2021-12-11 16:30:18 -05:00
|
|
|
import ceod.utils as ceod_utils
|
2021-08-23 19:01:24 -04:00
|
|
|
import contextlib
|
|
|
|
|
import os
|
2021-12-11 16:30:18 -05:00
|
|
|
import grp
|
|
|
|
|
import pwd
|
2021-08-23 19:01:24 -04:00
|
|
|
import subprocess
|
|
|
|
|
from subprocess import DEVNULL
|
|
|
|
|
import tempfile
|
2021-12-11 16:30:18 -05:00
|
|
|
from unittest.mock import patch
|
2021-08-23 19:01:24 -04:00
|
|
|
|
2021-08-25 22:19:18 -04:00
|
|
|
import gssapi
|
|
|
|
|
import pytest
|
2021-08-23 19:01:24 -04:00
|
|
|
|
2021-08-25 22:19:18 -04:00
|
|
|
|
|
|
|
|
# map principals to GSSAPI credentials
|
|
|
|
|
_cache = {}
|
2021-08-23 19:01:24 -04:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@contextlib.contextmanager
|
2021-08-28 01:51:48 -04:00
|
|
|
def gssapi_token_ctx(principal: str):
|
2021-08-23 19:01:24 -04:00
|
|
|
"""
|
|
|
|
|
Temporarily set KRB5CCNAME to a ccache storing credentials
|
2021-08-25 22:19:18 -04:00
|
|
|
for the specified user, and yield the GSSAPI credentials.
|
2021-08-23 19:01:24 -04:00
|
|
|
"""
|
|
|
|
|
old_krb5ccname = os.environ['KRB5CCNAME']
|
|
|
|
|
try:
|
2021-08-25 22:19:18 -04:00
|
|
|
if principal not in _cache:
|
2021-08-23 19:01:24 -04:00
|
|
|
f = tempfile.NamedTemporaryFile()
|
|
|
|
|
os.environ['KRB5CCNAME'] = 'FILE:' + f.name
|
|
|
|
|
args = ['kinit', principal]
|
|
|
|
|
if principal == 'ceod/admin':
|
|
|
|
|
args = ['kinit', '-k', principal]
|
|
|
|
|
subprocess.run(
|
2021-08-25 22:19:18 -04:00
|
|
|
args, stdout=DEVNULL, text=True, input='krb5', check=True)
|
|
|
|
|
creds = gssapi.Credentials(name=gssapi.Name(principal), usage='initiate')
|
|
|
|
|
# Keep the credential cache files around as long as the creds are
|
|
|
|
|
# used, otherwise we get a "Invalid credential was supplied" error
|
|
|
|
|
_cache[principal] = creds, f
|
2021-08-23 19:01:24 -04:00
|
|
|
else:
|
2021-08-25 22:19:18 -04:00
|
|
|
creds, f = _cache[principal]
|
|
|
|
|
os.environ['KRB5CCNAME'] = 'FILE:' + f.name
|
2021-08-28 01:51:48 -04:00
|
|
|
yield creds.export()
|
2021-08-23 19:01:24 -04:00
|
|
|
finally:
|
|
|
|
|
os.environ['KRB5CCNAME'] = old_krb5ccname
|
2021-08-25 22:19:18 -04:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.fixture(scope='session', autouse=True)
|
|
|
|
|
def ccache_cleanup():
|
|
|
|
|
"""Make sure the ccache files get deleted at the end of the tests."""
|
|
|
|
|
yield
|
|
|
|
|
_cache.clear()
|
2021-12-11 16:30:18 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@contextlib.contextmanager
|
|
|
|
|
def gen_password_mock_ctx():
|
|
|
|
|
with patch.object(ceod_utils, 'gen_password') as mock:
|
|
|
|
|
mock.return_value = 'krb5'
|
|
|
|
|
yield
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@contextlib.contextmanager
|
|
|
|
|
def mocks_for_create_user_ctx():
|
|
|
|
|
with gen_password_mock_ctx(), \
|
|
|
|
|
patch.object(pwd, 'getpwuid') as getpwuid_mock, \
|
|
|
|
|
patch.object(grp, 'getgrgid') as getgrgid_mock:
|
|
|
|
|
# Normally, if getpwuid or getgrgid do *not* raise a KeyError,
|
|
|
|
|
# then LDAPService will skip that UID. Therefore, by raising a
|
|
|
|
|
# KeyError, we are making sure that the UID will *not* be skipped.
|
|
|
|
|
getpwuid_mock.side_effect = KeyError()
|
|
|
|
|
getgrgid_mock.side_effect = KeyError()
|
|
|
|
|
yield
|
