rkerberos 0.1.5 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 0d897e8c2ed3d3508c09e319b88cac0c1822d8da
-  data.tar.gz: 17a003387c3845fdf1de23630936e0254c90c0f5
+SHA256:
+  metadata.gz: 5a969c8a989d5d310bd6906a8023acdd1bd511524cdf85e1b8df35b9e51a424e
+  data.tar.gz: 8792c83e657bd1ddc3da150a2989906050ea48bc2631a2de9e95fe5a8983f2c1
 SHA512:
-  metadata.gz: 267b4c8f68541e0df99abc42c02fb5a2056d7a038f896966d13d22c25fae24017870cc7fda4df608c0be74c9780650f0e8c056d81afbfc0d5a42d35cd09f4cae
-  data.tar.gz: e96e6dc43c144b7c3b1075c0f9deb6c7471007aac66b6f30ab59d41b2ac2c361c3f84eb90089a03bb1c2d89e86257ba7875d77cec8691c00640e4f63492caac7
+  metadata.gz: 41e50b69c30e64a0ca78548cb189ad6627b41b951abb906caac1e27d2746afbd81df6b96e1cbb1910b1b0c535c5fddd752e5246ff4eab16af860e1797b599374
+  data.tar.gz: 1b3a230983ff08f515412a0bf2055f1152c8e3d757cda4d017d2ec72a53210c077a4874117a0d56256b42535b83d5495c4ec0e315d02cf2e6be9220384d0ac8f

data/CHANGES

@@ -1,3 +1,10 @@
+ = 0.2.0 - 14-Feb-2026
+* Added Docker and Podman support for running tests in isolated environments with Kerberos and OpenLDAP services.
+* Updated documentation with modern testing and development workflows, including container-based instructions.
+* Improved compatibility for Ruby 3.4 and later.
+* Enhanced build and test automation using docker-compose and podman-compose.
+* Various bug fixes, code cleanups, and test improvements.
+
 = 0.1.5 - 17-Oct-2016
 * Fix build error on Ruby 2.0.0/2.1 with CFLAGS concatenation
 

data/Dockerfile

@@ -0,0 +1,42 @@
+# Dockerfile for rkerberos Ruby gem testing
+FROM ruby:3.4
+
+# Install MIT Kerberos, KDC, admin server, and build tools
+RUN apt-get update && \
+        apt-get install -y --no-install-recommends \
+            libkrb5-dev krb5-user krb5-kdc krb5-admin-server rake build-essential && \
+        rm -rf /var/lib/apt/lists/*
+
+# Set up a working directory
+WORKDIR /app
+
+# Set admin credentials for tests (matches docker-compose.yml)
+ENV KRB5_ADMIN_PRINCIPAL=admin/admin@EXAMPLE.COM
+ENV KRB5_ADMIN_PASSWORD=adminpassword
+
+# Copy the gemspec and Gemfile for dependency installation
+COPY Gemfile rkerberos.gemspec ./
+
+
+# Install gem dependencies and RSpec
+RUN bundle install && gem install rspec
+
+
+# Create a more complete krb5.conf for testing (with kadmin support)
+RUN echo "[libdefaults]\n  default_realm = EXAMPLE.COM\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  ticket_lifetime = 24h\n  renew_lifetime = 7d\n  forwardable = true\n[realms]\n  EXAMPLE.COM = {\n    kdc = kerberos-kdc\n    admin_server = kerberos-kdc\n    default_domain = example.com\n  }\n[domain_realm]\n  .example.com = EXAMPLE.COM\n  example.com = EXAMPLE.COM\n[kadmin]\n  default_keys = des-cbc-crc:normal des-cbc-md5:normal aes256-cts:normal aes128-cts:normal rc4-hmac:normal\n  admin_server = kerberos-kdc\n" > /etc/krb5.conf
+
+
+# Create a minimal KDC and admin server config, and a permissive ACL for kadmin
+RUN mkdir -p /etc/krb5kdc && \
+    echo "[kdcdefaults]\n kdc_ports = 88\n[kdc]\n profile = /etc/krb5.conf\n" > /etc/krb5kdc/kdc.conf && \
+    echo "admin/admin@EXAMPLE.COM *" > /etc/krb5kdc/kadm5.acl
+
+
+# Copy the rest of the code
+COPY . .
+
+# Compile the C extension
+RUN rake compile
+
+# Run RSpec tests
+CMD ["bundle", "exec", "rspec"]

data/README.md

@@ -2,48 +2,99 @@
   The rkerberos library provides a Ruby interface for Kerberos.
 
 # Requirements
+
+# Linux
+   Install krb5 development libraries using your package manager. For example:
+
+      # Debian/Ubuntu
+      sudo apt-get install libkrb5-dev
+
+      # Fedora/RHEL
+      sudo dnf install krb5-devel
+
+   Then install this gem:
+
+      gem install rkerberos
+
+   or if using bundler:
+
+      bundle install
+
   Kerberos 1.7.0 or later, including admin header and library files.
 
-# OS X (10.11)
-  krb5 must be installed from source before installing the rkerberos gem:
-```
-  brew install openssl
-  curl -0 http://web.mit.edu/kerberos/dist/krb5/1.14/krb5-1.14.tar.gz
-  tar -xzf krb5-1.14.tar.gz
-  cd krb5-1.14/src
-  export CPPFLAGS='-I/usr/local/opt/openssl/include'
-  export LDFLAGS='-L/usr/local/opt/openssl/lib'
-  ./configure
-  make
-  make install
-```
-  latest release is here: http://web.mit.edu/kerberos/dist/index.html
-
-# Synopsis
-```ruby
-  require 'rkerberos'
-
-  # Get the default realm name
-  krb5 = Kerberos::Krb5.new
-  puts krb5.default_realm
-  krb5.close
-
-  # Get the default keytab name
-  keytab = Kerberos::Krb5::Keytab.new
-  puts keytab.default_name
-  keytab.close
-
-  # Set the password for a given principal
-  kadm5 = Kerberos::Kadm5.new(:principal => 'foo/admin', :password => 'xxxx')
-  kadm5.set_password('someuser', 'abc123')
-  kadm5.close
-
-  # Using the block form
-  Kerberos::Kadm5.new(:principal => 'foo/admin', :password => 'xxxx') do |kadm5|
-    p kadm5.get_principal('someuser')
-    kadm5.set_password('someuser', 'abc123')
-  end
-```
+# OS X
+  Install krb5 using homebrew:
+
+    `brew install krb5`
+
+  then install this gem using the homebrew version of krb5:
+
+    # Or '/opt/homebrew/opt/krb' depending on your system
+    `gem install rkerberos -- --with-rkerberos-dir=/usr/local/opt/krb5`
+
+  or if using bundler:
+
+    `bundle config --global build.rkerberos --with-rkerberos-dir=/usr/local/opt/krb5`
+    `bundle install`
+
+# Testing
+
+## Prerequisites
+- Ruby 3.4 or later
+- Docker or Podman
+- docker-compose or podman-compose
+
+## Running Tests with Docker
+1. Start the Kerberos and LDAP services:
+   ```bash
+   docker-compose up -d
+   ```
+
+2. Run the test suite:
+   ```bash
+   docker-compose run --rm rkerberos-test bundle exec rspec
+   ```
+
+3. Stop the services when done:
+   ```bash
+   docker-compose down
+   ```
+
+   Add the `--remove-orphans` switch if it's being a pain.
+
+## Running Tests with Podman
+1. Start the Kerberos and LDAP services:
+   ```bash
+   podman-compose up -d
+   ```
+
+2. Run the test suite:
+   ```bash
+   podman-compose run --rm rkerberos-test
+   ```
+
+3. Stop the services when done:
+   ```bash
+   podman-compose down
+   ```
+
+## Local Development
+If you make changes to the Ruby code or C extensions:
+
+1. Rebuild the test container:
+   ```bash
+   podman-compose build --no-cache rkerberos-test
+   ```
+
+2. Run the tests again:
+   ```bash
+   podman-compose run --rm rkerberos-test
+   ```
+
+The test environment includes:
+- MIT Kerberos KDC (Key Distribution Center)
+- OpenLDAP server for directory services
+- Pre-configured test principals and keytabs
 
