def test_handle_response_500_mutual_auth_required_fail_no_san(
patched_ctx_fail):
response_500 = null_response(
status=500,
headers={
'date': 'DATE',
'content-length': '100',
'other': 'x'
},
)
response_500._content = b'CONTENT'
auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=REQUIRED,
sanitize_mutual_error_response=False)
auth.context = {"www.example.org": "CTX"}
flow = auth.handle_response(response_500)
with pytest.raises(StopIteration): # advance flow with no new requests
next(flow)
assert response_500.headers['other'] == 'x'
assert response_500.headers['date'] == 'DATE'
assert response_500.headers['content-length'] == '100'
assert response_500.content == b'CONTENT'
assert not fail_resp.called
def test_realm_override(patched_ctx):
response = null_response(headers=neg_token)
otherhost = "otherhost.otherdomain.org"
auth = httpx_gssapi.HTTPKerberosAuth(hostname_override=otherhost)
auth.generate_request_header(response.url.host, response)
check_init(name=gssapi_name(f"HTTP@{otherhost}"))
fake_resp.assert_called_with(b"token")
def test_generate_request_header(patched_ctx):
resp = null_response(headers=neg_token)
host = resp.url.host
auth = httpx_gssapi.HTTPKerberosAuth()
assert auth.generate_request_header(host, resp) == b64_negotiate_response
check_init()
fake_resp.assert_called_with(b"token")
def test_generate_request_header_init_error(patched_ctx_fail):
response = null_response(headers=neg_token)
host = response.url.host
auth = httpx_gssapi.HTTPKerberosAuth()
with pytest.raises(httpx_gssapi.exceptions.SPNEGOExchangeError):
auth.generate_request_header(host, response)
check_init()
def test_no_force_preemptive(patched_ctx):
auth = httpx_gssapi.HTTPKerberosAuth()
request = null_request()
flow = auth.auth_flow(request)
next(flow) # Move to first request yield
assert 'Authorization' not in request.headers
def test_force_preemptive(patched_ctx):
auth = httpx_gssapi.HTTPKerberosAuth(force_preemptive=True)
request = null_request()
flow = auth.auth_flow(request)
next(flow) # Move to first request yield
assert 'Authorization' in request.headers
assert request.headers.get('Authorization') == b64_negotiate_response
def test_principal_override(patched_ctx, patched_creds):
response = null_response(headers=neg_token)
auth = httpx_gssapi.HTTPKerberosAuth(principal="user@REALM")
auth.generate_request_header(response.url.host, response)
fake_creds.assert_called_with(
gssapi.creds.Credentials,
usage="initiate",
name=gssapi_name("user@REALM"),
)
check_init(creds=b"fake creds")
def test_authenticate_server(patched_ctx):
response_ok = null_response(
headers={
'www-authenticate': b64_negotiate_server,
'authorization': b64_negotiate_response,
})
auth = httpx_gssapi.HTTPKerberosAuth()
auth.context = {"www.example.org": gssapi.SecurityContext}
assert auth.authenticate_server(response_ok)
fake_resp.assert_called_with(b"servertoken")
def test_handle_response_200_mutual_auth_optional_soft_failure(patched_ctx):
response_ok = null_response()
auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=OPTIONAL)
auth.context = {"www.example.org": gssapi.SecurityContext}
flow = auth.handle_response(response_ok)
with pytest.raises(StopIteration): # advance flow with no new requests
next(flow)
assert not fake_resp.called
def test_handle_response_200_mutual_auth_required_failure(patched_ctx_fail):
response_ok = null_response()
auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=REQUIRED)
auth.context = {"www.example.org": "CTX"}
flow = auth.handle_response(response_ok)
with pytest.raises(httpx_gssapi.MutualAuthenticationError):
next(flow)
assert not fail_resp.called
def test_authenticate_user(patched_ctx):
response = null_response(
status=401,
request=null_request(),
headers=neg_token,
)
auth = httpx_gssapi.HTTPKerberosAuth()
request = auth.authenticate_user(response)
assert 'Authorization' in request.headers
assert request.headers['Authorization'] == b64_negotiate_response
check_init()
fake_resp.assert_called_with(b"token")
def test_delegation(patched_ctx):
auth = httpx_gssapi.HTTPKerberosAuth(delegate=True)
response_401 = null_response(status=401, headers=neg_token)
flow = auth.handle_response(response_401)
request = next(flow)
assert isinstance(request, httpx.Request)
assert request.headers['Authorization'] == b64_negotiate_response
response_ok = null_response(headers=neg_server, request=request)
with pytest.raises(StopIteration): # no more requests
flow.send(response_ok)
check_init(flags=gssdelegflags)
fake_resp.assert_called_with(b"token")
def test_handle_other(patched_ctx):
response_ok = null_response(
headers={
'www-authenticate': b64_negotiate_server,
'authorization': b64_negotiate_response,
})
auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=REQUIRED)
auth.context = {"www.example.org": gssapi.SecurityContext}
auth.handle_mutual_auth(response_ok) # No error raised
fake_resp.assert_called_with(b"servertoken")
def test_handle_response_200(patched_ctx):
response_ok = null_response(
headers={
'www-authenticate': b64_negotiate_server,
'authorization': b64_negotiate_response,
})
auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=REQUIRED)
auth.context = {"www.example.org": gssapi.SecurityContext}
flow = auth.handle_response(response_ok)
with pytest.raises(StopIteration): # No other requests required
next(flow)
fake_resp.assert_called_with(b"servertoken")
def test_handle_response_200_mutual_auth_optional_hard_fail(patched_ctx_fail):
response_ok = null_response(
headers={
'www-authenticate': b64_negotiate_server,
'authorization': b64_negotiate_response,
})
auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=OPTIONAL)
auth.context = {"www.example.org": gssapi.SecurityContext}
flow = auth.handle_response(response_ok)
with pytest.raises(httpx_gssapi.MutualAuthenticationError):
next(flow)
fail_resp.assert_called_with(b"servertoken")
def test_handle_response_401_rejected(patched_ctx):
# Get a 401 from server, authenticate, and get another 401 back.
# Ensure there is no infinite auth loop.
auth = httpx_gssapi.HTTPKerberosAuth()
response_401 = null_response(status=401, headers=neg_token)
flow = auth.handle_response(response_401)
request = next(flow)
assert isinstance(request, httpx.Request)
assert request.headers['Authorization'] == b64_negotiate_response
response_401 = null_response(status=401,
headers=neg_token,
request=request)
request = flow.send(response_401)
assert isinstance(request, httpx.Request)
assert request.headers['Authorization'] == b64_negotiate_response
with pytest.raises(StopIteration): # no more requests, max is 2
flow.send(null_response(status=401, headers=neg_token,
request=request))
check_init()
fake_resp.assert_called_with(b"token")
def test_generate_request_header_custom_service(patched_ctx):
response = null_response(headers=neg_token)
auth = httpx_gssapi.HTTPKerberosAuth(service="barfoo")
auth.generate_request_header(response.url.host, response),
check_init(name=gssapi_name("*****@*****.**"))
fake_resp.assert_called_with(b"token")