From c337508282c4a4ff7308bc1033e7c1a8ab6bf9dc Mon Sep 17 00:00:00 2001 From: Sebastian Lederer Date: Thu, 6 Jan 2022 09:46:24 +0100 Subject: [PATCH 1/7] fix check ticket for constrained delegation for the ticket is present in a different format using constrained delegation the isValid() test does not work properly. Signed-off-by: Arthur Schiwon --- src/KerberosApacheAuth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/KerberosApacheAuth.php b/src/KerberosApacheAuth.php index 03551aa..bc4e256 100644 --- a/src/KerberosApacheAuth.php +++ b/src/KerberosApacheAuth.php @@ -59,7 +59,7 @@ public function checkTicket(): bool { $krb5 = new \KRB5CCache(); $krb5->open($cacheFile); - return (bool)$krb5->isValid(); + return count($krb5->getEntries()) > 0; } private function init(): void { From ab262dd70622d51a5a94f80c18dd9dd0e3b5c2b8 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Thu, 6 Jan 2022 09:53:30 +0100 Subject: [PATCH 2/7] suppress exceptions with extra krb auth options - unsure yet whether this is really needed Signed-off-by: Arthur Schiwon --- src/KerberosApacheAuth.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/KerberosApacheAuth.php b/src/KerberosApacheAuth.php index bc4e256..dc87dc5 100644 --- a/src/KerberosApacheAuth.php +++ b/src/KerberosApacheAuth.php @@ -106,7 +106,11 @@ public function getExtraCommandLineArguments(): string { public function setExtraSmbClientOptions($smbClientState): void { $this->init(); - parent::setExtraSmbClientOptions($smbClientState); + try { + parent::setExtraSmbClientOptions($smbClientState); + } catch (Exception $e) { + // suppress + } } public function __destruct() { From fdf1051bd6b0832785fde2f9410f5bda99e457c2 Mon Sep 17 00:00:00 2001 
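Review bot: Replacing `isValid()` with a non-empty entry count on the changed line drops the expiry check entirely — a cache that still holds only expired credentials now passes checkTicket(), and init() goes on to export that cache for smbclient. Keeping the constrained-delegation fix while restoring expiry semantics would mean inspecting the entries instead of counting them, roughly `foreach ($krb5->getEntries() as $entry) { if (($entry['end_time'] ?? 0) > time()) { return true; } } return false;` — confirm the end-time key name against the installed krb5 extension, since the entry shape is not visible here. If the reason isValid() fails under constrained delegation is that it insists on a TGT, filtering by end time keeps the fix without accepting stale tickets. checkTicket() begins above the hunk; only its tail is visible.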
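Review bot: The new try/catch in setExtraSmbClientOptions() swallows every `Exception` from the parent call, so a failure to apply the Kerberos options to the smbclient state is silent and the caller proceeds without knowing whether the ticket was actually wired in — the commit message itself says this suppression is unverified. Catch only the type the parent is known to throw and at least record the failure; until that is known, mark it: `} catch (Exception $e) { // TODO(review): narrow to the parent's exception type and log/surface this — an unapplied Kerberos option means smbclient authenticates with something other than the intended ticket`. Whether `Exception` resolves to the global class or to a namespaced import is not visible in the hunk, and that determines what is actually caught. Note that `$this->init()` runs before the try, so its own exception is not suppressed.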
From: Arthur Schiwon Date: Mon, 17 Jan 2022 16:01:29 +0100 Subject: [PATCH 3/7] fix ticket check, remove unnecessary(?) code provided by downstream --- src/KerberosApacheAuth.php | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/src/KerberosApacheAuth.php b/src/KerberosApacheAuth.php index dc87dc5..766c7d7 100644 --- a/src/KerberosApacheAuth.php +++ b/src/KerberosApacheAuth.php @@ -76,27 +76,10 @@ private function init(): void { //read apache kerberos ticket cache $cacheFile = getenv("KRB5CCNAME"); - if (!$cacheFile) { + if (!$this->checkTicket()) { throw new Exception('No kerberos ticket cache environment variable (KRB5CCNAME) found.'); } - - $krb5 = new \KRB5CCache(); - $krb5->open($cacheFile); - if (!$krb5->isValid()) { - throw new Exception('Kerberos ticket cache is not valid.'); - } - - - if ($this->saveTicketInMemory) { - putenv("KRB5CCNAME=" . (string)$krb5->getName()); - } else { - //workaround: smbclient is not working with the original apache ticket cache. - $tmpFilename = tempnam("/tmp", "krb5cc_php_"); - $tmpCacheFile = "FILE:" . $tmpFilename; - $krb5->save($tmpCacheFile); - $this->ticketPath = $tmpFilename; - putenv("KRB5CCNAME=" . $tmpCacheFile); - } + putenv("KRB5CCNAME=" . $cacheFile); } public function getExtraCommandLineArguments(): string { From 49b33e08544e9f0d5fc45cdee85b9a786e868184 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Mon, 17 Jan 2022 16:02:04 +0100 Subject: [PATCH 4/7] removed unused member --- src/KerberosApacheAuth.php | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/KerberosApacheAuth.php b/src/KerberosApacheAuth.php index 766c7d7..5d4794a 100644 --- a/src/KerberosApacheAuth.php +++ b/src/KerberosApacheAuth.php 
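Review bot: The exception thrown when checkTicket() fails keeps the message 'No kerberos ticket cache environment variable (KRB5CCNAME) found.', but checkTicket() also returns false when the variable is set and the cache merely has no entries, so the message now misreports that case and will send an operator looking at the wrong thing. Since `$cacheFile` is still read on the line above, keep the two failures apart: `if (!$cacheFile) { throw new Exception('No kerberos ticket cache environment variable (KRB5CCNAME) found.'); }` followed by `if (!$this->checkTicket()) { throw new Exception('Kerberos ticket cache is empty or unreadable.'); }`. Dropping the temp-copy branch also means smbclient is now pointed at Apache's own cache path; the removed code called that a workaround for smbclient not working with the original cache, so it is worth recording in a comment why that no longer applies. init() starts above the hunk and the rest of its body is outside it.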
@@ -31,20 +31,9 @@ class KerberosApacheAuth extends KerberosAuth implements IAuth { /** @var string */ private $ticketPath = ""; - // only working with specific library (mod_auth_kerb, krb5, smbclient) versions - /** @var bool */ - private $saveTicketInMemory = false; - /** @var bool */ private $init = false; - /** - * @param bool $saveTicketInMemory - */ - public function __construct(bool $saveTicketInMemory = false) { - $this->saveTicketInMemory = $saveTicketInMemory; - } - /** * Check if a valid kerberos ticket is present * From 3a87f21b83249d26f70f6a84741d6d73591a6eb4 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Thu, 20 Jan 2022 14:36:37 +0100 Subject: [PATCH 5/7] re-add option for passing ticket by memory and copying the ticket to a new temp location --- src/KerberosApacheAuth.php | 51 ++++++++++++++++++++++++++++++++++---- 1 file changed, 46 insertions(+), 5 deletions(-) diff --git a/src/KerberosApacheAuth.php b/src/KerberosApacheAuth.php index 5d4794a..c708536 100644 --- a/src/KerberosApacheAuth.php +++ b/src/KerberosApacheAuth.php 
@@ -34,6 +34,46 @@ class KerberosApacheAuth extends KerberosAuth implements IAuth { /** @var bool */ private $init = false; + /** @var string|false */ + private $ticketName; + + public function __construct() { + $this->ticketName = getenv("KRB5CCNAME"); + } + + + /** + * Copy the ticket to a temporary location and use that ticket for authentication + * + * @return void + */ + public function copyTicket(): void { + if (!$this->checkTicket()) { + return; + } + $krb5 = new \KRB5CCache(); + $krb5->open($this->ticketName); + $tmpFilename = tempnam("/tmp", "krb5cc_php_"); + $tmpCacheFile = "FILE:" . $tmpFilename; + $krb5->save($tmpCacheFile); + $this->ticketPath = $tmpFilename; + $this->ticketName = $tmpCacheFile; + } + + /** + * Pass the ticket to smbclient by memory instead of path + * + * @return void + */ + public function passTicketFromMemory(): void { + if (!$this->checkTicket()) { + return; + } + $krb5 = new \KRB5CCache(); + $krb5->open($this->ticketName); + $this->ticketName = (string)$krb5->getName(); + } + /** * Check if a valid kerberos ticket is present * @@ -41,13 +81,12 @@ class KerberosApacheAuth extends KerberosAuth implements IAuth { */ public function checkTicket(): bool { //read apache kerberos ticket cache - $cacheFile = getenv("KRB5CCNAME"); - if (!$cacheFile) { + if (!$this->ticketName) { return false; } $krb5 = new \KRB5CCache(); - $krb5->open($cacheFile); + $krb5->open($this->ticketName); return count($krb5->getEntries()) > 0; } 
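Review bot: copyTicket() calls `tempnam("/tmp", "krb5cc_php_")` without checking the result, so when tempnam fails the credential cache is saved under the name `FILE:` and `$this->ticketPath` becomes false, which whatever cleanup runs later cannot remove; the hard-coded /tmp also ignores the configured temporary directory. Guard it and use the configured location: `$tmpFilename = tempnam(sys_get_temp_dir(), "krb5cc_php_"); if ($tmpFilename === false) { throw new Exception('Could not create temporary kerberos ticket cache.'); }`. The copy holds the user's Kerberos credentials on disk — tempnam creates it mode 0600, but the docblock should state that the copy lives until the object is destroyed (the destructor is outside this hunk) so callers do not keep long-lived instances around. passTicketFromMemory() assigns `$krb5->getName()` of a cache opened from `$this->ticketName`, which as far as I can tell yields the same FILE: name rather than a MEMORY: cache, so confirm it actually passes the ticket by memory as its docblock claims.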
@@ -64,11 +103,13 @@ private function init(): void { } //read apache kerberos ticket cache - $cacheFile = getenv("KRB5CCNAME"); if (!$this->checkTicket()) { throw new Exception('No kerberos ticket cache environment variable (KRB5CCNAME) found.'); } - putenv("KRB5CCNAME=" . $cacheFile); + + // note that even if the ticketname is the value we got from `getenv("KRB5CCNAME")` we still need to set the env variable ourselves + // this is because `getenv` also reads the variables passed from the SAPI (apache-php) and we need to set the variable in the OS's env + putenv("KRB5CCNAME=" . $this->ticketName); } public function getExtraCommandLineArguments(): string { From 4c8e50f1413118665123c7ca558dc79fc48db6ee Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Thu, 20 Jan 2022 14:41:23 +0100 Subject: [PATCH 6/7] psalm fixes --- src/KerberosApacheAuth.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/KerberosApacheAuth.php b/src/KerberosApacheAuth.php index c708536..c49918b 100644 --- a/src/KerberosApacheAuth.php +++ b/src/KerberosApacheAuth.php @@ -78,6 +78,7 @@ public function passTicketFromMemory(): void { * Check if a valid kerberos ticket is present * * @return bool + * @psalm-assert-if-true string $this->ticketName */ public function checkTicket(): bool { //read apache kerberos ticket cache @@ -87,6 +88,7 @@ public function checkTicket(): bool { $krb5 = new \KRB5CCache(); $krb5->open($this->ticketName); + /** @psalm-suppress MixedArgument */ return count($krb5->getEntries()) > 0; } From baaded2d3c8bc7901271e3b55bbdec34662b0dce Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Thu, 20 Jan 2022 14:44:50 +0100 Subject: [PATCH 7/7] no fast fail for psalm --- .github/workflows/ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f80ba1f..cc23e91 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
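Review bot: The putenv() here exports whatever `$this->ticketName` holds the first time init() runs, and nothing in copyTicket() or passTicketFromMemory() re-exports it, so if either helper is called after init() (init() appears to be guarded by `$this->init` above the hunk, which I cannot see) smbclient keeps using the original Apache cache while `$this->ticketPath` points at a copy that is never used. Either document the ordering on both helpers with a line such as `* Must be called before the auth object is first used; init() exports the cache name to KRB5CCNAME only once.` or have the helpers reset `$this->init = false;` so the next init() exports the new name. The added comment explaining why putenv() is needed even for the SAPI-provided value is useful and should stay. The beginning of init() is outside the hunk.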
@@ -208,6 +208,7 @@ jobs: name: Psalm static analysis strategy: + fail-fast: false matrix: php-version: - "7.2"