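def _authenticate_with_kerberos(conn_info, url, agent, gss_client=None):
    """Perform the initial Kerberos (GSSAPI) exchange against a WinRM endpoint.

    Written as a generator for use with twisted's ``inlineCallbacks``: it
    ``yield``s Deferreds and hands back its result via ``defer.returnValue``.

    Args:
        conn_info: connection description; only ``scheme``, ``hostname`` and
            ``username`` are read here.
        url: endpoint the empty authentication POST is sent to.
        agent: twisted web agent whose ``request`` method issues the POST.
        gss_client: an existing ``AuthGSSClient``; when ``None`` one is built
            from the ``<SCHEME>@<hostname>`` service name and ``conn_info``.

    Returns (via ``defer.returnValue``):
        The ``AuthGSSClient`` used for the exchange.

    Raises:
        UnauthorizedError: the server answered 401.
        ForbiddenError: the server answered 403.
        Exception: a GSSError surfaced while stepping the 401 response, any
            other non-200 status (message includes the decrypted body), or a
            200 whose WWW-Authenticate header is missing or carries no
            negotiate data.
    """
    service = '{0}@{1}'.format(conn_info.scheme.upper(), conn_info.hostname)
    if gss_client is None:
        gss_client = AuthGSSClient(
            service,
            conn_info)
    base64_client_data = yield gss_client.get_base64_client_data()
    auth = 'Kerberos {0}'.format(base64_client_data)
    k_headers = Headers(_CONTENT_TYPE)
    k_headers.addRawHeader('Authorization', auth)
    # The request carries only the initial GSS token, no body.
    k_headers.addRawHeader('Content-Length', '0')
    response = yield agent.request('POST', url, k_headers, None)
    # getRawHeaders() returns None when the header is absent (which can
    # happen on error responses); indexing [0] unguarded would raise a
    # TypeError that hides the real HTTP status handled below.
    www_authenticate = response.headers.getRawHeaders('WWW-Authenticate')
    auth_header = www_authenticate[0] if www_authenticate else None
    auth_details = (get_auth_details(auth_header)
                    if auth_header is not None else None)
    if response.code == httplib.UNAUTHORIZED:
        try:
            # Step the context with the server token only to surface a
            # descriptive GSSError; the step result itself is discarded.
            if auth_details:
                gss_client._step(auth_details)
        except kerberos.GSSError as e:
            msg = "HTTP Unauthorized received on kerberos initialization. "\
                "Kerberos error code {0}: {1}.".format(e.args[1][1], e.args[1][0])
            raise Exception(msg)
        raise UnauthorizedError(
            "HTTP Unauthorized received on initial kerberos request. Check username and password")
    elif response.code == httplib.FORBIDDEN:
        raise ForbiddenError(
            "Forbidden. Check WinRM port and version.")
    elif response.code != httplib.OK:
        # The body is run through gss_client.decrypt_body() before being
        # quoted -- assumes the server wraps error bodies too; TODO confirm.
        proto = _StringProtocol()
        response.deliverBody(proto)
        xml_str = yield proto.d
        xml_str = gss_client.decrypt_body(xml_str)
        raise Exception(
            "status code {0} received on initial kerberos request {1}"
            .format(response.code, xml_str))
    if not auth_details:
        raise Exception(
            'negotiate not found in WWW-Authenticate header: {0}'
            .format(auth_header))
    # NOTE(review): the server token from the 200 response is handed to
    # get_username(); presumably that is also where the GSS context is
    # completed (mutual authentication) -- confirm against AuthGSSClient.
    k_username = gss_client.get_username(auth_details)
    log.debug('kerberos auth successful for user: {0} / {1} '
              .format(conn_info.username, k_username))
    defer.returnValue(gss_client)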