Jon Robertson [Tue, 30 Sep 2014 05:22:01 +0000 (22:22 -0700)]
Finished first pass at mod_webkdc automated tests
The main tests are now all complete save PHP. The multifactor tests
have been halted for now due to waiting on template completion and
having higher-priority tasks to finish.
Jon Robertson [Mon, 22 Sep 2014 20:44:34 +0000 (13:44 -0700)]
Give a validation remctl command its own timeout error
In order to set up out of band methods that will time out if the user
doesn't respond to the out of band prompt (such as a phone call), we
need to have a validation remctl call tell us specifically if it timed
out. Currently it's just sent as a WK_ERR_UNRECOVERABLE_ERROR, which
makes it impossible to carve out special logic for a timeout. This will
now be sent as its own error code.
Currently this is only true for validate and not for the userinfo
command. If we later need to do special things for userinfo timeouts as
well, we'll build on this work.
Jon Robertson [Thu, 18 Sep 2014 06:26:18 +0000 (23:26 -0700)]
First pass at updating all tests for clarity and auto-running
Clarified a lot of the test information on the index page. Started to
do scripts with WWW::Mechanize to test an install. These tests do rely
on the Stanford templates so aren't good for general use. But then, the
multifactor tests were already relying on assumptions about our
infrastructure.
Jon Robertson [Tue, 26 Aug 2014 06:18:03 +0000 (23:18 -0700)]
WebLogin: Changes for better multifactor handling
* Reread multifactor data from fields on the multifactor template page.
* Pass a FreezeThaw version of the devices to the template as well, so
that it can be kept for future iterations.
* Attempt multifactor login even if there is no passcode given, to
accomodate non-passcode methods.
* Catch the unrecoverable error page from multifactor temporarily, as
we'll hit that error if an out-of-band method times out. Later we
want to expose the timeout as an actual error on its own instead so
that we can match against it rather than unrecoverable error.
Change-Id: I950b200c9ab58abfff9e59f65b29cd06c4c8d98c
Reviewed-on: https://gerrit.stanford.edu/1618 Reviewed-by: Jon Robertson <jonrober@stanford.edu> Tested-by: Jon Robertson <jonrober@stanford.edu>
Russ Allbery [Fri, 15 Aug 2014 00:44:32 +0000 (17:44 -0700)]
Add temporary test code to the multifactor template
To check the data returned from the WebKDC for the default device
and factor, and for the device list, add some temporary testing
code to print all of that out in the template. This should probably
be removed before a release.
Russ Allbery [Fri, 15 Aug 2014 00:43:23 +0000 (17:43 -0700)]
Add support for new multifactor data in WebLogin code
Support reading device_id from the posted form and passing it
through in the login token. Support reading the default device
and factor and the device list from mod_webkdc and exposing it
to the templates. Not yet tested thoroughly or end-to-end.
Russ Allbery [Thu, 14 Aug 2014 01:26:33 +0000 (18:26 -0700)]
Provide the device and default factor information to WebLogin
Pass the device information and default device through from the
user information service to the response to a WebLogin
<requestTokenRequest> so that it can be, eventually, passed all the
way to the templates.
Russ Allbery [Thu, 14 Aug 2014 00:23:16 +0000 (17:23 -0700)]
Add support for default and device info in userinfo calls
In the JSON implementation of the user information call, add
support for reading default device information and the list of
configured devices. Add support for passing in the device ID
for validate calls, and pull it out of the login token. (This
field is ignored with the old XML protocol.)
Russ Allbery [Thu, 14 Aug 2014 00:22:20 +0000 (17:22 -0700)]
Change the protocol for returning device information to WebLogin
Use more, separate XML elements to better match the information
model returned by the user information service using JSON, instead
of collapsing everything as attributes.
Russ Allbery [Thu, 14 Aug 2014 00:16:16 +0000 (17:16 -0700)]
Recognize more failed login error codes from Kerberos
Recognize KRB5_BAD_ENCTYPE, KRB5_GET_IN_TKT_LOOP, KRB5_PREAUTH_FAILED,
and KRB5KRB_AP_ERR_MODIFIED as additional synonyms for a failed login
error code. Various combinations of recent MIT and Heimdal with
different KDCs return these error codes if the password is incorrect.
