authorSimo Sorce <simo@redhat.com>2014-03-13 16:02:03 -0400
committerSimo Sorce <simo@redhat.com>2014-03-13 16:02:03 -0400
commit66857a8e364591a3f28f47a61f893b400721e1a6 (patch)
tree52dfda7f59d8738c389dcbe843b32c853ba65b2a
parent7454bf67ffe23a63fd530895b58f048f207b1e4f (diff)
Implement checking for TLS connections
Obey the GSSSSLOnly setting.
-rw-r--r--src/mod_auth_gssapi.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 0cb0982..9e3eca3 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -37,6 +37,8 @@
module AP_MODULE_DECLARE_DATA auth_gssapi_module;
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
struct mag_config {
bool ssl_only;
bool map_to_local;
@@ -103,6 +105,17 @@ static int mag_pre_connection(conn_rec *c, void *csd)
return OK;
}
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *mag_is_https = NULL;
+
+static bool mag_conn_is_https(conn_rec *c)
+{
+ if (mag_is_https) {
+ if (mag_is_https(c)) return true;
+ }
+
+ return false;
+}
+
static int mag_auth(request_rec *req)
{
const char *type;
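Review bot: `mag_is_https` is initialised to NULL here and no line in this patch assigns it, so `mag_conn_is_https()` always returns false; all 18 insertions counted in the diffstat are visible and none of them retrieves the optional function. With GSSSSLOnly enabled, the new check in `mag_auth` (third hunk) would therefore refuse every request, including those that arrived over TLS. The pointer needs to be filled once mod_ssl has registered its function, for example with `mag_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);` in a post-config or optional-fn-retrieve hook. Returning false when mod_ssl is absent is a reasonable fail-closed default and deserves a comment above `mag_conn_is_https`, e.g. `/* Returns false when mod_ssl is not loaded, so GSSSSLOnly fails closed. */`.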
@@ -134,8 +147,11 @@ static int mag_auth(request_rec *req)
cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
if (cfg->ssl_only) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
- "FIXME: check for ssl!");
+ if (!mag_conn_is_https(req->connection)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "Not a TLS connection, refusing to authenticate!");
+ goto done;
+ }
}
if (cfg->gss_conn_ctx) {
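Review bot: The refusal path at `goto done` depends on code outside this hunk for its result; `mag_auth` begins and ends beyond the visible lines, so the status returned at `done` cannot be checked from here. It is worth confirming that this path returns an explicit failure status and does not emit a Negotiate challenge, since a challenge would invite the client to present its token over the cleartext connection that was just rejected. A short comment at the check, such as `/* GSSSSLOnly: never start a GSSAPI exchange on a non-TLS connection */`, would record that intent.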