
www/nginx: HTTP_AUTH_KRB5 option is not fully implemented. This patch makes it build with security/krb5 and security/heimdal
Closed, Public

Authored by joneum on Apr 5 2018, 3:05 PM.

Details

Summary

www/nginx's HTTP_AUTH_KRB5 option is not fully implemented. This patch makes it build with security/krb5 and security/heimdal.

  • Enable the Kerberos selection options, which have been commented out ever since they were first committed
  • Move these options out of the HTTP_AUTH_KRB5 conditional
    • make config now saves the selected option, if any
    • the build dependency on the selected Kerberos does now exist in poudriere
  • Update the patch for the spnego-http-auth-nginx-module config file to use the current GitHub commit from the Makefile
  • Fix the same patch to not assume that -lgssapi is always there
  • Force the nginx build system to admit the existence of CPPFLAGS, necessary to build with Heimdal

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

joneum created this revision. Apr 5 2018, 3:05 PM
brnrd added a comment. Apr 5 2018, 7:43 PM

This can't use GSSAPI from base?

Also I think you need an OPTIONS_DEFAULT+= to make sure one is actually used.

www/nginx/Makefile.extmod
87 ↗(On Diff #41131)

I understand why you'd put them here, but shouldn't these go with all the other OPTIONS defines?

joneum added inline comments. Apr 6 2018, 4:55 AM
www/nginx/Makefile.extmod
87 ↗(On Diff #41131)

I just commented out that here. How would you do that?

brnrd added inline comments. Apr 6 2018, 9:28 PM
www/nginx/Makefile.extmod
87 ↗(On Diff #41131)

Drop them in with all of the other OPTIONS defines.
Probably add a GSSAPI_HEIMDAL_IMPLIES= and GSSAPI_MIT_IMPLIES= HTTP_AUTH_KRB5
and add a check after bsd.port.options.mk that HTTP_AUTH_KRB5 without either HEIMDAL or MIT is BROKEN

Pretty convoluted, all of that...

How do you know it's BROKEN? I'm confused ....

brnrd added a comment. Apr 8 2018, 10:30 AM

> How do you know it's BROKEN? I'm confused ....

If you were to enable HTTP_AUTH_KRB5 but don't have a GSSAPI implementation selected, results will be unreliable at best. That's why I'd say that should result in an error message, implemented with BROKEN

brnrd added a comment. Edited Apr 8 2018, 11:11 AM

> How do you know it's BROKEN? I'm confused ....

www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config
6 ↗(On Diff #41131)

The %%GSSAPILIBS%% will be expanded to hold the libs needed to build this. Probably not smart to remove them. See Mk/Uses/gssapi.mk for usage

brnrd added a comment. Apr 8 2018, 11:49 AM

ngx_addon_name=ngx_http_auth_spnego_module
ngx_feature_libs="%%GSSAPILIBS%%"
ngx_module_incs="%%GSSAPINCDIR%%"

if test -n "$ngx_module_link"; then
    ngx_module_type=HTTP
    ngx_module_name=ngx_http_auth_spnego_module
    ngx_module_srcs="$ngx_addon_dir/ngx_http_auth_spnego_module.c"
    ngx_module_libs="$ngx_feature_libs"
    . auto/module
else
    HTTP_MODULES="$HTTP_MODULES ngx_http_auth_spnego_module"
    NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_spnego_module.c"
    CORE_LIBS="$CORE_LIBS $ngx_feature_libs"
fi

LDFLAGS="-L%%GSSAPILIBDIR%% $LDFLAGS"

You may need to add some more stuff to force the module to link correctly. And add a check that OpenSSL and GSSAPI are both from base _or_ ports (mixing results in runtime issues!)
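
The base-versus-ports check requested in the comment above, sketched as a post-build test over `ldd` output. This is an added example, not code from the port or from the review; the library name patterns, the /usr/local default for LOCALBASE and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the port. Assumptions: base libraries live in
# /lib or /usr/lib, ports libraries under LOCALBASE (default /usr/local).
LOCALBASE="${LOCALBASE:-/usr/local}"

# origin_of PATH: print base, ports or other
origin_of() {
    case "$1" in
        "$LOCALBASE"/*)    echo ports ;;
        /lib/*|/usr/lib/*) echo base ;;
        *)                 echo other ;;
    esac
}

# add_origin LIST ORIGIN: print LIST with ORIGIN appended if not yet present
add_origin() {
    case " $1 " in
        *" $2 "*) echo "$1" ;;
        *)        echo "${1:+$1 }$2" ;;
    esac
}

# check_lib_origins: read ldd output on stdin and print
#   consistent:<origin>, mixed openssl=<..> gssapi=<..>, or incomplete
check_lib_origins() {
    ssl="" gss=""
    while read -r name arrow path _rest; do
        [ "$arrow" = "=>" ] || continue   # skip header and non-library lines
        case "$name" in
            libssl.so*|libcrypto.so*)   ssl=$(add_origin "$ssl" "$(origin_of "$path")") ;;
            libgssapi*.so*|libkrb5.so*) gss=$(add_origin "$gss" "$(origin_of "$path")") ;;
        esac
    done
    if [ -z "$ssl" ] || [ -z "$gss" ]; then
        echo incomplete                   # one of the two stacks is not linked at all
    elif [ "$ssl" = "$gss" ] && { [ "$ssl" = base ] || [ "$ssl" = ports ]; }; then
        echo "consistent:$ssl"
    else
        echo "mixed openssl=$ssl gssapi=$gss"
    fi
}

# Constructed ldd-style sample: OpenSSL from ports, GSSAPI (Heimdal) from base.
SAMPLE_MIXED='/usr/local/sbin/nginx:
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800a00000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800c00000)
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x801000000)
    libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801200000)
    libc.so.7 => /lib/libc.so.7 (0x801600000)'

printf '%s\n' "$SAMPLE_MIXED" | check_lib_origins   # real use: ldd "$(command -v nginx)" | check_lib_origins
```

If the SPNEGO module is built as a dynamic module, run the check against the module's shared object as well, since its libraries do not appear in the `ldd` output of the nginx binary.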

joneum updated this revision to Diff 41681. Apr 20 2018, 9:30 AM

Add new patch for this problem.

brnrd added a comment. Apr 21 2018, 6:56 PM

Looking good!
What has been tested?

www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config
10 ↗(On Diff #41681)

Have you tested with both heimdal from base as well as with one of the versions from ports?

joneum added inline comments. Apr 21 2018, 7:26 PM
www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config
10 ↗(On Diff #41681)

Yes. "make" and "make install" work fine with both options.

brnrd accepted this revision. Apr 21 2018, 8:24 PM
This revision is now accepted and ready to land. Apr 21 2018, 8:24 PM
This revision was automatically updated to reflect the committed changes.