rkerberos 0.2.0 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5a969c8a989d5d310bd6906a8023acdd1bd511524cdf85e1b8df35b9e51a424e
-  data.tar.gz: 8792c83e657bd1ddc3da150a2989906050ea48bc2631a2de9e95fe5a8983f2c1
+  metadata.gz: 10c43a653634532f7c52f8156f9ea2c9b5646d9bdff60866f8dde301c1abe5e7
+  data.tar.gz: 99021863b149758d3231938481736878027ad99ef8b4056d3d994e0b0a8dbffb
 SHA512:
-  metadata.gz: 41e50b69c30e64a0ca78548cb189ad6627b41b951abb906caac1e27d2746afbd81df6b96e1cbb1910b1b0c535c5fddd752e5246ff4eab16af860e1797b599374
-  data.tar.gz: 1b3a230983ff08f515412a0bf2055f1152c8e3d757cda4d017d2ec72a53210c077a4874117a0d56256b42535b83d5495c4ec0e315d02cf2e6be9220384d0ac8f
+  metadata.gz: c74926903cdbbcafe0e756189b0e5b53308fc30f4808d090d8091e92941c28f9c7e4629f61c9fb30df130990574bec809f42cfccee9d75d9b697e27e5654889f
+  data.tar.gz: 798be63f34c776a54d1ea54556edc36d965ac0149b7a04414f37b16db3439f8ea1dc8ae7d0f64a0c826c3f80d7cdea0818f5c519a2a77bac0495fa3cb4a44317

data/CHANGES.md

@@ -0,0 +1,59 @@
+# 0.2.2 - 3-Mar-2026
+* Added custom .dup methods for CredentialsCache and Keytab.
+* Added the keytab_name and keytab_type methods to Keytab.
+* Added the cache_name, cache_type and principal methods to CredentialsCache.
+* The Keytab#get_entry method now properly honors the vno and encoding type arguments.
+* Fixed the max_life and max_rlife attributes in Config.
+* Fixed the get_privileges method in Kadm5.
+* Fixed the change_password method in Kadm5 and added specs for it. Previously it would
+  generally always return true because it wasn't considering KDC failures, only raw
+  function failures.
+* Heaps of memory leak fixes. Get it? Heaps? Right, I'll see myself out.
+* Converted the CHANGES and MANIFEST files to markdown.
+
+# 0.2.1 - 1-Mar-2026
+* Added the verify_init_creds and an authenticate! methods.
+* The Context constructor now accepts optional :secure and/or :profile arguments
+  for different types of contexts.
+* Minor fix for the CredentialsCache constructor.
+* Minor fix for the get_init_creds_keytab method.
+* Fixed a mistake in an rb_funcall in the Policy class (thanks Ondřej Gajdušek).
+* Update gemspec so that releases don't include Docker related files (thanks Ondřej Gajdušek).
+* Add a spec:compose task for convenience.
+* The rake-compiler gem is now a development dependency, not a runtime
+  dependency (thanks Ondřej Gajdušek).
+
+# 0.2.0 - 14-Feb-2026
+* Added Docker and Podman support for running tests in isolated environments with Kerberos and OpenLDAP services.
+* Updated documentation with modern testing and development workflows, including container-based instructions.
+* Improved compatibility for Ruby 3.4 and later.
+* Enhanced build and test automation using docker-compose and podman-compose.
+* Various bug fixes, code cleanups, and test improvements.
+
+# 0.1.5 - 17-Oct-2016
+* Fix build error on Ruby 2.0.0/2.1 with CFLAGS concatenation
+
+# 0.1.4 - 14-Oct-2016
+* Implement db_args functionality in kadmin (fixes #8)
+* Fix a double-free error when setting the realm for a principal
+* Fix an error in policy creation that would sometimes cause a communication failure
+* Set C99 as the C Standard and fix all compiler warnings at this level
+
+# 0.1.3 - 07-Sep-2013
+* Add optional 'service' argument to get_init_creds_password (fixes #3)
+* Artistic License 2.0 text now included (fixes #2)
+
+# 0.1.2 - 24-Jun-2013
+* Fix kadm5clnt build issue on EL6
+* Remove admin_keytab references for krb5 1.11
+* Add Gemfile
+* Replace deprecated Config with RbConfig (Ruby 2)
+
+# 0.1.1 - 08-May-2013
+* Add credential cache argument to get_init_creds_keytab
+* Fixed invalid VALUE declarations affecting non-gcc compilers
+* Add OS X install instructions
+
+# 0.1.0 - 28-Apr-2011
+* Initial release. This is effectively a re-release of my own custom branch
+  of the krb5-auth library, with some minor changes.

data/MANIFEST.md

@@ -0,0 +1,24 @@
+* CHANGES.md
+* rkerberos.gemspec
+* MANIFEST.md
+* Rakefile
+* README
+* ext/ccache.c
+* ext/context.c
+* ext/extconf.rb
+* ext/kadm5.c
+* ext/keytab.c
+* ext/keytab_entry.c
+* ext/rkerberos.c
+* ext/rkerberos.h
+* ext/policy.c
+* ext/principal.c
+* spec/config_spec.rb
+* spec/context_spec.rb
+* spec/credentials_spec.rb
+* spec/kadm5_spec.rb
+* spec/keytab_entry_spec.rb
+* spec/krb5_keytab_spec.rb
+* spec/krb5_spec.rb
+* spec/policy_spec.rb
+* spec/principal_spec.rb

data/README.md

@@ -1,5 +1,44 @@
+[![Ruby](https://github.com/rkerberos/rkerberos/actions/workflows/ci.yml/badge.svg)](https://github.com/rkerberos/rkerberos/actions/workflows/ci.yml)
+
 # Description
-  The rkerberos library provides a Ruby interface for Kerberos.
+The rkerberos library provides a Ruby interface for Kerberos.
+
+## Code synopsis
+
+Some basic usage:
+
+```ruby
+require 'rkerberos'
+
+# Client
+krb = Kerberos::Krb5.new
+puts krb.default_realm
+puts krb.default_principal
+puts krb.get_permitted_enctypes.keys.join(',')
+
+# Credentials cache
+cc = Kerberos::Krb5::CredentialsCache.new
+krb.verify_init_creds(nil, nil, cc)
+puts cc.primary_principal
+
+# Keytab
+kt_name = Kerberos::Krb5::Keytab.new.default_name # e.g. "FILE:/etc/krb5.keytab"
+krb.get_init_creds_keytab('host/server.example.com', kt_name)
+krb.get_init_creds_keytab('host/server.example.com', kt_name, nil, cc) # or write to cache
+
+# Admin
+Kerberos::Kadm5.new(principal: ENV['KRB5_ADMIN_PRINCIPAL'], password: ENV['KRB5_ADMIN_PASSWORD']) do |kadmin|
+  kadmin.create_principal('newuser@EXAMPLE.COM', 'initialpass')
+  kadmin.set_password('newuser@EXAMPLE.COM', 'betterpass')
+  kadmin.delete_principal('newuser@EXAMPLE.COM')
+end
+
+# Contexts
+ctx = Kerberos::Krb5::Context.new # standard context
+ctx = Kerberos::Krb5::Context.new(profile: '/etc/krb5.conf') # or use a profile
+ctx = Kerberos::Krb5::Context.new(secure: true) # or use a secure context
+ctx.close
+```
 
 # Requirements
 
@@ -91,6 +130,19 @@ If you make changes to the Ruby code or C extensions:
    podman-compose run --rm rkerberos-test
    ```
 
+Alternatively, you can just run containerized tests via the `spec:compose`
+Rake task. This task runs the same containerized workflow used above and
+prefers `podman-compose` with a `docker-compose` fallback.
+
+```bash
+# build image and run RSpec inside the test container
+rake spec:compose
+# skip the build step by passing a positional or named argument:
+# (equivalent forms)
+rake spec:compose[true]
+rake "spec:compose[fast=true]"
+```
+
 The test environment includes:
 - MIT Kerberos KDC (Key Distribution Center)
 - OpenLDAP server for directory services
@@ -112,8 +164,8 @@ The test environment includes:
 
