Allow passing in creds explicitly (deprecates principal)

frozencemetery · frozencemetery · commit cdcc45ba93e1 · 2017-12-14T11:23:20.000-05:00
Signed-off-by: Robbie Harwood &lt;rharwood@redhat.com&gt;
diff --git a/requests_gssapi/compat.py b/requests_gssapi/compat.py
@@ -3,7 +3,9 @@
 """
 import sys
 
-from .gssapi_ import REQUIRED, HTTPSPNEGOAuth  # noqa
+import gssapi
+
+from .gssapi_ import REQUIRED, HTTPSPNEGOAuth, SPNEGOExchangeError, log
 
 # python 2.7 introduced a NullHandler which we want to use, but to support
 # older versions, we implement our own if needed.
@@ -22,18 +24,34 @@ class HTTPKerberosAuth(HTTPSPNEGOAuth):
     def __init__(self, mutual_authentication=REQUIRED, service="HTTP",
                  delegate=False, force_preemptive=False, principal=None,
                  hostname_override=None, sanitize_mutual_error_response=True):
+        # put this here for later
+        self.principal = principal
+
         HTTPSPNEGOAuth.__init__(
             self,
             mutual_authentication=mutual_authentication,
             service=service,
             delegate=delegate,
             opportunistic_auth=force_preemptive,
-            principal=principal,
+            creds=None,
             hostname_override=hostname_override,
             sanitize_mutual_error_response=sanitize_mutual_error_response)
 
     def generate_request_header(self, response, host, is_preemptive=False):
         # This method needs to be shimmed because `host` isn't exposed to
-        # __init__() and we need to derive things from it
-        return HTTPSPNEGOAuth.generate_request_header(self, response, host,
-                                                      is_preemptive)
+        # __init__() and we need to derive things from it.  Also, __init__()
+        # can't fail, in the strictest compatability sense.
+        try:
+            if self.principal is not None:
+                gss_stage = "acquiring credentials"
+                name = gssapi.Name(self.principal)
+                self.creds = gssapi.Credentials(name=name, usage="initiate")
+
+            return HTTPSPNEGOAuth.generate_request_header(self, response,
+                                                          host, is_preemptive)
+        except gssapi.exceptions.GSSError as error:
+            msg = error.gen_message()
+            log.exception(
+                "generate_request_header(): {0} failed:".format(gss_stage))
+            log.exception(msg)
+            raise SPNEGOExchangeError("%s failed: %s" % (gss_stage, msg))
diff --git a/requests_gssapi/gssapi_.py b/requests_gssapi/gssapi_.py
@@ -81,15 +81,15 @@ def _negotiate_value(response):
 class HTTPSPNEGOAuth(AuthBase):
     """Attaches HTTP GSSAPI Authentication to the given Request object."""
     def __init__(self, mutual_authentication=REQUIRED, service="HTTP",
-                 delegate=False, opportunistic_auth=False, principal=None,
+                 delegate=False, opportunistic_auth=False, creds=None,
                  hostname_override=None, sanitize_mutual_error_response=True):
         self.context = {}
         self.mutual_authentication = mutual_authentication
         self.delegate = delegate
         self.pos = None
         self.service = service
         self.opportunistic_auth = opportunistic_auth
-        self.principal = principal
+        self.creds = creds
         self.hostname_override = hostname_override
         self.sanitize_mutual_error_response = sanitize_mutual_error_response
 
@@ -118,16 +118,10 @@ def generate_request_header(self, response, host, is_preemptive=False):
 
             kerb_spn = "{0}@{1}".format(self.service, kerb_host)
 
-            creds = None
-            if self.principal:
-                gss_stage = "acquiring credentials"
-                creds = gssapi.Credentials(name=gssapi.Name(self.principal),
-                                           usage="initiate")
-
             gss_stage = "initiating context"
             self.context[host] = gssapi.SecurityContext(
                 usage="initiate", flags=gssflags, name=gssapi.Name(kerb_spn),
-                creds=creds)
+                creds=self.creds)
 
             gss_stage = "stepping context"
             if is_preemptive:
diff --git a/test_requests_gssapi.py b/test_requests_gssapi.py
@@ -573,6 +573,22 @@ def test_opportunistic_auth(self):
             self.assertEqual(request.headers.get('Authorization'),
                              'Negotiate GSSRESPONSE')
 
+    def test_explicit_creds(self):
+        with patch.multiple("gssapi.Credentials", __new__=fake_creds), \
+             patch.multiple("gssapi.SecurityContext", __init__=fake_init,
+                            step=fake_resp):
+            response = requests.Response()
+            response.url = "http://www.example.org/"
+            response.headers = {'www-authenticate': 'negotiate token'}
+            host = urlparse(response.url).hostname
+            creds = gssapi.Credentials()
+            auth = requests_gssapi.HTTPSPNEGOAuth(creds=creds)
+            auth.generate_request_header(response, host)
+            fake_init.assert_called_with(
+                name=gssapi.Name("HTTP@www.example.org"),
+                usage="initiate", flags=gssflags, creds="fake creds")
+            fake_resp.assert_called_with("token")
+
 
 if __name__ == '__main__':
     unittest.main()
