[Pkg-freeipa-devel] [Git][freeipa-team/python-kdcproxy][upstream] 17 commits: Make webtest an optional dependency
Timo Aaltonen
gitlab at salsa.debian.org
Thu Dec 17 10:11:53 GMT 2020
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / python-kdcproxy
Commits:
c0bee88c by Robbie Harwood at 2018-08-09T15:12:36-04:00
Make webtest an optional dependency
Resolves: #38
- - - - -
0dc6bc8b by Robbie Harwood at 2018-08-09T15:12:36-04:00
Fix pep8 problem on line length for authors
Four is too many people for pep8
- - - - -
c5f3bdbf by Robbie Harwood at 2019-01-31T16:34:10-05:00
[CI] Pass pep8 again and bump Travis
- - - - -
7c2e45e4 by Christian Heimes at 2019-02-11T11:10:18-05:00
Use dnspython package on Python 3
The dnspython3 package is obsolete and superseded by dnspython. The dnspython
package supports Python 2 and Python 3.
The change also fixes a problem with Fedora 30's new Python dependency
generator. The python3-dnspython package does not provide dnspython3
distribution:
nothing provides python3.7dist(dnspython3) needed by python3-kdcproxy-0.4-4.fc30.noarch
See: https://pypi.org/project/dnspython3/
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
58b36765 by Robbie Harwood at 2019-02-11T11:11:36-05:00
Release 0.4.1
- - - - -
d0b35c2b by Robbie Harwood at 2019-08-28T17:33:00-04:00
Correct addrs sorting to be by TCP/UDP
Fixes any potential cases where the resolver might yield UDP addresses
first.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
7e2b1ab2 by Robbie Harwood at 2019-08-29T12:29:07-04:00
Always buffer TCP data in __handle_recv()
Refactor __handle_recv() to always create a BytesIO() object for TCP
data. Linearize control flow for ease of debugging. Always apply
length checks so that we don't have to wait for EOF in the multiple-recv
case.
Fixes a bug where we wouldn't return any data because we never received
the EOF, or didn't receive it fast enough.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
4bf61630 by Robbie Harwood at 2019-08-29T14:38:52-04:00
Release 0.4.2
- - - - -
1d773e59 by Michael Osipov at 2020-01-28T17:34:29-05:00
Use errno module instead of hardcoding EINPROGRESS
FreeBSD uses a different value for this errno than Linux, which caused
incorrect handling of TCP connections. This could result in UDP being
used for scenarios where it was too large for the KDC, causing all
requests to fail.
[rharwood at redhat.com: rewrote commit message]
Merges: #50
- - - - -
112ace52 by Michael Osipov at 2020-03-30T17:19:57-04:00
Support BSD-style /usr/local/etc for configuration
On BSD systems, pkg will install python (and related components) into
the /usr/local heirarchy. Python components are expected to store their
configuration in /usr/local/etc.
[rharwood at redhat.com: commit message, wrapping]
- - - - -
ebc1f98c by Michael Osipov at 2020-04-21T17:47:09-04:00
Document our non-use of krb5's udp_preference_limit
Closes: #48
[rharwood at redhat.com: add mention of krb5, rewrote commit message]
- - - - -
cd036ab9 by Ken Dreyer at 2020-04-24T12:35:47-06:00
README: switch to python3 example
Switch the documented example mod_wsgi configuration to use python36
file paths since Python 2 is deprecated.
- - - - -
bc9e4cf8 by Robbie Harwood at 2020-11-25T13:02:02-05:00
CI: Migrate to Github Actions
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
fcad7d54 by Robbie Harwood at 2020-11-25T13:21:59-05:00
Tox: Update supported python versions
Drop python2 support.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
d36d26b0 by Christian Heimes at 2020-12-08T13:08:02-05:00
Drop asn1crypto and just support pyasn1
I added asn1crypto support three years ago in #33, because I was under
the impression that other Python packages such as PyCA cryptography
were going to standardize on asn1crypto. Since 2017 cryptography and
other dependencies have dropped asn1crypto. kdcproxy is currently the
only package in RHEL that depends on python-asn1crypto.
