.travis.sh

@@ -8,19 +8,16 @@ fi
 
 if [ -f /etc/debian_version ]; then
     apt-get update
-    DEBIAN_FRONTEND=noninteractive apt-get -y install $COMPILER \
+    DEBIAN_FRONTEND=noninteractive apt-get -y install $COMPILER pkg-config \
                    apache2-bin {apache2,libkrb5,libssl,gss-ntlmssp}-dev \
                    python-{dev,requests,gssapi} lib{socket,nss}-wrapper \
-                   flex bison krb5-{kdc,admin-server} virtualenv pkg-config
-
-    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880599 - too old
-    virtualenv --system-site-packages .venv
-    source .venv/bin/activate
-    pip install requests_kerberos
+                   flex bison krb5-{kdc,admin-server,pkinit} \
+                   python-requests-kerberos flake8
+    flake8
 elif [ -f /etc/fedora-release ]; then
     # https://bugzilla.redhat.com/show_bug.cgi?id=1483553 means that this will
     # fail no matter what, but it will properly install the packages.
-    dnf -y install $COMPILER python-gssapi krb5-{server,workstation} \
+    dnf -y install $COMPILER python-gssapi krb5-{server,workstation,pkinit} \
         {httpd,krb5,openssl,gssntlmssp}-devel {socket,nss}_wrapper \
         python-requests{,-kerberos} autoconf automake libtool which bison \
         flex mod_session redhat-rpm-config \
@@ -35,6 +32,5 @@ else
 fi
 
 autoreconf -fiv
-./configure CFLAGS="$CFLAGS" CC=$(which $COMPILER)
-make
-make check
+./configure # overridden by below, but needs to generate Makefile
+make distcheck DISTCHECK_CONFIGURE_FLAGS="CFLAGS=\"$CFLAGS\" CC=$(which $COMPILER)"

.travis.yml

@@ -7,9 +7,9 @@ services:
   - docker
 
 env:
-  - DISTRO=fedora:rawhide COMPILER=gcc
-  - DISTRO=fedora:rawhide COMPILER=clang
-  - DISTRO=debian:sid COMPILER=clang
+  - DISTRO=fedora:27 COMPILER=gcc
+  - DISTRO=fedora:27 COMPILER=clang
+  - DISTRO=debian:testing COMPILER=clang
 
 script:
   - >

README

@@ -17,8 +17,8 @@ extension](http://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions)
 is necessary to achieve full functionality. Reduced functionality is
 provided without these extensions.
 
-    krb5 (>=1.11)
-    Apache (>=2.4)
+    MIT krb5 (>=1.11)
+    Apache httpd (>=2.4.11)
 
 ### Tests
 
@@ -67,9 +67,55 @@ extensions you can also simply set the KRB5_KTNAME environment variable in the
 Apache init script and skip the GssapiCredStore option completely.
 
 
+Environment Variables
+---------------------
+
+(Note: these are not process environment variables, but rather Apache
+environment variables, as described
+[in the apache docs](https://httpd.apache.org/docs/2.4/env.html).)
+
+### gssapi-no-negotiate
+
+This environment variable is used to suppress setting Negotiate headers.  Not
+sending these headers is useful to work around browsers that do not handle
+them properly (and incorrectly show authentication popups to users).
+
+#### Example
+
+For instance, to suppress negotiation on Windows browsers, one could set:
+
+    BrowserMatch Windows gssapi-no-negotiate
+
+
+
 Configuration Directives
 ------------------------
 
+### Alphabetic List of Directives
+
+[GssapiAcceptorName](#gssapiacceptorname)<br>
+[GssapiAllowedMech](#gssapiallowedmech)<br>
+[GssapiBasicAuth](#gssapibasicauth)<br>
+[GssapiBasicAuthMech](#gssapibasicauthmech)<br>
+[GssapiConnectionBound](#gssapiconnectionbound)<br>
+[GssapiCredStore](#gssapicredstore)<br>
+[GssapiDelegCcacheDir](#gssapidelegccachedir)<br>
+[GssapiDelegCcacheEnvVar](#gssapidelegccacheenvvar)<br>
+[GssapiDelegCcachePerms](#gssapidelegccacheperms)<br>
+[GssapiDelegCcacheUnique](#gssapidelegccacheunique)<br>
+[GssapiImpersonate](#gssapiimpersonate)<br>
+[GssapiLocalName](#gssapilocalname)<br>
+[GssapiNameAttributes](#gssapinameattributes)<br>
+[GssapiNegotiateOnce](#gssapinegotiateonce)<br>
+[GssapiPublishErrors](#gssapipublisherrors)<br>
+[GssapiRequiredNameAttributes](#gssapirequirednameattributes)<br>
+[GssapiSessionKey](#gssapisessionkey)<br>
+[GssapiSignalPersistentAuth](#gssapisignalpersistentauth)<br>
+[GssapiSSLonly](#gssapisslonly)<br>
+[GssapiUseS4U2Proxy](#gssapiuses4u2proxy)<br>
+[GssapiUseSessions](#gssapiusesessions)<br>
+
+
 ### GssapiSSLonly
 
