[Pkg-freeipa-devel] [Git][freeipa-team/mod-authnz-pam][upstream] 19 commits: Workaround 1869030.
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Tue Mar 29 08:54:11 BST 2022
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / mod-authnz-pam
Commits:
bdde2a31 by Jan Pazdziora at 2020-11-18T09:24:28+01:00
Workaround 1869030.
- - - - -
2a31be20 by Jan Pazdziora at 2020-12-02T20:07:47+01:00
CentOS 6 was EOL on 2020-11-30.
- - - - -
644d7434 by Jan Pazdziora at 2020-12-08T18:55:36+01:00
Disable testing on CentOS 6 in Cirrus CI as well.
- - - - -
7d30a943 by Jan Pazdziora at 2021-03-30T08:42:08+02:00
Add CI testing on GitHub Actions.
- - - - -
ac3ebb23 by Jake Chen at 2021-03-30T08:46:20+02:00
Use ap_get_useragent_host instead of ap_get_remote_host
- according to https://www.apachelounge.com/Changelog-2.4.html,
modules should be updated to inquire for ap_get_useragent_host()
in place of ap_get_remote_host().
- use module magic number 20120211,56 to determine whether to use ap_get_useragent_host
(according to https://github.com/apache/httpd/blob/2.4.x/include/ap_mmn.h)
- - - - -
577fb280 by Jan Pazdziora at 2021-03-30T08:55:10+02:00
Tagging 1.2.2 release.
- - - - -
63bea6d5 by Jan Pazdziora at 2021-05-08T07:51:05+02:00
Workaround 1897493 / 1900021 -- test on docker with disabled seccomp, we have to move the build steps to docker run.
- - - - -
e8a63a17 by Jan Pazdziora at 2021-05-08T14:17:20+02:00
Run Travis CI jobs on Ubuntu Focal 20.24 ARM64, to increase architecture coverage.
- - - - -
75df8ed2 by Jan Pazdziora at 2022-01-21T17:36:12+01:00
Revert "Workaround 1897493 / 1900021 -- test on docker with disabled seccomp, we have to move the build steps to docker run."
This reverts commit 63bea6d518f3d5d10384fa1530b805083c0f9478.
The latest dockers have updated seccomp policies.
- - - - -
eddd034a by Jan Pazdziora at 2022-01-21T20:27:45+01:00
Travis CI OSS credits do not replenish, stop attempting to run builds there.
- - - - -
afc59eba by Jan Pazdziora at 2022-01-21T20:30:48+01:00
CentOS 8 got EOL on 2021-12-31, switch to testing on CentOS 8 Stream.
- - - - -
7b129780 by Jan Pazdziora at 2022-01-21T21:01:42+01:00
Add testing of AuthPAMExpiredRedirect, using pam_unix and sp_max in shadow.
The chmod g+r /etc/shadow approach is obviously only for testing.
- - - - -
389c1e1b by Jan Pazdziora at 2022-01-21T22:49:45+01:00
Test the expansion of placeholders as well.
- - - - -
79170d64 by Jan Pazdziora at 2022-01-22T08:05:56+01:00
Test the exact redirect status done by AuthPAMExpiredRedirect.
- - - - -
3575243b by Jan Pazdziora at 2022-01-23T09:52:22+01:00
Change default redirect status for AuthPAMExpiredRedirect to 303 See Other, make it configurable.
Redirect to reset password typically goes to different system,
so repeating for example POST which 307 Temporary Redirect does
is not that useful; the 303 See Other will do plain GET.
The redirect status can be overridden with an optional second parameter
to AuthPAMExpiredRedirect.
- - - - -
c9f53756 by Jan Pazdziora at 2022-01-23T10:01:30+01:00
Test Fedora rawhide on GitHub Actions, to get repeated scheduled testing.
- - - - -
c2113d0e by Jan Pazdziora at 2022-01-23T10:06:13+01:00
Test on ARM in Cirrus CI to get wider architecture coverage.
- - - - -
cc8ae7f5 by Jan Pazdziora at 2022-01-23T14:06:42+01:00
Catch warnings, fix the incompatible pointer type one.
- - - - -
2dbd02ec by Jan Pazdziora at 2022-01-23T14:07:29+01:00
Tagging 1.2.3 release.
- - - - -
10 changed files:
- .cirrus.yml
- + .github/workflows/build-test.yaml
- − .travis.yml
- README
- mod_authnz_pam.c
- mod_authnz_pam.spec
- tests/auth.conf
- tests/config.sh
- + tests/pam-webl
- tests/run.sh
Changes:
=====================================
.cirrus.yml
=====================================
@@ -1,10 +1,9 @@
test_task:
- container:
+ arm_container:
matrix:
- image: registry.fedoraproject.org/fedora:rawhide
image: registry.fedoraproject.org/fedora:latest
+ image: quay.io/centos/centos:stream8
image: centos:centos7
- image: centos:centos6
build_script: tests/build.sh
config_script: tests/config.sh
run_httpd_background_script: /usr/sbin/httpd -DFOREGROUND
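Review bot: Switching `container:` to `arm_container:` means the Cirrus matrix now runs only on aarch64, so x86_64 coverage depends entirely on the GitHub Actions workflow added in the same push, and the two image lists should be kept in step; they already differ (Cirrus keeps `centos:centos7` while the workflow uses `registry.centos.org/centos:7`), so a comment in each file pointing at the other would help the next person who drops or adds a distribution.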
=====================================
.github/workflows/build-test.yaml
=====================================
@@ -0,0 +1,31 @@
+name: Build and test mod_authnz_pam
+
+on:
+ push:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ - cron: '38 4 3,17 * *'
+
+jobs:
+ build:
+ name: Run tests in container
+ runs-on: ubuntu-20.04
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - 'registry.fedoraproject.org/fedora:rawhide'
+ - 'registry.fedoraproject.org/fedora:latest'
+ - 'quay.io/centos/centos:stream8'
+ - 'registry.centos.org/centos:7'
+ steps:
+ - uses: actions/checkout at v2
+ - name: Set the right OS in the Dockerfile
+ run: sed -i "s#^FROM.*#FROM ${{ matrix.os }}#" tests/Dockerfile
+ - name: Build image
+ run: docker build -t mod_authnz_pam -f tests/Dockerfile .
+ - name: Run container
+ run: docker run --name mod_authnz_pam --rm -d mod_authnz_pam
+ - name: Run tests in the container
+ run: docker exec mod_authnz_pam tests/run.sh
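Review bot: `docker exec mod_authnz_pam tests/run.sh` runs straight after `docker run ... -d` with nothing waiting for httpd inside the container to accept connections, so if the image starts httpd from its entrypoint the first `curl` in run.sh can race it; a short readiness loop (poll `http://localhost/` until it answers) before the exec step would remove that flakiness. Two smaller points: pin `actions/checkout` to a commit SHA rather than the mutable `v2` tag, and pass `${{ matrix.os }}` into the `sed` step through an `env:` variable instead of interpolating it into the shell line; the values here are fixed in the matrix, so this is hygiene rather than a live injection, but it is the pattern to keep.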
=====================================
.travis.yml deleted
=====================================
@@ -1,33 +0,0 @@
-language: generic
-dist: bionic
-sudo: required
-
-services:
-- docker
-
-install: true
-
-stages:
-- build-and-test
-
-matrix:
- include:
- - stage: build-and-test
- env: fedora=rawhide
- - stage: build-and-test
- env: fedora=latest
- - stage: build-and-test
- env: centos=8
- - stage: build-and-test
- env: centos=centos7
- - stage: build-and-test
- env: centos=centos6
-
-before_script:
-- if test -n "$fedora" ; then sed -i "s#^FROM.*#FROM registry.fedoraproject.org/fedora:$fedora#" tests/Dockerfile ; fi
-- if test -n "$centos" ; then sed -i "s#^FROM.*#FROM centos:$centos#" tests/Dockerfile ; fi
-
-script:
-- docker build -t mod_authnz_pam -f tests/Dockerfile .
-- docker run --name mod_authnz_pam --rm -d mod_authnz_pam
-- docker exec mod_authnz_pam tests/run.sh
=====================================
README
=====================================
@@ -95,7 +95,7 @@ two separate account PAM checks during the Basic Authentication.
Handling expired password:
- AuthPAMExpiredRedirect <URL>
+ AuthPAMExpiredRedirect <URL> [<status>]
For both the authorization and HTTP Basic authentication case, if the
password the user has presented has expired (PAM return codes
@@ -117,6 +117,9 @@ For example for FreeIPA 4.1+, the value can actually be
https://<IPA-server>/ipa/ui/reset_password.html?url=%s
+By default the redirect is done using 303 See Other. The redirect
+status can be specified as numerical value in the 3xx range.
+
SELinux:
On SELinux enabled systems, boolean httpd_mod_auth_pam needs to
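Review bot: The README should also say what happens to an invalid status: `set_redirect_and_status` in mod_authnz_pam.c falls back to 303 with only a warning in the error log when the value is non-numeric or outside 300-399, so an administrator who mistypes the status silently gets a 303 rather than a configuration error. Either document that fallback here, or change the handler to reject the directive.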
@@ -136,7 +139,7 @@ should build and install the module.
License
-------
-Copyright 2014--2020 Jan Pazdziora
+Copyright 2014--2022 Jan Pazdziora
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
=====================================
mod_authnz_pam.c
=====================================
@@ -1,6 +1,6 @@
/*
- * Copyright 2014--2018 Jan Pazdziora
+ * Copyright 2014--2022 Jan Pazdziora
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,9 +32,16 @@
#include "mod_auth.h"
+#ifdef APLOG_USE_MODULE
+#define SHOW_MODULE ""
+#else
+#define SHOW_MODULE "mod_authnz_pam: "
+#endif
+
typedef struct {
char * pam_service;
char * expired_redirect_url;
+ int expired_redirect_status;
} authnz_pam_config_rec;
static void * create_dir_conf(apr_pool_t * pool, char * dir) {
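Review bot: `expired_redirect_status` is added to `authnz_pam_config_rec` but the visible part of `create_dir_conf` does not initialize it; that is harmless only if the record is allocated with `apr_pcalloc` and because the redirect path is guarded by `expired_redirect_url`, which the directive handler always sets together with the status. If a per-directory merge function exists, make sure it copies the status alongside the URL, otherwise a child directory inheriting the URL would redirect with status 0.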
@@ -42,13 +49,36 @@ static void * create_dir_conf(apr_pool_t * pool, char * dir) {
return cfg;
}
+static const char * set_redirect_and_status(cmd_parms * cmd, void * conf_void, const char * url, const char * status) {
+ authnz_pam_config_rec * cfg = (authnz_pam_config_rec *) conf_void;
+ if (cfg) {
+ cfg->expired_redirect_url = apr_pstrdup(cmd->pool, url);
+ cfg->expired_redirect_status = HTTP_SEE_OTHER;
+ if (status) {
+ cfg->expired_redirect_status = apr_atoi64(status);
+ if (cfg->expired_redirect_status == 0) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server,
+ SHOW_MODULE "AuthPAMExpiredRedirect status has to be a number, setting to %d",
+ HTTP_SEE_OTHER);
+ cfg->expired_redirect_status = HTTP_SEE_OTHER;
+ } else if (cfg->expired_redirect_status < 300 || cfg->expired_redirect_status > 399) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server,
+ SHOW_MODULE "AuthPAMExpiredRedirect status has to be in the 3xx range, setting to %d",
+ HTTP_SEE_OTHER);
+ cfg->expired_redirect_status = HTTP_SEE_OTHER;
+ }
+ }
+ }
+ return NULL;
+}
+
static const command_rec authnz_pam_cmds[] = {
AP_INIT_TAKE1("AuthPAMService", ap_set_string_slot,
(void *)APR_OFFSETOF(authnz_pam_config_rec, pam_service),
OR_AUTHCFG, "PAM service to authenticate against"),
- AP_INIT_TAKE1("AuthPAMExpiredRedirect", ap_set_string_slot,
- (void *)APR_OFFSETOF(authnz_pam_config_rec, expired_redirect_url),
- OR_AUTHCFG, "URL to redirect to user credentials expired have expired"),
+ AP_INIT_TAKE12("AuthPAMExpiredRedirect", set_redirect_and_status,
+ NULL,
+ ACCESS_CONF|OR_AUTHCFG, "URL (and optional status) to redirect to should user have expired credentials"),
{NULL}
};
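Review bot: `apr_atoi64` accepts trailing garbage (`303x` parses as 303) and its 64-bit result is narrowed into an `int`, so the validation in `set_redirect_and_status` is weaker than it reads; parse with `apr_strtoi64` and check the end pointer, or at least verify that every character is a digit. More important, a bad value is downgraded to 303 with an `ap_log_error` warning, whereas the Apache idiom for a malformed directive argument is to return an error string from the handler so that `httpd -t` fails; returning `"AuthPAMExpiredRedirect status must be a number in the 3xx range"` would surface the mistake at configuration time instead of at the first expired-password redirect.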
@@ -138,12 +168,6 @@ static const char * format_location(request_rec * r, const char * url, const cha
module AP_MODULE_DECLARE_DATA authnz_pam_module;
-#ifdef APLOG_USE_MODULE
-#define SHOW_MODULE ""
-#else
-#define SHOW_MODULE "mod_authnz_pam: "
-#endif
-
#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
static APR_OPTIONAL_FN_TYPE(ap_authn_cache_store) *authn_cache_store = NULL;
@@ -186,7 +210,11 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
int ret;
ret = pam_start(pam_service, login, &pam_conversation, &pamh);
if (ret == PAM_SUCCESS) {
+#if AP_MODULE_MAGIC_AT_LEAST(20120211,56)
+ const char * remote_host_or_ip = ap_get_useragent_host(r, REMOTE_NAME, NULL);
+#else
const char * remote_host_or_ip = ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL);
+#endif
if (remote_host_or_ip) {
stage = "PAM pam_set_item PAM_RHOST failed for service";
ret = pam_set_item(pamh, PAM_RHOST, remote_host_or_ip);
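Review bot: With `ap_get_useragent_host`, `PAM_RHOST` now carries whatever mod_remoteip derived from the configured client-address header, so any PAM module that logs, rate-limits or filters on rhost is only as trustworthy as the `RemoteIPTrustedProxy` / `RemoteIPInternalProxy` configuration; the changelog entry in the spec mentions the interoperability gain, so a sentence in the README noting that the header is client-supplied unless the proxy list is set would complete it. The magic-number fallback to `ap_get_remote_host` for older 2.4 builds looks right.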
@@ -206,10 +234,10 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
authnz_pam_config_rec * conf = ap_get_module_config(r->per_dir_config, &authnz_pam_module);
if (conf && conf->expired_redirect_url) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- SHOW_MODULE "PAM_NEW_AUTHTOK_REQD: redirect to [%s]",
- conf->expired_redirect_url);
+ SHOW_MODULE "PAM_NEW_AUTHTOK_REQD: redirect to [%s] using [%d]",
+ conf->expired_redirect_url, conf->expired_redirect_status);
apr_table_addn(r->headers_out, "Location", format_location(r, conf->expired_redirect_url, login));
- r->status = HTTP_TEMPORARY_REDIRECT;
+ r->status = conf->expired_redirect_status;
ap_send_error_response(r, 0);
return AUTH_DENIED;
}
=====================================
mod_authnz_pam.spec
=====================================
@@ -7,7 +7,7 @@
Summary: PAM authorization checker and PAM Basic Authentication provider
Name: mod_authnz_pam
-Version: 1.2.1
+Version: 1.2.3
Release: 1%{?dist}
License: ASL 2.0
Group: System Environment/Daemons
@@ -35,7 +35,7 @@ can also be used as full Basic Authentication provider which runs the
%setup -q -n %{name}-%{version}
%build
-%{_httpd_apxs} -c -Wc,"%{optflags} -Wall -pedantic -std=c99" -lpam mod_authnz_pam.c
+%{_httpd_apxs} -c -Wc,"%{optflags} -Wall -Werror -pedantic -std=c99" -lpam mod_authnz_pam.c
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
echo > authnz_pam.confx
echo "# Load the module in %{_httpd_modconfdir}/55-authnz_pam.conf" >> authnz_pam.confx
@@ -64,6 +64,13 @@ install -Dp -m 0644 authnz_pam.confx $RPM_BUILD_ROOT%{_httpd_confdir}/authnz_pam
%{_httpd_moddir}/*.so
%changelog
+* Sun Jan 23 2022 Jan Pazdziora <jpazdziora at redhat.com> - 1.2.3-1
+- Change default redirect status for AuthPAMExpiredRedirect
+ to 303 See Other, make it configurable.
+
+* Tue Mar 30 2021 Jan Pazdziora <jpazdziora at redhat.com> - 1.2.2-1
+- Use ap_get_useragent_host for interoperability with mod_remoteip.
+
* Thu Jul 09 2020 Jan Pazdziora <jpazdziora at redhat.com> - 1.2.1-1
- Store password to cache only after passing all PAM checks, including account.
=====================================
tests/auth.conf
=====================================
@@ -35,3 +35,32 @@ ScriptAlias /authnp2 /var/www/cgi-bin/auth.cgi
AuthPAMService web
Require pam-account web2
</LocationMatch>
+
+ScriptAlias /authnp3 /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp3>
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService webl
+ Require pam-account webl
+</LocationMatch>
+
+ScriptAlias /authnp4 /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp4>
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService webl
+ AuthPAMExpiredRedirect http://localhost/fix-password?return=%s&percent=%%&user=%u
+ Require pam-account webl
+</LocationMatch>
+
+ScriptAlias /authnp5 /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp5>
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService webl
+ AuthPAMExpiredRedirect http://localhost/login?realm=ježek&return=%s 307
+ Require pam-account webl
+</LocationMatch>
=====================================
tests/config.sh
=====================================
@@ -11,6 +11,7 @@ cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
cp -p tests/pam-exec /usr/bin/pam-exec
cp tests/pam-web /etc/pam.d/web
cp tests/pam-web /etc/pam.d/web2
+cp tests/pam-webl /etc/pam.d/webl
chmod a+x /var/log/httpd
touch /var/log/httpd/pam_exec.log
chown apache /var/log/httpd/pam_exec.log
@@ -19,3 +20,7 @@ if rpm -ql httpd | grep mod_authn_socache ; then
cat tests/auth-socache.conf >> /etc/httpd/conf.d/auth.conf
fi
htpasswd -bc /etc/htpasswd alice Tajnost
+useradd user1
+echo user1:heslo1 | chpasswd
+chgrp apache /etc/shadow
+chmod g+r /etc/shadow
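Review bot: `chgrp apache /etc/shadow` and `chmod g+r /etc/shadow` give the httpd worker read access to every password hash on the host; the commit message says this is only for testing, but nothing in the script says so, and tests/config.sh is exactly the file someone copies when trying to make pam_unix work for httpd (unix_chkpwd refuses to verify other users' passwords for a non-root caller, which is why the relaxation is needed at all). Add a comment above these two lines stating that they are test-only and must not be reproduced on a real server.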
=====================================
tests/pam-webl
=====================================
@@ -0,0 +1,2 @@
+auth sufficient pam_unix.so
+account required pam_unix.so
=====================================
tests/run.sh
=====================================
@@ -49,6 +49,18 @@ next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+curl -u userx:heslox -s http://localhost/authnp3 | tee /dev/stderr | grep 401
+curl -u user1:heslox -s http://localhost/authnp3 | tee /dev/stderr | grep 401
+curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 'User user1'
+curl -u user1:heslo1 -s http://localhost/authnp4 | tee /dev/stderr | grep 'User user1'
+chage -d $(date -d -2days +%Y-%m-%d) -M 1 user1
+curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 401
+curl -i -u user1:heslo1 -s 'http://localhost/authnp4?id=123&data=M%26M' | tee /dev/stderr | grep -F -e 'Location: http://localhost/fix-password?return=http%3a%2f%2flocalhost%2fauthnp4%3fid%3d123%26data%3dM%2526M&percent=%25&user=user1' -e 'HTTP/1.1 303 See Other' | wc -l | grep 2
+curl -i -u user1:heslo1 -s 'http://localhost/authnp5?data=křížala' | tee /dev/stderr | grep -F -e 'Location: http://localhost/login?realm=ježek&return=http%3a%2f%2flocalhost%2fauthnp5%3fdata%3dk%c5%99%c3%ad%c5%beala' -e 'HTTP/1.1 307 Temporary Redirect' | wc -l | grep 2
+chage -d $(date -d -2days +%Y-%m-%d) -M 3 user1
+curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 'User user1'
+curl -u user1:heslo1 -s http://localhost/authnp4 | tee /dev/stderr | grep 'User user1'
+
if rpm -ql httpd | grep mod_authn_socache ; then
echo "Testing AuthBasicProvider socache PAM + AuthnCacheProvideFor PAM"
rm /etc/pam-account/bob
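Review bot: The two placeholder tests end in `wc -l | grep 2`, which also matches `12` or `20`; use the anchored `grep '^2$'` that the existing account-check line at the top of this hunk already uses. The expected `Location:` values also hard-code lower-case percent-escapes (`%3a%2f`), so the assertions are tied to format_location's own encoder rather than to any equivalent encoding, which is fine while the encoder is in-tree but deserves a comment so a future change to upper-case hex is not mistaken for a regression.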
View it on GitLab: https://salsa.debian.org/freeipa-team/mod-authnz-pam/-/compare/093e19024a069b747734cacb43ae72d23d495d33...2dbd02ec1cb03e3cb87ea066db1b1784f2b49b3f