authorSimo Sorce <simo@redhat.com>2015-04-19 16:47:28 -0400
committerSimo Sorce <simo@redhat.com>2015-05-05 13:43:19 -0400
commit219c9b85f4a4ae04d6578384ba7ff37e3b3f113d (patch)
tree80e48a008f73d38db1ebf96c48a539371996a296
parentfafb5384785c76c1f96cc689677574cfe459f3b6 (diff)
Forcibly reset credentials on client request
If a client, on its own initiative, decides to try to reset the credential status by sending an Authorization header, let's oblige and kill the current authorization context. In the connection-oriented case we kill the GSS context, and if sessions are in use we set an expired, NULL session, so that the client will be effectively logged out unless a complete authentication is performed again.
-rw-r--r--src/mod_auth_gssapi.c39
1 files changed, 30 insertions, 9 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 48300e9..931408d 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -303,6 +303,8 @@ static int mag_auth(request_rec *req)
mag_check_session(req, cfg, &mc);
}
+ auth_header = apr_table_get(req->headers_in, "Authorization");
+
if (mc) {
/* register the context in the memory pool, so it can be freed
* when the connection/request is terminated */
@@ -312,21 +314,40 @@ static int mag_auth(request_rec *req)
if (mc->established) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
"Already established context found!");
- apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name);
- apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION",
- apr_psprintf(req->pool,
- "%ld", (long)mc->expiration));
- req->ap_auth_type = apr_pstrdup(req->pool, mc->auth_type);
- req->user = apr_pstrdup(req->pool, mc->user_name);
- ret = OK;
- goto done;
+ if (auth_header) {
+ /* although we have credentials, it seem the client wants
+ * to renegotiate */
+ if (cfg->use_sessions) {
+ /* force NULL creds iin the session cookie */
+ mc->expiration = 0;
+ mc->user_name = "";
+ mc->gss_name = "";
+ mag_attempt_session(req, cfg, mc);
+ }
+ /* reset mc now, we want a clean slate */
+ mag_conn_destroy(mc);
+ mc->established = false;
+ mc->user_name = NULL;
+ mc->gss_name = NULL;
+ mc->expiration = 0;
+ mc->auth_type = NULL;
+ } else {
+ apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name);
+ apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION",
+ apr_psprintf(req->pool,
+ "%ld", (long)mc->expiration));
+ req->ap_auth_type = apr_pstrdup(req->pool, mc->auth_type);
+ req->user = apr_pstrdup(req->pool, mc->user_name);
+ ret = OK;
+ goto done;
+ }
}
pctx = &mc->ctx;
} else {
pctx = &ctx;
}
- auth_header = apr_table_get(req->headers_in, "Authorization");
+ /* must have an auth header once we get here, otherwise we reject auth */
if (!auth_header) goto done;
auth_header_type = ap_getword_white(req->pool, &auth_header);
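Review bot: The reset branch added under `if (auth_header)` tears down the GSS context and, when sessions are in use, rewrites the session cookie, yet it logs nothing, whereas the established-context path directly above it logs at DEBUG; a forced logout should be observable, e.g. `ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, "Authorization header received on established context, resetting credentials");` placed before `mag_conn_destroy(mc)`. Note also that the reset fires for an Authorization header of any scheme, since `auth_header_type` is only parsed on the last line of this hunk; if only a fresh Negotiate attempt is meant to discard existing credentials, the test would have to move after the scheme is known. The new comments have typos: `it seem` should read `it seems` and `iin` should read `in`. mag_auth continues outside the hunk on both sides.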