 Forces the authentication attempt to fail if the connection is not being
@@ -108,6 +154,7 @@ request for continuation.
 
 
 ### GssapiSignalPersistentAuth
+
 For clients that make use of Persistent-Auth header, send the header according
 to GssapiConnectionBound setting.
 
@@ -237,6 +284,7 @@ keytab and store a ccache in the configured ccache file.
 
 
 ### GssapiBasicAuth
+
 Allows the use of Basic Auth in conjunction with Negotiate.
 If the browser fails to use Negotiate it will instead fallback to Basic and
 the username and password will be used to try to acquire credentials in the
@@ -307,6 +355,7 @@ underscores for environment variable names.
     GssapiNameAttributes json
     GssapiNameAttributes RADIUS_NAME urn:ietf:params:gss:radius-attribute_1
 
+
 ### GssapiRequiredNameAttributes
 
 This option allows specifying one or more Name Attributes that the client must
@@ -336,6 +385,7 @@ expression, or no Name Attributes are present, a 403 response is returned.
     GssapiRequiredNameAttributes "auth-indicators=high or other-attr=foo"
     GssapiRequiredNameAttributes "((auth-indicators=low and auth-indicators=med) or auth-indicators=high)"
 
+
 ### GssapiNegotiateOnce
 
 When this option is enabled the Negotiate header will not be resent if
@@ -360,6 +410,7 @@ Auth mechanism. Enable GssapiNegotiateOnce to avoid this situation.
 - **Enable with:** GssapiNegotiateOnce On
 - **Default:** GssapiNegotiateOnce Off
 
+
 ### GssapiImpersonate
 
 This option can be used even if AuthType GSSAPI is not used for given
@@ -451,21 +502,4 @@ Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example).
 #### Example
     GssapiAcceptorName HTTP@www.example.com
 
-Environment Variables
----------------------
-
-(Note: these are not process environment variables, but rather Apache
-environment variables, as described
-[in the apache docs](https://httpd.apache.org/docs/2.4/env.html).)
-
-### gssapi-no-negotiate
-
-This environment variable is used to suppress setting Negotiate headers.  Not
-sending these headers is useful to work around browsers that do not handle
-them properly (and incorrectly show authentication popups to users).
 
-#### Example
-
-For instance, to suppress negotiation on Windows browsers, one could set:
-
-    BrowserMatch Windows gssapi-no-negotiate

contrib/sweeper.py

@@ -9,19 +9,21 @@
 # removing any ccaches that have expired from the filesystem, and serves as an
 # example of how this cleaning can be performed.
 
-import gssapi
 import os
-import re
 import stat
 import sys
 import time
 
+# try importing this first to provide a more useful error message
+import gssapi
+del gssapi
 try:
     from gssapi.raw import acquire_cred_from
 except ImportError:
     print("Your GSSAPI does not provide cred store extension; exiting!")
     exit(1)
 
+
 # process file as a ccache and indicate whether it is expired
 def should_delete(fname, t):
     try:
@@ -44,6 +46,7 @@ def should_delete(fname, t):
 
     return creds.lifetime == 0
 
+
 if __name__ == "__main__":
     dirs = sys.argv[1:]
     if len(dirs) < 1:

debian/changelog

+libapache2-mod-auth-gssapi (1.6.1-1) unstable; urgency=medium
+
+  * New upstream release.
+  * control: Drop dh_autoreconf from build-depends.
+  * control: Update vcs urls and maintainer address.
+  * rules: Use dh_missing.
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Wed, 17 Oct 2018 12:08:44 +0300
+
 libapache2-mod-auth-gssapi (1.6.0-1) unstable; urgency=medium
 
   * New upstream release.

