rpms/mod_auth_gssapi
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10-beta
rpms:c10s
rpms:c8s
rpms:c8-beta
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:imports/c10-beta/mod_auth_gssapi-1.6.5-5.el10
rpms:imports/c10s/mod_auth_gssapi-1.6.5-8.el10
rpms:imports/c10s/mod_auth_gssapi-1.6.5-1.el10
rpms:imports/c10s/mod_auth_gssapi-1.6.5-7.el10
rpms:imports/c8/mod_auth_gssapi-1.6.1-9.el8
rpms:imports/c8-beta/mod_auth_gssapi-1.6.1-9.el8
rpms:imports/c8s/mod_auth_gssapi-1.6.1-9.el8
rpms:imports/c9/mod_auth_gssapi-1.6.3-7.el9
rpms:imports/c8s/mod_auth_gssapi-1.6.1-8.el8
rpms:imports/c9-beta/mod_auth_gssapi-1.6.3-7.el9
rpms:imports/c8-beta/mod_auth_gssapi-1.6.1-7.1.el8
rpms:imports/c8-beta/mod_auth_gssapi-1.6.1-6.el8
rpms:imports/c8s/mod_auth_gssapi-1.6.1-7.1.el8
rpms:imports/c8/mod_auth_gssapi-1.6.1-7.1.el8
rpms:imports/c8/mod_auth_gssapi-1.6.1-6.el8
rpms:imports/c8/mod_auth_gssapi-1.6.1-2.el8
...
pull from: rpms:c9
Branches Tags
rpms:c10-beta
rpms:c10s
rpms:c8s
rpms:c8
rpms:c8-beta
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:imports/c10-beta/mod_auth_gssapi-1.6.5-5.el10
rpms:imports/c10s/mod_auth_gssapi-1.6.5-8.el10
rpms:imports/c10s/mod_auth_gssapi-1.6.5-1.el10
rpms:imports/c10s/mod_auth_gssapi-1.6.5-7.el10
rpms:imports/c8/mod_auth_gssapi-1.6.1-9.el8
rpms:imports/c8-beta/mod_auth_gssapi-1.6.1-9.el8
rpms:imports/c8s/mod_auth_gssapi-1.6.1-9.el8
rpms:imports/c9/mod_auth_gssapi-1.6.3-7.el9
rpms:imports/c8s/mod_auth_gssapi-1.6.1-8.el8
rpms:imports/c9-beta/mod_auth_gssapi-1.6.3-7.el9
rpms:imports/c8-beta/mod_auth_gssapi-1.6.1-7.1.el8
rpms:imports/c8-beta/mod_auth_gssapi-1.6.1-6.el8
rpms:imports/c8s/mod_auth_gssapi-1.6.1-7.1.el8
rpms:imports/c8/mod_auth_gssapi-1.6.1-7.1.el8
rpms:imports/c8/mod_auth_gssapi-1.6.1-6.el8
rpms:imports/c8/mod_auth_gssapi-1.6.1-2.el8

No commits in common. "c8" and "c9" have entirely different histories.
c8 ... c9

20 changed files with 93 additions and 1796 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/mod_auth_gssapi-1.6.1.tar.gz SOURCES/mod_auth_gssapi-1.6.3.tar.gz

2
.mod_auth_gssapi.metadata
View File

@ -1 +1 @@
5dfc4eef25efad5313724bd6a1e55266a6667302 SOURCES/mod_auth_gssapi-1.6.1.tar.gz 7ee7ca772b2fbfedbb98a7dc59edeb7bede27bf0 SOURCES/mod_auth_gssapi-1.6.3.tar.gz

262
SOURCES/Add-ability-to-expose-the-used-mechanism.patch
View File

@ -1,262 +0,0 @@
From 46caec4def9fd8df21e560db065b755e1d87354d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 6 May 2022 22:54:45 +0200
Subject: [PATCH 1/2] Add-ability-to-expose-the-used-mechanism.patch
---
README | 15 +++++++++++++++
src/environ.c | 39 +++++++++++++++++++++++++++++++++++++++
src/environ.h | 2 ++
src/mod_auth_gssapi.c | 7 +++++++
src/mod_auth_gssapi.h | 1 +
tests/Makefile.am | 4 +++-
tests/httpd.conf | 15 +++++++++++++++
tests/magtests.py | 18 ++++++++++++++++++
tests/mech.html | 1 +
tests/t_mech_name.py | 19 +++++++++++++++++++
10 files changed, 120 insertions(+), 1 deletion(-)
create mode 100644 tests/mech.html
create mode 100755 tests/t_mech_name.py
diff --git a/README b/README
index 654a8918cc1cd078d84b8e571596444e262e83af..bbf2657d47c9b111e20fdc2b76fde8799c76e3cd 100644
--- a/README
+++ b/README
@@ -109,6 +109,7 @@ Configuration Directives
[GssapiNameAttributes](#gssapinameattributes)<br>
[GssapiNegotiateOnce](#gssapinegotiateonce)<br>
[GssapiPublishErrors](#gssapipublisherrors)<br>
+[GssapiPublishMech](#gssapipublishmech)<br>
[GssapiRequiredNameAttributes](#gssapirequirednameattributes)<br>
[GssapiSessionKey](#gssapisessionkey)<br>
[GssapiSignalPersistentAuth](#gssapisignalpersistentauth)<br>
@@ -527,3 +528,17 @@ Note: the value is specified in seconds.
Sets ticket/session validity to 10 hours.
+### GssapiPublishMech
+
+This option is used to publish the mech used for authentication as an
+Environment variable named GSS_MECH.
+
+It will return a string of the form 'Authtype/Mechname'.
+Authtype represents the type of auth performed by the module. Possible values
+are 'Basic', 'Negotiate', 'NTLM', 'Impersonate'.
+Mechname is the name of the mechanism as reported by GSSAPI or the OID of the
+mechanism if a name is not available. In case of errors the 'Unavailable'
+string may also be returned for either Authtype or Mechname.
+
+- **Enable with:** GssapiPublishMech On
+- **Default:** GssapiPublishMech Off
\ No newline at end of file
diff --git a/src/environ.c b/src/environ.c
index 7ee56a1ba434d5c1041968fb3f64191340cb0ea7..71a8564284cafa62c4cbeaf7ab8484a48c064e66 100644
--- a/src/environ.c
+++ b/src/environ.c
@@ -498,3 +498,42 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min,
if (mag_err)
apr_table_set(req->subprocess_env, "MAG_ERROR", mag_err);
}
+
+
+void mag_publish_mech(request_rec *req, struct mag_conn *mc,
+ const char *auth_type, gss_OID mech_type)
+{
+ gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc mech_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc mech_description = GSS_C_EMPTY_BUFFER;
+ char *mechdata;
+ uint32_t maj, min;
+
+ maj = gss_inquire_saslname_for_mech(&min, mech_type, &sasl_mech_name,
+ &mech_name, &mech_description);
+ if (maj != GSS_S_COMPLETE) {
+ /* something failed, let's try to get a string OID */
+ /* and if that fails there is nothing we can do */
+ maj = gss_oid_to_str(&min, mech_type, &mech_name);
+ if (maj != GSS_S_COMPLETE) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
+ "Failed to source mechanism name or OID");
+ mech_name.value = strdup("Unavailable");
+ mech_name.length = strlen(mech_name.value);
+ }
+ }
+
+ mechdata = apr_psprintf(req->pool, "%s/%.*s", auth_type,
+ (int)mech_name.length,
+ (char *)mech_name.value);
+
+ apr_table_set(mc->env, "GSS_MECH", mechdata);
+
+ /* also log at info level */
+ ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
+ "User %s authenticated with %s", mc->gss_name, mechdata);
+
+ (void)gss_release_buffer(&min, &sasl_mech_name);
+ (void)gss_release_buffer(&min, &mech_name);
+ (void)gss_release_buffer(&min, &mech_description);
+}
diff --git a/src/environ.h b/src/environ.h
index 40bca9877f600246d19a3bf4be370310636ce6c7..b0813da6508df7c5594b51cada7712dc44393e44 100644
--- a/src/environ.h
+++ b/src/environ.h
@@ -18,3 +18,5 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min,
const char *gss_err, const char *mag_err);
void mag_set_req_attr_fail(request_rec *req, struct mag_config *cfg,
struct mag_conn *mc);
+void mag_publish_mech(request_rec *req, struct mag_conn *mc,
+ const char *auth_type, gss_OID mech_type);
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index c91aa60707ba9b237a84f95670d483f1a7eab86b..93c43308585cf140297de82e118a367f69d25a92 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -1289,6 +1289,10 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
mc->user_name = apr_pstrdup(mc->pool, mc->gss_name);
}
+ if (cfg->pubmech) {
+ mag_publish_mech(req, mc, mag_str_auth_type(mc->auth_type), mech_type);
+ }
+
mc->established = true;
if (req_cfg->use_sessions) {
mag_attempt_session(req_cfg, mc);
@@ -1894,6 +1898,9 @@ static const command_rec mag_commands[] = {
AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot,
(void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG,
"Publish GSSAPI Errors in Envionment Variables"),
+ AP_INIT_FLAG("GssapiPublishMech", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(struct mag_config, pubmech), OR_AUTHCFG,
+ "Publish GSSAPI Mech Name in Envionment Variables"),
AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG,
"Name of the acceptor credentials."),
AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL,
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 2312ab57f4b2e0bd50f191018b081a3ecb86f15a..8ab3bdc57be793cc493176c02910219e905900e9 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -91,6 +91,7 @@ struct mag_config {
struct mag_name_attributes *name_attributes;
const char *required_na_expr;
int enverrs;
+ int pubmech;
gss_name_t acceptor_name;
bool acceptor_name_from_req;
uint32_t basic_timeout;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c830e951d04316e4cbc76fa3b5961baedb516ec6..2ddb46ea30e6ebf9ff0b30278c609178d02c1efc 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -6,14 +6,16 @@ EXTRA_DIST = \
index.html \
localname.html \
magtests.py \
+ mech.html \
t_bad_acceptor_name.py \
t_basic_k5_fail_second.py \
t_basic_k5.py \
t_basic_k5_two_users.py \
t_basic_proxy.py \
t_basic_timeout.py \
- t_localname.py \
t_hostname_acceptor.py \
+ t_localname.py \
+ t_mech_name.py \
t_nonego.py \
t_required_name_attr.py \
t_spnego_negotiate_once.py \
diff --git a/tests/httpd.conf b/tests/httpd.conf
index b3777574d9f0547560f24eff992fc1018569b5cc..775294b7d600e82c3955316a2d5b667c8b3c5581 100644
--- a/tests/httpd.conf
+++ b/tests/httpd.conf
@@ -331,3 +331,18 @@ CoreDumpDirectory "{HTTPROOT}"
GssapiSessionKey file:{HTTPROOT}/session.key
Require valid-user
</Location>
+
+<Location /mech_name>
+ Options +Includes
+ AddOutputFilter INCLUDES .html
+ AuthType GSSAPI
+ AuthName "Password Login"
+ GssapiSSLonly Off
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
+ GssapiBasicAuth On
+ GssapiBasicAuthMech krb5
+ GssapiPublishMech On
+ Require valid-user
+</Location>
\ No newline at end of file
diff --git a/tests/magtests.py b/tests/magtests.py
index d100413b371e7ecf4e09d944b7ff6e9bec7e316f..9aba68f826a37a890bfefb62665697eef7d07dfa 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -786,6 +786,22 @@ def test_gss_localname(testdir, testenv, logfile):
return error_count
+def test_mech_name(testdir, testenv, logfile):
+ basicdir = os.path.join(testdir, 'httpd', 'html', 'mech_name')
+ os.mkdir(basicdir)
+ shutil.copy('tests/mech.html', basicdir)
+
+ mname = subprocess.Popen(["tests/t_mech_name.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ mname.wait()
+ if mname.returncode != 0:
+ sys.stderr.write('MECH-NAME: FAILED\n')
+ return 1
+ sys.stderr.write('MECH-NAME: SUCCESS\n')
+ return 0
+
+
if __name__ == '__main__':
args = parse_args()
@@ -847,6 +863,8 @@ if __name__ == '__main__':
errs += test_no_negotiate(testdir, testenv, logfile)
+ errs += test_mech_name(testdir, testenv, logfile)
+
# After this point we need to speed up httpd to test creds timeout
try:
fakeenv = faketime_setup(kdcenv)
diff --git a/tests/mech.html b/tests/mech.html
new file mode 100644
index 0000000000000000000000000000000000000000..bb7b3cd5278f055e278a7dfde73c15aa400a6a17
--- /dev/null
+++ b/tests/mech.html
@@ -0,0 +1 @@
+<!--#echo var="GSS_MECH" -->
diff --git a/tests/t_mech_name.py b/tests/t_mech_name.py
new file mode 100755
index 0000000000000000000000000000000000000000..69f451f2bbe58a16f61418f96eca26e7994bcb8a
--- /dev/null
+++ b/tests/t_mech_name.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+if __name__ == '__main__':
+ url = 'http://%s/mech_name/mech.html' % os.environ['NSS_WRAPPER_HOSTNAME']
+ r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'],
+ os.environ['MAG_USER_PASSWORD']))
+ if r.status_code != 200:
+ raise ValueError('Basic Auth Failed')
+
+ if r.text.rstrip() != 'Basic/krb5':
+ raise ValueError(
+ 'GSS_MECH check failed, expected Basic/krb5, got "%s"' %
+ r.text.rstrip())
--
2.35.3

