Rev 4016: (Jelmer) Support GSSAPI authentication for HTTP and HTTPS. in file:///home/pqm/archives/thelove/bzr/%2Btrunk/
Canonical.com Patch Queue Manager
pqm at pqm.ubuntu.com
Wed Feb 18 09:41:20 GMT 2009
At file:///home/pqm/archives/thelove/bzr/%2Btrunk/
------------------------------------------------------------
revno: 4016
revision-id: pqm at pqm.ubuntu.com-20090218094117-mum4jrw92j9ijj01
parent: pqm at pqm.ubuntu.com-20090218084918-7d1qa881h8ahpu82
parent: jelmer at samba.org-20090218090055-2bt6b70yrv52zjx4
committer: Canonical.com Patch Queue Manager <pqm at pqm.ubuntu.com>
branch nick: +trunk
timestamp: Wed 2009-02-18 09:41:17 +0000
message:
(Jelmer) Support GSSAPI authentication for HTTP and HTTPS.
modified:
NEWS NEWS-20050323055033-4e00b5db738777ff
bzrlib/transport/http/_urllib2_wrappers.py _urllib2_wrappers.py-20060913231729-ha9ugi48ktx481ao-1
------------------------------------------------------------
revno: 4011.3.6
revision-id: jelmer at samba.org-20090218090055-2bt6b70yrv52zjx4
parent: jelmer at samba.org-20090217144626-rc6jt0qmfe950fp0
parent: pqm at pqm.ubuntu.com-20090218084918-7d1qa881h8ahpu82
committer: Jelmer Vernooij <jelmer at samba.org>
branch nick: http-gssapi
timestamp: Wed 2009-02-18 10:00:55 +0100
message:
Merge bzr.dev.
modified:
NEWS NEWS-20050323055033-4e00b5db738777ff
bzrlib/branch.py branch.py-20050309040759-e4baf4e0d046576e
bzrlib/bzrdir.py bzrdir.py-20060131065624-156dfea39c4387cb
bzrlib/remote.py remote.py-20060720103555-yeeg2x51vn0rbtdp-1
bzrlib/shelf_ui.py shelver.py-20081005210102-33worgzwrtdw0yrm-1
bzrlib/smart/branch.py branch.py-20061124031907-mzh3pla28r83r97f-1
bzrlib/tests/blackbox/test_push.py test_push.py-20060329002750-929af230d5d22663
bzrlib/tests/branch_implementations/test_branch.py testbranch.py-20050711070244-121d632bc37d7253
bzrlib/tests/branch_implementations/test_hooks.py test_hooks.py-20070129154855-blhpwxmvjs07waei-1
bzrlib/tests/branch_implementations/test_sprout.py test_sprout.py-20070521151739-b8t8p7axw1h966ws-1
bzrlib/tests/bzrdir_implementations/test_bzrdir.py test_bzrdir.py-20060131065642-0ebeca5e30e30866
bzrlib/tests/per_repository/test_add_fallback_repository.py test_add_fallback_re-20080215040003-8w9n4ck9uqdxj18m-1
bzrlib/tests/per_repository/test_repository.py test_repository.py-20060131092128-ad07f494f5c9d26c
bzrlib/tests/test_remote.py test_remote.py-20060720103555-yeeg2x51vn0rbtdp-2
bzrlib/tests/test_shelf_ui.py test_shelf_ui.py-20081027155203-wtcuazg85wp9u4fv-1
bzrlib/trace.py trace.py-20050309040759-c8ed824bdcd4748a
bzrlib/win32utils.py win32console.py-20051021033308-123c6c929d04973d
------------------------------------------------------------
revno: 4011.3.5
revision-id: jelmer at samba.org-20090217144626-rc6jt0qmfe950fp0
parent: jelmer at samba.org-20090217110548-n4k4hh28uhxx0vg1
committer: Jelmer Vernooij <jelmer at samba.org>
branch nick: http-gssapi
timestamp: Tue 2009-02-17 15:46:26 +0100
message:
Move import next to other system libs, fix format.
modified:
bzrlib/transport/http/_urllib2_wrappers.py _urllib2_wrappers.py-20060913231729-ha9ugi48ktx481ao-1
------------------------------------------------------------
revno: 4011.3.4
revision-id: jelmer at samba.org-20090217110548-n4k4hh28uhxx0vg1
parent: jelmer at samba.org-20090217021059-eyk0hufrwnanok1c
committer: Jelmer Vernooij <jelmer at samba.org>
branch nick: http-gssapi
timestamp: Tue 2009-02-17 12:05:48 +0100
message:
review from vila: mention HTTPS, clarify error a bit, move import to top-level.
modified:
NEWS NEWS-20050323055033-4e00b5db738777ff
bzrlib/transport/http/_urllib2_wrappers.py _urllib2_wrappers.py-20060913231729-ha9ugi48ktx481ao-1
------------------------------------------------------------
revno: 4011.3.3
revision-id: jelmer at samba.org-20090217021059-eyk0hufrwnanok1c
parent: jelmer at samba.org-20090217015430-62v560na6f1ngybp
committer: Jelmer Vernooij <jelmer at samba.org>
branch nick: http-gssapi
timestamp: Tue 2009-02-17 03:10:59 +0100
message:
Remove realm support, it's not necessary.
modified:
bzrlib/transport/http/_urllib2_wrappers.py _urllib2_wrappers.py-20060913231729-ha9ugi48ktx481ao-1
------------------------------------------------------------
revno: 4011.3.2
revision-id: jelmer at samba.org-20090217015430-62v560na6f1ngybp
parent: jelmer at samba.org-20090217013950-94zno65wcmx7kvb1
committer: Jelmer Vernooij <jelmer at samba.org>
branch nick: http-gssapi
timestamp: Tue 2009-02-17 02:54:30 +0100
message:
Only attempt GSSAPI authentication when the kerberos module is present.
modified:
NEWS NEWS-20050323055033-4e00b5db738777ff
bzrlib/transport/http/_urllib2_wrappers.py _urllib2_wrappers.py-20060913231729-ha9ugi48ktx481ao-1
------------------------------------------------------------
revno: 4011.3.1
revision-id: jelmer at samba.org-20090217013950-94zno65wcmx7kvb1
parent: pqm at pqm.ubuntu.com-20090216172448-vj35mjoe463c3bk2
committer: Jelmer Vernooij <jelmer at samba.org>
branch nick: http-gssapi
timestamp: Tue 2009-02-17 02:39:50 +0100
message:
Add simple support for GSSAPI authentication over HTTP.
modified:
bzrlib/transport/http/_urllib2_wrappers.py _urllib2_wrappers.py-20060913231729-ha9ugi48ktx481ao-1
=== modified file 'NEWS'
--- a/NEWS 2009-02-18 08:49:18 +0000
+++ b/NEWS 2009-02-18 09:00:55 +0000
@@ -30,6 +30,9 @@
generation of a working tree in the new branch.
(Daniel Watkins, John Klinger, #273993)
+ * Support for GSSAPI authentication when using HTTP or HTTPS.
+ (Jelmer Vernooij)
+
* The ``bzr shelve`` prompt now includes a '?' help option to explain the
short options better. (Daniel Watkins, #327429)
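Review bot: The added NEWS entry does not say that the feature depends on the optional kerberos Python module, which the import guard in _urllib2_wrappers.py treats as allowed to be missing. Suggest extending the entry, for example "(requires the kerberos module)", so users who see no Negotiate attempt know what to install.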
=== modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
--- a/bzrlib/transport/http/_urllib2_wrappers.py 2009-02-09 18:25:43 +0000
+++ b/bzrlib/transport/http/_urllib2_wrappers.py 2009-02-17 14:46:26 +0000
@@ -47,6 +47,12 @@
# ensure that.
import httplib
+try:
+ import kerberos
+except ImportError:
+ have_kerberos = False
+else:
+ have_kerberos = True
import socket
import urllib
import urllib2
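Review bot: The try/except block lands between "import httplib" and "import socket", so the existing comment ending in "# ensure that." is now followed by the kerberos guard as well as httplib, and the plain imports are split in two. Consider moving the guarded import below the plain imports. Also consider recording the ImportError case somewhere a user can see it, since have_kerberos = False is otherwise silent.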
@@ -943,7 +949,7 @@
preventively set authentication headers after the first
successful authentication.
- This can be used for http and proxy, as well as for basic and
+ This can be used for http and proxy, as well as for basic, negotiate and
digest authentications.
This provides an unified interface for all authentication handlers
@@ -1143,6 +1149,53 @@
https_request = http_request # FIXME: Need test
+class NegotiateAuthHandler(AbstractAuthHandler):
+ """A authentication handler that handles WWW-Authenticate: Negotiate.
+
+ At the moment this handler supports just Kerberos. In the future,
+ NTLM support may also be added.
+ """
+
+ handler_order = 480
+
+ def auth_match(self, header, auth):
+ scheme = header.lower()
+ if scheme != 'negotiate':
+ return False
+ self.update_auth(auth, 'scheme', scheme)
+ resp = self._auth_match_kerberos(auth)
+ if resp is None:
+ return False
+ # Optionally should try to authenticate using NTLM here
+ self.update_auth(auth, 'negotiate_response', resp)
+ return True
+
+ def _auth_match_kerberos(self, auth):
+ """Try to create a GSSAPI response for authenticating against a host."""
+ if not have_kerberos:
+ return None
+ ret, vc = kerberos.authGSSClientInit("HTTP@%(host)s" % auth)
+ if ret < 1:
+ trace.warning('Unable to create GSSAPI context for %s: %d',
+ auth['host'], ret)
+ return None
+ ret = kerberos.authGSSClientStep(vc, "")
+ if ret < 0:
+ trace.mutter('authGSSClientStep failed: %d', ret)
+ return None
+ return kerberos.authGSSClientResponse(vc)
+
+ def build_auth_header(self, auth, request):
+ return "Negotiate %s" % auth['negotiate_response']
+
+ def auth_params_reusable(self, auth):
+ # If the auth scheme is known, it means a previous
+ # authentication was successful, all information is
+ # available, no further checks are needed.
+ return (auth.get('scheme', None) == 'negotiate' and
+ auth.get('negotiate_response', None) is not None)
+
+
class BasicAuthHandler(AbstractAuthHandler):
"""A custom basic authentication handler."""
@@ -1368,6 +1421,14 @@
"""Custom proxy basic authentication handler"""
+class HTTPNegotiateAuthHandler(NegotiateAuthHandler, HTTPAuthHandler):
+ """Custom http negotiate authentication handler"""
+
+
+class ProxyNegotiateAuthHandler(NegotiateAuthHandler, ProxyAuthHandler):
+ """Custom proxy negotiate authentication handler"""
+
+
class HTTPErrorProcessor(urllib2.HTTPErrorProcessor):
"""Process HTTP error responses.
@@ -1432,8 +1493,10 @@
ProxyHandler(),
HTTPBasicAuthHandler(),
HTTPDigestAuthHandler(),
+ HTTPNegotiateAuthHandler(),
ProxyBasicAuthHandler(),
ProxyDigestAuthHandler(),
+ ProxyNegotiateAuthHandler(),
HTTPHandler,
HTTPSHandler,
HTTPDefaultErrorHandler,
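Review bot: The Negotiate handlers are listed after Basic and Digest here while NegotiateAuthHandler sets handler_order = 480, so it is unclear which scheme is meant to win when a server offers several. Please add a comment stating the intended priority, since falling back to Basic sends a password where Kerberos would not. The handlers are also installed even when have_kerberos is False, which is harmless only because auth_match then returns False. Finally, the http-gssapi revisions list only NEWS and _urllib2_wrappers.py as modified, so the new handlers come with no tests; a test that feeds a "Negotiate" challenge through auth_match with kerberos stubbed out would cover the new paths.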