Russ Allbery [Wed, 13 Aug 2014 23:48:44 +0000 (16:48 -0700)]
Add new device_id field to login tokens
This will be used by WebLogin to pass the authenticating device
identifier through to the WebKDC. Add the field to the login
token encoding and to all of the various tests, and adjust the
test suite construction of login tokens to account for the extra
field. Pass through a value in multifactor tests in preparation
for further tests that actually use that field.
Russ Allbery [Tue, 12 Aug 2014 03:26:58 +0000 (20:26 -0700)]
Add a note about possible Kerberos APIs for ticket serialization
Peter Mogensen pointed out MIT Kerberos APIs that can be used to
serialize a ticket in a native format, which would be a nice
replacement for our home-grown serialization format. Add a note
about that to TODO.
Russ Allbery [Thu, 7 Aug 2014 20:42:43 +0000 (13:42 -0700)]
Bump shared library versioning
The addition of the new json flag in the user information service
configuration will force this, and I plan on changing the API for
the user information service calls as well.
Russ Allbery [Thu, 7 Aug 2014 02:13:13 +0000 (19:13 -0700)]
Refactor JSON argument construction with macros
Add macros that wrap the error checking when building JSON objects
and that correctly free temporary objects. Use that to restructure
the command construction so that it shouldn't leak memory and is
much easier to read.
Russ Allbery [Thu, 7 Aug 2014 00:35:03 +0000 (17:35 -0700)]
Refactor userinfo code
Separate the remctl support, XML parsing, and JSON parsing into
separate source files to make each source file more comprehensible.
While doing this, stop always sending ip to the user information
service in the JSON protocol. Now that we have a protocol that can
handle optional arguments easily, don't send ip if we don't have an
IP address.
Russ Allbery [Mon, 4 Aug 2014 20:52:20 +0000 (13:52 -0700)]
Enable JSON testing and fix one minor bug
Enable testing of the new JSON support in the user information
service, and fix one minor bug that surfaced in that testing.
The JSON code now produces results equivalent to the non-JSON
code.
Russ Allbery [Sat, 2 Aug 2014 02:22:10 +0000 (19:22 -0700)]
Initial framework for testing JSON user information calls
Add the remctl interface, the Perl backend, and the JSON data
for testing the user information service with JSON. This is not
yet hooked into the test suite.
Russ Allbery [Sat, 2 Aug 2014 02:18:52 +0000 (19:18 -0700)]
Initial implementation of JSON user information service support
An initial implementation of a new user information service protocol
that uses JSON for communication. The JSON call and parsing of the
result is implemented and compiles, but is not yet tested and is
probably buggy. The code is in significant need of refactoring at
some point.
Russ Allbery [Sat, 2 Aug 2014 01:22:55 +0000 (18:22 -0700)]
Remove remctl and kadmin-remctl references in README
This was for the separate query for the user's password expiration,
which is no longer supported in favor of pulling that information
from the user information service and passing it down from mod_webkdc.
The change in the webauth_webkdc_config struct means that some
interfaces are no longer compatible with previous releases. Be
conservative and bump all of the library versioning. (Normally
I wouldn't do an ABI bump in a minor release, but in this case
the effect of the changes is very minor, just still an ABI break.)
* Use Lancaster Consensus environment variables to control tests.
* Use calloc or reallocarray for protection against integer overflows.
* Suppress warnings from Kerberos headers in non-system paths.
* Update warning flags when building with make warnings.
* Only pass warning suppression flags to Perl under make warnings.
Update to C TAP Harness 3.1:
* Check for integer overflow on memory allocations.
* Avoid all remaining uses of sprintf.
Translate an EINVAL error from the Kerberos libraries during password
authentication to an incorrect password error code. Older versions of
MIT Kerberos returned EINVAL for excessively long passwords.