Merge ~ahasenack/ubuntu/+source/krb5:krb5-dep8-1677881 into ubuntu/+source/krb5:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 171213f69220df0e4d55dd2f969747533bd62f01
Merge reported by: Christian Ehrhardt 
Merged at revision: 171213f69220df0e4d55dd2f969747533bd62f01
Proposed branch: ~ahasenack/ubuntu/+source/krb5:krb5-dep8-1677881
Merge into: ubuntu/+source/krb5:ubuntu/devel
Diff against target: 192 lines (+160/-0)
5 files modified
debian/changelog (+9/-0)
debian/tests/control (+7/-0)
debian/tests/kinit (+27/-0)
debian/tests/slapd-gssapi (+52/-0)
debian/tests/util (+65/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+349071@code.launchpad.net

Description of the change

Add dep8 tests to the krb5 package.

Bileto ticket: https://bileto.ubuntu.com/#/ticket/3355

Salsa merge request to add this in debian (no response so far): https://salsa.debian.org/debian/krb5/merge_requests/2

Note that this will become our only delta with debian in this package. Currently it's a sync.

On IRC a point was raised that the slapd-gssapi test could perhaps be in the slapd (openldap source) package. This test actually touches many areas:
- krb5 itself
- cyrus-sasl
- slapd

I used the bare minimum of slapd for the test, focusing on the authentication aspect. That's why I used the ldapwhoami command instead of anything that would actually touch the ldap database. That's also why I wanted debian's opinion on these tests.

That being said, this test could fail due to bugs in slapd, ldap-utils or even cyrus-sasl itself.

Andreas Hasenack (ahasenack) wrote :

Got a review from debian, they want a copyright statement. I'll do it over there, and we should get this in our next sync. I'll put this MP back into "work in progress" for now, because of that.

Andreas Hasenack (ahasenack) wrote :

Debian merged our tests, so reopening this MP.

Bileto ticket: https://bileto.ubuntu.com/#/ticket/3355

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3355/+packages

I don't know when debian will release a new krb5 package with these tests. Given the approaching freeze, I would like to get them in now, even if that means dropping them later on again.

Andreas Hasenack (ahasenack) wrote :

Bileto tests passed, opening up the MP for review again.

Christian Ehrhardt  (paelzer) wrote :

The pastebin initially linked is a "zpool iostat 2", not what you wanted to add here.
But I find what I actually need, so ok on that - just FYI.

Andreas Hasenack (ahasenack) wrote :

Removed the pastebin link and replaced it with the bileto one. Oops.

Christian Ehrhardt  (paelzer) wrote :

Checked the output on all arches, LGTM
+1 on good coverage

As mentioned on IRC you have used "local" which works in dash but isn't guaranteed by /bin/sh.
Let me know if you want to fix that up before upload.

review: Approve

Christian Ehrhardt  (paelzer) wrote :

discussed on IRC - keeping as is as that is fine on Ubuntu (dash) and the way it already is accepted by Debian.

Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/krb5
 * [new tag] upload/1.16-2ubuntu1 -> upload/1.16-2ubuntu1

Christian Ehrhardt  (paelzer) wrote :

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading krb5_1.16-2ubuntu1.dsc: done.
  Uploading krb5_1.16-2ubuntu1.debian.tar.xz: done.
  Uploading krb5_1.16-2ubuntu1_source.buildinfo: done.
  Uploading krb5_1.16-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 1987b93..8ce40eb 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,12 @@
6+krb5 (1.16-2ubuntu1) cosmic; urgency=medium
7+
8+ * Add DEP8 tests (LP: #1677881):
9+ - d/t/util: common functions used in the tests
10+ - d/t/control, d/t/kinit: simple kinit test
11+ - d/t/control, d/t/slapd-gssapi: DEP8 test for service principals
12+
13+ -- Andreas Hasenack <andreas@canonical.com> Fri, 06 Jul 2018 15:39:44 -0300
14+
15 krb5 (1.16-2build1) bionic; urgency=high
16
17 * No change rebuild against openssl1.1.
18diff --git a/debian/tests/control b/debian/tests/control
19new file mode 100644
20index 0000000..42ae680
21--- /dev/null
22+++ b/debian/tests/control
23@@ -0,0 +1,7 @@
24+Tests: kinit
25+Depends: @
26+Restrictions: isolation-container, needs-root, allow-stderr
27+
28+Tests: slapd-gssapi
29+Depends: @, slapd, ldap-utils, libsasl2-modules-gssapi-mit
30+Restrictions: isolation-container, needs-root, allow-stderr
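
Review bot: the Restrictions lines of both stanzas list isolation-container, needs-root and allow-stderr but not breaks-testbed, although both tests call adjust_hostname and create_realm from debian/tests/util, which overwrite /etc/hostname, /etc/krb5.conf and /etc/krb5kdc/kdc.conf and run rm -rf on /var/lib/krb5kdc/* without restoring anything. Adding breaks-testbed to each stanza declares that the test leaves the testbed in a modified state, so a runner that cannot revert the testbed will skip it.
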
31diff --git a/debian/tests/kinit b/debian/tests/kinit
32new file mode 100644
33index 0000000..5c5075f
34--- /dev/null
35+++ b/debian/tests/kinit
36@@ -0,0 +1,27 @@
37+#!/bin/sh
38+
39+set -ex
40+
41+. debian/tests/util
42+
43+TEST_REALM="EXAMPLE.INTERNAL"
44+MYHOSTNAME="krb5-dep8.internal"
45+adjust_hostname "${MYHOSTNAME}"
46+
47+create_realm "${TEST_REALM}" "${MYHOSTNAME}"
48+
49+# create a random-enough principal
50+principal="testuser$$"
51+kadmin.local -q "addprinc -pw secret ${principal}"
52+
53+# get a ticket
54+echo secret | kinit ${principal}
55+
56+# did we really get a ticket?
57+klist | grep krbtgt/${TEST_REALM}@${TEST_REALM}
58+
59+# destroy it
60+kdestroy
61+
62+# delete the principal
63+kadmin.local -q "delprinc -force ${principal}"
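
Review bot: in the "did we really get a ticket?" check, the pattern krbtgt/${TEST_REALM}@${TEST_REALM} is passed to grep unquoted and as a regular expression, so the dots in EXAMPLE.INTERNAL match any character; grep -F "krbtgt/${TEST_REALM}@${TEST_REALM}" would assert the exact ticket name. Separately, because of set -e the kdestroy and delprinc steps at the end are skipped whenever an earlier command fails; a trap on EXIT would make the cleanup unconditional.
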
64diff --git a/debian/tests/slapd-gssapi b/debian/tests/slapd-gssapi
65new file mode 100644
66index 0000000..1b28606
67--- /dev/null
68+++ b/debian/tests/slapd-gssapi
69@@ -0,0 +1,52 @@
70+#!/bin/sh
71+
72+set -ex
73+
74+. debian/tests/util
75+
76+TEST_REALM="EXAMPLE.INTERNAL"
77+MYHOSTNAME="krb5-dep8.internal"
78+adjust_hostname "${MYHOSTNAME}"
79+
80+create_realm "${TEST_REALM}" "${MYHOSTNAME}"
81+
82+# restart slapd
83+systemctl restart slapd.service
84+
85+# create a random-enough principal
86+principal="testuser$$"
87+kadmin.local -q "addprinc -pw secret ${principal}"
88+
89+# create an ldap service principal
90+kadmin.local -q "addprinc -randkey ldap/${MYHOSTNAME}"
91+
92+# extract the key into the system keytab
93+kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/${MYHOSTNAME}"
94+
95+# make sure the user under which the service runs can read that keytab
96+chown root:openldap /etc/krb5.keytab
97+chmod 0640 /etc/krb5.keytab
98+
99+# Prepare some LDAP defaults
100+# The LDAP base doesn't matter for this test
101+cat > /etc/ldap/ldap.conf <<EOF
102+BASE dc=example,dc=internal
103+URI ldap://${MYHOSTNAME}/
104+SASL_REALM ${TEST_REALM}
105+# Do not perform reverse DNS lookups to canonicalize SASL host names.
106+SASL_NOCANON yes
107+EOF
108+
109+# moment of truth
110+# first, authenticate ourselves
111+echo secret | kinit ${principal}
112+klist | grep krbtgt/${TEST_REALM}@${TEST_REALM}
113+
114+# now let's see if ldap thinks we are authenticated with gssapi
115+ldapwhoami -Y GSSAPI -Q | grep -E "^dn:uid=${principal},cn=gssapi,cn=auth"
116+
117+# and we should have an ldap ticket
118+klist | grep ldap/${MYHOSTNAME}@${TEST_REALM}
119+
120+# remove tickets
121+kdestroy
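
Review bot: the ktadd, chown and chmod lines put the ldap/${MYHOSTNAME} key into the system-wide /etc/krb5.keytab and then make that file readable by the openldap group. That is contained here only because create_realm removes the keytab first; a comment saying so, or a dedicated keytab for slapd selected through KRB5_KTNAME, would keep the pattern from being copied to a host whose system keytab also holds other service keys. The test also leaves both principals and the rewritten /etc/ldap/ldap.conf in place, unlike debian/tests/kinit, which deletes its principal.
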
122diff --git a/debian/tests/util b/debian/tests/util
123new file mode 100644
124index 0000000..b4c5838
125--- /dev/null
126+++ b/debian/tests/util
127@@ -0,0 +1,65 @@
128+#!/bin/sh
129+
130+set -ex
131+
132+adjust_hostname() {
133+ local myhostname="$1"
134+
135+ echo "${myhostname}" > /etc/hostname
136+ hostname "${myhostname}"
137+ if ! grep -qE "${myhostname}" /etc/hosts; then
138+ # just so it's resolvable
139+ echo "127.0.1.10 ${myhostname}" >> /etc/hosts
140+ fi
141+}
142+
143+create_realm() {
144+ local realm_name="$1"
145+ local kerberos_server="$2"
146+
147+ # start fresh
148+ rm -rf /var/lib/krb5kdc/*
149+ rm -rf /etc/krb5kdc/*
150+ rm -f /etc/krb5.keytab
151+
152+ # setup some defaults
153+ cat > /etc/krb5kdc/kdc.conf <<EOF
154+[kdcdefaults]
155+ kdc_ports = 750,88
156+[realms]
157+ ${realm_name} = {
158+ database_name = /var/lib/krb5kdc/principal
159+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
160+ acl_file = /etc/krb5kdc/kadm5.acl
161+ key_stash_file = /etc/krb5kdc/stash
162+ kdc_ports = 750,88
163+ max_life = 10h 0m 0s
164+ max_renewable_life = 7d 0h 0m 0s
165+ master_key_type = des3-hmac-sha1
166+ #supported_enctypes = aes256-cts:normal aes128-cts:normal
167+ default_principal_flags = +preauth
168+ }
169+EOF
170+
171+ cat > /etc/krb5.conf <<EOF
172+[libdefaults]
173+ default_realm = ${realm_name}
174+ kdc_timesync = 1
175+ ccache_type = 4
176+ forwardable = true
177+ proxiable = true
178+ fcc-mit-ticketflags = true
179+[realms]
180+ ${realm_name} = {
181+ kdc = ${kerberos_server}
182+ admin_server = ${kerberos_server}
183+ }
184+EOF
185+ echo "# */admin *" > /etc/krb5kdc/kadm5.acl
186+
187+ # create the realm
188+ kdb5_util create -s -P secretpassword
189+
190+ # restart services
191+ systemctl restart krb5-kdc.service krb5-admin-server.service
192+}
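
Review bot: in the generated kdc.conf, master_key_type = des3-hmac-sha1 is set while the supported_enctypes line naming aes256-cts and aes128-cts is commented out, so the realm's master key uses triple-DES, a legacy encryption type. Unless the test is meant to cover des3, setting master_key_type to aes256-cts (or dropping the line) keeps the test from depending on an enctype that may be disabled. In adjust_hostname, grep -qE "${myhostname}" treats the dots in the hostname as wildcards and matches substrings of other entries; grep -qF is closer to the intent.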
