Skip to content

add krb5.aname_to_localname() #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pseudometric wants to merge 3 commits into
base: main
Choose a base branch
from
Open

add krb5.aname_to_localname() #19

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cda1e05
Have krb5.init_context() raise an exception on error.
pseudometric Oct 31, 2022
d141410
add krb5_aname_to_localname()
pseudometric Oct 31, 2022
da355d7
Revert "Have krb5.init_context() raise an exception on error."
pseudometric Nov 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -235,6 +235,7 @@ def get_krb5_lib_path(
("principal_heimdal", "krb5_principal_get_realm"),
"string",
("string_mit", "krb5_enctype_to_name"),
"localauth",
]:
name = e
canary = None
Expand Down
2 changes: 2 additions & 0 deletions src/krb5/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@
kt_remove_entry,
kt_resolve,
)
from krb5._localauth import aname_to_localname
from krb5._principal import (
Principal,
PrincipalParseFlags,
Expand All @@ -81,6 +82,7 @@
"Principal",
"PrincipalParseFlags",
"PrincipalUnparseFlags",
"aname_to_localname",
"cc_default",
"cc_default_name",
"cc_destroy",
Expand Down
23 changes: 23 additions & 0 deletions src/krb5/_localauth.pyi
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Copyright: (c) 2022 Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)

from krb5._context import Context
from krb5._principal import Principal

def aname_to_localname(context: Context, principal: Principal) -> str:
"""Translate a Kerberos principal to an authorization ID ("local name").

Using configured rules, translate a Kerberos principal name to a
string suitable for use in authorization rules; often, this means
mapping it to a username for the host OS. See krb5.conf(5)
"localauth interface" for details.

Args:
context: krb5 context
principal: principal name to translate

Returns:
str: translation
Copy link
Copy Markdown
Owner

@jborean93 jborean93 Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if Google doc strings support this format. Usually I do

    Returns:
        Optional[str]: Details about what it returns and when it could
        be None.

None: principal has no translation
(krb5_aname_to_localname() returns KRB5_LNAME_NOTRANS)
"""
47 changes: 47 additions & 0 deletions src/krb5/_localauth.pyx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Copyright: (c) 2022 Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)

from libc.stdlib cimport free, malloc

from krb5._exceptions import Krb5Error

from krb5._context cimport Context
from krb5._krb5_types cimport *
from krb5._principal cimport Principal


cdef extern from "python_krb5.h":

krb5_error_code krb5_aname_to_localname(
krb5_context context,
krb5_const_principal aname,
int lnsize,
Copy link
Copy Markdown
Owner

@jborean93 jborean93 Nov 1, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at Heimdal, this is declared as size_t https://github.com/heimdal/heimdal/blob/fa92fe37e7ed1cfbe546fd617d712f47c55e35b9/lib/krb5/aname_to_localname.c#L299. I'm no expert at C or how the ABIs work but I would have thought this could potentially cause some problems.

It might require some trickery that we do in _keyblock.pyx to define a generic function but use compiler directives to cast as needed to size_t on Heimdal.

Considering the code passes and the compiler doesn't complain, I think it will be fine but it's something to keep in mind.

char *lname_out
) nogil

krb5_error_code KRB5_LNAME_NOTRANS

def aname_to_localname(
context: Context,
principal: Principal
) -> str:
Copy link
Copy Markdown
Owner

@jborean93 jborean93 Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comments about bytes, but this should also be t.Optional[bytes]: as it can return None.


cdef krb5_error_code err = 0
limit = 256

cdef char *localname = <char *>malloc(limit + 1)
if not localname:
raise MemoryError()

err = krb5_aname_to_localname(context.raw, principal.raw, limit, localname)
# The definition of KRB5_LNAME_NOTRANS in the Heimdal header file
# included in the pykrb5 source appears to be out of date; this is
# the value that actually gets returned in the test -- so I'm just
# adding it here for now.
if err in [KRB5_LNAME_NOTRANS, -1765328227]:
Comment on lines +37 to +41
Copy link
Copy Markdown
Owner

