Solution: use either a wildcard IPC, or where the codepath needs to
be tested a file named after the test, so that it is unique and there
is no clash on the filesystem, allowing parallel test runs.
Solution: use ZMQ_LAST_ENDPOINT in most places. This alllows running
tests in paralle, and on over-booked shared machines where many of
the ports would be already in use.
Keep 3 tests with an hardcoded port, as there are some code paths that
require it (eg: connect before bind), but list those ports in
tests/testutil.hpp as macros so that they do not overlap and still
allow parallel runs.
These changes were inspired by a patch uploaded to Ubuntu by the
package maintainer, Steve Langasek <steve.langasek@ubuntu.com>.
Thank you Steve!
Solution: add new tokens to .travis.yml and change ci_deploy.sh
script to use Github APIs to create a temporary branch at the tag,
and the OBS APIs to trigger a source service run in the stable and
draft release projects:
network:messaging:zeromq:release-stable
network:messaging:zeromq:release-draft
The branch hack is unfortunately necessary as it is not possible to
modify OBS sources with the token APIs, and it is also not possible
to automatically fetch the latest tag in the service files.
The temporary branch is immediately deleted.
Solution: a new option has been added to the tar_scm service, so use
it to set the version to last_tag+git<last commit date> which is more
useful.
Unfortunately it's not possible to set it to the current version as
set in the header files, as it's not possible to parse files, only
commit ids, dates and git tags. But it's a step forward.
Solution: do not define ZMQ_HAVE_POLLER in src/zmq_drafts.h otherwise
src/zmq.cpp will implement zmq_poll using the new poller classes.
Same for ZMQ_HAVE_TIMERS, even though it has no internal effect, but
to be safe against future development.
Problem: there is no test coverage for GSSAPI.
Solution: add a test structured like the CURVE test.
The test is not built if libzmq is not configured with
--with-libgssapi_krb5. It will report SKIPPED status
if the required environment is missing (see below).
Environment: KRB5_KTNAME and KRB5_CLIENT_KTNAME
environment variables must point to a keytab file
containing creds for a host-based test principal
(see comment at top of source for details).
Kerberos must be configured and a KDC containing the
test principal must be running, otherwise the test
will fail/hang.
N.B. For now, the test must use the same principal for
both client and server roles because it seems impossible
to set them to different principals when they are
threads in the same process. Once one principal is
cached in credential cache, attempts to acquire creds
for a different "desired name" seem to be ignored and
the cached principal is used instead.
Problem: GSSAPI DRAFT code was made conditional on
ZMQ_BUILD_DRAFT_API, but zmq_draft.h duplicates the DRAFT
symbols definitions from zmq.h so this is unnecessary.
Solution: drop the extra ifdefs
Problem: GSSAPI NAMETYPE socket option numbers were modified
+1000 when moved to DRAFT section, but should use the definitive
values while in DRAFT to minimize disruption later.
Solution: renumber the socket options
Problem: GSSAPI NAMETYPE options were not documented in man
pages for zmq_getsockopt() and zmq_setsockopt().
Solution: add new options to these manual pages.
Problem: The new GSSAPI NAMESPACE options should have been
added to the DRAFT section of the API so they can be changed
until stabilized.
Solution:
- Move defines to the DRAFT section of zmq.h
- Duplicate them in zmq_draft.h, as is the local custom
- Compile only if defined (ZMQ_BUILD_DRAFT_API)
- Refactor internals slightly to avoid #ifdef hell
Problem: principals are looked up unconditionally
with the GSS_C_NT_HOSTBASED_SERVICE name type.
Solution: Add two new socket options to set the name type
for ZMQ_GSSAPI_PRINCIPAL and ZMQ_GSSAPI_SERVICE_PRINCIPAL:
ZMQ_GSSAPI_PRINCIPAL_NAMETYPE
ZMQ_GSSAPI_SERVICE_PRINCIPAL_NAMETYPE
They take an integer argument which must be one of
ZMQ_GSSAPI_NT_HOSTBASED (0) - default
ZMQ_GSSAPI_NT_USER_NAME (1)
ZMQ_GSSAPI_NT_KRB5_PRINCIPAL (2)
These correspond to GSSAPI name types of:
GSS_C_NT_HOSTBASED_SERVICE
GSS_C_NT_USER_NAME
GSS_KRB5_NT_PRINCIPAL_NAME
Fixes#2542
Problem: one call to gss_import_name() includes the terminating
NULL in a gss_buffer_desc.length, and one doesn't.
According to the examples at:
http://docs.oracle.com/cd/E19253-01/816-4863/overview-22/index.html
the NULL should be included in the length.
Solution: Fix one case to include the terminating NULL in the length.
Problem: if client sets ZMQ_GSSAPI_PRINCIPAL to a name
for which credentials cannot be obtained, authentication
proceeds with default credentials.
Solution: Before initializing the security context, check
whether there was a failed attempt to acquire credentials
for a specific principal and bail out if so.
Fixes#2531
Problem: if client sets the ZMQ_GSSAPI_PRINCIPAL to a valid
principal, authentication fails.
When an application sets ZMQ_GSSAPI_PRINCIPAL, whether as a
client or a server, libzmq internally calls gss_acquire_cred()
with cred_usage=GSS_C_ACCEPT. This cred_usage setting is for
acceptors (servers) only, thus it doesn't work for initiators
(clients).
Solution: Change the cred_usage parameter to GSS_C_BOTH to allow
initiators to set ZMQ_GSSAPI_PRINCIPAL.
Problem: the ZMQ_GSSAPI_PRINCIPAL socket option is described
as mandatory in the zmq_gssapi(7) manual page. In fact it
is optional.
Solution: Describe ZMQ_GSSAPI_PRINCIPAL as optional.
If unspecified, default credentials are used.
