[Compiled Python 2.6 bytecode (.pyc) of /usr/lib/python2.6/site-packages/ipalib/krb_utils.py; the binary has been stripped and only the recoverable module structure and docstrings are kept below.]

Module imports: krbV, time, re, and everything from ipapython.ipa_log_manager.

Module constants: KRB5_GC_CACHED, KRB5_CC_NOTFOUND, KRB5_FCC_NOFILE, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, KRB5_FCC_PERM, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE, krb_ticket_expiration_threshold, krb5_time_fmt = '%m/%d/%y %H:%M:%S', and ccache_name_re = re.compile('^((\w+):)?(.+)').

krb5_parse_ccache(ccache_name)
    Given a Kerberos ccache name parse it into its scheme and location components. Currently valid values for the scheme are:
    * FILE
    * MEMORY
    The scheme is always returned as upper case. If the scheme does not exist it defaults to FILE.
    :parameters:
        ccache_name  The name of the Kerberos ccache.
    :returns:
        A two-tuple of (scheme, ccache). Raises ValueError('Invalid ccache name = "%s"') if the name does not match ccache_name_re.

krb5_unparse_ccache(scheme, name)
    Returns '%s:%s' % (scheme.upper(), name).

krb5_format_principal_name(user, realm)
    Given a Kerberos user principal name and a Kerberos realm return the Kerberos V5 user principal name ('%s@%s').
    :parameters:
        user   User principal name.
        realm  The Kerberos realm the user exists in.
    :returns:
        Kerberos V5 user principal name.

krb5_format_service_principal_name(service, host, realm)
    Given a Kerberos service principal name, the host where the service is running and a Kerberos realm return the Kerberos V5 service principal name ('%s/%s@%s').
    :parameters:
        service  Service principal name.
        host     The DNS name of the host where the service is located.
        realm    The Kerberos realm the service exists in.
    :returns:
        Kerberos V5 service principal name.

krb5_format_tgt_principal_name(realm)
    Given a Kerberos realm return the Kerberos V5 TGT name, i.e. krb5_format_service_principal_name('krbtgt', realm, realm).
    :parameters:
        realm  The Kerberos realm the TGT exists in.
    :returns:
        Kerberos V5 TGT name.

krb5_format_time(timestamp)
    Given a UNIX timestamp format it into a string in the same manner the MIT Kerberos library does (time.strftime(krb5_time_fmt, time.localtime(timestamp))). Kerberos timestamps are always in local time.
    :parameters:
        timestamp  Unix timestamp
    :returns:
        formatted string

class KRB5_CCache(object)
    Kerberos stores a TGT (Ticket Granting Ticket) and the service tickets bound to it in a ccache (credentials cache). ccaches are bound to a Kerberos user principal. This class opens a Kerberos ccache and allows one to manipulate it. Most useful is the extraction of ticket entries (creds) in the ccache and the ability to examine their attributes.

    __init__(self, ccache)
        :parameters:
            ccache  The name of a Kerberos ccache used to hold Kerberos tickets.
        :returns:
            `KRB5_CCache` object encapsulating the ccache. Opens the ccache with krbV.CCache in the default krbV context; a krbV.Krb5Error whose code is KRB5_FCC_NOFILE is re-raised as ValueError('"%s", ccache="%s"'), any other Krb5Error is re-raised unchanged.

    ccache_str(self)
        A Kerberos ccache is identified by a name comprised of a scheme and location component. This function returns that canonical name ('%s:%s'). See `krb5_parse_ccache()`.
        :returns:
            The name of the ccache with its scheme and location components.

    __str__(self)
        Returns 'cache="%s" principal="%s"'.

    get_credentials(self, principal)
        Given a Kerberos principal return the krbV credentials tuple describing the credential. If the principal does not exist in the ccache a KeyError is raised.
        :parameters:
            principal  The Kerberos principal whose ticket is being retrieved. The principal may be either a string formatted as a Kerberos V5 principal or it may be a `krbV.Principal` object.
        :returns:
            A krbV credentials tuple (looked up with the KRB5_GC_CACHED flag). If the principal is not in the ccache a KeyError('"%s" credential not found in "%s" ccache') is raised.

    get_credential_times(self, principal)
        Given a Kerberos principal return the ticket timestamps if the principal's ticket in the ccache is valid. If the principal does not exist in the ccache a KeyError is raised. The returned credential time values are Unix timestamps in localtime. The returned timestamps are:
            authtime    The time when the ticket was issued.
            starttime   The time when the ticket becomes valid.
            endtime     The time when the ticket expires.
            renew_till  The time when the ticket becomes no longer renewable (if renewable).
        :parameters:
            principal  The Kerberos principal whose ticket is being validated. The principal may be either a string formatted as a Kerberos V5 principal or it may be a `krbV.Principal` object.
        :returns:
            authtime, starttime, endtime, renew_till

    credential_is_valid(self, principal)
        Given a Kerberos principal return a boolean indicating if the principal's ticket in the ccache is valid. If the ticket is not in the ccache False is returned. If the ticket exists in the ccache its validity is checked (against time.time()) and returned.
        :parameters:
            principal  The Kerberos principal whose ticket is being validated. The principal may be either a string formatted as a Kerberos V5 principal or it may be a `krbV.Principal` object.
        :returns:
            True if the principal's ticket exists and is valid. False if the ticket does not exist or if the ticket is not valid.

    valid(self, host, realm)
        Test to see if the ldap service ticket or the TGT is valid. (The service ticket checked is the 'HTTP' service principal for host in realm.)
        :parameters:
            host   ldap server
            realm  kerberos realm
        :returns:
            True if either the ldap service ticket or the TGT is valid, False otherwise.

    endtime(self, host, realm)
        Returns the minimum endtime for tickets of interest (ldap service or TGT); logs 'KRB5_CCache %s endtime=%s (%s)' with the result and its krb5_format_time() rendering.
        :parameters:
            host   ldap server
            realm  kerberos realm
        :returns:
            UNIX timestamp value.