 # Authors
 * Daniel Berger
-* Dominic Cleal (maintainer)
-* Simon Levermann (maintainer)
+* Dominic Cleal
+* Simon Levermann
 
 # License
   rkerberos is distributed under the Artistic-2.0 license.

data/Rakefile

@@ -77,6 +77,41 @@ RSpec::Core::RakeTask.new(:spec) do |t|
   t.pattern = 'spec/**/*_spec.rb'
 end
 
+# Run specs inside the project container using podman-compose (or docker-compose).
+namespace :spec do
+  desc 'Build test image and run RSpec inside container (podman-compose or docker-compose)'
+  task :compose, [:fast] do |t, args|
+    # allow either positional or named argument (e.g. "fast=true")
+    fast = args[:fast]
+    if fast && fast.include?("=")
+      k,v = fast.split("=",2)
+      fast = v if k == 'fast'
+    end
+    fast = true if fast == 'true'
+
+    compose = `which podman-compose`.strip
+    compose = 'docker-compose' if compose.empty?
+
+    if fast
+      puts "Using #{compose} to run containerized specs (fast)..."
+    else
+      puts "Using #{compose} to run containerized specs..."
+    end
+
+    FileUtils.rm_rf('Gemfile.lock')
+    begin
+      unless fast
+        sh "#{compose} build --no-cache kerberos-kdc"
+        sh "#{compose} build --no-cache rkerberos-test"
+      end
+      sh "#{compose} run --rm rkerberos-test"
+    ensure
+      # redirect stderr so missing-container messages don't appear
+      sh "#{compose} down -v 2>/dev/null" rescue nil
+    end
+  end
+end
+
 # Clean up afterwards
 Rake::Task[:spec].enhance do
   Rake::Task[:clean].invoke

data/ext/rkerberos/ccache.c

@@ -57,10 +57,17 @@ static VALUE rkrb5_ccache_initialize(int argc, VALUE* argv, VALUE self){
 
   rb_scan_args(argc, argv, "02", &v_principal, &v_name);
 
-  // Convert the principal name to a principal object
-  if(RTEST(v_principal)){
+  if(RTEST(v_principal))
     Check_Type(v_principal, T_STRING);
 
+  // Initialize the context
+  kerror = krb5_init_context(&ptr->ctx);
+
+  if(kerror)
+    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+
+  // Convert the principal name to a principal object
+  if(RTEST(v_principal)){
     kerror = krb5_parse_name(
       ptr->ctx,
       StringValueCStr(v_principal),
@@ -71,12 +78,6 @@ static VALUE rkrb5_ccache_initialize(int argc, VALUE* argv, VALUE self){
       rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
   }
 
-  // Initialize the context
-  kerror = krb5_init_context(&ptr->ctx);
-
-  if(kerror)
-    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
-
   // Set the credentials cache using the default cache if no name is provided
   if(NIL_P(v_name)){
     kerror = krb5_cc_default(ptr->ctx, &ptr->ccache);
@@ -156,6 +157,40 @@ static VALUE rkrb5_ccache_default_name(VALUE self){
   return rb_str_new2(krb5_cc_default_name(ptr->ctx));
 }
 
+// Wrapper for krb5_cc_get_name; returns the actual ccache name.
+static VALUE rkrb5_ccache_get_name(VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+  const char *name;
+
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  name = krb5_cc_get_name(ptr->ctx, ptr->ccache);
+  if(!name)
+    rb_raise(cKrb5Exception, "krb5_cc_get_name returned NULL");
+
+  return rb_str_new2(name);
+}
+
+// Wrapper for krb5_cc_get_type; returns the cache type string.
+static VALUE rkrb5_ccache_get_type(VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+  const char *type;
+
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  type = krb5_cc_get_type(ptr->ctx, ptr->ccache);
+  if(!type)
+    rb_raise(cKrb5Exception, "krb5_cc_get_type returned NULL");
+
+  return rb_str_new2(type);
+}
+
 /*
  * call-seq:
  *   ccache.primary_principal
@@ -172,6 +207,11 @@ static VALUE rkrb5_ccache_primary_principal(VALUE self){
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
 
