X-Git-Url: http://git.hcoop.net/hcoop/zz_old/modwaklog.git/blobdiff_plain/891fb45869db9d1aaa33e6951d3a200917b05fdd..21a7788b0100cb157e0123325b320fec4aef6f43:/mod_waklog.c diff --git a/mod_waklog.c b/mod_waklog.c index c85352a..70b202f 100644 --- a/mod_waklog.c +++ b/mod_waklog.c @@ -42,18 +42,15 @@ { name, func, \ NULL , \ RSRC_CONF | ACCESS_CONF , type, usage } +module waklog_module; /********************* APACHE2 ******************************************************************************/ #else #include #include -//#include #define ap_pcalloc apr_pcalloc #define ap_pdupstr apr_pdupstr #define ap_pstrdup apr_pstrdup - -module AP_MODULE_DECLARE_DATA waklog_module; - #define MK_POOL apr_pool_t #define MK_TABLE_GET apr_table_get #define MK_TABLE_SET apr_table_set @@ -66,13 +63,10 @@ extern unixd_config_rec unixd_config; AP_INIT_ ## type (name, (void*) func, \ NULL, \ RSRC_CONF | ACCESS_CONF, usage) -typedef struct -{ - int dummy; -} -child_info; - +module AP_MODULE_DECLARE_DATA waklog_module; +typedef struct { int dummy; } child_info; const char *userdata_key = "waklog_init"; + #endif /* APACHE2 */ /**************************************************************************************************/ @@ -96,12 +90,6 @@ const char *userdata_key = "waklog_init"; #define APLOG_DEBUG APLOG_ERR #endif -#ifndef CELL_IN_PRINCIPAL -int cell_in_principal = 1; -#else -int cell_in_principal = 0; -#endif - /* this is used to turn off pag generation for the backround worker child during startup */ int pag_for_children = 1; @@ -111,6 +99,8 @@ typedef struct int configured; int protect; int usertokens; + int cell_in_principal; + int disable_token_cache; char *keytab; char *principal; char *default_principal; @@ -168,7 +158,6 @@ struct renew_ent renewtable[SHARED_TABLE_SIZE]; int renewcount = 0; -module waklog_module; #define getModConfig(P, X) P = (waklog_config *) ap_get_module_config( (X)->module_config, &waklog_module ); 
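Review bot: The `cell_in_principal` member added to the config struct in the `@@ -111` hunk never receives an explicit default, whereas the global it replaces (removed in the `@@ -96` hunk) was 1 unless CELL_IN_PRINCIPAL was defined, and the sibling `disable_token_cache` is set to WAKLOG_UNSET in both the create_server_config and create_dir_config hunks. Whether the first lookup tries afs@REALM or afs/cell@REALM therefore depends on the allocator zero-filling the struct (presumably ap_pcalloc, not visible in the diff) rather than on a stated choice. I would initialise it in both create functions, `cfg->cell_in_principal = 0; /* try afs@REALM first; set_auth records whichever form worked */`, and mention in the commit message that the CELL_IN_PRINCIPAL build-time switch is gone, since a build still passing -DCELL_IN_PRINCIPAL now silently changes nothing.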
@@ -185,11 +174,6 @@ module waklog_module; #include #include -/* If there's an error, retry more aggressively */ -#define ERR_SLEEP_TIME 5*60 - - -#define K5PATH "FILE:/tmp/waklog.creds.k5" static void log_error (const char *file, int line, int level, int status, @@ -261,6 +245,8 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta int stored = -1; time_t mytime; int indentical; + int cell_in_principal; + int attempt; char k5user[MAXNAMELEN]; char *k5secret; 
@@ -487,36 +473,49 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta /* now, to the 'aklog' portion of our program. */ strncpy( buf, "afs", sizeof(buf) - 1 ); - - if (cell_in_principal) { - strncat(buf, "/", sizeof(buf) - strlen(buf) - 1); - strncat(buf, cfg->afs_cell, sizeof(buf) - strlen(buf) - 1); - } - log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: using AFS principal: %s", buf); - - if ((kerror = krb5_parse_name (child.kcontext, buf, &increds.server))) { - log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse name %s", error_message(kerror)); - goto cleanup; - } - - if ((kerror = krb5_cc_get_principal(child.kcontext, child.ccache, &increds.client))) { - log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_cc_get_princ %s", error_message(kerror)); - goto cleanup; - } - - log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: retrieved data from ccache for %s", k5user); - - increds.times.endtime = 0; - - increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; - - if (kerror = krb5_get_credentials (child.kcontext, 0, child.ccache, &increds, &v5credsp )) { - log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_credentials: %s", - error_message(kerror)); - goto cleanup; + /** we make two attempts here, one for afs@REALM and one for afs/cell@REALM */ + for(attempt = 0; attempt <= 1; attempt++) { + cell_in_principal = (cfg->cell_in_principal + attempt) % 2; + + log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: cell_in_principal=%d", cell_in_principal ); + if (cell_in_principal) { + strncat(buf, "/", sizeof(buf) - strlen(buf) - 1); + strncat(buf, cfg->afs_cell, sizeof(buf) - strlen(buf) - 1); + } + + log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: using AFS principal: %s", buf); + + if ((kerror = krb5_parse_name (child.kcontext, buf, &increds.server))) { + log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse name %s", error_message(kerror)); + goto cleanup; + } + + if ((kerror = 
krb5_cc_get_principal(child.kcontext, child.ccache, &increds.client))) { + log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_cc_get_princ %s", error_message(kerror)); + goto cleanup; + } + + log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: retrieved data from ccache for %s", k5user); + + increds.times.endtime = 0; + + increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; + + if (kerror = krb5_get_credentials (child.kcontext, 0, child.ccache, &increds, &v5credsp )) { + /* only complain once we've tried both afs@REALM and afs/cell@REALM */ + if (attempt>=1) { + log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_credentials: %s", + error_message(kerror)); + goto cleanup; + } else { + continue; + } + } + cfg->cell_in_principal = cell_in_principal; + break; } - + log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: get_credentials passed for %s", k5user); if ( v5credsp->ticket.length >= MAXKTCTICKETLEN ) { @@ -710,6 +709,7 @@ waklog_create_server_config (MK_POOL * p, server_rec * s) cfg->path = "(server)"; cfg->protect = WAKLOG_UNSET; cfg->usertokens = WAKLOG_UNSET; + cfg->disable_token_cache = WAKLOG_UNSET; cfg->keytab = WAKLOG_UNSET; cfg->principal = WAKLOG_UNSET; cfg->default_principal = WAKLOG_UNSET; @@ -737,6 +737,7 @@ waklog_create_dir_config (MK_POOL * p, char *dir) cfg->path = ap_pstrdup(p, dir ); cfg->protect = WAKLOG_UNSET; cfg->usertokens = WAKLOG_UNSET; + cfg->disable_token_cache = WAKLOG_UNSET; cfg->keytab = WAKLOG_UNSET; cfg->principal = WAKLOG_UNSET; cfg->default_principal = WAKLOG_UNSET; 
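Review bot: `buf` is set to "afs" only once, before the retry loop, so the fallback works in one direction only: when `cfg->cell_in_principal` is 1 the first attempt appends "/cell", and the second attempt with `cell_in_principal` 0 still sends "afs/cell" because nothing resets the buffer. The principals from the failed first attempt are also overwritten on retry, since `increds.server` and `increds.client` are reallocated by krb5_parse_name and krb5_cc_get_principal without being released (assuming the cleanup label, outside the hunk, frees them once). Rebuilding `buf` at the top of each iteration and freeing the principals before `continue` fixes both; `cfg->cell_in_principal = cell_in_principal` additionally writes to the shared per-location config from the request path, which is harmless under prefork but a data race under a threaded MPM. set_auth starts and ends outside the hunk.
```c
/** we make two attempts here, one for afs@REALM and one for afs/cell@REALM */
for(attempt = 0; attempt <= 1; attempt++) {
    cell_in_principal = (cfg->cell_in_principal + attempt) % 2;
    /* rebuild the service name on every attempt; otherwise a first try with the
     * cell appended leaves "afs/cell" in buf for the retry */
    strncpy( buf, "afs", sizeof(buf) - 1 );
    /* … unchanged: cell suffix, krb5_parse_name, krb5_cc_get_principal, increds setup … */
    if (kerror = krb5_get_credentials (child.kcontext, 0, child.ccache, &increds, &v5credsp )) {
        /* only complain once we've tried both afs@REALM and afs/cell@REALM */
        if (attempt>=1) {
            log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_credentials: %s",
                      error_message(kerror));
            goto cleanup;
        }
        /* release the principals of the failed attempt before the retry overwrites them */
        krb5_free_principal(child.kcontext, increds.server);
        increds.server = NULL;
        krb5_free_principal(child.kcontext, increds.client);
        increds.client = NULL;
        continue;
    }
    /* … unchanged: remember the form that worked, break … */
}
```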
@@ -759,6 +760,8 @@ static void *waklog_merge_dir_config(MK_POOL *p, void *parent_conf, void *newloc merged->path = child->path != WAKLOG_UNSET ? child->path : parent->path; merged->usertokens = child->usertokens != WAKLOG_UNSET ? child->usertokens : parent->usertokens; + + merged->disable_token_cache = child->disable_token_cache != WAKLOG_UNSET ? child->disable_token_cache : parent->disable_token_cache; merged->principal = child->principal != WAKLOG_UNSET ? child->principal : parent->principal; @@ -784,6 +787,8 @@ static void *waklog_merge_server_config(MK_POOL *p, void *parent_conf, void *new merged->usertokens = nconf->usertokens == WAKLOG_UNSET ? pconf->usertokens : nconf->usertokens; + merged->disable_token_cache = nconf->disable_token_cache == WAKLOG_UNSET ? pconf->udisable_token_cache : nconf->disable_token_cache; + merged->keytab = nconf->keytab == WAKLOG_UNSET ? ap_pstrdup(p, pconf->keytab) : ( nconf->keytab == WAKLOG_UNSET ? WAKLOG_UNSET : ap_pstrdup(p, pconf->keytab) ); @@ -805,7 +810,7 @@ static void *waklog_merge_server_config(MK_POOL *p, void *parent_conf, void *new } static const char * -set_waklog_protect (cmd_parms * params, void *mconfig, int flag) +set_waklog_enabled (cmd_parms * params, void *mconfig, int flag) { waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig : ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module ); @@ -813,7 +818,7 @@ set_waklog_protect (cmd_parms * params, void *mconfig, int flag) cfg->protect = flag; cfg->configured = 1; log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server, - "mod_waklog: waklog_protect set on %s", cfg->path ? cfg->path : "NULL"); + "mod_waklog: waklog_enabled set on %s", cfg->path ? cfg->path : "NULL"); return (NULL); } 
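Review bot: In the `@@ -784` hunk the new merge line reads `pconf->udisable_token_cache`, but the struct gained a member named `disable_token_cache` (see the `@@ -111` hunk), so waklog_merge_server_config will not compile unless a `udisable_token_cache` member exists outside this diff; it should be `merged->disable_token_cache = nconf->disable_token_cache == WAKLOG_UNSET ? pconf->disable_token_cache : nconf->disable_token_cache;`. Neither merge function propagates `cell_in_principal`, so a merged directory config does not inherit the value that set_waklog_afs_cell stores on the server config; if that is intended, a one-line comment saying so would save the next reader the same question. Both merge functions start and end outside their hunks.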
@@ -847,7 +852,7 @@ void add_to_renewtable(MK_POOL *p, char *keytab, char *principal) { } static const char * -set_waklog_principal (cmd_parms *params, void *mconfig, char *principal, char *keytab) +set_waklog_location_principal (cmd_parms *params, void *mconfig, char *principal, char *keytab) { waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig : ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module ); @@ -866,7 +871,7 @@ set_waklog_principal (cmd_parms *params, void *mconfig, char *principal, char *k } static const char * -set_waklog_use_afs_cell (cmd_parms * params, void *mconfig, char *file) +set_waklog_afs_cell (cmd_parms * params, void *mconfig, char *file) { waklog_config *waklog_mconfig = ( waklog_config * ) mconfig; waklog_config *waklog_srvconfig = @@ -875,10 +880,12 @@ set_waklog_use_afs_cell (cmd_parms * params, void *mconfig, char *file) log_error (APLOG_MARK, APLOG_INFO, 0, params->server, "mod_waklog: will use afs_cell: %s", file); + waklog_srvconfig->cell_in_principal = 0; waklog_srvconfig->afs_cell = ap_pstrdup (params->pool, file); waklog_srvconfig->configured = 1; if (waklog_mconfig != NULL) { + waklog_mconfig->cell_in_principal = waklog_srvconfig->cell_in_principal; waklog_mconfig->afs_cell = ap_pstrdup (params->pool, file); waklog_mconfig->configured = 1; } @@ -931,6 +938,22 @@ set_waklog_use_usertokens (cmd_parms * params, void *mconfig, int flag) } +static const char * +set_waklog_disable_token_cache (cmd_parms * params, void *mconfig, int flag) +{ + waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig : + ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module ); + + cfg->disable_token_cache = flag; + + cfg->configured = 1; + + log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server, + "mod_waklog: waklog_disable_token_cache set"); + return (NULL); +} + + #ifndef APACHE2 static void waklog_child_exit( server_rec *s, MK_POOL *p ) { #else 
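Review bot: `set_waklog_disable_token_cache` only records the flag; no hunk in this commit reads `cfg->disable_token_cache`, so unless the consumer lives in code outside the diff the new WaklogDisableTokenCache directive is parsed and merged but changes nothing, which is worth confirming before merging. Its log line is also less informative than the one in set_waklog_enabled, which names the scope it applied to: `"mod_waklog: waklog_disable_token_cache set on %s", cfg->path ? cfg->path : "NULL"`. The function is entirely within the hunk.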
@@ -1018,21 +1041,24 @@ waklog_child_init (server_rec * s, MK_POOL * p) command_rec waklog_cmds[] = { - command ("WaklogProtected", set_waklog_protect, 0, FLAG, - "enable waklog on a location or directory basis"), + command ("WaklogAFSCell", set_waklog_afs_cell, 0, TAKE1, + "Use the supplied AFS cell (required)"), - command ("WaklogPrincipal", set_waklog_principal, 0, TAKE2, - "Use the supplied keytab rather than the default"), + command ("WaklogEnabled", set_waklog_enabled, 0, FLAG, + "enable waklog on a server, location, or directory basis"), - command ("WaklogUseAFSCell", set_waklog_use_afs_cell, 0, TAKE1, - "Use the supplied AFS cell rather than the default"), + command ("WaklogDefaultPrincipal", set_waklog_default_principal, 0, TAKE2, + "Set the default principal that the server runs as"), - command ("WaklogUseUserTokens", set_waklog_use_usertokens, 0, FLAG, - "Use the requesting user tokens (from webauth)"), + command ("WaklogLocationPrincipal", set_waklog_location_principal, 0, TAKE2, + "Set the principal on a -specific basis"), - command ("WaklogDefaultPrincipal", set_waklog_default_principal, 0, TAKE2, - "Set the default principal that the server runs as"), - + command ("WaklogDisableTokenCache", set_waklog_disable_token_cache, 0, FLAG, + "Ignore the token cache (location-specific); useful for scripts that need kerberos tickets."), + + command ("WaklogUseUserTokens", set_waklog_use_usertokens, 0, FLAG, + "Use the requesting user tokens (from webauth)"), + {NULL} }; @@ -1154,7 +1180,7 @@ waklog_init_handler (apr_pool_t * p, apr_pool_t * plog, if (cfg->afs_cell==NULL) { log_error (APLOG_MARK, APLOG_ERR, 0, s, - "mod_waklog: afs_cell==NULL; please provide the WaklogUseAFSCell directive"); + "mod_waklog: afs_cell==NULL; please provide the WaklogAFSCell directive"); /** clobber apache */ exit(-1); }
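Review bot: The command table renames WaklogProtected, WaklogPrincipal and WaklogUseAFSCell without keeping the old spellings, so any existing configuration that uses them stops the server at startup as an unknown directive instead of degrading gracefully. Keeping the old names as deprecated aliases bound to the same handlers costs two lines each, e.g. `command ("WaklogProtected", set_waklog_enabled, 0, FLAG, "deprecated alias for WaklogEnabled"),`, and the rename deserves a line in the commit message either way. The help text for WaklogLocationPrincipal, `"Set the principal on a -specific basis"`, appears to be missing a word, presumably "location-specific".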