rpms/mod_auth_gssapi
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import mod_auth_gssapi-1.6.1-7.1.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-05-18 02:56:57 -04:00 committed by Andrew Lukoshko
parent 128a9ca085
commit f8a0366c19
9 changed files with 1055 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

372
SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch Normal file
View File

@ -0,0 +1,372 @@
From b4ddd657ccc7793df9378209433f0142195a94d1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 14 May 2020 09:19:37 -0400
Subject: [PATCH] Add option to control timeout for Basic Auth
Adds new option and tests.
Adds optional dependency on libfaketime to test this feature.
Fixes: #210
Signed-off-by: Simo Sorce <simo@redhat.com>
Merges: #217
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 09df7584b4abadbfea411adafdcc825da5b720d3)
[rharwood@redhat.com: git got confused by not having localname test]
---
README | 24 +++++++++++++
src/mod_auth_gssapi.c | 27 +++++++++++---
src/mod_auth_gssapi.h | 1 +
tests/Makefile.am | 1 +
tests/httpd.conf | 32 ++++++++++++++++-
tests/magtests.py | 76 ++++++++++++++++++++++++++++++++++++++++
tests/t_basic_timeout.py | 34 ++++++++++++++++++
7 files changed, 190 insertions(+), 5 deletions(-)
create mode 100755 tests/t_basic_timeout.py
diff --git a/README b/README
index 700b57e..5eac94f 100644
--- a/README
+++ b/README
@@ -97,6 +97,7 @@ Configuration Directives
[GssapiAllowedMech](#gssapiallowedmech)<br>
[GssapiBasicAuth](#gssapibasicauth)<br>
[GssapiBasicAuthMech](#gssapibasicauthmech)<br>
+[GssapiBasicTicketTimeout](#gssapibasicticketvalidity)<br>
[GssapiConnectionBound](#gssapiconnectionbound)<br>
[GssapiCredStore](#gssapicredstore)<br>
[GssapiDelegCcacheDir](#gssapidelegccachedir)<br>
@@ -503,3 +504,26 @@ Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example).
GssapiAcceptorName HTTP@www.example.com
+### GssapiBasicTicketTimeout
+
+This option controls the ticket validity time requested for the user TGT by the
+Basic Auth method.
+
+Normally basic auth is repeated by the browser on each request so a short
+validity period is used to reduce the scope of the ticket as it will be
+replaced quickly.
+However in cases where the authentication page is separate and the session
+is used by other pages the validity can be changed to arbitrary duration.
+
+Note: the validity of a ticket is still capped by KDC configuration.
+
+Note: the value is specified in seconds.
+
+- **Default:** GssapiBasicTicketTimeout 300
+
+#### Example
+ GssapiBasicTicketTimeout 36000
+
+Sets ticket/session validity to 10 hours.
+
+
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 9e42ef4..b099973 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -1,4 +1,5 @@
-/* Copyright (C) 2014, 2016 mod_auth_gssapi contributors - See COPYING for (C) terms */
+/* Copyright (C) 2014, 2016, 2020 mod_auth_gssapi contributors
+ * See COPYING for (C) terms */
#include "mod_auth_gssapi.h"
#include "mag_parse.h"
@@ -600,7 +601,7 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
}
maj = gss_acquire_cred_with_password(&min, user, &ba_pwd,
- GSS_C_INDEFINITE,
+ cfg->basic_timeout,
allowed_mechs,
GSS_C_INITIATE,
&user_cred, &actual_mechs, NULL);
@@ -619,8 +620,8 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
for (int i = 0; i < actual_mechs->count; i++) {
maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,
- &actual_mechs->elements[i], 300, &client,
- &vtime, &delegated_cred);
+ &actual_mechs->elements[i], cfg->basic_timeout,
+ &client, &vtime, &delegated_cred);
if (maj == GSS_S_COMPLETE) {
ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],
vtime, delegated_cred);
@@ -1299,6 +1300,7 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir)
