Cleanup s4u2proxy in mag_auth_basic

[mod_auth_gssapi.git] / src / mod_auth_gssapi.c
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c

index b1b16e5..97e365c 100644 (file)
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -28,13 +28,21 @@ const gss_OID_desc gss_mech_spnego = {
      6, "\x2b\x06\x01\x05\x05\x02"
  };
  
-const gss_OID_desc gss_mech_ntlmssp = {
+#ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H
+const gss_OID_desc gss_mech_ntlmssp_desc = {
      GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING
  };
+gss_const_OID gss_mech_ntlmssp = &gss_mech_ntlmssp_desc;
  
-const gss_OID_set_desc gss_mech_set_ntlmssp = {
-    1, discard_const(&gss_mech_ntlmssp)
+const gss_OID_set_desc gss_mech_set_ntlmssp_desc = {
+    1, discard_const(&gss_mech_ntlmssp_desc)
  };
+gss_const_OID_set gss_mech_set_ntlmssp = &gss_mech_set_ntlmssp_desc;
+
+#else
+gss_OID gss_mech_ntlmssp = GSS_C_NO_OID;
+gss_OID_set gss_mech_set_ntlmssp = GSS_C_NO_OID_SET;
+#endif
  
  #define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION
  
@@ -72,8 +80,7 @@ static char *mag_status(request_rec *req, int type, uint32_t err)
      return msg_ret;
  }
  
-static char *mag_error(request_rec *req, const char *msg,
-                       uint32_t maj, uint32_t min)
+char *mag_error(request_rec *req, const char *msg, uint32_t maj, uint32_t min)
  {
      char *msg_maj;
      char *msg_min;
@@ -101,6 +108,7 @@ static int mag_pre_connection(conn_rec *c, void *csd)
      struct mag_conn *mc;
  
      mc = mag_new_conn_ctx(c->pool);
+    mc->is_preserved = true;
      ap_set_module_config(c->conn_config, &auth_gssapi_module, (void*)mc);
      return OK;
  }
@@ -126,7 +134,6 @@ struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool)
       * when the connection/request is terminated */
      apr_pool_cleanup_register(mc->pool, (void *)mc,
                                mag_conn_destroy, apr_pool_cleanup_null);
-
      return mc;
  }
  
@@ -217,8 +224,8 @@ static char *escape(apr_pool_t *pool, const char *name,
      return escaped;
  }
  
-static char *mag_gss_name_to_ccache_name(request_rec *req,
-                                         char *dir, const char *gss_name)
+char *mag_gss_name_to_ccache_name(request_rec *req,
+                                  char *dir, const char *gss_name)
  {
      char *escaped;
  
@@ -232,27 +239,9 @@ static char *mag_gss_name_to_ccache_name(request_rec *req,
      return apr_psprintf(req->pool, "%s/%s", dir, escaped);
  }
  
-static void mag_set_KRB5CCANME(request_rec *req, char *ccname)
-{
-    apr_status_t status;
-    apr_finfo_t finfo;
-    char *value;
-
-    status = apr_stat(&finfo, ccname, APR_FINFO_MIN, req->pool);
-    if (status != APR_SUCCESS && status != APR_INCOMPLETE) {
-        /* set the file cache anyway, but warn */
-        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
-                      "KRB5CCNAME file (%s) lookup failed!", ccname);
-    }
-
-    value = apr_psprintf(req->pool, "FILE:%s", ccname);
-    apr_table_set(req->subprocess_env, "KRB5CCNAME", value);
-}
-
  static void mag_store_deleg_creds(request_rec *req,
-                                  char *dir, char *clientname,
-                                  gss_cred_id_t delegated_cred,
-                                  char **ccachefile)
+                                  char *dir, const char *gss_name,
+                                  gss_cred_id_t delegated_cred)
  {
      gss_key_value_element_desc element;
      gss_key_value_set_desc store;
@@ -262,7 +251,7 @@ static void mag_store_deleg_creds(request_rec *req,
      store.elements = &element;
      store.count = 1;
  
