def test_fail_only_ntlm(self, reset_imports):
    """An explicit "kerberos" request must raise when no GSSAPI/SSPI exists.

    Both backend flags are forced off, so the only provider left would be
    NTLM. The test pins that the caller gets a ValueError instead of a
    context for a provider they did not ask for.
    """
    # reset_imports is presumably the fixture that restores these module
    # flags afterwards - confirm against the conftest / fixture definition.
    spnego.HAS_GSSAPI = False
    spnego.HAS_SSPI = False

    expected_msg = (
        "The auth_provider specified 'kerberos' cannot be used without "
        "GSSAPI or SSPI being installed, select auto or install GSSAPI "
        "or SSPI"
    )

    with pytest.raises(ValueError) as exc_info:
        get_auth_context("", "", "kerberos", None, None, None, False, False)

    assert str(exc_info.value) == expected_msg
def test_get_auth_has_gssapi_ntlm_with_cred(self, reset_imports):
    """An explicit "ntlm" request yields an NTLMContext with GSSAPI flagged on.

    The last positional argument (wrap_required in the handle_401 call
    order) is True here.
    """
    spnego.HAS_SSPI = False
    spnego.HAS_GSSAPI = True

    result = get_auth_context("", "", "ntlm", None, None, None, False, True)
    auth_ctx, _token_gen, first_token = result

    assert isinstance(auth_ctx, NTLMContext)
    # "NTLMSSP\0" signature followed by message type 1 (NEGOTIATE) as a
    # little-endian 32-bit integer.
    assert first_token.startswith(b"NTLMSSP\x00\x01\x00\x00\x00")
def test_get_auth_no_sspi_or_gssapi(self, reset_imports):
    """With no GSSAPI or SSPI, "auto" resolves to an NTLMContext.

    This pins the fallback behaviour of "auto": a host without either
    backend authenticates with NTLM. Callers that must not use NTLM should
    request "kerberos" explicitly, which raises in the same situation.
    """
    spnego.HAS_SSPI = False
    spnego.HAS_GSSAPI = False

    result = get_auth_context("", "", "auto", None, None, None, False, False)
    auth_ctx, _token_gen, first_token = result

    assert isinstance(auth_ctx, NTLMContext)
    # NTLMSSP signature + message type 1 (NEGOTIATE).
    assert first_token.startswith(b"NTLMSSP\x00\x01\x00\x00\x00")
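def test_get_auth_gssapi_kerb_not_available(self, reset_imports, monkeypatch):
    """Explicit "kerberos" with wrapping required must fail without GSSAPI encryption.

    HAS_GSSAPI_ENCRYPTION is forced off and the final argument
    (wrap_required in the handle_401 call order) is True. The expected
    outcome is a ValueError, so message encryption is never silently
    dropped for a caller who asked for it.

    The unused ``_step`` generator that the original defined here was
    removed; nothing in this test patched it onto a context class.
    """
    # Skip instead of failing when the optional gssapi package is absent.
    pytest.importorskip("gssapi")
    spnego.HAS_GSSAPI_ENCRYPTION = False

    # Replace the raw GSSAPI option setter so no real library call is made.
    mock_set_sec = MagicMock()
    monkeypatch.setattr('gssapi.raw.set_sec_context_option', mock_set_sec)

    with pytest.raises(ValueError) as err:
        get_auth_context("", "", "kerberos", None, "host", "service",
                         False, True)

    assert str(err.value) == \
        "The auth_provider specified 'kerberos' is not available as " \
        "message encryption is required but is not available on the " \
        "current system. Either disable encryption, use https or " \
        "specify auto/ntlm"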
def test_get_auth_has_gssapi_kerb_failure(self, monkeypatch):
    """When GSSAPI cannot be used, "auto" falls back to an NTLMContext.

    The fallback is silent from the caller's point of view: the only
    visible difference is the type of the returned context.
    """
    gssapi_mod = pytest.importorskip("gssapi")

    failing_set_sec = MagicMock(
        side_effect=gssapi_mod.exceptions.GSSError(65536, 0)
    )
    monkeypatch.setattr('gssapi.raw.set_sec_context_option', failing_set_sec)

    # gssapi will fail because the user is not a valid user, we expect
    # this to happen and should result in NTLMContext being returned
    result = get_auth_context("", "", "auto", None, "host", "service",
                              False, False)
    auth_ctx, _token_gen, first_token = result

    assert isinstance(auth_ctx, NTLMContext)
    # NTLMSSP signature + message type 1 (NEGOTIATE).
    assert first_token.startswith(b"NTLMSSP\x00\x01\x00\x00\x00")
def test_get_auth_has_gssapi_no_encryption_and_ntlm(self, reset_imports,
                                                    monkeypatch):
    """No GSSAPI encryption + wrapping required: "auto" ends up on NTLM.

    Also checks how the raw GSSAPI option setter was invoked before the
    fallback: one positional OID plus ``context`` and ``value`` keywords.
    """
    gssapi_mod = pytest.importorskip("gssapi")
    spnego.HAS_GSSAPI_ENCRYPTION = False

    failing_set_sec = MagicMock(
        side_effect=gssapi_mod.exceptions.GSSError(65536, 0)
    )
    monkeypatch.setattr('gssapi.raw.set_sec_context_option', failing_set_sec)

    result = get_auth_context("", "", "auto", None, "host", "service",
                              False, True)
    auth_ctx, _token_gen, first_token = result

    assert isinstance(auth_ctx, NTLMContext)
    # NTLMSSP signature + message type 1 (NEGOTIATE).
    assert first_token.startswith(b"NTLMSSP\x00\x01\x00\x00\x00")

    # call_args is an (args, kwargs) pair for the most recent call.
    last_call = failing_set_sec.call_args
    assert len(last_call) == 2
    positional, keyword = last_call[0], last_call[1]

    # NOTE(review): this OID looks like gss-ntlmssp's "reset crypto"
    # option - confirm against the spnego module that issues the call.
    assert positional == \
        (gssapi_mod.OID.from_int_seq("1.3.6.1.4.1.7165.655.1.3"),)
    assert isinstance(keyword['context'], gssapi_mod.SecurityContext)
    assert keyword['value'] == b"\x00\x00\x00\x00"
def test_get_auth_has_sspi(self, reset_imports, auth, provider, wrap,
                           monkeypatch):
    """With SSPI flagged available, get_auth_context returns an SSPIContext.

    NOTE(review): ``auth``, ``provider`` and ``wrap`` are not defined in the
    visible part of this file; presumably a parametrize decorator or
    fixtures supply them - confirm before running this test in isolation.
    """
    def _fake_step(self, token=None):
        # Stand-in for SSPIContext.step: a generator yielding one token.
        yield b"token"

    init_spy = MagicMock()
    spnego.HAS_SSPI = True
    monkeypatch.setattr(SSPIContext, "init_context", init_spy)
    monkeypatch.setattr(SSPIContext, "step", _fake_step)

    result = get_auth_context("", "", auth, None, "host", "service",
                              False, wrap)
    auth_ctx, token_gen, first_token = result

    assert isinstance(auth_ctx, SSPIContext)
    assert auth_ctx.auth_provider == provider
    assert init_spy.call_count == 1
    assert isinstance(token_gen, types.GeneratorType)
    assert first_token == b"token"
def test_get_auth_gssapi_auto_kerb_avail(self, monkeypatch):
    """"auto" selects the Kerberos mechanism when the GSSAPI option call fails.

    The raw option setter is made to raise GSSError, and the resulting
    GSSAPIContext is expected to carry the Kerberos V5 mechanism OID
    instead of the SPNEGO one.
    """
    gssapi_mod = pytest.importorskip("gssapi")

    def _fake_step(self, token=None):
        # Stand-in for GSSAPIContext.step: a generator yielding one token.
        yield b"token"

    failing_set_sec = MagicMock(
        side_effect=gssapi_mod.exceptions.GSSError(65536, 0)
    )
    init_spy = MagicMock()
    monkeypatch.setattr('gssapi.raw.set_sec_context_option', failing_set_sec)
    monkeypatch.setattr(GSSAPIContext, "init_context", init_spy)
    monkeypatch.setattr(GSSAPIContext, "step", _fake_step)

    result = get_auth_context("", "", "auto", None, "host", "service",
                              False, False)
    auth_ctx, token_gen, first_token = result

    assert isinstance(auth_ctx, GSSAPIContext)
    # 1.2.840.113554.1.2.2 is the Kerberos V5 GSS-API mechanism OID.
    assert auth_ctx.auth_provider == "1.2.840.113554.1.2.2"
    assert init_spy.call_count == 1
    assert isinstance(token_gen, types.GeneratorType)
    assert first_token == b"token"
def test_get_auth_gssapi_auto_successful(self, monkeypatch):
    """"auto" selects SPNEGO when the GSSAPI option call succeeds.

    Here the raw option setter is a plain mock that does not raise, and the
    resulting GSSAPIContext is expected to carry the SPNEGO mechanism OID.
    """
    pytest.importorskip("gssapi")

    def _fake_step(self, token=None):
        # Stand-in for GSSAPIContext.step: a generator yielding one token.
        yield b"token"

    set_sec_spy = MagicMock()
    init_spy = MagicMock()
    monkeypatch.setattr('gssapi.raw.set_sec_context_option', set_sec_spy)
    monkeypatch.setattr(GSSAPIContext, "init_context", init_spy)
    monkeypatch.setattr(GSSAPIContext, "step", _fake_step)

    result = get_auth_context("", "", "auto", None, "host", "service",
                              False, False)
    auth_ctx, token_gen, first_token = result

    assert isinstance(auth_ctx, GSSAPIContext)
    # 1.3.6.1.5.5.2 is the SPNEGO mechanism OID.
    assert auth_ctx.auth_provider == "1.3.6.1.5.5.2"
    assert init_spy.call_count == 1
    assert isinstance(token_gen, types.GeneratorType)
    assert first_token == b"token"
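def handle_401(self, response, **kwargs):
    """Run the Negotiate token exchange after the server answered 401.

    Builds an auth context for the target host, then keeps resending the
    original request with a fresh ``Negotiate`` token until the context
    reports completion and no outgoing token is left, or until the server
    stops returning a token.

    Args:
        response: The 401 response. Its ``url``, ``content``, ``raw``,
            ``request`` and ``connection`` attributes are used.
        **kwargs: Forwarded unchanged to ``response.connection.send``.

    Returns:
        The last response received during the exchange.
    """
    host = get_hostname(response.url)

    # Bind the name on every path. Previously a falsy send_cbt left
    # cbt_app_data unassigned and the get_auth_context call below raised
    # UnboundLocalError.
    # NOTE(review): with send_cbt disabled no channel binding data reaches
    # the auth context, so authentication is presumably not tied to the
    # TLS channel - confirm that this is intended where it is switched off.
    cbt_app_data = None
    if self.send_cbt:
        cbt_app_data = HTTPNegotiateAuth._get_cbt_data(response)

    # hostname_override replaces the URL host for building the auth
    # context only; the context is still cached under the URL host.
    auth_hostname = self.hostname_override or host
    context, token_gen, out_token = get_auth_context(
        self.username, self.password, self.auth_provider, cbt_app_data,
        auth_hostname, self.service, self.delegate, self.wrap_required
    )
    self.contexts[host] = context

    while not context.complete or out_token is not None:
        # consume content and release the original connection to allow the
        # new request to reuse the same one.
        response.content
        response.raw.release_conn()

        # create a request with the Negotiate token present
        request = response.request.copy()
        log.debug("Sending http request with new auth token")
        self._set_auth_token(request, out_token, "Negotiate")

        # send the request with the auth token and get the response
        response = response.connection.send(request, **kwargs)

        # attempt to retrieve the auth token response
        in_token = self._get_auth_token(response, self._regex)

        # break if there was no token received from the host and return the
        # last response
        # NOTE(review): this exit can leave context.complete False while a
        # response is still returned; callers that rely on an established
        # context should check self.contexts[host].complete themselves.
        if in_token in [None, b""]:
            log.debug("Did not receive a http response with an auth "
                      "response, stopping authentication process")
            break

        out_token = token_gen.send(in_token)

    return response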
def test_invalid_provider(self):
    """An unknown auth_provider name is rejected with a ValueError."""
    expected_msg = (
        "Invalid auth_provider specified fake, must be auto, kerberos, "
        "or ntlm"
    )

    with pytest.raises(ValueError) as exc_info:
        get_auth_context("", "", "fake", None, None, None, False, False)

    assert str(exc_info.value) == expected_msg