rkerberos 0.2.1 → 0.2.3

data/ext/rkerberos/rkerberos.c

@@ -100,7 +100,10 @@ static VALUE rkrb5_get_default_realm(VALUE self){
   if(kerror)
     rb_raise(cKrb5Exception, "krb5_get_default_realm: %s", error_message(kerror));
 
-  return rb_str_new2(realm);
+  VALUE v_realm = rb_str_new2(realm);
+  krb5_free_default_realm(ptr->ctx, realm);
+
+  return v_realm;
 }
 
 /*
@@ -164,18 +167,41 @@ static VALUE rkrb5_get_init_creds_keytab(int argc, VALUE* argv, VALUE self){
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
 
+  // Free resources from a previous call to avoid leaks on repeated use.
+  if(ptr->keytab){
+    krb5_kt_close(ptr->ctx, ptr->keytab);
+    ptr->keytab = NULL;
+  }
+
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
+  krb5_free_cred_contents(ptr->ctx, &ptr->creds);
+  memset(&ptr->creds, 0, sizeof(ptr->creds));
+
+  rb_scan_args(argc, argv, "04", &v_user, &v_keytab_name, &v_service, &v_ccache);
+
+  // Validate argument types before allocating opt, so type errors don't leak it.
+  if(!NIL_P(v_user))
+    Check_Type(v_user, T_STRING);
+
+  if(!NIL_P(v_keytab_name))
+    Check_Type(v_keytab_name, T_STRING);
+
+  if(!NIL_P(v_service))
+    Check_Type(v_service, T_STRING);
+
   kerror = krb5_get_init_creds_opt_alloc(ptr->ctx, &opt);
   if(kerror)
     rb_raise(cKrb5Exception, "krb5_get_init_creds_opt_alloc: %s", error_message(kerror));
 
-  rb_scan_args(argc, argv, "04", &v_user, &v_keytab_name, &v_service, &v_ccache);
-
   // We need the service information for later.
   if(NIL_P(v_service)){
     service = NULL;
   }
   else{
-    Check_Type(v_service, T_STRING);
     service = StringValueCStr(v_service);
   }
 
@@ -195,7 +221,6 @@ static VALUE rkrb5_get_init_creds_keytab(int argc, VALUE* argv, VALUE self){
     }
   }
   else{
-    Check_Type(v_user, T_STRING);
     user = StringValueCStr(v_user);
 
     kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
@@ -216,7 +241,6 @@ static VALUE rkrb5_get_init_creds_keytab(int argc, VALUE* argv, VALUE self){
     }
   }
   else{
-    Check_Type(v_keytab_name, T_STRING);
     strncpy(keytab_name, StringValueCStr(v_keytab_name), MAX_KEYTAB_NAME_LEN - 1);
     keytab_name[MAX_KEYTAB_NAME_LEN - 1] = '\0';
   }
@@ -304,6 +328,9 @@ static VALUE rkrb5_change_password(VALUE self, VALUE v_old, VALUE v_new){
   if(!ptr->princ)
     rb_raise(cKrb5Exception, "no principal has been established");
 
+  krb5_free_cred_contents(ptr->ctx, &ptr->creds);
+  memset(&ptr->creds, 0, sizeof(ptr->creds));
+
   kerror = krb5_get_init_creds_password(
     ptr->ctx,
     &ptr->creds,
@@ -328,8 +355,23 @@ static VALUE rkrb5_change_password(VALUE self, VALUE v_old, VALUE v_new){
     &result_string
   );
 
-  if(kerror)
+  if(kerror){
+    krb5_free_data_contents(ptr->ctx, &result_string);
+    krb5_free_data_contents(ptr->ctx, &pw_result_string);
     rb_raise(cKrb5Exception, "krb5_change_password: %s", error_message(kerror));
+  }
+
+  if(pw_result){
+    VALUE v_msg = (result_string.length > 0)
+      ? rb_str_new(result_string.data, result_string.length)
+      : rb_str_new_cstr("password change rejected");
+    krb5_free_data_contents(ptr->ctx, &result_string);
+    krb5_free_data_contents(ptr->ctx, &pw_result_string);
+    rb_raise(cKrb5Exception, "krb5_change_password: %s", StringValueCStr(v_msg));
+  }
+
+  krb5_free_data_contents(ptr->ctx, &result_string);
+  krb5_free_data_contents(ptr->ctx, &pw_result_string);
 
   return Qtrue;
 }
@@ -355,6 +397,15 @@ static VALUE rkrb5_get_init_creds_passwd(int argc, VALUE* argv, VALUE self){
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
 
