Deprecate service and hostname_override in favor of explicit names

Signed-off-by: Robbie Harwood <[email protected]>

Author: frozencemetery

requests_gssapi/compat.py

@@ -24,17 +24,18 @@ class HTTPKerberosAuth(HTTPSPNEGOAuth):
     def __init__(self, mutual_authentication=REQUIRED, service="HTTP",
                  delegate=False, force_preemptive=False, principal=None,
                  hostname_override=None, sanitize_mutual_error_response=True):
-        # put this here for later
+        # put these here for later
         self.principal = principal
+        self.service = service
+        self.hostname_override = hostname_override
 
         HTTPSPNEGOAuth.__init__(
             self,
             mutual_authentication=mutual_authentication,
-            service=service,
+            target_name=None,
             delegate=delegate,
             opportunistic_auth=force_preemptive,
             creds=None,
-            hostname_override=hostname_override,
             sanitize_mutual_error_response=sanitize_mutual_error_response)
 
     def generate_request_header(self, response, host, is_preemptive=False):
@@ -47,6 +48,19 @@ def generate_request_header(self, response, host, is_preemptive=False):
                 name = gssapi.Name(self.principal)
                 self.creds = gssapi.Credentials(name=name, usage="initiate")
 
+            # contexts still need to be stored by host, but hostname_override
+            # allows use of an arbitrary hostname for the GSSAPI exchange (eg,
+            # in cases of aliased hosts, internal vs external, CNAMEs w/
+            # name-based HTTP hosting)
+            if self.service is not None:
+                gss_stage = "initiating context"
+                kerb_host = host
+                if self.hostname_override:
+                    kerb_host = self.hostname_override
+
+                kerb_spn = "{0}@{1}".format(self.service, kerb_host)
+                self.target_name = gssapi.Name(kerb_spn)
+
             return HTTPSPNEGOAuth.generate_request_header(self, response,
                                                           host, is_preemptive)
         except gssapi.exceptions.GSSError as error:

requests_gssapi/gssapi_.py

@@ -80,17 +80,16 @@ def _negotiate_value(response):
 
 class HTTPSPNEGOAuth(AuthBase):
     """Attaches HTTP GSSAPI Authentication to the given Request object."""
-    def __init__(self, mutual_authentication=REQUIRED, service="HTTP",
+    def __init__(self, mutual_authentication=REQUIRED, target_name="HTTP",
                  delegate=False, opportunistic_auth=False, creds=None,
-                 hostname_override=None, sanitize_mutual_error_response=True):
+                 sanitize_mutual_error_response=True):
         self.context = {}
+        self.pos = None
         self.mutual_authentication = mutual_authentication
+        self.target_name = target_name
         self.delegate = delegate
-        self.pos = None
-        self.service = service
         self.opportunistic_auth = opportunistic_auth
         self.creds = creds
-        self.hostname_override = hostname_override
         self.sanitize_mutual_error_response = sanitize_mutual_error_response
 
     def generate_request_header(self, response, host, is_preemptive=False):
@@ -108,19 +107,14 @@ def generate_request_header(self, response, host, is_preemptive=False):
             gssflags.append(gssapi.RequirementFlag.delegate_to_peer)
 
         try:
-            # contexts still need to be stored by host, but hostname_override
-            # allows use of an arbitrary hostname for the GSSAPI exchange
-            # (eg, in cases of aliased hosts, internal vs external, CNAMEs
-            # w/ name-based HTTP hosting)
-            kerb_host = host
-            if self.hostname_override:
-                kerb_host = self.hostname_override
-
-            kerb_spn = "{0}@{1}".format(self.service, kerb_host)
-
             gss_stage = "initiating context"
+            if type(self.target_name) != gssapi.Name:
+                if '@' not in self.target_name:
+                    self.target_name = "%s@%s" % (self.target_name, host)
+
+                self.target_name = gssapi.Name(self.target_name)
             self.context[host] = gssapi.SecurityContext(
-                usage="initiate", flags=gssflags, name=gssapi.Name(kerb_spn),
+                usage="initiate", flags=gssflags, name=self.target_name,
                 creds=self.creds)
 
             gss_stage = "stepping context"

test_requests_gssapi.py

@@ -589,6 +589,21 @@ def test_explicit_creds(self):
                 usage="initiate", flags=gssflags, creds="fake creds")
             fake_resp.assert_called_with("token")
 
+    def test_target_name(self):
+        with patch.multiple("gssapi.SecurityContext", __init__=fake_init,
+                            step=fake_resp):
+            response = requests.Response()
+            response.url = "http://www.example.org/"
+            response.headers = {'www-authenticate': 'negotiate token'}
+            host = urlparse(response.url).hostname
+            auth = requests_gssapi.HTTPSPNEGOAuth(
+                target_name="[email protected]")
+            auth.generate_request_header(response, host)
+            fake_init.assert_called_with(
+                name=gssapi.Name("[email protected]"),
+                usage="initiate", flags=gssflags, creds=None)
+            fake_resp.assert_called_with("token")
+
 
 if __name__ == '__main__':
     unittest.main()