From 841462fdd401eca1a0e9b237ec59f0bec5e171cf Mon Sep 17 00:00:00 2001 From: jadestorm Date: Tue, 3 Sep 2002 02:59:34 +0000 Subject: [PATCH] Added authoritative support. --- ChangeLog | 2 +- TODO | 13 ------------- apache1/auth_cmds.c | 17 +++++++++++++---- apache1/auth_config.h | 1 + apache1/dir_config.c | 1 + apache2/auth_cmds.c | 18 +++++++++++++----- apache2/auth_config.h | 1 + apache2/auth_user.c | 14 ++++++++++++-- apache2/dir_config.c | 1 + 9 files changed, 43 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index a98b99a..c364830 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,7 +10,7 @@ * apache1/auth_user.c: * apache2/auth_user.c: - Added fail_status and kerbauthtype functionality. + Added fail_status, authoritative, and kerbauthtype functionality. * apache1/dir_config.c: * apache2/dir_config.c: diff --git a/TODO b/TODO index 3103f0a..9333f4e 100644 --- a/TODO +++ b/TODO @@ -18,10 +18,6 @@ - Settable Location of Keytab/Srvtab Again, in config instead of compiled in. -- Authoritative Support - If Kerberos check fails, don't fall through to other modules. - Should I used AuthAuthoritative for this or a specific Kerb one? - - Lifetime Settable Set lifetime of tickets in config. @@ -37,21 +33,12 @@ Set a lifetime on tickets, and after expiration, tries to -force- a reauth (brings up login/password window) -- Auth Fail Status - Set how a failure fails. Forbidden or Unauthorized. - - Forwardable/Renewable Tickets Setting in config. - Browser Mutual Auth Support Combined with plugins, use auth user already has. -- AuthKerberosType(name?) - Way to both have a normal AuthType and a Kerberos authtype, - in case you want to turn authoritative off and have it punt - to something else specific - Re: msg 268 "Jason Gilbert" - - Environment Variables KRB5CCNAME, KRBTKFILE KRB_PRINC_NAME? diff --git a/apache1/auth_cmds.c b/apache1/auth_cmds.c index c59a752..3649cb2 100644 --- a/apache1/auth_cmds.c +++ b/apache1/auth_cmds.c 
@@ -20,19 +20,19 @@ static const char *kerb_set_type_slot(cmd_parms *cmd, char *struct_ptr, if #ifdef KRB5 (!strncasecmp(arg, "v5", 2)) - *(char **) (struct_ptr + offset) = "KerberosV5"; + *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosV5"); else if #endif /* KRB5 */ #ifdef KRB4 (!strncasecmp(arg, "v4", 2)) - *(char **) (struct_ptr + offset) = "KerberosV4"; + *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosV4"); #endif /* KRB4 */ else if (!strncasecmp(arg, "dualv5v4", 2)) - *(char **) (struct_ptr + offset) = "KerberosDualV5V4"; + *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosDualV5V4"); else if (!strncasecmp(arg, "dualv4v5", 2)) - *(char **) (struct_ptr + offset) = "KerberosDualV4V5"; + *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosDualV4V5"); #if defined(KRB4) && defined(KRB5) #endif /* KRB4 && KRB5 */ else @@ -59,5 +59,14 @@ command_rec kerb_auth_cmds[] = { "If auth fails, return status set here." }, + { + "KrbAuthoritative", + ap_set_flag_slot, + (void*)XtOffsetOf(kerb_auth_config, krb_authoritative), + OR_AUTHCFG, + FLAG, + "Refuse to pass request down to lower modules." + }, + { NULL } }; diff --git a/apache1/auth_config.h b/apache1/auth_config.h index 554586e..6c17007 100644 --- a/apache1/auth_config.h +++ b/apache1/auth_config.h @@ -1,4 +1,5 @@ typedef struct { char *krb_auth_type; int krb_fail_status; + int krb_authoritative; } kerb_auth_config; diff --git a/apache1/dir_config.c b/apache1/dir_config.c index 54ba60d..9b0af79 100644 --- a/apache1/dir_config.c +++ b/apache1/dir_config.c @@ -3,6 +3,7 @@ static void *kerb_dir_config(pool *p, char *d) static void *rec; rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config)); ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED; + ((kerb_auth_config *)rec)->krb_authoritative = 0; ((kerb_auth_config *)rec)->krb_auth_type = ap_pstrdup(p, "None"); return rec; } 
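Review bot: The new `ap_pstrdup` assignments in kerb_set_type_slot are still selected by prefix comparisons: `strncasecmp(arg, "dualv5v4", 2)` accepts any value beginning with "du", so the `dualv4v5` branch two lines below is unreachable, and `strncasecmp(arg, "v5", 2)` accepts e.g. `v5junk`. Compare the whole token instead, `else if (!strcasecmp(arg, "dualv5v4"))` / `else if (!strcasecmp(arg, "dualv4v5"))`, and likewise for the v4/v5 tests. The apache2/auth_cmds.c hunks in this commit have the same prefix behaviour (`strncasecmp(arg, "declined", 8)` in kerb_set_fail_slot and the v4/v5/dual tests in its kerb_set_type_slot), though there the dual lengths are at least 8 so both dual branches are reachable. kerb_set_type_slot begins before this hunk and its error-return tail lies after it.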
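Review bot: The new `KrbAuthoritative` command_rec entry is accepted by the apache1 module, but nothing in apache1 acts on `krb_authoritative`: the diffstat lists apache2/auth_user.c as the only auth_user.c change, while the ChangeLog hunk credits both apache1/auth_user.c and apache2/auth_user.c with the feature. An admin who sets `KrbAuthoritative On` under apache1 would therefore still see a failed Kerberos check fall through to later auth modules, which is exactly what the flag is meant to prevent. Either port the two `conf->krb_authoritative` checks to apache1/auth_user.c in this commit, or leave the directive out of apache1 until that is done, and adjust the ChangeLog line to match.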
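Review bot: `krb_authoritative = 0` makes the module non-authoritative by default, so a Kerberos failure falls through to whatever auth module is configured later; Apache's mod_auth defaults AuthAuthoritative to On and admins are likely to assume the same here. If Off is intended, say so at the assignment, e.g. `/* Off by default: a failed Kerberos check falls through to later auth modules (see KrbAuthoritative) */`; otherwise default it to 1. The explicit zero after `ap_pcalloc` is redundant but fine as a statement of intent. The apache2/dir_config.c hunk in this commit sets the same default.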
diff --git a/apache2/auth_cmds.c b/apache2/auth_cmds.c index 7ac3f73..7ad4c43 100644 --- a/apache2/auth_cmds.c +++ b/apache2/auth_cmds.c @@ -6,7 +6,7 @@ static const char *kerb_set_fail_slot(cmd_parms *cmd, void *struct_ptr, *(int *) ((char *)struct_ptr + offset) = HTTP_UNAUTHORIZED; else if (!strncasecmp(arg, "forbidden", 9)) *(int *) ((char *)struct_ptr + offset) = HTTP_FORBIDDEN; - else if (!strncasecmp(arg, "declined", 9)) + else if (!strncasecmp(arg, "declined", 8)) *(int *) ((char *)struct_ptr + offset) = DECLINED; else return apr_pstrcat(cmd->pool, "KrbAuthFailStatus must be Forbidden, Unauthorized, or Declined.", NULL); @@ -20,20 +20,20 @@ static const char *kerb_set_type_slot(cmd_parms *cmd, void *struct_ptr, if #ifdef KRB5 (!strncasecmp(arg, "v5", 2)) - *(char **) ((char *)struct_ptr + offset) = "KerberosV5"; + *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosV5"); else if #endif /* KRB5 */ #ifdef KRB4 (!strncasecmp(arg, "v4", 2)) - *(char **) ((char *)struct_ptr + offset) = "KerberosV4"; + *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosV4"); #endif /* KRB4 */ #if defined(KRB5) && defined(KRB4) else if (!strncasecmp(arg, "dualv5v4", 8)) - *(char **) ((char *)struct_ptr + offset) = "KerberosDualV5V4"; + *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosDualV5V4"); else if (!strncasecmp(arg, "dualv4v5", 8)) - *(char **) ((char *)struct_ptr + offset) = "KerberosDualV4V5"; + *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosDualV4V5"); #endif /* KRB5 && KRB4 */ else return "AuthKerberos must be V5, V4, DualV4V5, or DualV5V4."; @@ -57,5 +57,13 @@ static const command_rec kerb_auth_cmds[] = { "If auth fails, return status set here." ), + AP_INIT_FLAG( + "KrbAuthoritative", + ap_set_flag_slot, + (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative), + OR_AUTHCFG, + "Refuse to pass request down to lower modules." + ), + { NULL } }; 
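Review bot: The help string on the new `AP_INIT_FLAG` entry, `"Refuse to pass request down to lower modules."`, does not say what the client receives instead or how the flag interacts with `KrbAuthFailStatus`; per the apache2/auth_user.c hunks in this commit an authoritative DECLINED becomes HTTP_UNAUTHORIZED regardless of the configured fail status. Suggest `"If On, a Kerberos check that would otherwise DECLINE returns 401 instead of passing the request to later auth modules."` so the two directives can be read together. The same help text is used by the apache1/auth_cmds.c entry.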
diff --git a/apache2/auth_config.h b/apache2/auth_config.h index 554586e..6c17007 100644 --- a/apache2/auth_config.h +++ b/apache2/auth_config.h @@ -1,4 +1,5 @@ typedef struct { char *krb_auth_type; int krb_fail_status; + int krb_authoritative; } kerb_auth_config; diff --git a/apache2/auth_user.c b/apache2/auth_user.c index 444fa9b..955dc0d 100644 --- a/apache2/auth_user.c +++ b/apache2/auth_user.c @@ -52,7 +52,12 @@ int kerb_authenticate_user(request_rec *r) { } if (!KerberosV4 && !KerberosV5) { - return DECLINED; + if (conf->krb_authoritative) { + return HTTP_UNAUTHORIZED; + } + else { + return DECLINED; + } } name = ap_auth_name(r); @@ -112,5 +117,10 @@ int kerb_authenticate_user(request_rec *r) { } #endif /* KRB5 && KRB4 */ - return retcode; + if (conf->krb_authoritative && retcode == DECLINED) { + return HTTP_UNAUTHORIZED; + } + else { + return retcode; + } } diff --git a/apache2/dir_config.c b/apache2/dir_config.c index aa15d9c..ea14a35 100644 --- a/apache2/dir_config.c +++ b/apache2/dir_config.c @@ -3,6 +3,7 @@ static void *kerb_dir_config(apr_pool_t *p, char *d) static void *rec; rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config)); ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED; + ((kerb_auth_config *)rec)->krb_authoritative = 0; ((kerb_auth_config *)rec)->krb_auth_type = apr_pstrdup(p, "None"); return rec; } -- 2.1.4
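Review bot: The new early `return HTTP_UNAUTHORIZED` in the `!KerberosV4 && !KerberosV5` branch happens before `name = ap_auth_name(r)` and, as far as the hunk shows, before any WWW-Authenticate header has been noted, so an authoritative location whose AuthType is not a Kerberos one answers 401 with no challenge and browsers will not prompt. If that branch means "this module is not configured for the location" (the AuthType test itself is not visible here), the usual Apache convention is to DECLINE regardless of the authoritative flag, as mod_auth does when no password file is set; if the 401 is intended, emit the challenge first and collapse the branch to `return conf->krb_authoritative ? HTTP_UNAUTHORIZED : DECLINED;`. kerb_authenticate_user starts before this hunk and continues after it.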
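Review bot: The authoritative override at the end of kerb_authenticate_user hard-codes HTTP_UNAUTHORIZED and ignores `conf->krb_fail_status`, so `KrbAuthFailStatus Forbidden` together with `KrbAuthoritative On` still yields 401 whenever retcode is DECLINED (where that DECLINED originates is outside the hunk). If the fail-status directive is meant to govern every refusal, use it here and fall back to 401 only when it is itself Declined: `if (conf->krb_authoritative && retcode == DECLINED) return conf->krb_fail_status == DECLINED ? HTTP_UNAUTHORIZED : conf->krb_fail_status;`. A one-line comment on the override would also help, e.g. `/* authoritative: never let a later auth module answer for us */`. The function begins before this hunk.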