set is_authenticated on final receive; is_done on final send

Author: dpkp

kafka/sasl/gssapi.py

@@ -39,8 +39,8 @@ def __init__(self, **config):
         self._next_token = self._client_ctx.step(None)
 
     def auth_bytes(self):
-        if self._is_done:
-            self._is_authenticated = True
+        if self._is_authenticated:
+            self._is_done = True
         return self._next_token or b''
 
     def receive(self, auth_bytes):
@@ -70,10 +70,12 @@ def receive(self, auth_bytes):
             # add authorization identity to the response, and GSS-wrap
             self._next_token = self._client_ctx.wrap(b''.join(message_parts), False).message
             # GSSAPI Auth does not have a final broker->client message
-            # so mark is_done after the final token is generated
+            # so we need to be able to identify when the final token is generated
+            # here we set _is_authenticated after receiving the final response,
+            # but wait until the final send (auth_bytes() call) to set _is_done.
             # in practice we'll still receive a response when using SaslAuthenticate
             # but not when using the prior unframed approach.
-            self._is_done = True
+            self._is_authenticated = True
 
     def is_done(self):
         return self._is_done