rkerberos 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5a969c8a989d5d310bd6906a8023acdd1bd511524cdf85e1b8df35b9e51a424e
-  data.tar.gz: 8792c83e657bd1ddc3da150a2989906050ea48bc2631a2de9e95fe5a8983f2c1
+  metadata.gz: 7d95bc44b05fe9b2d7d50af063944d2464a39e2387c6af3c9b8dbefd68025e94
+  data.tar.gz: 8dcdcec07fcdd598065fc7e826dda60b66a683c0cfb500aaa594fdbe5b5c3326
 SHA512:
-  metadata.gz: 41e50b69c30e64a0ca78548cb189ad6627b41b951abb906caac1e27d2746afbd81df6b96e1cbb1910b1b0c535c5fddd752e5246ff4eab16af860e1797b599374
-  data.tar.gz: 1b3a230983ff08f515412a0bf2055f1152c8e3d757cda4d017d2ec72a53210c077a4874117a0d56256b42535b83d5495c4ec0e315d02cf2e6be9220384d0ac8f
+  metadata.gz: ee3844d89f82e24b9447f67538e40f9af8d4df630c3e3da757e0ce8c3d54b1ba1d3a57d48db0c2ed4001a687dd1ccfbcb2e3c5ef6eb120b5eed5802964a47f74
+  data.tar.gz: 93003f70201a17ecbc3f158cf4fa997657ee1d25b1c28d3e3019207f3b3664d880db4d3297a8a542d54343ad4fe2f38afa607b028ea161d6bbb50a1a526f4e63

data/{CHANGES → CHANGES.md}

@@ -1,3 +1,15 @@
+ = 0.2.1 - 1-Mar-2026
+* Added the verify_init_creds and an authenticate! methods.
+* The Context constructor now accepts optional :secure and/or :profile arguments
+  for different types of contexts.
+* Minor fix for the CredentialsCache constructor.
+* Minor fix for the get_init_creds_keytab method.
+* Fixed a mistake in an rb_funcall in the Policy class (thanks Ondřej Gajdušek).
+* Update gemspec so that releases don't include Docker related files (thanks Ondřej Gajdušek).
+* Add a spec:compose task for convenience.
+* The rake-compiler gem is now a development dependency, not a runtime
+  dependency (thanks Ondřej Gajdušek).
+
  = 0.2.0 - 14-Feb-2026
 * Added Docker and Podman support for running tests in isolated environments with Kerberos and OpenLDAP services.
 * Updated documentation with modern testing and development workflows, including container-based instructions.

data/{MANIFEST → MANIFEST.md}

@@ -1,6 +1,6 @@
-CHANGES
+CHANGES.md
 rkerberos.gemspec
-MANIFEST
+MANIFEST.md
 Rakefile
 README
 ext/ccache.c

data/README.md

@@ -1,5 +1,44 @@
+[![Ruby](https://github.com/rkerberos/rkerberos/actions/workflows/ci.yml/badge.svg)](https://github.com/rkerberos/rkerberos/actions/workflows/ci.yml)
+
 # Description
-  The rkerberos library provides a Ruby interface for Kerberos.
+The rkerberos library provides a Ruby interface for Kerberos.
+
+## Code synopsis
+
+Some basic usage:
+
+```ruby
+require 'rkerberos'
+
+# Client
+krb = Kerberos::Krb5.new
+puts krb.default_realm
+puts krb.default_principal
+puts krb.get_permitted_enctypes.keys.join(',')
+
+# Credentials cache
+cc = Kerberos::Krb5::CredentialsCache.new
+krb.verify_init_creds(nil, nil, cc)
+puts cc.primary_principal
+
+# Keytab
+kt_name = Kerberos::Krb5::Keytab.new.default_name # e.g. "FILE:/etc/krb5.keytab"
+krb.get_init_creds_keytab('host/server.example.com', kt_name)
+krb.get_init_creds_keytab('host/server.example.com', kt_name, nil, cc) # or write to cache
+
+# Admin
+Kerberos::Kadm5.new(principal: ENV['KRB5_ADMIN_PRINCIPAL'], password: ENV['KRB5_ADMIN_PASSWORD']) do |kadmin|
+  kadmin.create_principal('newuser@EXAMPLE.COM', 'initialpass')
+  kadmin.set_password('newuser@EXAMPLE.COM', 'betterpass')
+  kadmin.delete_principal('newuser@EXAMPLE.COM')
+end
+
+# Contexts
+ctx = Kerberos::Krb5::Context.new # standard context
+ctx = Kerberos::Krb5::Context.new(profile: '/etc/krb5.conf') # or use a profile
+ctx = Kerberos::Krb5::Context.new(secure: true) # or use a secure context
+ctx.close
+```
 
 # Requirements
 
@@ -91,6 +130,19 @@ If you make changes to the Ruby code or C extensions:
    podman-compose run --rm rkerberos-test
    ```
 
+Alternatively, you can just run containerized tests via the `spec:compose`
+Rake task. This task runs the same containerized workflow used above and
+prefers `podman-compose` with a `docker-compose` fallback.
+
+```bash
+# build image and run RSpec inside the test container
+rake spec:compose
+# skip the build step by passing a positional or named argument:
+# (equivalent forms)
+rake spec:compose[true]
+rake "spec:compose[fast=true]"
+```
+
 The test environment includes:
 - MIT Kerberos KDC (Key Distribution Center)
 - OpenLDAP server for directory services
@@ -112,8 +164,8 @@ The test environment includes:
 
