Fix saving delegated credentials for SPNs
parent
7980eb6717
commit
db9f42c46c
@ -0,0 +1,90 @@
|
|||||||
|
From 286e3dac69c3d4b32db93de1f9937f434383588f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simo Sorce <simo@redhat.com>
|
||||||
|
Date: Thu, 26 Mar 2015 16:30:56 -0400
|
||||||
|
Subject: [PATCH] Escape principal name to remove the path separator
|
||||||
|
|
||||||
|
The principla name is used as a file name, any embedded path separators
|
||||||
|
are going to cause trouble if used in the file name, so we need to escape
|
||||||
|
them away. Usee ~ as the escape chracter (~~ to escape ~ itself)
|
||||||
|
|
||||||
|
Fixes #14
|
||||||
|
---
|
||||||
|
src/mod_auth_gssapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 53 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
||||||
|
index 4f21123a4caa56d748307055be73099cc9a63dc0..c7881bf9e149bb190ad73741250d94541abfd0e8 100644
|
||||||
|
--- a/src/mod_auth_gssapi.c
|
||||||
|
+++ b/src/mod_auth_gssapi.c
|
||||||
|
@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static char *escape(apr_pool_t *pool, const char *name,
|
||||||
|
+ char find, const char *replace)
|
||||||
|
+{
|
||||||
|
+ char *escaped = NULL;
|
||||||
|
+ char *namecopy;
|
||||||
|
+ char *n;
|
||||||
|
+ char *p;
|
||||||
|
+
|
||||||
|
+ namecopy = apr_pstrdup(pool, name);
|
||||||
|
+ if (!namecopy) goto done;
|
||||||
|
+
|
||||||
|
+ p = strchr(namecopy, find);
|
||||||
|
+ if (!p) return namecopy;
|
||||||
|
+
|
||||||
|
+ /* first segment */
|
||||||
|
+ n = namecopy;
|
||||||
|
+ while (p) {
|
||||||
|
+ /* terminate previous segment */
|
||||||
|
+ *p = '\0';
|
||||||
|
+ if (escaped) {
|
||||||
|
+ escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
|
||||||
|
+ } else {
|
||||||
|
+ escaped = apr_pstrcat(pool, n, replace, NULL);
|
||||||
|
+ }
|
||||||
|
+ if (!escaped) goto done;
|
||||||
|
+ /* move to next segment */
|
||||||
|
+ n = p + 1;
|
||||||
|
+ p = strchr(n, find);
|
||||||
|
+ }
|
||||||
|
+ /* append last segment if any */
|
||||||
|
+ if (*n) {
|
||||||
|
+ escaped = apr_pstrcat(pool, escaped, n, NULL);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ if (!escaped) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
|
||||||
|
+ "OOM escaping name");
|
||||||
|
+ }
|
||||||
|
+ return escaped;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void mag_store_deleg_creds(request_rec *req,
|
||||||
|
char *dir, char *clientname,
|
||||||
|
gss_cred_id_t delegated_cred,
|
||||||
|
@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req,
|
||||||
|
gss_key_value_set_desc store;
|
||||||
|
char *value;
|
||||||
|
uint32_t maj, min;
|
||||||
|
+ char *escaped;
|
||||||
|
|
||||||
|
- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
|
||||||
|
+ /* We need to escape away '/', we can't have path separators in
|
||||||
|
+ * a ccache file name */
|
||||||
|
+ /* first double escape the esacping char (~) if any */
|
||||||
|
+ escaped = escape(req->pool, clientname, '~', "~~");
|
||||||
|
+ if (!escaped) return;
|
||||||
|
+ /* then escape away the separator (/) if any */
|
||||||
|
+ escaped = escape(req->pool, escaped, '/', "~");
|
||||||
|
+ if (!escaped) return;
|
||||||
|
+
|
||||||
|
+ value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
|
||||||
|
if (!value) {
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
|
||||||
|
"OOM storing delegated credentials");
|
||||||
|
--
|
||||||
|
2.1.0
|
||||||
|
|
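Review bot: The two escape() calls in mag_store_deleg_creds do not give an unambiguous file name, because `~` is rewritten to `~~` and `/` to a single `~`. A client name containing `a~b` and one containing `a//b` both end up as `a~~b`, and `~/` and `/~` both become `~~~`. If the realm can issue principals with such names (not visible from this hunk), two different clients would share one ccache file under `dir`, and one client's delegated credentials could replace the other's. Giving the separator its own two-character sequence keeps the mapping reversible, for example `escaped = escape(req->pool, escaped, '/', "~s");`, and anything that derives the ccache path from the principal name would need the same mapping. The body of mag_store_deleg_creds continues outside the hunk.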
@ -1,6 +1,6 @@
|
|||||||
Name: mod_auth_gssapi
|
Name: mod_auth_gssapi
|
||||||
Version: 1.1.0
|
Version: 1.1.0
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: A GSSAPI Authentication module for Apache
|
Summary: A GSSAPI Authentication module for Apache
|
||||||
|
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -12,13 +12,15 @@ BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libt
|
|||||||
Requires: httpd-mmn = %{_httpd_mmn}
|
Requires: httpd-mmn = %{_httpd_mmn}
|
||||||
Requires: krb5-libs >= 1.11.5
|
Requires: krb5-libs >= 1.11.5
|
||||||
|
|
||||||
|
Patch01: 0001-Escape-principal-name-to-remove-the-path-separator.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The mod_auth_gssapi module is an authentication service that implements the
|
The mod_auth_gssapi module is an authentication service that implements the
|
||||||
SPNEGO based HTTP Authentication protocol defined in RFC4559.
|
SPNEGO based HTTP Authentication protocol defined in RFC4559.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch01 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export APXS=%{_httpd_apxs}
|
export APXS=%{_httpd_apxs}
|
||||||
@ -44,6 +46,9 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
|
|||||||
%{_httpd_moddir}/mod_auth_gssapi.so
|
%{_httpd_moddir}/mod_auth_gssapi.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 26 2015 Simo Sorce <simo@redhat.com> 1.1.0-2
|
||||||
|
- Fix saving delegated credentials for SPNs
|
||||||
|
|
||||||
* Thu Mar 12 2015 Simo Sorce <simo@redhat.com> 1.1.0-1
|
* Thu Mar 12 2015 Simo Sorce <simo@redhat.com> 1.1.0-1
|
||||||
- New minor release 1.1.0
|
- New minor release 1.1.0
|
||||||
- New feature: Basic Auth support
|
- New feature: Basic Auth support
|
||||||
|