
Implement GSSAPI/Kerberos authentication for requests #647

Merged
merged 1 commit into from Jul 27, 2012

@mkomitee
Contributor

commented Jun 1, 2012

Currently has two issues which may be related:

  • doesn't work with redirects, we try to authenticate the server a second
    time with a fully completed kerberos context.
  • 403 responses result in the wrong response object being returned, but
    this is also true for http digest authentication due to a bug in hook
    handling in general.
@travisbot


commented Jun 1, 2012

This pull request passes (merged c803e3a into 355b971).

@kenneth-reitz

Collaborator

commented Jun 29, 2012

This looks awesome! Do you know of any way I can test this?

@mkomitee

Contributor Author

commented Jun 29, 2012

Unfortunately no, not without a kerberos kdc and a web server setup with gssapi/kerberos support.

@ncoghlan

Contributor

commented Jul 4, 2012

Oh, nice. I just downloaded this, and it works just fine against the internal server I was using while writing http://python-notes.boredomandlaziness.org/en/latest/python_kerberos.html

For an automated test, you could look at doing something based on the python-kerberos unit tests: http://trac.calendarserver.org/browser/PyKerberos/trunk/test.py

Specifically, if you look at testGSSAPI, the server side of that could be pulled out into a handler in a temporary HTTP server that extracts the Authorization header from the request, calls GSSServerStep and GSSServerResponse, and then sets the WWW-Authenticate header on the response.

Mix and match to cover the following three cases with mutual_auth enabled and disabled:

  • server sets the WWW-Authenticate response correctly
  • server doesn't set the header at all
  • server sets the header to an invalid value

One use case that this doesn't yet cover is that once a browser has seen the Negotiate header for a particular URL, all future requests to that URL will have the header added (which can be damn annoying if you want to test dropping your connection!). A custom client like mine which knows the server is expecting Kerberos also doesn't want to wait until the 401 - I want to force the transmission of the Kerberos ticket details immediately.

Perhaps an extra "always_auth" flag? Either that or two different authentication handlers:
HTTPKerberosAuth - always sets the Authorization header
HTTPNegotiateAuth - does the 401 dance before setting the Authorization header

@jpmens


commented Jul 19, 2012

Can't wait for this to be pulled, so that I can pull. :)

Thank you, @ncoghlan for the write-up.

@kenneth-reitz

Collaborator

commented Jul 27, 2012

Merging! Looking forward to further improvements :)

kenneth-reitz pushed a commit that referenced this pull request Jul 27, 2012

Kenneth Reitz
Merge pull request #647 from mkomitee/kerberos
Implement GSSAPI/Kerberos authentication for requests

@kenneth-reitz kenneth-reitz merged commit bc63617 into kennethreitz:develop Jul 27, 2012

@ncoghlan

Contributor

commented Jul 27, 2012

Huzzah!

Just a follow-up on the test situation - I realised my idea wouldn't work, as both the client and server sides of the GSS API code expect the Kerberos infrastructure to exist.

However, I realised that what could be done for regression test purposes is to stub out the GSS API calls with an object that keeps track of the call sequence to ensure it doesn't change unexpectedly. That way, if the tests did break, Kenneth would know that it needed to be rechecked against a real Kerberos setup to make sure it was still working.
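The test scaffold sketched in the two comments above, as an added example that is not code from this pull request or from the requests project: the client side of the 401 Negotiate dance (Jul 4 comment) run against a constructed in-process server that covers the correct / missing / invalid WWW-Authenticate cases, with the GSS calls replaced by a stub that records the call sequence (Jul 27 comment). The PyKerberos function names (authGSSClientInit/Step/Response/Clean) are real; GSSStub, make_server, negotiate, the host name and the tokens are constructed stand-ins, and no KDC is involved.

```python
import base64
SERVER_TOKEN = base64.b64encode(b"constructed-server-token").decode()
AUTH_GSS_CONTINUE, AUTH_GSS_COMPLETE = 0, 1   # PyKerberos return codes


class GSSStub:
    """Stand-in for the PyKerberos client functions; records the call sequence."""
    def __init__(self):
        self.calls = []
    def authGSSClientInit(self, service):
        self.calls.append("init:" + service)
        return AUTH_GSS_COMPLETE, {"token": None}
    def authGSSClientStep(self, ctx, challenge):
        self.calls.append("step:" + (challenge or "<empty>"))
        if not challenge:               # first step: produce the client token
            ctx["token"] = base64.b64encode(b"constructed-client-token").decode()
            return AUTH_GSS_CONTINUE
        if challenge != SERVER_TOKEN:   # real PyKerberos raises GSSError here
            raise ValueError("invalid server token")
        return AUTH_GSS_COMPLETE        # mutual authentication succeeded
    def authGSSClientResponse(self, ctx):
        self.calls.append("response")
        return ctx["token"]
    def authGSSClientClean(self, ctx):
        self.calls.append("clean")


def make_server(reply="correct"):
    """Constructed server: 401 until a token arrives, then 200 with the chosen header."""
    replies = {"correct": {"WWW-Authenticate": "Negotiate " + SERVER_TOKEN},
               "missing": {}, "invalid": {"WWW-Authenticate": "Negotiate bogus"}}
    def server(headers):
        if not headers.get("Authorization", "").startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}
        return 200, replies[reply]
    return server


def negotiate(gss, server, host, mutual_auth=True):
    """Client side of the 401 dance; raises if mutual auth is required but fails."""
    status, headers = server({})
    if status != 401 or headers.get("WWW-Authenticate") != "Negotiate":
        return status                    # server did not ask for Negotiate
    _, ctx = gss.authGSSClientInit("HTTP@" + host)
    gss.authGSSClientStep(ctx, "")
    status, headers = server({"Authorization": "Negotiate " + gss.authGSSClientResponse(ctx)})
    if mutual_auth:
        www = headers.get("WWW-Authenticate", "")
        if not www.startswith("Negotiate "):
            raise ValueError("server omitted the mutual-auth token")
        gss.authGSSClientStep(ctx, www.split(" ", 1)[1])
    gss.authGSSClientClean(ctx)
    return status
```

A regression test then asserts on `gss.calls` after each run, so a change in the order or number of GSS calls fails the test and signals that the code needs rechecking against a real Kerberos setup.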

@kenneth-reitz

Collaborator

commented Jul 27, 2012

I don't test OAuth at the moment either, and I don't want to officially maintain it, so let's just let twitter/github issues be the test suite in the meantime ;)

@mkomitee

Contributor Author

commented Jul 27, 2012

Thanks!
