X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=95838d383d1ca9bbee9da9b0f71333dc2b55b43f;hp=a88b653870980b71163e9da9125343491a9c6c7f;hb=81d89f77d878ac5131ef760aef23b220e45dd435;hpb=9cfa62da9119d2cd62314e5328215f8ea45c64b1
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index a88b653..95838d3 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -191,33 +191,54 @@ static char *escape(apr_pool_t *pool, const char *name,
 return escaped;
 }
-static void mag_store_deleg_creds(request_rec *req,
- char *dir, char *clientname,
- gss_cred_id_t delegated_cred,
- char **ccachefile)
+static char *mag_gss_name_to_ccache_name(request_rec *req,
+ char *dir, const char *gss_name)
 {
- gss_key_value_element_desc element;
- gss_key_value_set_desc store;
- char *value;
- uint32_t maj, min;
 char *escaped;
 /* We need to escape away '/', we can't have path separators in
 * a ccache file name */
 /* first double escape the esacping char (~) if any */
- escaped = escape(req->pool, clientname, '~', "~~");
- if (!escaped) return;
+ escaped = escape(req->pool, gss_name, '~', "~~");
 /* then escape away the separator (/) if any */
 escaped = escape(req->pool, escaped, '/', "~");
- if (!escaped) return;
- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
+ return apr_psprintf(req->pool, "%s/%s", dir, escaped);
+}
+
+static void mag_set_KRB5CCANME(request_rec *req, char *ccname)
+{
+ apr_status_t status;
+ apr_finfo_t finfo;
+ char *value;
+
+ status = apr_stat(&finfo, ccname, APR_FINFO_MIN, req->pool);
+ if (status != APR_SUCCESS && status != APR_INCOMPLETE) {
+ /* set the file cache anyway, but warn */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "KRB5CCNAME file (%s) lookup failed!", ccname);
+ }
+
+ value = apr_psprintf(req->pool, "FILE:%s", ccname);
+ apr_table_set(req->subprocess_env, "KRB5CCNAME", value);
+}
+static void mag_store_deleg_creds(request_rec *req,
+ char *dir, char *clientname,
+ gss_cred_id_t delegated_cred,
+ char **ccachefile)
+{
+ gss_key_value_element_desc element;
+ gss_key_value_set_desc store;
+ char *ccname;
+ uint32_t maj, min;
 element.key = "ccache";
- element.value = value;
 store.elements = &element;
 store.count = 1;
+ ccname = mag_gss_name_to_ccache_name(req, dir, clientname);
+ element.value = apr_psprintf(req->pool, "FILE:%s", ccname);
+
 maj = gss_store_cred_into(&min,
delegated_cred, GSS_C_INITIATE, GSS_C_NULL_OID, 1, 1, &store, NULL, NULL);
 if (GSS_ERROR(maj)) {
@@ -226,7 +247,7 @@ static void mag_store_deleg_creds(request_rec *req,
 maj, min));
 }
- *ccachefile = value;
+ *ccachefile = ccname;
 }
 #endif
@@ -392,8 +413,21 @@ static int mag_auth(request_rec *req)
 req->ap_auth_type = apr_pstrdup(req->pool, auth_types[mc->auth_type]);
 req->user = apr_pstrdup(req->pool, mc->user_name);
- ret = OK;
- goto done;
+ if (cfg->deleg_ccache_dir && mc->delegated) {
+ char *ccname;
+ ccname = mag_gss_name_to_ccache_name(req,
+ cfg->deleg_ccache_dir,
+ mc->gss_name);
+ if (ccname) {
+ mag_set_KRB5CCANME(req, ccname);
+ }
+ }
+ if (mc->auth_type != AUTH_TYPE_BASIC) {
+ /* In case we have basic auth, we need to check if the session
+ * matches the credentials that have been sent */
+ ret = OK;
+ goto done;
+ }
 }
 pctx = &mc->ctx;
 } else {
@@ -437,6 +471,12 @@ static int mag_auth(request_rec *req)
 }
 ba_user.length = strlen(ba_user.value);
 ba_pwd.length = strlen(ba_pwd.value);
+
+ if (mc && mag_basic_check(cfg, mc, ba_user, ba_pwd)) {
+ ret = OK;
+ goto done;
+ }
+
 maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client);
 if (GSS_ERROR(maj)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
@@ -579,10 +619,6 @@ static int mag_auth(request_rec *req)
 goto done;
 }
 if (auth_type == AUTH_TYPE_BASIC) {
- if (mc) {
- apr_pool_cleanup_run(mc->parent, mc, mag_conn_destroy);
- mc = NULL;
- }
 while (maj == GSS_S_CONTINUE_NEEDED) {
 gss_release_buffer(&min, &input);
 /* output and input are inverted here, this is intentional */
@@ -644,7 +680,11 @@ static int mag_auth(request_rec *req)
 delegated_cred, &ccachefile);
 if (ccachefile) {
- apr_table_set(req->subprocess_env, "KRB5CCNAME", ccachefile);
+ mag_set_KRB5CCANME(req, ccachefile);
+ }
+
+ if (mc) {
+ mc->delegated = true;
 }
 }
 #endif
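Review bot: mag_gss_name_to_ccache_name drops the `if (!escaped) return;` guards that the removed version of mag_store_deleg_creds had after each escape() call, so a NULL from the first escape() is handed to the second escape() and then to apr_psprintf as a `%s` argument. The new caller in mag_auth tests `if (ccname)`, which suggests NULL was meant to signal failure, but as far as I can tell apr_psprintf does not return NULL for a pool allocation, so that test never fires and a failed escape would instead produce a ccache path along the lines of `dir/(null)`. Keeping the old contract explicit, `if (!escaped) return NULL;` after each of the two escape() calls, and having mag_store_deleg_creds skip gss_store_cred_into when ccname is NULL, restores the failure path. Separately, the helper name `mag_set_KRB5CCANME` transposes the variable it sets (KRB5CCNAME), and its comment `/* set the file cache anyway, but warn */` does not match the APLOG_ERR level used on the next line; either the comment or the level should change.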
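Review bot: The comment `/* In case we have basic auth, we need to check if the session matches the credentials that have been sent */` sits inside the `if (mc->auth_type != AUTH_TYPE_BASIC)` branch, i.e. the branch taken when the session is not basic auth, so it describes the case that falls through rather than the code it is attached to. Moving it above the `if` and wording it as `/* A basic-auth session falls through so the supplied credentials are re-checked against the cached ones; any other type is accepted as is */` makes the control flow readable at a glance. The new block also rebuilds the ccache path from `mc->gss_name` on every reuse of a delegated session; whether mc->gss_name is populated on every path that later sets mc->delegated is not visible here and is worth confirming, since a NULL name would reach escape(). The enclosing function mag_auth starts and ends outside the hunk.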
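Review bot: The new `if (mc && mag_basic_check(cfg, mc, ba_user, ba_pwd))` fast path accepts the request without reaching gss_import_name, so authentication on this path rests entirely on mag_basic_check, whose body is not in this diff. Two properties need confirming there: that it compares both the user name and the password against the cached values, preferably via a keyed hash compared in constant time rather than a plain strcmp on the password, and that a session whose `mc->expiration` has passed cannot satisfy it, since nothing in this hunk re-checks expiration before taking the shortcut. A one-line comment at the call site stating that contract, e.g. `/* fast path: same user/password as the cached, unexpired session on this connection */`, would record the assumption for the next reader. mag_auth starts and ends outside the hunk.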
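Review bot: `mc->delegated = true;` is set on the `if (mc)` path regardless of the `if (ccachefile)` test just above it, so a session can be marked as delegated even when mag_store_deleg_creds produced no usable ccache file. On reuse of such a session (the -392 hunk) mag_set_KRB5CCANME is then called for a path that does not exist, logs an error and still exports KRB5CCNAME. Tying the flag to a stored ccache keeps the two consistent: `if (ccachefile) { mag_set_KRB5CCANME(req, ccachefile); if (mc) mc->delegated = true; }`. Whether mag_store_deleg_creds leaves *ccachefile untouched after a gss_store_cred_into failure depends on lines between the first two hunks that are not shown; from the -226 hunk it looks like `*ccachefile = ccname;` is reached either way, in which case the `if (ccachefile)` test itself does not distinguish success from failure.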
@@ -669,10 +709,13 @@ static int mag_auth(request_rec *req)
 vtime = MIN_SESS_EXP_TIME;
 }
 mc->expiration = expiration;
+ mc->auth_type = auth_type;
+ if (auth_type == AUTH_TYPE_BASIC) {
+ mag_basic_cache(cfg, mc, ba_user, ba_pwd);
+ }
 if (cfg->use_sessions) {
 mag_attempt_session(req, cfg, mc);
 }
- mc->auth_type = auth_type;
 }
 if (cfg->send_persist)
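Review bot: `mag_basic_cache(cfg, mc, ba_user, ba_pwd)` stores the Basic credentials, which at this point include the cleartext password in ba_pwd, in the connection context, and it now runs before `mag_attempt_session(req, cfg, mc)`. mag_basic_cache is not in this diff, so two points need confirming: that it keeps a keyed hash or MAC rather than the password itself, and that whatever it stores is not something mag_attempt_session would serialize into the session. Since the -579 hunk stops destroying `mc` on the basic path, the connection cleanup should also clear that buffer with an explicit-zeroing call rather than a plain memset, which the compiler may drop before a free. A short comment above the call, e.g. `/* remember the basic credentials so a repeated request on this connection can be matched in mag_basic_check */`, would tie the two halves of the change together. mag_auth starts and ends outside the hunk.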