HCoop / hcoop / debian / libapache-mod-waklog.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
from Simon Wilkinson <sxw@inf.ed.ac.uk>: fix configuration file merging
[hcoop/debian/libapache-mod-waklog.git] / mod_waklog.c
CommitLineData
87822447 1#define _LARGEFILE64_SOURCE
ff47641b 2#define _GNU_SOURCE
87822447 3
bed98ff9 4#include "httpd.h"
5#include "http_config.h"
bed98ff9 6#include "http_log.h"
7193eb01 7#include "http_protocol.h"
8#include "http_request.h"
9#include "http_core.h"
87822447 10
ff47641b 11#ifdef sun
12#include <synch.h>
13#elif linux
14#define use_pthreads
15#include <features.h>
16#include <sys/types.h>
17#include <sys/mman.h>
18#include <pthread.h>
19#else
20#error "make sure you include the right stuff here"
21#endif
22
23#ifndef MAXNAMELEN
24#define MAXNAMELEN 1024
25#endif
26
891fb458 27#ifdef STANDARD20_MODULE_STUFF
c9d59a9c 28#define APACHE2
29#endif
30
31/********************* APACHE1 ******************************************************************************/
32#ifndef APACHE2
ebb1f61c 33#include "ap_config.h"
34#if defined(sun)
35#include <sys/ioccom.h>
36#endif /* sun */
37#include <http_conf_globals.h>
38#define MK_POOL pool
39#define MK_TABLE_GET ap_table_get
40#define MK_TABLE_SET ap_table_set
41#define command(name, func, var, type, usage) \
42 { name, func, \
43 NULL , \
44 RSRC_CONF | ACCESS_CONF , type, usage }
21a7788b 45module waklog_module;
ebb1f61c 46
47/********************* APACHE2 ******************************************************************************/
48#else
87822447 49#include <apr_strings.h>
50#include <apr_base64.h>
ebb1f61c 51#define ap_pcalloc apr_pcalloc
52#define ap_pdupstr apr_pdupstr
53#define ap_pstrdup apr_pstrdup
87822447 54#define MK_POOL apr_pool_t
55#define MK_TABLE_GET apr_table_get
d06251b1 56#define MK_TABLE_SET apr_table_set
87822447 57#include "unixd.h"
58extern unixd_config_rec unixd_config;
59#define ap_user_id unixd_config.user_id
60#define ap_group_id unixd_config.group_id
61#define ap_user_name unixd_config.user_name
62#define command(name, func, var, type, usage) \
63 AP_INIT_ ## type (name, (void*) func, \
ebb1f61c 64 NULL, \
65 RSRC_CONF | ACCESS_CONF, usage)
21a7788b 66module AP_MODULE_DECLARE_DATA waklog_module;
67typedef struct { int dummy; } child_info;
87822447 68const char *userdata_key = "waklog_init";
21a7788b 69
c9d59a9c 70#endif /* APACHE2 */
ebb1f61c 71/**************************************************************************************************/
877d453f 72
73#include <krb5.h>
877d453f 74#include <stropts.h>
75#include <afs/venus.h>
76#include <afs/auth.h>
77#include <afs/dirpath.h>
78#include <afs/ptuser.h>
79#include <rx/rxkad.h>
80
81#define TKT_LIFE ( 12 * 60 * 60 )
42d78dfb 82#define SLEEP_TIME ( TKT_LIFE - 5*60 )
877d453f 83
5d0827ae 84#define WAKLOG_UNSET -1
877d453f 85
86#ifdef WAKLOG_DEBUG
87#undef APLOG_DEBUG
88#define APLOG_DEBUG APLOG_ERR
89#endif
90
877d453f 91/* this is used to turn off pag generation for the backround worker child during startup */
92int pag_for_children = 1;
93
94typedef struct
95{
96 int forked;
97 int configured;
98 int protect;
99 int usertokens;
c8563f50 100 int cell_in_principal;
21a7788b 101 int disable_token_cache;
877d453f 102 char *keytab;
103 char *principal;
104 char *default_principal;
105 char *default_keytab;
106 char *afs_cell;
98534230 107 char *afs_cell_realm;
877d453f 108 char *path;
109 MK_POOL *p;
110}
111waklog_config;
112
113typedef struct
114{
115 struct ktc_token token;
116 char clientprincipal[MAXNAMELEN];
117 krb5_context kcontext;
118 krb5_ccache ccache;
119 struct ktc_principal server;
120 struct ktc_principal client;
121 int pr_init;
122} waklog_child_config;
123
124waklog_child_config child;
125
126struct tokencache_ent {
127 char clientprincipal[MAXNAMELEN];
128 struct ktc_token token;
129 struct ktc_principal client;
130 struct ktc_principal server;
131 time_t lastused;
132 int persist;
133};
134
135#define SHARED_TABLE_SIZE 512
136
137struct sharedspace_s {
138 int renewcount;
139 struct tokencache_ent sharedtokens[SHARED_TABLE_SIZE];
140};
141
142struct sharedspace_s *sharedspace = NULL;
143
144struct renew_ent {
145 char *keytab;
146 char *principal;
147 int lastrenewed;
148};
149
150#ifdef use_pthreads
151pthread_rwlock_t *sharedlock = NULL;
152#else
153rwlock_t *sharedlock = NULL;
154#endif
155
156struct renew_ent renewtable[SHARED_TABLE_SIZE];
157
158int renewcount = 0;
159
ebb1f61c 160
87822447 161
c69d952f 162#define getModConfig(P, X) P = (waklog_config *) ap_get_module_config( (X)->module_config, &waklog_module );
87822447 163
4e1ae1cd 164#include <krb5.h>
bed98ff9 165
7193eb01 166#if defined(sun)
bed98ff9 167#include <sys/ioccom.h>
7193eb01 168#endif /* sun */
bed98ff9 169#include <stropts.h>
bed98ff9 170#include <afs/venus.h>
7193eb01 171#include <afs/auth.h>
d06251b1 172#include <afs/dirpath.h>
173#include <afs/ptuser.h>
7193eb01 174#include <rx/rxkad.h>
175
58bbdc54 176
87822447 177static void
3f4fda20 178log_error (const char *file, int line, int level, int status,
42d78dfb 179 const server_rec * s, const char *fmt, ...)
