URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: opened
PR body: """
I had to switch to libcurl as a client in order to communicate properly over the HTTPS protocol. I added several new options that are necessary to initialize SSL (which certificates should be used and whether to check the hostname in the server's certificate or not).

* Example SSSD configuration:
```
[secrets]
debug_level = 0x3ff0

[secrets/users/10001]
provider = proxy
proxy_url = https://custodia.pb:10443/secrets
auth_type = header
auth_header_name = REMOTE_USER
auth_header_value = mysecretkey
cacert = /home/pbrezina/Downloads/cer/custodia-ca.pem
cert = /home/pbrezina/Downloads/cer/custodia-client.pem
key = /home/pbrezina/Downloads/cer/custodia-client.key
verify_host = false
```

* Example custodia configuration (just modify the default configuration, keeping the rest of the options intact):
```
[global]
server_version = "Secret/0.0.7"
debug = True
server_url = https://0.0.0.0:10443
tls_certfile = tests/ca/custodia-server.pem
tls_keyfile = tests/ca/custodia-server.key
tls_cafile = tests/ca/custodia-ca.pem
tls_verify_client = true
umask = 027

[auth:header]
handler = SimpleHeaderAuth
header = REMOTE_USER
value = mysecretkey

[authz:paths]
handler = SimplePathAuthz
paths = /.
```

* Download certificates and key to your client and you can use it like this
```shell
curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X POST http://localhost/secrets/mysecretkey/

curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X PUT http://localhost/secrets/mysecretkey/foo -d'{"type":"simple","value":"foosecret"}'

curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X POST http://localhost/secrets/mysecretkey/foo

curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X DELETE http://localhost/secrets/mysecretkey/foo

curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X DELETE http://localhost/secrets/mysecretkey/
```
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/198/head:pr198
git checkout pr198
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: edited
Changed field: body
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """ retest this please """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-287043707
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
jhrozek commented: """
Looks like the curl version on RHEL-7 is too old to support some features:
```
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c: In function 'curl_code2errno':
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c:98:10: error: 'CURLE_SSL_INVALIDCERTSTATUS' undeclared (first use in this function)
     case CURLE_SSL_INVALIDCERTSTATUS:
          ^
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c:98:10: note: each undeclared identifier is reported only once for each function it appears in
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c:99:10: error: 'CURLE_SSL_PINNEDPUBKEYNOTMATCH' undeclared (first use in this function)
     case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
          ^
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c: In function 'curlm_code2errno':
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c:138:10: error: 'CURLM_ADDED_ALREADY' undeclared (first use in this function)
     case CURLM_ADDED_ALREADY:
          ^
gcc -DHAVE_CONFIG_H -I. -I/var/lib/jenkins/workspace/ci/label/rhel7 -Wall -I.. -I/var/lib/jenkins/workspace/ci/label/rhel7/src/sss_client -I/var/lib/jenkins/workspace/ci/label/rhel7/src -I.
-I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/libnl3 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -DLIBDIR="/usr/local/lib" -DVARDIR="/usr/local/var" -DSSS_STATEDIR="/usr/local/var/lib/sss" -DSYSCONFDIR="/usr/local/etc" -DSHLIBEXT="" -DSSSDDATADIR="/usr/local/share/sssd" -DSSSD_LIBEXEC_PATH="/usr/local/libexec/sssd" -DSSSD_CONF_DIR="/usr/local/etc/sssd" -DSSS_NSS_MCACHE_DIR="/usr/local/var/lib/sss/mc" -DSSS_NSS_SOCKET_NAME="/usr/local/var/lib/sss/pipes/nss" -DSSS_PAM_SOCKET_NAME="/usr/local/var/lib/sss/pipes/pam" -DSSS_PAC_SOCKET_NAME="/usr/local/var/lib/sss/pipes/pac" -DSSS_PAM_PRIV_SOCKET_NAME="/usr/local/var/lib/sss/pipes/private/pam" -DSSS_SEC_SOCKET_NAME="/usr/local/var/run/secrets.socket" -DSSS_SUDO_SOCKET_NAME="/usr/local/var/lib/sss/pipes/sudo" -DSSS_AUTOFS_SOCKET_NAME="/usr/local/var/lib/sss/pipes/autofs" -DSSS_SSH_SOCKET_NAME="/usr/local/var/lib/sss/pipes/ssh" -DLOCALEDIR="/usr/local/share/locale" -DBASE_FILE_STEM="monitor" -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -g3 -O2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -c -o src/monitor/monitor.o /var/lib/jenkins/workspace/ci/label/rhel7/src/monitor/monitor.c ``` """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-288338780
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
jhrozek commented: """
Looks like the CI tests fail even on fedora..:
```
=================================== FAILURES ===================================
____________________________ test_curlwrap_crd_ops _____________________________
Traceback (most recent call last):
  File "/var/lib/jenkins/workspace/ci/label/fedora25/src/tests/intg/test_secrets.py", line 226, in test_curlwrap_crd_ops
    404)
  File "/var/lib/jenkins/workspace/ci/label/fedora25/src/tests/intg/test_secrets.py", line 203, in run_curlwrap_tool
    assert cmd.returncode == 0
AssertionError: assert -11 == 0
 +  where -11 = <subprocess.Popen object at 0x7ffa175d4e50>.returncode
____________________________ test_curlwrap_parallel ____________________________
Traceback (most recent call last):
  File "/var/lib/jenkins/workspace/ci/label/fedora25/src/tests/intg/test_secrets.py", line 294, in test_curlwrap_parallel
    run_curlwrap_tool(args, 200)
  File "/var/lib/jenkins/workspace/ci/label/fedora25/src/tests/intg/test_secrets.py", line 203, in run_curlwrap_tool
    assert cmd.returncode == 0
AssertionError: assert -11 == 0
 +  where -11 = <subprocess.Popen object at 0x7ffa175ecc10>.returncode
==================== 2 failed, 169 passed in 453.18 seconds ====================
Makefile:737: recipe for target 'intgcheck-installed' failed
make[2]: *** [intgcheck-installed] Error 1
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-288342668
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
jhrozek commented: """
I think you need to make libcurl detection not optional, but required if sssd is built with sssd-secrets to avoid errors like:
```
/builddir/build/BUILD/sssd-1.15.3/src/util/tev_curl.c:32:23: fatal error: curl/curl.h: No such file or directory <--[gcc]
```
I already did that in the KCM patchset for KCM, so chances are you need to do the same modification in your patches and we'll sort out any potential conflicts when we merge the patches. """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-288343137
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
jhrozek commented: """ About the missing Content-Length, did you check with @tiran if this is a bug in Custodia?
Finally, I'm conflicted if we need to allow the options to disable peer verification and hostname verification. I would prefer to push admins towards fixing their setups, not just putting a bandaid over their issues. """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-288351065
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
Label: +Changes requested
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
pbrezina commented: """ On 03/22/2017 10:09 AM, Jakub Hrozek wrote:
Looks like the curl version on RHEL-7 is too old to support some features:
```
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c: In function 'curl_code2errno':
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c:98:10: error: 'CURLE_SSL_INVALIDCERTSTATUS' undeclared (first use in this function)
     case CURLE_SSL_INVALIDCERTSTATUS:
          ^
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c:98:10: note: each undeclared identifier is reported only once for each function it appears in
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c:99:10: error: 'CURLE_SSL_PINNEDPUBKEYNOTMATCH' undeclared (first use in this function)
     case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
          ^
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c: In function 'curlm_code2errno':
/var/lib/jenkins/workspace/ci/label/rhel7/src/util/tev_curl.c:138:10: error: 'CURLM_ADDED_ALREADY' undeclared (first use in this function)
     case CURLM_ADDED_ALREADY:
          ^
gcc -DHAVE_CONFIG_H -I.
```
Given those are just error codes I think we can avoid them.
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-288363707
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """
I can reproduce crash on my local machine
```
$./tcurl-test-tool --debug 9 -v -s /tmp/sssd-intg.mv9upf1l/var/run/secrets.socket 'http://localhost/secrets/foo'
(Thu Mar 23 16:22:28:098962 2017) [sssd] [tcurl_request_send] (0x0400): Sending TCURL request for http://localhost/secrets/foo, at socket /tmp/sssd-intg.mv9upf1l/var/run/secrets.socket
(Thu Mar 23 16:22:28:099005 2017) [sssd] [schedule_fd_processing] (0x2000): timeout_ms: 0
(Thu Mar 23 16:22:28:099080 2017) [sssd] [handle_socket] (0x2000): Activity on curl socket 4 socket data (nil)
(Thu Mar 23 16:22:28:099097 2017) [sssd] [schedule_fd_processing] (0x2000): timeout_ms: 0
(Thu Mar 23 16:22:28:099111 2017) [sssd] [check_curl_timeouts] (0x4000): Still tracking 1 outstanding requests
(Thu Mar 23 16:22:28:099124 2017) [sssd] [schedule_fd_processing] (0x2000): timeout_ms: 199
(Thu Mar 23 16:22:28:099132 2017) [sssd] [check_curl_timeouts] (0x4000): Still tracking 1 outstanding requests
(Thu Mar 23 16:22:28:099307 2017) [sssd] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Thu Mar 23 16:22:28:099321 2017) [sssd] [tcurl_write_data] (0x2000): <html>
<head>
<title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested resource was not found.</p>
</body>
(Thu Mar 23 16:22:28:099335 2017) [sssd] [tcurl_write_data] (0x2000): <--- end libcurl data
(Thu Mar 23 16:22:28:099346 2017) [sssd] [handle_socket] (0x2000): Activity on curl socket 4 socket data 0x160b570
(Thu Mar 23 16:22:28:099355 2017) [sssd] [handle_curlmsg_done] (0x0400): Handled http://localhost/secrets/foo
(Thu Mar 23 16:22:28:099367 2017) [sssd] [tcurl_request_done] (0x0400): TCURL request finished [0]: Success
Segmentation fault (core dumped)
```
and backtrace is clear that request is NULL
```
(gdb) bt
#0  _tevent_req_data (req=req@entry=0x0) at ../tevent_req.c:334
#1  0x0000000000402efc in tcurl_request_done (response_code=404, process_error=0, req=0x0) at src/util/tev_curl.c:725
#2  handle_curlmsg_done (message=<optimized out>) at src/util/tev_curl.c:234
#3  process_curl_activity (tctx=<optimized out>) at src/util/tev_curl.c:245
#4  0x000000000040335a in tcurlsock_input_available (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, data=<optimized out>) at src/util/tev_curl.c:288
#5  0x00007f948ca53a50 in epoll_event_loop (tvalp=0x7ffc3bcf32c0, epoll_ev=0x131e330) at ../tevent_epoll.c:728
#6  epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:930
#7  0x00007f948ca51ec7 in std_event_loop_once (ev=0x131e0b0, location=0x404d90 "src/tests/tcurl_test_tool.c:283") at ../tevent_standard.c:114
#8  0x00007f948ca4dcad in _tevent_loop_once (ev=ev@entry=0x131e0b0, location=location@entry=0x404d90 "src/tests/tcurl_test_tool.c:283") at ../tevent.c:721
#9  0x0000000000402603 in run_requests (requests=<optimized out>, tool_ctx=0x130bb90) at src/tests/tcurl_test_tool.c:283
#10 main (argc=<optimized out>, argv=<optimized out>) at src/tests/tcurl_test_tool.c:360
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-288755316
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """ Just for the record. Crash was caused by setting `long` value into variable `response_code` which had type `int`. And variables `req` and `response_code` were on the stack near each other.
```
  CC       src/util/tcurl_test_tool-tev_curl.o
In function ‘handle_curlmsg_done’,
    inlined from ‘process_curl_activity.isra.0’ at src/util/tev_curl.c:245:13:
src/util/tev_curl.c:224:11: error: call to ‘_curl_easy_getinfo_err_long’ declared with attribute warning: curl_easy_getinfo expects a pointer to long for this info [-Werror]
     crv = curl_easy_getinfo(easy_handle, CURLINFO_RESPONSE_CODE, &response_code);
           ^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-289436128
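The failure mode described in the comment above, modelled without libcurl as an added example (not code from the PR or from SSSD). `fake_getinfo()`, `FAKE_INFO_RESPONSE_CODE` and `struct frame` are hypothetical stand-ins for the variadic `curl_easy_getinfo()` call and for the two neighbouring stack variables; the fixed variant receives into a `long` and range-checks before narrowing.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for CURLINFO_RESPONSE_CODE. */
#define FAKE_INFO_RESPONSE_CODE 1
/* Constructed marker value used to detect an overwrite. */
#define CANARY 0xdeadbeefu

/*
 * Model of the caller's stack: an int result directly followed by another
 * variable. `neighbour` plays the role of the bytes that belonged to `req`.
 */
struct frame {
    int response_code;
    unsigned int neighbour;
};
_Static_assert(sizeof(struct frame) >= sizeof(long),
               "model frame must be able to hold a long");

/*
 * Hypothetical stand-in for a variadic getinfo call. The output pointer
 * travels through "...", so the compiler cannot check its type, and the
 * callee always stores sizeof(long) bytes at that address.
 */
static int fake_getinfo(int info, ...)
{
    va_list ap;
    void *out;
    long code = 404;

    if (info != FAKE_INFO_RESPONSE_CODE) {
        return -1;
    }
    va_start(ap, info);
    out = va_arg(ap, void *);
    va_end(ap);

    memcpy(out, &code, sizeof(code));
    return 0;
}

/* Buggy pattern: the callee is handed the address of an int-sized slot. */
static unsigned int buggy_neighbour_after_call(void)
{
    struct frame f = { 0, CANARY };

    /* &f is also the address of f.response_code. */
    fake_getinfo(FAKE_INFO_RESPONSE_CODE, (void *)&f);
    return f.neighbour;
}

/* Returns 1 if the buggy call damaged the neighbouring variable. */
static int buggy_call_clobbers(void)
{
    return buggy_neighbour_after_call() != CANARY;
}

/* Fixed pattern: receive into a long, range-check, then narrow to int. */
static int fixed_get_response_code(struct frame *f)
{
    long code = 0;

    if (fake_getinfo(FAKE_INFO_RESPONSE_CODE, (void *)&code) != 0) {
        return -1;
    }
    if (code < INT_MIN || code > INT_MAX) {
        return -1;
    }
    f->response_code = (int)code;
    return 0;
}

int main(void)
{
    struct frame f = { 0, CANARY };
    int rc = fixed_get_response_code(&f);

    printf("buggy call clobbered neighbour: %s\n",
           buggy_call_clobbers() ? "yes" : "no");
    printf("fixed call: rc=%d code=%d neighbour intact: %s\n",
           rc, f.response_code, f.neighbour == CANARY ? "yes" : "no");
    return 0;
}
```

The overwrite only happens where `long` is wider than `int`; on such a little-endian platform the upper, all-zero half of 404 lands in the neighbouring variable.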
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
pbrezina commented: """ retest this please """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-289439821
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """
Build failed on rhel6 and rhel7 http://sssd-ci.duckdns.org/logs/job/65/71/summary.html

rhel7
```
make-tests
/var/lib/jenkins/workspace/ci/label/rhel7/src/tests/tcurl_test_tool.c: In function 'main':
/var/lib/jenkins/workspace/ci/label/rhel7/src/tests/tcurl_test_tool.c:320:26: error: 'POPT_ARG_ARGV' undeclared (first use in this function)
/var/lib/jenkins/workspace/ci/label/rhel7/src/tests/tcurl_test_tool.c:320:26: error: 'POPT_ARG_ARGV' undeclared (first use in this function)
         { "header", 'h', POPT_ARG_ARGV, &opts.headers, '\0', "Add HTTP header", NULL },
                          ^
```

rhel6
```
/var/lib/jenkins/workspace/ci/label/rhel6/src/util/tev_curl.c:890: error: 'CURLOPT_UNIX_SOCKET_PATH' undeclared (first use in this function)
/var/lib/jenkins/workspace/ci/label/rhel6/src/util/tev_curl.c:890: error: (Each undeclared identifier is reported only once
/var/lib/jenkins/workspace/ci/label/rhel6/src/util/tev_curl.c:890: error: for each function it appears in.)
/var/lib/jenkins/workspace/ci/label/rhel6/src/util/tev_curl.c:919: warning: declaration of 'socket' shadows a global declaration
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-289563435
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
Label: +Changes requested
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
pbrezina commented: """ I fixed simo's comments.
The compilation issue on RHEL7 is fixed simply by removing the argument -- given it's only a test tool I don't think it is worth spending time implementing this myself.
```c --- a/src/tests/tcurl_test_tool.c +++ b/src/tests/tcurl_test_tool.c @@ -317,7 +317,9 @@ int main(int argc, const char *argv[]) { "put", 'p', POPT_ARG_NONE, NULL, 'p', "Perform a HTTP PUT", NULL }, { "post", 'o', POPT_ARG_NONE, NULL, 'o', "Perform a HTTP POST", NULL }, { "del", 'd', POPT_ARG_NONE, NULL, 'd', "Perform a HTTP DELETE", NULL }, +#ifdef POPT_ARG_ARGV { "header", 'h', POPT_ARG_ARGV, &opts.headers, '\0', "Add HTTP header", NULL }, +#endif { "raw", 'r', POPT_ARG_NONE, &opts.raw, '\0', "Print raw protocol output", NULL }, { "verbose", 'v', POPT_ARG_NONE, &opts.verbose, '\0', "Print response code and body", NULL }, /* TLS */ ```
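Review bot: the `#ifdef POPT_ARG_ARGV` guard around the "header" table entry makes `-h`/`--header` disappear silently on builds where the symbol is not defined, so a test or script that passes a header there fails at option parsing with nothing pointing at the cause. Add a short comment at the guard saying why the entry is conditional, and check that `opts.headers` is initialised to NULL and treated as "no extra headers" when the entry is compiled out. The guard also assumes POPT_ARG_ARGV is a preprocessor macro and not an enum constant; if it were an enum, the entry would be dropped on every build.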
I renamed `socket` to `socket_path` so I don't shadow global. And we do not support secrets nor kcm in rhel6 so it should be configured `--without-secrets --without-kcm`. """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-289719387
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """ On (28/03/17 02:48), Pavel Březina wrote:
I fixed simo's comments.
The compilation issue on RHEL7 is fixed simply by removing the argument -- given it's only a test tool I don't think it is worth spending time implementing this myself.
--- a/src/tests/tcurl_test_tool.c +++ b/src/tests/tcurl_test_tool.c @@ -317,7 +317,9 @@ int main(int argc, const char *argv[]) { "put", 'p', POPT_ARG_NONE, NULL, 'p', "Perform a HTTP PUT", NULL }, { "post", 'o', POPT_ARG_NONE, NULL, 'o', "Perform a HTTP POST", NULL }, { "del", 'd', POPT_ARG_NONE, NULL, 'd', "Perform a HTTP DELETE", NULL }, +#ifdef POPT_ARG_ARGV { "header", 'h', POPT_ARG_ARGV, &opts.headers, '\0', "Add HTTP header", NULL }, +#endif { "raw", 'r', POPT_ARG_NONE, &opts.raw, '\0', "Print raw protocol output", NULL }, { "verbose", 'v', POPT_ARG_NONE, &opts.verbose, '\0', "Print response code and body", NULL }, /* TLS */
I renamed `socket` to `socket_path` so I don't shadow global. And we do not support secrets nor kcm in rhel6 so it should be configured `--without-secrets --without-kcm`.
The socket was just a warning. But there is an error 'CURLOPT_UNIX_SOCKET_PATH' because libcurl in el6 does not support unix sockets. So this binary `tcurl-test-tool` should not be built there. In `Makefile.am` we have
```
if BUILD_WITH_LIBCURL
noinst_PROGRAMS += tcurl-test-tool
endif
```
I assume it was related to the latest patch `build: make curl required by secrets`. I will need to check with latest version.

BTW the change in configure was done much later than in code. It should be either in the same patch when curl is required for sssd-secrets or before.
LS
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-289766710
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
pbrezina commented: """
Ok, I switched order of patches and added two more:
* ci: do not build secrets on rhel6 -- this should suppress building secrets on rhel6
* sss_iobuf: fix 'read' shadows a global declaration -- one more shadowed name
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-289771297
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """ hmm, it still fails with rhel{6,7}.
http://sssd-ci.duckdns.org/logs/job/66/07/summary.html """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-289998205
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """ BTW the 1st patch "tcurl: add support for ssl and raw output" caused a hang in test_secrets and therefore internal CI was blocked whole night. The 2nd patch "tcurl test: refactor so new options can be added more easily" fixed the test. """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290006897
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
jhrozek commented: """ On Wed, Mar 29, 2017 at 12:29:27AM -0700, lslebodn wrote:
BTW the 1st patch "tcurl: add support for ssl and raw output" caused a hang in test_secrets and therefore internal CI was blocked whole night. The 2nd patch "tcurl test: refactor so new options can be added more easily" fixed the test.
Then I propose we merge the patches.
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290007997
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
pbrezina commented: """ I fixed the hang. It was created due to newly added test in KCM patches that uses POST to create a container. Tcurl test tool can provide body to POST operation which was mandatory in the first patch, optional in the second. """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290040746
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """ We should skip secrets test on rhel6.
So the patch "ci: do not build secrets on rhel6" should also contain ``` diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py index d71c19045..6dc4c81ed 100644 --- a/src/tests/intg/test_secrets.py +++ b/src/tests/intg/test_secrets.py @@ -32,6 +32,14 @@ from util import unindent from secrets import SecretsLocalClient
+RESP_PATH = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_secrets") +if not os.access(RESP_PATH, os.X_OK): + if pytest.__version__ < "3.0.0": + pytest.skip() + else: + pytestmark = pytest.mark.skip + + def create_conf_fixture(request, contents): """Generate sssd.conf and add teardown for removing it""" conf = open(config.CONF_PATH, "w") ```
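Review bot: the version check `pytest.__version__ < "3.0.0"` in the added block compares strings, so it orders lexicographically ("10.0.0" sorts before "3.0.0") and picks the wrong branch for a two-digit major version; compare parsed version tuples instead. The block also relies on `os`, `config` and `pytest` already being imported in this file, which the visible context does not show, and passing a `reason=` to the skip would make the CI log say why the whole module was skipped.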
@jhrozek Did you mean something like this in comment "It would be cleaner to use pytest.mark.skipif on the package level" in `test_kcm.py` :-) BTW I am not sure whether it's the best pythonic way but it works :-) """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290040874
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
pbrezina commented: """ I'm going to run CI before pushing these patches. """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290040911
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """
rhel7 error
```
test_secrets.py::test_crd_ops PASSED
test_secrets.py::test_curlwrap_crd_ops FAILED
test_secrets.py::test_curlwrap_parallel PASSED
test_secrets.py::test_containers PASSED

======================= FAILURES==================================
_____________ test_curlwrap_crd_ops __________________________________
Traceback (most recent call last):
  File "/home/build/sssd/src/tests/intg/test_secrets.py", line 278, in test_curlwrap_crd_ops
    200)
  File "/home/build/sssd/src/tests/intg/test_secrets.py", line 207, in run_curlwrap_tool
    assert exp_http_code_str in out
AssertionError: assert 'Request HTTP code: 200' in ''
```

+ test_kcm_sec_* are failing as well on rhel7
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290052915
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """ There is still the same problem on rhel7 even with the latest version
```
(gdb) l 563
558             return;
559         }
560
561         len = http_parser_execute(&prctx->parser, &prctx->callbacks,
562                                   data.data, data.length);
563         if (len != data.length) {
564             DEBUG(SSSDBG_FATAL_FAILURE,
565                   "Failed to parse request, aborting client!\n");
566             talloc_free(cctx);
567             return;
(gdb) p len != data.length
$4 = 1
(gdb) p len
$5 = 116
(gdb) p data
$6 = {data = 0x7ffc8fec2190 "POST /secrets/cont/ HTTP/1.1\r\nHost: localhost\r\nAccept: */*\r\nContent-type: application/octet-stream\r\nContent-Length: -1\r\n\r\n", length = 122}
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290092914
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: synchronized
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
pbrezina commented: """ I changed `POST` method from `CURLOPT_POST` to `CURLOPT_CUSTOMREQUEST = "POST"` since the first option uses different options to pass data and data length to curl. Now it works even on rhel7. """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290394404
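Offset 116 in the gdb session above is the first byte of the `Content-Length` value in the 122-byte request. The following added example (not http_parser's or SSSD's code) runs a strict header check over those same bytes; `strict_header_scan()` and `has_prefix_ci()` are hypothetical helpers that validate only the Content-Length value, `REQ_BAD` is copied from the gdb output and `REQ_OK` is constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Request bytes as shown in the gdb output (122 bytes). */
static const char REQ_BAD[] =
    "POST /secrets/cont/ HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Accept: */*\r\n"
    "Content-type: application/octet-stream\r\n"
    "Content-Length: -1\r\n"
    "\r\n";

/* Constructed: the same request with a valid length for an empty body. */
static const char REQ_OK[] =
    "POST /secrets/cont/ HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Accept: */*\r\n"
    "Content-type: application/octet-stream\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Case-insensitive prefix match; `prefix` must be lower case. */
static int has_prefix_ci(const char *s, size_t n, const char *prefix)
{
    size_t i, plen = strlen(prefix);

    if (n < plen) return 0;
    for (i = 0; i < plen; i++) {
        if (tolower((unsigned char)s[i]) != prefix[i]) return 0;
    }
    return 1;
}

/*
 * Scan CRLF-terminated lines up to the blank line that ends the headers.
 * Returns `len` when no offending byte is found, otherwise the offset of
 * the first offending byte. Only Content-Length is validated: it must be
 * one or more digits and fit in an unsigned long long.
 */
static size_t strict_header_scan(const char *buf, size_t len)
{
    size_t pos = 0;

    while (pos < len) {
        const char *line = buf + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t n, i;

        if (nl == NULL) return pos;                 /* unterminated line */
        n = (size_t)(nl - line);
        if (n == 0 || line[n - 1] != '\r') return pos + n;   /* bare LF */
        n--;                                        /* strip the CR */
        if (n == 0) return len;                     /* end of headers */

        if (has_prefix_ci(line, n, "content-length:")) {
            unsigned long long value = 0;

            i = strlen("content-length:");
            while (i < n && (line[i] == ' ' || line[i] == '\t')) i++;
            if (i == n) return pos + i;             /* empty value */
            for (; i < n; i++) {
                unsigned int d;

                /* A sign, space or letter is rejected here. */
                if (!isdigit((unsigned char)line[i])) return pos + i;
                d = (unsigned int)(line[i] - '0');
                if (value > (ULLONG_MAX - d) / 10) return pos + i;
                value = value * 10 + d;
            }
        }
        pos += n + 2;                               /* skip line and CRLF */
    }
    return pos;
}

int main(void)
{
    printf("bad request: accepted %zu of %zu bytes\n",
           strict_header_scan(REQ_BAD, sizeof(REQ_BAD) - 1),
           sizeof(REQ_BAD) - 1);
    printf("ok request:  accepted %zu of %zu bytes\n",
           strict_header_scan(REQ_OK, sizeof(REQ_OK) - 1),
           sizeof(REQ_OK) - 1);
    return 0;
}
```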
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
lslebodn commented: """ http://sssd-ci.duckdns.org/logs/job/66/78/summary.html
master: """
See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290479039
URL: https://github.com/SSSD/sssd/pull/198 Author: pbrezina Title: #198: secrets: support https in proxy provider Action: closed
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider
Label: +Pushed
sssd-devel@lists.fedorahosted.org