rubysspi 1.2.4 → 1.3

data/CHANGELOG.txt

@@ -1,3 +1,10 @@
+== 1.3
+ * Updated library to work with either "Negotiate" or "NTLM" authorization schemes. Arguments to Win32::SSPI.get_initial_token have changed
+   but that should only impact code directly using the library. Net::HTTP support still works the same.
+   
+== 1.2.5
+ * Fixed patching on net/http so hard-coded paths are not used, but paths from rbconfig.
+ 
 == 1.2.4
  * Compatibility updates for rubygems 1.2.0
  

data/Rakefile

@@ -6,7 +6,7 @@ require 'rake/testtask'
 spec = Gem::Specification.new do |s|
 	s.name = "rubysspi"
 	s.summary = "A library which implements Ruby bindings to the Win32 SSPI library. Also includes a module to add Negotiate authentication support to Net::HTTP."
-	s.version = "1.2.4"
+	s.version = "1.3"
 	s.author = "Justin Bailey"
 	s.email = "jgbailey @nospam@ gmail.com"
 	s.homepage = "http://rubyforge.org/projects/rubysspi/"

data/bin/apply_sspi_patch

@@ -62,20 +62,21 @@ unless spec
 	exit
 end
 
-gem_path = Pathname.new(spec.full_gem_path) + "lib"
+gem_path = (Pathname.new(spec.full_gem_path) + "lib").sub(Config::TOPDIR, "\#{Config::TOPDIR}")
 
 # Write patch file. 
 puts "Creating patch file to replace #{orig_file}"
 orig_file.open("w") { |f| f.write(<<EOS) }
 # Include original net/http
 require 'net/#{orig_dest.basename(orig_dest.extname)}'
+require 'rbconfig'
 
 # This magic constant can be defined to disable the patch. 
 unless defined? DISABLE_RUBY_SSPI_PATCH
 	# Because rubygems >= 0.9.2 requires net/http, 
 	# we can't depend on ruby gems here. Instead, directly
 	# require path containing RubySSPI gem.
-	$: << "#{gem_path}" unless $:.include?("#{gem_path}")
+	$: << %(#{gem_path}) unless $:.include?(%(#{gem_path}))
   require 'win32/sspi/http_proxy_patch'
 end
 EOS

data/lib/win32/sspi.rb

@@ -224,9 +224,14 @@ module Win32
 				raise "http must respond to :get" unless http.respond_to?(:get)
 				nego_auth = self.new user, domain
 	      
-				resp = http.get path, { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
-				if resp["Proxy-Authenticate"]
+				resp = http.get path, { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token("Negotiate") }
+				# Negotiate may not be supported, so we need to look for NTLM too.
+				
+				if resp["Proxy-Authenticate"].include? "Negotiate"
 					resp = http.get path, { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(resp["Proxy-Authenticate"].split(" ").last.strip) }
+				elsif resp["Proxy-Authenticate"].include? "NTLM"
+					resp = http.get path, { "Proxy-Authorization" => "NTLM " + nego_auth.get_initial_token("NTLM") }
+					resp = http.get path, { "Proxy-Authorization" => "NTLM " + nego_auth.complete_authentication(resp["Proxy-Authenticate"].split(" ").last.strip) }
 				end
 
 				resp
@@ -247,9 +252,11 @@ module Win32
 
 			# Gets the initial Negotiate token. Returns it as a base64 encoded string suitable for use in HTTP. Can
 			# be easily decoded, however.
-			def get_initial_token
+			#
+			# auth_type is the authentication method being used. It is usually "Negotiate" or "NTLM".
+			def get_initial_token(auth_type)
 				raise "This object is no longer usable because its resources have been freed." if @cleaned_up
-				get_credentials
+				get_credentials auth_type
 
 				outputBuffer = SecurityBuffer.new
 				@context = CtxtHandle.new
@@ -275,7 +282,7 @@ module Win32
 				# Nil token OK, just set it to empty string      
 				token = "" if token.nil?
 
-				if token.include? "Negotiate"
+				if token.include?("Negotiate") || token.include?("NTLM")
 					# If the Negotiate prefix is passed in, assume we are seeing "Negotiate <token>" and get the token.
 					token = token.split(" ").last
 				end
@@ -314,11 +321,13 @@ module Win32
 			end
 
 			# Gets credentials based on user, domain or both. If both are nil, an error occurs
-			def get_credentials
+			#
+			# auth_type is the authentication type being used. It usually either "Negotiate" or "NTLM".
+			def get_credentials(auth_type)
 				@credentials = CredHandle.new
 				ts = TimeStamp.new
 				@identity = Identity.new @user, @domain
-				result = SSPIResult.new(API::AcquireCredentialsHandle.call(nil, "Negotiate", SECPKG_CRED_OUTBOUND, nil, @identity.to_p, 
+				result = SSPIResult.new(API::AcquireCredentialsHandle.call(nil, auth_type, SECPKG_CRED_OUTBOUND, nil, @identity.to_p, 
 					nil, nil, @credentials.to_p, ts.to_p))
 				raise "Error acquire credentials: #{result}" unless result.ok?
 			end

