Pull in fix to improve SPNEGO error messages

- pull in fix from master to make reporting of errors encountered by the SPNEGO mechanism work better (RT#7045, part of #1043962)
2013-12-19 11:52:30 -05:00 · 2013-12-19 11:52:30 -05:00 · e1cb527238
commit e1cb527238
parent 45d93c6d1c
2 changed files with 51 additions and 1 deletions
--- a/krb5-master-spnego_error_messages.patch
+++ b/krb5-master-spnego_error_messages.patch
@ -0,0 +1,44 @@
 commit 4faca53e3a8ee213d43da8998f6889e7bfd36248
 Author: Greg Hudson <ghudson@mit.edu>
 Date:   Wed Dec 18 16:03:16 2013 -0500
    Test SPNEGO error message in t_s4u.py
    Now that #7045 is fixed, we can check for the correct error message
    from t_s4u2proxy_krb5 with --spnego.
    ticket: 7045
 diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
 index 67dc810..e4aa259 100644
 --- a/src/tests/gssapi/t_s4u.py
 +++ b/src/tests/gssapi/t_s4u.py
@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or
     'NOT_ALLOWED_TO_DELEGATE' not in output):
     fail('krb5 -> s4u2proxy')
 -# Again with SPNEGO.  Bug #7045 prevents us from checking the error
 -# message, but we can at least exercise the code.
 +# Again with SPNEGO.
 output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
                     '-', pservice1, pservice2],
                    expected_code=1)
 -if ('auth1: ' + realm.user_princ not in output):
 +if ('auth1: ' + realm.user_princ not in output or
 +    'NOT_ALLOWED_TO_DELEGATE' not in output):
     fail('krb5 -> s4u2proxy (SPNEGO)')
 # Try krb5 -> S4U2Proxy without forwardable user creds.  This should
@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
     fail('s4u2self')
 # Again with SPNEGO.  This uses SPNEGO for the initial authentication,
 -# but still uses krb5 for S4U2Proxy (the delegated cred is returned as
 +# but still uses krb5 for S4U2Proxy--the delegated cred is returned as
 # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
 -# directly rather than saving and reacquiring it) so bug #7045 does
 -# not apply and we can verify the error message.
 +# directly rather than saving and reacquiring it.
 output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
 if 'NOT_ALLOWED_TO_DELEGATE' not in output:
     fail('s4u2self')
--- a/krb5.spec
+++ b/krb5.spec
@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12
-Release: 4%{?dist}
+Release: 5%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -95,6 +95,7 @@ Patch136: krb5-master-ignore-empty-unnecessary-final-token.patch
 Patch137: krb5-master-gss_oid_leak.patch
 Patch138: krb5-master-keytab_close.patch
 Patch139: krb5-1.12-copy_context.patch
 Patch140: krb5-master-spnego_error_messages.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -313,6 +314,7 @@ ln -s NOTICE LICENSE
 %patch137 -p1 -b .gss_oid_leak
 %patch138 -p1 -b .keytab_close
 %patch139 -p1 -b .copy_context
 %patch140 -p1 -b .spnego_error_messages
 # Apply when the hard-wired or configured default location is
 # DIR:/run/user/%%{uid}/krb5cc.
@ -967,6 +969,10 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
 * Thu Dec 19 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.12-5
 - pull in fix from master to make reporting of errors encountered by
  the SPNEGO mechanism work better (RT#7045, part of #1043962)
 * Thu Dec 19 2013 Nalin Dahyabhai <nalin@redhat.com>
 - update a test wrapper to properly handle things that the new libkrad does,
  and add python-pyrad as a build requirement so that we can run its tests