Mapepire-IBMi
diff --git a/‎.github/actions/setup-venv/action.yml‎
Lines changed: 8 additions & 2 deletions b/‎.github/actions/setup-venv/action.yml‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/main.yml‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 60 additions & 0 deletions b/‎README.md‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎mapepire_python/authentication/kerberosTokenProvider.py‎
Lines changed: 104 additions & 0 deletions b/‎mapepire_python/authentication/kerberosTokenProvider.py‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎mapepire_python/core/utils.py‎
Lines changed: 1 addition & 1 deletion b/‎mapepire_python/core/utils.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎mapepire_python/data_types.py‎
Lines changed: 8 additions & 1 deletion b/‎mapepire_python/data_types.py‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎mapepire_python/websocket.py‎
Lines changed: 3 additions & 1 deletion b/‎mapepire_python/websocket.py‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎pyproject.toml‎
Lines changed: 5 additions & 1 deletion b/‎pyproject.toml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎requirements-dev.txt‎
Lines changed: 3 additions & 1 deletion b/‎requirements-dev.txt‎
Lines changed: 3 additions & 1 deletion
@@ -11,8 +11,14 @@ inputs:
 runs:
   using: composite
   steps:
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libkrb5-dev
+
     - name: Setup Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ inputs.python-version }}
 
@@ -26,7 +32,7 @@ runs:
         # Get the exact Python version to use in the cache key.
         echo "PYTHON_VERSION=$(python --version)" >> $GITHUB_ENV
 
-    - uses: actions/cache@v2
+    - uses: actions/cache@v4
       id: virtualenv-cache
       with:
         path: .venv
 
@@ -68,7 +68,7 @@ jobs:
               run: cd docs && make html
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup Python environment
         uses: ./.github/actions/setup-venv
@@ -91,7 +91,7 @@ jobs:
 
       - name: Restore mypy cache
         if: matrix.task.name == 'Type check'
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: .mypy_cache
           key: mypy-${{ env.CACHE_PREFIX }}-${{ runner.os }}-${{ matrix.python }}-${{ hashFiles('*requirements.txt') }}-${{ github.ref }}-${{ github.sha }}
@@ -118,7 +118,7 @@ jobs:
 
       - name: Upload package distribution files
         if: matrix.task.name == 'Build'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: package
           path: dist
@@ -135,12 +135,12 @@ jobs:
     needs: [checks]
     if: startsWith(github.ref, 'refs/tags/')
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 
@@ -155,7 +155,7 @@ jobs:
           echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
       - name: Download package distribution files
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: package
           path: dist
@@ -169,7 +169,7 @@ jobs:
           twine upload -u '${{ secrets.PYPI_USERNAME }}' -p '${{ secrets.PYPI_PASSWORD }}' dist/*
 
       - name: Publish GitHub release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
         with:
 
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 - add TLS support
 - enable server certificate verification by default
+- enable Kerberos authentication
 
 ## [v0.2.0](https://github.com/Mapepire-IBMi/mapepire-python/releases/tag/v0.2.0) - 2024-11-26
 - replace `websocket-client` with `websockets`
 
