From 58217d98f9a92a492505e246a76e39ace6f1cd01 Mon Sep 17 00:00:00 2001 From: canth1 Date: Fri, 11 Feb 2022 11:42:52 -0700 Subject: [PATCH 1/2] mod_auth_gssapi: Add support for every configuration directive --- manifests/vhost.pp | 34 +++++++- spec/defines/vhost_spec.rb | 168 ++++++++++++++++++++++++++++++++++-- templates/vhost/_gssapi.epp | 137 +++++++++++++++++++++++++---- 3 files changed, 316 insertions(+), 23 deletions(-) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 1ad825fa11..d04d267459 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -1509,9 +1509,37 @@ # directories => [ # { path => '/path/to/different/dir', # gssapi => { -# credstore => 'keytab:/foo/bar.keytab', -# localname => 'Off', -# sslonly => 'On', +# acceptor_name => '{HOSTNAME}', +# allowed_mech => ['krb5', 'iakerb', 'ntlmssp'], +# basic_auth => true, +# basic_auth_mech => ['krb5', 'iakerb', 'ntlmssp'], +# basic_ticket_timeout => 300, +# connection_bound => true, +# cred_store => { +# ccache => ['/path/to/directory'], +# client_keytab => ['/path/to/example.keytab'], +# keytab => ['/path/to/example.keytab'], +# }, +# deleg_ccache_dir => '/path/to/directory', +# deleg_ccache_env_var => 'KRB5CCNAME', +# deleg_ccache_perms => { +# mode => '0600', +# uid => 'example-user', +# gid => 'example-group', +# }, +# deleg_ccache_unique => true, +# impersonate => true, +# local_name => true, +# name_attributes => 'json', +# negotiate_once => true, +# publish_errors => true, +# publish_mech => true, +# required_name_attributes => 'auth-indicators=high', +# session_key => 'file:/path/to/example.key', +# signal_persistent_auth => true, +# ssl_only => true, +# use_s4u2_proxy => true, +# use_sessions => true, # } # }, # ], diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 730e9e0bfa..45bc4286af 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb 
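Review bot: The rewritten example in the `directories` documentation enables every directive at once — `basic_auth`, `impersonate`, `use_s4u2_proxy`, and all three mechanisms including `ntlmssp` — and reads as a recommended configuration rather than an exhaustive listing of keys; a lead-in such as `# Every supported key is shown; enable only what the site needs (basic_auth should be paired with ssl_only => true).` would discourage copy-paste deployments of the full set. The `cred_store => { ccache => ['/path/to/directory'] }` example also names a directory for a value that the template in this patch renders as a `FILE:` ccache; use a file path in the example or state the expected type. The enclosing documentation comment of `apache::vhost` starts and ends outside this hunk.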
@@ -252,9 +252,37 @@ 'passenger_app_log_file' => '/tmp/app.log', 'passenger_debugger' => false, 'gssapi' => { - 'credstore' => 'keytab:/foo/bar.keytab', - 'localname' => 'On', - 'sslonly' => 'Off', + acceptor_name => '{HOSTNAME}', + allowed_mech => ['krb5', 'iakerb', 'ntlmssp'], + basic_auth => true, + basic_auth_mech => ['krb5', 'iakerb', 'ntlmssp'], + basic_ticket_timeout => 300, + connection_bound => true, + cred_store => { + ccache => ['/path/to/directory'], + client_keytab => ['/path/to/example.keytab'], + keytab => ['/path/to/example.keytab'], + }, + deleg_ccache_dir => '/path/to/directory', + deleg_ccache_env_var => 'KRB5CCNAME', + deleg_ccache_perms => { + mode => '0600', + uid => 'example-user', + gid => 'example-group', + }, + deleg_ccache_unique => true, + impersonate => true, + local_name => true, + name_attributes => 'json', + negotiate_once => true, + publish_errors => true, + publish_mech => true, + required_name_attributes => 'auth-indicators=high', + session_key => 'file:/path/to/example.key', + signal_persistent_auth => true, + ssl_only => true, + use_s4u2_proxy => true, + use_sessions => true, }, }, { 
@@ -945,12 +973,92 @@ } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( - content: %r{^\s+GssapiCredStore\skeytab:/foo/bar.keytab$}, + content: %r{^\s+GssapiAcceptorName\s{HOSTNAME}$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiAllowedMech\skrb5$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiAllowedMech\siakerb$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiAllowedMech\sntlmssp$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiBasicAuth\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiBasicAuthMech\skrb5$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiBasicAuthMech\siakerb$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiBasicAuthMech\sntlmssp$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiBasicTicketTimeout\s300$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiConnectionBound\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiCredStore\sccache:FILE:/path/to/directory$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiCredStore\sclient_keytab:/path/to/example\.keytab$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: 
%r{^\s+GssapiCredStore\skeytab:/path/to/example\.keytab$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiDelegCcacheDir\s/path/to/directory$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiDelegCcacheEnvVar\sKRB5CCNAME$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiDelegCcachePerms\smode:0600\suid:example-user\sgid:example-group$}, ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( - content: %r{^\s+GssapiSSLonly\sOff$}, + content: %r{^\s+GssapiDelegCcacheUnique\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiImpersonate\sOn$}, ) } it { 
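Review bot: The fixture passes `/path/to/directory` as the `ccache` entry while the new assertion expects `GssapiCredStore ccache:FILE:/path/to/directory`, so the spec pins a `FILE:` credential cache pointing at what the fixture calls a directory; either use a file path in the fixture or let the template accept an explicit ccache type so a `DIR:` cache can be expressed, and test that instead. `%r{^\s+GssapiAcceptorName\s{HOSTNAME}$}` only matches because Ruby treats the malformed quantifier `{HOSTNAME}` as literal text; write `%r{^\s+GssapiAcceptorName\s\{HOSTNAME\}$}` so the intent is explicit and the expectation does not depend on that leniency. The `\.` escaping is also inconsistent (`example\.keytab` is escaped, `/path/to/directory` and the other paths are not), which is harmless here but easy to get wrong when the paths are edited. The surrounding `describe` block starts before this hunk.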
@@ -958,6 +1066,56 @@ content: %r{^\s+GssapiLocalName\sOn$}, ) } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiNameAttributes\sjson$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiNegotiateOnce\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiPublishErrors\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiPublishMech\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiRequiredNameAttributes\s"auth-indicators=high"$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiSessionKey\sfile:/path/to/example\.key$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiSignalPersistentAuth\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiSSLonly\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiUseS4U2Proxy\sOn$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+GssapiUseSessions\sOn$}, + ) + } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( content: %r{^\s+SSLVerifyClient\soptional$}, diff --git a/templates/vhost/_gssapi.epp b/templates/vhost/_gssapi.epp index 4f2d9f9114..87a755a6b9 100644 --- a/templates/vhost/_gssapi.epp +++ b/templates/vhost/_gssapi.epp 
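Review bot: Every new expectation runs against the single all-enabled fixture, so the template's negative paths are untested: nothing checks that a Boolean set to `false` emits no directive, and nothing covers `use_s4u2_proxy => true` without `deleg_ccache_dir`, which is the one branch in `_gssapi.epp` with gating logic. A second context with a minimal hash (for example only `'ssl_only' => true`) plus `is_expected.not_to contain_concat__fragment('rspec.example.com-directories').with(content: %r{GssapiUseS4U2Proxy})` would pin that behaviour. The surrounding `describe` block starts before this hunk.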
@@ -1,16 +1,123 @@ -<%| +<%- | # https://github.com/gssapi/mod_auth_gssapi - Optional[String[1]] $credstore = undef, - Optional[Enum['On','Off']] $sslonly = undef, - Optional[Enum['On','Off']] $localname = undef, -|%> -# mod_auth_gssapi configuration -<% if $sslonly { -%> - GssapiSSLonly <%= $sslonly %> -<% } -%> -<% if $localname { -%> - GssapiLocalName <%= $localname %> -<% } -%> -<% if $credstore { -%> - GssapiCredStore <%= $credstore %> -<% } -%> + Optional[Variant[String[1], Enum['{HOSTNAME}']]] $acceptor_name = undef, + Optional[Array[Enum['krb5','iakerb','ntlmssp']]] $allowed_mech = undef, + Optional[Boolean] $basic_auth = undef, + Optional[Array[Enum['krb5','iakerb','ntlmssp']]] $basic_auth_mech = undef, + Optional[[Integer[1]]] $basic_ticket_timeout = undef, + Optional[Boolean] $connection_bound = undef, + Optional[Struct[{ + Optional['ccache'] => Array[Stdlib::Unixpath], + Optional['client_keytab'] => Array[Stdlib::Unixpath], + Optional['keytab'] => Array[Stdlib::Unixpath], + }]] $cred_store = undef, + Optional[Stdlib::Unixpath] $deleg_ccache_dir = undef, + Optional[[String[1]]] $deleg_ccache_env_var = undef, + Optional[Struct[{ + 'mode' => Stdlib::Filemode, + 'uid' => Variant[Integer[1], String[1]], + 'gid' => Variant[Integer[1], String[1]], + }]] $deleg_ccache_perms = undef, + Optional[Boolean] $deleg_ccache_unique = undef, + Optional[Boolean] $impersonate = undef, + Optional[Boolean] $local_name = undef, + Optional[Variant[String[1], Enum['json']]] $name_attributes = undef, + Optional[Boolean] $negotiate_once = undef, + Optional[Boolean] $publish_errors = undef, + Optional[Boolean] $publish_mech = undef, + Optional[[String[1]]] $required_name_attributes = undef, + Optional[[String[1]]] $session_key = undef, + Optional[Boolean] $signal_persistent_auth = undef, + Optional[Boolean] $ssl_only = undef, + Optional[Boolean] $use_s4u2_proxy = undef, + Optional[Boolean] $use_sessions = undef, +| -%> + + # mod_auth_gssapi configuration +<%- if $acceptor_name { 
-%> + GssapiAcceptorName <%= $acceptor_name %> +<%- } -%> +<%- if $allowed_mech { -%> + <%- $allowed_mech.each |$mech| { -%> + GssapiAllowedMech <%= $mech %> + <%- } -%> +<%- } -%> +<%- if $basic_auth { -%> + GssapiBasicAuth On +<%- } -%> +<%- if $basic_auth_mech { -%> +<%- $basic_auth_mech.each |$mech| { -%> + GssapiBasicAuthMech <%= $mech %> +<%- } -%> +<%- } -%> +<%- if $basic_ticket_timeout { -%> + GssapiBasicTicketTimeout <%= $basic_ticket_timeout %> +<%- } -%> +<%- if $connection_bound { -%> + GssapiConnectionBound On +<%- } -%> +<%- if $cred_store { -%> + <%- if $cred_store[ccache] { -%> + <%- $cred_store[ccache].each |$path| { -%> + GssapiCredStore ccache:FILE:<%= $path %> + <%- } -%> + <%- } -%> + <%- if $cred_store[client_keytab] { -%> + <%- $cred_store[client_keytab].each |$path| { -%> + GssapiCredStore client_keytab:<%= $path %> + <%- } -%> + <%- } -%> + <%- if $cred_store[keytab] { -%> + <%- $cred_store[keytab].each |$path| { -%> + GssapiCredStore keytab:<%= $path %> + <%- } -%> + <%- } -%> +<%- } -%> +<%- if $deleg_ccache_dir { -%> + GssapiDelegCcacheDir <%= $deleg_ccache_dir %> +<%- } -%> +<%- if $deleg_ccache_env_var { -%> + GssapiDelegCcacheEnvVar <%= $deleg_ccache_env_var %> +<%- } -%> +<%- if $deleg_ccache_perms { -%> + GssapiDelegCcachePerms mode:<%= $deleg_ccache_perms[mode] %> uid:<%= $deleg_ccache_perms[uid] %> gid:<%= $deleg_ccache_perms[gid] %> +<%- } -%> +<%- if $deleg_ccache_unique { -%> + GssapiDelegCcacheUnique On +<%- } -%> +<%- if $impersonate { -%> + GssapiImpersonate On +<%- } -%> +<%- if $local_name { -%> + GssapiLocalName On +<%- } -%> +<%- if $name_attributes { -%> + GssapiNameAttributes <%= $name_attributes %> +<%- } -%> +<%- if $negotiate_once { -%> + GssapiNegotiateOnce On +<%- } -%> +<%- if $publish_errors { -%> + GssapiPublishErrors On +<%- } -%> +<%- if $publish_mech { -%> + GssapiPublishMech On +<%- } -%> +<%- if $required_name_attributes { -%> + GssapiRequiredNameAttributes "<%= $required_name_attributes %>" +<%- } -%> 
+<%- if $session_key { -%> + GssapiSessionKey <%= $session_key %> +<%- } -%> +<%- if $signal_persistent_auth { -%> + GssapiSignalPersistentAuth On +<%- } -%> +<%- if $ssl_only { -%> + GssapiSSLonly On +<%- } -%> +<%- if $use_s4u2_proxy and $deleg_ccache_dir { -%> + GssapiUseS4U2Proxy On +<%- } -%> +<%- if $use_sessions { -%> + GssapiUseSessions On +<%- } -%> From 7f797cccf319175ff17fa2f4331cff71df8dfad7 Mon Sep 17 00:00:00 2001 From: canth1 Date: Tue, 7 Jun 2022 09:56:54 -0600 Subject: [PATCH 2/2] -Fix unit test errors --- spec/defines/vhost_spec.rb | 58 +++++++++++++++++++------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 45bc4286af..13849fe4c7 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb 
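Review bot: `<%- if $use_s4u2_proxy and $deleg_ccache_dir { -%>` silently omits `GssapiUseS4U2Proxy On` when the operator sets `use_s4u2_proxy => true` without `deleg_ccache_dir`, so an explicitly requested constrained-delegation setting is dropped with no signal; prefer an explicit failure such as `<%- if $use_s4u2_proxy and !$deleg_ccache_dir { fail('gssapi: use_s4u2_proxy requires deleg_ccache_dir') } -%>` so the misconfiguration surfaces at compile time rather than as an unexplained authentication failure. The new parameter list also drops the previous `credstore`, `sslonly` and `localname` names without aliases; if EPP rejects unknown parameters as I believe it does, every existing `gssapi => { ... }` hash fails on upgrade, which deserves a deprecation shim or at least a changelog entry. Consider a caveat for `$basic_auth` as well: `GssapiBasicAuth On` has the client send its Kerberos password in a Basic header, so it is normally paired with `ssl_only => true`, and a `warning()` when `basic_auth` is set without `ssl_only` would be cheap. Minor: the doubled brackets in `Optional[[Integer[1]]]` and the three `Optional[[String[1]]]` parameters look like typos for `Optional[Integer[1]]` / `Optional[String[1]]`.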
@@ -252,37 +252,37 @@ 'passenger_app_log_file' => '/tmp/app.log', 'passenger_debugger' => false, 'gssapi' => { - acceptor_name => '{HOSTNAME}', - allowed_mech => ['krb5', 'iakerb', 'ntlmssp'], - basic_auth => true, - basic_auth_mech => ['krb5', 'iakerb', 'ntlmssp'], - basic_ticket_timeout => 300, - connection_bound => true, - cred_store => { - ccache => ['/path/to/directory'], - client_keytab => ['/path/to/example.keytab'], - keytab => ['/path/to/example.keytab'], + 'acceptor_name' => '{HOSTNAME}', + 'allowed_mech' => ['krb5', 'iakerb', 'ntlmssp'], + 'basic_auth' => true, + 'basic_auth_mech' => ['krb5', 'iakerb', 'ntlmssp'], + 'basic_ticket_timeout' => 300, + 'connection_bound' => true, + 'cred_store' => { + 'ccache' => ['/path/to/directory'], + 'client_keytab' => ['/path/to/example.keytab'], + 'keytab' => ['/path/to/example.keytab'], }, - deleg_ccache_dir => '/path/to/directory', - deleg_ccache_env_var => 'KRB5CCNAME', - deleg_ccache_perms => { - mode => '0600', - uid => 'example-user', - gid => 'example-group', + 'deleg_ccache_dir' => '/path/to/directory', + 'deleg_ccache_env_var' => 'KRB5CCNAME', + 'deleg_ccache_perms' => { + 'mode' => '0600', + 'uid' => 'example-user', + 'gid' => 'example-group', }, - deleg_ccache_unique => true, - impersonate => true, - local_name => true, - name_attributes => 'json', - negotiate_once => true, - publish_errors => true, - publish_mech => true, - required_name_attributes => 'auth-indicators=high', - session_key => 'file:/path/to/example.key', - signal_persistent_auth => true, - ssl_only => true, - use_s4u2_proxy => true, - use_sessions => true, + 'deleg_ccache_unique' => true, + 'impersonate' => true, + 'local_name' => true, + 'name_attributes' => 'json', + 'negotiate_once' => true, + 'publish_errors' => true, + 'publish_mech' => true, + 'required_name_attributes' => 'auth-indicators=high', + 'session_key' => 'file:/path/to/example.key', + 'signal_persistent_auth' => true, + 'ssl_only' => true, + 'use_s4u2_proxy' => true, + 
'use_sessions' => true, }, }, {