apipie-bindings 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5c27168a737308891f84a0437f14b21247d4054651f698f888ef3a5e80dced00
-  data.tar.gz: 6d68349f382e9282d5674db0e175280d05952ea35004a6dc525d896b93ae46c6
+  metadata.gz: e93c13921f92db59b1bd280310cb4ace26fe6767f97671e4c895cbc7acc04c9e
+  data.tar.gz: fa4bcb25505765dcf6e8c8664465ba068f82fa3e3709466d25b8a359b66ca75d
 SHA512:
-  metadata.gz: eeb6522be945abe8c90588ac382751e4cf0ece7b898ae233def0a73d9d621264ee5bb4494e5da4921a75cde2af8fe078be3aa4875441e54390417b9948ff75b5
-  data.tar.gz: 1ac904b2c5e2ea670246619fe8d1e5b3450cc7567f716692506311e0ce5a0130191862e71e9ef253fcb87437a88fa9213ab3e93b57a902f7d0f6c056c2c18f04
+  metadata.gz: f0e5ad7af8416017fda3a1d6bca9e95ccfbfacc6a0322c66b640975dcaa2af20dba421ea0d09274b473d101c45bdebf88f02102c828a2db6a5a189800274f3ba
+  data.tar.gz: 1caa898dc4998246a0d0843423904f6bc4fb18a230918e841d5f84f560d3c4090ede054ad6c4de4cee4ca44ffdcff74370f95e9356460eaa1c2fb3772e45c666

data/doc/release_notes.md

@@ -1,5 +1,8 @@
 Release notes
 =============
+### 0.5.0 (2022-05-10)
+* Add support for kerberos negotiate auth ([PR #81](https://github.com/Apipie/apipie-bindings/pull/81))
+
 ### 0.4.0 (2020-05-29)
 * support Ruby 2.7 ([PR #79](https://github.com/Apipie/apipie-bindings/pull/79))
 

data/lib/apipie_bindings/authenticators/base.rb

@@ -1,6 +1,13 @@
 module ApipieBindings
   module Authenticators
     class Base
+      # In case an authenticator needs to make an authentication call
+      # before the original one you might want to set auth_cookie
+      # returned by the server to be available for futher processing
+      # (e.g. saving the session id) since it may contain session id
+      # to use with all the next calls
+      attr_reader :auth_cookie
+
       def authenticate(request, args)
       end
 

data/lib/apipie_bindings/authenticators/negotiate.rb

@@ -0,0 +1,65 @@
+require 'apipie_bindings/authenticators/base'
+require 'gssapi'
+
+module ApipieBindings
+  module Authenticators
+    # Negotiate authenticator
+    # Implements gssapi negotiation with preexisting kerberos ticket
+    # Requires a authentication url, the authentication request will be against.
+    # This url needs to support auth negotiation and after successful auth it should return 'set-cookie' header with session.
+    # This session will be initiated in the auth request and the original request will be made with this cookie.
+    # Next requests should be already skip the negotiation, please implement Session support in your client, for not using the negotiation on every request.
+    class Negotiate < Base
+
+      # Creates new authenticator for Negotiate auth
+      # @param [String] url to make authentication request to.
+      # @param [Hash] auth_request_options passed to RestClient::Request - especially for SSL options
+      #   see https://github.com/rest-client/rest-client/blob/master/lib/restclient/request.rb.
+      # @option service service principal used for gssapi tickets - defaults to HTTP.
+      # @option method http method used for the auth request - defaults to 'get'.
+      def initialize(authorization_url, auth_request_options = {})
+        @authorization_url = authorization_url
+        @service = auth_request_options.delete(:service) || 'HTTP'
+        auth_request_options[:method] ||= 'get'
+        @auth_request_options = auth_request_options
+      end
+
+      def error(ex)
+        if ex.is_a?(GSSAPI::GssApiError)
+          raise ApipieBindings::AuthenticatorError.new(:negotiate, :no_context, ex)
+        elsif ex.is_a?(ApipieBindings::ConfigurationError)
+          raise ApipieBindings::AuthenticatorError.new(:negotiate, :configuration, ex)
+        else
+          raise ex
+        end
+      end
+
+      def authenticate(original_request, args)
+        uri = URI.parse(@authorization_url)
+        @gsscli = GSSAPI::Simple.new(uri.host, @service)
+
+        token = @gsscli.init_context
+        headers = { 'Authorization' => "Negotiate #{Base64.strict_encode64(token)}" }
+
+        RestClient::Request.execute(@auth_request_options.merge(headers: headers, url: @authorization_url)) do |response, request, raw_response|
+          if response.code == 401
+            raise RestClient::Unauthorized.new(response), 'Negotiation authentication did not pass.'
+          end
+          if response.code == 302 && response.headers[:location].end_with?('/users/login')
+            raise ApipieBindings::ConfigurationError, 'Server misconfiguration detected'
+          end
+
+          # This part is only for next calls, that could be simplified if all resources are behind negotiate auth
+          itok = Array(raw_response['WWW-Authenticate']).pop.split(/\s+/).last
+          @gsscli.init_context(Base64.strict_decode64(itok)) # The context should now return true
+
+          cookie = raw_response['set-cookie'].split('; ')[0]
+          @auth_cookie = cookie
+          original_request['Cookie'] = cookie
+        end
+
+        original_request
+      end
+    end
+  end
+end

data/lib/apipie_bindings/authenticators.rb

@@ -1,4 +1,5 @@
 require 'apipie_bindings/authenticators/basic_auth'
 require 'apipie_bindings/authenticators/credentials_legacy'
 require 'apipie_bindings/authenticators/oauth'
+require 'apipie_bindings/authenticators/negotiate'
 require 'apipie_bindings/authenticators/token_auth'

data/lib/apipie_bindings/exceptions.rb

@@ -33,4 +33,13 @@ module ApipieBindings
     end
   end
 
+  class AuthenticatorError < StandardError
+    attr_reader :type, :cause, :original_error
+
+    def initialize(type, cause, original_error)
+      @type = type
+      @cause = cause
+      @original_error = original_error
+    end
+  end
 end

data/lib/apipie_bindings/version.rb

@@ -1,5 +1,5 @@
 module ApipieBindings
   def self.version
-    @version ||= Gem::Version.new '0.4.0'
+    @version ||= Gem::Version.new '0.5.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apipie-bindings
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Martin Bačovský
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-29 00:00:00.000000000 Z
+date: 2022-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -58,6 +58,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: gssapi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -184,6 +198,7 @@ files:
 - lib/apipie_bindings/authenticators/base.rb
 - lib/apipie_bindings/authenticators/basic_auth.rb
 - lib/apipie_bindings/authenticators/credentials_legacy.rb
+- lib/apipie_bindings/authenticators/negotiate.rb
 - lib/apipie_bindings/authenticators/oauth.rb
 - lib/apipie_bindings/authenticators/token_auth.rb
 - lib/apipie_bindings/credentials.rb
@@ -256,8 +271,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: The Ruby bindings for Apipie documented APIs