import typing as t
from gssapi.raw import chan_bindings as rchan_bindings
from gssapi.raw import sec_contexts as rsec_contexts
from gssapi.raw import message as rmessage
from gssapi.raw import named_tuples as tuples
from gssapi.raw import names as rnames
from gssapi.raw import oids as roids
from gssapi.raw.types import RequirementFlag, IntEnumFlagSet
import gssapi.exceptions as excs
from gssapi import _utils
from gssapi.names import Name
from gssapi.creds import Credentials
[docs]
class SecurityContext(rsec_contexts.SecurityContext,
metaclass=_utils.CheckLastError):
"""A GSSAPI Security Context
This class represents a GSSAPI security context that may be used
with and/or returned by other GSSAPI methods.
It inherits from the low-level GSSAPI
:class:`~gssapi.raw.sec_contexts.SecurityContext` class,
and thus may used with both low-level and high-level API methods.
This class may be pickled and unpickled (the attached delegated
credentials object will not be preserved, however).
"""
def __new__(
cls,
base: t.Optional[rsec_contexts.SecurityContext] = None,
token: t.Optional[bytes] = None,
name: t.Optional[rnames.Name] = None,
creds: t.Optional[Credentials] = None,
lifetime: t.Optional[int] = None,
flags: t.Optional[int] = None,
mech: t.Optional[roids.OID] = None,
channel_bindings: t.Optional[rchan_bindings.ChannelBindings] = None,
usage: t.Optional[str] = None,
) -> "SecurityContext":
if token is not None:
base = rsec_contexts.import_sec_context(token)
return t.cast("SecurityContext",
super(SecurityContext, cls).__new__(cls, base))
def __init__(
self,
base: t.Optional[rsec_contexts.SecurityContext] = None,
token: t.Optional[bytes] = None,
name: t.Optional[rnames.Name] = None,
creds: t.Optional[Credentials] = None,
lifetime: t.Optional[int] = None,
flags: t.Optional[int] = None,
mech: t.Optional[roids.OID] = None,
channel_bindings: t.Optional[rchan_bindings.ChannelBindings] = None,
usage: t.Optional[str] = None,
) -> None:
"""
The constructor creates a new security context, but does not begin
the initiate or accept process.
If the `base` argument is used, an existing
:class:`~gssapi.raw.sec_contexts.SecurityContext` object from
the low-level API is converted into a high-level object.
If the `token` argument is passed, the security context is imported
using the token.
Otherwise, a new security context is created.
If the `usage` argument is not passed, the constructor will attempt
to detect what the appropriate usage is based on either the existing
security context (if `base` or `token` are used) or the argument set.
For a security context of the `initiate` usage, the `name` argument
must be used, and the `creds`, `mech`, `flags`,
`lifetime`, and `channel_bindings` arguments may be
used as well.
For a security context of the `accept` usage, the `creds` and
`channel_bindings` arguments may optionally be used.
"""
# NB(directxman12): _last_err must be set first
self._last_err = None
# determine the usage ('initiate' vs 'accept')
if base is None and token is None:
# this will be a new context
if usage is not None:
if usage not in ('initiate', 'accept'):
msg = "Usage must be either 'initiate' or 'accept'"
raise excs.UnknownUsageError(msg, obj="security context")
self.usage = usage
elif creds is not None and creds.usage != 'both':
self.usage = creds.usage
elif name is not None:
# if we pass a name, assume the usage is 'initiate'
self.usage = 'initiate'
else:
# if we don't pass a name, assume the usage is 'accept'
self.usage = 'accept'
# check for appropriate arguments
if self.usage == 'initiate':
# takes: creds?, target_name, mech?, flags?,
# channel_bindings?
if name is None:
raise TypeError("You must pass the 'name' argument when "
"creating an initiating security context")
self._target_name = name
self._mech = mech
self._desired_flags = IntEnumFlagSet(RequirementFlag, flags)
self._desired_lifetime = lifetime
else:
