pkgsrc-WIP-changes archive
wip/ap24-auth-gssapi: Apache module for GSSAPI authentication.
Module Name: pkgsrc-wip
Committed By: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Pushed By: riastradh
Date: Sat Sep 6 18:40:57 2025 +0000
Changeset: d3e2d428d55a8b85da9b25bd8f148602438016ef
Added Files:
ap24-auth-gssapi/COMMIT_MSG
ap24-auth-gssapi/DESCR
ap24-auth-gssapi/Makefile
ap24-auth-gssapi/PLIST
ap24-auth-gssapi/distinfo
ap24-auth-gssapi/patches/patch-configure.ac
ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.c
ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.h
ap24-auth-gssapi/patches/patch-tests_httpd.conf
ap24-auth-gssapi/patches/patch-tests_magtests.py
ap24-auth-gssapi/patches/patch-tests_t__file__check.py
ap24-auth-gssapi/patches/patch-tests_t__mech__name.py
Log Message:
wip/ap24-auth-gssapi: Apache module for GSSAPI authentication.
This is lightly patched to support Heimdal -- requires some work in
heimdal-dev not yet in a release, though, for the GSSAPI credential
store extensions:
https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=d3e2d428d55a8b85da9b25bd8f148602438016ef
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
ap24-auth-gssapi/COMMIT_MSG | 5 +
ap24-auth-gssapi/DESCR | 3 +
ap24-auth-gssapi/Makefile | 70 ++++++
ap24-auth-gssapi/PLIST | 2 +
ap24-auth-gssapi/distinfo | 12 +
ap24-auth-gssapi/patches/patch-configure.ac | 62 +++++
.../patches/patch-src_mod__auth__gssapi.c | 54 +++++
.../patches/patch-src_mod__auth__gssapi.h | 17 ++
ap24-auth-gssapi/patches/patch-tests_httpd.conf | 67 ++++++
ap24-auth-gssapi/patches/patch-tests_magtests.py | 264 +++++++++++++++++++++
.../patches/patch-tests_t__file__check.py | 22 ++
.../patches/patch-tests_t__mech__name.py | 18 ++
12 files changed, 596 insertions(+)
diffs:
diff --git a/ap24-auth-gssapi/COMMIT_MSG b/ap24-auth-gssapi/COMMIT_MSG
new file mode 100644
index 0000000000..edbdce7903
--- /dev/null
+++ b/ap24-auth-gssapi/COMMIT_MSG
@@ -0,0 +1,5 @@
+ap24-auth-gssapi: Import apache2.4 module mod_auth_gssapi-1.6.5
+
+This is a modern replacement for mod_auth_kerb (www/ap-auth-kerb),
+built with the standardized GSSAPI rather than with the not-quite-so
+standardized libkrb5.
diff --git a/ap24-auth-gssapi/DESCR b/ap24-auth-gssapi/DESCR
new file mode 100644
index 0000000000..62c39d36a8
--- /dev/null
+++ b/ap24-auth-gssapi/DESCR
@@ -0,0 +1,3 @@
+This module has been built as a replacement for the aging
+mod_auth_kerb. Its aim is to use only GSSAPI calls and be as much as
+possible agnostic of the actual mechanism used.
diff --git a/ap24-auth-gssapi/Makefile b/ap24-auth-gssapi/Makefile
new file mode 100644
index 0000000000..9e5eb37a45
--- /dev/null
+++ b/ap24-auth-gssapi/Makefile
@@ -0,0 +1,70 @@
+# $NetBSD$
+
+DISTNAME= mod_auth_gssapi-1.6.5
+PKGNAME= ${DISTNAME:S/mod/${APACHE_PKG_PREFIX}/:S/_/-/g}
+CATEGORIES= www
+MASTER_SITES= ${MASTER_SITE_GITHUB:=gssapi/}
+GITHUB_PROJECT= ${DISTNAME:C/-.*//}
+GITHUB_RELEASE= v${PKGVERSION_NOREV}
+
+MAINTAINER= pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE= https://github.com/gssapi/mod_auth_gssapi
+COMMENT= Apache module for GSSAPI authentication
+LICENSE= isc
+
+PKG_APACHE_ACCEPTED= apache24
+APACHE_MODULE= yes
+
+USE_LIBTOOL= yes
+USE_TOOLS+= autoconf automake autoreconf pkg-config
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --with-apxs=${APXS:Q}
+CONFIGURE_ARGS+= APACHE=${_CROSS_DESTDIR:Q}${BUILDLINK_PREFIX.apache:Q}/sbin/httpd
+CONFIGURE_ARGS+= CPPFLAGS=-I${KRB5BASE:Q}/include
+
+INSTALLATION_DIRS= lib/httpd
+
+pre-configure:
+ @${STEP_MSG} Regenerating autoconf/automake products
+ ${RUN}cd ${WRKSRC} && autoreconf -fiv
+
+do-install:
+ @${STEP_MSG} Installing Apache module
+ ${INSTALL_LIB} ${WRKSRC}/src/.libs/mod_auth_gssapi.so \
+ ${DESTDIR}${PREFIX}/lib/httpd
+
+PYTHON_FOR_BUILD_ONLY= test
+
+REPLACE_PYTHON+= tests/t_*.py
+
+BUILDLINK_DEPMETHOD.nss_wrapper= build # for tests only
+BUILDLINK_DEPMETHOD.socket_wrapper= build # for tests only
+
+TEST_DEPENDS+= ${PYPKGPREFIX}-requests-gssapi>=0:../../devel/py-requests-gssapi
+
+TEST_ENV+= KRB5_TYPE=${KRB5_TYPE:Q}
+TEST_ENV+= LD_PRELOAD_PREFIX=${BUILDLINK_DIR}/lib/
+TEST_ENV+= APACHE_HTTPD=${PREFIX}/sbin/httpd
+TEST_ENV+= APACHE_MODULE_DIR=${PREFIX}/lib/httpd
+
+TEST_TARGET= check
+
+# We provide, via patch, a file that was missing in the upstream
+# distribution tarball (but included in git), and we have to make it
+# executable to run tests.
+post-patch: post-patch-fix-permissions
+post-patch-fix-permissions: .PHONY
+ @${STEP_MSG} Fixing permissions on missing file
+ ${RUN}cd ${WRKSRC} && ${CHMOD} +x tests/t_file_check.py
+
+# Requires GSSAPI credential store extensions.
+BUILDLINK_API_DEPENDS.heimdal+= heimdal>=7.99.1
+BUILDLINK_API_DEPENDS.mit-krb5+=mit-krb5>=1.11
+
+.include "../../devel/nss_wrapper/buildlink3.mk"
+.include "../../devel/socket_wrapper/buildlink3.mk"
+.include "../../lang/python/application.mk"
+.include "../../mk/apache.mk"
+.include "../../mk/krb5.buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
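Review bot: `CONFIGURE_ARGS+= CPPFLAGS=-I${KRB5BASE:Q}/include` hands CPPFLAGS to configure as a command-line argument, which replaces rather than extends the CPPFLAGS pkgsrc already exports to the configure script; the usual pkgsrc form is `CPPFLAGS+= -I${KRB5BASE}/include` in the Makefile so the buildlink flags survive. Separately, `BUILDLINK_API_DEPENDS.heimdal+= heimdal>=7.99.1` encodes the "not yet in a release" heimdal-dev requirement from the log message, but the comment above it only says "Requires GSSAPI credential store extensions"; name the heimdal-dev change there (or cite the credential-store wiki page from the log) so the next updater knows why the lower bound is not a released version.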
diff --git a/ap24-auth-gssapi/PLIST b/ap24-auth-gssapi/PLIST
new file mode 100644
index 0000000000..1b4d4a10a7
--- /dev/null
+++ b/ap24-auth-gssapi/PLIST
@@ -0,0 +1,2 @@
+@comment $NetBSD$
+lib/httpd/mod_auth_gssapi.so
diff --git a/ap24-auth-gssapi/distinfo b/ap24-auth-gssapi/distinfo
new file mode 100644
index 0000000000..75969c94d5
--- /dev/null
+++ b/ap24-auth-gssapi/distinfo
@@ -0,0 +1,12 @@
+$NetBSD$
+
+BLAKE2s (mod_auth_gssapi-1.6.5.tar.gz) = 5f03b2e7b46ffc17ed88b52a22f173c621ec83b29cda0c0f1999ccdcc05c70b5
+SHA512 (mod_auth_gssapi-1.6.5.tar.gz) = 97eb6dff90e686cd5d25c2925987bf51dbdf627720e74105204ec4625455255548414a03599cfd5a85734f5496f6a7b1f09760771a8278e8348e6ca35b6c48d0
+Size (mod_auth_gssapi-1.6.5.tar.gz) = 513260 bytes
+SHA1 (patch-configure.ac) = 5eed9d745c021f4b52916eb1c156a5e364fda0bb
+SHA1 (patch-src_mod__auth__gssapi.c) = 7d8181842dbb06faec5ea34faa84d4a2a80b41e8
+SHA1 (patch-src_mod__auth__gssapi.h) = 168109cfcfdbd71afe77a77d196e3bf0d1abcd61
+SHA1 (patch-tests_httpd.conf) = 6f5eadcf33e32311a49cd809fb04017fbb1355a4
+SHA1 (patch-tests_magtests.py) = 0e5beea9acd982a8a8d57bca4a6396f6d2517be5
+SHA1 (patch-tests_t__file__check.py) = b955529b5f8603d447df71a8dc3e3efd1fe86507
+SHA1 (patch-tests_t__mech__name.py) = 5eb8e37300d41e4eadbfdbf88eec3c2eebe73712
diff --git a/ap24-auth-gssapi/patches/patch-configure.ac b/ap24-auth-gssapi/patches/patch-configure.ac
new file mode 100644
index 0000000000..cb6445304f
--- /dev/null
+++ b/ap24-auth-gssapi/patches/patch-configure.ac
@@ -0,0 +1,62 @@
+$NetBSD$
+
+1. Fix shell portability.
+
+2. Use <gssapi/gssapi_ext.h> conditionally: mit-krb5 has it, heimdal
+ does not (even newer versions with the GSSAPI extensions).
+
+3. Use libgssapi, not libgssapi_krb5.
+
+4. Don't override caller's LIBTOOL.
+
+--- configure.ac.orig 2020-11-30 18:30:59.746815280 +0000
++++ configure.ac
+@@ -44,7 +44,7 @@ AC_TYPE_UINT32_T
+ AC_CHECK_FUNCS([strcasecmp])
+
+ AC_PATH_PROGS(APACHE, [apache2 httpd apache])
+-if test x"$APACHE" == x; then
++if test x"$APACHE" = x; then
+ AC_MSG_ERROR([Can't find the apache2/httpd executable!])
+ fi
+ chk="$(objdump -d "$APACHE" | grep ap_log_rdata)"
+@@ -97,8 +97,9 @@ AC_CHECK_FUNCS(EVP_CIPHER_CTX_new HMAC_C
+ LIBS=$save_LIBS
+
+ # GSSAPI availability and presence of specific functions
+-AC_CHECK_HEADERS([gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h],
++AC_CHECK_HEADERS([gssapi/gssapi.h gssapi/gssapi_krb5.h],
+ ,[AC_MSG_ERROR([Could not find GSSAPI headers])])
++AC_CHECK_HEADERS([gssapi/gssapi_ext.h])
+ AC_CHECK_HEADERS([gssapi/gssapi_ntlmssp.h])
+ AC_PATH_PROG(KRB5_CONFIG, krb5-config, failed)
+ if test x$KRB5_CONFIG = xfailed; then
+@@ -107,7 +108,7 @@ else
+ GSSAPI_CFLAGS="`$KRB5_CONFIG --cflags gssapi`"
+ GSSAPI_LIBS="`$KRB5_CONFIG --libs gssapi`"
+ fi
+-AC_CHECK_LIB([gssapi_krb5], [gss_accept_sec_context], [],
++AC_CHECK_LIB([gssapi], [gss_accept_sec_context], [],
+ [AC_MSG_ERROR([GSSAPI library check failed])])
+ AC_CHECK_FUNCS(gss_krb5_ccache_name, [],
+ [AC_MSG_ERROR([gss_krb5_ccache_name() not found])])
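Review bot: `AC_CHECK_LIB([gssapi], [gss_accept_sec_context], ...)` hard-wires a library name just as the original hard-wired gssapi_krb5, while the Makefile accepts both heimdal and mit-krb5; a mit-krb5 installation that ships only libgssapi_krb5 will now fail this check with "GSSAPI library check failed". Since `GSSAPI_LIBS` has just been obtained from `krb5-config --libs gssapi` a few lines above, the portable form is to test against that (`save_LIBS=$LIBS; LIBS="$GSSAPI_LIBS $LIBS"` then `AC_CHECK_FUNC([gss_accept_sec_context], ...)`), or `AC_SEARCH_LIBS([gss_accept_sec_context], [gssapi gssapi_krb5], ...)` so neither name is assumed.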
+@@ -115,13 +116,18 @@ AC_CHECK_FUNCS(gss_acquire_cred_with_pas
+ [AC_MSG_ERROR([gss_acquire_with_password() not found])])
+ AC_CHECK_FUNCS(gss_acquire_cred_from)
+ AC_CHECK_FUNCS(gss_store_cred_into)
++AC_CHECK_FUNCS(gss_set_neg_mechs)
++AC_CHECK_FUNCS(gss_str_to_oid)
++AC_CHECK_FUNCS(gss_mech_krb5_old)
++AC_CHECK_FUNCS(gss_mech_krb5_wrong)
++AC_CHECK_FUNCS(gss_mech_iakerb)
+
+ AC_SUBST([GSSAPI_CFLAGS])
+ AC_SUBST([GSSAPI_LIBS])
+
+ MAG_CFLAGS="`${APXS} -q CFLAGS` `${APXS} -q EXTRA_CPPFLAGS` `${APR} --cflags` ${GSSAPI_CFLAGS} ${OPENSSL_CFLAGS} -I`${APXS} -q INCLUDEDIR` `${APR} --includes` -fPIC"
+ MAG_LIBS="`${APR} --libs` ${GSSAPI_LIBS} ${OPENSSL_LIBS}"
+-LIBTOOL="`${APXS} -q LIBTOOL`"
++: ${LIBTOOL:=`${APXS} -q LIBTOOL`}
+
+ AC_SUBST([MAG_CFLAGS])
+ AC_SUBST([MAG_LIBS])
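Review bot: `AC_CHECK_FUNCS(gss_mech_krb5_old)`, `gss_mech_krb5_wrong` and `gss_mech_iakerb` are applied to data symbols (gss_OID constants), not functions. AC_CHECK_FUNCS links a call through the name, which happens to resolve when the symbol exists but is not a valid test of the declaration and can be rejected by a toolchain that refuses to call a data object. `AC_CHECK_DECLS([gss_mech_krb5_old, gss_mech_krb5_wrong, gss_mech_iakerb], [], [], [[#include <gssapi/gssapi_krb5.h>]])` tests what mod_auth_gssapi.c actually needs; it defines HAVE_DECL_* (always, to 0 or 1) rather than HAVE_*, so the `#ifndef HAVE_GSS_MECH_*` guards in patch-src_mod__auth__gssapi.c would become `#if !HAVE_DECL_GSS_MECH_*` to match.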
diff --git a/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.c b/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.c
new file mode 100644
index 0000000000..eed037d886
--- /dev/null
+++ b/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.c
@@ -0,0 +1,54 @@
+$NetBSD$
+
+1. Provide definitions of older GSSAPI OIDs not in Heimdal.
+
+2. Conditionalize use of gss_set_neg_mechs and gss_str_to_oid APIs.
+
+--- src/mod_auth_gssapi.c.orig 2022-08-29 10:27:33.722115054 +0000
++++ src/mod_auth_gssapi.c
+@@ -440,6 +440,21 @@ const char *mag_str_auth_type(int auth_t
+ return auth_types[auth_type];
+ }
+
++#ifndef HAVE_GSS_MECH_KRB5_OLD
++static const gss_const_OID gss_mech_krb5_old =
++ &(const gss_OID_desc){5, "\053\005\001\005\002"};
++#endif
++
++#ifndef HAVE_GSS_MECH_KRB5_WRONG
++static const gss_const_OID gss_mech_krb5_wrong =
++ &(const gss_OID_desc){9, "\052\206\110\202\367\022\001\002\002"};
++#endif
++
++#ifndef HAVE_GSS_MECH_IAKERB
++static const gss_const_OID gss_mech_iakerb =
++ &(const gss_OID_desc){6, "\053\006\001\005\002\005"};
++#endif
++
+ gss_OID_set mag_filter_unwanted_mechs(gss_OID_set src)
+ {
+ gss_const_OID unwanted_mechs[] = {
+@@ -1228,7 +1243,11 @@ static int mag_auth(request_rec *req)
+
+ if (auth_type == AUTH_TYPE_NEGOTIATE &&
+ cfg->allowed_mechs != GSS_C_NO_OID_SET) {
++#ifdef HAVE_GSS_SET_NEG_MECHS
+ maj = gss_set_neg_mechs(&min, acquired_cred, cfg->allowed_mechs);
++#else
++ maj = GSS_S_UNAVAILABLE;
++#endif
+ if (GSS_ERROR(maj)) {
+ mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
+ "In Negotiate Auth: gss_set_neg_mechs() failed");
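Review bot: in the `#else` branch `maj = GSS_S_UNAVAILABLE;` leaves `min` unset, and the error path two lines below passes both to `mag_post_error(req, cfg, MAG_GSS_ERR, maj, min, ...)`, so the logged minor status is whatever `min` held before; add `min = 0;` beside it. Failing closed here is the right call (an administrator who restricted `cfg->allowed_mechs` should not silently get unrestricted negotiation), but on a library without gss_set_neg_mechs every Negotiate request now fails with a message claiming gss_set_neg_mechs() failed. Better to reject the directive that fills `cfg->allowed_mechs` when it is parsed, or log once at startup that this GSSAPI cannot enforce it, so the misconfiguration surfaces at httpd start rather than on each request.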
+@@ -1784,7 +1803,11 @@ static bool mag_list_of_mechs(cmd_parms
+ } else {
+ buf.value = discard_const(w);
+ buf.length = strlen(w);
++#ifdef HAVE_GSS_STR_TO_OID
+ maj = gss_str_to_oid(&min, &buf, &oid);
++#else
++ maj = GSS_S_UNAVAILABLE;
++#endif
+ if (maj != GSS_S_COMPLETE) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+ "Unrecognized GSSAPI Mechanism: [%s]", w);
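Review bot: same pattern as the previous hunk, `maj = GSS_S_UNAVAILABLE;` with `min` left unset; harmless here because the error path only logs `w`, but set it for consistency. With gss_str_to_oid unavailable, any mechanism written as an OID string is rejected as "Unrecognized GSSAPI Mechanism", which is correct fail-closed behaviour; say so in the patch header so a Heimdal user knows to use only the keyword form handled by the `if` branch above this `else`.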
diff --git a/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.h b/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.h
new file mode 100644
index 0000000000..d84f889808
--- /dev/null
+++ b/ap24-auth-gssapi/patches/patch-src_mod__auth__gssapi.h
@@ -0,0 +1,17 @@
+$NetBSD$
+
+Use <gssapi/gssapi_ext.h> conditionally: mit-krb5 has it, heimdal does
+not (even newer versions with the GSSAPI extensions).
+
+--- src/mod_auth_gssapi.h.orig 2020-11-30 18:30:59.758815269 +0000
++++ src/mod_auth_gssapi.h
+@@ -30,7 +30,9 @@
+ #include "config.h"
+
+ #include <gssapi/gssapi.h>
++#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
+ #include <gssapi/gssapi_ext.h>
++#endif
+ #include <gssapi/gssapi_krb5.h>
+ #ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H
+ # include <gssapi/gssapi_ntlmssp.h>
diff --git a/ap24-auth-gssapi/patches/patch-tests_httpd.conf b/ap24-auth-gssapi/patches/patch-tests_httpd.conf
new file mode 100644
index 0000000000..84db5e2119
--- /dev/null
+++ b/ap24-auth-gssapi/patches/patch-tests_httpd.conf
@@ -0,0 +1,67 @@
+$NetBSD$
+
+1. Don't load mod_suexec.so, which we don't need and which is optional
+ in the pkgsrc www/apache24 build.
+
+2. Use a ./-relative path for mod_auth_gssapi.so; otherwise Apache
+ doesn't try the working directory (under some circumstances,
+ perhaps) and fails to load it.
+
+3. Use a local mime.types so we don't need to pull in more deps.
+
+4. Set GssapiAcceptorName as needed; otherwise Heimdal doesn't find any
+ credentials.
+
+--- tests/httpd.conf.orig 2020-11-30 18:30:59.759815268 +0000
++++ tests/httpd.conf
+@@ -61,7 +61,7 @@ LoadModule socache_memcache_module modul
+ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+ LoadModule status_module modules/mod_status.so
+ LoadModule substitute_module modules/mod_substitute.so
+-LoadModule suexec_module modules/mod_suexec.so
++#LoadModule suexec_module modules/mod_suexec.so
+ LoadModule unique_id_module modules/mod_unique_id.so
+ <IfModule !unixd_module>
+ LoadModule unixd_module modules/mod_unixd.so
+@@ -75,7 +75,7 @@ LoadModule mpm_prefork_module modules/mo
+ LoadModule proxy_module modules/mod_proxy.so
+ LoadModule proxy_http_module modules/mod_proxy_http.so
+
+-LoadModule auth_gssapi_module mod_auth_gssapi.so
++LoadModule auth_gssapi_module ./mod_auth_gssapi.so
+
+ Mutex file:{HTTPROOT}
+
+@@ -120,7 +120,7 @@ ErrorLog "logs/error_log"
+ LogLevel debug
+
+ <IfModule mime_module>
+- TypesConfig /etc/mime.types
++ TypesConfig ./mime.types
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+ AddType text/html .shtml
+@@ -194,6 +194,7 @@ CoreDumpDirectory "{HTTPROOT}"
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
++ GssapiAcceptorName {{HOSTNAME}}
+ GssapiBasicAuth On
+ GssapiBasicAuthMech krb5
+ GssapiConnectionBound On
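Review bot: `GssapiAcceptorName {{HOSTNAME}}` reads like an unexpanded template variable. Because tests/httpd.conf is passed through str.format() in magtests.py (`f.read().format(HTTPROOT=httpdir, HTTPNAME=WRAP_HOSTNAME, ...)`), the doubled braces are an escape and the file Apache loads contains the literal `{HOSTNAME}`, which mod_auth_gssapi treats as "derive the acceptor name from the host the request was addressed to". Header item 4 only says "as needed"; spell out that the braces are intentional. That also means the acceptor principal is chosen per request from the client-supplied host name; fine for a test keytab holding only HTTP/kdc.mag.dev and HTTP/alias.mag.dev, not something to copy into a production vhost without pinning the name. The same applies to the two hunks that follow.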
+@@ -312,6 +313,7 @@ CoreDumpDirectory "{HTTPROOT}"
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
++ GssapiAcceptorName {{HOSTNAME}}
+ GssapiBasicAuth On
+ Require valid-user
+ </Proxy>
+@@ -356,6 +358,7 @@ CoreDumpDirectory "{HTTPROOT}"
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
++ GssapiAcceptorName {{HOSTNAME}}
+ GssapiBasicAuth On
+ GssapiBasicAuthMech krb5
+ GssapiPublishMech On
diff --git a/ap24-auth-gssapi/patches/patch-tests_magtests.py b/ap24-auth-gssapi/patches/patch-tests_magtests.py
new file mode 100644
index 0000000000..0367362748
--- /dev/null
+++ b/ap24-auth-gssapi/patches/patch-tests_magtests.py
@@ -0,0 +1,264 @@
+$NetBSD$
+
+1. Handle Heimdal.
+
+2. Provide a way to give paths to LD_PRELOAD libraries; NetBSD
+ ld.elf_so requires this and does not search relative to rpath or
+ LD_LIBRARY_PATH.
+
+3. Set Heimdal krb5.conf parameters for KDC database.
+
+4. Set Heimdal pidfile directory and support Heimdal KDC creation.
+
+5. Support Heimdal kadmin setup.
+
+6. Let the environment provide the Apache module directory.
+
+6. Create a simple mime.types to avoid reliance on any external one.
+
+7. Let the environment provide the Apache executable.
+
+8-9. Use a temporary directory (typically under /tmp with a short path)
+ to avoid overlong socket paths in pkgsrc workdirs.
+
+9. Fail if any test file didn't exist. (The distribution tarball is
+ missing t_file_check.py, but the tests wrongly passed without it.)
+
+--- tests/magtests.py.orig 2020-11-30 18:30:59.759815268 +0000
++++ tests/magtests.py
+@@ -30,6 +30,9 @@ def parse_args():
+ return vars(parser.parse_args())
+
+
++HEIMDAL = os.getenv('KRB5_TYPE', None) == 'heimdal'
++
++
+ WRAP_HOSTNAME = "kdc.mag.dev"
+ WRAP_ALIASNAME = "alias.mag.dev"
+ WRAP_FAILNAME = "fail.mag.dev"
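Review bot: the patch header numbers two items "6." and then "8-9." followed by "9."; renumber 1 to 10 so the items can be referenced from the other patches. On the hunk: `HEIMDAL = os.getenv('KRB5_TYPE', None) == 'heimdal'` (the `None` default is redundant) silently selects the MIT code paths, kdb5_util and kadmin.local, whenever KRB5_TYPE is unset. The Makefile always exports it, so pkgsrc is fine, but anyone running the tests by hand gets an obscure "command not found" instead of a clear error; raising when KRB5_TYPE is not one of 'heimdal' or 'mit-krb5' would fail loudly.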
+@@ -67,7 +70,9 @@ def setup_wrappers(base):
+ f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh')
+ f.write('timeoutusr:x:4:4:timeoutusr:/timeoutusr:/bin/sh')
+
+- wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
++ ld_preload_prefix = os.getenv('LD_PRELOAD_PREFIX', '')
++ wenv = {'LD_PRELOAD': '%slibsocket_wrapper.so %slibnss_wrapper.so' %
++ (ld_preload_prefix, ld_preload_prefix),
+ 'SOCKET_WRAPPER_DIR': wrapdir,
+ 'SOCKET_WRAPPER_DEFAULT_IFACE': '9',
+ 'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
+@@ -111,6 +116,12 @@ KRB5_CONF_TEMPLATE = '''
+ {TESTREALM} = {{
+ database_name = {KDCDIR}/{KDC_DBNAME}
+ }}
++
++[kdc]
++ database = {{
++ dbname = {KDCDIR}/{KDC_DBNAME}
++ acl_file = {KDCDIR}/kadmind.acl
++ }}
+ '''
+ KDC_CONF_TEMPLATE = '''
+ [kdcdefaults]
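Review bot: the new `[kdc]` stanza is Heimdal-specific but is emitted into krb5.conf for both implementations; MIT ignores the unknown section, so it is harmless, but a comment saying which implementation reads it would help. `acl_file = {KDCDIR}/kadmind.acl` names a file that nothing in this patch creates; the local `kadmin -l` used below does not consult it, so either drop the line or note that it is intentionally absent.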
+@@ -326,29 +337,60 @@ def setup_kdc(testdir, wrapenv):
+ 'KRB5_CONFIG': krb5conf,
+ 'KRB5_KDC_PROFILE': kdcconf,
+ 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'),
++ 'HEIM_PIDFILE_DIR': os.path.join(testdir, ''),
+ })
+
+ logfile = open(testlog, 'a')
+- ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
+- "-r", TESTREALM, "-P", KDC_PASSWORD],
+- stdout=logfile, stderr=logfile,
+- env=kdcenv, preexec_fn=os.setsid)
+- ksetup.wait()
+- if ksetup.returncode != 0:
+- raise ValueError('KDC Setup failed')
+
+- setup_test_certs(testdir, kdcenv, logfile)
++ if HEIMDAL:
++ ksetup = subprocess.Popen(['kadmin', '-c', krb5conf, '-l',
++ 'init',
++ '--realm-max-ticket-life=unlimited',
++ '--realm-max-renewable-life=unlimited',
++ TESTREALM],
++ stdin=subprocess.DEVNULL,
++ stdout=logfile, stderr=logfile,
++ env=kdcenv, preexec_fn=os.setsid)
++ ksetup.wait()
++ if ksetup.returncode != 0:
++ raise ValueError('KDC setup failed logfile=%r' % (logfile,))
++
++ setup_test_certs(testdir, kdcenv, logfile)
++
++ kdcproc = subprocess.Popen(['kdc',
++ '--config-file=' + kdcconf,
++ '--addresses=' + WRAP_IPADDR],
++ stdout=logfile, stderr=logfile,
++ env=kdcenv, preexec_fn=os.setsid)
++
++ else:
++ ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s",
++ "-r", TESTREALM, "-P", KDC_PASSWORD],
++ stdout=logfile, stderr=logfile,
++ env=kdcenv, preexec_fn=os.setsid)
++ ksetup.wait()
++ if ksetup.returncode != 0:
++ raise ValueError('KDC Setup failed logfile=%r' % (logfile,))
++
++ setup_test_certs(testdir, kdcenv, logfile)
++
++ kdcproc = subprocess.Popen(['krb5kdc', '-n'],
++ stdout=logfile, stderr=logfile,
++ env=kdcenv, preexec_fn=os.setsid)
+
+- kdcproc = subprocess.Popen(['krb5kdc', '-n'],
+- stdout=logfile, stderr=logfile,
+- env=kdcenv, preexec_fn=os.setsid)
+ return kdcproc, kdcenv
+
+
+ def kadmin_local(cmd, env, logfile):
+- ksetup = subprocess.Popen(["kadmin.local", "-q", cmd],
+- stdout=logfile, stderr=logfile,
+- env=env, preexec_fn=os.setsid)
++ if HEIMDAL:
++ ksetup = subprocess.Popen(["sh", "-c", "exec kadmin -l %s" % (cmd,)],
++ stdin=subprocess.DEVNULL,
++ stdout=logfile, stderr=logfile,
++ env=env, preexec_fn=os.setsid)
++ else:
++ ksetup = subprocess.Popen(["kadmin.local", "-q", cmd],
++ stdout=logfile, stderr=logfile,
++ env=env, preexec_fn=os.setsid)
+ ksetup.wait()
+ if ksetup.returncode != 0:
+ raise ValueError('Kadmin local [%s] failed' % cmd)
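Review bot: `["sh", "-c", "exec kadmin -l %s" % (cmd,)]` runs the command string through a shell, so the principal passwords that setup_keys interpolates into cmd (`add --password=%s ...`) are subject to word splitting and metacharacter expansion; a password containing `$`, `'` or a space would break or be altered. `["kadmin", "-l"] + shlex.split(cmd)` keeps the same interface as the MIT branch without a shell. (Both branches already expose the password in the process arguments, visible in ps, which is an existing limitation of the harness rather than something this patch introduces.) In setup_kdc, `ValueError('KDC setup failed logfile=%r' % (logfile,))` formats the open file object rather than its path; `logfile.name` is what the reader wants. The two branches also duplicate the `setup_test_certs` call and the KDC spawn; hoisting `setup_test_certs` out of the if/else and only the argv differences inside would shrink it, and the MIT `kdb5_util` call should get the same `stdin=subprocess.DEVNULL` as the Heimdal one so a prompt can never hang the run.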
+@@ -369,31 +411,53 @@ def setup_keys(tesdir, env):
+ logfile = open(testlog, 'a')
+
+ svc_name = "HTTP/%s" % WRAP_HOSTNAME
+- cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, svc_name)
++ if HEIMDAL:
++ cmd = "add --random-key --use-defaults %s" % (svc_name,)
++ else:
++ cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, svc_name)
+ kadmin_local(cmd, env, logfile)
+
+ svc_keytab = os.path.join(testdir, SVC_KTNAME)
+- cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, svc_name)
++ if HEIMDAL:
++ cmd = "ext_keytab --keytab=%s %s" % (svc_keytab, svc_name)
++ else:
++ cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, svc_name)
+ kadmin_local(cmd, env, logfile)
+
+- cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME)
++ if HEIMDAL:
++ cmd = "add --password=%s --use-defaults %s" % (USR_PWD, USR_NAME)
++ else:
++ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME)
+ kadmin_local(cmd, env, logfile)
+
+- cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
++ if HEIMDAL:
++ cmd = "add --password=%s --use-defaults %s" % (USR_PWD_2, USR_NAME_2)
++ else:
++ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
+ kadmin_local(cmd, env, logfile)
+
+- cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4)
++ if HEIMDAL:
++ cmd = "add --password=%s --use-defaults %s" % (USR_PWD, USR_NAME_4)
++ else:
++ cmd = "addprinc -pw %s -e %s %s" % (USR_PWD, KEY_TYPE, USR_NAME_4)
+ kadmin_local(cmd, env, logfile)
+
+ # alias for multinamed hosts testing
+ alias_name = "HTTP/%s" % WRAP_ALIASNAME
+- cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
++ if HEIMDAL:
++ cmd = "add --random-key --use-defaults %s" % (alias_name,)
++ else:
++ cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
+ kadmin_local(cmd, env, logfile)
+- cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, alias_name)
++ if HEIMDAL:
++ cmd = "ext_keytab --keytab=%s %s" % (svc_keytab, alias_name)
++ else:
++ cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, alias_name)
+ kadmin_local(cmd, env, logfile)
+
+- cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
+- kadmin_local(cmd, env, logfile)
++ if not HEIMDAL: # XXX HEIMDAL PKINIT
++ cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3)
++ kadmin_local(cmd, env, logfile)
+
+ keys_env = env.copy()
+ keys_env.update({
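Review bot: the `if HEIMDAL:` / `else:` pair is repeated six times; a small helper mapping the three operations (add principal with random key, add with password, export keytab) to the two dialects would make this hunk readable. Two behaviour differences belong in the patch header rather than in an `# XXX HEIMDAL PKINIT` aside: the Heimdal `add --use-defaults` calls do not restrict enctypes to KEY_TYPE as the MIT `-e %s` calls do, so the two implementations are tested with different key types, and USR_NAME_3 is never created under Heimdal, so whatever test uses that principal runs against a missing principal or is skipped without a message.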
+@@ -413,16 +477,16 @@ def setup_http(testdir, so_dir, wrapenv)
+ httpdstdlog = os.path.join(testdir, 'httpd.stdlog')
+
+ distro = "Fedora"
+- moddir = "/etc/httpd/modules"
+- if not os.path.exists(moddir):
+- distro = "Debian"
+- moddir = "/usr/lib/apache2/modules"
++ moddir = os.getenv('APACHE_MODULE_DIR')
+ if not os.path.exists(moddir):
+ raise ValueError("Could not find Apache module directory!")
+ os.symlink(moddir, os.path.join(httpdir, 'modules'))
+
+ shutil.copy('%s/mod_auth_gssapi.so' % so_dir, httpdir)
+
++ with open(os.path.join(httpdir, 'mime.types'), 'w') as f:
++ f.write('text/html\thtml\n')
++
+ with open('tests/httpd.conf') as f:
+ text = f.read().format(HTTPROOT=httpdir,
+ HTTPNAME=WRAP_HOSTNAME,
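Review bot: `moddir = os.getenv('APACHE_MODULE_DIR')` is None when the variable is unset, and `os.path.exists(None)` raises TypeError before the "Could not find Apache module directory!" ValueError is reached; check for None first (or keep the old distro directories as the default). With the distro probe removed, `distro` is now always "Fedora" and only feeds the `httpd`/`apache2` choice further down, which the next hunk overrides from APACHE_HTTPD anyway, so the variable can go.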
+@@ -444,6 +508,7 @@ def setup_http(testdir, so_dir, wrapenv)
+ })
+
+ httpd = "httpd" if distro == "Fedora" else "apache2"
++ httpd = os.getenv('APACHE_HTTPD', httpd)
+ log = open(httpdstdlog, 'a')
+ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+ stdout=log, stderr=log,
+@@ -790,6 +855,7 @@ def http_restart(testdir, so_dir, testen
+ })
+
+ httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
++ httpd = os.getenv('APACHE_HTTPD', httpd)
+ config = os.path.join(testdir, 'httpd', 'httpd.conf')
+ log = open(os.path.join(testdir, 'httpd.stdlog'), 'a')
+ httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+@@ -845,6 +911,11 @@ if __name__ == '__main__':
+ errs = -1
+
+ try:
++ import tempfile
++ with tempfile.TemporaryDirectory(prefix='mod_auth_gssapi.') as tempdir:
++ otestdir = testdir
++ testdir = tempdir
++ try:
+ # prepare environment for tests
+ wrapenv = apply_venv(setup_wrappers(testdir))
+
+@@ -920,9 +991,14 @@ if __name__ == '__main__':
+ errs += test_basic_auth_timeout(testdir, timeenv, logfile)
+ except NotImplementedError:
+ sys.stderr.write('BASIC Timeout Behavior: SKIPPED\n')
++ finally:
++ shutil.rmtree(os.path.join(tempdir, 'wrapdir'))
++ shutil.copytree(tempdir, otestdir, symlinks=True, dirs_exist_ok=True)
++ testdir = otestdir
+
+ except Exception:
+ traceback.print_exc()
++ errs += 1
+ finally:
+ for name in processes:
+ logfile.write("Killing %s\n" % name)
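Review bot: `errs += 1` in the except path is meant to turn an unhandled exception into a failing exit, but `errs` starts at -1 (`errs = -1` a few lines above); if the exception fires before any test has updated it, -1 + 1 == 0 and the run exits as a success. Use `errs = max(errs, 0) + 1`, or simply set a non-zero value, there. Ordering in the new `finally`: the copy back to `otestdir` and the TemporaryDirectory cleanup both run before the outer `finally` kills httpd and the KDC, so those processes lose their working directory while still alive and anything they log after the copy is lost; kill the processes first, then copy.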
diff --git a/ap24-auth-gssapi/patches/patch-tests_t__file__check.py b/ap24-auth-gssapi/patches/patch-tests_t__file__check.py
new file mode 100644
index 0000000000..9e4b87ec71
--- /dev/null
+++ b/ap24-auth-gssapi/patches/patch-tests_t__file__check.py
@@ -0,0 +1,22 @@
+$NetBSD$
+
+Missing file, content found from upstream git.
+
+--- tests/t_file_check.py.orig 2025-09-06 17:50:47.497707732 +0000
++++ tests/t_file_check.py
+@@ -0,0 +1,15 @@
++#!/usr/bin/env python3
++# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
++
++import os
++
++import requests
++from requests.auth import HTTPBasicAuth
++
++
++if __name__ == '__main__':
++ url = 'http://%s/keytab_file_check/' % os.environ['NSS_WRAPPER_HOSTNAME']
++ r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'],
++ os.environ['MAG_USER_PASSWORD']))
++ if r.status_code != 200:
++ raise ValueError('Basic Auth Failed(Keytab File Check)')
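Review bot: the header says the content was "found from upstream git" but not where; record the upstream commit or tag the file was taken from, since distinfo only checksums the patch and a future update cannot otherwise tell whether this copy still matches upstream.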
diff --git a/ap24-auth-gssapi/patches/patch-tests_t__mech__name.py b/ap24-auth-gssapi/patches/patch-tests_t__mech__name.py
new file mode 100644
index 0000000000..58a3dbbb38
--- /dev/null
+++ b/ap24-auth-gssapi/patches/patch-tests_t__mech__name.py
@@ -0,0 +1,18 @@
+$NetBSD$
+
+Accept disagreement between mit-krb5 and heimdal of case in
+human-readable short mechanism name from gss_inquire_saslname_for_mech.
+
+--- tests/t_mech_name.py.orig 2020-11-30 18:30:59.760815267 +0000
++++ tests/t_mech_name.py
+@@ -13,7 +13,9 @@ if __name__ == '__main__':
+ if r.status_code != 200:
+ raise ValueError('Basic Auth Failed')
+
+- if r.text.rstrip() != 'Basic/krb5':
++ # mit-krb5 returns `krb5'; heimdal returns `KRB5' -- maybe this
++ # should use the SASL name, which is formally registered with IANA
++ if r.text.rstrip().casefold() != 'basic/krb5':
+ raise ValueError(
+ 'GSS_MECH check failed, expected Basic/krb5, got "%s"' %
+ r.text.rstrip())