Fix FreeBSD HTTP Kerberos setup (#72595)
This commit is contained in:
parent
8c67432fc8
commit
aee7a3ed68
4 changed files with 48 additions and 71 deletions
|
@ -1,37 +1,22 @@
|
|||
- name: Skip explicit auth tests on FreeBSD as Heimdal there does not have gss_acquire_cred_with_password
|
||||
when: ansible_facts.os_family != 'FreeBSD'
|
||||
block:
|
||||
- name: test Negotiate auth over HTTP with explicit credentials
|
||||
get_url:
|
||||
url: http://{{ httpbin_host }}/gssapi
|
||||
dest: '{{ remote_tmp_dir }}/gssapi_explicit.txt'
|
||||
use_gssapi: yes
|
||||
url_username: '{{ krb5_username }}'
|
||||
url_password: '{{ krb5_password }}'
|
||||
register: http_explicit
|
||||
|
||||
- name: get result of test Negotiate auth over HTTP with explicit credentials
|
||||
slurp:
|
||||
path: '{{ remote_tmp_dir }}/gssapi_explicit.txt'
|
||||
register: http_explicit_actual
|
||||
|
||||
- name: assert test Negotiate auth with implicit credentials
|
||||
assert:
|
||||
that:
|
||||
- http_explicit.status_code == 200
|
||||
- http_explicit_actual.content | b64decode | trim == 'Microsoft Rulz'
|
||||
|
||||
- name: FreeBSD - verify it fails with explicit credential
|
||||
- name: test Negotiate auth over HTTP with explicit credentials
|
||||
get_url:
|
||||
url: http://{{ httpbin_host }}/gssapi
|
||||
dest: '{{ remote_tmp_dir }}/gssapi_explicit.txt'
|
||||
use_gssapi: yes
|
||||
url_username: '{{ krb5_username }}'
|
||||
url_password: '{{ krb5_password }}'
|
||||
register: explicit_failure
|
||||
when: ansible_facts.os_family == 'FreeBSD'
|
||||
failed_when:
|
||||
- '"Platform GSSAPI library does not support gss_acquire_cred_with_password, cannot acquire GSSAPI credential with explicit username and password" not in explicit_failure.msg'
|
||||
register: http_explicit
|
||||
|
||||
- name: get result of test Negotiate auth over HTTP with explicit credentials
|
||||
slurp:
|
||||
path: '{{ remote_tmp_dir }}/gssapi_explicit.txt'
|
||||
register: http_explicit_actual
|
||||
|
||||
- name: assert test Negotiate auth with implicit credentials
|
||||
assert:
|
||||
that:
|
||||
- http_explicit.status_code == 200
|
||||
- http_explicit_actual.content | b64decode | trim == 'Microsoft Rulz'
|
||||
|
||||
- name: skip tests on macOS, I cannot seem to get it to read a credential from a custom ccache
|
||||
when: ansible_facts.distribution != 'MacOSX'
|
||||
|
|
|
@ -92,9 +92,19 @@ def main():
|
|||
required_together=[('username', 'password')],
|
||||
)
|
||||
|
||||
# Heimdal has a few quirks that we want to paper over in this module
|
||||
# 1. KRB5_TRACE does not work in any released version (<=7.7), we need to use a custom krb5.config to enable it
|
||||
# 2. When reading the password it reads from the pty not stdin by default causing an issue with subprocess. We
|
||||
# can control that behaviour with '--password-file=STDIN'
|
||||
# Also need to set the custom path to krb5-config and kinit as FreeBSD relies on the newer Heimdal version in the
|
||||
# port package.
|
||||
sysname = os.uname()[0]
|
||||
prefix = '/usr/local/bin/' if sysname == 'FreeBSD' else ''
|
||||
is_heimdal = sysname in ['Darwin', 'FreeBSD']