debian/control

 Source: libapache2-mod-auth-gssapi
 Section: web
 Priority: optional
-Maintainer: Timo Aaltonen <tjaalton@debian.org>
+Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
+Uploaders: Timo Aaltonen <tjaalton@debian.org>
 Build-Depends:
  apache2-dev (>= 2.4),
  bison,
  debhelper (>= 10),
  dh-apache2,
- dh-autoreconf,
  flex,
  gss-ntlmssp-dev,
  libapr1-dev,
@@ -16,8 +16,8 @@ Build-Depends:
  pkg-config,
 Standards-Version: 4.1.2
 Homepage: https://github.com/modauthgssapi/mod_auth_gssapi
-Vcs-Git: https://anonscm.debian.org/git/collab-maint/mod-auth-gssapi.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/mod-auth-gssapi.git
+Vcs-Git: https://salsa.debian.org/freeipa-team/mod-auth-gssapi.git
+Vcs-Browser: https://salsa.debian.org/freeipa-team/mod-auth-gssapi
 
 Package: libapache2-mod-auth-gssapi
 Architecture: any

debian/rules

@@ -2,7 +2,7 @@
 # -*- makefile -*-
 
 %:
-	dh $@ --with autoreconf,apache2
+	dh $@ --with apache2
 
 override_dh_auto_test:
 
@@ -11,5 +11,5 @@ override_dh_auto_install:
 	install -m 755 src/.libs/mod_auth_gssapi.so \
 		$(CURDIR)/debian/tmp/usr/lib/apache2/modules
 
-override_dh_install:
-	dh_install --fail-missing
+override_dh_missing:
+	dh_missing --fail-missing

src/environ.c

@@ -340,9 +340,8 @@ void mag_get_name_attributes(request_rec *req, struct mag_config *cfg,
             /* Use the environment variable name matching the attribute name
              * from the map. */
             for (int j = 0; j < map_count; j++) {
-                if (strncmp(cfg->name_attributes->map[j].attr_name,
-                            attr.name.value,
-                            attr.name.length) == 0) {
+                if (mag_strbuf_equal(cfg->name_attributes->map[j].attr_name,
+                                     &attr.name)) {
                     attr.env_name = cfg->name_attributes->map[j].env_name;
                     break;
                 }

src/mod_auth_gssapi.h

@@ -142,3 +142,4 @@ const char *mag_str_auth_type(int auth_type);
 char *mag_error(apr_pool_t *pool, const char *msg, uint32_t maj, uint32_t min);
 int mag_get_user_uid(const char *name, uid_t *uid);
 int mag_get_group_gid(const char *name, gid_t *gid);
+bool mag_strbuf_equal(const char *str, gss_buffer_t buf);

src/util.c

@@ -64,3 +64,9 @@ int mag_get_group_gid(const char *name, gid_t *gid)
     free(buf);
     return ret;
 }
+
+bool mag_strbuf_equal(const char *str, gss_buffer_t buf)
+{
+    if (strncmp(str, buf->value, buf->length) != 0) return false;
+    return buf->length == strlen(str);
+}

tests/httpd.conf

-ServerRoot "${HTTPROOT}"
-ServerName "${HTTPNAME}"
-Listen ${HTTPADDR}:${HTTPPORT}
-Listen ${HTTPADDR}:${PROXYPORT}
+ServerRoot "{HTTPROOT}"
+ServerName "{HTTPNAME}"
+Listen {HTTPADDR}:{HTTPPORT}
+Listen {HTTPADDR}:{PROXYPORT}
 
 LoadModule access_compat_module modules/mod_access_compat.so
 LoadModule actions_module modules/mod_actions.so
@@ -77,6 +77,7 @@ LoadModule proxy_http_module modules/mod_proxy_http.so
 
 LoadModule auth_gssapi_module mod_auth_gssapi.so
 
+Mutex file:{HTTPROOT}
 
 <Directory />
     Options +Includes
@@ -85,13 +86,13 @@ LoadModule auth_gssapi_module mod_auth_gssapi.so
     Require all denied
 </Directory>
 
-DocumentRoot "${HTTPROOT}/html"
-<Directory "${HTTPROOT}">
+DocumentRoot "{HTTPROOT}/html"
+<Directory "{HTTPROOT}">
     AllowOverride None
     # Allow open access:
     Require all granted
 </Directory>
-<Directory "${HTTPROOT}/html">
+<Directory "{HTTPROOT}/html">
     Options Indexes FollowSymLinks
     Options +Includes
     AddOutputFilter INCLUDES .html
@@ -107,10 +108,10 @@ DocumentRoot "${HTTPROOT}/html"
     Require all denied
 </Files>
 
-PidFile "${HTTPROOT}/logs/httpd.pid"
+PidFile "{HTTPROOT}/logs/httpd.pid"
 
 <IfModule log_config_module>
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\"" combined
 CustomLog "logs/access_log" combined
 </IfModule>
 
@@ -130,7 +131,7 @@ AddDefaultCharset UTF-8
 
 IncludeOptional conf.d/*.conf
 
-CoreDumpDirectory "${HTTPROOT}"
+CoreDumpDirectory "{HTTPROOT}"
 
 
 <Location /spnego>
@@ -140,11 +141,11 @@ CoreDumpDirectory "${HTTPROOT}"
   GssapiUseSessions On
   Session On
   SessionCookieName gssapi_session path=/spnego;httponly
-  GssapiSessionKey file:${HTTPROOT}/session.key
-  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
-  GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
-  GssapiDelegCcacheDir ${HTTPROOT}
+  GssapiSessionKey file:{HTTPROOT}/session.key
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
+  GssapiDelegCcacheDir {HTTPROOT}
   GssapiDelegCcachePerms mode:0666
   GssapiBasicAuth Off
   GssapiAllowedMech krb5
@@ -157,14 +158,14 @@ CoreDumpDirectory "${HTTPROOT}"
 
   AuthType GSSAPI
   AuthName "Login"
-  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiAllowedMech krb5
   Require valid-user
 
   RewriteEngine on
-  RewriteCond %{REQUEST_FILENAME} !-d
-  RewriteCond %{REQUEST_FILENAME} !-f
+  RewriteCond %{{REQUEST_FILENAME}} !-d
+  RewriteCond %{{REQUEST_FILENAME}} !-f
   RewriteRule . /spnego_rewrite/index.html [L]
 </Location>
 
@@ -175,9 +176,9 @@ CoreDumpDirectory "${HTTPROOT}"
   GssapiUseSessions On
   Session On
   SessionCookieName gssapi_session path=/spnego_negotiate_once;httponly
-  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
-  GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiBasicAuth Off
   GssapiAllowedMech krb5
   GssapiNegotiateOnce On
@@ -190,9 +191,9 @@ CoreDumpDirectory "${HTTPROOT}"
   AuthType GSSAPI
   AuthName "Password Login"
   GssapiSSLonly Off
-  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
-  GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiBasicAuth On
   GssapiBasicAuthMech krb5
   GssapiConnectionBound On
@@ -204,9 +205,9 @@ CoreDumpDirectory "${HTTPROOT}"
   AuthType GSSAPI
   AuthName "Bad Acceptor Name"
   GssapiSSLonly Off
-  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
-  GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiAcceptorName BAD@example.com
   Require valid-user
 </Location>
@@ -216,9 +217,9 @@ CoreDumpDirectory "${HTTPROOT}"
   AuthType GSSAPI
   AuthName "Login"
   GssapiSSLonly Off
-  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
-  GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiBasicAuth On
   GssapiAllowedMech krb5
   Require valid-user
@@ -228,19 +229,19 @@ CoreDumpDirectory "${HTTPROOT}"
   AuthType GSSAPI
   AuthName "Login"
   GssapiSSLonly Off
-  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
-  GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiBasicAuth Off
   GssapiAllowedMech krb5
-  GssapiAcceptorName {HOSTNAME}
+  GssapiAcceptorName {{HOSTNAME}}
   Require valid-user
 </Location>
 
 <Location /required_name_attr1>
   AuthType GSSAPI
   AuthName "Required Name Attributes"
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiRequiredNameAttributes auth-indicators=na1
   LogLevel debug
   Require valid-user
@@ -249,7 +250,7 @@ CoreDumpDirectory "${HTTPROOT}"
 <Location /required_name_attr2>
   AuthType GSSAPI
   AuthName "Required Name Attributes"
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiRequiredNameAttributes auth-indicators:=bmEx
   LogLevel debug
   Require valid-user
@@ -258,7 +259,7 @@ CoreDumpDirectory "${HTTPROOT}"
 <Location /required_name_attr3>
   AuthType GSSAPI
   AuthName "Required Name Attributes"
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiRequiredNameAttributes (auth-indicators=foo and auth-indicators=na2) or auth-indicators=na3
   LogLevel debug
   Require valid-user
@@ -267,22 +268,22 @@ CoreDumpDirectory "${HTTPROOT}"
 <Location /required_name_attr4>
   AuthType GSSAPI
   AuthName "Required Name Attributes"
-  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
   GssapiRequiredNameAttributes auth-indicators=foo
   LogLevel debug
   Require valid-user
 </Location>
 
-<VirtualHost *:${PROXYPORT}>
+<VirtualHost *:{PROXYPORT}>
   ProxyRequests On
   ProxyVia On
 
   <Proxy *>
     AuthType GSSAPI
     AuthName "Proxy Login"
-    GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
-    GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
-    GssapiCredStore keytab:${HTTPROOT}/http.keytab
+    GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+    GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+    GssapiCredStore keytab:{HTTPROOT}/http.keytab
     GssapiBasicAuth On
     Require valid-user
   </Proxy>

tests/t_bad_acceptor_name.py

@@ -3,8 +3,7 @@
 
 import os
 import requests
-from stat import ST_MODE
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
 
 
 if __name__ == '__main__':

tests/t_basic_k5_fail_second.py

@@ -3,30 +3,31 @@
 
 import os
 import requests
-import sys
-from requests.auth import HTTPBasicAuth
 
 
 if __name__ == '__main__':
     s = requests.Session()
 
-    url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME'],
+    url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+          (os.environ['MAG_USER_NAME'],
            os.environ['MAG_USER_PASSWORD'],
            os.environ['NSS_WRAPPER_HOSTNAME'])
     r = s.get(url)
     if r.status_code != 200:
         raise ValueError('Basic Auth: Failed Authentication')
 
-    url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME_2'],
+    url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+          (os.environ['MAG_USER_NAME_2'],
            os.environ['MAG_USER_PASSWORD'],
            os.environ['NSS_WRAPPER_HOSTNAME'])
     r = s.get(url)
     if r.status_code == 200:
         raise ValueError('Basic Auth: Got Success while expecting Error')
-    if not 'GSS ERROR' in r.text:
+    if 'GSS ERROR' not in r.text:
         raise ValueError('Basic Auth: Expected error variable is missing')
 
-    url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME_2'],
+    url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+          (os.environ['MAG_USER_NAME_2'],
            os.environ['MAG_USER_PASSWORD_2'],
            os.environ['NSS_WRAPPER_HOSTNAME'])
     r = s.get(url)

tests/t_basic_k5_two_users.py

@@ -3,20 +3,21 @@
 
 import os
 import requests
-from requests.auth import HTTPBasicAuth
 
 
 if __name__ == '__main__':
     s = requests.Session()
 
-    url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME'],
+    url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+          (os.environ['MAG_USER_NAME'],
            os.environ['MAG_USER_PASSWORD'],
            os.environ['NSS_WRAPPER_HOSTNAME'])
     r = s.get(url)
     if r.status_code != 200:
         raise ValueError('Basic Auth Failed')
 
-    url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME_2'],
+    url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+          (os.environ['MAG_USER_NAME_2'],
            os.environ['MAG_USER_PASSWORD_2'],
            os.environ['NSS_WRAPPER_HOSTNAME'])
     r2 = s.get(url)

tests/t_hostname_acceptor.py

 #!/usr/bin/env python
 # Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license.
 
-import os
-import requests
 import sys
-from stat import ST_MODE
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+
+import requests
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
 
 
 if __name__ == '__main__':

tests/t_nonego.py

@@ -23,7 +23,7 @@ if __name__ == '__main__':
     r = requests.get(url, headers={'User-Agent': 'NONEGO'})
     if r.status_code != 401:
         raise ValueError('NO Negotiate failed - 401 expected')
-    if (r.headers.get("WWW-Authenticate") and
-        r.headers.get("WWW-Authenticate").startswith("Negotiate")):
+    if r.headers.get("WWW-Authenticate") and \
+       r.headers.get("WWW-Authenticate").startswith("Negotiate"):
         raise ValueError('NO Negotiate failed - WWW-Authenticate '
                          'Negotiate header is present, should be absent')

tests/t_required_name_attr.py

@@ -3,7 +3,7 @@
 
 import os
 import requests
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
 
 
 if __name__ == '__main__':

tests/t_spnego.py

@@ -2,10 +2,10 @@
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os
-import requests
 from stat import ST_MODE
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
 
+import requests
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
 
 if __name__ == '__main__':
     sess = requests.Session()
@@ -19,5 +19,5 @@ if __name__ == '__main__':
         raise ValueError('gssapi_session not set')
 
     data = os.stat(os.environ['DELEGCCACHE'])
-    if data[ST_MODE] != 0100666:
+    if data[ST_MODE] != 0o100666:
         raise ValueError('Incorrect perm on ccache: %o' % data[ST_MODE])