diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..50631d3 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/python-gssapi-1.2.0.tar.gz diff --git a/.python-gssapi.metadata b/.python-gssapi.metadata new file mode 100644 index 0000000..21f129f --- /dev/null +++ b/.python-gssapi.metadata @@ -0,0 +1 @@ +b1ae3dc59a10f794ab86827089dd2343018bb99d SOURCES/python-gssapi-1.2.0.tar.gz diff --git a/SOURCES/k5test-0.9.1-usr_lib64.patch b/SOURCES/k5test-0.9.1-usr_lib64.patch new file mode 100644 index 0000000..cd65a09 --- /dev/null +++ b/SOURCES/k5test-0.9.1-usr_lib64.patch @@ -0,0 +1,31 @@ +From 833d6c6b7cac7721e6e246b49edc794c19ab5178 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 24 Mar 2016 14:39:53 -0400 +Subject: [PATCH 1/3] Ensure test suite works with RHEL /usr/lib64 + +Adapted from https://github.com/pythongssapi/k5test/pull/1 +--- + gssapi/tests/_utils.py | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/gssapi/tests/_utils.py b/gssapi/tests/_utils.py +index 603be56..57e10e4 100644 +--- a/gssapi/tests/_utils.py ++++ b/gssapi/tests/_utils.py +@@ -75,9 +75,11 @@ def _find_plugin_dir(): + + # if there was no LD_LIBRARY_PATH, or the above failed + if _PLUGIN_DIR is None: +- # if we don't have a LD_LIBRARY_PATH, just search in +- # $prefix/lib ++ lib_dir = os.path.join(get_output('krb5-config --prefix'), 'lib64') ++ _PLUGIN_DIR = _decide_plugin_dir(_find_plugin_dirs_installed(lib_dir)) + ++ # /usr/lib64 has only been observed on RHEL ++ if _PLUGIN_DIR is None: + lib_dir = os.path.join(get_output('krb5-config --prefix'), 'lib') + _PLUGIN_DIR = _decide_plugin_dir(_find_plugin_dirs_installed(lib_dir)) + +-- +1.8.3.1 + diff --git a/SOURCES/python-gssapi-1.2.1-overwrite_cred_store.patch b/SOURCES/python-gssapi-1.2.1-overwrite_cred_store.patch new file mode 100644 index 0000000..4d6093d --- /dev/null +++ b/SOURCES/python-gssapi-1.2.1-overwrite_cred_store.patch @@ -0,0 +1,47 @@ +From fddcbec3d7b5ad50ffd2e66c7203dc200d26a594 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 28 Mar 2016 22:07:08 -0400 +Subject: [PATCH 3/3] Force overwrite on cred_store tests + +Certain versions of krb5 (>= 1.14 or anything that backported the +patch, including RHEL/Centos/Fedora) object (probably rightly so) to +duplicate credentials already existing in the ccache. Tell those +versions to sit down and shut up. + +This is the third and final commit in a series to enable running our +test suite on RHEL-7. +--- + gssapi/tests/test_high_level.py | 3 ++- + gssapi/tests/test_raw.py | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/gssapi/tests/test_high_level.py b/gssapi/tests/test_high_level.py +index 404ed43..3a9b8a3 100644 +--- a/gssapi/tests/test_high_level.py ++++ b/gssapi/tests/test_high_level.py +@@ -174,7 +174,8 @@ class CredsTestCase(_GSSAPIKerberosTestCase): + deleg_creds = server_ctx.delegated_creds + deleg_creds.shouldnt_be_none() + +- store_res = deleg_creds.store(usage='initiate', set_default=True) ++ store_res = deleg_creds.store(usage='initiate', set_default=True, ++ overwrite=True) + store_res.usage.should_be('initiate') + store_res.mechs.should_include(gb.MechType.kerberos) + +diff --git a/gssapi/tests/test_raw.py b/gssapi/tests/test_raw.py +index 23f2e2c..beebfb3 100644 +--- a/gssapi/tests/test_raw.py ++++ b/gssapi/tests/test_raw.py +@@ -474,7 +474,7 @@ class