From 8eec9752d6bd27889f4a9b4f8ceb248794ee36e7 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 8 Nov 2022 01:31:09 -0500 Subject: [PATCH] import mod_auth_gssapi-1.6.1-9.el8 --- .gitignore | 1 + .mod_auth_gssapi.metadata | 1 + ...ability-to-expose-the-used-mechanism.patch | 262 ++++++++++++ ...on-to-control-timeout-for-Basic-Auth.patch | 372 ++++++++++++++++++ .../Fix-PATH-handling-bug-in-test-suite.patch | 28 ++ SOURCES/Fix-distcheck.patch | 31 ++ ...e-test-to-work-with-older-gssapi-ver.patch | 42 ++ ...x-gss_localname-with-SPNEGO-wrapping.patch | 39 ++ ...ger-sizes-used-with-ap_set_flag_slot.patch | 38 ++ .../Fix-mag_auth_basic-function-call.patch | 121 ++++++ SOURCES/Fix-tests-to-work-with-python3.patch | 47 +++ ...-tests-show-the-exception-on-failure.patch | 43 ++ SOURCES/Move-to-python3-by-default.patch | 198 ++++++++++ ...ride-the-specific-environment-by-the.patch | 166 ++++++++ SOURCES/tests-Fixup-virtualenv-handling.patch | 87 ++++ .../tests-Support-Debian-s-libfaketime.patch | 35 ++ ...suite-fixes-for-virtualenv-and-clang.patch | 40 ++ .../tests-add-test-for-gss_localname.patch | 194 +++++++++ SPECS/mod_auth_gssapi.spec | 201 ++++++++++ 19 files changed, 1946 insertions(+) create mode 100644 .gitignore create mode 100644 .mod_auth_gssapi.metadata create mode 100644 SOURCES/Add-ability-to-expose-the-used-mechanism.patch create mode 100644 SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch create mode 100644 SOURCES/Fix-PATH-handling-bug-in-test-suite.patch create mode 100644 SOURCES/Fix-distcheck.patch create mode 100644 SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch create mode 100644 SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch create mode 100644 SOURCES/Fix-integer-sizes-used-with-ap_set_flag_slot.patch create mode 100644 SOURCES/Fix-mag_auth_basic-function-call.patch create mode 100644 SOURCES/Fix-tests-to-work-with-python3.patch create mode 100644 SOURCES/In-tests-show-the-exception-on-failure.patch create mode 100644 SOURCES/Move-to-python3-by-default.patch create mode 100644 
SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch create mode 100644 SOURCES/tests-Fixup-virtualenv-handling.patch create mode 100644 SOURCES/tests-Support-Debian-s-libfaketime.patch create mode 100644 SOURCES/tests-Test-suite-fixes-for-virtualenv-and-clang.patch create mode 100644 SOURCES/tests-add-test-for-gss_localname.patch create mode 100644 SPECS/mod_auth_gssapi.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..82535fc --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/mod_auth_gssapi-1.6.1.tar.gz diff --git a/.mod_auth_gssapi.metadata b/.mod_auth_gssapi.metadata new file mode 100644 index 0000000..5b8ef04 --- /dev/null +++ b/.mod_auth_gssapi.metadata @@ -0,0 +1 @@ +5dfc4eef25efad5313724bd6a1e55266a6667302 SOURCES/mod_auth_gssapi-1.6.1.tar.gz diff --git a/SOURCES/Add-ability-to-expose-the-used-mechanism.patch b/SOURCES/Add-ability-to-expose-the-used-mechanism.patch new file mode 100644 index 0000000..0352af8 --- /dev/null +++ b/SOURCES/Add-ability-to-expose-the-used-mechanism.patch 
@@ -0,0 +1,262 @@ +From 46caec4def9fd8df21e560db065b755e1d87354d Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Fri, 6 May 2022 22:54:45 +0200 +Subject: [PATCH 1/2] Add-ability-to-expose-the-used-mechanism.patch + +--- + README | 15 +++++++++++++++ + src/environ.c | 39 +++++++++++++++++++++++++++++++++++++++ + src/environ.h | 2 ++ + src/mod_auth_gssapi.c | 7 +++++++ + src/mod_auth_gssapi.h | 1 + + tests/Makefile.am | 4 +++- + tests/httpd.conf | 15 +++++++++++++++ + tests/magtests.py | 18 ++++++++++++++++++ + tests/mech.html | 1 + + tests/t_mech_name.py | 19 +++++++++++++++++++ + 10 files changed, 120 insertions(+), 1 deletion(-) + create mode 100644 tests/mech.html + create mode 100755 tests/t_mech_name.py + +diff --git a/README b/README +index 654a8918cc1cd078d84b8e571596444e262e83af..bbf2657d47c9b111e20fdc2b76fde8799c76e3cd 100644 +--- a/README ++++ b/README +@@ -109,6 +109,7 @@ Configuration Directives + [GssapiNameAttributes](#gssapinameattributes)
+ [GssapiNegotiateOnce](#gssapinegotiateonce)
+ [GssapiPublishErrors](#gssapipublisherrors)
++[GssapiPublishMech](#gssapipublishmech)
+ [GssapiRequiredNameAttributes](#gssapirequirednameattributes)
+ [GssapiSessionKey](#gssapisessionkey)
+ [GssapiSignalPersistentAuth](#gssapisignalpersistentauth)
+@@ -527,3 +528,17 @@ Note: the value is specified in seconds. + Sets ticket/session validity to 10 hours. + + ++### GssapiPublishMech ++ ++This option is used to publish the mech used for authentication as an ++Environment variable named GSS_MECH. ++ ++It will return a string of the form 'Authtype/Mechname'. ++Authtype represents the type of auth performed by the module. Possible values ++are 'Basic', 'Negotiate', 'NTLM', 'Impersonate'. ++Mechname is the name of the mechanism as reported by GSSAPI or the OID of the ++mechanism if a name is not available. In case of errors the 'Unavailable' ++string may also be returned for either Authtype or Mechname. ++ ++- **Enable with:** GssapiPublishMech On ++- **Default:** GssapiPublishMech Off +\ No newline at end of file +diff --git a/src/environ.c b/src/environ.c +index 7ee56a1ba434d5c1041968fb3f64191340cb0ea7..71a8564284cafa62c4cbeaf7ab8484a48c064e66 100644 +--- a/src/environ.c ++++ b/src/environ.c +@@ -498,3 +498,42 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min, + if (mag_err) + apr_table_set(req->subprocess_env, "MAG_ERROR", mag_err); + } ++ ++ ++void mag_publish_mech(request_rec *req, struct mag_conn *mc, ++ const char *auth_type, gss_OID mech_type) ++{ ++ gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc mech_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc mech_description = GSS_C_EMPTY_BUFFER; ++ char *mechdata; ++ uint32_t maj, min; ++ ++ maj = gss_inquire_saslname_for_mech(&min, mech_type, &sasl_mech_name, ++ &mech_name, &mech_description); ++ if (maj != GSS_S_COMPLETE) { ++ /* something failed, let's try to get a string OID */ ++ /* and if that fails there is nothing we can do */ ++ maj = gss_oid_to_str(&min, mech_type, &mech_name); ++ if (maj != GSS_S_COMPLETE) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, ++ "Failed to source mechanism name or OID"); ++ mech_name.value = strdup("Unavailable"); ++ mech_name.length = strlen(mech_name.value); ++ } ++ } ++ ++ 
mechdata = apr_psprintf(req->pool, "%s/%.*s", auth_type, ++ (int)mech_name.length, ++ (char *)mech_name.value); ++ ++ apr_table_set(mc->env, "GSS_MECH", mechdata); ++ ++ /* also log at info level */ ++ ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req, ++ "User %s authenticated with %s", mc->gss_name, mechdata); ++ ++ (void)gss_release_buffer(&min, &sasl_mech_name); ++ (void)gss_release_buffer(&min, &mech_name); ++ (void)gss_release_buffer(&min, &mech_description); ++} +diff --git a/src/environ.h b/src/environ.h +index 40bca9877f600246d19a3bf4be370310636ce6c7..b0813da6508df7c5594b51cada7712dc44393e44 100644 +--- a/src/environ.h ++++ b/src/environ.h +@@ -18,3 +18,5 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min, + const char *gss_err, const char *mag_err); + void mag_set_req_attr_fail(request_rec *req, struct mag_config *cfg, + struct mag_conn *mc); ++void mag_publish_mech(request_rec *req, struct mag_conn *mc, ++ const char *auth_type, gss_OID mech_type); +diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c +index c91aa60707ba9b237a84f95670d483f1a7eab86b..93c43308585cf140297de82e118a367f69d25a92 100644 +--- a/src/mod_auth_gssapi.c ++++ b/src/mod_auth_gssapi.c +@@ -1289,6 +1289,10 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc, + mc->user_name = apr_pstrdup(mc->pool, mc->gss_name); + } + ++ if (cfg->pubmech) { ++ mag_publish_mech(req, mc, mag_str_auth_type(mc->auth_type), mech_type); ++ } ++ + mc->established = true; + if (req_cfg->use_sessions) { + mag_attempt_session(req_cfg, mc); +@@ -1894,6 +1898,9 @@ static const command_rec mag_commands[] = { + AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot, + (void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG, + "Publish GSSAPI Errors in Envionment Variables"), ++ AP_INIT_FLAG("GssapiPublishMech", ap_set_flag_slot, ++ (void *)APR_OFFSETOF(struct mag_config, pubmech), OR_AUTHCFG, ++ "Publish GSSAPI Mech Name in Envionment Variables"), + 
AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG, + "Name of the acceptor credentials."), + AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL, +diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h +index 2312ab57f4b2e0bd50f191018b081a3ecb86f15a..8ab3bdc57be793cc493176c02910219e905900e9 100644 +--- a/src/mod_auth_gssapi.h ++++ b/src/mod_auth_gssapi.h +@@ -91,6 +91,7 @@ struct mag_config { + struct mag_name_attributes *name_attributes; + const char *required_na_expr; + int enverrs; ++ int pubmech; + gss_name_t acceptor_name; + bool acceptor_name_from_req; + uint32_t basic_timeout; +diff --git a/tests/Makefile.am b/tests/Makefile.am +index c830e951d04316e4cbc76fa3b5961baedb516ec6..2ddb46ea30e6ebf9ff0b30278c609178d02c1efc 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -6,14 +6,16 @@ EXTRA_DIST = \ + index.html \ + localname.html \ + magtests.py \ ++ mech.html \ + t_bad_acceptor_name.py \ + t_basic_k5_fail_second.py \ + t_basic_k5.py \ + t_basic_k5_two_users.py \ + t_basic_proxy.py \ + t_basic_timeout.py \ +- t_localname.py \ + t_hostname_acceptor.py \ ++ t_localname.py \ ++ t_mech_name.py \ + t_nonego.py \ + t_required_name_attr.py \ + t_spnego_negotiate_once.py \ +diff --git a/tests/httpd.conf b/tests/httpd.conf +index b3777574d9f0547560f24eff992fc1018569b5cc..775294b7d600e82c3955316a2d5b667c8b3c5581 100644 +--- a/tests/httpd.conf ++++ b/tests/httpd.conf +@@ -331,3 +331,18 @@ CoreDumpDirectory "{HTTPROOT}" + GssapiSessionKey file:{HTTPROOT}/session.key + Require valid-user + ++ ++ ++ Options +Includes ++ AddOutputFilter INCLUDES .html ++ AuthType GSSAPI ++ AuthName "Password Login" ++ GssapiSSLonly Off ++ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache ++ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab ++ GssapiCredStore keytab:{HTTPROOT}/http.keytab ++ GssapiBasicAuth On ++ GssapiBasicAuthMech krb5 ++ GssapiPublishMech On ++ Require valid-user ++ +\ No newline at end of file +diff --git 
a/tests/magtests.py b/tests/magtests.py +index d100413b371e7ecf4e09d944b7ff6e9bec7e316f..9aba68f826a37a890bfefb62665697eef7d07dfa 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -786,6 +786,22 @@ def test_gss_localname(testdir, testenv, logfile): + return error_count + + ++def test_mech_name(testdir, testenv, logfile): ++ basicdir = os.path.join(testdir, 'httpd', 'html', 'mech_name') ++ os.mkdir(basicdir) ++ shutil.copy('tests/mech.html', basicdir) ++ ++ mname = subprocess.Popen(["tests/t_mech_name.py"], ++ stdout=logfile, stderr=logfile, ++ env=testenv, preexec_fn=os.setsid) ++ mname.wait() ++ if mname.returncode != 0: ++ sys.stderr.write('MECH-NAME: FAILED\n') ++ return 1 ++ sys.stderr.write('MECH-NAME: SUCCESS\n') ++ return 0 ++ ++ + if __name__ == '__main__': + args = parse_args() + +@@ -847,6 +863,8 @@ if __name__ == '__main__': + + errs += test_no_negotiate(testdir, testenv, logfile) + ++ errs += test_mech_name(testdir, testenv, logfile) ++ + # After this point we need to speed up httpd to test creds timeout + try: + fakeenv = faketime_setup(kdcenv) +diff --git a/tests/mech.html b/tests/mech.html +new file mode 100644 +index 0000000000000000000000000000000000000000..bb7b3cd5278f055e278a7dfde73c15aa400a6a17 +--- /dev/null ++++ b/tests/mech.html +@@ -0,0 +1 @@ ++ +diff --git a/tests/t_mech_name.py b/tests/t_mech_name.py +new file mode 100755 +index 0000000000000000000000000000000000000000..69f451f2bbe58a16f61418f96eca26e7994bcb8a +--- /dev/null ++++ b/tests/t_mech_name.py +@@ -0,0 +1,19 @@ ++#!/usr/bin/env python3 ++# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. 
++ ++import os ++import requests ++from requests.auth import HTTPBasicAuth ++ ++ ++if __name__ == '__main__': ++ url = 'http://%s/mech_name/mech.html' % os.environ['NSS_WRAPPER_HOSTNAME'] ++ r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'], ++ os.environ['MAG_USER_PASSWORD'])) ++ if r.status_code != 200: ++ raise ValueError('Basic Auth Failed') ++ ++ if r.text.rstrip() != 'Basic/krb5': ++ raise ValueError( ++ 'GSS_MECH check failed, expected Basic/krb5, got "%s"' % ++ r.text.rstrip()) +-- +2.35.3 + diff --git a/SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch b/SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch new file mode 100644 index 0000000..1f70a64 --- /dev/null +++ b/SOURCES/Add-option-to-control-timeout-for-Basic-Auth.patch @@ -0,0 +1,372 @@ +From b4ddd657ccc7793df9378209433f0142195a94d1 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 14 May 2020 09:19:37 -0400 +Subject: [PATCH] Add option to control timeout for Basic Auth + +Adds new option and tests. +Adds optional dependency on libfaketime to test this feature. + +Fixes: #210 +Signed-off-by: Simo Sorce +Merges: #217 +Reviewed-by: Robbie Harwood +(cherry picked from commit 09df7584b4abadbfea411adafdcc825da5b720d3) +[rharwood@redhat.com: git got confused by not having localname test] +--- + README | 24 +++++++++++++ + src/mod_auth_gssapi.c | 27 +++++++++++--- + src/mod_auth_gssapi.h | 1 + + tests/Makefile.am | 1 + + tests/httpd.conf | 32 ++++++++++++++++- + tests/magtests.py | 76 ++++++++++++++++++++++++++++++++++++++++ + tests/t_basic_timeout.py | 34 ++++++++++++++++++ + 7 files changed, 190 insertions(+), 5 deletions(-) + create mode 100755 tests/t_basic_timeout.py + +diff --git a/README b/README +index 700b57e..5eac94f 100644 +--- a/README ++++ b/README +@@ -97,6 +97,7 @@ Configuration Directives + [GssapiAllowedMech](#gssapiallowedmech)
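Review bot: In mag_publish_mech the fallback `mech_name.value = strdup("Unavailable"); mech_name.length = strlen(mech_name.value);` dereferences NULL if strdup() fails, and the strdup'd pointer is later handed to gss_release_buffer(), which pairs a libc allocation with the GSS library's release routine (probably harmless on MIT/Heimdal, but not something the API promises). Keeping the fallback as a static string and formatting from a separate pointer/length pair avoids both problems; the rewritten head of the function is below. The help text of the new GssapiPublishMech directive also copies the neighbouring typo `Envionment`.
```c
void mag_publish_mech(request_rec *req, struct mag_conn *mc,
                      const char *auth_type, gss_OID mech_type)
{
    gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
    gss_buffer_desc mech_name = GSS_C_EMPTY_BUFFER;
    gss_buffer_desc mech_description = GSS_C_EMPTY_BUFFER;
    /* static fallback; never handed to gss_release_buffer() */
    const char *name = "Unavailable";
    int name_len = (int)strlen("Unavailable");
    char *mechdata;
    uint32_t maj, min;

    maj = gss_inquire_saslname_for_mech(&min, mech_type, &sasl_mech_name,
                                        &mech_name, &mech_description);
    if (maj != GSS_S_COMPLETE) {
        /* something failed, let's try to get a string OID */
        maj = gss_oid_to_str(&min, mech_type, &mech_name);
    }
    if (maj == GSS_S_COMPLETE) {
        name = (const char *)mech_name.value;
        name_len = (int)mech_name.length;
    } else {
        /* nothing more we can do, publish the static placeholder */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
                      "Failed to source mechanism name or OID");
    }

    mechdata = apr_psprintf(req->pool, "%s/%.*s", auth_type, name_len, name);
    /* … unchanged: apr_table_set, info log, gss_release_buffer calls … */
```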
+ [GssapiBasicAuth](#gssapibasicauth)
+ [GssapiBasicAuthMech](#gssapibasicauthmech)
++[GssapiBasicTicketTimeout](#gssapibasicticketvalidity)
+ [GssapiConnectionBound](#gssapiconnectionbound)
+ [GssapiCredStore](#gssapicredstore)
+ [GssapiDelegCcacheDir](#gssapidelegccachedir)
+@@ -503,3 +504,26 @@ Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example). + GssapiAcceptorName HTTP@www.example.com + + ++### GssapiBasicTicketTimeout ++ ++This option controls the ticket validity time requested for the user TGT by the ++Basic Auth method. ++ ++Normally basic auth is repeated by the browser on each request so a short ++validity period is used to reduce the scope of the ticket as it will be ++replaced quickly. ++However in cases where the authentication page is separate and the session ++is used by other pages the validity can be changed to arbitrary duration. ++ ++Note: the validity of a ticket is still capped by KDC configuration. ++ ++Note: the value is specified in seconds. ++ ++- **Default:** GssapiBasicTicketTimeout 300 ++ ++#### Example ++ GssapiBasicTicketTimeout 36000 ++ ++Sets ticket/session validity to 10 hours. ++ ++ +diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c +index 9e42ef4..b099973 100644 +--- a/src/mod_auth_gssapi.c ++++ b/src/mod_auth_gssapi.c +@@ -1,4 +1,5 @@ +-/* Copyright (C) 2014, 2016 mod_auth_gssapi contributors - See COPYING for (C) terms */ ++/* Copyright (C) 2014, 2016, 2020 mod_auth_gssapi contributors ++ * See COPYING for (C) terms */ + + #include "mod_auth_gssapi.h" + #include "mag_parse.h" +@@ -600,7 +601,7 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc, + } + + maj = gss_acquire_cred_with_password(&min, user, &ba_pwd, +- GSS_C_INDEFINITE, ++ cfg->basic_timeout, + allowed_mechs, + GSS_C_INITIATE, + &user_cred, &actual_mechs, NULL); +@@ -619,8 +620,8 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc, + + for (int i = 0; i < actual_mechs->count; i++) { + maj = mag_context_loop(&min, req, cfg, user_cred, server_cred, +- &actual_mechs->elements[i], 300, &client, +- &vtime, &delegated_cred); ++ &actual_mechs->elements[i], cfg->basic_timeout, ++ &client, &vtime, &delegated_cred); + if (maj == GSS_S_COMPLETE) { + ret = 
mag_complete(req_cfg, mc, client, &actual_mechs->elements[i], + vtime, delegated_cred); +@@ -1299,6 +1300,7 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir) + #ifdef HAVE_CRED_STORE + cfg->ccname_envvar = "KRB5CCNAME"; + #endif ++ cfg->basic_timeout = 300; + + return cfg; + } +@@ -1789,6 +1791,21 @@ static const char *mag_acceptor_name(cmd_parms *parms, void *mconfig, + return NULL; + } + ++static const char *mag_basic_timeout(cmd_parms *parms, void *mconfig, ++ const char *w) ++{ ++ struct mag_config *cfg = (struct mag_config *)mconfig; ++ unsigned long int value; ++ ++ value = strtoul(w, NULL, 10); ++ if (value >= UINT32_MAX) { ++ cfg->basic_timeout = GSS_C_INDEFINITE; ++ return NULL; ++ } ++ cfg->basic_timeout = value; ++ return NULL; ++} ++ + static void *mag_create_server_config(apr_pool_t *p, server_rec *s) + { + struct mag_server_config *scfg; +@@ -1865,6 +1882,8 @@ static const command_rec mag_commands[] = { + "Publish GSSAPI Errors in Envionment Variables"), + AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG, + "Name of the acceptor credentials."), ++ AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL, ++ OR_AUTHCFG, "Ticket Validity Timeout with Basic Auth."), + { NULL } + }; + +diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h +index 8c0b972..2312ab5 100644 +--- a/src/mod_auth_gssapi.h ++++ b/src/mod_auth_gssapi.h +@@ -93,6 +93,7 @@ struct mag_config { + int enverrs; + gss_name_t acceptor_name; + bool acceptor_name_from_req; ++ uint32_t basic_timeout; + }; + + struct mag_server_config { +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 16d87e9..c830e95 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -11,6 +11,7 @@ EXTRA_DIST = \ + t_basic_k5.py \ + t_basic_k5_two_users.py \ + t_basic_proxy.py \ ++ t_basic_timeout.py \ + t_localname.py \ + t_hostname_acceptor.py \ + t_nonego.py \ +diff --git a/tests/httpd.conf b/tests/httpd.conf +index 8c91e1c..f76f2b6 100644 +--- 
a/tests/httpd.conf ++++ b/tests/httpd.conf +@@ -111,7 +111,7 @@ DocumentRoot "{HTTPROOT}/html" + PidFile "{HTTPROOT}/logs/httpd.pid" + + +-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\"" combined ++LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\" \"%{{Cookie}}i\"" combined + CustomLog "logs/access_log" combined + + +@@ -288,3 +288,33 @@ CoreDumpDirectory "{HTTPROOT}" + Require valid-user + + ++ ++ ++ Options +Includes ++ AddOutputFilter INCLUDES .html ++ AuthType GSSAPI ++ AuthName "Password Login" ++ GssapiSSLonly Off ++ GssapiUseSessions On ++ Session On ++ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly ++ GssapiSessionKey file:{HTTPROOT}/session.key ++ GssapiCredStore keytab:{HTTPROOT}/http.keytab ++ GssapiBasicAuth On ++ GssapiBasicAuthMech krb5 ++ GssapiBasicTicketTimeout 400 ++ GssapiDelegCcacheDir {HTTPROOT} ++ Require valid-user ++ ++ ++ Options +Includes ++ AddOutputFilter INCLUDES .html ++ AuthType GSSAPI ++ AuthName "Session Login" ++ GssapiSSLonly Off ++ GssapiUseSessions On ++ Session On ++ SessionCookieName gssapi_session path=/basic_auth_timeout;httponly ++ GssapiSessionKey file:{HTTPROOT}/session.key ++ Require valid-user ++ +diff --git a/tests/magtests.py b/tests/magtests.py +index a4842a0..da1cca7 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -3,11 +3,13 @@ + + import argparse + import os ++import os.path + import random + import shutil + import signal + import subprocess + import sys ++import time + import traceback + + # check that we can import requests (for use in test scripts) +@@ -341,6 +343,7 @@ USR_PWD_2 = "magpwd2" + USR_NAME_3 = "maguser3" + SVC_KTNAME = "httpd/http.keytab" + KEY_TYPE = "aes256-cts-hmac-sha1-96:normal" ++USR_NAME_4 = "timeoutusr" + + + def setup_keys(tesdir, env): +@@ -361,6 +364,9 @@ def setup_keys(tesdir, env): + cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2) + kadmin_local(cmd, env, logfile) + ++ cmd = 
"addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4) ++ kadmin_local(cmd, env, logfile) ++ + # alias for multinamed hosts testing + alias_name = "HTTP/%s" % WRAP_ALIASNAME + cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name) +@@ -600,6 +606,30 @@ def test_basic_auth_krb5(testdir, testenv, logfile): + return error_count + + ++def test_basic_auth_timeout(testdir, testenv, logfile): ++ httpdir = os.path.join(testdir, 'httpd') ++ timeoutdir = os.path.join(httpdir, 'html', 'basic_auth_timeout') ++ os.mkdir(timeoutdir) ++ authdir = os.path.join(timeoutdir, 'auth') ++ os.mkdir(authdir) ++ sessdir = os.path.join(timeoutdir, 'session') ++ os.mkdir(sessdir) ++ shutil.copy('tests/index.html', os.path.join(authdir)) ++ shutil.copy('tests/index.html', os.path.join(sessdir)) ++ ++ basictout = subprocess.Popen(["tests/t_basic_timeout.py"], ++ stdout=logfile, stderr=logfile, ++ env=testenv, preexec_fn=os.setsid) ++ basictout.wait() ++ if basictout.returncode != 0: ++ sys.stderr.write('BASIC Timeout Behavior: FAILED\n') ++ return 1 ++ else: ++ sys.stderr.write('BASIC Timeout Behavior: SUCCESS\n') ++ ++ return 0 ++ ++ + def test_bad_acceptor_name(testdir, testenv, logfile): + bandir = os.path.join(testdir, 'httpd', 'html', 'bad_acceptor_name') + os.mkdir(bandir) +@@ -661,6 +691,33 @@ def test_hostname_acceptor(testdir, testenv, logfile): + return 0 + + ++def faketime_setup(testenv): ++ libfaketime = '/usr/lib64/faketime/libfaketime.so.1' ++ # optional faketime ++ if not os.path.isfile(libfaketime): ++ raise NotImplementedError ++ ++ # spedup x100 ++ fakeenv = {'FAKETIME': '+0 x100'} ++ fakeenv.update(testenv) ++ fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime)) ++ return fakeenv ++ ++ ++def http_restart(testdir, so_dir, testenv): ++ ++ httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin', ++ 'MALLOC_CHECK_': '3', ++ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)} ++ httpenv.update(testenv) ++ ++ httpd = "httpd" if 
os.path.exists("/etc/httpd/modules") else "apache2" ++ config = os.path.join(testdir, 'httpd', 'httpd.conf') ++ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config], ++ env=httpenv, preexec_fn=os.setsid) ++ return httpproc ++ ++ + if __name__ == '__main__': + args = parse_args() + +@@ -722,6 +779,25 @@ if __name__ == '__main__': + errs += test_basic_auth_krb5(testdir, testenv, logfile) + + errs += test_no_negotiate(testdir, testenv, logfile) ++ ++ # After this point we need to speed up httpd to test creds timeout ++ try: ++ fakeenv = faketime_setup(kdcenv) ++ timeenv = {'TIMEOUT_USER': USR_NAME_4, ++ 'MAG_USER_PASSWORD': USR_PWD} ++ timeenv.update(fakeenv) ++ curporc = httpproc ++ pid = processes['HTTPD(%d)' % httpproc.pid].pid ++ os.killpg(pid, signal.SIGTERM) ++ time.sleep(1) ++ del processes['HTTPD(%d)' % httpproc.pid] ++ httpproc = http_restart(testdir, so_dir, timeenv) ++ processes['HTTPD(%d)' % httpproc.pid] = httpproc ++ ++ errs += test_basic_auth_timeout(testdir, timeenv, logfile) ++ except NotImplementedError: ++ sys.stderr.write('BASIC Timeout Behavior: SKIPPED\n') ++ + except Exception: + traceback.print_exc() + finally: +diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py +new file mode 100755 +index 0000000..983dfd2 +--- /dev/null ++++ b/tests/t_basic_timeout.py +@@ -0,0 +1,34 @@ ++#!/usr/bin/env python ++# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license. 
++ ++import os ++import time ++ ++import requests ++from requests.auth import HTTPBasicAuth ++ ++ ++if __name__ == '__main__': ++ s = requests.Session() ++ url = 'http://{}/basic_auth_timeout/auth/'.format( ++ os.environ['NSS_WRAPPER_HOSTNAME'] ++ ) ++ url2 = 'http://{}/basic_auth_timeout/session/'.format( ++ os.environ['NSS_WRAPPER_HOSTNAME'] ++ ) ++ ++ r = s.get(url, auth=HTTPBasicAuth(os.environ['TIMEOUT_USER'], ++ os.environ['MAG_USER_PASSWORD'])) ++ if r.status_code != 200: ++ raise ValueError('Basic Auth Failed') ++ ++ time.sleep(301) ++ r = s.get(url2) ++ if r.status_code != 200: ++ raise ValueError('Session Auth Failed') ++ ++ time.sleep(401) ++ ++ r = s.get(url2) ++ if r.status_code == 200: ++ raise ValueError('Timeout check Failed') diff --git a/SOURCES/Fix-PATH-handling-bug-in-test-suite.patch b/SOURCES/Fix-PATH-handling-bug-in-test-suite.patch new file mode 100644 index 0000000..97957e0 --- /dev/null +++ b/SOURCES/Fix-PATH-handling-bug-in-test-suite.patch 
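Review bot: mag_basic_timeout parses the directive with `strtoul(w, NULL, 10)` and never checks that the whole argument was consumed, so `GssapiBasicTicketTimeout 5m` silently becomes 5 and `GssapiBasicTicketTimeout -1` is accepted by strtoul, wraps to ULONG_MAX and is then turned into GSS_C_INDEFINITE, i.e. an unbounded ticket lifetime from what looks like a typo. Apache directive handlers can reject the value by returning an error string; a stricter version is below. Separately, the README index entry added by this patch links to `#gssapibasicticketvalidity` while the heading it introduces is `### GssapiBasicTicketTimeout`, so the anchor should read `#gssapibasictickettimeout`.
```c
static const char *mag_basic_timeout(cmd_parms *parms, void *mconfig,
                                     const char *w)
{
    struct mag_config *cfg = (struct mag_config *)mconfig;
    unsigned long int value;
    char *end = NULL;

    value = strtoul(w, &end, 10);
    /* reject signed, empty, non-numeric or partially numeric input */
    if (*w == '-' || *w == '+' || end == w || *end != '\0') {
        return "GssapiBasicTicketTimeout requires a non-negative integer";
    }
    if (value >= UINT32_MAX) {
        cfg->basic_timeout = GSS_C_INDEFINITE;
        return NULL;
    }
    cfg->basic_timeout = value;
    return NULL;
}
```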
@@ -0,0 +1,28 @@
+From c26b1aafbb9679b19b630a46eeb35a9dee61a95f Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 13 Oct 2020 11:04:00 -0400
+Subject: [PATCH] Fix PATH handling bug in test suite
+
+virtualenv relies on its executable being ahead of the system ones. For
+setting up the KDC, we don't have a preferencee - we just need the sbins
+to be available.
+
+Signed-off-by: Robbie Harwood
+(cherry picked from commit ae07252e356d8142ddd3987c9c3686ba7ee593de)
+---
+ tests/magtests.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/magtests.py b/tests/magtests.py
+index e04fa65..082c6e4 100755
+--- a/tests/magtests.py
++++ b/tests/magtests.py
+@@ -312,7 +312,7 @@ def setup_kdc(testdir, wrapenv):
+ 
+ kdcenv = wrapenv.copy()
+ kdcenv.update({
+- 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}',
++ 'PATH': f'{wrapenv["PATH"]}:/sbin:/bin:/usr/sbin:/usr/bin',
+ 'KRB5_CONFIG': krb5conf,
+ 'KRB5_KDC_PROFILE': kdcconf,
+ 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
diff --git a/SOURCES/Fix-distcheck.patch b/SOURCES/Fix-distcheck.patch
new file mode 100644
index 0000000..a18e7c3
--- /dev/null
+++ b/SOURCES/Fix-distcheck.patch
@@ -0,0 +1,31 @@
+From 706494bde5c5124621006b857fc55529f9e8e0db Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 14 May 2020 18:04:47 -0400
+Subject: [PATCH] Fix distcheck
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Robbie Harwood
+(cherry picked from commit eb6de7e946d7ecc9292bb454d43ac05f0801adf7)
+---
+ tests/Makefile.am | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 70754fb..16d87e9 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -4,12 +4,14 @@ EXTRA_DIST = \
+ 401.html \
+ httpd.conf \
+ index.html \
++ localname.html \
+ magtests.py \
+ t_bad_acceptor_name.py \
+ t_basic_k5_fail_second.py \
+ t_basic_k5.py \
+ t_basic_k5_two_users.py \
+ t_basic_proxy.py \
++ t_localname.py \
+ t_hostname_acceptor.py \
+ t_nonego.py \
+ t_required_name_attr.py \
diff --git a/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch b/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
new file mode 100644
index 0000000..51d381f
--- /dev/null
+++ b/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
@@ -0,0 +1,42 @@
+From 2b96860d8cfcf48a54e59e2ca30fc8fdeb2b9d55 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Fri, 6 May 2022 22:54:45 +0200
+Subject: [PATCH 2/2]
+ Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
+
+---
+ tests/t_localname.py | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/tests/t_localname.py b/tests/t_localname.py
+index e990762c42aa9b370ac71292b5019fc63622c240..df94922b52673b5b7fd780ff3f319d22feb348ac 100755
+--- a/tests/t_localname.py
++++ b/tests/t_localname.py
+@@ -45,13 +45,22 @@ if __name__ == '__main__':
+ 
+ mech = None
+ if mech_name is not None:
+- mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
++ try:
++ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
++ except AttributeError:
++ # older version of gssapi that does not support mechs
++ if mech_name == 'SPNEGO':
++ mech = ''
++ elif mech_name == 'GS2-KRB5':
++ mech = ''
++ else:
++ sys.exit(42) # SKIP
+ 
+ try:
+ auth = HTTPSPNEGOAuth(mech=mech)
+ use_requests(auth)
+ except TypeError:
+- # odler version of requests that does not support mechs
++ # older version of requests that does not support mechs
+ if mech_name == 'SPNEGO':
+ use_curl()
+ elif mech_name == 'GS2-KRB5':
+--
+2.35.3
+
diff --git a/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch b/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch
new file mode 100644
index 0000000..7b1c5de
--- /dev/null
+++ b/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch
@@ -0,0 +1,39 @@
+From 676ec5fe0b6c7c5126dbf84ef59ec4a5d5f87ede Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Tue, 26 Apr 2022 10:23:53 +0200
+Subject: [PATCH] Fix gss_localname with SPNEGO wrapping
+
+Fix implemented upstream by Simo
+---
+ src/mod_auth_gssapi.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index b0999737daedf88fa84a9d8b1543bbedc79194ab..c91aa60707ba9b237a84f95670d483f1a7eab86b 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -1264,7 +1264,21 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
+ #endif
+ 
+ if (cfg->map_to_local) {
++ /* We have to play heuristics here as gss_localname does not work
++ * as expected with SPNEGO-wrapped names.
++ * http://krbdev.mit.edu/rt/Ticket/Display.html?id=8782
++ */
+ maj = gss_localname(&min, client, mech_type, &lname);
++ if (maj != GSS_S_COMPLETE) {
++ uint32_t sub_maj, sub_min;
++ /* try fallback with no oid */
++ sub_maj = gss_localname(&sub_min, client, GSS_C_NO_OID, &lname);
++ if (sub_maj != GSS_S_UNAVAILABLE) {
++ /* use second call errors only if they are meaningful */
++ maj = sub_maj;
++ min = sub_min;
++ }
++ }
+ if (maj != GSS_S_COMPLETE) {
+ mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
+ "gss_localname() failed");
+--
+2.35.1
+
diff --git a/SOURCES/Fix-integer-sizes-used-with-ap_set_flag_slot.patch b/SOURCES/Fix-integer-sizes-used-with-ap_set_flag_slot.patch
new file mode 100644
index 0000000..b75d272
--- /dev/null
+++ b/SOURCES/Fix-integer-sizes-used-with-ap_set_flag_slot.patch
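Review bot: The mech-less retry in mag_complete leaves no trace when it is taken, so once the mapping succeeds an operator cannot tell from the log whether the local user came from the mech-specific or the GSS_C_NO_OID call to gss_localname(), which is exactly the distinction one wants when auditing how a principal was mapped to a local account. A debug line before the retry, e.g. `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "gss_localname() failed for the negotiated mech, retrying with GSS_C_NO_OID");`, would make the path visible without changing behaviour. Whether the second call is acceptable for every mechanism that can arrive SPNEGO-wrapped is not something this hunk shows, so the comment could also name the mechs the heuristic was validated against. mag_complete begins and ends outside this hunk.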
@@ -0,0 +1,38 @@
+From d681fe586a4f4258c5d61237511dd19c1fa84904 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 19 Feb 2019 13:55:12 -0500
+Subject: [PATCH] Fix integer sizes used with ap_set_flag_slot()
+
+ap_set_flag_slot() requires a field of type `int`. Previously we
+passed type `bool` in two places, causing test failures on s390x
+because logging was not correctly configured.
+
+Signed-off-by: Robbie Harwood
+(cherry picked from commit f89b876be5619d750e6ab4ea6e730a9a26b1cac4)
+(cherry picked from commit 73c690ca9bd1d470c603f5e1ee48d2384941ae55)
+---
+ src/mod_auth_gssapi.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
+index 71404ff..8c0b972 100644
+--- a/src/mod_auth_gssapi.h
++++ b/src/mod_auth_gssapi.h
+@@ -79,7 +79,7 @@ struct mag_config {
+ gid_t deleg_ccache_gid;
+ gss_key_value_set_desc *cred_store;
+ bool deleg_ccache_unique;
+- bool s4u2self;
++ int s4u2self;
+ char *ccname_envvar;
+ #endif
+ struct seal_key *mag_skey;
+@@ -90,7 +90,7 @@ struct mag_config {
+ bool negotiate_once;
+ struct mag_name_attributes *name_attributes;
+ const char *required_na_expr;
+- bool enverrs;
++ int enverrs;
+ gss_name_t acceptor_name;
+ bool acceptor_name_from_req;
+ };
diff --git a/SOURCES/Fix-mag_auth_basic-function-call.patch b/SOURCES/Fix-mag_auth_basic-function-call.patch
new file mode 100644
index 0000000..1f81a73
--- /dev/null
+++ b/SOURCES/Fix-mag_auth_basic-function-call.patch
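Review bot: The type change is the right fix, but nothing in the struct records why these two members must be `int`, so the next flag directive can regress it silently; a comment such as `int s4u2self; /* int, not bool: written through ap_set_flag_slot() */` on both changed lines would pin the contract. As the commit message states, ap_set_flag_slot() stores an `int` through the slot offset, so an `int`-sized write into a one-byte `bool` presumably also touched the adjacent bytes, which is why the symptom only surfaced on a big-endian target. The remaining `bool` members of the same struct (`deleg_ccache_unique`, `negotiate_once`, `acceptor_name_from_req`) are only safe if none of them is wired to ap_set_flag_slot in mag_commands[], which this hunk does not show and is worth confirming.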
@@ -0,0 +1,121 @@ +From 1941fd1545b4786fee9464881239d74a91c55723 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 7 Feb 2019 14:48:56 -0500 +Subject: [PATCH] Fix mag_auth_basic function call. + +In order to respect the API we'd have to return nech_type as a copy of +the mech found to correctly complete authentication. +It would need to be a copy because the actual_mechs variable is an array +of statically copied OIDs not an array of pointers. + +Instead change mag_auth_basic to directly call mag_complete() and +mag_cache_basic on success. This is easier than attempting to handle +copying out OIDs and then freeing them in the caller as GSSAPI does not +offer standard APIs for copying OIDs. + +As a side-effect we reduce the number of arguments to mag_auth_gssapi, +which is good, to the slight detriment of legibility in the main +function as now you need to know mag_auth_basic() is already calling +mag_complete(). The trade off is worth it though. + +Signed-off-by: Simo Sorce +(cherry picked from commit 318db0b0e3777d4cfdc09eeef98e28c478607271) +--- + src/mod_auth_gssapi.c | 47 ++++++++++++++++++++----------------------- + 1 file changed, 22 insertions(+), 25 deletions(-) + +diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c +index 4048ee7..9e42ef4 100644 +--- a/src/mod_auth_gssapi.c ++++ b/src/mod_auth_gssapi.c +@@ -493,15 +493,15 @@ done: + return maj; + } + +-static bool mag_auth_basic(request_rec *req, +- struct mag_config *cfg, +- gss_buffer_desc ba_user, +- gss_buffer_desc ba_pwd, +- gss_name_t *client, +- gss_OID *mech_type, +- gss_cred_id_t *delegated_cred, +- uint32_t *vtime) ++static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc, ++ gss_name_t client, gss_OID mech_type, ++ uint32_t vtime, gss_cred_id_t delegated_cred); ++ ++static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc, ++ gss_buffer_desc ba_user, gss_buffer_desc ba_pwd) + { ++ struct mag_config *cfg = req_cfg->cfg; ++ request_rec *req = 
req_cfg->req; + const char *user_ccache = NULL; + const char *orig_ccache = NULL; + long long unsigned int rndname; +@@ -512,9 +512,12 @@ static bool mag_auth_basic(request_rec *req, + gss_OID_set allowed_mechs; + gss_OID_set filtered_mechs; + gss_OID_set actual_mechs = GSS_C_NO_OID_SET; ++ gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; ++ gss_name_t client = GSS_C_NO_NAME; ++ uint32_t vtime; + uint32_t maj, min; + int present = 0; +- bool ret = false; ++ int ret = HTTP_UNAUTHORIZED; + + maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user); + if (GSS_ERROR(maj)) { +@@ -616,15 +619,21 @@ static bool mag_auth_basic(request_rec *req, + + for (int i = 0; i < actual_mechs->count; i++) { + maj = mag_context_loop(&min, req, cfg, user_cred, server_cred, +- &actual_mechs->elements[i], 300, client, vtime, +- delegated_cred); ++ &actual_mechs->elements[i], 300, &client, ++ &vtime, &delegated_cred); + if (maj == GSS_S_COMPLETE) { +- ret = true; ++ ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i], ++ vtime, delegated_cred); ++ if (ret == OK) { ++ mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); ++ } + break; + } + } + + done: ++ gss_release_cred(&min, &delegated_cred); ++ gss_release_name(&min, &client); + gss_release_cred(&min, &server_cred); + gss_release_name(&min, &user); + gss_release_cred(&min, &user_cred); +@@ -683,10 +692,6 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req) + return req_cfg; + } + +-static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc, +- gss_name_t client, gss_OID mech_type, +- uint32_t vtime, gss_cred_id_t delegated_cred); +- + #ifdef HAVE_CRED_STORE + static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) { + if (req_cfg->cfg->use_s4u2proxy) { +@@ -1105,15 +1110,7 @@ static int mag_auth(request_rec *req) + #endif + + if (auth_type == AUTH_TYPE_BASIC) { +- if (mag_auth_basic(req, cfg, ba_user, ba_pwd, +- &client, &mech_type, +- &delegated_cred, &vtime)) { +- +- ret = mag_complete(req_cfg, mc, 
client, mech_type, vtime, +- delegated_cred); +- if (ret == OK) +- mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); +- } ++ ret = mag_auth_basic(req_cfg, mc, ba_user, ba_pwd); + goto done; + } + diff --git a/SOURCES/Fix-tests-to-work-with-python3.patch b/SOURCES/Fix-tests-to-work-with-python3.patch new file mode 100644 index 0000000..7549c09 --- /dev/null +++ b/SOURCES/Fix-tests-to-work-with-python3.patch @@ -0,0 +1,47 @@ +From 613933383aa352bb8f350f43ecb393a0604016cc Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Fri, 21 Dec 2018 11:50:16 -0500 +Subject: [PATCH] Fix tests to work with python3 + +Signed-off-by: Robbie Harwood +(cherry picked from commit 751eb09e7abf38f49fc525e1616d48a6f951673f) +(cherry picked from commit d2748e79d31f153505f944b09a4790c6231dcd79) +--- + tests/magtests.py | 3 ++- + tests/t_spnego_proxy.py | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tests/magtests.py b/tests/magtests.py +index 6414503..f14f47a 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -431,7 +431,7 @@ def kinit_user(testdir, kdcenv): + stdin=subprocess.PIPE, + stdout=logfile, stderr=logfile, + env=testenv, preexec_fn=os.setsid) +- kinit.communicate('%s\n' % USR_PWD) ++ kinit.communicate(('%s\n' % USR_PWD).encode("utf8")) + kinit.wait() + if kinit.returncode != 0: + raise ValueError('kinit failed') +@@ -495,6 +495,7 @@ def test_spnego_auth(testdir, testenv, logfile): + else: + sys.stderr.write('SPNEGO No Auth: SUCCESS\n') + ++ + return error_count + + +diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py +index 6219721..c47558b 100755 +--- a/tests/t_spnego_proxy.py ++++ b/tests/t_spnego_proxy.py +@@ -17,7 +17,7 @@ def getAuthToken(target): + ctx = gssapi.SecurityContext(name=name, mech=spnego_mech) + token = ctx.step() + +- return 'Negotiate %s' % b64encode(token) ++ return 'Negotiate %s' % b64encode(token).decode() + + + if __name__ == '__main__': 
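Review bot: The new `done:` block in mag_auth_basic() releases `client` and `delegated_cred` immediately after they were handed to mag_complete(), so mag_complete() must copy rather than retain anything it keeps from them; the old flow released them in mag_auth()'s own cleanup, which is not visible in this hunk, so I cannot confirm the lifetime still matches what mag_complete() expects. That contract should be stated on the new definition, e.g. `/* Runs the Basic-auth GSS exchange, completes the request on success and returns an HTTP status. client and delegated_cred are owned here and released before return; mag_complete() must not retain them. */`. A second behaviour worth a comment is the loop: a successful mag_context_loop() followed by a failing mag_complete() now `break`s without trying the remaining `actual_mechs`, which may be intended but is no longer obvious. The remainder of mag_auth_basic() and the `done:` path beyond the releases are outside the hunk.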
diff --git a/SOURCES/In-tests-show-the-exception-on-failure.patch b/SOURCES/In-tests-show-the-exception-on-failure.patch new file mode 100644 index 0000000..0f8c0dc --- /dev/null +++ b/SOURCES/In-tests-show-the-exception-on-failure.patch @@ -0,0 +1,43 @@ +From 3fc1f9f5d7f5a33900572b419ecdfd2d3672ceca Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Fri, 21 Dec 2018 10:50:49 -0500 +Subject: [PATCH] In tests, show the exception on failure + +Otherwise, the user might get nothing at all out, depending on what failed. + +Signed-off-by: Robbie Harwood +(cherry picked from commit 881f98ee08f6d8d7a2352ab2f3e8e38845cf8039) +(cherry picked from commit 1de81677f1878ea1667b56169fe714d685771b4e) +--- + tests/magtests.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tests/magtests.py b/tests/magtests.py +index 576e88f..6414503 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -8,6 +8,7 @@ import shutil + import signal + import subprocess + import sys ++import traceback + + # check that we can import requests (for use in test scripts) + import requests +@@ -207,7 +208,6 @@ def setup_test_certs(testdir, testenv, logfile): + with open(opensslcnf, 'w+') as f: + f.write(text) + +- print(pkinit_key) + cmd = subprocess.Popen(["openssl", "genrsa", "-out", pkinit_key, + "2048"], stdout=logfile, + stderr=logfile, env=testenv, +@@ -718,6 +718,8 @@ if __name__ == '__main__': + errs += test_basic_auth_krb5(testdir, testenv, logfile) + + errs += test_no_negotiate(testdir, testenv, logfile) ++ except Exception: ++ traceback.print_exc() + finally: + for name in processes: + logfile.write("Killing %s\n" % name) diff --git a/SOURCES/Move-to-python3-by-default.patch b/SOURCES/Move-to-python3-by-default.patch new file mode 100644 index 0000000..675f76f --- /dev/null +++ b/SOURCES/Move-to-python3-by-default.patch 
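Review bot: The added `except Exception: traceback.print_exc()` in `__main__` prints the failure and then falls through to the `finally` cleanup without touching `errs`, so a crash during setup or inside a test helper no longer propagates; whether the process still exits non-zero then depends on code after this hunk that I cannot see, and it may turn a broken run into a green one. I would count it explicitly, `except Exception:` / `traceback.print_exc()` / `errs += 1`, or re-raise after printing so the exit status keeps reflecting the failure.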
@@ -0,0 +1,198 @@ +From eeca34dc64804a4b771800f54f0e0647ce88bdd4 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 13 Oct 2020 10:33:39 -0400 +Subject: [PATCH] Move to python3 by default + +When moving 2 -> 3, python elected to keep "python" as the name of the +python2 interpreter. As a result, python3-only machines have no +/usr/bin/python. Since python2 is EOL, it should be safe to make our +scripting default to python3. + +Signed-off-by: Robbie Harwood +(cherry picked from commit 840863f89ed4809602f1ca7b8ad650c0b979d20e) +[rharwood@redhat.com: tests that don't exist yet, README prg/prk, +contrib isn't packaged in dist tarballs] +--- + README | 4 ++-- + tests/magtests.py | 2 +- + tests/t_bad_acceptor_name.py | 2 +- + tests/t_basic_k5.py | 2 +- + tests/t_basic_k5_fail_second.py | 2 +- + tests/t_basic_k5_two_users.py | 2 +- + tests/t_basic_proxy.py | 2 +- + tests/t_basic_timeout.py | 2 +- + tests/t_hostname_acceptor.py | 2 +- + tests/t_nonego.py | 2 +- + tests/t_required_name_attr.py | 2 +- + tests/t_spnego.py | 2 +- + tests/t_spnego_negotiate_once.py | 2 +- + tests/t_spnego_no_auth.py | 2 +- + tests/t_spnego_proxy.py | 2 +- + tests/t_spnego_rewrite.py | 2 +- + 16 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/README b/README +index 5eac94f..654a891 100644 +--- a/README ++++ b/README +@@ -26,8 +26,8 @@ To run tests, you also need: + + * The Kerberos 5 Key-Distribution-Center (`krb5-kdc` package on Debian, + `krb5-server` on Fedora) +-* Packages `mod_session`, `krb5-workstation`, `python-requests-kerberos`, +- and `python-gssapi` on Fedora ++* Packages `mod_session`, `krb5-workstation`, `python3-requests-gssapi`, ++ and `python3-gssapi` on Fedora + * Some tests require `krb5-pkinit` package on fedora and krb5 >= 1.15. 
+ * [nss_wrapper](https://cwrap.org/nss_wrapper.html), packaged in Fedora + * [socket_wrapper](https://cwrap.org/socket_wrapper.html), packaged in Fedora +diff --git a/tests/magtests.py b/tests/magtests.py +index 082c6e4..d0f0a67 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import argparse +diff --git a/tests/t_bad_acceptor_name.py b/tests/t_bad_acceptor_name.py +index 41ee48b..6cee588 100755 +--- a/tests/t_bad_acceptor_name.py ++++ b/tests/t_bad_acceptor_name.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_basic_k5.py b/tests/t_basic_k5.py +index e499eac..4b24801 100755 +--- a/tests/t_basic_k5.py ++++ b/tests/t_basic_k5.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_basic_k5_fail_second.py b/tests/t_basic_k5_fail_second.py +index 273e9a5..7e53218 100755 +--- a/tests/t_basic_k5_fail_second.py ++++ b/tests/t_basic_k5_fail_second.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_basic_k5_two_users.py b/tests/t_basic_k5_two_users.py +index 41ffe98..3d27e9e 100755 +--- a/tests/t_basic_k5_two_users.py ++++ b/tests/t_basic_k5_two_users.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. 
+ + import os +diff --git a/tests/t_basic_proxy.py b/tests/t_basic_proxy.py +index 5370314..347b802 100755 +--- a/tests/t_basic_proxy.py ++++ b/tests/t_basic_proxy.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py +index 983dfd2..007ff97 100755 +--- a/tests/t_basic_timeout.py ++++ b/tests/t_basic_timeout.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_hostname_acceptor.py b/tests/t_hostname_acceptor.py +index 6d59e85..bb85700 100755 +--- a/tests/t_hostname_acceptor.py ++++ b/tests/t_hostname_acceptor.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license. + + import sys +diff --git a/tests/t_nonego.py b/tests/t_nonego.py +index 430001a..4e77f80 100755 +--- a/tests/t_nonego.py ++++ b/tests/t_nonego.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_required_name_attr.py b/tests/t_required_name_attr.py +index bbfdc19..a67446b 100755 +--- a/tests/t_required_name_attr.py ++++ b/tests/t_required_name_attr.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_spnego.py b/tests/t_spnego.py +index e7003a6..04190a9 100755 +--- a/tests/t_spnego.py ++++ b/tests/t_spnego.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. 
+ + import os +diff --git a/tests/t_spnego_negotiate_once.py b/tests/t_spnego_negotiate_once.py +index e8eb601..3d8e048 100755 +--- a/tests/t_spnego_negotiate_once.py ++++ b/tests/t_spnego_negotiate_once.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_spnego_no_auth.py b/tests/t_spnego_no_auth.py +index abcccdf..c564388 100755 +--- a/tests/t_spnego_no_auth.py ++++ b/tests/t_spnego_no_auth.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py +index c47558b..b917191 100755 +--- a/tests/t_spnego_proxy.py ++++ b/tests/t_spnego_proxy.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os +diff --git a/tests/t_spnego_rewrite.py b/tests/t_spnego_rewrite.py +index 2ed1d3e..202d76a 100755 +--- a/tests/t_spnego_rewrite.py ++++ b/tests/t_spnego_rewrite.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. + + import os diff --git a/SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch b/SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch new file mode 100644 index 0000000..b613083 --- /dev/null +++ b/SOURCES/tests-Don-t-override-the-specific-environment-by-the.patch 
@@ -0,0 +1,166 @@ +From bd2f8d20c589feae7249ccca28199d826d007667 Mon Sep 17 00:00:00 2001 +From: Stanislav Levin +Date: Thu, 6 Aug 2020 13:55:45 +0300 +Subject: [PATCH] tests: Don't override the specific environment by the global + one + +This changes the way in which a test environment is prepared. + +Before: +specific -> global + +After: +global -> specific + +In particular, this allows setting PATH env variable differed from +the global configuration. + +Fixes: https://github.com/gssapi/mod_auth_gssapi/issues/226 +Signed-off-by: Stanislav Levin +(cherry picked from commit 731761e63d72bf5656f40340daafce4e2d34bd92) +--- + tests/magtests.py | 78 +++++++++++++++++++++++++++++------------------ + 1 file changed, 48 insertions(+), 30 deletions(-) + +diff --git a/tests/magtests.py b/tests/magtests.py +index 1c0b26a..e04fa65 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -310,11 +310,13 @@ def setup_kdc(testdir, wrapenv): + with open(kdcconf, 'w+') as f: + f.write(text) + +- kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', +- 'KRB5_CONFIG': krb5conf, +- 'KRB5_KDC_PROFILE': kdcconf, +- 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')} +- kdcenv.update(wrapenv) ++ kdcenv = wrapenv.copy() ++ kdcenv.update({ ++ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', ++ 'KRB5_CONFIG': krb5conf, ++ 'KRB5_KDC_PROFILE': kdcconf, ++ 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'), ++ }) + + logfile = open(testlog, 'a') + ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s", +@@ -383,8 +385,10 @@ def setup_keys(tesdir, env): + cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3) + kadmin_local(cmd, env, logfile) + +- keys_env = {"KRB5_KTNAME": svc_keytab, } +- keys_env.update(env) ++ keys_env = env.copy() ++ keys_env.update({ ++ "KRB5_KTNAME": svc_keytab, ++ }) + return keys_env + + +@@ -421,10 +425,12 @@ def setup_http(testdir, so_dir, wrapenv): + + shutil.copy('tests/401.html', os.path.join(httpdir, 'html')) + +- 
httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', +- 'MALLOC_CHECK_': '3', +- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)} +- httpenv.update(wrapenv) ++ httpenv = wrapenv.copy() ++ httpenv.update({ ++ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', ++ 'MALLOC_CHECK_': '3', ++ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1), ++ }) + + httpd = "httpd" if distro == "Fedora" else "apache2" + httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config], +@@ -435,8 +441,10 @@ def setup_http(testdir, so_dir, wrapenv): + def kinit_user(testdir, kdcenv): + testlog = os.path.join(testdir, 'kinit.log') + ccache = os.path.join(testdir, 'k5ccache') +- testenv = {'KRB5CCNAME': ccache} +- testenv.update(kdcenv) ++ testenv = kdcenv.copy() ++ testenv.update({ ++ 'KRB5CCNAME': ccache, ++ }) + + with (open(testlog, 'a')) as logfile: + kinit = subprocess.Popen(["kinit", USR_NAME], +@@ -457,8 +465,10 @@ def kinit_certuser(testdir, kdcenv): + pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT) + pkinit_key = os.path.join(testdir, PKINIT_KEY) + ident = "X509_user_identity=FILE:" + pkinit_user_cert + "," + pkinit_key +- testenv = {'KRB5CCNAME': ccache} +- testenv.update(kdcenv) ++ testenv = kdcenv.copy() ++ testenv.update({ ++ 'KRB5CCNAME': ccache, ++ }) + with (open(testlog, 'a')) as logfile: + logfile.write('PKINIT for maguser3\n') + kinit = subprocess.Popen(["kinit", USR_NAME_3, "-X", ident], +@@ -711,17 +721,21 @@ def faketime_setup(testenv): + raise NotImplementedError + + # spedup x100 +- fakeenv = {'FAKETIME': '+0 x100'} +- fakeenv.update(testenv) +- fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime)) ++ fakeenv = testenv.copy() ++ fakeenv.update({ ++ 'FAKETIME': '+0 x100', ++ 'LD_PRELOAD': ' '.join((testenv['LD_PRELOAD'], libfaketime)), ++ }) + return fakeenv + + + def http_restart(testdir, so_dir, testenv): +- httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}', +- 
'MALLOC_CHECK_': '3', +- 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)} +- httpenv.update(testenv) ++ httpenv = testenv.copy() ++ httpenv.update({ ++ 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}', ++ 'MALLOC_CHECK_': '3', ++ 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1), ++ }) + + httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2" + config = os.path.join(testdir, 'httpd', 'httpd.conf') +@@ -776,11 +790,13 @@ if __name__ == '__main__': + sys.stderr.write("krb5 PKINIT module not found, skipping name " + "attribute tests\n") + +- testenv = {'MAG_USER_NAME': USR_NAME, +- 'MAG_USER_PASSWORD': USR_PWD, +- 'MAG_USER_NAME_2': USR_NAME_2, +- 'MAG_USER_PASSWORD_2': USR_PWD_2} +- testenv.update(kdcenv) ++ testenv = kdcenv.copy() ++ testenv.update({ ++ 'MAG_USER_NAME': USR_NAME, ++ 'MAG_USER_PASSWORD': USR_PWD, ++ 'MAG_USER_NAME_2': USR_NAME_2, ++ 'MAG_USER_PASSWORD_2': USR_PWD_2, ++ }) + + errs += test_basic_auth_krb5(testdir, testenv, logfile) + +@@ -789,9 +805,11 @@ if __name__ == '__main__': + # After this point we need to speed up httpd to test creds timeout + try: + fakeenv = faketime_setup(kdcenv) +- timeenv = {'TIMEOUT_USER': USR_NAME_4, +- 'MAG_USER_PASSWORD': USR_PWD} +- timeenv.update(fakeenv) ++ timeenv = fakeenv.copy() ++ timeenv.update({ ++ 'TIMEOUT_USER': USR_NAME_4, ++ 'MAG_USER_PASSWORD': USR_PWD, ++ }) + curporc = httpproc + pid = processes['HTTPD(%d)' % httpproc.pid].pid + os.killpg(pid, signal.SIGTERM) diff --git a/SOURCES/tests-Fixup-virtualenv-handling.patch b/SOURCES/tests-Fixup-virtualenv-handling.patch new file mode 100644 index 0000000..1fb638d --- /dev/null +++ b/SOURCES/tests-Fixup-virtualenv-handling.patch 
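Review bot: The four-line httpd environment block (PATH prefix, `MALLOC_CHECK_`, `MALLOC_PERTURB_`) is now written out identically in setup_http() and http_restart(), so a future change to one — say a different malloc setting for the restarted, faketime-wrapped server — will silently not apply to the other. A small helper that both call keeps them in step and gives the malloc knobs a place to be explained.

```python
def http_env(baseenv):
    """Environment for httpd: baseenv plus a sane PATH and glibc malloc checking."""
    env = baseenv.copy()
    env.update({
        'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{baseenv["PATH"]}',
        'MALLOC_CHECK_': '3',
        'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1),
    })
    return env

# … unchanged: setup_http() up to the environment setup …
    httpenv = http_env(wrapenv)

# … unchanged: http_restart() up to the environment setup …
    httpenv = http_env(testenv)
```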
@@ -0,0 +1,87 @@ +From f106e3afa21cdbc098d3c82698585744e3325621 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Fri, 15 May 2020 15:56:50 -0400 +Subject: [PATCH] [tests] Fixup virtualenv handling + +Fixes an issue where virtualenv's PATH would get lost + +Signed-off-by: Robbie Harwood +(cherry picked from commit e60384c0d4d4b4c213ec728ec3d444f998625941) +--- + tests/magtests.py | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/tests/magtests.py b/tests/magtests.py +index 6c38a8f..1c0b26a 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -67,6 +67,12 @@ def setup_wrappers(base): + return wenv + + ++def apply_venv(env): ++ env['PATH'] = os.environ.get('PATH', '') ++ env['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '') ++ return env ++ ++ + TESTREALM = "MAG.DEV" + KDC_DBNAME = 'db.file' + KDC_STASH = 'stash.file' +@@ -304,7 +310,7 @@ def setup_kdc(testdir, wrapenv): + with open(kdcconf, 'w+') as f: + f.write(text) + +- kdcenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin', ++ kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', + 'KRB5_CONFIG': krb5conf, + 'KRB5_KDC_PROFILE': kdcconf, + 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')} +@@ -415,7 +421,7 @@ def setup_http(testdir, so_dir, wrapenv): + + shutil.copy('tests/401.html', os.path.join(httpdir, 'html')) + +- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin', ++ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', + 'MALLOC_CHECK_': '3', + 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)} + httpenv.update(wrapenv) +@@ -712,8 +718,7 @@ def faketime_setup(testenv): + + + def http_restart(testdir, so_dir, testenv): +- +- httpenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin', ++ httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}', + 'MALLOC_CHECK_': '3', + 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)} + httpenv.update(testenv) +@@ -738,7 +743,7 @@ if __name__ == '__main__': + 
logfile = open(os.path.join(testdir, 'tests.log'), 'w') + errs = 0 + try: +- wrapenv = setup_wrappers(testdir) ++ wrapenv = apply_venv(setup_wrappers(testdir)) + + kdcproc, kdcenv = setup_kdc(testdir, wrapenv) + processes['KDC(%d)' % kdcproc.pid] = kdcproc +@@ -749,10 +754,6 @@ if __name__ == '__main__': + keysenv = setup_keys(testdir, kdcenv) + testenv = kinit_user(testdir, kdcenv) + +- # support virtualenv +- testenv['PATH'] = os.environ.get('PATH', '') +- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '') +- + testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd', + USR_NAME + '@' + TESTREALM) + errs += test_spnego_auth(testdir, testenv, logfile) +@@ -780,8 +781,6 @@ if __name__ == '__main__': + 'MAG_USER_NAME_2': USR_NAME_2, + 'MAG_USER_PASSWORD_2': USR_PWD_2} + testenv.update(kdcenv) +- testenv['PATH'] = os.environ.get('PATH', '') +- testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '') + + errs += test_basic_auth_krb5(testdir, testenv, logfile) + diff --git a/SOURCES/tests-Support-Debian-s-libfaketime.patch b/SOURCES/tests-Support-Debian-s-libfaketime.patch new file mode 100644 index 0000000..94f2314 --- /dev/null +++ b/SOURCES/tests-Support-Debian-s-libfaketime.patch 
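Review bot: `apply_venv()` copies `os.environ.get('PATH', '')` into the wrapper environment, and setup_kdc(), setup_http() and http_restart() then build `f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}'` from it; when the caller has no PATH at all (a scrubbed `env -i` or minimal CI shell) that yields a trailing `:`, and an empty PATH element is treated as the current directory by POSIX `execvp`, so `kdb5_util`, `kinit` and `httpd` would be looked up in the working tree. Defaulting to a real search path avoids that, e.g. `env['PATH'] = os.environ.get('PATH') or '/usr/bin:/bin'`. The helper also mutates and returns its argument, which is fine for the single call site but deserves a one-line docstring saying so.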
@@ -0,0 +1,35 @@ +From 27f7ca84a5a05f65e6d113a8a6698c7f40fd66c6 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Fri, 15 May 2020 15:51:19 -0400 +Subject: [PATCH] [tests] Support Debian's libfaketime + +Signed-off-by: Robbie Harwood +(cherry picked from commit 367120a1c02641680a8f51bd59cc96d56cc9804b) +--- + tests/magtests.py | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/tests/magtests.py b/tests/magtests.py +index da1cca7..6c38a8f 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -692,9 +692,16 @@ def test_hostname_acceptor(testdir, testenv, logfile): + + + def faketime_setup(testenv): +- libfaketime = '/usr/lib64/faketime/libfaketime.so.1' +- # optional faketime +- if not os.path.isfile(libfaketime): ++ # Wanted: an architecture- and distro-agnostic way to do this. ++ # libfaketime is installed in a place where ld.so won't pick it up by ++ # default, so... ++ paths = ['/usr/lib64/faketime/libfaketime.so.1', ++ '/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1'] ++ libfaketime = None ++ for p in paths: ++ if os.path.isfile(p): ++ libfaketime = p ++ if not libfaketime: + raise NotImplementedError + + # spedup x100 diff --git a/SOURCES/tests-Test-suite-fixes-for-virtualenv-and-clang.patch b/SOURCES/tests-Test-suite-fixes-for-virtualenv-and-clang.patch new file mode 100644 index 0000000..2b042e0 --- /dev/null +++ b/SOURCES/tests-Test-suite-fixes-for-virtualenv-and-clang.patch 
@@ -0,0 +1,40 @@ +From ce83aa116397fb71143e5b1363ce7563f7a4444d Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 11 Mar 2019 14:56:31 -0400 +Subject: [PATCH] [tests] Test suite fixes for virtualenv and clang + +- Typo fix - VIRTUAL_ENV in magtests.py +- testenv object manipulation fix in magtests.py +- Work around -fstack-clash-protection problems in clang + +Signed-off-by: Robbie Harwood +(cherry picked from commit 6aa0a5bfe9d60a50cf36c561268c5d7c1fdb2f0e) +[rharwood@redhat.com: drop Travis goo] +(cherry picked from commit 11c966cc630393e322ef6b88df91d16247bbfc37) +--- + tests/magtests.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tests/magtests.py b/tests/magtests.py +index f14f47a..a4842a0 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -687,7 +687,7 @@ if __name__ == '__main__': + + # support virtualenv + testenv['PATH'] = os.environ.get('PATH', '') +- testenv['ViRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '') ++ testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '') + + testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd', + USR_NAME + '@' + TESTREALM) +@@ -716,6 +716,9 @@ if __name__ == '__main__': + 'MAG_USER_NAME_2': USR_NAME_2, + 'MAG_USER_PASSWORD_2': USR_PWD_2} + testenv.update(kdcenv) ++ testenv['PATH'] = os.environ.get('PATH', '') ++ testenv['VIRTUAL_ENV'] = os.environ.get('VIRTUAL_ENV', '') ++ + errs += test_basic_auth_krb5(testdir, testenv, logfile) + + errs += test_no_negotiate(testdir, testenv, logfile) diff --git a/SOURCES/tests-add-test-for-gss_localname.patch b/SOURCES/tests-add-test-for-gss_localname.patch new file mode 100644 index 0000000..ab97f87 --- /dev/null +++ b/SOURCES/tests-add-test-for-gss_localname.patch 
@@ -0,0 +1,194 @@ +From 0dbf450a49784e2a750c667824e0e0249be575e4 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 27 Apr 2022 18:18:22 +0200 +Subject: [PATCH] Add test for gss_localname + +Backport test for gss_localname implemented upstream by Simo +--- + tests/httpd.conf | 13 ++++++++++ + tests/localname.html | 1 + + tests/magtests.py | 47 ++++++++++++++++++++++++++++++++- + tests/t_localname.py | 62 ++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 122 insertions(+), 1 deletion(-) + create mode 100644 tests/localname.html + create mode 100755 tests/t_localname.py + +diff --git a/tests/httpd.conf b/tests/httpd.conf +index f76f2b671e02515e6d4effe09ab123dace90c023..b3777574d9f0547560f24eff992fc1018569b5cc 100644 +--- a/tests/httpd.conf ++++ b/tests/httpd.conf +@@ -274,6 +274,19 @@ CoreDumpDirectory "{HTTPROOT}" + Require valid-user + + ++ ++ AuthType GSSAPI ++ AuthName "Login" ++ GssapiSSLonly Off ++ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache ++ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab ++ GssapiCredStore keytab:{HTTPROOT}/http.keytab ++ GssapiBasicAuth Off ++ GssapiAllowedMech krb5 ++ GssapiLocalName On ++ Require valid-user ++ ++ + + ProxyRequests On + ProxyVia On +diff --git a/tests/localname.html b/tests/localname.html +new file mode 100644 +index 0000000000000000000000000000000000000000..abf7c507de1eb32b31b882502eed5f2bbcc5fbf3 +--- /dev/null ++++ b/tests/localname.html +@@ -0,0 +1 @@ ++ +diff --git a/tests/magtests.py b/tests/magtests.py +index d0f0a67f075c6b631926e9abd91a665973d90f4a..d100413b371e7ecf4e09d944b7ff6e9bec7e316f 100755 +--- a/tests/magtests.py ++++ b/tests/magtests.py +@@ -58,12 +58,20 @@ def setup_wrappers(base): + f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME)) + f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME)) + ++ passwd_file = os.path.join(testdir, 'passwd') ++ with open(passwd_file, 'w+') as f: ++ f.write('root:x:0:0:root:/root:/bin/sh') ++ f.write('maguser:x:1:1:maguser:/maguser:/bin/sh') ++ 
f.write('maguser2:x:2:2:maguser2:/maguser2:/bin/sh') ++ f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh') ++ + wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so', + 'SOCKET_WRAPPER_DIR': wrapdir, + 'SOCKET_WRAPPER_DEFAULT_IFACE': '9', + 'WRAP_PROXY_PORT': WRAP_PROXY_PORT, + 'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME, +- 'NSS_WRAPPER_HOSTS': hosts_file} ++ 'NSS_WRAPPER_HOSTS': hosts_file, ++ 'NSS_WRAPPER_PASSWD': passwd_file} + return wenv + + +@@ -744,6 +752,40 @@ def http_restart(testdir, so_dir, testenv): + return httpproc + + ++def test_gss_localname(testdir, testenv, logfile): ++ hdir = os.path.join(testdir, 'httpd', 'html', 'gss_localname') ++ os.mkdir(hdir) ++ shutil.copy('tests/localname.html', os.path.join(hdir, 'index.html')) ++ error_count = 0 ++ ++ # Make sure spnego is explicitly tested ++ spnego = subprocess.Popen(["tests/t_localname.py", "SPNEGO"], ++ stdout=logfile, stderr=logfile, ++ env=testenv, preexec_fn=os.setsid) ++ spnego.wait() ++ if spnego.returncode != 0: ++ sys.stderr.write('LOCALNAME(SPNEGO): FAILED\n') ++ error_count += 1 ++ else: ++ sys.stderr.write('LOCALNAME(SPNEGO): SUCCESS\n') ++ ++ # and bare krb5 (GS2-KRB5 is the name used by SASL for it) ++ krb5 = subprocess.Popen(["tests/t_localname.py", "GS2-KRB5"], ++ stdout=logfile, stderr=logfile, ++ env=testenv, preexec_fn=os.setsid) ++ krb5.wait() ++ if krb5.returncode != 0: ++ if krb5.returncode == 42: ++ sys.stderr.write('LOCALNAME(KRB5): SKIPPED\n') ++ else: ++ sys.stderr.write('LOCALNAME(KRB5): FAILED\n') ++ error_count += 1 ++ else: ++ sys.stderr.write('LOCALNAME(KRB5): SUCCESS\n') ++ ++ return error_count ++ ++ + if __name__ == '__main__': + args = parse_args() + +@@ -781,6 +823,9 @@ if __name__ == '__main__': + + errs += test_bad_acceptor_name(testdir, testenv, logfile) + ++ testenv['MAG_REMOTE_USER'] = USR_NAME ++ errs += test_gss_localname(testdir, testenv, logfile) ++ + rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so" + deb_path = 
"/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so" + if os.path.exists(rpm_path) or os.path.exists(deb_path): +diff --git a/tests/t_localname.py b/tests/t_localname.py +new file mode 100755 +index 0000000000000000000000000000000000000000..e990762c42aa9b370ac71292b5019fc63622c240 +--- /dev/null ++++ b/tests/t_localname.py +@@ -0,0 +1,62 @@ ++#!/usr/bin/env python3 ++# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license. ++ ++import os ++import subprocess ++import sys ++ ++import gssapi ++ ++import requests ++ ++from requests_gssapi import HTTPSPNEGOAuth ++ ++ ++def use_requests(auth): ++ sess = requests.Session() ++ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME'] ++ ++ r = sess.get(url, auth=auth) ++ if r.status_code != 200: ++ raise ValueError('Localname failed') ++ ++ if r.text.rstrip() != os.environ['MAG_REMOTE_USER']: ++ raise ValueError('Localname, REMOTE_USER check failed') ++ ++ ++def use_curl(): ++ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME'] ++ curl = subprocess.Popen(["curl", "--negotiate", "-u:", url], ++ stdout=subprocess.PIPE) ++ curl.wait() ++ if curl.returncode != 0: ++ raise ValueError('Localname failed') ++ ++ line = curl.stdout.read().strip(b' \t\n\r').decode('utf-8') ++ if line != os.environ['MAG_REMOTE_USER']: ++ raise ValueError('Localname, REMOTE_USER check failed (%s != %s)' % ( ++ line, os.environ['MAG_REMOTE_USER'])) ++ ++ ++if __name__ == '__main__': ++ mech_name = None ++ if len(sys.argv) > 1: ++ mech_name = sys.argv[1] ++ ++ mech = None ++ if mech_name is not None: ++ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name) ++ ++ try: ++ auth = HTTPSPNEGOAuth(mech=mech) ++ use_requests(auth) ++ except TypeError: ++ # odler version of requests that does not support mechs ++ if mech_name == 'SPNEGO': ++ use_curl() ++ elif mech_name == 'GS2-KRB5': ++ # older request versions use krb5 as the mech by default ++ auth = HTTPSPNEGOAuth() ++ use_requests(auth) ++ else: ++ 
sys.exit(42) # SKIP +-- +2.35.1 + diff --git a/SPECS/mod_auth_gssapi.spec b/SPECS/mod_auth_gssapi.spec new file mode 100644 index 0000000..b8b119c --- /dev/null +++ b/SPECS/mod_auth_gssapi.spec 
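Review bot: The `passwd_file` written in setup_wrappers() has no line terminators — the four `f.write(...)` calls concatenate into one record (`.../bin/shmaguser:x:1:1:...`), unlike the hosts file written just above with `'%s %s\n'`, so nss_wrapper will see a single malformed passwd entry rather than four users. Each write needs a newline, e.g. `f.write('maguser:x:1:1:maguser:/maguser:/bin/sh\n')`, or one `f.write('\n'.join(entries) + '\n')`. Whether the new localname test passes anyway depends on whether the krb5 localname lookup consults passwd in this configuration, which I cannot tell from here, but the file is wrong either way. The same block also uses `testdir` although the function's parameter is `base`, so it only works if `testdir` happens to be the module-level global from `__main__`; the hosts-file code that would show the intended variable is outside the hunk.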
@@ -0,0 +1,201 @@
+Name: mod_auth_gssapi
+Version: 1.6.1
+Release: 9%{?dist}
+Summary: A GSSAPI Authentication module for Apache
+
+Group: System Environment/Daemons
+License: MIT
+URL: https://github.com/modauthgssapi/mod_auth_gssapi
+Source0: https://github.com/modauthgssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz
+
+Patch0: In-tests-show-the-exception-on-failure.patch
+Patch1: Fix-tests-to-work-with-python3.patch
+Patch2: tests-Test-suite-fixes-for-virtualenv-and-clang.patch
+Patch3: Fix-integer-sizes-used-with-ap_set_flag_slot.patch
+Patch4: Fix-mag_auth_basic-function-call.patch
+Patch6: Fix-distcheck.patch
+Patch7: Add-option-to-control-timeout-for-Basic-Auth.patch
+Patch8: tests-Support-Debian-s-libfaketime.patch
+Patch9: tests-Fixup-virtualenv-handling.patch
+Patch10: tests-Don-t-override-the-specific-environment-by-the.patch
+Patch11: Fix-PATH-handling-bug-in-test-suite.patch
+Patch12: Move-to-python3-by-default.patch
+Patch13: Fix-gss_localname-with-SPNEGO-wrapping.patch
+Patch14: tests-add-test-for-gss_localname.patch
+Patch15: Add-ability-to-expose-the-used-mechanism.patch
+Patch16: Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
+
+BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool
+BuildRequires: gssntlmssp-devel
+BuildRequires: git
+Requires: httpd-mmn = %{_httpd_mmn}
+Requires: krb5-libs >= 1.11.5
+
+%description
+The mod_auth_gssapi module is an authentication service that implements the
+SPNEGO based HTTP Authentication protocol defined in RFC4559.
+
+%prep
+%autosetup -S git
+
+%build
+export APXS=%{_httpd_apxs}
+autoreconf -fi
+%configure
+make %{?_smp_mflags}
+
+%install
+mkdir -p %{buildroot}%{_httpd_moddir}
+install -m 755 src/.libs/%{name}.so %{buildroot}%{_httpd_moddir}
+
+# Apache configuration for the module
+echo "LoadModule auth_gssapi_module modules/mod_auth_gssapi.so" > 10-auth_gssapi.conf
+mkdir -p %{buildroot}%{_httpd_modconfdir}
+install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
+
+%files
+%doc
+%defattr(-,root,root)
+%doc README COPYING
+%config(noreplace) %{_httpd_modconfdir}/10-auth_gssapi.conf
+%{_httpd_moddir}/mod_auth_gssapi.so
+
+%changelog
+* Thu Apr 28 2022 Francisco Trivino 1.6.1-9
+- Add missing repos to the osci tests
+- Fix gss localname test to work with older gssapi version
+- Resolves: #2083122
+- Add ability to expose the used mechanism
+- Resolves: #2046231
+
+* Wed Apr 27 2022 Francisco Trivino 1.6.1-8
+- Add test for gss_localname
+- Fix gss_localname with SPNEGO wrapping
+- Resolves: #1787630
+
+* Mon Oct 12 2020 Robbie Harwood 1.6.1-7.1
+- Bang on gating until the environment gives up
+- Resolves: #1866149
+
+* Mon Oct 12 2020 Robbie Harwood - 1.6.1-7
+- Backport basic auth timeout control
+- Resolves: #1866149
+
+* Fri Mar 22 2019 Robbie Harwood - 1.6.1-6
+- Gating update
+- Resolves: #1682259
+
+* Mon Mar 18 2019 Robbie Harwood - 1.6.1-5
+- Fix integer sizes used with ap_set_flag_slot()
+- Resolves: #1674501
+
+* Mon Mar 18 2019 Robbie Harwood - 1.6.1-4
+- Fix virtualenv logic and add gating
+- Resolves: #1682259
+
+* Thu Mar 14 2019 Robbie Harwood - 1.6.1-3
+- Fix tests to work with python3
+- Resolves: #1661589
+
+* Fri Jul 13 2018 Fedora Release Engineering - 1.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Apr 23 2018 Robbie Harwood - 1.6.1-1
+- Release 1.6.1
+- Resolves: #1570271
+
+* Thu Feb 08 2018 Fedora Release Engineering - 1.6.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* 
Mon Nov 06 2017 Robbie Harwood - 1.6.0-1
+- Release 1.6.0
+
+* Fri Oct 27 2017 Robbie Harwood - 1.5.1-6
+- Document gssapi-no-negotiate
+
+* Tue Oct 03 2017 Robbie Harwood - 1.5.1-5
+- Handle extra large NSS entries
+- Resolves: #1498175
+
+* Mon Oct 02 2017 Robbie Harwood - 1.5.1-4
+- Allow admins to selectively suppress negotiation
+- Migrate to autosetup
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1.5.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Mar 9 2017 Simo Sorce - 1.5.1-1
+- Korabl-Sputnik 4 launch (1.5.1)
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 16 2017 Simo Sorce - 1.5.0-1
+- Last listoff of Space Shuttle Columbia release (1.5.0)
+
+* Mon Nov 14 2016 Joe Orton - 1.4.1-2
+- rebuild for new OpenSSL
+
+* Mon Aug 15 2016 Robbie Harwood 1.4.1-1
+- Mishka & Chizhik fly on a rocket release (1.4.1)
+- Fix bogus changelog date
+
+* Fri Jun 17 2016 Simo Sorce 1.4.0-1
+- Lunar Reconnaissance Orbiter (2009) release (1.4.0)
+
+* Mon Feb 22 2016 Simo Sorce 1.3.2-1
+- NEAR Shoemaker launch (1996) release (1.3.2)
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Sep 3 2015 Simo Sorce 1.3.1-1
+- Viking 2 landing (1976) release (1.3.1)
+
+* Tue Jul 7 2015 Simo Sorce 1.3.0-2
+- Fix annoying incorrect behavior with simple configuration where
+ GssapiAllowedMech is not used.
+
+* Sat Jul 4 2015 Simo Sorce 1.3.0-1
+- US Independence Day Release
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Apr 21 2015 Simo Sorce 1.2.0-1
+- New minor release 1.2.0
+- Adds delegation support on Basic Auth
+- Response fix, send last auth token on successful auth
+
+* Tue Mar 31 2015 Simo Sorce 1.1.0-3
+- Fix some authentication issues
+
+* Thu Mar 26 2015 Simo Sorce 1.1.0-2
+- Fix saving delegated credentials for SPNs
+
+* Thu Mar 12 2015 Simo Sorce 1.1.0-1
+- New minor release 1.1.0
+- New feature: Basic Auth support
+- Improvements: Better crypto for sesison cookies
+
+* Sat Nov 8 2014 Simo Sorce 1.0.4-1
+- Patch release 1.0.4
+- logging initialization fixes
+- additional build fixes
+
+* Sat Oct 11 2014 Simo Sorce 1.0.3-1
+- Patch release 1.0.3
+- fixes some build issues on various distros
+
+* Wed Aug 27 2014 Simo Sorce 1.0.2-1
+- Adds documntation to README
+- fixes bad bug that crippled configuration
+
+* Thu Aug 14 2014 Simo Sorce 1.0.1-1
+- Patch release 1.0.1
+
+* Mon Aug 4 2014 Simo Sorce 1.0.0-1
+- First release
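Review bot: The `%files` section lists a bare `%doc` directly before `%doc README COPYING`; the argument-less line contributes nothing, so drop it and keep only `%doc README COPYING`. The patch list jumps from Patch4 to Patch6 — `%autosetup -S git` still applies every declared Patch tag in numeric order, but the gap reads like a dropped patch, so either renumber the series or add a comment at the gap saying why Patch5 is absent. There is no `%check` section even though much of the series (Patch0–2, Patch8–11, Patch14, Patch16) is named for the test suite; presumably the suite needs a KDC and runs through the gating mentioned in the changelog, which is worth stating in a comment above `%files` so a reader does not assume the build itself verified the module. Source0 also mixes `%name` and `%{name}` in one URL; the braced form throughout is the conventional spelling.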