@@ -127,7 +127,7 @@ func NewCommandAdmin(name, fullName string, out io.Writer, errout io.Writer) *co

 	)

 	if name == fullName {

-		cmds.AddCommand(version.NewVersionCommand(fullName, false))

+		cmds.AddCommand(version.NewVersionCommand(fullName, version.Options{}))

 	}

 	return cmds

@@ -197,7 +197,7 @@ func NewCommandCLI(name, fullName string, in io.Reader, out, errout io.Writer) *

 	cmds.AddCommand(experimental)

 	if name == fullName {

-		cmds.AddCommand(version.NewVersionCommand(fullName, false))

+		cmds.AddCommand(version.NewVersionCommand(fullName, version.Options{PrintClientFeatures: true}))

 	}

 	cmds.AddCommand(cmd.NewCmdOptions(out))

@@ -35,7 +35,7 @@ func NewCommandSTIBuilder(name string) *cobra.Command {

 		},

 	}

-	cmd.AddCommand(version.NewVersionCommand(name, false))

+	cmd.AddCommand(version.NewVersionCommand(name, version.Options{}))

 	return cmd

 }

@@ -50,6 +50,6 @@ func NewCommandDockerBuilder(name string) *cobra.Command {

 			kcmdutil.CheckErr(err)

 		},

 	}

-	cmd.AddCommand(version.NewVersionCommand(name, false))

+	cmd.AddCommand(version.NewVersionCommand(name, version.Options{}))

 	return cmd

 }

@@ -79,7 +79,7 @@ func NewCommandDeployer(name string) *cobra.Command {

 		},

 	}

-	cmd.AddCommand(version.NewVersionCommand(name, false))

+	cmd.AddCommand(version.NewVersionCommand(name, version.Options{}))

 	flag := cmd.Flags()

 	flag.StringVar(&cfg.rcName, "deployment", util.Env("OPENSHIFT_DEPLOYMENT_NAME", ""), "The deployment name to start")

@@ -129,7 +129,7 @@ func NewCommandF5Router(name string) *cobra.Command {

 		},

 	}

-	cmd.AddCommand(version.NewVersionCommand(name, false))

+	cmd.AddCommand(version.NewVersionCommand(name, version.Options{}))

 	flag := cmd.Flags()

 	options.Config.Bind(flag)

@@ -115,7 +115,7 @@ func NewCommandTemplateRouter(name string) *cobra.Command {

 		},

 	}

-	cmd.AddCommand(version.NewVersionCommand(name, false))

+	cmd.AddCommand(version.NewVersionCommand(name, version.Options{}))

 	flag := cmd.Flags()

 	options.Config.Bind(flag)

@@ -116,7 +116,7 @@ func NewCommandOpenShift(name string) *cobra.Command {

 	root.AddCommand(cli.NewCmdKubectl("kube", out))

 	root.AddCommand(newExperimentalCommand("ex", name+" ex"))

 	root.AddCommand(newCompletionCommand("completion", name+" completion"))

-	root.AddCommand(version.NewVersionCommand(name, true))

+	root.AddCommand(version.NewVersionCommand(name, version.Options{PrintEtcdVersion: true}))

 	// infra commands are those that are bundled with the binary but not displayed to end users

 	// directly

@@ -38,7 +38,7 @@ func NewCommand(name, fullName string, out io.Writer) *cobra.Command {

 	cmds.AddCommand(NewProxyCommand("proxy", fullName+" proxy", out))

 	cmds.AddCommand(NewSchedulerCommand("scheduler", fullName+" scheduler", out))

 	if "hyperkube" == fullName {

-		cmds.AddCommand(version.NewVersionCommand(fullName, false))

+		cmds.AddCommand(version.NewVersionCommand(fullName, version.Options{}))

 	}

 	return cmds

@@ -14,6 +14,10 @@ import (

 	"github.com/openshift/origin/pkg/cmd/util"

 )

+func BasicEnabled() bool {

+	return true

+}

+

 type BasicChallengeHandler struct {

 	// Host is the server being authenticated to. Used only for displaying messages when prompting for username/password

