Emit error in logs if keytab files can't be opened

simo5 · frozencemetery · commit 8ef0dc89d84e · 2020-09-03T10:36:31.000-04:00
This will give a useful warning to admins when config point to missing
files.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
@@ -1532,6 +1532,23 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig,
     }
     cfg->cred_store->count++;
 
+    /* check for files that we know should be present, so admins get
+     * some rope to figure out issues when they cannot be accessed */
+    if (strcmp(key, "keytab") == 0 ||
+        strcmp(key, "client_keytab") == 0) {
+        apr_status_t rc;
+        apr_file_t *file;
+        rc = apr_file_open(&file, value, APR_FOPEN_READ, 0, parms->pool);
+        if (rc != APR_SUCCESS) {
+            char err[256];
+            apr_strerror(rc, err, sizeof(err));
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                         "Cannot open %s file %s: %s", key, value, err);
+        } else {
+            apr_file_close(file);
+        }
+    }
+
     elements[count].key = key;
     elements[count].value = value;
 
diff --git a/tests/httpd.conf b/tests/httpd.conf
@@ -346,3 +346,16 @@ CoreDumpDirectory "{HTTPROOT}"
   GssapiPublishMech On
   Require valid-user
 </Location>
+
+<Location /keytab_file_check>
+  AuthType GSSAPI
+  AuthName "Password Login"
+  GssapiSSLonly Off
+  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:{HTTPROOT}/nofile/http.keytab
+  GssapiCredStore keytab:{HTTPROOT}/nofile/http.keytab
+  GssapiBasicAuth On
+  GssapiBasicAuthMech krb5
+  GssapiPublishMech On
+  Require valid-user
+</Location>
diff --git a/tests/magtests.py b/tests/magtests.py
@@ -410,6 +410,7 @@ def setup_http(testdir, so_dir, wrapenv):
     os.mkdir(os.path.join(httpdir, 'conf.d'))
     os.mkdir(os.path.join(httpdir, 'html'))
     os.mkdir(os.path.join(httpdir, 'logs'))
+    httpdstdlog = os.path.join(testdir, 'httpd.stdlog')
 
     distro = "Fedora"
     moddir = "/etc/httpd/modules"
@@ -443,7 +444,9 @@ def setup_http(testdir, so_dir, wrapenv):
     })
 
     httpd = "httpd" if distro == "Fedora" else "apache2"
+    log = open(httpdstdlog, 'a')
     httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+                                stdout=log, stderr=log,
                                 env=httpenv, preexec_fn=os.setsid)
     return httpproc
 
@@ -782,7 +785,9 @@ def http_restart(testdir, so_dir, testenv):
 
     httpd = "httpd" if os.path.exists("/etc/httpd/modules") else "apache2"
     config = os.path.join(testdir, 'httpd', 'httpd.conf')
+    log = open(os.path.join(testdir, 'httpd.stdlog'), 'a')
     httpproc = subprocess.Popen([httpd, '-DFOREGROUND', '-f', config],
+                                stdout=log, stderr=log,
                                 env=httpenv, preexec_fn=os.setsid)
     return httpproc
 
@@ -803,6 +808,22 @@ def test_mech_name(testdir, testenv, logfile):
     return 0
 
 
+def test_file_check(testdir, testenv, logfile):
+    basicdir = os.path.join(testdir, 'httpd', 'html', 'keytab_file_check')
+    os.mkdir(basicdir)
+    shutil.copy('tests/index.html', basicdir)
+
+    filec = subprocess.Popen(["tests/t_file_check.py"],
+                             stdout=logfile, stderr=logfile,
+                             env=testenv, preexec_fn=os.setsid)
+    filec.wait()
+    if filec.returncode == 0:
+        sys.stderr.write('FILE-CHECK: FAILED\n')
+        return 1
+    sys.stderr.write('FILE-CHECK: SUCCESS\n')
+    return 0
+
+
 if __name__ == '__main__':
     args = parse_args()
 
@@ -872,6 +893,8 @@ def test_mech_name(testdir, testenv, logfile):
 
         errs += test_mech_name(testdir, testenv, logfile)
 
+        errs += test_file_check(testdir, testenv, logfile)
+
         # After this point we need to speed up httpd to test creds timeout
         try:
             fakeenv = faketime_setup(kdcenv)
diff --git a/tests/t_file_check.py b/tests/t_file_check.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+if __name__ == '__main__':
+    url = 'http://%s/keytab_file_check/' % os.environ['NSS_WRAPPER_HOSTNAME']
+    r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'],
+                                             os.environ['MAG_USER_PASSWORD']))
+    if r.status_code != 200:
+        raise ValueError('Basic Auth Failed(Keytab File Check)')
