Replace deprecated Ntlm() with NtlmContext() #116
Conversation
|
Tests are failing, but it looks unrelated to my changes: Upstream issue: z4r/python-coveralls#66 |
NtlmContext does not have a create_negotiate_message method. Replace with what Ntlm.create_negotiate_message() did.
|
Tests are now green. I had to add some unrelated changes to the Travis setup to get the tests through. I think someone needs to add this project to the setup at https://coveralls.io/github/requests if we want to see the coverage report again. @Lukasa Can you have a look at this PR? |
|
Ping? |
|
@jborean93 Can you have a look at this PR? |
| server_certificate_hash=server_certificate_hash | ||
| ) | ||
| authenticate_message = authenticate_message.decode('ascii') | ||
| context._server_certificate_hash = server_certificate_hash |
There was a problem hiding this comment.
Instead of setting this we should be passing in a CBT object to NtlmContext on initialisation through the cbt_data kwarg. The _server_certificate_hash attribute is only used for backwards compat with Ntlm() in ntlm-auth and will be removed if I ever get to removing Ntlm().
What you need to do instead is change _get_certificate_hash() to return certificate_hash_bytes and don't worry about using hexlify there. Then you can create the CBT struct with:
from ntlm_auth.gss_channel_bindings import GssChannelBindingsStruct
cbt_data = GssChannelBindingsStruct()
cbt_data[cbt_data.APPLICATION_DATA] = b'tls-server-end-point:' + server_certificate_hash
It might be a good idea to change the variable name server_certificate_hash to b_server_cert_hash to make sure people are aware that it is a byte string.
| @@ -131,7 +131,7 @@ def retry_using_http_NTLM_auth(self, auth_header_field, auth_header, | |||
| response3.history.append(response2) | |||
|
|
|||
| # Get the session_security object created by ntlm-auth for signing and sealing of messages | |||
| self.session_security = context.session_security | |||
| self.session_security = context._session_security | |||
There was a problem hiding this comment.
This one is a tricky one, technically the wrap and unwrap methods of NtlmContext() should be used instead but unfortunately unwrap on NtlmContext has a different signature than the one of session_security. While this works I don't really want to rely on _ prefixed attributes because they aren't really guaranteed to stay stable over different releases.
What I recommend is to add a session_security property to this class like so:
@property
def session_security(self):
warnings.warn("Deprecated property session_security, the wrap and unwrap methods should be accessed using the host context ntlm.contexts['hostname'].wrap/unwrap instead.", DeprecationWarning)
return next(iter(self.contexts))._session_security
This also requires us to store the NtlmContext as a property in requests-ntlm. This is done in a similar way with requests-kerberos where the context is stored in a dict that's indexed with the hostname of the request. You can see that requests-kerberos uses urlparse from requests.compat import urlparse to get the hostname from the request and that is passed into the retry method. From there the context that is initialized is stored in self.contexts[hostname].
Doing this means that other libraries that rely on the wrapping and unwrapping functions provided by session_security aren't broken in the next release, are warned about it being deprecated here and are offered the alternative.
|
This has been superseded by #126. |
Fixes #111
Fixes #108