-    ccname = mag_gss_name_to_ccache_name(req, dir, clientname);
+    ccname = mag_gss_name_to_ccache_name(req, dir, gss_name);
      element.value = apr_psprintf(req->pool, "FILE:%s", ccname);
  
      maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE,
@@ -272,8 +261,6 @@ static void mag_store_deleg_creds(request_rec *req,
                        mag_error(req, "failed to store delegated creds",
                                  maj, min));
      }
-
-    *ccachefile = ccname;
  }
  #endif
  
@@ -292,10 +279,12 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header,
      return true;
  }
  
-static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech, 
+static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech,
                              bool multi_step_supported)
  {
-    if (!multi_step_supported && gss_oid_equal(&gss_mech_ntlmssp, mech))
+    if (mech == GSS_C_NO_OID) return false;
+
+    if (!multi_step_supported && gss_oid_equal(gss_mech_ntlmssp, mech))
          return false;
  
      if (allowed_mechs == GSS_C_NO_OID_SET) return true;
@@ -318,26 +307,9 @@ const char *auth_types[] = {
      NULL
  };
  
-static void mag_set_req_data(request_rec *req,
-                             struct mag_config *cfg,
-                             struct mag_conn *mc)
+const char *mag_str_auth_type(int auth_type)
  {
-    apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name);
-    apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION",
-                  apr_psprintf(req->pool,
-                               "%ld", (long)mc->expiration));
-    req->ap_auth_type = apr_pstrdup(req->pool,
-                                    auth_types[mc->auth_type]);
-    req->user = apr_pstrdup(req->pool, mc->user_name);
-    if (cfg->deleg_ccache_dir && mc->delegated) {
-        char *ccname;
-        ccname = mag_gss_name_to_ccache_name(req,
-                                             cfg->deleg_ccache_dir,
-                                             mc->gss_name);
-        if (ccname) {
-            mag_set_KRB5CCANME(req, ccname);
-        }
-    }
+    return auth_types[auth_type];
  }
  
  gss_OID_set mag_filter_unwanted_mechs(gss_OID_set src)
@@ -390,7 +362,6 @@ static bool mag_auth_basic(request_rec *req,
                             struct mag_config *cfg,
                             gss_buffer_desc ba_user,
                             gss_buffer_desc ba_pwd,
-                           gss_cred_usage_t cred_usage,
                             gss_name_t *client,
                             gss_OID *mech_type,
                             gss_cred_id_t *delegated_cred,
@@ -408,7 +379,6 @@ static bool mag_auth_basic(request_rec *req,
      gss_name_t server = GSS_C_NO_NAME;
      gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
      gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT;
-    gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL;
      gss_buffer_desc input = GSS_C_EMPTY_BUFFER;
      gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
      gss_OID_set allowed_mechs;
@@ -522,20 +492,10 @@ static bool mag_auth_basic(request_rec *req,
  
      /* must acquire creds based on the actual mechs we want to try */
      if (!mag_acquire_creds(req, cfg, actual_mechs,
-                           cred_usage, &acquired_cred, NULL)) {
+                           GSS_C_ACCEPT, &server_cred, NULL)) {
          goto done;
      }
  
-    if (cred_usage == GSS_C_BOTH) {
-        /* must acquire with GSS_C_ACCEPT to get the server name */
-        if (!mag_acquire_creds(req, cfg, actual_mechs,
-                               GSS_C_ACCEPT, &server_cred, NULL)) {
-            goto done;
-        }
-    } else {
-        server_cred = acquired_cred;
-    }
-
  #ifdef HAVE_CRED_STORE
      if (cfg->deleg_ccache_dir) {
          /* delegate ourselves credentials so we store them as requested */
@@ -573,7 +533,7 @@ static bool mag_auth_basic(request_rec *req,
                  break;
              }
              gss_release_buffer(&min, &output);
-            maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred,
+            maj = gss_accept_sec_context(&min, &server_ctx, server_cred,
                                           &input, GSS_C_NO_CHANNEL_BINDINGS,
                                           client, mech_type, &output, NULL,
                                           vtime, delegated_cred);
@@ -596,10 +556,8 @@ done:
      gss_release_buffer(&min, &output);
      gss_release_buffer(&min, &input);
      gss_release_name(&min, &server);
-    if (server_cred != acquired_cred)
-        gss_release_cred(&min, &server_cred);
      gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER);
-    gss_release_cred(&min, &acquired_cred);
+    gss_release_cred(&min, &server_cred);
      gss_release_name(&min, &user);
      gss_release_cred(&min, &user_cred);
      gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER);
@@ -638,7 +596,7 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req)
          req_cfg->desired_mechs = scfg->default_mechs;
      }
  
