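def build_session(self):
    """Build the ``requests.Session`` used to talk to the WinRM endpoint.

    The session is configured in three steps: TLS server-certificate
    verification, proxies taken from the environment, and the credentials
    that match ``self.auth_method``. ``self.default_headers`` is merged into
    the session headers last.

    Returns:
        The configured ``requests.Session``.

    Raises:
        WinRMError: the auth method is unsupported, or it needs an optional
            package (requests_kerberos / requests_ntlm) that is not installed.
        InvalidCredentialsError: the selected auth method is missing a
            username, password or client-certificate file.
    """
    if self.server_cert_validation == 'ignore':
        # Validation was explicitly disabled, so try to silence the
        # InsecureRequestWarning raised by requests' vendored urllib3.
        # warnings.simplefilter() edits the process-wide filter list: the
        # warning is hidden for every requests user in this process, not just
        # for this session.
        try:
            from requests.packages.urllib3.exceptions import InsecureRequestWarning
            warnings.simplefilter('ignore', category=InsecureRequestWarning)
        except Exception:
            # Best effort only. Catching Exception rather than using a bare
            # except keeps KeyboardInterrupt and SystemExit propagating.
            pass

    session = requests.Session()
    # Only the exact string 'validate' turns certificate verification on; any
    # other value (None, a typo, 'ignore') leaves it off.
    # NOTE(review): confirm the constructor rejects unknown values, otherwise
    # a misspelled setting silently disables TLS verification.
    session.verify = self.server_cert_validation == 'validate'

    # Configure proxies from the HTTP_PROXY / HTTPS_PROXY environment variables.
    session.trust_env = True
    env_settings = session.merge_environment_settings(
        url=self.endpoint, proxies={}, stream=None, verify=None, cert=None)
    # Only the proxies are taken from the environment; the other merged
    # settings are ignored.
    session.proxies = env_settings['proxies']

    method = self.auth_method

    if method == 'kerberos':
        if not HAVE_KERBEROS:
            raise WinRMError("requested auth method is kerberos, but requests_kerberos is not installed")
        # TODO: do argspec sniffing on extensions to ensure we're not setting
        # bogus kwargs on older versions
        # mutual_authentication=REQUIRED asks requests_kerberos to insist that
        # the server authenticates itself too. Credential delegation is
        # forwarded only when self.kerberos_delegation is set.
        session.auth = HTTPKerberosAuth(mutual_authentication=REQUIRED,
                                        delegate=self.kerberos_delegation,
                                        force_preemptive=True,
                                        principal=self.username,
                                        hostname_override=self.realm)
    elif method in ('certificate', 'ssl'):
        # TODO: 'ssl' is not exactly the right name here; this should really
        # be client_cert.
        if method == 'ssl' and not self.cert_pem and not self.cert_key_pem:
            # 'ssl' was overloaded for HTTPS with optional certificate auth;
            # fall back to basic auth if no cert was specified.
            # NOTE(review): unlike the 'basic' branch, this path does not check
            # that a username and password were supplied.
            session.auth = requests.auth.HTTPBasicAuth(username=self.username,
                                                       password=self.password)
        else:
            # Client certificate auth: both files are required and must exist.
            if not self.cert_pem or not self.cert_key_pem:
                raise InvalidCredentialsError("both cert_pem and cert_key_pem must be specified for cert auth")
            if not os.path.exists(self.cert_pem):
                raise InvalidCredentialsError("cert_pem file not found (%s)" % self.cert_pem)
            if not os.path.exists(self.cert_key_pem):
                raise InvalidCredentialsError("cert_key_pem file not found (%s)" % self.cert_key_pem)
            session.cert = (self.cert_pem, self.cert_key_pem)
            # The Authorization header carries the WS-Man mutual-auth security
            # profile URI; the credential itself is the TLS client certificate.
            session.headers['Authorization'] = (
                "http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual")
    elif method == 'ntlm':
        if not HAVE_NTLM:
            raise WinRMError("requested auth method is ntlm, but requests_ntlm is not installed")
        if not self.username:
            raise InvalidCredentialsError("auth method ntlm requires a username")
        if not self.password:
            raise InvalidCredentialsError("auth method ntlm requires a password")
        session.auth = HttpNtlmAuth(username=self.username, password=self.password)
    elif method in ('basic', 'plaintext'):
        if not self.username:
            raise InvalidCredentialsError("auth method basic requires a username")
        if not self.password:
            raise InvalidCredentialsError("auth method basic requires a password")
        # Basic auth sends the credentials base64-encoded, not encrypted, so
        # their confidentiality rests on the transport. This method does not
        # check the endpoint scheme.
        session.auth = requests.auth.HTTPBasicAuth(username=self.username,
                                                   password=self.password)
    else:
        raise WinRMError("unsupported auth method: %s" % self.auth_method)

    session.headers.update(self.default_headers)
    return session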