1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
|
#!/bin/bash
set -e
PY_MAJOR=${PYENV:0:1}
export KERBEROS_HOSTNAME=$(cat /etc/hostname)
export KERBEROS_REALM=$(echo $KERBEROS_HOSTNAME | cut -d'.' -f2,3)
export DEBIAN_FRONTEND=noninteractive
echo "Setting up Kerberos config file at /etc/krb5.conf"
cat > /etc/krb5.conf << EOL
[libdefaults]
default_realm = ${KERBEROS_REALM^^}
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
${KERBEROS_REALM^^} = {
kdc = localhost
admin_server = localhost
}
[domain_realm]
.$KERBEROS_REALM = ${KERBEROS_REALM^^}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
EOL
echo "Setting up kerberos ACL configuration at /etc/krb5kdc/kadm5.acl"
mkdir /etc/krb5kdc
echo -e "*/*@${KERBEROS_REALM^^}\t*" > /etc/krb5kdc/kadm5.acl
echo "Installing all the packages required in this test"
apt-get update
apt-get \
-yq \
-qq \
install \
krb5-{user,kdc,admin-server,multidev} \
libkrb5-dev \
curl \
apache2 \
libapache2-mod-auth-gssapi \
build-essential
echo "Creating KDC database"
# krb5_newrealm returns non-0 return code as it is running in a container, ignore it for this command only
set +e
printf "$KERBEROS_PASSWORD\n$KERBEROS_PASSWORD" | krb5_newrealm
set -e
echo "Creating principals for tests"
kadmin.local -q "addprinc -pw $KERBEROS_PASSWORD $KERBEROS_USERNAME"
echo "Adding HTTP principal for Kerberos and create keytab"
kadmin.local -q "addprinc -randkey HTTP/$KERBEROS_HOSTNAME"
kadmin.local -q "ktadd -k /etc/krb5.keytab HTTP/$KERBEROS_HOSTNAME"
chmod 777 /etc/krb5.keytab
echo "Restarting Kerberos KDS service"
service krb5-kdc restart
echo "Add ServerName to Apache config"
grep -q -F "ServerName $KERBEROS_HOSTNAME" /etc/apache2/apache2.conf || echo "ServerName $KERBEROS_HOSTNAME" >> /etc/apache2/apache2.conf
echo "Deleting default virtual host file"
rm /etc/apache2/sites-enabled/000-default.conf
rm /etc/apache2/sites-available/000-default.conf
rm /etc/apache2/sites-available/default-ssl.conf
echo "Create website directory structure and pages"
mkdir -p /var/www/example.com/public_html
chmod -R 755 /var/www
echo "<html><head><title>Title</title></head><body>body mesage</body></html>" > /var/www/example.com/public_html/index.html
echo "Create self signed certificate for HTTPS endpoint"
mkdir /etc/apache2/ssl
openssl req \
-x509 \
-nodes \
-days 365 \
-newkey rsa:2048 \
-keyout /etc/apache2/ssl/https.key \
-out /etc/apache2/ssl/https.crt \
-subj "/CN=$KERBEROS_HOSTNAME/o=Testing LTS./C=US"
echo "Create virtual host files"
cat > /etc/apache2/sites-available/example.com.conf << EOL
<VirtualHost *:80>
ServerName $KERBEROS_HOSTNAME
ServerAlias $KERBEROS_HOSTNAME
DocumentRoot /var/www/example.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory "/var/www/example.com/public_html">
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
Require user $KERBEROS_USERNAME@${KERBEROS_REALM^^}
GssapiCredStore keytab:/etc/krb5.keytab
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName $KERBEROS_HOSTNAME
ServerAlias $KERBEROS_HOSTNAME
DocumentRoot /var/www/example.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/https.crt
SSLCertificateKeyFile /etc/apache2/ssl/https.key
<Directory "/var/www/example.com/public_html">
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
Require user $KERBEROS_USERNAME@${KERBEROS_REALM^^}
GssapiCredStore keytab:/etc/krb5.keytab
</Directory>
</VirtualHost>
EOL
echo "Enabling virtual host site"
a2enmod ssl
a2ensite example.com.conf
service apache2 restart
echo "Getting ticket for Kerberos user"
echo -n "$KERBEROS_PASSWORD" | kinit "$KERBEROS_USERNAME@${KERBEROS_REALM^^}"
echo "Try out the HTTP connection with curl"
CURL_OUTPUT=$(curl --negotiate -u : "http://$KERBEROS_HOSTNAME")
if [ "$CURL_OUTPUT" != "<html><head><title>Title</title></head><body>body mesage</body></html>" ]; then
echo -e "ERROR: Did not get success message, cannot continue with actual tests:\nActual Output:\n$CURL_OUTPUT"
exit 1
else
echo -e "SUCCESS: Apache site built and set for Kerberos auth\nActual Output:\n$CURL_OUTPUT"
fi
echo "Try out the HTTPS connection with curl"
CURL_OUTPUT=$(curl --negotiate -u : "https://$KERBEROS_HOSTNAME" --insecure)
if [ "$CURL_OUTPUT" != "<html><head><title>Title</title></head><body>body mesage</body></html>" ]; then
echo -e "ERROR: Did not get success message, cannot continue with actual tests:\nActual Output:\n$CURL_OUTPUT"
exit 1
else
echo -e "SUCCESS: Apache site built and set for Kerberos auth\nActual Output:\n$CURL_OUTPUT"
fi
echo "Updating pip and installing library"
pip$PY_MAJOR install -U pip setuptools
pip$PY_MAJOR install .
pip$PY_MAJOR install -r requirements-test.txt
echo "Outputting build info before tests"
echo "Python Version: $(python$PY_MAJOR --version 2>&1)"
echo "Pip Version: $(pip$PY_MAJOR --version)"
echo "Pip packages: $(pip$PY_MAJOR list)"
echo "Running Python tests"
export KERBEROS_PRINCIPAL="$KERBEROS_USERNAME@${KERBEROS_REALM^^}"
export KERBEROS_URL="http://$KERBEROS_HOSTNAME"
python$PY_MAJOR -m pytest -v --cov=requests_kerberos\
echo "Running Python test over HTTPS for basic CBT test"
export KERBEROS_URL="https://$KERBEROS_HOSTNAME"
python$PY_MAJOR -m pytest -v --cov=requests_kerberos\
|
