Fix up the interface we present to mention SPNEGO

[frozencemetery]

(It's probably easiest to look at README.rst after the changes. Most of these were performed with sed and as such aren't very interesting.)

New auth provider is named "HTTPSPNEGOAuth". If there are suggestions., I am happy to modify the API to be more than a bare shim. If they're breaking backward compat, now is the time to offer them before we merge this :)

[simo5]

I think we should deprecate principal and hostname_override and instead allow to pass in GSS-Names, although hostname_override is relatively neutral, principal applies only to kerberos as a concept, and I do not think it expresses the richness it could (does it support enterprise names as is ?)

[simo5]

force_preemptive is a strange name, the strategy is normally called "opportunistic auth", maybe we should also deprecate that old name and introduce a better one here.

[simo5]

I think it may also be nice to let delegate have mutliple values given we have 2 delegate flags that means two different things.

[simo5]

another thing we may want to consider is the ability to pass in a python-gssapi credential instead of havin request-gssapi always find it itself, this is better than passing in principal as it allows to use a MEMORY creadential we just created and is not in the defaul cache collection used by the system. Otherwise we'd have to set the process ccache and this will impact other threads/functions unnecessarily. Bad especially in systems that deal with multiple users as proxies of some kind (that use delegation for example).

[frozencemetery]

I think it may also be nice to let delegate have mutliple values given we have 2 delegate flags that means two different things.

GSSAPI only has GSS_C_DELEG_FLAG; I'm not sure what second one you mean? (Stream cross with gssproxy conversation perhaps?)

[simo5]

GSS_C_DELEG_POLICY_FLAG

[frozencemetery]

GSS_C_DELEG_POLICY_FLAG

Well, one issue with that is that python-gssapi doesn't know about that flag, but we could teach it [python-gssapi issue #132](pythongssapi/python-gssapi#132)

[simo5]

Can we have conditional support in this code until python-gssapi gets it, or should we rather wait and fix it later?

[frozencemetery]

I'd rather wait until it at least lands in python-gssapi master, but I am working on that as well.

For the interface, because python, we can reuse the delegate parameter, and give it a other options besides True and False - "if_permitted" or something, and that all works out.

What I'm not clear on is how that would behave, and moreover what behaviors we want to support. The Heimdal doc defines four behaviors based on the two flags being set or not; I'm not clear which are desirable here, and how to handle the new two cases in the code.

[frozencemetery]

Four new commits, hopefully addressing your API suggestions @simo5 (except delegate; see above).

[simo5]

nitpicks :)

[simo5]

I was thinking we shouldn't retain force_preemptive, but provide a translation from that flag to opportunistic_auth in the wrapper that respondes to the old class name (HTTPKerberosAuth)

[simo5]

should we retain hostname_override at all ?
shouldn't we just deal it in the compat wrapper for the old class to translate it into a gssapi service name before calling into the HTTPSPNEGOAuth initializer ?

[simo5]

If we want to make it easy to pass in a string instead of a gssapi name type then we could change the service string to allow to pass in "HTTP@hostname", it sounds silly to have a "hostname_pverride as a separate argument when you can easily use the "service", which I would perhaps rename to "target", but that may be going too far.

[frozencemetery]

Pushed up a new version with a stricter shim that hopefully behaves more in line with your suggestion.

[frozencemetery]

@simo5 please re-review, thanks!

[simo5]

/lgtm