 # Notes
   The rkerberos library is a repackaging of my custom branch of the krb5_auth
@@ -65,4 +116,4 @@
 * Simon Levermann (maintainer)
 
 # License
-  rkerberos is distributed under the Artistic 2.0 license.
+  rkerberos is distributed under the Artistic-2.0 license.

data/Rakefile

@@ -1,10 +1,17 @@
 require 'rake'
-require 'rake/testtask'
+begin
+  require 'rspec/core/rake_task'
+rescue LoadError
+  # RSpec not available
+end
 require 'rake/extensiontask'
 require 'rake/clean'
 require 'rbconfig'
 require 'rubygems/package'
 
+# Windows one-click
+require 'devkit' if RbConfig::CONFIG['host_os'] =~ /cygwin|mingw/i
+
 Rake::ExtensionTask.new('rkerberos')
 
 CLEAN.include(
@@ -30,9 +37,9 @@ end
 namespace :gem do
   desc 'Delete any existing gem files in the project.'
   task :clean do
-    Dir['*.gem'].each{ |f| File.delete(f) } 
+    Dir['*.gem'].each{ |f| File.delete(f) }
     rm_rf 'lib'
-  end 
+  end
 
   desc 'Create the gem'
   task :create => [:clean] do
@@ -43,7 +50,7 @@ namespace :gem do
   desc 'Install the gem'
   task :install => [:create] do
     file = Dir["*.gem"].first
-    sh "gem install #{file}" 
+    sh "gem install #{file}"
   end
 
   desc 'Create a binary gem'
@@ -64,86 +71,15 @@ namespace :sample do
   end
 end
 
-namespace 'test' do
-  Rake::TestTask.new('all') do |t|
-    task :all => [:clean, :compile]
-    t.libs << 'ext' 
-    t.warning = true
-    t.verbose = true
-  end
-
-  Rake::TestTask.new('context') do |t|
-    task :context => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_context.rb']
-    t.warning = true
-    t.verbose = true
-  end
-
-  Rake::TestTask.new('ccache') do |t|
-    task :ccache => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_credentials_cache.rb']
-    t.warning = true
-    t.verbose = true
-  end
-
-  Rake::TestTask.new('krb5') do |t|
-    task :krb5 => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_krb5.rb']
-    t.warning = true
-    t.verbose = true
-  end
-
-  Rake::TestTask.new('keytab') do |t|
-    task :keytab => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_krb5_keytab.rb']
-    t.warning = true
-    t.verbose = true
-  end
-
-  Rake::TestTask.new('keytab_entry') do |t|
-    task :keytab_entry => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_keytab_entry.rb']
-    t.warning = true
-    t.verbose = true
-  end
-
-  Rake::TestTask.new('principal') do |t|
-    task :principal => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_principal.rb']
-    t.warning = true
-    t.verbose = true
-  end
-
-  Rake::TestTask.new('kadm5') do |t|
-    task :kadm5 => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_kadm5.rb']
-    t.warning = true
-    t.verbose = true
-  end
-
-  Rake::TestTask.new('config') do |t|
-    task :config => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_config.rb']
-    t.warning = true
-    t.verbose = true
-  end
+# RSpec tasks
+desc 'Run all specs'
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.pattern = 'spec/**/*_spec.rb'
+end
 
-  Rake::TestTask.new('policy') do |t|
-    task :policy => [:clean, :compile]
-    t.libs << 'ext' 
-    t.test_files = FileList['test/test_policy.rb']
-    t.warning = true
-    t.verbose = true
-  end
+# Clean up afterwards
+Rake::Task[:spec].enhance do
+  Rake::Task[:clean].invoke
 end
 
