From 1948864cc8ace15d2e0bbb527091cca6a025676e Mon Sep 17 00:00:00 2001

From: Robbie Harwood <rharwood@redhat.com>

Date: Mon, 30 Sep 2019 15:00:56 -0400

Subject: [PATCH] Make syslog of call status configurable

Add a parameter (syslog_status) to configuration and

CLI (--syslog-status).  This logs the results of GSSAPI calls at

LOG_DEBUG.  Typically these calls resemble:

    gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS

    failure.  Minor code may provide more information, No credentials

    cache found

Since these messages worry some admins, turn them off by default.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

(cherry picked from commit 116618e1523038691fcb481107ba15ffd42942ac)

(cherry picked from commit cc61409b7b20974332549dd028d889b87dbff98d)

(cherry picked from commit 07b32184ee337ec06a405724b4b88cad22829c6d)

[conflict: gssproxy.conf.5.xml over program being added]

---

 proxy/man/gssproxy.8.xml      |  8 ++++++++

 proxy/man/gssproxy.conf.5.xml | 10 ++++++++++

 proxy/src/gp_config.c         |  6 ++++++

 proxy/src/gp_log.c            |  9 +++++++--

 proxy/src/gp_log.h            |  3 +++

 proxy/src/gssproxy.c          |  6 ++++++

 6 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/proxy/man/gssproxy.8.xml b/proxy/man/gssproxy.8.xml

index 21f7e6a..4019135 100644

--- a/proxy/man/gssproxy.8.xml

+++ b/proxy/man/gssproxy.8.xml

@@ -151,6 +151,14 @@

                 </listitem>

             </varlistentry>

+            <varlistentry>

+                <term>

+                    <option>--syslog-status</option>

+                </term>

+                <listitem>

+                    <para>Enable additional logging to syslog.</para>

+                </listitem>

+            </varlistentry>

             <varlistentry>

                 <term>

                     <option>--version</option>

diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml

index 7874c6e..79f64e7 100644

--- a/proxy/man/gssproxy.conf.5.xml

+++ b/proxy/man/gssproxy.conf.5.xml

@@ -361,6 +361,16 @@

                     </listitem>

                     </varlistentry>

+                <varlistentry>

+                    <term>syslog_status (boolean)</term>

+                    <listitem>

+                        <para>Enable per-call debugging output to the syslog.

+                        This may be useful for investigating problems in

+                        applications using gssproxy.</para>

+                        <para>Default: syslog_status = false</para>

+                    </listitem>

+                </varlistentry>

+

                 <varlistentry>

                     <term>trusted (boolean)</term>

                         <listitem><para>Defines whether this service is considered trusted. Use with caution, this enables impersonation.</para>

diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c

index cd057a0..57dcfc6 100644

--- a/proxy/src/gp_config.c

+++ b/proxy/src/gp_config.c

@@ -586,6 +586,12 @@ int load_config(struct gp_config *cfg)

         goto done;

     }

+    ret = gp_config_get_string(ctx, "gssproxy", "syslog_status", &tmpstr);

+    if (ret == 0)

+        gp_syslog_status = gp_boolean_is_true(tmpstr);

+    else if (ret != ENOENT)

+        goto done;

+

     ret = gp_config_get_string(ctx, "gssproxy", "run_as_user", &tmpstr);

     if (ret == 0) {

         cfg->proxy_user = strdup(tmpstr);

diff --git a/proxy/src/gp_log.c b/proxy/src/gp_log.c

index b6eb161..e67e8d3 100644

--- a/proxy/src/gp_log.c

+++ b/proxy/src/gp_log.c

@@ -5,6 +5,9 @@

 #include <stdio.h>

 #include <stdarg.h>

+/* global logging switch */

+bool gp_syslog_status = false;

+

 void gp_logging_init(void)

 {

     openlog("gssproxy",

@@ -55,7 +58,9 @@ void gp_log_status(gss_OID mech, uint32_t maj, uint32_t min)

 {

     char buf[MAX_LOG_LINE];

-    gp_fmt_status(mech, maj, min, buf, MAX_LOG_LINE);

+    if (!gp_syslog_status)

+        return;

-    GPERROR("%s\n", buf);

+    gp_fmt_status(mech, maj, min, buf, MAX_LOG_LINE);

+    syslog(LOG_DEBUG, "%s\n", buf);

 }

diff --git a/proxy/src/gp_log.h b/proxy/src/gp_log.h

index fc8cbdb..31ad648 100644

--- a/proxy/src/gp_log.h

+++ b/proxy/src/gp_log.h

@@ -3,9 +3,12 @@

 #ifndef _GP_LOG_H_

 #define _GP_LOG_H_

+#include <stdbool.h>

 #include <syslog.h>

 #include <gssapi/gssapi.h>

+extern bool gp_syslog_status;

+

 #define MAX_LOG_LINE 1024

 #define GPERROR(...) syslog(LOG_ERR, __VA_ARGS__);

 #define GPAUDIT(...) syslog(LOG_INFO, __VA_ARGS__);

diff --git a/proxy/src/gssproxy.c b/proxy/src/gssproxy.c

index 3221615..5112ebf 100644

--- a/proxy/src/gssproxy.c

+++ b/proxy/src/gssproxy.c

@@ -157,6 +157,7 @@ int main(int argc, const char *argv[])

     int opt_version = 0;

     int opt_debug = 0;

     int opt_debug_level = 0;

+    int opt_syslog_status = 0;

     verto_ctx *vctx;

     verto_ev *ev;

     int wait_fd;

@@ -182,6 +183,8 @@ int main(int argc, const char *argv[])

          _("Enable debugging"), NULL}, \

         {"debug-level", '\0', POPT_ARG_INT, &opt_debug_level, 0, \

          _("Set debugging level"), NULL}, \

+        {"syslog-status", '\0', POPT_ARG_NONE, &opt_syslog_status, 0, \

+         _("Enable GSSAPI status logging to syslog"), NULL}, \

         {"version", '\0', POPT_ARG_NONE, &opt_version, 0, \

          _("Print version number and exit"), NULL }, \

         POPT_TABLEEND

@@ -211,6 +214,9 @@ int main(int argc, const char *argv[])

         gp_debug_toggle(opt_debug_level);

     }

+    if (opt_syslog_status)

+        gp_syslog_status = true;

+

     if (opt_daemon && opt_interactive) {

         fprintf(stderr, "Option -i|--interactive is not allowed together with -D|--daemon\n");

         poptPrintUsage(pc, stderr, 0);