Commit message | Author | Age | Files | Lines
* Add cleanup function for mag_conn->name_attributes [HEAD] [master] | Alejandro Perez | 2017-02-13 | 3 | -2/+11
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #127
* JSON strings need to be escaped (i.e. replace " with \") | Alejandro Perez | 2017-02-09 | 1 | -2/+33
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #125
* Add option to set alternative ccname env var | Fraser Tweedale | 2017-02-08 | 4 | -6/+21
  In some cases (e.g. if you want to convey the ccname over AJP) the request environment variable name "KRB5CCNAME" is not appropriate. Add the GssapiDelegCcacheEnvVar option that allows the env var name to be changed.
  Fixes: https://github.com/modauthgssapi/mod_auth_gssapi/issues/123
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #124
  Closes #123
* Release 1.5.0 | Simo Sorce | 2017-01-16 | 1 | -1/+1
  Signed-off-by: Simo Sorce <simo@redhat.com>
* tests: move core dumps to scratchdir | Isaac Boukris | 2017-01-11 | 1 | -1/+1
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #121
* rewrite: implicitly handle internal redirects | Isaac Boukris | 2017-01-11 | 7 | -16/+117
  Internal redirects are a special case of subrequest - they have no req->main but req->prev instead, so we should check for that too in case the request is not initial.
  Also, make sure to export MAG environment variables to subrequests and internal redirects.
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reported-by: scopev24
  Closes #119
* Run the test suite using `make check` | Robbie Harwood | 2017-01-03 | 1 | -1/+3
  `make test` continues to be provided for compatibility.
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #120
* Add option to store the session encryption key. | Simo Sorce | 2017-01-03 | 3 | -16/+99
  With the new 'file:' syntax a session key can be automatically generated the first time mod_auth_gssapi runs and stored on the filesystem.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Robbie Harwood <rharwood@redhat.com>
  Closes #117
* Make test suite runnable on Debian-likes | Robbie Harwood | 2017-01-03 | 2 | -7/+24
  This is mostly gunk around how the webserver is called and what is built-in versus a module. I have mostly added templating logic for commenting pieces of the conf file.
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Isaac Boukris <iboukris@gmail.com>
  Closes #118
* Fix memory pool used to hold ccache name | Marcel Ritter | 2016-12-19 | 1 | -1/+1
  broken ccache name when "GssapiDelegCcacheUnique Off" (default)
  Signed-off-by: Marcel Ritter <ritter.marcel@googlemail.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #116
  Fixes #115
* Add docs for new GssapiDelegCcachePerms option | Simo Sorce | 2016-12-01 | 1 | -0/+32
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Isaac Boukris <iboukris@gmail.com>
  Closes #113
* Add tests for delegation and ccache mode setting | Simo Sorce | 2016-11-30 | 3 | -2/+10
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Robbie Harwood <rharwood@redhat.com>
  Closes #112
* Add option to set custom permissions on ccache | Simo Sorce | 2016-11-30 | 3 | -7/+123
  This allows apache to set permission so that another user in the default group can access the ccache. Useful when apache passes the request to a process running under a different user or group id number.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Write 'Persistent-Auth' header to err_headers_out | Michael Osipov | 2016-10-11 | 1 | -1/+1
  In some cases, like internal redirects, authentication is completed but our 'Persistent-Auth' header is dropped by the server because headers_out is ignored with errors (4xx, 5xx) and internal redirects.
  See: https://ci.apache.org/projects/httpd/trunk/doxygen/structrequest__rec.html#a9f49c2d5680987c0c28466ea37d41a62
  This fixes #110
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Isaac Boukris <iboukris@gmail.com>
  Closes #111
* Declare mag_complete outside the ifdef block | Simo Sorce | 2016-10-11 | 1 | -4/+4
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Robbie Harwood <rharwood@redhat.com>
  Fixes #106
  Closes #107
* Add simple script for generating session keys | Robbie Harwood | 2016-10-11 | 1 | -0/+12
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #105
* Update configure.ac using `autoupdate` | Dennis Schridde | 2016-08-29 | 1 | -5/+5
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #103
* Fix path to magtests.py for out-of-tree builds | Dennis Schridde | 2016-08-29 | 1 | -1/+1
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #102
* Release 1.4.1 | Simo Sorce | 2016-08-15 | 1 | -1/+1
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Ensure gssapi_session actually contains MagBearerToken | Robbie Harwood | 2016-08-15 | 1 | -0/+4
  Fallout from #98
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #100
* Fix behavior of NULL ccname for cookie creation | Robbie Harwood | 2016-08-15 | 1 | -1/+6
  This resolves an issue where the session cookie would not be populated when sessions were used but unique ccaches were not.
  Based on a report from Bhagavan Das.
