Fix annoying incorrect behavior with simple configuration where

GssapiAllowedMech is not used.

0001-Escape-principal-name-to-remove-the-path-separator.patch

@@ -1,90 +0,0 @@
-From 286e3dac69c3d4b32db93de1f9937f434383588f Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 26 Mar 2015 16:30:56 -0400
-Subject: [PATCH] Escape principal name to remove the path separator
-
-The principla name is used as a file name, any embedded path separators
-are going to cause trouble if used in the file name, so we need to escape
-them away. Usee ~ as the escape chracter (~~ to escape ~ itself)
-
-Fixes #14
----
- src/mod_auth_gssapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 53 insertions(+), 1 deletion(-)
-
-diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
-index 4f21123a4caa56d748307055be73099cc9a63dc0..c7881bf9e149bb190ad73741250d94541abfd0e8 100644
---- a/src/mod_auth_gssapi.c
-+++ b/src/mod_auth_gssapi.c
-@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c)
-     return false;
- }
- 
-+static char *escape(apr_pool_t *pool, const char *name,
-+                    char find, const char *replace)
-+{
-+    char *escaped = NULL;
-+    char *namecopy;
-+    char *n;
-+    char *p;
-+
-+    namecopy = apr_pstrdup(pool, name);
-+    if (!namecopy) goto done;
-+
-+    p = strchr(namecopy, find);
-+    if (!p) return namecopy;
-+
-+    /* first segment */
-+    n = namecopy;
-+    while (p) {
-+        /* terminate previous segment */
-+        *p = '\0';
-+        if (escaped) {
-+            escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
-+        } else {
-+            escaped = apr_pstrcat(pool, n, replace, NULL);
-+        }
-+        if (!escaped) goto done;
-+        /* move to next segment */
-+        n = p + 1;
-+        p = strchr(n, find);
-+    }
-+    /* append last segment if any */
-+    if (*n) {
-+        escaped = apr_pstrcat(pool, escaped, n, NULL);
-+    }
-+
-+done:
-+    if (!escaped) {
-+        ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
-+                     "OOM escaping name");
-+    }
-+    return escaped;
-+}
-+
- static void mag_store_deleg_creds(request_rec *req,
-                                   char *dir, char *clientname,
-                                   gss_cred_id_t delegated_cred,
-@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req,
-     gss_key_value_set_desc store;
-     char *value;
-     uint32_t maj, min;
-+    char *escaped;
- 
--    value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
-+    /* We need to escape away '/', we can't have path separators in
-+     * a ccache file name */
-+    /* first double escape the esacping char (~) if any */
-+    escaped = escape(req->pool, clientname, '~', "~~");
-+    if (!escaped) return;
-+    /* then escape away the separator (/) if any */
-+    escaped = escape(req->pool, escaped, '/', "~");
-+    if (!escaped) return;
-+
-+    value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
-     if (!value) {
-         ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
-                      "OOM storing delegated credentials");
--- 
-2.1.0
-

0001-Fix-checks-on-allowed-mechs.patch

@@ -0,0 +1,62 @@
+From 4e7967e797e5c8912a67c0de8f172bb95b5172ff Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 7 Jul 2015 13:23:57 -0400
+Subject: [PATCH] Fix checks on allowed mechs
+
+We need to check if a mech is allowed against the desired_mechs set.
+Otherwise in case the admin does not explicitly specify an allowed set
+then all mechs are allowed, including NTLM. This causes annoying issues
+with browsers like Firefox and Chrome/ium which end up popping up an
+authentication dialog if they see NTLM is supported and they have no
+Kerberos tickets around.
+Authentication will then simply fail because NTLM is not actually supported.
+By using desired_mechs we use a list of mechanism the machine actually
+has a chance to support in the default case.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ src/mod_auth_gssapi.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index 6cb8d3a532370212f8fc2e708b066511575fbd7e..763b625cef106923afca753e4c3e192df24bb49e 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -292,12 +292,12 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header,
+     return true;
+ }
+ 
+-static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech)
++static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech)
+ {
+-    if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true;
++    if (allowed_mechs == GSS_C_NO_OID_SET) return true;
+ 
+-    for (int i = 0; i < cfg->allowed_mechs->count; i++) {
+-        if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) {
++    for (int i = 0; i < allowed_mechs->count; i++) {
++        if (gss_oid_equal(&allowed_mechs->elements[i], mech)) {
+             return true;
+         }
+     }
+@@ -785,7 +785,7 @@ static int mag_auth(request_rec *req)
+         break;
+ 
+     case AUTH_TYPE_RAW_NTLM:
+-        if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
++        if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {
+             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
+                           "NTLM Authentication is not allowed!");
+             goto done;
+@@ -945,7 +945,7 @@ done:
+         }
+     } else if (ret == HTTP_UNAUTHORIZED) {
+         apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate");
+-        if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
++        if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {
+             apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM");
+         }
+         if (cfg->use_basic_auth) {
+-- 
+2.4.2
+

0001-Handle-authentication-on-subrequests.patch

@@ -1,70 +0,0 @@
-From e5db7c1f5738c7874e73869a2f4511193f956b81 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Mon, 30 Mar 2015 12:48:30 -0400
-Subject: [PATCH] Handle authentication on subrequests
-
-In some cases (like during directory listing) Apache will re-run the
-authentication code. Many GSSAPI mechanism have replay detection so
-we cannot simply rerun the accept_sec_context phase. Others require
-multiple steps. When authntication has already been estalished just
-implicitly consider the authentication successfully performed and
-copy the user name. Otherwise fail.
-If a subrequest hits a location with a different mod_auth_gssapi
-configuration warn but do not error off right away.
-
-Fixes #15
----
- src/mod_auth_gssapi.c | 35 ++++++++++++++++++++++++++++++-----
- 1 file changed, 30 insertions(+), 5 deletions(-)
-
-diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
-index c7881bf9e149bb190ad73741250d94541abfd0e8..e2331107b89734bd5da3a742a884c6a92489d5a8 100644
---- a/src/mod_auth_gssapi.c
-+++ b/src/mod_auth_gssapi.c
-@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
-         return DECLINED;
-     }
- 
--    /* ignore auth for subrequests */
--    if (!ap_is_initial_req(req)) {
--        return OK;
--    }
--
-     cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
- 
-+    /* implicit auth for subrequests if main auth already happened */
-+    if (!ap_is_initial_req(req)) {
-+        type = ap_auth_type(req->main);
-+        if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
-+            /* warn if the subrequest location and the main request
-+             * location have different configs */
-+            if (cfg != ap_get_module_config(req->main->per_dir_config,
-+                                            &auth_gssapi_module)) {
-+                ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
-+                              req, "Subrequest authentication bypass on "
-+                                   "location with different configuration!");
-+            }
-+            if (req->main->user) {
-+                req->user = apr_pstrdup(req->pool, req->main->user);
-+                return OK;
-+            } else {
-+                ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
-+                              "The main request is tasked to establish the "
-+                              "security context, can't proceed!");
-+                return HTTP_UNAUTHORIZED;
-+            }
-+        } else {
-+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
-+                          "Subrequest GSSAPI auth with no auth on the main "
-+                          "request. This operation may fail if other "
-+                          "subrequests already established a context or the "
-+                          "mechanism requires multiple roundtrips.");
-+        }
-+    }
-+
-     if (cfg->ssl_only) {
-         if (!mag_conn_is_https(req->connection)) {
-             ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
--- 
-2.1.0
-

mod_auth_gssapi.spec

@@ -1,6 +1,6 @@
 Name:           mod_auth_gssapi
 Version:        1.3.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A GSSAPI Authentication module for Apache
 
 Group:          System Environment/Daemons
@@ -13,6 +13,7 @@ BuildRequires:  gssntlmssp-devel
 Requires:       httpd-mmn = %{_httpd_mmn}
 Requires:       krb5-libs >= 1.11.5
 
+Patch01: 0001-Fix-checks-on-allowed-mechs.patch
 
 %description
 The mod_auth_gssapi module is an authentication service that implements the
@@ -20,6 +21,7 @@ SPNEGO based HTTP Authentication protocol defined in RFC4559.
 
 %prep
 %setup -q
+%patch01 -p1
 
 %build
 export APXS=%{_httpd_apxs}
@@ -44,6 +46,10 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
 %{_httpd_moddir}/mod_auth_gssapi.so
 
 %changelog
+* Tue Jul  7 2015 Simo Sorce <simo@redhat.com> 1.3.0-2
+- Fix annoying incorrect behavior with simple configuration where
+  GssapiAllowedMech is not used.
+
 * Sat Jul  4 2015 Simo Sorce <simo@redhat.com> 1.3.0-1
 - US Independence Day Release