[Pkg-freeipa-devel] [Git][freeipa-team/mod-authnz-pam][upstream] 14 commits: Support building in copr using make srpm.

Timo Aaltonen gitlab at salsa.debian.org
Thu Nov 12 11:15:02 GMT 2020



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / mod-authnz-pam


Commits:
67174cff by Jan Pazdziora at 2018-08-01T12:11:49+02:00
Support building in copr using make srpm.

- - - - -
daa6dbed by Jan Pazdziora at 2018-08-01T12:33:41+02:00
Promote https: scheme.

- - - - -
60077456 by Peter Oliver at 2018-12-03T11:44:04+01:00
Document new name for allow_httpd_mod_auth_pam SELinux boolean

This is named `httpd_mod_auth_pam` in RHEL 7.

- - - - -
a7c12875 by Jan Pazdziora at 2018-12-03T11:48:40+01:00
Test on the latest released (and tagged) Fedora, whichever it is.

- - - - -
656a3725 by Jan Pazdziora at 2019-03-01T11:00:38+01:00
Fedora rawhide is not stable.

Workaround
Public key for rpm-build-4.14.2.1-4.fc30.1.x86_64.rpm is not installed. Failing package is: rpm-build-4.14.2.1-4.fc30.1.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-31-x86_64

- - - - -
a61b4a54 by Jan Pazdziora at 2019-03-15T18:12:05+01:00
Revert "Fedora rawhide is not stable."

This reverts commit 656a372582b75014209e5fd68d40ca5403f4e7d2
since Fedora rawhide is usable again.

- - - - -
0a0cd57d by Jan Pazdziora at 2020-01-09T09:08:26+01:00
Signal success in the output, not just with exit status.

- - - - -
ca023ee5 by Jan Pazdziora at 2020-01-09T09:22:16+01:00
Add testing on CentOS 8.

- - - - -
1ba8c3bc by Jan Pazdziora at 2020-01-09T09:34:36+01:00
Allow easy rerunning tests/run.sh multiple times.

- - - - -
3f25ee81 by Jan Pazdziora at 2020-03-19T08:44:24+01:00
Related to 1760300 - move to Bionic where libseccomp handles statx.

Addressing
stat: cannot statx '/root/rpmbuild/BUILDROOT/mod_authnz_pam-1.2.0-1.fc33.localbuild.x86_64/usr/lib64/httpd/modules/mod_authnz_pam.so': Operation not permitted

- - - - -
a9b23ffa by Jake Chen at 2020-07-08T23:14:59+02:00
Harden the test, show that auth is not enough and that account is run.

- - - - -
622996a9 by Jake Chen at 2020-07-08T23:20:09+02:00
Store password to cache only after passing all PAM checks, including account.

- - - - -
025f62ad by Jan Pazdziora at 2020-07-09T16:19:25+02:00
Clarify account behaviour with AuthBasicProvider and interaction with Require pam-account.

- - - - -
093e1902 by Jan Pazdziora at 2020-07-09T16:36:58+02:00
Tagging 1.2.1 release.

- - - - -


9 changed files:

- + .copr/Makefile
- .travis.yml
- README
- mod_authnz_pam.c
- mod_authnz_pam.spec
- tests/auth.conf
- tests/config.sh
- tests/pam-exec
- tests/run.sh


Changes:

=====================================
.copr/Makefile
=====================================
@@ -0,0 +1,22 @@
+
+PACKAGE := mod_authnz_pam
+
+outdir := $(CURDIR)
+spec := $(PACKAGE).spec
+
+spec_dir := .
+ifeq ($(shell test -d $(spec) && echo true),true)
+	spec_dir = $(spec)
+	spec_file = $(spec)/$(PACKAGE).spec
+else
+	spec_dir = $(dir $(spec))
+	spec_file = $(spec)
+endif
+
+VERSION := $(shell rpm -q --qf '%{name}-%{version}\n' --specfile mod_authnz_pam.spec 2> /dev/null | head -1)
+
+srpm:
+	cd $(spec_dir) && mkdir -p .source/$(VERSION) && cp -rp * .source/$(VERSION) && cd .source && tar cvzf $(VERSION).tar.gz $(VERSION)
+	cd $(spec_dir) && rpmbuild -D '_srcrpmdir $(outdir)' -D '_sourcedir .source' -bs $(spec_file)
+	cd $(spec_dir) && rm -rf .source
+
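Review bot: the VERSION line hardcodes `mod_authnz_pam.spec` and runs in `$(CURDIR)`, ignoring the `spec_file`/`spec_dir` values computed just above it, so the `ifeq` branch that supports a spec in a subdirectory can never take effect; use `--specfile $(spec_file)` (after `cd $(spec_dir)`) there, and the `spec_dir := .` default, which both branches overwrite, can go. Also worth noting that `cp -rp * .source/$(VERSION)` snapshots the whole working tree, untracked files included, into the source tarball; `git archive --prefix=$(VERSION)/ HEAD` would give a reproducible tarball that only contains committed files.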


=====================================
.travis.yml
=====================================
@@ -1,5 +1,5 @@
 language: generic
-
+dist: bionic
 sudo: required
 
 services:
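Review bot: `dist: bionic` is here because the older image's libseccomp profile rejects `statx` inside the build container (commit 3f25ee81, "stat: cannot statx ... Operation not permitted"); a one-line comment above the key recording that reason would stop a later cleanup from reverting it. The adjacent `sudo: required` key is deprecated on Travis and no longer changes anything, so it could be dropped in the same edit.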
@@ -15,7 +15,9 @@ matrix:
     - stage: build-and-test
       env: fedora=rawhide
     - stage: build-and-test
-      env: fedora=28
+      env: fedora=latest
+    - stage: build-and-test
+      env: centos=8
     - stage: build-and-test
       env: centos=centos7
     - stage: build-and-test


=====================================
README
=====================================
@@ -68,6 +68,31 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content
 
 to authenticate against sssd.
 
+As part of the Basic Authentication operation, both PAM authentication
+and PAM account verification (auth and account in PAM service
+configuration) are run. This is to ensure that the HTTP status 401
+is returned when the user is not permitted to log in, allowing fallback
+to different authentication mechanism. That also means that for the
+above example
+
+      AuthBasicProvider PAM
+      AuthPAMService tlwiki
+
+it is not necessary to use
+
+      Require pam-account tlwiki
+
+and
+
+      Require valid-user
+
+is enough because the account verification will be run as part of the
+HTTP authentication. In fact, using Require pam-account with the same
+PAM service name will cause the account PAM checks to be run twice.
+On the other hand, it is possible to configure Require pam-account
+with different PAM service name than the AuthPAMService value and get
+two separate account PAM checks during the Basic Authentication.
+
 Handling expired password:
 
     AuthPAMExpiredRedirect <URL>
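Review bot: two wording fixes in the new paragraph: "allowing fallback to different authentication mechanism" wants "to a different authentication mechanism", and "with different PAM service name" wants "with a different PAM service name". More importantly for operators, this paragraph is the natural place to state the consequence the C change in this push enforces: with `AuthBasicProvider socache PAM`, the password is written to the cache only after both auth and account have passed, and a cache hit then serves later requests without re-running the account check until the entry expires, so an account disabled afterwards keeps access for up to `AuthnCacheTimeout`.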
@@ -94,10 +119,10 @@ For example for FreeIPA 4.1+, the value can actually be
 
 SELinux:
 
-On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to
+On SELinux enabled systems, boolean httpd_mod_auth_pam needs to
 be enabled:
 
-    setsebool -P allow_httpd_mod_auth_pam 1
+    setsebool -P httpd_mod_auth_pam 1
 
 Building from sources
 ---------------------
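Review bot: replacing `allow_httpd_mod_auth_pam` outright drops the name that older releases still use; the commit message itself scopes the new name to RHEL 7, so the README should keep a mention of the old name for readers on older systems (e.g. "on older releases the boolean is called allow_httpd_mod_auth_pam"). `getsebool -a | grep mod_auth_pam` is a quick way to find out which name a given system has.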
@@ -111,7 +136,7 @@ should build and install the module.
 License
 -------
 
-Copyright 2014--2018 Jan Pazdziora
+Copyright 2014--2020 Jan Pazdziora
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.


=====================================
mod_authnz_pam.c
=====================================
@@ -197,11 +197,6 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
 			param = login;
 			stage = "PAM authentication failed for user";
 			ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
-#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
-			if (ret == PAM_SUCCESS) {
-				store_password_to_cache(r, login, password);
-			}
-#endif
 		}
 		if ((ret == PAM_SUCCESS) && (steps & _PAM_STEP_ACCOUNT)) {
 			param = login;
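Review bot: the rationale for pulling the store out of this branch deserves a code comment at the new call site, because it is easy to "optimise" back: here it ran right after `pam_authenticate` and before the `_PAM_STEP_ACCOUNT` branch below, so a correct password for a disabled or expired account was cached, and subsequent requests served from mod_authn_socache skipped the account check entirely. At the moment that reasoning lives only in the spec changelog line.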
@@ -232,6 +227,11 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
 	r->user = apr_pstrdup(r->pool, login);
 	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, SHOW_MODULE "PAM authentication passed for user %s", login);
 	pam_end(pamh, ret);
+#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
+	if (steps & _PAM_STEP_AUTH) {
+		store_password_to_cache(r, login, password);
+	}
+#endif
 	return AUTH_GRANTED;
 }
 
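Review bot: the guard changed from `ret == PAM_SUCCESS` to `steps & _PAM_STEP_AUTH`, which is right at this point: every failing step has already returned before here, so the only question left is whether a password was actually verified in this call (a `Require pam-account` run has only the account step and no password to cache). Two things to confirm: that `password` is still valid after `pam_end(pamh, ret)` (it appears to be the caller's buffer rather than PAM-owned memory, so this should be fine, but the ordering is easy to misread), and that on the Basic-auth path `steps` never carries `_PAM_STEP_AUTH` without `_PAM_STEP_ACCOUNT`, since otherwise the cache could again be seeded without an account check.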


=====================================
mod_authnz_pam.spec
=====================================
@@ -7,12 +7,12 @@
 
 Summary: PAM authorization checker and PAM Basic Authentication provider
 Name: mod_authnz_pam
-Version: 1.2.0
+Version: 1.2.1
 Release: 1%{?dist}
 License: ASL 2.0
 Group: System Environment/Daemons
-URL: http://www.adelton.com/apache/mod_authnz_pam/
-Source0: http://www.adelton.com/apache/mod_authnz_pam/%{name}-%{version}.tar.gz
+URL: https://www.adelton.com/apache/mod_authnz_pam/
+Source0: https://www.adelton.com/apache/mod_authnz_pam/%{name}-%{version}.tar.gz
 BuildRequires: gcc
 BuildRequires: httpd-devel
 BuildRequires: pam-devel
@@ -64,6 +64,9 @@ install -Dp -m 0644 authnz_pam.confx $RPM_BUILD_ROOT%{_httpd_confdir}/authnz_pam
 %{_httpd_moddir}/*.so
 
 %changelog
+* Thu Jul 09 2020 Jan Pazdziora <jpazdziora at redhat.com> - 1.2.1-1
+- Store password to cache only after passing all PAM checks, including account.
+
 * Tue Jul 17 2018 Jan Pazdziora <jpazdziora at redhat.com> - 1.2.0-1
 - Add support for mod_authn_socache.
 
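Review bot: the 1.2.1 changelog entry records only the cache fix; the SELinux boolean rename in the README and the switch of URL/Source0 to https are also user-visible in this release and could be listed as two more bullets.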


=====================================
tests/auth.conf
=====================================
@@ -17,3 +17,21 @@ ScriptAlias /authn /var/www/cgi-bin/auth.cgi
 	AuthPAMService web
 	Require valid-user
 </LocationMatch>
+
+ScriptAlias /authnp /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp>
+	AuthType Basic
+	AuthName "private area"
+	AuthBasicProvider PAM
+	AuthPAMService web
+	Require pam-account web
+</LocationMatch>
+
+ScriptAlias /authnp2 /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp2>
+	AuthType Basic
+	AuthName "private area"
+	AuthBasicProvider PAM
+	AuthPAMService web
+	Require pam-account web2
+</LocationMatch>
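Review bot: `<LocationMatch ^/authnp>` also matches `/authnp2`, so requests to the second location pass through both blocks; with the default `AuthMerging Off` the later block's `Require pam-account web2` replaces the earlier one, so the test works, but only because of block order. Anchoring the patterns (`^/authnp$` and `^/authnp2$`, or `^/authnp(/|$)`) removes that dependency.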


=====================================
tests/config.sh
=====================================
@@ -5,9 +5,12 @@ set -x
 
 sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
 mkdir -p /etc/pam-auth
+mkdir -p /etc/pam-account
+mkdir -p /etc/pam-account2
 cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
 cp -p tests/pam-exec /usr/bin/pam-exec
 cp tests/pam-web /etc/pam.d/web
+cp tests/pam-web /etc/pam.d/web2
 chmod a+x /var/log/httpd
 touch /var/log/httpd/pam_exec.log
 chown apache /var/log/httpd/pam_exec.log
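Review bot: `tests/pam-exec` in this same push looks for `/etc/pam-auth2/$PAM_USER` when `PAM_SERVICE` is `web2`, but this script only creates `/etc/pam-auth`, `/etc/pam-account` and `/etc/pam-account2`; nothing in `tests/run.sh` authenticates through `web2` (it is used only with `Require pam-account`), so either create `/etc/pam-auth2` here for symmetry or drop that branch from pam-exec. The directories are also created but never emptied, which matters for the rerun support added in run.sh.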


=====================================
tests/pam-exec
=====================================
@@ -2,18 +2,16 @@
 
 echo "$0: $PAM_TYPE $PAM_USER"
 
-if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
-	PAM_FILE="/etc/pam-auth/$PAM_USER"
+if [ "$PAM_TYPE" == 'auth' ] ; then
+	if [ "$PAM_SERVICE" = 'web2' ] ; then
+		PAM_FILE="/etc/pam-auth2/$PAM_USER"
+	else
+		PAM_FILE="/etc/pam-auth/$PAM_USER"
+	fi
 	if ! [ -f $PAM_FILE ] ; then
 		echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
 		exit 2
 	fi
-	if [ $PAM_TYPE == 'account' ] ; then
-		# For account check, existing file is enough to allow access
-		echo "$0: account [$PAM_USER] ok"
-		exit 0
-	fi
-
 	# For auth, we compare the passwords
 	read PASSWORD
 	read CHECK_PASSWORD < $PAM_FILE
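Review bot: the new nested `if` mixes `==` (a bashism inside `[ ]`) with `=`, and `[ -f $PAM_FILE ]` is unquoted; use `=` throughout and quote `"$PAM_FILE"`, and prefer `read -r PASSWORD` so backslashes in a submitted password are not interpreted. The context line `echo "Provided password [$PASSWORD] does not match ..."` writes the submitted password in clear to the log, which is acceptable for a throwaway CI container but worth a comment so the helper is never copied into a real PAM setup.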
@@ -24,5 +22,21 @@ if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
 	echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
 	exit 3
 fi
+
+if [ "$PAM_TYPE" == 'account' ] ; then
+	if [ "$PAM_SERVICE" = 'web2' ] ; then
+		PAM_FILE="/etc/pam-account2/$PAM_USER"
+	else
+		PAM_FILE="/etc/pam-account/$PAM_USER"
+	fi
+	if ! [ -f $PAM_FILE ] ; then
+		echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
+		exit 2
+	fi
+	# For account check, existing file is enough to allow access
+	echo "$0: account [$PAM_USER] ok"
+	exit 0
+fi
+
 echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
 exit 4
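Review bot: the service-to-directory mapping is now duplicated between the auth and account branches; deriving it once before them (`PAM_DIR=/etc/pam-$PAM_TYPE; [ "$PAM_SERVICE" = web2 ] && PAM_DIR=${PAM_DIR}2`) keeps the two in step and makes the unused `pam-auth2` path obvious.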


=====================================
tests/run.sh
=====================================
@@ -11,10 +11,21 @@ for i in $( seq 1 10 ) ; do
 	sleep 3
 done
 
+cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
+
+function next_log () { set +x
+	tail -c +$(( $( stat -c%s /var/log/httpd/pam_exec.log.old ) + 1 )) /var/log/httpd/pam_exec.log | sed 's/^/:: /'
+	# echo '###' >> /var/log/httpd/pam_exec.log
+	cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
+	set -x
+}
+
+rm -f /etc/pam-auth/*
+
 echo "Testing Require pam-account"
 curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
 curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
-touch /etc/pam-auth/alice
+touch /etc/pam-account/alice
 curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
 
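Review bot: `rm -f /etc/pam-auth/*` was added so the script can be rerun, but the same push introduces `/etc/pam-account` and `/etc/pam-account2` and does not clear them; on a second run `/etc/pam-account/alice` already exists, so the `grep 401` on the second `/authz` request fails. Add `rm -f /etc/pam-account/* /etc/pam-account2/*` next to it. Minor: `function next_log () { set +x` puts the first statement on the brace line, and `tail -c +N` with `stat -c%s` assumes GNU coreutils, which holds for the Fedora/CentOS containers used here.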
 echo "Testing AuthBasicProvider PAM"
@@ -23,15 +34,31 @@ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /
 touch /etc/pam-auth/bob
 curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
 echo Secret > /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+next_log > /dev/null
+touch /etc/pam-account/bob
 curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^1$'
+curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authnp2 | tee /dev/stderr | grep 401
+next_log | grep -E 'account .bob. ok|No ./etc/pam-account2/bob' | uniq | wc -l | grep '^2$'
+touch /etc/pam-account2/bob
+curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
 echo Secret2 > /etc/pam-auth/bob
 curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
 
 if rpm -ql httpd | grep mod_authn_socache ; then
 	echo "Testing AuthBasicProvider socache PAM + AuthnCacheProvideFor PAM"
+	rm /etc/pam-account/bob
 	curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
 	curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
 	echo Secret > /etc/pam-auth/bob
+	curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
+	# rerun the same request, verify that passing auth did not store password into cache
+	curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
+	touch /etc/pam-account/bob
 	curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
 	echo Secret2 > /etc/pam-auth/bob
 	curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
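Review bot: after `touch /etc/pam-account2/bob` the request goes to `/authnp` again (already shown to succeed a few lines up) instead of `/authnp2`, so the case the touch sets up, account passing through both `web` and `web2`, is never asserted; that line should be `curl -u bob:Secret -s http://localhost/authnp2 | tee /dev/stderr | grep 'User bob'` followed by a `next_log` check for two `account .bob. ok` lines and no `No ./etc/pam-account2/bob` line. The socache block is the regression test for the C change: the first `/authn-cached` request with a good password but no account file must get 401, and the repeated request must get 401 as well, proving nothing was cached; with the old code the second request would have been served from the cache.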
@@ -39,3 +66,5 @@ if rpm -ql httpd | grep mod_authn_socache ; then
 	sleep 11
 	curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
 fi
+
+echo OK $0.
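Review bot: `echo OK $0.` runs unconditionally; unless the script starts with `set -e` (outside the hunks shown), an earlier failing `grep 401` pipeline still ends with OK printed, which defeats the purpose of commit 0a0cd57d ("Signal success in the output, not just with exit status"). If `set -e` is there this is fine; otherwise enable it at the top or guard the line.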



View it on GitLab: https://salsa.debian.org/freeipa-team/mod-authnz-pam/-/compare/708a652a62980fa7e2fba37273d91f1182215bd5...093e19024a069b747734cacb43ae72d23d495d33
