Add HTTPSPNEGOAuth (and retain HTTPKerberosAuth as a shim)

frozencemetery · frozencemetery · commit f49c3591605a · 2017-12-14T13:46:37.000-05:00
Signed-off-by: Robbie Harwood <rharwood@redhat.com> Resolves: #1
diff --git a/README.rst b/README.rst
@@ -9,8 +9,8 @@ authentication. Basic GET usage:
 .. code-block:: python
 
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth
-    >>> r = requests.get("http://example.org", auth=HTTPKerberosAuth())
+    >>> from requests_gssapi import HTTPSPNEGOAuth
+    >>> r = requests.get("http://example.org", auth=HTTPSPNEGOAuth())
     ...
 
 The entire ``requests.api`` should be supported.
@@ -27,7 +27,7 @@ Mutual Authentication
 REQUIRED
 ^^^^^^^^
 
-By default, ``HTTPKerberosAuth`` will require mutual authentication from the
+By default, ``HTTPSPNEGOAuth`` will require mutual authentication from the
 server, and if a server emits a non-error response which cannot be
 authenticated, a ``requests_gssapi.errors.MutualAuthenticationError`` will
 be raised. If a server emits an error which cannot be authenticated, it will
@@ -39,8 +39,8 @@ setting ``sanitize_mutual_error_response=False``:
 .. code-block:: python
 
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth, REQUIRED
-    >>> gssapi_auth = HTTPKerberosAuth(mutual_authentication=REQUIRED, sanitize_mutual_error_response=False)
+    >>> from requests_gssapi import HTTPSPNEGOAuth, REQUIRED
+    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=REQUIRED, sanitize_mutual_error_response=False)
     >>> r = requests.get("https://windows.example.org/wsman", auth=gssapi_auth)
     ...
 
@@ -49,13 +49,13 @@ OPTIONAL
 ^^^^^^^^
 
 If you'd prefer to not require mutual authentication, you can set your
-preference when constructing your ``HTTPKerberosAuth`` object:
+preference when constructing your ``HTTPSPNEGOAuth`` object:
 
 .. code-block:: python
 
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth, OPTIONAL
-    >>> gssapi_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
+    >>> from requests_gssapi import HTTPSPNEGOAuth, OPTIONAL
+    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=OPTIONAL)
     >>> r = requests.get("http://example.org", auth=gssapi_auth)
     ...
 
@@ -72,15 +72,15 @@ authentication, you can do that as well:
 .. code-block:: python
 
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth, DISABLED
-    >>> gssapi_auth = HTTPKerberosAuth(mutual_authentication=DISABLED)
+    >>> from requests_gssapi import HTTPSPNEGOAuth, DISABLED
+    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=DISABLED)
     >>> r = requests.get("http://example.org", auth=gssapi_auth)
     ...
 
 Preemptive Authentication
 -------------------------
 
-``HTTPKerberosAuth`` can be forced to preemptively initiate the GSSAPI
+``HTTPSPNEGOAuth`` can be forced to preemptively initiate the GSSAPI
 exchange and present a token on the initial request (and all
 subsequent). By default, authentication only occurs after a
 ``401 Unauthorized`` response containing a Negotiate challenge
@@ -92,8 +92,8 @@ behavior can be altered by setting  ``force_preemptive=True``:
 .. code-block:: python
     
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth, REQUIRED
-    >>> gssapi_auth = HTTPKerberosAuth(mutual_authentication=REQUIRED, force_preemptive=True)
+    >>> from requests_gssapi import HTTPSPNEGOAuth, REQUIRED
+    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=REQUIRED, force_preemptive=True)
     >>> r = requests.get("https://windows.example.org/wsman", auth=gssapi_auth)
     ...
 
@@ -108,15 +108,15 @@ setting the ``hostname_override`` arg:
 .. code-block:: python
 
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth, REQUIRED
-    >>> gssapi_auth = HTTPKerberosAuth(hostname_override="internalhost.local")
-    >>> r = requests.get("https://externalhost.example.org/", auth=kerberos_auth)
+    >>> from requests_gssapi import HTTPSPNEGOAuth, REQUIRED
+    >>> gssapi_auth = HTTPSPNEGOAuth(hostname_override="internalhost.local")
+    >>> r = requests.get("https://externalhost.example.org/", auth=gssapi_auth)
     ...
 