Let's keep it simple and just support pyasn1.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
79bba1d0 by Robbie Harwood at 2020-12-08T13:08:58-05:00
Update setup.py URL and classifiers
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
0c46921b by Robbie Harwood at 2020-12-08T13:10:08-05:00
Release 1.0.0
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
- - - - -
10 changed files:
- + .github/workflows/build.yml
- â .travis.yml
- README
- kdcproxy/__init__.py
- kdcproxy/codec.py
- kdcproxy/config/__init__.py
- â kdcproxy/parse_asn1crypto.py
- setup.py
- tests.py
- tox.ini
Changes:
=====================================
.github/workflows/build.yml
=====================================
@@ -0,0 +1,29 @@
+{
+ "name": "CI",
+ "on": { "pull_request": null },
+ "jobs": {
+ "linux": {
+ "runs-on": "ubuntu-latest",
+ "strategy": {
+ "fail-fast": false,
+ "matrix": {
+ "python": [
+ "3.6",
+ "3.7",
+ "3.8",
+ "3.9",
+ ],
+ },
+ },
+ "steps": [
+ { "uses": "actions/checkout at v2" },
+ {
+ "uses": "actions/setup-python at v2",
+ "with": { "python-version": "${{ matrix.python }}"},
+ },
+ { "run": "pip install tox" },
+ { "run": "tox" },
+ ],
+ },
+ },
+}
=====================================
.travis.yml deleted
=====================================
@@ -1,33 +0,0 @@
-sudo: false
-
-language: python
-
-cache: pip
-
-matrix:
- include:
- - python: 2.7
- env: TOXENV=py27-asn1crypto
- - python: 3.5
- env: TOXENV=py35-asn1crypto
- - python: 3.6
- env: TOXENV=py36-asn1crypto
- - python: 2.7
- env: TOXENV=py27-pyasn1
- - python: 3.5
- env: TOXENV=py35-pyasn1
- - python: 3.6
- env: TOXENV=py36-pyasn1
- - python: 2.7
- env: TOXENV=pep8
- - python: 3.6
- env: TOXENV=py3pep8
-
-install:
- - pip install --upgrade pip setuptools
- - pip --version
- - pip install tox
- - tox --version
-
-script:
- - tox
=====================================
README
=====================================
@@ -15,9 +15,9 @@ to use mod_wsgi, try something like this::
WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \
display-name=%{GROUP}
- WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+ WSGIImportScript /usr/lib/python3.6/site-packages/kdcproxy/__init__.py \
process-group=kdcproxy application-group=kdcproxy
- WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
+ WSGIScriptAlias /KdcProxy /usr/lib/python3.6/site-packages/kdcproxy/__init__.py
WSGIScriptReloading Off
<Location "/KdcProxy">
@@ -39,9 +39,11 @@ When kdcproxy receives a request, it needs to know where to proxy it to. This
is the purpose of configuration: discovering where to send kerberos requests.
One important note: where the underlying configuration does not specify TCP or
-UDP, both will be attempted. TCP will be attempted before UDP. This permits the
-use of longer timeouts and prevents possible lockouts when the KDC packets
-contain OTP token codes (which should preferably be sent to only one server).
+UDP, both will be attempted. TCP will be attempted before UDP, hence setting
+`udp_preference_limit = 1` is not required for kdcproxy itself (though krb5
+may still need it). This permits the use of longer timeouts and prevents
+possible lockouts when the KDC packets contain OTP token codes (which should
+preferably be sent to only one server).
Automatic Configuration
-----------------------
@@ -53,10 +55,11 @@ Master Configuration File
If you wish to have more detailed configuration, the first place you can
configure kdcproxy is the master configuration file. This file exists at the
location specified in the environment variable KDCPROXY_CONFIG. If this
-variable is unspecified, the default location is /etc/kdcproxy.conf. This
-configuration file takes precedence over all other configuration modules. This
-file is an ini-style configuration with a special section **[global]**. Two
-parameters are available in this section: **configs** and **use_dns**.
+variable is unspecified, the default locations are
+`/usr/local/etc/kdcproxy.conf` or `/etc/kdcproxy.conf`. This configuration
+file takes precedence over all other configuration modules. This file is an
+ini-style configuration with a special section **[global]**. Two parameters
+are available in this section: **configs** and **use_dns**.
The **use_dns** allows you to enable or disable use of DNS SRV record lookups.
=====================================
kdcproxy/__init__.py
=====================================
@@ -19,6 +19,7 @@
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
+import errno
import io
import logging
import select
@@ -128,29 +129,37 @@ class Application:
# length prefix. So add it.
reply = struct.pack("!I", len(reply)) + reply
return reply
- else:
- # TCP is a different story. The reply must be buffered
- # until the full answer is accumulated.
- buf = read_buffers.get(sock)
- part = sock.recv(1048576)
- if buf is None:
- if len(part) > 4:
- # got enough data in the initial package. Now check
- # if we got the full package in the first run.
