Jon Robertson [Tue, 30 Sep 2014 05:22:01 +0000 (22:22 -0700)]
Finished first pass at mod_webkdc automated tests
The main tests are now all complete save PHP. The multifactor tests
have been halted for now due to waiting on template completion and
having higher-priority tasks to finish.
Jon Robertson [Mon, 22 Sep 2014 20:44:34 +0000 (13:44 -0700)]
Give a validation remctl command its own timeout error
In order to set up out of band methods that will time out if the user
doesn't respond to the out of band prompt (such as a phone call), we
need to have a validation remctl call tell us specifically if it timed
out. Currently it's just sent as a WK_ERR_UNRECOVERABLE_ERROR, which
makes it impossible to carve out special logic for a timeout. This will
now be sent as its own error code.
Currently this is only true for validate and not for the userinfo
command. If we later need to do special things for userinfo timeouts as
well, we'll build on this work.
Jon Robertson [Thu, 18 Sep 2014 06:26:18 +0000 (23:26 -0700)]
First pass at updating all tests for clarity and auto-running
Clarified a lot of the test information on the index page. Started to
do scripts with WWW::Mechanize to test an install. These tests do rely
on the Stanford templates so aren't good for general use. But then, the
multifactor tests were already relying on assumptions about our
infrastructure.
Jon Robertson [Tue, 26 Aug 2014 06:18:03 +0000 (23:18 -0700)]
WebLogin: Changes for better multifactor handling
* Reread multifactor data from fields on the multifactor template page.
* Pass a FreezeThaw version of the devices to the template as well, so
that it can be kept for future iterations.
* Attempt multifactor login even if there is no passcode given, to
accomodate non-passcode methods.
* Catch the unrecoverable error page from multifactor temporarily, as
we'll hit that error if an out-of-band method times out. Later we
want to expose the timeout as an actual error on its own instead so
that we can match against it rather than unrecoverable error.
Change-Id: I950b200c9ab58abfff9e59f65b29cd06c4c8d98c
Reviewed-on: https://gerrit.stanford.edu/1618 Reviewed-by: Jon Robertson <jonrober@stanford.edu> Tested-by: Jon Robertson <jonrober@stanford.edu>
Russ Allbery [Fri, 15 Aug 2014 00:44:32 +0000 (17:44 -0700)]
Add temporary test code to the multifactor template
To check the data returned from the WebKDC for the default device
and factor, and for the device list, add some temporary testing
code to print all of that out in the template. This should probably
be removed before a release.
Russ Allbery [Fri, 15 Aug 2014 00:43:23 +0000 (17:43 -0700)]
Add support for new multifactor data in WebLogin code
Support reading device_id from the posted form and passing it
through in the login token. Support reading the default device
and factor and the device list from mod_webkdc and exposing it
to the templates. Not yet tested thoroughly or end-to-end.
Russ Allbery [Thu, 14 Aug 2014 01:26:33 +0000 (18:26 -0700)]
Provide the device and default factor information to WebLogin
Pass the device information and default device through from the
user information service to the response to a WebLogin
<requestTokenRequest> so that it can be, eventually, passed all the
way to the templates.
Russ Allbery [Thu, 14 Aug 2014 00:23:16 +0000 (17:23 -0700)]
Add support for default and device info in userinfo calls
In the JSON implementation of the user information call, add
support for reading default device information and the list of
configured devices. Add support for passing in the device ID
for validate calls, and pull it out of the login token. (This
field is ignored with the old XML protocol.)
Russ Allbery [Thu, 14 Aug 2014 00:22:20 +0000 (17:22 -0700)]
Change the protocol for returning device information to WebLogin
Use more, separate XML elements to better match the information
model returned by the user information service using JSON, instead
of collapsing everything as attributes.
Russ Allbery [Thu, 14 Aug 2014 00:16:16 +0000 (17:16 -0700)]
Recognize more failed login error codes from Kerberos
Recognize KRB5_BAD_ENCTYPE, KRB5_GET_IN_TKT_LOOP, KRB5_PREAUTH_FAILED,
and KRB5KRB_AP_ERR_MODIFIED as additional synonyms for a failed login
error code. Various combinations of recent MIT and Heimdal with
different KDCs return these error codes if the password is incorrect.
