implement Kerberos auth

this tries to use requests-gssapi and falls back to requests-kerberos

Author: evgeni

.github/workflows/main.yml

@@ -42,7 +42,7 @@ jobs:
         run: sudo mkdir -p /etc/rhsm/ca/ && sudo curl -o /etc/rhsm/ca/redhat-uep.pem https://ftp.redhat.com/redhat/convert2rhel/redhat-uep.pem
       - name: Install system dependencies
         # libyaml-dev for PyYAML, rpm for rpm-py-installer, python3-rpm for rpm-shim
-        run: sudo apt-get install -y libyaml-dev rpm python3-rpm
+        run: sudo apt-get install -y libyaml-dev rpm python3-rpm libkrb5-dev build-essential --no-install-recommends
       - name: Fix up Python RPM binding filenames so that other Pythons find it
         run: |
           for file in /usr/lib/python3/dist-packages/rpm/_rpm*.cpython-*.so; do

apypie/api.py

@@ -12,6 +12,14 @@
 from urllib.parse import urljoin  # type: ignore
 import requests
 
+try:
+    from requests_gssapi import HTTPKerberosAuth  # type: ignore
+except ImportError:
+    try:
+        from requests_kerberos import HTTPKerberosAuth  # type: ignore
+    except ImportError:
+        HTTPKerberosAuth = None
+
 from apypie.resource import Resource
 from apypie.exceptions import DocLoadingError
 
@@ -40,6 +48,7 @@ class Api(object):
     :param password: password to access the API
     :param client_cert: client cert to access the API
     :param client_key: client key to access the API
+    :param kerberos: use Kerberos/GSSAPI for authentication with the API. Requires either `requests-gssapi` or `requests-kerberos`.
     :param api_version: version of the API. Defaults to `1`
     :param language: prefered locale for the API description
     :param apidoc_cache_base_dir: base directory for building apidoc_cache_dir. Defaults to `~/.cache/apipie_bindings`.
@@ -85,6 +94,12 @@ def __init__(self, **kwargs):
         if kwargs.get('client_cert') and kwargs.get('client_key'):
             self._session.cert = (kwargs['client_cert'], kwargs['client_key'])
 
+        if kwargs.get('kerberos'):
+            if HTTPKerberosAuth is not None:
+                self._session.auth = HTTPKerberosAuth()
+            else:
+                raise ValueError('Kerberos authentication requested, but neither requests-gssapi nor requests-kerberos found.')
+
         self._apidoc = None
 
     @property

apypie/foreman.py

@@ -63,6 +63,8 @@ def __init__(self, **kwargs):
         self.task_poll = 4
         kwargs['api_version'] = 2
         super().__init__(**kwargs)
+        if kwargs.get('kerberos'):
+            self.call('users', 'extlogin')
 
     def _resource(self, resource: str) -> 'Resource':
         if resource not in self.resources:

requirements-test.txt

@@ -8,4 +8,5 @@ pytest-xdist
 pytest-pylint
 pytest-mock
 requests_mock
+requests-gssapi
 setuptools

setup.py

@@ -39,4 +39,7 @@
     install_requires=[
         'requests>=2.4.2',
     ],
+    extras_require={
+        'kerberos': ['requests-gssapi'],
+    },
 )

tests/test_foreman.py

@@ -36,6 +36,15 @@ def test_init(foremanapi):
     assert foremanapi.apidoc
 
 
+def test_kerberos(fixture_dir, requests_mock, tmpdir):
+    with fixture_dir.join('foreman.json').open() as read_file:
+        data = json.load(read_file)
+    requests_mock.get('https://api.example.com/apidoc/v2.json', json=data)
+    requests_mock.get('https://api.example.com/api/users/extlogin', status_code=204)
+    ForemanApi(uri='https://api.example.com', apidoc_cache_dir=tmpdir.strpath, kerberos=True)
+    assert requests_mock.last_request.url == 'https://api.example.com/api/users/extlogin'
+
+
 def test_resources(foremanapi):
     assert 'domains' in foremanapi.resources