Use the admin creds in the HTTPClient when necessary #85
|
@ -6,7 +6,7 @@ from requests_gssapi import HTTPSPNEGOAuth
|
|||
from zope import component
|
||||
from zope.interface import implementer
|
||||
|
||||
from ceo_common.interfaces import IConfig, IHTTPClient
|
||||
from ceo_common.interfaces import IConfig, IHTTPClient, IKerberosService
|
||||
|
||||
|
||||
@implementer(IHTTPClient)
|
||||
|
@ -40,10 +40,18 @@ class HTTPClient:
|
|||
'opportunistic_auth': True,
|
||||
'target_name': gssapi.Name('ceod/' + host),
|
||||
}
|
||||
if flask.has_request_context() and 'client_token' in g:
|
||||
if flask.has_request_context():
|
||||
# This is reached when we are the server and the client has
|
||||
# forwarded their credentials to us.
|
||||
spnego_kwargs['creds'] = gssapi.Credentials(token=g.client_token)
|
||||
token = None
|
||||
if g.get('need_admin_creds', False):
|
||||
# Some Kerberos bindings in some programming languages can't
|
||||
# perform delegation, so use the admin creds here.
|
||||
token = component.getUtility(IKerberosService).get_admin_creds_token()
|
||||
elif 'client_token' in g:
|
||||
token = g.client_token
|
||||
if token is not None:
|
||||
spnego_kwargs['creds'] = gssapi.Credentials(token=token)
|
||||
elif delegate:
|
||||
# This is reached when we are the client and we want to
|
||||
# forward our credentials to the server.
|
||||
|
|
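Review bot: In the second hunk the `need_admin_creds` branch is tested before `'client_token' in g`, so whenever that flag is set the outgoing request to `ceod/<host>` authenticates as the admin principal and the caller's forwarded identity is dropped. The code that sets `g.need_admin_creds` is outside this hunk, so it is not visible whether the caller was authorized first, and the downstream service can no longer enforce or audit per-user access for these calls. I would state the contract at the branch, e.g. `# need_admin_creds must only be set after the caller has been authorized; downstream sees the admin principal, not the client.`, and log the original principal when this path is taken. If `get_admin_creds_token()` can return None, no `creds` entry is set and the request presumably falls back to the process's default credentials without an error, so an explicit failure there would be safer. The enclosing method starts and ends outside the hunk.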