From 4e41655532c31ba43fb74d9b79812adaa1f47bb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Mon, 8 May 2017 10:26:11 +0000
Subject: [PATCH] api: Better error message when confronted with NTLM
---
 certidude/auth.py | 2 ++
 tests/test_cli.py | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/certidude/auth.py b/certidude/auth.py
index 4fc743f..0be6063 100644
--- a/certidude/auth.py
+++ b/certidude/auth.py
@@ -46,6 +46,8 @@ def authenticate(optional=False):
 context.step(b64decode(token))
 except TypeError: # base64 errors
 raise falcon.HTTPBadRequest("Bad request", "Malformed token")
+ except gssapi.raw.exceptions.BadMechanismError:
+ raise falcon.HTTPBadRequest("Bad request", "Unsupported authentication mechanism (NTLM?) was offered. Please make sure you've logged into the computer with domain user account. The web interface should not prompt for username or password.")
 username, domain = str(context.initiator_name).split("@")
diff --git a/tests/test_cli.py b/tests/test_cli.py
index f820081..30d2a7d 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -887,6 +887,10 @@ def test_cli_setup_authority():
 assert "No Kerberos ticket offered" in r.text, r.text
 r = requests.get("http://ca.example.lan/api/", headers={"Authorization": "Negotiate blerrgh"})
 assert r.status_code == 400, r.text
+ assert "Malformed token" in r.text
+ r = requests.get("http://ca.example.lan/api/", headers={"Authorization": "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw=="})
+ assert r.status_code == 400, r.text
+ assert "Unsupported authentication mechanism (NTLM" in r.text
 r = requests.get("http://ca.example.lan/api/", auth=auth)
 assert r.status_code == 200, r.text
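Review bot: The new `except gssapi.raw.exceptions.BadMechanismError:` clause in `authenticate` covers only one GSSAPI failure. Any other error raised by `context.step()` on a token that base64-decodes cleanly (a defective or expired token, for instance) matches neither handler visible in this hunk, so it would presumably surface as an unhandled exception rather than a 400. Consider adding a generic handler after it, `except gssapi.raw.misc.GSSError:` followed by `raise falcon.HTTPBadRequest("Bad request", "Failed to process the offered authentication token")`, so that client-supplied input on this unauthenticated path always gets a controlled response. The body of `authenticate` starts and ends outside the hunk, so a broader handler may already exist further out.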
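Review bot: The `Negotiate TlRMTVNTUAAB…` header value added in `test_cli_setup_authority` is an opaque blob to the next reader. A comment above the request, such as `# base64 of an NTLMSSP NEGOTIATE (type 1) message; the server is expected to reject it as an unsupported mechanism`, would explain why this token must produce a 400. The two new content assertions also omit the `, r.text` failure message that the neighbouring status assertions carry, e.g. `assert "Malformed token" in r.text, r.text`, which keeps the failure output consistent with the rest of the test. The test function continues outside the hunk.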