Added support for GGF inquire cred and sec context #141
Conversation
|
This is also a superset of #128 but also includes some documentation and tests as well as the |
There was a problem hiding this comment.
Thanks, the code looks good to me (will wait for review from @DirectXMan12). Also appreciate you adding tests.
In the commit message, it would be good if you fleshed out what the GGF extensions are a bit more - maybe with a link to the IETF draft as well. Also, it would be nice to give the @vm86 an Also-authored-by (or otherwise mention their contributions) in the commit message.
|
Thanks @frozencemetery will do |
|
@frozencemetery let me know if the latest commit message is what you are looking for. |
|
Thanks! I unfortunately did not have time. |
gssapi/raw/ext_ggf.pyx
Outdated
| mech (OID): the desired mechanism | ||
|
|
||
| Returns: | ||
| list: A list of zero or more pieces of data corresponding to the |
There was a problem hiding this comment.
nit: a list of zero or more bytes objects? Can you be more specific about what a piece of data is?
There was a problem hiding this comment.
I'm honestly not really sure, I've only used this to retrieve GSS_C_INQ_SSPI_SESSION_KEY and the end result is a list with a single entry of a byte string. I'm happy to say the "piece of data" is a byte string but not sure what else it could be.
There was a problem hiding this comment.
@DirectXMan12 no you can't be more precise, because the data is a bunch of bytes, and how you interpret them depends on the desired oid used.
There was a problem hiding this comment.
I mean, if the actual return type is just multiple chunks of bytes, then it's fine to say
a list of zero or more pieces of data (as
bytesobjects)
or something of the sort
gssapi/raw/ext_ggf.pyx
Outdated
|
|
||
| Args: | ||
| cred_handle (Creds): the security context to query | ||
| mech (OID): the desired mechanism |
There was a problem hiding this comment.
nit: is this really a mechanism OID, or is it just some other type of OID?
There was a problem hiding this comment.
Not sure what the terms actually mean but this is probably more desired_object (OID): the OID of the desired object or something like that?
There was a problem hiding this comment.
yeah, that's fine (alternatively, something like desired_aspect (OID): the desired aspect of the Credentials to inquire about (also, looks like you have have a copy-paste error above with creds vs contexts)
|
Also, could you put that link and info from the commit message into a module-level doc string? |
|
@DirectXMan12 so just add the commit message to a docstring at the top of the pyx file? |
|
Something like that should work, yes. When people look at the GGF extension module and they're wondering what it's all about, they'll see that documentation, so it should serve that purpose, more or less. |
|
No worries, will update the PR now. Thanks for the review. |
gssapi/raw/ext_ggf.pyx
Outdated
|
|
||
| GGF provides extended credential and security context inquiry that allows | ||
| application to retrieve more information about the client's credentials and | ||
| security context. One common use case is to use gss_inquire_sec_context_by_oid |
There was a problem hiding this comment.
should just be inquire_sec_context_by_oid, and you should be able to make it a link to the actual function documentation below.
There was a problem hiding this comment.
Do I link it by enclosing it with `? Sorry just can't find an example.
Edit: I think I found one, I will do ":meth:`inquire_sec_context_by_oid'"
gssapi/raw/ext_ggf.pyx
Outdated
| security context. One common use case is to use gss_inquire_sec_context_by_oid | ||
| to retrieve the "session" key that is required by the SMB protocol for signing | ||
| and encrypting a message. These calls are provided as a part of the raw | ||
| interface and are not exposed in the high-level interface. |
There was a problem hiding this comment.
no need for the sentence starting with "These calls". It just means if we ever expose it at the high level, we'll have to remember to remove that sentence.
|
Thanks @DirectXMan12 hopefully the latest changes are what you are looking for. |
|
sigh Travis-CI looks like it is still having issues, trying to run the tests again. |
GGF provides extended credential and security context inquiry that allows application to retrieve more information about the client's credentials and security context. One common use case is to use gss_inquire_sec_context_by_oid to retrieve the "session" key that is required by the SMB protocol for signing and encrypting a message. These calls are provided as a part of the raw interface and are not exposed in the high-level interface. Thanks to @vm86 for his work on the gss_inquire_sec_context_by_oid. Draft IETF document for these extensions can be found at https://tools.ietf.org/html/draft-engert-ggf-gss-extensions-00
|
Thanks @DirectXMan12 @frozencemetery for the reviews and help. |
Implements gss_inquire_cred_by_oid and gss_inquire_sec_context_by_oid. This partially completes #51.
I was trying to also implement the other 2 methods and wasn't able to get a working implementation so have decided to ignore it for now.