+  if(ptr->principal){
+    krb5_free_principal(ptr->ctx, ptr->principal);
+    ptr->principal = NULL;
+  }
+
   kerror = krb5_cc_get_principal(ptr->ctx, ptr->ccache, &ptr->principal);
 
   if(kerror)
@@ -182,7 +222,15 @@ static VALUE rkrb5_ccache_primary_principal(VALUE self){
   if(kerror)
     rb_raise(cKrb5Exception, "krb5_unparse_name: %s", error_message(kerror));
 
-  return rb_str_new2(name);
+  VALUE v_name = rb_str_new2(name);
+  krb5_free_unparsed_name(ptr->ctx, name);
+
+  return v_name;
+}
+
+// Simple wrapper around krb5_cc_get_principal returning a principal name string.
+static VALUE rkrb5_ccache_principal(VALUE self){
+  return rkrb5_ccache_primary_principal(self);
 }
 
 /*
@@ -236,6 +284,47 @@ static VALUE rkrb5_ccache_destroy(VALUE self){
   return v_bool;
 }
 
+// Duplicate the credentials cache object.
+// call-seq:
+//   ccache.dup -> new_ccache
+//
+// Returns a new Kerberos::Krb5::CredentialsCache that references the
+// same underlying cache data. The new object has its own krb5 context so
+// that closing one cache does not affect the other.
+static VALUE rkrb5_ccache_dup(VALUE self){
+  RUBY_KRB5_CCACHE *ptr, *newptr;
+  krb5_error_code kerror;
+  VALUE newobj;
+
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  // allocate new ruby object and struct
+  newobj = rkrb5_ccache_allocate(CLASS_OF(self));
+  TypedData_Get_Struct(newobj, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, newptr);
+
+  // initialize a fresh context for the duplicate
+  kerror = krb5_init_context(&newptr->ctx);
+  if(kerror){
+    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+  }
+
+  // perform ccache duplication using the new context
+  kerror = krb5_cc_dup(newptr->ctx, ptr->ccache, &newptr->ccache);
+  if(kerror){
+    krb5_free_context(newptr->ctx);
+    newptr->ctx = NULL;
+    rb_raise(cKrb5Exception, "krb5_cc_dup: %s", error_message(kerror));
+  }
+
+  // principal is not copied; let callers query primary_principal on each
+  newptr->principal = NULL;
+
+  return newobj;
+}
+
 void Init_ccache(void){
   /* The Kerberos::Krb5::CredentialsCache class encapsulates a Kerberos credentials cache. */
   cKrb5CCache = rb_define_class_under(cKrb5, "CredentialsCache", rb_cObject);
@@ -249,8 +338,13 @@ void Init_ccache(void){
   // Instance Methods
   rb_define_method(cKrb5CCache, "close", rkrb5_ccache_close, 0);
   rb_define_method(cKrb5CCache, "default_name", rkrb5_ccache_default_name, 0);
+  rb_define_method(cKrb5CCache, "cache_name", rkrb5_ccache_get_name, 0);
+  rb_define_method(cKrb5CCache, "cache_type", rkrb5_ccache_get_type, 0);
   rb_define_method(cKrb5CCache, "destroy", rkrb5_ccache_destroy, 0);
   rb_define_method(cKrb5CCache, "primary_principal", rkrb5_ccache_primary_principal, 0);
+  rb_define_method(cKrb5CCache, "principal", rkrb5_ccache_principal, 0);
+  rb_define_method(cKrb5CCache, "dup", rkrb5_ccache_dup, 0);
+  rb_define_alias(cKrb5CCache, "clone", "dup");
 
   // Aliases
   rb_define_alias(cKrb5CCache, "delete", "destroy");

data/ext/rkerberos/config.c

@@ -263,12 +263,12 @@ static VALUE rkadm5_config_inspect(VALUE self){
   rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@mkey_from_kbd")));
   rb_str_buf_cat2(v_str, " ");
 