 Explicit Principal
 ------------------
 
-``HTTPKerberosAuth`` normally uses the default principal (ie, the user for
+``HTTPSPNEGOAuth`` normally uses the default principal (ie, the user for
 whom you last ran ``kinit`` or ``kswitch``, or an SSO credential if
 applicable). However, an explicit principal can be specified, which will
 cause GSSAPI to look for a matching credential cache for the named user.
@@ -126,8 +126,8 @@ An explicit principal can be specified with the ``principal`` arg:
 .. code-block:: python
 
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth, REQUIRED
-    >>> gssapi_auth = HTTPKerberosAuth(principal="user@REALM")
+    >>> from requests_gssapi import HTTPSPNEGOAuth, REQUIRED
+    >>> gssapi_auth = HTTPSPNEGOAuth(principal="user@REALM")
     >>> r = requests.get("http://example.org", auth=gssapi_auth)
     ...
 
@@ -136,13 +136,13 @@ Delegation
 
 ``requests_gssapi`` supports credential delegation (``GSS_C_DELEG_FLAG``).
 To enable delegation of credentials to a server that requests delegation, pass
-``delegate=True`` to ``HTTPKerberosAuth``:
+``delegate=True`` to ``HTTPSPNEGOAuth``:
 
 .. code-block:: python
 
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth
-    >>> r = requests.get("http://example.org", auth=HTTPKerberosAuth(delegate=True))
+    >>> from requests_gssapi import HTTPSPNEGOAuth
+    >>> r = requests.get("http://example.org", auth=HTTPSPNEGOAuth(delegate=True))
     ...
 
 Be careful to only allow delegation to servers you trust as they will be able
diff --git a/requests_gssapi/__init__.py b/requests_gssapi/__init__.py
@@ -7,19 +7,22 @@
 authentication. Basic GET usage:
 
     >>> import requests
-    >>> from requests_gssapi import HTTPKerberosAuth
-    >>> r = requests.get("http://example.org", auth=HTTPKerberosAuth())
+    >>> from requests_gssapi import HTTPSPNEGOAuth
+    >>> r = requests.get("http://example.org", auth=HTTPSPNEGOAuth())
 
 The entire `requests.api` should be supported.
 """
 import logging
 
-from .gssapi_ import HTTPKerberosAuth, REQUIRED, OPTIONAL, DISABLED
+from .gssapi_ import HTTPSPNEGOAuth, REQUIRED, OPTIONAL, DISABLED
 from .exceptions import MutualAuthenticationError
 from .compat import NullHandler
 
 logging.getLogger(__name__).addHandler(NullHandler())
 
-__all__ = ('HTTPKerberosAuth', 'MutualAuthenticationError', 'REQUIRED',
-           'OPTIONAL', 'DISABLED')
+""" Deprecated compatability shim """
+HTTPKerberosAuth = HTTPSPNEGOAuth
+
+__all__ = ('HTTPKerberosAuth', 'HTTPSNPEGOAuth', 'MutualAuthenticationError',
+           'REQUIRED', 'OPTIONAL', 'DISABLED')
 __version__ = '0.11.0'
diff --git a/requests_gssapi/gssapi_.py b/requests_gssapi/gssapi_.py
@@ -78,7 +78,7 @@ def _negotiate_value(response):
     return None
 
 
-class HTTPKerberosAuth(AuthBase):
+class HTTPSPNEGOAuth(AuthBase):
     """Attaches HTTP GSSAPI Authentication to the given Request object."""
     def __init__(self, mutual_authentication=REQUIRED, service="HTTP",
                  delegate=False, force_preemptive=False, principal=None,
@@ -292,7 +292,7 @@ def __call__(self, request):
                                                        is_preemptive=True)
 
             log.debug(
-                "HTTPKerberosAuth: Preemptive Authorization header: {0}"
+                "HTTPSPNEGOAuth: Preemptive Authorization header: {0}"
                 .format(auth_header))
 