4d47a8d9 180{
3f4fda20 181 char errstr[4096];
182 va_list ap;
4d47a8d9 183
3f4fda20 184 va_start (ap, fmt);
185 vsnprintf (errstr, 1024, fmt, ap);
186 va_end (ap);
4d47a8d9 187
c9d59a9c 188#ifdef APACHE2
3f4fda20 189 ap_log_error (file, line, level | APLOG_NOERRNO, status, s, "(%d) %s", getpid(), errstr);
87822447 190#else
3f4fda20 191 ap_log_error (file, line, level | APLOG_NOERRNO, s, "(%d) %s", getpid(), errstr);
87822447 192#endif
4d47a8d9 193
87822447 194}
4d47a8d9 195
3f4fda20 196waklog_config *retrieve_config(request_rec *r) {
197
198 request_rec *my;
199 waklog_config *cfg;
200
201 if ( r && r->main ) {
202 my = r->main;
203 } else if (r) {
204 my = r;
205 } else {
206 return NULL;
207 }
208
209 if ( my && ( cfg = (waklog_config *) ap_get_module_config(my->per_dir_config, &waklog_module ) ) ) {
210 return cfg;
211 } else {
212 getModConfig (cfg, r->server);
213 }
214
215 return cfg;
216
217}
313dde40 218
3f4fda20 219/* set_auth -- sets the tokens of the current process to this user.
220 if "self" is set, it divines the user from the current requests' environment.
221 otherwise, it's gettng it from principal/keytab */
222
223int
224set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keytab, int storeonly ) {
225
226 int i;
227 int usecached = 0;
228 krb5_error_code kerror = 0;
229 krb5_principal kprinc = NULL;
230 krb5_get_init_creds_opt kopts;
231 krb5_creds v5creds;
232 krb5_creds increds;
c760f0a1 233 krb5_ccache clientccache;
3f4fda20 234 struct ktc_principal server = { "afs", "", "" };
235 struct ktc_principal client;
236 struct ktc_token token;
237 krb5_creds *v5credsp = NULL;
238 krb5_keytab krb5kt = NULL;
239 char buf[MAXNAMELEN];
240 waklog_config *cfg;
241 int rc = 0;
242 int buflen = 0;
243 time_t oldest_time = 0;
c760f0a1 244 int oldest = 0;
3f4fda20 245 int stored = -1;
246 time_t mytime;
247 int indentical;
c8563f50 248 int cell_in_principal;
249 int attempt;
7c53b5d0 250 int use_client_credentials = 0;
3f4fda20 251
c760f0a1 252 char k5user[MAXNAMELEN] = "";
253 char *k5secret = NULL;
254
7c53b5d0 255 char *k5path = NULL;
3f4fda20 256
257 memset((char *) &increds, 0, sizeof(increds));
3f4fda20 258 /* init some stuff if it ain't already */
c760f0a1 259 /* XXX - In what situation will these not be initialized? */
260
3f4fda20 261 if ( ! child.kcontext ) {
c760f0a1 262 if ((kerror = krb5_init_context(&child.kcontext))) {
263 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: can't initialize Kerberos context err=%d",
264 kerror);
265 return(-1);
266 }
7c53b5d0 267 }
c760f0a1 268
269 if ( !child.ccache) {
270 if ((kerror = krb5_cc_resolve(child.kcontext, "MEMORY:tmpcache", &child.ccache))) {
271 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: can't initialize credentials cache %s err=%d",
272 k5path, kerror );
273 return(-1);
274 }
3f4fda20 275 }
276
d3bea354 277 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: set_auth: %d, %s, %s, %d, KRB5CC=%s user=%s",
7c53b5d0 278 self, principal ? principal : "NULL",
d3bea354 279 keytab ? keytab : "NULL",
280 storeonly,
281 k5path ? k5path : "NULL",
282#ifdef APACHE2
283 (r && r->user) ? r->user : "NULL"
284#else
c760f0a1 285 (r && r->connection && r->connection->user) ? r->connection->user : "NULL"
d3bea354 286#endif
287 );
3f4fda20 288
289 /* pull the server config record that we care about... */
290
291 if ( r ) {
292 cfg = retrieve_config(r);
293 } else {
294 log_error (APLOG_MARK, APLOG_DEBUG, 0, s,
42d78dfb 295 "mod_waklog: set_auth using no config" );
3f4fda20 296 getModConfig (cfg, s);