-  rb_str_buf_cat2(v_str, "maxlife=");
-  rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@maxlife")));
+  rb_str_buf_cat2(v_str, "max_life=");
+  rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@max_life")));
   rb_str_buf_cat2(v_str, " ");
 
-  rb_str_buf_cat2(v_str, "maxrlife=");
-  rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@maxrlife")));
+  rb_str_buf_cat2(v_str, "max_rlife=");
+  rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@max_rlife")));
   rb_str_buf_cat2(v_str, " ");
 
   rb_str_buf_cat2(v_str, "num_keysalts=");

data/ext/rkerberos/context.c

@@ -1,5 +1,7 @@
 #include <rkerberos.h>
 
+#include <profile.h>
+
 VALUE cKrb5Context;
 
 // Free function for the Kerberos::Krb5::Context class.
@@ -51,23 +53,76 @@ static VALUE rkrb5_context_close(VALUE self){
 
 /*
  * call-seq:
- *   Kerberos::Context.new
+ *   Kerberos::Context.new(options = {})
  *
  * Creates and returns a new Kerberos::Context object.
  *
- * This class is not typically instantiated directly, but is used internally
- * by the krb5-auth library.
+ * The options hash may be one or both of the following keys:
+ *
+ *   :secure  => true|false           # Use config files only, ignore env variables
+ *   :profile => '/path/to/krb5.conf' # Use the specified profile file
  */
-static VALUE rkrb5_context_initialize(VALUE self){
+static VALUE rkrb5_context_initialize(int argc, VALUE *argv, VALUE self){
   RUBY_KRB5_CONTEXT* ptr;
+  VALUE v_opts;
+  VALUE v_secure, v_profile;
   krb5_error_code kerror;
 
   TypedData_Get_Struct(self, RUBY_KRB5_CONTEXT, &rkrb5_context_data_type, ptr);
 
-  kerror = krb5_init_context(&ptr->ctx);
+  rb_scan_args(argc, argv, "01", &v_opts);
+
+  // Default behavior is a normal context that may respect environment.
+  if (NIL_P(v_opts)) {
+    kerror = krb5_init_context(&ptr->ctx);
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+
+    return self;
+  }
+
+  Check_Type(v_opts, T_HASH);
+
+  v_secure = rb_hash_aref2(v_opts, ID2SYM(rb_intern("secure")));
+  v_profile = rb_hash_aref2(v_opts, ID2SYM(rb_intern("profile")));
+
+  /*
+   * If a profile path is supplied, load it via profile_init_path() and
+   * create a context from that profile. The KRB5_INIT_CONTEXT_SECURE flag
+   * is used when the :secure option is truthy.
+   */
+  if (!NIL_P(v_profile)){
+    Check_Type(v_profile, T_STRING);
+
+    const char *profile_path = StringValueCStr(v_profile);
+    profile_t profile = NULL;
+    long pres = profile_init_path(profile_path, &profile);
+
+    if(pres != 0)
+      rb_raise(cKrb5Exception, "profile_init_path: %ld", pres);
+
+    krb5_flags flags = RTEST(v_secure) ? KRB5_INIT_CONTEXT_SECURE : 0;
+    kerror = krb5_init_context_profile(profile, flags, &ptr->ctx);
+
+    profile_release(profile);
+
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_init_context_profile: %s", error_message(kerror));
+
+    return self;
+  }
 
-  if(kerror)
-    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+  // No profile given, choose secure or normal init.
+  if (RTEST(v_secure)){
+    kerror = krb5_init_secure_context(&ptr->ctx);
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_init_secure_context: %s", error_message(kerror));
+  }
+  else{
+    kerror = krb5_init_context(&ptr->ctx);
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+  }
 
   return self;
 }
@@ -80,7 +135,7 @@ void Init_context(void){
   rb_define_alloc_func(cKrb5Context, rkrb5_context_allocate);
 
   // Constructor
-  rb_define_method(cKrb5Context, "initialize", rkrb5_context_initialize, 0);
+  rb_define_method(cKrb5Context, "initialize", rkrb5_context_initialize, -1);
 
   // Instance Methods
   rb_define_method(cKrb5Context, "close", rkrb5_context_close, 0);