#ifdef HAVE_CRED_STORE
cfg->ccname_envvar = "KRB5CCNAME";
#endif
+ cfg->basic_timeout = 300;
return cfg;
}
@@ -1789,6 +1791,21 @@ static const char *mag_acceptor_name(cmd_parms *parms, void *mconfig,
return NULL;
}
+static const char *mag_basic_timeout(cmd_parms *parms, void *mconfig,
+ const char *w)
+{
+ struct mag_config *cfg = (struct mag_config *)mconfig;
+ unsigned long int value;
+
+ value = strtoul(w, NULL, 10);
+ if (value >= UINT32_MAX) {
+ cfg->basic_timeout = GSS_C_INDEFINITE;
+ return NULL;
+ }
+ cfg->basic_timeout = value;
+ return NULL;
+}
+
static void *mag_create_server_config(apr_pool_t *p, server_rec *s)
{
struct mag_server_config *scfg;
@@ -1865,6 +1882,8 @@ static const command_rec mag_commands[] = {
"Publish GSSAPI Errors in Envionment Variables"),
AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG,
"Name of the acceptor credentials."),
+ AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL,
+ OR_AUTHCFG, "Ticket Validity Timeout with Basic Auth."),
{ NULL }
};
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 8c0b972..2312ab5 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -93,6 +93,7 @@ struct mag_config {
int enverrs;
gss_name_t acceptor_name;
bool acceptor_name_from_req;
+ uint32_t basic_timeout;
};
struct mag_server_config {
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 16d87e9..c830e95 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -11,6 +11,7 @@ EXTRA_DIST = \
t_basic_k5.py \
t_basic_k5_two_users.py \
t_basic_proxy.py \
+ t_basic_timeout.py \
t_localname.py \
t_hostname_acceptor.py \
t_nonego.py \
diff --git a/tests/httpd.conf b/tests/httpd.conf
index 8c91e1c..f76f2b6 100644
--- a/tests/httpd.conf
+++ b/tests/httpd.conf
@@ -111,7 +111,7 @@ DocumentRoot "{HTTPROOT}/html"
PidFile "{HTTPROOT}/logs/httpd.pid"
<IfModule log_config_module>
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\" \"%{{Cookie}}i\"" combined
CustomLog "logs/access_log" combined
</IfModule>
@@ -288,3 +288,33 @@ CoreDumpDirectory "{HTTPROOT}"
Require valid-user
</Proxy>
</VirtualHost>
+
+<Location /basic_auth_timeout/auth>
+ Options +Includes
+ AddOutputFilter INCLUDES .html
+ AuthType GSSAPI
+ AuthName "Password Login"
+ GssapiSSLonly Off
+ GssapiUseSessions On
+ Session On
+ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly
+ GssapiSessionKey file:{HTTPROOT}/session.key
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
+ GssapiBasicAuth On
+ GssapiBasicAuthMech krb5
+ GssapiBasicTicketTimeout 400
+ GssapiDelegCcacheDir {HTTPROOT}
+ Require valid-user
+</Location>
+<Location /basic_auth_timeout/session>
+ Options +Includes
+ AddOutputFilter INCLUDES .html
+ AuthType GSSAPI
+ AuthName "Session Login"
+ GssapiSSLonly Off
+ GssapiUseSessions On
+ Session On
+ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly
+ GssapiSessionKey file:{HTTPROOT}/session.key
+ Require valid-user
+</Location>
diff --git a/tests/magtests.py b/tests/magtests.py
index a4842a0..da1cca7 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -3,11 +3,13 @@
import argparse
import os
+import os.path
import random
import shutil
import signal
import subprocess
import sys
+import time
import traceback
# check that we can import requests (for use in test scripts)
@@ -341,6 +343,7 @@ USR_PWD_2 = "magpwd2"
USR_NAME_3 = "maguser3"
SVC_KTNAME = "httpd/http.keytab"
KEY_TYPE = "aes256-cts-hmac-sha1-96:normal"
+USR_NAME_4 = "timeoutusr"
def setup_keys(tesdir, env):
@@ -361,6 +364,9 @@ def setup_keys(tesdir, env):
cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
kadmin_local(cmd, env, logfile)
+ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4)
+ kadmin_local(cmd, env, logfile)
+