-task :default => ['test:all']
-task :test => ['test:all']
+task :default => [:compile, :spec]

data/docker/Dockerfile.kdc

@@ -0,0 +1,16 @@
+FROM debian:bullseye
+
+RUN apt-get update && \
+    apt-get install -y krb5-kdc krb5-admin-server krb5-user krb5-kdc-ldap ldap-utils expect && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy configuration files
+COPY krb5.conf /etc/krb5.conf
+COPY kdc.conf /etc/krb5kdc/kdc.conf
+COPY kadm5.acl /etc/krb5kdc/kadm5.acl
+
+# Copy entrypoint
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

data/docker/docker-entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+# Initialize KDC DB if not already present
+if [ ! -f /etc/krb5kdc/.k5.EXAMPLE.COM ]; then
+  printf "masterpassword\nmasterpassword\n" | krb5_newrealm
+  kadmin.local -q "addprinc -pw adminpassword admin/admin"
+fi
+
+# Create standard test principals for keytab/credential cache tests
+kadmin.local -q "addprinc -pw changeme testuser1@EXAMPLE.COM"
+kadmin.local -q "addprinc -pw changeme zztop@EXAMPLE.COM"
+kadmin.local -q "addprinc -pw changeme martymcfly@EXAMPLE.COM"
+kadmin.local -q "ktadd -k /etc/krb5.keytab testuser1@EXAMPLE.COM"
+kadmin.local -q "ktadd -k /etc/krb5.keytab zztop@EXAMPLE.COM"
+kadmin.local -q "ktadd -k /etc/krb5.keytab martymcfly@EXAMPLE.COM"
+
+# Start KDC and admin server
+krb5kdc
+kadmind
+
+# Keep container running
+trap : TERM INT; sleep infinity & wait

data/docker/kadm5.acl

@@ -0,0 +1 @@
+admin/admin@EXAMPLE.COM *

data/docker/kdc.conf

@@ -0,0 +1,13 @@
+[kdcdefaults]
+ kdc_ports = 88
+
+[realms]
+ EXAMPLE.COM = {
+    admin_keytab = /etc/krb5kdc/kadm5.keytab
+    acl_file = /etc/krb5kdc/kadm5.acl
+    dict_file = /usr/share/dict/words
+    key_stash_file = /etc/krb5kdc/.k5.EXAMPLE.COM
+    kdc_ports = 88
+    max_life = 10h 0m 0s
+    max_renewable_life = 7d 0h 0m 0s
+ }

data/docker/krb5.conf

@@ -0,0 +1,14 @@
+[libdefaults]
+  default_realm = EXAMPLE.COM
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+
+[realms]
+  EXAMPLE.COM = {
+    kdc = kerberos-kdc
+    admin_server = kerberos-kdc
+  }
+
+[domain_realm]
+  .example.com = EXAMPLE.COM
+  example.com = EXAMPLE.COM

data/docker-compose.yml

@@ -0,0 +1,44 @@
+version: '3.8'
+services:
+  kerberos-kdc:
+    build:
+      context: ./docker
+      dockerfile: Dockerfile.kdc
+    container_name: kerberos-kdc
+    ports:
+      - "1088:88"
+      - "1749:749"
+    volumes:
+      - krb5-keytab:/etc/krb5.keytab
+    depends_on:
+      - ldap
+
+  rkerberos-test:
+    build: .
+    container_name: rkerberos-test
+    environment:
+      - LANG=C.UTF-8
+      - KRB5_CONFIG=/etc/krb5.conf
+      - KRB5_ADMIN_PRINCIPAL=admin/admin@EXAMPLE.COM
+      - KRB5_ADMIN_PASSWORD=adminpassword
+      # LDAP test variables for integration tests
+      - KRB5_LDAP_PRINCIPAL=admin@ldap
+      - KRB5_LDAP_PASSWORD=admin
+      - KRB5_LDAP_DRIVER=ou=People,dc=example,dc=com:foobar:uid
+    working_dir: /app
+    depends_on:
+      - kerberos-kdc
+
+  ldap:
+    image: osixia/openldap:latest
+    container_name: ldap
+    environment:
+      LDAP_ORGANISATION: "Example Org"
+      LDAP_DOMAIN: "example.com"
+      LDAP_BASE_DN: "dc=example,dc=com"
+      LDAP_ADMIN_PASSWORD: "admin"
+    ports:
+      - "1389:389"
+
+volumes:
+  krb5-keytab:

data/ext/rkerberos/ccache.c

@@ -2,28 +2,35 @@
 
 VALUE cKrb5CCache;
 
-// Free function for the Kerberos::Krb5::CCache class.
-static void rkrb5_ccache_free(RUBY_KRB5_CCACHE* ptr){
-  if(!ptr)
-    return;
 
