Jon Robertson [Tue, 30 Sep 2014 05:22:01 +0000 (22:22 -0700)]
Finished first pass at mod_webkdc automated tests
The main tests are now all complete save PHP. The multifactor tests
have been halted for now due to waiting on template completion and
having higher-priority tasks to finish.
Jon Robertson [Mon, 22 Sep 2014 20:44:34 +0000 (13:44 -0700)]
Give a validation remctl command its own timeout error
In order to set up out of band methods that will time out if the user
doesn't respond to the out of band prompt (such as a phone call), we
need to have a validation remctl call tell us specifically if it timed
out. Currently it's just sent as a WK_ERR_UNRECOVERABLE_ERROR, which
makes it impossible to carve out special logic for a timeout. This will
now be sent as its own error code.
Currently this is only true for validate and not for the userinfo
command. If we later need to do special things for userinfo timeouts as
well, we'll build on this work.
Jon Robertson [Thu, 18 Sep 2014 06:26:18 +0000 (23:26 -0700)]
First pass at updating all tests for clarity and auto-running
Clarified a lot of the test information on the index page. Started to
do scripts with WWW::Mechanize to test an install. These tests do rely
on the Stanford templates so aren't good for general use. But then, the
multifactor tests were already relying on assumptions about our
infrastructure.
Jon Robertson [Tue, 26 Aug 2014 06:18:03 +0000 (23:18 -0700)]
WebLogin: Changes for better multifactor handling
* Reread multifactor data from fields on the multifactor template page.
* Pass a FreezeThaw version of the devices to the template as well, so
that it can be kept for future iterations.
* Attempt multifactor login even if there is no passcode given, to
accommodate non-passcode methods.
* Catch the unrecoverable error page from multifactor temporarily, as
we'll hit that error if an out-of-band method times out. Later we
want to expose the timeout as an actual error on its own instead so
that we can match against it rather than unrecoverable error.
Change-Id: I950b200c9ab58abfff9e59f65b29cd06c4c8d98c
Reviewed-on: https://gerrit.stanford.edu/1618
Reviewed-by: Jon Robertson <jonrober@stanford.edu>
Tested-by: Jon Robertson <jonrober@stanford.edu>
Russ Allbery [Fri, 15 Aug 2014 00:44:32 +0000 (17:44 -0700)]
Add temporary test code to the multifactor template
To check the data returned from the WebKDC for the default device
and factor, and for the device list, add some temporary testing
code to print all of that out in the template. This should probably
be removed before a release.
Russ Allbery [Fri, 15 Aug 2014 00:43:23 +0000 (17:43 -0700)]
Add support for new multifactor data in WebLogin code
Support reading device_id from the posted form and passing it
through in the login token. Support reading the default device
and factor and the device list from mod_webkdc and exposing it
to the templates. Not yet tested thoroughly or end-to-end.
Russ Allbery [Thu, 14 Aug 2014 01:26:33 +0000 (18:26 -0700)]
Provide the device and default factor information to WebLogin
Pass the device information and default device through from the
user information service to the response to a WebLogin
<requestTokenRequest> so that it can be, eventually, passed all the
way to the templates.
Russ Allbery [Thu, 14 Aug 2014 00:23:16 +0000 (17:23 -0700)]
Add support for default and device info in userinfo calls
In the JSON implementation of the user information call, add
support for reading default device information and the list of
configured devices. Add support for passing in the device ID
for validate calls, and pull it out of the login token. (This
field is ignored with the old XML protocol.)
Russ Allbery [Thu, 14 Aug 2014 00:22:20 +0000 (17:22 -0700)]
Change the protocol for returning device information to WebLogin
Use more, separate XML elements to better match the information
model returned by the user information service using JSON, instead
of collapsing everything as attributes.
Russ Allbery [Thu, 14 Aug 2014 00:16:16 +0000 (17:16 -0700)]
Recognize more failed login error codes from Kerberos
Recognize KRB5_BAD_ENCTYPE, KRB5_GET_IN_TKT_LOOP, KRB5_PREAUTH_FAILED,
and KRB5KRB_AP_ERR_MODIFIED as additional synonyms for a failed login
error code. Various combinations of recent MIT and Heimdal with
different KDCs return these error codes if the password is incorrect.
Russ Allbery [Wed, 13 Aug 2014 23:48:44 +0000 (16:48 -0700)]
Add new device_id field to login tokens
This will be used by WebLogin to pass the authenticating device
identifier through to the WebKDC. Add the field to the login
token encoding and to all of the various tests, and adjust the
test suite construction of login tokens to account for the extra
field. Pass through a value in multifactor tests in preparation
for further tests that actually use that field.
Russ Allbery [Tue, 12 Aug 2014 03:26:58 +0000 (20:26 -0700)]
Add a note about possible Kerberos APIs for ticket serialization
Peter Mogensen pointed out MIT Kerberos APIs that can be used to
serialize a ticket in a native format, which would be a nice
replacement for our home-grown serialization format. Add a note
about that to TODO.
Russ Allbery [Thu, 7 Aug 2014 20:42:43 +0000 (13:42 -0700)]
Bump shared library versioning
The addition of the new json flag in the user information service
configuration will force this, and I plan on changing the API for
the user information service calls as well.
Russ Allbery [Thu, 7 Aug 2014 02:13:13 +0000 (19:13 -0700)]
Refactor JSON argument construction with macros
Add macros that wrap the error checking when building JSON objects
and that correctly free temporary objects. Use that to restructure
the command construction so that it shouldn't leak memory and is
much easier to read.
Russ Allbery [Thu, 7 Aug 2014 00:35:03 +0000 (17:35 -0700)]
Refactor userinfo code
Separate the remctl support, XML parsing, and JSON parsing into
separate source files to make each source file more comprehensible.
While doing this, stop always sending ip to the user information
service in the JSON protocol. Now that we have a protocol that can
handle optional arguments easily, don't send ip if we don't have an
IP address.
Russ Allbery [Mon, 4 Aug 2014 20:52:20 +0000 (13:52 -0700)]
Enable JSON testing and fix one minor bug
Enable testing of the new JSON support in the user information
service, and fix one minor bug that surfaced in that testing.
The JSON code now produces results equivalent to the non-JSON
code.
Russ Allbery [Sat, 2 Aug 2014 02:22:10 +0000 (19:22 -0700)]
Initial framework for testing JSON user information calls
Add the remctl interface, the Perl backend, and the JSON data
for testing the user information service with JSON. This is not
yet hooked into the test suite.
Russ Allbery [Sat, 2 Aug 2014 02:18:52 +0000 (19:18 -0700)]
Initial implementation of JSON user information service support
An initial implementation of a new user information service protocol
that uses JSON for communication. The JSON call and parsing of the
result is implemented and compiles, but is not yet tested and is
probably buggy. The code is in significant need of refactoring at
some point.
Russ Allbery [Sat, 2 Aug 2014 01:22:55 +0000 (18:22 -0700)]
Remove remctl and kadmin-remctl references in README
This was for the separate query for the user's password expiration,
which is no longer supported in favor of pulling that information
from the user information service and passing it down from mod_webkdc.
The change in the webauth_webkdc_config struct means that some
interfaces are no longer compatible with previous releases. Be
conservative and bump all of the library versioning. (Normally
I wouldn't do an ABI bump in a minor release, but in this case
the effect of the changes is very minor, just still an ABI break.)
* Use Lancaster Consensus environment variables to control tests.
* Use calloc or reallocarray for protection against integer overflows.
* Suppress warnings from Kerberos headers in non-system paths.
* Update warning flags when building with make warnings.
* Only pass warning suppression flags to Perl under make warnings.
Update to C TAP Harness 3.1:
* Check for integer overflow on memory allocations.
* Avoid all remaining uses of sprintf.
Translate an EINVAL error from the Kerberos libraries during password
authentication to an incorrect password error code. Older versions of
MIT Kerberos returned EINVAL for excessively long passwords.
Translate KRB5_KDC_UNREACH to WA_PEC_USER_REJECTED
When translating Kerberos errors, treat KRB5_KDC_UNREACH (cannot
contact any KDC for realm) as a user rejected error instead of a
Kerberos error. This avoids returning an internal error from WebLogin
and instead tells the user the username is invalid. This is not
always correct, since the unreachable KDC could be the local KDC, but
it's better than the previous behavior of throwing internal errors
when users enter email addresses as their username.
Allow newlines, CR, and LF in XML from WebKDC to WebLogin
Allow newlines, carriage returns, and tabs in the XML sent from the
WebKDC to the WebLogin server rather than replacing them with periods.
This fixes the display of <user-message> elements that contain
newlines.
Add a new configuration directive, WebKdcFastArmorCache, for
mod_webkdc. If set, this specifies the path to a Kerberos ticket
cache that can (and must) be used for FAST (Flexible Authentication
Secure Tunneling) protection of Kerberos password authentications.
The Kerberos KDC must also support FAST in order to safely enable this
option. Based on a patch by Jakob Uhd Jepsen (One.com A/S).
Fix parsing of the WebKdcKerberosFactors configuration directive.
Warn about credential delegation to load-balanced pools
Warn in the mod_webauth documentation that, when using credential
delegation to a load-balanced pool, all members of that pool must have
the same Kerberos identity.
Fix various grammar and wording issues in the protocol spec
Clarify the contents of the token returned to the WAS from the
WebKDC and the reason for having the session key both outside and
inside the encrypted token. Fix various other grammar and wording
mistakes, including using a more appropriate preposition than "in"
for specifying the key used for an encryption.
Add new factors mp (mobile push) and v (voice), which count as
separate classes for determining multifactor. This means the
combination of those factors with any other factor class will result
in a synthesized multifactor factor.
Update WebKDC to WebLogin protocol for new factor information
Add support for passing additional information about each
configured factor to enable better prompting in WebLogin. Provide
a device ID and a mechanism for WebLogin to return it to the
WebKDC when requesting authentication.
Override the value of BYPASS_CONFIRM if the WebKDC returns a list
of permitted_authz identities. Without this, users are unable to
assert an authz identity.
Russ Allbery [Sat, 10 May 2014 05:59:42 +0000 (22:59 -0700)]
Build correctly when remctl support is disabled
The new remctl-based password change protocol broke the build of
the library when remctl support was not enabled due to an
incorrectly-named stub function. Fix the function name and
diagnose attempting to configure remctl-based password change
without support for it earlier in the code path.
Russ Allbery [Sat, 10 May 2014 05:58:36 +0000 (22:58 -0700)]
Avoid gcc warnings when built without remctl support
GCC 4.8 warns about use of uninitialized variables when the userinfo
code is built without remctl support since it doesn't realize we
never reach the problematic code. Initialize the relevant variables
to NULL to unconfuse it.
Improve WebLogin logic for showing password expiration warning
Show the expiring password warning in WebLogin if the browser request
was a POST. Previously, it was skipped if the user had a REMOTE_USER
preference or if the browser presented a single sign-on cookie. This
was too conservative, not warning in cases when REMOTE_USER failed,
when the browser presented an expired single sign-on cookie (systems
that are suspended rather than shut down, for example), and when the
user has to do multifactor authentication. Checking for a POST is a
closer match for when we can force a confirmation screen without too
much user disruption.
Support for AuthType StanfordAuth (for backward compatibility with
WebAuth 2.5) was broken in WebAuth 4.6.0, causing mod_webauth to
reject all accesses to resources protected with that AuthType. This
has been fixed in this release.
Check the username parameter in WebLogin multifactor pages
In WebLogin, verify that the username form field was sent before
attempting to do multifactor operations and return an error if it
isn't, avoiding undefined variable warnings and other errors deeper in
the WebLogin code.
Russ Allbery [Thu, 20 Mar 2014 00:23:13 +0000 (17:23 -0700)]
Add upgrade warning about keyring permissions
Retroactively add a warning to NEWS about the permission change
required for the keyring when upgrading from older versions of
WebAuth. Clarify keyring permissions in INSTALL.
Russ Allbery [Wed, 19 Mar 2014 05:38:56 +0000 (22:38 -0700)]
Restructure and improve the mod_webauth tests
Move the logout script up a level so that it isn't covered by the
authentication requirement (auth/logout was weird). Adjust the
test harness so that tests can use an alternative logout path.
Move the tests for cookie path scoping to a separate directory so
that the whole directory can have the same path scope and they can
have their own logout script. Simplify the structure of those
tests somewhat.
Russ Allbery [Wed, 19 Mar 2014 05:38:00 +0000 (22:38 -0700)]
Fix logout handling
When path-scoped cookies were introduced, the change broke the
cookie nuking for WebAuthDoLogout. Correct this, and use a path
of / instead of (null) if no path was set.
Russ Allbery [Wed, 19 Mar 2014 00:14:14 +0000 (17:14 -0700)]
Ensure the keyring can be loaded at module entry points
At each module entry point that might perform actions with the
keyring, ensure that the keyring is loaded and return an appropriate
error immediately if it's not. Ensure there are sanity checks in
place for all places the keyring might be used.
Return HTTP_INTERNAL_SERVER_ERROR if configuring the WebKDC fails.
Vegard Edvardsen [Tue, 18 Mar 2014 06:17:23 +0000 (23:17 -0700)]
Use separate per-virtual-host internal keyrings
mod_webauth and mod_webkdc now maintain separate in-memory keyrings
per virtual host, and the WebAuthKeyring, WebKdcKeyring, and related
directives are now correctly honored in the virtual host configuration
and can be meaningfully set to different values. This allows the
modules to work properly with the ITK MPM with separate keyrings owned
by different users for each virtual host so that proper privilege
separation between virtual hosts is maintained.
Russ Allbery [Tue, 18 Mar 2014 05:28:06 +0000 (22:28 -0700)]
Preserve ownership and permissions on keyring updates
WebAuth keyring updates via either mod_webauth's or mod_webkdc's
auto-update support or via wa_keyring now preserve the keyring
ownership and permissions where possible, with the exception that the
permissions are not preserved if the old permissions included group
access and the group ownership could not be preserved.
Russ Allbery [Wed, 12 Mar 2014 06:12:35 +0000 (23:12 -0700)]
Add locking to keyring updates
webauth_keyring_write and webauth_keyring_auto_update now lock the
keyring, using a separate lock file named by appending ".lock" to the
name of the keyring. This applies to the keyrings used by
mod_webauth, mod_webkdc, and the wa_keyring utility and ensures that
only one process attempts to update a keyring at the same time. These
functions continue to use atomic replacement on all writes, and no
locks are used for reading the keyring.
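The two commits above (preserving ownership and permissions, and locking updates with a ".lock" file while keeping atomic replacement and lock-free reads) combine into one update routine. The following is an added example and not WebAuth's own code: the function names are hypothetical, `flock()` is an assumed choice of locking primitive (the commit does not say which one libwebauth uses), and the keyring content is a constructed byte string rather than a real keyring encoding. The ".lock" naming, the write-to-temp-then-rename pattern, and the rule that the old mode is not reapplied when it granted group access but the group could not be preserved follow the commit messages.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not WebAuth code: names are hypothetical and flock() is an
 * assumed choice of lock; the ".lock" naming, atomic replacement and the
 * attribute-preservation rule follow the commit messages above. */

/* Take an exclusive lock on "<path>.lock"; returns the lock fd or -1. */
static int keyring_lock(const char *path) {
    char lock[4096];
    int fd, n = snprintf(lock, sizeof lock, "%s.lock", path);
    if (n < 0 || (size_t) n >= sizeof lock) return -1;
    fd = open(lock, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX) < 0) { close(fd); return -1; }
    return fd;
}

/* Copy owner, group and mode from the old keyring onto the new file.
 * If the group cannot be preserved and the old mode granted group access,
 * the old mode is deliberately not applied: the file keeps the 0600 mode
 * mkstemp gave it, so no unintended group gains access. */
static int preserve_attrs(const struct stat *old, int fd) {
    int group_ok = 1;
    if (fchown(fd, old->st_uid, old->st_gid) < 0
        && fchown(fd, (uid_t) -1, old->st_gid) < 0)
        group_ok = 0;
    if (!group_ok && (old->st_mode & S_IRWXG)) return 0;
    return fchmod(fd, old->st_mode & 07777);
}

/* Write a complete keyring: lock, write a temp file in the same directory,
 * fsync, preserve attributes, rename into place. 0 on success, -1 on error. */
int keyring_write(const char *path, const void *data, size_t len) {
    char tmp[4096];
    struct stat old;
    const char *p = data;
    int have_old, lockfd, fd, rc = -1;
    int n = snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if (n < 0 || (size_t) n >= sizeof tmp) return -1;
    if ((lockfd = keyring_lock(path)) < 0) return -1;
    have_old = (stat(path, &old) == 0);
    if ((fd = mkstemp(tmp)) < 0) goto out;        /* created with mode 0600 */
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w <= 0) goto fail;
        p += w;
        len -= (size_t) w;
    }
    if (fsync(fd) < 0) goto fail;
    if (have_old && preserve_attrs(&old, fd) < 0) goto fail;
    if (rename(tmp, path) < 0) goto fail;
    rc = 0;
    close(fd);
    goto out;
fail:
    close(fd);
    unlink(tmp);
out:
    close(lockfd);                                 /* closing releases the flock */
    return rc;
}

/* Readers take no lock: rename() publishes a complete file, so a reader
 * sees either the old or the new keyring, never a half-written one. */
ssize_t keyring_read(const char *path, char *buf, size_t buflen) {
    int fd = open(path, O_RDONLY);
    ssize_t n;
    if (fd < 0) return -1;
    n = read(fd, buf, buflen);
    close(fd);
    return n;
}

/* Self-check on constructed data in a scratch directory: two updates, the
 * second preserving a 0640 mode set on the first. Returns 1 on success. */
int demo_selfcheck(void) {
    char dir[] = "/tmp/keyring-demo-XXXXXX";
    char path[4096], lock[4096], buf[64];
    struct stat st;
    int ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof path, "%s/keyring", dir);
    snprintf(lock, sizeof lock, "%s.lock", path);
    if (keyring_write(path, "key-v1", 6) == 0
        && keyring_read(path, buf, sizeof buf) == 6 && memcmp(buf, "key-v1", 6) == 0
        && chmod(path, 0640) == 0
        && keyring_write(path, "key-v2!", 7) == 0
        && keyring_read(path, buf, sizeof buf) == 7 && memcmp(buf, "key-v2!", 7) == 0
        && stat(path, &st) == 0 && (st.st_mode & 07777) == 0640
        && stat(lock, &st) == 0)
        ok = 1;
    unlink(lock); unlink(path); rmdir(dir);
    return ok;
}

int main(void) {
    int ok = demo_selfcheck();
    printf("keyring update check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The lock file is separate from the keyring itself because the keyring is replaced by `rename()`: a lock taken on the keyring's own inode would be lost the moment a writer swapped in a new file, whereas the ".lock" inode stays put across updates. Readers rely only on the rename being atomic, which is why they need no lock.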
Russ Allbery [Tue, 11 Mar 2014 04:30:53 +0000 (21:30 -0700)]
Change wai_error_set* functions to return the new code
Change all library-internal wai_error_set* functions to return the
new error code. Make use of this in various places to shorten or
simplify the code logic.
Since I'm touching every error message anyway, fix a few places
where error messages were unclear or where the wrong error code was
used.
Russ Allbery [Tue, 11 Mar 2014 02:20:52 +0000 (19:20 -0700)]
Fix handling of non-directive sections in module manuals
Based on the mod_fcgid documentation, use the correct method of
labeling non-directive sections so that they get proper sidebar
links. Remove the code from the clean-apache-manual script that
was cobbling this together.
Set the module status to External instead of Contributed, and add
a compatibility section to each module documentation page.
Russ Allbery [Mon, 10 Mar 2014 20:51:19 +0000 (13:51 -0700)]
Update to rra-c-util 5.3 and C TAP Harness 3.0
Update to rra-c-util 5.3:
* Avoid leaking dummy symbols into shared libraries.
* Probe for libdl for OpenSSL libraries (required on AIX).
* Distinguish failure to format output in asprintf wrappers.
* Check return status of snprintf properly.
* Better remctld process management in the test suite.
* Better memory management in Kerberos tests.
* Fix syntax error when building portable/krb5.h with a C++ compiler.
Update to C TAP Harness 3.0:
* Reopen standard input for tests to /dev/null.
* Clean up inherited file descriptors from the test harness.