-    if (!req_cfg->cfg->mag_skey) {
+    if (req_cfg->cfg->mag_skey) {
          req_cfg->mag_skey = req_cfg->cfg->mag_skey;
      } else {
          /* Use server random key if not explicitly configured */
@@ -658,6 +616,7 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req)
      return req_cfg;
  }
  
+#ifdef HAVE_CRED_STORE
  static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
      if (req_cfg->cfg->use_s4u2proxy) {
          if (req_cfg->cfg->deleg_ccache_dir != NULL) {
@@ -670,6 +629,7 @@ static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
      }
      return false;
  }
+#endif
  
  static int mag_auth(request_rec *req)
  {
@@ -695,13 +655,12 @@ static int mag_auth(request_rec *req)
      uint32_t maj, min;
      char *reply;
      size_t replen;
-    char *clientname;
      gss_OID mech_type = GSS_C_NO_OID;
      gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
      gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
      struct mag_conn *mc = NULL;
-    time_t expiration;
      int i;
+    bool send_auth_header = true;
  
      type = ap_auth_type(req);
      if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) {
@@ -782,6 +741,8 @@ static int mag_auth(request_rec *req)
          }
          pctx = &mc->ctx;
      } else {
+        /* no preserved mc, create one just for this request */
+        mc = mag_new_conn_ctx(req->pool);
          pctx = &ctx;
      }
  
@@ -791,6 +752,9 @@ static int mag_auth(request_rec *req)
      auth_header_type = ap_getword_white(req->pool, &auth_header);
      if (!auth_header_type) goto done;
  
+    /* We got auth header, sending auth header would mean re-auth */
+    send_auth_header = !cfg->negotiate_once;
+
      for (i = 0; auth_types[i] != NULL; i++) {
          if (strcasecmp(auth_header_type, auth_types[i]) == 0) {
              auth_type = i;
@@ -814,6 +778,7 @@ static int mag_auth(request_rec *req)
          ba_user.value = ap_getword_nulls_nc(req->pool,
                                              (char **)&ba_pwd.value, ':');
          if (!ba_user.value) goto done;
+
          if (((char *)ba_user.value)[0] == '\0' ||
              ((char *)ba_pwd.value)[0] == '\0') {
              ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
@@ -823,7 +788,7 @@ static int mag_auth(request_rec *req)
          ba_user.length = strlen(ba_user.value);
          ba_pwd.length = strlen(ba_pwd.value);
  
-        if (mc && mc->established &&
+        if (mc->is_preserved && mc->established &&
              mag_basic_check(req_cfg, mc, ba_user, ba_pwd)) {
              ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
                            "Already established BASIC AUTH context found!");
@@ -835,7 +800,7 @@ static int mag_auth(request_rec *req)
          break;
  
      case AUTH_TYPE_RAW_NTLM:
-        if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp,
+        if (!is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
                               cfg->gss_conn_ctx)) {
              ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
                            "NTLM Authentication is not allowed!");
@@ -846,21 +811,21 @@ static int mag_auth(request_rec *req)
              goto done;
          }
  
-        desired_mechs = discard_const(&gss_mech_set_ntlmssp);
+        desired_mechs = discard_const(gss_mech_set_ntlmssp);
          break;
  
      default:
          goto done;
      }
  
-    if (mc && mc->established) {
+    if (mc->established) {
          /* if we are re-authenticating make sure the conn context
           * is cleaned up so we do not accidentally reuse an existing
           * established context */
          mag_conn_clear(mc);
      }
  
-    req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]);
+    mc->auth_type = auth_type;
  
