Compare commits
No commits in common. "c8" and "c9s" have entirely different histories.
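--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,17 @@
-SOURCES/mod_auth_gssapi-1.6.1.tar.gz
+/mod_auth_gssapi-1.0.1.tar.gz
+/mod_auth_gssapi-1.0.2.tar.gz
+/mod_auth_gssapi-1.0.3.tar.gz
+/mod_auth_gssapi-1.0.4.tar.gz
+/mod_auth_gssapi-1.1.0.tar.gz
+/mod_auth_gssapi-1.2.0.tar.gz
+/mod_auth_gssapi-1.3.0.tar.gz
+/mod_auth_gssapi-1.3.1.tar.gz
+/mod_auth_gssapi-1.3.2.tar.gz
+/mod_auth_gssapi-1.4.0.tar.gz
+/mod_auth_gssapi-1.4.1.tar.gz
+/mod_auth_gssapi-1.5.0.tar.gz
+/mod_auth_gssapi-1.5.1.tar.gz
+/mod_auth_gssapi-1.6.0.tar.gz
+/mod_auth_gssapi-1.6.1.tar.gz
+/mod_auth_gssapi-1.6.2.tar.gz
+/mod_auth_gssapi-1.6.3.tar.gz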
@ -1 +0,0 @@
|
||||
5dfc4eef25efad5313724bd6a1e55266a6667302 SOURCES/mod_auth_gssapi-1.6.1.tar.gz
|
@ -1,262 +0,0 @@
|
||||
From 46caec4def9fd8df21e560db065b755e1d87354d Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Fri, 6 May 2022 22:54:45 +0200
|
||||
Subject: [PATCH 1/2] Add-ability-to-expose-the-used-mechanism.patch
|
||||
|
||||
---
|
||||
README | 15 +++++++++++++++
|
||||
src/environ.c | 39 +++++++++++++++++++++++++++++++++++++++
|
||||
src/environ.h | 2 ++
|
||||
src/mod_auth_gssapi.c | 7 +++++++
|
||||
src/mod_auth_gssapi.h | 1 +
|
||||
tests/Makefile.am | 4 +++-
|
||||
tests/httpd.conf | 15 +++++++++++++++
|
||||
tests/magtests.py | 18 ++++++++++++++++++
|
||||
tests/mech.html | 1 +
|
||||
tests/t_mech_name.py | 19 +++++++++++++++++++
|
||||
10 files changed, 120 insertions(+), 1 deletion(-)
|
||||
create mode 100644 tests/mech.html
|
||||
create mode 100755 tests/t_mech_name.py
|
||||
|
||||
diff --git a/README b/README
|
||||
index 654a8918cc1cd078d84b8e571596444e262e83af..bbf2657d47c9b111e20fdc2b76fde8799c76e3cd 100644
|
||||
--- a/README
|
||||
+++ b/README
|
||||
@@ -109,6 +109,7 @@ Configuration Directives
|
||||
[GssapiNameAttributes](#gssapinameattributes)<br>
|
||||
[GssapiNegotiateOnce](#gssapinegotiateonce)<br>
|
||||
[GssapiPublishErrors](#gssapipublisherrors)<br>
|
||||
+[GssapiPublishMech](#gssapipublishmech)<br>
|
||||
[GssapiRequiredNameAttributes](#gssapirequirednameattributes)<br>
|
||||
[GssapiSessionKey](#gssapisessionkey)<br>
|
||||
[GssapiSignalPersistentAuth](#gssapisignalpersistentauth)<br>
|
||||
@@ -527,3 +528,17 @@ Note: the value is specified in seconds.
|
||||
Sets ticket/session validity to 10 hours.
|
||||
|
||||
|
||||
+### GssapiPublishMech
|
||||
+
|
||||
+This option is used to publish the mech used for authentication as an
|
||||
+Environment variable named GSS_MECH.
|
||||
+
|
||||
+It will return a string of the form 'Authtype/Mechname'.
|
||||
+Authtype represents the type of auth performed by the module. Possible values
|
||||
+are 'Basic', 'Negotiate', 'NTLM', 'Impersonate'.
|
||||
+Mechname is the name of the mechanism as reported by GSSAPI or the OID of the
|
||||
+mechanism if a name is not available. In case of errors the 'Unavailable'
|
||||
+string may also be returned for either Authtype or Mechname.
|
||||
+
|
||||
+- **Enable with:** GssapiPublishMech On
|
||||
+- **Default:** GssapiPublishMech Off
|
||||
\ No newline at end of file
|
||||
diff --git a/src/environ.c b/src/environ.c
|
||||
index 7ee56a1ba434d5c1041968fb3f64191340cb0ea7..71a8564284cafa62c4cbeaf7ab8484a48c064e66 100644
|
||||
--- a/src/environ.c
|
||||
+++ b/src/environ.c
|
||||
@@ -498,3 +498,42 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min,
|
||||
if (mag_err)
|
||||
apr_table_set(req->subprocess_env, "MAG_ERROR", mag_err);
|
||||
}
|
||||
+
|
||||
+
|
||||
+void mag_publish_mech(request_rec *req, struct mag_conn *mc,
|
||||
+ const char *auth_type, gss_OID mech_type)
|
||||
+{
|
||||
+ gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
|
||||
+ gss_buffer_desc mech_name = GSS_C_EMPTY_BUFFER;
|
||||
+ gss_buffer_desc mech_description = GSS_C_EMPTY_BUFFER;
|
||||
+ char *mechdata;
|
||||
+ uint32_t maj, min;
|
||||
+
|
||||
+ maj = gss_inquire_saslname_for_mech(&min, mech_type, &sasl_mech_name,
|
||||
+ &mech_name, &mech_description);
|
||||
+ if (maj != GSS_S_COMPLETE) {
|
||||
+ /* something failed, let's try to get a string OID */
|
||||
+ /* and if that fails there is nothing we can do */
|
||||
+ maj = gss_oid_to_str(&min, mech_type, &mech_name);
|
||||
+ if (maj != GSS_S_COMPLETE) {
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
|
||||
+ "Failed to source mechanism name or OID");
|
||||
+ mech_name.value = strdup("Unavailable");
|
||||
+ mech_name.length = strlen(mech_name.value);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ mechdata = apr_psprintf(req->pool, "%s/%.*s", auth_type,
|
||||
+ (int)mech_name.length,
|
||||
+ (char *)mech_name.value);
|
||||
+
|
||||
+ apr_table_set(mc->env, "GSS_MECH", mechdata);
|
||||
+
|
||||
+ /* also log at info level */
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
|
||||
+ "User %s authenticated with %s", mc->gss_name, mechdata);
|
||||
+
|
||||
+ (void)gss_release_buffer(&min, &sasl_mech_name);
|
||||
+ (void)gss_release_buffer(&min, &mech_name);
|
||||
+ (void)gss_release_buffer(&min, &mech_description);
|
||||
+}
|
||||
diff --git a/src/environ.h b/src/environ.h
|
||||
index 40bca9877f600246d19a3bf4be370310636ce6c7..b0813da6508df7c5594b51cada7712dc44393e44 100644
|
||||
--- a/src/environ.h
|
||||
+++ b/src/environ.h
|
||||
@@ -18,3 +18,5 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min,
|
||||
const char *gss_err, const char *mag_err);
|
||||
void mag_set_req_attr_fail(request_rec *req, struct mag_config *cfg,
|
||||
struct mag_conn *mc);
|
||||
+void mag_publish_mech(request_rec *req, struct mag_conn *mc,
|
||||
+ const char *auth_type, gss_OID mech_type);
|
||||
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
||||
index c91aa60707ba9b237a84f95670d483f1a7eab86b..93c43308585cf140297de82e118a367f69d25a92 100644
|
||||
--- a/src/mod_auth_gssapi.c
|
||||
+++ b/src/mod_auth_gssapi.c
|
||||
@@ -1289,6 +1289,10 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
|
||||
mc->user_name = apr_pstrdup(mc->pool, mc->gss_name);
|
||||
}
|
||||
|
||||
+ if (cfg->pubmech) {
|
||||
+ mag_publish_mech(req, mc, mag_str_auth_type(mc->auth_type), mech_type);
|
||||
+ }
|
||||
+
|
||||
mc->established = true;
|
||||
if (req_cfg->use_sessions) {
|
||||
mag_attempt_session(req_cfg, mc);
|
||||
@@ -1894,6 +1898,9 @@ static const command_rec mag_commands[] = {
|
||||
AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot,
|
||||
(void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG,
|
||||
"Publish GSSAPI Errors in Envionment Variables"),
|
||||
+ AP_INIT_FLAG("GssapiPublishMech", ap_set_flag_slot,
|
||||
+ (void *)APR_OFFSETOF(struct mag_config, pubmech), OR_AUTHCFG,
|
||||
+ "Publish GSSAPI Mech Name in Envionment Variables"),
|
||||
AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG,
|
||||
"Name of the acceptor credentials."),
|
||||
AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL,
|
||||
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
|
||||
index 2312ab57f4b2e0bd50f191018b081a3ecb86f15a..8ab3bdc57be793cc493176c02910219e905900e9 100644
|
||||
--- a/src/mod_auth_gssapi.h
|
||||
+++ b/src/mod_auth_gssapi.h
|
||||
@@ -91,6 +91,7 @@ struct mag_config {
|
||||
struct mag_name_attributes *name_attributes;
|
||||
const char *required_na_expr;
|
||||
int enverrs;
|
||||
+ int pubmech;
|
||||
gss_name_t acceptor_name;
|
||||
bool acceptor_name_from_req;
|
||||
uint32_t basic_timeout;
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index c830e951d04316e4cbc76fa3b5961baedb516ec6..2ddb46ea30e6ebf9ff0b30278c609178d02c1efc 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -6,14 +6,16 @@ EXTRA_DIST = \
|
||||
index.html \
|
||||
localname.html \
|
||||
magtests.py \
|
||||
+ mech.html \
|
||||
t_bad_acceptor_name.py \
|
||||
t_basic_k5_fail_second.py \
|
||||
t_basic_k5.py \
|
||||
t_basic_k5_two_users.py \
|
||||
t_basic_proxy.py \
|
||||
t_basic_timeout.py \
|
||||
- t_localname.py \
|
||||
t_hostname_acceptor.py \
|
||||
+ t_localname.py \
|
||||
+ t_mech_name.py \
|
||||
t_nonego.py \
|
||||
t_required_name_attr.py \
|
||||
t_spnego_negotiate_once.py \
|
||||
diff --git a/tests/httpd.conf b/tests/httpd.conf
|
||||
index b3777574d9f0547560f24eff992fc1018569b5cc..775294b7d600e82c3955316a2d5b667c8b3c5581 100644
|
||||
--- a/tests/httpd.conf
|
||||
+++ b/tests/httpd.conf
|
||||
@@ -331,3 +331,18 @@ CoreDumpDirectory "{HTTPROOT}"
|
||||
GssapiSessionKey file:{HTTPROOT}/session.key
|
||||
Require valid-user
|
||||
</Location>
|
||||
+
|
||||
+<Location /mech_name>
|
||||
+ Options +Includes
|
||||
+ AddOutputFilter INCLUDES .html
|
||||
+ AuthType GSSAPI
|
||||
+ AuthName "Password Login"
|
||||
+ GssapiSSLonly Off
|
||||
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
|
||||
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
|
||||
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
|
||||
+ GssapiBasicAuth On
|
||||
+ GssapiBasicAuthMech krb5
|
||||
+ GssapiPublishMech On
|
||||
+ Require valid-user
|
||||
+</Location>
|
||||
\ No newline at end of file
|
||||
diff --git a/tests/magtests.py b/tests/magtests.py
|
||||
index d100413b371e7ecf4e09d944b7ff6e9bec7e316f..9aba68f826a37a890bfefb62665697eef7d07dfa 100755
|
||||
--- a/tests/magtests.py
|
||||
+++ b/tests/magtests.py
|
||||
@@ -786,6 +786,22 @@ def test_gss_localname(testdir, testenv, logfile):
|
||||
return error_count
|
||||
|
||||
|
||||
+def test_mech_name(testdir, testenv, logfile):
|
||||
+ basicdir = os.path.join(testdir, 'httpd', 'html', 'mech_name')
|
||||
+ os.mkdir(basicdir)
|
||||
+ shutil.copy('tests/mech.html', basicdir)
|
||||
+
|
||||
+ mname = subprocess.Popen(["tests/t_mech_name.py"],
|
||||
+ stdout=logfile, stderr=logfile,
|
||||
+ env=testenv, preexec_fn=os.setsid)
|
||||
+ mname.wait()
|
||||
+ if mname.returncode != 0:
|
||||
+ sys.stderr.write('MECH-NAME: FAILED\n')
|
||||
+ return 1
|
||||
+ sys.stderr.write('MECH-NAME: SUCCESS\n')
|
||||
+ return 0
|
||||
+
|
||||
+
|
||||
if __name__ == '__main__':
|
||||
args = parse_args()
|
||||
|
||||
@@ -847,6 +863,8 @@ if __name__ == '__main__':
|
||||
|
||||
errs += test_no_negotiate(testdir, testenv, logfile)
|
||||
|
||||
+ errs += test_mech_name(testdir, testenv, logfile)
|
||||
+
|
||||
# After this point we need to speed up httpd to test creds timeout
|
||||
try:
|
||||
fakeenv = faketime_setup(kdcenv)
|
||||
diff --git a/tests/mech.html b/tests/mech.html
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..bb7b3cd5278f055e278a7dfde73c15aa400a6a17
|
||||
--- /dev/null
|
||||
+++ b/tests/mech.html
|
||||
@@ -0,0 +1 @@
|
||||
+<!--#echo var="GSS_MECH" -->
|
||||
diff --git a/tests/t_mech_name.py b/tests/t_mech_name.py
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..69f451f2bbe58a16f61418f96eca26e7994bcb8a
|
||||
--- /dev/null
|
||||
+++ b/tests/t_mech_name.py
|
||||
@@ -0,0 +1,19 @@
|
||||
+#!/usr/bin/env python3
|
||||
+# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
|
||||
+
|
||||
+import os
|
||||
+import requests
|
||||
+from requests.auth import HTTPBasicAuth
|
||||
+
|
||||
+
|
||||
+if __name__ == '__main__':
|
||||
+ url = 'http://%s/mech_name/mech.html' % os.environ['NSS_WRAPPER_HOSTNAME']
|
||||
+ r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'],
|
||||
+ os.environ['MAG_USER_PASSWORD']))
|
||||
+ if r.status_code != 200:
|
||||
+ raise ValueError('Basic Auth Failed')
|
||||
+
|
||||
+ if r.text.rstrip() != 'Basic/krb5':
|
||||
+ raise ValueError(
|
||||
+ 'GSS_MECH check failed, expected Basic/krb5, got "%s"' %
|
||||
+ r.text.rstrip())
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,372 +0,0 @@
|
||||
From b4ddd657ccc7793df9378209433f0142195a94d1 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Thu, 14 May 2020 09:19:37 -0400
|
||||
Subject: [PATCH] Add option to control timeout for Basic Auth
|
||||
|
||||
Adds new option and tests.
|
||||
Adds optional dependency on libfaketime to test this feature.
|
||||
|
||||
Fixes: #210
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
Merges: #217
|
||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||
(cherry picked from commit 09df7584b4abadbfea411adafdcc825da5b720d3)
|
||||
[rharwood@redhat.com: git got confused by not having localname test]
|
||||
---
|
||||
README | 24 +++++++++++++
|
||||
src/mod_auth_gssapi.c | 27 +++++++++++---
|
||||
src/mod_auth_gssapi.h | 1 +
|
||||
tests/Makefile.am | 1 +
|
||||
tests/httpd.conf | 32 ++++++++++++++++-
|
||||
tests/magtests.py | 76 ++++++++++++++++++++++++++++++++++++++++
|
||||
tests/t_basic_timeout.py | 34 ++++++++++++++++++
|
||||
7 files changed, 190 insertions(+), 5 deletions(-)
|
||||
create mode 100755 tests/t_basic_timeout.py
|
||||
|
||||
diff --git a/README b/README
|
||||
index 700b57e..5eac94f 100644
|
||||
--- a/README
|
||||
+++ b/README
|
||||
@@ -97,6 +97,7 @@ Configuration Directives
|
||||
[GssapiAllowedMech](#gssapiallowedmech)<br>
|
||||
[GssapiBasicAuth](#gssapibasicauth)<br>
|
||||
[GssapiBasicAuthMech](#gssapibasicauthmech)<br>
|
||||
+[GssapiBasicTicketTimeout](#gssapibasicticketvalidity)<br>
|
||||
[GssapiConnectionBound](#gssapiconnectionbound)<br>
|
||||
[GssapiCredStore](#gssapicredstore)<br>
|
||||
[GssapiDelegCcacheDir](#gssapidelegccachedir)<br>
|
||||
@@ -503,3 +504,26 @@ Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example).
|
||||
GssapiAcceptorName HTTP@www.example.com
|
||||
|
||||
|
||||
+### GssapiBasicTicketTimeout
|
||||
+
|
||||
+This option controls the ticket validity time requested for the user TGT by the
|
||||
+Basic Auth method.
|
||||
+
|
||||
+Normally basic auth is repeated by the browser on each request so a short
|
||||
+validity period is used to reduce the scope of the ticket as it will be
|
||||
+replaced quickly.
|
||||
+However in cases where the authentication page is separate and the session
|
||||
+is used by other pages the validity can be changed to arbitrary duration.
|
||||
+
|
||||
+Note: the validity of a ticket is still capped by KDC configuration.
|
||||
+
|
||||
+Note: the value is specified in seconds.
|
||||
+
|
||||
+- **Default:** GssapiBasicTicketTimeout 300
|
||||
+
|
||||
+#### Example
|
||||
+ GssapiBasicTicketTimeout 36000
|
||||
+
|
||||
+Sets ticket/session validity to 10 hours.
|
||||
+
|
||||
+
|
||||
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
||||
index 9e42ef4..b099973 100644
|
||||
--- a/src/mod_auth_gssapi.c
|
||||
+++ b/src/mod_auth_gssapi.c
|
||||
@@ -1,4 +1,5 @@
|
||||
-/* Copyright (C) 2014, 2016 mod_auth_gssapi contributors - See COPYING for (C) terms */
|
||||
+/* Copyright (C) 2014, 2016, 2020 mod_auth_gssapi contributors
|
||||
+ * See COPYING for (C) terms */
|
||||
|
||||
#include "mod_auth_gssapi.h"
|
||||
#include "mag_parse.h"
|
||||
@@ -600,7 +601,7 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
|
||||
}
|
||||
|
||||
maj = gss_acquire_cred_with_password(&min, user, &ba_pwd,
|
||||
- GSS_C_INDEFINITE,
|
||||
+ cfg->basic_timeout,
|
||||
allowed_mechs,
|
||||
GSS_C_INITIATE,
|
||||
&user_cred, &actual_mechs, NULL);
|
||||
@@ -619,8 +620,8 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
|
||||
|
||||
for (int i = 0; i < actual_mechs->count; i++) {
|
||||
maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,
|
||||
- &actual_mechs->elements[i], 300, &client,
|
||||
- &vtime, &delegated_cred);
|
||||
+ &actual_mechs->elements[i], cfg->basic_timeout,
|
||||
+ &client, &vtime, &delegated_cred);
|
||||
if (maj == GSS_S_COMPLETE) {
|
||||
ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],
|
||||
vtime, delegated_cred);
|
||||
@@ -1299,6 +1300,7 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir)
|
||||
#ifdef HAVE_CRED_STORE
|
||||
cfg->ccname_envvar = "KRB5CCNAME";
|
||||
#endif
|
||||
+ cfg->basic_timeout = 300;
|
||||
|
||||
return cfg;
|
||||
}
|
||||
@@ -1789,6 +1791,21 @@ static const char *mag_acceptor_name(cmd_parms *parms, void *mconfig,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+static const char *mag_basic_timeout(cmd_parms *parms, void *mconfig,
|
||||
+ const char *w)
|
||||
+{
|
||||
+ struct mag_config *cfg = (struct mag_config *)mconfig;
|
||||
+ unsigned long int value;
|
||||
+
|
||||
+ value = strtoul(w, NULL, 10);
|
||||
+ if (value >= UINT32_MAX) {
|
||||
+ cfg->basic_timeout = GSS_C_INDEFINITE;
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ cfg->basic_timeout = value;
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
static void *mag_create_server_config(apr_pool_t *p, server_rec *s)
|
||||
{
|
||||
struct mag_server_config *scfg;
|
||||
@@ -1865,6 +1882,8 @@ static const command_rec mag_commands[] = {
|
||||
"Publish GSSAPI Errors in Envionment Variables"),
|
||||
AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG,
|
||||
"Name of the acceptor credentials."),
|
||||
+ AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL,
|
||||
+ OR_AUTHCFG, "Ticket Validity Timeout with Basic Auth."),
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
|
||||
index 8c0b972..2312ab5 100644
|
||||
--- a/src/mod_auth_gssapi.h
|
||||
+++ b/src/mod_auth_gssapi.h
|
||||
@@ -93,6 +93,7 @@ struct mag_config {
|
||||
int enverrs;
|
||||
gss_name_t acceptor_name;
|
||||
bool acceptor_name_from_req;
|
||||
+ uint32_t basic_timeout;
|
||||
};
|
||||
|
||||
struct mag_server_config {
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index 16d87e9..c830e95 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -11,6 +11,7 @@ EXTRA_DIST = \
|
||||
t_basic_k5.py \
|
||||
t_basic_k5_two_users.py \
|
||||
t_basic_proxy.py \
|
||||
+ t_basic_timeout.py \
|
||||
t_localname.py \
|
||||
t_hostname_acceptor.py \
|
||||
t_nonego.py \
|
||||
diff --git a/tests/httpd.conf b/tests/httpd.conf
|
||||
index 8c91e1c..f76f2b6 100644
|
||||
--- a/tests/httpd.conf
|
||||
+++ b/tests/httpd.conf
|
||||
@@ -111,7 +111,7 @@ DocumentRoot "{HTTPROOT}/html"
|
||||
PidFile "{HTTPROOT}/logs/httpd.pid"
|
||||
|
||||
<IfModule log_config_module>
|
||||
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\"" combined
|
||||
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\" \"%{{Cookie}}i\"" combined
|
||||
CustomLog "logs/access_log" combined
|
||||
</IfModule>
|
||||
|
||||
@@ -288,3 +288,33 @@ CoreDumpDirectory "{HTTPROOT}"
|
||||
Require valid-user
|
||||
</Proxy>
|
||||
</VirtualHost>
|
||||
+
|
||||
+<Location /basic_auth_timeout/auth>
|
||||
+ Options +Includes
|
||||
+ AddOutputFilter INCLUDES .html
|
||||
+ AuthType GSSAPI
|
||||
+ AuthName "Password Login"
|
||||
+ GssapiSSLonly Off
|
||||
+ GssapiUseSessions On
|
||||
+ Session On
|
||||
+ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly
|
||||
+ GssapiSessionKey file:{HTTPROOT}/session.key
|
||||
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
|
||||
+ GssapiBasicAuth On
|
||||
+ GssapiBasicAuthMech krb5
|
||||
+ GssapiBasicTicketTimeout 400
|
||||
+ GssapiDelegCcacheDir {HTTPROOT}
|
||||
+ Require valid-user
|
||||
+</Location>
|
||||
+<Location /basic_auth_timeout/session>
|
||||
+ Options +Includes
|
||||
+ AddOutputFilter INCLUDES .html
|
||||
+ AuthType GSSAPI
|
||||
+ AuthName "Session Login"
|
||||
+ GssapiSSLonly Off
|
||||
+ GssapiUseSessions On
|
||||
+ Session On
|
||||
+ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly
|
||||
+ GssapiSessionKey file:{HTTPROOT}/session.key
|
||||
+ Require valid-user
|
||||
+</Location>
|
||||
diff --git a/tests/magtests.py b/tests/magtests.py
|
||||
index a4842a0..da1cca7 100755
|
||||
--- a/tests/magtests.py
|
||||
+++ b/tests/magtests.py
|
||||
@@ -3,11 +3,13 @@
|
||||
|
||||
import argparse
|
||||
import os
|
||||
+import os.path
|
||||
import random
|
||||
import shutil
|
||||
import signal
|
||||
import subprocess
|
||||
import sys
|
||||
+import time
|
||||
import traceback
|
||||
|
||||
# check that we can import requests (for use in test scripts)
|
||||
@@ -341,6 +343,7 @@ USR_PWD_2 = "magpwd2"
|
||||
USR_NAME_3 = "maguser3"
|
||||
SVC_KTNAME = "httpd/http.keytab"
|
||||
KEY_TYPE = "aes256-cts-hmac-sha1-96:normal"
|
||||
+USR_NAME_4 = "timeoutusr"
|
||||
|
||||
|
||||
def setup_keys(tesdir, env):
|
||||
@@ -361,6 +364,9 @@ def setup_keys(tesdir, env):
|
||||
cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
|
||||
kadmin_local(cmd, env, logfile)
|
||||
|
||||
+ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4)
|
||||
+ kadmin_local(cmd, env, logfile)
|
||||
+
|
||||
# alias for multinamed hosts testing
|
||||
alias_name = "HTTP/%s" % WRAP_ALIASNAME
|
||||
cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
|
||||
@@ -600,6 +606,30 @@ def test_basic_auth_krb5(testdir, testenv, logfile):
|
||||
return error_count
|
||||
|
||||
|
||||
+def test_basic_auth_timeout(testdir, testenv, logfile):
|
||||
+ httpdir = os.path.join(testdir, 'httpd')
|
||||
+ timeoutdir = os.path.join(httpdir, 'html', 'basic_auth_timeout')
|
||||
+ os.mkdir(timeoutdir)
|
||||
+ authdir = os.path.join(timeoutdir, 'auth')
|
||||
+ os.mkdir(authdir)
|
||||
+ sessdir = os.path.join(timeoutdir, 'session')
|
||||
+ os.mkdir(sessdir)
|
||||
+ shutil.copy('tests/index.html', os.path.join(authdir))
|
||||
+ shutil.copy('tests/index.html', os.path.join(sessdir))
|
||||
+
|
||||
+ basictout = subprocess.Popen(["tests/t_basic_timeout.py"],
|
||||
+ stdout=logfile, stderr=logfile,
|
||||
+ env=testenv, preexec_fn=os.setsid)
|
||||
+ basictout.wait()
|
||||
+ if basictout.returncode != 0:
|
||||
+ sys.stderr.write('BASIC Timeout Behavior: FAILED\n')
|
||||
+ return 1
|
||||
+ else:
|
||||
+ sys.stderr.write('BASIC Timeout Behavior: SUCCESS\n')
|
||||
+
|
||||
+ return 0
|
||||
+
|
||||
+
|
||||
def test_bad_acceptor_name(testdir, testenv, logfile):
|
||||
bandir = os.path.join(testdir, 'httpd', 'html', 'bad_acceptor_name')
|
||||
os.mkdir(bandir)
|
||||
@@ -661,6 +691,33 @@ def test_hostname_acceptor(testdir, testenv, logfile):
|
||||
return 0
|
||||
|
||||
|
||||
+def faketime_setup(testenv):
|
||||
+ libfaketime = '/usr/lib64/faketime/libfaketime.so.1'
|
||||
+ # optional faketime
|
||||
+ if not os.path.isfile(libfaketime):
|
||||
+ raise NotImplementedError
|
||||
+
|
||||
+ # spedup x100
|
||||
+ fakeenv = {'FAKETIME': '+0 x100'}
|
||||
+ fakeenv.update(testenv)
|
||||
+ fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime))
|
||||
+ return fakeenv
|
||||
+
|
||||
+
|
||||
+def http_restart(testdir, so_dir, testenv):
|
||||
+
|
||||
+ httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
|
||||
+ 'MALLOC_CHECK_': '3',
|
||||
+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
|
||||
+ httpenv.update(testenv)
|
||||
+
|
||||
+ httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
|
||||
+ config = os.path.join(testdir, 'httpd', 'httpd.conf')
|
||||
+ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
|
||||
+ env=httpenv, preexec_fn=os.setsid)
|
||||
+ return httpproc
|
||||
+
|
||||
+
|
||||
if __name__ == '__main__':
|
||||
args = parse_args()
|
||||
|
||||
@@ -722,6 +779,25 @@ if __name__ == '__main__':
|
||||
errs += test_basic_auth_krb5(testdir, testenv, logfile)
|
||||
|
||||
errs += test_no_negotiate(testdir, testenv, logfile)
|
||||
+
|
||||
+ # After this point we need to speed up httpd to test creds timeout
|
||||
+ try:
|
||||
+ fakeenv = faketime_setup(kdcenv)
|
||||
+ timeenv = {'TIMEOUT_USER': USR_NAME_4,
|
||||
+ 'MAG_USER_PASSWORD': USR_PWD}
|
||||
+ timeenv.update(fakeenv)
|
||||
+ curporc = httpproc
|
||||
+ pid = processes['HTTPD(%d)' % httpproc.pid].pid
|
||||
+ os.killpg(pid, signal.SIGTERM)
|
||||
+ time.sleep(1)
|
||||
+ del processes['HTTPD(%d)' % httpproc.pid]
|
||||
+ httpproc = http_restart(testdir, so_dir, timeenv)
|
||||
+ processes['HTTPD(%d)' % httpproc.pid] = httpproc
|
||||
+
|
||||
+ errs += test_basic_auth_timeout(testdir, timeenv, logfile)
|
||||
+ except NotImplementedError:
|
||||
+ sys.stderr.write('BASIC Timeout Behavior: SKIPPED\n')
|
||||
+
|
||||
except Exception:
|
||||
traceback.print_exc()
|
||||
finally:
|
||||
diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py
|
||||
new file mode 100755
|
||||
index 0000000..983dfd2
|
||||
--- /dev/null
|
||||
+++ b/tests/t_basic_timeout.py
|
||||
@@ -0,0 +1,34 @@
|
||||
+#!/usr/bin/env python
|
||||
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
|
||||
+
|
||||
+import os
|
||||
+import time
|
||||
+
|
||||
+import requests
|
||||
+from requests.auth import HTTPBasicAuth
|
||||
+
|
||||
+
|
||||
+if __name__ == '__main__':
|
||||
+ s = requests.Session()
|
||||
+ url = 'http://{}/basic_auth_timeout/auth/'.format(
|
||||
+ os.environ['NSS_WRAPPER_HOSTNAME']
|
||||
+ )
|
||||
+ url2 = 'http://{}/basic_auth_timeout/session/'.format(
|
||||
+ os.environ['NSS_WRAPPER_HOSTNAME']
|
||||
+ )
|
||||
+
|
||||
+ r = s.get(url, auth=HTTPBasicAuth(os.environ['TIMEOUT_USER'],
|
||||
+ os.environ['MAG_USER_PASSWORD']))
|
||||
+ if r.status_code != 200:
|
||||
+ raise ValueError('Basic Auth Failed')
|
||||
+
|
||||
+ time.sleep(301)
|
||||
+ r = s.get(url2)
|
||||
+ if r.status_code != 200:
|
||||
+ raise ValueError('Session Auth Failed')
|
||||
+
|
||||
+ time.sleep(401)
|
||||
+
|
||||
+ r = s.get(url2)
|
||||
+ if r.status_code == 200:
|
||||
+ raise ValueError('Timeout check Failed')
|
@ -1,28 +0,0 @@
|
||||
From c26b1aafbb9679b19b630a46eeb35a9dee61a95f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 13 Oct 2020 11:04:00 -0400
|
||||
Subject: [PATCH] Fix PATH handling bug in test suite
|
||||
|
||||
virtualenv relies on its executable being ahead of the system ones. For
|
||||
setting up the KDC, we don't have a preferencee - we just need the sbins
|
||||
to be available.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
(cherry picked from commit ae07252e356d8142ddd3987c9c3686ba7ee593de)
|
||||
---
|
||||
tests/magtests.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/magtests.py b/tests/magtests.py
|
||||
index e04fa65..082c6e4 100755
|
||||
--- a/tests/magtests.py
|
||||
+++ b/tests/magtests.py
|
||||
@@ -312,7 +312,7 @@ def setup_kdc(testdir, wrapenv):
|
||||
|
||||
kdcenv = wrapenv.copy()
|
||||
kdcenv.update({
|
||||
- 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
|
||||
+ 'PATH': f'{wrapenv["PATH"]}:/sbin:/bin:/usr/sbin:/usr/bin',
|
||||
'KRB5_CONFIG': krb5conf,
|
||||
'KRB5_KDC_PROFILE': kdcconf,
|
||||
'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
|
@ -1,31 +0,0 @@
|
||||
From 706494bde5c5124621006b857fc55529f9e8e0db Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Thu, 14 May 2020 18:04:47 -0400
|
||||
Subject: [PATCH] Fix distcheck
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||
(cherry picked from commit eb6de7e946d7ecc9292bb454d43ac05f0801adf7)
|
||||
---
|
||||
tests/Makefile.am | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index 70754fb..16d87e9 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -4,12 +4,14 @@ EXTRA_DIST = \
|
||||
401.html \
|
||||
httpd.conf \
|
||||
index.html \
|
||||
+ localname.html \
|
||||
magtests.py \
|
||||
t_bad_acceptor_name.py \
|
||||
t_basic_k5_fail_second.py \
|
||||
t_basic_k5.py \
|
||||
t_basic_k5_two_users.py \
|
||||
t_basic_proxy.py \
|
||||
+ t_localname.py \
|
||||
t_hostname_acceptor.py \
|
||||
t_nonego.py \
|
||||
t_required_name_attr.py \
|
@ -1,42 +0,0 @@
|
||||
From 2b96860d8cfcf48a54e59e2ca30fc8fdeb2b9d55 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Fri, 6 May 2022 22:54:45 +0200
|
||||
Subject: [PATCH 2/2]
|
||||
Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
|
||||
|
||||
---
|
||||
tests/t_localname.py | 13 +++++++++++--
|
||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tests/t_localname.py b/tests/t_localname.py
|
||||
index e990762c42aa9b370ac71292b5019fc63622c240..df94922b52673b5b7fd780ff3f319d22feb348ac 100755
|
||||
--- a/tests/t_localname.py
|
||||
+++ b/tests/t_localname.py
|
||||
@@ -45,13 +45,22 @@ if __name__ == '__main__':
|
||||
|
||||
mech = None
|
||||
if mech_name is not None:
|
||||
- mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
|
||||
+ try:
|
||||
+ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
|
||||
+ except AttributeError:
|
||||
+ # older version of gssapi that does not support mechs
|
||||
+ if mech_name == 'SPNEGO':
|
||||
+ mech = '<Mechanism spnego (1.3.6.1.5.5.2)>'
|
||||
+ elif mech_name == 'GS2-KRB5':
|
||||
+ mech = '<Mechanism krb5 (1.2.840.113554.1.2.2)>'
|
||||
+ else:
|
||||
+ sys.exit(42) # SKIP
|
||||
|
||||
try:
|
||||
auth = HTTPSPNEGOAuth(mech=mech)
|
||||
use_requests(auth)
|
||||
except TypeError:
|
||||
- # odler version of requests that does not support mechs
|
||||
+ # older version of requests that does not support mechs
|
||||
if mech_name == 'SPNEGO':
|
||||
use_curl()
|
||||
elif mech_name == 'GS2-KRB5':
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,39 +0,0 @@
|
||||
From 676ec5fe0b6c7c5126dbf84ef59ec4a5d5f87ede Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Tue, 26 Apr 2022 10:23:53 +0200
|
||||
Subject: [PATCH] Fix gss_localname with SPNEGO wrapping
|
||||
|
||||
Fix implemented upstream by Simo
|
||||
---
|
||||
src/mod_auth_gssapi.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
||||
index b0999737daedf88fa84a9d8b1543bbedc79194ab..c91aa60707ba9b237a84f95670d483f1a7eab86b 100644
|
||||
--- a/src/mod_auth_gssapi.c
|
||||
+++ b/src/mod_auth_gssapi.c
|
||||
@@ -1264,7 +1264,21 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
|
||||
#endif
|
||||
|
||||
if (cfg->map_to_local) {
|
||||
+ /* We have to play heuristics here as gss_localname does not work
|
||||
+ * as expected with SPNEGO-wrapped names.
|
||||
+ * http://krbdev.mit.edu/rt/Ticket/Display.html?id=8782
|
||||
+ */
|
||||
maj = gss_localname(&min, client, mech_type, &lname);
|
||||
+ if (maj != GSS_S_COMPLETE) {
|
||||
+ uint32_t sub_maj, sub_min;
|
||||
+ /* try fallback with no oid */
|
||||
+ sub_maj = gss_localname(&sub_min, client, GSS_C_NO_OID, &lname);
|
||||
+ if (sub_maj != GSS_S_UNAVAILABLE) {
|
||||
+ /* use second call errors only if they are meaningful */
|
||||
+ maj = sub_maj;
|
||||
+ min = sub_min;
|
||||
+ }
|
||||
+ }
|
||||
if (maj != GSS_S_COMPLETE) {
|
||||
mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
|
||||
"gss_localname() failed");
|
||||
--
|
||||
2.35.1
|
||||
|
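--- a/SOURCES/[patch filename not rendered on page: Fix integer sizes used with ap_set_flag_slot]
+++ /dev/null
@@ -1,38 +0,0 @@
-From d681fe586a4f4258c5d61237511dd19c1fa84904 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Tue, 19 Feb 2019 13:55:12 -0500
-Subject: [PATCH] Fix integer sizes used with ap_set_flag_slot()
-
-ap_set_flag_slot() requires a field of type `int`. Previously we
-passed type `bool` in two places, causing test failures on s390x
-because logging was not correctly configured.
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit f89b876be5619d750e6ab4ea6e730a9a26b1cac4)
-(cherry picked from commit 73c690ca9bd1d470c603f5e1ee48d2384941ae55)
----
-src/mod_auth_gssapi.h | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
-index 71404ff..8c0b972 100644
---- a/src/mod_auth_gssapi.h
-+++ b/src/mod_auth_gssapi.h
-@@ -79,7 +79,7 @@ struct mag_config {
-gid_t deleg_ccache_gid;
-gss_key_value_set_desc *cred_store;
-bool deleg_ccache_unique;
-- bool s4u2self;
-+ int s4u2self;
-char *ccname_envvar;
-#endif
-struct seal_key *mag_skey;
-@@ -90,7 +90,7 @@ struct mag_config {
-bool negotiate_once;
-struct mag_name_attributes *name_attributes;
-const char *required_na_expr;
-- bool enverrs;
-+ int enverrs;
-gss_name_t acceptor_name;
-bool acceptor_name_from_req;
-};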
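--- a/SOURCES/[patch filename not rendered on page: Fix mag_auth_basic function call]
+++ /dev/null
@@ -1,121 +0,0 @@
-From 1941fd1545b4786fee9464881239d74a91c55723 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 7 Feb 2019 14:48:56 -0500
-Subject: [PATCH] Fix mag_auth_basic function call.
-
-In order to respect the API we'd have to return nech_type as a copy of
-the mech found to correctly complete authentication.
-It would need to be a copy because the actual_mechs variable is an array
-of statically copied OIDs not an array of pointers.
-
-Instead change mag_auth_basic to directly call mag_complete() and
-mag_cache_basic on success. This is easier than attempting to handle
-copying out OIDs and then freeing them in the caller as GSSAPI does not
-offer standard APIs for copying OIDs.
-
-As a side-effect we reduce the number of arguments to mag_auth_gssapi,
-which is good, to the slight detriment of legibility in the main
-function as now you need to know mag_auth_basic() is already calling
-mag_complete(). The trade off is worth it though.
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-(cherry picked from commit 318db0b0e3777d4cfdc09eeef98e28c478607271)
----
-src/mod_auth_gssapi.c | 47 ++++++++++++++++++++-----------------------
-1 file changed, 22 insertions(+), 25 deletions(-)
-
-diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
-index 4048ee7..9e42ef4 100644
---- a/src/mod_auth_gssapi.c
-+++ b/src/mod_auth_gssapi.c
-@@ -493,15 +493,15 @@ done:
-return maj;
-}
-
--static bool mag_auth_basic(request_rec *req,
-- struct mag_config *cfg,
-- gss_buffer_desc ba_user,
-- gss_buffer_desc ba_pwd,
-- gss_name_t *client,
-- gss_OID *mech_type,
-- gss_cred_id_t *delegated_cred,
-- uint32_t *vtime)
-+static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
-+ gss_name_t client, gss_OID mech_type,
-+ uint32_t vtime, gss_cred_id_t delegated_cred);
-+
-+static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
-+ gss_buffer_desc ba_user, gss_buffer_desc ba_pwd)
-{
-+ struct mag_config *cfg = req_cfg->cfg;
-+ request_rec *req = req_cfg->req;
-const char *user_ccache = NULL;
-const char *orig_ccache = NULL;
-long long unsigned int rndname;
-@@ -512,9 +512,12 @@ static bool mag_auth_basic(request_rec *req,
-gss_OID_set allowed_mechs;
-gss_OID_set filtered_mechs;
-gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
-+ gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
-+ gss_name_t client = GSS_C_NO_NAME;
-+ uint32_t vtime;
-uint32_t maj, min;
-int present = 0;
-- bool ret = false;
-+ int ret = HTTP_UNAUTHORIZED;
-
-maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user);
-if (GSS_ERROR(maj)) {
-@@ -616,15 +619,21 @@ static bool mag_auth_basic(request_rec *req,
-
-for (int i = 0; i < actual_mechs->count; i++) {
-maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,
-- &actual_mechs->elements[i], 300, client, vtime,
-- delegated_cred);
-+ &actual_mechs->elements[i], 300, &client,
-+ &vtime, &delegated_cred);
-if (maj == GSS_S_COMPLETE) {
-- ret = true;
-+ ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],
-+ vtime, delegated_cred);
-+ if (ret == OK) {
-+ mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
-+ }
-break;
-}
-}
-
-done:
-+ gss_release_cred(&min, &delegated_cred);
-+ gss_release_name(&min, &client);
-gss_release_cred(&min, &server_cred);
-gss_release_name(&min, &user);
-gss_release_cred(&min, &user_cred);
-@@ -683,10 +692,6 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req)
-return req_cfg;
-}
-
--static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
-- gss_name_t client, gss_OID mech_type,
-- uint32_t vtime, gss_cred_id_t delegated_cred);
--
-#ifdef HAVE_CRED_STORE
-static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
-if (req_cfg->cfg->use_s4u2proxy) {
-@@ -1105,15 +1110,7 @@ static int mag_auth(request_rec *req)
-#endif
-
-if (auth_type == AUTH_TYPE_BASIC) {
-- if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
-- &client, &mech_type,
-- &delegated_cred, &vtime)) {
--
-- ret = mag_complete(req_cfg, mc, client, mech_type, vtime,
-- delegated_cred);
-- if (ret == OK)
-- mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
-- }
-+ ret = mag_auth_basic(req_cfg, mc, ba_user, ba_pwd);
-goto done;
-}
-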
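--- a/SOURCES/[patch filename not rendered on page: Fix tests to work with python3]
+++ /dev/null
@@ -1,47 +0,0 @@
-From 613933383aa352bb8f350f43ecb393a0604016cc Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Fri, 21 Dec 2018 11:50:16 -0500
-Subject: [PATCH] Fix tests to work with python3
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit 751eb09e7abf38f49fc525e1616d48a6f951673f)
-(cherry picked from commit d2748e79d31f153505f944b09a4790c6231dcd79)
----
-tests/magtests.py | 3 ++-
-tests/t_spnego_proxy.py | 2 +-
-2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 6414503..f14f47a 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -431,7 +431,7 @@ def kinit_user(testdir, kdcenv):
-stdin=subprocess.PIPE,
-stdout=logfile, stderr=logfile,
-env=testenv, preexec_fn=os.setsid)
-- kinit.communicate('%s\n' % USR_PWD)
-+ kinit.communicate(('%s\n' % USR_PWD).encode("utf8"))
-kinit.wait()
-if kinit.returncode != 0:
-raise ValueError('kinit failed')
-@@ -495,6 +495,7 @@ def test_spnego_auth(testdir, testenv, logfile):
-else:
-sys.stderr.write('SPNEGO No Auth: SUCCESS\n')
-
-+
-return error_count
-
-
-diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py
-index 6219721..c47558b 100755
---- a/tests/t_spnego_proxy.py
-+++ b/tests/t_spnego_proxy.py
-@@ -17,7 +17,7 @@ def getAuthToken(target):
-ctx = gssapi.SecurityContext(name=name, mech=spnego_mech)
-token = ctx.step()
-
-- return 'Negotiate %s' % b64encode(token)
-+ return 'Negotiate %s' % b64encode(token).decode()
-
-
-if __name__ == '__main__':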
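--- a/SOURCES/[patch filename not rendered on page: In tests, show the exception on failure]
+++ /dev/null
@@ -1,43 +0,0 @@
-From 3fc1f9f5d7f5a33900572b419ecdfd2d3672ceca Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Fri, 21 Dec 2018 10:50:49 -0500
-Subject: [PATCH] In tests, show the exception on failure
-
-Otherwise, the user might get nothing at all out, depending on what failed.
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit 881f98ee08f6d8d7a2352ab2f3e8e38845cf8039)
-(cherry picked from commit 1de81677f1878ea1667b56169fe714d685771b4e)
----
-tests/magtests.py | 4 +++-
-1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 576e88f..6414503 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -8,6 +8,7 @@ import shutil
-import signal
-import subprocess
-import sys
-+import traceback
-
-# check that we can import requests (for use in test scripts)
-import requests
-@@ -207,7 +208,6 @@ def setup_test_certs(testdir, testenv, logfile):
-with open(opensslcnf, 'w+') as f:
-f.write(text)
-
-- print(pkinit_key)
-cmd = subprocess.Popen(["openssl", "genrsa", "-out", pkinit_key,
-"2048"], stdout=logfile,
-stderr=logfile, env=testenv,
-@@ -718,6 +718,8 @@ if __name__ == '__main__':
-errs += test_basic_auth_krb5(testdir, testenv, logfile)
-
-errs += test_no_negotiate(testdir, testenv, logfile)
-+ except Exception:
-+ traceback.print_exc()
-finally:
-for name in processes:
-logfile.write("Killing %s\n" % name)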
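--- a/SOURCES/[patch filename not rendered on page: Move to python3 by default]
+++ /dev/null
@@ -1,198 +0,0 @@
-From eeca34dc64804a4b771800f54f0e0647ce88bdd4 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Tue, 13 Oct 2020 10:33:39 -0400
-Subject: [PATCH] Move to python3 by default
-
-When moving 2 -> 3, python elected to keep "python" as the name of the
-python2 interpreter. As a result, python3-only machines have no
-/usr/bin/python. Since python2 is EOL, it should be safe to make our
-scripting default to python3.
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit 840863f89ed4809602f1ca7b8ad650c0b979d20e)
-[rharwood@redhat.com: tests that don't exist yet, README prg/prk,
-contrib isn't packaged in dist tarballs]
----
-README | 4 ++--
-tests/magtests.py | 2 +-
-tests/t_bad_acceptor_name.py | 2 +-
-tests/t_basic_k5.py | 2 +-
-tests/t_basic_k5_fail_second.py | 2 +-
-tests/t_basic_k5_two_users.py | 2 +-
-tests/t_basic_proxy.py | 2 +-
-tests/t_basic_timeout.py | 2 +-
-tests/t_hostname_acceptor.py | 2 +-
-tests/t_nonego.py | 2 +-
-tests/t_required_name_attr.py | 2 +-
-tests/t_spnego.py | 2 +-
-tests/t_spnego_negotiate_once.py | 2 +-
-tests/t_spnego_no_auth.py | 2 +-
-tests/t_spnego_proxy.py | 2 +-
-tests/t_spnego_rewrite.py | 2 +-
-16 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/README b/README
-index 5eac94f..654a891 100644
---- a/README
-+++ b/README
-@@ -26,8 +26,8 @@ To run tests, you also need:
-
-* The Kerberos 5 Key-Distribution-Center (`krb5-kdc` package on Debian,
-`krb5-server` on Fedora)
--* Packages `mod_session`, `krb5-workstation`, `python-requests-kerberos`,
-- and `python-gssapi` on Fedora
-+* Packages `mod_session`, `krb5-workstation`, `python3-requests-gssapi`,
-+ and `python3-gssapi` on Fedora
-* Some tests require `krb5-pkinit` package on fedora and krb5 >= 1.15.
-* [nss_wrapper](https://cwrap.org/nss_wrapper.html), packaged in Fedora
-* [socket_wrapper](https://cwrap.org/socket_wrapper.html), packaged in Fedora
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 082c6e4..d0f0a67 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import argparse
-diff --git a/tests/t_bad_acceptor_name.py b/tests/t_bad_acceptor_name.py
-index 41ee48b..6cee588 100755
---- a/tests/t_bad_acceptor_name.py
-+++ b/tests/t_bad_acceptor_name.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_basic_k5.py b/tests/t_basic_k5.py
-index e499eac..4b24801 100755
---- a/tests/t_basic_k5.py
-+++ b/tests/t_basic_k5.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_basic_k5_fail_second.py b/tests/t_basic_k5_fail_second.py
-index 273e9a5..7e53218 100755
---- a/tests/t_basic_k5_fail_second.py
-+++ b/tests/t_basic_k5_fail_second.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_basic_k5_two_users.py b/tests/t_basic_k5_two_users.py
-index 41ffe98..3d27e9e 100755
---- a/tests/t_basic_k5_two_users.py
-+++ b/tests/t_basic_k5_two_users.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_basic_proxy.py b/tests/t_basic_proxy.py
-index 5370314..347b802 100755
---- a/tests/t_basic_proxy.py
-+++ b/tests/t_basic_proxy.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py
-index 983dfd2..007ff97 100755
---- a/tests/t_basic_timeout.py
-+++ b/tests/t_basic_timeout.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_hostname_acceptor.py b/tests/t_hostname_acceptor.py
-index 6d59e85..bb85700 100755
---- a/tests/t_hostname_acceptor.py
-+++ b/tests/t_hostname_acceptor.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license.
-
-import sys
-diff --git a/tests/t_nonego.py b/tests/t_nonego.py
-index 430001a..4e77f80 100755
---- a/tests/t_nonego.py
-+++ b/tests/t_nonego.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_required_name_attr.py b/tests/t_required_name_attr.py
-index bbfdc19..a67446b 100755
---- a/tests/t_required_name_attr.py
-+++ b/tests/t_required_name_attr.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_spnego.py b/tests/t_spnego.py
-index e7003a6..04190a9 100755
---- a/tests/t_spnego.py
-+++ b/tests/t_spnego.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_spnego_negotiate_once.py b/tests/t_spnego_negotiate_once.py
-index e8eb601..3d8e048 100755
---- a/tests/t_spnego_negotiate_once.py
-+++ b/tests/t_spnego_negotiate_once.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_spnego_no_auth.py b/tests/t_spnego_no_auth.py
-index abcccdf..c564388 100755
---- a/tests/t_spnego_no_auth.py
-+++ b/tests/t_spnego_no_auth.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py
-index c47558b..b917191 100755
---- a/tests/t_spnego_proxy.py
-+++ b/tests/t_spnego_proxy.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os
-diff --git a/tests/t_spnego_rewrite.py b/tests/t_spnego_rewrite.py
-index 2ed1d3e..202d76a 100755
---- a/tests/t_spnego_rewrite.py
-+++ b/tests/t_spnego_rewrite.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
-
-import os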
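--- a/SOURCES/[patch filename not rendered on page: tests - do not override the specific environment by the global one]
+++ /dev/null
@@ -1,166 +0,0 @@
-From bd2f8d20c589feae7249ccca28199d826d007667 Mon Sep 17 00:00:00 2001
-From: Stanislav Levin <slev@altlinux.org>
-Date: Thu, 6 Aug 2020 13:55:45 +0300
-Subject: [PATCH] tests: Don't override the specific environment by the global
-one
-
-This changes the way in which a test environment is prepared.
-
-Before:
-specific -> global
-
-After:
-global -> specific
-
-In particular, this allows setting PATH env variable differed from
-the global configuration.
-
-Fixes: https://github.com/gssapi/mod_auth_gssapi/issues/226
-Signed-off-by: Stanislav Levin <slev@altlinux.org>
-(cherry picked from commit 731761e63d72bf5656f40340daafce4e2d34bd92)
----
-tests/magtests.py | 78 +++++++++++++++++++++++++++++------------------
-1 file changed, 48 insertions(+), 30 deletions(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 1c0b26a..e04fa65 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -310,11 +310,13 @@ def setup_kdc(testdir, wrapenv):
-with open(kdcconf, 'w+') as f:
-f.write(text)
-
-- kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-- 'KRB5_CONFIG': krb5conf,
-- 'KRB5_KDC_PROFILE': kdcconf,
-- 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
-- kdcenv.update(wrapenv)
-+ kdcenv = wrapenv.copy()
-+ kdcenv.update({
-+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-+ 'KRB5_CONFIG': krb5conf,
-+ 'KRB5_KDC_PROFILE': kdcconf,
-+ 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
-+ })
-
-logfile = open(testlog, 'a')
-ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
-@@ -383,8 +385,10 @@ def setup_keys(tesdir, env):
-cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
-kadmin_local(cmd, env, logfile)
-
-- keys_env = {"KRB5_KTNAME": svc_keytab, }
-- keys_env.update(env)
-+ keys_env = env.copy()
-+ keys_env.update({
-+ "KRB5_KTNAME": svc_keytab,
-+ })
-return keys_env
-
-
-@@ -421,10 +425,12 @@ def setup_http(testdir, so_dir, wrapenv):
-
-shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
-
-- httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-- 'MALLOC_CHECK_': '3',
-- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
-- httpenv.update(wrapenv)
-+ httpenv = wrapenv.copy()
-+ httpenv.update({
-+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-+ 'MALLOC_CHECK_': '3',
-+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
-+ })
-
-httpd = "httpd" if distro == "Fedora" else "apache2"
-httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
-@@ -435,8 +441,10 @@ def setup_http(testdir, so_dir, wrapenv):
-def kinit_user(testdir, kdcenv):
-testlog = os.path.join(testdir, 'kinit.log')
-ccache = os.path.join(testdir, 'k5ccache')
-- testenv = {'KRB5CCNAME': ccache}
-- testenv.update(kdcenv)
-+ testenv = kdcenv.copy()
-+ testenv.update({
-+ 'KRB5CCNAME': ccache,
-+ })
-
-with (open(testlog, 'a')) as logfile:
-kinit = subprocess.Popen(["kinit", USR_NAME],
-@@ -457,8 +465,10 @@ def kinit_certuser(testdir, kdcenv):
-pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT)
-pkinit_key = os.path.join(testdir, PKINIT_KEY)
-ident = "X509_user_identity=FILE:" + pkinit_user_cert + "," + pkinit_key
-- testenv = {'KRB5CCNAME': ccache}
-- testenv.update(kdcenv)
-+ testenv = kdcenv.copy()
-+ testenv.update({
-+ 'KRB5CCNAME': ccache,
-+ })
-with (open(testlog, 'a')) as logfile:
-logfile.write('PKINIT for maguser3\n')
-kinit = subprocess.Popen(["kinit", USR_NAME_3, "-X", ident],
-@@ -711,17 +721,21 @@ def faketime_setup(testenv):
-raise NotImplementedError
-
-# spedup x100
-- fakeenv = {'FAKETIME': '+0 x100'}
-- fakeenv.update(testenv)
-- fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime))
-+ fakeenv = testenv.copy()
-+ fakeenv.update({
-+ 'FAKETIME': '+0 x100',
-+ 'LD_PRELOAD': ' '.join((testenv['LD_PRELOAD'], libfaketime)),
-+ })
-return fakeenv
-
-
-def http_restart(testdir, so_dir, testenv):
-- httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
-- 'MALLOC_CHECK_': '3',
-- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
-- httpenv.update(testenv)
-+ httpenv = testenv.copy()
-+ httpenv.update({
-+ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
-+ 'MALLOC_CHECK_': '3',
-+ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
-+ })
-
-httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
-config = os.path.join(testdir, 'httpd', 'httpd.conf')
-@@ -776,11 +790,13 @@ if __name__ == '__main__':
-sys.stderr.write("krb5 PKINIT module not found, skipping name "
-"attribute tests\n")
-
-- testenv = {'MAG_USER_NAME': USR_NAME,
-- 'MAG_USER_PASSWORD': USR_PWD,
-- 'MAG_USER_NAME_2': USR_NAME_2,
-- 'MAG_USER_PASSWORD_2': USR_PWD_2}
-- testenv.update(kdcenv)
-+ testenv = kdcenv.copy()
-+ testenv.update({
-+ 'MAG_USER_NAME': USR_NAME,
-+ 'MAG_USER_PASSWORD': USR_PWD,
-+ 'MAG_USER_NAME_2': USR_NAME_2,
-+ 'MAG_USER_PASSWORD_2': USR_PWD_2,
-+ })
-
-errs += test_basic_auth_krb5(testdir, testenv, logfile)
-
-@@ -789,9 +805,11 @@ if __name__ == '__main__':
-# After this point we need to speed up httpd to test creds timeout
-try:
-fakeenv = faketime_setup(kdcenv)
-- timeenv = {'TIMEOUT_USER': USR_NAME_4,
-- 'MAG_USER_PASSWORD': USR_PWD}
-- timeenv.update(fakeenv)
-+ timeenv = fakeenv.copy()
-+ timeenv.update({
-+ 'TIMEOUT_USER': USR_NAME_4,
-+ 'MAG_USER_PASSWORD': USR_PWD,
-+ })
-curporc = httpproc
-pid = processes['HTTPD(%d)' % httpproc.pid].pid
-os.killpg(pid, signal.SIGTERM)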
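--- a/SOURCES/[patch filename not rendered on page: tests - Fixup virtualenv handling]
+++ /dev/null
@@ -1,87 +0,0 @@
-From f106e3afa21cdbc098d3c82698585744e3325621 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Fri, 15 May 2020 15:56:50 -0400
-Subject: [PATCH] [tests] Fixup virtualenv handling
-
-Fixes an issue where virtualenv's PATH would get lost
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit e60384c0d4d4b4c213ec728ec3d444f998625941)
----
-tests/magtests.py | 21 ++++++++++-----------
-1 file changed, 10 insertions(+), 11 deletions(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index 6c38a8f..1c0b26a 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -67,6 +67,12 @@ def setup_wrappers(base):
-return wenv
-
-
-+def apply_venv(env):
-+ env['PATH'] = os.environ.get('PATH', '')
-+ env['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-+ return env
-+
-+
-TESTREALM = "MAG.DEV"
-KDC_DBNAME = 'db.file'
-KDC_STASH = 'stash.file'
-@@ -304,7 +310,7 @@ def setup_kdc(testdir, wrapenv):
-with open(kdcconf, 'w+') as f:
-f.write(text)
-
-- kdcenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
-+ kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-'KRB5_CONFIG': krb5conf,
-'KRB5_KDC_PROFILE': kdcconf,
-'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')}
-@@ -415,7 +421,7 @@ def setup_http(testdir, so_dir, wrapenv):
-
-shutil.copy('tests/401.html', os.path.join(httpdir, 'html'))
-
-- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
-+ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
-'MALLOC_CHECK_': '3',
-'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
-httpenv.update(wrapenv)
-@@ -712,8 +718,7 @@ def faketime_setup(testenv):
-
-
-def http_restart(testdir, so_dir, testenv):
--
-- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
-+ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}',
-'MALLOC_CHECK_': '3',
-'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)}
-httpenv.update(testenv)
-@@ -738,7 +743,7 @@ if __name__ == '__main__':
-logfile = open(os.path.join(testdir, 'tests.log'), 'w')
-errs = 0
-try:
-- wrapenv = setup_wrappers(testdir)
-+ wrapenv = apply_venv(setup_wrappers(testdir))
-
-kdcproc, kdcenv = setup_kdc(testdir, wrapenv)
-processes['KDC(%d)' % kdcproc.pid] = kdcproc
-@@ -749,10 +754,6 @@ if __name__ == '__main__':
-keysenv = setup_keys(testdir, kdcenv)
-testenv = kinit_user(testdir, kdcenv)
-
-- # support virtualenv
-- testenv['PATH'] = os.environ.get('PATH', '')
-- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
--
-testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
-USR_NAME + '@' + TESTREALM)
-errs += test_spnego_auth(testdir, testenv, logfile)
-@@ -780,8 +781,6 @@ if __name__ == '__main__':
-'MAG_USER_NAME_2': USR_NAME_2,
-'MAG_USER_PASSWORD_2': USR_PWD_2}
-testenv.update(kdcenv)
-- testenv['PATH'] = os.environ.get('PATH', '')
-- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-
-errs += test_basic_auth_krb5(testdir, testenv, logfile)
-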
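--- a/SOURCES/[patch filename not rendered on page: tests - Support Debian libfaketime]
+++ /dev/null
@@ -1,35 +0,0 @@
-From 27f7ca84a5a05f65e6d113a8a6698c7f40fd66c6 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Fri, 15 May 2020 15:51:19 -0400
-Subject: [PATCH] [tests] Support Debian's libfaketime
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit 367120a1c02641680a8f51bd59cc96d56cc9804b)
----
-tests/magtests.py | 13 ++++++++++---
-1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index da1cca7..6c38a8f 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -692,9 +692,16 @@ def test_hostname_acceptor(testdir, testenv, logfile):
-
-
-def faketime_setup(testenv):
-- libfaketime = '/usr/lib64/faketime/libfaketime.so.1'
-- # optional faketime
-- if not os.path.isfile(libfaketime):
-+ # Wanted: an architecture- and distro-agnostic way to do this.
-+ # libfaketime is installed in a place where ld.so won't pick it up by
-+ # default, so...
-+ paths = ['/usr/lib64/faketime/libfaketime.so.1',
-+ '/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1']
-+ libfaketime = None
-+ for p in paths:
-+ if os.path.isfile(p):
-+ libfaketime = p
-+ if not libfaketime:
-raise NotImplementedError
-
-# spedup x100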
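--- a/SOURCES/[patch filename not rendered on page: tests - Test suite fixes for virtualenv and clang]
+++ /dev/null
@@ -1,40 +0,0 @@
-From ce83aa116397fb71143e5b1363ce7563f7a4444d Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Mon, 11 Mar 2019 14:56:31 -0400
-Subject: [PATCH] [tests] Test suite fixes for virtualenv and clang
-
-- Typo fix - VIRTUAL_ENV in magtests.py
-- testenv object manipulation fix in magtests.py
-- Work around -fstack-clash-protection problems in clang
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit 6aa0a5bfe9d60a50cf36c561268c5d7c1fdb2f0e)
-[rharwood@redhat.com: drop Travis goo]
-(cherry picked from commit 11c966cc630393e322ef6b88df91d16247bbfc37)
----
-tests/magtests.py | 5 ++++-
-1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/tests/magtests.py b/tests/magtests.py
-index f14f47a..a4842a0 100755
---- a/tests/magtests.py
-+++ b/tests/magtests.py
-@@ -687,7 +687,7 @@ if __name__ == '__main__':
-
-# support virtualenv
-testenv['PATH'] = os.environ.get('PATH', '')
-- testenv['ViRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-+ testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-
-testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd',
-USR_NAME + '@' + TESTREALM)
-@@ -716,6 +716,9 @@ if __name__ == '__main__':
-'MAG_USER_NAME_2': USR_NAME_2,
-'MAG_USER_PASSWORD_2': USR_PWD_2}
-testenv.update(kdcenv)
-+ testenv['PATH'] = os.environ.get('PATH', '')
-+ testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '')
-+
-errs += test_basic_auth_krb5(testdir, testenv, logfile)
-
-errs += test_no_negotiate(testdir, testenv, logfile)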
@ -1,194 +0,0 @@
From 0dbf450a49784e2a750c667824e0e0249be575e4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 27 Apr 2022 18:18:22 +0200
Subject: [PATCH] Add test for gss_localname
Backport test for gss_localname implemented upstream by Simo
---
tests/httpd.conf | 13 ++++++++++
tests/localname.html | 1 +
tests/magtests.py | 47 ++++++++++++++++++++++++++++++++-
tests/t_localname.py | 62 ++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 122 insertions(+), 1 deletion(-)
create mode 100644 tests/localname.html
create mode 100755 tests/t_localname.py
diff --git a/tests/httpd.conf b/tests/httpd.conf
index f76f2b671e02515e6d4effe09ab123dace90c023..b3777574d9f0547560f24eff992fc1018569b5cc 100644
--- a/tests/httpd.conf
+++ b/tests/httpd.conf
@@ -274,6 +274,19 @@ CoreDumpDirectory "{HTTPROOT}"
Require valid-user
</Location>
+<Location /gss_localname>
+ AuthType GSSAPI
+ AuthName "Login"
+ GssapiSSLonly Off
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
+ GssapiBasicAuth Off
+ GssapiAllowedMech krb5
+ GssapiLocalName On
+ Require valid-user
+</Location>
+
<VirtualHost *:{PROXYPORT}>
ProxyRequests On
ProxyVia On
diff --git a/tests/localname.html b/tests/localname.html
new file mode 100644
index 0000000000000000000000000000000000000000..abf7c507de1eb32b31b882502eed5f2bbcc5fbf3
--- /dev/null
+++ b/tests/localname.html
@@ -0,0 +1 @@
+<!--#echo var="REMOTE_USER" -->
diff --git a/tests/magtests.py b/tests/magtests.py
index d0f0a67f075c6b631926e9abd91a665973d90f4a..d100413b371e7ecf4e09d944b7ff6e9bec7e316f 100755
--- a/tests/magtests.py
+++ b/tests/magtests.py
@@ -58,12 +58,20 @@ def setup_wrappers(base):
|
||||
f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME))
|
||||
f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME))
|
||||
|
||||
+ passwd_file = os.path.join(testdir, 'passwd')
|
||||
+ with open(passwd_file, 'w+') as f:
|
||||
+ f.write('root:x:0:0:root:/root:/bin/sh')
|
||||
+ f.write('maguser:x:1:1:maguser:/maguser:/bin/sh')
|
||||
+ f.write('maguser2:x:2:2:maguser2:/maguser2:/bin/sh')
|
||||
+ f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh')
|
||||
+
|
||||
wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
|
||||
'SOCKET_WRAPPER_DIR': wrapdir,
|
||||
'SOCKET_WRAPPER_DEFAULT_IFACE': '9',
|
||||
'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
|
||||
'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME,
|
||||
- 'NSS_WRAPPER_HOSTS': hosts_file}
|
||||
+ 'NSS_WRAPPER_HOSTS': hosts_file,
|
||||
+ 'NSS_WRAPPER_PASSWD': passwd_file}
|
||||
return wenv
|
||||
|
||||
|
||||
@@ -744,6 +752,40 @@ def http_restart(testdir, so_dir, testenv):
|
||||
return httpproc
|
||||
|
||||
|
||||
+def test_gss_localname(testdir, testenv, logfile):
|
||||
+ hdir = os.path.join(testdir, 'httpd', 'html', 'gss_localname')
|
||||
+ os.mkdir(hdir)
|
||||
+ shutil.copy('tests/localname.html', os.path.join(hdir, 'index.html'))
|
||||
+ error_count = 0
|
||||
+
|
||||
+ # Make sure spnego is explicitly tested
|
||||
+ spnego = subprocess.Popen(["tests/t_localname.py", "SPNEGO"],
|
||||
+ stdout=logfile, stderr=logfile,
|
||||
+ env=testenv, preexec_fn=os.setsid)
|
||||
+ spnego.wait()
|
||||
+ if spnego.returncode != 0:
|
||||
+ sys.stderr.write('LOCALNAME(SPNEGO): FAILED\n')
|
||||
+ error_count += 1
|
||||
+ else:
|
||||
+ sys.stderr.write('LOCALNAME(SPNEGO): SUCCESS\n')
|
||||
+
|
||||
+ # and bare krb5 (GS2-KRB5 is the name used by SASL for it)
|
||||
+ krb5 = subprocess.Popen(["tests/t_localname.py", "GS2-KRB5"],
|
||||
+ stdout=logfile, stderr=logfile,
|
||||
+ env=testenv, preexec_fn=os.setsid)
|
||||
+ krb5.wait()
|
||||
+ if krb5.returncode != 0:
|
||||
+ if krb5.returncode == 42:
|
||||
+ sys.stderr.write('LOCALNAME(KRB5): SKIPPED\n')
|
||||
+ else:
|
||||
+ sys.stderr.write('LOCALNAME(KRB5): FAILED\n')
|
||||
+ error_count += 1
|
||||
+ else:
|
||||
+ sys.stderr.write('LOCALNAME(KRB5): SUCCESS\n')
|
||||
+
|
||||
+ return error_count
|
||||
+
|
||||
+
|
||||
if __name__ == '__main__':
|
||||
args = parse_args()
|
||||
|
||||
@@ -781,6 +823,9 @@ if __name__ == '__main__':
|
||||
|
||||
errs += test_bad_acceptor_name(testdir, testenv, logfile)
|
||||
|
||||
+ testenv['MAG_REMOTE_USER'] = USR_NAME
|
||||
+ errs += test_gss_localname(testdir, testenv, logfile)
|
||||
+
|
||||
rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so"
|
||||
deb_path = "/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so"
|
||||
if os.path.exists(rpm_path) or os.path.exists(deb_path):
|
||||
diff --git a/tests/t_localname.py b/tests/t_localname.py
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..e990762c42aa9b370ac71292b5019fc63622c240
|
||||
--- /dev/null
|
||||
+++ b/tests/t_localname.py
|
||||
@@ -0,0 +1,62 @@
|
||||
+#!/usr/bin/env python3
|
||||
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
|
||||
+
|
||||
+import os
|
||||
+import subprocess
|
||||
+import sys
|
||||
+
|
||||
+import gssapi
|
||||
+
|
||||
+import requests
|
||||
+
|
||||
+from requests_gssapi import HTTPSPNEGOAuth
|
||||
+
|
||||
+
|
||||
+def use_requests(auth):
|
||||
+ sess = requests.Session()
|
||||
+ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
|
||||
+
|
||||
+ r = sess.get(url, auth=auth)
|
||||
+ if r.status_code != 200:
|
||||
+ raise ValueError('Localname failed')
|
||||
+
|
||||
+ if r.text.rstrip() != os.environ['MAG_REMOTE_USER']:
|
||||
+ raise ValueError('Localname, REMOTE_USER check failed')
|
||||
+
|
||||
+
|
||||
+def use_curl():
|
||||
+ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
|
||||
+ curl = subprocess.Popen(["curl", "--negotiate", "-u:", url],
|
||||
+ stdout=subprocess.PIPE)
|
||||
+ curl.wait()
|
||||
+ if curl.returncode != 0:
|
||||
+ raise ValueError('Localname failed')
|
||||
+
|
||||
+ line = curl.stdout.read().strip(b' \t\n\r').decode('utf-8')
|
||||
+ if line != os.environ['MAG_REMOTE_USER']:
|
||||
+ raise ValueError('Localname, REMOTE_USER check failed (%s != %s)' % (
|
||||
+ line, os.environ['MAG_REMOTE_USER']))
|
||||
+
|
||||
+
|
||||
+if __name__ == '__main__':
|
||||
+ mech_name = None
|
||||
+ if len(sys.argv) > 1:
|
||||
+ mech_name = sys.argv[1]
|
||||
+
|
||||
+ mech = None
|
||||
+ if mech_name is not None:
|
||||
+ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
|
||||
+
|
||||
+ try:
|
||||
+ auth = HTTPSPNEGOAuth(mech=mech)
|
||||
+ use_requests(auth)
|
||||
+ except TypeError:
|
||||
+ # odler version of requests that does not support mechs
|
||||
+ if mech_name == 'SPNEGO':
|
||||
+ use_curl()
|
||||
+ elif mech_name == 'GS2-KRB5':
|
||||
+ # older request versions use krb5 as the mech by default
|
||||
+ auth = HTTPSPNEGOAuth()
|
||||
+ use_requests(auth)
|
||||
+ else:
|
||||
+ sys.exit(42) # SKIP
|
||||
--
|
||||
2.35.1
|
||||
|
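--- a/crypto-Handle-EVP-changes-in-OpenSSL-3.patch
+++ b/crypto-Handle-EVP-changes-in-OpenSSL-3.patch
@@ -0,0 +1,36 @@
+From 74fd6dc6c3ba65e48c625d4724878721c46a5e6f Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 24 Aug 2021 15:04:13 -0400
+Subject: [PATCH] crypto: Handle EVP changes in OpenSSL 3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+OpenSSL 3 changes the padding behavior of EVP_DecryptFinal_ex(), which
+causes our decryption to fail. It is the opnion of the OpenSSL
+developers that mod_auth_gssapi's use of this function was incorrect.
+
+Patch suggested by Tomáš Mráz.
+
+Related: https://github.com/openssl/openssl/issues/16351
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 06d1f7d36d2455747e6e8231d28e6524ea1181f1)
+(cherry picked from commit 915a3d7fca3beefadd751562abe2d481354a2a9c)
+---
+src/crypto.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto.c b/src/crypto.c
+index 3f372a0..b3f7fd9 100644
+--- a/src/crypto.c
++++ b/src/crypto.c
+@@ -262,7 +262,7 @@ apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
+
+totlen += outlen;
+outlen = plain->length - totlen;
+- ret = EVP_DecryptFinal_ex(ctx, plain->value, &outlen);
++ ret = EVP_DecryptFinal_ex(ctx, plain->value + totlen, &outlen);
+if (ret == 0) goto done;
+
+totlen += outlen;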
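Review bot: The corrected call writes the final block at `plain->value + totlen`, but the `outlen = plain->length - totlen` assigned just above it is not a bound — EVP_DecryptFinal_ex treats its last argument as an output-only count and can write up to one cipher block, so the call silently relies on `plain` having been allocated with at least a block of slack beyond what EVP_DecryptUpdate produced. That allocation is not in the hunk (UNSEAL_BUFFER both starts and ends outside it), so I cannot confirm the invariant holds; a comment above the call, `/* outlen is output-only here: plain must have >= one block free past totlen */`, would at least record it for the next reader. If the slack is not guaranteed, an explicit `if (plain->length - totlen < EVP_CIPHER_CTX_block_size(ctx)) goto done;` before the call turns a potential heap overwrite on a malformed session blob into a clean failure.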
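--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-9
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}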
@ -1,42 +1,32 @@
|
||||
Name: mod_auth_gssapi
|
||||
Version: 1.6.1
|
||||
Release: 9%{?dist}
|
||||
Version: 1.6.3
|
||||
Release: 7%{?dist}
|
||||
Summary: A GSSAPI Authentication module for Apache
|
||||
|
||||
Group: System Environment/Daemons
|
||||
License: MIT
|
||||
URL: https://github.com/modauthgssapi/mod_auth_gssapi
|
||||
Source0: https://github.com/modauthgssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz
|
||||
URL: https://github.com/gssapi/mod_auth_gssapi
|
||||
Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz
|
||||
|
||||
Patch0: In-tests-show-the-exception-on-failure.patch
|
||||
Patch1: Fix-tests-to-work-with-python3.patch
|
||||
Patch2: tests-Test-suite-fixes-for-virtualenv-and-clang.patch
|
||||
Patch3: Fix-integer-sizes-used-with-ap_set_flag_slot.patch
|
||||
Patch4: Fix-mag_auth_basic-function-call.patch
|
||||
Patch6: Fix-distcheck.patch
|
||||
Patch7: Add-option-to-control-timeout-for-Basic-Auth.patch
|
||||
Patch8: tests-Support-Debian-s-libfaketime.patch
|
||||
Patch9: tests-Fixup-virtualenv-handling.patch
|
||||
Patch10: tests-Don-t-override-the-specific-environment-by-the.patch
|
||||
Patch11: Fix-PATH-handling-bug-in-test-suite.patch
|
||||
Patch12: Move-to-python3-by-default.patch
|
||||
Patch13: Fix-gss_localname-with-SPNEGO-wrapping.patch
|
||||
Patch14: tests-add-test-for-gss_localname.patch
|
||||
Patch15: Add-ability-to-expose-the-used-mechanism.patch
|
||||
Patch16: Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
|
||||
|
||||
BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool
|
||||
BuildRequires: gssntlmssp-devel
|
||||
BuildRequires: httpd-devel, krb5-devel, openssl-devel
|
||||
BuildRequires: autoconf, automake, libtool, bison, flex, make
|
||||
BuildRequires: git
|
||||
Requires: httpd-mmn = %{_httpd_mmn}
|
||||
Requires: krb5-libs >= 1.11.5
|
||||
|
||||
Patch0: crypto-Handle-EVP-changes-in-OpenSSL-3.patch
|
||||
|
||||
# If you're reading this: NTLM is insecure. Migrate off it.
|
||||
%if 0%{?rhel}
|
||||
%else
|
||||
BuildRequires: gssntlmssp-devel
|
||||
%endif
|
||||
|
||||
%description
|
||||
The mod_auth_gssapi module is an authentication service that implements the
|
||||
SPNEGO based HTTP Authentication protocol defined in RFC4559.
|
||||
|
||||
%prep
|
||||
%autosetup -S git
|
||||
%autosetup -S git_am
|
||||
|
||||
%build
|
||||
export APXS=%{_httpd_apxs}
|
||||
@ -61,41 +51,55 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
|
||||
%{_httpd_moddir}/mod_auth_gssapi.so
|
||||
|
||||
%changelog
|
||||
* Thu Apr 28 2022 Francisco Trivino <ftrivino@redhat.com> 1.6.1-9
|
||||
- Add missing repos to the osci tests
|
||||
- Fix gss localname test to work with older gssapi version
|
||||
- Resolves: #2083122
|
||||
- Add ability to expose the used mechanism
|
||||
- Resolves: #2046231
|
||||
* Wed Aug 25 2021 Robbie Harwood <rharwood@redhat.com> - 1.6.3-7
|
||||
- crypto: Handle EVP changes in OpenSSL 3
|
||||
- Resolves: #1992648
|
||||
|
||||
* Wed Apr 27 2022 Francisco Trivino <ftrivino@redhat.com> 1.6.1-8
|
||||
- Add test for gss_localname
|
||||
- Fix gss_localname with SPNEGO wrapping
|
||||
- Resolves: #1787630
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.3-6
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> 1.6.1-7.1
|
||||
- Bang on gating until the environment gives up
|
||||
- Resolves: #1866149
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.3-5
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> - 1.6.1-7
|
||||
- Backport basic auth timeout control
|
||||
- Resolves: #1866149
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.3-4
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Fri Mar 22 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-6
|
||||
- Gating update
|
||||
- Resolves: #1682259
|
||||
* Tue Mar 16 2021 Robbie Harwood <rharwood@redhat.com> - 1.6.3-3
|
||||
- Build dep adjustments; no Fedora code changes
|
||||
|
||||
* Mon Mar 18 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-5
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.3-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Wed Aug 05 2020 Robbie Harwood <rharwood@redhat.com> - 1.6.3-1
|
||||
- New upstream release (1.6.3)
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Apr 27 2020 Robbie Harwood <rharwood@redhat.com> - 1.6.2-1
|
||||
- New upstream release (1.6.2)
|
||||
- Resolves: #1828142
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Mon Mar 18 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-6
|
||||
- Test suite fixes for virtualenv and clang
|
||||
|
||||
* Tue Feb 19 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-5
|
||||
- Fix integer sizes used with ap_set_flag_slot()
|
||||
- Resolves: #1674501
|
||||
- Resolves: #1678872
|
||||
|
||||
* Mon Mar 18 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-4
|
||||
- Fix virtualenv logic and add gating
|
||||
- Resolves: #1682259
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Thu Mar 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-3
|
||||
* Thu Jan 03 2019 Robbie Harwood <rharwood@redhat.com> - 1.6.1-3
|
||||
- Fix tests to work with python3
|
||||
- Resolves: #1661589
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
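--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (mod_auth_gssapi-1.6.3.tar.gz) = 37ac1931c5be962e025bcc71eba377947b5b79bc270c384c0a03b2fb1ecfdefcad5f07b4d1f9dc3c7e2dfefa7f6ee4167cf6df6c1b8c0f24267afae55bfe29d5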
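--- a/tests/driver/runtest.sh
+++ b/tests/driver/runtest.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -ex
+
+cd ../source
+
+# Fake a build...
+mkdir -p src/.libs
+cp /usr/lib64/httpd/modules/mod_auth_gssapi.so src/.libs
+
+# ... and run the tests.
+./tests/magtests.py || (cat scratchdir/tests.log scratchdir/httpd/logs/error_log ; exit -1)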
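Review bot: `exit -1` on the last line is not a valid POSIX exit status; under `/bin/sh` as dash it is rejected as an illegal number, and under bash it wraps to 255, so the failure path of the test driver depends on which shell `/bin/sh` is. Use `exit 1` instead. The `cat` inside the same subshell will also fail with `-e` if either log file is missing, which hides the original test failure behind a cat error; `cat ... 2>/dev/null; exit 1` keeps the diagnostic best-effort. The `/usr/lib64/httpd/modules` path also hard-codes the RPM libdir, which is fine for the rhel-9 gating target named in gating.yaml but worth a comment.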
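--- a/tests/tests.yml
+++ b/tests/tests.yml
@@ -0,0 +1,41 @@
+---
+- hosts: localhost
+tags: classic
+tasks:
+- name: Grab EPEL
+shell: dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+args:
+warn: false
+
+- hosts: localhost
+tags: classic
+tasks:
+- name: Life is short
+shell: dnf -y builddep mod_auth_gssapi
+args:
+warn: false
+
+- hosts: localhost
+roles:
+- role: standard-test-source
+tags:
+- always
+- role: standard-test-basic
+tags:
+- atomic
+- classic
+required_packages:
+- gcc
+- libfaketime
+- krb5-devel
+- krb5-pkinit
+- krb5-workstation
+- krb5-server
+- krb5-workstation
+- mod_auth_gssapi # wut
+- mod_session
+- nss_wrapper
+- python3-requests-gssapi
+- python3-virtualenv
+- socket_wrapper
+tests:
+- driver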
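Review bot: The "Grab EPEL" task installs `epel-release-latest-8.noarch.rpm` while gating.yaml in the same change targets `rhel-9`; on a RHEL 9 host that release package configures EPEL 8 repositories, so the `dnf builddep` step that follows would pull EL8 packages or fail. The URL should track the target release, e.g. `epel-release-latest-9.noarch.rpm`, or better be derived from `ansible_distribution_major_version` so the playbook does not silently drift on the next rebase. Fetching and installing an unsigned RPM by URL via `shell:` also bypasses the `dnf` module's GPG handling; if the shell form is kept, a comment saying why (`warn: false` suggests the module form was deliberately avoided) would help the next maintainer.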