| 41 |
41 |
typedef struct {
|
| 42 |
42 |
buffer *auth_gssapi_keytab;
|
| 43 |
43 |
buffer *auth_gssapi_principal;
|
|
44 |
unsigned short auth_gssapi_store_credentials;
|
| 44 |
45 |
} plugin_config;
|
| 45 |
46 |
|
| 46 |
47 |
typedef struct {
|
| ... | ... | |
| 99 |
100 |
plugin_data *p = p_d;
|
| 100 |
101 |
size_t i;
|
| 101 |
102 |
config_values_t cv[] = {
|
| 102 |
|
{ "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
|
| 103 |
|
{ "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
|
| 104 |
|
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
|
103 |
{ "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
|
|
104 |
{ "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
|
|
105 |
{ "auth.backend.gssapi.store-credentials", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },
|
|
106 |
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
| 105 |
107 |
};
|
| 106 |
108 |
|
| 107 |
109 |
p->config_storage = calloc(srv->config_context->used, sizeof(plugin_config *));
|
| ... | ... | |
| 117 |
119 |
|
| 118 |
120 |
cv[0].destination = s->auth_gssapi_keytab;
|
| 119 |
121 |
cv[1].destination = s->auth_gssapi_principal;
|
|
122 |
cv[2].destination = &(s->auth_gssapi_store_credentials);
|
| 120 |
123 |
|
| 121 |
124 |
p->config_storage[i] = s;
|
| 122 |
125 |
|
| ... | ... | |
| 137 |
140 |
|
| 138 |
141 |
PATCH(auth_gssapi_keytab);
|
| 139 |
142 |
PATCH(auth_gssapi_principal);
|
|
143 |
PATCH(auth_gssapi_store_credentials);
|
| 140 |
144 |
|
| 141 |
145 |
/* skip the first, the global context */
|
| 142 |
146 |
for (i = 1; i < srv->config_context->used; i++) {
|
| ... | ... | |
| 154 |
158 |
PATCH(auth_gssapi_keytab);
|
| 155 |
159 |
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) {
|
| 156 |
160 |
PATCH(auth_gssapi_principal);
|
|
161 |
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.store-credentials"))) {
|
|
162 |
PATCH(auth_gssapi_store_credentials);
|
| 157 |
163 |
}
|
| 158 |
164 |
}
|
| 159 |
165 |
}
|
| ... | ... | |
| 170 |
176 |
return HANDLER_FINISHED;
|
| 171 |
177 |
}
|
| 172 |
178 |
|
|
179 |
static handler_t mod_authn_gssapi_send_500_server_error (connection *con)
|
|
180 |
{
|
|
181 |
con->http_status = 500;
|
|
182 |
con->mode = DIRECT;
|
|
183 |
return HANDLER_FINISHED;
|
|
184 |
}
|
|
185 |
|
| 173 |
186 |
static void mod_authn_gssapi_log_gss_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, OM_uint32 err_maj, OM_uint32 err_min)
|
| 174 |
187 |
{
|
| 175 |
188 |
buffer * const msg = buffer_init_string(func);
|
| ... | ... | |
| 421 |
434 |
goto end;
|
| 422 |
435 |
}
|
| 423 |
436 |
|
| 424 |
|
if (!(acc_flags & GSS_C_DELEG_FLAG)) {
|
| 425 |
|
log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
|
| 426 |
|
goto end;
|
| 427 |
|
}
|
| 428 |
|
|
| 429 |
437 |
/* check the allow-rules */
|
| 430 |
438 |
if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
|
| 431 |
439 |
goto end;
|
| 432 |
440 |
}
|
| 433 |
441 |
|
| 434 |
|
ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred);
|
| 435 |
|
if (ret)
|
| 436 |
|
http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
|
|
442 |
http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
|
|
443 |
ret = 1; /* success */
|
|
444 |
|
|
445 |
if (p->conf.auth_gssapi_store_credentials && (acc_flags & GSS_C_DELEG_FLAG)) {
|
|
446 |
if (!mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred)) {
|
|
447 |
ret = 2; /* server error */
|
|
448 |
goto end;
|
|
449 |
}
|
|
450 |
}
|
| 437 |
451 |
|
| 438 |
452 |
end:
|
| 439 |
453 |
buffer_free(t_in);
|
| ... | ... | |
| 459 |
473 |
if (token_out.length)
|
| 460 |
474 |
gss_release_buffer(&st_minor, &token_out);
|
| 461 |
475 |
|
|
476 |
if (ret == 2)
|
|
477 |
return mod_authn_gssapi_send_500_server_error(con);
|
|
478 |
|
| 462 |
479 |
return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(con);
|
| 463 |
480 |
}
|
| 464 |
481 |
|