- (length, ) = struct.unpack("!I", part[0:4])
- if length + 4 == len(part):
- return part
- read_buffers[sock] = buf = io.BytesIO()
-
- if part:
- # data received, accumulate it in a buffer
- buf.write(part)
- return None
- else:
- # EOF received
- read_buffers.pop(sock)
- reply = buf.getvalue()
- return reply
+
+ # TCP is a different story. The reply must be buffered until the full
+ # answer is accumulated.
+ buf = read_buffers.get(sock)
+ if buf is None:
+ read_buffers[sock] = buf = io.BytesIO()
+
+ part = sock.recv(1048576)
+ if not part:
+ # EOF received. Return any incomplete data we have on the theory
+ # that a decode error is more apparent than silent failure. The
+ # client will fail faster, at least.
+ read_buffers.pop(sock)
+ reply = buf.getvalue()
+ return reply
+
+ # Data received, accumulate it in a buffer.
+ buf.write(part)
+
+ reply = buf.getvalue()
+ if len(reply) < 4:
+ # We don't have the length yet.
+ return None
+
+ # Got enough data to check if we have the full package.
+ (length, ) = struct.unpack("!I", reply[0:4])
+ if length + 4 == len(reply):
+ read_buffers.pop(sock)
+ return reply
+
+ return None
def __filter_addr(self, addr):
if addr[0] not in (socket.AF_INET, socket.AF_INET6):
@@ -227,12 +236,13 @@ class Application:
#
# Stick a None address on the end so we can get one
# more attempt after all servers have been contacted.
- addrs = tuple(sorted(filter(self.__filter_addr, addrs)))
+ addrs = tuple(sorted(filter(self.__filter_addr, addrs),
+ key=lambda a: a[2]))
for addr in addrs + (None,):
if addr is not None:
# Bypass unspecified socktypes
- if (len(scheme) > 1 and
- addr[1] != self.SOCKTYPES[scheme[1]]):
+ if len(scheme) > 1 and \
+ addr[1] != self.SOCKTYPES[scheme[1]]:
continue
# Create the socket
@@ -246,7 +256,7 @@ class Application:
# Python 3.x, it throws io.BlockingIOError()..
sock.connect(addr[4])
except socket.error as e:
- if e.errno != 115: # errno != EINPROGRESS
+ if e.errno != errno.EINPROGRESS:
sock.close()
continue
except io.BlockingIOError:
=====================================
kdcproxy/codec.py
=====================================
@@ -19,36 +19,11 @@
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
-import os
import struct
+from kdcproxy import parse_pyasn1 as asn1mod
from kdcproxy.exceptions import ParsingError
-ASN1MOD = os.environ.get('KDCPROXY_ASN1MOD')
-
-if ASN1MOD is None:
- try:
- from asn1crypto.version import __version_info__ as asn1crypto_version
- except ImportError:
- asn1crypto_version = None
- else:
- if asn1crypto_version >= (0, 22, 0):
- ASN1MOD = 'asn1crypto'
- if ASN1MOD is None:
- try:
- __import__('pyasn1')
- except ImportError:
- pass
- else:
- ASN1MOD = 'pyasn1'
-
-if ASN1MOD == 'asn1crypto':
- from kdcproxy import parse_asn1crypto as asn1mod
-elif ASN1MOD == 'pyasn1':
- from kdcproxy import parse_pyasn1 as asn1mod
-else:
- raise ValueError("Invalid KDCPROXY_ASN1MOD='{}'".format(ASN1MOD))
-
class ProxyRequest(object):
TYPE = None
=====================================
kdcproxy/config/__init__.py
=====================================
@@ -49,18 +49,18 @@ class IConfig(IResolver):
class KDCProxyConfig(IConfig):
GLOBAL = "global"
- default_filename = "/etc/kdcproxy.conf"
+ default_filenames = ["/usr/local/etc/kdcproxy.conf", "/etc/kdcproxy.conf"]
- def __init__(self, filename=None):
+ def __init__(self, filenames=None):
self.__cp = configparser.ConfigParser()
- if filename is None:
- filename = os.environ.get("KDCPROXY_CONFIG", None)
- if filename is None:
- filename = self.default_filename
+ if filenames is None:
+ filenames = os.environ.get("KDCPROXY_CONFIG", None)
+ if filenames is None:
+ filenames = self.default_filenames
try:
- self.__cp.read(filename)
+ self.__cp.read(filenames)
except configparser.Error:
- logging.error("Unable to read config file: %s", filename)
+ logging.error("Unable to read config file(s): %s", filenames)
try:
mod = self.__cp.get(self.GLOBAL, "configs")
=====================================
kdcproxy/parse_asn1crypto.py deleted
=====================================
@@ -1,104 +0,0 @@
-# Copyright (C) 2017, Red Hat, Inc.
