gss-proxy.git/proxy/src, branch master-impersonation gssproxy wip repository Add "impersonate" configuration option. No implementation yet. 2013-06-25T13:22:12+00:00 Günther Deschner gdeschner@redhat.com 2013-06-25T13:15:43+00:00 fee1a555bbfeb4fb091aca4df47ec34b60640115 






Further improve debugging, mention servicename, socket and euid.
2013-06-24T15:51:39+00:00

Günther Deschner
gdeschner@redhat.com

2013-06-21T16:39:42+00:00

6cf727aad695466f45125bd30da5b2c2e2e9d48d

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>





Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>







Properly check socket for connection matching.
2013-06-21T15:04:45+00:00

Simo Sorce
simo@redhat.com

2013-06-19T16:18:31+00:00

aadc71e0b4ded19a4dbfeafd509d265e42659c92

We always need to chekc if the socket matches otherwise the worng service may
be selected if a specific socket is being used but a service allowing the same
euid is confgured to use the deault socket as well.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>





We always need to chekc if the socket matches otherwise the worng service may
be selected if a specific socket is being used but a service allowing the same
euid is confgured to use the deault socket as well.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>







Use verbose ding-libs error reporting when config parsing failed.
2013-06-05T12:15:18+00:00

Günther Deschner
gdeschner@redhat.com

2013-06-03T15:55:07+00:00

e4ac6f8ac8b31d7e08e66c7ae50b12f520c005f9

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>





Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>







gssproxy: report an error message on event loop failure.
2013-06-03T10:40:05+00:00

Günther Deschner
gdeschner@redhat.com

2013-05-31T17:51:59+00:00

7f104596939af61bf20ce9efe6408572f2378a80

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>





Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>







Fix realloc size in gp_get_cred_environment().
2013-05-22T15:37:52+00:00

Günther Deschner
gdeschner@redhat.com

2013-05-22T15:26:00+00:00

4ceed9a85484bdde3d355d21ceb666dc8d910910

This fixes a segfault when no client_keytab is passed in via cred_store api.
See https://fedorahosted.org/gss-proxy/ticket/85 for details.

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>





This fixes a segfault when no client_keytab is passed in via cred_store api.
See https://fedorahosted.org/gss-proxy/ticket/85 for details.

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>







Overwrite existing GSS_USE_PROXY variable in the server.
2013-05-16T10:11:43+00:00

Günther Deschner
gdeschner@redhat.com

2013-05-16T07:30:17+00:00

2bd59288ca3625c4d03f68b967a8c4c1f50022cd

This is required to make sure we never recurse into ourselves.

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>





This is required to make sure we never recurse into ourselves.

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>







Fix socket error handling.
2013-05-16T10:11:43+00:00

Simo Sorce
simo@redhat.com

2013-05-15T17:22:05+00:00

4d95d30532e2509a07285614b2f17a26dcb44725

1. Grab the socket lock for the whole conversation.

We need to keep the lock until the whole conversation is over.
Otherwise we may have concurrency issues where communication gets intermixed
and errors in one thread can cause a thread to hang.

Here is what we observed:

thread 1: grabs lock and send a request.
thread 2: grabs lock and sends a request
server: thread 2 request causes a fatal error and the server close the
connection
thread 2: grabs the lock and waits for a reply.
thread 2: gets the error and returns to caller with it (connection is closed).
thread 1: grabs the lock (which reopens the closed channel) and reads ...
... forever as the server has already killed all the previous state.

2. Fail immediately on short reads for the initial 4 byte length header.

If the first 4 bytes do not come at once don't bother retrying. In 99.9% of the
cases what we are witnessing here is a fatal error from the proxy that closed
the socket. Reopening the scket cannot accomplish anything as the request sent
down the channel is tied to the specific socket, so once the socket is closed
there is no hope to ever get back a reply.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>





1. Grab the socket lock for the whole conversation.

We need to keep the lock until the whole conversation is over.
Otherwise we may have concurrency issues where communication gets intermixed
and errors in one thread can cause a thread to hang.

Here is what we observed:

thread 1: grabs lock and send a request.
thread 2: grabs lock and sends a request
server: thread 2 request causes a fatal error and the server close the
connection
thread 2: grabs the lock and waits for a reply.
thread 2: gets the error and returns to caller with it (connection is closed).
thread 1: grabs the lock (which reopens the closed channel) and reads ...
... forever as the server has already killed all the previous state.

2. Fail immediately on short reads for the initial 4 byte length header.

If the first 4 bytes do not come at once don't bother retrying. In 99.9% of the
cases what we are witnessing here is a fatal error from the proxy that closed
the socket. Reopening the scket cannot accomplish anything as the request sent
down the channel is tied to the specific socket, so once the socket is closed
there is no hope to ever get back a reply.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>







Fix secondary socket detection at runtime.
2013-05-16T10:11:42+00:00

Simo Sorce
simo@redhat.com

2013-05-15T16:11:30+00:00

b693f4680a3dfadc2289ca1b1d83725f395bec49

We were failing to find the right service as the test was reversed.
It works with the default socket as it is not stored per service.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>





We were failing to find the right service as the test was reversed.
It works with the default socket as it is not stored per service.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>







Disable gss_export_name_composite() for now.
2013-05-16T10:11:42+00:00

Günther Deschner
gdeschner@redhat.com

2013-05-16T10:06:19+00:00

94d395f36e996f19d7e10a54c734f8bc0dc21da1

We first need to fix our tests and implementation.

Temporary workaround for:
https://fedorahosted.org/gss-proxy/ticket/81

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>





We first need to fix our tests and implementation.

Temporary workaround for:
https://fedorahosted.org/gss-proxy/ticket/81

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>