Merge lp:~fpytloun/duplicity/webdav-gssapi into lp:~duplicity-team/duplicity/0.7-series

Proposed by Filip Pytloun
Status: Merged
Merged at revision: 1184
Proposed branch: lp:~fpytloun/duplicity/webdav-gssapi
Merge into: lp:~duplicity-team/duplicity/0.7-series
Diff against target: 51 lines (+15/-1)
2 files modified
debian/control (+1/-0)
duplicity/backends/webdavbackend.py (+14/-1)
To merge this branch: bzr merge lp:~fpytloun/duplicity/webdav-gssapi
Reviewer: edso
Review status: Needs Fixing
Review via email: mp+284223@code.launchpad.net
lp:~fpytloun/duplicity/webdav-gssapi updated
1184. By Kenneth Loafman

* Merged in lp:~fpytloun/duplicity/webdav-gssapi
  - support GSSAPI authentication in webdav backend

edso (ed.so) wrote :

hey Filip, Ken,

the change introduced an unnecessary dependency on kerberos.

Filip: would you mind reworking it (be aware it is merged already) in a way that the kerberos part is kept completely in get_kerberos_authorization()? you can move the import kerberos there as well and if it fails when needed, just log an error message but continue with basic auth.
also add the kerberos needed info to the manpage bin/duplicity REQUIREMENTS section as optional if people want to do kerberos auth.

Ken: agreed?

..ede/duply.net

review: Needs Fixing
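
An added example, not code from duplicity or from the reworked branch, of the arrangement requested above: the kerberos import and every GSSAPI call stay in one function, a failure is logged, and Basic is used only if the server offered it. The function names, the logger name and the injectable importer parameter are assumptions made for this example; the kerberos calls are those of the python-kerberos module used in the diff, plus authGSSClientClean.

```python
import base64
import importlib
import logging
from urllib.request import parse_http_list

log = logging.getLogger("webdav-auth-example")  # hypothetical logger name


def offered_schemes(auth_hdr):
    """Scheme names in a WWW-Authenticate value, which may list several."""
    schemes = []
    for item in parse_http_list(auth_hdr):  # splits on commas outside quotes
        first = item.split(None, 1)[0] if item else ""
        if first and "=" not in first:  # 'nonce="..."' is a parameter
            schemes.append(first.lower())
    return schemes


def kerberos_header(host, importer=importlib.import_module):
    """Return 'Negotiate <token>', or None when GSSAPI cannot be used."""
    try:
        kerberos = importer("kerberos")  # optional module, loaded on demand
    except ImportError:
        log.error("python-kerberos is not installed, skipping Negotiate")
        return None
    ctx = None
    try:
        _, ctx = kerberos.authGSSClientInit("HTTP@%s" % host)
        kerberos.authGSSClientStep(ctx, "")
        return "Negotiate %s" % kerberos.authGSSClientResponse(ctx)
    except kerberos.GSSError as exc:
        log.error("GSSAPI authentication failed: %s", exc)
        return None
    finally:
        if ctx is not None:
            kerberos.authGSSClientClean(ctx)  # release the GSS context


def authorization(auth_hdr, host, username, password, importer=importlib.import_module):
    """Pick an Authorization header from the schemes the server offered."""
    schemes = offered_schemes(auth_hdr)
    if "negotiate" in schemes:
        header = kerberos_header(host, importer)
        if header:
            return header
    if "basic" in schemes:  # fall back only if the server offered Basic
        creds = ("%s:%s" % (username, password)).encode("utf-8")
        return "Basic " + base64.b64encode(creds).decode("ascii")
    return None
```
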
Kenneth Loafman (kenneth-loafman) wrote :

Agreed. I missed that.

On Wed, Feb 3, 2016 at 11:18 AM, edso <email address hidden> wrote:

> Review: Needs Fixing
>
> hey Filip, Ken,
>
> the change introduced an unnecessary dependency on kerberos.
>
> Filip: would you mind reworking it (be aware it is merged already) in a
> way that the kerberos part is kept completely in
> get_kerberos_authorization()? you can move the import kerberos there as
> well and if it fails when needed, just log an error message but continue
> with basic auth.
> also add the kerberos needed info to the manpage bin/duplicity
> REQUIREMENTS section as optional if people want to do kerberos auth.
>
> Ken: agreed?
>
> ..ede/duply.net
> --
> https://code.launchpad.net/~fpytloun/duplicity/webdav-gssapi/+merge/284223
> You are subscribed to branch lp:duplicity.
>

Filip Pytloun (fpytloun) wrote :

Hello,

here's reworked version:
https://code.launchpad.net/~fpytloun/duplicity/webdav-gssapi-fix/+merge/285158

Filip

On 2016/02/03 17:18, edso wrote:
> Review: Needs Fixing
>
> hey Filip, Ken,
>
> the change introduced an unnecessary dependency on kerberos.
>
> Filip: would you mind reworking it (be aware it is merged already) in a way that the kerberos part is kept completely in get_kerberos_authorization()? you can move the import kerberos there as well and if it fails when needed, just log an error message but continue with basic auth.
> also add the kerberos needed info to the manpage bin/duplicity REQUIREMENTS section as optional if people want to do kerberos auth.
>
> Ken: agreed?
>
> ..ede/duply.net
> --
> https://code.launchpad.net/~fpytloun/duplicity/webdav-gssapi/+merge/284223
> You are the owner of lp:~fpytloun/duplicity/webdav-gssapi.

Preview Diff

1=== modified file 'debian/control'
2--- debian/control 2014-10-27 14:15:52 +0000
3+++ debian/control 2016-01-28 08:15:43 +0000
4@@ -30,6 +30,7 @@
5 Suggests: ncftp,
6 python-boto,
7 python-paramiko,
8+ python-kerberos,
9 Description: encrypted bandwidth-efficient backup
10 Duplicity backs directories by producing encrypted tar-format volumes
11 and uploading them to a remote or local file server. Because duplicity
12
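Review bot: The 'python-kerberos,' entry under Suggests (line 8) is the only place this change documents the new optional dependency, and it covers Debian packaging only. Users installing from source get no hint, so the REQUIREMENTS section of the bin/duplicity man page should list python-kerberos as optional for Kerberos/GSSAPI authentication in the WebDAV backend. Suggests is also only accurate if the backend still loads when the package is not installed.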
13=== modified file 'duplicity/backends/webdavbackend.py'
14--- duplicity/backends/webdavbackend.py 2016-01-25 16:21:48 +0000
15+++ duplicity/backends/webdavbackend.py 2016-01-28 08:15:43 +0000
16@@ -28,6 +28,7 @@
17 import urllib
18 import urllib2
19 import urlparse
20+import kerberos
21 import xml.dom.minidom
22
23 import duplicity.backend
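Review bot: The module-level 'import kerberos' at line 20 makes python-kerberos a hard requirement of the whole WebDAV backend: when the package is absent the import raises ImportError as the module loads, so users of Basic and Digest authentication are affected although they never negotiate. Move the import into get_kerberos_authorization() and handle ImportError there (log it and let the caller fall back), which also matches the Suggests-level dependency declared in debian/control.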
24@@ -232,7 +233,13 @@
25 token, challenge = auth_hdr.split(' ', 1)
26 except ValueError:
27 return None
28- if token.lower() == 'basic':
29+ if token.split(',')[0].lower() == 'negotiate':
30+ try:
31+ return self.get_kerberos_authorization()
32+ except kerberos.GSSError:
33+ # Fallback to basic auth
34+ return self.get_basic_authorization()
35+ elif token.lower() == 'basic':
36 return self.get_basic_authorization()
37 else:
38 self.digest_challenge = self.parse_digest_challenge(challenge)
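Review bot: The fallback in the 'except kerberos.GSSError' branch (lines 32-34) silently answers a Negotiate challenge with Basic credentials, without checking that the server offered Basic and without logging why GSSAPI failed. Log the GSSError and return get_basic_authorization() only when Basic is among the offered schemes, so the password is not sent to a server that asked only for Negotiate. The unchanged "auth_hdr.split(' ', 1)" at line 25 also interacts badly with the new branch: a bare 'Negotiate' challenge contains no space, raises ValueError and returns None before line 29 is reached. Finally, line 29 strips a trailing comma with split(',') while the 'basic' test at line 35 does not, so the two schemes are matched inconsistently when several are listed in one header.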
39@@ -241,6 +248,12 @@
40 def parse_digest_challenge(self, challenge_string):
41 return urllib2.parse_keqv_list(urllib2.parse_http_list(challenge_string))
42
43+ def get_kerberos_authorization(self):
44+ _, ctx = kerberos.authGSSClientInit("HTTP@%s" % self.conn.host)
45+ kerberos.authGSSClientStep(ctx, "")
46+ tgt = kerberos.authGSSClientResponse(ctx)
47+ return 'Negotiate %s' % tgt
48+
49 def get_basic_authorization(self):
50 """
51 Returns the basic auth header
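Review bot: get_kerberos_authorization() (lines 43-47) discards the result code of kerberos.authGSSClientInit() by binding it to '_', ignores the return value of authGSSClientStep(), and never releases the context with kerberos.authGSSClientClean(ctx). Check the result codes, or state that the method relies on GSSError alone, and clean the context in a finally block. The method also lacks a docstring, unlike get_basic_authorization() directly below it, and 'tgt' is a misleading name: authGSSClientResponse() returns the token for the HTTP@host service, not a ticket-granting ticket.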
