Sync from SUSE:SLFO:Main python-pyspnego revision ef4e1fc93c4d54e77041d84d51491e5e

2025-03-12 17:32:03 +01:00 · 2025-03-12 17:32:03 +01:00 · cac2fb33b2
commit cac2fb33b2
4 changed files with 381 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/pyspnego-0.11.2.tar.gz
+++ b/pyspnego-0.11.2.tar.gz
--- a/python-pyspnego.changes
+++ b/python-pyspnego.changes
@ -0,0 +1,272 @@
+-------------------------------------------------------------------
+Mon Nov 11 20:27:41 UTC 2024 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.11.2
+  * Fix CredSSP acceptor with LibreSSL.
+  * Bump dev deps and add 3.13 support.
+  * Update integration tests for 3.13.
+
+-------------------------------------------------------------------
+Mon Aug  5 19:04:53 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.11.1:
+  * Import `ARC4` cipher from the new `decrepits` module sub-
+    package, this removes the warning issued in newer versions of
+    the `cryptography` library
+
+-------------------------------------------------------------------
+Thu Jun 20 07:36:41 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.11.0:
+  * Support input password string encoded with the
+    `surrogatepass` error option
+  * This allows the caller to provide a password for a gMSA or
+    machine account that could contain invalid surrogate pairs
+    for both NTLM and Kerberos auth.
+  * Stop using deprecated `datetime.dateime.utcnow()` for CredSSP
+    acceptor context
+
+-------------------------------------------------------------------
+Sat Jun  8 22:35:51 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.10.2:
+  * Another rename of the `sspi` package dependency to `sspilib`
+  * Rename `sspi` package dependency to `sspic` to avoid
+    conflicts with pywin32
+  * Drop support for Python 3.7 - new minimum is 3.8+
+  * Moved SSPI bindings out into a separate package called `sspi`
+    This simplifies this project as it doesn't have to worry
+    about SSPI correctness.  The `sspi` package improves
+    performance and memory allocation with a more robust API
+  * Fixes an issue with Cython 3 allowing it to align with more
+    modern versions going forward
+
+-------------------------------------------------------------------
+Mon Sep  4 18:26:17 UTC 2023 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.9.2
+  * Only CI related changes
+- Update to version 0.9.1
+  * Always set the NTLMSSP_REQUEST_VERSION flag on the
+    NTLM Negotiate message.  This aligns the behaviour with how
+    SSPI generates this message.
+
+-------------------------------------------------------------------
+Wed May 10 07:03:54 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.9.0:
+  * Added the `spnego.ContextReq.dce_style` flag to enable DCE
+    authentication mode
+  * The value for `spnego.iov.BufferType.sign_only` on SSPI has
+    changed from representing `SECBUFFER_MECHLIST` to
+    `SECBUFFER_READONLY_WITH_CHECKSUM`
+  * Added the IOV buffer type
+    `spnego.iov.BufferType.data_readonly`
+  * Added limited support for `wrap_iov` and `unwrap_iov` in the
+    Python NTLM context provider.
+  * Added the `query_message_sizes()` function on a context to
+    retrieve the important message sizes
+    Currently this only contains the size of the message
+    `header`, also known as the signature or security trailer
+  * Added the `spnego.ContextReq.no_integrity` flag to disable
+    integrity/confidentiality on Kerberos/Negotiate contexts
+  * Added optional kwargs to `step()` on a security context
+    `channel_bindings`
+  * Added support for decoding the following TLS payloads with
+    `python -m spnego --token ...`
+          * Client Hello
+          * Server Hello
+          * Certificate
+          * Server Key Exchange
+          * Client Key Exchange
+          * Certificate Request
+  * Added the `new_context()` method on the context proxies to
+    provide an easy and efficient way to re-use the context
+    credentials and options for a new context
+  * Removed use of `gssntlmssp` to simplify codebase and ensure a
+    consistent experience across OS versions
+  * Using NTLM on a non-Windows system will use the Python NTLM
+    implementation instead
+
+-------------------------------------------------------------------
+Tue May  9 13:49:10 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
+
+- add sle15_python_module_pythons
+
+-------------------------------------------------------------------
+Wed Nov  9 18:35:52 UTC 2022 - Yogalakshmi Arunachalam <yarunachalam@suse.com>
+
+- Update to 0.6.3
+  * Ignore GSS_S_NO_CONTEXT errors on GSSAPI after stepping through the token exchange before the context is complete
+    This is raised by MIT krb5 before 1.14.x and can be ignored
+
+- Update to 0.6.2
+  * Fix up sdist and wheels to include py.typed type annotation marker
+
+- Update to 0.6.1
+  * Added Python 3.11 wheel
+
+-------------------------------------------------------------------
+Fri Oct 28 20:23:03 UTC 2022 - Yogalakshmi Arunachalam <yarunachalam@suse.com>
+
+- Update to 0.6.0
+  * Drop support for Python 3.6 - new minimum is 3.7+
+  * Moved setuptools config into pyproject.toml and made Cython a build requirement for Windows
+     For most users this is a hidden change
+     If a tool follows the PEP 517 standard, like pip, this build dependency will work automatically
+     The pre cythonised files are no longer included in the sdist going forward
+
+- Update to 0.5.4
+  * Fix str of enum values when running in Python 3.11 to be consistent with older versions
+  * Support gssapi on 1.5.x which comes with RHEL 8.
+
+- Update to 0.5.3
+  * Fix heap allocation errors when running with heap allocation monitoring on Windows
+
+- Update to 0.5.2
+  * Added custom MD4 hashing code for NTLM to use.
+     Newer Linux distributions ship with OpenSSL 3.x which typically disables MD4 breaking the use of hashlib.new('md4', b"")
+     Using this custom code allows NTLM to continue to work
+     While it's bad to continue to use older hashing mechanisms in this case there is no valid alternative available
+
+- Update to 0.5.1
+  * Call gss_inquire_sec_context_by_oid(ctx, spnego_req_mechlistMIC_oid) when using pure NTLM over GSSAPI to ensure the token contains a MIC
+
+-------------------------------------------------------------------
+Sat Oct  1 12:14:25 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.5.0:
+  * Added the `auth_stage` extra_info for a CredSSP context to give a human
+    friendly indication of what sub auth stage it is up to.
+  * Added the `protocol_version` extra_info for a CredSSP context to return the
+    negotiated CredSSP protocol version.
+  * Added the `credssp_min_protocol` keyword argument for a CredSSP context to
+    set a minimum version the caller will accept of the peer.
+    * This can be set to `5+` to ensure the peer supports and applies the mitigations for CVE-2018-0886.
+  * Added safeguards when trying to retrieve the completed context attributes
+    of `NegotiateProxy` before any contexts have been set up
+
+-------------------------------------------------------------------
+Tue Feb 22 09:26:20 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.4.0:
+  * Add `usage` argument for `tls.default_tls_context` to control whether the
+    context is for a initiator or acceptor
+  * Add type annotations and include `py.typed` in the package for downstream
+    library use
+  * Expose the `ContextProxy` class for type annotation use
+  * Added `get_extra_info` to `ContextProxy` to expose a common way to retrieve
+    context specific information, this is currently used by CredSSP to retrieve
+    * `client_credential`: The delegated client credential for acceptors
+      once the context is complete
+    * `sslcontext`: The SSL context used to create the TLS object
+    * `ssl_object`: The TLS object used during the CredSSP exchange
+  * The `client_credential` property on `CredSSP` has been removed in
+    favour of `context.get_extra_info('client_credential')
+  * Added support for custom credential types
+    * Can be used to for things like NTLM authentication with NT/LM hashes,
+      Kerberos with a keytab or from an explicit CCache, etc
+  * Support calling SSPI through `pyspnego`'s Negotiate proxy context
+    * This allows users on Windows to still use Negotiate auth but with a
+       complex set of credentials
+    * Also opens up the ability to use Negotiate but only with Kerberos auth
+  * The `username` and `password` property on the auth context object are
+    deprecated and will return `None` until it is removed in a future release
+
+-------------------------------------------------------------------
+Sat Nov  6 11:10:17 UTC 2021 - Ben Greiner <code@bnavigator.de>
+
+- Reactivate python36 build
+
+-------------------------------------------------------------------
+Fri Oct 29 18:44:17 UTC 2021 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.3.1
+  * Do not convert GSSAPI service to lowercase for GSSAPI and
+    uppercase for SSPI
+    * SPNs are case insensitive on Windows but case sensitive on
+      Linux
+    * Convering the service portion to upper or lower case could
+      cause problems finding the target server on non-Windows
+      GSSAPI implementations
+
+-------------------------------------------------------------------
+Mon Oct 25 19:41:06 UTC 2021 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.3.0
+  Packaging Changes
+  * Changed project structure to a src layout
+  * Include both Cython pyx/pyd and C files for SSPI in the
+    sdist generated
+  * Added Python 3.10 wheel
+  Bugfixes
+  * Ensure bad SPNEGO token inputs are raised as InvalidTokenError
+    rather than struct.error
+- Update to version 0.2.0
+  Breaking Changes
+  * Drop support for Python 2.7 and 3.5 - new minimum is 3.6+
+  * Made the gss, negotiate, ntlm, sspi exports private, use the
+    spnego.client and spnego.server functions instead
+    + A deprecation warning is raised when importing from these
+      package directly and this will be removed in the next major
+      release
+  Features
+  * Added support for CredSSP authentication using
+    protocol='credssp'
+  * Allow optional keyword arguments to be used with spnego.client
+    and spnego.server to control authentication specific options
+  Bugfixes
+  * Use Kerberos API to acquire Kerberos credential to get a
+    forwardable token in a thread safe manner
+  * Fix default credential logic when no username is provided
+    based on GSSAPI rules rather than just the default principal
+  * Ignore SPNEGO mechListMIC if it contains the same value as
+    the responseToken due to an old Windows SPNEGO logic bug.
