Bug 1678873

Summary: mod_auth_gssapi: test failure due to wrong int sizing
Product: Red Hat Enterprise Linux 7 Reporter: Robbie Harwood <rharwood>
Component: mod_auth_gssapiAssignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA QA Contact: anuja <amore>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.7CC: amore, bnater, ipa-qe, jorton, luhliari
Target Milestone: rcKeywords: TestCaseNotNeeded
Target Release: ---   
Hardware: s390x   
OS: Unspecified   
URL: https://github.com/modauthgssapi/mod_auth_gssapi/pull/198
Whiteboard:
Fixed In Version: mod_auth_gssapi-1.5.1-6.el7 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1674501 Environment:
Last Closed: 2020-09-29 20:09:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1674501, 1678872    
Bug Blocks:    

Description Robbie Harwood 2019-02-19 19:01:55 UTC 
+++ This bug was initially created as a clone of Bug #1674501 +++

Description of problem:
Upstream test suite, namely "BASIC Fail Second User" test is failing on s390x. No failures appear on x86_64, aarch64 or ppc64le.

--- Additional comment from Joe Orton on 2019-02-19 03:56:48 EST ---

mod_auth_gssapi is using:

    AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot,
                 (void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG,
                 "Publish GSSAPI Errors in Envionment Variables"),

but enverrs is a bool:

    bool enverrs;

ap_set_flag_slot() requires a variable with sizeof(int) whereas it looks like sizeof(bool) is not fixed by C99, only "big enough to store one bit".  On x86_64 sizeof(bool) is sizeof(char) anyway, so it's broken everywhere.

The simplest fix would be to change envvers to type int.

--- Additional comment from Joe Orton on 2019-02-19 04:04:39 EST ---

The other use of ap_set_flag_slot in this module:

    AP_INIT_FLAG("GssapiImpersonate", ap_set_flag_slot,
          (void *)APR_OFFSETOF(struct mag_config, s4u2self), OR_AUTHCFG,
               "Do impersonation call (S4U2Self) "
               "based on already authentication username"),

also has the same problem; using either these directives may be splatting over other config fields in nasty ways depending on the struct padding.

--- Additional comment from Robbie Harwood on 2019-02-19 13:59:07 EST ---

Thanks Joe.  Posted fix upstream.
Comment 4 anuja 2020-04-22 10:04:14 UTC 
Verified using version :
ipa-server.x86_64 0:4.6.8-2.el7
mod_auth_gssapi-1.5.1-7.el7.x86_64

pytest:fuctional_services test console log:
----------------------------------------------------------------------------
Passed 	src/functional_services/test_0001_http_tests.py::TestHttpTests::()::IPA-TC: Functional Services: Access http server with valid credentials 	0.79 	
Passed 	src/functional_services/test_0001_http_tests.py::TestHttpTests::()::IPA-TC: Functional Services: Access http server without valid credentials 	0.17 	
Passed 	src/functional_services/test_0001_http_tests.py::TestHttpTests::()::IPA-TC: Functional Services: Access https server with valid credentials 	0.59 	
Passed 	src/functional_services/test_0001_http_tests.py::TestHttpTests::()::IPA-TC: Functional Services: Access https server without valid credentials 	0.33 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: Access ldap with valid credentials 	0.91 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: deny access to ldap without valid credentials 	0.18 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: Access ldaps with valid credentials 	1.26 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: deny access to ldaps without valid credentials 	0.28 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: Access ldap with simple bind 	0.39 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: Revoke ldap certificate 	2.79 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: Verify certificate is revoked when master is down 	30.90 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: Verify certificate is revoked when replica is down 	32.91 	
Passed 	src/functional_services/test_0002_ldap_tests.py::TestLdap::()::IPA-TC: Functional Services: Verify OCSP URI has redundant DNS name 	3.29 	
Passed 	src/functional_services/test_0006_cleanup.py::TestCleanup::()::class level setup...should do nothing here 	0.00 	
Passed 	src/functional_services/test_0006_cleanup.py::TestCleanup::()::Full suite teardown

Based on this marking bz as verified.
Comment 6 errata-xmlrpc 2020-09-29 20:09:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mod_auth_gssapi bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3962