@@ -23,6 +23,9 @@
 - [Quick Start](#quick-start)
 - [Other Connection options](#other-connection-options)
   - [1. Using the `DaemonServer` object](#1-using-the-daemonserver-object)
+    - [1.1 Authenticating with Kerberos](#11-authenticating-with-kerberos)
+      - [1.1.1 Windows](#111-windows)
+      - [1.1.2 Other Platforms](#112-other-platforms)
   - [2. Passing the connection details as a dictionary](#2-passing-the-connection-details-as-a-dictionary)
   - [3. Using a config file (`.ini`) to store the connection details](#3-using-a-config-file-ini-to-store-the-connection-details)
   - [TLS Configuration](#tls-configuration)
@@ -155,6 +158,63 @@ creds = DaemonServer(
 job = SQLJob(creds)
 ```
 
+### 1.1 Authenticating with Kerberos
+If your IBM i is configured to support Kerberos authentication, you can authenticate using Kerberos instead of passing a plain-text password to the `DaemonServer` Object.
+
+#### 1.1.1 Windows
+
+If your Windows machine is part of a Kerberos realm and supports SSPI authentication, you can authenticate by creating the `DaemonServer` as shown below:
+```python
+from mapepire_python.data_types import DaemonServer
+from mapepire_python.authentication.kerberosTokenProvider import KerberosTokenProvider
+
+creds = DaemonServer(
+    host="SERVER",
+    password=KerberosTokenProvider(host="SERVER"),
+    user="USER",
+    port="PORT",
+)
+
+job = SQLJob(creds)
+```
+
+#### 1.1.2 Other Platforms
+
+For non-Windows platforms, Kerberos authentication requires a valid Ticket Granting Ticket (TGT) in your credential cache.
+
+Required Parameters:
+
+1. `host`: The IBM i host you are connecting to
+2. `realm`: Your Kerberos realm
+3. `realm_user`: Your Kerberos username
+4. `krb5_path`: Path to your `krb5.conf` configuration file
+
+Optional Parameters:
+
+1. `ticket_cache`: Path to your ticket cache (if not default)
+2. `krb5_mech`: The Kerberos 5 mechanism to use (if not default)
+
+```python
+from mapepire_python.data_types import DaemonServer
+from mapepire_python.authentication.kerberosTokenProvider import KerberosTokenProvider
+
+token_provider = KerberosTokenProvider(
+                  realm="REALM",
+                  realm_user="REALM_USER",
+                  host="SERVER",
+                  krb5_path="KRB5_PATH"
+                )
+
+creds = DaemonServer(
+    host="SERVER",
+    password=token_provider,
+    user="USER",
+    port="PORT",
+)
+
+job = SQLJob(creds)
+```
+
 ## 2. Passing the connection details as a dictionary
 
 You can also use a dictionary to configure the connection details:
 
@@ -0,0 +1,104 @@
+import base64
+import os
+import platform
+from typing import Final, Optional
+
+sspi = None
+gssapi = None
+PLATFORM = platform.system()
+TOKEN_PREFIX: Final = "_KERBEROSAUTH_"
+
+
+# For Windows SSPI token generation:
+if PLATFORM == "Windows":
+    import sspi
+else:
+    import gssapi
+
+
+class KerberosTokenProvider:
+    def __init__(
+        self,
+        host: str,
+        realm: Optional[str] = None,
+        realm_user: Optional[str] = None,
+        krb5_path: Optional[str] = None,
+        ticket_cache: Optional[str] = None,
+        krb5_mech: Optional[str] = None,
+    ):
+        self.host = host
+        self.realm = realm
+        self.realm_user = realm_user
+        self.krb5_path = krb5_path
+        self.ticket_cache = ticket_cache
+        self.krb5_mech = krb5_mech
+
+        if PLATFORM != "Windows":
+            missing = []
+            if not self.realm:
+                missing.append("realm")
+            if not self.realm_user:
+                missing.append("realm_user")
+            if not self.krb5_path:
+                missing.append("krb5_path")
+            if missing:
+                raise ValueError(f"Missing required parameters: {', '.join(missing)}")
+
+    def get_token(self) -> str:
+        return self._refresh_token()
+
+    def _refresh_token(self) -> str:
+        if PLATFORM == "Windows":
+            return self._refresh_token_windows()
+        else:
+            return self._refresh_token_unix()
