pkgsrc-Changes archive
CVS commit: pkgsrc/www
Module Name: pkgsrc
Committed By: riastradh
Date: Sat May 16 03:47:29 UTC 2026
Modified Files:
pkgsrc/www: Makefile
Added Files:
pkgsrc/www/ap24-auth-gssapi: DESCR Makefile PLIST distinfo
pkgsrc/www/ap24-auth-gssapi/patches: patch-configure.ac
patch-src_mod__auth__gssapi.c patch-src_mod__auth__gssapi.h
patch-tests_httpd.conf patch-tests_magtests.py
patch-tests_t__file__check.py patch-tests_t__mech__name.py
Log Message:
ap24-auth-gssapi: Import apache2.4 module mod_auth_gssapi-1.6.5
This is a modern replacement for mod_auth_kerb (www/ap-auth-kerb),
built with the standardized GSSAPI rather than with the not-quite-so
standardized libkrb5.
To generate a diff of this commit:
cvs rdiff -u -r1.1918 -r1.1919 pkgsrc/www/Makefile
cvs rdiff -u -r0 -r1.1 pkgsrc/www/ap24-auth-gssapi/DESCR \
pkgsrc/www/ap24-auth-gssapi/Makefile pkgsrc/www/ap24-auth-gssapi/PLIST \
pkgsrc/www/ap24-auth-gssapi/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/ap24-auth-gssapi/patches/patch-configure.ac \
pkgsrc/www/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.c \
pkgsrc/www/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.h \
pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_httpd.conf \
pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_magtests.py \
pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_t__file__check.py \
pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_t__mech__name.py
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/Makefile
diff -u pkgsrc/www/Makefile:1.1918 pkgsrc/www/Makefile:1.1919
--- pkgsrc/www/Makefile:1.1918 Sat May 9 13:15:13 2026
+++ pkgsrc/www/Makefile Sat May 16 03:47:28 2026
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.1918 2026/05/09 13:15:13 vins Exp $
+# $NetBSD: Makefile,v 1.1919 2026/05/16 03:47:28 riastradh Exp $
#
COMMENT= Packages related to the World Wide Web
@@ -58,6 +58,7 @@ SUBDIR+= ap2-xsendfile
SUBDIR+= ap22-auth-ofba
SUBDIR+= ap22-authz-ldap
SUBDIR+= ap22-dnssd
+SUBDIR+= ap24-auth-gssapi
SUBDIR+= ap24-authnz-external
SUBDIR+= apache-roller
SUBDIR+= apache-tomcat10
Added files:
Index: pkgsrc/www/ap24-auth-gssapi/DESCR
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/DESCR:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/DESCR Sat May 16 03:47:28 2026
@@ -0,0 +1,3 @@
+This module has been built as a replacement for the aging
+mod_auth_kerb. Its aim is to use only GSSAPI calls and be as much as
+possible agnostic of the actual mechanism used.
Index: pkgsrc/www/ap24-auth-gssapi/Makefile
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/Makefile:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/Makefile Sat May 16 03:47:28 2026
@@ -0,0 +1,66 @@
+# $NetBSD: Makefile,v 1.1 2026/05/16 03:47:28 riastradh Exp $
+
+DISTNAME= mod_auth_gssapi-1.6.5
+PKGNAME= ${DISTNAME:S/mod/${APACHE_PKG_PREFIX}/:S/_/-/g}
+CATEGORIES= www
+MASTER_SITES= ${MASTER_SITE_GITHUB:=gssapi/}
+GITHUB_PROJECT= ${DISTNAME:C/-.*//}
+GITHUB_RELEASE= v${PKGVERSION_NOREV}
+
+MAINTAINER= pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE= https://github.com/gssapi/mod_auth_gssapi
+COMMENT= Apache module for GSSAPI authentication
+LICENSE= isc
+
+PKG_APACHE_ACCEPTED= apache24
+APACHE_MODULE= yes
+
+USE_LIBTOOL= yes
+USE_TOOLS+= autoconf automake autoreconf pkg-config
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --with-apxs=${APXS:Q}
+CONFIGURE_ARGS+= APACHE=${_CROSS_DESTDIR:Q}${BUILDLINK_PREFIX.apache:Q}/sbin/httpd
+CONFIGURE_ARGS+= CPPFLAGS=-I${KRB5BASE:Q}/include
+
+INSTALLATION_DIRS= lib/httpd
+
+pre-configure:
+ @${STEP_MSG} Regenerating autoconf/automake products
+ ${RUN}cd ${WRKSRC} && autoreconf -fiv
+
+do-install:
+ @${STEP_MSG} Installing Apache module
+ ${INSTALL_LIB} ${WRKSRC}/src/.libs/mod_auth_gssapi.so \
+ ${DESTDIR}${PREFIX}/lib/httpd
+
+PYTHON_FOR_BUILD_ONLY= test
+
+REPLACE_PYTHON+= tests/*.py
+
+BUILDLINK_DEPMETHOD.nss_wrapper= build # for tests only
+BUILDLINK_DEPMETHOD.socket_wrapper= build # for tests only
+
+TEST_DEPENDS+= ${PYPKGPREFIX}-requests-gssapi>=0:../../devel/py-requests-gssapi
+
+TEST_ENV+= KRB5_TYPE=${KRB5_TYPE:Q}
+TEST_ENV+= LD_PRELOAD_PREFIX=${BUILDLINK_DIR}/lib/
+TEST_ENV+= APACHE_HTTPD=${PREFIX}/sbin/httpd
+TEST_ENV+= APACHE_MODULE_DIR=${PREFIX}/lib/httpd
+
+TEST_TARGET= check
+
+# We provide, via patch, a file that was missing in the upstream
+# distribution tarball (but included in git), and we have to make it
+# executable to run tests.
+post-patch: post-patch-fix-permissions
+post-patch-fix-permissions: .PHONY
+ @${STEP_MSG} Fixing permissions on missing file
+ ${RUN}cd ${WRKSRC} && ${CHMOD} +x tests/t_file_check.py
+
+.include "../../devel/nss_wrapper/buildlink3.mk"
+.include "../../devel/socket_wrapper/buildlink3.mk"
+.include "../../lang/python/application.mk"
+.include "../../mk/apache.mk"
+.include "../../mk/krb5.buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
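Review bot: `CONFIGURE_ARGS+= CPPFLAGS=-I${KRB5BASE:Q}/include` passes CPPFLAGS as a configure argument, which takes precedence over a CPPFLAGS value from the environment, so any preprocessor flags pkgsrc would otherwise hand to configure are presumably replaced rather than extended. Appending instead keeps them: `CPPFLAGS+= -I${KRB5BASE}/include`. If the override is deliberate (for example to stop configure picking up a different krb5 include directory), a one-line comment above the assignment saying so would save the next maintainer from "fixing" it.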
Index: pkgsrc/www/ap24-auth-gssapi/PLIST
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/PLIST:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/PLIST Sat May 16 03:47:28 2026
@@ -0,0 +1,2 @@
+@comment $NetBSD: PLIST,v 1.1 2026/05/16 03:47:28 riastradh Exp $
+lib/httpd/mod_auth_gssapi.so
Index: pkgsrc/www/ap24-auth-gssapi/distinfo
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/distinfo:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/distinfo Sat May 16 03:47:28 2026
@@ -0,0 +1,12 @@
+$NetBSD: distinfo,v 1.1 2026/05/16 03:47:28 riastradh Exp $
+
+BLAKE2s (mod_auth_gssapi-1.6.5.tar.gz) = 5f03b2e7b46ffc17ed88b52a22f173c621ec83b29cda0c0f1999ccdcc05c70b5
+SHA512 (mod_auth_gssapi-1.6.5.tar.gz) = 97eb6dff90e686cd5d25c2925987bf51dbdf627720e74105204ec4625455255548414a03599cfd5a85734f5496f6a7b1f09760771a8278e8348e6ca35b6c48d0
+Size (mod_auth_gssapi-1.6.5.tar.gz) = 513260 bytes
+SHA1 (patch-configure.ac) = 5eed9d745c021f4b52916eb1c156a5e364fda0bb
+SHA1 (patch-src_mod__auth__gssapi.c) = 7d8181842dbb06faec5ea34faa84d4a2a80b41e8
+SHA1 (patch-src_mod__auth__gssapi.h) = 168109cfcfdbd71afe77a77d196e3bf0d1abcd61
+SHA1 (patch-tests_httpd.conf) = 6f5eadcf33e32311a49cd809fb04017fbb1355a4
+SHA1 (patch-tests_magtests.py) = 0e5beea9acd982a8a8d57bca4a6396f6d2517be5
+SHA1 (patch-tests_t__file__check.py) = b955529b5f8603d447df71a8dc3e3efd1fe86507
+SHA1 (patch-tests_t__mech__name.py) = 5eb8e37300d41e4eadbfdbf88eec3c2eebe73712
Index: pkgsrc/www/ap24-auth-gssapi/patches/patch-configure.ac
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/patches/patch-configure.ac:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/patches/patch-configure.ac Sat May 16 03:47:28 2026
@@ -0,0 +1,62 @@
+$NetBSD: patch-configure.ac,v 1.1 2026/05/16 03:47:28 riastradh Exp $
+
+1. Fix shell portability.
+
+2. Use <gssapi/gssapi_ext.h> conditionally: mit-krb5 has it, heimdal
+ does not (even newer versions with the GSSAPI extensions).
+
+3. Use libgssapi, not libgssapi_krb5.
+
+4. Don't override caller's LIBTOOL.
+
+--- configure.ac.orig 2020-11-30 18:30:59.746815280 +0000
++++ configure.ac
+@@ -44,7 +44,7 @@ AC_TYPE_UINT32_T
+ AC_CHECK_FUNCS([strcasecmp])
+
+ AC_PATH_PROGS(APACHE, [apache2 httpd apache])
+-if test x"$APACHE" == x; then
++if test x"$APACHE" = x; then
+ AC_MSG_ERROR([Can't find the apache2/httpd executable!])
+ fi
+ chk="$(objdump -d "$APACHE" | grep ap_log_rdata)"
+@@ -97,8 +97,9 @@ AC_CHECK_FUNCS(EVP_CIPHER_CTX_new HMAC_C
+ LIBS=$save_LIBS
+
+ # GSSAPI availability and presence of specific functions
+-AC_CHECK_HEADERS([gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h],
++AC_CHECK_HEADERS([gssapi/gssapi.h gssapi/gssapi_krb5.h],
+ ,[AC_MSG_ERROR([Could not find GSSAPI headers])])
++AC_CHECK_HEADERS([gssapi/gssapi_ext.h])
+ AC_CHECK_HEADERS([gssapi/gssapi_ntlmssp.h])
+ AC_PATH_PROG(KRB5_CONFIG, krb5-config, failed)
+ if test x$KRB5_CONFIG = xfailed; then
+@@ -107,7 +108,7 @@ else
+ GSSAPI_CFLAGS="`$KRB5_CONFIG --cflags gssapi`"
+ GSSAPI_LIBS="`$KRB5_CONFIG --libs gssapi`"
+ fi
+-AC_CHECK_LIB([gssapi_krb5], [gss_accept_sec_context], [],
++AC_CHECK_LIB([gssapi], [gss_accept_sec_context], [],
+ [AC_MSG_ERROR([GSSAPI library check failed])])
+ AC_CHECK_FUNCS(gss_krb5_ccache_name, [],
+ [AC_MSG_ERROR([gss_krb5_ccache_name() not found])])
+@@ -115,13 +116,18 @@ AC_CHECK_FUNCS(gss_acquire_cred_with_pas
+ [AC_MSG_ERROR([gss_acquire_with_password() not found])])
+ AC_CHECK_FUNCS(gss_acquire_cred_from)
+ AC_CHECK_FUNCS(gss_store_cred_into)
++AC_CHECK_FUNCS(gss_set_neg_mechs)
++AC_CHECK_FUNCS(gss_str_to_oid)
++AC_CHECK_FUNCS(gss_mech_krb5_old)
++AC_CHECK_FUNCS(gss_mech_krb5_wrong)
++AC_CHECK_FUNCS(gss_mech_iakerb)
+
+ AC_SUBST([GSSAPI_CFLAGS])
+ AC_SUBST([GSSAPI_LIBS])
+
+ MAG_CFLAGS="`${APXS} -q CFLAGS` `${APXS} -q EXTRA_CPPFLAGS` `${APR} --cflags` ${GSSAPI_CFLAGS} ${OPENSSL_CFLAGS} -I`${APXS} -q INCLUDEDIR` `${APR} --includes` -fPIC"
+ MAG_LIBS="`${APR} --libs` ${GSSAPI_LIBS} ${OPENSSL_LIBS}"
+-LIBTOOL="`${APXS} -q LIBTOOL`"
++: ${LIBTOOL:=`${APXS} -q LIBTOOL`}
+
+ AC_SUBST([MAG_CFLAGS])
+ AC_SUBST([MAG_LIBS])
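Review bot: The patch header lists four changes, but the inner hunk at `@@ -115,13 +116,18 @@` also adds five `AC_CHECK_FUNCS` calls that the mod_auth_gssapi.c patch in this commit depends on for its `HAVE_GSS_*` guards; the header should get a fifth item, e.g. `5. Check for gss_set_neg_mechs, gss_str_to_oid and the krb5_old/krb5_wrong/iakerb OID symbols, which Heimdal may lack.` Three of those names (`gss_mech_krb5_old`, `gss_mech_krb5_wrong`, `gss_mech_iakerb`) are OID objects rather than functions, judging by how the .c patch defines them, so the check works only because `AC_CHECK_FUNCS` is a link test. A comment next to them saying so would make clear that this is intentional and that the result means "symbol is exported", not "function is callable".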
Index: pkgsrc/www/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.c
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.c:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.c Sat May 16 03:47:29 2026
@@ -0,0 +1,54 @@
+$NetBSD: patch-src_mod__auth__gssapi.c,v 1.1 2026/05/16 03:47:29 riastradh Exp $
+
+1. Provide definitions of older GSSAPI OIDs not in Heimdal.
+
+2. Conditionalize use of gss_set_neg_mechs and gss_str_to_oid APIs.
+
+--- src/mod_auth_gssapi.c.orig 2022-08-29 10:27:33.722115054 +0000
++++ src/mod_auth_gssapi.c
+@@ -440,6 +440,21 @@ const char *mag_str_auth_type(int auth_t
+ return auth_types[auth_type];
+ }
+
++#ifndef HAVE_GSS_MECH_KRB5_OLD
++static const gss_const_OID gss_mech_krb5_old =
++ &(const gss_OID_desc){5, "\053\005\001\005\002"};
++#endif
++
++#ifndef HAVE_GSS_MECH_KRB5_WRONG
++static const gss_const_OID gss_mech_krb5_wrong =
++ &(const gss_OID_desc){9, "\052\206\110\202\367\022\001\002\002"};
++#endif
++
++#ifndef HAVE_GSS_MECH_IAKERB
++static const gss_const_OID gss_mech_iakerb =
++ &(const gss_OID_desc){6, "\053\006\001\005\002\005"};
++#endif
++
+ gss_OID_set mag_filter_unwanted_mechs(gss_OID_set src)
+ {
+ gss_const_OID unwanted_mechs[] = {
+@@ -1228,7 +1243,11 @@ static int mag_auth(request_rec *req)
+
+ if (auth_type == AUTH_TYPE_NEGOTIATE &&
+ cfg->allowed_mechs != GSS_C_NO_OID_SET) {
++#ifdef HAVE_GSS_SET_NEG_MECHS
+ maj = gss_set_neg_mechs(&min, acquired_cred, cfg->allowed_mechs);
++#else
++ maj = GSS_S_UNAVAILABLE;
++#endif
+ if (GSS_ERROR(maj)) {
+ mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
+ "In Negotiate Auth: gss_set_neg_mechs() failed");
+@@ -1784,7 +1803,11 @@ static bool mag_list_of_mechs(cmd_parms
+ } else {
+ buf.value = discard_const(w);
+ buf.length = strlen(w);
++#ifdef HAVE_GSS_STR_TO_OID
+ maj = gss_str_to_oid(&min, &buf, &oid);
++#else
++ maj = GSS_S_UNAVAILABLE;
++#endif
+ if (maj != GSS_S_COMPLETE) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+ "Unrecognized GSSAPI Mechanism: [%s]", w);
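Review bot: In the `#else` branch added to mag_auth, `maj` is forced to `GSS_S_UNAVAILABLE` but `min` is left untouched, and the very next statement passes it to `mag_post_error(req, cfg, MAG_GSS_ERR, maj, min, ...)`. Unless an earlier call in mag_auth (outside this hunk) always assigns it, the reported minor status is stale or indeterminate, so I would write `maj = GSS_S_UNAVAILABLE; min = 0;` there. Refusing the request when `cfg->allowed_mechs` cannot be enforced is the right fail-closed behaviour for an authentication module and deserves a comment such as `/* no gss_set_neg_mechs(): refuse rather than negotiate with unrestricted mechs */`. The same applies in mag_list_of_mechs, where a build without `gss_str_to_oid` logs every OID-string mechanism as "Unrecognized GSSAPI Mechanism", which hides that the cause is the GSSAPI library rather than the configuration.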
Index: pkgsrc/www/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.h
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.h:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.h Sat May 16 03:47:29 2026
@@ -0,0 +1,17 @@
+$NetBSD: patch-src_mod__auth__gssapi.h,v 1.1 2026/05/16 03:47:29 riastradh Exp $
+
+Use <gssapi/gssapi_ext.h> conditionally: mit-krb5 has it, heimdal does
+not (even newer versions with the GSSAPI extensions).
+
+--- src/mod_auth_gssapi.h.orig 2020-11-30 18:30:59.758815269 +0000
++++ src/mod_auth_gssapi.h
+@@ -30,7 +30,9 @@
+ #include "config.h"
+
+ #include <gssapi/gssapi.h>
++#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
+ #include <gssapi/gssapi_ext.h>
++#endif
+ #include <gssapi/gssapi_krb5.h>
+ #ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H
+ # include <gssapi/gssapi_ntlmssp.h>
Index: pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_httpd.conf
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_httpd.conf:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_httpd.conf Sat May 16 03:47:29 2026
@@ -0,0 +1,67 @@
+$NetBSD: patch-tests_httpd.conf,v 1.1 2026/05/16 03:47:29 riastradh Exp $
+
+1. Don't load mod_suexec.so, which we don't need and which is optional
+ in the pkgsrc www/apache24 build.
+
+2. Use a ./-relative path for mod_auth_gssapi.so; otherwise Apache
+ doesn't try the working directory (under some circumstances,
+ perhaps) and fails to load it.
+
+3. Use a local mime.types so we don't need to pull in more deps.
+
+4. Set GssapiAcceptorName as needed; otherwise Heimdal doesn't find any
+ credentials.
+
+--- tests/httpd.conf.orig 2020-11-30 18:30:59.759815268 +0000
++++ tests/httpd.conf
+@@ -61,7 +61,7 @@ LoadModule socache_memcache_module modul
+ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+ LoadModule status_module modules/mod_status.so
+ LoadModule substitute_module modules/mod_substitute.so
+-LoadModule suexec_module modules/mod_suexec.so
++#LoadModule suexec_module modules/mod_suexec.so
+ LoadModule unique_id_module modules/mod_unique_id.so
+ <IfModule !unixd_module>
+ LoadModule unixd_module modules/mod_unixd.so
+@@ -75,7 +75,7 @@ LoadModule mpm_prefork_module modules/mo
+ LoadModule proxy_module modules/mod_proxy.so
+ LoadModule proxy_http_module modules/mod_proxy_http.so
+
+-LoadModule auth_gssapi_module mod_auth_gssapi.so
++LoadModule auth_gssapi_module ./mod_auth_gssapi.so
+
+ Mutex file:{HTTPROOT}
+
+@@ -120,7 +120,7 @@ ErrorLog "logs/error_log"
+ LogLevel debug
+
+ <IfModule mime_module>
+- TypesConfig /etc/mime.types
++ TypesConfig ./mime.types
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+ AddType text/html .shtml
+@@ -194,6 +194,7 @@ CoreDumpDirectory "{HTTPROOT}"
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
++ GssapiAcceptorName {{HOSTNAME}}
+ GssapiBasicAuth On
+ GssapiBasicAuthMech krb5
+ GssapiConnectionBound On
+@@ -312,6 +313,7 @@ CoreDumpDirectory "{HTTPROOT}"
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
++ GssapiAcceptorName {{HOSTNAME}}
+ GssapiBasicAuth On
+ Require valid-user
+ </Proxy>
+@@ -356,6 +358,7 @@ CoreDumpDirectory "{HTTPROOT}"
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
++ GssapiAcceptorName {{HOSTNAME}}
+ GssapiBasicAuth On
+ GssapiBasicAuthMech krb5
+ GssapiPublishMech On
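Review bot: Item 4 of the patch header does not explain why the three added `GssapiAcceptorName {{HOSTNAME}}` lines use doubled braces while the neighbouring `{HTTPROOT}` placeholders use single ones. tests/httpd.conf is expanded with Python's `str.format` (see `f.read().format(HTTPROOT=httpdir,` in the magtests.py patch of this commit), so the doubled form reaches Apache as the literal `{HOSTNAME}`, which appears to be the module's keyword for taking the acceptor name from the requested host rather than a template variable. I would extend item 4 with: `{{HOSTNAME}} is escaped for str.format and yields the literal {HOSTNAME} keyword.` If that keyword does follow the client-supplied host name, it is also worth saying in the header that this suits the wrapped test network and is not a recommendation for production configs, where a fixed acceptor name is the tighter choice.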
Index: pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_magtests.py
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_magtests.py:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_magtests.py Sat May 16 03:47:29 2026
@@ -0,0 +1,264 @@
+$NetBSD: patch-tests_magtests.py,v 1.1 2026/05/16 03:47:29 riastradh Exp $
+
+1. Handle Heimdal.
+
+2. Provide a way to give paths to LD_PRELOAD libraries; NetBSD
+ ld.elf_so requires this and does not search relative to rpath or
+ LD_LIBRARY_PATH.
+
+3. Set Heimdal krb5.conf parameters for KDC database.
+
+4. Set Heimdal pidfile directory and support Heimdal KDC creation.
+
+5. Support Heimdal kadmin setup.
+
+6. Let the environment provide the Apache module directory.
+
+6. Create a simple mime.types to avoid reliance on any external one.
+
+7. Let the environment provide the Apache executable.
+
+8-9. Use a temporary directory (typically under /tmp with a short path)
+ to avoid overlong socket paths in pkgsrc workdirs.
+
+9. Fail if any test file didn't exist. (The distribution tarball is
+ missing t_file_check.py, but the tests wrongly passed without it.)
+
+--- tests/magtests.py.orig 2020-11-30 18:30:59.759815268 +0000
++++ tests/magtests.py
+@@ -30,6 +30,9 @@ def parse_args():
+ return vars(parser.parse_args())
+
+
++HEIMDAL = os.getenv('KRB5_TYPE', None) == 'heimdal'
++
++
+ WRAP_HOSTNAME = "kdc.mag.dev"
+ WRAP_ALIASNAME = "alias.mag.dev"
+ WRAP_FAILNAME = "fail.mag.dev"
+@@ -67,7 +70,9 @@ def setup_wrappers(base):
+ f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh')
+ f.write('timeoutusr:x:4:4:timeoutusr:/timeoutusr:/bin/sh')
+
+- wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
++ ld_preload_prefix = os.getenv('LD_PRELOAD_PREFIX', '')
++ wenv = {'LD_PRELOAD': '%slibsocket_wrapper.so %slibnss_wrapper.so' %
++ (ld_preload_prefix, ld_preload_prefix),
+ 'SOCKET_WRAPPER_DIR': wrapdir,
+ 'SOCKET_WRAPPER_DEFAULT_IFACE': '9',
+ 'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
+@@ -111,6 +116,12 @@ KRB5_CONF_TEMPLATE = '''
+ {TESTREALM} = {{
+ database_name = {KDCDIR}/{KDC_DBNAME}
+ }}
++
++[kdc]
++ database = {{
++ dbname = {KDCDIR}/{KDC_DBNAME}
++ acl_file = {KDCDIR}/kadmind.acl
++ }}
+ '''
+ KDC_CONF_TEMPLATE = '''
+ [kdcdefaults]
+@@ -326,29 +337,60 @@ def setup_kdc(testdir, wrapenv):
+ 'KRB5_CONFIG': krb5conf,
+ 'KRB5_KDC_PROFILE': kdcconf,
+ 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
++ 'HEIM_PIDFILE_DIR': os.path.join(testdir, ''),
+ })
+
+ logfile = open(testlog, 'a')
+- ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
+- "-r", TESTREALM, "-P", KDC_PASSWORD],
+- stdout=logfile, stderr=logfile,
+- env=kdcenv, preexec_fn=os.setsid)
+- ksetup.wait()
+- if ksetup.returncode != 0:
+- raise ValueError('KDC Setup failed')
+
+- setup_test_certs(testdir, kdcenv, logfile)
++ if HEIMDAL:
++ ksetup = subprocess.Popen(['kadmin', '-c', krb5conf, '-l',
++ 'init',
++ '--realm-max-ticket-life=unlimited',
++ '--realm-max-renewable-life=unlimited',
++ TESTREALM],
++ stdin=subprocess.DEVNULL,
++ stdout=logfile, stderr=logfile,
++ env=kdcenv, preexec_fn=os.setsid)
++ ksetup.wait()
++ if ksetup.returncode != 0:
++ raise ValueError('KDC setup failed logfile=%r' % (logfile,))
++
++ setup_test_certs(testdir, kdcenv, logfile)
++
++ kdcproc = subprocess.Popen(['kdc',
++ '--config-file=' + kdcconf,
++ '--addresses=' + WRAP_IPADDR],
++ stdout=logfile, stderr=logfile,
++ env=kdcenv, preexec_fn=os.setsid)
++
++ else:
++ ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
++ "-r", TESTREALM, "-P", KDC_PASSWORD],
++ stdout=logfile, stderr=logfile,
++ env=kdcenv, preexec_fn=os.setsid)
++ ksetup.wait()
++ if ksetup.returncode != 0:
++ raise ValueError('KDC Setup failed logfile=%r' % (logfile,))
++
++ setup_test_certs(testdir, kdcenv, logfile)
++
++ kdcproc = subprocess.Popen(['krb5kdc', '-n'],
++ stdout=logfile, stderr=logfile,
++ env=kdcenv, preexec_fn=os.setsid)
+
+- kdcproc = subprocess.Popen(['krb5kdc', '-n'],
+- stdout=logfile, stderr=logfile,
+- env=kdcenv, preexec_fn=os.setsid)
+ return kdcproc, kdcenv
+
+
+ def kadmin_local(cmd, env, logfile):
+- ksetup = subprocess.Popen(["kadmin.local", "-q", cmd],
+- stdout=logfile, stderr=logfile,
+- env=env, preexec_fn=os.setsid)
++ if HEIMDAL:
++ ksetup = subprocess.Popen(["sh", "-c", "exec kadmin -l %s" % (cmd,)],
++ stdin=subprocess.DEVNULL,
++ stdout=logfile, stderr=logfile,
++ env=env, preexec_fn=os.setsid)
++ else:
++ ksetup = subprocess.Popen(["kadmin.local", "-q", cmd],
++ stdout=logfile, stderr=logfile,
++ env=env, preexec_fn=os.setsid)
+ ksetup.wait()
+ if ksetup.returncode != 0:
+ raise ValueError('Kadmin local [%s] failed' % cmd)
+@@ -369,31 +411,53 @@ def setup_keys(tesdir, env):
+ logfile = open(testlog, 'a')
+
+ svc_name = "HTTP/%s" % WRAP_HOSTNAME
+- cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, svc_name)
++ if HEIMDAL:
++ cmd = "add --random-key --use-defaults %s" % (svc_name,)
++ else:
++ cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, svc_name)
+ kadmin_local(cmd, env, logfile)
+
+ svc_keytab = os.path.join(testdir, SVC_KTNAME)
+- cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, svc_name)
++ if HEIMDAL:
++ cmd = "ext_keytab --keytab=%s %s" % (svc_keytab, svc_name)
++ else:
++ cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, svc_name)
+ kadmin_local(cmd, env, logfile)
+
+- cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME)
++ if HEIMDAL:
++ cmd = "add --password=%s --use-defaults %s" % (USR_PWD, USR_NAME)
++ else:
++ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME)
+ kadmin_local(cmd, env, logfile)
+
+- cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
++ if HEIMDAL:
++ cmd = "add --password=%s --use-defaults %s" % (USR_PWD_2, USR_NAME_2)
++ else:
++ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
+ kadmin_local(cmd, env, logfile)
+
+- cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4)
++ if HEIMDAL:
++ cmd = "add --password=%s --use-defaults %s" % (USR_PWD, USR_NAME_4)
++ else:
++ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4)
+ kadmin_local(cmd, env, logfile)
+
+ # alias for multinamed hosts testing
+ alias_name = "HTTP/%s" % WRAP_ALIASNAME
+- cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
++ if HEIMDAL:
++ cmd = "add --random-key --use-defaults %s" % (alias_name,)
++ else:
++ cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
+ kadmin_local(cmd, env, logfile)
+- cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, alias_name)
++ if HEIMDAL:
++ cmd = "ext_keytab --keytab=%s %s" % (svc_keytab, alias_name)
++ else:
++ cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, alias_name)
+ kadmin_local(cmd, env, logfile)
+
+- cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
+- kadmin_local(cmd, env, logfile)
++ if not HEIMDAL: # XXX HEIMDAL PKINIT
++ cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
++ kadmin_local(cmd, env, logfile)
+
+ keys_env = env.copy()
+ keys_env.update({
+@@ -413,16 +477,16 @@ def setup_http(testdir, so_dir, wrapenv)
+ httpdstdlog = os.path.join(testdir, 'httpd.stdlog')
+
+ distro = "Fedora"
+- moddir = "/etc/httpd/modules"
+- if not os.path.exists(moddir):
+- distro = "Debian"
+- moddir = "/usr/lib/apache2/modules"
++ moddir = os.getenv('APACHE_MODULE_DIR')
+ if not os.path.exists(moddir):
+ raise ValueError("Could not find Apache module directory!")
+ os.symlink(moddir, os.path.join(httpdir, 'modules'))
+
+ shutil.copy('%s/mod_auth_gssapi.so' % so_dir, httpdir)
+
++ with open(os.path.join(httpdir, 'mime.types'), 'w') as f:
++ f.write('text/html\thtml\n')
++
+ with open('tests/httpd.conf') as f:
+ text = f.read().format(HTTPROOT=httpdir,
+ HTTPNAME=WRAP_HOSTNAME,
+@@ -444,6 +508,7 @@ def setup_http(testdir, so_dir, wrapenv)
+ })
+
+ httpd = "httpd" if distro == "Fedora" else "apache2"
++ httpd = os.getenv('APACHE_HTTPD', httpd)
+ log = open(httpdstdlog, 'a')
+ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+ stdout=log, stderr=log,
+@@ -790,6 +855,7 @@ def http_restart(testdir, so_dir, testen
+ })
+
+ httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
++ httpd = os.getenv('APACHE_HTTPD', httpd)
+ config = os.path.join(testdir, 'httpd', 'httpd.conf')
+ log = open(os.path.join(testdir, 'httpd.stdlog'), 'a')
+ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+@@ -845,6 +911,11 @@ if __name__ == '__main__':
+ errs = -1
+
+ try:
++ import tempfile
++ with tempfile.TemporaryDirectory(prefix='mod_auth_gssapi.') as tempdir:
++ otestdir = testdir
++ testdir = tempdir
++ try:
+ # prepare environment for tests
+ wrapenv = apply_venv(setup_wrappers(testdir))
+
+@@ -920,9 +991,14 @@ if __name__ == '__main__':
+ errs += test_basic_auth_timeout(testdir, timeenv, logfile)
+ except NotImplementedError:
+ sys.stderr.write('BASIC Timeout Behavior: SKIPPED\n')
++ finally:
++ shutil.rmtree(os.path.join(tempdir, 'wrapdir'))
++ shutil.copytree(tempdir, otestdir, symlinks=True, dirs_exist_ok=True)
++ testdir = otestdir
+
+ except Exception:
+ traceback.print_exc()
++ errs += 1
+ finally:
+ for name in processes:
+ logfile.write("Killing %s\n" % name)
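Review bot: The Heimdal branch of kadmin_local builds a shell command by string interpolation, `["sh", "-c", "exec kadmin -l %s" % (cmd,)]`, and the `cmd` strings from setup_keys embed `USR_PWD`, `svc_keytab` and principal names. Any shell metacharacter or space in those values (a test directory with a space is enough) would be reinterpreted by `sh`. Passing an argument vector avoids the shell entirely: `ksetup = subprocess.Popen(["kadmin", "-l"] + shlex.split(cmd),` with the remaining keyword arguments unchanged; whether `shlex` is already imported is not visible in this patch. Separately, in setup_http `moddir = os.getenv('APACHE_MODULE_DIR')` has no default, so running the tests without that variable makes `os.path.exists(moddir)` raise a TypeError on `None` instead of reaching the intended "Could not find Apache module directory!" error; `os.getenv('APACHE_MODULE_DIR', '/etc/httpd/modules')` or an explicit `if not moddir` check would keep the clear message.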
Index: pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_t__file__check.py
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_t__file__check.py:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_t__file__check.py Sat May 16 03:47:29 2026
@@ -0,0 +1,22 @@
+$NetBSD: patch-tests_t__file__check.py,v 1.1 2026/05/16 03:47:29 riastradh Exp $
+
+Missing file, content found from upstream git.
+
+--- tests/t_file_check.py.orig 2025-09-06 17:50:47.497707732 +0000
++++ tests/t_file_check.py
+@@ -0,0 +1,15 @@
++#!/usr/bin/env python3
++# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
++
++import os
++
++import requests
++from requests.auth import HTTPBasicAuth
++
++
++if __name__ == '__main__':
++ url = 'http://%s/keytab_file_check/' % os.environ['NSS_WRAPPER_HOSTNAME']
++ r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'],
++ os.environ['MAG_USER_PASSWORD']))
++ if r.status_code != 200:
++ raise ValueError('Basic Auth Failed(Keytab File Check)')
Index: pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_t__mech__name.py
diff -u /dev/null pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_t__mech__name.py:1.1
--- /dev/null Sat May 16 03:47:29 2026
+++ pkgsrc/www/ap24-auth-gssapi/patches/patch-tests_t__mech__name.py Sat May 16 03:47:29 2026
@@ -0,0 +1,18 @@
+$NetBSD: patch-tests_t__mech__name.py,v 1.1 2026/05/16 03:47:29 riastradh Exp $
+
+Accept disagreement between mit-krb5 and heimdal of case in
+human-readable short mechanism name from gss_inquire_saslname_for_mech.
+
+--- tests/t_mech_name.py.orig 2020-11-30 18:30:59.760815267 +0000
++++ tests/t_mech_name.py
+@@ -13,7 +13,9 @@ if __name__ == '__main__':
+ if r.status_code != 200:
+ raise ValueError('Basic Auth Failed')
+
+- if r.text.rstrip() != 'Basic/krb5':
++ # mit-krb5 returns `krb5'; heimdal returns `KRB5' -- maybe this
++ # should use the SASL name, which is formally registered with IANA
++ if r.text.rstrip().casefold() != 'basic/krb5':
+ raise ValueError(
+ 'GSS_MECH check failed, expected Basic/krb5, got "%s"' %
+ r.text.rstrip())