Skip to content

Commit

Permalink
Use USER_NAME instead of HOSTBASED_SERVICE for user principals
Browse files Browse the repository at this point in the history
Probably this was me making an assumption based on seeing "name" in the
start of a connection and assuming it was the server name.  Bad naming -
there's "name" and "target_name" around.
  • Loading branch information
frozencemetery committed Aug 6, 2020
1 parent 65690d1 commit 6aa78d6
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 17 deletions.
2 changes: 1 addition & 1 deletion requests_gssapi/compat.py
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ def generate_request_header(self, response, host, is_preemptive=False):
if self.principal is not None:
gss_stage = "acquiring credentials"
name = gssapi.Name(
self.principal, gssapi.NameType.hostbased_service)
self.principal, gssapi.NameType.user)
self.creds = gssapi.Credentials(name=name, usage="initiate")

# contexts still need to be stored by host, but hostname_override
Expand Down
36 changes: 20 additions & 16 deletions test_requests_gssapi.py
Original file line number Diff line number Diff line change
Expand Up @@ -39,10 +39,14 @@
b64_negotiate_server = "negotiate " + b64encode(b"servertoken").decode()


def gssapi_name(s):
def gssapi_sname(s):
return gssapi.Name(s, gssapi.NameType.hostbased_service)


def gssapi_uname(s):
return gssapi.Name(s, gssapi.NameType.user)


class GSSAPITestCase(unittest.TestCase):
def setUp(self):
"""Setup."""
Expand Down Expand Up @@ -105,7 +109,7 @@ def test_generate_request_header(self):
auth.generate_request_header(response, host),
b64_negotiate_response)
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
creds=None, mech=None, flags=gssflags, usage="initiate")
fake_resp.assert_called_with(b"token")

Expand All @@ -120,7 +124,7 @@ def test_generate_request_header_init_error(self):
self.assertRaises(requests_gssapi.exceptions.SPNEGOExchangeError,
auth.generate_request_header, response, host)
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags, creds=None, mech=None)

def test_generate_request_header_step_error(self):
Expand All @@ -134,7 +138,7 @@ def test_generate_request_header_step_error(self):
self.assertRaises(requests_gssapi.exceptions.SPNEGOExchangeError,
auth.generate_request_header, response, host)
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags, creds=None, mech=None)
fail_resp.assert_called_with(b"token")

Expand Down Expand Up @@ -171,7 +175,7 @@ def test_authenticate_user(self):
connection.send.assert_called_with(request)
raw.release_conn.assert_called_with()
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
flags=gssflags, usage="initiate", creds=None, mech=None)
fake_resp.assert_called_with(b"token")

Expand Down Expand Up @@ -208,7 +212,7 @@ def test_handle_401(self):
connection.send.assert_called_with(request)
raw.release_conn.assert_called_with()
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
creds=None, mech=None, flags=gssflags, usage="initiate")
fake_resp.assert_called_with(b"token")

Expand Down Expand Up @@ -447,7 +451,7 @@ def test_handle_response_401(self):
connection.send.assert_called_with(request)
raw.release_conn.assert_called_with()
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags, creds=None, mech=None)
fake_resp.assert_called_with(b"token")

Expand Down Expand Up @@ -490,7 +494,7 @@ def connection_send(self, *args, **kwargs):
connection.send.assert_called_with(request)
raw.release_conn.assert_called_with()
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags, creds=None, mech=None)
fake_resp.assert_called_with(b"token")

Expand All @@ -504,7 +508,7 @@ def test_generate_request_header_custom_service(self):
auth = requests_gssapi.HTTPKerberosAuth(service="barfoo")
auth.generate_request_header(response, host),
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags, creds=None, mech=None)
fake_resp.assert_called_with(b"token")

Expand Down Expand Up @@ -542,7 +546,7 @@ def test_delegation(self):
connection.send.assert_called_with(request)
raw.release_conn.assert_called_with()
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssdelegflags, creds=None, mech=None)
fake_resp.assert_called_with(b"token")

Expand All @@ -558,9 +562,9 @@ def test_principal_override(self):
auth.generate_request_header(response, host)
fake_creds.assert_called_with(gssapi.creds.Credentials,
usage="initiate",
name=gssapi_name("user@REALM"))
name=gssapi_uname("user@REALM", ))
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags,
creds=b"fake creds", mech=None)

Expand All @@ -575,7 +579,7 @@ def test_realm_override(self):
hostname_override="otherhost.otherdomain.org")
auth.generate_request_header(response, host)
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags, creds=None, mech=None)
fake_resp.assert_called_with(b"token")

Expand Down Expand Up @@ -604,7 +608,7 @@ def test_explicit_creds(self):
auth = requests_gssapi.HTTPSPNEGOAuth(creds=creds)
auth.generate_request_header(response, host)
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags,
creds=b"fake creds", mech=None)
fake_resp.assert_called_with(b"token")
Expand All @@ -621,7 +625,7 @@ def test_explicit_mech(self):
auth = requests_gssapi.HTTPSPNEGOAuth(mech=fake_mech)
auth.generate_request_header(response, host)
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags,
creds=None, mech=b'fake mech')
fake_resp.assert_called_with(b"token")
Expand All @@ -637,7 +641,7 @@ def test_target_name(self):
target_name="[email protected]")
auth.generate_request_header(response, host)
fake_init.assert_called_with(
name=gssapi_name("[email protected]"),
name=gssapi_sname("[email protected]"),
usage="initiate", flags=gssflags, creds=None, mech=None)
fake_resp.assert_called_with(b"token")

Expand Down

0 comments on commit 6aa78d6

Please sign in to comment.