@jborean93 jborean93 Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like -1765328227 is KRB5_NO_LOCALNAME, it's not surprising that Heimdal is returning a different value than MIT. You can even see it in https://github.com/heimdal/heimdal/blob/fa92fe37e7ed1cfbe546fd617d712f47c55e35b9/lib/krb5/aname_to_localname.c#L330 that it is returning KRB5_NO_LOCALNAME. It's been in MIT krb5 and Heimdal for over 10 years so it's probably safe to for years so it's probably safe to do if err in [KRB5_LNAME_NOTRANS, KRB5_NO_LOCALNAME]: with a brief comment as to why we check both.

Just as an FYI the Heimdal headers in the repo are only used for macOS builds as they are not available on the host. If compiling against Heimdal on an actual Linux host it will use the headers from the source you are linking against.

return None
elif err != 0:
free(localname)
Copy link
Copy Markdown
Owner

@jborean93 jborean93 Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You free it here but not in the good case, we should always free any memory we allocate or any memory allocated by the krb5 library.

See kt_default_name which has a similar API to this call. It starts with a fixed buffer and continues to increase it until there is enough space. It also ensures the buffer is freed once it has been allocated using a try/finally and uses strlen to get the size.

I would see the current code looking like

cdef krb5_error_code err = KRB5_CONFIG_NOTENUFSPACE
buffer_size = 1024
buffer_length = buffer_size
cdef char *buffer = <char *>malloc(buffer_length)
if not buffer:
    raise MemoryError()

try:
    while err == KRB5_CONFIG_NOTENUFSPACE:
        err = krb5_aname_to_localname(context.raw, principal.raw, buffer_length, buffer)

        if err == KRB5_CONFIG_NOTENUFSPACE:
            buffer_length += buffer_size

            # Use a temp var to ensure buffer is always something valid to be freed
            new_buffer = <char *>realloc(buffer, buffer_length)
            if not new_buffer:
                raise MemoryError()
            buffer = new_buffer

        elif err in [KRB5_LNAME_NOTRANS, KRB5_NO_LOCALNAME]:
            return None
            
        elif err:
            raise Krb5Error(context, err)

        else:
            name_len = strlen(buffer)
            return <bytes>buffer[:name_len]

finally:
    free(buffer)

I saw in the MIT krb5 and Heimdal tests that they use a buffer size of 1024 and not 256 so I've used that as a base.

Copy link
Copy Markdown
Contributor Author

@pseudometric pseudometric Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the detailed review! Skimming it everything you say makes sense. I'll try to make the changes in the next few days; I won't get to it right away, I'm afraid.

Copy link
Copy Markdown
Contributor Author

@pseudometric pseudometric Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing:

You free it here but not in the good case, we should always free any memory we allocate or any memory allocated by the krb5 library.

I must be missing something: we can't free it in the good case, because we're returning it to the caller. I was assuming that once it's returned it's reified as a Python str object and will be managed (garbage-collected) as usual by Python. Is that not the case?

Ah, maybe it's this: an expression like localname.decode("utf-8") in my original code, your new <bytes>buffer[:name_len], actually creates a Python object from the C string and returns that -- so now it's OK to free the C buffer before returning. Is that it? Pardon my unfamiliarity with Cython.

Copy link
Copy Markdown
Contributor Author

@pseudometric pseudometric Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually thought about the keep-mallocing-until-it's-big-enough strategy, but I didn't because a) I'm suspicious of things that can cause a program to just keep allocating memory endlessly until it crashes; I prefer setting some reasonable limit instead, where it makes sense, and b) it seems pretty unlikely in practice to have such long translations. It's a bit of a tension between different aspects of correctness and safety. But I'm happy to do it this way if you prefer.

