Import Upstream version 1.6.1

.travis.yml

@@ -6,15 +6,7 @@ language: python
 services:
   - docker
 
-env:
-  - DISTRO=debian:stable PYTHON="2"
-  - DISTRO=debian:stable PYTHON="3" # 3.4, not 3.5
-  - DISTRO=debian:stable PYTHON="3" KRB5_VER="heimdal"
-  - DISTRO=centos:7 PYTHON="2" # el7 doesn't do python3 modules
-  - DISTRO=fedora:rawhide PYTHON="3"
-  - DISTRO=fedora:rawhide PYTHON="2"
-
-# we do everything in docker
+# we do everything in docker for non MacOS, MacOS setup is in .travis/build.sh
 install: skip
 before_install: skip
 
@@ -27,29 +19,73 @@ stages:
   if: tag is PRESENT
 
 script:
-  - sudo sed -i '1i 127.0.0.1 test.box' /etc/hosts
-  - sudo hostname test.box
-  - source ./.travis/lib-util.sh
-  - util::docker-run $DISTRO ./.travis/build.sh
+- if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then
+  sudo sed -i '1i 127.0.0.1 test.box' /etc/hosts;
+  sudo hostname test.box;
+  source ./.travis/lib-util.sh;
+  util::docker-run $DISTRO ./.travis/build.sh;
+  fi
+- if [[ "$TRAVIS_OS_NAME" != "linux" ]]; then ./.travis/build.sh; fi
 
 jobs:
   include:
-  - stage: verify
-    env: DISTRO=fedora:rawhide PYTHON="2"
+  - &docker_verify
+    stage: verify
+    env: DISTRO=fedora:latest PYTHON="2"
     script:
     - source ./.travis/lib-util.sh
     - util::docker-run $DISTRO ./.travis/verify.sh
 
-  - stage: verify
-    env: DISTRO=fedora:rawhide PYTHON="3"
-    script:
-    - source ./.travis/lib-util.sh
-    - util::docker-run $DISTRO ./.travis/verify.sh
+  - <<: *docker_verify
+    env: DISTRO=fedora:latest PYTHON="3"
+
+
+  # need to explictly define each builder for test due to different os types
+  - stage: test
+    env: DISTRO=debian:stable PYTHON="2"
+
+  - stage: test
+    env: DISTRO=debian:stable PYTHON="3" # 3.4, not 3.5
+
+  - stage: test
+    env: DISTRO=debian:stable PYTHON="3" KRB5_VER="heimdal"
+
+  - stage: test
+    env: DISTRO=centos:7 PYTHON="2" # el7 doesn't do python3 modules
+
+  - stage: test
+    env: DISTRO=fedora:latest PYTHON="3"
+
+  - stage: test
+    env: DISTRO=fedora:latest PYTHON="2"
+
+  - &osx_test
+    stage: test
+    env: PYTHON="2" KRB5_VER="heimdal" PYENV="2.7.14"
+    os: osx
+    osx_image: xcode9.2
+    language: generic # causes issues with pyenv installer when set to python
+
+  - <<: *osx_test
+    env: PYTHON="3" KRB5_VER="heimdal" PYENV="3.6.3"
+
+  - &win_test
+    stage: test
+    env: PYTHON="2" PYENV="2.7.16" EXTRA_BUILDEXT="--compiler=mingw32"
+    os: windows
+    language: sh  # Windows not supported yet
+
+  - <<: *win_test
+    env: PYTHON="3" PYENV="3.6.8"
+
+  - <<: *win_test
+    env: PYTHON="3" PYENV="3.7.3"
+
 
   - stage: deploy latest docs
     script: skip
     env:
-    - DISTRO=fedora:rawhide
+    - DISTRO=fedora:latest
     - PYTHON="3"
     - secure: L5SpEj5+no20PWwC9Y/XNhAfmUvYiuykwSMa/YyqvUuBjdizzpZcHr7Ego5nMdM1TniTxj4pSTM+GbM0FHCzNmAINSRh9g/D3hheRqlRBacqR0XwC9ZZRvkKvtzwnLh4vYWiauq4AoDeR5U6tkEcay6LjE57iMQcLjcKYBc+Eos=
     before_deploy:
@@ -67,7 +103,7 @@ jobs:
   - stage: deploy
     script: skip
     env:
-    - DISTRO=fedora:rawhide
+    - DISTRO=fedora:latest
     - PYTHON="3"
     - secure: L5SpEj5+no20PWwC9Y/XNhAfmUvYiuykwSMa/YyqvUuBjdizzpZcHr7Ego5nMdM1TniTxj4pSTM+GbM0FHCzNmAINSRh9g/D3hheRqlRBacqR0XwC9ZZRvkKvtzwnLh4vYWiauq4AoDeR5U6tkEcay6LjE57iMQcLjcKYBc+Eos=
     before_deploy:
@@ -87,20 +123,40 @@ jobs:
         all_branches: true
 