 # Authors
 * Daniel Berger
-* Dominic Cleal (maintainer)
-* Simon Levermann (maintainer)
+* Dominic Cleal
+* Simon Levermann
 
 # License
   rkerberos is distributed under the Artistic-2.0 license.

data/Rakefile

@@ -77,6 +77,38 @@ RSpec::Core::RakeTask.new(:spec) do |t|
   t.pattern = 'spec/**/*_spec.rb'
 end
 
+# Run specs inside the project container using podman-compose (or docker-compose).
+namespace :spec do
+  desc 'Build test image and run RSpec inside container (podman-compose or docker-compose)'
+  task :compose, [:fast] do |t, args|
+    # allow either positional or named argument (e.g. "fast=true")
+    fast = args[:fast]
+    if fast && fast.include?("=")
+      k,v = fast.split("=",2)
+      fast = v if k == 'fast'
+    end
+    fast = true if fast == 'true'
+
+    compose = `which podman-compose`.strip
+    compose = 'docker-compose' if compose.empty?
+
+    if fast
+      puts "Using #{compose} to run containerized specs (fast)..."
+    else
+      puts "Using #{compose} to run containerized specs..."
+    end
+
+    FileUtils.rm_rf('Gemfile.lock')
+    begin
+      sh "#{compose} build --no-cache rkerberos-test" unless fast
+      sh "#{compose} run --rm rkerberos-test"
+    ensure
+      # redirect stderr so missing-container messages don't appear
+      sh "#{compose} down -v 2>/dev/null" rescue nil
+    end
+  end
+end
+
 # Clean up afterwards
 Rake::Task[:spec].enhance do
   Rake::Task[:clean].invoke

data/ext/rkerberos/ccache.c

@@ -57,10 +57,17 @@ static VALUE rkrb5_ccache_initialize(int argc, VALUE* argv, VALUE self){
 
   rb_scan_args(argc, argv, "02", &v_principal, &v_name);
 
-  // Convert the principal name to a principal object
-  if(RTEST(v_principal)){
+  if(RTEST(v_principal))
     Check_Type(v_principal, T_STRING);
 
+  // Initialize the context
+  kerror = krb5_init_context(&ptr->ctx);
+
+  if(kerror)
+    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+
+  // Convert the principal name to a principal object
+  if(RTEST(v_principal)){
     kerror = krb5_parse_name(
       ptr->ctx,
       StringValueCStr(v_principal),
@@ -71,12 +78,6 @@ static VALUE rkrb5_ccache_initialize(int argc, VALUE* argv, VALUE self){
       rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
   }
 
-  // Initialize the context
-  kerror = krb5_init_context(&ptr->ctx);
-
-  if(kerror)
-    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
-
   // Set the credentials cache using the default cache if no name is provided
   if(NIL_P(v_name)){
     kerror = krb5_cc_default(ptr->ctx, &ptr->ccache);

data/ext/rkerberos/context.c

@@ -1,5 +1,7 @@
 #include <rkerberos.h>
 
+#include <profile.h>
+
 VALUE cKrb5Context;
 
 // Free function for the Kerberos::Krb5::Context class.
@@ -51,23 +53,76 @@ static VALUE rkrb5_context_close(VALUE self){
 
 /*
  * call-seq:
- *   Kerberos::Context.new
+ *   Kerberos::Context.new(options = {})
  *
  * Creates and returns a new Kerberos::Context object.
  *
- * This class is not typically instantiated directly, but is used internally
- * by the krb5-auth library.
+ * The options hash may be one or both of the following keys:
+ *
+ *   :secure  => true|false           # Use config files only, ignore env variables
+ *   :profile => '/path/to/krb5.conf' # Use the specified profile file
  */
-static VALUE rkrb5_context_initialize(VALUE self){
+static VALUE rkrb5_context_initialize(int argc, VALUE *argv, VALUE self){
   RUBY_KRB5_CONTEXT* ptr;
+  VALUE v_opts;
+  VALUE v_secure, v_profile;
   krb5_error_code kerror;
 
   TypedData_Get_Struct(self, RUBY_KRB5_CONTEXT, &rkrb5_context_data_type, ptr);
 
-  kerror = krb5_init_context(&ptr->ctx);
+  rb_scan_args(argc, argv, "01", &v_opts);
+
+  // Default behavior is a normal context that may respect environment.
+  if (NIL_P(v_opts)) {
+    kerror = krb5_init_context(&ptr->ctx);
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+
+    return self;
+  }
+
+  Check_Type(v_opts, T_HASH);
+
+  v_secure = rb_hash_aref2(v_opts, ID2SYM(rb_intern("secure")));
+  v_profile = rb_hash_aref2(v_opts, ID2SYM(rb_intern("profile")));
+
+  /*
+   * If a profile path is supplied, load it via profile_init_path() and
+   * create a context from that profile. The KRB5_INIT_CONTEXT_SECURE flag
+   * is used when the :secure option is truthy.
+   */
+  if (!NIL_P(v_profile)){
+    Check_Type(v_profile, T_STRING);
+
+    const char *profile_path = StringValueCStr(v_profile);
+    profile_t profile = NULL;
+    long pres = profile_init_path(profile_path, &profile);
+
+    if(pres != 0)
+      rb_raise(cKrb5Exception, "profile_init_path: %ld", pres);
+
+    krb5_flags flags = RTEST(v_secure) ? KRB5_INIT_CONTEXT_SECURE : 0;
+    kerror = krb5_init_context_profile(profile, flags, &ptr->ctx);
+
+    profile_release(profile);
+
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_init_context_profile: %s", error_message(kerror));
+
+    return self;
+  }
 