# takes creds?
if (name is not None or flags is not None or
mech is not None or lifetime is not None):
raise TypeError("You must pass at most the 'creds' "
"argument when creating an accepting "
"security context")
self._channel_bindings = channel_bindings
self._creds = creds
self._delegated_creds = None
else:
# we already have a context in progress, just inspect it
# NB(directxman12): MIT krb5 refuses to inquire about a context
# if it's partially established, so we have to check here
try:
if self.locally_initiated:
self.usage = 'initiate'
else:
self.usage = 'accept'
except excs.MissingContextError:
msg = ("Cannot extract usage from a partially completed "
"context")
raise excs.UnknownUsageError(msg, obj="security context")
# This is to work around an MIT krb5 bug (see the `complete` property)
self._complete: t.Optional[bool] = None
# NB(directxman12): DO NOT ADD AN __del__ TO THIS CLASS -- it screws up
# the garbage collector if _last_tb is still defined
# TODO(directxman12): implement flag properties
[docs]
def get_signature(
self,
message: bytes,
) -> bytes:
"""Calculate the signature for a message.
This method calculates the signature (called a MIC) for
the given message, which may be then used with
:meth:`verify_signature` to confirm the validity of the
signature. This is useful if you wish to transmit the
message signature and message in your own format.
Args:
message (bytes): the input message
Returns:
bytes: the message signature
Raises:
~gssapi.exceptions.ExpiredContextError
~gssapi.exceptions.MissingContextError
~gssapi.exceptions.BadQoPError
"""
# TODO(directxman12): check flags?
return rmessage.get_mic(self, message)
[docs]
def verify_signature(
self,
message: bytes,
mic: bytes,
) -> int:
"""Verify the signature for a message.
This method verifies that a signature (generated by
:meth:`get_signature` is valid for the given message.
If the signature is valid, the method will return.
Otherwise, it will raise an error.
Args:
message (bytes): the message
mic (bytes): the signature to verify
Returns:
int: the QoP used.
Raises:
~gssapi.exceptions.BadMICError: the signature was not valid
~gssapi.exceptions.InvalidTokenError
~gssapi.exceptions.DuplicateTokenError
~gssapi.exceptions.ExpiredTokenError
~gssapi.exceptions.TokenTooLateError
~gssapi.exceptions.TokenTooEarlyError
~gssapi.exceptions.ExpiredContextError
~gssapi.exceptions.MissingContextError
"""
return rmessage.verify_mic(self, message, mic)
[docs]
def wrap(
self,
message: bytes,
encrypt: bool,
) -> tuples.WrapResult:
"""Wrap a message, optionally with encryption
This wraps a message, signing it and optionally
encrypting it.
Args:
message (bytes): the message to wrap
encrypt (bool): whether or not to encrypt the message
Returns:
WrapResult: the wrapped message and details about it
(e.g. whether encryption was used succesfully)
Raises:
~gssapi.exceptions.ExpiredContextError
~gssapi.exceptions.MissingContextError
~gssapi.exceptions.BadQoPError
"""
return rmessage.wrap(self, message, encrypt)
[docs]
def unwrap(
self,
message: bytes,
) -> tuples.UnwrapResult:
"""Unwrap a wrapped message.
This method unwraps/unencrypts a wrapped message,
verifying the signature along the way.
Args:
message (bytes): the message to unwrap/decrypt
Returns:
UnwrapResult: the unwrapped message and details about it
(e.g. wheter encryption was used)
Raises:
~gssapi.exceptions.InvalidTokenError
~gssapi.exceptions.BadMICError
~gssapi.exceptions.DuplicateTokenError
~gssapi.exceptions.ExpiredTokenError
~gssapi.exceptions.TokenTooLateError
~gssapi.exceptions.TokenTooEarlyError
~gssapi.exceptions.ExpiredContextError
~gssapi.exceptions.MissingContextError
"""
return rmessage.unwrap(self, message)
[docs]
def encrypt(
self,
message: bytes,
) -> bytes:
"""Encrypt a message.
This method wraps and encrypts a message, similarly to
:meth:`wrap`. The difference is that encryption is always
used, and the method will raise an exception if this is
not possible. Additionally, this method simply returns
the encrypted message directly.
Args:
message (bytes): the message to encrypt
Returns:
bytes: the encrypted message
Raises:
~gssapi.exceptions.EncryptionNotUsed: the encryption could not be
used
~gssapi.exceptions.ExpiredContextError
~gssapi.exceptions.MissingContextError
~gssapi.exceptions.BadQoPError
"""
res = self.wrap(message, encrypt=True)
if not res.encrypted:
raise excs.EncryptionNotUsed("Wrapped message was not encrypted")
return res.message
[docs]
def decrypt(
self,
message: bytes,
) -> bytes:
"""Decrypt a message.