     - provider: pypi
-      user:
-        secure: "jUAMucBq+9xH8x9u0I0LOwrs3Zb++KN7FwIIwz2CyAt/+TyyrJzeGJaV+dTiJ1OqcUIFqQG6jopzpnAe4biL1O68PEwz9BphKetFLpLHiFNm/n67LYno6NFonWmxndIy99pOP6NZu29nzSNeYq/KgEHo/5OkqEGOxk//lh7X/OY="
+      user: rharwood
       password:
-        secure: "ZqywwnR+G5VeM2sStwfLeutOvqbULHtnStjrdYc8WcC/FBVwmH/W48fTlvxrnswmfKx7Eljv0nN4VcBpoFf1tvz4O2oK/tCRpf0N8SvpT0jBx8bLGUxJ1/3Po6rFgBRWgSb/mzKHPKI6fLlQNcNg8lrd9e1j/zgbVRSwNeMUOR8="
+        secure: "hN861mjtLeC8IysypC6Pqzlazq29I+c69XGjbUR53izYQ90cz2F+B2azVTl9Su9NbXzdsGnhWZrjY1jtYMPIZE15xDaC8vs61QijFClqmyuKNRVzCt1w/sj21hyLXnYIrkAo4e3bswPF+hRGNwfb+rVrR/dqUwd1wyjZBBYMcQE="
       skip_cleanup: true
       docs_dir: travis_docs_build/html
       on:
         all_branches: true
       # NB(directxman12): this is a hack.  Check ./.travis/before-deploy.sh for an explanation.
       distributions: "check"
-    
+
     - provider: script
       script: .travis/docs-deploy.sh travis_docs_build/html stable pythongssapi/python-gssapi
       skip_cleanup: true
       on:
         all_branches: true
 
+  - &win_deploy
+    stage: deploy
+    os: windows
+    script: # This is egregious hacks around Travis
+      - ./.travis/before-deploy-windows-wheels.sh
+      - ./.travis/deploy-win.sh
+    env:
+      - PYTHON="2"
+      - PYENV="2.7.16"
+      - EXTRA_BUILDEXT="--compiler=mingw32"
+    language: sh # Travis doesn't support python here
+
+  - <<: *win_deploy
+    env:
+      - PYTHON="3"
+      - PYENV="3.6.8"
+
+  - <<: *win_deploy
+    env:
+      - PYTHON="3"
+      - PYENV="3.7.3"

.travis/before-deploy-windows-wheels.sh

+#!/bin/bash -ex
+
+# See before-deploy.sh for anything unexplained
+
+source ./.travis/lib-setup.sh
+source ./.travis/lib-deploy.sh
+
+./.travis/build.sh
+
+# Sigh, go find paths again
+PYPATH="/c/Python${PYENV:0:1}${PYENV:2:1}"
+export PATH="$PYPATH:$PYPATH/Scripts:/c/Program Files/MIT/Kerberos/bin:$PATH"
+
+# build the wheel
+python -m pip install wheel
+python setup.py bdist_wheel
+
+cd dist
+
+# Rename and checksum the wheel
+if [ x"${TRAVIS_TAG#v[0-9]}" = "x${TRAVIS_TAG}" ]; then
+    PYTHON_GSSAPI_VERSION=${TRAVIS_TAG}
+else
+    PYTHON_GSSAPI_VERSION=${TRAVIS_TAG#v}
+fi
+
+PKG_NAME_VER=$(ls *.whl | sed "s/gssapi-[^-]*-\(.*\)\.whl/python-gssapi-${PYTHON_GSSAPI_VERSION}-\1/")
+
+cp *.whl "${PKG_NAME_VER}.whl"
+
+sha512sum --binary ./${PKG_NAME_VER}.whl > ./${PKG_NAME_VER}.sha512sum
+
+cd ..

