[Pkg-freeipa-devel] [Git][freeipa-team/mod-auth-gssapi][master] 17 commits: tests: Catch errors during tests setup

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Thu Aug 25 13:49:32 BST 2022



Timo Aaltonen pushed to branch master at FreeIPA packaging / mod-auth-gssapi


Commits:
fcf9d4da by Stanislav Levin at 2020-08-06T20:41:18+00:00
tests: Catch errors during tests setup

Fixes: https://github.com/gssapi/mod_auth_gssapi/issues/224
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
70c90bfa by Stanislav Levin at 2020-08-06T20:41:18+00:00
tests: Require python3-devel

python3-devel is required to build python-gssapi within
virtualenv.

Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
731761e6 by Stanislav Levin at 2020-08-06T20:43:12+00:00
tests: Don't override the specific environment by the global one

This changes the way in which a test environment is prepared.

Before:
specific -> global

After:
global -> specific

In particular, this allows setting the PATH env variable differently from
the global configuration.

Fixes: https://github.com/gssapi/mod_auth_gssapi/issues/226
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
8ef0dc89 by Simo Sorce at 2020-09-03T10:36:31-04:00
Emit error in logs if keytab files can't be opened

This will give a useful warning to admins when the config points to missing
files.

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
b4b43c2d by Simo Sorce at 2020-09-04T16:54:59-04:00
Add warnings if s4u2proxy options are inconsistent

In most cases, people configuring GssapiUseS4U2Proxy should really
set all three cred store options for keytab, client_keytab, and ccache
to isolate httpd from default system ccaches and keytabs.

Not doing so unintentionally easily leads to very hard-to-debug issues
when trying to use the proxying feature.

Not enforcing as a hard misconfiguration both for compatibility reasons
and also because there are corner cases where the configuration is
intentional.

Signed-off-by: Simo Sorce <simo at redhat.com>
[rharwood at redhat.com: typo fix and commit message cleanup]
Reviewed-by: Robbie Harwood <rharwood at redhat.com>

- - - - -
1a08c315 by Robbie Harwood at 2020-10-13T16:07:44-04:00
Move to python3 by default

When moving 2 -> 3, python elected to keep "python" as the name of the
python2 interpreter.  As a result, python3-only machines have no
/usr/bin/python.  Since python2 is EOL, it should be safe to make our
scripting default to python3.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>

- - - - -
45fa4f21 by Robbie Harwood at 2020-10-13T16:07:44-04:00
Fix PATH handling bug in test suite

virtualenv relies on its executable being ahead of the system ones.  For
setting up the KDC, we don't have a preference - we just need the sbins
to be available.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>

- - - - -
27ad217b by Robbie Harwood at 2020-10-14T12:13:13-04:00
Fix type/token distinction in parser.y

Bison complains that, for yacc compliance, %type is for nonterminals.

Resolves: #236
Signed-off-by: Robbie Harwood <rharwood at redhat.com>

- - - - -
73397865 by Simo Sorce at 2020-10-15T17:05:24-04:00
Add test that exercises S4u2Proxy code

This test shows that currently GssapiAcceptor {HOSTNAME} option will
break the S4U2Proxy case.

Signed-off-by: Simo Sorce <simo at redhat.com>
[rharwood at redhat.com: nits]

- - - - -
a84b9a32 by Simo Sorce at 2020-10-15T17:05:24-04:00
Special ccache handling for {HOSTNAME} acceptor

This applies only to the case when GssapiS4U2Proxy is enabled.

When using the {HOSTNAME} acceptor, the principal used in the server
ccache can vary with each request. GSSAPI does not handle gracefully
a request to resolve a ccache if there is already another credential
under a different name. Even with ccache collections GSSAPI will
resolve an existing ccache from the collection if any is available and
throw an error if it does not match the desired_name. This happens even if
there is a client_keytab that could be used to initiate a new cache in
the collection with the right name.

Therefore in case GssapiAcceptor is set to the special value {HOSTNAME},
instead of using the provided ccache or the process default ccache we
create a new ccache named after the hostname in the delegated ccache
directory. This directory is required when the S4U2Proxy mode is enabled
so we are guaranteed to have it available and writable.

Signed-off-by: Simo Sorce <simo at redhat.com>
[rharwood at redhat.com: nits]

- - - - -
43d10318 by Robbie Harwood at 2021-08-24T16:03:00-04:00
CI: install openssl on Fedora

Signed-off-by: Robbie Harwood <rharwood at redhat.com>

- - - - -
06d1f7d3 by Robbie Harwood at 2021-08-24T16:03:00-04:00
crypto: Handle EVP changes in OpenSSL 3

OpenSSL 3 changes the padding behavior of EVP_DecryptFinal_ex(), which
causes our decryption to fail.  It is the opinion of the OpenSSL
developers that mod_auth_gssapi's use of this function was incorrect.

Patch suggested by Tomáš Mráz.

Related: https://github.com/openssl/openssl/issues/16351

Signed-off-by: Robbie Harwood <rharwood at redhat.com>

- - - - -
78f1d047 by Simo Sorce at 2022-08-25T05:34:08-04:00
Update authors file

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
925a9cd9 by Simo Sorce at 2022-08-25T05:34:42-04:00
Release version 1.6.4

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
9ed8c9fd by Timo Aaltonen at 2022-08-25T15:22:30+03:00
Merge branch 'upstream'

- - - - -
214cd93e by Timo Aaltonen at 2022-08-25T15:23:29+03:00
version bump

- - - - -
7a6e5eba by Timo Aaltonen at 2022-08-25T15:35:40+03:00
releasing package libapache2-mod-auth-gssapi version 1.6.4-1

- - - - -


30 changed files:

- AUTHORS
- README
- ci/ci.sh
- contrib/session_generator.py
- contrib/sweeper.py
- debian/changelog
- src/crypto.c
- src/mod_auth_gssapi.c
- src/mod_auth_gssapi.h
- src/parser.y
- tests/httpd.conf
- tests/magtests.py
- tests/t_bad_acceptor_name.py
- tests/t_basic_k5.py
- tests/t_basic_k5_fail_second.py
- tests/t_basic_k5_two_users.py
- tests/t_basic_proxy.py
- tests/t_basic_timeout.py
- + tests/t_file_check.py
- tests/t_hostname_acceptor.py
- tests/t_localname.py
- tests/t_mech_name.py
- tests/t_nonego.py
- tests/t_required_name_attr.py
- tests/t_spnego.py
- tests/t_spnego_negotiate_once.py
- tests/t_spnego_no_auth.py
- tests/t_spnego_proxy.py
- tests/t_spnego_rewrite.py
- version.m4


Changes:

=====================================
AUTHORS
=====================================
@@ -1 +1,3 @@
-Simo Sorce <simo at redhat.com>
+To get the full list of authors please run the following command on a
+git checkout of the project:
+git shortlog -n -s -e


=====================================
README
=====================================
@@ -26,8 +26,8 @@ To run tests, you also need:
 
 * The Kerberos 5 Key-Distribution-Center (`krb5-kdc` package on Debian,
   `krb5-server` on Fedora)
-* Packages `mod_session`, `krb5-workstation`, `python-requests-gssapi`,
-  and `python-gssapi` on Fedora
+* Packages `mod_session`, `krb5-workstation`, `python3-requests-gssapi`,
+  and `python3-gssapi` on Fedora
 * Some tests require `krb5-pkinit` package on fedora and krb5 >= 1.15.
 * [nss_wrapper](https://cwrap.org/nss_wrapper.html), packaged in Fedora
 * [socket_wrapper](https://cwrap.org/socket_wrapper.html), packaged in Fedora


=====================================
ci/ci.sh
=====================================
@@ -15,8 +15,8 @@ elif [ -f /etc/fedora-release ]; then
     dnf -y install $COMPILER python3-{gssapi,requests{,-gssapi},flake8} \
         krb5-{server,workstation,pkinit} curl libfaketime \
         {httpd,krb5,openssl,gssntlmssp}-devel {socket,nss}_wrapper \
-        autoconf automake libtool which bison make python3 \
-        flex mod_session redhat-rpm-config /usr/bin/virtualenv
+        autoconf automake libtool which bison make python3 python3-devel \
+        flex mod_session redhat-rpm-config /usr/bin/virtualenv openssl
 else
     echo "Distro not found!"
     false


=====================================
contrib/session_generator.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Works with both python2 and python3; please preserve this property
 
 # Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms
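Review bot: the shebang now pins `python3` while the retained comment directly below it still says the script works with both python2 and python3; the statement remains true of the code itself, but the two lines now read as contradicting each other, so consider rewording the comment (for example "runs under python3 by default; keep the code python2-compatible") so the intent survives the interpreter change.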


=====================================
contrib/sweeper.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Works with both python2 and python3; please preserve this property
 
 # Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms


=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+libapache2-mod-auth-gssapi (1.6.4-1) unstable; urgency=medium
+
+  * New upstream release. (Closes: #1017867)
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Thu, 25 Aug 2022 15:35:34 +0300
+
 libapache2-mod-auth-gssapi (1.6.3-1) unstable; urgency=medium
 
   * New upstream release. (Closes: #895836)


=====================================
src/crypto.c
=====================================
@@ -262,7 +262,7 @@ apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
 
     totlen += outlen;
     outlen = plain->length - totlen;
-    ret = EVP_DecryptFinal_ex(ctx, plain->value, &outlen);
+    ret = EVP_DecryptFinal_ex(ctx, plain->value + totlen, &outlen);
     if (ret == 0) goto done;
 
     totlen += outlen;
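Review bot: the `outlen = plain->length - totlen;` assignment just before the changed call is not a capacity bound: `EVP_DecryptFinal_ex()` treats its last argument as output only and may write up to one cipher block at `plain->value + totlen`, so the fix is correct only if `plain` was allocated with block-size slack beyond `totlen`. Either check `plain->length - totlen >= EVP_CIPHER_CTX_block_size(ctx)` before the call and `goto done` on failure, or add a comment pointing at where that guarantee is established, so the next reader does not have to rediscover it.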


=====================================
src/mod_auth_gssapi.c
=====================================
@@ -194,6 +194,9 @@ static bool mag_conn_is_https(conn_rec *c)
     return false;
 }
 
+static char *get_ccache_name(request_rec *req, char *dir, const char *name,
+                             bool use_unique, apr_pool_t *pool);
+
 static bool mag_acquire_creds(request_rec *req,
                               struct mag_config *cfg,
                               gss_OID_set desired_mechs,
@@ -226,7 +229,52 @@ static bool mag_acquire_creds(request_rec *req,
     }
 
 #ifdef HAVE_CRED_STORE
-    gss_const_key_value_set_t store = cfg->cred_store;
+    gss_const_key_value_set_t store = NULL;
+
+    /* When using multiple names, we need to use individual separate ccaches
+     * for each principal or gss_acquire_cred() on the default ccache will
+     * fail when names don't match.  This is needed only for the s4u2proxy
+     * case, where we try to acquire proxy credentials.  The lucky thing is
+     * that in this case we require the use of a delegated creedntials
+     * directory, so we just use this directory to also hold permanent ccaches
+     * for individual acceptor names. */
+    if (cfg->acceptor_name_from_req && cfg->use_s4u2proxy &&
+        cfg->deleg_ccache_dir) {
+
+        gss_key_value_set_desc *s;
+        bool add = true;
+        char *ccname;
+        char *special_name;
+
+        special_name = apr_psprintf(req->pool, "acceptor_%s", req->hostname);
+        ccname = get_ccache_name(req, cfg->deleg_ccache_dir, special_name,
+                                 false, req->pool);
+
+        s = apr_pcalloc(req->pool, sizeof(gss_key_value_set_desc));
+        s->count = cfg->cred_store->count;
+        s->elements = apr_pcalloc(req->pool,
+                                  (s->count + 1) *
+                                  sizeof(gss_key_value_element_desc));
+        for (size_t i = 0; i < s->count; i++) {
+            gss_key_value_element_desc *el = &cfg->cred_store->elements[i];
+            s->elements[i].key = el->key;
+            if (strcmp(el->key, "ccache") == 0) {
+                s->elements[i].value = ccname;
+                add = false;
+            } else {
+                s->elements[i].value = el->value;
+            }
+        }
+        if (add) {
+            s->elements[s->count].key = "ccache";
+            s->elements[s->count].value = ccname;
+            s->count++;
+        }
+
+        store = s;
+    } else {
+        store = cfg->cred_store;
+    }
 
     maj = gss_acquire_cred_from(&min, acceptor_name, GSS_C_INDEFINITE,
                                 desired_mechs, cred_usage, store, creds,
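Review bot: `s->count = cfg->cred_store->count;` and the loop over `cfg->cred_store->elements` dereference `cfg->cred_store` unconditionally, while the guarding condition only tests `acceptor_name_from_req`, `use_s4u2proxy` and `deleg_ccache_dir`; the `else` branch passing `cfg->cred_store` straight through suggests it can be NULL when no `GssapiCredStore` directive is present, so add `cfg->cred_store != NULL` to the condition (or build from a zero-count base in that case). Typo in the new comment: `creedntials` should be `credentials`.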
@@ -287,8 +335,8 @@ static char *escape(apr_pool_t *pool, const char *name,
     return escaped;
 }
 
-static char *get_ccache_name(request_rec *req, char *dir, const char *gss_name,
-                             bool use_unique, struct mag_conn *mc)
+static char *get_ccache_name(request_rec *req, char *dir, const char *name,
+                             bool use_unique, apr_pool_t *pool)
 {
     char *ccname, *escaped;
     int ccachefd;
@@ -297,15 +345,15 @@ static char *get_ccache_name(request_rec *req, char *dir, const char *gss_name,
     /* We need to escape away '/', we can't have path separators in
      * a ccache file name */
     /* first double escape the esacping char (~) if any */
-    escaped = escape(req->pool, gss_name, '~', "~~");
+    escaped = escape(req->pool, name, '~', "~~");
     /* then escape away the separator (/) if any */
     escaped = escape(req->pool, escaped, '/', "~");
 
     if (use_unique == false) {
-        return apr_psprintf(mc->pool, "%s/%s", dir, escaped);
+        return apr_psprintf(pool, "%s/%s", dir, escaped);
     }
 
-    ccname = apr_psprintf(mc->pool, "%s/%s-XXXXXX", dir, escaped);
+    ccname = apr_psprintf(pool, "%s/%s-XXXXXX", dir, escaped);
 
     umask_save = umask(0177);
     ccachefd = mkstemp(ccname);
@@ -659,6 +707,54 @@ done:
     return ret;
 }
 
+#define OPTION_WARNING "Warning: %s is set but %s = %s is missing!"
+
+void mag_verify_config(request_rec *req, struct mag_config *cfg)
+{
+    /* we check only once */
+    if (cfg->verified) return;
+
+    /* Check if cred store config is consistent with use_s4u2proxy.
+     * Although not strictly required it is generally adivsable to
+     * set keytab, client_keytab, and ccache in the cred_store when
+     * use_s4u2proxy is set, this is to avoid easy mistakes that are
+     * very difficult to diagnose */
+    if (cfg->use_s4u2proxy) {
+        bool has_keytab = false;
+        bool has_client_keytab = false;
+        bool has_ccache = false;
+
+        for (int i = 0; i < cfg->cred_store->count; i++) {
+            const char *key = cfg->cred_store->elements[i].key;
+            if (strcmp(key, "keytab") == 0) {
+                has_keytab = true;
+            } else if (strcmp(key, "client_keytab") == 0) {
+                has_client_keytab = true;
+            } else if (strcmp(key, "ccache") == 0) {
+                has_ccache = true;
+            }
+        }
+
+        if (!has_keytab) {
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
+                          OPTION_WARNING, "GssapiUseS4U2Proxy",
+                          "GssapiCredStore", "keytab");
+        }
+        if (!has_client_keytab) {
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
+                          OPTION_WARNING, "GssapiUseS4U2Proxy",
+                          "GssapiCredStore", "client_keytab");
+        }
+        if (!has_ccache) {
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
+                          OPTION_WARNING, "GssapiUseS4U2Proxy",
+                          "GssapiCredStore", "ccache");
+        }
+    }
+
+    cfg->verified = true;
+}
+
 struct mag_req_cfg *mag_init_cfg(request_rec *req)
 {
     struct mag_server_config *scfg;
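Review bot: `cfg->cred_store->count` at the head of the `for` loop is read with no NULL check, so a directory with `GssapiUseS4U2Proxy On` and no `GssapiCredStore` line (exactly the misconfiguration this function exists to flag) would crash the request instead of logging; test `cfg->cred_store == NULL` first and treat it as all three keys missing. Two smaller points: the macro is named `OPTION_WARNING` and the commit message calls these warnings, yet they are logged at `APLOG_INFO`, which a default `LogLevel warn` hides, so `APLOG_WARNING` matches the intent; and `mag_verify_config` is non-static with no prototype added in `mod_auth_gssapi.h`, while its only visible caller is `mag_init_cfg` in this file, so mark it `static`. Typo: `adivsable`.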
@@ -667,6 +763,7 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req)
     req_cfg->req = req;
     req_cfg->cfg = ap_get_module_config(req->per_dir_config,
                                         &auth_gssapi_module);
+    mag_verify_config(req, req_cfg->cfg);
 
     scfg = ap_get_module_config(req->server->module_config,
                                 &auth_gssapi_module);
@@ -1248,7 +1345,7 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
                       "requester: %s", mc->gss_name);
 
         ccache_path = get_ccache_name(req, cfg->deleg_ccache_dir, mc->gss_name,
-                                      cfg->deleg_ccache_unique, mc);
+                                      cfg->deleg_ccache_unique, mc->pool);
         if (ccache_path == NULL) {
             goto done;
         }
@@ -1532,6 +1629,23 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig,
     }
     cfg->cred_store->count++;
 
+    /* check for files that we know should be present, so admins get
+     * some rope to figure out issues when they cannot be accessed */
+    if (strcmp(key, "keytab") == 0 ||
+        strcmp(key, "client_keytab") == 0) {
+        apr_status_t rc;
+        apr_file_t *file;
+        rc = apr_file_open(&file, value, APR_FOPEN_READ, 0, parms->pool);
+        if (rc != APR_SUCCESS) {
+            char err[256];
+            apr_strerror(rc, err, sizeof(err));
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                         "Cannot open %s file %s: %s", key, value, err);
+        } else {
+            apr_file_close(file);
+        }
+    }
+
     elements[count].key = key;
     elements[count].value = value;
 


=====================================
src/mod_auth_gssapi.h
=====================================
@@ -99,6 +99,8 @@ struct mag_config {
     gss_name_t acceptor_name;
     bool acceptor_name_from_req;
     uint32_t basic_timeout;
+
+    bool verified;
 };
 
 struct mag_server_config {


=====================================
src/parser.y
=====================================
@@ -40,11 +40,10 @@ static char *b64_enc(const char *val, size_t len);
 %token EQUAL
 %token EQUALBIN
 %token AST
-%token STRING
-%token INT
 
-%type <sval> STRING
-%type <ival> INT rule rule_start requiredkv
+%token <sval> STRING
+%token <ival> INT
+%type <ival> rule rule_start requiredkv
 
 %parse-param {const char **keys} {const char **vals} {int *status}
 


=====================================
tests/httpd.conf
=====================================
@@ -238,6 +238,21 @@ CoreDumpDirectory "{HTTPROOT}"
   Require valid-user
 </Location>
 
+<Location /hostname_proxy>
+  AuthType GSSAPI
+  AuthName "Login"
+  GssapiSSLonly Off
+  GssapiCredStore ccache:{HTTPROOT}/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
+  GssapiBasicAuth Off
+  GssapiAllowedMech krb5
+  GssapiAcceptorName {{HOSTNAME}}
+  GssapiUseS4U2Proxy On
+  GssapiDelegCcacheDir {HTTPROOT}/delegccachedir
+  Require valid-user
+</Location>
+
 <Location /required_name_attr1>
   AuthType GSSAPI
   AuthName "Required Name Attributes"
@@ -346,3 +361,16 @@ CoreDumpDirectory "{HTTPROOT}"
   GssapiPublishMech On
   Require valid-user
 </Location>
+
+<Location /keytab_file_check>
+  AuthType GSSAPI
+  AuthName "Password Login"
+  GssapiSSLonly Off
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/nofile/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/nofile/http.keytab
+  GssapiBasicAuth On
+  GssapiBasicAuthMech krb5
+  GssapiPublishMech On
+  Require valid-user
+</Location>


=====================================
tests/magtests.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import argparse
@@ -320,11 +320,13 @@ def setup_kdc(testdir, wrapenv):
     with open(kdcconf, 'w+') as f:
         f.write(text)
 
-    kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-              'KRB5_CONFIG': krb5conf,
-              'KRB5_KDC_PROFILE': kdcconf,
-              'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
-    kdcenv.update(wrapenv)
+    kdcenv = wrapenv.copy()
+    kdcenv.update({
+        'PATH': f'{wrapenv["PATH"]}:/sbin:/bin:/usr/sbin:/usr/bin',
+        'KRB5_CONFIG': krb5conf,
+        'KRB5_KDC_PROFILE': kdcconf,
+        'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
+    })
 
     logfile = open(testlog, 'a')
     ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
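Review bot: the KDC `PATH` now places `wrapenv["PATH"]` ahead of the system directories, but `setup_http` and `http_restart` in this same series keep `/sbin:/bin:/usr/sbin:/usr/bin` first; if the intent (per commit 45fa4f21) is that only the virtualenv's executables need to win, add a comment explaining why httpd keeps the opposite order, otherwise make the three environments consistent.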
@@ -393,8 +395,10 @@ def setup_keys(tesdir, env):
     cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
     kadmin_local(cmd, env, logfile)
 
-    keys_env = {"KRB5_KTNAME": svc_keytab, }
-    keys_env.update(env)
+    keys_env = env.copy()
+    keys_env.update({
+        "KRB5_KTNAME": svc_keytab,
+    })
     return keys_env
 
 
@@ -406,6 +410,7 @@ def setup_http(testdir, so_dir, wrapenv):
     os.mkdir(os.path.join(httpdir, 'conf.d'))
     os.mkdir(os.path.join(httpdir, 'html'))
     os.mkdir(os.path.join(httpdir, 'logs'))
+    httpdstdlog = os.path.join(testdir, 'httpd.stdlog')
 
     distro = "Fedora"
     moddir = "/etc/httpd/modules"
@@ -431,13 +436,17 @@ def setup_http(testdir, so_dir, wrapenv):
 
     shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
 
-    httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-               'MALLOC_CHECK_': '3',
-               'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
-    httpenv.update(wrapenv)
+    httpenv = wrapenv.copy()
+    httpenv.update({
+        'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
+        'MALLOC_CHECK_': '3',
+        'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
+    })
 
     httpd = "httpd" if distro == "Fedora" else "apache2"
+    log = open(httpdstdlog, 'a')
     httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+                                stdout=log, stderr=log,
                                 env=httpenv, preexec_fn=os.setsid)
     return httpproc
 
@@ -445,8 +454,10 @@ def setup_http(testdir, so_dir, wrapenv):
 def kinit_user(testdir, kdcenv):
     testlog = os.path.join(testdir, 'kinit.log')
     ccache = os.path.join(testdir, 'k5ccache')
-    testenv = {'KRB5CCNAME': ccache}
-    testenv.update(kdcenv)
+    testenv = kdcenv.copy()
+    testenv.update({
+        'KRB5CCNAME': ccache,
+    })
 
     with (open(testlog, 'a')) as logfile:
         kinit = subprocess.Popen(["kinit", USR_NAME],
@@ -467,8 +478,10 @@ def kinit_certuser(testdir, kdcenv):
     pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT)
     pkinit_key = os.path.join(testdir, PKINIT_KEY)
     ident = "X509_user_identity=FILE:" + pkinit_user_cert + "," + pkinit_key
-    testenv = {'KRB5CCNAME': ccache}
-    testenv.update(kdcenv)
+    testenv = kdcenv.copy()
+    testenv.update({
+        'KRB5CCNAME': ccache,
+    })
     with (open(testlog, 'a')) as logfile:
         logfile.write('PKINIT for maguser3\n')
         kinit = subprocess.Popen(["kinit", USR_NAME_3, "-X", ident],
@@ -678,26 +691,32 @@ def test_no_negotiate(testdir, testenv, logfile):
 
 
 def test_hostname_acceptor(testdir, testenv, logfile):
-    hdir = os.path.join(testdir, 'httpd', 'html', 'hostname_acceptor')
+    plain_test_name = 'hostname_acceptor'
+    hdir = os.path.join(testdir, 'httpd', 'html', plain_test_name)
     os.mkdir(hdir)
     shutil.copy('tests/index.html', hdir)
 
+    proxy_test_name = 'hostname_proxy'
+    hdir = os.path.join(testdir, 'httpd', 'html', proxy_test_name)
+    os.mkdir(hdir)
+    shutil.copy('tests/index.html', hdir)
+    ddir = os.path.join(testdir, 'httpd', 'delegccachedir')
+    os.mkdir(ddir)
+
     failed = False
-    for (name, fail) in [(WRAP_HOSTNAME, False),
-                         (WRAP_ALIASNAME, False),
-                         (WRAP_FAILNAME, True)]:
-        res = subprocess.Popen(["tests/t_hostname_acceptor.py", name],
-                               stdout=logfile, stderr=logfile,
-                               env=testenv, preexec_fn=os.setsid)
-        res.wait()
-        if fail:
-            if res.returncode == 0:
+    for test_name in [plain_test_name, proxy_test_name]:
+        for (name, fail) in [(WRAP_HOSTNAME, False),
+                             (WRAP_ALIASNAME, False),
+                             (WRAP_FAILNAME, True)]:
+            res = subprocess.Popen(["tests/t_hostname_acceptor.py",
+                                    name, test_name],
+                                   stdout=logfile, stderr=logfile,
+                                   env=testenv, preexec_fn=os.setsid)
+            res.wait()
+            if (fail and res.returncode == 0) or \
+               (not fail and res.returncode != 0):
                 failed = True
-        else:
-            if res.returncode != 0:
-                failed = True
-        if failed:
-            break
+                break
 
     if failed:
         sys.stderr.write('HOSTNAME ACCEPTOR: FAILED\n')
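Review bot: the `break` at the end of the inner loop replaces the old `if failed: break` but only leaves the inner `for (name, fail)` loop, so after a failure in `plain_test_name` the outer loop still runs all three `proxy_test_name` cases; the final `if failed:` still reports correctly, but add `if failed: break` after the inner loop to keep the early-exit behaviour the original had. The condition `(fail and res.returncode == 0) or (not fail and res.returncode != 0)` reads more clearly as `fail == (res.returncode == 0)`.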
@@ -754,21 +773,27 @@ def faketime_setup(testenv):
         raise NotImplementedError
 
     # spedup x100
-    fakeenv = {'FAKETIME': '+0 x100'}
-    fakeenv.update(testenv)
-    fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime))
+    fakeenv = testenv.copy()
+    fakeenv.update({
+        'FAKETIME': '+0 x100',
+        'LD_PRELOAD': ' '.join((testenv['LD_PRELOAD'], libfaketime)),
+    })
     return fakeenv
 
 
 def http_restart(testdir, so_dir, testenv):
-    httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
-               'MALLOC_CHECK_': '3',
-               'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
-    httpenv.update(testenv)
+    httpenv = testenv.copy()
+    httpenv.update({
+        'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
+        'MALLOC_CHECK_': '3',
+        'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
+    })
 
     httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
     config = os.path.join(testdir, 'httpd', 'httpd.conf')
+    log = open(os.path.join(testdir, 'httpd.stdlog'), 'a')
     httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+                                stdout=log, stderr=log,
                                 env=httpenv, preexec_fn=os.setsid)
     return httpproc
 
@@ -789,6 +814,22 @@ def test_mech_name(testdir, testenv, logfile):
     return 0
 
 
+def test_file_check(testdir, testenv, logfile):
+    basicdir = os.path.join(testdir, 'httpd', 'html', 'keytab_file_check')
+    os.mkdir(basicdir)
+    shutil.copy('tests/index.html', basicdir)
+
+    filec = subprocess.Popen(["tests/t_file_check.py"],
+                             stdout=logfile, stderr=logfile,
+                             env=testenv, preexec_fn=os.setsid)
+    filec.wait()
+    if filec.returncode == 0:
+        sys.stderr.write('FILE-CHECK: FAILED\n')
+        return 1
+    sys.stderr.write('FILE-CHECK: SUCCESS\n')
+    return 0
+
+
 if __name__ == '__main__':
     args = parse_args()
 
@@ -800,8 +841,11 @@ if __name__ == '__main__':
 
     processes = dict()
     logfile = open(os.path.join(testdir, 'tests.log'), 'w')
-    errs = 0
+    # '-1' indicates setup phase
+    errs = -1
+
     try:
+        # prepare environment for tests
         wrapenv = apply_venv(setup_wrappers(testdir))
 
         kdcproc, kdcenv = setup_kdc(testdir, wrapenv)
@@ -815,6 +859,9 @@ if __name__ == '__main__':
 
         testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
                                               USR_NAME + '@' + TESTREALM)
+        # making testing
+        errs = 0
+
         errs += test_spnego_auth(testdir, testenv, logfile)
 
         testenv['MAG_GSS_NAME'] = USR_NAME + '@' + TESTREALM
@@ -838,11 +885,13 @@ if __name__ == '__main__':
             sys.stderr.write("krb5 PKINIT module not found, skipping name "
                              "attribute tests\n")
 
-        testenv = {'MAG_USER_NAME': USR_NAME,
-                   'MAG_USER_PASSWORD': USR_PWD,
-                   'MAG_USER_NAME_2': USR_NAME_2,
-                   'MAG_USER_PASSWORD_2': USR_PWD_2}
-        testenv.update(kdcenv)
+        testenv = kdcenv.copy()
+        testenv.update({
+            'MAG_USER_NAME': USR_NAME,
+            'MAG_USER_PASSWORD': USR_PWD,
+            'MAG_USER_NAME_2': USR_NAME_2,
+            'MAG_USER_PASSWORD_2': USR_PWD_2,
+        })
 
         errs += test_basic_auth_krb5(testdir, testenv, logfile)
 
@@ -850,12 +899,16 @@ if __name__ == '__main__':
 
         errs += test_mech_name(testdir, testenv, logfile)
 
+        errs += test_file_check(testdir, testenv, logfile)
+
         # After this point we need to speed up httpd to test creds timeout
         try:
             fakeenv = faketime_setup(kdcenv)
-            timeenv = {'TIMEOUT_USER': USR_NAME_4,
-                       'MAG_USER_PASSWORD': USR_PWD}
-            timeenv.update(fakeenv)
+            timeenv = fakeenv.copy()
+            timeenv.update({
+                'TIMEOUT_USER': USR_NAME_4,
+                'MAG_USER_PASSWORD': USR_PWD,
+            })
             curporc = httpproc
             pid = processes['HTTPD(%d)' % httpproc.pid].pid
             os.killpg(pid, signal.SIGTERM)


=====================================
tests/t_bad_acceptor_name.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_basic_k5.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_basic_k5_fail_second.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_basic_k5_two_users.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_basic_proxy.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_basic_timeout.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_file_check.py
=====================================
@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+if __name__ == '__main__':
+    url = 'http://%s/keytab_file_check/' % os.environ['NSS_WRAPPER_HOSTNAME']
+    r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'],
+                                             os.environ['MAG_USER_PASSWORD']))
+    if r.status_code != 200:
+        raise ValueError('Basic Auth Failed(Keytab File Check)')


=====================================
tests/t_hostname_acceptor.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license.
 
 import sys
@@ -9,7 +9,7 @@ from requests_gssapi import HTTPKerberosAuth, OPTIONAL # noqa
 
 if __name__ == '__main__':
     sess = requests.Session()
-    url = 'http://%s/hostname_acceptor/' % sys.argv[1]
+    url = 'http://{}/{}/'.format(sys.argv[1], sys.argv[2])
     r = sess.get(url, auth=HTTPKerberosAuth(delegate=True))
     if r.status_code != 200:
-        raise ValueError('Hostname-based acceptor failed')
+        raise ValueError('Hostname acceptor ({}) failed'.format(sys.argv[2]))


=====================================
tests/t_localname.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_mech_name.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_nonego.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_required_name_attr.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_spnego.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_spnego_negotiate_once.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_spnego_no_auth.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_spnego_proxy.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
tests/t_spnego_rewrite.py
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
 
 import os


=====================================
version.m4
=====================================
@@ -1 +1 @@
-m4_define([VERSION_NUMBER], [1.6.3])
+m4_define([VERSION_NUMBER], [1.6.4])



View it on GitLab: https://salsa.debian.org/freeipa-team/mod-auth-gssapi/-/compare/b1ef60b9272ebaf091758504b4bc5a13a958de18...7a6e5ebadb9fce8aa97dd9362a643b225ec23142