-  if(ptr->ccache)
-    krb5_cc_close(ptr->ctx, ptr->ccache);
-
-  if(ptr->principal)
-    krb5_free_principal(ptr->ctx, ptr->principal);
-
-  if(ptr->ctx)
-    krb5_free_context(ptr->ctx);
+// TypedData functions for RUBY_KRB5_CCACHE
+static void rkrb5_ccache_typed_free(void *ptr) {
+  if (!ptr) return;
+  RUBY_KRB5_CCACHE *c = (RUBY_KRB5_CCACHE *)ptr;
+  if (c->ccache)
+    krb5_cc_close(c->ctx, c->ccache);
+  if (c->principal)
+    krb5_free_principal(c->ctx, c->principal);
+  if (c->ctx)
+    krb5_free_context(c->ctx);
+  free(c);
+}
 
-  free(ptr);
+static size_t rkrb5_ccache_typed_size(const void *ptr) {
+  return sizeof(RUBY_KRB5_CCACHE);
 }
 
+const rb_data_type_t rkrb5_ccache_data_type = {
+  "RUBY_KRB5_CCACHE",
+  {NULL, rkrb5_ccache_typed_free, rkrb5_ccache_typed_size,},
+  NULL, NULL, RUBY_TYPED_FREE_IMMEDIATELY
+};
+
 // Allocation function for the Kerberos::Krb5::CCache class.
 static VALUE rkrb5_ccache_allocate(VALUE klass){
-  RUBY_KRB5_CCACHE* ptr = malloc(sizeof(RUBY_KRB5_CCACHE));
+  RUBY_KRB5_CCACHE* ptr = ALLOC(RUBY_KRB5_CCACHE);
   memset(ptr, 0, sizeof(RUBY_KRB5_CCACHE));
-  return Data_Wrap_Struct(klass, 0, rkrb5_ccache_free, ptr);
+  return TypedData_Wrap_Struct(klass, &rkrb5_ccache_data_type, ptr);
 }
 
 /*
@@ -46,7 +53,7 @@ static VALUE rkrb5_ccache_initialize(int argc, VALUE* argv, VALUE self){
   krb5_error_code kerror;
   VALUE v_principal, v_name;
 
-  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
 
   rb_scan_args(argc, argv, "02", &v_principal, &v_name);
 
@@ -92,14 +99,14 @@ static VALUE rkrb5_ccache_initialize(int argc, VALUE* argv, VALUE self){
     if(kerror)
       rb_raise(cKrb5Exception, "krb5_cc_initialize: %s", error_message(kerror));
   }
-  
+
   return self;
 }
 
 /*
  * call-seq:
  *   ccache.close
- *   
+ *
  * Closes the ccache object. Once the ccache object is closed no more
  * methods may be called on it, or an exception will be raised.
  *
@@ -108,7 +115,7 @@ static VALUE rkrb5_ccache_initialize(int argc, VALUE* argv, VALUE self){
 static VALUE rkrb5_ccache_close(VALUE self){
   RUBY_KRB5_CCACHE* ptr;
 
-  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
 
   if(!ptr->ctx)
     return self;
@@ -141,7 +148,7 @@ static VALUE rkrb5_ccache_close(VALUE self){
 static VALUE rkrb5_ccache_default_name(VALUE self){
   RUBY_KRB5_CCACHE* ptr;
 
-  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
 
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
@@ -160,7 +167,7 @@ static VALUE rkrb5_ccache_primary_principal(VALUE self){
   krb5_error_code kerror;
   char* name;
 
-  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
 
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
@@ -193,7 +200,7 @@ static VALUE rkrb5_ccache_destroy(VALUE self){
   krb5_error_code kerror;
   VALUE v_bool = Qtrue;
 
-  Data_Get_Struct(self, RUBY_KRB5_CCACHE, ptr);
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
 
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
@@ -229,7 +236,7 @@ static VALUE rkrb5_ccache_destroy(VALUE self){
   return v_bool;
 }
 
-void Init_ccache(){
+void Init_ccache(void){
   /* The Kerberos::Krb5::CredentialsCache class encapsulates a Kerberos credentials cache. */
   cKrb5CCache = rb_define_class_under(cKrb5, "CredentialsCache", rb_cObject);