From 0dbf450a49784e2a750c667824e0e0249be575e4 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 27 Apr 2022 18:18:22 +0200 Subject: [PATCH] Add test for gss_localname Backport test for gss_localname implemented upstream by Simo --- tests/httpd.conf | 13 ++++++++++ tests/localname.html | 1 + tests/magtests.py | 47 ++++++++++++++++++++++++++++++++- tests/t_localname.py | 62 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 122 insertions(+), 1 deletion(-) create mode 100644 tests/localname.html create mode 100755 tests/t_localname.py diff --git a/tests/httpd.conf b/tests/httpd.conf index f76f2b671e02515e6d4effe09ab123dace90c023..b3777574d9f0547560f24eff992fc1018569b5cc 100644 --- a/tests/httpd.conf +++ b/tests/httpd.conf @@ -274,6 +274,19 @@ CoreDumpDirectory "{HTTPROOT}" Require valid-user + + AuthType GSSAPI + AuthName "Login" + GssapiSSLonly Off + GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache + GssapiCredStore client_keytab:{HTTPROOT}/http.keytab + GssapiCredStore keytab:{HTTPROOT}/http.keytab + GssapiBasicAuth Off + GssapiAllowedMech krb5 + GssapiLocalName On + Require valid-user + + ProxyRequests On ProxyVia On diff --git a/tests/localname.html b/tests/localname.html new file mode 100644 index 0000000000000000000000000000000000000000..abf7c507de1eb32b31b882502eed5f2bbcc5fbf3 --- /dev/null +++ b/tests/localname.html @@ -0,0 +1 @@ + diff --git a/tests/magtests.py b/tests/magtests.py index d0f0a67f075c6b631926e9abd91a665973d90f4a..d100413b371e7ecf4e09d944b7ff6e9bec7e316f 100755 --- a/tests/magtests.py +++ b/tests/magtests.py 
@@ -58,12 +58,20 @@ def setup_wrappers(base): f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME)) f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME)) + passwd_file = os.path.join(testdir, 'passwd') + with open(passwd_file, 'w+') as f: + f.write('root:x:0:0:root:/root:/bin/sh') + f.write('maguser:x:1:1:maguser:/maguser:/bin/sh') + f.write('maguser2:x:2:2:maguser2:/maguser2:/bin/sh') + f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh') + wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so', 'SOCKET_WRAPPER_DIR': wrapdir, 'SOCKET_WRAPPER_DEFAULT_IFACE': '9', 'WRAP_PROXY_PORT': WRAP_PROXY_PORT, 'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME, - 'NSS_WRAPPER_HOSTS': hosts_file} + 'NSS_WRAPPER_HOSTS': hosts_file, + 'NSS_WRAPPER_PASSWD': passwd_file} return wenv @@ -744,6 +752,40 @@ def http_restart(testdir, so_dir, testenv): return httpproc +def test_gss_localname(testdir, testenv, logfile): + hdir = os.path.join(testdir, 'httpd', 'html', 'gss_localname') + os.mkdir(hdir) + shutil.copy('tests/localname.html', os.path.join(hdir, 'index.html')) + error_count = 0 + + # Make sure spnego is explicitly tested + spnego = subprocess.Popen(["tests/t_localname.py", "SPNEGO"], + stdout=logfile, stderr=logfile, + env=testenv, preexec_fn=os.setsid) + spnego.wait() + if spnego.returncode != 0: + sys.stderr.write('LOCALNAME(SPNEGO): FAILED\n') + error_count += 1 + else: + sys.stderr.write('LOCALNAME(SPNEGO): SUCCESS\n') + + # and bare krb5 (GS2-KRB5 is the name used by SASL for it) + krb5 = subprocess.Popen(["tests/t_localname.py", "GS2-KRB5"], + stdout=logfile, stderr=logfile, + env=testenv, preexec_fn=os.setsid) + krb5.wait() + if krb5.returncode != 0: + if krb5.returncode == 42: + sys.stderr.write('LOCALNAME(KRB5): SKIPPED\n') + else: + sys.stderr.write('LOCALNAME(KRB5): FAILED\n') + error_count += 1 + else: + sys.stderr.write('LOCALNAME(KRB5): SUCCESS\n') + + return error_count + + if __name__ == '__main__': args = parse_args() 
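Review bot: The four passwd entries added to setup_wrappers are written without a trailing newline, unlike the hosts entries just above them, so the nss_wrapper passwd file ends up as one concatenated record (`root:x:0:0:root:/root:/bin/shmaguser:x:1:1:...`) and none of the maguser accounts is resolvable through NSS_WRAPPER_PASSWD; append `\n` to each write, e.g. `f.write('maguser:x:1:1:maguser:/maguser:/bin/sh\n')`. Whether the localname test still passes with the broken fixture depends on whether the krb5 localname mapping consults the passwd database at all, which this hunk does not show; the fixture is wrong as written either way. A one-line comment on why the file exists, `# nss_wrapper passwd so the local names produced by gss_localname resolve`, would also help the next reader.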
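Review bot: The SPNEGO and KRB5 runs in test_gss_localname are the same ten lines twice, differing only in the mech argument and the label, and only the second one honours the script's exit-code-42 skip sentinel, so a SPNEGO run that exits 42 would be counted as FAILED. A loop over (mech, label) pairs with a single result classification removes the duplication and treats 42 uniformly; the one behavioural difference is that a 42 from the SPNEGO run is then reported as SKIPPED, which matches what t_localname.py means by it. A short docstring saying that the helper runs tests/t_localname.py once per mechanism, that the script compares REMOTE_USER with MAG_REMOTE_USER, and that exit status 42 means "skipped" would make the magic number discoverable. The hunk uses `shutil` but does not show whether magtests.py already imports it.
```python
def test_gss_localname(testdir, testenv, logfile):
    # … unchanged: html dir setup and copy of tests/localname.html …
    error_count = 0
    # SPNEGO is tested explicitly; GS2-KRB5 is the SASL name for bare krb5.
    # t_localname.py exits 42 when the installed requests cannot run a case.
    for mech, label in (('SPNEGO', 'SPNEGO'), ('GS2-KRB5', 'KRB5')):
        proc = subprocess.Popen(["tests/t_localname.py", mech],
                                stdout=logfile, stderr=logfile,
                                env=testenv, preexec_fn=os.setsid)
        proc.wait()
        if proc.returncode == 0:
            sys.stderr.write('LOCALNAME(%s): SUCCESS\n' % label)
        elif proc.returncode == 42:
            sys.stderr.write('LOCALNAME(%s): SKIPPED\n' % label)
        else:
            sys.stderr.write('LOCALNAME(%s): FAILED\n' % label)
            error_count += 1
    return error_count
```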
@@ -781,6 +823,9 @@ if __name__ == '__main__': errs += test_bad_acceptor_name(testdir, testenv, logfile) + testenv['MAG_REMOTE_USER'] = USR_NAME + errs += test_gss_localname(testdir, testenv, logfile) + rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so" deb_path = "/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so" if os.path.exists(rpm_path) or os.path.exists(deb_path): diff --git a/tests/t_localname.py b/tests/t_localname.py new file mode 100755 index 0000000000000000000000000000000000000000..e990762c42aa9b370ac71292b5019fc63622c240 --- /dev/null +++ b/tests/t_localname.py 
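Review bot: `testenv['MAG_REMOTE_USER'] = USR_NAME` mutates the shared environment dict in place, so the variable stays set for the pkinit run and every later test in this `__main__` block, which continues past the hunk. Only t_localname.py reads it, so pass a per-test copy instead, `errs += test_gss_localname(testdir, dict(testenv, MAG_REMOTE_USER=USR_NAME), logfile)`, or leave a comment stating that the leak is intentional. The expectation that the mapped local name equals USR_NAME presumably relies on krb5's default auth_to_local handling of a principal in the default realm; a one-line comment recording that assumption, `# gss_localname is expected to strip the realm, leaving the bare user name`, would save the next reader a trip into the KDC setup.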
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+import subprocess
+import sys
+
+import gssapi
+
+import requests
+
+from requests_gssapi import HTTPSPNEGOAuth
+
+
+def use_requests(auth):
+ sess = requests.Session()
+ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
+
+ r = sess.get(url, auth=auth)
+ if r.status_code != 200:
+ raise ValueError('Localname failed')
+
+ if r.text.rstrip() != os.environ['MAG_REMOTE_USER']:
+ raise ValueError('Localname, REMOTE_USER check failed')
+
+
+def use_curl():
+ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
+ curl = subprocess.Popen(["curl", "--negotiate", "-u:", url],
+ stdout=subprocess.PIPE)
+ curl.wait()
+ if curl.returncode != 0:
+ raise ValueError('Localname failed')
+
+ line = curl.stdout.read().strip(b' \t\n\r').decode('utf-8')
+ if line != os.environ['MAG_REMOTE_USER']:
+ raise ValueError('Localname, REMOTE_USER check failed (%s != %s)' % (
+ line, os.environ['MAG_REMOTE_USER']))
+
+
+if __name__ == '__main__':
+ mech_name = None
+ if len(sys.argv) > 1:
+ mech_name = sys.argv[1]
+
+ mech = None
+ if mech_name is not None:
+ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
+
+ try:
+ auth = HTTPSPNEGOAuth(mech=mech)
+ use_requests(auth)
+ except TypeError:
+ # odler version of requests that does not support mechs
+ if mech_name == 'SPNEGO':
+ use_curl()
+ elif mech_name == 'GS2-KRB5':
+ # older request versions use krb5 as the mech by default
+ auth = HTTPSPNEGOAuth()
+ use_requests(auth)
+ else:
+ sys.exit(42) # SKIP
-- 
2.35.1
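Review bot: In the `__main__` block the `try` wraps both `HTTPSPNEGOAuth(mech=mech)` and `use_requests(auth)`, so a TypeError raised anywhere inside the HTTP round trip is misread as "requests_gssapi too old for mech=" and the case is silently re-run through curl or with the default mech; narrow the `try` to `auth = HTTPSPNEGOAuth(mech=mech)` and call `use_requests(auth)` from an `else:` clause. In use_curl the exit status alone does not prove the request was authorized, because curl exits 0 on a 401 or 403 unless given `--fail`, so add `"--fail"` to the argv and replace `curl.wait()` plus `curl.stdout.read()` with `out, _ = curl.communicate()` to avoid the read-after-wait pipe pitfall. The comment `# odler version of requests that does not support mechs` should read "older", and a module docstring stating the contract (GET /gss_localname/ must return exactly MAG_REMOTE_USER; exit 42 means the case cannot run on this requests version) would document the sentinel the caller relies on.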