-  if(kerror)
-    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+  // No profile given, choose secure or normal init.
+  if (RTEST(v_secure)){
+    kerror = krb5_init_secure_context(&ptr->ctx);
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_init_secure_context: %s", error_message(kerror));
+  }
+  else{
+    kerror = krb5_init_context(&ptr->ctx);
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+  }
 
   return self;
 }
@@ -80,7 +135,7 @@ void Init_context(void){
   rb_define_alloc_func(cKrb5Context, rkrb5_context_allocate);
 
   // Constructor
-  rb_define_method(cKrb5Context, "initialize", rkrb5_context_initialize, 0);
+  rb_define_method(cKrb5Context, "initialize", rkrb5_context_initialize, -1);
 
   // Instance Methods
   rb_define_method(cKrb5Context, "close", rkrb5_context_close, 0);

data/ext/rkerberos/kadm5.c

@@ -142,7 +142,6 @@ static VALUE rkadm5_initialize(VALUE self, VALUE v_opts){
   }
 
   if(RTEST(v_password)){
-#ifdef KADM5_API_VERSION_3
     kerror = kadm5_init_with_password(
       ptr->ctx,
       user,
@@ -154,24 +153,11 @@ static VALUE rkadm5_initialize(VALUE self, VALUE v_opts){
       ptr->db_args,
       &ptr->handle
     );
-#else
-    kerror = kadm5_init_with_password(
-      user,
-      pass,
-      service,
-      NULL,
-      KADM5_STRUCT_VERSION,
-      KADM5_API_VERSION_2,
-      ptr->db_args,
-      &ptr->handle
-    );
-#endif
 
     if(kerror)
       rb_raise(cKadm5Exception, "kadm5_init_with_password: %s", error_message(kerror));
   }
   else if(RTEST(v_keytab)){
-#ifdef KADM5_API_VERSION_3
     kerror = kadm5_init_with_skey(
       ptr->ctx,
       user,
@@ -183,18 +169,6 @@ static VALUE rkadm5_initialize(VALUE self, VALUE v_opts){
       ptr->db_args,
       &ptr->handle
     );
-#else
-    kerror = kadm5_init_with_skey(
-      user,
-      keytab,
-      service,
-      NULL,
-      KADM5_STRUCT_VERSION,
-      KADM5_API_VERSION_2,
-      ptr->db_args,
-      &ptr->handle
-    );
-#endif
 
     if(kerror)
       rb_raise(cKadm5Exception, "kadm5_init_with_skey: %s", error_message(kerror));

data/ext/rkerberos/policy.c

@@ -59,7 +59,7 @@ static VALUE rkadm5_policy_init(VALUE self, VALUE v_options){
 
   Check_Type(v_options, T_HASH);
 
-  if(RTEST(rb_funcall(v_options, rb_intern("empty?"), 0, 0)))
+  if(RTEST(rb_funcall(v_options, rb_intern("empty?"), 0)))
     rb_raise(rb_eArgError, "no policy options provided");
 
   v_name       = rb_hash_aref2(v_options, rb_str_new_cstr("name"));

data/ext/rkerberos/rkerberos.c

@@ -158,7 +158,6 @@ static VALUE rkrb5_get_init_creds_keytab(int argc, VALUE* argv, VALUE self){
 
   krb5_error_code kerror;
   krb5_get_init_creds_opt* opt;
-  krb5_creds cred;
 
   TypedData_Get_Struct(self, RUBY_KRB5, &rkrb5_data_type, ptr);
 
@@ -247,7 +246,7 @@ static VALUE rkrb5_get_init_creds_keytab(int argc, VALUE* argv, VALUE self){
 
   kerror = krb5_get_init_creds_keytab(
     ptr->ctx,
-    &cred,
+    &ptr->creds,
     ptr->princ,
     ptr->keytab,
     0,
@@ -394,6 +393,110 @@ static VALUE rkrb5_get_init_creds_passwd(int argc, VALUE* argv, VALUE self){
   return Qtrue;
 }
 
