From f476cb32f8103bdf1435d33ea6e81cba9805f576 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 27 Jul 2015 04:32:49 +0300
Subject: [PATCH] Support forward proxy authentication

Proxy auth headers are a little different.

Sessions cannot be used as we cannot set a cookie.

Reviewed-by: Simo Sorce <simo@redhat.com>
---
 src/mod_auth_gssapi.c | 64 +++++++++++++++++++++++++++++++++++----------------
 src/mod_auth_gssapi.h |  9 ++++++++
 2 files changed, 53 insertions(+), 20 deletions(-)

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 68663e4..d4e2682 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -619,11 +619,41 @@ done:
     return ret;
 }
 
+struct mag_req_cfg *mag_init_cfg(request_rec *req)
+{
+    struct mag_req_cfg *req_cfg = apr_pcalloc(req->pool,
+                                              sizeof(struct mag_req_cfg));
+    req_cfg->cfg = ap_get_module_config(req->per_dir_config,
+                                        &auth_gssapi_module);
+
+    if (req_cfg->cfg->allowed_mechs) {
+        req_cfg->desired_mechs = req_cfg->cfg->allowed_mechs;
+    } else {
+        struct mag_server_config *scfg;
+        /* Try to fetch the default set if not explicitly configured */
+        scfg = ap_get_module_config(req->server->module_config,
+                                    &auth_gssapi_module);
+        req_cfg->desired_mechs = scfg->default_mechs;
+    }
+
+    if (req->proxyreq == PROXYREQ_PROXY) {
+        req_cfg->req_proto = "Proxy-Authorization";
+        req_cfg->rep_proto = "Proxy-Authenticate";
+    } else {
+        req_cfg->req_proto = "Authorization";
+        req_cfg->rep_proto = "WWW-Authenticate";
+        req_cfg->use_sessions = req_cfg->cfg->use_sessions;
+        req_cfg->send_persist = req_cfg->cfg->send_persist;
+    }
+
+    return req_cfg;
+}
 
 static int mag_auth(request_rec *req)
 {
     const char *type;
     int auth_type = -1;
+    struct mag_req_cfg *req_cfg;
     struct mag_config *cfg;
     const char *auth_header;
     char *auth_header_type;
@@ -656,17 +686,11 @@ static int mag_auth(request_rec *req)
         return DECLINED;
     }
 
-    cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+    req_cfg = mag_init_cfg(req);
 
-    if (cfg->allowed_mechs) {
-        desired_mechs = cfg->allowed_mechs;
-    } else {
-        struct mag_server_config *scfg;
-        /* Try to fetch the default set if not explicitly configured */
-        scfg = ap_get_module_config(req->server->module_config,
-                                    &auth_gssapi_module);
-        desired_mechs = scfg->default_mechs;
-    }
+    cfg = req_cfg->cfg;
+
+    desired_mechs = req_cfg->desired_mechs;
 
     /* implicit auth for subrequests if main auth already happened */
     if (!ap_is_initial_req(req) && req->main != NULL) {
@@ -718,11 +742,11 @@ static int mag_auth(request_rec *req)
     }
 
     /* if available, session always supersedes connection bound data */
-    if (cfg->use_sessions) {
+    if (req_cfg->use_sessions) {
         mag_check_session(req, cfg, &mc);
     }
 
-    auth_header = apr_table_get(req->headers_in, "Authorization");
+    auth_header = apr_table_get(req->headers_in, req_cfg->req_proto);
 
     if (mc) {
         if (mc->established &&
@@ -925,18 +949,19 @@ complete:
         if (auth_type == AUTH_TYPE_BASIC) {
             mag_basic_cache(cfg, mc, ba_user, ba_pwd);
         }
-        if (cfg->use_sessions) {
+        if (req_cfg->use_sessions) {
             mag_attempt_session(req, cfg, mc);
         }
     }
 
-    if (cfg->send_persist)
+    if (req_cfg->send_persist)
         apr_table_set(req->headers_out, "Persistent-Auth",
             cfg->gss_conn_ctx ? "true" : "false");
 
     ret = OK;
 
 done:
+
     if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) {
         int prefixlen = strlen(auth_types[auth_type]) + 1;
         replen = apr_base64_encode_len(output.length) + 1;
@@ -945,18 +970,17 @@ done:
             memcpy(reply, auth_types[auth_type], prefixlen - 1);
             reply[prefixlen - 1] = ' ';
             apr_base64_encode(&reply[prefixlen], output.value, output.length);
-            apr_table_add(req->err_headers_out,
-                          "WWW-Authenticate", reply);
+            apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply);
         }
     } else if (ret == HTTP_UNAUTHORIZED) {
-        apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate");
+        apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate");
+
         if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp,
                             cfg->gss_conn_ctx)) {
-            apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM");
+            apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM");
         }
         if (cfg->use_basic_auth) {
-            apr_table_add(req->err_headers_out,
-                          "WWW-Authenticate",
+            apr_table_add(req->err_headers_out, req_cfg->rep_proto,
                           apr_psprintf(req->pool, "Basic realm=\"%s\"",
                                        ap_auth_name(req)));
         }
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 5beda2d..46e5c6a 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -65,6 +65,15 @@ struct mag_server_config {
     gss_OID_set default_mechs;
 };
 
+struct mag_req_cfg {
+    struct mag_config *cfg;
+    gss_OID_set desired_mechs;
+    bool use_sessions;
+    bool send_persist;
+    const char *req_proto;
+    const char *rep_proto;
+};
+
 struct mag_conn {
     apr_pool_t *pool;
     gss_ctx_id_t ctx;
-- 
2.1.4