strawman for ntlm support using rubyntlm gem #59
Conversation
|
is this still relevant? if so, how stable is the ruby-ntlm gem and what about specs? see #54. |
|
I think it is still relevant to anyone trying to access a SOAP web service over NTLM transport, but the way forward is muddy. (this pull request is a strawman -- you can kill it; I wasn't sure how to post a comment on the project such that both the maintainer and other contributors could talk about it) In my case, I was trying to take a linux-deployed Rails app and get data from a Sharepoint site (via Sharepoints SOAP API) that is deployed on a windows intranet using NTLM auth (Sharepoint + NTLM is extremely common in IT intranets) Maybe this is a rare intersection of technologies, but if it's useful I wanted to offer the idea to the community. So, if you'd like me to flesh this out futher, what do you think would make sense? some open questions:
re: use of ruby-ntlm:
|
|
I'm trying to refresh my memory as to why I thought httpi-ntlm was windows only. Checked pyu-ntlm-http where the functions are defined, and it looks cross-platform now... before I could have sworn there was a link somewhere to a windows native function or library. I have to retry my implementation with the latest stuff and get back to you. |
|
hey @coldnebo, thanks for following up! as far as i know, httpi-ntlm should be platform-independent. that gem is really just a hack, because i didn't want to add ntlm support to httpi itself. by now, httpi should be a little more extensible and i would like to keep ntlm support as an "addon". my main problem is, that i don't think there are any integration tests for ntlm and that i'm not very familiar with ntlm authentication in general and i have no idea whether ruby-ntlm is superior to pyu-ntlm-http or others. so any changes to the current ntlm implementation need a good set of (integration) specs. |
|
ok, I'll take a stab at trying to clean this up for real. I totally understand -- it's a PITA. There are no public NTLM servers for integration tests, however I think I can get the Windows Server 2012 trial VHD and writeup an integration test plan for this and then work up from the most recent pulls. I have some free time coming up to work on this. |
|
that would be just awesome! let me know when you have any questions or code to talk about. |
|
Ok, here is a basic integration test plan that works with the fork I made of httpi. Next step is to figure out how to integrate this better. |
|
@coldnebo nice work! i hope automating this isn't going to be too painful. |
|
Ok, here's the revised version... looks like the pull request did the right thing and only showed my changes (awesome!). So, I've noted the caveat in the net_http_spec.rb file, namely that currently the configured server has to be running before that integration test will work... it's not completely automated. But if you don't set the environment variable NTLM=on before running the specs, it won't run that test. All other tests currently pass as they do in master. I think the next step is if you or someone else can replicate the results. Some of my doc may need to be rewritten -- also, I wasn't sure where the doc has gone since README.md moved most of it to http://httpirb.com/ Comments welcome at this point. |
|
So here's what I discovered while trying to think of ways to automate this integration testing.... There is a possibility of configuring a publicly accessible win 2012 server on Azure that I looked at... but unfortunately it costs about $10/mo ($500 minimum commitment) for the cheapest deployment option. The other option is to put the 9GB VHD somewhere and start that up as part of the automation... but I can't see automating the install of virtualbox + the VHD -- it's possible, but it's like driving the Space Shuttle downtown. A simpler but less effective unit test would be to capture an example exchange via wireshark and then simply play that exchange back via a local server written with Rack or some such. A Rack server could be started with Puma, so maybe this is a better way to automate the test... I'm assuming the NTLM stack changes very rarely, but we could buttress it by running the standalone win2012 server integration test every once in a while to verify they still match. Ideas? |
|
hey larry, thanks again for helping out. i won't be able to take a closer look at this until some day next week, but your suggestion to capture and playback the response, while occasionally verifying it's still valid, sounds like a good tradeoff. |
|
Ok, I'll fire up wireshark and give that a go. Thanks! |
|
Ok, the simulated NTLM exchange is now part of the Rack IntegrationServer and respective rspec tests and runs without restriction. The external test against a real NTLM server can be run manually by passing "NTLM=external bundle exec rspec" assuming the server exists and is configured according to the instructions. Happy new year! |
|
@coldnebo It would be great if you "fix" the first commit. It's very difficult to do code review right now.
I hope you understands and thanks for the help! |
|
ok, no prob. I saw that on my branch but when I looked at the files diff above, it looked ok... I'm assuming this is still a broken view in git though... I'll fix it tonight. Thanks! |
|
this ended up in pull 80: #80 |
I have been trying to get Savon to work with ntlm connections, but I couldn't get it working with the ntlm experimental branch -- so here's a version (including unit and integration tests) using the newer rubyntlm gem.
here's the writeup