 	Host string

@@ -38,7 +42,7 @@ func (c *BasicChallengeHandler) CanHandle(headers http.Header) bool {

 	isBasic, _ := basicRealm(headers)

 	return isBasic

 }

-func (c *BasicChallengeHandler) HandleChallenge(headers http.Header) (http.Header, bool, error) {

+func (c *BasicChallengeHandler) HandleChallenge(requestURL string, headers http.Header) (http.Header, bool, error) {

 	if c.prompted {

 		glog.V(2).Info("already prompted for challenge, won't prompt again")

 		return nil, false, nil

@@ -93,6 +97,13 @@ func (c *BasicChallengeHandler) HandleChallenge(headers http.Header) (http.Heade

 	glog.V(2).Info("no username or password available")

 	return nil, false, nil

 }

+func (c *BasicChallengeHandler) CompleteChallenge(requestURL string, headers http.Header) error {

+	return nil

+}

+

+func (c *BasicChallengeHandler) Release() error {

+	return nil

+}

 // if any of these match a WWW-Authenticate header, it is a basic challenge

 // capturing group 1 (if present) should contain the realm

@@ -204,7 +204,7 @@ Password: `,

 			}

 			if canHandle {

-				headers, handled, err := tc.Handler.HandleChallenge(challenge.Headers)

+				headers, handled, err := tc.Handler.HandleChallenge("", challenge.Headers)

 				if !reflect.DeepEqual(headers, challenge.ExpectedHeaders) {

 					t.Errorf("%s: %d: Expected headers\n\t%#v\ngot\n\t%#v", k, i, challenge.ExpectedHeaders, headers)

 				}

new file mode 100644

@@ -0,0 +1,105 @@

+package tokencmd

+

+import (

+	"net/http"

+

+	"github.com/golang/glog"

+

+	apierrs "k8s.io/kubernetes/pkg/api/errors"

+	utilerrors "k8s.io/kubernetes/pkg/util/errors"

+)

+

+var _ = ChallengeHandler(&MultiHandler{})

+

+// MultiHandler manages a series of authentication challenges

+// it is single-use only, and not thread-safe

+type MultiHandler struct {

+	// handler holds the selected handler.

+	// automatically populated with the first handler to successfully respond to HandleChallenge(),

+	// and used exclusively by CanHandle() and HandleChallenge() from that point forward.

+	handler ChallengeHandler

+

+	// possibleHandlers holds handlers that could handle subsequent challenges.

+	// filtered down during HandleChallenge() by calling CanHandle() on each item.

+	possibleHandlers []ChallengeHandler

+

+	// allHandlers holds all handlers, for purposes of delegating Release() calls

+	allHandlers []ChallengeHandler

+}

+

+func NewMultiHandler(handlers ...ChallengeHandler) ChallengeHandler {

+	return &MultiHandler{

+		possibleHandlers: handlers,

+		allHandlers:      handlers,

+	}

+}

+

+func (h *MultiHandler) CanHandle(headers http.Header) bool {

+	// If we've already selected a handler, it alone can decide whether we can handle the current request

+	if h.handler != nil {

+		return h.handler.CanHandle(headers)

+	}

+

+	// Otherwise, return true if any of our handlers can handle this request

+	for _, handler := range h.possibleHandlers {

+		if handler.CanHandle(headers) {

+			return true

+		}

+	}

+

+	return false

+}

+

+func (h *MultiHandler) HandleChallenge(requestURL string, headers http.Header) (http.Header, bool, error) {

+	// If we've already selected a handler, it alone can handle all subsequent challenges (don't change horses in mid-stream)

+	if h.handler != nil {

+		return h.handler.HandleChallenge(requestURL, headers)

+	}

+

+	// Otherwise, filter our list of handlers to the ones that can handle this request

+	applicable := []ChallengeHandler{}

+	for _, handler := range h.possibleHandlers {

+		if handler.CanHandle(headers) {

+			applicable = append(applicable, handler)

+		}

+	}

+	h.possibleHandlers = applicable

+

+	// Then select the first available handler that successfully handles the request

+	var (

+		retryHeaders http.Header

+		retry        bool

+		err          error

+	)