-# All rights reserved.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-from asn1crypto import core
-
-from kdcproxy.exceptions import ASN1ParsingError
-
-
-APPLICATION = 1
-
-
-class KerberosString(core.GeneralString):
- """KerberosString ::= GeneralString (IA5String)
-
- For compatibility, implementations MAY choose to accept GeneralString
- values that contain characters other than those permitted by
- IA5String...
- """
-
-
-class Realm(KerberosString):
- """Realm ::= KerberosString
- """
-
-
-class ProxyMessage(core.Sequence):
- pretty_name = 'KDC-PROXY-MESSAGE'
-
- _fields = [
- ('kerb-message', core.OctetString, {
- 'explicit': 0}),
- ('target-domain', Realm, {
- 'explicit': 1, 'optional': True}),
- ('dclocator-hint', core.Integer, {
- 'explicit': 2, 'optional': True}),
- ]
-
-
-class ASREQ(core.Sequence):
- pretty_name = 'AS-REQ'
-
- explicit = (APPLICATION, 10)
-
-
-class TGSREQ(core.Sequence):
- pretty_name = 'TGS-REQ'
-
- explicit = (APPLICATION, 12)
-
-
-class APREQ(core.Sequence):
- pretty_name = 'AP-REQ'
-
- explicit = (APPLICATION, 14)
-
-
-class KRBPriv(core.Sequence):
- pretty_name = 'KRBPRiv'
-
- explicit = (APPLICATION, 21)
-
-
-def decode_proxymessage(data):
- req = ProxyMessage.load(data, strict=True)
- message = req['kerb-message'].native
- realm = req['target-domain'].native
- try: # Python 3.x
- realm = str(realm, "utf-8")
- except TypeError: # Python 2.x
- realm = str(realm)
- flags = req['dclocator-hint'].native
- return message, realm, flags
-
-
-def encode_proxymessage(data):
- rep = ProxyMessage()
- rep['kerb-message'] = data
- return rep.dump()
-
-
-def try_decode(data, cls):
- try:
- req = cls.load(data, strict=True)
- except ValueError as e:
- raise ASN1ParsingError(e)
- return req.pretty_name
=====================================
setup.py
=====================================
@@ -20,16 +20,12 @@
# THE SOFTWARE.
import os
-import sys
-import setuptools
from setuptools import setup
-
-SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split("."))
-
install_requires = [
- 'asn1crypto>=0.23',
+ 'pyasn1',
+ 'dnspython'
]
extras_require = {
@@ -37,17 +33,6 @@ extras_require = {
"test_pep8": ['flake8', 'flake8-import-order', 'pep8-naming']
}
-if SETUPTOOLS_VERSION >= (18, 0):
- extras_require.update({
- ":python_version<'3'": ["dnspython"],
- ":python_version>='3'": ["dnspython3"],
- })
-else:
- if sys.version_info.major == 2:
- install_requires.append("dnspython")
- else:
- install_requires.append("dnspython3")
-
def read(fname):
fname = os.path.join(os.path.dirname(__file__), fname)
@@ -55,15 +40,22 @@ def read(fname):
return f.read()
+# in chronological order
+authors = {
+ "Nalin Dahyabhai": "nalin at redhat.com",
+ "Nathaniel McCallum": "npmccallum at redhat.com",
+ "Christian Heimes": "cheimes at redhat.com",
+ "Robbie Harwood": "rharwood at redhat.com",
+}
setup(
name="kdcproxy",
- version="0.4",
- author="Nalin Dahyabhai, Nathaniel McCallum, Christian Heimes, Robbie Harwood",
- author_email="nalin at redhat.com, npmccallum at redhat.com, cheimes at redhat.com, rharwood at redhat.com",
+ version="1.0.0",
+ author=", ".join(authors.keys()),
+ author_email=", ".join(authors.values()),
description=("A kerberos KDC HTTP proxy WSGI module."),
license="MIT",
keywords="krb5 proxy http https kerberos",
- url="http://github.com/npmccallum/kdcproxy",
+ url="http://github.com/latchset/kdcproxy",
packages=['kdcproxy', 'kdcproxy.config'],
long_description=read('README'),
install_requires=install_requires,
@@ -74,10 +66,11 @@ setup(
"Intended Audience :: System Administrators",
"License :: OSI Approved :: MIT License",
"Operating System :: OS Independent",
- "Programming Language :: Python :: 2.7",
"Programming Language :: Python :: 3",
- "Programming Language :: Python :: 3.5",
"Programming Language :: Python :: 3.6",
+ "Programming Language :: Python :: 3.7",
+ "Programming Language :: Python :: 3.8",
+ "Programming Language :: Python :: 3.9",
"Topic :: Internet :: Proxy Servers",
],
)