TestBaseUtilities(_GSSAPIKerberosTestCase): + deleg_creds = server_ctx_resp.delegated_creds + deleg_creds.shouldnt_be_none() + store_res = gb.store_cred(deleg_creds, usage='initiate', +- set_default=True) ++ set_default=True, overwrite=True) + + store_res.shouldnt_be_none() + store_res.usage.should_be('initiate') +-- +1.8.3.1 + diff --git a/SOURCES/python-gssapi-cython_0.19.patch b/SOURCES/python-gssapi-cython_0.19.patch new file mode 100644 index 0000000..6c025c7 --- /dev/null +++ b/SOURCES/python-gssapi-cython_0.19.patch @@ -0,0 +1,88 @@ +From 3b9a02481ff0f98ec9ee40d06d71d2a25d7d0bf3 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 24 Mar 2016 14:46:02 -0400 +Subject: [PATCH 2/3] Work around bug in Cython 0.19 in test suite + +Pre-0.21 Cython seems to incorrectly represent integral types as too +large. However, for our purposes, it is acceptable for them to be +larger than their declared type, as long as they are integral. +--- + gssapi/tests/test_raw.py | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/gssapi/tests/test_raw.py b/gssapi/tests/test_raw.py +index 37f6372..23f2e2c 100644 +--- a/gssapi/tests/test_raw.py ++++ b/gssapi/tests/test_raw.py +@@ -394,8 +394,8 @@ class TestBaseUtilities(_GSSAPIKerberosTestCase): + actual_mechs.shouldnt_be_empty() + actual_mechs.should_include(gb.MechType.kerberos) + +- output_init_ttl.should_be_a(int) +- output_accept_ttl.should_be_a(int) ++ output_init_ttl.should_be_an_integer() ++ output_accept_ttl.should_be_an_integer() + + new_creds.should_be_a(gb.Creds) + +@@ -426,7 +426,7 @@ class TestBaseUtilities(_GSSAPIKerberosTestCase): + actual_mechs.shouldnt_be_empty() + actual_mechs.should_include(gb.MechType.kerberos) + +- output_ttl.should_be_a(int) ++ output_ttl.should_be_an_integer() + # no need to explicitly release any more -- we can just rely on + # __dealloc__ (b/c cython) + +@@ -541,8 +541,8 @@ class TestBaseUtilities(_GSSAPIKerberosTestCase): + actual_mechs.shouldnt_be_empty() + actual_mechs.should_include(gb.MechType.kerberos) + +- output_init_ttl.should_be_a(int) +- output_accept_ttl.should_be_a(int) ++ output_init_ttl.should_be_an_integer() ++ output_accept_ttl.should_be_an_integer() + + new_creds.should_be_a(gb.Creds) + +@@ -618,7 +618,7 @@ class TestBaseUtilities(_GSSAPIKerberosTestCase): + actual_mechs.shouldnt_be_empty() + actual_mechs.should_include(gb.MechType.kerberos) + +- output_ttl.should_be_a(int) ++ output_ttl.should_be_an_integer() + + @_extension_test('password_add', 'Password (add)') + def test_add_cred_with_password(self): +@@ -638,8 +638,8 @@ class TestBaseUtilities(_GSSAPIKerberosTestCase): + actual_mechs.shouldnt_be_empty() + actual_mechs.should_include(gb.MechType.kerberos) + +- output_init_ttl.should_be_a(int) +- output_accept_ttl.should_be_a(int) ++ output_init_ttl.should_be_an_integer() ++ output_accept_ttl.should_be_an_integer() + + new_creds.should_be_a(gb.Creds) + +@@ -1079,7 +1079,7 @@ class TestWrapUnwrap(_GSSAPIKerberosTestCase): + conf.should_be_a(bool) + conf.should_be_true() + +- qop.should_be_a(int) ++ qop.should_be_an_integer() + + init_message[1].value.should_be(init_signed_info) + init_message[2].value.should_be(init_data) +@@ -1111,7 +1111,7 @@ class TestWrapUnwrap(_GSSAPIKerberosTestCase): + conf.should_be_a(bool) + conf.should_be_true() + +- qop.should_be_a(int) ++ qop.should_be_an_integer() + + init_message[1].value.should_be(init_signed_info) + init_message[2].value.should_be(init_data) +-- +1.8.3.1 + diff --git a/SOURCES/python-gssapi-display_status-infinite-recursion.patch b/SOURCES/python-gssapi-display_status-infinite-recursion.patch new file mode 100644 index 0000000..326d273 --- /dev/null +++ b/SOURCES/python-gssapi-display_status-infinite-recursion.patch @@ -0,0 +1,71 @@ +From b7e6c6c5451590f18df965a2a84550a63461d76e Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 27 Mar 2017 13:24:37 -0400 +Subject: [PATCH] Prevent GSSError/_display_status() infinite recursion + +I was unable to reproduce the problem, but this should prevent the issue. + +Resolves: #111 +--- + gssapi/raw/misc.pyx | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/gssapi/raw/misc.pyx b/gssapi/raw/misc.pyx +index e278c4b..4ea0c55 100644 +--- a/gssapi/raw/misc.pyx ++++ b/gssapi/raw/misc.pyx +@@ -139,7 +139,7 @@ def _display_status(unsigned int error_code, bint is_major_code, + whether or not to call again for further messages + + Raises: +- GSSError ++ ValueError + """ + + cdef int status_type +@@ -165,13 +165,16 @@ def _display_status(unsigned int error_code, bint is_major_code, + + if maj_stat == GSS_S_COMPLETE: + call_again = bool(msg_ctx_out) +- + msg_out = msg_buff.value[:msg_buff.length] + gss_release_buffer(&min_stat, &msg_buff) + return (msg_out, msg_ctx_out, call_again) + else: +- # NB(directxman12): this is highly unlikely to cause a recursive loop +- raise GSSError(maj_stat, min_stat) ++ # This hides whatever error gss_display_status is complaining about, ++ # but obviates infinite recursion into stack exhaustion. The ++ # exception raised here is handled by get_all_statuses(), which prints ++ # the code. ++ raise ValueError("gss_display_status call returned failure " ++ "(major {0}, minor {1}).".format(maj_stat, min_stat)) + + + class GSSErrorRegistry(type): +@@ -294,8 +297,8 @@ class GSSError(Exception, metaclass=GSSErrorRegistry): + try: + msg, ctx, cont = _display_status(code, is_maj) + res.append(msg.decode(msg_encoding)) +- except GSSError: +- res.append(u'issue decoding code: {0}'.format(code)) ++ except ValueError as e: ++ res.append(u'{0} Decoding code: {1}'.format(e, code)) + cont = False + + while cont: +@@ -303,9 +306,8 @@ class GSSError(Exception, metaclass=GSSErrorRegistry): + msg, ctx, cont = _display_status(code, is_maj, + message_context=ctx) + res.append(msg.decode(msg_encoding)) +- except GSSError: +- res.append(u'issue decoding ' +- u'code: {0}'.format(code)) ++ except ValueError: ++ res.append(u'{0} Decoding code: {1}'.format(e, code)) + cont = False + + return res +-- +2.11.0 + diff --git a/SPECS/python-gssapi.spec b/SPECS/python-gssapi.spec new file mode 100644 index 0000000..7f5d7ad --- /dev/null +++ b/SPECS/python-gssapi.spec @@ -0,0 +1,154 @@ +# NOTE: tests are disabled since should_be has not yet been packaged. +%global run_tests 0 + +# NOTE: python3 is disabled since python3-Cython is not yet packaged +%global with_python3 0 + +Name: python-gssapi +Version: 1.2.0 +Release: 3%{?dist} +Summary: Python Bindings for GSSAPI (RFC 2743/2744 and extensions) + +License: ISC +URL: https://github.com/pythongssapi/python-gssapi +Source0: https://github.com/pythongssapi/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz + +Patch0: k5test-0.9.1-usr_lib64.patch +Patch1: python-gssapi-cython_0.19.patch +Patch2: python-gssapi-1.2.1-overwrite_cred_store.patch +Patch3: python-gssapi-display_status-infinite-recursion.patch + +BuildRequires: python2-devel +BuildRequires: krb5-devel >= 1.10 +BuildRequires: krb5-libs >= 1.10 +BuildRequires: Cython >= 0.19 +BuildRequires: python-setuptools +Requires: krb5-libs >= 1.10 +Requires: python-six +Requires: python-enum34 +Requires: python-decorator + +%if 0%{?run_tests} +BuildRequires: python-nose +BuildRequires: python-nose-parameterized +BuildRequires: python-shouldbe +BuildRequires: python-tox +BuildRequires: krb5-server >= 1.10 +%endif + +%if 0%{?with_python3} +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-Cython + +%if 0%{?run_tests} +BuildRequires: python3-nose +BuildRequires: python3-nose-parameterized +BuildRequires: python3-should-be +%endif +%endif + +%description +A set of Python bindings to the GSSAPI C library providing both +a high-level pythonic interfaces and a low-level interfaces +which more closely matches RFC 2743. Includes support for +RFC 2743, as well as multiple extensions. + + +%if 0%{?with_python3} +%package -n python3-gssapi +Summary: Python 3 Bindings for GSSAPI (RFC 2743/2744 and extensions) + +Requires: krb5-libs >= 1.10 +Requires: python3-six +Requires: python3-decorator + +%description -n python3-gssapi +A set of Python 3 bindings to the GSSAPI C library providing both +a high-level pythonic interfaces and a low-level interfaces +which more closely matches RFC 2743. Includes support for +RFC 2743, as well as multiple extensions. +%endif + + +%prep +%setup -q + +%patch0 -p1 -b .usr_lib64 +%patch1 -p1 -b .cython_0.19 +%patch2 -p1 -b .overwrite_cred_store +%patch3 -p1 -b .display_status-infinite-recursion + +%if 0%{?with_python3} +rm -rf %{py3dir} +cp -a . %{py3dir} +%endif + + +%build +CFLAGS="%{optflags}" %{__python2} setup.py build + +%if 0%{?with_python3} +pushd %{py3dir} +CFLAGS="%{optflags}" %{__python3} setup.py build +popd +%endif + + +%install +%if 0%{?with_python3} +pushd %{py3dir} +%{__python3} setup.py install --skip-build --root %{buildroot} + +# fix permissions on shared objects (mock seems to set them +# to 0775, whereas a normal build gives 0755) +find %{buildroot}%{python3_sitearch}/gssapi -name '*.so' \ + -exec chmod 0755 {} \; + +popd +%endif + +%{__python2} setup.py install --skip-build --root %{buildroot} + +# fix permissions on shared objects (mock seems to set them +# to 0775, whereas a normal build gives 0755) +find %{buildroot}%{python2_sitearch}/gssapi -name '*.so' \ + -exec chmod 0755 {} \; + +%check +%if 0%{?run_tests} +%{__python2} setup.py nosetests + +%if 0%{?with_python3} +pushd %{py3dir} +%{__python3} setup.py nosetests +popd +%endif +%endif + + +%files +%doc README.txt +%license LICENSE.txt +%{python2_sitearch}/* + +%if 0%{?with_python3} +%files -n python3-gssapi +%doc README.txt +%license LICENSE.txt +%{python3_sitearch}/* +%endif + + +%changelog +* Tue Apr 11 2017 Robbie Harwood - 1.2.0-3 +- Fix an infinite loop from gss_display_status +- Resolves: #1438390 + +* Mon Apr 04 2016 Robbie Harwood - 1.2.0-2 +- Move python-tox from build requirement to test requirement +- Resolves: #1292139 + +* Mon Mar 28 2016 Robbie Harwood - 1.2.0-1 +- Import upstream version 1.2.0 with patches +- Resolves: #1292139