-rw-r--r-- | urllib2_kerberos.py | 67 |
1 files changed, 36 insertions, 31 deletions
diff --git a/urllib2_kerberos.py b/urllib2_kerberos.py index 3b4eb6f..6ef3649 100644 --- a/urllib2_kerberos.py +++ b/urllib2_kerberos.py @@ -34,14 +34,14 @@ def getLogger(): log = getLogger() -class AbstractKerberosAuthHandler(u2.AbstractDigestAuthHandler): +class AbstractKerberosAuthHandler: """auth handler for urllib2 that does Kerberos HTTP Negotiate Authentication """ - def negotiate_value(self, auth_header, headers): + def negotiate_value(self, headers): """checks for "Negotiate" in proper auth header """ - authreq = headers.get(auth_header, None) + authreq = headers.get(self.auth_header, None) if authreq: rx = re.compile('(?:.*,)*\s*Negotiate\s*([^,]*),?', re.I) @@ -52,7 +52,7 @@ class AbstractKerberosAuthHandler(u2.AbstractDigestAuthHandler): log.debug("regex failed on: %s" % authreq) else: - log.debug("%s header not found" % auth_header) + log.debug("%s header not found" % self.auth_header) return None @@ -66,7 +66,7 @@ class AbstractKerberosAuthHandler(u2.AbstractDigestAuthHandler): log.debug("retry count: %d" % self.retried) log.debug("req.get_host() returned %s" % req.get_host()) - result, self.context = k.authGSSClientInit("HTTP@%s" % req.get_host().rpartition(":")[0]) + result, self.context = k.authGSSClientInit("HTTP@%s" % req.get_host()) #.rpartition(":")[0]) if result < 1: log.warning("authGSSClientInit returned result %d" % result) @@ -95,7 +95,10 @@ class AbstractKerberosAuthHandler(u2.AbstractDigestAuthHandler): if k.authGSSClientStep(self.context, neg_value) < 1: #TODO pyflakes flagged this so I commented it out --Gar - #log.critical("mutual auth failed: authGSSClientStep returned result %d" % result) + # + # this is a critical security warning + # uncommenting. will change to a raise soon --Tim + log.critical("mutual auth failed: authGSSClientStep returned result %d" % result) pass def clean_context(self): 
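Review bot: Dropping `u2.AbstractDigestAuthHandler` as the base class in this hunk also drops the `__init__` that initialised `self.retried`, yet `http_error_auth_reqed` in the last hunk still reads `self.retried` before anything in the diff assigns it; unless an `__init__` outside these hunks sets it, the first 401/407 will raise AttributeError instead of authenticating. The same applies to `self.context`, which `clean_context` reads from the `finally` block even when `authGSSClientInit` raised before assigning it. The cheapest fix is class-level defaults on the new base, `retried = 0` and `context = None`, with a comment that a handler instance is reused across requests so both are reset after every attempt. The pattern on the `re.compile` line should also be a raw string, `r'(?:.*,)*\s*Negotiate\s*([^,]*),?'`, so `\s` does not depend on non-raw escape handling.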
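Review bot: The new `authGSSClientInit` line passes `req.get_host()` unchanged, and urllib2's `get_host()` keeps an explicit `:port`, so a URL such as `https://host:8443/` now requests the principal `HTTP@host:8443`, which the KDC will not have; the removed `rpartition(":")[0]` was wrong in the other direction, yielding `''` when no port is present. Strip the port only when it is there: `host = req.get_host()` / `spn_host = host.rpartition(":")[0] or host` / `result, self.context = k.authGSSClientInit("HTTP@%s" % spn_host)` (IPv6 literals would still need bracket handling). A wrong SPN fails closed rather than open, so this is a functional issue, but a comment that the SPN is built from the host the client dialed — the name mutual authentication should bind to — would be worth keeping next to the line. The commented-out `#.rpartition(":")[0]` tail should be deleted rather than left in the line.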
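Review bot: Re-enabling the `log.critical` call reintroduces what pyflakes flagged: `result` is never bound in this branch, because the return value of `authGSSClientStep` is compared and discarded on the `if` line, so a mutual-authentication failure now ends in a NameError rather than the intended log line (unless `result` is assigned earlier in `authenticate_server`, which starts outside the hunk). More importantly the branch still falls through to `pass`, and `retry_http_kerberos_auth` returns the response regardless, so a server that cannot prove possession of the service key is accepted anyway. Bind the value and fail closed: `result = k.authGSSClientStep(self.context, neg_value)` / `if result < 1:` / `raise RuntimeError("mutual auth failed: authGSSClientStep returned result %d" % result)`, keeping the critical log line before the raise if wanted. Raising `k.GSSError` here would instead be caught by the `except k.GSSError` in `retry_http_kerberos_auth` and turned into `return None`, which also withholds the response but loses the reason; a distinct exception type propagates to the caller with it.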
@@ -104,67 +107,69 @@ class AbstractKerberosAuthHandler(u2.AbstractDigestAuthHandler): k.authGSSClientClean(self.context) self.context = None - def http_error_auth_reqed(self, auth_header, host, req, headers): - neg_value = self.negotiate_values(auth_header, headers) #Check for appropriate auth_header + def http_error_auth_reqed(self, host, req, headers): + neg_value = self.negotiate_value(headers) #Check for auth_header if neg_value is not None: if not self.retried > 0: - return self.retry_http_kerberos_auth(req, headers, auth_header, neg_value) + return self.retry_http_kerberos_auth(req, headers, neg_value) else: return None else: self.retried = 0 - def retry_http_kerberos_auth(self, req, headers, auth_header, neg_value): - try: - neg_hdr = self.generate_request_header(req, headers, neg_value) + def retry_http_kerberos_auth(self, req, headers, neg_value): + try: + neg_hdr = self.generate_request_header(req, headers, neg_value) - if neg_hdr is None: - log.debug("neg_hdr was None") - return None + if neg_hdr is None: + log.debug("neg_hdr was None") + return None - req.add_unredirected_header(self.auth_header, neg_hdr) - resp = self.parent.open(req) + req.add_unredirected_header(self.authz_header, neg_hdr) + resp = self.parent.open(req) - self.authenticate_server(resp.info()) + self.authenticate_server(resp.info()) - return resp + return resp - except k.GSSError, e: - log.critical("GSSAPI Error: %s/%s" % (e[0][0], e[1][0])) - return None + except k.GSSError, e: + log.critical("GSSAPI Error: %s/%s" % (e[0][0], e[1][0])) + return None - finally: - self.clean_context() - self.retried = 0 + finally: + self.clean_context() + self.retried = 0 class ProxyKerberosAuthHandler(u2.BaseHandler, AbstractKerberosAuthHandler): """Kerberos Negotiation handler for HTTP proxy auth """ - auth_header = 'Proxy-Authorization' + authz_header = 'Proxy-Authorization' + auth_header = 'proxy-authenticate' handler_order = 480 # before Digest auth def http_error_407(self, req, fp, code, msg, 
headers): log.debug("inside http_error_407") host = req.get_host() - retry = self.http_error_auth_reqed('proxy_authenticate', host, req, headers) - self.reset_retry_count() + retry = self.http_error_auth_reqed(host, req, headers) + self.retried = 0 return retry class HTTPKerberosAuthHandler(u2.BaseHandler, AbstractKerberosAuthHandler): """Kerberos Negotiation handler for HTTP auth """ - auth_header = 'Authorization' + authz_header = 'Authorization' + auth_header = 'www-authenticate' handler_order = 480 # before Digest auth def http_error_401(self, req, fp, code, msg, headers): log.debug("inside http_error_401") host = req.get_host() - retry = self.http_error_auth_reqed('www-authenticate', host, req, headers) - self.reset_retry_count() + retry = self.http_error_auth_reqed(host, req, headers) + self.retried = 0 return retry def test(): |
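Review bot: `http_error_auth_reqed` still takes `host` but never uses it and has no docstring; since both callers pass `req.get_host()` and the SPN is derived from `req` elsewhere, either drop the parameter in all three places or add a docstring noting it is kept for parity with urllib2's digest handler signature. The retry guard `if not self.retried > 0` only stops a loop if something increments `self.retried` during the nested `self.parent.open(req)` (the debug line in the `-66` hunk suggests `generate_request_header` does, but it is outside the diff); if nothing does, a server that keeps answering 401 with a Negotiate challenge recurses until the interpreter limit instead of stopping after one retry, so a `# incremented in generate_request_header; reset in finally below` comment above the check would make that contract visible. Note also that `self.authenticate_server(resp.info())` sits inside the `except k.GSSError` scope, so a GSSError raised there becomes `return None` and urllib2 reports the original 401 without the mutual-auth reason; a short comment on the `except` line saying that a None return means "authentication failed, let urllib2 raise the 401" would help the next reader.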