  #ifdef HAVE_CRED_STORE
      if (use_s4u2proxy(req_cfg)) {
@@ -870,7 +835,7 @@ static int mag_auth(request_rec *req)
  
      if (auth_type == AUTH_TYPE_BASIC) {
          if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
-                           cred_usage, &client, &mech_type,
+                           &client, &mech_type,
                             &delegated_cred, &vtime)) {
              goto complete;
          }
@@ -903,7 +868,7 @@ static int mag_auth(request_rec *req)
                                  maj, min));
          goto done;
      } else if (maj == GSS_S_CONTINUE_NEEDED) {
-        if (!mc) {
+        if (!mc->is_preserved) {
              ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
                            "Mechanism needs continuation but neither "
                            "GssapiConnectionBound nor "
@@ -916,7 +881,6 @@ static int mag_auth(request_rec *req)
      }
  
  complete:
-    /* Always set the GSS name in an env var */
      maj = gss_display_name(&min, client, &name, NULL);
      if (GSS_ERROR(maj)) {
          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s",
@@ -924,26 +888,20 @@ complete:
                                  maj, min));
          goto done;
      }
-    clientname = apr_pstrndup(req->pool, name.value, name.length);
-    apr_table_set(req->subprocess_env, "GSS_NAME", clientname);
-    expiration = time(NULL) + vtime;
-    apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION",
-                  apr_psprintf(req->pool, "%ld", (long)expiration));
  
-#ifdef HAVE_CRED_STORE
-    if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) {
-        char *ccachefile = NULL;
+    mc->gss_name = apr_pstrndup(req->pool, name.value, name.length);
+    if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) {
+        vtime = MIN_SESS_EXP_TIME;
+    }
+    mc->expiration = time(NULL) + vtime;
  
-        mag_store_deleg_creds(req, cfg->deleg_ccache_dir, clientname,
-                              delegated_cred, &ccachefile);
+    mag_get_name_attributes(req, cfg, client, mc);
  
-        if (ccachefile) {
-            mag_set_KRB5CCANME(req, ccachefile);
-        }
-
-        if (mc) {
-            mc->delegated = true;
-        }
+#ifdef HAVE_CRED_STORE
+    if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) {
+        mag_store_deleg_creds(req, cfg->deleg_ccache_dir, mc->gss_name,
+                              delegated_cred);
+        mc->delegated = true;
      }
  #endif
  
@@ -954,28 +912,22 @@ complete:
                            mag_error(req, "gss_localname() failed", maj, min));
              goto done;
          }
-        req->user = apr_pstrndup(req->pool, lname.value, lname.length);
+        mc->user_name = apr_pstrndup(req->pool, lname.value, lname.length);
      } else {
-        req->user = clientname;
+        mc->user_name = apr_pstrdup(mc->pool, mc->gss_name);
      }
  
-    if (mc) {
-        mc->user_name = apr_pstrdup(mc->pool, req->user);
-        mc->gss_name = apr_pstrdup(mc->pool, clientname);
-        mc->established = true;
-        if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) {
-            vtime = MIN_SESS_EXP_TIME;
-        }
-        mc->expiration = expiration;
-        mc->auth_type = auth_type;
-        if (auth_type == AUTH_TYPE_BASIC) {
-            mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
-        }
-        if (req_cfg->use_sessions) {
-            mag_attempt_session(req_cfg, mc);
-        }
+    mc->established = true;
+    if (auth_type == AUTH_TYPE_BASIC) {
+        mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
+    }
+    if (req_cfg->use_sessions) {
+        mag_attempt_session(req_cfg, mc);
      }
  
+    /* Now set request data and env vars */
+    mag_set_req_data(req, cfg, mc);
+
      if (req_cfg->send_persist)
          apr_table_set(req->headers_out, "Persistent-Auth",
              cfg->gss_conn_ctx ? "true" : "false");
@@ -985,21 +937,24 @@ complete:
  done:
  