372
SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch
View File

@ -1,372 +0,0 @@
From b4ddd657ccc7793df9378209433f0142195a94d1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 14 May 2020 09:19:37 -0400
Subject: [PATCH] Add option to control timeout for Basic Auth
Adds new option and tests.
Adds optional dependency on libfaketime to test this feature.
Fixes: #210
Signed-off-by: Simo Sorce <simo@redhat.com>
Merges: #217
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 09df7584b4abadbfea411adafdcc825da5b720d3)
[rharwood@redhat.com: git got confused by not having localname test]
---
README | 24 +++++++++++++
src/mod_auth_gssapi.c | 27 +++++++++++---
src/mod_auth_gssapi.h | 1 +
tests/Makefile.am | 1 +
tests/httpd.conf | 32 ++++++++++++++++-
tests/magtests.py | 76 ++++++++++++++++++++++++++++++++++++++++
tests/t_basic_timeout.py | 34 ++++++++++++++++++
7 files changed, 190 insertions(+), 5 deletions(-)
create mode 100755 tests/t_basic_timeout.py
diff --git a/README b/README
index 700b57e..5eac94f 100644
--- a/README
+++ b/README
@@ -97,6 +97,7 @@ Configuration Directives
[GssapiAllowedMech](#gssapiallowedmech)<br>
[GssapiBasicAuth](#gssapibasicauth)<br>
[GssapiBasicAuthMech](#gssapibasicauthmech)<br>
+[GssapiBasicTicketTimeout](#gssapibasicticketvalidity)<br>
[GssapiConnectionBound](#gssapiconnectionbound)<br>
[GssapiCredStore](#gssapicredstore)<br>
[GssapiDelegCcacheDir](#gssapidelegccachedir)<br>
@@ -503,3 +504,26 @@ Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example).
GssapiAcceptorName HTTP@www.example.com
+### GssapiBasicTicketTimeout
+
+This option controls the ticket validity time requested for the user TGT by the
+Basic Auth method.
+
+Normally basic auth is repeated by the browser on each request so a short
+validity period is used to reduce the scope of the ticket as it will be
+replaced quickly.
+However in cases where the authentication page is separate and the session
+is used by other pages the validity can be changed to arbitrary duration.
+
+Note: the validity of a ticket is still capped by KDC configuration.
+
+Note: the value is specified in seconds.
+
+- **Default:** GssapiBasicTicketTimeout 300
+
+#### Example
+ GssapiBasicTicketTimeout 36000
+
+Sets ticket/session validity to 10 hours.
+
+
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 9e42ef4..b099973 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -1,4 +1,5 @@
-/* Copyright (C) 2014, 2016 mod_auth_gssapi contributors - See COPYING for (C) terms */
+/* Copyright (C) 2014, 2016, 2020 mod_auth_gssapi contributors
+ * See COPYING for (C) terms */
#include "mod_auth_gssapi.h"
#include "mag_parse.h"
@@ -600,7 +601,7 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
}
maj = gss_acquire_cred_with_password(&min, user, &ba_pwd,
- GSS_C_INDEFINITE,
+ cfg->basic_timeout,
allowed_mechs,
GSS_C_INITIATE,
&user_cred, &actual_mechs, NULL);
@@ -619,8 +620,8 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
for (int i = 0; i < actual_mechs->count; i++) {
maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,
- &actual_mechs->elements[i], 300, &client,
- &vtime, &delegated_cred);
+ &actual_mechs->elements[i], cfg->basic_timeout,
+ &client, &vtime, &delegated_cred);
if (maj == GSS_S_COMPLETE) {
ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],
vtime, delegated_cred);
@@ -1299,6 +1300,7 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir)
#ifdef HAVE_CRED_STORE
cfg->ccname_envvar = "KRB5CCNAME";
#endif
+ cfg->basic_timeout = 300;
return cfg;
}
@@ -1789,6 +1791,21 @@ static const char *mag_acceptor_name(cmd_parms *parms, void *mconfig,
return NULL;
}
+static const char *mag_basic_timeout(cmd_parms *parms, void *mconfig,
+ const char *w)
+{
+ struct mag_config *cfg = (struct mag_config *)mconfig;
+ unsigned long int value;
+
+ value = strtoul(w, NULL, 10);
+ if (value >= UINT32_MAX) {
+ cfg->basic_timeout = GSS_C_INDEFINITE;
+ return NULL;
+ }
+ cfg->basic_timeout = value;
+ return NULL;
+}
+
static void *mag_create_server_config(apr_pool_t *p, server_rec *s)
{
struct mag_server_config *scfg;
@@ -1865,6 +1882,8 @@ static const command_rec mag_commands[] = {
"Publish GSSAPI Errors in Envionment Variables"),
AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG,
"Name of the acceptor credentials."),
+ AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL,
+ OR_AUTHCFG, "Ticket Validity Timeout with Basic Auth."),
{ NULL }
};
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 8c0b972..2312ab5 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -93,6 +93,7 @@ struct mag_config {
int enverrs;
gss_name_t acceptor_name;
bool acceptor_name_from_req;
+ uint32_t basic_timeout;
};
struct mag_server_config {
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 16d87e9..c830e95 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -11,6 +11,7 @@ EXTRA_DIST = \
t_basic_k5.py \
t_basic_k5_two_users.py \
t_basic_proxy.py \
+ t_basic_timeout.py \
t_localname.py \
t_hostname_acceptor.py \
t_nonego.py \
diff --git a/tests/httpd.conf b/tests/httpd.conf
index 8c91e1c..f76f2b6 100644
--- a/tests/httpd.conf
+++ b/tests/httpd.conf
@@ -111,7 +111,7 @@ DocumentRoot "{HTTPROOT}/html"
PidFile "{HTTPROOT}/logs/httpd.pid"
<IfModule log_config_module>
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\" \"%{{Cookie}}i\"" combined
CustomLog "logs/access_log" combined
</IfModule>
@@ -288,3 +288,33 @@ CoreDumpDirectory "{HTTPROOT}"
Require valid-user
</Proxy>
</VirtualHost>
+
+<Location /basic_auth_timeout/auth>
+ Options +Includes
+ AddOutputFilter INCLUDES .html
+ AuthType GSSAPI
+ AuthName "Password Login"
+ GssapiSSLonly Off
+ GssapiUseSessions On
+ Session On
+ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly
+ GssapiSessionKey file:{HTTPROOT}/session.key
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
+ GssapiBasicAuth On
+ GssapiBasicAuthMech krb5
+ GssapiBasicTicketTimeout 400
+ GssapiDelegCcacheDir {HTTPROOT}
+ Require valid-user
+</Location>
+<Location /basic_auth_timeout/session>
+ Options +Includes
+ AddOutputFilter INCLUDES .html
+ AuthType GSSAPI
+ AuthName "Session Login"
+ GssapiSSLonly Off
+ GssapiUseSessions On
+ Session On
+ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly
+ GssapiSessionKey file:{HTTPROOT}/session.key
+ Require valid-user
+</Location>
diff --git a/tests/magtests.py b/tests/magtests.py
index a4842a0..da1cca7 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -3,11 +3,13 @@
import argparse
import os
+import os.path
import random
import shutil
import signal
import subprocess
import sys
+import time
import traceback
# check that we can import requests (for use in test scripts)
@@ -341,6 +343,7 @@ USR_PWD_2 = "magpwd2"
USR_NAME_3 = "maguser3"
SVC_KTNAME = "httpd/http.keytab"
KEY_TYPE = "aes256-cts-hmac-sha1-96:normal"
+USR_NAME_4 = "timeoutusr"
def setup_keys(tesdir, env):
@@ -361,6 +364,9 @@ def setup_keys(tesdir, env):
cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
kadmin_local(cmd, env, logfile)
+ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4)
+ kadmin_local(cmd, env, logfile)
+
# alias for multinamed hosts testing
alias_name = "HTTP/%s" % WRAP_ALIASNAME
cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
@@ -600,6 +606,30 @@ def test_basic_auth_krb5(testdir, testenv, logfile):
return error_count
+def test_basic_auth_timeout(testdir, testenv, logfile):
+ httpdir = os.path.join(testdir, 'httpd')
+ timeoutdir = os.path.join(httpdir, 'html', 'basic_auth_timeout')
+ os.mkdir(timeoutdir)
+ authdir = os.path.join(timeoutdir, 'auth')
+ os.mkdir(authdir)
+ sessdir = os.path.join(timeoutdir, 'session')
+ os.mkdir(sessdir)
+ shutil.copy('tests/index.html', os.path.join(authdir))
+ shutil.copy('tests/index.html', os.path.join(sessdir))
+
+ basictout = subprocess.Popen(["tests/t_basic_timeout.py"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ basictout.wait()
+ if basictout.returncode != 0:
+ sys.stderr.write('BASIC Timeout Behavior: FAILED\n')
+ return 1
+ else:
+ sys.stderr.write('BASIC Timeout Behavior: SUCCESS\n')
+
+ return 0
+
+
def test_bad_acceptor_name(testdir, testenv, logfile):
bandir = os.path.join(testdir, 'httpd', 'html', 'bad_acceptor_name')
os.mkdir(bandir)
@@ -661,6 +691,33 @@ def test_hostname_acceptor(testdir, testenv, logfile):
return 0
+def faketime_setup(testenv):
+ libfaketime = '/usr/lib64/faketime/libfaketime.so.1'
+ # optional faketime
+ if not os.path.isfile(libfaketime):
+ raise NotImplementedError
+
+ # spedup x100
+ fakeenv = {'FAKETIME': '+0 x100'}
+ fakeenv.update(testenv)
+ fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime))
+ return fakeenv
+
+
+def http_restart(testdir, so_dir, testenv):
+
+ httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ 'MALLOC_CHECK_': '3',
+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
+ httpenv.update(testenv)
+
+ httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
+ config = os.path.join(testdir, 'httpd', 'httpd.conf')
+ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+ env=httpenv, preexec_fn=os.setsid)
+ return httpproc
+
+
if __name__ == '__main__':
args = parse_args()
@@ -722,6 +779,25 @@ if __name__ == '__main__':
errs += test_basic_auth_krb5(testdir, testenv, logfile)
errs += test_no_negotiate(testdir, testenv, logfile)
+
+ # After this point we need to speed up httpd to test creds timeout
+ try:
+ fakeenv = faketime_setup(kdcenv)
+ timeenv = {'TIMEOUT_USER': USR_NAME_4,
+ 'MAG_USER_PASSWORD': USR_PWD}
+ timeenv.update(fakeenv)
+ curporc = httpproc
+ pid = processes['HTTPD(%d)' % httpproc.pid].pid
+ os.killpg(pid, signal.SIGTERM)
+ time.sleep(1)
+ del processes['HTTPD(%d)' % httpproc.pid]
+ httpproc = http_restart(testdir, so_dir, timeenv)
+ processes['HTTPD(%d)' % httpproc.pid] = httpproc
+
+ errs += test_basic_auth_timeout(testdir, timeenv, logfile)
+ except NotImplementedError:
+ sys.stderr.write('BASIC Timeout Behavior: SKIPPED\n')
+
except Exception:
traceback.print_exc()
finally:
diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py
new file mode 100755
index 0000000..983dfd2
--- /dev/null
+++ b/tests/t_basic_timeout.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+import time
+
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+if __name__ == '__main__':
+ s = requests.Session()
+ url = 'http://{}/basic_auth_timeout/auth/'.format(
+ os.environ['NSS_WRAPPER_HOSTNAME']
+ )
+ url2 = 'http://{}/basic_auth_timeout/session/'.format(
+ os.environ['NSS_WRAPPER_HOSTNAME']
+ )
+
+ r = s.get(url, auth=HTTPBasicAuth(os.environ['TIMEOUT_USER'],
+ os.environ['MAG_USER_PASSWORD']))
+ if r.status_code != 200:
+ raise ValueError('Basic Auth Failed')
+
+ time.sleep(301)
+ r = s.get(url2)
+ if r.status_code != 200:
+ raise ValueError('Session Auth Failed')
+
+ time.sleep(401)
+
+ r = s.get(url2)
+ if r.status_code == 200:
+ raise ValueError('Timeout check Failed')

