archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix FreeBSD HTTP Kerberos setup (#72595)

Browse Source
pull/72601/head
Jordan Borean 4 years ago committed by GitHub
parent 8c67432fc8
commit aee7a3ed68
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 48 additions and 71 deletions
Show Stats Download Patch File Download Diff File

21
test/integration/targets/get_url/tasks/use_gssapi.yml
Unescape Escape View File

@ -1,7 +1,4 @@
- name: Skip explicit auth tests on FreeBSD as Heimdal there does not have gss_acquire_cred_with_password - name: test Negotiate auth over HTTP with explicit credentials
when: ansible_facts.os_family != 'FreeBSD'
block:
- name: test Negotiate auth over HTTP with explicit credentials
get_url: get_url:
url: http://{{ httpbin_host }}/gssapi url: http://{{ httpbin_host }}/gssapi
dest: '{{ remote_tmp_dir }}/gssapi_explicit.txt' dest: '{{ remote_tmp_dir }}/gssapi_explicit.txt'
@ -10,29 +7,17 @@
url_password: '{{ krb5_password }}' url_password: '{{ krb5_password }}'
register: http_explicit register: http_explicit
- name: get result of test Negotiate auth over HTTP with explicit credentials - name: get result of test Negotiate auth over HTTP with explicit credentials
slurp: slurp:
path: '{{ remote_tmp_dir }}/gssapi_explicit.txt' path: '{{ remote_tmp_dir }}/gssapi_explicit.txt'
register: http_explicit_actual register: http_explicit_actual
- name: assert test Negotiate auth with implicit credentials - name: assert test Negotiate auth with implicit credentials
assert: assert:
that: that:
- http_explicit.status_code == 200 - http_explicit.status_code == 200
- http_explicit_actual.content | b64decode | trim == 'Microsoft Rulz' - http_explicit_actual.content | b64decode | trim == 'Microsoft Rulz'
- name: FreeBSD - verify it fails with explicit credential
get_url:
url: http://{{ httpbin_host }}/gssapi
dest: '{{ remote_tmp_dir }}/gssapi_explicit.txt'
use_gssapi: yes
url_username: '{{ krb5_username }}'
url_password: '{{ krb5_password }}'
register: explicit_failure
when: ansible_facts.os_family == 'FreeBSD'
failed_when:
- '"Platform GSSAPI library does not support gss_acquire_cred_with_password, cannot acquire GSSAPI credential with explicit username and password" not in explicit_failure.msg'
- name: skip tests on macOS, I cannot seem to get it to read a credential from a custom ccache - name: skip tests on macOS, I cannot seem to get it to read a credential from a custom ccache
when: ansible_facts.distribution != 'MacOSX' when: ansible_facts.distribution != 'MacOSX'
block: block:

20
test/integration/targets/prepare_http_tests/library/httptester_kinit.py
Unescape Escape View File

@ -92,9 +92,19 @@ def main():
required_together=[('username', 'password')], required_together=[('username', 'password')],
) )
# Heimdal has a few quirks that we want to paper over in this module
# 1. KRB5_TRACE does not work in any released version (<=7.7), we need to use a custom krb5.config to enable it
# 2. When reading the password it reads from the pty not stdin by default causing an issue with subprocess. We
# can control that behaviour with '--password-file=STDIN'
# Also need to set the custom path to krb5-config and kinit as FreeBSD relies on the newer Heimdal version in the
# port package.
sysname = os.uname()[0]
prefix = '/usr/local/bin/' if sysname == 'FreeBSD' else ''
is_heimdal = sysname in ['Darwin', 'FreeBSD']
# Debugging purposes, get the Kerberos version. On platforms like OpenSUSE this may not be on the PATH. # Debugging purposes, get the Kerberos version. On platforms like OpenSUSE this may not be on the PATH.
try: try:
process = subprocess.Popen(['krb5-config', '--version'], stdout=subprocess.PIPE) process = subprocess.Popen(['%skrb5-config' % prefix, '--version'], stdout=subprocess.PIPE)
stdout, stderr = process.communicate() stdout, stderr = process.communicate()
version = to_text(stdout) version = to_text(stdout)
except OSError as e: except OSError as e:
@ -102,13 +112,7 @@ def main():
raise raise
version = 'Unknown (no krb5-config)' version = 'Unknown (no krb5-config)'
# Heimdal has a few quirks that we want to paper over in this module kinit_args = ['%skinit' % prefix]
# 1. KRB5_TRACE does not work in any released version (<=7.7), we need to use a custom krb5.config to enable it
# 2. When reading the password it reads from the pty not stdin by default causing an issue with subprocess. We
# can control that behaviour with '--password-file=STDIN'
is_heimdal = os.uname()[0] in ['Darwin', 'FreeBSD']
kinit_args = ['kinit']
config = {} config = {}
if is_heimdal: if is_heimdal:
kinit_args.append('--password-file=STDIN') kinit_args.append('--password-file=STDIN')

6
test/integration/targets/prepare_http_tests/tasks/kerberos.yml
Unescape Escape View File

@ -43,8 +43,10 @@
state: present state: present
extra_args: '-c {{ remote_constraints }}' extra_args: '-c {{ remote_constraints }}'
environment: environment:
# Need this custom path for OpenSUSE as krb5-config is placed there # Put /usr/local/bin for FreeBSD as we need to use the heimdal port over the builtin version
PATH: '{{ ansible_facts.env.PATH }}:/usr/lib/mit/bin' # https://github.com/pythongssapi/python-gssapi/issues/228
# Need the /usr/lib/mit/bin custom path for OpenSUSE as krb5-config is placed there
PATH: '/usr/local/bin:{{ ansible_facts.env.PATH }}:/usr/lib/mit/bin'
notify: Remove python gssapi notify: Remove python gssapi
- name: test the environment to make sure Kerberos is working properly - name: test the environment to make sure Kerberos is working properly

20
test/integration/targets/uri/tasks/use_gssapi.yml
Unescape Escape View File

@ -5,10 +5,7 @@
register: no_auth_failure register: no_auth_failure
failed_when: no_auth_failure.www_authenticate != 'Negotiate' failed_when: no_auth_failure.www_authenticate != 'Negotiate'
- name: Skip explicit auth tests on FreeBSD as Heimdal there does not have gss_acquire_cred_with_password - name: test Negotiate auth over HTTP with explicit credentials
when: ansible_facts.os_family != 'FreeBSD'
block:
- name: test Negotiate auth over HTTP with explicit credentials
uri: uri:
url: http://{{ httpbin_host }}/gssapi url: http://{{ httpbin_host }}/gssapi
use_gssapi: yes use_gssapi: yes
@ -17,7 +14,7 @@
return_content: yes return_content: yes
register: http_explicit register: http_explicit
- name: test Negotiate auth over HTTPS with explicit credentials - name: test Negotiate auth over HTTPS with explicit credentials
uri: uri:
url: https://{{ httpbin_host }}/gssapi url: https://{{ httpbin_host }}/gssapi
use_gssapi: yes use_gssapi: yes
@ -26,7 +23,7 @@
return_content: yes return_content: yes
register: https_explicit register: https_explicit
- name: assert test Negotiate auth with implicit credentials - name: assert test Negotiate auth with implicit credentials
assert: assert:
that: that:
- http_explicit.status == 200 - http_explicit.status == 200
@ -34,17 +31,6 @@
- https_explicit.status == 200 - https_explicit.status == 200
- https_explicit.content | trim == 'Microsoft Rulz' - https_explicit.content | trim == 'Microsoft Rulz'
- name: FreeBSD - verify it fails with explicit credential
uri:
url: https://{{ httpbin_host }}/gssapi
use_gssapi: yes
url_username: '{{ krb5_username }}'
url_password: '{{ krb5_password }}'
register: explicit_failure
when: ansible_facts.os_family == 'FreeBSD'
failed_when:
- '"Platform GSSAPI library does not support gss_acquire_cred_with_password, cannot acquire GSSAPI credential with explicit username and password" not in explicit_failure.msg'
- name: skip tests on macOS, I cannot seem to get it to read a credential from a custom ccache - name: skip tests on macOS, I cannot seem to get it to read a credential from a custom ccache
when: ansible_facts.distribution != 'MacOSX' when: ansible_facts.distribution != 'MacOSX'
block: block:

Write Preview
Loading…
Cancel
Save