41 |
41 |
typedef struct {
|
42 |
42 |
buffer *auth_gssapi_keytab;
|
43 |
43 |
buffer *auth_gssapi_principal;
|
|
44 |
unsigned short auth_gssapi_store_credentials;
|
44 |
45 |
} plugin_config;
|
45 |
46 |
|
46 |
47 |
typedef struct {
|
... | ... | |
99 |
100 |
plugin_data *p = p_d;
|
100 |
101 |
size_t i;
|
101 |
102 |
config_values_t cv[] = {
|
102 |
|
{ "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
|
103 |
|
{ "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
|
104 |
|
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
|
103 |
{ "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
|
|
104 |
{ "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
|
|
105 |
{ "auth.backend.gssapi.store-credentials", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },
|
|
106 |
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
105 |
107 |
};
|
106 |
108 |
|
107 |
109 |
p->config_storage = calloc(srv->config_context->used, sizeof(plugin_config *));
|
... | ... | |
117 |
119 |
|
118 |
120 |
cv[0].destination = s->auth_gssapi_keytab;
|
119 |
121 |
cv[1].destination = s->auth_gssapi_principal;
|
|
122 |
cv[2].destination = &(s->auth_gssapi_store_credentials);
|
120 |
123 |
|
121 |
124 |
p->config_storage[i] = s;
|
122 |
125 |
|
... | ... | |
137 |
140 |
|
138 |
141 |
PATCH(auth_gssapi_keytab);
|
139 |
142 |
PATCH(auth_gssapi_principal);
|
|
143 |
PATCH(auth_gssapi_store_credentials);
|
140 |
144 |
|
141 |
145 |
/* skip the first, the global context */
|
142 |
146 |
for (i = 1; i < srv->config_context->used; i++) {
|
... | ... | |
154 |
158 |
PATCH(auth_gssapi_keytab);
|
155 |
159 |
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) {
|
156 |
160 |
PATCH(auth_gssapi_principal);
|
|
161 |
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.store-credentials"))) {
|
|
162 |
PATCH(auth_gssapi_store_credentials);
|
157 |
163 |
}
|
158 |
164 |
}
|
159 |
165 |
}
|
... | ... | |
170 |
176 |
return HANDLER_FINISHED;
|
171 |
177 |
}
|
172 |
178 |
|
|
179 |
static handler_t mod_authn_gssapi_send_500_server_error (connection *con)
|
|
180 |
{
|
|
181 |
con->http_status = 500;
|
|
182 |
con->mode = DIRECT;
|
|
183 |
return HANDLER_FINISHED;
|
|
184 |
}
|
|
185 |
|
173 |
186 |
static void mod_authn_gssapi_log_gss_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, OM_uint32 err_maj, OM_uint32 err_min)
|
174 |
187 |
{
|
175 |
188 |
buffer * const msg = buffer_init_string(func);
|
... | ... | |
421 |
434 |
goto end;
|
422 |
435 |
}
|
423 |
436 |
|
424 |
|
if (!(acc_flags & GSS_C_DELEG_FLAG)) {
|
425 |
|
log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
|
426 |
|
goto end;
|
427 |
|
}
|
428 |
|
|
429 |
437 |
/* check the allow-rules */
|
430 |
438 |
if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
|
431 |
439 |
goto end;
|
432 |
440 |
}
|
433 |
441 |
|
434 |
|
ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred);
|
435 |
|
if (ret)
|
436 |
|
http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
|
|
442 |
http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
|
|
443 |
ret = 1; /* success */
|
|
444 |
|
|
445 |
if (p->conf.auth_gssapi_store_credentials && (acc_flags & GSS_C_DELEG_FLAG)) {
|
|
446 |
if (!mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred)) {
|
|
447 |
ret = 2; /* server error */
|
|
448 |
goto end;
|
|
449 |
}
|
|
450 |
}
|
437 |
451 |
|
438 |
452 |
end:
|
439 |
453 |
buffer_free(t_in);
|
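Review bot: With `auth.backend.gssapi.store-credentials` enabled, a client that negotiates without `GSS_C_DELEG_FLAG` now authenticates silently at new line 445, whereas the old code logged `Unable to delegate credentials for user:` before failing; an operator who turned the option on gets no signal why no ccache was written. Splitting the combined condition so the delegation check is logged when storing is requested preserves that diagnostic without reintroducing the hard failure. Two smaller points: `http_auth_setenv` (line 442) now runs before the store attempt, so on the `ret = 2` path the connection env is populated before the 500 is sent, which is only harmless because `mod_authn_gssapi_send_500_server_error` sets `con->mode = DIRECT`; moving the setenv after the store block keeps the old "only on success" invariant. The 0/1/2 tri-state in `ret` (read back at line 476 as `ret == 2`) would read better as named constants. The enclosing function begins outside the hunk.
```c
    /* check the allow-rules */
    if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
        goto end;
    }

    if (p->conf.auth_gssapi_store_credentials) {
        if (!(acc_flags & GSS_C_DELEG_FLAG)) {
            /* storing was requested but the client did not delegate; still authenticated */
            log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
        } else if (!mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred)) {
            ret = 2; /* server error */
            goto end;
        }
    }

    http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
    ret = 1; /* success */
    /* … unchanged: end: label and cleanup … */
```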
... | ... | |
459 |
473 |
if (token_out.length)
|
460 |
474 |
gss_release_buffer(&st_minor, &token_out);
|
461 |
475 |
|
|
476 |
if (ret == 2)
|
|
477 |
return mod_authn_gssapi_send_500_server_error(con);
|
|
478 |
|
462 |
479 |
return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(con);
|
463 |
480 |
}
|
464 |
481 |
|