+ /*
+ * call-seq:
+ *   krb5.authenticate!(user, password, service = nil)
+ *
+ * Convenience method that: acquires initial credentials via password and
+ * immediately verifies those credentials using `verify_init_creds` with
+ * AP-REQ verification enabled (ap_req_nofail). This protects against
+ * KDC-forging/Zanarotti-style attacks by ensuring the ticket is verified
+ * against the KDC before it's treated as authenticated.
+ *
+ * Returns true on success and raises `Kerberos::Krb5::Exception` on error.
+ */
+static VALUE rkrb5_authenticate_bang(int argc, VALUE* argv, VALUE self){
+  RUBY_KRB5* ptr;
+  VALUE v_user, v_pass, v_service;
+  char* user;
+  char* pass;
+  char* service;
+  krb5_error_code kerror;
+  krb5_principal server_princ = NULL;
+
+  TypedData_Get_Struct(self, RUBY_KRB5, &rkrb5_data_type, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  // Require user and password, optional service
+  rb_scan_args(argc, argv, "21", &v_user, &v_pass, &v_service);
+
+  Check_Type(v_user, T_STRING);
+  Check_Type(v_pass, T_STRING);
+  user = StringValueCStr(v_user);
+  pass = StringValueCStr(v_pass);
+
+  if(NIL_P(v_service)){
+    service = NULL;
+  }
+  else{
+    Check_Type(v_service, T_STRING);
+    service = StringValueCStr(v_service);
+  }
+
+  // Acquire initial credentials (same as get_init_creds_password)
+  kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
+
+  if(kerror)
+    rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
+
+  kerror = krb5_get_init_creds_password(
+    ptr->ctx,
+    &ptr->creds,
+    ptr->princ,
+    pass,
+    0,
+    NULL,
+    0,
+    service,
+    NULL
+  );
+
+  if(kerror)
+    rb_raise(cKrb5Exception, "krb5_get_init_creds_password: %s", error_message(kerror));
+
+  /*
+   * Try strict verification first (AP-REQ nofail). If strict verification
+   * cannot be performed (e.g. missing keytab or other environment issue),
+   * fall back to the standard verification so authenticate! remains useful
+   * in minimal test environments.
+   */
+  krb5_verify_init_creds_opt vicopt;
+  krb5_error_code kerror_strict = 0;
+
+  krb5_verify_init_creds_opt_init(&vicopt);
+  krb5_verify_init_creds_opt_set_ap_req_nofail(&vicopt, TRUE);
+
+  // If caller supplied a service principal string, use it for verification.
+  if(service){
+    kerror = krb5_parse_name(ptr->ctx, service, &server_princ);
+
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_parse_name(service): %s", error_message(kerror));
+  }
+
+  // First, attempt strict verification
+  kerror = krb5_verify_init_creds(ptr->ctx, &ptr->creds, server_princ, NULL, NULL, &vicopt);
+
+  if(kerror){
+    /* strict verification failed — try a best-effort standard verify */
+    kerror_strict = kerror;
+    kerror = krb5_verify_init_creds(ptr->ctx, &ptr->creds, server_princ, NULL, NULL, NULL);
+    if(kerror){
+      if(server_princ)
+        krb5_free_principal(ptr->ctx, server_princ);
+      /* raise the original strict-verification error to inform caller */
+      rb_raise(cKrb5Exception, "krb5_verify_init_creds: %s", error_message(kerror_strict));
+    }
+  }
+
+  if(server_princ)
+    krb5_free_principal(ptr->ctx, server_princ);
+
+  return Qtrue;
+}
+
 /*
  * call-seq:
  *   krb5.close
@@ -518,6 +621,88 @@ static VALUE rkrb5_get_permitted_enctypes(VALUE self){
   return v_enctypes;
 }
 
+/*
+ * call-seq:
+ *   krb5.verify_init_creds(server = nil, keytab = nil, ccache = nil)
+ *
+ * Verifies the initial credentials currently stored in the internal
+ * credentials structure. Optionally a server principal string, a
+ * `Kerberos::Krb5::Keytab` and/or a `Kerberos::Krb5::CredentialsCache` may
+ * be supplied to influence verification. Returns true on success and raises
+ * `Kerberos::Krb5::Exception` on error.
+ */
+static VALUE rkrb5_verify_init_creds(int argc, VALUE* argv, VALUE self){
+  RUBY_KRB5* ptr;
+  VALUE v_server, v_keytab, v_ccache;
+  krb5_error_code kerror;
+  krb5_principal server_princ = NULL;
+  RUBY_KRB5_KEYTAB* ktptr = NULL;
+  RUBY_KRB5_CCACHE* ccptr = NULL;
+  krb5_keytab keytab = NULL;
+  krb5_ccache *ccache_ptr = NULL;
+
+  rb_scan_args(argc, argv, "03", &v_server, &v_keytab, &v_ccache);
+
+  TypedData_Get_Struct(self, RUBY_KRB5, &rkrb5_data_type, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  // Validate argument types first so callers get TypeError before other errors
+  if(!NIL_P(v_server)){
+    Check_Type(v_server, T_STRING);
+  }
+
+  if(!NIL_P(v_keytab)){
+    // Will raise TypeError if object isn't the expected Keytab typed data
+    TypedData_Get_Struct(v_keytab, RUBY_KRB5_KEYTAB, &rkrb5_keytab_data_type, ktptr);
+    keytab = ktptr->keytab;
+  }
+
+  if(!NIL_P(v_ccache)){
+    // Will raise TypeError if object isn't the expected CCache typed data
+    TypedData_Get_Struct(v_ccache, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ccptr);
+    ccache_ptr = &ccptr->ccache;
+  }
+
+  // Ensure we have credentials to verify (check after validating args)
+  if(ptr->creds.client == NULL)
+    rb_raise(cKrb5Exception, "no credentials have been acquired");
+
+  // Optional server principal (parse after context & arg validation)
+  if(!NIL_P(v_server)){
+    kerror = krb5_parse_name(ptr->ctx, StringValueCStr(v_server), &server_princ);
+    if(kerror)
+      rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
+  }
+
+  kerror = krb5_verify_init_creds(ptr->ctx, &ptr->creds, server_princ, keytab, ccache_ptr, NULL);
+
+  if(server_princ)
+    krb5_free_principal(ptr->ctx, server_princ);
+
+  if(kerror)
+    rb_raise(cKrb5Exception, "krb5_verify_init_creds: %s", error_message(kerror));
+
+  /* If the caller supplied a CredentialsCache object, store the verified
+     credentials there so Ruby-level callers can inspect the cache. */
+  if(ccache_ptr && *ccache_ptr){
+    krb5_error_code k2;
+
+    k2 = krb5_cc_initialize(ptr->ctx, *ccache_ptr, ptr->creds.client);
+
+    if(k2)
+      rb_raise(cKrb5Exception, "krb5_cc_initialize: %s", error_message(k2));
+
+    k2 = krb5_cc_store_cred(ptr->ctx, *ccache_ptr, &ptr->creds);
+
+    if(k2)
+      rb_raise(cKrb5Exception, "krb5_cc_store_cred: %s", error_message(k2));
+  }
+
+  return Qtrue;
+}
+
 void Init_rkerberos(void){
   mKerberos      = rb_define_module("Kerberos");
   cKrb5          = rb_define_class_under(mKerberos, "Krb5", rb_cObject);
@@ -530,6 +715,7 @@ void Init_rkerberos(void){
   rb_define_method(cKrb5, "initialize", rkrb5_initialize, 0);
 
