Class: KerberosAuthenticator::Krb5::Creds

Inherits:
Object
Defined in:
lib/kerberos_authenticator/krb5/creds.rb

Overview

Credentials, or tickets, provided by a KDC for a user.

Constant Summary

SIZE_OF_KRB5_CREDS = 480

The size, in bytes, of the krb5_creds structure. This differs between implementations and architectures, so it must match the libkrb5 build the gem is loaded against: the buffer allocated with it in .initial_creds_for_principal_with_a_password is written to by krb5_get_init_creds_password, and a value smaller than the library's sizeof(krb5_creds) means that write runs past the end of the buffer.

Constructor Details

#initialize(ptr) ⇒ Creds

Initialize a new Creds with a pointer to a krb5_creds structure.

Parameters:

  • ptr (FFI::MemoryPointer)


# File 'lib/kerberos_authenticator/krb5/creds.rb', line 49

def initialize(ptr)
  # HACK: AutoPointer won't accept a MemoryPointer, only a Pointer.
  # Disable the MemoryPointer's own finalizer so it cannot free the buffer
  # out from under the AutoPointer; from here on the AutoPointer owns the address.
  ptr.autorelease = false
  ptr = FFI::Pointer.new(ptr)

  # When this object is garbage collected, .release frees the krb5_creds
  # contents (the strings, keyblock and ticket libkrb5 allocated). Nothing
  # here frees the SIZE_OF_KRB5_CREDS-byte buffer itself.
  ptr = FFI::AutoPointer.new ptr, self.class.method(:release)

  @ptr = ptr
end

Instance Attribute Details

#ptr ⇒ FFI::Pointer (readonly)

Returns the pointer to the wrapped krb5_creds struct.

Returns:

  • (FFI::Pointer)

    the pointer to the wrapped krb5_creds struct



# File 'lib/kerberos_authenticator/krb5/creds.rb', line 18

Class Method Details

.initial_creds_for_principal_with_a_password(principal, password, service = nil) ⇒ Creds

Requests initial credentials for principal using password from a KDC.

Parameters:

  • principal (Principal)

    the user’s Principal

  • password (String)

    the user’s password

  • service (String) (defaults to: nil)

    the service name used when requesting the credentials

Returns:

  • (Creds)

    the initial credentials issued by the KDC

Raises:

  • (Error)

    if a KDC for the principal can’t be contacted

  • (Error)

    if preauthentication fails

# File 'lib/kerberos_authenticator/krb5/creds.rb', line 37

def self.initial_creds_for_principal_with_a_password(principal, password, service = nil)
  raise TypeError, 'expected Principal' unless principal.is_a? Principal

  # libkrb5 fills a caller-supplied krb5_creds; SIZE_OF_KRB5_CREDS must be
  # at least sizeof(krb5_creds) for the loaded library.
  ptr = FFI::MemoryPointer.new :char, SIZE_OF_KRB5_CREDS
  # Arguments after password: no prompter, no prompter data, start_time 0
  # (now), the optional service name, no extra get_init_creds options.
  Krb5.get_init_creds_password(Context.context.ptr, ptr, principal.ptr, password.to_str, nil, nil, 0, service, nil)

  new(ptr)
end

.release(pointer) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Frees the contents of the Creds structure



141
142
143
# File 'lib/kerberos_authenticator/krb5/creds.rb', line 141

def self.release(pointer)
  Krb5.free_cred_contents(Context.context.ptr, pointer)
end

Instance Method Details

#set_password(newpw, change_password_for = nil) ⇒ TrueClass

Sets a password for a principal using these Creds. The Creds should be for the ‘kadmin/changepw’ service, i.e. obtained by passing 'kadmin/changepw' as the service argument to .initial_creds_for_principal_with_a_password. When change_password_for is nil, the password of the principal these Creds were issued to is changed.

Parameters:

  • newpw (String)

    the new password

  • change_password_for (Principal) (defaults to: nil)

    the Principal to change the password for

Returns:

  • (TrueClass)

    always returns true if no error was raised

Raises:

  • (Error)

    if there is a problem making the password change request

  • (Error)

    if server responds that the password change request failed

# File 'lib/kerberos_authenticator/krb5/creds.rb', line 122

def set_password(newpw, change_password_for = nil)
  # A NULL principal tells libkrb5 to change the password of the principal
  # these Creds belong to.
  change_password_for_ptr = change_password_for ? change_password_for.ptr : nil

  # Out-parameters filled by krb5_set_password: the kpasswd result code and
  # two krb5_data buffers carrying the server's textual result.
  result_code = FFI::MemoryPointer.new :int
  result_code_string = Data.new
  result_string = Data.new

  Krb5.set_password(Context.context.ptr, ptr, newpw, change_password_for_ptr, result_code, result_code_string.pointer, result_string.pointer)

  # A result code of 0 means the server accepted the change; anything else is
  # a refusal, and the server's explanation is passed along in result_string.
  result_code = result_code.read_uint
  result_string = result_string.read_string.force_encoding('UTF-8')
  raise SetPassError.new(result_code, result_string) if result_code > 0

  true
end

#verify(nofail = false, server_principal = nil, keytab = nil) ⇒ TrueClass

Attempts to verify that these Creds were obtained from a KDC with knowledge of a key in keytab. This is the step that makes a password check trustworthy: .initial_creds_for_principal_with_a_password only proves that whatever answered as the KDC accepted the password, whereas verification uses the Creds to obtain a ticket for server_principal and checks that ticket against the local key in keytab, so a forged KDC reply cannot pass. Note that with nofail false, verification succeeds silently when no keytab information is available; use #verify! for a password check.

Parameters:

  • nofail (Boolean) (defaults to: false)

    whether to raise an Error if no keytab information is available

  • server_principal (Principal) (defaults to: nil)

    the server principal to use when choosing an entry in keytab

  • keytab (Keytab) (defaults to: nil)

    the key table containing a key that the KDC should know

Returns:

  • (TrueClass)

    always returns true if no error was raised

Raises:

  • (Error)

    if nofail is true and no keytab information is available

  • (Error)

    if the KDC did not have knowledge of the key requested

# File 'lib/kerberos_authenticator/krb5/creds.rb', line 94

def verify(nofail = false, server_principal = nil, keytab = nil)
  # krb5_verify_init_creds_opt is two ints: flags and ap_req_nofail.
  verify_creds_opt = FFI::MemoryPointer.new :int, 2
  Krb5.verify_init_creds_opt_init(verify_creds_opt)
  # With ap_req_nofail false, libkrb5 reports success when it has no keytab
  # entry to check against; with it true, that situation is an error.
  Krb5.verify_init_creds_opt_set_ap_req_nofail(verify_creds_opt, nofail)

  server_princ_ptr = server_principal ? server_principal.ptr : nil

  # libkrb5 builds flagged by this class variable require an explicit server
  # principal, so fall back to host/<this host> when none was given.
  if @@KRB5_DOES_NOT_SUPPORT_MISSING_SERVER_PRINCIPAL and !server_princ_ptr
    server_principal = Principal.new_with_name("host/#{Socket.gethostname}")
    server_princ_ptr = server_principal.ptr
  end

  keytab_ptr = keytab ? keytab.ptr : nil

  # No credential cache is passed (nil), so the service ticket obtained for
  # verification is discarded afterwards.
  Krb5.verify_init_creds(Context.context.ptr, ptr, server_princ_ptr, keytab_ptr, nil, verify_creds_opt)

  true
end

#verify!(server_principal = nil, keytab = nil) ⇒ TrueClass

Calls #verify with nofail as true.

Returns:

  • (TrueClass)

    always returns true if no error was raised

# File 'lib/kerberos_authenticator/krb5/creds.rb', line 77

def verify!(server_principal = nil, keytab = nil)
  verify(true, server_principal, keytab)
end
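Putting .initial_creds_for_principal_with_a_password and #verify! together, the following is an added example, not code from the kerberos_authenticator gem, of a password check that only reports success once the ticket has also been verified against a keytab, so that a forged KDC reply cannot authenticate anyone. It assumes the gem is loadable as 'kerberos_authenticator' and exposes KerberosAuthenticator::Krb5::Error; when it is not loadable, a stand-in Error class is defined so the logic runs offline. The PasswordLogin module, its outcome symbols and the creds_for callable are this example's own names; with the gem, creds_for would wrap Creds.initial_creds_for_principal_with_a_password as shown in the comment.

```ruby
# Added example; not part of the kerberos_authenticator gem.
begin
  require 'kerberos_authenticator'
rescue LoadError
  # Constructed stand-in so the example runs without the gem or libkrb5.
  module KerberosAuthenticator
    module Krb5
      class Error < StandardError; end
    end
  end
end

module PasswordLogin
  Krb5Error = KerberosAuthenticator::Krb5::Error

  # Outcomes:
  #   :ok          the KDC issued a ticket for the password AND that ticket was
  #                verified against a service key in +keytab+
  #   :denied      the KDC refused (wrong password, preauthentication failure)
  #                or could not be contacted; both raise Krb5::Error in the gem
  #   :unverified  a ticket was issued but could not be verified: no keytab was
  #                configured, or the KDC did not know the keytab's key
  #
  # +creds_for+ is a callable (principal_name, password) -> object responding
  # to verify!(server_principal, keytab). With the gem it would be:
  #   ->(n, pw) { Creds.initial_creds_for_principal_with_a_password(Principal.new_with_name(n), pw) }
  # +keytab+ is the host's Keytab (assumed to be obtained elsewhere).
  def self.authenticate(principal_name, password, keytab, creds_for:)
    # Refuse to run the check at all without a keytab. Creds#verify with
    # nofail=false would pass silently when it has nothing to verify against,
    # which is exactly the KDC-spoofing hole; failing here keeps that explicit.
    return :unverified if keytab.nil?

    # Policy of this example: an empty password is never a valid credential,
    # so reject it before contacting the KDC.
    return :denied if password.nil? || password.empty?

    creds = begin
      creds_for.call(principal_name, password)
    rescue Krb5Error
      return :denied
    end

    # nofail=true: a missing keytab entry is an error, not a silent pass.
    begin
      creds.verify!(nil, keytab)
    rescue Krb5Error
      return :unverified
    end

    :ok
  end
end
```

A caller should treat both :denied and :unverified as a failed login; the distinction exists only so that :unverified can be logged loudly, since it means either a misconfigured host keytab or a KDC reply that did not come from a KDC holding the host's key.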