Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
Implement GSSAPI/Kerberos authentication for requests #647
Currently has two issues which may be related:
Oh, nice. I just downloaded this, and it works just fine against the internal server I was using while writing http://python-notes.boredomandlaziness.org/en/latest/python_kerberos.html
For an automated test, you could look at doing something based on the python-kerberos unit tests: http://trac.calendarserver.org/browser/PyKerberos/trunk/test.py
Specifically, if you look at testGSSAPI, the server side of that could be pulled out into a handler in a temporary HTTP server that extracts the Authorization header from the request, calls GSSServerStep and GSSServerRespone, and then sets the WWW-Authenticate header on the response.
Mix and match to cover the following three cases with mutual_auth enabled and disabled:
One use case that this doesn't yet cover is that once a browser has seen the Negotiate header for a particular URL, all future requests to that URL will have the header added (which can be damn annoying if you want to test dropping your connection!). A custom client like mine which knows the server is expecting Kerberos also doesn't want to wait until the 401 - I want to force the transmission of the Kerberos ticket details immediately.
Perhaps an extra "always_auth" flag? Either that or two different authentication handlers:
Just a follow up on the test situation - I realised my idea wouldn't work, as both the client and server side of the GSS API code expects the Kerberos infrastructure to exist.
However, I realised that what could be done for regression test purposes is to stub out the GSS API calls with an object that keeps track of the call sequence to ensure it doesn't change unexpectedly. That way, if the tests did break, Kenneth would know that it needed to be rechecked against a real Kerberos setup to make sure it was still working.