28
SOURCES/Fix-PATH-handling-bug-in-test-suite.patch
View File

@ -1,28 +0,0 @@
From c26b1aafbb9679b19b630a46eeb35a9dee61a95f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 13 Oct 2020 11:04:00 -0400
Subject: [PATCH] Fix PATH handling bug in test suite
virtualenv relies on its executable being ahead of the system ones. For
setting up the KDC, we don't have a preferencee - we just need the sbins
to be available.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit ae07252e356d8142ddd3987c9c3686ba7ee593de)
---
tests/magtests.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index e04fa65..082c6e4 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -312,7 +312,7 @@ def setup_kdc(testdir, wrapenv):
kdcenv = wrapenv.copy()
kdcenv.update({
- 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
+ 'PATH': f'{wrapenv["PATH"]}:/sbin:/bin:/usr/sbin:/usr/bin',
'KRB5_CONFIG': krb5conf,
'KRB5_KDC_PROFILE': kdcconf,
'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),

31
SOURCES/Fix-distcheck.patch
View File

@ -1,31 +0,0 @@
From 706494bde5c5124621006b857fc55529f9e8e0db Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 14 May 2020 18:04:47 -0400
Subject: [PATCH] Fix distcheck
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit eb6de7e946d7ecc9292bb454d43ac05f0801adf7)
---
tests/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 70754fb..16d87e9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -4,12 +4,14 @@ EXTRA_DIST = \
401.html \
httpd.conf \
index.html \
+ localname.html \
magtests.py \
t_bad_acceptor_name.py \
t_basic_k5_fail_second.py \
t_basic_k5.py \
t_basic_k5_two_users.py \
t_basic_proxy.py \
+ t_localname.py \
t_hostname_acceptor.py \
t_nonego.py \
t_required_name_attr.py \

42
SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
View File

@ -1,42 +0,0 @@
From 2b96860d8cfcf48a54e59e2ca30fc8fdeb2b9d55 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 6 May 2022 22:54:45 +0200
Subject: [PATCH 2/2]
Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
---
tests/t_localname.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/tests/t_localname.py b/tests/t_localname.py
index e990762c42aa9b370ac71292b5019fc63622c240..df94922b52673b5b7fd780ff3f319d22feb348ac 100755
--- a/tests/t_localname.py
+++ b/tests/t_localname.py
@@ -45,13 +45,22 @@ if __name__ == '__main__':
mech = None
if mech_name is not None:
- mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
+ try:
+ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
+ except AttributeError:
+ # older version of gssapi that does not support mechs
+ if mech_name == 'SPNEGO':
+ mech = '<Mechanism spnego (1.3.6.1.5.5.2)>'
+ elif mech_name == 'GS2-KRB5':
+ mech = '<Mechanism krb5 (1.2.840.113554.1.2.2)>'
+ else:
+ sys.exit(42) # SKIP
try:
auth = HTTPSPNEGOAuth(mech=mech)
use_requests(auth)
except TypeError:
- # odler version of requests that does not support mechs
+ # older version of requests that does not support mechs
if mech_name == 'SPNEGO':
use_curl()
elif mech_name == 'GS2-KRB5':
--
2.35.3

39
SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch
View File

@ -1,39 +0,0 @@
From 676ec5fe0b6c7c5126dbf84ef59ec4a5d5f87ede Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 26 Apr 2022 10:23:53 +0200
Subject: [PATCH] Fix gss_localname with SPNEGO wrapping
Fix implemented upstream by Simo
---
src/mod_auth_gssapi.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index b0999737daedf88fa84a9d8b1543bbedc79194ab..c91aa60707ba9b237a84f95670d483f1a7eab86b 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -1264,7 +1264,21 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
#endif
if (cfg->map_to_local) {
+ /* We have to play heuristics here as gss_localname does not work
+ * as expected with SPNEGO-wrapped names.
+ * http://krbdev.mit.edu/rt/Ticket/Display.html?id=8782
+ */
maj = gss_localname(&min, client, mech_type, &lname);
+ if (maj != GSS_S_COMPLETE) {
+ uint32_t sub_maj, sub_min;
+ /* try fallback with no oid */
+ sub_maj = gss_localname(&sub_min, client, GSS_C_NO_OID, &lname);
+ if (sub_maj != GSS_S_UNAVAILABLE) {
+ /* use second call errors only if they are meaningful */
+ maj = sub_maj;
+ min = sub_min;
+ }
+ }
if (maj != GSS_S_COMPLETE) {
mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
"gss_localname() failed");
--
2.35.1

38
SOURCES/Fix-integer-sizes-used-with-ap_set_flag_slot.patch
View File

@ -1,38 +0,0 @@
From d681fe586a4f4258c5d61237511dd19c1fa84904 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 19 Feb 2019 13:55:12 -0500
Subject: [PATCH] Fix integer sizes used with ap_set_flag_slot()
ap_set_flag_slot() requires a field of type `int`. Previously we
passed type `bool` in two places, causing test failures on s390x
because logging was not correctly configured.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit f89b876be5619d750e6ab4ea6e730a9a26b1cac4)
(cherry picked from commit 73c690ca9bd1d470c603f5e1ee48d2384941ae55)
---
src/mod_auth_gssapi.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 71404ff..8c0b972 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -79,7 +79,7 @@ struct mag_config {
gid_t deleg_ccache_gid;
gss_key_value_set_desc *cred_store;
bool deleg_ccache_unique;
- bool s4u2self;
+ int s4u2self;
char *ccname_envvar;
#endif
struct seal_key *mag_skey;
@@ -90,7 +90,7 @@ struct mag_config {
bool negotiate_once;
struct mag_name_attributes *name_attributes;
const char *required_na_expr;
- bool enverrs;
+ int enverrs;
gss_name_t acceptor_name;
bool acceptor_name_from_req;
};

121
SOURCES/Fix-mag_auth_basic-function-call.patch
View File

@ -1,121 +0,0 @@
From 1941fd1545b4786fee9464881239d74a91c55723 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 7 Feb 2019 14:48:56 -0500
Subject: [PATCH] Fix mag_auth_basic function call.
In order to respect the API we'd have to return nech_type as a copy of
the mech found to correctly complete authentication.
It would need to be a copy because the actual_mechs variable is an array
of statically copied OIDs not an array of pointers.
Instead change mag_auth_basic to directly call mag_complete() and
mag_cache_basic on success. This is easier than attempting to handle
copying out OIDs and then freeing them in the caller as GSSAPI does not
offer standard APIs for copying OIDs.
As a side-effect we reduce the number of arguments to mag_auth_gssapi,
which is good, to the slight detriment of legibility in the main
function as now you need to know mag_auth_basic() is already calling
mag_complete(). The trade off is worth it though.
Signed-off-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 318db0b0e3777d4cfdc09eeef98e28c478607271)
---
src/mod_auth_gssapi.c | 47 ++++++++++++++++++++-----------------------
1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 4048ee7..9e42ef4 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -493,15 +493,15 @@ done:
return maj;
}
-static bool mag_auth_basic(request_rec *req,
- struct mag_config *cfg,
- gss_buffer_desc ba_user,
- gss_buffer_desc ba_pwd,
- gss_name_t *client,
- gss_OID *mech_type,
- gss_cred_id_t *delegated_cred,
- uint32_t *vtime)
+static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
+ gss_name_t client, gss_OID mech_type,
+ uint32_t vtime, gss_cred_id_t delegated_cred);
+
+static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
+ gss_buffer_desc ba_user, gss_buffer_desc ba_pwd)
{
+ struct mag_config *cfg = req_cfg->cfg;
+ request_rec *req = req_cfg->req;
const char *user_ccache = NULL;
const char *orig_ccache = NULL;
long long unsigned int rndname;
@@ -512,9 +512,12 @@ static bool mag_auth_basic(request_rec *req,
gss_OID_set allowed_mechs;
gss_OID_set filtered_mechs;
gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
+ gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
+ gss_name_t client = GSS_C_NO_NAME;
+ uint32_t vtime;
uint32_t maj, min;
int present = 0;
- bool ret = false;
+ int ret = HTTP_UNAUTHORIZED;
maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user);
if (GSS_ERROR(maj)) {
@@ -616,15 +619,21 @@ static bool mag_auth_basic(request_rec *req,
for (int i = 0; i < actual_mechs->count; i++) {
maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,
- &actual_mechs->elements[i], 300, client, vtime,
- delegated_cred);
+ &actual_mechs->elements[i], 300, &client,
+ &vtime, &delegated_cred);
if (maj == GSS_S_COMPLETE) {
- ret = true;
+ ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],
+ vtime, delegated_cred);
+ if (ret == OK) {
+ mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
+ }
break;
}
}
done:
+ gss_release_cred(&min, &delegated_cred);
+ gss_release_name(&min, &client);
gss_release_cred(&min, &server_cred);
gss_release_name(&min, &user);
gss_release_cred(&min, &user_cred);
@@ -683,10 +692,6 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req)
return req_cfg;
}
-static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
- gss_name_t client, gss_OID mech_type,
- uint32_t vtime, gss_cred_id_t delegated_cred);
-
#ifdef HAVE_CRED_STORE
static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
if (req_cfg->cfg->use_s4u2proxy) {
@@ -1105,15 +1110,7 @@ static int mag_auth(request_rec *req)
#endif
if (auth_type == AUTH_TYPE_BASIC) {
- if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
- &client, &mech_type,
- &delegated_cred, &vtime)) {
-
- ret = mag_complete(req_cfg, mc, client, mech_type, vtime,
- delegated_cred);
- if (ret == OK)
- mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
- }
+ ret = mag_auth_basic(req_cfg, mc, ba_user, ba_pwd);
goto done;
}

