search

pythongssapi / httpx-gssapi

A GSSAPI authentication handler for Python's HTTPX
Other
12 stars 3 forks source link

Problems with queries from windows host #2

Closed mchugh19 closed 4 years ago

mchugh19 commented 4 years ago

Hi all. Is this is working implementation?

I have a windows host running python 3.6. I've have a kerberos ticket through the usual windows AD mechanisms, but have also installed the MIT msi from https://web.mit.edu/KERBEROS/dist/

I can see my personal and computer's tickets with klist, but a quick test throws an error:

import httpx
from httpx_gssapi import HTTPSPNEGOAuth, OPTIONAL
gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=OPTIONAL)
r = httpx.get("https://localserver/api/v1.0/public/table/version_mapping", verify=False, auth=gssapi_auth)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\httpx\_api.py", line 170, in get
    trust_env=trust_env,
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\httpx\_api.py", line 96, in request
    allow_redirects=allow_redirects,
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\httpx\_client.py", line 601, in request
    request, auth=auth, allow_redirects=allow_redirects, timeout=timeout,
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\httpx\_client.py", line 621, in send
    request, auth=auth, timeout=timeout, allow_redirects=allow_redirects,
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\httpx\_client.py", line 648, in send_handling_redirects
    request, auth=auth, timeout=timeout, history=history
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\httpx\_client.py", line 693, in send_handling_auth
    raise exc from None
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\httpx\_client.py", line 688, in send_handling_auth
    next_request = auth_flow.send(response)
  File "c:\code\gits\httpx-gssapi\httpx_gssapi\gssapi_.py", line 113, in auth_flow
    yield from self.handle_response(response)
  File "c:\code\gits\httpx-gssapi\httpx_gssapi\gssapi_.py", line 121, in handle_response
    response = yield self.handle_401(response)
  File "c:\code\gits\httpx-gssapi\httpx_gssapi\gssapi_.py", line 138, in handle_401
    request = self.authenticate_user(response)
  File "c:\code\gits\httpx-gssapi\httpx_gssapi\gssapi_.py", line 229, in authenticate_user
    auth_header = self.generate_request_header(host, response)
  File "c:\code\gits\httpx-gssapi\httpx_gssapi\gssapi_.py", line 218, in generate_request_header
    gss_resp = self.context[host].step(token)
  File "<decorator-gen-15>", line 2, in step
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\gssapi\_utils.py", line 169, in check_last_err
    return func(self, *args, **kwargs)
  File "<decorator-gen-5>", line 2, in step
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\gssapi\_utils.py", line 129, in catch_and_return_token
    return func(self, *args, **kwargs)
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\gssapi\sec_contexts.py", line 521, in step
    return self._initiator_step(token=token)
  File "C:\code\gits\uthh-api\.venv\lib\site-packages\gssapi\sec_contexts.py", line 542, in _initiator_step
    token)
  File "gssapi\raw\sec_contexts.pyx", line 245, in gssapi.raw.sec_contexts.init_sec_context
  File "gssapi\raw\misc.pyx", line 219, in gssapi.raw.misc.GSSErrorRegistry.__call__
  File "gssapi\raw\misc.pyx", line 275, in gssapi.raw.misc.GSSError.__init__
  File "gssapi\raw\misc.pyx", line 326, in gssapi.raw.misc.GSSError.gen_message
  File "gssapi\raw\misc.pyx", line 294, in gssapi.raw.misc.GSSError.get_all_statuses
AttributeError: module 'locale' has no attribute 'LC_MESSAGES'
aiudirog commented 4 years ago

@frozencemetery This bug is actually in Python GSSAPI: locale doesn't have an LC_MESSAGES constant on Windows. (similar issue)

This code probably needs to be changed to something like:

try:
    msg_encoding = locale.getlocale(locale.LC_MESSAGES)[1] or 'UTF-8'
except AttributeError:  # Windows doesn't have LC_MESSAGES
    msg_encoding = 'UTF-8'

@mchugh19

Other than the above, this library should work but I haven't finished testing or cut an official release yet and the API should be considered unstable until I do.

Also, this error occurred while trying to render a GSSError so you may have run into an incompatibility between Windows SSPI and MIT Kerberos. If this is the case, you may have to kinit directly using MIT Kerberos instead of relying on the Windows AD system. More information in this previous comment.

frozencemetery commented 4 years ago

@aiudirog Do you mind opening a PR for that, or should I?

aiudirog commented 4 years ago

@frozencemetery Just opened a PR. Should be a simple one.

aiudirog commented 4 years ago

@frozencemetery Do you think we could cut a bug fix release so the wheels can be built?

frozencemetery commented 4 years ago

@aiudirog That's not entirely straightforward. The Windows releases broke like this and there's a problem with the Linux pipeline too that I don't understand since I was pretty sure I dry-ran all this...

aiudirog commented 4 years ago

Oh, those are some interesting new errors.... I honestly have no idea why both releases failed but the PR built it just fine. I compared the logs and everything seems to execute exactly the same up until that point where it can't find the extern functions.

frozencemetery commented 4 years ago

I think I fixed it so there should be updated wheels for 1.6.9 now. (We need to port away from should_be; see https://github.com/pythongssapi/python-gssapi/issues/215 )

aiudirog commented 4 years ago

Interesting, I don't immediately see how your changes fixed the Windows builds, but as long as it works.

@mchugh19 Can you upgrade gssapi to v1.6.9 and test it out?

mchugh19 commented 4 years ago

@aiudirog Looks like 1.6.9 corrected the stacktrace.

But even when I use MIT Kerbereos' kinit, I'm still getting authenticated denied, but that's likely on my end.

Thanks!