From dbd39d9ac83852ccf9e1f26069b7d03c829bf632 Mon Sep 17 00:00:00 2001
From: Bernie Hackett <bernie@10gen.com>
Date: Wed, 16 Aug 2017 10:51:55 -0700
Subject: [PATCH] PYTHON-1354 - Work around WinKerberos deprecations

The user, domain, and password arguments to authGSSClientInit
are deprecated. The principal argument works as of 0.5.0. Use
it instead.
---
 pymongo/auth.py | 28 ++++++++++++++++++++++------
 setup.py        |  2 +-
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/pymongo/auth.py b/pymongo/auth.py
index 04f119e3d..a6cce49ec 100644
--- a/pymongo/auth.py
+++ b/pymongo/auth.py
@@ -17,9 +17,17 @@
 import hmac
 import socket
 
+try:
+    from urllib import quote
+except ImportError:
+    from urllib.parse import quote
+
 HAVE_KERBEROS = True
+_USE_PRINCIPAL = False
 try:
     import winkerberos as kerberos
+    if tuple(map(int, kerberos.__version__.split('.')[:2])) >= (0, 5):
+        _USE_PRINCIPAL = True
 except ImportError:
     try:
         import kerberos
@@ -292,13 +300,21 @@ def _authenticate_gssapi(credentials, sock_info):
             service = service + '@' + props.service_realm
 
         if password is not None:
-            if '@' in username:
-                user, domain = username.split('@', 1)
+            if _USE_PRINCIPAL:
+                # Note that, though we use unquote_plus for unquoting URI
+                # options, we use quote here. Microsoft's UrlUnescape (used
+                # by WinKerberos) doesn't support +.
+                principal = ":".join((quote(username), quote(password)))
+                result, ctx = kerberos.authGSSClientInit(
+                    service, principal, gssflags=kerberos.GSS_C_MUTUAL_FLAG)
             else:
-                user, domain = username, None
-            result, ctx = kerberos.authGSSClientInit(
-                service, gssflags=kerberos.GSS_C_MUTUAL_FLAG,
-                user=user, domain=domain, password=password)
+                if '@' in username:
+                    user, domain = username.split('@', 1)
+                else:
+                    user, domain = username, None
+                result, ctx = kerberos.authGSSClientInit(
+                    service, gssflags=kerberos.GSS_C_MUTUAL_FLAG,
+                    user=user, domain=domain, password=password)
         else:
             result, ctx = kerberos.authGSSClientInit(
                 service, gssflags=kerberos.GSS_C_MUTUAL_FLAG)
diff --git a/setup.py b/setup.py
index 229910b5c..e923d9d62 100755
--- a/setup.py
+++ b/setup.py
@@ -321,7 +321,7 @@ vi = sys.version_info
 if vi[0] == 2:
     extras_require['tls'].append("ipaddress")
 if sys.platform == 'win32':
-    extras_require['gssapi'] = ["winkerberos>=0.3.0"]
+    extras_require['gssapi'] = ["winkerberos>=0.5.0"]
     if vi[0] == 2 and vi < (2, 7, 9) or vi[0] == 3 and vi < (3, 4):
         extras_require['tls'].append("wincertstore>=0.2")
 else: