2013-08-14: C TAP Harness 2.2
I've been incredibly, overwhelmingly busy lately, and I'm still fairly
consumed by things other than writing journal posts (or reviews, sigh),
but hopefully it's letting up a bit now. At the least, I'm back to
writing code instead of doing other things, which is quite a relief.
There's nothing particularly exciting in this release of my C test harness
software, but since I'm doing some general releases anyway, it seemed like
a good time to flush out pending changes. This release changes the exit
status of the bail and sysbail functions to 255 to more closely match the
BAIL_OUT function in Perl's Test::More, and documents why the runtests
test harness does not match Test::More's handling of a bailing test case.
You can get the latest version from the
C TAP Harness distribution page.
2013-08-14: rra-c-util 4.9
This is another rollup of various pending changes in my collection of
supporting software.
The libkafs portability layer now supports k_pioctl somewhat more
completely by providing a fallback to lpioctl when using the AFS libraries
and a system call failure when no library was found. The libkafs
functions are also now properly prototyped if the library was found but no
header files were available.
The network_connection function, when given a timeout, restarts waiting
for a non-blocking connect if interrupted by a signal. That means the
timeout could in theory be much longer than intended if it's interrupted
by a signal repeatedly, but hopefully that situation will be rare enough
to not pose any problems. There are also a few fixes to the networking
test suite.
The standard Perl tests now check for POD in more places, don't check the
Perl syntax of SYNOPSIS for scripts, work with packages without Build.PL
or a t directory, and also check style for files under a usr directory.
The PCRE Autoconf probe now copes with Mac OS X, which has the library but
no headers.
Finally, this release incorporates a combination test suite and utility
script that checks that the versions of embedded Perl modules stay in sync
with the overall package version.
You can get the latest release from the rra-c-util distribution page.
2013-08-14: remctl 3.6
remctl is the network protocol that we use for nearly all of our
middleware at Stanford. It's a flexible combination of GSS-API network
authentication, ACLs, and mappings of commands to arbitrary local
programs.
The primary goal of this release is to fix a problem that I ran into with
WebAuth: if a user of the remctl client
library catches a signal during a connect with a timeout, the non-blocking
connect support in the client library returned an error. Now, it returns
to waiting for the connect if the select failed with EINTR.
Also in this release, the Net::Remctl::Backend help formatting does
something more reasonable with commands that have a very long syntax.
Rather than push all of the command summaries into a tiny right-hand
column, syntax lines that are too long will not affect the start column of
the summary, just force the summary down one line.
This release also fixes multiple compilation errors on Mac OS X and older
Red Hat from a missing include, missing portability probes, and a
workaround for Mac OS X's broken PCRE library installation. (The library
exists, but without any header files.)
You can get the latest release from the remctl distribution page.
2013-08-16: WebAuth 4.5.4
WebAuth is the site-wide centralized web authentication system that we use
at Stanford. This release is a bug-fix release for the central login
server, mostly focused on multifactor authentication but also featuring a
wide variety of random bug fixes. Going into this release, I filtered the
Apache error logs on all of our production servers for a period of a month
and then set out to fix every log anomaly or odd behavior pattern that I
detected.
The most significant bug fix is to support for requiring non-password
session factors. The code handled this entirely incorrectly, resulting in
the user being stuck at the password authentication prompt and never able
to proceed. It also cleans up several corner cases involving REMOTE_USER
authentication to sites that require a Kerberos authenticator (such as for
delegated credentials).
This release downgrades a mismatch of login credentials and a webkdc-proxy
token (single sign-on credentials) to a log warning rather than a fatal
error and just discards the non-matching single sign-on credentials. This
case ideally shouldn't happen, but sometimes users share devices, and if
they hit a site with forced login or session factors, it's easy for this
case to arise.
WebLogin now retries the WebKDC POST once and ignores SIGPIPE errors to
work around problems with signals from the FastCGI process manager. It
also rewrites non-ASCII characters in XML from the WebKDC to work around
XML validation errors created by non-ASCII characters in Kerberos error
messages, pending a better fix on the WebKDC side. Password changes no
longer go through the replay detection logic, which should not apply to
them. Several error messages in WebLogin are now clearer.
The WebKDC now requires that the return URL in a WebAuth request be an
absolute URL and not contain any non-ASCII characters.
A bug in the way that errors during the authentication process were
reported has been fixed and should produce better error output for the
user.
There are also a few other, more minor bug fixes, particularly to logging
and error reporting.
You can get the latest release from the official WebAuth distribution site
or from my WebAuth distribution pages.
2013-08-29: WebAuth 4.5.5
Testing uncovered additional bugs in the WebLogin and mod_webkdc
components of WebAuth (our site-wide web authentication system), so this
is another bug-fix release. It only affects the central login server; the
application module hasn't changed and doesn't need to be updated.
The biggest changes are around multifactor authentication, and
particularly around error reporting and handling. The handling of errors
such as invalid codes or rejections by the validation service was somewhat
broken in 4.5.3 and earlier and even more broken in 4.5.4 (although in
different ways). This release now avoids sending the user to dead-end
error pages in more circumstances, displays better and more specific
errors, and remembers if the user has already been sent an SMS message and
doesn't force them to send another if they enter the code incorrectly.
(This last change will require changes to the local multifactor template.)
This release also fixes replay detection, which had been broken by a
partially-made change in the memcached key format, and applies rate
limiting and replay detection to second factor logins as well as
passwords. As a side effect, this corrects a UI issue where people can
send themselves additional SMS messages by accident when using the back
button on the browser.
You can get the latest release from the official WebAuth distribution site
or from my WebAuth distribution pages.
All posts