Fixes: #224
Signed-off-by: Stanislav Levin <slev@altlinux.org>

python3-devel is required to build python-gssapi within
virtualenv.

Signed-off-by: Stanislav Levin <slev@altlinux.org>

This changes the way in which a test environment is prepared.

Before:
specific -> global

After:
global -> specific

In particular, this allows setting PATH env variable differed from
the global configuration.

Fixes: #226
Signed-off-by: Stanislav Levin <slev@altlinux.org>

This will give a useful warning to admins when config point to missing
files.

Signed-off-by: Simo Sorce <simo@redhat.com>

In most cases, people configuring GssapiUseS4U2Proxy should really
set all three cred store options for keytab, client_keytab, and ccache
to isolate httpd from default system ccaches and keytabs.

Not doing so unintentionally easily leads to very hard to debug issues
when trying to use the proxying feature.

Not enforcing as a hard misconfiguration both for compatibility reasons
and also because there are corner cases where the configuration is
intentional.

Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: typo fix and commit message cleanup]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>

When moving 2 -> 3, python elected to keep "python" as the name of the
python2 interpreter.  As a result, python3-only machines have no
/usr/bin/python.  Since python2 is EOL, it should be safe to make our
scripting default to python3.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

virtualenv relies on its executable being ahead of the system ones.  For
setting up the KDC, we don't have a preferencee - we just need the sbins
to be available.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Bison complains that, for yacc compliance, %type is for nonterminals.

Resolves: #236
Signed-off-by: Robbie Harwood <rharwood@redhat.com>

This test shows that currently GssapiAcceptor {HOSTNAME} option will
break the S4U2Proxy case.

Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: nits]

This applies only to the case when GssapiS4U2Proxy is enabled.

When using the {HOSTNAME} acceptor, the principal used in the server
ccache can vary with each request. GSSAPI does not handle gracefully
a request to resolve a ccache if there is already another credential
under a different name. Even with ccache collections GSSAPI will
resolve an existing ccache from the collection if any is available and
throw an error if it does not match the desired_name. This even if
there is a client_keytab that could be used to initiate a new cache in
the collection with the right name.

Therefore in case GssapiAcceptor is set to the special value {HOSTNAME},
instead of using the provided ccache or the process default ccache we
create a new ccache named after the hostname in the delegated ccache
directory. This directory is required when the S4U2Proxy mode is enabled
so we are guaranteed to have it available an writable.

Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: nits]

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

OpenSSL 3 changes the padding behavior of EVP_DecryptFinal_ex(), which
causes our decryption to fail.  It is the opnion of the OpenSSL
developers that mod_auth_gssapi's use of this function was incorrect.

Patch suggested by Tomáš Mráz.

Related: openssl/openssl#16351

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Signed-off-by: Simo Sorce <simo@redhat.com>

Signed-off-by: Simo Sorce <simo@redhat.com>