data/lib/win32/sspi/http_proxy_patch.rb

@@ -78,10 +78,10 @@ module Net
             end_transport req, res
             begin_transport req
             if proxy?
-              req["Proxy-Authorization"] = "#{tok} #{n.get_initial_token}"
+              req["Proxy-Authorization"] = "#{tok} #{n.get_initial_token(tok)}"
               req["Proxy-Connection"] = "Keep-Alive"
             else
-              req["Authorization"] = "#{tok} #{n.get_initial_token}"
+              req["Authorization"] = "#{tok} #{n.get_initial_token(tok)}"
             end
             # Some versions of ISA will close the connection if this isn't present.
             req["Connection"] = "Keep-Alive"

data/test/test_ruby_sspi.rb

@@ -32,8 +32,16 @@ class NTLMTest < Test::Unit::TestCase
     
     Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
       nego_auth = Win32::SSPI::NegotiateAuth.new 
-      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
-      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token("Negotiate") }
+      if sr["Proxy-Authenticate"].include? "Negotiate"
+	      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+			elsif sr["Proxy-Authenticate"].include? "NTLM"
+				sr = http.get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.get_initial_token("NTLM") }
+				resp = http.get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+      else
+				raise "Proxy-Authentica method must be either NTLM or Negotiate. Got #{sr["Proxy-Authenticate"].inspect}"
+      end
+      
       # Google redirects to country of origins domain if not US.
       assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
       resp = http.get "/foobar.html"
@@ -56,8 +64,17 @@ class NTLMTest < Test::Unit::TestCase
     
     Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
       nego_auth = Win32::SSPI::NegotiateAuth.new 
-      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
-      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token("Negotiate") }
+
+      if sr["Proxy-Authenticate"].include? "Negotiate"
+	      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+			elsif sr["Proxy-Authenticate"].include? "NTLM"
+				sr = http.get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.get_initial_token("NTLM") }
+				resp = http.get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+      else
+				raise "Proxy-Authentica method must be either NTLM or Negotiate. Got #{sr["Proxy-Authenticate"].inspect}"
+      end
+      
       assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
       assert_raises(RuntimeError, "Should not be able to call complete_authentication again") do
         nego_auth.complete_authentication "foo"
@@ -71,19 +88,38 @@ class NTLMTest < Test::Unit::TestCase
     # Test that raw token works
     Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
       nego_auth = Win32::SSPI::NegotiateAuth.new 
-      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
-      token = Base64.decode64(sr["Proxy-Authenticate"].split(" ").last.strip)
-      completed_token = nego_auth.complete_authentication(token)
-      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + completed_token }
-      assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token("Negotiate") }
+
+      if sr["Proxy-Authenticate"].include? "Negotiate"
+				token = Base64.decode64(sr["Proxy-Authenticate"].split(" ").last.strip)
+				completed_token = nego_auth.complete_authentication(token)
+				resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + completed_token }
+				assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+			elsif sr["Proxy-Authenticate"].include? "NTLM"
+				sr = http.request_get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.get_initial_token("NTLM") }
+				token = Base64.decode64(sr["Proxy-Authenticate"].split(" ").last.strip)
+				completed_token = nego_auth.complete_authentication(token)
+				resp = http.get "/", { "Proxy-Authorization" => "NTLM " + completed_token }
+				assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+      else
+				raise "Proxy-Authentica method must be either NTLM or Negotiate. Got #{sr["Proxy-Authenticate"].inspect}"
+      end
     end
 
     # Test that token w/ "Negotiate" header included works
     Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
       nego_auth = Win32::SSPI::NegotiateAuth.new 
-      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
-      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"]) }
-      assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token("Negotiate") }
+      if sr["Proxy-Authenticate"].include? "Negotiate"
+				resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"]) }
+				assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+			elsif sr["Proxy-Authenticate"].include? "NTLM"
+				sr = http.request_get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.get_initial_token("NTLM") }
+				resp = http.get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.complete_authentication(sr["Proxy-Authenticate"]) }
+				assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+      else
+				raise "Proxy-Authentica method must be either NTLM or Negotiate. Got #{sr["Proxy-Authenticate"].inspect}"
+      end
     end
   end
   

data/test/trace_proxy.rb

@@ -29,8 +29,14 @@ conn =  Net::HTTP.Proxy(proxy.host, proxy.port).new("www.google.com")
 conn.set_debug_output $stdout
 conn.start() do |http|
   nego_auth = Win32::SSPI::NegotiateAuth.new 
-  sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
-  resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+  sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token("Negotiate") }
+  if sr["Proxy-Authenticate"].include? "Negotiate"
+    resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+  elsif sr["Proxy-Authenticate"].include? "NTLM"
+    sr = http.request_get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.get_initial_token("NTLM") }
+    resp = http.get "/", { "Proxy-Authorization" => "NTLM " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+  end
+  
   # Google redirects to country of origins domain if not US.
   raise "Response code not as expected: #{resp.inspect}" unless resp.code.to_i == 200 || resp.code.to_i == 302
   resp = http.get "/foobar.html"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: rubysspi
 version: !ruby/object:Gem::Version 
-  version: 1.2.4
+  version: "1.3"
 platform: ruby
 authors: 
 - Justin Bailey
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-08-01 00:00:00 -07:00
+date: 2008-12-08 00:00:00 -08:00
 default_executable: 
 dependencies: []