      if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) {
-        int prefixlen = strlen(auth_types[auth_type]) + 1;
+        int prefixlen = strlen(mag_str_auth_type(auth_type)) + 1;
          replen = apr_base64_encode_len(output.length) + 1;
          reply = apr_pcalloc(req->pool, prefixlen + replen);
          if (reply) {
-            memcpy(reply, auth_types[auth_type], prefixlen - 1);
+            memcpy(reply, mag_str_auth_type(auth_type), prefixlen - 1);
              reply[prefixlen - 1] = ' ';
              apr_base64_encode(&reply[prefixlen], output.value, output.length);
              apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply);
          }
      } else if (ret == HTTP_UNAUTHORIZED) {
-        apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate");
-
-        if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp,
-                            cfg->gss_conn_ctx)) {
-            apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM");
+        if (send_auth_header) {
+            apr_table_add(req->err_headers_out,
+                          req_cfg->rep_proto, "Negotiate");
+            if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
+                                cfg->gss_conn_ctx)) {
+                apr_table_add(req->err_headers_out, req_cfg->rep_proto,
+                              "NTLM");
+            }
          }
          if (cfg->use_basic_auth) {
              apr_table_add(req->err_headers_out, req_cfg->rep_proto,
@@ -1232,7 +1187,7 @@ static bool mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset,
      } else if (strcmp(w, "iakerb") == 0) {
          oid = discard_const(gss_mech_iakerb);
      } else if (strcmp(w, "ntlmssp") == 0) {
-        oid = discard_const(&gss_mech_ntlmssp);
+        oid = discard_const(gss_mech_ntlmssp);
      } else {
          buf.value = discard_const(w);
          buf.length = strlen(w);
@@ -1267,6 +1222,76 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig,
      return NULL;
  }
  
+static const char *mag_negotiate_once(cmd_parms *parms, void *mconfig, int on)
+{
+    struct mag_config *cfg = (struct mag_config *)mconfig;
+
+    cfg->negotiate_once = on ? true : false;
+    return NULL;
+}
+
+#define GSS_NAME_ATTR_USERDATA "GSS Name Attributes Userdata"
+
+static apr_status_t mag_name_attrs_cleanup(void *data)
+{
+    struct mag_config *cfg = (struct mag_config *)data;
+    free(cfg->name_attributes);
+    cfg->name_attributes = NULL;
+    return 0;
+}
+
+static const char *mag_name_attrs(cmd_parms *parms, void *mconfig,
+                                  const char *w)
+{
+    struct mag_config *cfg = (struct mag_config *)mconfig;
+    void *tmp_na;
+    size_t size = 0;
+    char *p;
+    int c;
+
+    if (!cfg->name_attributes) {
+        size = sizeof(struct mag_name_attributes)
+                + (sizeof(struct mag_na_map) * 16);
+    } else if (cfg->name_attributes->map_count % 16 == 0) {
+        size = sizeof(struct mag_name_attributes)
+                + (sizeof(struct mag_na_map)
+                    * (cfg->name_attributes->map_count + 16));
+    }
+    if (size) {
+        tmp_na = realloc(cfg->name_attributes, size);
+        if (!tmp_na) apr_pool_abort_get(cfg->pool)(ENOMEM);
+
+        if (cfg->name_attributes) {
+            size_t empty = (sizeof(struct mag_na_map) * 16);
+            memset(tmp_na + size - empty, 0, empty);
+        } else {
+            memset(tmp_na, 0, size);
+        }
+        cfg->name_attributes = (struct mag_name_attributes *)tmp_na;
+        apr_pool_userdata_setn(cfg, GSS_NAME_ATTR_USERDATA,
+                               mag_name_attrs_cleanup, cfg->pool);
+    }
+
+    p = strchr(w, ' ');
+    if (p == NULL) {
+        if (strcmp(w, "json") == 0) {
+            cfg->name_attributes->output_json = true;
+        } else {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                         "Invalid Name Attributes value [%s].", w);
+        }
+        return NULL;
+    }
+
+    c = cfg->name_attributes->map_count;
+    cfg->name_attributes->map[c].env_name = apr_pstrndup(cfg->pool, w, p-w);
+    p++;
+    cfg->name_attributes->map[c].attr_name = apr_pstrdup(cfg->pool, p);
+    cfg->name_attributes->map_count += 1;
+
+    return NULL;
+}
+
  #ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD
  static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig,
                                          const char *w)
@@ -1336,6 +1361,10 @@ static const command_rec mag_commands[] = {
  #endif
      AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG,
                      "Allowed Mechanisms"),
+    AP_INIT_FLAG("GssapiNegotiateOnce", mag_negotiate_once, NULL, OR_AUTHCFG,
+                    "Don't resend negotiate header on negotiate failure"),
+    AP_INIT_RAW_ARGS("GssapiNameAttributes", mag_name_attrs, NULL, OR_AUTHCFG,
+                     "Name Attributes to be exported as environ variables"),
      { NULL }
  };