From 8cabd1e6ac6c300f7e603cd61f1a8a7a7da7fb8f Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 11 Apr 2015 17:27:21 -0400 Subject: Set KRB5CCNAME on follow up requests with session If the original context establishment delegated credentials, set the KRB5CCNAME variable to the proper file name for follow up connections that uses the session to validate access. Closes #18 Signed-off-by: Simo Sorce --- src/mod_auth_gssapi.c | 64 +++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 49 insertions(+), 15 deletions(-) (limited to 'src/mod_auth_gssapi.c') diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index a88b653..79d62cd 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -191,33 +191,54 @@ static char *escape(apr_pool_t *pool, const char *name, return escaped; } -static void mag_store_deleg_creds(request_rec *req, - char *dir, char *clientname, - gss_cred_id_t delegated_cred, - char **ccachefile) +static char *mag_gss_name_to_ccache_name(request_rec *req, + char *dir, const char *gss_name) { - gss_key_value_element_desc element; - gss_key_value_set_desc store; - char *value; - uint32_t maj, min; char *escaped; /* We need to escape away '/', we can't have path separators in * a ccache file name */ /* first double escape the esacping char (~) if any */ - escaped = escape(req->pool, clientname, '~', "~~"); - if (!escaped) return; + escaped = escape(req->pool, gss_name, '~', "~~"); /* then escape away the separator (/) if any */ escaped = escape(req->pool, escaped, '/', "~"); - if (!escaped) return; - value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped); + return apr_psprintf(req->pool, "%s/%s", dir, escaped); +} + +static void mag_set_KRB5CCANME(request_rec *req, char *ccname) +{ + apr_status_t status; + apr_finfo_t finfo; + char *value; + status = apr_stat(&finfo, ccname, APR_FINFO_MIN, req->pool); + if (status != APR_SUCCESS && status != APR_INCOMPLETE) { + /* set the file cache anyway, but warn */ + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + "KRB5CCNAME file (%s) lookup failed!", ccname); + } + + value = apr_psprintf(req->pool, "FILE:%s", ccname); + apr_table_set(req->subprocess_env, "KRB5CCNAME", value); +} + +static void mag_store_deleg_creds(request_rec *req, + char *dir, char *clientname, + gss_cred_id_t delegated_cred, + char **ccachefile) +{ + gss_key_value_element_desc element; + gss_key_value_set_desc store; + char *ccname; + uint32_t maj, min; element.key = "ccache"; - element.value = value; store.elements = &element; store.count = 1; + ccname = mag_gss_name_to_ccache_name(req, dir, clientname); + element.value = apr_psprintf(req->pool, "FILE:%s", ccname); + maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, GSS_C_NULL_OID, 1, 1, &store, NULL, NULL); if (GSS_ERROR(maj)) { @@ -226,7 +247,7 @@ static void mag_store_deleg_creds(request_rec *req, maj, min)); } - *ccachefile = value; + *ccachefile = ccname; } #endif @@ -392,6 +413,15 @@ static int mag_auth(request_rec *req) req->ap_auth_type = apr_pstrdup(req->pool, auth_types[mc->auth_type]); req->user = apr_pstrdup(req->pool, mc->user_name); + if (cfg->deleg_ccache_dir && mc->delegated) { + char *ccname; + ccname = mag_gss_name_to_ccache_name(req, + cfg->deleg_ccache_dir, + mc->gss_name); + if (ccname) { + mag_set_KRB5CCANME(req, ccname); + } + } ret = OK; goto done; } @@ -644,7 +674,11 @@ static int mag_auth(request_rec *req) delegated_cred, &ccachefile); if (ccachefile) { - apr_table_set(req->subprocess_env, "KRB5CCNAME", ccachefile); + mag_set_KRB5CCANME(req, ccachefile); + } + + if (mc) { + mc->delegated = true; } } #endif -- cgit