius
+  '**/*.o',                 # C object file
+  '**/*.log',               # Ruby extension build log
+  '**/Makefile',            # C Makefile
+  '**/conftest.dSYM',       # OS X build directory
+  "**/*.#{CONFIG['DLEXT']}" # C shared object
+)
+
+desc 'Create a tarball of the source'
+task :archive do
+  spec = eval(IO.read('rkerberos.gemspec'))
+  prefix = "rkerberos-#{spec.version}/"
+  Dir['*.tar*'].each{ |f| File.delete(f) }
+  sh "git archive --prefix=#{prefix} --format=tar HEAD > rkerberos-#{spec.version}.tar"
+  sh "gzip rkerberos-#{spec.version}.tar"
+end
+
+namespace :gem do
+  desc 'Delete any existing gem files in the project.'
+  task :clean do
+    Dir['*.gem'].each{ |f| File.delete(f) } 
+    rm_rf 'lib'
+  end 
+
+  desc 'Create the gem'
+  task :create => [:clean] do
+    spec = eval(IO.read('rkerberos.gemspec'))
+    Gem::Builder.new(spec).build
+  end
+
+  desc 'Install the gem'
+  task :install => [:create] do
+    file = Dir["*.gem"].first
+    sh "gem install #{file}" 
+  end
+
+  desc 'Create a binary gem'
+  task :binary => [:clean, :compile] do
+    spec = eval(IO.read('rkerberos.gemspec'))
+    spec.platform = Gem::Platform::CURRENT
+    spec.extensions = nil
+    spec.files = spec.files.reject{ |f| f.include?('ext') }
+
+    Gem::Builder.new(spec).build
+  end
+end
+
+namespace :sample do
+  desc "Run the sample configuration display program"
+  task :config => [:compile] do
+    sh "ruby -Ilib samples/sample_config_display.rb"
+  end
+end
+
+namespace 'test' do
+  Rake::TestTask.new('all') do |t|
+    task :all => [:clean, :compile]
+    t.libs << 'ext' 
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('context') do |t|
+    task :context => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_context.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('ccache') do |t|
+    task :ccache => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_credentials_cache.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('krb5') do |t|
+    task :krb5 => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_krb5.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('keytab') do |t|
+    task :keytab => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_krb5_keytab.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('keytab_entry') do |t|
+    task :keytab_entry => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_keytab_entry.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('principal') do |t|
+    task :principal => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_principal.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('kadm5') do |t|
+    task :kadm5 => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_kadm5.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('config') do |t|
+    task :config => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_config.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('policy') do |t|
+    task :policy => [:clean, :compile]
+    t.libs << 'ext' 
+    t.test_files = FileList['test/test_policy.rb']
+    t.warning = true
+    t.verbose = true
+  end
+end
+
+task :default => ['test:all']
+task :test => ['test:all']

data/ext/rkerberos/ccache.c

@@ -0,0 +1,250 @@
+#include <rkerberos.h>
+
+VALUE cKrb5CCache;
+
+// Free function for the Kerberos::Krb5::CCache class.
+static void rkrb5_ccache_free(RUBY_KRB5_CCACHE* ptr){
+  if(!ptr)
+    return;
+
+  if(ptr->ccache)
+    krb5_cc_close(ptr->ctx, ptr->ccache);
+
+  if(ptr->principal)
+    krb5_free_principal(ptr->ctx, ptr->principal);
+
+  if(ptr->ctx)
+    krb5_free_context(ptr->ctx);
+
+  free(ptr);
+}
+
+// Allocation function for the Kerberos::Krb5::CCache class.
+static VALUE rkrb5_ccache_allocate(VALUE klass){
+  RUBY_KRB5_CCACHE* ptr = malloc(sizeof(RUBY_KRB5_CCACHE));
+  memset(ptr, 0, sizeof(RUBY_KRB5_CCACHE));
+  return Data_Wrap_Struct(klass, 0, rkrb5_ccache_free, ptr);
+}
+
+/*
+ * call-seq:
+ *   Kerberos::CredentialsCache.new(principal = nil, cache_name = nil)
+ *
+ * Creates and returns a new Kerberos::CredentialsCache object. If cache_name
+ * is specified, then that cache is used, which must be in "type:residual"
+ * format, where 'type' is a type known to Kerberos (typically 'FILE').
+ *
+ * If a +principal+ is specified, then it creates or refreshes the credentials
+ * cache with the primary principal set to +principal+. If the credentials
+ * cache already exists, its contents are destroyed.
+ *
+ * Note that the principal's credentials are not set via the constructor.
+ * It merely creates the cache and sets the default principal.
