[Pkg-freeipa-devel] [Git][freeipa-team/mod-authnz-pam][master] 17 commits: Escape macros in %changelog

Timo Aaltonen gitlab at salsa.debian.org
Wed Oct 17 10:38:56 BST 2018


Timo Aaltonen pushed to branch master at FreeIPA packaging / mod-authnz-pam


Commits:
bdf47540 by Igor Gnatenko at 2018-02-23T12:27:31Z
Escape macros in %changelog

Reference: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Y2ZUKK2B7T2IKXPMODNF6HB2O5T5TS6H/
Signed-off-by: Igor Gnatenko <ignatenkobrain at fedoraproject.org>

(cherry picked from dist-git commit 3dc29f87fd91b51a0768e253604b7baa5efce360)

- - - - -
3ebc05ef by Jan Pazdziora at 2018-02-23T12:28:40Z
https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B#BuildRequires_and_Requires

- - - - -
49a0904d by Jan Pazdziora at 2018-07-15T13:33:59Z
Build rpm in Travis CI.

- - - - -
54b7e866 by Jan Pazdziora at 2018-07-16T20:59:53Z
Build rpm in Cirrus CI, use the same tests/build.sh for Travis CI.

- - - - -
02a147cf by Jan Pazdziora at 2018-07-16T22:01:50Z
Test Require pam-account and AuthBasicProvider PAM in CI.

- - - - -
7d81960c by Jan Pazdziora at 2018-07-16T22:22:23Z
Wait for the HTTP server to start in tests.

- - - - -
cba4286a by schnitzi99 at 2018-07-17T17:24:32Z
Implementation of socache caching.

Copied from example code of dbd and dbm socache implementations.
If PAM authentication is successful (AUTH_GRANTED), do Apache-style salted bcrypt hash and store it in socache.

- - - - -
679b0871 by Jan Pazdziora at 2018-07-17T17:24:32Z
Skip support for caching on 2.3.7 or older where ap_authn_cache_store did not exist.

- - - - -
9236628d by Jan Pazdziora at 2018-07-17T17:24:53Z
On Apache 2.4, test AuthBasicProvider socache PAM + AuthnCacheProvideFor PAM.

- - - - -
708a652a by Jan Pazdziora at 2018-07-17T17:42:31Z
Tagging 1.2.0 release.

- - - - -
ce447269 by Timo Aaltonen at 2018-10-17T09:25:51Z
Merge branch 'upstream'

- - - - -
b56d61b4 by Timo Aaltonen at 2018-10-17T09:26:23Z
New upstream release.

- - - - -
2075e395 by Timo Aaltonen at 2018-10-17T09:29:56Z
control: Update vcs urls and maintainer address.

- - - - -
9ee5a91e by Timo Aaltonen at 2018-10-17T09:30:23Z
Bump debhelper to 11.

- - - - -
30ef2bcd by Timo Aaltonen at 2018-10-17T09:32:36Z
rules: Use dh_missing.

- - - - -
3d2137eb by Timo Aaltonen at 2018-10-17T09:32:59Z
Bump policy to 4.2.1, no changes.

- - - - -
df271705 by Timo Aaltonen at 2018-10-17T09:38:20Z
releasing package libapache2-mod-authnz-pam version 1.2.0-1

- - - - -


19 changed files:

- + .cirrus.yml
- + .dockerignore
- + .travis.yml
- README
- debian/changelog
- debian/compat
- debian/control
- debian/rules
- mod_authnz_pam.c
- mod_authnz_pam.spec
- + tests/Dockerfile
- + tests/auth-socache.conf
- + tests/auth.cgi
- + tests/auth.conf
- + tests/build.sh
- + tests/config.sh
- + tests/pam-exec
- + tests/pam-web
- + tests/run.sh


Changes:

=====================================
.cirrus.yml
=====================================
@@ -0,0 +1,11 @@
+test_task:
+  container:
+    matrix:
+      image: registry.fedoraproject.org/fedora:rawhide
+      image: registry.fedoraproject.org/fedora:latest
+      image: centos:centos7
+      image: centos:centos6
+  build_script: tests/build.sh
+  config_script: tests/config.sh
+  run_httpd_background_script: /usr/sbin/httpd -DFOREGROUND
+  test_script: tests/run.sh


=====================================
.dockerignore
=====================================
@@ -0,0 +1,2 @@
+.git
+tests/Dockerfile


=====================================
.travis.yml
=====================================
@@ -0,0 +1,31 @@
+language: generic
+
+sudo: required
+
+services:
+- docker
+
+install: true
+
+stages:
+- build-and-test
+
+matrix:
+  include:
+    - stage: build-and-test
+      env: fedora=rawhide
+    - stage: build-and-test
+      env: fedora=28
+    - stage: build-and-test
+      env: centos=centos7
+    - stage: build-and-test
+      env: centos=centos6
+
+before_script:
+- if test -n "$fedora" ; then sed -i "s#^FROM.*#FROM registry.fedoraproject.org/fedora:$fedora#" tests/Dockerfile ; fi
+- if test -n "$centos" ; then sed -i "s#^FROM.*#FROM centos:$centos#" tests/Dockerfile ; fi
+
+script:
+- docker build -t mod_authnz_pam -f tests/Dockerfile .
+- docker run --name mod_authnz_pam --rm -d mod_authnz_pam
+- docker exec mod_authnz_pam tests/run.sh
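Review bot: the `script` stage never stops the container it starts with `docker run --rm -d`, so a failing `docker exec` leaves it running until the Travis VM is torn down; an `after_script: docker stop mod_authnz_pam` keeps the job self-contained. The matrix also pins `env: fedora=28` while .cirrus.yml builds `fedora:latest`, so the two CIs drift apart as Fedora releases move; using the same tag in both avoids chasing image-specific failures.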


=====================================
README
=====================================
@@ -111,7 +111,7 @@ should build and install the module.
 License
 -------
 
-Copyright 2014--2016 Jan Pazdziora
+Copyright 2014--2018 Jan Pazdziora
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.


=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+libapache2-mod-authnz-pam (1.2.0-1) unstable; urgency=medium
+
+  * New upstream release. (Closes: #814086)
+  * control: Update vcs urls and maintainer address.
+  * Bump debhelper to 11.
+  * rules: Use dh_missing.
+  * Bump policy to 4.2.1, no changes.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Wed, 17 Oct 2018 12:36:53 +0300
+
 libapache2-mod-authnz-pam (1.1.0-1) unstable; urgency=medium
 
   * New upstream release.


=====================================
debian/compat
=====================================
@@ -1 +1 @@
-9
+11


=====================================
debian/control
=====================================
@@ -1,16 +1,17 @@
 Source: libapache2-mod-authnz-pam
 Section: web
 Priority: optional
-Maintainer: Timo Aaltonen <tjaalton at debian.org>
+Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at alioth-lists.debian.net>
+Uploaders: Timo Aaltonen <tjaalton at debian.org>
 Build-Depends:
  apache2-dev (>= 2.4),
- debhelper (>= 9),
+ debhelper (>= 11),
  dh-apache2,
  libpam0g-dev,
-Standards-Version: 3.9.8
+Standards-Version: 4.2.1
 Homepage: http://www.adelton.com/apache/mod_authnz_pam/
-Vcs-Git: https://anonscm.debian.org/git/collab-maint/mod-authnz-pam.git
-Vcs-Browser: https://anon.debian.org/git/collab-maint/mod-authnz-pam.git
+Vcs-Git: https://salsa.debian.org/freeipa-team/mod-authnz-pam.git
+Vcs-Browser: https://salsa.debian.org/freeipa-team/mod-authnz-pam
 
 Package: libapache2-mod-authnz-pam
 Architecture: any


=====================================
debian/rules
=====================================
@@ -12,5 +12,5 @@ override_dh_auto_install:
 	install -m 755 .libs/mod_authnz_pam.so \
 		$(CURDIR)/debian/tmp/usr/lib/apache2/modules
 
-override_dh_install:
-	dh_install --fail-missing
+override_dh_missing:
+	dh_missing --fail-missing


=====================================
mod_authnz_pam.c
=====================================
@@ -1,6 +1,6 @@
 
 /*
- * Copyright 2014--2016 Jan Pazdziora
+ * Copyright 2014--2018 Jan Pazdziora
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,7 +17,9 @@
 
 #include <security/pam_appl.h>
 
+#include "apr_general.h"
 #include "apr_strings.h"
+#include "apr_md5.h"
 
 #include "ap_config.h"
 #include "ap_provider.h"
@@ -142,6 +144,34 @@ module AP_MODULE_DECLARE_DATA authnz_pam_module;
 #define SHOW_MODULE "mod_authnz_pam: "
 #endif
 
+#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
+static APR_OPTIONAL_FN_TYPE(ap_authn_cache_store) *authn_cache_store = NULL;
+
+// copied from socache implementations of dbm and dbd @ http://svn.eu.apache.org/viewvc?view=revision&revision=957072
+static void opt_retr(void) {
+	authn_cache_store = APR_RETRIEVE_OPTIONAL_FN(ap_authn_cache_store);
+}
+
+void store_password_to_cache(request_rec * r, const char * login, const char * password) {
+	if (!(authn_cache_store && login && password)) {
+		return;
+	}
+	unsigned char salt[16];
+	char hash[61];
+	if (apr_generate_random_bytes(salt, sizeof(salt)) != APR_SUCCESS) {
+		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+			SHOW_MODULE "apr_generate_random_bytes failed, will not cache password");
+		return;
+	}
+	if (apr_bcrypt_encode(password, 5, salt, sizeof(salt), hash, sizeof(hash)) != APR_SUCCESS) {
+		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+			SHOW_MODULE "apr_bcrypt_encode failed, will not cache password");
+		return;
+	}
+	authn_cache_store(r, "PAM", login, NULL, hash);
+}
+#endif
+
 #define _REMOTE_USER_ENV_NAME "REMOTE_USER"
 #define _EXTERNAL_AUTH_ERROR_ENV_NAME "EXTERNAL_AUTH_ERROR"
 #define _PAM_STEP_AUTH 1
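Review bot: `store_password_to_cache` has external linkage although it is only called from this file; make it `static` like `opt_retr` above it so the symbol stays out of the module's export table and cannot clash with another module. Two further points on the same function: the bcrypt cost of 5 passed to `apr_bcrypt_encode` matches the htpasswd default, but it is the only protection for a cached password if the socache backend (a DBM file, say) is readable, so it deserves a comment or a directive rather than a bare literal; and the record is stored under the fixed provider name `"PAM"` with a NULL realm, so nothing in the key records which AuthPAMService validated the password, leaving isolation between locations that use different PAM services entirely to mod_authn_socache's AuthnCacheContext. A sentence about that in README would help. Style: the `//` comment differs from the `/* */` style of the file header.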
@@ -167,6 +197,11 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
 			param = login;
 			stage = "PAM authentication failed for user";
 			ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
+#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
+			if (ret == PAM_SUCCESS) {
+				store_password_to_cache(r, login, password);
+			}
+#endif
 		}
 		if ((ret == PAM_SUCCESS) && (steps & _PAM_STEP_ACCOUNT)) {
 			param = login;
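Review bot: the password is cached as soon as `pam_authenticate` returns `PAM_SUCCESS`, before the `_PAM_STEP_ACCOUNT` branch immediately below runs the account step. A user whose password is correct but whose account check fails (expired, locked, outside permitted hours) therefore still gets a cache entry, and with `AuthBasicProvider socache PAM` the next request within AuthnCacheTimeout is answered from the cache without PAM seeing it. Moving the `store_password_to_cache` call to the point where all requested steps have succeeded and the function returns AUTH_GRANTED limits the cache to fully successful logins.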
@@ -275,6 +310,9 @@ static void register_hooks(apr_pool_t * p) {
 	ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
 #endif
 	APR_REGISTER_OPTIONAL_FN(pam_authenticate_with_login_password);
+#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
+	ap_hook_optional_fn_retrieve(opt_retr, NULL, NULL, APR_HOOK_MIDDLE);
+#endif
 }
 
 #ifdef AP_DECLARE_MODULE


=====================================
mod_authnz_pam.spec
=====================================
@@ -7,12 +7,13 @@
 
 Summary: PAM authorization checker and PAM Basic Authentication provider
 Name: mod_authnz_pam
-Version: 1.1.0
+Version: 1.2.0
 Release: 1%{?dist}
 License: ASL 2.0
 Group: System Environment/Daemons
 URL: http://www.adelton.com/apache/mod_authnz_pam/
 Source0: http://www.adelton.com/apache/mod_authnz_pam/%{name}-%{version}.tar.gz
+BuildRequires: gcc
 BuildRequires: httpd-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig
@@ -63,10 +64,19 @@ install -Dp -m 0644 authnz_pam.confx $RPM_BUILD_ROOT%{_httpd_confdir}/authnz_pam
 %{_httpd_moddir}/*.so
 
 %changelog
+* Tue Jul 17 2018 Jan Pazdziora <jpazdziora at redhat.com> - 1.2.0-1
+- Add support for mod_authn_socache.
+
+* Fri Feb 23 2018 Jan Pazdziora <jpazdziora at redhat.com> - 1.1.0-8
+- https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B#BuildRequires_and_Requires
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain at fedoraproject.org> - 1.1.0-7
+- Escape macros in %%changelog
+
 * Tue Nov 22 2016 Jan Pazdziora <jpazdziora at redhat.com> - 1.1.0-1
 - Logging improvements; success logging moved from notice to info level.
 - Fix redirect for AuthPAMExpiredRedirect with Basic Auth.
-- Fix AuthPAMExpiredRedirect %s escaping on Apache 2.2.
+- Fix AuthPAMExpiredRedirect %%s escaping on Apache 2.2.
 
 * Mon Mar 21 2016 Jan Pazdziora <jpazdziora at redhat.com> - 1.0.2-1
 - 1319166 - the Requires(pre) httpd does not seem to be needed.
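Review bot: the 1.1.0-8 changelog entry is a bare URL and says nothing about what changed (the `BuildRequires: gcc` added in the first hunk); a one-line description with the URL as a reference reads better in `rpm -q --changelog` output.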


=====================================
tests/Dockerfile
=====================================
@@ -0,0 +1,6 @@
+FROM registry.fedoraproject.org/fedora
+COPY . /src/
+WORKDIR /src
+RUN tests/build.sh
+RUN tests/config.sh
+ENTRYPOINT [ "/usr/sbin/httpd", "-DFOREGROUND" ]
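Review bot: `FROM registry.fedoraproject.org/fedora` carries no tag, so it floats to whatever the registry currently calls latest; .travis.yml rewrites the line with sed, but a direct `docker build -f tests/Dockerfile .` gets an unpinned base. Pin a tag here and let CI override it.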


=====================================
tests/auth-socache.conf
=====================================
@@ -0,0 +1,9 @@
+
+LoadModule authn_socache_module modules/mod_authn_socache.so
+
+ScriptAlias /authn-cached /var/www/cgi-bin/auth.cgi
+<Location /authn-cached>
+	AuthBasicProvider socache PAM
+	AuthnCacheProvideFor PAM
+	AuthnCacheTimeout 10
+</Location>
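Review bot: this `<Location /authn-cached>` block sets no AuthType, AuthName, AuthPAMService or Require; it only works because `/authn-cached` also matches `<LocationMatch ^/authn>` in tests/auth.conf and config.sh appends this file to the end of auth.conf, so this section is merged last and its `AuthBasicProvider socache PAM` wins. Dropped into conf.d as a file of its own it would sort before auth.conf, be merged first, and lose its AuthBasicProvider to the LocationMatch. Either spell out the full set of directives here or add a comment stating the dependency on the append order.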


=====================================
tests/auth.cgi
=====================================
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo "Content-Type: text/plain"
+echo "Pragma: no-cache"
+echo
+if [ -n "$REMOTE_USER" ] ; then
+	echo "User $REMOTE_USER."
+else
+	echo "Not authenticated."
+fi


=====================================
tests/auth.conf
=====================================
@@ -0,0 +1,19 @@
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+
+ScriptAlias /authz /var/www/cgi-bin/auth.cgi
+<Location /authz>
+	AuthType Basic
+	AuthName "private area"
+	AuthBasicProvider file
+	AuthUserFile /etc/htpasswd
+	Require pam-account web
+</Location>
+
+ScriptAlias /authn /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authn>
+	AuthType Basic
+	AuthName "private area"
+	AuthBasicProvider PAM
+	AuthPAMService web
+	Require valid-user
+</LocationMatch>


=====================================
tests/build.sh
=====================================
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+set -x
+
+DNF=yum
+BUILDDEP_PROVIDER=yum-utils
+BUILDDEP=yum-builddep
+if type dnf 2> /dev/null ; then
+	DNF=dnf
+	BUILDDEP_PROVIDER='dnf-command(builddep)'
+	BUILDDEP='dnf builddep'
+fi
+
+$DNF install -y rpm-build "$BUILDDEP_PROVIDER"
+$BUILDDEP -y mod_authnz_pam.spec
+NAME_VERSION=$( rpm -q --qf '%{name}-%{version}\n' --specfile mod_authnz_pam.spec | head -1 )
+mkdir .$NAME_VERSION
+cp -rp * .$NAME_VERSION
+mv .$NAME_VERSION $NAME_VERSION
+mkdir -p ~/rpmbuild/SOURCES
+tar cvzf ~/rpmbuild/SOURCES/$NAME_VERSION.tar.gz $NAME_VERSION
+rpmbuild -bb --define "dist $( rpm --eval '%{dist}' ).localbuild" mod_authnz_pam.spec
+$DNF install -y ~/rpmbuild/RPMS/*/$NAME_VERSION-*.localbuild.*.rpm
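Review bot: `type dnf 2> /dev/null` still prints `dnf is /usr/bin/dnf` to stdout, which under `set -x` only adds noise; `command -v dnf > /dev/null 2>&1` is the quiet form. `$NAME_VERSION` is unquoted throughout; harmless for an rpm name, but `"$NAME_VERSION"` is the safer habit in a `set -e` script.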


=====================================
tests/config.sh
=====================================
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+set -x
+
+sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
+mkdir -p /etc/pam-auth
+cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
+cp -p tests/pam-exec /usr/bin/pam-exec
+cp tests/pam-web /etc/pam.d/web
+chmod a+x /var/log/httpd
+touch /var/log/httpd/pam_exec.log
+chown apache /var/log/httpd/pam_exec.log
+cp tests/auth.conf /etc/httpd/conf.d/
+if rpm -ql httpd | grep mod_authn_socache ; then
+	cat tests/auth-socache.conf >> /etc/httpd/conf.d/auth.conf
+fi
+htpasswd -bc /etc/htpasswd alice Tajnost
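Review bot: the `sed` on `^MaxClients` only changes anything if httpd.conf carries that line; on httpd 2.4 the directive is MaxRequestWorkers and the stock configuration does not set MaxClients in httpd.conf, so on the 2.4 images this is a silent no-op. If the tests depend on a single worker, append the directive instead of editing in place, or check that the substitution matched. Also worth a comment: `chmod a+x /var/log/httpd` makes the log directory traversable for every user, which is acceptable in a throwaway container but must not be copied into a real deployment.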


=====================================
tests/pam-exec
=====================================
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+echo "$0: $PAM_TYPE $PAM_USER"
+
+if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
+	PAM_FILE="/etc/pam-auth/$PAM_USER"
+	if ! [ -f $PAM_FILE ] ; then
+		echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
+		exit 2
+	fi
+	if [ $PAM_TYPE == 'account' ] ; then
+		# For account check, existing file is enough to allow access
+		echo "$0: account [$PAM_USER] ok"
+		exit 0
+	fi
+
+	# For auth, we compare the passwords
+	read PASSWORD
+	read CHECK_PASSWORD < $PAM_FILE
+	if [ "$PASSWORD" == "$CHECK_PASSWORD" ] ; then
+		echo "$0: auth [$PAM_USER] ok"
+		exit 0
+	fi
+	echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
+	exit 3
+fi
+echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
+exit 4
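Review bot: the failure branch writes both the submitted password and the expected one to stderr (`Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]`), which pam_exec forwards to /var/log/httpd/pam_exec.log; even in a test fixture, logging credentials in clear is a habit that migrates into real stacks, so log only the user name. Quoting is also inconsistent: `[ -f $PAM_FILE ]` and `[ $PAM_TYPE == 'account' ]` are unquoted while the `auth` comparison a few lines below quotes both operands.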


=====================================
tests/pam-web
=====================================
@@ -0,0 +1,2 @@
+auth	optional	pam_exec.so debug expose_authtok log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec
+account	required	pam_exec.so debug log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec
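Review bot: the `auth` line uses `optional`, so pam_exec's verdict only decides the outcome because it is the sole module on that stack; any `auth` module added later would make a failed password check irrelevant. `required` states the intent. Note also that `expose_authtok` is what hands the password to pam-exec on stdin, and with `debug` plus the log file it is the path by which the script's failure message, password included, reaches the log.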


=====================================
tests/run.sh
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -e
+set -x
+
+echo "Wait for the HTTP server to start ..."
+for i in $( seq 1 10 ) ; do
+	if curl -s -o /dev/null http://localhost/ ; then
+		break
+	fi
+	sleep 3
+done
+
+echo "Testing Require pam-account"
+curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
+curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
+touch /etc/pam-auth/alice
+curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
+
+echo "Testing AuthBasicProvider PAM"
+curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+touch /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+echo Secret > /etc/pam-auth/bob
+curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
+echo Secret2 > /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+
+if rpm -ql httpd | grep mod_authn_socache ; then
+	echo "Testing AuthBasicProvider socache PAM + AuthnCacheProvideFor PAM"
+	curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+	curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
+	echo Secret > /etc/pam-auth/bob
+	curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
+	echo Secret2 > /etc/pam-auth/bob
+	curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+	curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
+	sleep 11
+	curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
+fi
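Review bot: in the socache block the first request after the echo (`curl -s -D /dev/stdout -o /dev/null http://localhost/authn`) hits `/authn`, which the block above already covers; it was presumably meant to check that `/authn-cached` returns 401 without credentials, otherwise the unauthenticated path through the socache provider is never exercised. The `sleep 11` is coupled to `AuthnCacheTimeout 10` in tests/auth-socache.conf; a comment linking the two saves the next reader a search. The start-up loop also falls through after ten attempts without failing, so a server that never comes up surfaces as a failed `grep 401` rather than as a start-up error; an explicit check after the loop makes the failure mode clear.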



View it on GitLab: https://salsa.debian.org/freeipa-team/mod-authnz-pam/compare/98a0d6f61b32dae35af1c78b1d0a162a73080033...df2717050584279816b0aae426b140fa348595f9