+
+    def _format_token(self, token: bytes) -> str:
+        token_b64 = base64.b64encode(token).decode("utf-8")
+        return TOKEN_PREFIX + token_b64
+
+    def _refresh_token_windows(self) -> str:
+        target = f"krbsvr400/{self.host}"
+        client = sspi.ClientAuth("Kerberos", targetspn=target)
+
+        err, out_buffer = client.authorize(None)
+        if err != 0:
+            raise RuntimeError(f"Windows SSPI error when attempting Kerberos login: {hex(err)}")
+
+        token = out_buffer[0].Buffer
+        return self._format_token(token)
+
+    def _refresh_token_unix(self) -> str:
+        os.environ["KRB5_CONFIG"] = self.krb5_path
+        if self.ticket_cache:
+            os.environ["KRB5CCNAME"] = self.ticket_cache
+
+        mech = (
+            gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")
+            if self.krb5_mech is None
+            else gssapi.OID.from_int_seq(self.krb5_mech)
+        )
+
+        try:
+            user_name = gssapi.Name(
+                f"{self.realm_user}@{self.realm}", name_type=gssapi.NameType.user
+            )
+            cred = gssapi.Credentials(name=user_name, usage="initiate", mechs=[mech])
+            server_name = gssapi.Name(
+                f"krbsvr400@{self.host}", name_type=gssapi.NameType.hostbased_service
+            )
+            ctx = gssapi.SecurityContext(name=server_name, mech=mech, creds=cred, usage="initiate")
+
+            token = ctx.step(b"")
+            if token is None:
+                raise RuntimeError(
+                    "Failed to generate Kerberos token. No token returned from GSSAPI context."
+                )
+        except gssapi.exceptions.GSSError as e:
+            if "No credentials were supplied" in str(e) or "Unavailable" in str(e):
+                raise RuntimeError("No valid TGT found in credential cache.")
+            raise RuntimeError(
+                f"Kerberos token generation error when attempting Kerberos login: {str(e)}"
+            )
+
+        return self._format_token(token)
@@ -26,7 +26,7 @@ def wrapped(self, *args, **kwargs):
 
 
 def ignore_transaction_error(
-    method: Callable[..., ReturnType]
+    method: Callable[..., ReturnType],
 ) -> Callable[..., Optional[ReturnType]]:
     """
     Ignore transaction errors, returning `None` instead. Useful for
 
@@ -4,6 +4,8 @@
 
 from dataclasses_json import dataclass_json
 
+from mapepire_python.authentication.kerberosTokenProvider import KerberosTokenProvider
+
 
 def dict_to_dataclass(data: Dict[str, Any], dataclass_type: Any) -> Any:
     field_names = {f.name for f in fields(dataclass_type)}
@@ -44,11 +46,16 @@ class ServerTraceDest(Enum):
 class DaemonServer:
     host: str
     user: str
-    password: str
+    password: Union[str, KerberosTokenProvider]
     port: Optional[Union[str, int]]
     ignoreUnauthorized: Optional[bool] = False
     ca: Optional[Union[str, bytes]] = None
 
+    def get_password(self) -> str:
+        if isinstance(self.password, KerberosTokenProvider):
+            return self.password.get_token()
+        return self.password
+
 
 @dataclass_json
 @dataclass
 
@@ -16,7 +16,9 @@ def __init__(self, db2_server: DaemonServer) -> None:
         self.uri = f"wss://{db2_server.host}:{db2_server.port}/db/"
         self.headers = {
             "Authorization": "Basic "
-            + base64.b64encode(f"{db2_server.user}:{db2_server.password}".encode()).decode("ascii")
+            + base64.b64encode(f"{db2_server.user}:{db2_server.get_password()}".encode()).decode(
+                "ascii"
+            )
         }
         self.db2_server = db2_server
 
 
@@ -56,7 +56,11 @@ dev = [
     "sphinx-autobuild==2021.3.14",
     "sphinx-autodoc-typehints==1.23.3",
     "packaging",
-    "pre-commit"
+    "pre-commit",
+    "python-dotenv",
+    "pytest-env",
+    "gssapi",
+    'pywin32; sys_platform == "win32"'
 ]
 
 [tool.setuptools.packages.find]
 
@@ -10,4 +10,6 @@ black
 ruff
 mypy
 websockets
-pyee
+pyee
+gssapi
+pywin32; sys_platform == "win32"