From: Simo Sorce <simo@redhat.com>
Date: Mon, 30 Mar 2015 16:48:30 +0000 (-0400)
Subject: Handle authentication on subrequests
X-Git-Tag: v1.1.1~1
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=commitdiff_plain;h=e5db7c1f5738c7874e73869a2f4511193f956b81

Handle authentication on subrequests

In some cases (like during directory listing) Apache will re-run the
authentication code. Many GSSAPI mechanism have replay detection so
we cannot simply rerun the accept_sec_context phase. Others require
multiple steps. When authntication has already been estalished just
implicitly consider the authentication successfully performed and
copy the user name. Otherwise fail.
If a subrequest hits a location with a different mod_auth_gssapi
configuration warn but do not error off right away.

Fixes #15
---

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index c7881bf..e233110 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
         return DECLINED;
     }
 
-    /* ignore auth for subrequests */
+    cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+
+    /* implicit auth for subrequests if main auth already happened */
     if (!ap_is_initial_req(req)) {
-        return OK;
+        type = ap_auth_type(req->main);
+        if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+            /* warn if the subrequest location and the main request
+             * location have different configs */
+            if (cfg != ap_get_module_config(req->main->per_dir_config,
+                                            &auth_gssapi_module)) {
+                ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+                              req, "Subrequest authentication bypass on "
+                                   "location with different configuration!");
+            }
+            if (req->main->user) {
+                req->user = apr_pstrdup(req->pool, req->main->user);
+                return OK;
+            } else {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+                              "The main request is tasked to establish the "
+                              "security context, can't proceed!");
+                return HTTP_UNAUTHORIZED;
+            }
+        } else {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+                          "Subrequest GSSAPI auth with no auth on the main "
+                          "request. This operation may fail if other "
+                          "subrequests already established a context or the "
+                          "mechanism requires multiple roundtrips.");
+        }
     }
 
-    cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
-
     if (cfg->ssl_only) {
         if (!mag_conn_is_https(req->connection)) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,