Add test for gss_localname

simo5 · simo5 · commit dca7b51bb818 · 2020-04-25T17:58:56.000-04:00
Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/.travis.sh b/.travis.sh
@@ -9,7 +9,7 @@ if [ -f /etc/debian_version ]; then
     apt-get -y install $COMPILER pkg-config flake8 virtualenv \
             apache2-bin {apache2,libkrb5,libssl,gss-ntlmssp}-dev \
             $PYTHON{,-dev,-requests} lib{socket,nss}-wrapper \
-            flex bison krb5-{kdc,admin-server,pkinit}
+            flex bison krb5-{kdc,admin-server,pkinit} curl
 
     apt-get -y install $PYTHON-requests-gssapi 2>/dev/null || true
 
@@ -23,7 +23,7 @@ elif [ -f /etc/redhat-release ]; then
     fi
 
     $DY -y install $COMPILER $PYTHON-{gssapi,requests} \
-        krb5-{server,workstation,pkinit} \
+        krb5-{server,workstation,pkinit} curl \
         {httpd,krb5,openssl,gssntlmssp}-devel {socket,nss}_wrapper \
         autoconf automake libtool which bison make $PYTHON \
         flex mod_session redhat-rpm-config /usr/bin/virtualenv
diff --git a/tests/httpd.conf b/tests/httpd.conf
@@ -274,6 +274,19 @@ CoreDumpDirectory "{HTTPROOT}"
   Require valid-user
 </Location>
 
+<Location /gss_localname>
+  AuthType GSSAPI
+  AuthName "Login"
+  GssapiSSLonly Off
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/http.keytab
+  GssapiBasicAuth Off
+  GssapiAllowedMech krb5
+  GssapiLocalName On
+  Require valid-user
+</Location>
+
 <VirtualHost *:{PROXYPORT}>
   ProxyRequests On
   ProxyVia On
diff --git a/tests/localname.html b/tests/localname.html
@@ -0,0 +1 @@
+<!--#echo var="REMOTE_USER" -->
diff --git a/tests/magtests.py b/tests/magtests.py
@@ -56,12 +56,20 @@ def setup_wrappers(base):
         f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME))
         f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME))
 
+    passwd_file = os.path.join(testdir, 'passwd')
+    with open(passwd_file, 'w+') as f:
+        f.write('root:x:0:0:root:/root:/bin/sh')
+        f.write('maguser:x:1:1:maguser:/maguser:/bin/sh')
+        f.write('maguser2:x:2:2:maguser2:/maguser2:/bin/sh')
+        f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh')
+
     wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
             'SOCKET_WRAPPER_DIR': wrapdir,
             'SOCKET_WRAPPER_DEFAULT_IFACE': '9',
             'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
             'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME,
-            'NSS_WRAPPER_HOSTS': hosts_file}
+            'NSS_WRAPPER_HOSTS': hosts_file,
+            'NSS_WRAPPER_PASSWD': passwd_file}
     return wenv
 
 
@@ -660,6 +668,40 @@ def test_hostname_acceptor(testdir, testenv, logfile):
     return 0
 
 
+def test_gss_localname(testdir, testenv, logfile):
+    hdir = os.path.join(testdir, 'httpd', 'html', 'gss_localname')
+    os.mkdir(hdir)
+    shutil.copy('tests/localname.html', os.path.join(hdir, 'index.html'))
+    error_count = 0
+
+    # Make sure spnego is explicitly tested
+    spnego = subprocess.Popen(["tests/t_localname.py", "SPNEGO"],
+                              stdout=logfile, stderr=logfile,
+                              env=testenv, preexec_fn=os.setsid)
+    spnego.wait()
+    if spnego.returncode != 0:
+        sys.stderr.write('LOCALNAME(SPNEGO): FAILED\n')
+        error_count += 1
+    else:
+        sys.stderr.write('LOCALNAME(SPNEGO): SUCCESS\n')
+
+    # and bare krb5 (GS2-KRB5 is the name used by SASL for it)
+    krb5 = subprocess.Popen(["tests/t_localname.py", "GS2-KRB5"],
+                            stdout=logfile, stderr=logfile,
+                            env=testenv, preexec_fn=os.setsid)
+    krb5.wait()
+    if krb5.returncode != 0:
+        if krb5.returncode == 42:
+            sys.stderr.write('LOCALNAME(KRB5): SKIPPED\n')
+        else:
+            sys.stderr.write('LOCALNAME(KRB5): FAILED\n')
+            error_count += 1
+    else:
+        sys.stderr.write('LOCALNAME(KRB5): SUCCESS\n')
+
+    return error_count
+
+
 if __name__ == '__main__':
     args = parse_args()
 
@@ -701,6 +743,9 @@ def test_hostname_acceptor(testdir, testenv, logfile):
 
         errs += test_bad_acceptor_name(testdir, testenv, logfile)
 
+        testenv['MAG_REMOTE_USER'] = USR_NAME
+        errs += test_gss_localname(testdir, testenv, logfile)
+
         rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so"
         deb_path = "/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so"
         if os.path.exists(rpm_path) or os.path.exists(deb_path):
diff --git a/tests/t_localname.py b/tests/t_localname.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+import gssapi
+import requests
+import subprocess
+import sys
+from requests_gssapi import HTTPSPNEGOAuth
+
+def use_requests(auth):
+    sess = requests.Session()
+    url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
+
+    r = sess.get(url, auth=auth)
+    if r.status_code != 200:
+        raise ValueError('Localname failed')
+
+    if r.text.rstrip() != os.environ['MAG_REMOTE_USER']:
+        raise ValueError('Localname, REMOTE_USER check failed')
+
+
+def use_curl():
+    url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
+    curl = subprocess.Popen(["curl", "--negotiate", "-u:", url],
+                            stdout=subprocess.PIPE)
+    curl.wait()
+    if curl.returncode != 0:
+        raise ValueError('Localname failed')
+
+    line = curl.stdout.read().strip(b' \t\n\r').decode('utf-8')
+    if line != os.environ['MAG_REMOTE_USER']:
+        raise ValueError('Localname, REMOTE_USER check failed (%s != %s)' % (
+                         line, os.environ['MAG_REMOTE_USER']))
+
+
+if __name__ == '__main__':
+    mech_name = None
+    if len(sys.argv) > 1:
+        mech_name = sys.argv[1]
+
+    mech=None
+    if mech_name is not None:
+        mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
+
+    try:
+        auth = HTTPSPNEGOAuth(mech=mech)
+        use_requests(auth)
+    except TypeError as e:
+        # odler version of requests that does not support mechs
+        if mech_name == 'SPNEGO':
+            use_curl()
+        elif mech_name == 'GS2-KRB5':
+            # older request versions use krb5 as the mech by default
+            auth = HTTPSPNEGOAuth()
+            use_requests(auth)
+        else:
+            sys.exit(42) # SKIP