Copy link
Copy Markdown
Owner

@jborean93 jborean93 Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I must be missing something: we can't free it in the good case, because we're returning it to the caller. I was assuming that once it's returned it's reified as a Python str object and will be managed (garbage-collected) as usual by Python. Is that not the case?

In that case the use of localname.decode("utf-8") was creating a new object anyway. You still need to cleanup the buffer that was malloc'd to avoid memory leaks as there is nothing tracking the lifetime of it. So in both your original code and the one I'm proposing this buffer needs to be freed regardless as the object returned by the function is a brand new copy based on that original buffer.

I actually thought about the keep-mallocing-until-it's-big-enough strategy, but I didn't because a) I'm suspicious of things that can cause a program to just keep allocating memory endlessly until it crashes

That's a good point, we should probably have a check to see if the buffer_length > ..., maybe 8192? You can probably keep the original code if you want but I recommend increasing the buffer size to 1024 rather than 256 as that's what both Heimdal and MIT krb5 uses for it's tests.

raise Krb5Error(context, err)
else:
return localname.decode("utf-8")
Copy link
Copy Markdown
Owner

@jborean93 jborean93 Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I try to keep these APIs agnostic to encodings as there isn't really one set encoding that the krb5 uses. It might be utf-8 in most cases but that isn't a guarantee. Because of this, char based APIs return bytes and rely on the caller to decode it based on their host setup.

63 changes: 63 additions & 0 deletions tests/test_localauth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# Copyright: (c) 2021 Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)

import os
import tempfile
from typing import Optional

import k5test
import pytest

import krb5


def test_aname_to_localname(realm: k5test.K5Realm) -> None:
Copy link
Copy Markdown
Owner

@jborean93 jborean93 Nov 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have a look at test_cc_cache_match which uses pytests' tmp_path and monkeypatch fixture to deal with temp dirs scoped to the test and monkeypatch.setenv to set env vars that only live for the life of the test. With these it would look something like

def test_aname_to_localname(realm: k5test.K5Realm, tmp_path: pathlib.Path, monkeypatch: pytest.MonkeyPatch) -> None:
    krb5_conf = tmp_path / "krb5.conf"
    with open(krb5_conf, mode="w") as fd:
        fd.write(...)

    monkeypatch.setenv("KRB5_CONFIG", str(krb5_conf))

    ... test code starts here


# require: translation(p) == t
def test(ctx: krb5.Context, p: str, t: Optional[str]) -> None:
assert t == krb5.aname_to_localname(ctx, krb5.parse_name_flags(ctx, p.encode()))

# To test, apply our own krb5.conf with a single translation
# rule. The file is read by krb5_init_context(), so set the
# environment variable before calling that. This overrides the
# default rule, so only matching principals will have a
# translation. Require a 2-instance name in the realm TEST.
#
# ... that's for MIT. Heimdal doesn't appear to have RULE
# translations built in, so use auth_to_local_names instead.
#
# Since environment variables are process-wide, this could mess up
# other tests in a multi-threaded test framework -- but that
# probably won't be an issue here.

with tempfile.NamedTemporaryFile() as config:
saved_conf = os.environ.get("KRB5_CONFIG")
try:
config.write(
b"""
[libdefaults]
default_realm = TEST

[realms]
TEST = {
auth_to_local = RULE:[2:$1:$2@$0](^.*@TEST$)s/@TEST$//
auth_to_local_names = {
heimdal = mapped
}
}
"""
)
config.flush()
os.environ["KRB5_CONFIG"] = config.name
ctx = krb5.init_context()
if realm.provider == "mit":
test(ctx, "foo/bar@TEST", "foo:bar")
test(ctx, "foo@TEST", None)
test(ctx, "foo/bar@WRONG", None)
if realm.provider == "heimdal":
test(ctx, "heimdal", "mapped")
finally:
if saved_conf:
os.environ["KRB5_CONFIG"] = saved_conf
else:
del os.environ["KRB5_CONFIG"]