+  // Free resources from a previous call to avoid leaks on repeated use.
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
+  krb5_free_cred_contents(ptr->ctx, &ptr->creds);
+  memset(&ptr->creds, 0, sizeof(ptr->creds));
+
   rb_scan_args(argc, argv, "21", &v_user, &v_pass, &v_service);
 
   Check_Type(v_user, T_STRING);
@@ -419,6 +470,15 @@ static VALUE rkrb5_authenticate_bang(int argc, VALUE* argv, VALUE self){
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
 
+  // Free resources from a previous call to avoid leaks on repeated use.
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
+  krb5_free_cred_contents(ptr->ctx, &ptr->creds);
+  memset(&ptr->creds, 0, sizeof(ptr->creds));
+
   // Require user and password, optional service
   rb_scan_args(argc, argv, "21", &v_user, &v_pass, &v_service);
 
@@ -509,6 +569,11 @@ static VALUE rkrb5_close(VALUE self){
 
   TypedData_Get_Struct(self, RUBY_KRB5, &rkrb5_data_type, ptr);
 
+  if(ptr->keytab){
+    krb5_kt_close(ptr->ctx, ptr->keytab);
+    ptr->keytab = NULL;
+  }
+
   if(ptr->ctx)
     krb5_free_cred_contents(ptr->ctx, &ptr->creds);
 
@@ -544,6 +609,12 @@ static VALUE rkrb5_get_default_principal(VALUE self){
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
 
+  // Free previous principal to avoid leaks on repeated calls.
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
   // Get the default credentials cache
   kerror = krb5_cc_default(ptr->ctx, &ccache);
 
@@ -562,9 +633,12 @@ static VALUE rkrb5_get_default_principal(VALUE self){
   kerror = krb5_unparse_name(ptr->ctx, ptr->princ, &princ_name);
 
   if(kerror)
-    rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror));
+    rb_raise(cKrb5Exception, "krb5_unparse_name: %s", error_message(kerror));
 
-  return rb_str_new2(princ_name);
+  VALUE v_name = rb_str_new2(princ_name);
+  krb5_free_unparsed_name(ptr->ctx, princ_name);
+
+  return v_name;
 }
 
 /*
@@ -611,11 +685,15 @@ static VALUE rkrb5_get_permitted_enctypes(VALUE self){
     v_enctypes = rb_hash_new();
 
     for(i = 0; ktypes[i]; i++){
-      if(krb5_enctype_to_string(ktypes[i], encoding, 128)){
-        rb_raise(cKrb5Exception, "krb5_enctype_to_string: %s", error_message(kerror));
+      krb5_error_code enc_err = krb5_enctype_to_string(ktypes[i], encoding, 128);
+      if(enc_err){
+        krb5_free_enctypes(ptr->ctx, ktypes);
+        rb_raise(cKrb5Exception, "krb5_enctype_to_string: %s", error_message(enc_err));
       }
       rb_hash_aset(v_enctypes, INT2FIX(ktypes[i]), rb_str_new2(encoding));
     }
+
+    krb5_free_enctypes(ptr->ctx, ktypes);
   }
 
   return v_enctypes;
@@ -730,8 +808,8 @@ void Init_rkerberos(void){
   rb_define_alias(cKrb5, "default_realm", "get_default_realm");
   rb_define_alias(cKrb5, "default_principal", "get_default_principal");
 
-  /* 0.2.1: The version of the custom rkerberos library */
-  rb_define_const(cKrb5, "VERSION", rb_str_new2("0.2.1"));
+  /* 0.2.3: The version of the custom rkerberos library */
+  rb_define_const(cKrb5, "VERSION", rb_str_new2("0.2.3"));
 
   // Encoding type constants
 

data/rkerberos.gemspec

@@ -2,7 +2,7 @@ require 'rubygems'
 
 Gem::Specification.new do |spec|
   spec.name       = 'rkerberos'
-  spec.version    = '0.2.1'
+  spec.version    = '0.2.3'
   spec.authors    = ['Daniel Berger', 'Dominic Cleal', 'Simon Levermann']
   spec.license    = 'Artistic-2.0'
   spec.email      = ['djberg96@gmail.com', 'dominic@cleal.org', 'simon-rubygems@slevermann.de']

data/spec/config_spec.rb

@@ -1,10 +1,11 @@
 # spec/config_spec.rb
 # RSpec tests for Kerberos::Kadm5::Config
 
-require 'rkerberos'
+require 'spec_helper'
 
-RSpec.describe Kerberos::Kadm5::Config do
-  subject(:config) { described_class.new }
+RSpec.describe 'Kerberos::Kadm5::Config', :kadm5 do
+  subject(:klass){ Kerberos::Kadm5::Config }
+  let(:config) { klass.new }
 
   it 'is frozen' do
     expect(config).to be_frozen
@@ -14,6 +15,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to realm' do
       expect(config).to respond_to(:realm)
     end
+
     it 'returns a String' do
       expect(config.realm).to be_a(String)
     end
@@ -23,6 +25,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to kadmind_port' do
       expect(config).to respond_to(:kadmind_port)
     end
+
     it 'returns an Integer' do
       expect(config.kadmind_port).to be_a(Integer)
     end
@@ -32,6 +35,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to kpasswd_port' do
       expect(config).to respond_to(:kpasswd_port)
     end
+
     it 'returns an Integer' do
       expect(config.kpasswd_port).to be_a(Integer)
     end
@@ -41,6 +45,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to admin_server' do
       expect(config).to respond_to(:admin_server)
     end
+
     it 'returns a String' do
       expect(config.admin_server).to be_a(String)
     end
@@ -50,6 +55,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to acl_file' do
       expect(config).to respond_to(:acl_file)
     end
+
     it 'returns a String' do
       expect(config.acl_file).to be_a(String)
     end
@@ -59,6 +65,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to dict_file' do
       expect(config).to respond_to(:dict_file)
     end
+
     it 'returns a String or nil' do
       expect([String, NilClass]).to include(config.dict_file.class)
     end
@@ -68,6 +75,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to stash_file' do
       expect(config).to respond_to(:stash_file)
     end
+
     it 'returns a String or nil' do
       expect([String, NilClass]).to include(config.stash_file.class)
     end
@@ -77,6 +85,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to mkey_name' do
       expect(config).to respond_to(:mkey_name)
     end
+
     it 'returns a String or nil' do
       expect([String, NilClass]).to include(config.mkey_name.class)
     end
@@ -86,6 +95,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to mkey_from_kbd' do
       expect(config).to respond_to(:mkey_from_kbd)
     end
+
     it 'returns an Integer or nil' do
       expect([Integer, NilClass]).to include(config.mkey_from_kbd.class)
     end
@@ -95,6 +105,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to enctype' do
       expect(config).to respond_to(:enctype)
     end
+
     it 'returns an Integer' do
       expect(config.enctype).to be_a(Integer)
     end
@@ -104,8 +115,9 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to max_life' do
       expect(config).to respond_to(:max_life)
     end
-    it 'returns an Integer or nil' do
-      expect([Integer, NilClass]).to include(config.max_life.class)
+
+    it 'returns an Integer' do
+      expect(config.max_life).to be_a(Integer)
     end
   end
 
@@ -113,8 +125,9 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to max_rlife' do
       expect(config).to respond_to(:max_rlife)
     end
-    it 'returns an Integer or nil' do
-      expect([Integer, NilClass]).to include(config.max_rlife.class)
+
+    it 'returns an Integer' do
+      expect(config.max_rlife).to be_a(Integer)
     end
   end
 
@@ -122,6 +135,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to expiration' do
       expect(config).to respond_to(:expiration)
     end
+
     it 'returns a Time or nil' do
       expect([Time, NilClass]).to include(config.expiration.class)
     end
@@ -131,6 +145,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to kvno' do
       expect(config).to respond_to(:kvno)
     end
+
     it 'returns an Integer or nil' do
       expect([Integer, NilClass]).to include(config.kvno.class)
     end
@@ -140,6 +155,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to iprop_enabled' do
       expect(config).to respond_to(:iprop_enabled)
     end
+
     it 'returns a boolean' do
       expect(!!config.iprop_enabled == config.iprop_enabled).to be true
     end
@@ -149,6 +165,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to iprop_logfile' do
       expect(config).to respond_to(:iprop_logfile)
     end
+
     it 'returns a String' do
       expect(config.iprop_logfile).to be_a(String)
     end
@@ -158,6 +175,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to iprop_poll_time' do
       expect(config).to respond_to(:iprop_poll_time)
     end
+
     it 'returns an Integer' do
       expect(config.iprop_poll_time).to be_a(Integer)
     end
@@ -167,6 +185,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to iprop_port' do
       expect(config).to respond_to(:iprop_port)
     end
+
     it 'returns an Integer or nil' do
       expect([Integer, NilClass]).to include(config.iprop_port.class)
     end
@@ -176,6 +195,7 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to num_keysalts' do
       expect(config).to respond_to(:num_keysalts)
     end
+
     it 'returns an Integer' do
       expect(config.num_keysalts).to be_a(Integer)
     end
@@ -185,9 +205,11 @@ RSpec.describe Kerberos::Kadm5::Config do
     it 'responds to keysalts' do
       expect(config).to respond_to(:keysalts)
     end
+
     it 'returns an Array' do
       expect(config.keysalts).to be_a(Array)
     end
+
     it 'contains KeySalt objects if not empty' do
       unless config.keysalts.empty?
         expect(config.keysalts.first).to be_a(Kerberos::Kadm5::KeySalt)

data/spec/context_spec.rb

@@ -1,7 +1,7 @@
 # spec/context_spec.rb
 # RSpec tests for Kerberos::Krb5::Context
 
-require 'rkerberos'
+require 'spec_helper'
 
 RSpec.describe Kerberos::Krb5::Context do
   subject(:context) { described_class.new }
@@ -19,17 +19,18 @@ RSpec.describe Kerberos::Krb5::Context do
   end
 
   describe 'constructor options' do
+    let(:profile_path){ RSpec.configuration.krb5_conf }
+
     it 'accepts secure: true to use a secure context' do
       expect { described_class.new(secure: true) }.not_to raise_error
     end
 
-    it 'accepts a profile path via :profile' do
-      profile_path = ENV['KRB5_CONFIG'] || '/etc/krb5.conf'
+    it 'accepts a profile path via :profile', :unix do
       expect(File).to exist(profile_path)
       expect { described_class.new(profile: profile_path) }.not_to raise_error
     end
 
-    it 'validates profile argument type' do
+    it 'validates profile argument type', :unix do
       expect { described_class.new(profile: 123) }.to raise_error(TypeError)
     end
 
@@ -43,10 +44,8 @@ RSpec.describe Kerberos::Krb5::Context do
       end
     end
 
-    it 'accepts secure: true together with profile' do
-      profile_path = ENV['KRB5_CONFIG'] || '/etc/krb5.conf'
+    it 'accepts secure: true together with profile', :unix do
       expect(File).to exist(profile_path)
-
       ctx = nil
       expect { ctx = described_class.new(secure: true, profile: profile_path) }.not_to raise_error
       expect(ctx).to be_a(described_class)

data/spec/credentials_cache_spec.rb

@@ -1,51 +1,55 @@
 # spec/credentials_cache_spec.rb
 # RSpec tests for Kerberos::Krb5::CredentialsCache
 
-require 'rkerberos'
-require 'etc'
+require 'spec_helper'
 require 'open3'
-require 'tmpdir'
 
 RSpec.describe Kerberos::Krb5::CredentialsCache do
-  let(:login) do
-    Etc.getlogin || ENV['USER'] || (Etc.getpwuid(Process.uid).name rescue nil)
-  end
   let(:realm) { Kerberos::Krb5.new.default_realm }
-  let(:princ) { "#{login}@#{realm}" }
-  let(:cfile) { File.join(Dir.tmpdir, "krb5cc_#{Etc.getpwnam(login).uid}") }
+  let(:princ) { RSpec.configuration.login + '@' + realm }
+  let(:cfile) { RSpec.configuration.krb5_cc_name }
   let(:ccache) { described_class.new }
 
   def cache_found?
-    found = true
-    Open3.popen3('klist') { |_, _, stderr| found = false unless stderr.gets.nil? }
-    found
+    if File::ALT_SEPARATOR
+      File.exist?(cfile)
+    else
+      found = true
+      Open3.popen3('klist') { |_, _, stderr| found = false unless stderr.gets.nil? }
+      found
+    end
   end
 
   after(:each) do
-    Open3.popen3('kdestroy') { sleep 0.1 }
+    Open3.popen3('kdestroy -q') { sleep 0.1 } if cache_found?
   end
 
   describe 'constructor' do
     it 'can be called with no arguments' do
       expect { described_class.new }.not_to raise_error
     end
+
     it 'does not create a cache with no arguments' do
       described_class.new
       expect(File.exist?(cfile)).to be false
       expect(cache_found?).to be false
     end
+
     it 'creates a cache with a principal' do
       expect { described_class.new(princ) }.not_to raise_error
       expect(File.exist?(cfile)).to be true
       expect(cache_found?).to be true
     end
+
     it 'accepts an explicit cache name' do
       expect { described_class.new(princ, cfile) }.not_to raise_error
       expect { described_class.new(nil, cfile) }.not_to raise_error
     end
+
     it 'raises error for non-string argument' do
       expect { described_class.new(true) }.to raise_error(TypeError)
     end
+
     it 'accepts only up to two arguments' do
       expect { described_class.new(princ, cfile, cfile) }.to raise_error(ArgumentError)
     end
@@ -55,15 +59,18 @@ RSpec.describe Kerberos::Krb5::CredentialsCache do
     it 'responds to close' do
       expect(described_class.new(princ)).to respond_to(:close)
     end
+
     it 'does not delete credentials cache' do
       c = described_class.new(princ)
       expect { c.close }.not_to raise_error
       expect(cache_found?).to be true
     end
+
     it 'can be called multiple times without error' do
       c = described_class.new(princ)
       expect { 3.times { c.close } }.not_to raise_error
     end
+
     it 'raises error when calling method on closed object' do
       c = described_class.new(princ)
       c.close
@@ -77,18 +84,43 @@ RSpec.describe Kerberos::Krb5::CredentialsCache do
       expect(c).to respond_to(:default_name)
       expect { c.default_name }.not_to raise_error
     end
+
     it 'returns a string' do
       c = described_class.new(princ)
       expect(c.default_name).to be_a(String)
     end
   end
 
+  describe '#cache_name and #cache_type' do
+    it 'returns the ccache name and type' do
+      c = described_class.new(princ)
+      expect(c).to respond_to(:cache_name)
+      expect(c).to respond_to(:cache_type)
+
+      expect(c.cache_name).to be_a(String)
+      expect(c.cache_type).to be_a(String)
+
+      # cache_name returns the residual portion of the cache name; default_name
+      # may include the type prefix (e.g. "FILE:"). ensure the suffix matches.
+      expect(c.cache_name).to eq(c.default_name.split(/\w{2,}:/).last)
+    end
+  end
+
+  describe '#principal' do
+    it 'is an alias for primary_principal' do
+      c = described_class.new(princ)
+      expect(c).to respond_to(:principal)
+      expect(c.principal).to eq(c.primary_principal)
+    end
+  end
+
   describe '#primary_principal' do
     it 'responds to primary_principal' do
       c = described_class.new(princ)
       expect(c).to respond_to(:primary_principal)
       expect { c.primary_principal }.not_to raise_error
     end
+
     it 'returns expected results' do
       c = described_class.new(princ)
       expect(c.primary_principal).to be_a(String)
@@ -102,28 +134,63 @@ RSpec.describe Kerberos::Krb5::CredentialsCache do
       c = described_class.new(princ)
       expect(c).to respond_to(:destroy)
     end
+
     it 'deletes credentials cache' do
       c = described_class.new(princ)
       expect { c.destroy }.not_to raise_error
       expect(cache_found?).to be false
     end
+
     it 'delete is an alias for destroy' do
       c = described_class.new(princ)
       expect(c).to respond_to(:delete)
       expect(c.method(:delete)).to eq(c.method(:destroy))
     end
+
     it 'returns false if no credentials cache' do
       c = described_class.new
       expect(c.destroy).to be false
     end
+
     it 'raises error when calling method on destroyed object' do
       c = described_class.new(princ)
       c.destroy
       expect { c.default_name }.to raise_error(Kerberos::Krb5::Exception)
     end
+
     it 'does not accept arguments' do
       c = described_class.new(princ)
       expect { c.destroy(true) }.to raise_error(ArgumentError)
     end
   end
+
+  describe '#dup' do
+    it 'returns a new cache object with the same properties' do
+      c = described_class.new(princ)
+      c2 = c.dup
+      expect(c2).to be_a(described_class)
+      expect(c2.default_name).to eq(c.default_name)
+      expect(c2.primary_principal).to eq(c.primary_principal)
+    end
+
+    it 'closing original does not affect duplicate' do
+      c = described_class.new(princ)
+      c2 = c.dup
+      c.close
+      expect { c2.default_name }.not_to raise_error
+    end
+
+    it 'closing duplicate does not affect original' do
+      c = described_class.new(princ)
+      c2 = c.dup
+      c2.close
+      expect { c.default_name }.not_to raise_error
+    end
+
+    it 'raises when duping closed cache' do
+      c = described_class.new(princ)
+      c.close
+      expect { c.dup }.to raise_error(Kerberos::Krb5::Exception)
+    end
+  end
 end