%global _empty_manifest_terminate_build 0
Name: python-kerberos
Version: 1.3.1
Release: 1
Summary: Kerberos high-level interface
License: Apache License, Version 2.0
URL: https://github.com/apple/ccs-pykerberos
Source0: https://mirrors.nju.edu.cn/pypi/web/packages/39/cd/f98699a6e806b9d974ea1d3376b91f09edcb90415adbf31e3b56ee99ba64/kerberos-1.3.1.tar.gz
BuildArch: noarch

%description
# PyKerberos Package

This Python package is a high-level wrapper for Kerberos (GSSAPI) operations.
The goal is to avoid having to build a module that wraps the entire
Kerberos.framework, and instead offer a limited set of functions that do what
is needed for client/server Kerberos authentication based on .

Much of the C-code here is adapted from Apache's mod_auth_kerb-5.0rc7.

## Build

In this directory, run:

```
python setup.py build
```

## Testing

To run the tests in the tests folder, you must have a valid Kerberos setup on
the test machine. You can use the script .travis.sh as a quick and easy way to
set up a Kerberos KDC and Apache web endpoint that can be used for the tests.
Otherwise you can also run the following to run a self-contained Docker
container:

```
docker run \
-v $(pwd):/app \
-w /app \
-e PYENV=2.7.13 \
-e KERBEROS_USERNAME=administrator \
-e KERBEROS_PASSWORD=Password01 \
-e KERBEROS_REALM=example.com \
-e KERBEROS_PORT=80 \
ubuntu:16.04 \
/bin/bash .travis.sh
```

The docker command needs to be run in the same directory as this library. You
can test with different Python versions by changing the value of the PYENV
environment variable set in the command.

Please have a look at testing_notes.md for more information.

## IMPORTANT

The checkPassword method provided by this library is meant only for testing
purposes as it does not offer any protection against possible KDC spoofing.
That method should not be used in any production code.

## Channel Bindings

You can use this library to authenticate with Channel Binding support.
Channel Bindings are tags that identify the particular data channel being used
with the authentication. You can use Channel Bindings to offer more proof of a
valid identity. Some services like Microsoft's Extended Protection can enforce
Channel Binding support on authorisation and you can use this library to meet
those requirements.

More details on Channel Bindings as set through the GSSAPI can be found here .
Using TLS as an example, this is how you would add Channel Binding support to
your authentication mechanism. The following code snippet is based on RFC 5929
using the 'tls-server-end-point' type.

```
import base64
import hashlib

import kerberos

def get_channel_bindings_application_data(socket):
    # This is a highly simplified example, there are other use cases
    # where you might need to use different hash types or get a socket
    # object somehow.
    # getpeercert(True) returns the server certificate in DER form.
    server_certificate = socket.getpeercert(True)
    certificate_hash = hashlib.sha256(server_certificate).hexdigest().upper()
    certificate_digest = base64.b16decode(certificate_hash)
    application_data = b'tls-server-end-point:%s' % certificate_digest

    return application_data

def main():
    # Code to setup a socket with the server
    # A lot of code to setup the handshake and start the auth process
    # getsocketsomehow(), kerb_spn, gssflags, principal and neg_resp_value
    # are placeholders for values your application supplies.
    socket = getsocketsomehow()

    # Connect to the host and start the auth process

    # Build the channel bindings object
    application_data = get_channel_bindings_application_data(socket)
    channel_bindings = kerberos.channelBindings(application_data=application_data)

    # More work to get responses from the server

    result, context = kerberos.authGSSClientInit(kerb_spn, gssflags=gssflags, principal=principal)

    # Pass through the channel_bindings object as created in the kerberos.channelBindings method
    result = kerberos.authGSSClientStep(context, neg_resp_value, channel_bindings=channel_bindings)

    # Repeat as necessary
```

## Python APIs

See kerberos.py.

## Copyright and License

Copyright (c) 2006-2021 Apple Inc. All rights reserved.
This software is licensed under the Apache License, Version 2.0. The Apache
License is a well-established open source license, enabling collaborative open
source software development.

See the "LICENSE" file for the full text of the license terms.

%package -n python3-kerberos
Summary: Kerberos high-level interface
Provides: python-kerberos
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-pip

%description -n python3-kerberos
# PyKerberos Package

This Python package is a high-level wrapper for Kerberos (GSSAPI) operations.
The goal is to avoid having to build a module that wraps the entire
Kerberos.framework, and instead offer a limited set of functions that do what
is needed for client/server Kerberos authentication based on .

Much of the C-code here is adapted from Apache's mod_auth_kerb-5.0rc7.

## Build

In this directory, run:

```
python setup.py build
```

## Testing

To run the tests in the tests folder, you must have a valid Kerberos setup on
the test machine. You can use the script .travis.sh as a quick and easy way to
set up a Kerberos KDC and Apache web endpoint that can be used for the tests.
Otherwise you can also run the following to run a self-contained Docker
container:

```
docker run \
-v $(pwd):/app \
-w /app \
-e PYENV=2.7.13 \
-e KERBEROS_USERNAME=administrator \
-e KERBEROS_PASSWORD=Password01 \
-e KERBEROS_REALM=example.com \
-e KERBEROS_PORT=80 \
ubuntu:16.04 \
/bin/bash .travis.sh
```

The docker command needs to be run in the same directory as this library. You
can test with different Python versions by changing the value of the PYENV
environment variable set in the command.

Please have a look at testing_notes.md for more information.

## IMPORTANT

The checkPassword method provided by this library is meant only for testing
purposes as it does not offer any protection against possible KDC spoofing.
That method should not be used in any production code.

## Channel Bindings

You can use this library to authenticate with Channel Binding support.
Channel Bindings are tags that identify the particular data channel being used
with the authentication. You can use Channel Bindings to offer more proof of a
valid identity. Some services like Microsoft's Extended Protection can enforce
Channel Binding support on authorisation and you can use this library to meet
those requirements.

More details on Channel Bindings as set through the GSSAPI can be found here .
Using TLS as an example, this is how you would add Channel Binding support to
your authentication mechanism. The following code snippet is based on RFC 5929
using the 'tls-server-end-point' type.

```
import base64
import hashlib

import kerberos

def get_channel_bindings_application_data(socket):
    # This is a highly simplified example, there are other use cases
    # where you might need to use different hash types or get a socket
    # object somehow.
    # getpeercert(True) returns the server certificate in DER form.
    server_certificate = socket.getpeercert(True)
    certificate_hash = hashlib.sha256(server_certificate).hexdigest().upper()
    certificate_digest = base64.b16decode(certificate_hash)
    application_data = b'tls-server-end-point:%s' % certificate_digest

    return application_data

def main():
    # Code to setup a socket with the server
    # A lot of code to setup the handshake and start the auth process
    # getsocketsomehow(), kerb_spn, gssflags, principal and neg_resp_value
    # are placeholders for values your application supplies.
    socket = getsocketsomehow()

    # Connect to the host and start the auth process

    # Build the channel bindings object
    application_data = get_channel_bindings_application_data(socket)
    channel_bindings = kerberos.channelBindings(application_data=application_data)

    # More work to get responses from the server

    result, context = kerberos.authGSSClientInit(kerb_spn, gssflags=gssflags, principal=principal)

    # Pass through the channel_bindings object as created in the kerberos.channelBindings method
    result = kerberos.authGSSClientStep(context, neg_resp_value, channel_bindings=channel_bindings)

    # Repeat as necessary
```

## Python APIs

See kerberos.py.

## Copyright and License

Copyright (c) 2006-2021 Apple Inc. All rights reserved.

This software is licensed under the Apache License, Version 2.0. The Apache
License is a well-established open source license, enabling collaborative open
source software development.

See the "LICENSE" file for the full text of the license terms.

%package help
Summary: Development documents and examples for kerberos
Provides: python3-kerberos-doc

%description help
# PyKerberos Package

This Python package is a high-level wrapper for Kerberos (GSSAPI) operations.
The goal is to avoid having to build a module that wraps the entire
Kerberos.framework, and instead offer a limited set of functions that do what
is needed for client/server Kerberos authentication based on .

Much of the C-code here is adapted from Apache's mod_auth_kerb-5.0rc7.

## Build

In this directory, run:

```
python setup.py build
```

## Testing

To run the tests in the tests folder, you must have a valid Kerberos setup on
the test machine. You can use the script .travis.sh as a quick and easy way to
set up a Kerberos KDC and Apache web endpoint that can be used for the tests.
Otherwise you can also run the following to run a self-contained Docker
container:

```
docker run \
-v $(pwd):/app \
-w /app \
-e PYENV=2.7.13 \
-e KERBEROS_USERNAME=administrator \
-e KERBEROS_PASSWORD=Password01 \
-e KERBEROS_REALM=example.com \
-e KERBEROS_PORT=80 \
ubuntu:16.04 \
/bin/bash .travis.sh
```

The docker command needs to be run in the same directory as this library. You
can test with different Python versions by changing the value of the PYENV
environment variable set in the command.

Please have a look at testing_notes.md for more information.

## IMPORTANT

The checkPassword method provided by this library is meant only for testing
purposes as it does not offer any protection against possible KDC spoofing.
That method should not be used in any production code.

## Channel Bindings

You can use this library to authenticate with Channel Binding support.
Channel Bindings are tags that identify the particular data channel being used
with the authentication. You can use Channel Bindings to offer more proof of a
valid identity. Some services like Microsoft's Extended Protection can enforce
Channel Binding support on authorisation and you can use this library to meet
those requirements.

More details on Channel Bindings as set through the GSSAPI can be found here .
Using TLS as an example, this is how you would add Channel Binding support to
your authentication mechanism. The following code snippet is based on RFC 5929
using the 'tls-server-end-point' type.

```
import base64
import hashlib

import kerberos

def get_channel_bindings_application_data(socket):
    # This is a highly simplified example, there are other use cases
    # where you might need to use different hash types or get a socket
    # object somehow.
    # getpeercert(True) returns the server certificate in DER form.
    server_certificate = socket.getpeercert(True)
    certificate_hash = hashlib.sha256(server_certificate).hexdigest().upper()
    certificate_digest = base64.b16decode(certificate_hash)
    application_data = b'tls-server-end-point:%s' % certificate_digest

    return application_data

def main():
    # Code to setup a socket with the server
    # A lot of code to setup the handshake and start the auth process
    # getsocketsomehow(), kerb_spn, gssflags, principal and neg_resp_value
    # are placeholders for values your application supplies.
    socket = getsocketsomehow()

    # Connect to the host and start the auth process

    # Build the channel bindings object
    application_data = get_channel_bindings_application_data(socket)
    channel_bindings = kerberos.channelBindings(application_data=application_data)

    # More work to get responses from the server

    result, context = kerberos.authGSSClientInit(kerb_spn, gssflags=gssflags, principal=principal)

    # Pass through the channel_bindings object as created in the kerberos.channelBindings method
    result = kerberos.authGSSClientStep(context, neg_resp_value, channel_bindings=channel_bindings)

    # Repeat as necessary
```

## Python APIs

See kerberos.py.

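The Channel Bindings snippet above always hashes the certificate with SHA-256, and its comment notes that other hash types may be needed. The following added example (not part of the PyKerberos sources) applies the RFC 5929 section 4.1 hash selection rule to a DER certificate using only the standard library. The function names, the OID table (common RSA and ECDSA signature algorithms only) and the certificate-shaped sample bytes are assumptions constructed for illustration.

```python
import hashlib

# signatureAlgorithm OID bytes -> hash per RFC 5929 section 4.1 (MD5/SHA-1 -> SHA-256)
RSA = "2a864886f70d0101"   # 1.2.840.113549.1.1.x (xWithRSAEncryption)
ECDSA = "2a8648ce3d04"     # 1.2.840.10045.4.x (ecdsa-with-x)
OID_TO_HASH = {bytes.fromhex(k): v for k, v in {
    RSA + "04": "sha256", RSA + "05": "sha256", ECDSA + "01": "sha256",  # upgraded
    RSA + "0b": "sha256", RSA + "0c": "sha384", RSA + "0d": "sha512",
    ECDSA + "0302": "sha256", ECDSA + "0303": "sha384", ECDSA + "0304": "sha512",
}.items()}

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_oid(cert_der):
    """Return the OID bytes of the outer Certificate.signatureAlgorithm."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(cert_der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return cert_der[oid_start:oid_end]

def tls_server_end_point(cert_der):
    """Build application_data for kerberos.channelBindings()."""
    name = OID_TO_HASH.get(signature_oid(cert_der))
    if name is None:   # no hash or several hashes (e.g. Ed25519, RSASSA-PSS)
        raise ValueError("tls-server-end-point is undefined for this certificate")
    return b"tls-server-end-point:" + hashlib.new(name, cert_der).digest()

def constructed_cert(oid_hex):
    """Constructed, certificate-shaped DER for the demo; not a real certificate."""
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"   # empty TBS, alg, empty signature
    return bytes([0x30, len(body)]) + body
```

With a live TLS connection, pass the bytes returned by `getpeercert(True)` to `tls_server_end_point` and hand the result to `kerberos.channelBindings(application_data=...)`.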
## Copyright and License

Copyright (c) 2006-2021 Apple Inc. All rights reserved.

This software is licensed under the Apache License, Version 2.0. The Apache
License is a well-established open source license, enabling collaborative open
source software development.

See the "LICENSE" file for the full text of the license terms.

%prep
%autosetup -n kerberos-1.3.1

%build
%py3_build

%install
%py3_install
install -d -m755 %{buildroot}/%{_pkgdocdir}
if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
pushd %{buildroot}
if [ -d usr/lib ]; then
	find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/lib64 ]; then
	find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/bin ]; then
	find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/sbin ]; then
	find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
fi
touch doclist.lst
if [ -d usr/share/man ]; then
	find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
fi
popd
mv %{buildroot}/filelist.lst .
mv %{buildroot}/doclist.lst .

%files -n python3-kerberos -f filelist.lst
%dir %{python3_sitelib}/*

%files help -f doclist.lst
%{_docdir}/*

%changelog
* Sun Apr 23 2023 Python_Bot - 1.3.1-1
- Package Spec generated