
Feature #2967 » 0001-mod_authn_gssapi-add-store-credentials-config-option.patch

lameventanas, 2019-07-19 09:34


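--- a/src/mod_authn_gssapi.c
+++ b/src/mod_authn_gssapi.c
@@ -41,6 +41,7 @@
 typedef struct {
     buffer *auth_gssapi_keytab;
     buffer *auth_gssapi_principal;
+    unsigned short auth_gssapi_store_credentials;
 } plugin_config;
 
 typedef struct {
@@ -99,9 +100,10 @@
     plugin_data *p = p_d;
     size_t i;
     config_values_t cv[] = {
-        { "auth.backend.gssapi.keytab",     NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-        { "auth.backend.gssapi.principal",  NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-        { NULL,                             NULL, T_CONFIG_UNSET,  T_CONFIG_SCOPE_UNSET }
+        { "auth.backend.gssapi.keytab",             NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_CONNECTION },
+        { "auth.backend.gssapi.principal",          NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_CONNECTION },
+        { "auth.backend.gssapi.store-credentials",  NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },
+        { NULL,                                     NULL, T_CONFIG_UNSET,   T_CONFIG_SCOPE_UNSET }
     };
 
     p->config_storage = calloc(srv->config_context->used, sizeof(plugin_config *));
@@ -117,6 +119,7 @@
 
         cv[0].destination = s->auth_gssapi_keytab;
         cv[1].destination = s->auth_gssapi_principal;
+        cv[2].destination = &(s->auth_gssapi_store_credentials);
 
         p->config_storage[i] = s;
 
@@ -137,6 +140,7 @@
 
     PATCH(auth_gssapi_keytab);
     PATCH(auth_gssapi_principal);
+    PATCH(auth_gssapi_store_credentials);
 
     /* skip the first, the global context */
     for (i = 1; i < srv->config_context->used; i++) {
@@ -154,6 +158,8 @@
                 PATCH(auth_gssapi_keytab);
             } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) {
                 PATCH(auth_gssapi_principal);
+            } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.store-credentials"))) {
+                PATCH(auth_gssapi_store_credentials);
             }
         }
     }
@@ -170,6 +176,13 @@
     return HANDLER_FINISHED;
 }
 
+static handler_t mod_authn_gssapi_send_500_server_error (connection *con)
+{
+    con->http_status = 500;
+    con->mode = DIRECT;
+    return HANDLER_FINISHED;
+}
+
 static void mod_authn_gssapi_log_gss_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, OM_uint32 err_maj, OM_uint32 err_min)
 {
     buffer * const msg = buffer_init_string(func);
@@ -421,19 +434,20 @@
         goto end;
     }
 
-    if (!(acc_flags & GSS_C_DELEG_FLAG)) {
-        log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
-        goto end;
-    }
-
     /* check the allow-rules */
     if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
         goto end;
     }
 
-    ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred);
-    if (ret)
-        http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
+    http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
+    ret = 1; /* success */
+
+    if (p->conf.auth_gssapi_store_credentials && (acc_flags & GSS_C_DELEG_FLAG)) {
+        if (!mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred)) {
+            ret = 2; /* server error */
+            goto end;
+        }
+    }
 
     end:
         buffer_free(t_in);
@@ -459,6 +473,9 @@
         if (token_out.length)
             gss_release_buffer(&st_minor, &token_out);
 
+        if (ret == 2)
+            return mod_authn_gssapi_send_500_server_error(con);
+
         return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(con);
 }
 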
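Review bot: With `auth.backend.gssapi.store-credentials` enabled, a client that does not set `GSS_C_DELEG_FLAG` is now authenticated silently and no credential cache is written, whereas the removed check at old line 424 logged and rejected that case; an operator who turned the option on because a backend needs the delegated ticket gets no indication that delegation was absent. Adding an `else if (p->conf.auth_gssapi_store_credentials)` branch to the new condition with `log_error_write(srv, __FILE__, __LINE__, "ss", "client did not delegate credentials for user:", token_out.value);` keeps the old diagnostic without restoring the hard failure. The three `ret` values are only explained by trailing comments, so a comment where `ret` is declared (or an enum such as `GSSAPI_AUTH_FAIL = 0, GSSAPI_AUTH_OK = 1, GSSAPI_AUTH_SERVER_ERROR = 2`, names illustrative) would make the `ret == 2` test in the last hunk self-explaining. Calling `http_auth_setenv` before the store attempt is harmless because a store failure ends in a 500, but placing it after the store block would keep the success and server-error paths visibly distinct. The enclosing function begins and ends outside this hunk.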