From 7a7adb7c2e459eca48cc0f18fd5118308680606a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 20 Aug 2019 14:02:53 -0400 Subject: [PATCH 1/4] Revert "Support empty values in gss_key_value_set_desc" Upon further discussion, the cred_store extension designers are opposed to supporting empty values for keys. This reverts commit 2d12ed98b0ab09584e7e3ae657e3f494715f5fe0. --- gssapi/raw/ext_cred_store.pyx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/gssapi/raw/ext_cred_store.pyx b/gssapi/raw/ext_cred_store.pyx index 0a65fe0a..9ee57c36 100644 --- a/gssapi/raw/ext_cred_store.pyx +++ b/gssapi/raw/ext_cred_store.pyx @@ -83,8 +83,7 @@ cdef gss_key_value_set_desc* c_create_key_value_set(dict values) except NULL: for (i, (k, v)) in enumerate(values.items()): res.elements[i].key = k - if v: - res.elements[i].value = v + res.elements[i].value = v return res From fb37f4c9ab391d9bfb4f48e711d804c1425a6000 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 20 Aug 2019 14:10:48 -0400 Subject: [PATCH 2/4] [docs] Clean up cred store extension reference --- docs/source/credstore.rst | 49 +++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/docs/source/credstore.rst b/docs/source/credstore.rst index 32d8a3ee..895f3f3a 100644 --- a/docs/source/credstore.rst +++ b/docs/source/credstore.rst @@ -2,16 +2,16 @@ Common Values for Credentials Store Extensions ============================================== The credentials store extension is an extension introduced by the MIT krb5 -library implementation of GSSAPI. It allows for finer control of credentials -from within a GSSAPI application. -Each mechanism can define keywords to manipulate various aspects of their -credentials for storage or retrieval operations. +library implementation of GSSAPI. It allows for finer control of credentials +from within a GSSAPI application. Each mechanism can define keywords to +manipulate various aspects of their credentials for storage or retrieval +operations. .. note: - Only mechanisms that implement keywords can use them, some mechanism may - share the same or similar keywords, but their meaning is always local to - a specific mechanism. + Only mechanisms that implement keywords can use them: some mechanisms may + share the same or similar keywords, but their meaning is always local to a + specific mechanism. The krb5 mechanism in MIT libraries ----------------------------------- @@ -24,12 +24,13 @@ client_keytab The `client_keytab` keyword can be used in a credential store when it is used with the :func:`gssapi.raw.ext_cred_store.acquire_cred_from` / -:func:`gssapi.raw.ext_cred_store.add_cred_from` functions, to indicate a -custom location for a keytab containing client keys. -It is not used in the context of calls used to store credentials. +:func:`gssapi.raw.ext_cred_store.add_cred_from` functions to indicate a custom +location for a keytab containing client keys. It is not used in the context +of calls used to store credentials. + The value is a string in the form **type:residual** where **type** can be any keytab storage type understood by the implementation and **residual** is the -keytab identifier (usually something like a path). If the string is just a path +keytab identifier (usually something like a path). If the string is a path, then the type is defaulted to `FILE`. keytab @@ -37,12 +38,13 @@ keytab The `keytab` keyword can be used in a credential store when it is used with the :func:`gssapi.raw.ext_cred_store.acquire_cred_from` / -:func:`gssapi.raw.ext_cred_store.add_cred_from` functions, to indicate a -custom location for a keytab containing service keys. -It is not used in the context of calls used to store credentials. +:func:`gssapi.raw.ext_cred_store.add_cred_from` functions to indicate a custom +location for a keytab containing service keys. It is not used in the context +of calls used to store credentials. + The value is a string in the form **type:residual** where **type** can be any keytab storage type understood by the implementation and **residual** is the -keytab identifier (usually something like a path). If the string is just a path +keytab identifier (usually something like a path). If the string is a path, then the type is defaulted to `FILE`. ccache @@ -54,11 +56,12 @@ It can be used both to indicate the source of existing credentials for the :func:`gssapi.raw.ext_cred_store.add_cred_from` functions, as well as the destination storage for the :func:`gssapi.raw.ext_cred_store.store_cred_into` function. -The value is a string in the form **type:residual** where type can be any + +The value is a string in the form **type:residual** where **type** can be any credential cache storage type understood by the implementation and -**residual** is the ccache identifier. If the string is just a path then -the type is defaulted to `FILE`. Other commonly used types are `DIR`, -`KEYRING`, `KCM`. Each type has a different format for the **residual**; +**residual** is the ccache identifier. If the string is a path, then the type +is defaulted to `FILE`. Other commonly used types are `DIR`, `KEYRING`, +`KCM`, and `MEMORY`. Each type has a different format for the **residual**; refer to the MIT krb5 documentation for more details. rcache @@ -68,8 +71,8 @@ The `rcache` keyword can be used to reference a custom replay cache storage. It is used only with the :func:`gssapi.raw.ext_cred_store.acquire_cred_from` / :func:`gssapi.raw.ext_cred_store.add_cred_from` functions for credentials used to accept context establishments, not to initiate contexts. -The value is a string in the form **type:residual** where type can be any -replay cache storage type understood by the implementation and **residual** is -the cache identifier (usually something like a path). If the string is just a -path then the type is defaulted to `FILE`. +The value is a string in the form **type:residual** where **type** can be any +replay cache storage type understood by the implementation and **residual** is +the cache identifier (usually something like a path). If the string is a +path, then the type is defaulted to `FILE`. From 444938c105dd6a83bc2a4b50c29101a15d13cc6e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 20 Aug 2019 14:11:16 -0400 Subject: [PATCH 3/4] [docs] Add note about Heimdal to cred store reference --- docs/source/credstore.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/source/credstore.rst b/docs/source/credstore.rst index 895f3f3a..f99f4ccd 100644 --- a/docs/source/credstore.rst +++ b/docs/source/credstore.rst @@ -76,3 +76,10 @@ The value is a string in the form **type:residual** where **type** can be any replay cache storage type understood by the implementation and **residual** is the cache identifier (usually something like a path). If the string is a path, then the type is defaulted to `FILE`. + +The krb5 mechanism in Heimdal +----------------------------- + +Heimdal has recently implemented the credential store extensions with the same +interface as MIT krb5. However, it is not yet present in any released +version. From 07b2087f096ae02addc9893a20aa8be163aad474 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 20 Aug 2019 14:13:43 -0400 Subject: [PATCH 4/4] [docs] Note that cred store values must not be empty Resolves: #182 --- docs/source/credstore.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/source/credstore.rst b/docs/source/credstore.rst index f99f4ccd..b777ca7c 100644 --- a/docs/source/credstore.rst +++ b/docs/source/credstore.rst @@ -13,6 +13,11 @@ operations. share the same or similar keywords, but their meaning is always local to a specific mechanism. +.. note: + + `None` is not a permitted value and will raise exceptions. Phrased + differently, values must be strings, not empty. + The krb5 mechanism in MIT libraries -----------------------------------