authorSimo Sorce <simo@redhat.com>2013-11-16 17:01:24 -0500
committerGünther Deschner <gdeschner@redhat.com>2013-11-20 15:25:12 +0100
commit6a096c0a0a37d2fa9e0b03edce05929a7d98f390 (patch)
tree2615b4d416103a50e5c64abad4d1179103a2a6ba
parent32b1d5aa0497c4e3677b4575cc7e299590df5618 (diff)
config: Add code to source flag filters
2 new configuration options are made available: - filter_flags - enforce_flags Any GSS flag listed in the filter_flags option is forcibly filtered out before a gss_init_sec_context() call is invoked. Any GSS flag listed in the enforce_flags option is forcibly added to the list of flags requested before a gss_init_sec_context() call is invoked. Flags can be given either as literal names or as numeric values and must be preceded by the sign + (to add to the list) or - (to remove from the list). Resolves: https://fedorahosted.org/gss-proxy/ticket/109 Reviewed-by: Günther Deschner <gdeschner@redhat.com>
-rw-r--r--proxy/src/gp_config.c88
-rw-r--r--proxy/src/gp_proxy.h2
2 files changed, 90 insertions, 0 deletions
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
index 8da291b..e21e70d 100644
--- a/proxy/src/gp_config.c
+++ b/proxy/src/gp_config.c
@@ -32,6 +32,27 @@
#include "gp_config.h"
#include "gp_selinux.h"
+#include <gssapi/gssapi.h>
+
+struct gp_flag_def {
+ const char *name;
+ uint32_t value;
+};
+
+struct gp_flag_def flag_names[] = {
+ { "DELEGATE", GSS_C_DELEG_FLAG },
+ { "MUTUAL_AUTH", GSS_C_MUTUAL_FLAG },
+ { "REPLAY_DETECT", GSS_C_REPLAY_FLAG },
+ { "SEQUENCE", GSS_C_SEQUENCE_FLAG },
+ { "CONFIDENTIALITY", GSS_C_CONF_FLAG },
+ { "INTEGRITIY", GSS_C_INTEG_FLAG },
+ { "ANONYMOUS", GSS_C_ANON_FLAG },
+ { NULL, 0 }
+};
+
+#define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
+#define DEFAULT_ENFORCED_FLAGS 0
+
static void free_str_array(const char ***a, int *count)
{
const char **array;
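Review bot: The flag table at the top of the hunk spells the integrity flag `"INTEGRITIY"`, so a configured `+INTEGRITY` never matches by name, falls through to the strtoul() fallback in parse_flags, and is logged as unrecognized and dropped — an administrator asking to enforce integrity protection gets nothing but a log line. Change the entry to `{ "INTEGRITY", GSS_C_INTEG_FLAG },`. The table is also a writable, externally visible global although it is only ever read; declare it `static const struct gp_flag_def flag_names[] = {` so it cannot be modified at runtime or clash with another translation unit.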
@@ -117,6 +138,60 @@ static int get_krb5_mech_cfg(struct gp_service *svc,
return ret;
}
+static int parse_flags(const char *value, uint32_t *storage)
+{
+ char *handle;
+ char *token;
+ char *str;
+ bool add;
+ unsigned long int conv;
+ uint32_t flagval;
+ int i;
+
+ str = strdup(value);
+ if (!str) {
+ return ENOMEM;
+ }
+
+ token = strtok_r(str, ", ", &handle);
+ for (token = strtok_r(str, ", ", &handle);
+ token != NULL;
+ token = strtok_r(NULL, ", ", &handle)) {
+ switch (token[0]) {
+ case '+':
+ add = true;
+ break;
+ case '-':
+ add = false;
+ break;
+ default:
+ GPERROR("Ignoring flag [%s], missing +/- qualifier.\n", token);
+ continue;
+ }
+ token++;
+ for (i = 0; flag_names[i].name != NULL; i++) {
+ if (strcasecmp(token, flag_names[i].name) == 0) {
+ flagval = flag_names[i].value;
+ break;
+ }
+ }
+ if (flag_names[i].name == NULL) {
+ conv = strtoul(token, &handle, 0);
+ if (conv == 0 || conv == ULONG_MAX || *handle != '\0') {
+ GPERROR("Ignoring flag [%s], unrecognized value.\n", token);
+ continue;
+ }
+ flagval = conv;
+ }
+ GPDEBUG("%s Flag %s (%u).\n", add?"Add":"Remove", token, flagval);
+ if (add) *storage |= flagval;
+ else *storage &= ~flagval;
+ }
+ safefree(str);
+
+ return 0;
+}
+
static int setup_service_creds_handle(struct gp_service *svc)
{
uint32_t ret_maj, ret_min;
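Review bot: The numeric fallback calls strtoul() with `&handle`, the same pointer strtok_r() uses as its save state, so a successfully parsed numeric flag leaves handle at that token's terminator and the next strtok_r(NULL, …) returns NULL, silently dropping every flag listed after it (a rejected token instead leaves handle inside the token, and tokenizing resumes from there). Use a separate end pointer: declare `char *end;`, call `conv = strtoul(token, &end, 0);` and test `if (conv == 0 || conv == ULONG_MAX || conv > UINT32_MAX || *end != '\0') {` — the added range check also stops a value wider than 32 bits from being truncated on assignment to flagval. The stray `token = strtok_r(str, ", ", &handle);` before the for loop duplicates the loop initializer and can be removed. parse_flags is fully inside the hunk; setup_service_creds_handle continues past it.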
@@ -297,6 +372,19 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
goto done;
}
}
+
+ cfg->svcs[n]->filter_flags = DEFAULT_FILTERED_FLAGS;
+ ret = gp_config_get_string(ctx, secname, "filter_flags", &value);
+ if (ret == 0) {
+ parse_flags(value, &cfg->svcs[n]->filter_flags);
+ }
+
+ cfg->svcs[n]->enforce_flags = DEFAULT_ENFORCED_FLAGS;
+ ret = gp_config_get_string(ctx, secname, "enforce_flags", &value);
+ if (ret == 0) {
+ ret = parse_flags(value, &cfg->svcs[n]->enforce_flags);
+ if (ret) goto done;
+ }
}
safefree(secname);
}
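Review bot: The return value of parse_flags() for filter_flags is discarded at the first new call, while the enforce_flags call a few lines later checks it and jumps to done; an ENOMEM failure on the first call leaves the service with the compile-time default and loading continues. Make the two consistent: `ret = parse_flags(value, &cfg->svcs[n]->filter_flags);` followed by `if (ret) goto done;`. Note that parse_flags only ever reports ENOMEM — unrecognized or unqualified tokens are logged and skipped inside it — so a typo in either policy option never fails configuration loading; if that is intended, say so next to the calls with `/* parse_flags() skips malformed tokens; only allocation failure is fatal */`. load_services starts and ends outside the hunk.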
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index 8390f5d..b6c64ae 100644
--- a/proxy/src/gp_proxy.h
+++ b/proxy/src/gp_proxy.h
@@ -57,6 +57,8 @@ struct gp_service {
char *socket;
SELINUX_CTX selinux_ctx;
gss_cred_usage_t cred_usage;
+ uint32_t filter_flags;
+ uint32_t enforce_flags;
uint32_t mechs;
struct gp_cred_krb5 krb5;