Diffstat (limited to 'urllib2_kerberos.py')
-rw-r--r-- | urllib2_kerberos.py | 35 |
1 files changed, 22 insertions, 13 deletions
diff --git a/urllib2_kerberos.py b/urllib2_kerberos.py index da99a03..84542bd 100644 --- a/urllib2_kerberos.py +++ b/urllib2_kerberos.py @@ -24,6 +24,7 @@ import urllib2 as u2 import kerberos as k + def getLogger(): log = logging.getLogger("http_kerberos_auth_handler") handler = logging.StreamHandler() @@ -33,18 +34,22 @@ def getLogger(): return log log = getLogger() +log.setLevel(logging.DEBUG) + class AbstractKerberosAuthHandler: - """auth handler for urllib2 that does Kerberos HTTP Negotiate Authentication + """auth handler for urllib2 that does Kerberos HTTP Negotiate + Authentication """ def negotiate_value(self, headers): """checks for "Negotiate" in proper auth header """ authreq = headers.get(self.auth_header, None) + log.debug('authreq = {}'.format(authreq)) if authreq: - rx = re.compile('(?:.*,)*\s*Negotiate\s*([^,]*),?', re.I) + rx = re.compile(r'(?:.*,)*\s*Negotiate\s*([^,]*),?', re.I) mo = rx.search(authreq) if mo: return mo.group(1) @@ -68,7 +73,7 @@ class AbstractKerberosAuthHandler: log.debug("req.get_host() returned %s" % host) domain = host.rsplit(':', 1)[0] - + result, self.context = k.authGSSClientInit("HTTP@%s" % domain) if result < 1: @@ -87,7 +92,7 @@ class AbstractKerberosAuthHandler: response = k.authGSSClientResponse(self.context) log.debug("authGSSClientResponse() succeeded") - + return "Negotiate %s" % response def authenticate_server(self, headers): @@ -98,11 +103,12 @@ class AbstractKerberosAuthHandler: result = k.authGSSClientStep(self.context, neg_value) - if result < 1: + if result < 1: # this is a critical security warning # should change to a raise --Tim - log.critical("mutual auth failed: authGSSClientStep returned result %d" % result) - pass + log.critical( + "mutual auth failed: authGSSClientStep returned result %d" % + result) def clean_context(self): if self.context is not None: 
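Review bot: The module-level `log.setLevel(logging.DEBUG)` added after `log = getLogger()` turns debug output on for every program that imports this module, and the new `log.debug('authreq = {}'.format(authreq))` in `negotiate_value` then writes the server-supplied authenticate header, including any Negotiate token it carries, to the `StreamHandler` on each challenge. Library code should leave the level to the application; I would drop the `setLevel` line (`test()` already sets DEBUG for itself) and log only whether a challenge was seen, e.g. `log.debug("Negotiate challenge present: %s", bool(authreq))`. The header is remote-controlled text, so if its value stays in the log it should at least be formatted with `%r` so that embedded control characters cannot forge log lines.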
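Review bot: In `authenticate_server`, a `result < 1` from `k.authGSSClientStep` still only produces a `log.critical` line, so, as far as the visible call site shows, a response from a server that failed mutual authentication is returned to the caller as if it had been verified; the in-code comment already asks for a raise. Since this commit rewrites the branch anyway, I would make the failure fatal right after the log call, for example `raise u2.URLError("Kerberos mutual authentication failed")`. The start of `authenticate_server` is outside the hunk, so how `neg_value` is obtained, and whether it can be `None` at this point, is not visible here.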
@@ -111,7 +117,7 @@ class AbstractKerberosAuthHandler: self.context = None def http_error_auth_reqed(self, host, req, headers): - neg_value = self.negotiate_value(headers) #Check for auth_header + neg_value = self.negotiate_value(headers) # Check for auth_header if neg_value is not None: if not self.retried > 0: return self.retry_http_kerberos_auth(req, headers, neg_value) @@ -131,7 +137,8 @@ class AbstractKerberosAuthHandler: req.add_unredirected_header(self.authz_header, neg_hdr) resp = self.parent.open(req) - self.authenticate_server(resp.info()) + if resp.getcode() != 200: + self.authenticate_server(resp.info()) return resp @@ -144,6 +151,7 @@ class AbstractKerberosAuthHandler: self.clean_context() self.retried = 0 + class ProxyKerberosAuthHandler(u2.BaseHandler, AbstractKerberosAuthHandler): """Kerberos Negotiation handler for HTTP proxy auth """ @@ -151,7 +159,7 @@ class ProxyKerberosAuthHandler(u2.BaseHandler, AbstractKerberosAuthHandler): authz_header = 'Proxy-Authorization' auth_header = 'proxy-authenticate' - handler_order = 480 # before Digest auth + handler_order = 480 # before Digest auth def http_error_407(self, req, fp, code, msg, headers): log.debug("inside http_error_407") @@ -160,6 +168,7 @@ class ProxyKerberosAuthHandler(u2.BaseHandler, AbstractKerberosAuthHandler): self.retried = 0 return retry + class HTTPKerberosAuthHandler(u2.BaseHandler, AbstractKerberosAuthHandler): """Kerberos Negotiation handler for HTTP auth """ @@ -167,7 +176,7 @@ class HTTPKerberosAuthHandler(u2.BaseHandler, AbstractKerberosAuthHandler): authz_header = 'Authorization' auth_header = 'www-authenticate' - handler_order = 480 # before Digest auth + handler_order = 480 # before Digest auth def http_error_401(self, req, fp, code, msg, headers): log.debug("inside http_error_401") @@ -176,6 +185,7 @@ class HTTPKerberosAuthHandler(u2.BaseHandler, AbstractKerberosAuthHandler): self.retried = 0 return retry + def test(): log.setLevel(logging.DEBUG) log.info("starting test") 
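Review bot: The new guard `if resp.getcode() != 200:` skips `authenticate_server` for exactly the responses the caller will consume, so on a successful request the server's final Negotiate token is never passed to `authGSSClientStep` and mutual authentication is effectively switched off. If the intent was to tolerate servers that send no authenticate header on success, test for the header rather than the status, e.g. `if self.negotiate_value(resp.info()) is not None:`, and add a comment that a missing header means the server was not verified; since a peer can simply omit the header, accepting that case should be an explicit opt-in. As written, the check runs only on non-200 responses, where its outcome matters least. The enclosing method starts outside the hunk.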
@@ -183,8 +193,7 @@ def test(): opener.add_handler(HTTPKerberosAuthHandler()) resp = opener.open(sys.argv[1]) print dir(resp), resp.info(), resp.code - + if __name__ == '__main__': test() - |