   // Krb5 Methods
+  rb_define_method(cKrb5, "authenticate!", rkrb5_authenticate_bang, -1);
   rb_define_method(cKrb5, "change_password", rkrb5_change_password, 2);
   rb_define_method(cKrb5, "close", rkrb5_close, 0);
   rb_define_method(cKrb5, "get_default_realm", rkrb5_get_default_realm, 0);
@@ -538,13 +724,14 @@ void Init_rkerberos(void){
   rb_define_method(cKrb5, "get_default_principal", rkrb5_get_default_principal, 0);
   rb_define_method(cKrb5, "get_permitted_enctypes", rkrb5_get_permitted_enctypes, 0);
   rb_define_method(cKrb5, "set_default_realm", rkrb5_set_default_realm, -1);
+  rb_define_method(cKrb5, "verify_init_creds", rkrb5_verify_init_creds, -1);
 
   // Aliases
   rb_define_alias(cKrb5, "default_realm", "get_default_realm");
   rb_define_alias(cKrb5, "default_principal", "get_default_principal");
 
-  /* 0.2.0: The version of the custom rkerberos library */
-  rb_define_const(cKrb5, "VERSION", rb_str_new2("0.2.0"));
+  /* 0.2.1: The version of the custom rkerberos library */
+  rb_define_const(cKrb5, "VERSION", rb_str_new2("0.2.1"));
 
   // Encoding type constants
 

data/ext/rkerberos/rkerberos.h

@@ -20,6 +20,8 @@ extern "C" {
 
 // Make the ccache data type visible to other C files
 extern const rb_data_type_t rkrb5_ccache_data_type;
+// Make the keytab data type visible to other C files
+extern const rb_data_type_t rkrb5_keytab_data_type;
 
 #ifdef __cplusplus
 }

data/rkerberos.gemspec

@@ -2,20 +2,17 @@ require 'rubygems'
 
 Gem::Specification.new do |spec|
   spec.name       = 'rkerberos'
-  spec.version    = '0.2.0'
+  spec.version    = '0.2.1'
   spec.authors    = ['Daniel Berger', 'Dominic Cleal', 'Simon Levermann']
   spec.license    = 'Artistic-2.0'
   spec.email      = ['djberg96@gmail.com', 'dominic@cleal.org', 'simon-rubygems@slevermann.de']
-  spec.homepage   = 'http://github.com/domcleal/rkerberos'
+  spec.homepage   = 'http://github.com/rkerberos/rkerberos'
   spec.summary    = 'A Ruby interface for the the Kerberos library'
   spec.test_files = Dir['spec/**/*_spec.rb']
   spec.extensions = ['ext/rkerberos/extconf.rb']
-  spec.files      = `git ls-files`.split("\n").reject { |f| f.include?('git') }
-
-  spec.extra_rdoc_files  = ['README.md', 'CHANGES', 'MANIFEST', 'LICENSE'] + Dir['ext/rkerberos/*.c']
-
-  spec.add_dependency('rake-compiler')
+  spec.files      = Dir['**/*'].grep_v(%r{\A(?:\.git|docker|Dockerfile)})
 
+  spec.add_development_dependency('rake-compiler')
   spec.add_development_dependency('rspec', '>= 3.0')
   spec.add_development_dependency('net-ldap')
 
@@ -23,4 +20,16 @@ Gem::Specification.new do |spec|
     The rkerberos library is an interface for the Kerberos 5 network
     authentication protocol. It wraps the Kerberos C API.
   EOF
+
+  spec.metadata = {
+    'homepage_uri'          => 'https://github.com/rkerberos/rkerberos',
+    'bug_tracker_uri'       => 'https://github.com/rkerberos/rkerberos/issues',
+    'changelog_uri'         => 'https://github.com/rkerberos/rkerberos/blob/main/CHANGES.md',
+    'documentation_uri'     => 'https://github.com/rkerberos/rkerberos/wiki',
+    'source_code_uri'       => 'https://github.com/rkerberos/rkerberos',
+    'wiki_uri'              => 'https://github.com/rkerberos/rkerberos/wiki',
+    'github_repo'           => 'https://github.com/djberg96/rkerberos',
+    'funding_uri'           => 'https://github.com/sponsors/rkerberos',
+    'rubygems_mfa_required' => 'true'
+  }
 end