             request.headers['Authorization'] = auth_header
@@ -301,7 +301,7 @@ def __call__(self, request):
         try:
             self.pos = request.body.tell()
         except AttributeError:
-            # In the case of HTTPKerberosAuth being reused and the body
+            # In the case of HTTPSPNEGOAuth being reused and the body
             # of the previous request was a file-like object, pos has
             # the file position of the previous body. Ensure it's set to
             # None.
diff --git a/setup.py b/setup.py
@@ -42,7 +42,7 @@ def get_version():
     long_description=long_desc,
     author='Ian Cordasco, Cory Benfield, Michael Komitee, Robbie Harwood',
     author_email='rharwood@redhat.com',
-    url='https://github.com/frozencemetery/requests-gssapi',
+    url='https://github.com/pythongssapi/requests-gssapi',
     packages=['requests_gssapi'],
     package_data={'': ['LICENSE', 'AUTHORS']},
     include_package_data=True,
diff --git a/test_requests_gssapi.py b/test_requests_gssapi.py
@@ -59,7 +59,7 @@ def test_negotate_value_extraction_none(self):
     def test_force_preemptive(self):
         with patch.multiple("gssapi.SecurityContext", __init__=fake_init,
                             step=fake_resp):
-            auth = requests_gssapi.HTTPKerberosAuth(force_preemptive=True)
+            auth = requests_gssapi.HTTPSPNEGOAuth(force_preemptive=True)
 
             request = requests.Request(url="http://www.example.org")
 
@@ -72,7 +72,7 @@ def test_force_preemptive(self):
     def test_no_force_preemptive(self):
         with patch.multiple("gssapi.SecurityContext", __init__=fake_init,
                             step=fake_resp):
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
 
             request = requests.Request(url="http://www.example.org")
 
@@ -87,7 +87,7 @@ def test_generate_request_header(self):
             response.url = "http://www.example.org/"
             response.headers = {'www-authenticate': 'negotiate token'}
             host = urlparse(response.url).hostname
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             self.assertEqual(
                 auth.generate_request_header(response, host),
                 "Negotiate GSSRESPONSE")
@@ -103,7 +103,7 @@ def test_generate_request_header_init_error(self):
             response.url = "http://www.example.org/"
             response.headers = {'www-authenticate': 'negotiate token'}
             host = urlparse(response.url).hostname
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             self.assertRaises(requests_gssapi.exceptions.KerberosExchangeError,
                               auth.generate_request_header, response, host)
             fake_init.assert_called_with(
@@ -117,7 +117,7 @@ def test_generate_request_header_step_error(self):
             response.url = "http://www.example.org/"
             response.headers = {'www-authenticate': 'negotiate token'}
             host = urlparse(response.url).hostname
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             self.assertRaises(requests_gssapi.exceptions.KerberosExchangeError,
                               auth.generate_request_header, response, host)
             fake_init.assert_called_with(
@@ -148,7 +148,7 @@ def test_authenticate_user(self):
             response.connection = connection
             response._content = ""
             response.raw = raw
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             r = auth.authenticate_user(response)
 
             self.assertTrue(response in r.history)
@@ -185,7 +185,7 @@ def test_handle_401(self):
             response.connection = connection
             response._content = ""
             response.raw = raw
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             r = auth.handle_401(response)
 
             self.assertTrue(response in r.history)
@@ -209,7 +209,7 @@ def test_authenticate_server(self):
                 'www-authenticate': 'negotiate servertoken',
                 'authorization': 'Negotiate GSSRESPONSE'}
 
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             auth.context = {"www.example.org": gssapi.SecurityContext}
             result = auth.authenticate_server(response_ok)
 
@@ -226,7 +226,7 @@ def test_handle_other(self):
                 'www-authenticate': 'negotiate servertoken',
                 'authorization': 'Negotiate GSSRESPONSE'}
 
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             auth.context = {"www.example.org": gssapi.SecurityContext}
 
             r = auth.handle_other(response_ok)
@@ -244,7 +244,7 @@ def test_handle_response_200(self):
                 'www-authenticate': 'negotiate servertoken',
                 'authorization': 'Negotiate GSSRESPONSE'}
 
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             auth.context = {"www.example.org": gssapi.SecurityContext}
 
             r = auth.handle_response(response_ok)
@@ -261,7 +261,7 @@ def test_handle_response_200_mutual_auth_required_failure(self):
             response_ok.status_code = 200
             response_ok.headers = {}
 
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             auth.context = {"www.example.org": "CTX"}
 
             self.assertRaises(requests_gssapi.MutualAuthenticationError,
@@ -279,7 +279,7 @@ def test_handle_response_200_mutual_auth_required_failure_2(self):
                 'www-authenticate': 'negotiate servertoken',
                 'authorization': 'Negotiate GSSRESPONSE'}
 
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             auth.context = {"www.example.org": gssapi.SecurityContext}
 
             self.assertRaises(requests_gssapi.MutualAuthenticationError,
@@ -297,7 +297,7 @@ def test_handle_response_200_mutual_auth_optional_hard_failure(self):
                 'www-authenticate': 'negotiate servertoken',
                 'authorization': 'Negotiate GSSRESPONSE'}
 
-            auth = requests_gssapi.HTTPKerberosAuth(
+            auth = requests_gssapi.HTTPSPNEGOAuth(
                 requests_gssapi.OPTIONAL)
             auth.context = {"www.example.org": gssapi.SecurityContext}
 
@@ -313,7 +313,7 @@ def test_handle_response_200_mutual_auth_optional_soft_failure(self):
             response_ok.url = "http://www.example.org/"
             response_ok.status_code = 200
 
-            auth = requests_gssapi.HTTPKerberosAuth(
+            auth = requests_gssapi.HTTPSPNEGOAuth(
                 requests_gssapi.OPTIONAL)
             auth.context = {"www.example.org": gssapi.SecurityContext}
 
@@ -337,7 +337,7 @@ def test_handle_response_500_mutual_auth_required_failure(self):
             response_500.raw = "RAW"
             response_500.cookies = "COOKIES"
 
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             auth.context = {"www.example.org": "CTX"}
 
             r = auth.handle_response(response_500)
@@ -358,7 +358,7 @@ def test_handle_response_500_mutual_auth_required_failure(self):
             self.assertFalse(fail_resp.called)
 
             # re-test with error response sanitizing disabled
-            auth = requests_gssapi.HTTPKerberosAuth(
+            auth = requests_gssapi.HTTPSPNEGOAuth(
                 sanitize_mutual_error_response=False)
             auth.context = {"www.example.org": "CTX"}
 
@@ -381,7 +381,7 @@ def test_handle_response_500_mutual_auth_optional_failure(self):
             response_500.raw = "RAW"
             response_500.cookies = "COOKIES"
 
-            auth = requests_gssapi.HTTPKerberosAuth(
+            auth = requests_gssapi.HTTPSPNEGOAuth(
                 requests_gssapi.OPTIONAL)
             auth.context = {"www.example.org": "CTX"}
 
@@ -416,7 +416,7 @@ def test_handle_response_401(self):
             response._content = ""
             response.raw = raw
 
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
             auth.handle_other = Mock(return_value=response_ok)
 
             r = auth.handle_response(response)
@@ -462,7 +462,7 @@ def connection_send(self, *args, **kwargs):
             response._content = ""
             response.raw = raw
 
-            auth = requests_gssapi.HTTPKerberosAuth()
+            auth = requests_gssapi.HTTPSPNEGOAuth()
 
             r = auth.handle_response(response)
 
@@ -483,7 +483,7 @@ def test_generate_request_header_custom_service(self):
             response.url = "http://www.example.org/"
             response.headers = {'www-authenticate': 'negotiate token'}
             host = urlparse(response.url).hostname
-            auth = requests_gssapi.HTTPKerberosAuth(service="barfoo")
+            auth = requests_gssapi.HTTPSPNEGOAuth(service="barfoo")
             auth.generate_request_header(response, host),
             fake_init.assert_called_with(
                 name=gssapi.Name("barfoo@www.example.org"),
@@ -513,7 +513,7 @@ def test_delegation(self):
             response.connection = connection
             response._content = ""
             response.raw = raw
-            auth = requests_gssapi.HTTPKerberosAuth(1, "HTTP", True)
+            auth = requests_gssapi.HTTPSPNEGOAuth(1, "HTTP", True)
             r = auth.authenticate_user(response)
 
             self.assertTrue(response in r.history)
@@ -535,7 +535,7 @@ def test_principal_override(self):
             response.url = "http://www.example.org/"
             response.headers = {'www-authenticate': 'negotiate token'}
             host = urlparse(response.url).hostname
-            auth = requests_gssapi.HTTPKerberosAuth(principal="user@REALM")
+            auth = requests_gssapi.HTTPSPNEGOAuth(principal="user@REALM")
             auth.generate_request_header(response, host)
             fake_creds.assert_called_with(gssapi.creds.Credentials,
                                           usage="initiate",
@@ -552,7 +552,7 @@ def test_realm_override(self):
             response.url = "http://www.example.org/"
             response.headers = {'www-authenticate': 'negotiate token'}
             host = urlparse(response.url).hostname
-            auth = requests_gssapi.HTTPKerberosAuth(
+            auth = requests_gssapi.HTTPSPNEGOAuth(
                 hostname_override="otherhost.otherdomain.org")
             auth.generate_request_header(response, host)
             fake_init.assert_called_with(