+ */
+static VALUE rkrb5_ccache_initialize(int argc, VALUE* argv, VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+  krb5_error_code kerror;
+  VALUE v_principal, v_name;
+
+  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+
+  rb_scan_args(argc, argv, "02", &v_principal, &v_name);
+
+  // Convert the principal name to a principal object
+  if(RTEST(v_principal)){
+    Check_Type(v_principal, T_STRING);
+
+    kerror = krb5_parse_name(
+      ptr->ctx,
+      StringValuePtr(v_principal),
+      &ptr->principal
+    );
+
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
+  }
+
+  // Initialize the context
+  kerror = krb5_init_context(&ptr->ctx);
+
+  if(kerror)
+    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+
+  // Set the credentials cache using the default cache if no name is provided
+  if(NIL_P(v_name)){
+    kerror = krb5_cc_default(ptr->ctx, &ptr->ccache);
+
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror));
+  }
+  else{
+    Check_Type(v_name, T_STRING);
+    kerror = krb5_cc_resolve(ptr->ctx, StringValuePtr(v_name), &ptr->ccache);
+
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_cc_resolve: %s", error_message(kerror));
+  }
+
+  // Initialize the credentials cache if a principal was provided
+  if(RTEST(v_principal)){
+    kerror = krb5_cc_initialize(ptr->ctx, ptr->ccache, ptr->principal);
+
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_cc_initialize: %s", error_message(kerror));
+  }
+  
+  return self;
+}
+
+/*
+ * call-seq:
+ *   ccache.close
+ *   
+ * Closes the ccache object. Once the ccache object is closed no more
+ * methods may be called on it, or an exception will be raised.
+ *
+ * Note that unlike ccache.destroy, this does not delete the cache.
+ */
+static VALUE rkrb5_ccache_close(VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+
+  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+
+  if(!ptr->ctx)
+    return self;
+
+  if(ptr->ccache)
+    krb5_cc_close(ptr->ctx, ptr->ccache);
+
+  if(ptr->principal)
+    krb5_free_principal(ptr->ctx, ptr->principal);
+
+  if(ptr->ctx)
+    krb5_free_context(ptr->ctx);
+
+  ptr->ccache = NULL;
+  ptr->ctx = NULL;
+  ptr->principal = NULL;
+
+  return self;
+}
+
+/*
+ * call-seq:
+ *   ccache.default_name
+ *
+ * Returns the name of the default credentials cache.
+ *
+ * This is typically a file under /tmp with a name like 'krb5cc_xxxx',
+ * where 'xxxx' is the uid of the current process owner.
+ */
+static VALUE rkrb5_ccache_default_name(VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+
+  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  return rb_str_new2(krb5_cc_default_name(ptr->ctx));
+}
+
+/*
+ * call-seq:
+ *   ccache.primary_principal
+ *
+ * Returns the name of the primary principal of the credentials cache.
+ */
+static VALUE rkrb5_ccache_primary_principal(VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+  krb5_error_code kerror;
+  char* name;
+
+  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  kerror = krb5_cc_get_principal(ptr->ctx, ptr->ccache, &ptr->principal);
+
+  if(kerror)
+    rb_raise(cKrb5Exception, "krb5_cc_get_principal: %s", error_message(kerror));
+
+  kerror = krb5_unparse_name(ptr->ctx, ptr->principal, &name);
+
+  if(kerror)
+    rb_raise(cKrb5Exception, "krb5_unparse_name: %s", error_message(kerror));
+
+  return rb_str_new2(name);
+}
+
+/*
+ * call-seq:
+ *   ccache.destroy
+ *
+ * Destroy the credentials cache of the current principal. This also closes
+ * the object and it cannot be reused.
+ *
+ * If the cache was destroyed then true is returned. If there is no cache
+ * then false is returned.
+ */
+static VALUE rkrb5_ccache_destroy(VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+  krb5_error_code kerror;
+  VALUE v_bool = Qtrue;
+
+  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  kerror = krb5_cc_destroy(ptr->ctx, ptr->ccache);
+
+  // Don't raise an error if there's no cache. Just return false.
+  if(kerror){
+    if((kerror == KRB5_CC_NOTFOUND) || (kerror == KRB5_FCC_NOFILE)){
+      v_bool = Qfalse;
+    }
+    else{
+      if(ptr->principal)
+        krb5_free_principal(ptr->ctx, ptr->principal);
+
+      if(ptr->ctx)
+        krb5_free_context(ptr->ctx);
+
+      rb_raise(cKrb5Exception, "krb5_cc_destroy: %s", error_message(kerror));
+    }
+  }
+
+  if(ptr->principal)
+    krb5_free_principal(ptr->ctx, ptr->principal);
+
+  if(ptr->ctx)
+    krb5_free_context(ptr->ctx);
+
+  ptr->ccache = NULL;
+  ptr->ctx = NULL;
+  ptr->principal = NULL;
+
+  return v_bool;
+}
+
+void Init_ccache(){
+  /* The Kerberos::Krb5::CredentialsCache class encapsulates a Kerberos credentials cache. */
+  cKrb5CCache = rb_define_class_under(cKrb5, "CredentialsCache", rb_cObject);
+
+  // Allocation Function
+  rb_define_alloc_func(cKrb5CCache, rkrb5_ccache_allocate);
+
+  // Constructor
+  rb_define_method(cKrb5CCache, "initialize", rkrb5_ccache_initialize, -1);
+
+  // Instance Methods
+  rb_define_method(cKrb5CCache, "close", rkrb5_ccache_close, 0);
+  rb_define_method(cKrb5CCache, "default_name", rkrb5_ccache_default_name, 0);
+  rb_define_method(cKrb5CCache, "destroy", rkrb5_ccache_destroy, 0);
+  rb_define_method(cKrb5CCache, "primary_principal", rkrb5_ccache_primary_principal, 0);
+
+  // Aliases
+  rb_define_alias(cKrb5CCache, "delete", "destroy");
+}