This method decrypts and unwraps a message, verifying the signature
along the way, similarly to :meth:`unwrap`. The difference is that
this method will raise an exception if encryption was established
by the context and not used, and simply returns the decrypted
message directly.
Args:
message (bytes): the encrypted message
Returns:
bytes: the decrypted message
Raises:
~gssapi.exceptions.EncryptionNotUsed: encryption was expected, but
not used
~gssapi.exceptions.InvalidTokenError
~gssapi.exceptions.BadMICError
~gssapi.exceptions.DuplicateTokenError
~gssapi.exceptions.ExpiredTokenError
~gssapi.exceptions.TokenTooLateError
~gssapi.exceptions.TokenTooEarlyError
~gssapi.exceptions.ExpiredContextError
~gssapi.exceptions.MissingContextError
"""
res = self.unwrap(message)
if (not res.encrypted and
self.actual_flags & RequirementFlag.confidentiality):
raise excs.EncryptionNotUsed("The context was established with "
"encryption, but unwrapped message "
"was not encrypted",
unwrapped_message=res.message)
return res.message
[docs]
def get_wrap_size_limit(
self,
desired_output_size: int,
encrypted: bool = True,
) -> int:
"""Calculate the maximum message size for a given wrapped message size.
This method calculates the maximum input message size for a given
maximum wrapped/encrypted message size.
Args:
desired_output_size (int): the maximum output message size
encrypted (bool): whether or not encryption should be taken
into account
Returns:
int: the maximum input message size
Raises:
~gssapi.exceptions.MissingContextError
~gssapi.exceptions.ExpiredContextError
~gssapi.exceptions.BadQoPError
"""
return rmessage.wrap_size_limit(self, desired_output_size,
encrypted)
[docs]
def process_token(
self,
token: bytes,
) -> None:
"""Process an output token asynchronously.
This method processes an output token even when the security context
was not expecting it.
Warning:
This method is deprecated.
Args:
token (bytes): the token to process
Raises:
~gssapi.exceptions.InvalidTokenError
~gssapi.exceptions.MissingContextError
"""
rsec_contexts.process_context_token(self, token)
[docs]
def export(self) -> bytes:
"""Export a security context.
This method exports a security context, allowing it to be passed
between processes.
Returns:
bytes: the exported security context
Raises:
~gssapi.exceptions.ExpiredContextError
~gssapi.exceptions.MissingContextError
~gssapi.exceptions.OperationUnavailableError
"""
return rsec_contexts.export_sec_context(self)
_INQUIRE_ARGS = ('initiator_name', 'target_name', 'lifetime',
'mech', 'flags', 'locally_init', 'complete')
@_utils.check_last_err
def _inquire(
self,
**kwargs: bool,
) -> tuples.InquireContextResult:
"""Inspect the security context for information
This method inspects the security context for information.
If no keyword arguments are passed, all available information
is returned. Otherwise, only the keyword arguments that
are passed and set to `True` are returned.
Args:
initiator_name (bool): get the initiator name for this context
target_name (bool): get the target name for this context
lifetime (bool): get the remaining lifetime, in seconds, for this
context
mech (bool): get the :class:`MechType` used by this context
flags (bool): get the flags set on this context
locally_init (bool): get whether this context was locally initiated
complete (bool): get whether negotiation on this context has
been completed
Returns:
InquireContextResult: the results of the inquiry, with unused
fields set to None
Raises:
~gssapi.exceptions.MissingContextError
"""
if not kwargs:
default_val = True
else:
default_val = False
for arg in self._INQUIRE_ARGS:
kwargs[arg] = kwargs.get(arg, default_val)
res = rsec_contexts.inquire_context(self, **kwargs)
if (kwargs.get('initiator_name', False) and
res.initiator_name is not None):
init_name = Name(res.initiator_name)
else:
init_name = None
if (kwargs.get('target_name', False) and
res.target_name is not None):
target_name = Name(res.target_name)
else:
target_name = None
return tuples.InquireContextResult(init_name, target_name,
res.lifetime, res.mech,
res.flags, res.locally_init,
res.complete)
@property
def lifetime(self) -> int:
"""The amount of time for which this context remains valid"""
return rsec_contexts.context_time(self)
@property
def delegated_creds(self) -> t.Optional[Credentials]:
"""The credentials delegated from the initiator to the acceptor
.. warning::
This value will not be preserved across picklings. These should
be separately exported and transferred.
"""
return self._delegated_creds
initiator_name = _utils.inquire_property(
'initiator_name', 'The :class:`Name` of the initiator of this context')
target_name = _utils.inquire_property(
'target_name', 'The :class:`Name` of the target of this context')
mech = _utils.inquire_property(
'mech', 'The mechanism (:class:`MechType`) in use by this context')
actual_flags = _utils.inquire_property(
'flags', 'The flags set on this context')
locally_initiated = _utils.inquire_property(
'locally_init', 'Whether this context was locally intiated')
@property # type: ignore # https://github.com/python/mypy/issues/1362
@_utils.check_last_err
def complete(self) -> bool:
"""Whether negotiation for this context has been completed"""
# NB(directxman12): MIT krb5 has a bug where it refuses to
# inquire about partially completed contexts,
# so we can't just use `self._inquire` generally
if self._started:
complete = self._complete
if complete is None:
try:
complete = self._inquire(complete=True).complete
except excs.MissingContextError:
return False
else:
self._complete = complete
return complete
else:
return False
[docs]
@_utils.catch_and_return_token
def step(
self,
token: t.Optional[bytes] = None,
) -> t.Optional[bytes]:
"""Perform a negotation step.
This method performs a negotiation step based on the usage type
of this context. If `__DEFER_STEP_ERRORS__` is set to True on
the class, this method will return a token, even when exceptions
would be thrown. The generated exception will be thrown on the next
method call or property lookup on the context.
**This is the default behavior.**
This method should be used in a while loop, as such:
.. code-block:: python
input_token = None
try:
while not ctx.complete:
output_token = ctx.step(input_token)
if not output_token:
break
input_token = send_and_receive(output_token)
except GSSError as e:
handle_the_issue()
.. tip::
Disabling `__DEFER_STEP_ERRORS__` is rarely necessary.
When this method is used in a loop (as above),
`__DEFER_STEP_ERRORS__` will ensure that you always
send an error token when it's available,
keeping the other end of the security context updated
with the status of the negotiation.
Args:
token (bytes): the input token from the other participant's step
Returns:
bytes: the output token to send to the other participant
Raises:
~gssapi.exceptions.InvalidTokenError
~gssapi.exceptions.InvalidCredentialsError
~gssapi.exceptions.MissingCredentialsError
~gssapi.exceptions.ExpiredCredentialsError
~gssapi.exceptions.BadChannelBindingsError
~gssapi.exceptions.BadMICError
~gssapi.exceptions.ExpiredTokenError: (initiate only)
~gssapi.exceptions.DuplicateTokenError
~gssapi.exceptions.MissingContextError
~gssapi.exceptions.BadNameTypeError: (initiate only)
~gssapi.exceptions.BadNameError: (initiate only)
~gssapi.exceptions.BadMechanismError
"""
if self.usage == 'accept':
return self._acceptor_step(token=token or b"")
else:
return self._initiator_step(token=token)
def _acceptor_step(
self,
token: bytes,
) -> t.Optional[bytes]:
res = rsec_contexts.accept_sec_context(token, self._creds,
self, self._channel_bindings)
if res.delegated_creds is not None:
self._delegated_creds = Credentials(res.delegated_creds)
else:
self._delegated_creds = None
self._complete = not res.more_steps
return res.token
def _initiator_step(
self,
token: t.Optional[bytes] = None,
) -> t.Optional[bytes]:
res = rsec_contexts.init_sec_context(self._target_name, self._creds,
self, self._mech,
self._desired_flags,
self._desired_lifetime,
self._channel_bindings,
token)
self._complete = not res.more_steps
return res.token
# pickle protocol support
def __reduce__(
self,
) -> t.Tuple[t.Type["SecurityContext"], t.Tuple[None, bytes]]:
# the unpickle arguments to new are (base=None, token=self.export())
return (type(self), (None, self.export()))