47
SOURCES/Fix-tests-to-work-with-python3.patch
View File

@ -1,47 +0,0 @@
From 613933383aa352bb8f350f43ecb393a0604016cc Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 21 Dec 2018 11:50:16 -0500
Subject: [PATCH] Fix tests to work with python3
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 751eb09e7abf38f49fc525e1616d48a6f951673f)
(cherry picked from commit d2748e79d31f153505f944b09a4790c6231dcd79)
---
tests/magtests.py | 3 ++-
tests/t_spnego_proxy.py | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index 6414503..f14f47a 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -431,7 +431,7 @@ def kinit_user(testdir, kdcenv):
stdin=subprocess.PIPE,
stdout=logfile, stderr=logfile,
env=testenv, preexec_fn=os.setsid)
- kinit.communicate('%s\n' % USR_PWD)
+ kinit.communicate(('%s\n' % USR_PWD).encode("utf8"))
kinit.wait()
if kinit.returncode != 0:
raise ValueError('kinit failed')
@@ -495,6 +495,7 @@ def test_spnego_auth(testdir, testenv, logfile):
else:
sys.stderr.write('SPNEGO No Auth: SUCCESS\n')
+
return error_count
diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py
index 6219721..c47558b 100755
--- a/tests/t_spnego_proxy.py
+++ b/tests/t_spnego_proxy.py
@@ -17,7 +17,7 @@ def getAuthToken(target):
ctx = gssapi.SecurityContext(name=name, mech=spnego_mech)
token = ctx.step()
- return 'Negotiate %s' % b64encode(token)
+ return 'Negotiate %s' % b64encode(token).decode()
if __name__ == '__main__':

43
SOURCES/In-tests-show-the-exception-on-failure.patch
View File

@ -1,43 +0,0 @@
From 3fc1f9f5d7f5a33900572b419ecdfd2d3672ceca Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 21 Dec 2018 10:50:49 -0500
Subject: [PATCH] In tests, show the exception on failure
Otherwise, the user might get nothing at all out, depending on what failed.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 881f98ee08f6d8d7a2352ab2f3e8e38845cf8039)
(cherry picked from commit 1de81677f1878ea1667b56169fe714d685771b4e)
---
tests/magtests.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index 576e88f..6414503 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -8,6 +8,7 @@ import shutil
import signal
import subprocess
import sys
+import traceback
# check that we can import requests (for use in test scripts)
import requests
@@ -207,7 +208,6 @@ def setup_test_certs(testdir, testenv, logfile):
with open(opensslcnf, 'w+') as f:
f.write(text)
- print(pkinit_key)
cmd = subprocess.Popen(["openssl", "genrsa", "-out", pkinit_key,
"2048"], stdout=logfile,
stderr=logfile, env=testenv,
@@ -718,6 +718,8 @@ if __name__ == '__main__':
errs += test_basic_auth_krb5(testdir, testenv, logfile)
errs += test_no_negotiate(testdir, testenv, logfile)
+ except Exception:
+ traceback.print_exc()
finally:
for name in processes:
logfile.write("Killing %s\n" % name)

198
SOURCES/Move-to-python3-by-default.patch
View File

@ -1,198 +0,0 @@
From eeca34dc64804a4b771800f54f0e0647ce88bdd4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 13 Oct 2020 10:33:39 -0400
Subject: [PATCH] Move to python3 by default
When moving 2 -> 3, python elected to keep "python" as the name of the
python2 interpreter. As a result, python3-only machines have no
/usr/bin/python. Since python2 is EOL, it should be safe to make our
scripting default to python3.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 840863f89ed4809602f1ca7b8ad650c0b979d20e)
[rharwood@redhat.com: tests that don't exist yet, README prg/prk,
contrib isn't packaged in dist tarballs]
---
README | 4 ++--
tests/magtests.py | 2 +-
tests/t_bad_acceptor_name.py | 2 +-
tests/t_basic_k5.py | 2 +-
tests/t_basic_k5_fail_second.py | 2 +-
tests/t_basic_k5_two_users.py | 2 +-
tests/t_basic_proxy.py | 2 +-
tests/t_basic_timeout.py | 2 +-
tests/t_hostname_acceptor.py | 2 +-
tests/t_nonego.py | 2 +-
tests/t_required_name_attr.py | 2 +-
tests/t_spnego.py | 2 +-
tests/t_spnego_negotiate_once.py | 2 +-
tests/t_spnego_no_auth.py | 2 +-
tests/t_spnego_proxy.py | 2 +-
tests/t_spnego_rewrite.py | 2 +-
16 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/README b/README
index 5eac94f..654a891 100644
--- a/README
+++ b/README
@@ -26,8 +26,8 @@ To run tests, you also need:
* The Kerberos 5 Key-Distribution-Center (`krb5-kdc` package on Debian,
`krb5-server` on Fedora)
-* Packages `mod_session`, `krb5-workstation`, `python-requests-kerberos`,
- and `python-gssapi` on Fedora
+* Packages `mod_session`, `krb5-workstation`, `python3-requests-gssapi`,
+ and `python3-gssapi` on Fedora
* Some tests require `krb5-pkinit` package on fedora and krb5 >= 1.15.
* [nss_wrapper](https://cwrap.org/nss_wrapper.html), packaged in Fedora
* [socket_wrapper](https://cwrap.org/socket_wrapper.html), packaged in Fedora
diff --git a/tests/magtests.py b/tests/magtests.py
index 082c6e4..d0f0a67 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import argparse
diff --git a/tests/t_bad_acceptor_name.py b/tests/t_bad_acceptor_name.py
index 41ee48b..6cee588 100755
--- a/tests/t_bad_acceptor_name.py
+++ b/tests/t_bad_acceptor_name.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_k5.py b/tests/t_basic_k5.py
index e499eac..4b24801 100755
--- a/tests/t_basic_k5.py
+++ b/tests/t_basic_k5.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_k5_fail_second.py b/tests/t_basic_k5_fail_second.py
index 273e9a5..7e53218 100755
--- a/tests/t_basic_k5_fail_second.py
+++ b/tests/t_basic_k5_fail_second.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_k5_two_users.py b/tests/t_basic_k5_two_users.py
index 41ffe98..3d27e9e 100755
--- a/tests/t_basic_k5_two_users.py
+++ b/tests/t_basic_k5_two_users.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_proxy.py b/tests/t_basic_proxy.py
index 5370314..347b802 100755
--- a/tests/t_basic_proxy.py
+++ b/tests/t_basic_proxy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py
index 983dfd2..007ff97 100755
--- a/tests/t_basic_timeout.py
+++ b/tests/t_basic_timeout.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_hostname_acceptor.py b/tests/t_hostname_acceptor.py
index 6d59e85..bb85700 100755
--- a/tests/t_hostname_acceptor.py
+++ b/tests/t_hostname_acceptor.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license.
import sys
diff --git a/tests/t_nonego.py b/tests/t_nonego.py
index 430001a..4e77f80 100755
--- a/tests/t_nonego.py
+++ b/tests/t_nonego.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_required_name_attr.py b/tests/t_required_name_attr.py
index bbfdc19..a67446b 100755
--- a/tests/t_required_name_attr.py
+++ b/tests/t_required_name_attr.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego.py b/tests/t_spnego.py
index e7003a6..04190a9 100755
--- a/tests/t_spnego.py
+++ b/tests/t_spnego.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego_negotiate_once.py b/tests/t_spnego_negotiate_once.py
index e8eb601..3d8e048 100755
--- a/tests/t_spnego_negotiate_once.py
+++ b/tests/t_spnego_negotiate_once.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego_no_auth.py b/tests/t_spnego_no_auth.py
index abcccdf..c564388 100755
--- a/tests/t_spnego_no_auth.py
+++ b/tests/t_spnego_no_auth.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py
index c47558b..b917191 100755
--- a/tests/t_spnego_proxy.py
+++ b/tests/t_spnego_proxy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os
diff --git a/tests/t_spnego_rewrite.py b/tests/t_spnego_rewrite.py
index 2ed1d3e..202d76a 100755
--- a/tests/t_spnego_rewrite.py
+++ b/tests/t_spnego_rewrite.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
import os

