X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/python-afs.git/blobdiff_plain/0de77457daaf0855fc5f87cc5cbd3be40f024d9a..41165a6d2c880400afc4b04700d05bd3fa537a42:/afs/_pts.pyx

diff --git a/afs/_pts.pyx b/afs/_pts.pyx
index 56292cd..3c10b70 100644
--- a/afs/_pts.pyx
+++ b/afs/_pts.pyx
@@ -1,7 +1,8 @@
-from afs cimport *
-from afs import pyafs_error
+from afs._util cimport *
+from afs._util import pyafs_error
+import re
 
-cdef import from "afs/ptuser.h":
+cdef extern from "afs/ptuser.h":
     enum:
         PR_MAXNAMELEN
         PRGRP
@@ -67,10 +68,30 @@ cdef import from "afs/ptuser.h":
     int ubik_PR_ListEntries(ubik_client *, afs_int32, afs_int32, afs_int32, prentries *, afs_int32 *)
     int ubik_PR_SetFieldsEntry(ubik_client *, afs_int32, afs_int32, afs_int32, afs_int32, afs_int32, afs_int32, afs_int32, afs_int32)
 
-cdef import from "afs/pterror.h":
+cdef extern from "afs/pterror.h":
     enum:
         PRNOENT
-        PRTOOMANY
+
+cdef extern from "krb5/krb5.h":
+    struct _krb5_context:
+        pass
+    struct krb5_principal_data:
+        pass
+
+    ctypedef _krb5_context * krb5_context
+    ctypedef krb5_principal_data * krb5_principal
+
+    ctypedef long krb5_int32
+    ctypedef krb5_int32 krb5_error_code
+    krb5_error_code krb5_init_context(krb5_context *)
+    krb5_error_code krb5_parse_name(krb5_context, char *, krb5_principal *)
+    krb5_error_code krb5_unparse_name(krb5_context, krb5_principal, char **)
+    krb5_error_code krb5_524_conv_principal(krb5_context, krb5_principal, char *, char *, char *)
+    krb5_error_code krb5_425_conv_principal(krb5_context, char *, char *, char *, krb5_principal *)
+    krb5_error_code krb5_get_host_realm(krb5_context, char *, char ***)
+    void krb5_free_host_realm(krb5_context, char **)
+    void krb5_free_principal(krb5_context, krb5_principal)
+    void krb5_free_context(krb5_context)
 
 cdef class PTEntry:
     cdef public afs_int32 flags
@@ -118,6 +139,28 @@ cdef int _ptentry_to_c(prcheckentry * c_entry, PTEntry p_entry) except -1:
     strncpy(c_entry.name, p_entry.name, sizeof(c_entry.name))
     return 0
 
+cdef object kname_re = re.compile(r'^([^.].*?)(?<!\\)(?:\.(.*?))?(?<!\\)@([^@]*)$')
+
+cdef object kname_parse(fullname):
+    """Parse a krb4-style principal into a name, instance, and realm."""
+    cdef object re_match = kname_re.match(fullname)
+    if not re_match:
+        return None
+    else:
+        princ = re_match.groups()
+        return tuple([re.sub(r'\\(.)', r'\1', x) if x else x for x in princ])
+
+cdef object kname_unparse(name, inst, realm):
+    """Unparse a name, instance, and realm into a single krb4
+    principal string."""
+    name = re.sub('r([.\\@])', r'\\\1', name)
+    inst = re.sub('r([.\\@])', r'\\\1', inst)
+    realm = re.sub(r'([\\@])', r'\\\1', realm)
+    if inst:
+        return '%s.%s@%s' % (name, inst, realm)
+    else:
+        return '%s@%s' % (name, realm)
+
 cdef class PTS:
     """
     A PTS object is essentially a handle to talk to the server in a
@@ -132,13 +175,20 @@ cdef class PTS:
       - 2: fail if an authenticated connection can't be established
       - 3: same as 2, plus encrypt all traffic to the protection
         server
+
+    The realm attribute is the Kerberos realm against which this cell
+    authenticates.
     """
     cdef ubik_client * client
+    cdef readonly object cell
+    cdef readonly object realm
 
     def __cinit__(self, cell=None, sec=1):
         cdef afs_int32 code
         cdef afsconf_dir *cdir
         cdef afsconf_cell info
+        cdef krb5_context context
+        cdef char ** hrealms = NULL
         cdef char * c_cell
         cdef ktc_principal prin
         cdef ktc_token token
@@ -167,6 +217,16 @@ cdef class PTS:
         code = afsconf_GetCellInfo(cdir, c_cell, "afsprot", &info)
         pyafs_error(code)
 