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #98
* Check at top level for python-requests{,-kerberos} | Robbie Harwood | 2016-07-25 | 1 | -0/+4
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Merges #99
* Add compatibility with OpenSSL 1.1.0 | Simo Sorce | 2016-07-06 | 1 | -31/+76
  In their continued wisdom OpenSSL developers keep breaking APIs left and right with very poor documentation and forward/backward source compatibility.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Closes #96
  Closes #97
* Release 1.4.0 | Simo Sorce | 2016-06-17 | 1 | -1/+1
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Add release script | Simo Sorce | 2016-06-17 | 1 | -0/+35
  This automates release prepping a bit.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Move version number to a separate file | Simo Sorce | 2016-06-17 | 2 | -1/+3
  This allows easier handling of releases
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Insure the asn1 definitions are in the tarball | Simo Sorce | 2016-06-15 | 1 | -0/+2
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Close #95
* Move context loops to a helper function | Simo Sorce | 2016-06-15 | 1 | -110/+72
  This work simplifies the calling code and reduces duplication.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Isaac Boukris <iboukris@gmail.com>
  Close #94
* Postpone adding spnego mech to mech list | Simo Sorce | 2016-06-09 | 1 | -23/+65
  Add the SPNEGO mech oid only if we are performing negotiate auth.
  This catches earlier, with a hard failure, the case where a mechanism defined on the command line is not available, by checking if there are any desired mechs.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Isaac Boukris <iboukris@gmail.com>
  Close #93
* Add support for GssapiImpersonate. | Jan Pazdziora | 2016-06-09 | 3 | -1/+173
  This can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client.
  The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via constrained delegation (also subject to KDC access control).
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Close #92
* Split the book keeping operations into a function | Simo Sorce | 2016-06-09 | 1 | -48/+66
  This will be used in a following patch that performs gssapi operations using a different path but needs to perform the same book keeping as the main auth path.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
* Fix cred cache detection | Simo Sorce | 2016-06-09 | 1 | -3/+6
  The stat call was not using the full path name, therefore it was always failing.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
  Close #91
* Fix function name spelling | Simo Sorce | 2016-06-09 | 1 | -2/+2
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
  Close #90
* Additional python modules are needed. | Jan Pazdziora | 2016-06-06 | 1 | -1/+2
  Failed imports were found in tracebacks in ./scratchdir/tests.log.
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #89
* The distribution does not ship ./configure, generate it. | Jan Pazdziora | 2016-06-06 | 1 | -0/+1
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #88
* Clarify make test dependencies. | Jan Pazdziora | 2016-06-02 | 1 | -3/+5
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #85
* Do not use ap_hook_check_user_id on Apache 2.4 | Jan Pazdziora | 2016-06-02 | 1 | -0/+5
  On Apache 2.4 this method is deprecated, use the recommended hook.
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #84
* Obey SessionMaxAge for session expiration | Matt Rogers | 2016-05-25 | 1 | -0/+6
  Set the session and cookie expiration to the mod_session SessionMaxAge expiry time, if it is shorter than the credential lifetime.
  Signed-off-by: Matt Rogers <mrogers@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #82
* Add example script for ccache cleaning to contrib | Robbie Harwood | 2016-05-18 | 1 | -0/+66
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #80
* Implement unique ccache names | Robbie Harwood | 2016-05-18 | 10 | -34/+103
  Unique ccache names may be requested using the GssapiDelegCcacheUnique configuration option. This option is off by default. If both unique ccache names and session use are enabled, then a mechanism for removing old ccaches must be supplied.
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Also-authored-by: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Unify copyright convention | Robbie Harwood | 2016-05-18 | 9 | -30/+9
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* GSS-Proxy configuration file for mod_auth_gssapi | Robbie Harwood | 2016-05-18 | 1 | -0/+6
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #81
* Fix APXS error "cannot determine bootstrap symbol name" | Dennis Schridde | 2016-04-12 | 1 | -1/+1
  Maybe related to out-of-source builds?
  ```
  test -d /target/usr/lib/apache2/modules || mkdir -p /target/usr/lib/apache2/modules
  /usr/bin/apxs2 -i -S LIBEXECDIR=/target/usr/lib/apache2/modules mod_auth_gssapi.la
  apxs:Error: Sorry, cannot determine bootstrap symbol name.
  apxs:Error: Please specify one with option `-n'.
  Makefile:725: recipe for target 'install-exec-local' failed
  ```
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #79
* Respect DESTDIR when installing Apache module | Dennis Schridde | 2016-04-12 | 1 | -2/+2
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #78
* Tests: use urandom instead of random | Isaac Boukris | 2016-04-12 | 1 | -1/+1
  Useful when running tests on VM with low entropy
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #77
* Release 1.3.2 - NEAR Shoemaker launch | Simo Sorce | 2016-02-22 | 2 | -2/+5
  On February 17th, 1996 the NEAR Shoemaker probe is launched. The first probe to soft-land on a Near Earth Asteroid (Eros).
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Cleanup s4u2proxy in mag_auth_basic | Isaac Boukris | 2016-02-17 | 2 | -18/+7
  It doesn't have any effect since we set GSS_C_DELEG_FLAG when we initiate client credentials so we always get delegated TGT regardless of constrained delegation.
  This commit is not intended to change the current behaviour.
  See #70
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #70
  Closes #72
* Add option to not send a Negotiate header | James Groffen | 2016-02-17 | 7 | -5/+152
  If negotiation was attempted but failed do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers.
  Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test.
  [SS: reworded and fixed commit subject/comment]
  [SS: fixed whitespace errors and 80 column wrappings]
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #65
* Corrected two typos in the README file. | James Groffen | 2016-02-17 | 1 | -2/+2
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #71
* Minor formatting changes to the README. | James Groffen | 2016-02-03 | 1 | -7/+7
  [Changes to original commit: removed trailing whitespace]
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #67