This was a response to a post of mine in 2010. The comment was unformatted in the response, and I wanted to get it readable. Its a great example of making a Kerberized web call.
Courtesy of Rich Megginson
Note: requires MIT kerberos 1.11 or later if you want to skip doing the kinit, and just let the script do the kinit implicitly with the keytab.
import kerberos
import sys
import os
from requests.auth import AuthBase
import requests
import json
class IPAAuth(AuthBase):
def __init__(self, hostname, keytab):
self.hostname = hostname
self.keytab = keytab
self.token = None
self.refresh_auth()
def __call__(self, request):
if not self.token:
self.refresh_auth()
request.headers['Authorization'] = 'negotiate ' + self.token
return request
def refresh_auth(self):
if self.keytab:
os.environ['KRB5_CLIENT_KTNAME'] = self.keytab
else:
LOG.warn('No IPA client kerberos keytab file given')
service = "HTTP@" + self.hostname
flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
try:
(_, vc) = kerberos.authGSSClientInit(service, flags)
except kerberos.GSSError, e:
LOG.error("caught kerberos exception %r" % e)
raise e
try:
kerberos.authGSSClientStep(vc, "")
except kerberos.GSSError, e:
LOG.error("caught kerberos exception %r" % e)
raise e
self.token = kerberos.authGSSClientResponse(vc)
hostname, url, keytab, cacert = sys.argv[1:]
request = requests.Session()
request.auth = IPAAuth(hostname, keytab)
ipaurl = 'https://%s/ipa' % hostname
jsonurl = url % {'hostname': hostname}
request.headers.update({'Content-Type': 'application/json',
'Referer': ipaurl})
request.verify = cacert
myargs = {'method': 'dnsrecord_add',
'params': [["testdomain.com", "test4.testdomain.com"],
{'a_part_ip_address': '172.31.11.4'}],
'id': 0}
resp = request.post(jsonurl, data=json.dumps(myargs))
print resp.json()
myargs = {'method': 'dnsrecord_find', 'params': [["testdomain.com"], {}], 'id': 0}
resp = request.post(jsonurl, data=json.dumps(myargs))
print resp.json() |
import kerberos
import sys
import os
from requests.auth import AuthBase
import requests
import json
class IPAAuth(AuthBase):
def __init__(self, hostname, keytab):
self.hostname = hostname
self.keytab = keytab
self.token = None
self.refresh_auth()
def __call__(self, request):
if not self.token:
self.refresh_auth()
request.headers['Authorization'] = 'negotiate ' + self.token
return request
def refresh_auth(self):
if self.keytab:
os.environ['KRB5_CLIENT_KTNAME'] = self.keytab
else:
LOG.warn('No IPA client kerberos keytab file given')
service = "HTTP@" + self.hostname
flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
try:
(_, vc) = kerberos.authGSSClientInit(service, flags)
except kerberos.GSSError, e:
LOG.error("caught kerberos exception %r" % e)
raise e
try:
kerberos.authGSSClientStep(vc, "")
except kerberos.GSSError, e:
LOG.error("caught kerberos exception %r" % e)
raise e
self.token = kerberos.authGSSClientResponse(vc)
hostname, url, keytab, cacert = sys.argv[1:]
request = requests.Session()
request.auth = IPAAuth(hostname, keytab)
ipaurl = 'https://%s/ipa' % hostname
jsonurl = url % {'hostname': hostname}
request.headers.update({'Content-Type': 'application/json',
'Referer': ipaurl})
request.verify = cacert
myargs = {'method': 'dnsrecord_add',
'params': [["testdomain.com", "test4.testdomain.com"],
{'a_part_ip_address': '172.31.11.4'}],
'id': 0}
resp = request.post(jsonurl, data=json.dumps(myargs))
print resp.json()
myargs = {'method': 'dnsrecord_find', 'params': [["testdomain.com"], {}], 'id': 0}
resp = request.post(jsonurl, data=json.dumps(myargs))
print resp.json()
Run the script like this:
python script.py ipahost.domain.tld ‘https://%(hostname)s/ipa/json’ myuser.keytab /etc/ipa/ca.crt |
python script.py ipahost.domain.tld ‘https://%(hostname)s/ipa/json’ myuser.keytab /etc/ipa/ca.crt