diff --git a/.gitignore b/.gitignore
index 82535fc..b05be67 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/mod_auth_gssapi-1.6.1.tar.gz
+mod_auth_gssapi-1.6.5.tar.gz
diff --git a/.mod_auth_gssapi.metadata b/.mod_auth_gssapi.metadata
deleted file mode 100644
index 5b8ef04..0000000
--- a/.mod_auth_gssapi.metadata
+++ /dev/null
@@ -1 +0,0 @@
-5dfc4eef25efad5313724bd6a1e55266a6667302 SOURCES/mod_auth_gssapi-1.6.1.tar.gz
diff --git a/SOURCES/Add-ability-to-expose-the-used-mechanism.patch b/SOURCES/Add-ability-to-expose-the-used-mechanism.patch
deleted file mode 100644
index 0352af8..0000000
--- a/SOURCES/Add-ability-to-expose-the-used-mechanism.patch
+++ /dev/null
@@ -1,262 +0,0 @@
-From 46caec4def9fd8df21e560db065b755e1d87354d Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Fri, 6 May 2022 22:54:45 +0200
-Subject: [PATCH 1/2] Add-ability-to-expose-the-used-mechanism.patch
-
----
- README | 15 +++++++++++++++
- src/environ.c | 39 +++++++++++++++++++++++++++++++++++++++
- src/environ.h | 2 ++
- src/mod_auth_gssapi.c | 7 +++++++
- src/mod_auth_gssapi.h | 1 +
- tests/Makefile.am | 4 +++-
- tests/httpd.conf | 15 +++++++++++++++
- tests/magtests.py | 18 ++++++++++++++++++
- tests/mech.html | 1 +
- tests/t_mech_name.py | 19 +++++++++++++++++++
- 10 files changed, 120 insertions(+), 1 deletion(-)
- create mode 100644 tests/mech.html
- create mode 100755 tests/t_mech_name.py
-
-diff --git a/README b/README
-index 654a8918cc1cd078d84b8e571596444e262e83af..bbf2657d47c9b111e20fdc2b76fde8799c76e3cd 100644
---- a/README
-+++ b/README
-@@ -109,6 +109,7 @@ Configuration Directives
- [GssapiNameAttributes](#gssapinameattributes)
- [GssapiNegotiateOnce](#gssapinegotiateonce)
- [GssapiPublishErrors](#gssapipublisherrors)
-+[GssapiPublishMech](#gssapipublishmech)
- [GssapiRequiredNameAttributes](#gssapirequirednameattributes)
- [GssapiSessionKey](#gssapisessionkey)
- [GssapiSignalPersistentAuth](#gssapisignalpersistentauth)
-@@ -527,3 +528,17 @@ Note: the value is specified in seconds. - Sets ticket/session validity to 10 hours. - - -+### GssapiPublishMech -+ -+This option is used to publish the mech used for authentication as an -+Environment variable named GSS_MECH. -+ -+It will return a string of the form 'Authtype/Mechname'. -+Authtype represents the type of auth performed by the module. Possible values -+are 'Basic', 'Negotiate', 'NTLM', 'Impersonate'. -+Mechname is the name of the mechanism as reported by GSSAPI or the OID of the -+mechanism if a name is not available. In case of errors the 'Unavailable' -+string may also be returned for either Authtype or Mechname. -+ -+- **Enable with:** GssapiPublishMech On -+- **Default:** GssapiPublishMech Off -\ No newline at end of file -diff --git a/src/environ.c b/src/environ.c -index 7ee56a1ba434d5c1041968fb3f64191340cb0ea7..71a8564284cafa62c4cbeaf7ab8484a48c064e66 100644 ---- a/src/environ.c -+++ b/src/environ.c -@@ -498,3 +498,42 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min, - if (mag_err) - apr_table_set(req->subprocess_env, "MAG_ERROR", mag_err); - } -+ -+ -+void mag_publish_mech(request_rec *req, struct mag_conn *mc, -+ const char *auth_type, gss_OID mech_type) -+{ -+ gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc mech_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc mech_description = GSS_C_EMPTY_BUFFER; -+ char *mechdata; -+ uint32_t maj, min; -+ -+ maj = gss_inquire_saslname_for_mech(&min, mech_type, &sasl_mech_name, -+ &mech_name, &mech_description); -+ if (maj != GSS_S_COMPLETE) { -+ /* something failed, let's try to get a string OID */ -+ /* and if that fails there is nothing we can do */ -+ maj = gss_oid_to_str(&min, mech_type, &mech_name); -+ if (maj != GSS_S_COMPLETE) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, -+ "Failed to source mechanism name or OID"); -+ mech_name.value = strdup("Unavailable"); -+ mech_name.length = strlen(mech_name.value); -+ } -+ } -+ -+ 
mechdata = apr_psprintf(req->pool, "%s/%.*s", auth_type, -+ (int)mech_name.length, -+ (char *)mech_name.value); -+ -+ apr_table_set(mc->env, "GSS_MECH", mechdata); -+ -+ /* also log at info level */ -+ ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req, -+ "User %s authenticated with %s", mc->gss_name, mechdata); -+ -+ (void)gss_release_buffer(&min, &sasl_mech_name); -+ (void)gss_release_buffer(&min, &mech_name); -+ (void)gss_release_buffer(&min, &mech_description); -+} -diff --git a/src/environ.h b/src/environ.h -index 40bca9877f600246d19a3bf4be370310636ce6c7..b0813da6508df7c5594b51cada7712dc44393e44 100644 ---- a/src/environ.h -+++ b/src/environ.h -@@ -18,3 +18,5 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min, - const char *gss_err, const char *mag_err); - void mag_set_req_attr_fail(request_rec *req, struct mag_config *cfg, - struct mag_conn *mc); -+void mag_publish_mech(request_rec *req, struct mag_conn *mc, -+ const char *auth_type, gss_OID mech_type); -diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c -index c91aa60707ba9b237a84f95670d483f1a7eab86b..93c43308585cf140297de82e118a367f69d25a92 100644 ---- a/src/mod_auth_gssapi.c -+++ b/src/mod_auth_gssapi.c -@@ -1289,6 +1289,10 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc, - mc->user_name = apr_pstrdup(mc->pool, mc->gss_name); - } - -+ if (cfg->pubmech) { -+ mag_publish_mech(req, mc, mag_str_auth_type(mc->auth_type), mech_type); -+ } -+ - mc->established = true; - if (req_cfg->use_sessions) { - mag_attempt_session(req_cfg, mc); -@@ -1894,6 +1898,9 @@ static const command_rec mag_commands[] = { - AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot, - (void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG, - "Publish GSSAPI Errors in Envionment Variables"), -+ AP_INIT_FLAG("GssapiPublishMech", ap_set_flag_slot, -+ (void *)APR_OFFSETOF(struct mag_config, pubmech), OR_AUTHCFG, -+ "Publish GSSAPI Mech Name in Envionment Variables"), - 
AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG, - "Name of the acceptor credentials."), - AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL, -diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h -index 2312ab57f4b2e0bd50f191018b081a3ecb86f15a..8ab3bdc57be793cc493176c02910219e905900e9 100644 ---- a/src/mod_auth_gssapi.h -+++ b/src/mod_auth_gssapi.h -@@ -91,6 +91,7 @@ struct mag_config { - struct mag_name_attributes *name_attributes; - const char *required_na_expr; - int enverrs; -+ int pubmech; - gss_name_t acceptor_name; - bool acceptor_name_from_req; - uint32_t basic_timeout; -diff --git a/tests/Makefile.am b/tests/Makefile.am -index c830e951d04316e4cbc76fa3b5961baedb516ec6..2ddb46ea30e6ebf9ff0b30278c609178d02c1efc 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -6,14 +6,16 @@ EXTRA_DIST = \ - index.html \ - localname.html \ - magtests.py \ -+ mech.html \ - t_bad_acceptor_name.py \ - t_basic_k5_fail_second.py \ - t_basic_k5.py \ - t_basic_k5_two_users.py \ - t_basic_proxy.py \ - t_basic_timeout.py \ -- t_localname.py \ - t_hostname_acceptor.py \ -+ t_localname.py \ -+ t_mech_name.py \ - t_nonego.py \ - t_required_name_attr.py \ - t_spnego_negotiate_once.py \ -diff --git a/tests/httpd.conf b/tests/httpd.conf -index b3777574d9f0547560f24eff992fc1018569b5cc..775294b7d600e82c3955316a2d5b667c8b3c5581 100644 ---- a/tests/httpd.conf -+++ b/tests/httpd.conf -@@ -331,3 +331,18 @@ CoreDumpDirectory "{HTTPROOT}" - GssapiSessionKey file:{HTTPROOT}/session.key - Require valid-user - -+ -+ -+ Options +Includes -+ AddOutputFilter INCLUDES .html -+ AuthType GSSAPI -+ AuthName "Password Login" -+ GssapiSSLonly Off -+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache -+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab -+ GssapiCredStore keytab:{HTTPROOT}/http.keytab -+ GssapiBasicAuth On -+ GssapiBasicAuthMech krb5 -+ GssapiPublishMech On -+ Require valid-user -+ -\ No newline at end of file -diff --git 
a/tests/magtests.py b/tests/magtests.py -index d100413b371e7ecf4e09d944b7ff6e9bec7e316f..9aba68f826a37a890bfefb62665697eef7d07dfa 100755 ---- a/tests/magtests.py -+++ b/tests/magtests.py -@@ -786,6 +786,22 @@ def test_gss_localname(testdir, testenv, logfile): - return error_count - - -+def test_mech_name(testdir, testenv, logfile): -+ basicdir = os.path.join(testdir, 'httpd', 'html', 'mech_name') -+ os.mkdir(basicdir) -+ shutil.copy('tests/mech.html', basicdir) -+ -+ mname = subprocess.Popen(["tests/t_mech_name.py"], -+ stdout=logfile, stderr=logfile, -+ env=testenv, preexec_fn=os.setsid) -+ mname.wait() -+ if mname.returncode != 0: -+ sys.stderr.write('MECH-NAME: FAILED\n') -+ return 1 -+ sys.stderr.write('MECH-NAME: SUCCESS\n') -+ return 0 -+ -+ - if __name__ == '__main__': - args = parse_args() - -@@ -847,6 +863,8 @@ if __name__ == '__main__': - - errs += test_no_negotiate(testdir, testenv, logfile) - -+ errs += test_mech_name(testdir, testenv, logfile) -+ - # After this point we need to speed up httpd to test creds timeout - try: - fakeenv = faketime_setup(kdcenv) -diff --git a/tests/mech.html b/tests/mech.html -new file mode 100644 -index 0000000000000000000000000000000000000000..bb7b3cd5278f055e278a7dfde73c15aa400a6a17 ---- /dev/null -+++ b/tests/mech.html -@@ -0,0 +1 @@ -+ -diff --git a/tests/t_mech_name.py b/tests/t_mech_name.py -new file mode 100755 -index 0000000000000000000000000000000000000000..69f451f2bbe58a16f61418f96eca26e7994bcb8a ---- /dev/null -+++ b/tests/t_mech_name.py -@@ -0,0 +1,19 @@ -+#!/usr/bin/env python3 -+# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. 
-+ -+import os -+import requests -+from requests.auth import HTTPBasicAuth -+ -+ -+if __name__ == '__main__': -+ url = 'http://%s/mech_name/mech.html' % os.environ['NSS_WRAPPER_HOSTNAME'] -+ r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'], -+ os.environ['MAG_USER_PASSWORD'])) -+ if r.status_code != 200: -+ raise ValueError('Basic Auth Failed') -+ -+ if r.text.rstrip() != 'Basic/krb5': -+ raise ValueError( -+ 'GSS_MECH check failed, expected Basic/krb5, got "%s"' % -+ r.text.rstrip()) --- -2.35.3 - diff --git a/SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch b/SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch deleted file mode 100644 index 1f70a64..0000000 --- a/SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch +++ /dev/null @@ -1,372 +0,0 @@ -From b4ddd657ccc7793df9378209433f0142195a94d1 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Thu, 14 May 2020 09:19:37 -0400 -Subject: [PATCH] Add option to control timeout for Basic Auth - -Adds new option and tests. -Adds optional dependency on libfaketime to test this feature. - -Fixes: #210 -Signed-off-by: Simo Sorce -Merges: #217 -Reviewed-by: Robbie Harwood -(cherry picked from commit 09df7584b4abadbfea411adafdcc825da5b720d3) -[rharwood@redhat.com: git got confused by not having localname test] ---- - README | 24 +++++++++++++ - src/mod_auth_gssapi.c | 27 +++++++++++--- - src/mod_auth_gssapi.h | 1 + - tests/Makefile.am | 1 + - tests/httpd.conf | 32 ++++++++++++++++- - tests/magtests.py | 76 ++++++++++++++++++++++++++++++++++++++++ - tests/t_basic_timeout.py | 34 ++++++++++++++++++ - 7 files changed, 190 insertions(+), 5 deletions(-) - create mode 100755 tests/t_basic_timeout.py - -diff --git a/README b/README -index 700b57e..5eac94f 100644 ---- a/README -+++ b/README -@@ -97,6 +97,7 @@ Configuration Directives - [GssapiAllowedMech](#gssapiallowedmech)
- [GssapiBasicAuth](#gssapibasicauth)
- [GssapiBasicAuthMech](#gssapibasicauthmech)
-+[GssapiBasicTicketTimeout](#gssapibasicticketvalidity)
- [GssapiConnectionBound](#gssapiconnectionbound)
- [GssapiCredStore](#gssapicredstore)
- [GssapiDelegCcacheDir](#gssapidelegccachedir)
-@@ -503,3 +504,26 @@ Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example). - GssapiAcceptorName HTTP@www.example.com - - -+### GssapiBasicTicketTimeout -+ -+This option controls the ticket validity time requested for the user TGT by the -+Basic Auth method. -+ -+Normally basic auth is repeated by the browser on each request so a short -+validity period is used to reduce the scope of the ticket as it will be -+replaced quickly. -+However in cases where the authentication page is separate and the session -+is used by other pages the validity can be changed to arbitrary duration. -+ -+Note: the validity of a ticket is still capped by KDC configuration. -+ -+Note: the value is specified in seconds. -+ -+- **Default:** GssapiBasicTicketTimeout 300 -+ -+#### Example -+ GssapiBasicTicketTimeout 36000 -+ -+Sets ticket/session validity to 10 hours. -+ -+ -diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c -index 9e42ef4..b099973 100644 ---- a/src/mod_auth_gssapi.c -+++ b/src/mod_auth_gssapi.c -@@ -1,4 +1,5 @@ --/* Copyright (C) 2014, 2016 mod_auth_gssapi contributors - See COPYING for (C) terms */ -+/* Copyright (C) 2014, 2016, 2020 mod_auth_gssapi contributors -+ * See COPYING for (C) terms */ - - #include "mod_auth_gssapi.h" - #include "mag_parse.h" -@@ -600,7 +601,7 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc, - } - - maj = gss_acquire_cred_with_password(&min, user, &ba_pwd, -- GSS_C_INDEFINITE, -+ cfg->basic_timeout, - allowed_mechs, - GSS_C_INITIATE, - &user_cred, &actual_mechs, NULL); -@@ -619,8 +620,8 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc, - - for (int i = 0; i < actual_mechs->count; i++) { - maj = mag_context_loop(&min, req, cfg, user_cred, server_cred, -- &actual_mechs->elements[i], 300, &client, -- &vtime, &delegated_cred); -+ &actual_mechs->elements[i], cfg->basic_timeout, -+ &client, &vtime, &delegated_cred); - if (maj == GSS_S_COMPLETE) { - ret = 
mag_complete(req_cfg, mc, client, &actual_mechs->elements[i], - vtime, delegated_cred); -@@ -1299,6 +1300,7 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir) - #ifdef HAVE_CRED_STORE - cfg->ccname_envvar = "KRB5CCNAME"; - #endif -+ cfg->basic_timeout = 300; - - return cfg; - } -@@ -1789,6 +1791,21 @@ static const char *mag_acceptor_name(cmd_parms *parms, void *mconfig, - return NULL; - } - -+static const char *mag_basic_timeout(cmd_parms *parms, void *mconfig, -+ const char *w) -+{ -+ struct mag_config *cfg = (struct mag_config *)mconfig; -+ unsigned long int value; -+ -+ value = strtoul(w, NULL, 10); -+ if (value >= UINT32_MAX) { -+ cfg->basic_timeout = GSS_C_INDEFINITE; -+ return NULL; -+ } -+ cfg->basic_timeout = value; -+ return NULL; -+} -+ - static void *mag_create_server_config(apr_pool_t *p, server_rec *s) - { - struct mag_server_config *scfg; -@@ -1865,6 +1882,8 @@ static const command_rec mag_commands[] = { - "Publish GSSAPI Errors in Envionment Variables"), - AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG, - "Name of the acceptor credentials."), -+ AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL, -+ OR_AUTHCFG, "Ticket Validity Timeout with Basic Auth."), - { NULL } - }; - -diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h -index 8c0b972..2312ab5 100644 ---- a/src/mod_auth_gssapi.h -+++ b/src/mod_auth_gssapi.h -@@ -93,6 +93,7 @@ struct mag_config { - int enverrs; - gss_name_t acceptor_name; - bool acceptor_name_from_req; -+ uint32_t basic_timeout; - }; - - struct mag_server_config { -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 16d87e9..c830e95 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -11,6 +11,7 @@ EXTRA_DIST = \ - t_basic_k5.py \ - t_basic_k5_two_users.py \ - t_basic_proxy.py \ -+ t_basic_timeout.py \ - t_localname.py \ - t_hostname_acceptor.py \ - t_nonego.py \ -diff --git a/tests/httpd.conf b/tests/httpd.conf -index 8c91e1c..f76f2b6 100644 ---- 
a/tests/httpd.conf -+++ b/tests/httpd.conf -@@ -111,7 +111,7 @@ DocumentRoot "{HTTPROOT}/html" - PidFile "{HTTPROOT}/logs/httpd.pid" - - --LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\"" combined -+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\" \"%{{Cookie}}i\"" combined - CustomLog "logs/access_log" combined - - -@@ -288,3 +288,33 @@ CoreDumpDirectory "{HTTPROOT}" - Require valid-user - - -+ -+ -+ Options +Includes -+ AddOutputFilter INCLUDES .html -+ AuthType GSSAPI -+ AuthName "Password Login" -+ GssapiSSLonly Off -+ GssapiUseSessions On -+ Session On -+ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly -+ GssapiSessionKey file:{HTTPROOT}/session.key -+ GssapiCredStore keytab:{HTTPROOT}/http.keytab -+ GssapiBasicAuth On -+ GssapiBasicAuthMech krb5 -+ GssapiBasicTicketTimeout 400 -+ GssapiDelegCcacheDir {HTTPROOT} -+ Require valid-user -+ -+ -+ Options +Includes -+ AddOutputFilter INCLUDES .html -+ AuthType GSSAPI -+ AuthName "Session Login" -+ GssapiSSLonly Off -+ GssapiUseSessions On -+ Session On -+ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly -+ GssapiSessionKey file:{HTTPROOT}/session.key -+ Require valid-user -+ -diff --git a/tests/magtests.py b/tests/magtests.py -index a4842a0..da1cca7 100755 ---- a/tests/magtests.py -+++ b/tests/magtests.py -@@ -3,11 +3,13 @@ - - import argparse - import os -+import os.path - import random - import shutil - import signal - import subprocess - import sys -+import time - import traceback - - # check that we can import requests (for use in test scripts) -@@ -341,6 +343,7 @@ USR_PWD_2 = "magpwd2" - USR_NAME_3 = "maguser3" - SVC_KTNAME = "httpd/http.keytab" - KEY_TYPE = "aes256-cts-hmac-sha1-96:normal" -+USR_NAME_4 = "timeoutusr" - - - def setup_keys(tesdir, env): -@@ -361,6 +364,9 @@ def setup_keys(tesdir, env): - cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2) - kadmin_local(cmd, env, logfile) - -+ cmd = 
"addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4) -+ kadmin_local(cmd, env, logfile) -+ - # alias for multinamed hosts testing - alias_name = "HTTP/%s" % WRAP_ALIASNAME - cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name) -@@ -600,6 +606,30 @@ def test_basic_auth_krb5(testdir, testenv, logfile): - return error_count - - -+def test_basic_auth_timeout(testdir, testenv, logfile): -+ httpdir = os.path.join(testdir, 'httpd') -+ timeoutdir = os.path.join(httpdir, 'html', 'basic_auth_timeout') -+ os.mkdir(timeoutdir) -+ authdir = os.path.join(timeoutdir, 'auth') -+ os.mkdir(authdir) -+ sessdir = os.path.join(timeoutdir, 'session') -+ os.mkdir(sessdir) -+ shutil.copy('tests/index.html', os.path.join(authdir)) -+ shutil.copy('tests/index.html', os.path.join(sessdir)) -+ -+ basictout = subprocess.Popen(["tests/t_basic_timeout.py"], -+ stdout=logfile, stderr=logfile, -+ env=testenv, preexec_fn=os.setsid) -+ basictout.wait() -+ if basictout.returncode != 0: -+ sys.stderr.write('BASIC Timeout Behavior: FAILED\n') -+ return 1 -+ else: -+ sys.stderr.write('BASIC Timeout Behavior: SUCCESS\n') -+ -+ return 0 -+ -+ - def test_bad_acceptor_name(testdir, testenv, logfile): - bandir = os.path.join(testdir, 'httpd', 'html', 'bad_acceptor_name') - os.mkdir(bandir) -@@ -661,6 +691,33 @@ def test_hostname_acceptor(testdir, testenv, logfile): - return 0 - - -+def faketime_setup(testenv): -+ libfaketime = '/usr/lib64/faketime/libfaketime.so.1' -+ # optional faketime -+ if not os.path.isfile(libfaketime): -+ raise NotImplementedError -+ -+ # spedup x100 -+ fakeenv = {'FAKETIME': '+0 x100'} -+ fakeenv.update(testenv) -+ fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime)) -+ return fakeenv -+ -+ -+def http_restart(testdir, so_dir, testenv): -+ -+ httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin', -+ 'MALLOC_CHECK_': '3', -+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)} -+ httpenv.update(testenv) -+ -+ httpd = "httpd" if 
os.path.exists("/etc/httpd/modules") else "apache2" -+ config = os.path.join(testdir, 'httpd', 'httpd.conf') -+ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config], -+ env=httpenv, preexec_fn=os.setsid) -+ return httpproc -+ -+ - if __name__ == '__main__': - args = parse_args() - -@@ -722,6 +779,25 @@ if __name__ == '__main__': - errs += test_basic_auth_krb5(testdir, testenv, logfile) - - errs += test_no_negotiate(testdir, testenv, logfile) -+ -+ # After this point we need to speed up httpd to test creds timeout -+ try: -+ fakeenv = faketime_setup(kdcenv) -+ timeenv = {'TIMEOUT_USER': USR_NAME_4, -+ 'MAG_USER_PASSWORD': USR_PWD} -+ timeenv.update(fakeenv) -+ curporc = httpproc -+ pid = processes['HTTPD(%d)' % httpproc.pid].pid -+ os.killpg(pid, signal.SIGTERM) -+ time.sleep(1) -+ del processes['HTTPD(%d)' % httpproc.pid] -+ httpproc = http_restart(testdir, so_dir, timeenv) -+ processes['HTTPD(%d)' % httpproc.pid] = httpproc -+ -+ errs += test_basic_auth_timeout(testdir, timeenv, logfile) -+ except NotImplementedError: -+ sys.stderr.write('BASIC Timeout Behavior: SKIPPED\n') -+ - except Exception: - traceback.print_exc() - finally: -diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py -new file mode 100755 -index 0000000..983dfd2 ---- /dev/null -+++ b/tests/t_basic_timeout.py -@@ -0,0 +1,34 @@ -+#!/usr/bin/env python -+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license. 
-+ -+import os -+import time -+ -+import requests -+from requests.auth import HTTPBasicAuth -+ -+ -+if __name__ == '__main__': -+ s = requests.Session() -+ url = 'http://{}/basic_auth_timeout/auth/'.format( -+ os.environ['NSS_WRAPPER_HOSTNAME'] -+ ) -+ url2 = 'http://{}/basic_auth_timeout/session/'.format( -+ os.environ['NSS_WRAPPER_HOSTNAME'] -+ ) -+ -+ r = s.get(url, auth=HTTPBasicAuth(os.environ['TIMEOUT_USER'], -+ os.environ['MAG_USER_PASSWORD'])) -+ if r.status_code != 200: -+ raise ValueError('Basic Auth Failed') -+ -+ time.sleep(301) -+ r = s.get(url2) -+ if r.status_code != 200: -+ raise ValueError('Session Auth Failed') -+ -+ time.sleep(401) -+ -+ r = s.get(url2) -+ if r.status_code == 200: -+ raise ValueError('Timeout check Failed') diff --git a/SOURCES/Fix-PATH-handling-bug-in-test-suite.patch b/SOURCES/Fix-PATH-handling-bug-in-test-suite.patch deleted file mode 100644 index 97957e0..0000000 --- a/SOURCES/Fix-PATH-handling-bug-in-test-suite.patch +++ /dev/null 
@@ -1,28 +0,0 @@
-From c26b1aafbb9679b19b630a46eeb35a9dee61a95f Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Tue, 13 Oct 2020 11:04:00 -0400
-Subject: [PATCH] Fix PATH handling bug in test suite
-
-virtualenv relies on its executable being ahead of the system ones. For
-setting up the KDC, we don't have a preferencee - we just need the sbins
-to be available.
-
-Signed-off-by: Robbie Harwood
-(cherry picked from commit ae07252e356d8142ddd3987c9c3686ba7ee593de)
----
- tests/magtests.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index e04fa65..082c6e4 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -312,7 +312,7 @@ def setup_kdc(testdir, wrapenv):
-
- kdcenv = wrapenv.copy()
- kdcenv.update({
-- 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-+ 'PATH': f'{wrapenv["PATH"]}:/sbin:/bin:/usr/sbin:/usr/bin',
- 'KRB5_CONFIG': krb5conf,
- 'KRB5_KDC_PROFILE': kdcconf,
- 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
diff --git a/SOURCES/Fix-distcheck.patch b/SOURCES/Fix-distcheck.patch
deleted file mode 100644
index a18e7c3..0000000
--- a/SOURCES/Fix-distcheck.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 706494bde5c5124621006b857fc55529f9e8e0db Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Thu, 14 May 2020 18:04:47 -0400
-Subject: [PATCH] Fix distcheck
-
-Signed-off-by: Simo Sorce
-Reviewed-by: Robbie Harwood
-(cherry picked from commit eb6de7e946d7ecc9292bb454d43ac05f0801adf7)
----
- tests/Makefile.am | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 70754fb..16d87e9 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -4,12 +4,14 @@ EXTRA_DIST = \
- 401.html \
- httpd.conf \
- index.html \
-+ localname.html \
- magtests.py \
- t_bad_acceptor_name.py \
- t_basic_k5_fail_second.py \
- t_basic_k5.py \
- t_basic_k5_two_users.py \
- t_basic_proxy.py \
-+ t_localname.py \
- t_hostname_acceptor.py \
- t_nonego.py \
- t_required_name_attr.py \
diff --git a/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch b/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
deleted file mode 100644
index 51d381f..0000000
--- a/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 2b96860d8cfcf48a54e59e2ca30fc8fdeb2b9d55 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Fri, 6 May 2022 22:54:45 +0200
-Subject: [PATCH 2/2]
- Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
-
----
- tests/t_localname.py | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/tests/t_localname.py b/tests/t_localname.py
-index e990762c42aa9b370ac71292b5019fc63622c240..df94922b52673b5b7fd780ff3f319d22feb348ac 100755
---- a/tests/t_localname.py
-+++ b/tests/t_localname.py
-@@ -45,13 +45,22 @@ if __name__ == '__main__':
-
- mech = None
- if mech_name is not None:
-- mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
-+ try:
-+ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
-+ except AttributeError:
-+ # older version of gssapi that does not support mechs
-+ if mech_name == 'SPNEGO':
-+ mech = ''
-+ elif mech_name == 'GS2-KRB5':
-+ mech = ''
-+ else:
-+ sys.exit(42) # SKIP
-
- try:
- auth = HTTPSPNEGOAuth(mech=mech)
- use_requests(auth)
- except TypeError:
-- # odler version of requests that does not support mechs
-+ # older version of requests that does not support mechs
- if mech_name == 'SPNEGO':
- use_curl()
- elif mech_name == 'GS2-KRB5':
---
-2.35.3
-
diff --git a/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch b/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch
deleted file mode 100644
index 7b1c5de..0000000
--- a/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 676ec5fe0b6c7c5126dbf84ef59ec4a5d5f87ede Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Tue, 26 Apr 2022 10:23:53 +0200
-Subject: [PATCH] Fix gss_localname with SPNEGO wrapping
-
-Fix implemented upstream by Simo
----
- src/mod_auth_gssapi.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
-index b0999737daedf88fa84a9d8b1543bbedc79194ab..c91aa60707ba9b237a84f95670d483f1a7eab86b 100644
---- a/src/mod_auth_gssapi.c
-+++ b/src/mod_auth_gssapi.c
-@@ -1264,7 +1264,21 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
- #endif
-
- if (cfg->map_to_local) {
-+ /* We have to play heuristics here as gss_localname does not work
-+ * as expected with SPNEGO-wrapped names.
-+ * http://krbdev.mit.edu/rt/Ticket/Display.html?id=8782
-+ */
- maj = gss_localname(&min, client, mech_type, &lname);
-+ if (maj != GSS_S_COMPLETE) {
-+ uint32_t sub_maj, sub_min;
-+ /* try fallback with no oid */
-+ sub_maj = gss_localname(&sub_min, client, GSS_C_NO_OID, &lname);
-+ if (sub_maj != GSS_S_UNAVAILABLE) {
-+ /* use second call errors only if they are meaningful */
-+ maj = sub_maj;
-+ min = sub_min;
-+ }
-+ }
- if (maj != GSS_S_COMPLETE) {
- mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
- "gss_localname() failed");
---
-2.35.1
-
diff --git a/SOURCES/Fix-integer-sizes-used-with-ap_set_flag_slot.patch b/SOURCES/Fix-integer-sizes-used-with-ap_set_flag_slot.patch
deleted file mode 100644
index b75d272..0000000
--- a/SOURCES/Fix-integer-sizes-used-with-ap_set_flag_slot.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d681fe586a4f4258c5d61237511dd19c1fa84904 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Tue, 19 Feb 2019 13:55:12 -0500
-Subject: [PATCH] Fix integer sizes used with ap_set_flag_slot()
-
-ap_set_flag_slot() requires a field of type `int`. Previously we
-passed type `bool` in two places, causing test failures on s390x
-because logging was not correctly configured.
-
-Signed-off-by: Robbie Harwood
-(cherry picked from commit f89b876be5619d750e6ab4ea6e730a9a26b1cac4)
-(cherry picked from commit 73c690ca9bd1d470c603f5e1ee48d2384941ae55)
----
- src/mod_auth_gssapi.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
-index 71404ff..8c0b972 100644
---- a/src/mod_auth_gssapi.h
-+++ b/src/mod_auth_gssapi.h
-@@ -79,7 +79,7 @@ struct mag_config {
- gid_t deleg_ccache_gid;
- gss_key_value_set_desc *cred_store;
- bool deleg_ccache_unique;
-- bool s4u2self;
-+ int s4u2self;
- char *ccname_envvar;
- #endif
- struct seal_key *mag_skey;
-@@ -90,7 +90,7 @@ struct mag_config {
- bool negotiate_once;
- struct mag_name_attributes *name_attributes;
- const char *required_na_expr;
-- bool enverrs;
-+ int enverrs;
- gss_name_t acceptor_name;
- bool acceptor_name_from_req;
- };
diff --git a/SOURCES/Fix-mag_auth_basic-function-call.patch b/SOURCES/Fix-mag_auth_basic-function-call.patch
deleted file mode 100644
index 1f81a73..0000000
--- a/SOURCES/Fix-mag_auth_basic-function-call.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 1941fd1545b4786fee9464881239d74a91c55723 Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Thu, 7 Feb 2019 14:48:56 -0500
-Subject: [PATCH] Fix mag_auth_basic function call.
-
-In order to respect the API we'd have to return nech_type as a copy of
-the mech found to correctly complete authentication.
-It would need to be a copy because the actual_mechs variable is an array
-of statically copied OIDs not an array of pointers.
-
-Instead change mag_auth_basic to directly call mag_complete() and
-mag_cache_basic on success. This is easier than attempting to handle
-copying out OIDs and then freeing them in the caller as GSSAPI does not
-offer standard APIs for copying OIDs.
-
-As a side-effect we reduce the number of arguments to mag_auth_gssapi,
-which is good, to the slight detriment of legibility in the main
-function as now you need to know mag_auth_basic() is already calling
-mag_complete(). The trade off is worth it though.
-
-Signed-off-by: Simo Sorce
-(cherry picked from commit 318db0b0e3777d4cfdc09eeef98e28c478607271)
----
- src/mod_auth_gssapi.c | 47 ++++++++++++++++++++-----------------------
- 1 file changed, 22 insertions(+), 25 deletions(-)
-
-diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
-index 4048ee7..9e42ef4 100644
---- a/src/mod_auth_gssapi.c
-+++ b/src/mod_auth_gssapi.c
-@@ -493,15 +493,15 @@ done:
- return maj;
- }
-
--static bool mag_auth_basic(request_rec *req,
-- struct mag_config *cfg,
-- gss_buffer_desc ba_user,
-- gss_buffer_desc ba_pwd,
-- gss_name_t *client,
-- gss_OID *mech_type,
-- gss_cred_id_t *delegated_cred,
-- uint32_t *vtime)
-+static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
-+ gss_name_t client, gss_OID mech_type,
-+ uint32_t vtime, gss_cred_id_t delegated_cred);
-+
-+static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
-+ gss_buffer_desc ba_user, gss_buffer_desc ba_pwd)
- {
-+ struct mag_config *cfg = req_cfg->cfg;
-+ request_rec *req = 
req_cfg->req;
- const char *user_ccache = NULL;
- const char *orig_ccache = NULL;
- long long unsigned int rndname;
-@@ -512,9 +512,12 @@ static bool mag_auth_basic(request_rec *req,
- gss_OID_set allowed_mechs;
- gss_OID_set filtered_mechs;
- gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
-+ gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
-+ gss_name_t client = GSS_C_NO_NAME;
-+ uint32_t vtime;
- uint32_t maj, min;
- int present = 0;
-- bool ret = false;
-+ int ret = HTTP_UNAUTHORIZED;
-
- maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user);
- if (GSS_ERROR(maj)) {
-@@ -616,15 +619,21 @@ static bool mag_auth_basic(request_rec *req,
-
- for (int i = 0; i < actual_mechs->count; i++) {
- maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,
-- &actual_mechs->elements[i], 300, client, vtime,
-- delegated_cred);
-+ &actual_mechs->elements[i], 300, &client,
-+ &vtime, &delegated_cred);
- if (maj == GSS_S_COMPLETE) {
-- ret = true;
-+ ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],
-+ vtime, delegated_cred);
-+ if (ret == OK) {
-+ mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
-+ }
- break;
- }
- }
-
- done:
-+ gss_release_cred(&min, &delegated_cred);
-+ gss_release_name(&min, &client);
- gss_release_cred(&min, &server_cred);
- gss_release_name(&min, &user);
- gss_release_cred(&min, &user_cred);
-@@ -683,10 +692,6 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req)
- return req_cfg;
- }
-
--static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
-- gss_name_t client, gss_OID mech_type,
-- uint32_t vtime, gss_cred_id_t delegated_cred);
--
- #ifdef HAVE_CRED_STORE
- static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
- if (req_cfg->cfg->use_s4u2proxy) {
-@@ -1105,15 +1110,7 @@ static int mag_auth(request_rec *req)
- #endif
-
- if (auth_type == AUTH_TYPE_BASIC) {
-- if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
-- &client, &mech_type,
-- &delegated_cred, &vtime)) {
--
-- ret = mag_complete(req_cfg, mc, 
client, mech_type, vtime,
-- delegated_cred);
-- if (ret == OK)
-- mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
-- }
-+ ret = mag_auth_basic(req_cfg, mc, ba_user, ba_pwd);
- goto done;
- }
-
diff --git a/SOURCES/Fix-tests-to-work-with-python3.patch b/SOURCES/Fix-tests-to-work-with-python3.patch
deleted file mode 100644
index 7549c09..0000000
--- a/SOURCES/Fix-tests-to-work-with-python3.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 613933383aa352bb8f350f43ecb393a0604016cc Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Fri, 21 Dec 2018 11:50:16 -0500
-Subject: [PATCH] Fix tests to work with python3
-
-Signed-off-by: Robbie Harwood
-(cherry picked from commit 751eb09e7abf38f49fc525e1616d48a6f951673f)
-(cherry picked from commit d2748e79d31f153505f944b09a4790c6231dcd79)
----
- tests/magtests.py | 3 ++-
- tests/t_spnego_proxy.py | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 6414503..f14f47a 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -431,7 +431,7 @@ def kinit_user(testdir, kdcenv):
- stdin=subprocess.PIPE,
- stdout=logfile, stderr=logfile,
- env=testenv, preexec_fn=os.setsid)
-- kinit.communicate('%s\n' % USR_PWD)
-+ kinit.communicate(('%s\n' % USR_PWD).encode("utf8"))
- kinit.wait()
- if kinit.returncode != 0:
- raise ValueError('kinit failed')
-@@ -495,6 +495,7 @@ def test_spnego_auth(testdir, testenv, logfile):
- else:
- sys.stderr.write('SPNEGO No Auth: SUCCESS\n')
-
-+
- return error_count
-
-
-diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py
-index 6219721..c47558b 100755
---- a/tests/t_spnego_proxy.py
-+++ b/tests/t_spnego_proxy.py
-@@ -17,7 +17,7 @@ def getAuthToken(target):
- ctx = gssapi.SecurityContext(name=name, mech=spnego_mech)
- token = ctx.step()
-
-- return 'Negotiate %s' % b64encode(token)
-+ return 'Negotiate %s' % b64encode(token).decode()
-
-
- if __name__ == '__main__':
diff --git a/SOURCES/In-tests-show-the-exception-on-failure.patch b/SOURCES/In-tests-show-the-exception-on-failure.patch
deleted file mode 100644
index 0f8c0dc..0000000
--- a/SOURCES/In-tests-show-the-exception-on-failure.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 3fc1f9f5d7f5a33900572b419ecdfd2d3672ceca Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Fri, 21 Dec 2018 10:50:49 -0500
-Subject: [PATCH] In tests, show the exception on failure
-
-Otherwise, the user might get nothing at all out, depending on what failed.
-
-Signed-off-by: Robbie Harwood
-(cherry picked from commit 881f98ee08f6d8d7a2352ab2f3e8e38845cf8039)
-(cherry picked from commit 1de81677f1878ea1667b56169fe714d685771b4e)
----
- tests/magtests.py | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 576e88f..6414503 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -8,6 +8,7 @@ import shutil
- import signal
- import subprocess
- import sys
-+import traceback
-
- # check that we can import requests (for use in test scripts)
- import requests
-@@ -207,7 +208,6 @@ def setup_test_certs(testdir, testenv, logfile):
- with open(opensslcnf, 'w+') as f:
- f.write(text)
-
-- print(pkinit_key)
- cmd = subprocess.Popen(["openssl", "genrsa", "-out", pkinit_key,
- "2048"], stdout=logfile,
- stderr=logfile, env=testenv,
-@@ -718,6 +718,8 @@ if __name__ == '__main__':
- errs += test_basic_auth_krb5(testdir, testenv, logfile)
-
- errs += test_no_negotiate(testdir, testenv, logfile)
-+ except Exception:
-+ traceback.print_exc()
- finally:
- for name in processes:
- logfile.write("Killing %s\n" % name)
diff --git a/SOURCES/Move-to-python3-by-default.patch b/SOURCES/Move-to-python3-by-default.patch
deleted file mode 100644
index 675f76f..0000000
--- a/SOURCES/Move-to-python3-by-default.patch
+++ /dev/null
@@ -1,198 +0,0 @@
-From eeca34dc64804a4b771800f54f0e0647ce88bdd4 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Tue, 13 Oct 2020 10:33:39 -0400
-Subject: [PATCH] Move to python3 by default
-
-When moving 2 -> 3, python elected to keep "python" as the name of the
-python2 interpreter. As a result, python3-only machines have no
-/usr/bin/python. Since python2 is EOL, it should be safe to make our
-scripting default to python3.
-
-Signed-off-by: Robbie Harwood
-(cherry picked from commit 840863f89ed4809602f1ca7b8ad650c0b979d20e)
-[rharwood@redhat.com: tests that don't exist yet, README prg/prk,
-contrib isn't packaged in dist tarballs]
----
- README | 4 ++--
- tests/magtests.py | 2 +-
- tests/t_bad_acceptor_name.py | 2 +-
- tests/t_basic_k5.py | 2 +-
- tests/t_basic_k5_fail_second.py | 2 +-
- tests/t_basic_k5_two_users.py | 2 +-
- tests/t_basic_proxy.py | 2 +-
- tests/t_basic_timeout.py | 2 +-
- tests/t_hostname_acceptor.py | 2 +-
- tests/t_nonego.py | 2 +-
- tests/t_required_name_attr.py | 2 +-
- tests/t_spnego.py | 2 +-
- tests/t_spnego_negotiate_once.py | 2 +-
- tests/t_spnego_no_auth.py | 2 +-
- tests/t_spnego_proxy.py | 2 +-
- tests/t_spnego_rewrite.py | 2 +-
- 16 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/README b/README
-index 5eac94f..654a891 100644
---- a/README
-+++ b/README
-@@ -26,8 +26,8 @@ To run tests, you also need:
-
- * The Kerberos 5 Key-Distribution-Center (`krb5-kdc` package on Debian,
- `krb5-server` on Fedora)
--* Packages `mod_session`, `krb5-workstation`, `python-requests-kerberos`,
-- and `python-gssapi` on Fedora
-+* Packages `mod_session`, `krb5-workstation`, `python3-requests-gssapi`,
-+ and `python3-gssapi` on Fedora
- * Some tests require `krb5-pkinit` package on fedora and krb5 >= 1.15.
- * [nss_wrapper](https://cwrap.org/nss_wrapper.html), packaged in Fedora
- * [socket_wrapper](https://cwrap.org/socket_wrapper.html), packaged in Fedora
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 082c6e4..d0f0a67 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import argparse
-diff --git a/tests/t_bad_acceptor_name.py b/tests/t_bad_acceptor_name.py
-index 41ee48b..6cee588 100755
---- a/tests/t_bad_acceptor_name.py
-+++ b/tests/t_bad_acceptor_name.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_basic_k5.py b/tests/t_basic_k5.py
-index e499eac..4b24801 100755
---- a/tests/t_basic_k5.py
-+++ b/tests/t_basic_k5.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_basic_k5_fail_second.py b/tests/t_basic_k5_fail_second.py
-index 273e9a5..7e53218 100755
---- a/tests/t_basic_k5_fail_second.py
-+++ b/tests/t_basic_k5_fail_second.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_basic_k5_two_users.py b/tests/t_basic_k5_two_users.py
-index 41ffe98..3d27e9e 100755
---- a/tests/t_basic_k5_two_users.py
-+++ b/tests/t_basic_k5_two_users.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_basic_proxy.py b/tests/t_basic_proxy.py
-index 5370314..347b802 100755
---- a/tests/t_basic_proxy.py
-+++ b/tests/t_basic_proxy.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py
-index 983dfd2..007ff97 100755
---- a/tests/t_basic_timeout.py
-+++ b/tests/t_basic_timeout.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_hostname_acceptor.py b/tests/t_hostname_acceptor.py
-index 6d59e85..bb85700 100755
---- a/tests/t_hostname_acceptor.py
-+++ b/tests/t_hostname_acceptor.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license.
-
- import sys
-diff --git a/tests/t_nonego.py b/tests/t_nonego.py
-index 430001a..4e77f80 100755
---- a/tests/t_nonego.py
-+++ b/tests/t_nonego.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_required_name_attr.py b/tests/t_required_name_attr.py
-index bbfdc19..a67446b 100755
---- a/tests/t_required_name_attr.py
-+++ b/tests/t_required_name_attr.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_spnego.py b/tests/t_spnego.py
-index e7003a6..04190a9 100755
---- a/tests/t_spnego.py
-+++ b/tests/t_spnego.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_spnego_negotiate_once.py b/tests/t_spnego_negotiate_once.py
-index e8eb601..3d8e048 100755
---- a/tests/t_spnego_negotiate_once.py
-+++ b/tests/t_spnego_negotiate_once.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_spnego_no_auth.py b/tests/t_spnego_no_auth.py
-index abcccdf..c564388 100755
---- a/tests/t_spnego_no_auth.py
-+++ b/tests/t_spnego_no_auth.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py
-index c47558b..b917191 100755
---- a/tests/t_spnego_proxy.py
-+++ b/tests/t_spnego_proxy.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
-diff --git a/tests/t_spnego_rewrite.py b/tests/t_spnego_rewrite.py
-index 2ed1d3e..202d76a 100755
---- a/tests/t_spnego_rewrite.py
-+++ b/tests/t_spnego_rewrite.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
- import os
diff --git a/SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch b/SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch
deleted file mode 100644
index b613083..0000000
--- a/SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch
+++ /dev/null
@@ -1,166 +0,0 @@
-From bd2f8d20c589feae7249ccca28199d826d007667 Mon Sep 17 00:00:00 2001
-From: Stanislav Levin
-Date: Thu, 6 Aug 2020 13:55:45 +0300
-Subject: [PATCH] tests: Don't override the specific environment by the global
- one
-
-This changes the way in which a test environment is prepared.
-
-Before:
-specific -> global
-
-After:
-global -> specific
-
-In particular, this allows setting PATH env variable differed from
-the global configuration.
-
-Fixes: https://github.com/gssapi/mod_auth_gssapi/issues/226
-Signed-off-by: Stanislav Levin
-(cherry picked from commit 731761e63d72bf5656f40340daafce4e2d34bd92)
----
- tests/magtests.py | 78 +++++++++++++++++++++++++++++------------------
- 1 file changed, 48 insertions(+), 30 deletions(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 1c0b26a..e04fa65 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -310,11 +310,13 @@ def setup_kdc(testdir, wrapenv):
- with open(kdcconf, 'w+') as f:
- f.write(text)
-
-- kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-- 'KRB5_CONFIG': krb5conf,
-- 'KRB5_KDC_PROFILE': kdcconf,
-- 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
-- kdcenv.update(wrapenv)
-+ kdcenv = wrapenv.copy()
-+ kdcenv.update({
-+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-+ 'KRB5_CONFIG': krb5conf,
-+ 'KRB5_KDC_PROFILE': kdcconf,
-+ 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
-+ })
-
- logfile = open(testlog, 'a')
- ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
-@@ -383,8 +385,10 @@ def setup_keys(tesdir, env):
- cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
- kadmin_local(cmd, env, logfile)
-
-- keys_env = {"KRB5_KTNAME": svc_keytab, }
-- keys_env.update(env)
-+ keys_env = env.copy()
-+ keys_env.update({
-+ "KRB5_KTNAME": svc_keytab,
-+ })
- return keys_env
-
-
-@@ -421,10 +425,12 @@ def setup_http(testdir, so_dir, wrapenv):
-
- shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
-
-- 
httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-- 'MALLOC_CHECK_': '3',
-- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
-- httpenv.update(wrapenv)
-+ httpenv = wrapenv.copy()
-+ httpenv.update({
-+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-+ 'MALLOC_CHECK_': '3',
-+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
-+ })
-
- httpd = "httpd" if distro == "Fedora" else "apache2"
- httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
-@@ -435,8 +441,10 @@ def setup_http(testdir, so_dir, wrapenv):
- def kinit_user(testdir, kdcenv):
- testlog = os.path.join(testdir, 'kinit.log')
- ccache = os.path.join(testdir, 'k5ccache')
-- testenv = {'KRB5CCNAME': ccache}
-- testenv.update(kdcenv)
-+ testenv = kdcenv.copy()
-+ testenv.update({
-+ 'KRB5CCNAME': ccache,
-+ })
-
- with (open(testlog, 'a')) as logfile:
- kinit = subprocess.Popen(["kinit", USR_NAME],
-@@ -457,8 +465,10 @@ def kinit_certuser(testdir, kdcenv):
- pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT)
- pkinit_key = os.path.join(testdir, PKINIT_KEY)
- ident = "X509_user_identity=FILE:" + pkinit_user_cert + "," + pkinit_key
-- testenv = {'KRB5CCNAME': ccache}
-- testenv.update(kdcenv)
-+ testenv = kdcenv.copy()
-+ testenv.update({
-+ 'KRB5CCNAME': ccache,
-+ })
- with (open(testlog, 'a')) as logfile:
- logfile.write('PKINIT for maguser3\n')
- kinit = subprocess.Popen(["kinit", USR_NAME_3, "-X", ident],
-@@ -711,17 +721,21 @@ def faketime_setup(testenv):
- raise NotImplementedError
-
- # spedup x100
-- fakeenv = {'FAKETIME': '+0 x100'}
-- fakeenv.update(testenv)
-- fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime))
-+ fakeenv = testenv.copy()
-+ fakeenv.update({
-+ 'FAKETIME': '+0 x100',
-+ 'LD_PRELOAD': ' '.join((testenv['LD_PRELOAD'], libfaketime)),
-+ })
- return fakeenv
-
-
- def http_restart(testdir, so_dir, testenv):
-- httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
-- 
'MALLOC_CHECK_': '3',
-- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
-- httpenv.update(testenv)
-+ httpenv = testenv.copy()
-+ httpenv.update({
-+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
-+ 'MALLOC_CHECK_': '3',
-+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
-+ })
-
- httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
- config = os.path.join(testdir, 'httpd', 'httpd.conf')
-@@ -776,11 +790,13 @@ if __name__ == '__main__':
- sys.stderr.write("krb5 PKINIT module not found, skipping name "
- "attribute tests\n")
-
-- testenv = {'MAG_USER_NAME': USR_NAME,
-- 'MAG_USER_PASSWORD': USR_PWD,
-- 'MAG_USER_NAME_2': USR_NAME_2,
-- 'MAG_USER_PASSWORD_2': USR_PWD_2}
-- testenv.update(kdcenv)
-+ testenv = kdcenv.copy()
-+ testenv.update({
-+ 'MAG_USER_NAME': USR_NAME,
-+ 'MAG_USER_PASSWORD': USR_PWD,
-+ 'MAG_USER_NAME_2': USR_NAME_2,
-+ 'MAG_USER_PASSWORD_2': USR_PWD_2,
-+ })
-
- errs += test_basic_auth_krb5(testdir, testenv, logfile)
-
-@@ -789,9 +805,11 @@ if __name__ == '__main__':
- # After this point we need to speed up httpd to test creds timeout
- try:
- fakeenv = faketime_setup(kdcenv)
-- timeenv = {'TIMEOUT_USER': USR_NAME_4,
-- 'MAG_USER_PASSWORD': USR_PWD}
-- timeenv.update(fakeenv)
-+ timeenv = fakeenv.copy()
-+ timeenv.update({
-+ 'TIMEOUT_USER': USR_NAME_4,
-+ 'MAG_USER_PASSWORD': USR_PWD,
-+ })
- curporc = httpproc
- pid = processes['HTTPD(%d)' % httpproc.pid].pid
- os.killpg(pid, signal.SIGTERM)
diff --git a/SOURCES/tests-Fixup-virtualenv-handling.patch b/SOURCES/tests-Fixup-virtualenv-handling.patch
deleted file mode 100644
index 1fb638d..0000000
--- a/SOURCES/tests-Fixup-virtualenv-handling.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From f106e3afa21cdbc098d3c82698585744e3325621 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Fri, 15 May 2020 15:56:50 -0400
-Subject: [PATCH] [tests] Fixup virtualenv handling
-
-Fixes an issue where virtualenv's PATH would get lost
-
-Signed-off-by: Robbie Harwood
-(cherry picked from commit e60384c0d4d4b4c213ec728ec3d444f998625941)
----
- tests/magtests.py | 21 ++++++++++-----------
- 1 file changed, 10 insertions(+), 11 deletions(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 6c38a8f..1c0b26a 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -67,6 +67,12 @@ def setup_wrappers(base):
- return wenv
-
-
-+def apply_venv(env):
-+ env['PATH'] = os.environ.get('PATH', '')
-+ env['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-+ return env
-+
-+
- TESTREALM = "MAG.DEV"
- KDC_DBNAME = 'db.file'
- KDC_STASH = 'stash.file'
-@@ -304,7 +310,7 @@ def setup_kdc(testdir, wrapenv):
- with open(kdcconf, 'w+') as f:
- f.write(text)
-
-- kdcenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
-+ kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
- 'KRB5_CONFIG': krb5conf,
- 'KRB5_KDC_PROFILE': kdcconf,
- 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
-@@ -415,7 +421,7 @@ def setup_http(testdir, so_dir, wrapenv):
-
- shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
-
-- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
-+ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
- 'MALLOC_CHECK_': '3',
- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
- httpenv.update(wrapenv)
-@@ -712,8 +718,7 @@ def faketime_setup(testenv):
-
-
- def http_restart(testdir, so_dir, testenv):
--
-- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
-+ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
- 'MALLOC_CHECK_': '3',
- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
- httpenv.update(testenv)
-@@ -738,7 +743,7 @@ if __name__ == '__main__':
- 
logfile = open(os.path.join(testdir, 'tests.log'), 'w')
- errs = 0
- try:
-- wrapenv = setup_wrappers(testdir)
-+ wrapenv = apply_venv(setup_wrappers(testdir))
-
- kdcproc, kdcenv = setup_kdc(testdir, wrapenv)
- processes['KDC(%d)' % kdcproc.pid] = kdcproc
-@@ -749,10 +754,6 @@ if __name__ == '__main__':
- keysenv = setup_keys(testdir, kdcenv)
- testenv = kinit_user(testdir, kdcenv)
-
-- # support virtualenv
-- testenv['PATH'] = os.environ.get('PATH', '')
-- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
--
- testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
- USR_NAME + '@' + TESTREALM)
- errs += test_spnego_auth(testdir, testenv, logfile)
-@@ -780,8 +781,6 @@ if __name__ == '__main__':
- 'MAG_USER_NAME_2': USR_NAME_2,
- 'MAG_USER_PASSWORD_2': USR_PWD_2}
- testenv.update(kdcenv)
-- testenv['PATH'] = os.environ.get('PATH', '')
-- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-
- errs += test_basic_auth_krb5(testdir, testenv, logfile)
-
diff --git a/SOURCES/tests-Support-Debian-s-libfaketime.patch b/SOURCES/tests-Support-Debian-s-libfaketime.patch
deleted file mode 100644
index 94f2314..0000000
--- a/SOURCES/tests-Support-Debian-s-libfaketime.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 27f7ca84a5a05f65e6d113a8a6698c7f40fd66c6 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Fri, 15 May 2020 15:51:19 -0400
-Subject: [PATCH] [tests] Support Debian's libfaketime
-
-Signed-off-by: Robbie Harwood
-(cherry picked from commit 367120a1c02641680a8f51bd59cc96d56cc9804b)
----
- tests/magtests.py | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index da1cca7..6c38a8f 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -692,9 +692,16 @@ def test_hostname_acceptor(testdir, testenv, logfile):
-
-
- def faketime_setup(testenv):
-- libfaketime = '/usr/lib64/faketime/libfaketime.so.1'
-- # optional faketime
-- if not os.path.isfile(libfaketime):
-+ # Wanted: an architecture- and distro-agnostic way to do this.
-+ # libfaketime is installed in a place where ld.so won't pick it up by
-+ # default, so...
-+ paths = ['/usr/lib64/faketime/libfaketime.so.1',
-+ '/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1']
-+ libfaketime = None
-+ for p in paths:
-+ if os.path.isfile(p):
-+ libfaketime = p
-+ if not libfaketime:
- raise NotImplementedError
-
- # spedup x100
diff --git a/SOURCES/tests-Test-suite-fixes-for-virtualenv-and-clang.patch b/SOURCES/tests-Test-suite-fixes-for-virtualenv-and-clang.patch
deleted file mode 100644
index 2b042e0..0000000
--- a/SOURCES/tests-Test-suite-fixes-for-virtualenv-and-clang.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From ce83aa116397fb71143e5b1363ce7563f7a4444d Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Mon, 11 Mar 2019 14:56:31 -0400
-Subject: [PATCH] [tests] Test suite fixes for virtualenv and clang
-
-- Typo fix - VIRTUAL_ENV in magtests.py
-- testenv object manipulation fix in magtests.py
-- Work around -fstack-clash-protection problems in clang
-
-Signed-off-by: Robbie Harwood
-(cherry picked from commit 6aa0a5bfe9d60a50cf36c561268c5d7c1fdb2f0e)
-[rharwood@redhat.com: drop Travis goo]
-(cherry picked from commit 11c966cc630393e322ef6b88df91d16247bbfc37)
----
- tests/magtests.py | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index f14f47a..a4842a0 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -687,7 +687,7 @@ if __name__ == '__main__':
-
- # support virtualenv
- testenv['PATH'] = os.environ.get('PATH', '')
-- testenv['ViRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-+ testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-
- testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
- USR_NAME + '@' + TESTREALM)
-@@ -716,6 +716,9 @@ if __name__ == '__main__':
- 'MAG_USER_NAME_2': USR_NAME_2,
- 'MAG_USER_PASSWORD_2': USR_PWD_2}
- testenv.update(kdcenv)
-+ testenv['PATH'] = os.environ.get('PATH', '')
-+ testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-+
- errs += test_basic_auth_krb5(testdir, testenv, logfile)
-
- errs += test_no_negotiate(testdir, testenv, logfile)
diff --git a/SOURCES/tests-add-test-for-gss_localname.patch b/SOURCES/tests-add-test-for-gss_localname.patch
deleted file mode 100644
index ab97f87..0000000
--- a/SOURCES/tests-add-test-for-gss_localname.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From 0dbf450a49784e2a750c667824e0e0249be575e4 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Wed, 27 Apr 2022 18:18:22 +0200
-Subject: [PATCH] Add test for gss_localname
-
-Backport test for gss_localname implemented upstream by Simo
----
- tests/httpd.conf | 13 ++++++++++
- tests/localname.html | 1 +
- tests/magtests.py | 47 ++++++++++++++++++++++++++++++++-
- tests/t_localname.py | 62 ++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 122 insertions(+), 1 deletion(-)
- create mode 100644 tests/localname.html
- create mode 100755 tests/t_localname.py
-
-diff --git a/tests/httpd.conf b/tests/httpd.conf
-index f76f2b671e02515e6d4effe09ab123dace90c023..b3777574d9f0547560f24eff992fc1018569b5cc 100644
---- a/tests/httpd.conf
-+++ b/tests/httpd.conf
-@@ -274,6 +274,19 @@ CoreDumpDirectory "{HTTPROOT}"
- Require valid-user
-
-
-+
-+ AuthType GSSAPI
-+ AuthName "Login"
-+ GssapiSSLonly Off
-+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
-+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
-+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
-+ GssapiBasicAuth Off
-+ GssapiAllowedMech krb5
-+ GssapiLocalName On
-+ Require valid-user
-+
-+
-
- ProxyRequests On
- ProxyVia On
-diff --git a/tests/localname.html b/tests/localname.html
-new file mode 100644
-index 0000000000000000000000000000000000000000..abf7c507de1eb32b31b882502eed5f2bbcc5fbf3
---- /dev/null
-+++ b/tests/localname.html
-@@ -0,0 +1 @@
-+
-diff --git a/tests/magtests.py b/tests/magtests.py
-index d0f0a67f075c6b631926e9abd91a665973d90f4a..d100413b371e7ecf4e09d944b7ff6e9bec7e316f 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -58,12 +58,20 @@ def setup_wrappers(base):
- f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME))
- f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME))
-
-+ passwd_file = os.path.join(testdir, 'passwd')
-+ with open(passwd_file, 'w+') as f:
-+ f.write('root:x:0:0:root:/root:/bin/sh')
-+ f.write('maguser:x:1:1:maguser:/maguser:/bin/sh')
-+ 
f.write('maguser2:x:2:2:maguser2:/maguser2:/bin/sh')
-+ f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh')
-+
- wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
- 'SOCKET_WRAPPER_DIR': wrapdir,
- 'SOCKET_WRAPPER_DEFAULT_IFACE': '9',
- 'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
- 'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME,
-- 'NSS_WRAPPER_HOSTS': hosts_file}
-+ 'NSS_WRAPPER_HOSTS': hosts_file,
-+ 'NSS_WRAPPER_PASSWD': passwd_file}
- return wenv
-
-
-@@ -744,6 +752,40 @@ def http_restart(testdir, so_dir, testenv):
- return httpproc
-
-
-+def test_gss_localname(testdir, testenv, logfile):
-+ hdir = os.path.join(testdir, 'httpd', 'html', 'gss_localname')
-+ os.mkdir(hdir)
-+ shutil.copy('tests/localname.html', os.path.join(hdir, 'index.html'))
-+ error_count = 0
-+
-+ # Make sure spnego is explicitly tested
-+ spnego = subprocess.Popen(["tests/t_localname.py", "SPNEGO"],
-+ stdout=logfile, stderr=logfile,
-+ env=testenv, preexec_fn=os.setsid)
-+ spnego.wait()
-+ if spnego.returncode != 0:
-+ sys.stderr.write('LOCALNAME(SPNEGO): FAILED\n')
-+ error_count += 1
-+ else:
-+ sys.stderr.write('LOCALNAME(SPNEGO): SUCCESS\n')
-+
-+ # and bare krb5 (GS2-KRB5 is the name used by SASL for it)
-+ krb5 = subprocess.Popen(["tests/t_localname.py", "GS2-KRB5"],
-+ stdout=logfile, stderr=logfile,
-+ env=testenv, preexec_fn=os.setsid)
-+ krb5.wait()
-+ if krb5.returncode != 0:
-+ if krb5.returncode == 42:
-+ sys.stderr.write('LOCALNAME(KRB5): SKIPPED\n')
-+ else:
-+ sys.stderr.write('LOCALNAME(KRB5): FAILED\n')
-+ error_count += 1
-+ else:
-+ sys.stderr.write('LOCALNAME(KRB5): SUCCESS\n')
-+
-+ return error_count
-+
-+
- if __name__ == '__main__':
- args = parse_args()
-
-@@ -781,6 +823,9 @@ if __name__ == '__main__':
-
- errs += test_bad_acceptor_name(testdir, testenv, logfile)
-
-+ testenv['MAG_REMOTE_USER'] = USR_NAME
-+ errs += test_gss_localname(testdir, testenv, logfile)
-+
- rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so"
- deb_path = 
"/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so"
- if os.path.exists(rpm_path) or os.path.exists(deb_path):
-diff --git a/tests/t_localname.py b/tests/t_localname.py
-new file mode 100755
-index 0000000000000000000000000000000000000000..e990762c42aa9b370ac71292b5019fc63622c240
---- /dev/null
-+++ b/tests/t_localname.py
-@@ -0,0 +1,62 @@
-+#!/usr/bin/env python3
-+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
-+
-+import os
-+import subprocess
-+import sys
-+
-+import gssapi
-+
-+import requests
-+
-+from requests_gssapi import HTTPSPNEGOAuth
-+
-+
-+def use_requests(auth):
-+ sess = requests.Session()
-+ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
-+
-+ r = sess.get(url, auth=auth)
-+ if r.status_code != 200:
-+ raise ValueError('Localname failed')
-+
-+ if r.text.rstrip() != os.environ['MAG_REMOTE_USER']:
-+ raise ValueError('Localname, REMOTE_USER check failed')
-+
-+
-+def use_curl():
-+ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
-+ curl = subprocess.Popen(["curl", "--negotiate", "-u:", url],
-+ stdout=subprocess.PIPE)
-+ curl.wait()
-+ if curl.returncode != 0:
-+ raise ValueError('Localname failed')
-+
-+ line = curl.stdout.read().strip(b' \t\n\r').decode('utf-8')
-+ if line != os.environ['MAG_REMOTE_USER']:
-+ raise ValueError('Localname, REMOTE_USER check failed (%s != %s)' % (
-+ line, os.environ['MAG_REMOTE_USER']))
-+
-+
-+if __name__ == '__main__':
-+ mech_name = None
-+ if len(sys.argv) > 1:
-+ mech_name = sys.argv[1]
-+
-+ mech = None
-+ if mech_name is not None:
-+ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
-+
-+ try:
-+ auth = HTTPSPNEGOAuth(mech=mech)
-+ use_requests(auth)
-+ except TypeError:
-+ # odler version of requests that does not support mechs
-+ if mech_name == 'SPNEGO':
-+ use_curl()
-+ elif mech_name == 'GS2-KRB5':
-+ # older request versions use krb5 as the mech by default
-+ auth = HTTPSPNEGOAuth()
-+ use_requests(auth)
-+ else:
-+ 
sys.exit(42) # SKIP
---
-2.35.1
-
diff --git a/SPECS/mod_auth_gssapi.spec b/mod_auth_gssapi.spec
similarity index 53%
rename from SPECS/mod_auth_gssapi.spec
rename to mod_auth_gssapi.spec
index b8b119c..2b71bf3 100644
--- a/SPECS/mod_auth_gssapi.spec
+++ b/mod_auth_gssapi.spec
@@ -1,42 +1,40 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.6.5) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 8; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + Name: mod_auth_gssapi -Version: 1.6.1 -Release: 9%{?dist} +Version: 1.6.5 +Release: %autorelease Summary: A GSSAPI Authentication module for Apache -Group: System Environment/Daemons License: MIT -URL: https://github.com/modauthgssapi/mod_auth_gssapi -Source0: https://github.com/modauthgssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz +URL: https://github.com/gssapi/mod_auth_gssapi +Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz -Patch0: In-tests-show-the-exception-on-failure.patch -Patch1: Fix-tests-to-work-with-python3.patch -Patch2: tests-Test-suite-fixes-for-virtualenv-and-clang.patch -Patch3: Fix-integer-sizes-used-with-ap_set_flag_slot.patch -Patch4: Fix-mag_auth_basic-function-call.patch -Patch6: Fix-distcheck.patch -Patch7: Add-option-to-control-timeout-for-Basic-Auth.patch -Patch8: tests-Support-Debian-s-libfaketime.patch -Patch9: tests-Fixup-virtualenv-handling.patch -Patch10: tests-Don-t-override-the-specific-environment-by-the.patch -Patch11: Fix-PATH-handling-bug-in-test-suite.patch -Patch12: Move-to-python3-by-default.patch -Patch13: Fix-gss_localname-with-SPNEGO-wrapping.patch -Patch14: tests-add-test-for-gss_localname.patch -Patch15: Add-ability-to-expose-the-used-mechanism.patch -Patch16: Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch - -BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool -BuildRequires: gssntlmssp-devel +BuildRequires: httpd-devel, krb5-devel, openssl-devel +BuildRequires: autoconf, automake, libtool, bison, flex, make BuildRequires: git 
Requires: httpd-mmn = %{_httpd_mmn} Requires: krb5-libs >= 1.11.5 +# If you're reading this: NTLM is insecure. Migrate off it. +%if 0%{?rhel} +%else +BuildRequires: gssntlmssp-devel +%endif + %description The mod_auth_gssapi module is an authentication service that implements the SPNEGO based HTTP Authentication protocol defined in RFC4559. %prep -%autosetup -S git +%autosetup -S git_am %build export APXS=%{_httpd_apxs} 
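Review bot: The NTLM conditional added after the `Requires:` lines has an empty `%if 0%{?rhel}` branch, and its comment warns about NTLM without saying what the block does. A reader has to work out that RHEL builds skip `gssntlmssp-devel` while every other build still pulls it in. I would negate the test and state the effect in the comment: `# NTLM is insecure, migrate off it: RHEL builds do not pull in gssntlmssp-devel.` followed by `%if !0%{?rhel}`, then the existing `BuildRequires: gssntlmssp-devel` and `%endif`. This hunk does not show whether dropping the build dependency also removes NTLM support from the built module, so that is worth confirming before treating the conditional as a hardening measure.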
@@ -61,41 +59,89 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir} %{_httpd_moddir}/mod_auth_gssapi.so %changelog -* Thu Apr 28 2022 Francisco Trivino 1.6.1-9 -- Add missing repos to the osci tests -- Fix gss localname test to work with older gssapi version -- Resolves: #2083122 -- Add ability to expose the used mechanism -- Resolves: #2046231 +## START: Generated by rpmautospec +* Tue Oct 29 2024 Troy Dawson - 1.6.5-8 +- Bump release for October 2024 mass rebuild: -* Wed Apr 27 2022 Francisco Trivino 1.6.1-8 -- Add test for gss_localname -- Fix gss_localname with SPNEGO wrapping -- Resolves: #1787630 +* Fri Jul 05 2024 Florence Blanc-Renaud - 1.6.5-7 +- Fix gating -* Mon Oct 12 2020 Robbie Harwood 1.6.1-7.1 -- Bang on gating until the environment gives up -- Resolves: #1866149 +* Fri Jul 05 2024 Sudhir Menon - 1.6.5-6 +- Added gating.yaml and test for mod_auth_gssapi -* Mon Oct 12 2020 Robbie Harwood - 1.6.1-7 -- Backport basic auth timeout control -- Resolves: #1866149 +* Mon Jun 24 2024 Troy Dawson - 1.6.5-5 +- Bump release for June 2024 mass rebuild -* Fri Mar 22 2019 Robbie Harwood - 1.6.1-6 -- Gating update -- Resolves: #1682259 +* Sun Jan 21 2024 Fedora Release Engineering - 1.6.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Mon Mar 18 2019 Robbie Harwood - 1.6.1-5 +* Thu Jul 20 2023 Fedora Release Engineering - 1.6.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 1.6.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Aug 29 2022 Simo Sorce - 1.6.5-1 +- Update to release 1.6.5 + +* Sat Aug 27 2022 Adam Williamson - 1.6.4-2 +- Disable a check added in 1.6.4 which causes crashes (#2121952) + +* Fri Aug 26 2022 Simo Sorce - 1.6.4-1 +- Update to new 1.6.4 release + +* Fri Aug 26 2022 Simo Sorce - 1.6.3-11 +- Use %%autorelease going forward + +* Thu Jul 21 2022 Fedora Release Engineering - 1.6.3-8 +- Rebuilt 
for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 1.6.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Sep 14 2021 Sahana Prasad - 1.6.3-6 +- Rebuilt with OpenSSL 3.0.0 + +* Tue Aug 24 2021 Robbie Harwood - 1.6.3-5 +- crypto: Handle EVP changes in OpenSSL 3 + +* Thu Jul 22 2021 Fedora Release Engineering - 1.6.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Mar 16 2021 Robbie Harwood - 1.6.3-3 +- Build dep adjustments; no Fedora code changes + +* Tue Jan 26 2021 Fedora Release Engineering - 1.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Aug 05 2020 Robbie Harwood - 1.6.3-1 +- New upstream release (1.6.3) + +* Tue Jul 28 2020 Fedora Release Engineering - 1.6.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Apr 27 2020 Robbie Harwood - 1.6.2-1 +- New upstream release (1.6.2) +- Resolves: #1828142 + +* Wed Jan 29 2020 Fedora Release Engineering - 1.6.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jul 25 2019 Fedora Release Engineering - 1.6.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Mar 18 2019 Robbie Harwood - 1.6.1-6 +- Test suite fixes for virtualenv and clang + +* Tue Feb 19 2019 Robbie Harwood - 1.6.1-5 - Fix integer sizes used with ap_set_flag_slot() -- Resolves: #1674501 +- Resolves: #1678872 -* Mon Mar 18 2019 Robbie Harwood - 1.6.1-4 -- Fix virtualenv logic and add gating -- Resolves: #1682259 +* Fri Feb 01 2019 Fedora Release Engineering - 1.6.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild -* Thu Mar 14 2019 Robbie Harwood - 1.6.1-3 +* Thu Jan 03 2019 Robbie Harwood - 1.6.1-3 - Fix tests to work with python3 -- Resolves: #1661589 * Fri Jul 13 2018 Fedora Release Engineering - 1.6.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild 
@@ -199,3 +245,5 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir} * Mon Aug 4 2014 Simo Sorce 1.0.0-1 - First release + +## END: Generated by rpmautospec diff --git a/sources b/sources new file mode 100644 index 0000000..0c13ccd --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (mod_auth_gssapi-1.6.5.tar.gz) = 97eb6dff90e686cd5d25c2925987bf51dbdf627720e74105204ec4625455255548414a03599cfd5a85734f5496f6a7b1f09760771a8278e8348e6ca35b6c48d0