Use the admin creds in the HTTPClient when necessary #85
|
@ -6,7 +6,7 @@ from requests_gssapi import HTTPSPNEGOAuth
|
||||||
from zope import component
|
from zope import component
|
||||||
from zope.interface import implementer
|
from zope.interface import implementer
|
||||||
|
|
||||||
from ceo_common.interfaces import IConfig, IHTTPClient
|
from ceo_common.interfaces import IConfig, IHTTPClient, IKerberosService
|
||||||
|
|
||||||
|
|
||||||
@implementer(IHTTPClient)
|
@implementer(IHTTPClient)
|
||||||
|
@ -40,10 +40,18 @@ class HTTPClient:
|
||||||
'opportunistic_auth': True,
|
'opportunistic_auth': True,
|
||||||
'target_name': gssapi.Name('ceod/' + host),
|
'target_name': gssapi.Name('ceod/' + host),
|
||||||
}
|
}
|
||||||
if flask.has_request_context() and 'client_token' in g:
|
if flask.has_request_context():
|
||||||
# This is reached when we are the server and the client has
|
# This is reached when we are the server and the client has
|
||||||
# forwarded their credentials to us.
|
# forwarded their credentials to us.
|
||||||
spnego_kwargs['creds'] = gssapi.Credentials(token=g.client_token)
|
token = None
|
||||||
|
if g.get('need_admin_creds', False):
|
||||||
|
# Some Kerberos bindings in some programming languages can't
|
||||||
|
# perform delegation, so use the admin creds here.
|
||||||
|
token = component.getUtility(IKerberosService).get_admin_creds_token()
|
||||||
|
elif 'client_token' in g:
|
||||||
|
token = g.client_token
|
||||||
|
if token is not None:
|
||||||
|
spnego_kwargs['creds'] = gssapi.Credentials(token=token)
|
||||||
elif delegate:
|
elif delegate:
|
||||||
# This is reached when we are the client and we want to
|
# This is reached when we are the client and we want to
|
||||||
# forward our credentials to the server.
|
# forward our credentials to the server.
|
||||||
|
|
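Review bot: The new `need_admin_creds` branch replaces the caller's forwarded credentials with the service's admin credentials on the strength of one flag on `flask.g`, and nothing visible in this hunk shows where that flag is set or that the caller was authorized first, so the client can act as a confused deputy. I would state the invariant at the branch, e.g. `# need_admin_creds may only be set by server code after the caller has been authorized; never derive it from request data`, and record the original client principal when this path is taken so the downstream request stays attributable. Separately, dropping `'client_token' in g` from the outer condition means a request context with neither the flag nor a token now skips `elif delegate:` entirely, whereas the old code fell through to it; if that is intended it deserves a comment. The enclosing method starts and ends outside this hunk, so how `spnego_kwargs` is used afterwards is not visible here.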