Add Kerberos and NTLM auth adapters for HTTPXWrapper #22706
mwdd146980 wants to merge 1 commit into mwdd146980/phase3-httpx-config-parity from
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5a613fa354
| principal: str | None = None, | ||
| keytab: str | None = None, | ||
| ) -> None: | ||
| self._mutual_authentication = mutual_authentication.lower() |
Accept boolean kerberos_auth values
KerberosAuth.__init__ unconditionally calls .lower() on mutual_authentication, but _build_httpx_client still forwards legacy kerberos_auth: true values on the deprecated compatibility path. In that case client construction raises AttributeError before any request is sent, so existing Kerberos configs that worked in the requests wrapper fail when using HTTPX.
| ctx = self._build_context(hostname) | ||
| token = ctx.step(in_token=server_token) |
Reuse Kerberos context across preemptive 401 retry
When force_preemptive is enabled, the flow sends an initial token with one context and then creates a brand-new context on a 401 before processing the server challenge. SPNEGO/Kerberos handshakes are stateful, so the challenge token should be handled by the same context that generated the first token; resetting it can cause preemptive Kerberos auth to fail on servers that respond with a challenge.
| if server_token: | ||
| try: | ||
| ctx.step(in_token=server_token) | ||
| except Exception: | ||
| LOGGER.warning('Kerberos mutual authentication failed for %s', hostname) |
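Review bot: The `except Exception:` around `ctx.step(in_token=server_token)` discards the error, so the `LOGGER.warning` on the next line records only the hostname and not why verification failed. Bind the exception (`except Exception as e:`) and include it in the message or pass `exc_info=True`, and narrow the catch to the error type the authentication library raises so that an unrelated bug in this path is not logged as a Kerberos failure.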
Enforce required mutual-auth verification
In mutual_authentication='required' mode, verification only runs when a token exists and any verification failure is swallowed with a warning, so responses can still be accepted without successful mutual auth. This weakens the semantics of the required mode because missing or invalid server tokens are treated as success instead of failing the request.
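The fail-closed check this review comment asks for, as an added example that is not code from the pull request: in `required` mode a missing, malformed or rejected server token raises instead of being logged and accepted. `FakeContext`, `MutualAuthError`, `server_token`, `verify_mutual_auth` and the sample headers are constructed for illustration, and the `optional` and `disabled` mode names are assumptions (the page only names `required`).

```python
import base64
import re

class MutualAuthError(Exception):
    """The server did not prove its identity and the mode is 'required'."""

class FakeContext:
    """Constructed stand-in for a client security context (step() and .complete only)."""
    def __init__(self, expected):
        self.expected, self.complete = expected, False

    def step(self, in_token=None):
        if in_token != self.expected:
            raise ValueError("server token rejected")
        self.complete = True

# Constructed sample WWW-Authenticate values.
GOOD_HEADER = "Negotiate " + base64.b64encode(b"server-proof").decode()
FORGED_HEADER = "Negotiate " + base64.b64encode(b"forged").decode()
_NEGOTIATE = re.compile(r"(?:^|,\s*)Negotiate\s+([A-Za-z0-9+/=]+)", re.I)

def server_token(www_authenticate):
    """Decode the Negotiate token from a WWW-Authenticate value; None if absent or malformed."""
    match = _NEGOTIATE.search(www_authenticate or "")
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None

def verify_mutual_auth(ctx, www_authenticate, mode):
    """Return True only when the server token was verified; raise in 'required' mode otherwise."""
    if mode == "disabled":  # assumed mode name
        return False
    token, error, verified = server_token(www_authenticate), None, False
    if token is not None:
        try:
            ctx.step(in_token=token)
            verified = bool(ctx.complete)
        except Exception as exc:  # a real adapter would catch the library's error type
            error = exc
    if not verified and mode == "required":
        # Fail closed: a missing, malformed or rejected token is never treated as success.
        raise MutualAuthError("mutual authentication not completed") from error
    return verified  # 'optional' (assumed mode name): caller may log and continue
```
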
Warning: This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
- Add KerberosAuth(httpx.Auth) using spnego for GSSAPI/Kerberos negotiate: preemptive and non-preemptive modes, mutual auth, delegate, keytab
- Add NTLMAuth(httpx.Auth) using spnego for three-step NTLM handshake: Type1 Negotiate -> Type2 Challenge -> Type3 Authenticate
- Wire both adapters into _build_httpx_client for auth_type=kerberos/ntlm
- spnego loaded via lazy_loader; no startup cost when auth not used
- Add test_httpx_auth.py with 12 tests covering all auth flows using mocked spnego

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Summary
- KerberosAuth(httpx.Auth) using spnego for GSSAPI/Kerberos negotiate: preemptive and non-preemptive modes, mutual auth, delegate, keytab
- NTLMAuth(httpx.Auth) using spnego for three-step NTLM handshake: Type1 Negotiate → Type2 Challenge → Type3 Authenticate
- _build_httpx_client for auth_type=kerberos/ntlm
- spnego loaded via lazy_loader; no startup cost when auth is not used
- test_httpx_auth.py with 12 tests covering all auth flows using mocked spnego

Test plan
- ddev test datadog_checks_base -- tests/base/utils/http/test_httpx_auth.py -v
- ddev test datadog_checks_base -- tests/base/utils/http/test_http_httpx.py::TestBuildHttpxClient -v

🤖 Generated with Claude Code