From 6aa78d6bba4fce1cf4d0b1e104c47f03f20c815b Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 6 Aug 2020 19:04:55 -0400
Subject: [PATCH] Use USER_NAME instead of HOSTBASED_SERVICE for user principals

Probably this was me making an assumption based on seeing "name" in the start of a connection and assuming it was the server name. Bad naming - there's "name" and "target_name" around.
---
 requests_gssapi/compat.py | 2 +-
 test_requests_gssapi.py | 36 ++++++++++++++++++++----------------
 2 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/requests_gssapi/compat.py b/requests_gssapi/compat.py
index 9373331..f59f08d 100644
--- a/requests_gssapi/compat.py
+++ b/requests_gssapi/compat.py
@@ -46,7 +46,7 @@ def generate_request_header(self, response, host, is_preemptive=False):
 if self.principal is not None:
 gss_stage = "acquiring credentials"
 name = gssapi.Name(
- self.principal, gssapi.NameType.hostbased_service)
+ self.principal, gssapi.NameType.user)
 self.creds = gssapi.Credentials(name=name, usage="initiate")
 # contexts still need to be stored by host, but hostname_override
diff --git a/test_requests_gssapi.py b/test_requests_gssapi.py
index a4dbc21..c33a73e 100644
--- a/test_requests_gssapi.py
+++ b/test_requests_gssapi.py
@@ -39,10 +39,14 @@
 b64_negotiate_server = "negotiate " + b64encode(b"servertoken").decode()
-def gssapi_name(s):
+def gssapi_sname(s):
 return gssapi.Name(s, gssapi.NameType.hostbased_service)
+def gssapi_uname(s):
+ return gssapi.Name(s, gssapi.NameType.user)
+
+
 class GSSAPITestCase(unittest.TestCase):
 def setUp(self):
 """Setup."""
@@ -105,7 +109,7 @@ def test_generate_request_header(self):
 auth.generate_request_header(response, host),
 b64_negotiate_response)
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 creds=None, mech=None, flags=gssflags, usage="initiate")
 fake_resp.assert_called_with(b"token")
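Review bot: In the compat.py hunk (`@@ -46,7 +46,7 @@`), `self.principal` is now imported as `gssapi.NameType.user`, but nothing visible documents which string form the `principal` argument expects. A caller that relied on the old `hostbased_service` interpretation (a `service@host` string) will presumably now have credentials requested under a different name, and that would only surface as an acquisition failure at run time. I would add a comment above the call, `# principal is a user/client name (e.g. user@REALM), not a service@host name`, and mirror it in the parameter's documentation. The body of generate_request_header starts and continues outside the hunk.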
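Review bot: In the test helper hunk (`@@ -39,10 +39,14 @@`), `gssapi_sname` and `gssapi_uname` differ by one letter and have no docstring, which invites the same service-name/user-name confusion the commit message describes. A one-line docstring on each would settle it: `"""Return a host-based service name (service@host), as used for the target."""` on `gssapi_sname` and `"""Return a user name, as used for the initiating principal."""` on `gssapi_uname`.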
@@ -120,7 +124,7 @@ def test_generate_request_header_init_error(self):
 self.assertRaises(requests_gssapi.exceptions.SPNEGOExchangeError,
 auth.generate_request_header, response, host)
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 usage="initiate", flags=gssflags, creds=None, mech=None)
 def test_generate_request_header_step_error(self):
@@ -134,7 +138,7 @@ def test_generate_request_header_step_error(self):
 self.assertRaises(requests_gssapi.exceptions.SPNEGOExchangeError,
 auth.generate_request_header, response, host)
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 usage="initiate", flags=gssflags, creds=None, mech=None)
 fail_resp.assert_called_with(b"token")
@@ -171,7 +175,7 @@ def test_authenticate_user(self):
 connection.send.assert_called_with(request)
 raw.release_conn.assert_called_with()
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 flags=gssflags, usage="initiate", creds=None, mech=None)
 fake_resp.assert_called_with(b"token")
@@ -208,7 +212,7 @@ def test_handle_401(self):
 connection.send.assert_called_with(request)
 raw.release_conn.assert_called_with()
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 creds=None, mech=None, flags=gssflags, usage="initiate")
 fake_resp.assert_called_with(b"token")
@@ -447,7 +451,7 @@ def test_handle_response_401(self):
 connection.send.assert_called_with(request)
 raw.release_conn.assert_called_with()
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 usage="initiate", flags=gssflags, creds=None, mech=None)
 fake_resp.assert_called_with(b"token")
@@ -490,7 +494,7 @@ def connection_send(self, *args, **kwargs):
 connection.send.assert_called_with(request)
 raw.release_conn.assert_called_with()
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 usage="initiate", flags=gssflags, creds=None, mech=None)
 fake_resp.assert_called_with(b"token")
@@ -504,7 +508,7 @@ def test_generate_request_header_custom_service(self):
 auth = requests_gssapi.HTTPKerberosAuth(service="barfoo")
 auth.generate_request_header(response, host),
 fake_init.assert_called_with(
- name=gssapi_name("barfoo@www.example.org"),
+ name=gssapi_sname("barfoo@www.example.org"),
 usage="initiate", flags=gssflags, creds=None, mech=None)
 fake_resp.assert_called_with(b"token")
@@ -542,7 +546,7 @@ def test_delegation(self):
 connection.send.assert_called_with(request)
 raw.release_conn.assert_called_with()
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 usage="initiate", flags=gssdelegflags, creds=None, mech=None)
 fake_resp.assert_called_with(b"token")
@@ -558,9 +562,9 @@ def test_principal_override(self):
 auth.generate_request_header(response, host)
 fake_creds.assert_called_with(gssapi.creds.Credentials,
 usage="initiate",
- name=gssapi_name("user@REALM"))
+ name=gssapi_uname("user@REALM", ))
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 usage="initiate", flags=gssflags, creds=b"fake creds", mech=None)
@@ -575,7 +579,7 @@ def test_realm_override(self):
 hostname_override="otherhost.otherdomain.org")
 auth.generate_request_header(response, host)
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@otherhost.otherdomain.org"),
+ name=gssapi_sname("HTTP@otherhost.otherdomain.org"),
 usage="initiate", flags=gssflags, creds=None, mech=None)
 fake_resp.assert_called_with(b"token")
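Review bot: In the test_principal_override hunk (`@@ -558,9 +562,9 @@`), the new assertion is written `gssapi_uname("user@REALM", )` with a stray trailing comma and space inside the call; it should read `name=gssapi_uname("user@REALM"))`. This appears to be the only assertion on the line changed in compat.py. Because it runs against a mocked `Credentials`, it pins the name type passed in but not that acquisition works for a real user principal. The test body starts outside the hunk.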
@@ -604,7 +608,7 @@ def test_explicit_creds(self):
 auth = requests_gssapi.HTTPSPNEGOAuth(creds=creds)
 auth.generate_request_header(response, host)
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 usage="initiate", flags=gssflags, creds=b"fake creds", mech=None)
 fake_resp.assert_called_with(b"token")
@@ -621,7 +625,7 @@ def test_explicit_mech(self):
 auth = requests_gssapi.HTTPSPNEGOAuth(mech=fake_mech)
 auth.generate_request_header(response, host)
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@www.example.org"),
+ name=gssapi_sname("HTTP@www.example.org"),
 usage="initiate", flags=gssflags, creds=None, mech=b'fake mech')
 fake_resp.assert_called_with(b"token")
@@ -637,7 +641,7 @@ def test_target_name(self):
 target_name="HTTP@otherhost.otherdomain.org")
 auth.generate_request_header(response, host)
 fake_init.assert_called_with(
- name=gssapi_name("HTTP@otherhost.otherdomain.org"),
+ name=gssapi_sname("HTTP@otherhost.otherdomain.org"),
 usage="initiate", flags=gssflags, creds=None, mech=None)
 fake_resp.assert_called_with(b"token")