author | Simo Sorce <simo@redhat.com> | 2015-06-01 17:48:15 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-06-01 18:16:36 -0400 |
commit | 4b68f81eb41a5934a952e2326c1226b5ef583269 (patch) | |
tree | b766c13f768678884d1ca2fa4b93629e95679b5a | |
parent | 75bba08a6fa21b0f121bf702ca5acf8533921681 (diff) | |
Move acquire_cred functions into a helper
This makes the code more readable and easier to deal with.
Side effect: now we always acquire credentials
Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r-- | src/mod_auth_gssapi.c | 79 |
1 files changed, 35 insertions, 44 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 0d4508c..9b8cd08 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -116,6 +116,35 @@ static bool mag_conn_is_https(conn_rec *c) return false; } +static bool mag_acquire_creds(request_rec *req, + struct mag_config *cfg, + gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_cred_id_t *creds) +{ + uint32_t maj, min; +#ifdef HAVE_CRED_STORE + gss_const_key_value_set_t store = cfg->cred_store; + + maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, + desired_mechs, cred_usage, store, creds, + NULL, NULL); +#else + maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, + desired_mechs, cred_usage, creds, NULL, NULL); +#endif + + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", + mag_error(req, "gss_acquire_cred[_from]() " + "failed to get server creds", + maj, min)); + return false; + } + + return true; +} + #ifdef HAVE_CRED_STORE static char *escape(apr_pool_t *pool, const char *name, char find, const char *replace) 
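Review bot: mag_acquire_creds() has no comment stating its contract, although after this commit every credential acquisition in mag_auth goes through it. I would add a header comment saying that it returns true with `*creds` holding a credential the caller must release with gss_release_cred(), and returns false after logging the GSS major/minor status. The comment should also say that under HAVE_CRED_STORE `cfg->cred_store` is passed to gss_acquire_cred_from() even when it is unset; that is presumably equivalent to the default store, but it is worth confirming and writing down. The fixed log text `"gss_acquire_cred[_from]() failed to get server creds"` is now also emitted for the first acquisition in mag_auth, where `cred_usage` may be GSS_C_BOTH, so adding the requested usage to the message would make failed acquisitions easier to triage from the error log.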
@@ -403,58 +432,20 @@ static int mag_auth(request_rec *req) if (cfg->use_s4u2proxy) { cred_usage = GSS_C_BOTH; } - if (cfg->cred_store) { - maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, cred_usage, - cfg->cred_store, &acquired_cred, - NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", - mag_error(req, "gss_acquire_cred_from() failed", - maj, min)); - goto done; - } - } #endif + if (!mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, + cred_usage, &acquired_cred)) { + goto done; + } if (is_basic) { - if (!acquired_cred) { - /* Try to acquire default creds */ - maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, cred_usage, - &acquired_cred, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_acquire_cred()" - " failed", maj, min)); - goto done; - } - } if (cred_usage == GSS_C_BOTH) { /* If GSS_C_BOTH is used then inquire_cred will return the client * name instead of the SPN of the server credentials. Therefore we * need to acquire a different set of credential setting * GSS_C_ACCEPT explicitly */ -#ifdef HAVE_CRED_STORE - if (cfg->cred_store) { - maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, - GSS_C_INDEFINITE, GSS_C_NO_OID_SET, - GSS_C_ACCEPT, cfg->cred_store, - &server_cred, NULL, NULL); - } else { -#else - { -#endif - /* Try to acquire default creds */ - maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, GSS_C_ACCEPT, - &server_cred, NULL, NULL); - } - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", - mag_error(req, "gss_acquire_cred[_from]() " - "failed to get server creds", - maj, min)); + if (!mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, + GSS_C_ACCEPT, &server_cred)) { goto done; } } else { |
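Review bot: Non-Basic requests can now be rejected by a credential-acquisition failure that used to be skipped, and nothing at the call site says so. The `mag_acquire_creds()` call placed after `#endif` runs for every request, whereas before `acquired_cred` was left unset when no `cred_store` was configured and the request was not Basic. Failing closed is a sound default for an authentication module, but the commit message's "side effect" should be recorded in the code, e.g. `/* Always acquire explicit creds; failure here rejects the request */`. When `cred_usage` is GSS_C_BOTH and `is_basic` is set, two credentials are acquired per request, so the cleanup at `done` presumably has to release both `acquired_cred` and `server_cred`. mag_auth starts and ends outside this hunk, so that cleanup and the status returned on this early `goto done` could not be checked here.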