diff options
author | Simo Sorce <simo@redhat.com> | 2016-06-07 05:20:23 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2016-06-09 10:11:18 -0400 |
commit | 17c292a0b4f7ce7c08780c17c1300721c3256031 (patch) | |
tree | 0c3e21905662d41995aac687a06560d08812b126 | |
parent | b3b115bcde2550d2b3f84ae4e1cd7872da829fd3 (diff) | |
download | mod_auth_gssapi-17c292a0b4f7ce7c08780c17c1300721c3256031.tar.gz mod_auth_gssapi-17c292a0b4f7ce7c08780c17c1300721c3256031.tar.xz mod_auth_gssapi-17c292a0b4f7ce7c08780c17c1300721c3256031.zip |
Split the book keeping operations into a function
This will be used in a following patch that perform gssapi operations
using a different path but need to perform the same bookj keeping as the
main auth path.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
-rw-r--r-- | src/mod_auth_gssapi.c | 114 |
1 files changed, 66 insertions, 48 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index b8583ea..97d875e 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -620,6 +620,10 @@ static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) { } #endif +static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc, + gss_name_t client, gss_OID mech_type, + uint32_t vtime, gss_cred_id_t delegated_cred); + static int mag_auth(request_rec *req) { const char *type; @@ -633,7 +637,6 @@ static int mag_auth(request_rec *req) gss_ctx_id_t *pctx; gss_buffer_desc input = GSS_C_EMPTY_BUFFER; gss_buffer_desc output = GSS_C_EMPTY_BUFFER; - gss_buffer_desc name = GSS_C_EMPTY_BUFFER; gss_buffer_desc ba_user; gss_buffer_desc ba_pwd; gss_name_t client = GSS_C_NO_NAME; @@ -646,7 +649,6 @@ static int mag_auth(request_rec *req) size_t replen; gss_OID mech_type = GSS_C_NO_OID; gss_OID_set desired_mechs = GSS_C_NO_OID_SET; - gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; struct mag_conn *mc = NULL; int i; bool send_auth_header = true; @@ -826,7 +828,11 @@ static int mag_auth(request_rec *req) if (mag_auth_basic(req, cfg, ba_user, ba_pwd, &client, &mech_type, &delegated_cred, &vtime)) { - goto complete; + + ret = mag_complete(req_cfg, mc, client, mech_type, vtime, + delegated_cred); + if (ret == OK) + mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); } goto done; } @@ -869,7 +875,60 @@ static int mag_auth(request_rec *req) goto done; } -complete: + ret = mag_complete(req_cfg, mc, client, mech_type, vtime, delegated_cred); + + if (ret == OK && req_cfg->send_persist) + apr_table_set(req->headers_out, "Persistent-Auth", + cfg->gss_conn_ctx ? "true" : "false"); + +done: + if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) { + int prefixlen = strlen(mag_str_auth_type(auth_type)) + 1; + replen = apr_base64_encode_len(output.length) + 1; + reply = apr_pcalloc(req->pool, prefixlen + replen); + if (reply) { + memcpy(reply, mag_str_auth_type(auth_type), prefixlen - 1); + reply[prefixlen - 1] = ' '; + apr_base64_encode(&reply[prefixlen], output.value, output.length); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply); + } + } else if (ret == HTTP_UNAUTHORIZED) { + if (send_auth_header) { + apr_table_add(req->err_headers_out, + req_cfg->rep_proto, "Negotiate"); + if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { + apr_table_add(req->err_headers_out, req_cfg->rep_proto, + "NTLM"); + } + } + if (cfg->use_basic_auth) { + apr_table_add(req->err_headers_out, req_cfg->rep_proto, + apr_psprintf(req->pool, "Basic realm=\"%s\"", + ap_auth_name(req))); + } + } + + if (ctx != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER); + gss_release_cred(&min, &acquired_cred); + gss_release_cred(&min, &delegated_cred); + gss_release_buffer(&min, &output); + gss_release_name(&min, &client); + return ret; +} + +static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc, + gss_name_t client, gss_OID mech_type, + uint32_t vtime, gss_cred_id_t delegated_cred) +{ + gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; + gss_buffer_desc name = GSS_C_EMPTY_BUFFER; + struct mag_config *cfg = req_cfg->cfg; + request_rec *req = req_cfg->req; + int ret = HTTP_UNAUTHORIZED; + uint32_t maj, min; + maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", @@ -887,7 +946,8 @@ complete: mag_get_name_attributes(req, cfg, client, mc); #ifdef HAVE_CRED_STORE - if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { + if (cfg->deleg_ccache_dir && + delegated_cred != GSS_C_NO_CREDENTIAL) { char *ccache_path; mc->ccname = 0; @@ -922,15 +982,12 @@ complete: mag_error(req, "gss_localname() failed", maj, min)); goto done; } - mc->user_name = apr_pstrndup(req->pool, lname.value, lname.length); + mc->user_name = apr_pstrndup(mc->pool, lname.value, lname.length); } else { mc->user_name = apr_pstrdup(mc->pool, mc->gss_name); } mc->established = true; - if (auth_type == AUTH_TYPE_BASIC) { - mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); - } if (req_cfg->use_sessions) { mag_attempt_session(req_cfg, mc); } @@ -938,53 +995,14 @@ complete: /* Now set request data and env vars */ mag_set_req_data(req, cfg, mc); - if (req_cfg->send_persist) - apr_table_set(req->headers_out, "Persistent-Auth", - cfg->gss_conn_ctx ? "true" : "false"); - ret = OK; done: - - if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) { - int prefixlen = strlen(mag_str_auth_type(auth_type)) + 1; - replen = apr_base64_encode_len(output.length) + 1; - reply = apr_pcalloc(req->pool, prefixlen + replen); - if (reply) { - memcpy(reply, mag_str_auth_type(auth_type), prefixlen - 1); - reply[prefixlen - 1] = ' '; - apr_base64_encode(&reply[prefixlen], output.value, output.length); - apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply); - } - } else if (ret == HTTP_UNAUTHORIZED) { - if (send_auth_header) { - apr_table_add(req->err_headers_out, - req_cfg->rep_proto, "Negotiate"); - if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp, - cfg->gss_conn_ctx)) { - apr_table_add(req->err_headers_out, req_cfg->rep_proto, - "NTLM"); - } - } - if (cfg->use_basic_auth) { - apr_table_add(req->err_headers_out, req_cfg->rep_proto, - apr_psprintf(req->pool, "Basic realm=\"%s\"", - ap_auth_name(req))); - } - } - - if (ctx != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER); - gss_release_cred(&min, &acquired_cred); - gss_release_cred(&min, &delegated_cred); - gss_release_buffer(&min, &output); - gss_release_name(&min, &client); gss_release_buffer(&min, &name); gss_release_buffer(&min, &lname); return ret; } - static void *mag_create_dir_config(apr_pool_t *p, char *dir) { struct mag_config *cfg; |