From ec305efe59208668b665ff387ffaf8d6f8ade9e8 Mon Sep 17 00:00:00 2001 From: Andrew Stitcher Date: Mon, 21 Feb 2022 13:06:56 -0500 Subject: [PATCH 1/2] PROTON-2502: Stop testing using MD5 SASL mechanisms MD5 based mechanisms are now considered insecure and future systems will be configured without them available. We should stop using them to test Proton so we can build on securely configured machines. --- INSTALL.md | 6 ++--- python/setuputils/misc.py | 2 -- python/tests/proton_tests/sasl.py | 41 +++++++++---------------------- 3 files changed, 15 insertions(+), 34 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 5cdeb2c893..19d15daa14 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -19,10 +19,10 @@ Linux dependencies - GNU Make 3.81+ - GCC 4.8.4+ - - Cyrus SASL 2.1+ (for SASL support) + - Cyrus SASL 2.1.26+ (for SASL support) - OpenSSL 1.0+ (for SSL support) - JsonCpp 1.8+ for C++ connection configuration file support - - Python 2.7, 3.5+ (for the Python binding) + - Python 3.5+ (for the Python binding) Windows dependencies @@ -44,7 +44,7 @@ language. $ yum install openssl-devel # Dependencies needed for Cyrus SASL support - $ yum install cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-md5 + $ yum install cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-scram # Dependencies needed for bindings $ yum install swig # Required for all bindings diff --git a/python/setuputils/misc.py b/python/setuputils/misc.py index 009190d1ea..a993b8f64d 100644 --- a/python/setuputils/misc.py +++ b/python/setuputils/misc.py @@ -13,9 +13,7 @@ import errno -import os import subprocess -import sys from . import log diff --git a/python/tests/proton_tests/sasl.py b/python/tests/proton_tests/sasl.py index c5a6e721df..365654dae8 100644 --- a/python/tests/proton_tests/sasl.py +++ b/python/tests/proton_tests/sasl.py 
@@ -326,20 +326,6 @@ def testANON(self): self.t2.bind(self.c2) _testSaslMech(self, 'ANONYMOUS', authUser='anonymous') - def testCRAMMD5(self): - common.ensureCanTestExtendedSASL() - - self.t1.bind(self.c1) - self.t2.bind(self.c2) - _testSaslMech(self, 'CRAM-MD5') - - def testDIGESTMD5(self): - common.ensureCanTestExtendedSASL() - - self.t1.bind(self.c1) - self.t2.bind(self.c2) - _testSaslMech(self, 'DIGEST-MD5') - # PLAIN shouldn't work without encryption without special setting def testPLAINfail(self): common.ensureCanTestExtendedSASL() @@ -367,15 +353,12 @@ def testPLAIN(self): self.t2.bind(self.c2) _testSaslMech(self, 'PLAIN') -# SCRAM not supported before Cyrus SASL 2.1.26 -# so not universal and hence need a test for support -# to keep it in tests. -# def testSCRAMSHA1(self): -# common.ensureCanTestExtendedSASL() -# -# self.t1.bind(self.c1) -# self.t2.bind(self.c2) -# _testSaslMech(self, 'SCRAM-SHA-1') + def testSCRAMSHA1(self): + common.ensureCanTestExtendedSASL() + + self.t1.bind(self.c1) + self.t2.bind(self.c2) + _testSaslMech(self, 'SCRAM-SHA-1') def _sslConnection(domain, transport, connection): @@ -550,7 +533,7 @@ def testNormalAuthenticationClient(self): self.c1.collect(self.collector) self.t1.bind(self.c1) self.t2.bind(self.c2) - _testSaslMech(self, 'DIGEST-MD5') + _testSaslMech(self, 'SCRAM-SHA-1') self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND, Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT, Event.CONNECTION_REMOTE_OPEN) @@ -560,7 +543,7 @@ def testNormalAuthenticationServer(self): self.c2.collect(self.collector) self.t1.bind(self.c1) self.t2.bind(self.c2) - _testSaslMech(self, 'DIGEST-MD5') + _testSaslMech(self, 'SCRAM-SHA-1') self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND, Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT, Event.CONNECTION_REMOTE_OPEN) 
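Review bot: The re-enabled `testSCRAMSHA1` (hunk at -367) drops the old caveat that SCRAM support has to be probed, and its only guard is `common.ensureCanTestExtendedSASL()`, whose body is not visible here. If that helper does not check that the SCRAM plugin is actually installed (the `cyrus-sasl-scram` package this patch adds to INSTALL.md), a host without it will report an authentication failure rather than a skip. That is hard to tell apart from a real regression in the SASL layer. I would either extend the helper to probe for the mechanism or keep a short comment above the test, such as `# Requires the Cyrus SASL SCRAM plugin (2.1.26+); see INSTALL.md`.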
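Review bot: The literal `'SCRAM-SHA-1'` is now repeated in the six event tests changed from the hunk at -550 onwards (`testNormalAuthenticationClient` through `testNoMechServer`, continuing in the following hunks) and in `testSCRAMSHA1`, just as `'DIGEST-MD5'` was before. The commit's motivation is that hardened hosts retire weak mechanisms, so a later move to a SHA-256 SCRAM variant would need the same seven-place edit. A module-level constant such as `_TEST_MECH = 'SCRAM-SHA-1'`, with a one-line comment saying why that mechanism was chosen, would make it a single change. These test functions start outside the hunks, so whether each one is guarded by `common.ensureCanTestExtendedSASL()` cannot be confirmed from here.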
@@ -572,7 +555,7 @@ def testFailedAuthenticationClient(self): self.c1.collect(self.collector) self.t1.bind(self.c1) self.t2.bind(self.c2) - _testSaslMech(self, 'DIGEST-MD5', clientUser=clientUser, authenticated=False) + _testSaslMech(self, 'SCRAM-SHA-1', clientUser=clientUser, authenticated=False) self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND, Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT, Event.TRANSPORT_ERROR, @@ -586,7 +569,7 @@ def testFailedAuthenticationServer(self): self.c2.collect(self.collector) self.t1.bind(self.c1) self.t2.bind(self.c2) - _testSaslMech(self, 'DIGEST-MD5', clientUser=clientUser, authenticated=False) + _testSaslMech(self, 'SCRAM-SHA-1', clientUser=clientUser, authenticated=False) self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND, Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT, Event.TRANSPORT_ERROR, @@ -599,7 +582,7 @@ def testNoMechClient(self): self.s2.allowed_mechs('IMPOSSIBLE') self.t1.bind(self.c1) self.t2.bind(self.c2) - _testSaslMech(self, 'DIGEST-MD5', authenticated=False) + _testSaslMech(self, 'SCRAM-SHA-1', authenticated=False) self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND, Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT, Event.TRANSPORT_ERROR, @@ -611,7 +594,7 @@ def testNoMechServer(self): self.s2.allowed_mechs('IMPOSSIBLE') self.t1.bind(self.c1) self.t2.bind(self.c2) - _testSaslMech(self, 'DIGEST-MD5', authenticated=False) + _testSaslMech(self, 'SCRAM-SHA-1', authenticated=False) self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND, Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT, Event.TRANSPORT_TAIL_CLOSED, From 239454e5ec2ec0402c95e929e529355bd3c3e527 Mon Sep 17 00:00:00 2001 From: Andrew Stitcher Date: Mon, 21 Feb 2022 18:00:21 -0500 Subject: [PATCH 2/2] NO-JIRA: Allow azure CI to test sasl properly --- azure-pipelines/azure-pipelines.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/azure-pipelines/azure-pipelines.yml b/azure-pipelines/azure-pipelines.yml index 67b3429d1c..d78cb7dc76 100644 --- a/azure-pipelines/azure-pipelines.yml +++ b/azure-pipelines/azure-pipelines.yml @@ -49,7 +49,7 @@ jobs: pool: vmImage: 'ubuntu-18.04' steps: - - script: sudo apt-get install -y swig libpython3-dev libsasl2-dev libjsoncpp-dev + - script: sudo apt-get install -y swig sasl2-bin libpython3-dev libsasl2-dev libjsoncpp-dev name: InstallExtraStuff - template: steps.yml - job: MacOS
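Review bot: The install step now pulls in `sasl2-bin` without recording why, and the commit message only says it lets CI "test sasl properly". Presumably the package is needed for `saslpasswd2`, so that the build can create the SASL test user database; that is an inference, since the build scripts are not shown. A YAML comment above the step, e.g. `# sasl2-bin: saslpasswd2 is needed to build the SASL test user db`, would keep a later cleanup from dropping it. If a missing tool makes the extended SASL tests skip rather than fail, it may also be worth having the job flag skipped SASL tests so that lost authentication-mechanism coverage is noticed.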