# alias for multinamed hosts testing
alias_name = "HTTP/%s" % WRAP_ALIASNAME
cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
@@ -600,6 +606,30 @@ def test_basic_auth_krb5(testdir, testenv, logfile):
return error_count
+def test_basic_auth_timeout(testdir, testenv, logfile):
+ httpdir = os.path.join(testdir, 'httpd')
+ timeoutdir = os.path.join(httpdir, 'html', 'basic_auth_timeout')
+ os.mkdir(timeoutdir)
+ authdir = os.path.join(timeoutdir, 'auth')
+ os.mkdir(authdir)
+ sessdir = os.path.join(timeoutdir, 'session')
+ os.mkdir(sessdir)
+ shutil.copy('tests/index.html', os.path.join(authdir))
+ shutil.copy('tests/index.html', os.path.join(sessdir))
+
+ basictout = subprocess.Popen(["tests/t_basic_timeout.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ basictout.wait()
+ if basictout.returncode != 0:
+ sys.stderr.write('BASIC Timeout Behavior: FAILED\n')
+ return 1
+ else:
+ sys.stderr.write('BASIC Timeout Behavior: SUCCESS\n')
+
+ return 0
+
+
def test_bad_acceptor_name(testdir, testenv, logfile):
bandir = os.path.join(testdir, 'httpd', 'html', 'bad_acceptor_name')
os.mkdir(bandir)
@@ -661,6 +691,33 @@ def test_hostname_acceptor(testdir, testenv, logfile):
return 0
+def faketime_setup(testenv):
+ libfaketime = '/usr/lib64/faketime/libfaketime.so.1'
+ # optional faketime
+ if not os.path.isfile(libfaketime):
+ raise NotImplementedError
+
+ # spedup x100
+ fakeenv = {'FAKETIME': '+0 x100'}
+ fakeenv.update(testenv)
+ fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime))
+ return fakeenv
+
+
+def http_restart(testdir, so_dir, testenv):
+
+ httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ 'MALLOC_CHECK_': '3',
+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
+ httpenv.update(testenv)
+
+ httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
+ config = os.path.join(testdir, 'httpd', 'httpd.conf')
+ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+ env=httpenv, preexec_fn=os.setsid)
+ return httpproc
+
+
if __name__ == '__main__':
args = parse_args()
@@ -722,6 +779,25 @@ if __name__ == '__main__':
errs += test_basic_auth_krb5(testdir, testenv, logfile)
errs += test_no_negotiate(testdir, testenv, logfile)
+
+ # After this point we need to speed up httpd to test creds timeout
+ try:
+ fakeenv = faketime_setup(kdcenv)
+ timeenv = {'TIMEOUT_USER': USR_NAME_4,
+ 'MAG_USER_PASSWORD': USR_PWD}
+ timeenv.update(fakeenv)
+ curporc = httpproc
+ pid = processes['HTTPD(%d)' % httpproc.pid].pid
+ os.killpg(pid, signal.SIGTERM)
+ time.sleep(1)
+ del processes['HTTPD(%d)' % httpproc.pid]
+ httpproc = http_restart(testdir, so_dir, timeenv)
+ processes['HTTPD(%d)' % httpproc.pid] = httpproc
+
+ errs += test_basic_auth_timeout(testdir, timeenv, logfile)
+ except NotImplementedError:
+ sys.stderr.write('BASIC Timeout Behavior: SKIPPED\n')
+
except Exception:
traceback.print_exc()
finally:
diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py
new file mode 100755
index 0000000..983dfd2
--- /dev/null
+++ b/tests/t_basic_timeout.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+import time
+
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+if __name__ == '__main__':
+ s = requests.Session()
+ url = 'http://{}/basic_auth_timeout/auth/'.format(
+ os.environ['NSS_WRAPPER_HOSTNAME']
+ )
+ url2 = 'http://{}/basic_auth_timeout/session/'.format(
+ os.environ['NSS_WRAPPER_HOSTNAME']
+ )
+
+ r = s.get(url, auth=HTTPBasicAuth(os.environ['TIMEOUT_USER'],
+ os.environ['MAG_USER_PASSWORD']))
+ if r.status_code != 200:
+ raise ValueError('Basic Auth Failed')
+
+ time.sleep(301)
+ r = s.get(url2)
+ if r.status_code != 200:
+ raise ValueError('Session Auth Failed')
+
+ time.sleep(401)
+
+ r = s.get(url2)
+ if r.status_code == 200:
+ raise ValueError('Timeout check Failed')

28
SOURCES/Fix-PATH-handling-bug-in-test-suite.patch Normal file
View File

@ -0,0 +1,28 @@
From c26b1aafbb9679b19b630a46eeb35a9dee61a95f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 13 Oct 2020 11:04:00 -0400
Subject: [PATCH] Fix PATH handling bug in test suite
virtualenv relies on its executable being ahead of the system ones. For
setting up the KDC, we don't have a preferencee - we just need the sbins
to be available.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit ae07252e356d8142ddd3987c9c3686ba7ee593de)
---
tests/magtests.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index e04fa65..082c6e4 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -312,7 +312,7 @@ def setup_kdc(testdir, wrapenv):
kdcenv = wrapenv.copy()
kdcenv.update({
- 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
+ 'PATH': f'{wrapenv["PATH"]}:/sbin:/bin:/usr/sbin:/usr/bin',
'KRB5_CONFIG': krb5conf,
'KRB5_KDC_PROFILE': kdcconf,
'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),

31
SOURCES/Fix-distcheck.patch Normal file
View File

@ -0,0 +1,31 @@
From 706494bde5c5124621006b857fc55529f9e8e0db Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 14 May 2020 18:04:47 -0400
Subject: [PATCH] Fix distcheck
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit eb6de7e946d7ecc9292bb454d43ac05f0801adf7)
---
tests/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 70754fb..16d87e9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -4,12 +4,14 @@ EXTRA_DIST = \
401.html \
httpd.conf \
index.html \
+ localname.html \
magtests.py \
t_bad_acceptor_name.py \
t_basic_k5_fail_second.py \
t_basic_k5.py \
t_basic_k5_two_users.py \
t_basic_proxy.py \
+ t_localname.py \
t_hostname_acceptor.py \
t_nonego.py \
t_required_name_attr.py \

121
SOURCES/Fix-mag_auth_basic-function-call.patch Normal file
View File

@ -0,0 +1,121 @@
From 1941fd1545b4786fee9464881239d74a91c55723 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 7 Feb 2019 14:48:56 -0500
Subject: [PATCH] Fix mag_auth_basic function call.
In order to respect the API we'd have to return nech_type as a copy of
the mech found to correctly complete authentication.
It would need to be a copy because the actual_mechs variable is an array
of statically copied OIDs not an array of pointers.
Instead change mag_auth_basic to directly call mag_complete() and
mag_cache_basic on success. This is easier than attempting to handle
copying out OIDs and then freeing them in the caller as GSSAPI does not
offer standard APIs for copying OIDs.
As a side-effect we reduce the number of arguments to mag_auth_gssapi,
which is good, to the slight detriment of legibility in the main
function as now you need to know mag_auth_basic() is already calling
mag_complete(). The trade off is worth it though.
Signed-off-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 318db0b0e3777d4cfdc09eeef98e28c478607271)
---
src/mod_auth_gssapi.c | 47 ++++++++++++++++++++-----------------------
1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 4048ee7..9e42ef4 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -493,15 +493,15 @@ done:
return maj;
}
-static bool mag_auth_basic(request_rec *req,
- struct mag_config *cfg,
- gss_buffer_desc ba_user,
- gss_buffer_desc ba_pwd,
- gss_name_t *client,
- gss_OID *mech_type,
- gss_cred_id_t *delegated_cred,
- uint32_t *vtime)
+static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
+ gss_name_t client, gss_OID mech_type,
+ uint32_t vtime, gss_cred_id_t delegated_cred);
+
+static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
+ gss_buffer_desc ba_user, gss_buffer_desc ba_pwd)
{
+ struct mag_config *cfg = req_cfg->cfg;
+ request_rec *req = req_cfg->req;
const char *user_ccache = NULL;
const char *orig_ccache = NULL;
long long unsigned int rndname;
@@ -512,9 +512,12 @@ static bool mag_auth_basic(request_rec *req,
gss_OID_set allowed_mechs;
gss_OID_set filtered_mechs;
gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
+ gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
+ gss_name_t client = GSS_C_NO_NAME;
+ uint32_t vtime;
uint32_t maj, min;
int present = 0;
- bool ret = false;
+ int ret = HTTP_UNAUTHORIZED;
maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user);
if (GSS_ERROR(maj)) {
@@ -616,15 +619,21 @@ static bool mag_auth_basic(request_rec *req,
for (int i = 0; i < actual_mechs->count; i++) {
maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,
- &actual_mechs->elements[i], 300, client, vtime,
- delegated_cred);
+ &actual_mechs->elements[i], 300, &client,
+ &vtime, &delegated_cred);
if (maj == GSS_S_COMPLETE) {
- ret = true;
+ ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],
+ vtime, delegated_cred);
+ if (ret == OK) {
+ mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
+ }
break;
}
}
done:
+ gss_release_cred(&min, &delegated_cred);
+ gss_release_name(&min, &client);
gss_release_cred(&min, &server_cred);
gss_release_name(&min, &user);
gss_release_cred(&min, &user_cred);
@@ -683,10 +692,6 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req)
return req_cfg;
}
-static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
- gss_name_t client, gss_OID mech_type,
- uint32_t vtime, gss_cred_id_t delegated_cred);
-
#ifdef HAVE_CRED_STORE
static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
if (req_cfg->cfg->use_s4u2proxy) {
@@ -1105,15 +1110,7 @@ static int mag_auth(request_rec *req)
#endif
if (auth_type == AUTH_TYPE_BASIC) {
- if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
- &client, &mech_type,
- &delegated_cred, &vtime)) {
-
- ret = mag_complete(req_cfg, mc, client, mech_type, vtime,
- delegated_cred);
- if (ret == OK)
- mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
- }
+ ret = mag_auth_basic(req_cfg, mc, ba_user, ba_pwd);
goto done;
}

198
SOURCES/Move-to-python3-by-default.patch Normal file
View File

@ -0,0 +1,198 @@
From eeca34dc64804a4b771800f54f0e0647ce88bdd4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 13 Oct 2020 10:33:39 -0400
Subject: [PATCH] Move to python3 by default
When moving 2 -> 3, python elected to keep "python" as the name of the
python2 interpreter. As a result, python3-only machines have no
/usr/bin/python. Since python2 is EOL, it should be safe to make our
scripting default to python3.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 840863f89ed4809602f1ca7b8ad650c0b979d20e)
[rharwood@redhat.com: tests that don't exist yet, README prg/prk,
contrib isn't packaged in dist tarballs]
---
README | 4 ++--
tests/magtests.py | 2 +-
tests/t_bad_acceptor_name.py | 2 +-
tests/t_basic_k5.py | 2 +-
tests/t_basic_k5_fail_second.py | 2 +-
tests/t_basic_k5_two_users.py | 2 +-
tests/t_basic_proxy.py | 2 +-
tests/t_basic_timeout.py | 2 +-
tests/t_hostname_acceptor.py | 2 +-
tests/t_nonego.py | 2 +-
tests/t_required_name_attr.py | 2 +-
tests/t_spnego.py | 2 +-
tests/t_spnego_negotiate_once.py | 2 +-
tests/t_spnego_no_auth.py | 2 +-
tests/t_spnego_proxy.py | 2 +-
tests/t_spnego_rewrite.py | 2 +-
16 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/README b/README
index 5eac94f..654a891 100644
--- a/README
+++ b/README
@@ -26,8 +26,8 @@ To run tests, you also need:
* The Kerberos 5 Key-Distribution-Center (`krb5-kdc` package on Debian,
`krb5-server` on Fedora)
-* Packages `mod_session`, `krb5-workstation`, `python-requests-kerberos`,
- and `python-gssapi` on Fedora
+* Packages `mod_session`, `krb5-workstation`, `python3-requests-gssapi`,
+ and `python3-gssapi` on Fedora
* Some tests require `krb5-pkinit` package on fedora and krb5 >= 1.15.
* [nss_wrapper](https://cwrap.org/nss_wrapper.html), packaged in Fedora
* [socket_wrapper](https://cwrap.org/socket_wrapper.html), packaged in Fedora
diff --git a/tests/magtests.py b/tests/magtests.py
index 082c6e4..d0f0a67 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import argparse
diff --git a/tests/t_bad_acceptor_name.py b/tests/t_bad_acceptor_name.py
index 41ee48b..6cee588 100755
--- a/tests/t_bad_acceptor_name.py
+++ b/tests/t_bad_acceptor_name.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_k5.py b/tests/t_basic_k5.py
index e499eac..4b24801 100755
--- a/tests/t_basic_k5.py
+++ b/tests/t_basic_k5.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_k5_fail_second.py b/tests/t_basic_k5_fail_second.py
index 273e9a5..7e53218 100755
--- a/tests/t_basic_k5_fail_second.py
+++ b/tests/t_basic_k5_fail_second.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_k5_two_users.py b/tests/t_basic_k5_two_users.py
index 41ffe98..3d27e9e 100755
--- a/tests/t_basic_k5_two_users.py
+++ b/tests/t_basic_k5_two_users.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_proxy.py b/tests/t_basic_proxy.py
index 5370314..347b802 100755
--- a/tests/t_basic_proxy.py
+++ b/tests/t_basic_proxy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py
index 983dfd2..007ff97 100755
--- a/tests/t_basic_timeout.py
+++ b/tests/t_basic_timeout.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_hostname_acceptor.py b/tests/t_hostname_acceptor.py
index 6d59e85..bb85700 100755
--- a/tests/t_hostname_acceptor.py
+++ b/tests/t_hostname_acceptor.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license.
import sys
diff --git a/tests/t_nonego.py b/tests/t_nonego.py
index 430001a..4e77f80 100755
--- a/tests/t_nonego.py
+++ b/tests/t_nonego.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_required_name_attr.py b/tests/t_required_name_attr.py
index bbfdc19..a67446b 100755
--- a/tests/t_required_name_attr.py
+++ b/tests/t_required_name_attr.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego.py b/tests/t_spnego.py
index e7003a6..04190a9 100755
--- a/tests/t_spnego.py
+++ b/tests/t_spnego.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego_negotiate_once.py b/tests/t_spnego_negotiate_once.py
index e8eb601..3d8e048 100755
--- a/tests/t_spnego_negotiate_once.py
+++ b/tests/t_spnego_negotiate_once.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego_no_auth.py b/tests/t_spnego_no_auth.py
index abcccdf..c564388 100755
--- a/tests/t_spnego_no_auth.py
+++ b/tests/t_spnego_no_auth.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py
index c47558b..b917191 100755
--- a/tests/t_spnego_proxy.py
+++ b/tests/t_spnego_proxy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego_rewrite.py b/tests/t_spnego_rewrite.py
index 2ed1d3e..202d76a 100755
--- a/tests/t_spnego_rewrite.py
+++ b/tests/t_spnego_rewrite.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os

166
SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch Normal file
View File

@ -0,0 +1,166 @@
From bd2f8d20c589feae7249ccca28199d826d007667 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Thu, 6 Aug 2020 13:55:45 +0300
Subject: [PATCH] tests: Don't override the specific environment by the global
one
This changes the way in which a test environment is prepared.
Before:
specific -> global
After:
global -> specific
In particular, this allows setting PATH env variable differed from
the global configuration.
Fixes: https://github.com/gssapi/mod_auth_gssapi/issues/226
Signed-off-by: Stanislav Levin <slev@altlinux.org>
(cherry picked from commit 731761e63d72bf5656f40340daafce4e2d34bd92)
---
tests/magtests.py | 78 +++++++++++++++++++++++++++++------------------
1 file changed, 48 insertions(+), 30 deletions(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index 1c0b26a..e04fa65 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -310,11 +310,13 @@ def setup_kdc(testdir, wrapenv):
with open(kdcconf, 'w+') as f:
f.write(text)
- kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
- 'KRB5_CONFIG': krb5conf,
- 'KRB5_KDC_PROFILE': kdcconf,
- 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
- kdcenv.update(wrapenv)
+ kdcenv = wrapenv.copy()
+ kdcenv.update({
+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
+ 'KRB5_CONFIG': krb5conf,
+ 'KRB5_KDC_PROFILE': kdcconf,
+ 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
+ })
logfile = open(testlog, 'a')
ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
@@ -383,8 +385,10 @@ def setup_keys(tesdir, env):
cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
kadmin_local(cmd, env, logfile)
- keys_env = {"KRB5_KTNAME": svc_keytab, }
- keys_env.update(env)
+ keys_env = env.copy()
+ keys_env.update({
+ "KRB5_KTNAME": svc_keytab,
+ })
return keys_env
@@ -421,10 +425,12 @@ def setup_http(testdir, so_dir, wrapenv):
shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
- httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
- 'MALLOC_CHECK_': '3',
- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
- httpenv.update(wrapenv)
+ httpenv = wrapenv.copy()
+ httpenv.update({
+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
+ 'MALLOC_CHECK_': '3',
+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
+ })
httpd = "httpd" if distro == "Fedora" else "apache2"
httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
@@ -435,8 +441,10 @@ def setup_http(testdir, so_dir, wrapenv):
def kinit_user(testdir, kdcenv):
testlog = os.path.join(testdir, 'kinit.log')
ccache = os.path.join(testdir, 'k5ccache')
- testenv = {'KRB5CCNAME': ccache}
- testenv.update(kdcenv)
+ testenv = kdcenv.copy()
+ testenv.update({
+ 'KRB5CCNAME': ccache,
+ })
with (open(testlog, 'a')) as logfile:
kinit = subprocess.Popen(["kinit", USR_NAME],
@@ -457,8 +465,10 @@ def kinit_certuser(testdir, kdcenv):
pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT)
pkinit_key = os.path.join(testdir, PKINIT_KEY)
ident = "X509_user_identity=FILE:" + pkinit_user_cert + "," + pkinit_key
- testenv = {'KRB5CCNAME': ccache}
- testenv.update(kdcenv)
+ testenv = kdcenv.copy()
+ testenv.update({
+ 'KRB5CCNAME': ccache,
+ })
with (open(testlog, 'a')) as logfile:
logfile.write('PKINIT for maguser3\n')
kinit = subprocess.Popen(["kinit", USR_NAME_3, "-X", ident],
@@ -711,17 +721,21 @@ def faketime_setup(testenv):
raise NotImplementedError
# spedup x100
- fakeenv = {'FAKETIME': '+0 x100'}
- fakeenv.update(testenv)
- fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime))
+ fakeenv = testenv.copy()
+ fakeenv.update({
+ 'FAKETIME': '+0 x100',
+ 'LD_PRELOAD': ' '.join((testenv['LD_PRELOAD'], libfaketime)),
+ })
return fakeenv
def http_restart(testdir, so_dir, testenv):
- httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
- 'MALLOC_CHECK_': '3',
- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
- httpenv.update(testenv)
+ httpenv = testenv.copy()
+ httpenv.update({
+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
+ 'MALLOC_CHECK_': '3',
+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
+ })
httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
config = os.path.join(testdir, 'httpd', 'httpd.conf')
@@ -776,11 +790,13 @@ if __name__ == '__main__':
sys.stderr.write("krb5 PKINIT module not found, skipping name "
"attribute tests\n")
- testenv = {'MAG_USER_NAME': USR_NAME,
- 'MAG_USER_PASSWORD': USR_PWD,
- 'MAG_USER_NAME_2': USR_NAME_2,
- 'MAG_USER_PASSWORD_2': USR_PWD_2}
- testenv.update(kdcenv)
+ testenv = kdcenv.copy()
+ testenv.update({
+ 'MAG_USER_NAME': USR_NAME,
+ 'MAG_USER_PASSWORD': USR_PWD,
+ 'MAG_USER_NAME_2': USR_NAME_2,
+ 'MAG_USER_PASSWORD_2': USR_PWD_2,
+ })
errs += test_basic_auth_krb5(testdir, testenv, logfile)
@@ -789,9 +805,11 @@ if __name__ == '__main__':
# After this point we need to speed up httpd to test creds timeout
try:
fakeenv = faketime_setup(kdcenv)
- timeenv = {'TIMEOUT_USER': USR_NAME_4,
- 'MAG_USER_PASSWORD': USR_PWD}
- timeenv.update(fakeenv)
+ timeenv = fakeenv.copy()
+ timeenv.update({
+ 'TIMEOUT_USER': USR_NAME_4,
+ 'MAG_USER_PASSWORD': USR_PWD,
+ })
curporc = httpproc
pid = processes['HTTPD(%d)' % httpproc.pid].pid
os.killpg(pid, signal.SIGTERM)

