diff --git a/AUTHORS b/AUTHORS index a477e92..f9ea0fe 100644 --- a/AUTHORS +++ b/AUTHORS @@ -1 +1,3 @@ -Simo Sorce +To get the full list of authors please run the following command on a +git checkout of the project: +git shortlog -n -s -e diff --git a/README b/README index 566a4d9..b323558 100644 --- a/README +++ b/README @@ -26,8 +26,8 @@ To run tests, you also need: * The Kerberos 5 Key-Distribution-Center (`krb5-kdc` package on Debian, `krb5-server` on Fedora) -* Packages `mod_session`, `krb5-workstation`, `python-requests-gssapi`, - and `python-gssapi` on Fedora +* Packages `mod_session`, `krb5-workstation`, `python3-requests-gssapi`, + and `python3-gssapi` on Fedora * Some tests require `krb5-pkinit` package on fedora and krb5 >= 1.15. * [nss_wrapper](https://cwrap.org/nss_wrapper.html), packaged in Fedora * [socket_wrapper](https://cwrap.org/socket_wrapper.html), packaged in Fedora diff --git a/ci/ci.sh b/ci/ci.sh index accaee1..af1ca32 100755 --- a/ci/ci.sh +++ b/ci/ci.sh @@ -15,8 +15,8 @@ elif [ -f /etc/fedora-release ]; then dnf -y install $COMPILER python3-{gssapi,requests{,-gssapi},flake8} \ krb5-{server,workstation,pkinit} curl libfaketime \ {httpd,krb5,openssl,gssntlmssp}-devel {socket,nss}_wrapper \ - autoconf automake libtool which bison make python3 \ - flex mod_session redhat-rpm-config /usr/bin/virtualenv + autoconf automake libtool which bison make python3 python3-devel \ + flex mod_session redhat-rpm-config /usr/bin/virtualenv openssl else echo "Distro not found!" false diff --git a/contrib/session_generator.py b/contrib/session_generator.py index 7e7de27..463339c 100644 --- a/contrib/session_generator.py +++ b/contrib/session_generator.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Works with both python2 and python3; please preserve this property # Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms 
diff --git a/contrib/sweeper.py b/contrib/sweeper.py index 98ca010..427623f 100755 --- a/contrib/sweeper.py +++ b/contrib/sweeper.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Works with both python2 and python3; please preserve this property # Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms diff --git a/src/crypto.c b/src/crypto.c index 3f372a0..b3f7fd9 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -262,7 +262,7 @@ apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey, totlen += outlen; outlen = plain->length - totlen; - ret = EVP_DecryptFinal_ex(ctx, plain->value, &outlen); + ret = EVP_DecryptFinal_ex(ctx, plain->value + totlen, &outlen); if (ret == 0) goto done; totlen += outlen; diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 928dc18..99de884 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -194,6 +194,9 @@ static bool mag_conn_is_https(conn_rec *c) return false; } +static char *get_ccache_name(request_rec *req, char *dir, const char *name, + bool use_unique, apr_pool_t *pool); + static bool mag_acquire_creds(request_rec *req, struct mag_config *cfg, gss_OID_set desired_mechs, 
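Review bot: In the src/crypto.c hunk, the assignment `outlen = plain->length - totlen;` just above the corrected call does not bound the write, because EVP_DecryptFinal_ex treats its last argument as output only and ignores the value passed in. With the final block now written at `plain->value + totlen`, the write is safe only if `plain->value` has room for one more cipher block past `totlen`; the allocation is outside this hunk, so that should be confirmed. I would add a comment at the call such as `/* outlen is output-only; plain->value must hold totlen plus one cipher block */`, or check the remaining space explicitly before the call. UNSEAL_BUFFER starts and ends outside the hunk.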
@@ -226,7 +229,52 @@ static bool mag_acquire_creds(request_rec *req, } #ifdef HAVE_CRED_STORE - gss_const_key_value_set_t store = cfg->cred_store; + gss_const_key_value_set_t store = NULL; + + /* When using multiple names, we need to use individual separate ccaches + * for each principal or gss_acquire_cred() on the default ccache will + * fail when names don't match. This is needed only for the s4u2proxy + * case, where we try to acquire proxy credentials. The lucky thing is + * that in this case we require the use of a delegated creedntials + * directory, so we just use this directory to also hold permanent ccaches + * for individual acceptor names. */ + if (cfg->acceptor_name_from_req && cfg->use_s4u2proxy && + cfg->deleg_ccache_dir) { + + gss_key_value_set_desc *s; + bool add = true; + char *ccname; + char *special_name; + + special_name = apr_psprintf(req->pool, "acceptor_%s", req->hostname); + ccname = get_ccache_name(req, cfg->deleg_ccache_dir, special_name, + false, req->pool); + + s = apr_pcalloc(req->pool, sizeof(gss_key_value_set_desc)); + s->count = cfg->cred_store->count; + s->elements = apr_pcalloc(req->pool, + (s->count + 1) * + sizeof(gss_key_value_element_desc)); + for (size_t i = 0; i < s->count; i++) { + gss_key_value_element_desc *el = &cfg->cred_store->elements[i]; + s->elements[i].key = el->key; + if (strcmp(el->key, "ccache") == 0) { + s->elements[i].value = ccname; + add = false; + } else { + s->elements[i].value = el->value; + } + } + if (add) { + s->elements[s->count].key = "ccache"; + s->elements[s->count].value = ccname; + s->count++; + } + + store = s; + } else { + store = cfg->cred_store; + } maj = gss_acquire_cred_from(&min, acceptor_name, GSS_C_INDEFINITE, desired_mechs, cred_usage, store, creds, 
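Review bot: `cfg->cred_store` is dereferenced unconditionally in the new s4u2proxy branch of mag_acquire_creds (`s->count = cfg->cred_store->count;` and the copy loop), so a configuration with GssapiUseS4U2Proxy and GssapiDelegCcacheDir but no GssapiCredStore would crash here if the pointer is left NULL in that case; the code that initialises it is not in this hunk. The same pattern is in the mag_verify_config hunk (`cfg->cred_store->count` in the loop condition), which is reached for every configuration with use_s4u2proxy set. Reading the count once as `size_t n = cfg->cred_store ? cfg->cred_store->count : 0;` and iterating to `n` keeps the append-`ccache` path working with an empty store. Separately, `special_name` is built from `req->hostname`, a request-derived value, and is only usable as a file name because get_ccache_name escapes `/`; a one-line comment at the call saying so would keep a later refactor from dropping that dependency.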
@@ -287,8 +335,8 @@ static char *escape(apr_pool_t *pool, const char *name, return escaped; } -static char *get_ccache_name(request_rec *req, char *dir, const char *gss_name, - bool use_unique, struct mag_conn *mc) +static char *get_ccache_name(request_rec *req, char *dir, const char *name, + bool use_unique, apr_pool_t *pool) { char *ccname, *escaped; int ccachefd; @@ -297,15 +345,15 @@ static char *get_ccache_name(request_rec *req, char *dir, const char *gss_name, /* We need to escape away '/', we can't have path separators in * a ccache file name */ /* first double escape the esacping char (~) if any */ - escaped = escape(req->pool, gss_name, '~', "~~"); + escaped = escape(req->pool, name, '~', "~~"); /* then escape away the separator (/) if any */ escaped = escape(req->pool, escaped, '/', "~"); if (use_unique == false) { - return apr_psprintf(mc->pool, "%s/%s", dir, escaped); + return apr_psprintf(pool, "%s/%s", dir, escaped); } - ccname = apr_psprintf(mc->pool, "%s/%s-XXXXXX", dir, escaped); + ccname = apr_psprintf(pool, "%s/%s-XXXXXX", dir, escaped); umask_save = umask(0177); ccachefd = mkstemp(ccname); 
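Review bot: get_ccache_name now takes the destination pool from the caller, but nothing documents which allocations use it: the escaped intermediate strings still come from `req->pool`, and only the returned path comes from `pool`. A short comment above the definition would make the lifetime contract explicit, for example `/* Returns dir/<escaped name> allocated from pool; name is escaped so it cannot contain '/'. */`. The rest of the body (the mkstemp path) continues outside these hunks.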
@@ -659,6 +707,54 @@ static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc, return ret; } +#define OPTION_WARNING "Warning: %s is set but %s = %s is missing!" + +void mag_verify_config(request_rec *req, struct mag_config *cfg) +{ + /* we check only once */ + if (cfg->verified) return; + + /* Check if cred store config is consistent with use_s4u2proxy. + * Although not strictly required it is generally adivsable to + * set keytab, client_keytab, and ccache in the cred_store when + * use_s4u2proxy is set, this is to avoid easy mistakes that are + * very difficult to diagnose */ + if (cfg->use_s4u2proxy) { + bool has_keytab = false; + bool has_client_keytab = false; + bool has_ccache = false; + + for (int i = 0; i < cfg->cred_store->count; i++) { + const char *key = cfg->cred_store->elements[i].key; + if (strcmp(key, "keytab") == 0) { + has_keytab = true; + } else if (strcmp(key, "client_keytab") == 0) { + has_client_keytab = true; + } else if (strcmp(key, "ccache") == 0) { + has_ccache = true; + } + } + + if (!has_keytab) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req, + OPTION_WARNING, "GssapiUseS4U2Proxy", + "GssapiCredStore", "keytab"); + } + if (!has_client_keytab) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req, + OPTION_WARNING, "GssapiUseS4U2Proxy", + "GssapiCredStore", "client_keytab"); + } + if (!has_ccache) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req, + OPTION_WARNING, "GssapiUseS4U2Proxy", + "GssapiCredStore", "ccache"); + } + } + + cfg->verified = true; +} + struct mag_req_cfg *mag_init_cfg(request_rec *req) { struct mag_server_config *scfg; @@ -667,6 +763,7 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req) req_cfg->req = req; req_cfg->cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); + mag_verify_config(req, req_cfg->cfg); scfg = ap_get_module_config(req->server->module_config, &auth_gssapi_module); 
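Review bot: The three new diagnostics in mag_verify_config carry the text "Warning:" but are logged at `APLOG_INFO`, so at httpd's default LogLevel they are not written at all, which works against the stated goal of making these mistakes easy to diagnose; `APLOG_WARNING` would match the message. The function is also defined without `static` and nothing in this diff declares it in a header; if it is only used in this file, `static void mag_verify_config(request_rec *req, struct mag_config *cfg)` keeps it out of the module's exported symbols. `cfg->verified` is written on a per-directory config from request context; whether concurrent requests can reach it at the same time is not visible here, so a comment noting that the check is idempotent and the write is only an optimisation would help.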
@@ -1248,7 +1345,7 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc, "requester: %s", mc->gss_name); ccache_path = get_ccache_name(req, cfg->deleg_ccache_dir, mc->gss_name, - cfg->deleg_ccache_unique, mc); + cfg->deleg_ccache_unique, mc->pool); if (ccache_path == NULL) { goto done; } @@ -1532,6 +1629,23 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig, } cfg->cred_store->count++; + /* check for files that we know should be present, so admins get + * some rope to figure out issues when they cannot be accessed */ + if (strcmp(key, "keytab") == 0 || + strcmp(key, "client_keytab") == 0) { + apr_status_t rc; + apr_file_t *file; + rc = apr_file_open(&file, value, APR_FOPEN_READ, 0, parms->pool); + if (rc != APR_SUCCESS) { + char err[256]; + apr_strerror(rc, err, sizeof(err)); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Cannot open %s file %s: %s", key, value, err); + } else { + apr_file_close(file); + } + } + elements[count].key = key; elements[count].value = value; diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h index fb748e5..5d17907 100644 --- a/src/mod_auth_gssapi.h +++ b/src/mod_auth_gssapi.h @@ -99,6 +99,8 @@ struct mag_config { gss_name_t acceptor_name; bool acceptor_name_from_req; uint32_t basic_timeout; + + bool verified; }; struct mag_server_config { diff --git a/src/parser.y b/src/parser.y index 8a5b008..9a0be17 100644 --- a/src/parser.y +++ b/src/parser.y @@ -40,11 +40,10 @@ static char *b64_enc(const char *val, size_t len); %token EQUAL %token EQUALBIN %token AST -%token STRING -%token INT -%type STRING -%type INT rule rule_start requiredkv +%token STRING +%token INT +%type rule rule_start requiredkv %parse-param {const char **keys} {const char **vals} {int *status} diff --git a/tests/httpd.conf b/tests/httpd.conf index b83d0fb..4672cde 100644 --- a/tests/httpd.conf +++ b/tests/httpd.conf 
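Review bot: The new probe in mag_cred_store passes `value` to apr_file_open() verbatim from inside the directive handler, so its result describes the process that parses the configuration rather than the one that later uses the keytab. If the parser runs with more privilege than the request-handling workers (not visible here), a keytab the workers cannot read passes silently, and a value written with a krb5 type prefix would presumably be reported as unopenable even though the GSSAPI library accepts it. A comment stating that this is a best-effort hint and not a guarantee would set the right expectation. The status can also be handed to the logger instead of being formatted by hand: `ap_log_error(APLOG_MARK, APLOG_ERR, rc, parms->server, "Cannot open %s file %s", key, value);`.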
@@ -238,6 +238,21 @@ CoreDumpDirectory "{HTTPROOT}" Require valid-user + + AuthType GSSAPI + AuthName "Login" + GssapiSSLonly Off + GssapiCredStore ccache:{HTTPROOT}/httpd_krb5_ccache + GssapiCredStore client_keytab:{HTTPROOT}/http.keytab + GssapiCredStore keytab:{HTTPROOT}/http.keytab + GssapiBasicAuth Off + GssapiAllowedMech krb5 + GssapiAcceptorName {{HOSTNAME}} + GssapiUseS4U2Proxy On + GssapiDelegCcacheDir {HTTPROOT}/delegccachedir + Require valid-user + + AuthType GSSAPI AuthName "Required Name Attributes" @@ -346,3 +361,16 @@ CoreDumpDirectory "{HTTPROOT}" GssapiPublishMech On Require valid-user + + + AuthType GSSAPI + AuthName "Password Login" + GssapiSSLonly Off + GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache + GssapiCredStore client_keytab:{HTTPROOT}/nofile/http.keytab + GssapiCredStore keytab:{HTTPROOT}/nofile/http.keytab + GssapiBasicAuth On + GssapiBasicAuthMech krb5 + GssapiPublishMech On + Require valid-user + diff --git a/tests/magtests.py b/tests/magtests.py index 4600ebd..7316788 100755 --- a/tests/magtests.py +++ b/tests/magtests.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import argparse @@ -320,11 +320,13 @@ def setup_kdc(testdir, wrapenv): with open(kdcconf, 'w+') as f: f.write(text) - kdcenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', - 'KRB5_CONFIG': krb5conf, - 'KRB5_KDC_PROFILE': kdcconf, - 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log')} - kdcenv.update(wrapenv) + kdcenv = wrapenv.copy() + kdcenv.update({ + 'PATH': f'{wrapenv["PATH"]}:/sbin:/bin:/usr/sbin:/usr/bin', + 'KRB5_CONFIG': krb5conf, + 'KRB5_KDC_PROFILE': kdcconf, + 'KRB5_TRACE': os.path.join(testdir, 'krbtrace.log'), + }) logfile = open(testlog, 'a') ksetup = subprocess.Popen(["kdb5_util", "create", "-W", "-s", 
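Review bot: In the setup_kdc hunk the `PATH` entry of `kdcenv` now puts the wrapper PATH before the system directories, while `httpenv` in setup_http and http_restart keeps the system directories first. Before this change the later `update(wrapenv)` overwrote the key, so neither ordering took effect; with the copy-then-update form both do, and they disagree. If the difference is intentional, a comment saying why the KDC needs the wrapper directories first would help; otherwise use one ordering in all three places.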
@@ -393,8 +395,10 @@ def setup_keys(tesdir, env): cmd = "addprinc -nokey -e %s %s" % (KEY_TYPE, USR_NAME_3) kadmin_local(cmd, env, logfile) - keys_env = {"KRB5_KTNAME": svc_keytab, } - keys_env.update(env) + keys_env = env.copy() + keys_env.update({ + "KRB5_KTNAME": svc_keytab, + }) return keys_env @@ -406,6 +410,7 @@ def setup_http(testdir, so_dir, wrapenv): os.mkdir(os.path.join(httpdir, 'conf.d')) os.mkdir(os.path.join(httpdir, 'html')) os.mkdir(os.path.join(httpdir, 'logs')) + httpdstdlog = os.path.join(testdir, 'httpd.stdlog') distro = "Fedora" moddir = "/etc/httpd/modules" @@ -431,13 +436,17 @@ def setup_http(testdir, so_dir, wrapenv): shutil.copy('tests/401.html', os.path.join(httpdir, 'html')) - httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', - 'MALLOC_CHECK_': '3', - 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)} - httpenv.update(wrapenv) + httpenv = wrapenv.copy() + httpenv.update({ + 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{wrapenv["PATH"]}', + 'MALLOC_CHECK_': '3', + 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1), + }) httpd = "httpd" if distro == "Fedora" else "apache2" + log = open(httpdstdlog, 'a') httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config], + stdout=log, stderr=log, env=httpenv, preexec_fn=os.setsid) return httpproc @@ -445,8 +454,10 @@ def setup_http(testdir, so_dir, wrapenv): def kinit_user(testdir, kdcenv): testlog = os.path.join(testdir, 'kinit.log') ccache = os.path.join(testdir, 'k5ccache') - testenv = {'KRB5CCNAME': ccache} - testenv.update(kdcenv) + testenv = kdcenv.copy() + testenv.update({ + 'KRB5CCNAME': ccache, + }) with (open(testlog, 'a')) as logfile: kinit = subprocess.Popen(["kinit", USR_NAME], 
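Review bot: `log = open(httpdstdlog, 'a')` in setup_http is never closed in the parent, so every call leaves a file object open for the lifetime of the test run; the http_restart hunk adds the same pattern. The child keeps its own copy of the descriptor once Popen returns, so the parent can release its handle immediately: wrap the call as `with open(httpdstdlog, 'a') as log:` and create `httpproc` inside the block. setup_http starts outside this hunk.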
@@ -467,8 +478,10 @@ def kinit_certuser(testdir, kdcenv): pkinit_user_cert = os.path.join(testdir, PKINIT_USER_CERT) pkinit_key = os.path.join(testdir, PKINIT_KEY) ident = "X509_user_identity=FILE:" + pkinit_user_cert + "," + pkinit_key - testenv = {'KRB5CCNAME': ccache} - testenv.update(kdcenv) + testenv = kdcenv.copy() + testenv.update({ + 'KRB5CCNAME': ccache, + }) with (open(testlog, 'a')) as logfile: logfile.write('PKINIT for maguser3\n') kinit = subprocess.Popen(["kinit", USR_NAME_3, "-X", ident], @@ -678,26 +691,32 @@ def test_no_negotiate(testdir, testenv, logfile): def test_hostname_acceptor(testdir, testenv, logfile): - hdir = os.path.join(testdir, 'httpd', 'html', 'hostname_acceptor') + plain_test_name = 'hostname_acceptor' + hdir = os.path.join(testdir, 'httpd', 'html', plain_test_name) os.mkdir(hdir) shutil.copy('tests/index.html', hdir) + proxy_test_name = 'hostname_proxy' + hdir = os.path.join(testdir, 'httpd', 'html', proxy_test_name) + os.mkdir(hdir) + shutil.copy('tests/index.html', hdir) + ddir = os.path.join(testdir, 'httpd', 'delegccachedir') + os.mkdir(ddir) + failed = False - for (name, fail) in [(WRAP_HOSTNAME, False), - (WRAP_ALIASNAME, False), - (WRAP_FAILNAME, True)]: - res = subprocess.Popen(["tests/t_hostname_acceptor.py", name], - stdout=logfile, stderr=logfile, - env=testenv, preexec_fn=os.setsid) - res.wait() - if fail: - if res.returncode == 0: + for test_name in [plain_test_name, proxy_test_name]: + for (name, fail) in [(WRAP_HOSTNAME, False), + (WRAP_ALIASNAME, False), + (WRAP_FAILNAME, True)]: + res = subprocess.Popen(["tests/t_hostname_acceptor.py", + name, test_name], + stdout=logfile, stderr=logfile, + env=testenv, preexec_fn=os.setsid) + res.wait() + if (fail and res.returncode == 0) or \ + (not fail and res.returncode != 0): failed = True - else: - if res.returncode != 0: - failed = True - if failed: - break + break if failed: sys.stderr.write('HOSTNAME ACCEPTOR: FAILED\n') 
@@ -754,21 +773,27 @@ def faketime_setup(testenv): raise NotImplementedError # spedup x100 - fakeenv = {'FAKETIME': '+0 x100'} - fakeenv.update(testenv) - fakeenv['LD_PRELOAD'] = ' '.join((testenv['LD_PRELOAD'], libfaketime)) + fakeenv = testenv.copy() + fakeenv.update({ + 'FAKETIME': '+0 x100', + 'LD_PRELOAD': ' '.join((testenv['LD_PRELOAD'], libfaketime)), + }) return fakeenv def http_restart(testdir, so_dir, testenv): - httpenv = {'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}', - 'MALLOC_CHECK_': '3', - 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1)} - httpenv.update(testenv) + httpenv = testenv.copy() + httpenv.update({ + 'PATH': f'/sbin:/bin:/usr/sbin:/usr/bin:{testenv["PATH"]}', + 'MALLOC_CHECK_': '3', + 'MALLOC_PERTURB_': str(random.randint(0, 32767) % 255 + 1), + }) httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2" config = os.path.join(testdir, 'httpd', 'httpd.conf') + log = open(os.path.join(testdir, 'httpd.stdlog'), 'a') httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config], + stdout=log, stderr=log, env=httpenv, preexec_fn=os.setsid) return httpproc @@ -789,6 +814,22 @@ def test_mech_name(testdir, testenv, logfile): return 0 +def test_file_check(testdir, testenv, logfile): + basicdir = os.path.join(testdir, 'httpd', 'html', 'keytab_file_check') + os.mkdir(basicdir) + shutil.copy('tests/index.html', basicdir) + + filec = subprocess.Popen(["tests/t_file_check.py"], + stdout=logfile, stderr=logfile, + env=testenv, preexec_fn=os.setsid) + filec.wait() + if filec.returncode == 0: + sys.stderr.write('FILE-CHECK: FAILED\n') + return 1 + sys.stderr.write('FILE-CHECK: SUCCESS\n') + return 0 + + if __name__ == '__main__': args = parse_args() 
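Review bot: test_file_check reports success whenever `tests/t_file_check.py` exits non-zero, so any failure of the helper (a missing environment variable, a connection error, an import error) passes the test, and nothing verifies that the new "Cannot open ... file" message was actually logged. The helper itself raises 'Basic Auth Failed(Keytab File Check)' on a non-200 status, which reads as a failure although it is the expected outcome. I would have the helper exit 0 only when the request is rejected as expected, keep the usual `returncode != 0` check here, and additionally look for the log line in the httpd error log.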
@@ -800,8 +841,11 @@ def test_mech_name(testdir, testenv, logfile): processes = dict() logfile = open(os.path.join(testdir, 'tests.log'), 'w') - errs = 0 + # '-1' indicates setup phase + errs = -1 + try: + # prepare environment for tests wrapenv = apply_venv(setup_wrappers(testdir)) kdcproc, kdcenv = setup_kdc(testdir, wrapenv) @@ -815,6 +859,9 @@ def test_mech_name(testdir, testenv, logfile): testenv['DELEGCCACHE'] = os.path.join(testdir, 'httpd', USR_NAME + '@' + TESTREALM) + # making testing + errs = 0 + errs += test_spnego_auth(testdir, testenv, logfile) testenv['MAG_GSS_NAME'] = USR_NAME + '@' + TESTREALM @@ -838,11 +885,13 @@ def test_mech_name(testdir, testenv, logfile): sys.stderr.write("krb5 PKINIT module not found, skipping name " "attribute tests\n") - testenv = {'MAG_USER_NAME': USR_NAME, - 'MAG_USER_PASSWORD': USR_PWD, - 'MAG_USER_NAME_2': USR_NAME_2, - 'MAG_USER_PASSWORD_2': USR_PWD_2} - testenv.update(kdcenv) + testenv = kdcenv.copy() + testenv.update({ + 'MAG_USER_NAME': USR_NAME, + 'MAG_USER_PASSWORD': USR_PWD, + 'MAG_USER_NAME_2': USR_NAME_2, + 'MAG_USER_PASSWORD_2': USR_PWD_2, + }) errs += test_basic_auth_krb5(testdir, testenv, logfile) @@ -850,12 +899,16 @@ def test_mech_name(testdir, testenv, logfile): errs += test_mech_name(testdir, testenv, logfile) + errs += test_file_check(testdir, testenv, logfile) + # After this point we need to speed up httpd to test creds timeout try: fakeenv = faketime_setup(kdcenv) - timeenv = {'TIMEOUT_USER': USR_NAME_4, - 'MAG_USER_PASSWORD': USR_PWD} - timeenv.update(fakeenv) + timeenv = fakeenv.copy() + timeenv.update({ + 'TIMEOUT_USER': USR_NAME_4, + 'MAG_USER_PASSWORD': USR_PWD, + }) curporc = httpproc pid = processes['HTTPD(%d)' % httpproc.pid].pid os.killpg(pid, signal.SIGTERM) diff --git a/tests/t_bad_acceptor_name.py b/tests/t_bad_acceptor_name.py index 0e8c0fa..37b9dfb 100755 --- a/tests/t_bad_acceptor_name.py +++ b/tests/t_bad_acceptor_name.py 
@@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_basic_k5.py b/tests/t_basic_k5.py index aaa60d5..8c6c11d 100755 --- a/tests/t_basic_k5.py +++ b/tests/t_basic_k5.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_basic_k5_fail_second.py b/tests/t_basic_k5_fail_second.py index de35707..7e64df2 100755 --- a/tests/t_basic_k5_fail_second.py +++ b/tests/t_basic_k5_fail_second.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_basic_k5_two_users.py b/tests/t_basic_k5_two_users.py index ed98255..5372035 100755 --- a/tests/t_basic_k5_two_users.py +++ b/tests/t_basic_k5_two_users.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_basic_proxy.py b/tests/t_basic_proxy.py index 14e90aa..9eb3008 100755 --- a/tests/t_basic_proxy.py +++ b/tests/t_basic_proxy.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_basic_timeout.py b/tests/t_basic_timeout.py index 983dfd2..007ff97 100755 --- a/tests/t_basic_timeout.py +++ b/tests/t_basic_timeout.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_file_check.py b/tests/t_file_check.py new file mode 100755 index 0000000..99b3b14 --- /dev/null +++ b/tests/t_file_check.py 
@@ -0,0 +1,15 @@ +#!/usr/bin/env python3 +# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license. + +import os + +import requests +from requests.auth import HTTPBasicAuth + + +if __name__ == '__main__': + url = 'http://%s/keytab_file_check/' % os.environ['NSS_WRAPPER_HOSTNAME'] + r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'], + os.environ['MAG_USER_PASSWORD'])) + if r.status_code != 200: + raise ValueError('Basic Auth Failed(Keytab File Check)') diff --git a/tests/t_hostname_acceptor.py b/tests/t_hostname_acceptor.py index 6d59e85..0a07a0f 100755 --- a/tests/t_hostname_acceptor.py +++ b/tests/t_hostname_acceptor.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license. import sys @@ -9,7 +9,7 @@ if __name__ == '__main__': sess = requests.Session() - url = 'http://%s/hostname_acceptor/' % sys.argv[1] + url = 'http://{}/{}/'.format(sys.argv[1], sys.argv[2]) r = sess.get(url, auth=HTTPKerberosAuth(delegate=True)) if r.status_code != 200: - raise ValueError('Hostname-based acceptor failed') + raise ValueError('Hostname acceptor ({}) failed'.format(sys.argv[2])) diff --git a/tests/t_localname.py b/tests/t_localname.py index 4950869..e990762 100755 --- a/tests/t_localname.py +++ b/tests/t_localname.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_mech_name.py b/tests/t_mech_name.py index 86dc094..69f451f 100755 --- a/tests/t_mech_name.py +++ b/tests/t_mech_name.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_nonego.py b/tests/t_nonego.py index 6cb7770..00e15cb 100755 --- a/tests/t_nonego.py +++ b/tests/t_nonego.py 
@@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_required_name_attr.py b/tests/t_required_name_attr.py index b0c9724..c42c2e3 100755 --- a/tests/t_required_name_attr.py +++ b/tests/t_required_name_attr.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_spnego.py b/tests/t_spnego.py index e7003a6..04190a9 100755 --- a/tests/t_spnego.py +++ b/tests/t_spnego.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_spnego_negotiate_once.py b/tests/t_spnego_negotiate_once.py index 4e57b95..ce10122 100755 --- a/tests/t_spnego_negotiate_once.py +++ b/tests/t_spnego_negotiate_once.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_spnego_no_auth.py b/tests/t_spnego_no_auth.py index ac04b0b..5b72d9a 100755 --- a/tests/t_spnego_no_auth.py +++ b/tests/t_spnego_no_auth.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_spnego_proxy.py b/tests/t_spnego_proxy.py index 9db9a4f..bd84653 100755 --- a/tests/t_spnego_proxy.py +++ b/tests/t_spnego_proxy.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/tests/t_spnego_rewrite.py b/tests/t_spnego_rewrite.py index 4205a92..09d74f6 100755 --- a/tests/t_spnego_rewrite.py +++ b/tests/t_spnego_rewrite.py 
@@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license. import os diff --git a/version.m4 b/version.m4 index 1b0ca29..8ea3303 100644 --- a/version.m4 +++ b/version.m4 @@ -1 +1 @@ -m4_define([VERSION_NUMBER], [1.6.3]) +m4_define([VERSION_NUMBER], [1.6.4])