Add kerberos support to authentication pip (when supported)

docs/html/reference/pip_install.rst

@@ -513,6 +513,21 @@ SSL Certificate Verification
 Starting with v1.3, pip provides SSL certificate verification over https, to
 prevent man-in-the-middle attacks against PyPI downloads.
 
+.. _`Kerberos Authentication`:
+
+Kerberos Authentication
+++++++++++++++++++++++++++++
+
+Starting with v10.0, pip supports using a Kerberos ticket to authenticate
+with servers. This feature requires that ``pykerberos`` or ``winkerberos``
+is installed in the same environment as pip.
+
+If you wish to ignore Kerberos authenticated (index) servers for bootstrapping
+the installation of ``pykerberos`` or ``winkerberos`` or are not authenticated
+for all servers by default pip will ask for input. To change this behaviour
+to ignore those servers use the ``--no-input`` command line option. Your system
+administrator can also set this in the config files or an environment variable,
+see :ref:`Configuration`.
 
 .. _`Caching`:
 

news/4854.feature

@@ -0,0 +1 @@
+Add kerberos support to possible authenticators, when available. Vendor in requests_kerberos 0.11.0.

news/requests_kerberos.vendor

@@ -0,0 +1 @@
+Vendored requests_kerberos at requests_kerberos==0.11.0

src/pip/_internal/download.py

@@ -101,6 +101,14 @@
         )
 
 
+try:
+    from pip._vendor.requests_kerberos import HTTPKerberosAuth
+    from pip._vendor.requests_kerberos import kerberos_ as ik
+    _KERBEROS_AVAILABLE = True
+
+except ImportError:
+    _KERBEROS_AVAILABLE = False
+
 __all__ = ['get_file_content',
            'is_url', 'url_to_path', 'path_to_url',
            'is_archive_file', 'unpack_vcs_link',
@@ -494,6 +502,47 @@ def save_credentials(self, resp, **kwargs):
                 logger.exception('Failed to save credentials')
 
 
+class MultiAuth(AuthBase):
+    def __init__(self, initial_auth=None, *auths):
+        if initial_auth is None:
+            self.initial_auth = MultiDomainBasicAuth(prompting=False)
+        else:
+            self.initial_auth = initial_auth
+
+        self.auths = auths
+
+    def __call__(self, req):
+        req = self.initial_auth(req)
+        self._register_hook(req, 0)  # register hook after auth itself
+        return req
+
+    def _register_hook(self, req, i):
+        if i >= len(self.auths):
+            return
+
+        def hook(resp, **kwargs):
+            self.handle_response(resp, i, **kwargs)
+
+        req.register_hook("response", hook)
+
+    def handle_response(self, resp, i, **kwargs):
+        if resp.status_code != 401:  # authorization required
+            return resp
+
+        # clear response
+        resp.content
+        resp.raw.release_conn()
+
+        req = self.auths[i](resp.request)  # deletegate to ith auth
+        logger.info('registering hook {}'.format(i + 1))
+        self._register_hook(req, i + 1)  # register hook after auth itself
+
+        new_resp = resp.connection.send(req, **kwargs)
+        new_resp.history.append(resp)
+
+        return new_resp
+
+
 class LocalFSAdapter(BaseAdapter):
 
     def send(self, request, stream=None, timeout=None, verify=None, cert=None,
@@ -579,8 +628,10 @@ def __init__(self, *args, **kwargs):
         """
         retries = kwargs.pop("retries", 0)
         cache = kwargs.pop("cache", None)
+
         trusted_hosts = kwargs.pop("trusted_hosts", [])  # type: List[str]
         index_urls = kwargs.pop("index_urls", None)
+        prompting = kwargs.pop("prompting", True)
 
         super(PipSession, self).__init__(*args, **kwargs)
 
@@ -592,7 +643,21 @@ def __init__(self, *args, **kwargs):
         self.headers["User-Agent"] = user_agent()
 
