Added ok_as_delegate flags

docs/source/gssapi.rst

@@ -65,6 +65,34 @@ imported in the high-level API :mod:`gssapi` module:
 .. autoclass:: gssapi.RequirementFlag
     :show-inheritance:
 
+The ``ok_as_delegate`` flag corresponds to the C level flag
+``GSS_C_DELEG_POLICY_FLAG``. This flag is similar to ``delegate_to_peer``
+except it only delegates if the KDC delegation policies for the service
+principal allow it to use delegation. This is typically used on Microsoft
+domain environments to control whether constrained or unconstrained delegation
+is allowed for a service principal. By setting this flag, the delegation
+process follows the same behaviour as delegation on SSPI/Windows.
+
+Here are the four cases when either of these flags are set or not.
+
+Neither flag set
+   No delegation occurs.
+
+delegate_to_peer
+   Always try to delegate regardless of the KDC delegation policies.
+   ``delegate_to_peer`` is set in the return flags if successful.
+
+ok_as_delegate
+   Try to delegate but only if the KDC trusts the service principal for
+   delegation. ``delegate_to_peer`` and ``ok_as_delegate`` are set in the
+   return flags if successful.
+
+delegate_to_peer | ok_as_delegate
+   Acts like ``delegate_to_peer`` being set but will also set
+   ``ok_as_delegate`` in the return flags if the service principal was trusted
+   for delegation by the KDC.
+
+
 .. autoclass:: gssapi.AddressType
     :show-inheritance:
 

gssapi/raw/cython_types.pxd

@@ -105,6 +105,7 @@ cdef extern from "python_gssapi.h":
     OM_uint32 GSS_C_ANON_FLAG
     OM_uint32 GSS_C_TRANS_FLAG
     OM_uint32 GSS_C_PROT_READY_FLAG
+    OM_uint32 GSS_C_DELEG_POLICY_FLAG
 
     # address types
     OM_uint32 GSS_C_AF_UNSPEC

gssapi/raw/types.pyx

@@ -60,6 +60,7 @@ class RequirementFlag(IntEnum, metaclass=ExtendableEnum):
     anonymity = GSS_C_ANON_FLAG
     protection_ready = GSS_C_PROT_READY_FLAG
     transferable = GSS_C_TRANS_FLAG
+    ok_as_delegate = GSS_C_DELEG_POLICY_FLAG
 
 
 class AddressType(IntEnum, metaclass=ExtendableEnum):