+        code = krb5_init_context(&context)
+        pyafs_error(code)
+        code = krb5_get_host_realm(context, info.hostName[0], &hrealms)
+        pyafs_error(code)
+        self.realm = hrealms[0]
+        krb5_free_host_realm(context, hrealms)
+        krb5_free_context(context)
+
+        self.cell = info.name
+
         if sec > 0:
             strncpy(prin.cell, info.name, sizeof(prin.cell))
             prin.instance[0] = 0
@@ -209,18 +269,18 @@ cdef class PTS:
         ubik_ClientDestroy(self.client)
         rx_Finalize()
 
-    def NameOrId(self, ident):
+    def _NameOrId(self, ident):
         """
         Given an identifier, convert it to a PTS ID by looking up the
         name if it's a string, or otherwise just converting it to an
         integer.
         """
-        if isinstance(ident, (str, unicode)):
-            return self.NameToId(ident)
+        if isinstance(ident, basestring):
+            return self._NameToId(ident)
         else:
             return int(ident)
 
-    def NameToId(self, name):
+    def _NameToId(self, name):
         """
         Converts a user or group to an AFS ID.
         """
@@ -243,7 +303,7 @@ cdef class PTS:
         pyafs_error(code)
         return id
 
-    def IdToName(self, id):
+    def _IdToName(self, id):
         """
         Convert an AFS ID to the name of a user or group.
         """
@@ -268,7 +328,7 @@ cdef class PTS:
         pyafs_error(code)
         return name
 
-    def CreateUser(self, name, id=None):
+    def _CreateUser(self, name, id=None):
         """
         Create a new user in the protection database. If an ID is
         provided, that one will be used.
@@ -288,7 +348,7 @@ cdef class PTS:
         pyafs_error(code)
         return cid
 
-    def CreateGroup(self, name, owner, id=None):
+    def _CreateGroup(self, name, owner, id=None):
         """
         Create a new group in the protection database. If an ID is
         provided, that one will be used.
@@ -296,7 +356,7 @@ cdef class PTS:
         cdef afs_int32 code, cid
 
         name = name[:PR_MAXNAMELEN].lower()
-        oid = self.NameOrId(owner)
+        oid = self._NameOrId(owner)
 
         if id is not None:
             cid = id
@@ -307,38 +367,38 @@ cdef class PTS:
         pyafs_error(code)
         return cid
 
-    def Delete(self, ident):
+    def _Delete(self, ident):
         """
         Delete the protection database entry with the provided
         identifier.
         """
         cdef afs_int32 code
-        cdef afs_int32 id = self.NameOrId(ident)
+        cdef afs_int32 id = self._NameOrId(ident)
 
         code = ubik_PR_Delete(self.client, 0, id)
         pyafs_error(code)
 
-    def AddToGroup(self, user, group):
+    def _AddToGroup(self, user, group):
         """
         Add the given user to the given group.
         """
         cdef afs_int32 code
-        cdef afs_int32 uid = self.NameOrId(user), gid = self.NameOrId(group)
+        cdef afs_int32 uid = self._NameOrId(user), gid = self._NameOrId(group)
 
         code = ubik_PR_AddToGroup(self.client, 0, uid, gid)
         pyafs_error(code)
 
-    def RemoveFromGroup(self, user, group):
+    def _RemoveFromGroup(self, user, group):
         """
         Remove the given user from the given group.
         """
         cdef afs_int32 code
-        cdef afs_int32 uid = self.NameOrId(user), gid = self.NameOrId(group)
+        cdef afs_int32 uid = self._NameOrId(user), gid = self._NameOrId(group)
 
         code = ubik_PR_RemoveFromGroup(self.client, 0, uid, gid)
         pyafs_error(code)
 
-    def ListMembers(self, ident):
+    def _ListMembers(self, ident):
         """
         Get the membership of an entity.
 
@@ -355,7 +415,7 @@ cdef class PTS:
         cdef int i
         cdef object members = []
 
-        cdef afs_int32 id = self.NameOrId(ident)
+        cdef afs_int32 id = self._NameOrId(ident)
 
         alist.prlist_len = 0
         alist.prlist_val = NULL
@@ -367,13 +427,11 @@ cdef class PTS:
                 members.append(alist.prlist_val[i])
             free(alist.prlist_val)
 
-        if over:
-            code = PRTOOMANY
         pyafs_error(code)
 
         return members
 
-    def ListOwned(self, owner):
+    def _ListOwned(self, owner):
         """
         Get all groups owned by an entity.
         """
@@ -382,7 +440,7 @@ cdef class PTS:
         cdef int i
         cdef object owned = []
 
-        cdef afs_int32 oid = self.NameOrId(owner)
+        cdef afs_int32 oid = self._NameOrId(owner)
 
         alist.prlist_len = 0
         alist.prlist_val = NULL
@@ -394,13 +452,11 @@ cdef class PTS:
                 owned.append(alist.prlist_val[i])
             free(alist.prlist_val)
 
-        if over:
-            code = PRTOOMANY
         pyafs_error(code)
 
         return owned
 
-    def ListEntry(self, ident):
+    def _ListEntry(self, ident):
         """
         Load a PTEntry instance with information about the provided
         entity.
@@ -409,7 +465,7 @@ cdef class PTS:
         cdef prcheckentry centry
         cdef object entry = PTEntry()
 
-        cdef afs_int32 id = self.NameOrId(ident)
+        cdef afs_int32 id = self._NameOrId(ident)
 
         code = ubik_PR_ListEntry(self.client, 0, id, &centry)
         pyafs_error(code)
@@ -417,7 +473,7 @@ cdef class PTS:
         _ptentry_from_c(entry, &centry)
         return entry
 
-    def ChangeEntry(self, ident, newname=None, newid=None, newoid=None):
+    def _ChangeEntry(self, ident, newname=None, newid=None, newoid=None):
         """
         Change the name, ID, and/or owner of a PTS entity.
 
@@ -428,10 +484,10 @@ cdef class PTS:
         cdef afs_int32 c_newid = 0, c_newoid = 0
         cdef char * c_newname
 
-        cdef afs_int32 id = self.NameOrId(ident)
+        cdef afs_int32 id = self._NameOrId(ident)
 
         if newname is None:
-            newname = self.IdToName(id)
+            newname = self._IdToName(id)
         c_newname = newname
         if newid is not None:
             c_newid = newid
@@ -441,21 +497,21 @@ cdef class PTS:
         code = ubik_PR_ChangeEntry(self.client, 0, id, c_newname, c_newoid, c_newid)
         pyafs_error(code)
 
-    def IsAMemberOf(self, user, group):
+    def _IsAMemberOf(self, user, group):
         """
         Return True if the given user is a member of the given group.
         """
         cdef afs_int32 code
         cdef afs_int32 flag
 
-        cdef afs_int32 uid = self.NameOrId(user), gid = self.NameOrId(group)
+        cdef afs_int32 uid = self._NameOrId(user), gid = self._NameOrId(group)
 
         code = ubik_PR_IsAMemberOf(self.client, 0, uid, gid, &flag)
         pyafs_error(code)
 
         return bool(flag)
 
-    def ListMax(self):
+    def _ListMax(self):
         """
         Return a tuple of the maximum user ID and the maximum group
         ID currently assigned.
@@ -467,7 +523,7 @@ cdef class PTS:
 
         return (uid, gid)
 
-    def SetMaxUserId(self, id):
+    def _SetMaxUserId(self, id):
         """
         Set the maximum currently assigned user ID (the next
         automatically assigned UID will be id + 1)
@@ -477,7 +533,7 @@ cdef class PTS:
         code = ubik_PR_SetMax(self.client, 0, id, 0)
         pyafs_error(code)
 
-    def SetMaxGroupId(self, id):
+    def _SetMaxGroupId(self, id):
         """
         Set the maximum currently assigned user ID (the next
         automatically assigned UID will be id + 1)
@@ -487,7 +543,7 @@ cdef class PTS:
         code = ubik_PR_SetMax(self.client, 0, id, PRGRP)
         pyafs_error(code)
 
-    def ListEntries(self, users=None, groups=None):
+    def _ListEntries(self, users=None, groups=None):
         """
         Return a list of PTEntry instances representing all entries in
         the PRDB.
@@ -525,7 +581,7 @@ cdef class PTS:
 
         return entries
 
-    def SetFields(self, ident, access=None, groups=None, users=None):
+    def _SetFields(self, ident, access=None, groups=None, users=None):
         """
         Update the fields for an entry.
 