36
SOURCES/crypto-Handle-EVP-changes-in-OpenSSL-3.patch Normal file
View File

@ -0,0 +1,36 @@
From 74fd6dc6c3ba65e48c625d4724878721c46a5e6f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 24 Aug 2021 15:04:13 -0400
Subject: [PATCH] crypto: Handle EVP changes in OpenSSL 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenSSL 3 changes the padding behavior of EVP_DecryptFinal_ex(), which
causes our decryption to fail. It is the opnion of the OpenSSL
developers that mod_auth_gssapi's use of this function was incorrect.
Patch suggested by Tomáš Mráz.
Related: https://github.com/openssl/openssl/issues/16351
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 06d1f7d36d2455747e6e8231d28e6524ea1181f1)
(cherry picked from commit 915a3d7fca3beefadd751562abe2d481354a2a9c)
---
src/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/crypto.c b/src/crypto.c
index 3f372a0..b3f7fd9 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -262,7 +262,7 @@ apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
totlen += outlen;
outlen = plain->length - totlen;
- ret = EVP_DecryptFinal_ex(ctx, plain->value, &outlen);
+ ret = EVP_DecryptFinal_ex(ctx, plain->value + totlen, &outlen);
if (ret == 0) goto done;
totlen += outlen;

166
SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch
View File

@ -1,166 +0,0 @@
From bd2f8d20c589feae7249ccca28199d826d007667 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Thu, 6 Aug 2020 13:55:45 +0300
Subject: [PATCH] tests: Don't override the specific environment by the global
one
This changes the way in which a test environment is prepared.
Before:
specific -> global
After:
global -> specific
In particular, this allows setting PATH env variable differed from
the global configuration.
Fixes: https://github.com/gssapi/mod_auth_gssapi/issues/226
Signed-off-by: Stanislav Levin <slev@altlinux.org>
(cherry picked from commit 731761e63d72bf5656f40340daafce4e2d34bd92)
---
tests/magtests.py | 78 +++++++++++++++++++++++++++++------------------
1 file changed, 48 insertions(+), 30 deletions(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index 1c0b26a..e04fa65 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -310,11 +310,13 @@ def setup_kdc(testdir, wrapenv):
with open(kdcconf, 'w+') as f:
f.write(text)
- kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
- 'KRB5_CONFIG': krb5conf,
- 'KRB5_KDC_PROFILE': kdcconf,
- 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
- kdcenv.update(wrapenv)
+ kdcenv = wrapenv.copy()
+ kdcenv.update({
+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
+ 'KRB5_CONFIG': krb5conf,
+ 'KRB5_KDC_PROFILE': kdcconf,
+ 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
+ })
logfile = open(testlog, 'a')
ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
@@ -383,8 +385,10 @@ def setup_keys(tesdir, env):
cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
kadmin_local(cmd, env, logfile)
- keys_env = {"KRB5_KTNAME": svc_keytab, }
- keys_env.update(env)
+ keys_env = env.copy()
+ keys_env.update({
+ "KRB5_KTNAME": svc_keytab,
+ })
return keys_env
@@ -421,10 +425,12 @@ def setup_http(testdir, so_dir, wrapenv):
shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
- httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
- 'MALLOC_CHECK_': '3',
- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
- httpenv.update(wrapenv)
+ httpenv = wrapenv.copy()
+ httpenv.update({
+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
+ 'MALLOC_CHECK_': '3',
+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
+ })
httpd = "httpd" if distro == "Fedora" else "apache2"
httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
@@ -435,8 +441,10 @@ def setup_http(testdir, so_dir, wrapenv):
def kinit_user(testdir, kdcenv):
testlog = os.path.join(testdir, 'kinit.log')
ccache = os.path.join(testdir, 'k5ccache')
- testenv = {'KRB5CCNAME': ccache}
- testenv.update(kdcenv)
+ testenv = kdcenv.copy()
+ testenv.update({
+ 'KRB5CCNAME': ccache,
+ })
with (open(testlog, 'a')) as logfile:
kinit = subprocess.Popen(["kinit", USR_NAME],
@@ -457,8 +465,10 @@ def kinit_certuser(testdir, kdcenv):
pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT)
pkinit_key = os.path.join(testdir, PKINIT_KEY)
ident = "X509_user_identity=FILE:" + pkinit_user_cert + "," + pkinit_key
- testenv = {'KRB5CCNAME': ccache}
- testenv.update(kdcenv)
+ testenv = kdcenv.copy()
+ testenv.update({
+ 'KRB5CCNAME': ccache,
+ })
with (open(testlog, 'a')) as logfile:
logfile.write('PKINIT for maguser3\n')
kinit = subprocess.Popen(["kinit", USR_NAME_3, "-X", ident],
@@ -711,17 +721,21 @@ def faketime_setup(testenv):
raise NotImplementedError
# spedup x100
- fakeenv = {'FAKETIME': '+0 x100'}
- fakeenv.update(testenv)
- fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime))
+ fakeenv = testenv.copy()
+ fakeenv.update({
+ 'FAKETIME': '+0 x100',
+ 'LD_PRELOAD': ' '.join((testenv['LD_PRELOAD'], libfaketime)),
+ })
return fakeenv
def http_restart(testdir, so_dir, testenv):
- httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
- 'MALLOC_CHECK_': '3',
- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
- httpenv.update(testenv)
+ httpenv = testenv.copy()
+ httpenv.update({
+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
+ 'MALLOC_CHECK_': '3',
+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
+ })
httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
config = os.path.join(testdir, 'httpd', 'httpd.conf')
@@ -776,11 +790,13 @@ if __name__ == '__main__':
sys.stderr.write("krb5 PKINIT module not found, skipping name "
"attribute tests\n")
- testenv = {'MAG_USER_NAME': USR_NAME,
- 'MAG_USER_PASSWORD': USR_PWD,
- 'MAG_USER_NAME_2': USR_NAME_2,
- 'MAG_USER_PASSWORD_2': USR_PWD_2}
- testenv.update(kdcenv)
+ testenv = kdcenv.copy()
+ testenv.update({
+ 'MAG_USER_NAME': USR_NAME,
+ 'MAG_USER_PASSWORD': USR_PWD,
+ 'MAG_USER_NAME_2': USR_NAME_2,
+ 'MAG_USER_PASSWORD_2': USR_PWD_2,
+ })
errs += test_basic_auth_krb5(testdir, testenv, logfile)
@@ -789,9 +805,11 @@ if __name__ == '__main__':
# After this point we need to speed up httpd to test creds timeout
try:
fakeenv = faketime_setup(kdcenv)
- timeenv = {'TIMEOUT_USER': USR_NAME_4,
- 'MAG_USER_PASSWORD': USR_PWD}
- timeenv.update(fakeenv)
+ timeenv = fakeenv.copy()
+ timeenv.update({
+ 'TIMEOUT_USER': USR_NAME_4,
+ 'MAG_USER_PASSWORD': USR_PWD,
+ })
curporc = httpproc
pid = processes['HTTPD(%d)' % httpproc.pid].pid
os.killpg(pid, signal.SIGTERM)