Russ Allbery [Wed, 13 Aug 2014 23:48:44 +0000 (16:48 -0700)]
Add new device_id field to login tokens
This will be used by WebLogin to pass the authenticating device
identifier through to the WebKDC. Add the field to the login
token encoding and to all of the various tests, and adjust the
test suite construction of login tokens to account for the extra
field. Pass through a value in multifactor tests in preparation
for further tests that actually use that field.
Russ Allbery [Tue, 12 Aug 2014 03:26:58 +0000 (20:26 -0700)]
Add a note about possible Kerberos APIs for ticket serialization
Peter Mogensen pointed out MIT Kerberos APIs that can be used to
serialize a ticket in a native format, which would be a nice
replacement for our home-grown serialization format. Add a note
about that to TODO.
Russ Allbery [Thu, 7 Aug 2014 20:42:43 +0000 (13:42 -0700)]
Bump shared library versioning
The addition of the new json flag in the user information service
configuration will force this, and I plan on changing the API for
the user information service calls as well.
Russ Allbery [Thu, 7 Aug 2014 02:13:13 +0000 (19:13 -0700)]
Refactor JSON argument construction with macros
Add macros that wrap the error checking when building JSON objects
and that correctly free temporary objects. Use that to restructure
the command construction so that it shouldn't leak memory and is
much easier to read.
Russ Allbery [Thu, 7 Aug 2014 00:35:03 +0000 (17:35 -0700)]
Refactor userinfo code
Separate the remctl support, XML parsing, and JSON parsing into
separate source files to make each source file more comprehensible.
While doing this, stop always sending ip to the user information
service in the JSON protocol. Now that we have a protocol that can
handle optional arguments easily, don't send ip if we don't have an
IP address.
Russ Allbery [Mon, 4 Aug 2014 20:52:20 +0000 (13:52 -0700)]
Enable JSON testing and fix one minor bug
Enable testing of the new JSON support in the user information
service, and fix one minor bug that surfaced in that testing.
The JSON code now produces results equivalent to the non-JSON
code.
Russ Allbery [Sat, 2 Aug 2014 02:22:10 +0000 (19:22 -0700)]
Initial framework for testing JSON user information calls
Add the remctl interface, the Perl backend, and the JSON data
for testing the user information service with JSON. This is not
yet hooked into the test suite.
Russ Allbery [Sat, 2 Aug 2014 02:18:52 +0000 (19:18 -0700)]
Initial implementation of JSON user information service support
An initial implementation of a new user information service protocol
that uses JSON for communication. The JSON call and parsing of the
result is implemented and compiles, but is not yet tested and is
probably buggy. The code is in significant need of refactoring at
some point.
Russ Allbery [Sat, 2 Aug 2014 01:22:55 +0000 (18:22 -0700)]
Remove remctl and kadmin-remctl references in README
This was for the separate query for the user's password expiration,
which is no longer supported in favor of pulling that information
from the user information service and passing it down from mod_webkdc.
The change in the webauth_webkdc_config struct means that some
interfaces are no longer compatible with previous releases. Be
conservative and bump all of the library versioning. (Normally
I wouldn't do an ABI bump in a minor release, but in this case
the effect of the changes is very minor, just still an ABI break.)
* Use Lancaster Consensus environment variables to control tests.
* Use calloc or reallocarray for protection against integer overflows.
* Suppress warnings from Kerberos headers in non-system paths.
* Update warning flags when building with make warnings.
* Only pass warning suppression flags to Perl under make warnings.
Update to C TAP Harness 3.1:
* Check for integer overflow on memory allocations.
* Avoid all remaining uses of sprintf.
Translate an EINVAL error from the Kerberos libraries during password
authentication to an incorrect password error code. Older versions of
MIT Kerberos returned EINVAL for excessively long passwords.
Translate KRB5_KDC_UNREACH to WA_PEC_USER_REJECTED
When translating Kerberos errors, treat KRB5_KDC_UNREACH (cannot
contact any KDC for realm) as a user rejected error instead of a
Kerberos error. This avoids returning an internal error from WebLogin
and instead tells the user the username is invalid. This is not
always correct, since the unreachable KDC could be the local KDC, but
it's better than the previous behavior of throwing internal errors
when users enter email addresses as their username.