@@ -537,7 +593,7 @@ cdef class PTS:
         cdef afs_int32 code
         cdef afs_int32 mask = 0, flags = 0, nusers = 0, ngroups = 0
 
-        cdef afs_int32 id = self.NameOrId(ident)
+        cdef afs_int32 id = self._NameOrId(ident)
 
         if access is not None:
             flags = access
@@ -551,3 +607,90 @@ cdef class PTS:
 
         code = ubik_PR_SetFieldsEntry(self.client, 0, id, mask, flags, ngroups, nusers, 0, 0)
         pyafs_error(code)
+
+    def _AfsToKrb5(self, afs_name):
+        """Convert an AFS principal to a Kerberos v5 one."""
+        cdef krb5_context ctx = NULL
+        cdef krb5_principal princ = NULL
+        cdef krb5_error_code code = 0
+        cdef char * krb5_princ = NULL
+        cdef char *name = NULL, *inst = NULL, *realm = NULL
+        cdef object pname, pinst, prealm
+
+        if '@' in afs_name:
+            pname, prealm = afs_name.rsplit('@', 1)
+            prealm = prealm.upper()
+            krb4_name = '%s@%s' % (pname, prealm)
+        else:
+            krb4_name = '%s@%s' % (afs_name, self.realm)
+
+        pname, pinst, prealm = kname_parse(krb4_name)
+        if pname:
+            name = pname
+        if pinst:
+            inst = pinst
+        if prealm:
+            realm = prealm
+
+        code = krb5_init_context(&ctx)
+        try:
+            pyafs_error(code)
+
+            code = krb5_425_conv_principal(ctx, name, inst, realm, &princ)
+            try:
+                pyafs_error(code)
+
+                code = krb5_unparse_name(ctx, princ, &krb5_princ)
+                try:
+                    pyafs_error(code)
+
+                    return krb5_princ
+                finally:
+                    if krb5_princ is not NULL:
+                        free(krb5_princ)
+            finally:
+                if princ is not NULL:
+                    krb5_free_principal(ctx, princ)
+        finally:
+            if ctx is not NULL:
+                krb5_free_context(ctx)
+
+    def _Krb5ToAfs(self, krb5_name):
+        """Convert a Kerberos v5 principal to an AFS one."""
+        cdef krb5_context ctx = NULL
+        cdef krb5_principal k5_princ = NULL
+        cdef char *k4_name, *k4_inst, *k4_realm
+        cdef object afs_princ
+        cdef object afs_name, afs_realm
+
+        k4_name = <char *>malloc(40)
+        k4_name[0] = '\0'
+        k4_inst = <char *>malloc(40)
+        k4_inst[0] = '\0'
+        k4_realm = <char *>malloc(40)
+        k4_realm[0] = '\0'
+
+        code = krb5_init_context(&ctx)
+        try:
+            pyafs_error(code)
+
+            code = krb5_parse_name(ctx, krb5_name, &k5_princ)
+            try:
+                pyafs_error(code)
+
+                code = krb5_524_conv_principal(ctx, k5_princ, k4_name, k4_inst, k4_realm)
+                pyafs_error(code)
+
+                afs_princ = kname_unparse(k4_name, k4_inst, k4_realm)
+                afs_name, afs_realm = afs_princ.rsplit('@', 1)
+
+                if k4_realm == self.realm:
+                    return afs_name
+                else:
+                    return '%s@%s' % (afs_name, afs_realm.lower())
+            finally:
+                if k5_princ is not NULL:
+                    krb5_free_principal(ctx, k5_princ)
+        finally:
+            if ctx is not NULL:
+                krb5_free_context(ctx)