diff options
| author | Isaac Boukris <iboukris@gmail.com> | 2015-07-27 04:32:49 +0300 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2015-08-06 19:06:54 -0400 |
| commit | f476cb32f8103bdf1435d33ea6e81cba9805f576 (patch) | |
| tree | 8bccd042e272b47259902bbf7d8aa9bb28d63bb7 | |
| parent | 09104abbab05f92bf1f489fb8e4ee5ab3c2bec1a (diff) | |
| download | mod_auth_gssapi-f476cb32f8103bdf1435d33ea6e81cba9805f576.tar.gz mod_auth_gssapi-f476cb32f8103bdf1435d33ea6e81cba9805f576.tar.xz mod_auth_gssapi-f476cb32f8103bdf1435d33ea6e81cba9805f576.zip | |
Support forward proxy authentication
Proxy auth headers are a little different.
Sessions cannot be used as we cannot set a cookie.
Reviewed-by: Simo Sorce <simo@redhat.com>
| -rw-r--r-- | src/mod_auth_gssapi.c | 64 | ||||
| -rw-r--r-- | src/mod_auth_gssapi.h | 9 |
2 files changed, 53 insertions, 20 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 68663e4..d4e2682 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -619,11 +619,41 @@ done: return ret; } +struct mag_req_cfg *mag_init_cfg(request_rec *req) +{ + struct mag_req_cfg *req_cfg = apr_pcalloc(req->pool, + sizeof(struct mag_req_cfg)); + req_cfg->cfg = ap_get_module_config(req->per_dir_config, + &auth_gssapi_module); + + if (req_cfg->cfg->allowed_mechs) { + req_cfg->desired_mechs = req_cfg->cfg->allowed_mechs; + } else { + struct mag_server_config *scfg; + /* Try to fetch the default set if not explicitly configured */ + scfg = ap_get_module_config(req->server->module_config, + &auth_gssapi_module); + req_cfg->desired_mechs = scfg->default_mechs; + } + + if (req->proxyreq == PROXYREQ_PROXY) { + req_cfg->req_proto = "Proxy-Authorization"; + req_cfg->rep_proto = "Proxy-Authenticate"; + } else { + req_cfg->req_proto = "Authorization"; + req_cfg->rep_proto = "WWW-Authenticate"; + req_cfg->use_sessions = req_cfg->cfg->use_sessions; + req_cfg->send_persist = req_cfg->cfg->send_persist; + } + + return req_cfg; +} static int mag_auth(request_rec *req) { const char *type; int auth_type = -1; + struct mag_req_cfg *req_cfg; struct mag_config *cfg; const char *auth_header; char *auth_header_type; @@ -656,17 +686,11 @@ static int mag_auth(request_rec *req) return DECLINED; } - cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); + req_cfg = mag_init_cfg(req); - if (cfg->allowed_mechs) { - desired_mechs = cfg->allowed_mechs; - } else { - struct mag_server_config *scfg; - /* Try to fetch the default set if not explicitly configured */ - scfg = ap_get_module_config(req->server->module_config, - &auth_gssapi_module); - desired_mechs = scfg->default_mechs; - } + cfg = req_cfg->cfg; + + desired_mechs = req_cfg->desired_mechs; /* implicit auth for subrequests if main auth already happened */ if (!ap_is_initial_req(req) && req->main != NULL) { @@ -718,11 +742,11 @@ static int mag_auth(request_rec *req) } /* if available, session always supersedes connection bound data */ - if (cfg->use_sessions) { + if (req_cfg->use_sessions) { mag_check_session(req, cfg, &mc); } - auth_header = apr_table_get(req->headers_in, "Authorization"); + auth_header = apr_table_get(req->headers_in, req_cfg->req_proto); if (mc) { if (mc->established && @@ -925,18 +949,19 @@ complete: if (auth_type == AUTH_TYPE_BASIC) { mag_basic_cache(cfg, mc, ba_user, ba_pwd); } - if (cfg->use_sessions) { + if (req_cfg->use_sessions) { mag_attempt_session(req, cfg, mc); } } - if (cfg->send_persist) + if (req_cfg->send_persist) apr_table_set(req->headers_out, "Persistent-Auth", cfg->gss_conn_ctx ? "true" : "false"); ret = OK; done: + if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) { int prefixlen = strlen(auth_types[auth_type]) + 1; replen = apr_base64_encode_len(output.length) + 1; @@ -945,18 +970,17 @@ done: memcpy(reply, auth_types[auth_type], prefixlen - 1); reply[prefixlen - 1] = ' '; apr_base64_encode(&reply[prefixlen], output.value, output.length); - apr_table_add(req->err_headers_out, - "WWW-Authenticate", reply); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply); } } else if (ret == HTTP_UNAUTHORIZED) { - apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate"); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate"); + if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp, cfg->gss_conn_ctx)) { - apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM"); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM"); } if (cfg->use_basic_auth) { - apr_table_add(req->err_headers_out, - "WWW-Authenticate", + apr_table_add(req->err_headers_out, req_cfg->rep_proto, apr_psprintf(req->pool, "Basic realm=\"%s\"", ap_auth_name(req))); } diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h index 5beda2d..46e5c6a 100644 --- a/src/mod_auth_gssapi.h +++ b/src/mod_auth_gssapi.h @@ -65,6 +65,15 @@ struct mag_server_config { gss_OID_set default_mechs; }; +struct mag_req_cfg { + struct mag_config *cfg; + gss_OID_set desired_mechs; + bool use_sessions; + bool send_persist; + const char *req_proto; + const char *rep_proto; +}; + struct mag_conn { apr_pool_t *pool; gss_ctx_id_t ctx; |