+	for i, handler := range h.possibleHandlers {

+		retryHeaders, retry, err = handler.HandleChallenge(requestURL, headers)

+

+		if err != nil {

+			glog.V(5).Infof("handler[%d] error: %v", i, err)

+		}

+		// If the handler successfully handled the challenge, or we have no other options, select it as our handler

+		if err == nil || i == len(h.possibleHandlers)-1 {

+			h.handler = handler

+			return retryHeaders, retry, err

+		}

+	}

+

+	return nil, false, apierrs.NewUnauthorized("unhandled challenge")

+}

+

+func (h *MultiHandler) CompleteChallenge(requestURL string, headers http.Header) error {

+	if h.handler != nil {

+		return h.handler.CompleteChallenge(requestURL, headers)

+	}

+	return nil

+}

+

+func (h *MultiHandler) Release() error {

+	var errs []error

+	for _, handler := range h.allHandlers {

+		if err := handler.Release(); err != nil {

+			errs = append(errs, err)

+		}

+	}

+	return utilerrors.NewAggregate(errs)

+}

new file mode 100644

@@ -0,0 +1,112 @@

+package tokencmd

+

+import (

+	"encoding/base64"

+	"errors"

+	"net/http"

+	"strings"

+

+	"github.com/golang/glog"

+)

+

+// Negotiater defines the minimal interface needed to interact with GSSAPI to perform a negotiate challenge/response

+type Negotiater interface {

+	// InitSecContext returns the response token for a Negotiate challenge token from a given URL,

+	// or an error if no response token could be obtained or the incoming token is invalid.

+	InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error)

+	// IsComplete returns true if the negotiator is satisfied with the negotiation.

+	// This typically means gssapi returned GSS_S_COMPLETE to an initSecContext call.

+	IsComplete() bool

+	// Release gives the negotiator a chance to release any resources held during a challenge/response sequence.

+	// It is always invoked, even in cases where no challenges were received or handled.

+	Release() error

+}

+

+// NegotiateChallengeHandler manages a challenge negotiation session

+// it is single-host, single-use only, and not thread-safe

+type NegotiateChallengeHandler struct {

+	negotiater Negotiater

+}

+

+func NewNegotiateChallengeHandler(negotiater Negotiater) ChallengeHandler {

+	return &NegotiateChallengeHandler{negotiater: negotiater}

+}

+

+func (c *NegotiateChallengeHandler) CanHandle(headers http.Header) bool {

+	// Make sure this is a negotiate request

+	isNegotiate, _, err := getNegotiateToken(headers)

+	return err == nil && isNegotiate

+}

+

+func (c *NegotiateChallengeHandler) HandleChallenge(requestURL string, headers http.Header) (http.Header, bool, error) {

+	// Get incoming token

+	_, incomingToken, err := getNegotiateToken(headers)

+	if err != nil {

+		return nil, false, err

+	}

+

+	// Process the token

+	outgoingToken, err := c.negotiater.InitSecContext(requestURL, incomingToken)

+	if err != nil {

+		glog.V(5).Infof("InitSecContext returned error: %v", err)

+		return nil, false, err

+	}

+

+	// Build the response headers

+	responseHeaders := http.Header{}

+	responseHeaders.Set("Authorization", "Negotiate "+base64.StdEncoding.EncodeToString(outgoingToken))

+	return responseHeaders, true, nil

+}

+

+func (c *NegotiateChallengeHandler) CompleteChallenge(requestURL string, headers http.Header) error {

+	if c.negotiater.IsComplete() {

+		return nil

+	}

+	glog.V(5).Infof("continue needed")

+

+	// Get incoming token

+	isNegotiate, incomingToken, err := getNegotiateToken(headers)

+	if err != nil {

+		return err

+	}

+	if !isNegotiate {

+		return errors.New("client requires final negotiate token, none provided")

+	}

+

+	// Process the token

+	_, err = c.negotiater.InitSecContext(requestURL, incomingToken)

+	if err != nil {

+		glog.V(5).Infof("InitSecContext returned error during final negotiation: %v", err)

+		return err

+	}

+	if !c.negotiater.IsComplete() {

+		return errors.New("InitSecContext did not indicate final negotiation completed")

+	}

+	return nil

+}

+

+func (c *NegotiateChallengeHandler) Release() error {

+	return c.negotiater.Release()

+}

+

+const negotiateScheme = "negotiate"

+

+func getNegotiateToken(headers http.Header) (bool, []byte, error) {

+	for _, challengeHeader := range headers[http.CanonicalHeaderKey("WWW-Authenticate")] {

+		// TODO: handle WWW-Authenticate headers containing more than one scheme

+		caseInsensitiveHeader := strings.ToLower(challengeHeader)

+		if caseInsensitiveHeader == negotiateScheme {

+			return true, nil, nil

+		}

+		if strings.HasPrefix(caseInsensitiveHeader, negotiateScheme+" ") {

+			payload := challengeHeader[len(negotiateScheme):]

+			payload = strings.Replace(payload, " ", "", -1)

+			data, err := base64.StdEncoding.DecodeString(payload)

+			if err != nil {

+				return false, nil, err

+			}

+			return true, data, nil

+		}

+	}

+	return false, nil, nil

+}

new file mode 100644

@@ -0,0 +1,131 @@

+// +build gssapi

+

+package tokencmd

+

+import (

+	"net"

+	"net/url"

+	"sync"

+	"time"

+

+	"github.com/apcera/gssapi"

+	"github.com/golang/glog"

+

+	utilerrors "k8s.io/kubernetes/pkg/util/errors"

+)

+

+func GSSAPIEnabled() bool {

+	return true

+}

+

+type gssapiNegotiator struct {

+	// handle to a loaded gssapi lib

+	lib *gssapi.Lib

+	// error seen when loading the lib

+	loadError error

+	// lock to make sure we only load it once

+	loadOnce sync.Once

+

+	// service name of the server we are negotiating against

+	name *gssapi.Name

+	// security context holding the state of the negotiation

+	ctx *gssapi.CtxId

+	// flags indicating what options we want for the negotiation

+	// TODO: surface option for mutual authentication, e.g. gssapi.GSS_C_MUTUAL_FLAG

+	flags uint32

+

+	// track whether the last response from InitSecContext was GSS_S_COMPLETE

+	complete bool

+}

+

+func NewGSSAPINegotiator() Negotiater {

+	return &gssapiNegotiator{}

+}

+

+func (g *gssapiNegotiator) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

+	lib, err := g.loadLib()

+	if err != nil {

+		return nil, err

+	}

+

+	// Initialize our context if we haven't already

+	if g.ctx == nil {

+		u, err := url.Parse(requestURL)

+		if err != nil {

+			return nil, err

+		}

+

+		hostname := u.Host

+		if h, _, err := net.SplitHostPort(u.Host); err == nil {

+			hostname = h

+		}

+

+		serviceName := "HTTP@" + hostname

+		glog.V(5).Infof("importing service name %s", serviceName)

+		nameBuf, err := lib.MakeBufferString(serviceName)

+		if err != nil {

+			return nil, err

+		}

+		defer nameBuf.Release()

+

+		name, err := nameBuf.Name(lib.GSS_C_NT_HOSTBASED_SERVICE)

+		if err != nil {

+			return nil, err

+		}

+		g.name = name

+		g.ctx = lib.GSS_C_NO_CONTEXT

+	}

+

+	incomingTokenBuffer, err := lib.MakeBufferBytes(challengeToken)

+	if err != nil {

+		return nil, err

+	}

+	defer incomingTokenBuffer.Release()

+

+	var outgoingToken *gssapi.Buffer

+	g.ctx, _, outgoingToken, _, _, err = lib.InitSecContext(lib.GSS_C_NO_CREDENTIAL, g.ctx, g.name, lib.GSS_C_NO_OID, g.flags, time.Duration(0), lib.GSS_C_NO_CHANNEL_BINDINGS, incomingTokenBuffer)

+	defer outgoingToken.Release()

+

+	switch err {

+	case nil:

+		glog.V(5).Infof("InitSecContext returned GSS_S_COMPLETE")

+		g.complete = true

+		return outgoingToken.Bytes(), nil

+	case gssapi.ErrContinueNeeded:

+		glog.V(5).Infof("InitSecContext returned GSS_S_CONTINUE_NEEDED")

+		g.complete = false

+		return outgoingToken.Bytes(), nil

+	default:

+		glog.V(5).Infof("InitSecContext returned error: %v", err)

+		return nil, err

+	}

+}

+

+func (g *gssapiNegotiator) IsComplete() bool {

+	return g.complete

+}

+

+func (g *gssapiNegotiator) Release() error {

+	var errs []error

+	if err := g.name.Release(); err != nil {

+		errs = append(errs, err)

+	}

+	if err := g.ctx.Release(); err != nil {

+		errs = append(errs, err)

+	}

+	if err := g.lib.Unload(); err != nil {

+		errs = append(errs, err)

+	}

+	return utilerrors.NewAggregate(errs)

+}

+

+func (g *gssapiNegotiator) loadLib() (*gssapi.Lib, error) {

+	g.loadOnce.Do(func() {

+		glog.V(5).Infof("loading gssapi")

+		g.lib, g.loadError = gssapi.Load(nil)

+		if g.loadError != nil {

+			glog.V(5).Infof("could not load gssapi: %v", g.loadError)

+		}

+	})

+	return g.lib, g.loadError

+}

new file mode 100644

@@ -0,0 +1,25 @@

+// +build !gssapi

+

+package tokencmd

+

+import "errors"

+

+func GSSAPIEnabled() bool {

+	return false

+}

+

+type gssapiUnsupported struct{}

+

+func NewGSSAPINegotiator() Negotiater {

+	return &gssapiUnsupported{}

+}

+

+func (g *gssapiUnsupported) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

+	return nil, errors.New("GSSAPI support is not enabled")

+}

+func (g *gssapiUnsupported) IsComplete() bool {

+	return false

+}

+func (g *gssapiUnsupported) Release() error {

+	return errors.New("GSSAPI support is not enabled")

+}

@@ -9,6 +9,8 @@ import (

 	"net/url"

 	"strings"

+	"github.com/golang/glog"

+

 	apierrs "k8s.io/kubernetes/pkg/api/errors"

 	"k8s.io/kubernetes/pkg/api/unversioned"

 	"k8s.io/kubernetes/pkg/client/restclient"

@@ -19,28 +21,81 @@ import (

 // Corresponds to the header expected by basic-auth challenging authenticators

 const CSRFTokenHeader = "X-CSRF-Token"

+// ChallengeHandler handles responses to WWW-Authenticate challenges.

+type ChallengeHandler interface {

+	// CanHandle returns true if the handler recognizes a challenge it thinks it can handle.

+	CanHandle(headers http.Header) bool

+	// HandleChallenge lets the handler attempt to handle a challenge.

+	// It is only invoked if CanHandle() returned true for the given headers.

+	// Returns response headers and true if the challenge is successfully handled.

+	// Returns false if the challenge was not handled, and an optional error in error cases.

+	HandleChallenge(requestURL string, headers http.Header) (http.Header, bool, error)

+	// CompleteChallenge is invoked with the headers from a successful server response

+	// received after having handled one or more challenges.

+	// Returns an error if the handler does not consider the challenge/response interaction complete.

+	CompleteChallenge(requestURL string, headers http.Header) error

+	// Release gives the handler a chance to release any resources held during a challenge/response sequence.

+	// It is always invoked, even in cases where no challenges were received or handled.

+	Release() error

+}

+

+type RequestTokenOptions struct {

+	ClientConfig *restclient.Config

+	Handler      ChallengeHandler

+}

+

 // RequestToken uses the cmd arguments to locate an openshift oauth server and attempts to authenticate

 // it returns the access token if it gets one.  An error if it does not

 func RequestToken(clientCfg *restclient.Config, reader io.Reader, defaultUsername string, defaultPassword string) (string, error) {

-	challengeHandler := &BasicChallengeHandler{

-		Host:     clientCfg.Host,

-		Reader:   reader,

-		Username: defaultUsername,

-		Password: defaultPassword,

+	handlers := []ChallengeHandler{}

+	if GSSAPIEnabled() {

+		handlers = append(handlers, NewNegotiateChallengeHandler(NewGSSAPINegotiator()))

+	}

+	if BasicEnabled() {

+		handlers = append(handlers, &BasicChallengeHandler{Host: clientCfg.Host, Reader: reader, Username: defaultUsername, Password: defaultPassword})

+	}

+

+	var handler ChallengeHandler

+	if len(handlers) == 1 {

+		handler = handlers[0]

+	} else {

+		handler = NewMultiHandler(handlers...)

+	}

+

+	opts := &RequestTokenOptions{

+		ClientConfig: clientCfg,

+		Handler:      handler,

 	}

-	rt, err := restclient.TransportFor(clientCfg)

+	return opts.RequestToken()

+}

+

+// RequestToken locates an openshift oauth server and attempts to authenticate.

+// It returns the access token if it gets one, or an error if it does not.

+// It should only be invoked once on a given RequestTokenOptions instance.

+// The Handler held by the options is released as part of this call.

+func (o *RequestTokenOptions) RequestToken() (string, error) {

+	defer func() {

+		// Always release the handler

+		if err := o.Handler.Release(); err != nil {

+			// Release errors shouldn't fail the token request, just log

+			glog.V(4).Infof("error releasing handler: %v", err)

+		}

+	}()

+

+	rt, err := restclient.TransportFor(o.ClientConfig)

 	if err != nil {

 		return "", err

 	}

 	// requestURL holds the current URL to make requests to. This can change if the server responds with a redirect

-	requestURL := clientCfg.Host + "/oauth/authorize?response_type=token&client_id=openshift-challenging-client"

-	// requestHeaders holds additional headers to add to the request. This can be changed by challengeHandlers

+	requestURL := o.ClientConfig.Host + "/oauth/authorize?response_type=token&client_id=openshift-challenging-client"

+	// requestHeaders holds additional headers to add to the request. This can be changed by o.Handlers

 	requestHeaders := http.Header{}

 	// requestedURLSet/requestedURLList hold the URLs we have requested, to prevent redirect loops. Gets reset when a challenge is handled.

 	requestedURLSet := sets.NewString()

 	requestedURLList := []string{}

+	handledChallenge := false

 	for {

 		// Make the request

@@ -52,17 +107,19 @@ func RequestToken(clientCfg *restclient.Config, reader io.Reader, defaultUsernam

 		if resp.StatusCode == http.StatusUnauthorized {

 			if resp.Header.Get("WWW-Authenticate") != "" {

-				if !challengeHandler.CanHandle(resp.Header) {

+				if !o.Handler.CanHandle(resp.Header) {

 					return "", apierrs.NewUnauthorized("unhandled challenge")

 				}

-				// Handle a challenge

-				newRequestHeaders, shouldRetry, err := challengeHandler.HandleChallenge(resp.Header)

+				// Handle the challenge

+				newRequestHeaders, shouldRetry, err := o.Handler.HandleChallenge(requestURL, resp.Header)

 				if err != nil {

 					return "", err

 				}

 				if !shouldRetry {

 					return "", apierrs.NewUnauthorized("challenger chose not to retry the request")

 				}

+				// Remember if we've ever handled a challenge

+				handledChallenge = true

 				// Reset request set/list. Since we're setting different headers, it is legitimate to request the same urls

 				requestedURLSet = sets.NewString()

@@ -86,6 +143,14 @@ func RequestToken(clientCfg *restclient.Config, reader io.Reader, defaultUsernam

 			return "", unauthorizedError

 		}

+		// if we've ever handled a challenge, see if the handler also considers the interaction complete.

+		// this is required for negotiate flows with mutual authentication.

+		if handledChallenge {

+			if err := o.Handler.CompleteChallenge(requestURL, resp.Header); err != nil {

+				return "", err

+			}

+		}

+

 		if resp.StatusCode == http.StatusFound {

 			redirectURL := resp.Header.Get("Location")

new file mode 100644

@@ -0,0 +1,392 @@

+package tokencmd

+

+import (

+	"bytes"

+	"errors"

+	"fmt"

+	"net/http"

+	"net/http/httptest"

+	"testing"

+

+	"k8s.io/kubernetes/pkg/client/restclient"

+)

+

+type failingNegotiator struct {

+	releaseCalls int

+}

+

+func (n *failingNegotiator) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

+	return nil, errors.New("InitSecContext failed")

+}

+func (n *failingNegotiator) IsComplete() bool {

+	return false

+}

+func (n *failingNegotiator) Release() error {

+	n.releaseCalls++

+	return errors.New("Release failed")

+}

+

+type successfulNegotiator struct {

+	rounds              int

+	initSecContextCalls int

+	releaseCalls        int

+}

+

+func (n *successfulNegotiator) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

+	n.initSecContextCalls++

+

+	if n.initSecContextCalls > n.rounds {

+		return nil, fmt.Errorf("InitSecContext: expected %d calls, saw %d", n.rounds, n.initSecContextCalls)

+	}

+

+	if n.initSecContextCalls == 1 {

+		if len(challengeToken) > 0 {

+			return nil, errors.New("expected empty token for first challenge")

+		}

+	} else {

+		expectedChallengeToken := fmt.Sprintf("challenge%d", n.initSecContextCalls)

+		if string(challengeToken) != expectedChallengeToken {

+			return nil, fmt.Errorf("expected challenge token '%s', got '%s'", expectedChallengeToken, string(challengeToken))

+		}

+	}

+

+	return []byte(fmt.Sprintf("response%d", n.initSecContextCalls)), nil

+}

+func (n *successfulNegotiator) IsComplete() bool {

+	return n.initSecContextCalls == n.rounds

+}

+func (n *successfulNegotiator) Release() error {

+	n.releaseCalls++

+	return nil

+}

+

+func TestRequestToken(t *testing.T) {

+	type req struct {

+		authorization string

+	}

+	type resp struct {

+		status          int

+		location        string

+		wwwAuthenticate []string

+	}

+

+	type requestResponse struct {

+		expectedRequest req

+		serverResponse  resp

+	}

+

+	var verifyReleased func(test string, handler ChallengeHandler)

+	verifyReleased = func(test string, handler ChallengeHandler) {

+		switch handler := handler.(type) {

+		case *MultiHandler:

+			for _, subhandler := range handler.allHandlers {

+				verifyReleased(test, subhandler)

+			}

+		case *BasicChallengeHandler:

+			// we don't care

+		case *NegotiateChallengeHandler:

+			switch negotiator := handler.negotiater.(type) {

+			case *successfulNegotiator:

+				if negotiator.releaseCalls != 1 {

+					t.Errorf("%s: expected one call to Release(), saw %d", test, negotiator.releaseCalls)

+				}

+			case *failingNegotiator:

+				if negotiator.releaseCalls != 1 {

+					t.Errorf("%s: expected one call to Release(), saw %d", test, negotiator.releaseCalls)

+				}

+			default:

+				t.Errorf("%s: unrecognized negotiator: %#v", test, handler)

+			}

+		default:

+			t.Errorf("%s: unrecognized handler: %#v", test, handler)

+		}

+	}

+

+	initialRequest := req{}

+

+	basicChallenge1 := resp{401, "", []string{"Basic realm=foo"}}

+	basicRequest1 := req{"Basic bXl1c2VyOm15cGFzc3dvcmQ="} // base64("myuser:mypassword")

+	basicChallenge2 := resp{401, "", []string{"Basic realm=seriously...foo"}}

+

+	negotiateChallenge1 := resp{401, "", []string{"Negotiate"}}

+	negotiateRequest1 := req{"Negotiate cmVzcG9uc2Ux"}                           // base64("response1")

+	negotiateChallenge2 := resp{401, "", []string{"Negotiate Y2hhbGxlbmdlMg=="}} // base64("challenge2")

+	negotiateRequest2 := req{"Negotiate cmVzcG9uc2Uy"}                           // base64("response2")

+

+	doubleChallenge := resp{401, "", []string{"Negotiate", "Basic realm=foo"}}

+

+	successfulToken := "12345"

+	successfulLocation := fmt.Sprintf("/#access_token=%s", successfulToken)