87
SOURCES/tests-Fixup-virtualenv-handling.patch
View File

@ -1,87 +0,0 @@
From f106e3afa21cdbc098d3c82698585744e3325621 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 May 2020 15:56:50 -0400
Subject: [PATCH] [tests] Fixup virtualenv handling
Fixes an issue where virtualenv's PATH would get lost
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit e60384c0d4d4b4c213ec728ec3d444f998625941)
---
tests/magtests.py | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index 6c38a8f..1c0b26a 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -67,6 +67,12 @@ def setup_wrappers(base):
return wenv
+def apply_venv(env):
+ env['PATH'] = os.environ.get('PATH', '')
+ env['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
+ return env
+
+
TESTREALM = "MAG.DEV"
KDC_DBNAME = 'db.file'
KDC_STASH = 'stash.file'
@@ -304,7 +310,7 @@ def setup_kdc(testdir, wrapenv):
with open(kdcconf, 'w+') as f:
f.write(text)
- kdcenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
'KRB5_CONFIG': krb5conf,
'KRB5_KDC_PROFILE': kdcconf,
'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
@@ -415,7 +421,7 @@ def setup_http(testdir, so_dir, wrapenv):
shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
'MALLOC_CHECK_': '3',
'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
httpenv.update(wrapenv)
@@ -712,8 +718,7 @@ def faketime_setup(testenv):
def http_restart(testdir, so_dir, testenv):
-
- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
'MALLOC_CHECK_': '3',
'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
httpenv.update(testenv)
@@ -738,7 +743,7 @@ if __name__ == '__main__':
logfile = open(os.path.join(testdir, 'tests.log'), 'w')
errs = 0
try:
- wrapenv = setup_wrappers(testdir)
+ wrapenv = apply_venv(setup_wrappers(testdir))
kdcproc, kdcenv = setup_kdc(testdir, wrapenv)
processes['KDC(%d)' % kdcproc.pid] = kdcproc
@@ -749,10 +754,6 @@ if __name__ == '__main__':
keysenv = setup_keys(testdir, kdcenv)
testenv = kinit_user(testdir, kdcenv)
- # support virtualenv
- testenv['PATH'] = os.environ.get('PATH', '')
- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-
testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
USR_NAME + '@' + TESTREALM)
errs += test_spnego_auth(testdir, testenv, logfile)
@@ -780,8 +781,6 @@ if __name__ == '__main__':
'MAG_USER_NAME_2': USR_NAME_2,
'MAG_USER_PASSWORD_2': USR_PWD_2}
testenv.update(kdcenv)
- testenv['PATH'] = os.environ.get('PATH', '')
- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
errs += test_basic_auth_krb5(testdir, testenv, logfile)

35
SOURCES/tests-Support-Debian-s-libfaketime.patch
View File

@ -1,35 +0,0 @@
From 27f7ca84a5a05f65e6d113a8a6698c7f40fd66c6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 May 2020 15:51:19 -0400
Subject: [PATCH] [tests] Support Debian's libfaketime
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 367120a1c02641680a8f51bd59cc96d56cc9804b)
---
tests/magtests.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index da1cca7..6c38a8f 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -692,9 +692,16 @@ def test_hostname_acceptor(testdir, testenv, logfile):
def faketime_setup(testenv):
- libfaketime = '/usr/lib64/faketime/libfaketime.so.1'
- # optional faketime
- if not os.path.isfile(libfaketime):
+ # Wanted: an architecture- and distro-agnostic way to do this.
+ # libfaketime is installed in a place where ld.so won't pick it up by
+ # default, so...
+ paths = ['/usr/lib64/faketime/libfaketime.so.1',
+ '/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1']
+ libfaketime = None
+ for p in paths:
+ if os.path.isfile(p):
+ libfaketime = p
+ if not libfaketime:
raise NotImplementedError
# spedup x100

40
SOURCES/tests-Test-suite-fixes-for-virtualenv-and-clang.patch
View File

@ -1,40 +0,0 @@
From ce83aa116397fb71143e5b1363ce7563f7a4444d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 11 Mar 2019 14:56:31 -0400
Subject: [PATCH] [tests] Test suite fixes for virtualenv and clang
- Typo fix - VIRTUAL_ENV in magtests.py
- testenv object manipulation fix in magtests.py
- Work around -fstack-clash-protection problems in clang
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 6aa0a5bfe9d60a50cf36c561268c5d7c1fdb2f0e)
[rharwood@redhat.com: drop Travis goo]
(cherry picked from commit 11c966cc630393e322ef6b88df91d16247bbfc37)
---
tests/magtests.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/magtests.py b/tests/magtests.py
index f14f47a..a4842a0 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -687,7 +687,7 @@ if __name__ == '__main__':
# support virtualenv
testenv['PATH'] = os.environ.get('PATH', '')
- testenv['ViRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
+ testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
USR_NAME + '@' + TESTREALM)
@@ -716,6 +716,9 @@ if __name__ == '__main__':
'MAG_USER_NAME_2': USR_NAME_2,
'MAG_USER_PASSWORD_2': USR_PWD_2}
testenv.update(kdcenv)
+ testenv['PATH'] = os.environ.get('PATH', '')
+ testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
+
errs += test_basic_auth_krb5(testdir, testenv, logfile)
errs += test_no_negotiate(testdir, testenv, logfile)