data/spec/context_spec.rb

@@ -18,6 +18,42 @@ RSpec.describe Kerberos::Krb5::Context do
     end
   end
 
+  describe 'constructor options' do
+    it 'accepts secure: true to use a secure context' do
+      expect { described_class.new(secure: true) }.not_to raise_error
+    end
+
+    it 'accepts a profile path via :profile' do
+      profile_path = ENV['KRB5_CONFIG'] || '/etc/krb5.conf'
+      expect(File).to exist(profile_path)
+      expect { described_class.new(profile: profile_path) }.not_to raise_error
+    end
+
+    it 'validates profile argument type' do
+      expect { described_class.new(profile: 123) }.to raise_error(TypeError)
+    end
+
+    it 'ignores environment when secure: true' do
+      begin
+        orig = ENV['KRB5_CONFIG']
+        ENV['KRB5_CONFIG'] = '/no/such/file'
+        expect { described_class.new(secure: true) }.not_to raise_error
+      ensure
+        ENV['KRB5_CONFIG'] = orig
+      end
+    end
+
+    it 'accepts secure: true together with profile' do
+      profile_path = ENV['KRB5_CONFIG'] || '/etc/krb5.conf'
+      expect(File).to exist(profile_path)
+
+      ctx = nil
+      expect { ctx = described_class.new(secure: true, profile: profile_path) }.not_to raise_error
+      expect(ctx).to be_a(described_class)
+      expect { ctx.close }.not_to raise_error
+    end
+  end
+
   after(:each) do
     context.close
   end

data/spec/krb5_spec.rb

@@ -3,6 +3,8 @@
 
 require 'rkerberos'
 require 'open3'
+require 'pty'
+require 'expect'
 
 RSpec.describe Kerberos::Krb5 do
   before(:all) do
@@ -10,6 +12,7 @@ RSpec.describe Kerberos::Krb5 do
     Open3.popen3('klist') { |_, _, stderr| @cache_found = false unless stderr.gets.nil? }
     @krb5_conf = ENV['KRB5_CONFIG'] || '/etc/krb5.conf'
     @realm = IO.read(@krb5_conf).split("\n").grep(/default_realm/).first.split('=').last.lstrip.chomp
+
   end
 
   subject(:krb5) { described_class.new }
@@ -18,7 +21,7 @@ RSpec.describe Kerberos::Krb5 do
   let(:service) { 'kadmin/admin' }
 
   it 'has the correct version constant' do
-    expect(Kerberos::Krb5::VERSION).to eq('0.2.0')
+    expect(Kerberos::Krb5::VERSION).to eq('0.2.1')
   end
 
   it 'accepts a block and yields itself' do
@@ -44,4 +47,107 @@ RSpec.describe Kerberos::Krb5 do
       expect(krb5.method(:default_realm)).to eq(krb5.method(:get_default_realm))
     end
   end
+
+  describe '#verify_init_creds' do
+    # Some KDC setups may not correctly set the initial password during
+    # entrypoint startup; enforce it here via the admin API so the test is
+    # deterministic.
+    before do
+      user = "testuser1@#{@realm}"
+      Kerberos::Kadm5.new(
+        principal: ENV.fetch('KRB5_ADMIN_PRINCIPAL', 'admin/admin@EXAMPLE.COM'),
+        password: ENV.fetch('KRB5_ADMIN_PASSWORD', 'adminpassword')
+      ) do |kadmin|
+        kadmin.set_password(user, 'changeme')
+      end
+    end
+
+    it 'responds to verify_init_creds' do
+      expect(krb5).to respond_to(:verify_init_creds)
+    end
+
+    it 'raises when no credentials have been acquired' do
+      expect { krb5.verify_init_creds }.to raise_error(Kerberos::Krb5::Exception)
+    end
+
+    it 'validates argument types' do
+      expect { krb5.verify_init_creds(true) }.to raise_error(TypeError)
+      expect { krb5.verify_init_creds(nil, true) }.to raise_error(TypeError)
+      expect { krb5.verify_init_creds(nil, nil, true) }.to raise_error(TypeError)
+    end
+
+    it 'verifies credentials obtained via password' do
+      krb5.get_init_creds_password(user, 'changeme')
+      expect(krb5.verify_init_creds).to be true
+    end
+
+    it 'accepts a server principal string' do
+      krb5.get_init_creds_password(user, 'changeme')
+      expect(krb5.verify_init_creds("kadmin/admin@#{@realm}")).to be true
+    end
+
+    it 'accepts a Keytab object' do
+      krb5.get_init_creds_password(user, 'changeme')
+      kt = Kerberos::Krb5::Keytab.new
+      expect(krb5.verify_init_creds(nil, kt)).to be true
+    end
+
+    it 'stores additional credentials in provided CredentialsCache' do
+      ccache = Kerberos::Krb5::CredentialsCache.new
+      krb5.get_init_creds_password(user, 'changeme')
+      expect(krb5.verify_init_creds(nil, nil, ccache)).to be true
+      expect(ccache.primary_principal).to be_a(String)
+      expect(ccache.primary_principal).to include('@')
+    end
+
+    it 'provides authenticate! which acquires and verifies (Zanarotti mitigation)' do
+      expect(krb5).to respond_to(:authenticate!)
+      expect(krb5.authenticate!(user, 'changeme')).to be true
+      expect(krb5.verify_init_creds).to be true
+    end
+
+    it 'accepts an optional service argument' do
+      expect { krb5.authenticate!(user, 'changeme', 'kadmin/changepw') }.not_to raise_error
+      expect(krb5.verify_init_creds).to be true
+    end
+
+    it 'validates argument types for authenticate!' do
+      expect { krb5.authenticate!(true, true) }.to raise_error(TypeError)
+    end
+  end
+
+  describe '#get_init_creds_keytab' do
+    before(:each) do
+      @kt_file = File.join(Dir.tmpdir, "test_get_init_creds_#{Process.pid}_#{rand(10000)}.keytab")
+
+      PTY.spawn('ktutil') do |reader, writer, _|
+        reader.expect(/ktutil:\s+/)
+        writer.puts("add_entry -password -p testuser1@#{@realm} -k 1 -e aes128-cts-hmac-sha1-96")
+        reader.expect(/Password for #{Regexp.quote("testuser1@#{@realm}")}:\s+/)
+        writer.puts('changeme')
+        reader.expect(/ktutil:\s+/)
+        writer.puts("wkt #{@kt_file}")
+        reader.expect(/ktutil:\s+/)
+        writer.puts('quit')
+      end
+    end
+
+    it 'responds to get_init_creds_keytab' do
+      expect(krb5).to respond_to(:get_init_creds_keytab)
+    end
+
+    it 'acquires credentials for a principal from a supplied keytab file' do
+      kt_name = "FILE:#{@kt_file}"
+      expect { krb5.get_init_creds_keytab(user, kt_name) }.not_to raise_error
+      expect(krb5.verify_init_creds).to be true
+    end
+
+    it 'accepts a CredentialsCache to receive credentials' do
+      ccache = Kerberos::Krb5::CredentialsCache.new
+      kt_name = "FILE:#{@kt_file}"
+      expect { krb5.get_init_creds_keytab(user, kt_name, nil, ccache) }.not_to raise_error
+      expect(ccache.primary_principal).to be_a(String)
+      expect(ccache.primary_principal).to include('@')
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rkerberos
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Daniel Berger
@@ -18,7 +18,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -63,34 +63,14 @@ email:
 executables: []
 extensions:
 - ext/rkerberos/extconf.rb
-extra_rdoc_files:
-- CHANGES
-- LICENSE
-- MANIFEST
-- README.md
-- ext/rkerberos/ccache.c
-- ext/rkerberos/config.c
-- ext/rkerberos/context.c
-- ext/rkerberos/kadm5.c
-- ext/rkerberos/keytab.c
-- ext/rkerberos/keytab_entry.c
-- ext/rkerberos/policy.c
-- ext/rkerberos/principal.c
-- ext/rkerberos/rkerberos.c
+extra_rdoc_files: []
 files:
-- CHANGES
-- Dockerfile
+- CHANGES.md
 - Gemfile
 - LICENSE
-- MANIFEST
+- MANIFEST.md
 - README.md
 - Rakefile
-- docker-compose.yml
-- docker/Dockerfile.kdc
-- docker/docker-entrypoint.sh
-- docker/kadm5.acl
-- docker/kdc.conf
-- docker/krb5.conf
 - ext/rkerberos/ccache.c
 - ext/rkerberos/config.c
 - ext/rkerberos/context.c
@@ -112,10 +92,19 @@ files:
 - spec/krb5_spec.rb
 - spec/policy_spec.rb
 - spec/principal_spec.rb
-homepage: http://github.com/domcleal/rkerberos
+homepage: http://github.com/rkerberos/rkerberos
 licenses:
 - Artistic-2.0
-metadata: {}
+metadata:
+  homepage_uri: https://github.com/rkerberos/rkerberos
+  bug_tracker_uri: https://github.com/rkerberos/rkerberos/issues
+  changelog_uri: https://github.com/rkerberos/rkerberos/blob/main/CHANGES.md
+  documentation_uri: https://github.com/rkerberos/rkerberos/wiki
+  source_code_uri: https://github.com/rkerberos/rkerberos
+  wiki_uri: https://github.com/rkerberos/rkerberos/wiki
+  github_repo: https://github.com/djberg96/rkerberos
+  funding_uri: https://github.com/sponsors/rkerberos
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -130,7 +119,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 4.0.3
 specification_version: 4
 summary: A Ruby interface for the the Kerberos library
 test_files:

data/Dockerfile

@@ -1,42 +0,0 @@
-# Dockerfile for rkerberos Ruby gem testing
-FROM ruby:3.4
-
-# Install MIT Kerberos, KDC, admin server, and build tools
-RUN apt-get update && \
-        apt-get install -y --no-install-recommends \
-            libkrb5-dev krb5-user krb5-kdc krb5-admin-server rake build-essential && \
-        rm -rf /var/lib/apt/lists/*
-
-# Set up a working directory
-WORKDIR /app
-
-# Set admin credentials for tests (matches docker-compose.yml)
-ENV KRB5_ADMIN_PRINCIPAL=admin/admin@EXAMPLE.COM
-ENV KRB5_ADMIN_PASSWORD=adminpassword
-
-# Copy the gemspec and Gemfile for dependency installation
-COPY Gemfile rkerberos.gemspec ./
-
-
-# Install gem dependencies and RSpec
-RUN bundle install && gem install rspec
-
-
-# Create a more complete krb5.conf for testing (with kadmin support)
-RUN echo "[libdefaults]\n  default_realm = EXAMPLE.COM\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  ticket_lifetime = 24h\n  renew_lifetime = 7d\n  forwardable = true\n[realms]\n  EXAMPLE.COM = {\n    kdc = kerberos-kdc\n    admin_server = kerberos-kdc\n    default_domain = example.com\n  }\n[domain_realm]\n  .example.com = EXAMPLE.COM\n  example.com = EXAMPLE.COM\n[kadmin]\n  default_keys = des-cbc-crc:normal des-cbc-md5:normal aes256-cts:normal aes128-cts:normal rc4-hmac:normal\n  admin_server = kerberos-kdc\n" > /etc/krb5.conf
-
-
-# Create a minimal KDC and admin server config, and a permissive ACL for kadmin
-RUN mkdir -p /etc/krb5kdc && \
-    echo "[kdcdefaults]\n kdc_ports = 88\n[kdc]\n profile = /etc/krb5.conf\n" > /etc/krb5kdc/kdc.conf && \
-    echo "admin/admin@EXAMPLE.COM *" > /etc/krb5kdc/kadm5.acl
-
-
-# Copy the rest of the code
-COPY . .
-
-# Compile the C extension
-RUN rake compile
-
-# Run RSpec tests
-CMD ["bundle", "exec", "rspec"]

data/docker/Dockerfile.kdc

@@ -1,16 +0,0 @@
-FROM debian:bullseye
-
-RUN apt-get update && \
-    apt-get install -y krb5-kdc krb5-admin-server krb5-user krb5-kdc-ldap ldap-utils expect && \
-    rm -rf /var/lib/apt/lists/*
-
-# Copy configuration files
-COPY krb5.conf /etc/krb5.conf
-COPY kdc.conf /etc/krb5kdc/kdc.conf
-COPY kadm5.acl /etc/krb5kdc/kadm5.acl
-
-# Copy entrypoint
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-RUN chmod +x /docker-entrypoint.sh
-
-ENTRYPOINT ["/docker-entrypoint.sh"]

data/docker/docker-entrypoint.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-set -e
-
-# Initialize KDC DB if not already present
-if [ ! -f /etc/krb5kdc/.k5.EXAMPLE.COM ]; then
-  printf "masterpassword\nmasterpassword\n" | krb5_newrealm
-  kadmin.local -q "addprinc -pw adminpassword admin/admin"
-fi
-
-# Create standard test principals for keytab/credential cache tests
-kadmin.local -q "addprinc -pw changeme testuser1@EXAMPLE.COM"
-kadmin.local -q "addprinc -pw changeme zztop@EXAMPLE.COM"
-kadmin.local -q "addprinc -pw changeme martymcfly@EXAMPLE.COM"
-kadmin.local -q "ktadd -k /etc/krb5.keytab testuser1@EXAMPLE.COM"
-kadmin.local -q "ktadd -k /etc/krb5.keytab zztop@EXAMPLE.COM"
-kadmin.local -q "ktadd -k /etc/krb5.keytab martymcfly@EXAMPLE.COM"
-
-# Start KDC and admin server
-krb5kdc
-kadmind
-
-# Keep container running
-trap : TERM INT; sleep infinity & wait

data/docker/kadm5.acl

@@ -1 +0,0 @@
-admin/admin@EXAMPLE.COM *

data/docker/kdc.conf

@@ -1,13 +0,0 @@
-[kdcdefaults]
- kdc_ports = 88
-
-[realms]
- EXAMPLE.COM = {
-    admin_keytab = /etc/krb5kdc/kadm5.keytab
-    acl_file = /etc/krb5kdc/kadm5.acl
-    dict_file = /usr/share/dict/words
-    key_stash_file = /etc/krb5kdc/.k5.EXAMPLE.COM
-    kdc_ports = 88
-    max_life = 10h 0m 0s
-    max_renewable_life = 7d 0h 0m 0s
- }

data/docker/krb5.conf

@@ -1,14 +0,0 @@
-[libdefaults]
-  default_realm = EXAMPLE.COM
-  dns_lookup_realm = false
-  dns_lookup_kdc = false
-
-[realms]
-  EXAMPLE.COM = {
-    kdc = kerberos-kdc
-    admin_server = kerberos-kdc
-  }
-
-[domain_realm]
-  .example.com = EXAMPLE.COM
-  example.com = EXAMPLE.COM

data/docker-compose.yml

@@ -1,44 +0,0 @@
-version: '3.8'
-services:
-  kerberos-kdc:
-    build:
-      context: ./docker
-      dockerfile: Dockerfile.kdc
-    container_name: kerberos-kdc
-    ports:
-      - "1088:88"
-      - "1749:749"
-    volumes:
-      - krb5-keytab:/etc/krb5.keytab
-    depends_on:
-      - ldap
-
-  rkerberos-test:
-    build: .
-    container_name: rkerberos-test
-    environment:
-      - LANG=C.UTF-8
-      - KRB5_CONFIG=/etc/krb5.conf
-      - KRB5_ADMIN_PRINCIPAL=admin/admin@EXAMPLE.COM
-      - KRB5_ADMIN_PASSWORD=adminpassword
-      # LDAP test variables for integration tests
-      - KRB5_LDAP_PRINCIPAL=admin@ldap
-      - KRB5_LDAP_PASSWORD=admin
-      - KRB5_LDAP_DRIVER=ou=People,dc=example,dc=com:foobar:uid
-    working_dir: /app
-    depends_on:
-      - kerberos-kdc
-
-  ldap:
-    image: osixia/openldap:latest
-    container_name: ldap
-    environment:
-      LDAP_ORGANISATION: "Example Org"
-      LDAP_DOMAIN: "example.com"
-      LDAP_BASE_DN: "dc=example,dc=com"
-      LDAP_ADMIN_PASSWORD: "admin"
-    ports:
-      - "1389:389"
-
-volumes:
-  krb5-keytab: