Pull the GSSAPI principal out of the userattrs

This was originally getting the principal from the
user object itself which meant it was looking for
it in the database. Look in the attributes instead
which are stored in the user session.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

2 files changed, 5 insertions, 3 deletions

diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index b2c9549..8b84bc2 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -197,7 +197,8 @@ class AuthenticateRequest(ProviderPageBase):
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
             nameid = '_' + uuid.uuid4().hex
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
-            nameid = us.get_data('user', 'gssapi_principal_name')
+            userattrs = us.get_user_attrs()
+            nameid = userattrs.get('gssapi_principal_name')
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
             nameid = us.get_user().email
             if not nameid:
diff --git a/tests/helpers/http.py b/tests/helpers/http.py
index 0da7ee2..97098c8 100755
--- a/tests/helpers/http.py
+++ b/tests/helpers/http.py
@@ -94,8 +94,9 @@ class HttpSessions(object):
         session = self.get_session(url)
         allow_redirects = False
         if krb:
-            # In at least the test instance we don't get back a negotiate
-            # blob to do mutual authentication against.
+            # python-requests-kerberos isn't too bright about doing mutual
+            # authentication and it tries to do it on any non-401 response
+            # which doesn't work in our case since we follow redirects.
             kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
             kwargs['auth'] = kerberos_auth
             allow_redirects = True