+	success := resp{302, successfulLocation, nil}

+	successWithNegotiate := resp{302, successfulLocation, []string{"Negotiate Y2hhbGxlbmdlMg=="}}

+

+	testcases := map[string]struct {

+		Handler       ChallengeHandler

+		Requests      []requestResponse

+		ExpectedToken string

+		ExpectedError string

+	}{

+		// Defaulting basic handler

+		"defaulted basic handler, no challenge, success": {

+			Handler: &BasicChallengeHandler{Username: "myuser", Password: "mypassword"},

+			Requests: []requestResponse{

+				{initialRequest, success},

+			},

+			ExpectedToken: successfulToken,

+		},

+		"defaulted basic handler, basic challenge, success": {

+			Handler: &BasicChallengeHandler{Username: "myuser", Password: "mypassword"},

+			Requests: []requestResponse{

+				{initialRequest, basicChallenge1},

+				{basicRequest1, success},

+			},

+			ExpectedToken: successfulToken,

+		},

+		"defaulted basic handler, basic+negotiate challenge, success": {

+			Handler: &BasicChallengeHandler{Username: "myuser", Password: "mypassword"},

+			Requests: []requestResponse{

+				{initialRequest, doubleChallenge},

+				{basicRequest1, success},

+			},

+			ExpectedToken: successfulToken,

+		},

+		"defaulted basic handler, basic challenge, failure": {

+			Handler: &BasicChallengeHandler{Username: "myuser", Password: "mypassword"},

+			Requests: []requestResponse{

+				{initialRequest, basicChallenge1},

+				{basicRequest1, basicChallenge2},

+			},

+			ExpectedError: "challenger chose not to retry the request",

+		},

+		"defaulted basic handler, negotiate challenge, failure": {

+			Handler: &BasicChallengeHandler{Username: "myuser", Password: "mypassword"},

+			Requests: []requestResponse{

+				{initialRequest, negotiateChallenge1},

+			},

+			ExpectedError: "unhandled challenge",

+		},

+		"failing basic handler, basic challenge, failure": {

+			Handler: &BasicChallengeHandler{},

+			Requests: []requestResponse{

+				{initialRequest, basicChallenge1},

+			},

+			ExpectedError: "challenger chose not to retry the request",

+		},

+

+		// Prompting basic handler

+		"prompting basic handler, no challenge, success": {

+			Handler: &BasicChallengeHandler{Reader: bytes.NewBufferString("myuser\nmypassword\n")},

+			Requests: []requestResponse{

+				{initialRequest, success},

+			},

+			ExpectedToken: successfulToken,

+		},

+		"prompting basic handler, basic challenge, success": {

+			Handler: &BasicChallengeHandler{Reader: bytes.NewBufferString("myuser\nmypassword\n")},

+			Requests: []requestResponse{

+				{initialRequest, basicChallenge1},

+				{basicRequest1, success},

+			},

+			ExpectedToken: successfulToken,

+		},

+		"prompting basic handler, basic+negotiate challenge, success": {

+			Handler: &BasicChallengeHandler{Reader: bytes.NewBufferString("myuser\nmypassword\n")},

+			Requests: []requestResponse{

+				{initialRequest, doubleChallenge},

+				{basicRequest1, success},

+			},

+			ExpectedToken: successfulToken,

+		},

+		"prompting basic handler, basic challenge, failure": {

+			Handler: &BasicChallengeHandler{Reader: bytes.NewBufferString("myuser\nmypassword\n")},

+			Requests: []requestResponse{

+				{initialRequest, basicChallenge1},

+				{basicRequest1, basicChallenge2},

+			},

+			ExpectedError: "challenger chose not to retry the request",

+		},

+		"prompting basic handler, negotiate challenge, failure": {

+			Handler: &BasicChallengeHandler{Reader: bytes.NewBufferString("myuser\nmypassword\n")},

+			Requests: []requestResponse{

+				{initialRequest, negotiateChallenge1},

+			},

+			ExpectedError: "unhandled challenge",

+		},

+

+		// negotiate handler

+		"negotiate handler, no challenge, success": {

+			Handler: &NegotiateChallengeHandler{negotiater: &successfulNegotiator{rounds: 1}},

+			Requests: []requestResponse{