|
 |
aacfac |
From 46caec4def9fd8df21e560db065b755e1d87354d Mon Sep 17 00:00:00 2001
|
|
|
aacfac |
From: rpm-build <rpm-build>
|
|
|
aacfac |
Date: Fri, 6 May 2022 22:54:45 +0200
|
|
|
aacfac |
Subject: [PATCH 1/2] Add-ability-to-expose-the-used-mechanism.patch
|
|
|
aacfac |
|
|
|
aacfac |
---
|
|
|
aacfac |
README | 15 +++++++++++++++
|
|
|
aacfac |
src/environ.c | 39 +++++++++++++++++++++++++++++++++++++++
|
|
|
aacfac |
src/environ.h | 2 ++
|
|
|
aacfac |
src/mod_auth_gssapi.c | 7 +++++++
|
|
|
aacfac |
src/mod_auth_gssapi.h | 1 +
|
|
|
aacfac |
tests/Makefile.am | 4 +++-
|
|
|
aacfac |
tests/httpd.conf | 15 +++++++++++++++
|
|
|
aacfac |
tests/magtests.py | 18 ++++++++++++++++++
|
|
|
aacfac |
tests/mech.html | 1 +
|
|
|
aacfac |
tests/t_mech_name.py | 19 +++++++++++++++++++
|
|
|
aacfac |
10 files changed, 120 insertions(+), 1 deletion(-)
|
|
|
aacfac |
create mode 100644 tests/mech.html
|
|
|
aacfac |
create mode 100755 tests/t_mech_name.py
|
|
|
aacfac |
|
|
|
aacfac |
diff --git a/README b/README
|
|
|
aacfac |
index 654a8918cc1cd078d84b8e571596444e262e83af..bbf2657d47c9b111e20fdc2b76fde8799c76e3cd 100644
|
|
|
aacfac |
--- a/README
|
|
|
aacfac |
+++ b/README
|
|
|
aacfac |
@@ -109,6 +109,7 @@ Configuration Directives
|
|
|
aacfac |
[GssapiNameAttributes](#gssapinameattributes)
|
|
|
aacfac |
[GssapiNegotiateOnce](#gssapinegotiateonce)
|
|
|
aacfac |
[GssapiPublishErrors](#gssapipublisherrors)
|
|
|
aacfac |
+[GssapiPublishMech](#gssapipublishmech)
|
|
|
aacfac |
[GssapiRequiredNameAttributes](#gssapirequirednameattributes)
|
|
|
aacfac |
[GssapiSessionKey](#gssapisessionkey)
|
|
|
aacfac |
[GssapiSignalPersistentAuth](#gssapisignalpersistentauth)
|
|
|
aacfac |
@@ -527,3 +528,17 @@ Note: the value is specified in seconds.
|
|
|
aacfac |
Sets ticket/session validity to 10 hours.
|
|
|
aacfac |
|
|
|
aacfac |
|
|
|
aacfac |
+### GssapiPublishMech
|
|
|
aacfac |
+
|
|
|
aacfac |
+This option is used to publish the mech used for authentication as an
|
|
|
aacfac |
+Environment variable named GSS_MECH.
|
|
|
aacfac |
+
|
|
|
aacfac |
+It will return a string of the form 'Authtype/Mechname'.
|
|
|
aacfac |
+Authtype represents the type of auth performed by the module. Possible values
|
|
|
aacfac |
+are 'Basic', 'Negotiate', 'NTLM', 'Impersonate'.
|
|
|
aacfac |
+Mechname is the name of the mechanism as reported by GSSAPI or the OID of the
|
|
|
aacfac |
+mechanism if a name is not available. In case of errors the 'Unavailable'
|
|
|
aacfac |
+string may also be returned for either Authtype or Mechname.
|
|
|
aacfac |
+
|
|
|
aacfac |
+- **Enable with:** GssapiPublishMech On
|
|
|
aacfac |
+- **Default:** GssapiPublishMech Off
|
|
|
aacfac |
\ No newline at end of file
|
|
|
aacfac |
diff --git a/src/environ.c b/src/environ.c
|
|
|
aacfac |
index 7ee56a1ba434d5c1041968fb3f64191340cb0ea7..71a8564284cafa62c4cbeaf7ab8484a48c064e66 100644
|
|
|
aacfac |
--- a/src/environ.c
|
|
|
aacfac |
+++ b/src/environ.c
|
|
|
aacfac |
@@ -498,3 +498,42 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min,
|
|
|
aacfac |
if (mag_err)
|
|
|
aacfac |
apr_table_set(req->subprocess_env, "MAG_ERROR", mag_err);
|
|
|
aacfac |
}
|
|
|
aacfac |
+
|
|
|
aacfac |
+
|
|
|
aacfac |
+void mag_publish_mech(request_rec *req, struct mag_conn *mc,
|
|
|
aacfac |
+ const char *auth_type, gss_OID mech_type)
|
|
|
aacfac |
+{
|
|
|
aacfac |
+ gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
|
|
|
aacfac |
+ gss_buffer_desc mech_name = GSS_C_EMPTY_BUFFER;
|
|
|
aacfac |
+ gss_buffer_desc mech_description = GSS_C_EMPTY_BUFFER;
|
|
|
aacfac |
+ char *mechdata;
|
|
|
aacfac |
+ uint32_t maj, min;
|
|
|
aacfac |
+
|
|
|
aacfac |
+ maj = gss_inquire_saslname_for_mech(&min, mech_type, &sasl_mech_name,
|
|
|
aacfac |
+ &mech_name, &mech_description);
|
|
|
aacfac |
+ if (maj != GSS_S_COMPLETE) {
|
|
|
aacfac |
+ /* something failed, let's try to get a string OID */
|
|
|
aacfac |
+ /* and if that fails there is nothing we can do */
|
|
|
aacfac |
+ maj = gss_oid_to_str(&min, mech_type, &mech_name);
|
|
|
aacfac |
+ if (maj != GSS_S_COMPLETE) {
|
|
|
aacfac |
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
|
|
|
aacfac |
+ "Failed to source mechanism name or OID");
|
|
|
aacfac |
+ mech_name.value = strdup("Unavailable");
|
|
|
aacfac |
+ mech_name.length = strlen(mech_name.value);
|
|
|
aacfac |
+ }
|
|
|
aacfac |
+ }
|
|
|
aacfac |
+
|
|
|
aacfac |
+ mechdata = apr_psprintf(req->pool, "%s/%.*s", auth_type,
|
|
|
aacfac |
+ (int)mech_name.length,
|
|
|
aacfac |
+ (char *)mech_name.value);
|
|
|
aacfac |
+
|
|
|
aacfac |
+ apr_table_set(mc->env, "GSS_MECH", mechdata);
|
|
|
aacfac |
+
|
|
|
aacfac |
+ /* also log at info level */
|
|
|
aacfac |
+ ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
|
|
|
aacfac |
+ "User %s authenticated with %s", mc->gss_name, mechdata);
|
|
|
aacfac |
+
|
|
|
aacfac |
+ (void)gss_release_buffer(&min, &sasl_mech_name);
|
|
|
aacfac |
+ (void)gss_release_buffer(&min, &mech_name);
|
|
|
aacfac |
+ (void)gss_release_buffer(&min, &mech_description);
|
|
|
aacfac |
+}
|
|
|
aacfac |
diff --git a/src/environ.h b/src/environ.h
|
|
|
aacfac |
index 40bca9877f600246d19a3bf4be370310636ce6c7..b0813da6508df7c5594b51cada7712dc44393e44 100644
|
|
|
aacfac |
--- a/src/environ.h
|
|
|
aacfac |
+++ b/src/environ.h
|
|
|
aacfac |
@@ -18,3 +18,5 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min,
|
|
|
aacfac |
const char *gss_err, const char *mag_err);
|
|
|
aacfac |
void mag_set_req_attr_fail(request_rec *req, struct mag_config *cfg,
|
|
|
aacfac |
struct mag_conn *mc);
|
|
|
aacfac |
+void mag_publish_mech(request_rec *req, struct mag_conn *mc,
|
|
|
aacfac |
+ const char *auth_type, gss_OID mech_type);
|
|
|
aacfac |
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
|
|
aacfac |
index c91aa60707ba9b237a84f95670d483f1a7eab86b..93c43308585cf140297de82e118a367f69d25a92 100644
|
|
|
aacfac |
--- a/src/mod_auth_gssapi.c
|
|
|
aacfac |
+++ b/src/mod_auth_gssapi.c
|
|
|
aacfac |
@@ -1289,6 +1289,10 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
|
|
|
aacfac |
mc->user_name = apr_pstrdup(mc->pool, mc->gss_name);
|
|
|
aacfac |
}
|
|
|
aacfac |
|
|
|
aacfac |
+ if (cfg->pubmech) {
|
|
|
aacfac |
+ mag_publish_mech(req, mc, mag_str_auth_type(mc->auth_type), mech_type);
|
|
|
aacfac |
+ }
|
|
|
aacfac |
+
|
|
|
aacfac |
mc->established = true;
|
|
|
aacfac |
if (req_cfg->use_sessions) {
|
|
|
aacfac |
mag_attempt_session(req_cfg, mc);
|
|
|
aacfac |
@@ -1894,6 +1898,9 @@ static const command_rec mag_commands[] = {
|
|
|
aacfac |
AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot,
|
|
|
aacfac |
(void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG,
|
|
|
aacfac |
"Publish GSSAPI Errors in Envionment Variables"),
|
|
|
aacfac |
+ AP_INIT_FLAG("GssapiPublishMech", ap_set_flag_slot,
|
|
|
aacfac |
+ (void *)APR_OFFSETOF(struct mag_config, pubmech), OR_AUTHCFG,
|
|
|
aacfac |
+ "Publish GSSAPI Mech Name in Envionment Variables"),
|
|
|
aacfac |
AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG,
|
|
|
aacfac |
"Name of the acceptor credentials."),
|
|
|
aacfac |
AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL,
|
|
|
aacfac |
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
|
|
|
aacfac |
index 2312ab57f4b2e0bd50f191018b081a3ecb86f15a..8ab3bdc57be793cc493176c02910219e905900e9 100644
|
|
|
aacfac |
--- a/src/mod_auth_gssapi.h
|
|
|
aacfac |
+++ b/src/mod_auth_gssapi.h
|
|
|
aacfac |
@@ -91,6 +91,7 @@ struct mag_config {
|
|
|
aacfac |
struct mag_name_attributes *name_attributes;
|
|
|
aacfac |
const char *required_na_expr;
|
|
|
aacfac |
int enverrs;
|
|
|
aacfac |
+ int pubmech;
|
|
|
aacfac |
gss_name_t acceptor_name;
|
|
|
aacfac |
bool acceptor_name_from_req;
|
|
|
aacfac |
uint32_t basic_timeout;
|
|
|
aacfac |
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
|
aacfac |
index c830e951d04316e4cbc76fa3b5961baedb516ec6..2ddb46ea30e6ebf9ff0b30278c609178d02c1efc 100644
|
|
|
aacfac |
--- a/tests/Makefile.am
|
|
|
aacfac |
+++ b/tests/Makefile.am
|
|
|
aacfac |
@@ -6,14 +6,16 @@ EXTRA_DIST = \
|
|
|
aacfac |
index.html \
|
|
|
aacfac |
localname.html \
|
|
|
aacfac |
magtests.py \
|
|
|
aacfac |
+ mech.html \
|
|
|
aacfac |
t_bad_acceptor_name.py \
|
|
|
aacfac |
t_basic_k5_fail_second.py \
|
|
|
aacfac |
t_basic_k5.py \
|
|
|
aacfac |
t_basic_k5_two_users.py \
|
|
|
aacfac |
t_basic_proxy.py \
|
|
|
aacfac |
t_basic_timeout.py \
|
|
|
aacfac |
- t_localname.py \
|
|
|
aacfac |
t_hostname_acceptor.py \
|
|
|
aacfac |
+ t_localname.py \
|
|
|
aacfac |
+ t_mech_name.py \
|
|
|
aacfac |
t_nonego.py \
|
|
|
aacfac |
t_required_name_attr.py \
|
|
|
aacfac |
t_spnego_negotiate_once.py \
|
|
|
aacfac |
diff --git a/tests/httpd.conf b/tests/httpd.conf
|
|
|
aacfac |
index b3777574d9f0547560f24eff992fc1018569b5cc..775294b7d600e82c3955316a2d5b667c8b3c5581 100644
|
|
|
aacfac |
--- a/tests/httpd.conf
|
|
|
aacfac |
+++ b/tests/httpd.conf
|
|
|
aacfac |
@@ -331,3 +331,18 @@ CoreDumpDirectory "{HTTPROOT}"
|
|
|
aacfac |
GssapiSessionKey file:{HTTPROOT}/session.key
|
|
|
aacfac |
Require valid-user
|
|
|
aacfac |
</Location>
|
|
|
aacfac |
+
|
|
|
aacfac |
+<Location /mech_name>
|
|
|
aacfac |
+ Options +Includes
|
|
|
aacfac |
+ AddOutputFilter INCLUDES .html
|
|
|
aacfac |
+ AuthType GSSAPI
|
|
|
aacfac |
+ AuthName "Password Login"
|
|
|
aacfac |
+ GssapiSSLonly Off
|
|
|
aacfac |
+ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
|
|
|
aacfac |
+ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
|
|
|
aacfac |
+ GssapiCredStore keytab:{HTTPROOT}/http.keytab
|
|
|
aacfac |
+ GssapiBasicAuth On
|
|
|
aacfac |
+ GssapiBasicAuthMech krb5
|
|
|
aacfac |
+ GssapiPublishMech On
|
|
|
aacfac |
+ Require valid-user
|
|
|
aacfac |
+</Location>
|
|
|
aacfac |
\ No newline at end of file
|
|
|
aacfac |
diff --git a/tests/magtests.py b/tests/magtests.py
|
|
|
aacfac |
index d100413b371e7ecf4e09d944b7ff6e9bec7e316f..9aba68f826a37a890bfefb62665697eef7d07dfa 100755
|
|
|
aacfac |
--- a/tests/magtests.py
|
|
|
aacfac |
+++ b/tests/magtests.py
|
|
|
aacfac |
@@ -786,6 +786,22 @@ def test_gss_localname(testdir, testenv, logfile):
|
|
|
aacfac |
return error_count
|
|
|
aacfac |
|
|
|
aacfac |
|
|
|
aacfac |
+def test_mech_name(testdir, testenv, logfile):
|
|
|
aacfac |
+ basicdir = os.path.join(testdir, 'httpd', 'html', 'mech_name')
|
|
|
aacfac |
+ os.mkdir(basicdir)
|
|
|
aacfac |
+ shutil.copy('tests/mech.html', basicdir)
|
|
|
aacfac |
+
|
|
|
aacfac |
+ mname = subprocess.Popen(["tests/t_mech_name.py"],
|
|
|
aacfac |
+ stdout=logfile, stderr=logfile,
|
|
|
aacfac |
+ env=testenv, preexec_fn=os.setsid)
|
|
|
aacfac |
+ mname.wait()
|
|
|
aacfac |
+ if mname.returncode != 0:
|
|
|
aacfac |
+ sys.stderr.write('MECH-NAME: FAILED\n')
|
|
|
aacfac |
+ return 1
|
|
|
aacfac |
+ sys.stderr.write('MECH-NAME: SUCCESS\n')
|
|
|
aacfac |
+ return 0
|
|
|
aacfac |
+
|
|
|
aacfac |
+
|
|
|
aacfac |
if __name__ == '__main__':
|
|
|
aacfac |
args = parse_args()
|
|
|
aacfac |
|
|
|
aacfac |
@@ -847,6 +863,8 @@ if __name__ == '__main__':
|
|
|
aacfac |
|
|
|
aacfac |
errs += test_no_negotiate(testdir, testenv, logfile)
|
|
|
aacfac |
|
|
|
aacfac |
+ errs += test_mech_name(testdir, testenv, logfile)
|
|
|
aacfac |
+
|
|
|
aacfac |
# After this point we need to speed up httpd to test creds timeout
|
|
|
aacfac |
try:
|
|
|
aacfac |
fakeenv = faketime_setup(kdcenv)
|
|
|
aacfac |
diff --git a/tests/mech.html b/tests/mech.html
|
|
|
aacfac |
new file mode 100644
|
|
|
aacfac |
index 0000000000000000000000000000000000000000..bb7b3cd5278f055e278a7dfde73c15aa400a6a17
|
|
|
aacfac |
--- /dev/null
|
|
|
aacfac |
+++ b/tests/mech.html
|
|
|
aacfac |
@@ -0,0 +1 @@
|
|
|
aacfac |
+
|
|
|
aacfac |
diff --git a/tests/t_mech_name.py b/tests/t_mech_name.py
|
|
|
aacfac |
new file mode 100755
|
|
|
aacfac |
index 0000000000000000000000000000000000000000..69f451f2bbe58a16f61418f96eca26e7994bcb8a
|
|
|
aacfac |
--- /dev/null
|
|
|
aacfac |
+++ b/tests/t_mech_name.py
|
|
|
aacfac |
@@ -0,0 +1,19 @@
|
|
|
aacfac |
+#!/usr/bin/env python3
|
|
|
aacfac |
+# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
|
|
|
aacfac |
+
|
|
|
aacfac |
+import os
|
|
|
aacfac |
+import requests
|
|
|
aacfac |
+from requests.auth import HTTPBasicAuth
|
|
|
aacfac |
+
|
|
|
aacfac |
+
|
|
|
aacfac |
+if __name__ == '__main__':
|
|
|
aacfac |
+ url = 'http://%s/mech_name/mech.html' % os.environ['NSS_WRAPPER_HOSTNAME']
|
|
|
aacfac |
+ r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'],
|
|
|
aacfac |
+ os.environ['MAG_USER_PASSWORD']))
|
|
|
aacfac |
+ if r.status_code != 200:
|
|
|
aacfac |
+ raise ValueError('Basic Auth Failed')
|
|
|
aacfac |
+
|
|
|
aacfac |
+ if r.text.rstrip() != 'Basic/krb5':
|
|
|
aacfac |
+ raise ValueError(
|
|
|
aacfac |
+ 'GSS_MECH check failed, expected Basic/krb5, got "%s"' %
|
|
|
aacfac |
+ r.text.rstrip())
|
|
|
aacfac |
--
|
|
|
aacfac |
2.35.3
|
|
|
aacfac |
|