[Pkg-freeipa-devel] [Git][freeipa-team/mod-auth-gssapi][master] 25 commits: [travis] Remove debian python-requests-kerberos virtualenv logic
Timo Aaltonen
gitlab at salsa.debian.org
Wed Oct 17 10:22:19 BST 2018
Timo Aaltonen pushed to branch master at FreeIPA packaging / mod-auth-gssapi
Commits:
9ac8ffc9 by Robbie Harwood at 2017-11-06T18:44:46Z
[travis] Remove debian python-requests-kerberos virtualenv logic
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
1a3598e3 by Robbie Harwood at 2017-11-06T18:44:46Z
[travis] Run `make distcheck` during build
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
d429c5ba by Robbie Harwood at 2017-11-08T22:06:44Z
Return number of failures from test suite
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
fa762bef by Robbie Harwood at 2017-11-08T22:06:44Z
Switch apache mutex type in tests
When running apache as root, it will try to drop privileges. If the
environment is not perfectly configured, this will result in an
inability to read its own multiprocessing mutex:
(22)Invalid argument: AH00024: Couldn't set permissions on the
mpm-accept mutex; check User and Group directives
Since apache also refuses to run as root (-DBIG_SECURITY_HOLE), move
the mutex somewhere that apache will definitely be able to read.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
94c96fe1 by Robbie Harwood at 2017-11-08T22:06:44Z
[travis] Turn on the pkinit test
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
7bfe7ff0 by Simo Sorce at 2017-11-08T22:06:58Z
Add list of directives
This allows to consult the whole list in one place and then jump to the
desired section as needed.
Also fix some minor formatting discrepancies.
Signed-off-by: Simo Sorce <simo at redhat.com>
Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Merges: #160
- - - - -
2a931180 by Robbie Harwood at 2017-11-09T15:11:06Z
Don't repeatedly open and close the test log files
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
6159fc66 by Robbie Harwood at 2017-11-09T15:11:06Z
Fix Python unused imports and variables
This includes flagging the requests_kerberos magic OPTIONAL keyword as
to be ignored.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
ea49deea by Robbie Harwood at 2017-11-09T15:11:06Z
Fix Python lines that were too long
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
838ed876 by Robbie Harwood at 2017-11-09T15:11:06Z
Fix various Python indentation problems
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
ca691104 by Robbie Harwood at 2017-11-09T15:11:06Z
Update Python syntax for machine readability
- Treat `print()` only as a function
- Treat `del` only as a keyword
- Use modern octal notation
- Perform idiomatic set non-membership check
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
e0192ef8 by Robbie Harwood at 2017-11-09T15:11:06Z
Various Python whitespace cleanups
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
ad31b87f by Robbie Harwood at 2017-11-09T15:11:06Z
Fix Python module import order problems
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
f71bcaa3 by Robbie Harwood at 2017-11-09T15:11:06Z
Replace `strings.Template` with `str.format()` in Python code
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Resolves: #163
- - - - -
307e7551 by Robbie Harwood at 2017-11-09T15:11:06Z
[travis] Add flake8 check
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
4537ad40 by Simo Sorce at 2018-01-17T17:16:57Z
Update minimum Apache HTTPD version required
We use some functions that were added only in v 2.4.11, make that the
minimum required version in the docs.
Resolves: #167
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
7e2c046b by Robbie Harwood at 2018-04-16T17:36:06Z
[travis] Lower versions of Debian and Fedora
This should reduce general bugginess, and works around immediate
issues with both.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
0b746d29 by Simo Sorce at 2018-04-16T19:14:19Z
Fix truncation on comparison in name attr maps
The check to match a mapped name to a named attribute inadvertently
considered only the length of one of the strings.
This would cause incorrect prefix matches.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
d49615a9 by Robbie Harwood at 2018-04-20T20:37:17Z
Release 1.6.1
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
636e45b4 by Timo Aaltonen at 2018-10-17T08:52:32Z
Merge branch 'upstream'
- - - - -
d4535dbc by Timo Aaltonen at 2018-10-17T08:58:39Z
New upstream release.
- - - - -
61c986dd by Timo Aaltonen at 2018-10-17T09:05:13Z
control: Drop dh_autoreconf from build-depends.
- - - - -
a860f808 by Timo Aaltonen at 2018-10-17T09:07:51Z
control: Update vcs urls and maintainer address.
- - - - -
e9731ecd by Timo Aaltonen at 2018-10-17T09:08:37Z
rules: Use dh_missing.
- - - - -
d81cac21 by Timo Aaltonen at 2018-10-17T09:08:50Z
releasing package libapache2-mod-auth-gssapi version 1.6.1-1
- - - - -
25 changed files:
- .travis.sh
- .travis.yml
- README
- contrib/sweeper.py
- debian/changelog
- debian/control
- debian/rules
- src/environ.c
- src/mod_auth_gssapi.h
- src/util.c
- tests/httpd.conf
- tests/magtests.py
- tests/t_bad_acceptor_name.py
- tests/t_basic_k5_fail_second.py
- tests/t_basic_k5_two_users.py
- tests/t_basic_proxy.py
- tests/t_hostname_acceptor.py
- tests/t_nonego.py
- tests/t_required_name_attr.py
- tests/t_spnego.py
- tests/t_spnego_negotiate_once.py
- tests/t_spnego_no_auth.py
- tests/t_spnego_proxy.py
- tests/t_spnego_rewrite.py
- version.m4
Changes:
=====================================
.travis.sh
=====================================
@@ -8,19 +8,16 @@ fi
if [ -f /etc/debian_version ]; then
apt-get update
- DEBIAN_FRONTEND=noninteractive apt-get -y install $COMPILER \
+ DEBIAN_FRONTEND=noninteractive apt-get -y install $COMPILER pkg-config \
apache2-bin {apache2,libkrb5,libssl,gss-ntlmssp}-dev \
python-{dev,requests,gssapi} lib{socket,nss}-wrapper \
- flex bison krb5-{kdc,admin-server} virtualenv pkg-config
-
- # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880599 - too old
- virtualenv --system-site-packages .venv
- source .venv/bin/activate
- pip install requests_kerberos
+ flex bison krb5-{kdc,admin-server,pkinit} \
+ python-requests-kerberos flake8
+ flake8
elif [ -f /etc/fedora-release ]; then
# https://bugzilla.redhat.com/show_bug.cgi?id=1483553 means that this will
# fail no matter what, but it will properly install the packages.
- dnf -y install $COMPILER python-gssapi krb5-{server,workstation} \
+ dnf -y install $COMPILER python-gssapi krb5-{server,workstation,pkinit} \
{httpd,krb5,openssl,gssntlmssp}-devel {socket,nss}_wrapper \
python-requests{,-kerberos} autoconf automake libtool which bison \
flex mod_session redhat-rpm-config \
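Review bot: the new bare `flake8` call sits only in the Debian branch, so the Fedora jobs never lint, and whether a lint failure stops the build depends on shell error handling that is not visible in this hunk. Consider moving the check out of the distro-specific branches (installing flake8 in both) or making the exit status explicit, e.g. `flake8 || exit 1`.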
@@ -35,6 +32,5 @@ else
fi
autoreconf -fiv
-./configure CFLAGS="$CFLAGS" CC=$(which $COMPILER)
-make
-make check
+./configure # overridden by below, but needs to generate Makefile
+make distcheck DISTCHECK_CONFIGURE_FLAGS="CFLAGS=\"$CFLAGS\" CC=$(which $COMPILER)"
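Review bot: in the `make distcheck` line, `CC=$(which $COMPILER)` is expanded unquoted and `CFLAGS=\"$CFLAGS\"` relies on the escaped quotes surviving make's hand-off to the shell, so a compiler path with spaces or a CFLAGS value containing a quote would split the configure arguments. The preliminary `./configure` also ignores `$COMPILER`, which means a broken compiler selection only shows up in the distcheck stage; the inline comment could state that this is intended.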
=====================================
.travis.yml
=====================================
@@ -7,9 +7,9 @@ services:
- docker
env:
- - DISTRO=fedora:rawhide COMPILER=gcc
- - DISTRO=fedora:rawhide COMPILER=clang
- - DISTRO=debian:sid COMPILER=clang
+ - DISTRO=fedora:27 COMPILER=gcc
+ - DISTRO=fedora:27 COMPILER=clang
+ - DISTRO=debian:testing COMPILER=clang
script:
- >
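Review bot: `fedora:27` pins a fixed release with no comment in the file saying why or when to revisit it; the reason lives only in the commit message. A pinned release image eventually stops receiving updates, so add a short comment referencing the issues being worked around so the pin can be lifted once they are fixed.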
=====================================
README
=====================================
@@ -17,8 +17,8 @@ extension](http://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions)
is necessary to achieve full functionality. Reduced functionality is
provided without these extensions.
- krb5 (>=1.11)
- Apache (>=2.4)
+ MIT krb5 (>=1.11)
+ Apache httpd (>=2.4.11)
### Tests
@@ -67,9 +67,55 @@ extensions you can also simply set the KRB5_KTNAME environment variable in the
Apache init script and skip the GssapiCredStore option completely.
+Environment Variables
+---------------------
+
+(Note: these are not process environment variables, but rather Apache
+environment variables, as described
+[in the apache docs](https://httpd.apache.org/docs/2.4/env.html).)
+
+### gssapi-no-negotiate
+
+This environment variable is used to suppress setting Negotiate headers. Not
+sending these headers is useful to work around browsers that do not handle
+them properly (and incorrectly show authentication popups to users).
+
+#### Example
+
+For instance, to suppress negotiation on Windows browsers, one could set:
+
+ BrowserMatch Windows gssapi-no-negotiate
+
+
+
Configuration Directives
------------------------
+### Alphabetic List of Directives
+
+[GssapiAcceptorName](#gssapiacceptorname)<br>
+[GssapiAllowedMech](#gssapiallowedmech)<br>
+[GssapiBasicAuth](#gssapibasicauth)<br>
+[GssapiBasicAuthMech](#gssapibasicauthmech)<br>
+[GssapiConnectionBound](#gssapiconnectionbound)<br>
+[GssapiCredStore](#gssapicredstore)<br>
+[GssapiDelegCcacheDir](#gssapidelegccachedir)<br>
+[GssapiDelegCcacheEnvVar](#gssapidelegccacheenvvar)<br>
+[GssapiDelegCcachePerms](#gssapidelegccacheperms)<br>
+[GssapiDelegCcacheUnique](#gssapidelegccacheunique)<br>
+[GssapiImpersonate](#gssapiimpersonate)<br>
+[GssapiLocalName](#gssapilocalname)<br>
+[GssapiNameAttributes](#gssapinameattributes)<br>
+[GssapiNegotiateOnce](#gssapinegotiateonce)<br>
+[GssapiPublishErrors](#gssapipublisherrors)<br>
+[GssapiRequiredNameAttributes](#gssapirequirednameattributes)<br>
+[GssapiSessionKey](#gssapisessionkey)<br>
+[GssapiSignalPersistentAuth](#gssapisignalpersistentauth)<br>
+[GssapiSSLonly](#gssapisslonly)<br>
+[GssapiUseS4U2Proxy](#gssapiuses4u2proxy)<br>
+[GssapiUseSessions](#gssapiusesessions)<br>
+
+
### GssapiSSLonly
Forces the authentication attempt to fail if the connection is not being
@@ -108,6 +154,7 @@ request for continuation.
### GssapiSignalPersistentAuth
+
For clients that make use of Persistent-Auth header, send the header according
to GssapiConnectionBound setting.
@@ -237,6 +284,7 @@ keytab and store a ccache in the configured ccache file.
### GssapiBasicAuth
+
Allows the use of Basic Auth in conjunction with Negotiate.
If the browser fails to use Negotiate it will instead fallback to Basic and
the username and password will be used to try to acquire credentials in the
@@ -307,6 +355,7 @@ underscores for environment variable names.
GssapiNameAttributes json
GssapiNameAttributes RADIUS_NAME urn:ietf:params:gss:radius-attribute_1
+
### GssapiRequiredNameAttributes
This option allows specifying one or more Name Attributes that the client must
@@ -336,6 +385,7 @@ expression, or no Name Attributes are present, a 403 response is returned.
GssapiRequiredNameAttributes "auth-indicators=high or other-attr=foo"
GssapiRequiredNameAttributes "((auth-indicators=low and auth-indicators=med) or auth-indicators=high)"
+
### GssapiNegotiateOnce
When this option is enabled the Negotiate header will not be resent if
@@ -360,6 +410,7 @@ Auth mechanism. Enable GssapiNegotiateOnce to avoid this situation.
- **Enable with:** GssapiNegotiateOnce On
- **Default:** GssapiNegotiateOnce Off
+
### GssapiImpersonate
This option can be used even if AuthType GSSAPI is not used for given
@@ -451,21 +502,4 @@ Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example).
#### Example
GssapiAcceptorName HTTP at www.example.com
-Environment Variables
----------------------
-
-(Note: these are not process environment variables, but rather Apache
-environment variables, as described
-[in the apache docs](https://httpd.apache.org/docs/2.4/env.html).)
-
-### gssapi-no-negotiate
-
-This environment variable is used to suppress setting Negotiate headers. Not
-sending these headers is useful to work around browsers that do not handle
-them properly (and incorrectly show authentication popups to users).
-#### Example
-
-For instance, to suppress negotiation on Windows browsers, one could set:
-
- BrowserMatch Windows gssapi-no-negotiate
=====================================
contrib/sweeper.py
=====================================
@@ -9,19 +9,21 @@
# removing any ccaches that have expired from the filesystem, and serves as an
# example of how this cleaning can be performed.
-import gssapi
import os
-import re
import stat
import sys
import time
+# try importing this first to provide a more useful error message
+import gssapi
+del gssapi
try:
from gssapi.raw import acquire_cred_from
except ImportError:
print("Your GSSAPI does not provide cred store extension; exiting!")
exit(1)
+
# process file as a ccache and indicate whether it is expired
def should_delete(fname, t):
try:
@@ -44,6 +46,7 @@ def should_delete(fname, t):
return creds.lifetime == 0
+
if __name__ == "__main__":
dirs = sys.argv[1:]
if len(dirs) < 1:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+libapache2-mod-auth-gssapi (1.6.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Drop dh_autoreconf from build-depends.
+ * control: Update vcs urls and maintainer address.
+ * rules: Use dh_missing.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 17 Oct 2018 12:08:44 +0300
+
libapache2-mod-auth-gssapi (1.6.0-1) unstable; urgency=medium
* New upstream release.
=====================================
debian/control
=====================================
@@ -1,13 +1,13 @@
Source: libapache2-mod-auth-gssapi
Section: web
Priority: optional
-Maintainer: Timo Aaltonen <tjaalton at debian.org>
+Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at alioth-lists.debian.net>
+Uploaders: Timo Aaltonen <tjaalton at debian.org>
Build-Depends:
apache2-dev (>= 2.4),
bison,
debhelper (>= 10),
dh-apache2,
- dh-autoreconf,
flex,
gss-ntlmssp-dev,
libapr1-dev,
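Review bot: `apache2-dev (>= 2.4)` in Build-Depends is left unchanged, although the README hunk in this same push raises the documented minimum to Apache httpd 2.4.11 because of functions the module calls. If the package can still be built against an older apache2-dev, the mismatch would only surface at compile or load time; consider raising the bound to match the documentation.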
@@ -16,8 +16,8 @@ Build-Depends:
pkg-config,
Standards-Version: 4.1.2
Homepage: https://github.com/modauthgssapi/mod_auth_gssapi
-Vcs-Git: https://anonscm.debian.org/git/collab-maint/mod-auth-gssapi.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/mod-auth-gssapi.git
+Vcs-Git: https://salsa.debian.org/freeipa-team/mod-auth-gssapi.git
+Vcs-Browser: https://salsa.debian.org/freeipa-team/mod-auth-gssapi
Package: libapache2-mod-auth-gssapi
Architecture: any
=====================================
debian/rules
=====================================
@@ -2,7 +2,7 @@
# -*- makefile -*-
%:
- dh $@ --with autoreconf,apache2
+ dh $@ --with apache2
override_dh_auto_test:
@@ -11,5 +11,5 @@ override_dh_auto_install:
install -m 755 src/.libs/mod_auth_gssapi.so \
$(CURDIR)/debian/tmp/usr/lib/apache2/modules
-override_dh_install:
- dh_install --fail-missing
+override_dh_missing:
+ dh_missing --fail-missing
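Review bot: `override_dh_missing` needs a debhelper that provides `dh_missing`, while debian/control in this push still declares `debhelper (>= 10)`. Check that the declared floor is high enough for the helper; on a debhelper without it the override would never run and `--fail-missing` would no longer be enforced.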
=====================================
src/environ.c
=====================================
@@ -340,9 +340,8 @@ void mag_get_name_attributes(request_rec *req, struct mag_config *cfg,
/* Use the environment variable name matching the attribute name
* from the map. */
for (int j = 0; j < map_count; j++) {
- if (strncmp(cfg->name_attributes->map[j].attr_name,
- attr.name.value,
- attr.name.length) == 0) {
+ if (mag_strbuf_equal(cfg->name_attributes->map[j].attr_name,
+ &attr.name)) {
attr.env_name = cfg->name_attributes->map[j].env_name;
break;
}
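Review bot: the switch to `mag_strbuf_equal()` in the map lookup changes which `env_name` an attribute receives, and nothing in this hunk pins that behaviour. A regression test with two GssapiNameAttributes mappings where one attribute name is a prefix of the other would keep the truncated comparison from coming back; a short comment at the call stating that the match must be exact would also help.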
=====================================
src/mod_auth_gssapi.h
=====================================
@@ -142,3 +142,4 @@ const char *mag_str_auth_type(int auth_type);
char *mag_error(apr_pool_t *pool, const char *msg, uint32_t maj, uint32_t min);
int mag_get_user_uid(const char *name, uid_t *uid);
int mag_get_group_gid(const char *name, gid_t *gid);
+bool mag_strbuf_equal(const char *str, gss_buffer_t buf);
=====================================
src/util.c
=====================================
@@ -64,3 +64,9 @@ int mag_get_group_gid(const char *name, gid_t *gid)
free(buf);
return ret;
}
+
+bool mag_strbuf_equal(const char *str, gss_buffer_t buf)
+{
+ if (strncmp(str, buf->value, buf->length) != 0) return false;
+ return buf->length == strlen(str);
+}
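Review bot: `mag_strbuf_equal()` calls `strncmp(str, buf->value, buf->length)` before comparing lengths and never checks `str`, `buf` or `buf->value` for NULL, although an empty gss_buffer_t typically has a NULL value pointer. Guarding against NULL, comparing lengths first and then using memcmp avoids treating the buffer as a C string: `size_t len = strlen(str);` followed by `return buf->length == len && memcmp(str, buf->value, len) == 0;`. A one-line comment that the buffer is not NUL-terminated would document why strcmp is not used.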
=====================================
tests/httpd.conf
=====================================
@@ -1,7 +1,7 @@
-ServerRoot "${HTTPROOT}"
-ServerName "${HTTPNAME}"
-Listen ${HTTPADDR}:${HTTPPORT}
-Listen ${HTTPADDR}:${PROXYPORT}
+ServerRoot "{HTTPROOT}"
+ServerName "{HTTPNAME}"
+Listen {HTTPADDR}:{HTTPPORT}
+Listen {HTTPADDR}:{PROXYPORT}
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
@@ -77,6 +77,7 @@ LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule auth_gssapi_module mod_auth_gssapi.so
+Mutex file:{HTTPROOT}
<Directory />
Options +Includes
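Review bot: `Mutex file:{HTTPROOT}` carries no mutex name, so it changes the default for every Apache mutex and not only the mpm-accept one that the commit message describes, and the config has no comment explaining it. Consider scoping it (`Mutex file:{HTTPROOT} mpm-accept`) and adding a comment that it exists for the case where the tests run Apache as root.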
@@ -85,13 +86,13 @@ LoadModule auth_gssapi_module mod_auth_gssapi.so
Require all denied
</Directory>
-DocumentRoot "${HTTPROOT}/html"
-<Directory "${HTTPROOT}">
+DocumentRoot "{HTTPROOT}/html"
+<Directory "{HTTPROOT}">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
-<Directory "${HTTPROOT}/html">
+<Directory "{HTTPROOT}/html">
Options Indexes FollowSymLinks
Options +Includes
AddOutputFilter INCLUDES .html
@@ -107,10 +108,10 @@ DocumentRoot "${HTTPROOT}/html"
Require all denied
</Files>
-PidFile "${HTTPROOT}/logs/httpd.pid"
+PidFile "{HTTPROOT}/logs/httpd.pid"
<IfModule log_config_module>
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\"" combined
CustomLog "logs/access_log" combined
</IfModule>
@@ -130,7 +131,7 @@ AddDefaultCharset UTF-8
IncludeOptional conf.d/*.conf
-CoreDumpDirectory "${HTTPROOT}"
+CoreDumpDirectory "{HTTPROOT}"
<Location /spnego>
@@ -140,11 +141,11 @@ CoreDumpDirectory "${HTTPROOT}"
GssapiUseSessions On
Session On
SessionCookieName gssapi_session path=/spnego;httponly
- GssapiSessionKey file:${HTTPROOT}/session.key
- GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
- GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
- GssapiDelegCcacheDir ${HTTPROOT}
+ GssapiSessionKey file:{HTTPROOT}/session.key
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
+ GssapiDelegCcacheDir {HTTPROOT}
GssapiDelegCcachePerms mode:0666
GssapiBasicAuth Off
GssapiAllowedMech krb5
@@ -157,14 +158,14 @@ CoreDumpDirectory "${HTTPROOT}"
AuthType GSSAPI
AuthName "Login"
- GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiAllowedMech krb5
Require valid-user
RewriteEngine on
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{{REQUEST_FILENAME}} !-d
+ RewriteCond %{{REQUEST_FILENAME}} !-f
RewriteRule . /spnego_rewrite/index.html [L]
</Location>
@@ -175,9 +176,9 @@ CoreDumpDirectory "${HTTPROOT}"
GssapiUseSessions On
Session On
SessionCookieName gssapi_session path=/spnego_negotiate_once;httponly
- GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
- GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiBasicAuth Off
GssapiAllowedMech krb5
GssapiNegotiateOnce On
@@ -190,9 +191,9 @@ CoreDumpDirectory "${HTTPROOT}"
AuthType GSSAPI
AuthName "Password Login"
GssapiSSLonly Off
- GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
- GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiBasicAuth On
GssapiBasicAuthMech krb5
GssapiConnectionBound On
@@ -204,9 +205,9 @@ CoreDumpDirectory "${HTTPROOT}"
AuthType GSSAPI
AuthName "Bad Acceptor Name"
GssapiSSLonly Off
- GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
- GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiAcceptorName BAD at example.com
Require valid-user
</Location>
@@ -216,9 +217,9 @@ CoreDumpDirectory "${HTTPROOT}"
AuthType GSSAPI
AuthName "Login"
GssapiSSLonly Off
- GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
- GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiBasicAuth On
GssapiAllowedMech krb5
Require valid-user
@@ -228,19 +229,19 @@ CoreDumpDirectory "${HTTPROOT}"
AuthType GSSAPI
AuthName "Login"
GssapiSSLonly Off
- GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
- GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiBasicAuth Off
GssapiAllowedMech krb5
- GssapiAcceptorName {HOSTNAME}
+ GssapiAcceptorName {{HOSTNAME}}
Require valid-user
</Location>
<Location /required_name_attr1>
AuthType GSSAPI
AuthName "Required Name Attributes"
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiRequiredNameAttributes auth-indicators=na1
LogLevel debug
Require valid-user
@@ -249,7 +250,7 @@ CoreDumpDirectory "${HTTPROOT}"
<Location /required_name_attr2>
AuthType GSSAPI
AuthName "Required Name Attributes"
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiRequiredNameAttributes auth-indicators:=bmEx
LogLevel debug
Require valid-user
@@ -258,7 +259,7 @@ CoreDumpDirectory "${HTTPROOT}"
<Location /required_name_attr3>
AuthType GSSAPI
AuthName "Required Name Attributes"
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiRequiredNameAttributes (auth-indicators=foo and auth-indicators=na2) or auth-indicators=na3
LogLevel debug
Require valid-user
@@ -267,22 +268,22 @@ CoreDumpDirectory "${HTTPROOT}"
<Location /required_name_attr4>
AuthType GSSAPI
AuthName "Required Name Attributes"
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiRequiredNameAttributes auth-indicators=foo
LogLevel debug
Require valid-user
</Location>
-<VirtualHost *:${PROXYPORT}>
+<VirtualHost *:{PROXYPORT}>
ProxyRequests On
ProxyVia On
<Proxy *>
AuthType GSSAPI
AuthName "Proxy Login"
- GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
- GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
- GssapiCredStore keytab:${HTTPROOT}/http.keytab
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
GssapiBasicAuth On
Require valid-user
</Proxy>
=====================================
tests/magtests.py
=====================================
@@ -2,28 +2,27 @@
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import argparse
-import glob
import os
import random
import shutil
import signal
-from string import Template
import subprocess
import sys
-import time
# check that we can import requests (for use in test scripts)
-import requests, requests_kerberos
-del(requests)
-del(requests_kerberos)
+import requests
+import requests_gssapi
+del requests
+del requests_gssapi
+
def parse_args():
- parser = argparse.ArgumentParser(description='Mod Auth GSSAPI Tests Environment')
+ parser = argparse.ArgumentParser(
+ description='Mod Auth GSSAPI Tests Environment')
parser.add_argument('--path', default='%s/scratchdir' % os.getcwd(),
help="Directory in which tests are run")
parser.add_argument('--so-dir', default='%s/src/.libs' % os.getcwd(),
help="mod_auth_gssapi shared object dirpath")
-
return vars(parser.parse_args())
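Review bot: the import check now loads `requests_gssapi`, but the .travis.sh hunks in this same push install `python-requests-kerberos` (Debian) and `python-requests{,-kerberos}` (Fedora). Unless another package on those images provides requests_gssapi, magtests.py will fail at import in CI; align the installed package with the imported module.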
@@ -34,8 +33,8 @@ WRAP_IPADDR = '127.0.0.9'
WRAP_HTTP_PORT = '80'
WRAP_PROXY_PORT = '8080'
-def setup_wrappers(base):
+def setup_wrappers(base):
pkgcfg = subprocess.Popen(['pkg-config', '--exists', 'socket_wrapper'])
pkgcfg.wait()
if pkgcfg.returncode != 0:
@@ -62,7 +61,6 @@ def setup_wrappers(base):
'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME,
'NSS_WRAPPER_HOSTS': hosts_file}
-
return wenv
@@ -72,53 +70,53 @@ KDC_STASH = 'stash.file'
KDC_PASSWORD = 'modauthgssapi'
KRB5_CONF_TEMPLATE = '''
[libdefaults]
- default_realm = ${TESTREALM}
+ default_realm = {TESTREALM}
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
- default_ccache_name = FILE://${TESTDIR}/ccaches/krb5_ccache_XXXXXX
+ default_ccache_name = FILE://{TESTDIR}/ccaches/krb5_ccache_XXXXXX
[realms]
- ${TESTREALM} = {
- kdc =${WRAP_HOSTNAME}
- pkinit_anchors = FILE:${TESTDIR}/${PKINIT_CA}
- }
+ {TESTREALM} = {{
+ kdc = {WRAP_HOSTNAME}
+ pkinit_anchors = FILE:{TESTDIR}/{PKINIT_CA}
+ }}
[domain_realm]
- .mag.dev = ${TESTREALM}
- mag.dev = ${TESTREALM}
+ .mag.dev = {TESTREALM}
+ mag.dev = {TESTREALM}
[dbmodules]
- ${TESTREALM} = {
- database_name = ${KDCDIR}/${KDC_DBNAME}
- }
+ {TESTREALM} = {{
+ database_name = {KDCDIR}/{KDC_DBNAME}
+ }}
'''
KDC_CONF_TEMPLATE = '''
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
restrict_anonymous_to_tgt = true
- pkinit_identity = FILE:${TESTDIR}/${PKINIT_KDC_CERT},${TESTDIR}/${PKINIT_KEY}
- pkinit_anchors = FILE:${TESTDIR}/${PKINIT_CA}
+ pkinit_identity = FILE:{TESTDIR}/{PKINIT_KDC_CERT},{TESTDIR}/{PKINIT_KEY}
+ pkinit_anchors = FILE:{TESTDIR}/{PKINIT_CA}
pkinit_indicator = na1
pkinit_indicator = na2
pkinit_indicator = na3
[realms]
- ${TESTREALM} = {
+ {TESTREALM} = {{
master_key_type = aes256-cts
max_life = 7d
max_renewable_life = 14d
- acl_file = ${KDCDIR}/kadm5.acl
+ acl_file = {KDCDIR}/kadm5.acl
dict_file = /usr/share/dict/words
default_principal_flags = +preauth
- admin_keytab = ${TESTREALM}/kadm5.keytab
- key_stash_file = ${KDCDIR}/${KDC_STASH}
- }
+ admin_keytab = {TESTREALM}/kadm5.keytab
+ key_stash_file = {KDCDIR}/{KDC_STASH}
+ }}
[logging]
- kdc = FILE:${KDCLOG}
+ kdc = FILE:{KDCLOG}
'''
PKINIT_CA = 'cacert.pem'
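Review bot: the converted line `admin_keytab = {TESTREALM}/kadm5.keytab` in KDC_CONF_TEMPLATE builds a path from the realm name, while the neighbouring `acl_file` and `key_stash_file` use `{KDCDIR}`; the conversion carries this over unchanged, and it looks as if `{KDCDIR}/kadm5.keytab` was meant. Since str.format() treats every single brace as a field, a comment above each template noting that literal braces must be doubled would save the next editor a KeyError or ValueError.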
@@ -131,22 +129,22 @@ PKINIT_KDC_CERT = 'kdccert.pem'
OPENSSLCNF_TEMPLATE = '''
[req]
prompt = no
-distinguished_name = $$ENV::O_SUBJECT
+distinguished_name = $ENV::O_SUBJECT
[ca]
CN = CA
C = US
OU = Insecure test CA do not use
-O = ${TESTREALM}
+O = {TESTREALM}
[kdc]
C = US
-O = ${TESTREALM}
+O = {TESTREALM}
CN = KDC
[user]
C = US
-O = ${TESTREALM}
+O = {TESTREALM}
CN = maguser3
[exts_ca]
@@ -157,14 +155,14 @@ basicConstraints = critical,CA:TRUE
[components_kdc]
0.component=GeneralString:krbtgt
-1.component=GeneralString:${TESTREALM}
+1.component=GeneralString:{TESTREALM}
[princ_kdc]
nametype=EXPLICIT:0,INTEGER:1
components=EXPLICIT:1,SEQUENCE:components_kdc
[krb5princ_kdc]
-realm=EXPLICIT:0,GeneralString:${TESTREALM}
+realm=EXPLICIT:0,GeneralString:{TESTREALM}
princ=EXPLICIT:1,SEQUENCE:princ_kdc
[exts_kdc]
@@ -183,7 +181,7 @@ nametype=EXPLICIT:0,INTEGER:1
components=EXPLICIT:1,SEQUENCE:components_client
[krb5princ_client]
-realm=EXPLICIT:0,GeneralString:${TESTREALM}
+realm=EXPLICIT:0,GeneralString:{TESTREALM}
princ=EXPLICIT:1,SEQUENCE:princ_client
[exts_client]
@@ -193,10 +191,10 @@ keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:krb5princ_client
extendedKeyUsage = 1.3.6.1.5.2.3.4
-'''
+''' # noqa
-def setup_test_certs(testdir, testenv, testlog):
+def setup_test_certs(testdir, testenv, logfile):
opensslcnf = os.path.join(testdir, 'openssl.cnf')
pkinit_key = os.path.join(testdir, PKINIT_KEY)
pkinit_ca = os.path.join(testdir, PKINIT_CA)
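Review bot: the blanket `# noqa` on the closing `'''` of OPENSSLCNF_TEMPLATE suppresses every flake8 check reported there rather than the one that actually fires; name the code (the long keyUsage line suggests E501). Separately, the third parameter of `setup_test_certs` changes from a path (`testlog`) to an open file object (`logfile`) with no docstring saying so, so a caller still passing a path would hand a string to subprocess as stdout.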
@@ -205,109 +203,102 @@ def setup_test_certs(testdir, testenv, testlog):
pkinit_kdc_cert = os.path.join(testdir, PKINIT_KDC_CERT)
pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT)
- cnf = Template(OPENSSLCNF_TEMPLATE)
- text = cnf.substitute({'TESTREALM': TESTREALM})
+ text = OPENSSLCNF_TEMPLATE.format(TESTREALM=TESTREALM)
with open(opensslcnf, 'w+') as f:
f.write(text)
- with (open(testlog, 'a')) as logfile:
- print pkinit_key
- cmd = subprocess.Popen(["openssl", "genrsa", "-out", pkinit_key,
- "2048"], stdout=logfile,
- stderr=logfile, env=testenv,
- preexec_fn=os.setsid)
- cmd.wait()
- if cmd.returncode != 0:
- raise ValueError('Generating CA RSA key failed')
-
- testenv.update({'O_SUBJECT': 'ca'})
- cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
- "-new", "-x509", "-extensions", "exts_ca",
- "-set_serial", "1", "-days", "100",
- "-key", pkinit_key, "-out", pkinit_ca],
- stdout=logfile, stderr=logfile, env=testenv,
- preexec_fn=os.setsid)
- cmd.wait()
- if cmd.returncode != 0:
- raise ValueError('Generating CA certificate failed')
-
- testenv.update({'O_SUBJECT': 'kdc'})
- cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
- "-new", "-subj", "/CN=kdc",
- "-key", pkinit_key, "-out", pkinit_kdc_req],
- stdout=logfile, stderr=logfile, env=testenv,
- preexec_fn=os.setsid)
- cmd.wait()
- if cmd.returncode != 0:
- raise ValueError('Generating KDC req failed')
-
- cmd = subprocess.Popen(["openssl", "x509", "-extfile", opensslcnf,
- "-extensions", "exts_kdc", "-set_serial", "2",
- "-days", "100", "-req", "-CA", pkinit_ca,
- "-CAkey", pkinit_key, "-out", pkinit_kdc_cert,
- "-in", pkinit_kdc_req],
- stdout=logfile, stderr=logfile, env=testenv,
- preexec_fn=os.setsid)
- cmd.wait()
- if cmd.returncode != 0:
- raise ValueError('Generating KDC certificate failed')
-
- testenv.update({'O_SUBJECT': 'user'})
- cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
- "-new", "-subj", "/CN=user",
- "-key", pkinit_key, "-out", pkinit_user_req],
- stdout=logfile, stderr=logfile, env=testenv,
- preexec_fn=os.setsid)
- cmd.wait()
- if cmd.returncode != 0:
- raise ValueError('Generating client req failed')
-
- cmd = subprocess.Popen(["openssl", "x509", "-extfile", opensslcnf,
- "-extensions", "exts_client", "-set_serial", "3",
- "-days", "100", "-req", "-CA", pkinit_ca,
- "-CAkey", pkinit_key, "-out", pkinit_user_cert,
- "-in", pkinit_user_req],
- stdout=logfile, stderr=logfile, env=testenv,
- preexec_fn=os.setsid)
- cmd.wait()
- if cmd.returncode != 0:
- raise ValueError('Generating client certificate failed')
+ print(pkinit_key)
+ cmd = subprocess.Popen(["openssl", "genrsa", "-out", pkinit_key,
+ "2048"], stdout=logfile,
+ stderr=logfile, env=testenv,
+ preexec_fn=os.setsid)
+ cmd.wait()
+ if cmd.returncode != 0:
+ raise ValueError('Generating CA RSA key failed')
+
+ testenv.update({'O_SUBJECT': 'ca'})
+ cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
+ "-new", "-x509", "-extensions", "exts_ca",
+ "-set_serial", "1", "-days", "100",
+ "-key", pkinit_key, "-out", pkinit_ca],
+ stdout=logfile, stderr=logfile, env=testenv,
+ preexec_fn=os.setsid)
+ cmd.wait()
+ if cmd.returncode != 0:
+ raise ValueError('Generating CA certificate failed')
+
+ testenv.update({'O_SUBJECT': 'kdc'})
+ cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
+ "-new", "-subj", "/CN=kdc",
+ "-key", pkinit_key, "-out", pkinit_kdc_req],
+ stdout=logfile, stderr=logfile, env=testenv,
+ preexec_fn=os.setsid)
+ cmd.wait()
+ if cmd.returncode != 0:
+ raise ValueError('Generating KDC req failed')
+
+ cmd = subprocess.Popen(["openssl", "x509", "-extfile", opensslcnf,
+ "-extensions", "exts_kdc", "-set_serial", "2",
+ "-days", "100", "-req", "-CA", pkinit_ca,
+ "-CAkey", pkinit_key, "-out", pkinit_kdc_cert,
+ "-in", pkinit_kdc_req],
+ stdout=logfile, stderr=logfile, env=testenv,
+ preexec_fn=os.setsid)
+ cmd.wait()
+ if cmd.returncode != 0:
+ raise ValueError('Generating KDC certificate failed')
+
+ testenv.update({'O_SUBJECT': 'user'})
+ cmd = subprocess.Popen(["openssl", "req", "-config", opensslcnf,
+ "-new", "-subj", "/CN=user",
+ "-key", pkinit_key, "-out", pkinit_user_req],
+ stdout=logfile, stderr=logfile, env=testenv,
+ preexec_fn=os.setsid)
+ cmd.wait()
+ if cmd.returncode != 0:
+ raise ValueError('Generating client req failed')
+
+ cmd = subprocess.Popen(["openssl", "x509", "-extfile", opensslcnf,
+ "-extensions", "exts_client", "-set_serial", "3",
+ "-days", "100", "-req", "-CA", pkinit_ca,
+ "-CAkey", pkinit_key, "-out", pkinit_user_cert,
+ "-in", pkinit_user_req],
+ stdout=logfile, stderr=logfile, env=testenv,
+ preexec_fn=os.setsid)
+ cmd.wait()
+ if cmd.returncode != 0:
+ raise ValueError('Generating client certificate failed')
def setup_kdc(testdir, wrapenv):
-
# setup kerberos environment
testlog = os.path.join(testdir, 'kerb.log')
krb5conf = os.path.join(testdir, 'krb5.conf')
kdcconf = os.path.join(testdir, 'kdc.conf')
kdcdir = os.path.join(testdir, 'kdc')
- kdcstash = os.path.join(kdcdir, KDC_STASH)
- kdcdb = os.path.join(kdcdir, KDC_DBNAME)
if os.path.exists(kdcdir):
shutil.rmtree(kdcdir)
os.makedirs(kdcdir)
- t = Template(KRB5_CONF_TEMPLATE)
- text = t.substitute({'TESTREALM': TESTREALM,
- 'TESTDIR': testdir,
- 'KDCDIR': kdcdir,
- 'KDC_DBNAME': KDC_DBNAME,
- 'WRAP_HOSTNAME': WRAP_HOSTNAME,
- 'PKINIT_CA': PKINIT_CA,
- 'PKINIT_USER_CERT': PKINIT_USER_CERT,
- 'PKINIT_KEY': PKINIT_KEY})
+ text = KRB5_CONF_TEMPLATE.format(TESTREALM=TESTREALM,
+ TESTDIR=testdir,
+ KDCDIR=kdcdir,
+ KDC_DBNAME=KDC_DBNAME,
+ WRAP_HOSTNAME=WRAP_HOSTNAME,
+ PKINIT_CA=PKINIT_CA,
+ PKINIT_USER_CERT=PKINIT_USER_CERT,
+ PKINIT_KEY=PKINIT_KEY)
with open(krb5conf, 'w+') as f:
f.write(text)
- t = Template(KDC_CONF_TEMPLATE)
- text = t.substitute({'TESTREALM': TESTREALM,
- 'TESTDIR': testdir,
- 'KDCDIR': kdcdir,
- 'KDCLOG': testlog,
- 'KDC_STASH': KDC_STASH,
- 'PKINIT_CA': PKINIT_CA,
- 'PKINIT_KDC_CERT': PKINIT_KDC_CERT,
- 'PKINIT_KEY': PKINIT_KEY})
+ text = KDC_CONF_TEMPLATE.format(TESTREALM=TESTREALM,
+ TESTDIR=testdir,
+ KDCDIR=kdcdir,
+ KDCLOG=testlog,
+ KDC_STASH=KDC_STASH,
+ PKINIT_CA=PKINIT_CA,
+ PKINIT_KDC_CERT=PKINIT_KDC_CERT,
+ PKINIT_KEY=PKINIT_KEY)
with open(kdcconf, 'w+') as f:
f.write(text)
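Review bot: `print(pkinit_key)` at the top of the added certificate block looks like leftover debugging; it writes the key path to stdout on every run while every other step in this function reports to `logfile`. Drop it or write it to `logfile`. The CA certificate, the KDC request and the user request are all created with `-key pkinit_key`, so the whole test PKI shares one RSA key; that is acceptable for a throwaway harness but deserves a one-line comment so the pattern is not copied into anything real. The six Popen/wait/returncode stanzas differ only in arguments and error text and could share a small helper.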
@@ -317,22 +308,20 @@ def setup_kdc(testdir, wrapenv):
'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
kdcenv.update(wrapenv)
- with (open(testlog, 'a')) as logfile:
- ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
- "-r", TESTREALM, "-P", KDC_PASSWORD],
- stdout=logfile, stderr=logfile,
- env=kdcenv, preexec_fn=os.setsid)
+ logfile = open(testlog, 'a')
+ ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
+ "-r", TESTREALM, "-P", KDC_PASSWORD],
+ stdout=logfile, stderr=logfile,
+ env=kdcenv, preexec_fn=os.setsid)
ksetup.wait()
if ksetup.returncode != 0:
raise ValueError('KDC Setup failed')
- setup_test_certs(testdir, kdcenv, testlog)
-
- with (open(testlog, 'a')) as logfile:
- kdcproc = subprocess.Popen(['krb5kdc', '-n'],
- stdout=logfile, stderr=logfile,
- env=kdcenv, preexec_fn=os.setsid)
+ setup_test_certs(testdir, kdcenv, logfile)
+ kdcproc = subprocess.Popen(['krb5kdc', '-n'],
+ stdout=logfile, stderr=logfile,
+ env=kdcenv, preexec_fn=os.setsid)
return kdcproc, kdcenv
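Review bot: `logfile = open(testlog, 'a')` in `setup_kdc` replaces two `with` blocks, but nothing closes the handle now, and the `raise ValueError('KDC Setup failed')` path leaks it as well. Each child inherits its own copy of the descriptor at Popen time, so closing the Python object after the `krb5kdc` Popen is safe, as the old `with` blocks already relied on; alternatively return the handle so the caller owns it.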
@@ -355,42 +344,35 @@ KEY_TYPE = "aes256-cts-hmac-sha1-96:normal"
def setup_keys(tesdir, env):
-
testlog = os.path.join(testdir, 'kerb.log')
+ logfile = open(testlog, 'a')
svc_name = "HTTP/%s" % WRAP_HOSTNAME
- svc_keytab = os.path.join(testdir, SVC_KTNAME)
cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, svc_name)
- with (open(testlog, 'a')) as logfile:
- kadmin_local(cmd, env, logfile)
+ kadmin_local(cmd, env, logfile)
+
+ svc_keytab = os.path.join(testdir, SVC_KTNAME)
cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, svc_name)
- with (open(testlog, 'a')) as logfile:
- kadmin_local(cmd, env, logfile)
+ kadmin_local(cmd, env, logfile)
cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME)
- with (open(testlog, 'a')) as logfile:
- kadmin_local(cmd, env, logfile)
+ kadmin_local(cmd, env, logfile)
cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
- with (open(testlog, 'a')) as logfile:
- kadmin_local(cmd, env, logfile)
+ kadmin_local(cmd, env, logfile)
# alias for multinamed hosts testing
alias_name = "HTTP/%s" % WRAP_ALIASNAME
cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
- with (open(testlog, 'a')) as logfile:
- kadmin_local(cmd, env, logfile)
+ kadmin_local(cmd, env, logfile)
cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, alias_name)
- with (open(testlog, 'a')) as logfile:
- kadmin_local(cmd, env, logfile)
+ kadmin_local(cmd, env, logfile)
cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
- with (open(testlog, 'a')) as logfile:
- kadmin_local(cmd, env, logfile)
+ kadmin_local(cmd, env, logfile)
- keys_env = { "KRB5_KTNAME": svc_keytab }
+ keys_env = {"KRB5_KTNAME": svc_keytab, }
keys_env.update(env)
-
return keys_env
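Review bot: the signature still reads `def setup_keys(tesdir, env)` while the body uses `testdir`, so the function only works because `testdir` is also a module-level name when the script runs as `__main__`. Since this hunk already rewrites most of the function, rename the parameter to `testdir`. The new `logfile` handle opened here is never closed either.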
@@ -415,12 +397,12 @@ def setup_http(testdir, so_dir, wrapenv):
shutil.copy('%s/mod_auth_gssapi.so' % so_dir, httpdir)
with open('tests/httpd.conf') as f:
- t = Template(f.read())
- text = t.substitute({'HTTPROOT': httpdir,
- 'HTTPNAME': WRAP_HOSTNAME,
- 'HTTPADDR': WRAP_IPADDR,
- 'PROXYPORT': WRAP_PROXY_PORT,
- 'HTTPPORT': WRAP_HTTP_PORT})
+ text = f.read().format(HTTPROOT=httpdir,
+ HTTPNAME=WRAP_HOSTNAME,
+ HTTPADDR=WRAP_IPADDR,
+ PROXYPORT=WRAP_PROXY_PORT,
+ HTTPPORT=WRAP_HTTP_PORT,
+ HOSTNAME=WRAP_HOSTNAME)
config = os.path.join(httpdir, 'httpd.conf')
with open(config, 'w+') as f:
f.write(text)
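Review bot: moving `tests/httpd.conf` from `Template.substitute` to `f.read().format(...)` changes the file's escaping rules: every literal `{` or `}` in the Apache configuration must now be doubled, and a stray one fails the harness with a KeyError, IndexError or ValueError before Apache ever starts. A comment at the top of httpd.conf saying so would save the next editor some time. `HTTPNAME` and the new `HOSTNAME` are both set to `WRAP_HOSTNAME`; unless the template really needs two names for the same value, keep one.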
@@ -435,7 +417,6 @@ def setup_http(testdir, so_dir, wrapenv):
httpd = "httpd" if distro == "Fedora" else "apache2"
httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
env=httpenv, preexec_fn=os.setsid)
-
return httpproc
@@ -454,6 +435,7 @@ def kinit_user(testdir, kdcenv):
kinit.wait()
if kinit.returncode != 0:
raise ValueError('kinit failed')
+
return testenv
@@ -477,210 +459,208 @@ def kinit_certuser(testdir, kdcenv):
return testenv
-def test_spnego_auth(testdir, testenv, testlog):
-
+def test_spnego_auth(testdir, testenv, logfile):
spnegodir = os.path.join(testdir, 'httpd', 'html', 'spnego')
os.mkdir(spnegodir)
shutil.copy('tests/index.html', spnegodir)
+ error_count = 0
- with (open(testlog, 'a')) as logfile:
- spnego = subprocess.Popen(["tests/t_spnego.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- spnego.wait()
- if spnego.returncode != 0:
- sys.stderr.write('SPNEGO: FAILED\n')
- else:
- sys.stderr.write('SPNEGO: SUCCESS\n')
-
- with (open(testlog, 'a')) as logfile:
- spnego = subprocess.Popen(["tests/t_spnego_proxy.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- spnego.wait()
- if spnego.returncode != 0:
- sys.stderr.write('SPNEGO Proxy Auth: FAILED\n')
- else:
- sys.stderr.write('SPNEGO Proxy Auth: SUCCESS\n')
+ spnego = subprocess.Popen(["tests/t_spnego.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ spnego.wait()
+ if spnego.returncode != 0:
+ sys.stderr.write('SPNEGO: FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('SPNEGO: SUCCESS\n')
+
+ spnego = subprocess.Popen(["tests/t_spnego_proxy.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ spnego.wait()
+ if spnego.returncode != 0:
+ sys.stderr.write('SPNEGO Proxy Auth: FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('SPNEGO Proxy Auth: SUCCESS\n')
+
+ spnego = subprocess.Popen(["tests/t_spnego_no_auth.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ spnego.wait()
+ if spnego.returncode != 0:
+ sys.stderr.write('SPNEGO No Auth: FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('SPNEGO No Auth: SUCCESS\n')
- with (open(testlog, 'a')) as logfile:
- spnego = subprocess.Popen(["tests/t_spnego_no_auth.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- spnego.wait()
- if spnego.returncode != 0:
- sys.stderr.write('SPNEGO No Auth: FAILED\n')
- else:
- sys.stderr.write('SPNEGO No Auth: SUCCESS\n')
+ return error_count
-def test_required_name_attr(testdir, testenv, testlog):
+def test_required_name_attr(testdir, testenv, logfile):
for i in range(1, 5):
required_name_attr_dir = os.path.join(testdir, 'httpd', 'html',
'required_name_attr'+str(i))
os.mkdir(required_name_attr_dir)
shutil.copy('tests/index.html', required_name_attr_dir)
- with (open(testlog, 'a')) as logfile:
- tattr = subprocess.Popen(["tests/t_required_name_attr.py"],
- stdout=logfile, stderr=logfile, env=testenv,
- preexec_fn=os.setsid)
- tattr.wait()
- if tattr.returncode != 0:
- sys.stderr.write('Required Name Attr: FAILED\n')
- else:
- sys.stderr.write('Required Name Attr: SUCCESS\n')
-
+ tattr = subprocess.Popen(["tests/t_required_name_attr.py"],
+ stdout=logfile, stderr=logfile, env=testenv,
+ preexec_fn=os.setsid)
+ tattr.wait()
+ if tattr.returncode != 0:
+ sys.stderr.write('Required Name Attr: FAILED\n')
+ return 1
+ sys.stderr.write('Required Name Attr: SUCCESS\n')
+ return 0
-def test_spnego_rewrite(testdir, testenv, testlog):
+def test_spnego_rewrite(testdir, testenv, logfile):
spnego_rewrite_dir = os.path.join(testdir, 'httpd', 'html',
- 'spnego_rewrite')
+ 'spnego_rewrite')
os.mkdir(spnego_rewrite_dir)
shutil.copy('tests/index.html', spnego_rewrite_dir)
- with (open(testlog, 'a')) as logfile:
- spnego = subprocess.Popen(["tests/t_spnego_rewrite.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- spnego.wait()
- if spnego.returncode != 0:
- sys.stderr.write('SPNEGO Rewrite: FAILED\n')
- else:
- sys.stderr.write('SPNEGO Rewrite: SUCCESS\n')
-
+ spnego = subprocess.Popen(["tests/t_spnego_rewrite.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ spnego.wait()
+ if spnego.returncode != 0:
+ sys.stderr.write('SPNEGO Rewrite: FAILED\n')
+ return 1
+ sys.stderr.write('SPNEGO Rewrite: SUCCESS\n')
+ return 0
-def test_spnego_negotiate_once(testdir, testenv, testlog):
+def test_spnego_negotiate_once(testdir, testenv, logfile):
spnego_negotiate_once_dir = os.path.join(testdir, 'httpd', 'html',
- 'spnego_negotiate_once')
+ 'spnego_negotiate_once')
os.mkdir(spnego_negotiate_once_dir)
shutil.copy('tests/index.html', spnego_negotiate_once_dir)
- with (open(testlog, 'a')) as logfile:
- spnego = subprocess.Popen(["tests/t_spnego_negotiate_once.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- spnego.wait()
- if spnego.returncode != 0:
- sys.stderr.write('SPNEGO Negotiate Once: FAILED\n')
- else:
- sys.stderr.write('SPNEGO Negotiate Once: SUCCESS\n')
-
+ spnego = subprocess.Popen(["tests/t_spnego_negotiate_once.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ spnego.wait()
+ if spnego.returncode != 0:
+ sys.stderr.write('SPNEGO Negotiate Once: FAILED\n')
+ return 1
+ sys.stderr.write('SPNEGO Negotiate Once: SUCCESS\n')
+ return 0
-def test_basic_auth_krb5(testdir, testenv, testlog):
+def test_basic_auth_krb5(testdir, testenv, logfile):
basicdir = os.path.join(testdir, 'httpd', 'html', 'basic_auth_krb5')
os.mkdir(basicdir)
shutil.copy('tests/index.html', basicdir)
+ error_count = 0
- with (open(testlog, 'a')) as logfile:
- basick5 = subprocess.Popen(["tests/t_basic_k5.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- basick5.wait()
- if basick5.returncode != 0:
- sys.stderr.write('BASIC-AUTH: FAILED\n')
- else:
- sys.stderr.write('BASIC-AUTH: SUCCESS\n')
-
- with (open(testlog, 'a')) as logfile:
- basick5 = subprocess.Popen(["tests/t_basic_k5_two_users.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- basick5.wait()
- if basick5.returncode != 0:
- sys.stderr.write('BASIC-AUTH Two Users: FAILED\n')
- else:
- sys.stderr.write('BASIC-AUTH Two Users: SUCCESS\n')
-
- with (open(testlog, 'a')) as logfile:
- basick5 = subprocess.Popen(["tests/t_basic_k5_fail_second.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- basick5.wait()
- if basick5.returncode != 0:
- sys.stderr.write('BASIC Fail Second User: FAILED\n')
- else:
- sys.stderr.write('BASIC Fail Second User: SUCCESS\n')
-
- with (open(testlog, 'a')) as logfile:
- basick5 = subprocess.Popen(["tests/t_basic_proxy.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- basick5.wait()
- if basick5.returncode != 0:
- sys.stderr.write('BASIC Proxy Auth: FAILED\n')
- else:
- sys.stderr.write('BASIC Proxy Auth: SUCCESS\n')
+ basick5 = subprocess.Popen(["tests/t_basic_k5.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ basick5.wait()
+ if basick5.returncode != 0:
+ sys.stderr.write('BASIC-AUTH: FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('BASIC-AUTH: SUCCESS\n')
+
+ basick5 = subprocess.Popen(["tests/t_basic_k5_two_users.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ basick5.wait()
+ if basick5.returncode != 0:
+ sys.stderr.write('BASIC-AUTH Two Users: FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('BASIC-AUTH Two Users: SUCCESS\n')
+
+ basick5 = subprocess.Popen(["tests/t_basic_k5_fail_second.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ basick5.wait()
+ if basick5.returncode != 0:
+ sys.stderr.write('BASIC Fail Second User: FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('BASIC Fail Second User: SUCCESS\n')
+
+ basick5 = subprocess.Popen(["tests/t_basic_proxy.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ basick5.wait()
+ if basick5.returncode != 0:
+ sys.stderr.write('BASIC Proxy Auth: FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('BASIC Proxy Auth: SUCCESS\n')
+ return error_count
-def test_bad_acceptor_name(testdir, testenv, testlog):
+def test_bad_acceptor_name(testdir, testenv, logfile):
bandir = os.path.join(testdir, 'httpd', 'html', 'bad_acceptor_name')
os.mkdir(bandir)
shutil.copy('tests/index.html', bandir)
- with (open(testlog, 'a')) as logfile:
- ban = subprocess.Popen(["tests/t_bad_acceptor_name.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- ban.wait()
- if ban.returncode != 0:
- sys.stderr.write('BAD ACCEPTOR: SUCCESS\n')
- else:
- sys.stderr.write('BAD ACCEPTOR: FAILED\n')
+ ban = subprocess.Popen(["tests/t_bad_acceptor_name.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ ban.wait()
+ if ban.returncode != 0:
+ sys.stderr.write('BAD ACCEPTOR: SUCCESS\n')
+ return 0
+ sys.stderr.write('BAD ACCEPTOR: FAILED\n')
+ return 1
-def test_no_negotiate(testdir, testenv, testlog):
-
+def test_no_negotiate(testdir, testenv, logfile):
nonego_dir = os.path.join(testdir, 'httpd', 'html', 'nonego')
os.mkdir(nonego_dir)
shutil.copy('tests/index.html', nonego_dir)
- with (open(testlog, 'a')) as logfile:
- spnego = subprocess.Popen(["tests/t_nonego.py"],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- spnego.wait()
- if spnego.returncode != 0:
- sys.stderr.write('NO Negotiate: FAILED\n')
- else:
- sys.stderr.write('NO Negotiate: SUCCESS\n')
-
+ spnego = subprocess.Popen(["tests/t_nonego.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ spnego.wait()
+ if spnego.returncode != 0:
+ sys.stderr.write('NO Negotiate: FAILED\n')
+ return 1
+ sys.stderr.write('NO Negotiate: SUCCESS\n')
+ return 0
-def test_hostname_acceptor(testdir, testenv, testlog):
+def test_hostname_acceptor(testdir, testenv, logfile):
hdir = os.path.join(testdir, 'httpd', 'html', 'hostname_acceptor')
os.mkdir(hdir)
shutil.copy('tests/index.html', hdir)
- with (open(testlog, 'a')) as logfile:
- failed = False
- for (name, fail) in [(WRAP_HOSTNAME, False),
- (WRAP_ALIASNAME,False),
- (WRAP_FAILNAME, True)]:
- res = subprocess.Popen(["tests/t_hostname_acceptor.py", name],
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
- res.wait()
- if fail:
- if res.returncode == 0:
- failed = True
- else:
- if res.returncode != 0:
- failed = True
- if failed:
- break
-
- if failed:
- sys.stderr.write('HOSTNAME ACCEPTOR: FAILED\n')
+ failed = False
+ for (name, fail) in [(WRAP_HOSTNAME, False),
+ (WRAP_ALIASNAME, False),
+ (WRAP_FAILNAME, True)]:
+ res = subprocess.Popen(["tests/t_hostname_acceptor.py", name],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ res.wait()
+ if fail:
+ if res.returncode == 0:
+ failed = True
else:
- sys.stderr.write('HOSTNAME ACCEPTOR: SUCCESS\n')
+ if res.returncode != 0:
+ failed = True
+ if failed:
+ break
+ if failed:
+ sys.stderr.write('HOSTNAME ACCEPTOR: FAILED\n')
+ return 1
+ sys.stderr.write('HOSTNAME ACCEPTOR: SUCCESS\n')
+ return 0
-if __name__ == '__main__':
+if __name__ == '__main__':
args = parse_args()
testdir = args['path']
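Review bot: in `test_bad_acceptor_name`, any non-zero exit from `tests/t_bad_acceptor_name.py` is reported as `BAD ACCEPTOR: SUCCESS` and returns 0, so an ImportError or a connection failure inside that script counts as a pass. Now that the return values feed the process exit status, have the script exit with a dedicated code for the expected rejection and compare against that code. The `fail` branch for `WRAP_FAILNAME` in `test_hostname_acceptor` has the same weakness. Separately, the Popen/wait/report pattern is repeated for every script and would be shorter and harder to get wrong as one helper that returns 0 or 1.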
@@ -690,9 +670,8 @@ if __name__ == '__main__':
os.makedirs(testdir)
processes = dict()
-
- testlog = os.path.join(testdir, 'tests.log')
-
+ logfile = open(os.path.join(testdir, 'tests.log'), 'w')
+ errs = 0
try:
wrapenv = setup_wrappers(testdir)
@@ -711,21 +690,22 @@ if __name__ == '__main__':
testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
USR_NAME + '@' + TESTREALM)
- test_spnego_auth(testdir, testenv, testlog)
+ errs += test_spnego_auth(testdir, testenv, logfile)
testenv['MAG_GSS_NAME'] = USR_NAME + '@' + TESTREALM
- test_spnego_rewrite(testdir, testenv, testlog)
+ errs += test_spnego_rewrite(testdir, testenv, logfile)
- test_spnego_negotiate_once(testdir, testenv, testlog)
+ errs += test_spnego_negotiate_once(testdir, testenv, logfile)
- test_hostname_acceptor(testdir, testenv, testlog)
+ errs += test_hostname_acceptor(testdir, testenv, logfile)
- test_bad_acceptor_name(testdir, testenv, testlog)
+ errs += test_bad_acceptor_name(testdir, testenv, logfile)
- if os.path.exists("/usr/lib64/krb5/plugins/preauth/pkinit.so") or \
- os.path.exists("/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so"):
+ rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so"
+ deb_path = "/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so"
+ if os.path.exists(rpm_path) or os.path.exists(deb_path):
testenv = kinit_certuser(testdir, testenv)
- test_required_name_attr(testdir, testenv, testlog)
+ errs += test_required_name_attr(testdir, testenv, logfile)
else:
sys.stderr.write("krb5 PKINIT module not found, skipping name "
"attribute tests\n")
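Review bot: `deb_path` hard-codes the `x86_64-linux-gnu` multiarch directory, so on any other Debian architecture the PKINIT module is reported as not found and `test_required_name_attr` is skipped without affecting `errs`. Consider locating the plugin directory at run time, or make the skip count as a failure when PKINIT is expected to be installed, so the name attribute tests cannot silently drop out of the run.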
@@ -735,12 +715,11 @@ if __name__ == '__main__':
'MAG_USER_NAME_2': USR_NAME_2,
'MAG_USER_PASSWORD_2': USR_PWD_2}
testenv.update(kdcenv)
- test_basic_auth_krb5(testdir, testenv, testlog)
-
- test_no_negotiate(testdir, testenv, testlog)
+ errs += test_basic_auth_krb5(testdir, testenv, logfile)
+ errs += test_no_negotiate(testdir, testenv, logfile)
finally:
- with (open(testlog, 'a')) as logfile:
- for name in processes:
- logfile.write("Killing %s\n" % name)
- os.killpg(processes[name].pid, signal.SIGTERM)
+ for name in processes:
+ logfile.write("Killing %s\n" % name)
+ os.killpg(processes[name].pid, signal.SIGTERM)
+ exit(errs)
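Review bot: `exit(errs)` uses the `site` builtin rather than `sys.exit`, which this file can call directly since it already writes to `sys.stderr`. Also make sure the call sits after the `finally` block and not inside it (the indentation is flattened in this archived copy): a `SystemExit` raised inside `finally` replaces any exception in flight, so a setup failure with `errs` still at 0 would exit 0.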
=====================================
tests/t_bad_acceptor_name.py
=====================================
@@ -3,8 +3,7 @@
import os
import requests
-from stat import ST_MODE
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
if __name__ == '__main__':
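Review bot: the bare `# noqa` on the `requests_gssapi` import silences every flake8 check on that line. If it is only there for an unused `OPTIONAL`, import just the names the script uses, or narrow it to `# noqa: F401`. The same applies to the identical import line in the other `t_*.py` files in this patch.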
=====================================
tests/t_basic_k5_fail_second.py
=====================================
@@ -3,32 +3,33 @@
import os
import requests
-import sys
-from requests.auth import HTTPBasicAuth
if __name__ == '__main__':
s = requests.Session()
- url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME'],
- os.environ['MAG_USER_PASSWORD'],
- os.environ['NSS_WRAPPER_HOSTNAME'])
+ url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+ (os.environ['MAG_USER_NAME'],
+ os.environ['MAG_USER_PASSWORD'],
+ os.environ['NSS_WRAPPER_HOSTNAME'])
r = s.get(url)
if r.status_code != 200:
raise ValueError('Basic Auth: Failed Authentication')
- url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME_2'],
- os.environ['MAG_USER_PASSWORD'],
- os.environ['NSS_WRAPPER_HOSTNAME'])
+ url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+ (os.environ['MAG_USER_NAME_2'],
+ os.environ['MAG_USER_PASSWORD'],
+ os.environ['NSS_WRAPPER_HOSTNAME'])
r = s.get(url)
if r.status_code == 200:
raise ValueError('Basic Auth: Got Success while expecting Error')
- if not 'GSS ERROR' in r.text:
+ if 'GSS ERROR' not in r.text:
raise ValueError('Basic Auth: Expected error variable is missing')
- url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME_2'],
- os.environ['MAG_USER_PASSWORD_2'],
- os.environ['NSS_WRAPPER_HOSTNAME'])
+ url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+ (os.environ['MAG_USER_NAME_2'],
+ os.environ['MAG_USER_PASSWORD_2'],
+ os.environ['NSS_WRAPPER_HOSTNAME'])
r = s.get(url)
if r.status_code != 200:
raise ValueError('Basic Auth: Failed Authentication')
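Review bot: the user name and password are still formatted into the URL userinfo (`'http://%s:%s@%s/basic_auth_krb5/'`) without percent-encoding, so a password containing `@`, `:` or `/` changes how the URL parses, and the password ends up anywhere the URL string is logged. Since this hunk drops the unused `HTTPBasicAuth` import anyway, passing `auth=(user, password)` to `s.get()` would be more robust; if the URL form is deliberate, say why in a comment.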
=====================================
tests/t_basic_k5_two_users.py
=====================================
@@ -3,25 +3,26 @@
import os
import requests
-from requests.auth import HTTPBasicAuth
if __name__ == '__main__':
s = requests.Session()
- url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME'],
- os.environ['MAG_USER_PASSWORD'],
- os.environ['NSS_WRAPPER_HOSTNAME'])
+ url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+ (os.environ['MAG_USER_NAME'],
+ os.environ['MAG_USER_PASSWORD'],
+ os.environ['NSS_WRAPPER_HOSTNAME'])
r = s.get(url)
if r.status_code != 200:
raise ValueError('Basic Auth Failed')
- url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME_2'],
- os.environ['MAG_USER_PASSWORD_2'],
- os.environ['NSS_WRAPPER_HOSTNAME'])
+ url = 'http://%s:%s@%s/basic_auth_krb5/' % \
+ (os.environ['MAG_USER_NAME_2'],
+ os.environ['MAG_USER_PASSWORD_2'],
+ os.environ['NSS_WRAPPER_HOSTNAME'])
r2 = s.get(url)
if r2.status_code != 200:
raise ValueError('Basic Auth failed')
if r.text == r2.text:
- raise ValueError('Basic Auth fatal error')
+ raise ValueError('Basic Auth fatal error')
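Review bot: `raise ValueError('Basic Auth fatal error')` fires when the second user's response body equals the first user's on the same session, which is presumably the identity mix-up this test exists to catch, but the message says none of that. While reindenting the line, change the text to state that both users received the same response.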
=====================================
tests/t_basic_proxy.py
=====================================
@@ -8,10 +8,10 @@ from requests.auth import HTTPBasicAuth
if __name__ == '__main__':
proxy = 'http://%s:%s@%s:%s' % (os.environ['MAG_USER_NAME'],
- os.environ['MAG_USER_PASSWORD'],
- os.environ['NSS_WRAPPER_HOSTNAME'],
- os.environ['WRAP_PROXY_PORT'])
- proxies = { "http": proxy, }
+ os.environ['MAG_USER_PASSWORD'],
+ os.environ['NSS_WRAPPER_HOSTNAME'],
+ os.environ['WRAP_PROXY_PORT'])
+ proxies = {"http": proxy, }
url = 'http://%s/basic_auth_krb5/' % os.environ['NSS_WRAPPER_HOSTNAME']
r = requests.get(url, proxies=proxies,
auth=HTTPBasicAuth(os.environ['MAG_USER_NAME_2'],
=====================================
tests/t_hostname_acceptor.py
=====================================
@@ -1,11 +1,10 @@
#!/usr/bin/env python
# Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license.
-import os
-import requests
import sys
-from stat import ST_MODE
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+
+import requests
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
if __name__ == '__main__':
=====================================
tests/t_nonego.py
=====================================
@@ -23,7 +23,7 @@ if __name__ == '__main__':
r = requests.get(url, headers={'User-Agent': 'NONEGO'})
if r.status_code != 401:
raise ValueError('NO Negotiate failed - 401 expected')
- if (r.headers.get("WWW-Authenticate") and
- r.headers.get("WWW-Authenticate").startswith("Negotiate")):
+ if r.headers.get("WWW-Authenticate") and \
+ r.headers.get("WWW-Authenticate").startswith("Negotiate"):
raise ValueError('NO Negotiate failed - WWW-Authenticate '
'Negotiate header is present, should be absent')
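Review bot: replacing the parenthesised condition with a backslash continuation goes against PEP 8, which prefers implied continuation inside parentheses, and a trailing space after the backslash turns into a syntax error. Fetching the header once into a local, for example `hdr = r.headers.get("WWW-Authenticate")`, and testing `hdr and hdr.startswith("Negotiate")` fits on one line and needs neither form of continuation.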
=====================================
tests/t_required_name_attr.py
=====================================
@@ -3,7 +3,7 @@
import os
import requests
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
if __name__ == '__main__':
=====================================
tests/t_spnego.py
=====================================
@@ -2,10 +2,10 @@
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
-import requests
from stat import ST_MODE
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+import requests
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
if __name__ == '__main__':
sess = requests.Session()
@@ -19,5 +19,5 @@ if __name__ == '__main__':
raise ValueError('gssapi_session not set')
data = os.stat(os.environ['DELEGCCACHE'])
- if data[ST_MODE] != 0100666:
+ if data[ST_MODE] != 0o100666:
raise ValueError('Incorrect perm on ccache: %o' % data[ST_MODE])
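Review bot: `0o100666` is the correct literal for Python 3, but the check compares the whole `st_mode` against a magic number that means a regular file readable and writable by every user. For a delegated credential cache that is a very permissive mode, so add a comment pointing at the test configuration that requests it, and consider `stat.S_ISREG(mode)` together with `stat.S_IMODE(mode) == 0o666` so the intent is readable.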
=====================================
tests/t_spnego_negotiate_once.py
=====================================
@@ -3,7 +3,7 @@
import os
import requests
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
if __name__ == '__main__':
@@ -17,7 +17,7 @@ if __name__ == '__main__':
if r.status_code != 401:
raise ValueError('Spnego Negotiate Once failed - 401 expected')
if not (r.headers.get("WWW-Authenticate") and
- r.headers.get("WWW-Authenticate").startswith("Negotiate")):
+ r.headers.get("WWW-Authenticate").startswith("Negotiate")):
raise ValueError('Spnego Negotiate Once failed - WWW-Authenticate '
'Negotiate header missing')
@@ -34,4 +34,3 @@ if __name__ == '__main__':
r = sess.get(url, auth=HTTPKerberosAuth())
if r.status_code != 200:
raise ValueError('Spnego Negotiate Once failed')
-
=====================================
tests/t_spnego_no_auth.py
=====================================
@@ -3,7 +3,7 @@
import os
import requests
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
if __name__ == '__main__':
@@ -18,4 +18,3 @@ if __name__ == '__main__':
r.headers.get("WWW-Authenticate").startswith("Negotiate")):
raise ValueError('Spnego failed - WWW-Authenticate Negotiate header '
'missing')
-
=====================================
tests/t_spnego_proxy.py
=====================================
@@ -2,10 +2,12 @@
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
-import requests
-import gssapi
from base64 import b64encode
+import gssapi
+import requests
+
+
def getAuthToken(target):
spnego_mech = gssapi.raw.OID.from_int_seq('1.3.6.1.5.5.2')
@@ -25,7 +27,7 @@ if __name__ == '__main__':
url = 'http://%s/spnego/' % target
proxy = 'http://%s:%s' % (target, os.environ['WRAP_PROXY_PORT'])
- proxies = { "http" : proxy, }
+ proxies = {"http": proxy, }
s.headers.update({'Proxy-Authorization': getAuthToken(target)})
s.headers.update({'Authorization': getAuthToken(target)})
=====================================
tests/t_spnego_rewrite.py
=====================================
@@ -3,7 +3,7 @@
import os
import requests
-from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
if __name__ == '__main__':
=====================================
version.m4
=====================================
@@ -1 +1 @@
-m4_define([VERSION_NUMBER], [1.6.0])
+m4_define([VERSION_NUMBER], [1.6.1])
View it on GitLab: https://salsa.debian.org/freeipa-team/mod-auth-gssapi/compare/a04ff2fc4398f2c8835a21913834865e26517d5b...d81cac2148dfefa3da7f9ac32ee84b8b0dade856