87
SOURCES/tests-Fixup-virtualenv-handling.patch Normal file
View File

@ -0,0 +1,87 @@
From f106e3afa21cdbc098d3c82698585744e3325621 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 May 2020 15:56:50 -0400
Subject: [PATCH] [tests] Fixup virtualenv handling
Fixes an issue where virtualenv's PATH would get lost
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit e60384c0d4d4b4c213ec728ec3d444f998625941)
---
tests/magtests.py | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index 6c38a8f..1c0b26a 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -67,6 +67,12 @@ def setup_wrappers(base):
return wenv
+def apply_venv(env):
+ env['PATH'] = os.environ.get('PATH', '')
+ env['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
+ return env
+
+
TESTREALM = "MAG.DEV"
KDC_DBNAME = 'db.file'
KDC_STASH = 'stash.file'
@@ -304,7 +310,7 @@ def setup_kdc(testdir, wrapenv):
with open(kdcconf, 'w+') as f:
f.write(text)
- kdcenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
'KRB5_CONFIG': krb5conf,
'KRB5_KDC_PROFILE': kdcconf,
'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
@@ -415,7 +421,7 @@ def setup_http(testdir, so_dir, wrapenv):
shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
'MALLOC_CHECK_': '3',
'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
httpenv.update(wrapenv)
@@ -712,8 +718,7 @@ def faketime_setup(testenv):
def http_restart(testdir, so_dir, testenv):
-
- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
'MALLOC_CHECK_': '3',
'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
httpenv.update(testenv)
@@ -738,7 +743,7 @@ if __name__ == '__main__':
logfile = open(os.path.join(testdir, 'tests.log'), 'w')
errs = 0
try:
- wrapenv = setup_wrappers(testdir)
+ wrapenv = apply_venv(setup_wrappers(testdir))
kdcproc, kdcenv = setup_kdc(testdir, wrapenv)
processes['KDC(%d)' % kdcproc.pid] = kdcproc
@@ -749,10 +754,6 @@ if __name__ == '__main__':
keysenv = setup_keys(testdir, kdcenv)
testenv = kinit_user(testdir, kdcenv)
- # support virtualenv
- testenv['PATH'] = os.environ.get('PATH', '')
- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-
testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
USR_NAME + '@' + TESTREALM)
errs += test_spnego_auth(testdir, testenv, logfile)
@@ -780,8 +781,6 @@ if __name__ == '__main__':
'MAG_USER_NAME_2': USR_NAME_2,
'MAG_USER_PASSWORD_2': USR_PWD_2}
testenv.update(kdcenv)
- testenv['PATH'] = os.environ.get('PATH', '')
- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
errs += test_basic_auth_krb5(testdir, testenv, logfile)

35
SOURCES/tests-Support-Debian-s-libfaketime.patch Normal file
View File

@ -0,0 +1,35 @@
From 27f7ca84a5a05f65e6d113a8a6698c7f40fd66c6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 May 2020 15:51:19 -0400
Subject: [PATCH] [tests] Support Debian's libfaketime
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 367120a1c02641680a8f51bd59cc96d56cc9804b)
---
tests/magtests.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index da1cca7..6c38a8f 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -692,9 +692,16 @@ def test_hostname_acceptor(testdir, testenv, logfile):
def faketime_setup(testenv):
- libfaketime = '/usr/lib64/faketime/libfaketime.so.1'
- # optional faketime
- if not os.path.isfile(libfaketime):
+ # Wanted: an architecture- and distro-agnostic way to do this.
+ # libfaketime is installed in a place where ld.so won't pick it up by
+ # default, so...
+ paths = ['/usr/lib64/faketime/libfaketime.so.1',
+ '/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1']
+ libfaketime = None
+ for p in paths:
+ if os.path.isfile(p):
+ libfaketime = p
+ if not libfaketime:
raise NotImplementedError
# spedup x100

18
SPECS/mod_auth_gssapi.spec
View File

@ -1,6 +1,6 @@
Name: mod_auth_gssapi
Version: 1.6.1
Release: 6%{?dist}
Release: 7.1%{?dist}
Summary: A GSSAPI Authentication module for Apache
Group: System Environment/Daemons
@ -12,6 +12,14 @@ Patch0: In-tests-show-the-exception-on-failure.patch
Patch1: Fix-tests-to-work-with-python3.patch
Patch2: tests-Test-suite-fixes-for-virtualenv-and-clang.patch
Patch3: Fix-integer-sizes-used-with-ap_set_flag_slot.patch
Patch4: Fix-mag_auth_basic-function-call.patch
Patch6: Fix-distcheck.patch
Patch7: Add-option-to-control-timeout-for-Basic-Auth.patch
Patch8: tests-Support-Debian-s-libfaketime.patch
Patch9: tests-Fixup-virtualenv-handling.patch
Patch10: tests-Don-t-override-the-specific-environment-by-the.patch
Patch11: Fix-PATH-handling-bug-in-test-suite.patch
Patch12: Move-to-python3-by-default.patch
BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool
BuildRequires: gssntlmssp-devel
@ -49,6 +57,14 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
%{_httpd_moddir}/mod_auth_gssapi.so
%changelog
* Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> 1.6.1-7.1
- Bang on gating until the environment gives up
- Resolves: #1866149
* Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> - 1.6.1-7
- Backport basic auth timeout control
- Resolves: #1866149
* Fri Mar 22 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-6
- Gating update
- Resolves: #1682259