194
SOURCES/tests-add-test-for-gss_localname.patch
View File

@ -1,194 +0,0 @@
From 0dbf450a49784e2a750c667824e0e0249be575e4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 27 Apr 2022 18:18:22 +0200
Subject: [PATCH] Add test for gss_localname
Backport test for gss_localname implemented upstream by Simo
---
tests/httpd.conf | 13 ++++++++++
tests/localname.html | 1 +
tests/magtests.py | 47 ++++++++++++++++++++++++++++++++-
tests/t_localname.py | 62 ++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 122 insertions(+), 1 deletion(-)
create mode 100644 tests/localname.html
create mode 100755 tests/t_localname.py
diff --git a/tests/httpd.conf b/tests/httpd.conf
index f76f2b671e02515e6d4effe09ab123dace90c023..b3777574d9f0547560f24eff992fc1018569b5cc 100644
--- a/tests/httpd.conf
+++ b/tests/httpd.conf
@@ -274,6 +274,19 @@ CoreDumpDirectory "{HTTPROOT}"
Require valid-user
</Location>
+<Location /gss_localname>
+ AuthType GSSAPI
+ AuthName "Login"
+ GssapiSSLonly Off
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
+ GssapiBasicAuth Off
+ GssapiAllowedMech krb5
+ GssapiLocalName On
+ Require valid-user
+</Location>
+
<VirtualHost *:{PROXYPORT}>
ProxyRequests On
ProxyVia On
diff --git a/tests/localname.html b/tests/localname.html
new file mode 100644
index 0000000000000000000000000000000000000000..abf7c507de1eb32b31b882502eed5f2bbcc5fbf3
--- /dev/null
+++ b/tests/localname.html
@@ -0,0 +1 @@
+<!--#echo var="REMOTE_USER" -->
diff --git a/tests/magtests.py b/tests/magtests.py
index d0f0a67f075c6b631926e9abd91a665973d90f4a..d100413b371e7ecf4e09d944b7ff6e9bec7e316f 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -58,12 +58,20 @@ def setup_wrappers(base):
f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME))
f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME))
+ passwd_file = os.path.join(testdir, 'passwd')
+ with open(passwd_file, 'w+') as f:
+ f.write('root:x:0:0:root:/root:/bin/sh')
+ f.write('maguser:x:1:1:maguser:/maguser:/bin/sh')
+ f.write('maguser2:x:2:2:maguser2:/maguser2:/bin/sh')
+ f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh')
+
wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
'SOCKET_WRAPPER_DIR': wrapdir,
'SOCKET_WRAPPER_DEFAULT_IFACE': '9',
'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME,
- 'NSS_WRAPPER_HOSTS': hosts_file}
+ 'NSS_WRAPPER_HOSTS': hosts_file,
+ 'NSS_WRAPPER_PASSWD': passwd_file}
return wenv
@@ -744,6 +752,40 @@ def http_restart(testdir, so_dir, testenv):
return httpproc
+def test_gss_localname(testdir, testenv, logfile):
+ hdir = os.path.join(testdir, 'httpd', 'html', 'gss_localname')
+ os.mkdir(hdir)
+ shutil.copy('tests/localname.html', os.path.join(hdir, 'index.html'))
+ error_count = 0
+
+ # Make sure spnego is explicitly tested
+ spnego = subprocess.Popen(["tests/t_localname.py", "SPNEGO"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ spnego.wait()
+ if spnego.returncode != 0:
+ sys.stderr.write('LOCALNAME(SPNEGO): FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('LOCALNAME(SPNEGO): SUCCESS\n')
+
+ # and bare krb5 (GS2-KRB5 is the name used by SASL for it)
+ krb5 = subprocess.Popen(["tests/t_localname.py", "GS2-KRB5"],
+ stdout=logfile, stderr=logfile,
+ env=testenv, preexec_fn=os.setsid)
+ krb5.wait()
+ if krb5.returncode != 0:
+ if krb5.returncode == 42:
+ sys.stderr.write('LOCALNAME(KRB5): SKIPPED\n')
+ else:
+ sys.stderr.write('LOCALNAME(KRB5): FAILED\n')
+ error_count += 1
+ else:
+ sys.stderr.write('LOCALNAME(KRB5): SUCCESS\n')
+
+ return error_count
+
+
if __name__ == '__main__':
args = parse_args()
@@ -781,6 +823,9 @@ if __name__ == '__main__':
errs += test_bad_acceptor_name(testdir, testenv, logfile)
+ testenv['MAG_REMOTE_USER'] = USR_NAME
+ errs += test_gss_localname(testdir, testenv, logfile)
+
rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so"
deb_path = "/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so"
if os.path.exists(rpm_path) or os.path.exists(deb_path):
diff --git a/tests/t_localname.py b/tests/t_localname.py
new file mode 100755
index 0000000000000000000000000000000000000000..e990762c42aa9b370ac71292b5019fc63622c240
--- /dev/null
+++ b/tests/t_localname.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+import subprocess
+import sys
+
+import gssapi
+
+import requests
+
+from requests_gssapi import HTTPSPNEGOAuth
+
+
+def use_requests(auth):
+ sess = requests.Session()
+ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
+
+ r = sess.get(url, auth=auth)
+ if r.status_code != 200:
+ raise ValueError('Localname failed')
+
+ if r.text.rstrip() != os.environ['MAG_REMOTE_USER']:
+ raise ValueError('Localname, REMOTE_USER check failed')
+
+
+def use_curl():
+ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
+ curl = subprocess.Popen(["curl", "--negotiate", "-u:", url],
+ stdout=subprocess.PIPE)
+ curl.wait()
+ if curl.returncode != 0:
+ raise ValueError('Localname failed')
+
+ line = curl.stdout.read().strip(b' \t\n\r').decode('utf-8')
+ if line != os.environ['MAG_REMOTE_USER']:
+ raise ValueError('Localname, REMOTE_USER check failed (%s != %s)' % (
+ line, os.environ['MAG_REMOTE_USER']))
+
+
+if __name__ == '__main__':
+ mech_name = None
+ if len(sys.argv) > 1:
+ mech_name = sys.argv[1]
+
+ mech = None
+ if mech_name is not None:
+ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
+
+ try:
+ auth = HTTPSPNEGOAuth(mech=mech)
+ use_requests(auth)
+ except TypeError:
+ # odler version of requests that does not support mechs
+ if mech_name == 'SPNEGO':
+ use_curl()
+ elif mech_name == 'GS2-KRB5':
+ # older request versions use krb5 as the mech by default
+ auth = HTTPSPNEGOAuth()
+ use_requests(auth)
+ else:
+ sys.exit(42) # SKIP
--
2.35.1

106
SPECS/mod_auth_gssapi.spec
View File

@ -1,42 +1,32 @@
Name: mod_auth_gssapi Name: mod_auth_gssapi
Version: 1.6.1 Version: 1.6.3
Release: 9%{?dist} Release: 7%{?dist}
Summary: A GSSAPI Authentication module for Apache Summary: A GSSAPI Authentication module for Apache
Group: System Environment/Daemons
License: MIT License: MIT
URL: https://github.com/modauthgssapi/mod_auth_gssapi URL: https://github.com/gssapi/mod_auth_gssapi
Source0: https://github.com/modauthgssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz
Patch0: In-tests-show-the-exception-on-failure.patch BuildRequires: httpd-devel, krb5-devel, openssl-devel
Patch1: Fix-tests-to-work-with-python3.patch BuildRequires: autoconf, automake, libtool, bison, flex, make
Patch2: tests-Test-suite-fixes-for-virtualenv-and-clang.patch
Patch3: Fix-integer-sizes-used-with-ap_set_flag_slot.patch
Patch4: Fix-mag_auth_basic-function-call.patch
Patch6: Fix-distcheck.patch
Patch7: Add-option-to-control-timeout-for-Basic-Auth.patch
Patch8: tests-Support-Debian-s-libfaketime.patch
Patch9: tests-Fixup-virtualenv-handling.patch
Patch10: tests-Don-t-override-the-specific-environment-by-the.patch
Patch11: Fix-PATH-handling-bug-in-test-suite.patch
Patch12: Move-to-python3-by-default.patch
Patch13: Fix-gss_localname-with-SPNEGO-wrapping.patch
Patch14: tests-add-test-for-gss_localname.patch
Patch15: Add-ability-to-expose-the-used-mechanism.patch
Patch16: Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool
BuildRequires: gssntlmssp-devel
BuildRequires: git BuildRequires: git
Requires: httpd-mmn = %{_httpd_mmn} Requires: httpd-mmn = %{_httpd_mmn}
Requires: krb5-libs >= 1.11.5 Requires: krb5-libs >= 1.11.5
Patch0: crypto-Handle-EVP-changes-in-OpenSSL-3.patch
# If you're reading this: NTLM is insecure. Migrate off it.
%if 0%{?rhel}
%else
BuildRequires: gssntlmssp-devel
%endif
%description %description
The mod_auth_gssapi module is an authentication service that implements the The mod_auth_gssapi module is an authentication service that implements the
SPNEGO based HTTP Authentication protocol defined in RFC4559. SPNEGO based HTTP Authentication protocol defined in RFC4559.
%prep %prep
%autosetup -S git %autosetup -S git_am
%build %build
export APXS=%{_httpd_apxs} export APXS=%{_httpd_apxs}
@ -61,41 +51,55 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
%{_httpd_moddir}/mod_auth_gssapi.so %{_httpd_moddir}/mod_auth_gssapi.so
%changelog %changelog
* Thu Apr 28 2022 Francisco Trivino <ftrivino@redhat.com> 1.6.1-9 * Wed Aug 25 2021 Robbie Harwood <rharwood@redhat.com> - 1.6.3-7
- Add missing repos to the osci tests - crypto: Handle EVP changes in OpenSSL 3
- Fix gss localname test to work with older gssapi version - Resolves: #1992648
- Resolves: #2083122
- Add ability to expose the used mechanism
- Resolves: #2046231
* Wed Apr 27 2022 Francisco Trivino <ftrivino@redhat.com> 1.6.1-8 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.3-6
- Add test for gss_localname - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- Fix gss_localname with SPNEGO wrapping Related: rhbz#1991688
- Resolves: #1787630
* Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> 1.6.1-7.1 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.3-5
- Bang on gating until the environment gives up - Rebuilt for RHEL 9 BETA for openssl 3.0
- Resolves: #1866149 Related: rhbz#1971065
* Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> - 1.6.1-7 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.3-4
- Backport basic auth timeout control - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
- Resolves: #1866149
* Fri Mar 22 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-6 * Tue Mar 16 2021 Robbie Harwood <rharwood@redhat.com> - 1.6.3-3
- Gating update - Build dep adjustments; no Fedora code changes
- Resolves: #1682259
* Mon Mar 18 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-5 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Aug 05 2020 Robbie Harwood <rharwood@redhat.com> - 1.6.3-1
- New upstream release (1.6.3)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Apr 27 2020 Robbie Harwood <rharwood@redhat.com> - 1.6.2-1
- New upstream release (1.6.2)
- Resolves: #1828142
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Mar 18 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-6
- Test suite fixes for virtualenv and clang
* Tue Feb 19 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-5
- Fix integer sizes used with ap_set_flag_slot() - Fix integer sizes used with ap_set_flag_slot()
- Resolves: #1674501 - Resolves: #1678872
* Mon Mar 18 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-4 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-4
- Fix virtualenv logic and add gating - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
- Resolves: #1682259
* Thu Mar 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-3 * Thu Jan 03 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-3
- Fix tests to work with python3 - Fix tests to work with python3
- Resolves: #1661589
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild