r-lib / httr

httr: a friendly http package for R
https://httr.r-lib.org

Kerberos authentication with flags #703

Closed fomcl closed 10 months ago

fomcl commented 2 years ago

Hi,

I am trying to make a kerberized request with the delegation flag set to a non-default value. The url below works from the browser and using Python (requests_kerberos). On the server I see a delegate_to_peer=1 flag in Python, but not in R. As a result, no delegated credentials are available on the server. Is there something I am doing wrong in the code below? Or am I using the wrong libcurl version? In issue #24 I noticed that curlVersion()$features includes gssnegotiate while below I only see spnego.

At any rate, I think the documentation would improve if an example such as the one below were included.

Albert-Jan

```
f:\Desktop>type krb_delegate.R
library("httr")
library("RCurl")

set_config(verbose())
url <- "http://<<lowercased_hostname_and_domain>>:5000/api/v1/whoami"
delegflags <- list(NONE=0, POLICY=1, ALWAYS=2)
httpauth <- httr:::auth_flags("gssnegotiate")
delegation <- config(proxy="", httpauth=httpauth, userpwd=":", gssapi_delegation=delegflags$POLICY)
resp <- httr::GET(url, config=delegation)
print(resp$status_code)
print(version$version.string)  # "R version 4.0.3 (2020-10-10)"
print(curl::curl_version()$version)  # "7.64.1"
print(curlVersion())
#print(authenticate)
#print(httr_options("gssapi_delegation"))
#delegflags: https://github.com/curl/curl/blob/master/include/curl/curl.h
```

```
f:\Desktop>rscript.exe krb_delegate.R
-> GET /api/v1/whoami HTTP/1.1
-> Host: <<lowercased_hostname_and_domain>>:5000
-> Authorization: Negotiate YIITJwYGKwYBBQUCoIITGzCCExegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCEuEEg
....(omitted for brevity)...
RAz/omPlk34P1yC3EQ2yP9nRddFLWGnb6PNQMZjettmLuf0EO7/QTxb99cr3mdgbIuke+qlQmBlvN4ec5dkpn13Wscg=
-> User-Agent: libcurl/7.64.1 r-curl/4.3 httr/1.4.2
-> Accept-Encoding: deflate, gzip
-> Accept: application/json, text/xml, application/xml, */*
->
<- HTTP/1.0 500 INTERNAL SERVER ERROR
<- Content-Type: application/json
<- Content-Length: 272
<- Server: Werkzeug/2.0.1 Python/3.6.8
<- Date: Wed, 29 Sep 2021 09:28:54 GMT
<-
[1] 500
[1] "R version 4.0.3 (2020-10-10)"
[1] "7.64.1"
$age
[1] 3

$version
[1] "7.40.0"

$vesion_num
[1] 468992

$host
[1] "x86_64-pc-win32"

$features
      ssl      libz      ntlm asynchdns    spnego largefile       idn      sspi
        4         8        16       128       256       512      1024      2048

$ssl_version
[1] "OpenSSL/1.0.0o"

$ssl_version_num
[1] 0

$libz_version
[1] "1.2.8"

$protocols
 [1] "dict"   "file"   "ftp"    "ftps"   "gopher" "http"   "https"  "imap"
 [9] "imaps"  "ldap"   "pop3"   "pop3s"  "rtmp"   "rtsp"   "scp"    "sftp"
[17] "smtp"   "smtps"  "telnet" "tftp"

$ares
[1] ""

$ares_num
[1] 0

$libidn
[1] ""
```

For reference, this is the working Python code.

```python
import socket
from http import HTTPStatus
from urllib.parse import urlparse

import requests
from requests_kerberos import HTTPKerberosAuth

url = "http://my-kerberized-api:5000/api/v1/whoami"
host, port = urlparse(url).netloc.split(":")
canonhost = socket.getfqdn(host)
kwargs = dict(hostname_override=canonhost, delegate=True)
auth = HTTPKerberosAuth(**kwargs)
resp = requests.get(url, auth=auth)
assert resp.status_code == HTTPStatus.OK
```

fomcl commented 2 years ago

Possibly related: https://github.com/curl/curl/issues/2859 It seems that we only support the delegation flag in GSSAPI (and the policy option, only if the gss library supports GSS_C_DELEG_POLICY_FLAG), not in SSPI.
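
The rule quoted in the comment above (the delegation flag is supported with GSS-API but not with SSPI) can be checked against the feature bitmask a libcurl build reports about itself. This is an added example, not code from the issue or from httr; `decode_features`, `delegation_outcome` and the two sample masks are hypothetical names and constructed values, and it assumes a libcurl recent enough to report the `gssapi` feature bit.

```python
# Added example: decide whether libcurl's gssapi_delegation option can take
# effect, given the feature bitmask a libcurl build reports about itself.

# The CURL_VERSION_* feature bits relevant here (include/curl/curl.h).
CURL_FEATURE_BITS = {
    "ipv6": 1 << 0, "kerberos4": 1 << 1, "ssl": 1 << 2, "libz": 1 << 3,
    "ntlm": 1 << 4, "gssnegotiate": 1 << 5, "debug": 1 << 6,
    "asynchdns": 1 << 7, "spnego": 1 << 8, "largefile": 1 << 9,
    "idn": 1 << 10, "sspi": 1 << 11, "gssapi": 1 << 17,
}

# Same values as the delegflags list in the R script above.
DELEGATION = {"NONE": 0, "POLICY": 1, "ALWAYS": 2}


def decode_features(mask):
    """Return the names of the known feature bits set in mask, lowest bit first."""
    return [name for name, bit in CURL_FEATURE_BITS.items() if mask & bit]


def delegation_outcome(mask, requested):
    """Classify what happens to a requested delegation level (hypothetical helper).

    Returns "not-requested", "honoured", "conditional", "ignored" or "unavailable".
    """
    if requested not in DELEGATION:
        raise ValueError(f"unknown delegation level: {requested!r}")
    if DELEGATION[requested] == 0:
        return "not-requested"
    features = decode_features(mask)
    if "gssapi" in features:
        # POLICY only works when the GSS library defines GSS_C_DELEG_POLICY_FLAG.
        return "conditional" if requested == "POLICY" else "honoured"
    if "sspi" in features:
        # SSPI build: the delegation flag is not supported (curl issue #2859).
        return "ignored"
    return "unavailable"  # neither GSS-API nor SSPI reported


# Constructed from the $features listing above: the sum of the eight values.
PAGE_MASK = 4 + 8 + 16 + 128 + 256 + 512 + 1024 + 2048  # 3996
# Constructed GSS-API build for comparison (not from the page).
GSSAPI_MASK = (CURL_FEATURE_BITS["ssl"] | CURL_FEATURE_BITS["spnego"]
               | CURL_FEATURE_BITS["gssapi"])

if __name__ == "__main__":
    print(decode_features(PAGE_MASK))
    for level in DELEGATION:
        print(level, delegation_outcome(PAGE_MASK, level),
              delegation_outcome(GSSAPI_MASK, level))
```

The `$features` listing on this page was printed by RCurl, whose libcurl reports version 7.40.0, while the request's User-Agent shows libcurl/7.64.1, so the mask should come from the library that actually sends the request.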

hadley commented 10 months ago

httr has been superseded in favour of httr2, so is no longer under active development. If this problem is still important to you in httr2, I'd suggest filing an issue over there 😄. Thanks for using httr!