Allow newlines, CR, and LF in XML from WebKDC to WebLogin
Allow newlines, carriage returns, and tabs in the XML sent from the
WebKDC to the WebLogin server rather than replacing them with periods.
This fixes the display of <user-message> elements that contain
newlines.
Add a new configuration directive, WebKdcFastArmorCache, for
mod_webkdc. If set, this specifies the path to a Kerberos ticket
cache that can (and must) be used for FAST (Flexible Authentication
Secure Tunneling) protection of Kerberos password authentications.
The Kerberos KDC must also support FAST in order to safely enable this
option. Based on a patch by Jakob Uhd Jepsen (One.com A/S).
Fix parsing of the WebKdcKerberosFactors configuration directive.
Warn about credential delegation to load-balanced pools
Warn in the mod_webauth documentation that, when using credential
delegation to a load-balanced pool, all members of that pool must have
the same Kerberos identity.
Fix various grammar and wording issues in the protocol spec
Clarify the contents of the token returned to the WAS from the
WebKDC and the reason for having the session key both outside and
inside the encrypted token. Fix various other grammar and wording
mistakes, including using a more appropriate preposition than "in"
for specifying the key used for an encryption.
Add new factors mp (mobile push) and v (voice), which count as
separate classes for determining multifactor. This means the
combination of those factors with any other factor class will result
in a synthensized multifactor factor.
Update WebKDC to WebLogin protocol for new factor information
Add support for passing additional information about each
configured factor to enable better prompting in WebLogin. Provide
a device ID and a mechanism for WebLogin to return it to the
WebKDC when requesting authentication.
Override the value of BYPASS_CONFIRM if the WebKDC returns a list
of permitted_authz identities. Without this, users are unable to
assert an authz identity.
Pull Perl vendorarch directory from Perl at build time
* Use an executable debian/libwebauth-perl.install file and some Perl
code in debian/rules to pull the correct Perl arch-specific vendor
module path from Perl during the build. Should fix builds with Perl
5.20. Thanks, Niko Tyni and gregor herrmann. (Closes: #752903)
Russ Allbery [Sat, 10 May 2014 05:59:42 +0000 (22:59 -0700)]
Build correctly when remctl support is disabled
The new remctl-based password change protocol broke the build of
the library when remctl support was not enabled due to an
incorrectly-named stub function. Fix the function name and
diagnose attempting to configure remctl-based password change
without support for it earlier in the code path.
Russ Allbery [Sat, 10 May 2014 05:58:36 +0000 (22:58 -0700)]
Avoid gcc warnings when built without remctl support
GCC 4.8 warns about use of uninitialized variables when the userinfo
code is built without remctl support since it doesn't realize we
never reach the problematic code. Initialize the relevant variables
to NULL to unconfuse it.
Improve WebLogin logic for showing password expiration warning
Show the expiring password warning in WebLogin if the browser request
was a POST. Previously, it was skipped if the user had a REMOTE_USER
preference or if the browser presented a single sign-on cookie. This
was too conservative, not warning in cases when REMOTE_USER failed,
when the browser presented an expired single sign-on cookie (systems
that are suspended rather than shut down, for example), and when the
user has to do multifactor authentication. Checking for a POST is a
closer match for when we can force a confirmation screen without too
much user disruption.
Support for AuthType StanfordAuth (for backward compatibility with
WebAuth 2.5) was broken in WebAuth 4.6.0, causing mod_webauth to
reject all accesses to resources protected with that AuthType. This
has been fixed in this release.
Russ Allbery [Wed, 19 Mar 2014 21:32:31 +0000 (14:32 -0700)]
Handle keyring ownership in the transition package
* Handle ownership change of the mod_webauth keyring in the
libapache2-webauth transition package as well, since that's the
package that will see the versioned upgrade.
Check the username parameter in WebLogin multifactor pages
In WebLogin, verify that the username form field was sent before
attempting to do multifactor operations and return an error if it
isn't, avoiding undefined variable warnings and other errors deeper in
the WebLogin code.
Russ Allbery [Thu, 20 Mar 2014 00:23:13 +0000 (17:23 -0700)]
Add upgrade warning about keyring permissions
Retroactively add a warning to NEWS about the permission change
required for the keyring when upgrading from older versions of
WebAuth. Clarify keyring permissions in INSTALL.
projects / kerberos / webauth.git / log