=====================================
tests.py
=====================================
@@ -20,7 +20,6 @@
# THE SOFTWARE.
import os
-import sys
import unittest
from base64 import b64decode
try:
@@ -33,7 +32,11 @@ from dns.rdataclass import IN as RDCLASS_IN
from dns.rdatatype import SRV as RDTYPE_SRV
from dns.rdtypes.IN.SRV import SRV
-from webtest import TestApp as WebTestApp
+try:
+ from webtest import TestApp as WebTestApp
+except ImportError:
+ print("webtest not installed! Tests will be skipped")
+ WebTestApp = "skip"
import kdcproxy
from kdcproxy import codec
@@ -45,6 +48,7 @@ HERE = os.path.dirname(os.path.abspath(__file__))
KRB5_CONFIG = os.path.join(HERE, 'tests.krb5.conf')
+ at unittest.skipIf(WebTestApp == "skip", "webtest not installed")
class KDCProxyWSGITests(unittest.TestCase):
addrinfo = [
(2, 1, 6, '', ('128.66.0.2', 88)),
@@ -221,21 +225,6 @@ class KDCProxyCodecTests(unittest.TestCase):
'FREEIPA.LOCAL KPASSWD-REQ (603 bytes) (version 0x0001)'
)
- def test_asn1mod(self):
- modmap = {
- 'asn1crypto': (
- 'kdcproxy.parse_asn1crypto', 'kdcproxy.parse_pyasn1'),
- 'pyasn1': (
- 'kdcproxy.parse_pyasn1', 'kdcproxy.parse_asn1crypto'),
- }
- asn1mod = os.environ.get('KDCPROXY_ASN1MOD', None)
- if asn1mod is None:
- self.fail("Tests require KDCPROXY_ASN1MOD env var.")
- self.assertIn(asn1mod, modmap)
- mod, opposite = modmap[asn1mod]
- self.assertIn(mod, set(sys.modules))
- self.assertNotIn(opposite, set(sys.modules))
-
class KDCProxyConfigTests(unittest.TestCase):
=====================================
tox.ini
=====================================
@@ -1,17 +1,11 @@
[tox]
minversion = 2.3.1
-envlist = {py27,py35,py36}-{asn1crypto,pyasn1},pep8,py3pep8,doc,coverage-report
+envlist = py36,py37,py38,py39,pep8,py3pep8,doc,coverage-report
skip_missing_interpreters = true
[testenv]
deps =
.[tests]
- py27: mock
- pyasn1: pyasn1
- asn1crypto: asn1crypto>=0.23
-setenv =
- asn1crypto: KDCPROXY_ASN1MOD=asn1crypto
- pyasn1: KDCPROXY_ASN1MOD=pyasn1
commands =
{envpython} -m coverage run --parallel \
-m pytest --capture=no --strict {posargs}
@@ -24,7 +18,7 @@ commands =
{envpython} -m coverage report --show-missing
[testenv:pep8]
-basepython = python2.7
+basepython = python3
deps =
.[test_pep8]
commands =
@@ -42,7 +36,7 @@ deps =
doc8
docutils
markdown
-basepython = python2.7
+basepython = python3
commands =
doc8 --allow-long-titles README
python setup.py check --restructuredtext --metadata --strict
@@ -57,3 +51,5 @@ exclude = .tox,*.egg,dist,build
show-source = true
max-line-length = 79
application-import-names = kdcproxy
+# N815 is camelCase names; N813 is for changing case on import
+ignore = N815, N813
View it on GitLab: https://salsa.debian.org/freeipa-team/python-kdcproxy/-/compare/898760d01a3bdb3de2c6862cf6ed285790bae1cd...0c46921ba2ff168d8400659b8e0a4f37abfa9498
--
View it on GitLab: https://salsa.debian.org/freeipa-team/python-kdcproxy/-/compare/898760d01a3bdb3de2c6862cf6ed285790bae1cd...0c46921ba2ff168d8400659b8e0a4f37abfa9498
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20201217/1ad1f2df/attachment-0001.html>
More information about the Pkg-freeipa-devel
mailing list