         # Attach our Authentication handler to the session
-        self.auth = MultiDomainBasicAuth(index_urls=index_urls)
+        no_prompt = MultiDomainBasicAuth(prompting=False)
+        prompt = MultiDomainBasicAuth(prompting=True)
+        prompt.passwords = no_prompt.passwords  # share same dict of passwords
+
+        if _KERBEROS_AVAILABLE and prompting:
+            auths = [no_prompt, HTTPKerberosAuth(ik.REQUIRED), prompt]
+        elif _KERBEROS_AVAILABLE and not prompting:
+            auths = [no_prompt, HTTPKerberosAuth(ik.REQUIRED)]
+        else:
+            auths = [MultiDomainBasicAuth(
+                prompting=prompting,
+                index_urls=index_urls
+            )]
+
+        self.auth = MultiAuth(*auths)
 
         # Create our urllib3.Retry instance which will allow us to customize
         # how we handle retries.

src/pip/_internal/utils/logging.py

@@ -304,6 +304,13 @@ def setup_logging(verbosity, no_color, user_log_file):
     # enabled for vendored libraries.
     vendored_log_level = "WARNING" if level in ["INFO", "ERROR"] else "DEBUG"
 
+    # Similar for vendored Kerberos, which is a bit trigger happy.
+    logging.addLevelName(logging.CRITICAL + 1, "SUPERCRITICAL")
+    kerberos_log_level = (
+        "SUPERCRITICAL" if level in ["INFO", "ERROR"] else
+        "DEBUG"
+    )
+
     # Shorthands for clarity
     log_streams = {
         "stdout": "ext://sys.stdout",
@@ -387,8 +394,11 @@ def setup_logging(verbosity, no_color, user_log_file):
         "loggers": {
             "pip._vendor": {
                 "level": vendored_log_level
+            },
+            "pip._vendor.requests_kerberos.kerberos_": {
+                "level": kerberos_log_level
             }
-        },
+        }
     })
 
     return level_number

src/pip/_vendor/README.rst

@@ -104,6 +104,7 @@ Modifications
 * ``CacheControl`` has been modified to import its dependencies from ``pip._vendor``
 * ``requests`` has been modified to import its other dependencies from ``pip._vendor``
   and to *not* load ``simplejson`` (all platforms) and ``pyopenssl`` (Windows).
+* ``requests_kerberos`` has been modified to import its dependencies from ``pip._vendor``
 
 
 Automatic Vendoring

src/pip/_vendor/requests_kerberos/__init__.py

@@ -0,0 +1,25 @@
+"""
+requests Kerberos/GSSAPI authentication library
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Requests is an HTTP library, written in Python, for human beings. This library
+adds optional Kerberos/GSSAPI authentication support and supports mutual
+authentication. Basic GET usage:
+
+    >>> import pip._vendor.requests
+    >>> from pip._vendor.requests_kerberos import HTTPKerberosAuth
+    >>> r = pip._vendor.requests.get("http://example.org", auth=HTTPKerberosAuth())
+
+The entire `requests.api` should be supported.
+"""
+import logging
+
+from .kerberos_ import HTTPKerberosAuth, REQUIRED, OPTIONAL, DISABLED
+from .exceptions import MutualAuthenticationError
+from .compat import NullHandler
+
+logging.getLogger(__name__).addHandler(NullHandler())
+
+__all__ = ('HTTPKerberosAuth', 'MutualAuthenticationError', 'REQUIRED',
+           'OPTIONAL', 'DISABLED')
+__version__ = '0.11.0'

src/pip/_vendor/requests_kerberos/compat.py

@@ -0,0 +1,14 @@
+"""
+Compatibility library for older versions of python
+"""
+import sys
+
+# python 2.7 introduced a NullHandler which we want to use, but to support
+# older versions, we implement our own if needed.
+if sys.version_info[:2] > (2, 6):
+    from logging import NullHandler
+else:
+    from logging import Handler
+    class NullHandler(Handler):
+        def emit(self, record):
+            pass

src/pip/_vendor/requests_kerberos/exceptions.py

@@ -0,0 +1,15 @@
+"""
+requests_kerberos.exceptions
+~~~~~~~~~~~~~~~~~~~
+
+This module contains the set of exceptions.
+
+"""
+from pip._vendor.requests.exceptions import RequestException
+
+
+class MutualAuthenticationError(RequestException):
+    """Mutual Authentication Error"""
+
+class KerberosExchangeError(RequestException):
+    """Kerberos Exchange Failed Error"""