+  * Do not use SSPI when auth='ntlm' and the password is in the
+    form {lm_hash}:{nt_hash}
+
+-------------------------------------------------------------------
+Thu May 13 16:27:28 UTC 2021 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.1.6
+  * Change enum type of iov.BufferType to IntEnum to fix load on
+    Python 3.10 - #10
+  * Make pyspnego-parse and entry point which uses __main__.py in
+    the spnego package. This allows users to use the parser script
+    by running python -m spnego --token ...
+
+-------------------------------------------------------------------
+Tue Jan 12 09:47:29 UTC 2021 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.1.5
+  * Respect NETBIOS_COMPUTER_NAME when getting the workstation
+    name for NTLM tokens. This matches the behaviour of gss-ntlmssp
+    to ensure a consistent approach.
+
+-------------------------------------------------------------------
+Fri Dec  4 08:13:16 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.1.4
+  * Only send negState: request-mic for the first reply from an
+    acceptor for Negotiate auth.
+  * Strict interpretations of SPNEGO will fail if the initiator
+    sends this state as it is against the RFC.
+
+-------------------------------------------------------------------
+Thu Oct 29 16:47:02 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.1.3
+  * Added Python 3.9 to CI
+
+-------------------------------------------------------------------
+Sun Oct 25 15:53:36 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 0.1.2
+  * Fix up WinRM wrapping on SSPI
+- Update to version 0.1.1
+  * Include the cython files in the built sdist
+
+-------------------------------------------------------------------
+Sat Aug 22 14:27:14 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Initial package, version 0.1.0
--- a/python-pyspnego.spec
+++ b/python-pyspnego.spec
@ -0,0 +1,83 @@
+#
+# spec file for package python-pyspnego
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?sle15_python_module_pythons}
+Name:           python-pyspnego
+Version:        0.11.2
+Release:        0
+Summary:        Python SPNEGO authentication library
+License:        MIT
+Group:          Development/Languages/Python
+URL:            https://github.com/jborean93/pyspnego
+Source:         https://github.com/jborean93/pyspnego/archive/v%{version}.tar.gz#/pyspnego-%{version}.tar.gz
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module wheel}
+BuildRequires:  python-rpm-macros
+# SECTION test requirements
+BuildRequires:  %{python_module dataclasses if %python-base < 3.7}
+BuildRequires:  %{python_module cryptography}
+BuildRequires:  %{python_module pytest-mock}
+BuildRequires:  %{python_module pytest}
+# /SECTION
+BuildRequires:  fdupes
+Requires:       python-cryptography
+%if 0%{python_version_nodots} < 37
+Requires:       python-dataclasses
+%endif
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+Suggests:       python-gssapi >= 1.5.0
+Suggests:       python-ruamel.yaml
+BuildArch:      noarch
+%python_subpackages
+
+%description
+Library to handle SPNEGO (Negotiate, NTLM, Kerberos) authentication.
+Also includes a packet parser that can be used to decode raw
+NTLM/SPNEGO/Kerberos tokens into a human readable format.
+
+%prep
+%setup -q -n pyspnego-%{version}
+sed -i '1{/^#!/ d}' src/spnego/__main__.py
+
+%build
+%pyproject_wheel
+
+%install
+%pyproject_install
+%python_clone -a %{buildroot}%{_bindir}/pyspnego-parse
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+%post
+%python_install_alternative pyspnego-parse
+
+%postun
+%python_uninstall_alternative pyspnego-parse
+
+%check
+%pytest
+
+%files %{python_files}
+%license LICENSE
+%doc CHANGELOG.md README.md
+%python_alternative %{_bindir}/pyspnego-parse
+%{python_sitelib}/spnego
+%{python_sitelib}/pyspnego-%{version}.dist-info
+
+%changelog