
www/nginx: HTTP_AUTH_KRB5 option is not fully implemented. This patch makes it build with security/krb5 and security/heimdal
Closed, Public

Authored by joneum on Apr 5 2018, 3:05 PM.
Details

Summary

www/nginx's HTTP_AUTH_KRB5 option is not fully implemented. This patch makes it build with security/krb5 and security/heimdal.

  • Enable the Kerberos selection options, which have been commented out ever since they were first committed
  • Move these options out of the HTTP_AUTH_KRB5 conditional
    • make config now saves the selected option, if any
    • the build dependency on the selected Kerberos does now exist in poudriere
  • Update the patch for the spnego-http-auth-nginx-module config file to use the current GitHub commit from the Makefile
  • Fix the same patch to not assume that -lgssapi is always there
  • Force the nginx build system to admit the existence of CPPFLAGS, necessary to build with Heimdal

Diff Detail

Repository: rP FreeBSD ports repository
Lint: No Lint Coverage
Unit: No Test Coverage
Build Status: Buildable 16233
Build 16183: arc lint + arc unit

Event Timeline

This can't use GSSAPI from base?

Also I think you need an OPTIONS_DEFAULT+= to make sure one is actually used.

www/nginx/Makefile.extmod:87

I understand why you'd put them here, but shouldn't these go with all the other OPTIONS defines?

www/nginx/Makefile.extmod:87

I just commented out that here. How would you do that?

www/nginx/Makefile.extmod:87

Drop them in with all of the other OPTIONS defines.
Probably add a GSSAPI_HEIMDAL_IMPLIES= and GSSAPI_MIT_IMPLIES= HTTP_AUTH_KRB5
and add a check after bsd.port.options.mk that HTTP_AUTH_KRB5 without either HEIMDAL or MIT is BROKEN

Pretty convoluted, all of that...

How do you know it's BROKEN? I'm confused ....

If you were to enable HTTP_AUTH_KRB5 but don't have a GSSAPI implementation selected, results will be unreliable at best. That's why I'd say that should result in an error message, implemented with BROKEN.

www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config:6

The %%GSSAPILIBS%% will be expanded to hold the libs needed to build this. Probably not smart to remove them. See Mk/Uses/gssapi.mk for usage

ngx_addon_name=ngx_http_auth_spnego_module
ngx_feature_libs="%%GSSAPILIBS%%"
ngx_module_incs="%%GSSAPINCDIR%%"

if test -n "$ngx_module_link"; then
    ngx_module_type=HTTP
    ngx_module_name=ngx_http_auth_spnego_module
    ngx_module_srcs="$ngx_addon_dir/ngx_http_auth_spnego_module.c"
    ngx_module_libs="$ngx_feature_libs"
    . auto/module
else
    HTTP_MODULES="$HTTP_MODULES ngx_http_auth_spnego_module"
    NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_spnego_module.c"
    CORE_LIBS="$CORE_LIBS $ngx_feature_libs"
fi

LDFLAGS="-L%%GSSAPILIBDIR%% $LDFLAGS"

You may need to add some more stuff to force the module to link correctly. And add a check that OpenSSL and GSSAPI are both from base _or_ ports (mixing results in runtime issues!)
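
The base-versus-ports mixing that the comment above warns about can also be verified on the built binary. This is an added example, not code from this review or from the port: it classifies the OpenSSL and GSSAPI/Kerberos libraries in `ldd` output, assuming base libraries resolve under /lib or /usr/lib and ports libraries under /usr/local. The function names and the sample `ldd` output are constructed.

```shell
#!/bin/sh
# Added example (not from the review). Assumes FreeBSD defaults: base libraries
# in /lib or /usr/lib, ports libraries under /usr/local.

# lib_origin ERE: read `ldd` output on stdin and print where the libraries
# whose names match ERE were resolved from: base, ports, mixed or none.
lib_origin() {
    awk -v pat="$1" '
        $2 == "=>" && $1 ~ pat {
            if ($3 ~ /^\/usr\/local\//)        ports = 1
            else if ($3 ~ /^(\/usr)?\/lib\//)  base = 1
        }
        END {
            if (base && ports) print "mixed"
            else if (base)     print "base"
            else if (ports)    print "ports"
            else               print "none"
        }'
}

# check_mixing: read `ldd` output on stdin, print the two origins, and return
# 1 when OpenSSL and GSSAPI/Kerberos do not come from the same place.
check_mixing() {
    ldd_out=$(cat)
    tls=$(printf '%s\n' "$ldd_out" | lib_origin '^lib(ssl|crypto)[.]so')
    gss=$(printf '%s\n' "$ldd_out" | lib_origin '^lib(gssapi|krb5)')
    echo "openssl=$tls gssapi=$gss"
    case "$tls:$gss" in
        *mixed*) return 1 ;;
        base:base|ports:ports|none:*|*:none) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: base OpenSSL together with MIT Kerberos from ports.
sample_mixed() {
    cat <<'EOF'
/usr/local/sbin/nginx:
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x800891000)
	libssl.so.8 => /usr/lib/libssl.so.8 (0x800ab0000)
	libcrypto.so.8 => /lib/libcrypto.so.8 (0x800d22000)
	libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x801195000)
	libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x8013e0000)
	libc.so.7 => /lib/libc.so.7 (0x8016c0000)
EOF
}

sample_mixed | check_mixing || echo "WARNING: OpenSSL and GSSAPI origins differ"
```

On a real system, pipe `ldd` of the installed nginx binary into `check_mixing` instead of the sample.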

Add new patch for this problem.

Looking good!
What has been tested?

www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config:10

Have you tested with both heimdal from base as well as with one of the versions from ports?

www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config:10

Yes. "make" and "make install" work fine with both options.

This revision is now accepted and ready to land. (Apr 21 2018, 8:24 PM)
This revision was automatically updated to reflect the committed changes.