|
||||
|
||||
# Debugging purposes, get the Kerberos version. On platforms like OpenSUSE this may not be on the PATH.
|
||||
try:
|
||||
process = subprocess.Popen(['krb5-config', '--version'], stdout=subprocess.PIPE)
|
||||
process = subprocess.Popen(['%skrb5-config' % prefix, '--version'], stdout=subprocess.PIPE)
|
||||
stdout, stderr = process.communicate()
|
||||
version = to_text(stdout)
|
||||
except OSError as e:
|
||||
|
@ -102,13 +112,7 @@ def main():
|
|||
raise
|
||||
version = 'Unknown (no krb5-config)'
|
||||
|
||||
# Heimdal has a few quirks that we want to paper over in this module
|
||||
# 1. KRB5_TRACE does not work in any released version (<=7.7), we need to use a custom krb5.config to enable it
|
||||
# 2. When reading the password it reads from the pty not stdin by default causing an issue with subprocess. We
|
||||
# can control that behaviour with '--password-file=STDIN'
|
||||
is_heimdal = os.uname()[0] in ['Darwin', 'FreeBSD']
|
||||
|
||||
kinit_args = ['kinit']
|
||||
kinit_args = ['%skinit' % prefix]
|
||||
config = {}
|
||||
if is_heimdal:
|
||||
kinit_args.append('--password-file=STDIN')
|
||||
|
|
|
@ -43,8 +43,10 @@
|
|||
state: present
|
||||
extra_args: '-c {{ remote_constraints }}'
|
||||
environment:
|
||||
# Need this custom path for OpenSUSE as krb5-config is placed there
|
||||
PATH: '{{ ansible_facts.env.PATH }}:/usr/lib/mit/bin'
|
||||
# Put /usr/local/bin for FreeBSD as we need to use the heimdal port over the builtin version
|
||||
# https://github.com/pythongssapi/python-gssapi/issues/228
|
||||
# Need the /usr/lib/mit/bin custom path for OpenSUSE as krb5-config is placed there
|
||||
PATH: '/usr/local/bin:{{ ansible_facts.env.PATH }}:/usr/lib/mit/bin'
|
||||
notify: Remove python gssapi
|
||||
|
||||
- name: test the environment to make sure Kerberos is working properly
|
||||
|
|
|
@ -5,45 +5,31 @@
|
|||
register: no_auth_failure
|
||||
failed_when: no_auth_failure.www_authenticate != 'Negotiate'
|
||||
|
||||
- name: Skip explicit auth tests on FreeBSD as Heimdal there does not have gss_acquire_cred_with_password
|
||||
when: ansible_facts.os_family != 'FreeBSD'
|
||||
block:
|
||||
- name: test Negotiate auth over HTTP with explicit credentials
|
||||
uri:
|
||||
url: http://{{ httpbin_host }}/gssapi
|
||||
use_gssapi: yes
|
||||
url_username: '{{ krb5_username }}'
|
||||
url_password: '{{ krb5_password }}'
|
||||
return_content: yes
|
||||
register: http_explicit
|
||||
- name: test Negotiate auth over HTTP with explicit credentials
|
||||
uri:
|
||||
url: http://{{ httpbin_host }}/gssapi
|
||||
use_gssapi: yes
|
||||
url_username: '{{ krb5_username }}'
|
||||
url_password: '{{ krb5_password }}'
|
||||
return_content: yes
|
||||
register: http_explicit
|
||||
|
||||
- name: test Negotiate auth over HTTPS with explicit credentials
|
||||
uri:
|
||||
url: https://{{ httpbin_host }}/gssapi
|
||||
use_gssapi: yes
|
||||
url_username: '{{ krb5_username }}'
|
||||
url_password: '{{ krb5_password }}'
|
||||
return_content: yes
|
||||
register: https_explicit
|
||||
|
||||
- name: assert test Negotiate auth with implicit credentials
|
||||
assert:
|
||||
that:
|
||||
- http_explicit.status == 200
|
||||
- http_explicit.content | trim == 'Microsoft Rulz'
|
||||
- https_explicit.status == 200
|
||||
- https_explicit.content | trim == 'Microsoft Rulz'
|
||||
|
||||
- name: FreeBSD - verify it fails with explicit credential
|
||||
- name: test Negotiate auth over HTTPS with explicit credentials
|
||||
uri:
|
||||
url: https://{{ httpbin_host }}/gssapi
|
||||
use_gssapi: yes
|
||||
url_username: '{{ krb5_username }}'
|
||||
url_password: '{{ krb5_password }}'
|
||||
register: explicit_failure
|
||||
when: ansible_facts.os_family == 'FreeBSD'
|
||||
failed_when:
|
||||
- '"Platform GSSAPI library does not support gss_acquire_cred_with_password, cannot acquire GSSAPI credential with explicit username and password" not in explicit_failure.msg'
|
||||
return_content: yes
|
||||
register: https_explicit
|
||||
|
||||
- name: assert test Negotiate auth with implicit credentials
|
||||
assert:
|
||||
that:
|
||||
- http_explicit.status == 200
|
||||
- http_explicit.content | trim == 'Microsoft Rulz'
|
||||
- https_explicit.status == 200
|
||||
- https_explicit.content | trim == 'Microsoft Rulz'
|
||||
|
||||
- name: skip tests on macOS, I cannot seem to get it to read a credential from a custom ccache
|
||||
when: ansible_facts.distribution != 'MacOSX'
|
||||
|
|
Loading…
Reference in a new issue