1 /* Copyright (C) 2014 mod_auth_gssapi authors - See COPYING for (C) terms */
3 #include "mod_auth_gssapi.h"
5 APLOG_USE_MODULE(auth_gssapi);
7 static APR_OPTIONAL_FN_TYPE(ap_session_load) *mag_sess_load_fn = NULL;
8 static APR_OPTIONAL_FN_TYPE(ap_session_get) *mag_sess_get_fn = NULL;
9 static APR_OPTIONAL_FN_TYPE(ap_session_set) *mag_sess_set_fn = NULL;
11 void mag_post_config_session(void)
13 mag_sess_load_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_load);
14 mag_sess_get_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_get);
15 mag_sess_set_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_set);
18 static apr_status_t mag_session_load(request_rec *req, session_rec **sess)
20 if (mag_sess_load_fn) {
21 return mag_sess_load_fn(req, sess);
26 static apr_status_t mag_session_get(request_rec *req, session_rec *sess,
27 const char *key, const char **value)
29 if (mag_sess_get_fn) {
30 return mag_sess_get_fn(req, sess, key, value);
35 static apr_status_t mag_session_set(request_rec *req, session_rec *sess,
36 const char *key, const char *value)
38 if (mag_sess_set_fn) {
39 return mag_sess_set_fn(req, sess, key, value);
44 #define MAG_BEARER_KEY "MagBearerToken"
46 void mag_check_session(request_rec *req,
47 struct mag_config *cfg, struct mag_conn **conn)
51 session_rec *sess = NULL;
52 const char *sessval = NULL;
54 struct databuf ctxbuf = { 0 };
55 struct databuf cipherbuf = { 0 };
59 rc = mag_session_load(req, &sess);
60 if (rc != OK || sess == NULL) {
61 ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
62 "Sessions not available, no cookies!");
68 mc = apr_pcalloc(req->pool, sizeof(struct mag_conn));
71 mc->parent = req->pool;
75 rc = mag_session_get(req, sess, MAG_BEARER_KEY, &sessval);
77 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
78 "Failed to get session data!");
82 /* no session established, just return */
87 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
88 "Session key not available, no cookies!");
89 /* we do not have a key, just return */
94 declen = apr_base64_decode_len(sessval);
95 cipherbuf.value = apr_palloc(req->pool, declen);
96 if (!cipherbuf.value) return;
97 cipherbuf.length = (int)apr_base64_decode((char *)cipherbuf.value, sessval);
99 rc = UNSEAL_BUFFER(req->pool, cfg->mag_skey, &cipherbuf, &ctxbuf);
101 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
102 "Failed to unseal session data!");
107 next = apr_strtok((char *)ctxbuf.value, ":", &last);
108 expiration = (time_t)apr_atoi64(next);
109 if (expiration < time(NULL)) {
110 /* credentials fully expired, return nothing */
114 /* user name is next */
115 next = apr_strtok(NULL, ":", &last);
116 mc->user_name = apr_pstrdup(mc->parent, next);
117 if (!mc->user_name) return;
119 /* gssapi name (often a principal) is last.
120 * (because it may contain the separator as a valid char we
121 * just read last as is, without further tokenizing */
122 mc->gss_name = apr_pstrdup(mc->parent, last);
123 if (!mc->gss_name) return;
125 /* OK we have a valid token */
126 mc->established = true;
129 void mag_attempt_session(request_rec *req,
130 struct mag_config *cfg, struct mag_conn *mc)
132 session_rec *sess = NULL;
133 char *sessval = NULL;
134 struct databuf plainbuf = { 0 };
135 struct databuf cipherbuf = { 0 };
136 struct databuf ctxbuf = { 0 };
139 /* we save the session only if the authentication is established */
141 if (!mc->established) return;
142 rc = mag_session_load(req, &sess);
143 if (rc != OK || sess == NULL) {
144 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
145 "Sessions not available, can't send cookies!");
149 if (!cfg->mag_skey) {
150 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
151 "Session key not available, generating new one.");
152 rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, NULL);
154 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
155 "Failed to create sealing key!");
160 sessval = apr_psprintf(req->pool, "%ld:%s:%s",
161 (long)mc->expiration, mc->user_name, mc->gss_name);
162 if (!sessval) return;
164 plainbuf.length = strlen(sessval) + 1;
165 plainbuf.value = (unsigned char *)sessval;
167 rc = SEAL_BUFFER(req->pool, cfg->mag_skey, &plainbuf, &cipherbuf);
169 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
170 "Failed to seal session data!");
174 ctxbuf.length = apr_base64_encode_len(cipherbuf.length);
175 ctxbuf.value = apr_pcalloc(req->pool, ctxbuf.length);
176 if (!ctxbuf.value) return;
178 ctxbuf.length = apr_base64_encode((char *)ctxbuf.value,
179 (char *)cipherbuf.value,
182 rc = mag_session_set(req, sess, MAG_BEARER_KEY, (char *)ctxbuf.value);
184 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
185 "Failed to set session data!");