.travis/before-deploy.sh

@@ -11,7 +11,7 @@ source ./.travis/lib-deploy.sh
 
 setup::activate
 
-yum -y install tar coreutils git
+yum -y install tar git
 
 # build the docs
 deploy::build-docs

.travis/build.sh

@@ -5,7 +5,7 @@ source ./.travis/lib-setup.sh
 setup::install
 
 # always build in-place so that Sphinx can find the modules
-python setup.py build_ext --inplace
+python setup.py build_ext --inplace $EXTRA_BUILDEXT
 BUILD_RES=$?
 
 if [ x"$KRB5_VER" = "xheimdal" ]; then
@@ -13,6 +13,11 @@ if [ x"$KRB5_VER" = "xheimdal" ]; then
     exit $BUILD_RES
 fi
 
+if [ "$TRAVIS_OS_NAME" == "windows" ]; then
+    # Windows can't run tests yet, so just exit
+    exit $BUILD_RES
+fi
+
 if [ $BUILD_RES -ne 0 ]; then
     # if the build failed, don't run the tests
     exit $BUILD_RES

.travis/deploy-win.sh

+#!/bin/bash -e
+
+# Temporary hack while issue DPL issue persists
+# Manually upload wheels via twine for windows
+# https://github.com/travis-ci/dpl/issues/1009
+
+success="yes"
+
+# Sigh, go find paths again
+PYPATH="/c/Python${PYENV:0:1}${PYENV:2:1}"
+export PATH="$PYPATH:$PYPATH/Scripts:/c/Program Files/MIT/Kerberos/bin:$PATH"
+
+echo 'Running: python -m pip install twine ...'
+python -m pip install twine
+
+echo 'Running: set +x; python -m twine upload...'
+# Please note this cannot be set -x or passwords will leak!
+set +x
+
+python -m twine upload -u $TWINE_USER -p $TWINE_PASSWORD dist/gssapi* > out.log 2>&1 || true
+
+# and restore...
+set -x
+egrep -i 'fail|error' out.log && cat out.log && exit 1
+
+exit 0

.travis/lib-setup.sh

@@ -20,7 +20,8 @@ setup::debian::install() {
     if [ x"$KRB5_VER" = "xheimdal" ]; then
         apt-get -y install heimdal-dev
     else
-        apt-get -y install krb5-{user,kdc,admin-server,multidev} libkrb5-dev
+        apt-get -y install krb5-{user,kdc,admin-server,multidev} libkrb5-dev \
+                gss-ntlmssp
     fi
 
     apt-get -y install gcc virtualenv python$IS3-{virtualenv,dev} cython$IS3
@@ -55,7 +56,8 @@ setup::fedora::install() {
 }
 
 setup::rh::install() {
-    setup::rh::yuminst krb5-{devel,libs,server,workstation} which gcc findutils
+    setup::rh::yuminst krb5-{devel,libs,server,workstation} \
+                       which gcc findutils gssntlmssp
 
     if [ -f /etc/fedora-release ]; then
         setup::fedora::install
@@ -64,11 +66,42 @@ setup::rh::install() {
     fi
 }
 
+setup::macos::install() {
+    # install Python from pyenv so we know what version is being used
+    pyenv install $PYENV
+    pyenv global $PYENV
+    virtualenv -p $(pyenv which python) .venv
+    source ./.venv/bin/activate
+    pip install --install-option='--no-cython-compile' cython
+}
+
+setup::windows::install() {
+    # Install the right Python version and MIT Kerberos
+    choco install python"${PYENV:0:1}" --version $PYENV
+    choco install mitkerberos --install-arguments "'ADDLOCAL=ALL'" || true
+    PYPATH="/c/Python${PYENV:0:1}${PYENV:2:1}"
+    # Update path to include them
+    export PATH="$PYPATH:$PYPATH/Scripts:/c/Program Files/MIT/Kerberos/bin:$PATH"
+
+    if [ "${PYENV:0:1}" == "2" ]; then
+        choco install vcredist2008
+        # Skip dotnet dependency:
+        # https://github.com/fredrikaverpil/vcpython27/pull/3
+        choco install --ignore-dependencies vcpython27
+    fi
+
+    python -m pip install --upgrade pip
+}
+
 setup::install() {
     if [ -f /etc/debian_version ]; then
         setup::debian::install
     elif [ -f /etc/redhat-release ]; then
         setup::rh::install
+    elif [ "$(uname)" == "Darwin" ]; then
+        setup::macos::install
+    elif [ "$TRAVIS_OS_NAME" == "windows" ]; then
+        setup::windows::install
     else
         echo "Distro not found!"
         false

README.rst

-python-gssapi-1.4.1/README.txt
\ No newline at end of file
+python-gssapi-1.6.1/README.txt
\ No newline at end of file

README.txt

@@ -55,6 +55,14 @@ For Running the Tests
 
 * the `shouldbe` package (for tests)
 
+* the `k5test` package
+
+To install test dependencies using pip:
+
+.. code-block:: bash
+
+    $ pip install -r test-requirements.txt # Optional, for running test suite
+
 Installation
 ============
 
@@ -156,6 +164,8 @@ In addition to RFC 2743/2744, Python-GSSAPI also has support for:
 
 * `acquire_cred_with_password` and `add_cred_with_password`
 
+* GGF Extensions
+
 The Team
 ========
 

docs-requirements.txt

 Sphinx >= 1.3.1
 sphinx-rtd-theme >= 0.2.5b1
-sphinxcontrib-napoleon >= 0.2.8
 recommonmark >= 0.4.0

docs/source/basic-tutorial.md

@@ -26,7 +26,7 @@ functions available in the `REALM` object (see gssapi-console.py in
 try `$ run-lit -e gssapi basic-tutorial.md` when you have both
 gssapi_console and yalpt installed).  Any actions performed using the
 `REALM` object are not part of the GSSAPI library; the `REALM` object
-simply contians wrappers to krb5 commands generally run separately from
+simply contains wrappers to krb5 commands generally run separately from
 the application using GSSAPI.
 
 Names and Credentials
@@ -36,7 +36,7 @@ Two important concepts in GSSAPI are *names* and *credentials*.
 
 *Names*, as the name suggests, identify different entities, be they
 users or services.  GSSAPI has the concept of different *name types*.
-These represent different types of names and corresponding sytaxes
+These represent different types of names and corresponding syntax
 for representing names as strings.
 
 Suppose we wanted to refer to an HTTP server on the current host.
@@ -95,7 +95,7 @@ Credentials have a *usage*: 'accept' for accepting security contexts,
 credentials used for both initiating and accepting security contexts.
 
 Credentials also have an associated *name*, *lifetime* (which may
-be `None` for indefinite), and set of *mechansims* with which the
+be `None` for indefinite), and set of *mechanisms* with which the
 credentials are usable:
 
     >>> server_creds.usage
@@ -132,7 +132,7 @@ the user's already acquired credentials:
     >>>
 
 Just like credentials, security contexts are either initiating
-contexts, or accepting contexts (they cannot be both).  Initating
+contexts, or accepting contexts (they cannot be both).  Initiating
 contexts must specify at least a target name.  In this case,
 we indicate that we wish to establish a context with the HTTP server
 from above.  The http server can then accept that context:
@@ -186,7 +186,7 @@ messages, or just sign them:
     >>>
 
 Manually passing in a second parameter and checking whether or not encryption
-was used can get tedious, so python-gssapi provides two convinience methods
+was used can get tedious, so python-gssapi provides two convenience methods
 to help with this: `encrypt` and `decrypt`.  If the context is set up to use
 encryption, they will call `wrap` with encryption.  If not, they will
 call `wrap` without encryption.

docs/source/conf.py

@@ -30,7 +30,7 @@ from custom_recommonmark import AllCodeCommonMarkParser
 
 # Add any Sphinx extension module names here, as strings. They can be extensions
 # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions = ['sphinx.ext.autodoc', 'sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.coverage', 'sphinx.ext.ifconfig', 'sphinx.ext.viewcode', "sphinxcontrib.napoleon", 'gssapi_find_missing', 'requires_rfc']
+extensions = ['sphinx.ext.autodoc', 'sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.coverage', 'sphinx.ext.ifconfig', 'sphinx.ext.viewcode', "sphinx.ext.napoleon", 'gssapi_find_missing', 'requires_rfc']
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -58,9 +58,9 @@ copyright = u'2014, The Python-GSSAPI team'
 # built documents.
 #
 # The short X.Y version.
-version = '1.4.1'
+version = '1.6.1'
 # The full version, including alpha/beta/rc tags.
-release = '1.4.1'
+release = '1.6.1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/source/credstore.rst

+Common Values for Credentials Store Extensions
+==============================================
+
+The credentials store extension is an extension introduced by the MIT krb5
+library implementation of GSSAPI. It allows for finer control of credentials
+from within a GSSAPI application.
+Each mechanism can define keywords to manipulate various aspects of their
+credentials for storage or retrieval operations.
+
+.. note:
+
+   Only mechanisms that implement keywords can use them, some mechanism may
+   share the same or similar keywords, but their meaning is always local to
+   a specific mechanism.
+
+The krb5 mechanism in MIT libraries
+-----------------------------------
+
+The krb5 mechanism as implemented by MIT libraries supports the credentials
+store extension with a number of keywords.
+
+client_keytab
+"""""""""""""
+
+The `client_keytab` keyword can be used in a credential store when it is used
+with the :func:`gssapi.raw.ext_cred_store.acquire_cred_from` /
+:func:`gssapi.raw.ext_cred_store.add_cred_from` functions, to indicate a
+custom location for a keytab containing client keys.
+It is not used in the context of calls used to store credentials.
+The value is a string in the form **type:residual** where **type** can be any
+keytab storage type understood by the implementation and **residual** is the
+keytab identifier (usually something like a path). If the string is just a path
+then the type is defaulted to `FILE`.
+
+keytab
+""""""
+
+The `keytab` keyword can be used in a credential store when it is used with
+the :func:`gssapi.raw.ext_cred_store.acquire_cred_from` /
+:func:`gssapi.raw.ext_cred_store.add_cred_from` functions, to indicate a
+custom location for a keytab containing service keys.
+It is not used in the context of calls used to store credentials.
+The value is a string in the form **type:residual** where **type** can be any
+keytab storage type understood by the implementation and **residual** is the
+keytab identifier (usually something like a path). If the string is just a path
+then the type is defaulted to `FILE`.
+
+ccache
+""""""
+
+The `ccache` keyword can be used to reference a specific credential storage.
+It can be used both to indicate the source of existing credentials for the
+:func:`gssapi.raw.ext_cred_store.acquire_cred_from` /
+:func:`gssapi.raw.ext_cred_store.add_cred_from` functions, as well as the
+destination storage for the :func:`gssapi.raw.ext_cred_store.store_cred_into`
+function.
+The value is a string in the form **type:residual** where type can be any
+credential cache storage type understood by the implementation and
+**residual** is the ccache identifier. If the string is just a path then
+the type is defaulted to `FILE`. Other commonly used types are `DIR`,
+`KEYRING`, `KCM`. Each type has a different format for the **residual**;
+refer to the MIT krb5 documentation for more details.
+
+rcache
+""""""
+
+The `rcache` keyword can be used to reference a custom replay cache storage.
+It is used only with the :func:`gssapi.raw.ext_cred_store.acquire_cred_from` /
+:func:`gssapi.raw.ext_cred_store.add_cred_from` functions for credentials used
+to accept context establishments, not to initiate contexts.
+The value is a string in the form **type:residual** where type can be any
+replay cache storage type understood by the implementation and **residual** is
+the cache identifier (usually something like a path). If the string is just a
+path then the type is defaulted to `FILE`.
+

docs/source/gssapi.rst

@@ -46,7 +46,7 @@ Enums and Helper Classes
 ------------------------
 
 The following enumerations from the low-level API are also
-used with the high-level API.  For convienience, the are
+used with the high-level API.  For convenience, they are
 imported in the high-level API :mod:`gssapi` module:
 
 .. autoclass:: gssapi.NameType
@@ -68,7 +68,7 @@ imported in the high-level API :mod:`gssapi` module:
 .. autoclass:: gssapi.AddressType
     :show-inheritance:
 
-Similiarly, there are a couple classes from the low-level API
+Similarly, there are a couple classes from the low-level API
 that are imported into the high-level API module.  These classes
 are less likely to be used directly by a user, but are returned
 by several methods:

docs/source/index.rst

@@ -28,6 +28,7 @@ straight into the :doc:`high-level API documentation <gssapi>`.
 
    gssapi.rst
    gssapi.raw.rst
+   otherdoc.rst
    tutorials.rst
 
 

docs/source/otherdoc.rst

+Other Documentation
+===================
+
+This section contain documentation that is not expressed directly in functions
+documentation, like implementation specific quirks or issues, implementation
+tips, environment influence on operations and similar.
+
+.. toctree::
+   :maxdepth: 1
+
+   credstore.rst

gssapi/__init__.py

@@ -33,5 +33,6 @@ from gssapi.raw.oids import OID  # noqa
 from gssapi.creds import Credentials  # noqa
 from gssapi.names import Name  # noqa
 from gssapi.sec_contexts import SecurityContext  # noqa
+from gssapi.mechs import Mechanism  # noqa
 
 from gssapi._utils import set_encoding  # noqa

gssapi/mechs.py

+import six
+
+from gssapi.raw import oids as roids
+from gssapi._utils import import_gssapi_extension
+from gssapi.raw import misc as rmisc
+from gssapi import _utils
+
+rfc5587 = import_gssapi_extension('rfc5587')
+rfc5801 = import_gssapi_extension('rfc5801')
+
+
+class Mechanism(roids.OID):
+    """
+    A GSSAPI Mechanism
+
+    This class represents a mechanism and centralizes functions dealing with
+    mechanisms and can be used with any calls.
+
+    It inherits from the low-level GSSAPI :class:`~gssapi.raw.oids.OID` class,
+    and thus can be used with both low-level and high-level API calls.
+    """
+    def __new__(cls, cpy=None, elements=None):
+        return super(Mechanism, cls).__new__(cls, cpy, elements)
+
+    @property
+    def name_types(self):
+        """
+        Get the set of name types supported by this mechanism.
+        """
+        return rmisc.inquire_names_for_mech(self)
+
+    @property
+    def _saslname(self):
+        if rfc5801 is None:
+            raise NotImplementedError("Your GSSAPI implementation does not "
+                                      "have support for RFC 5801")
+        return rfc5801.inquire_saslname_for_mech(self)
+
+    @property
+    def _attrs(self):
+        if rfc5587 is None:
+            raise NotImplementedError("Your GSSAPI implementation does not "
+                                      "have support for RFC 5587")
+
+        return rfc5587.inquire_attrs_for_mech(self)
+
+    def __str__(self):
+        if issubclass(str, six.text_type):
+            # Python 3 -- we should return unicode
+            return self._bytes_desc().decode(_utils._get_encoding())
+        else:
+            return self._bytes_desc()
+
+    def __unicode__(self):
+        return self._bytes_desc().decode(_utils._get_encoding())
+
+    def _bytes_desc(self):
+        base = self.dotted_form
+        if rfc5801 is not None and self._saslname and self._saslname.mech_name:
+            base = self._saslname.mech_name
+
+        if isinstance(base, six.text_type):
+            base = base.encode(_utils._get_encoding())
+
+        return base
+
+    def __repr__(self):
+        """
+        Get a name representing the mechanism; always safe to call
+        """
+        base = "<Mechanism (%s)>" % self.dotted_form
+        if rfc5801 is not None:
+            base = "<Mechanism %s (%s)>" % (
+                self._saslname.mech_name.decode('UTF-8'),
+                self.dotted_form
+            )
+
+        return base
+
+    @property
+    def sasl_name(self):
+        """
+        Get the SASL name for the mechanism
+
+        :requires-ext:`rfc5801`
+        """
+        return self._saslname.sasl_mech_name.decode('UTF-8')
+
+    @property
+    def description(self):
+        """
+        Get the description of the mechanism
+
+        :requires-ext:`rfc5801`
+        """
+        return self._saslname.mech_description.decode('UTF-8')
+
+    @property
+    def known_attrs(self):
+        """
+        Get the known attributes of the mechanism; returns a set of OIDs
+        ([OID])
+
+        :requires-ext:`rfc5587`
+        """
+        return self._attrs.known_mech_attrs
+
+    @property
+    def attrs(self):
+        """
+        Get the attributes of the mechanism; returns a set of OIDs ([OID])
+
+        :requires-ext:`rfc5587`
+        """
+        return self._attrs.mech_attrs
+
+    @classmethod
+    def all_mechs(cls):
+        """
+        Get a generator of all mechanisms supported by GSSAPI
+        """
+        return (cls(mech) for mech in rmisc.indicate_mechs())
+
+    @classmethod
+    def from_name(cls, name=None):
+        """
+        Get a generator of mechanisms that may be able to process the name
+
+        Args:
+            name (Name): a name to inquire about
+
+        Returns:
+            [Mechanism]: a set of mechanisms which support this name
+
+        Raises:
+            GSSError
+        """
+        return (cls(mech) for mech in rmisc.inquire_mechs_for_name(name))
+
+    @classmethod
+    def from_sasl_name(cls, name=None):
+        """
+        Create a Mechanism from its SASL name
+
+        Args:
+            name (str): SASL name of the desired mechanism
+
+        Returns:
+            Mechanism: the desired mechanism
+
+        Raises:
+            GSSError
+
+        :requires-ext:`rfc5801`
+        """
+        if rfc5801 is None:
+            raise NotImplementedError("Your GSSAPI implementation does not "
+                                      "have support for RFC 5801")
+        if isinstance(name, six.text_type):
+            name = name.encode(_utils._get_encoding())
+
+        m = rfc5801.inquire_mech_for_saslname(name)
+
+        return cls(m)
+
+    @classmethod
+    def from_attrs(cls, desired_attrs=None, except_attrs=None,
+                   critical_attrs=None):
+        """
+        Get a generator of mechanisms supporting the specified attributes. See
+        RFC 5587's :func:`indicate_mechs_by_attrs` for more information.
+
+        Args:
+            desired_attrs ([OID]): Desired attributes
+            except_attrs ([OID]): Except attributes
+            critical_attrs ([OID]): Critical attributes
+
+        Returns:
+            [Mechanism]: A set of mechanisms having the desired features.
+
+        Raises:
+            GSSError
+
+        :requires-ext:`rfc5587`
+        """
+        if isinstance(desired_attrs, roids.OID):
+            desired_attrs = set([desired_attrs])
+        if isinstance(except_attrs, roids.OID):
+            except_attrs = set([except_attrs])
+        if isinstance(critical_attrs, roids.OID):
+            critical_attrs = set([critical_attrs])
+
+        if rfc5587 is None:
+            raise NotImplementedError("Your GSSAPI implementation does not "
+                                      "have support for RFC 5587")
+
+        mechs = rfc5587.indicate_mechs_by_attrs(desired_attrs,
+                                                except_attrs,
+                                                critical_attrs)
+        return (cls(mech) for mech in mechs)

gssapi/names.py

-import collections
-
 import six
 
 from gssapi.raw import names as rname
@@ -7,6 +5,12 @@ from gssapi.raw import NameType
 from gssapi.raw import named_tuples as tuples
 from gssapi import _utils
 
+if six.PY2:
+    from collections import MutableMapping, Iterable
+else:
+    from collections.abc import MutableMapping, Iterable
+
+
 rname_rfc6680 = _utils.import_gssapi_extension('rfc6680')
 rname_rfc6680_comp_oid = _utils.import_gssapi_extension('rfc6680_comp_oid')
 
@@ -313,7 +317,7 @@ class Name(rname.Name):
         return self._attr_obj
 
 
-class _NameAttributeMapping(collections.MutableMapping):
+class _NameAttributeMapping(MutableMapping):
 
     """Provides dict-like access to RFC 6680 Name attributes."""
     def __init__(self, name):
@@ -345,7 +349,7 @@ class _NameAttributeMapping(collections.MutableMapping):
             complete = False
 
         if (isinstance(value, (six.string_types, bytes)) or
-                not isinstance(value, collections.Iterable)):
+                not isinstance(value, Iterable)):
             # NB(directxman12): this allows us to easily assign a single
             # value, since that's a common case
             value = [value]

gssapi/raw/__init__.py

@@ -69,6 +69,12 @@ try:
 except ImportError:
     pass
 
+# optional RFC 4178 support
+try:
+    from gssapi.raw.ext_rfc4178 import *  # noqa
+except ImportError:
+    pass
+
 # optional RFC 5587 support
 try:
     from gssapi.raw.ext_rfc5587 import *  # noqa
@@ -125,3 +131,9 @@ try:
     from gssapi.raw.ext_ggf import *  # noqa
 except ImportError:
     pass
+
+# optional set_cred_option support
+try:
+    from gssapi.raw.ext_set_cred_opt import *  # noqa
+except ImportError:
+    pass

gssapi/raw/cython_converters.pxd

@@ -32,5 +32,5 @@ cdef inline object c_c_ttl_to_py(OM_uint32 ttl):
 cdef inline bint c_compare_oids(gss_OID a, gss_OID b):
     """Compare two OIDs to see if they are the same."""
 
-    return (a.length == b.length and
-            not memcmp(a.elements, b.elements, a.length))
+    return (a.length == b.length and not
+            memcmp(a.elements, b.elements, a.length))