297 }
298
299 if ( ! cfg ) {
300 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: cfg is %d", cfg );
301 }
c760f0a1 302
303
3f4fda20 304 if ( self ) {
305 /* pull out our principal name and stuff from the environment -- webauth better have sent
c760f0a1 306 through. */
307
308#ifdef APACHE2
3f4fda20 309 if ( ! ( r && r->connection && r->user )) {
310 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: self authentication selected, but no data available");
7c53b5d0 311 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: r->user=%s", (r->user==NULL ? "null" : r->user==NULL));
3f4fda20 312 return -1;
313 }
314
315 strncpy(k5user, r->user, sizeof(k5user));
c760f0a1 316#else
317 if ( ! (r && r->connection && r->connection->user)) {
318 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: self authentication selected, but no username available");
3f4fda20 319 return -1;
c760f0a1 320 }
321
322 strncpy(k5user, r->connection->user, sizeof(k5user));
323#endif
324 /* if they've supplied a credentials cache */
325 k5path = (char *) MK_TABLE_GET( r->subprocess_env, "KRB5CCNAME" );
326
327 /* the other thing we need is someone's password */
328 k5secret = (char *) MK_TABLE_GET( r->notes, "ATTR_PASSWORD" );
3f4fda20 329
330 /* we'll pick this up later after we've checked the cache and current state */
331
332 } else
c760f0a1 333 if ( principal ) {
334 strncpy(k5user, principal, sizeof(k5user));
98534230 335 } else
c760f0a1 336#ifdef APACHE2
337 if (r && r->user) {
338 strncpy(k5user, r->user, sizeof(k5user));
339 }
340#else
341 if (r && r->connection && r->connection->user) {
342 strncpy(k5user, r->connection->user, sizeof(k5user));
3f4fda20 343 }
c760f0a1 344#endif
3f4fda20 345
7c53b5d0 346 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: set_auth: k5user=%s", k5user ? k5user : "NULL");
3f4fda20 347 mytime = time(0);
348
349 /* see if we should just go ahead and ignore this call, since we already should be set to these
350 credentials */
313dde40 351
3f4fda20 352 if ( ! storeonly ) {
313dde40 353
3f4fda20 354#ifdef use_pthreads
355 pthread_rwlock_rdlock( sharedlock );
356#else
357 rw_rdlock( sharedlock );
358#endif
313dde40 359
3f4fda20 360 for ( i = 0; i < SHARED_TABLE_SIZE; ++i ) {
361
362 /* if it's a token for the principal we're looking for, and it hasn't expired yet */
363
364 if ( ( !strcmp( k5user,
365 sharedspace->sharedtokens[i].clientprincipal ) ) &&
366 ( sharedspace->sharedtokens[i].token.endTime > mytime ) ) {
367
368 if ( ! memcmp(&child.token, &sharedspace->sharedtokens[i].token, sizeof(child.token) ) ) {
369 indentical = 1;
370 } else {
371 indentical = 0;
372 }
373
374 /* copy the token out of the cache and into the child object */
375
376 strcpy(child.clientprincipal, sharedspace->sharedtokens[i].clientprincipal );
377 memcpy(&child.token, &sharedspace->sharedtokens[i].token, sizeof(child.token));
378 memcpy(&child.server, &sharedspace->sharedtokens[i].server, sizeof(child.server));
379 memcpy(&child.client, &sharedspace->sharedtokens[i].client, sizeof(child.client));
380
381 /* set our last used time thing */
382 sharedspace->sharedtokens[i].lastused = mytime;
383
384 usecached = 1;
385
386 break;
387
388 }
389
390 }
391
392 /* release the lock on the token cache */
393#ifdef use_pthreads
394 pthread_rwlock_unlock( sharedlock );
395#else
396 rw_unlock( sharedlock );
397#endif
313dde40 398
3f4fda20 399 if ( usecached ) {
400 /* release the lock on the token cache */
401 log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
402 "mod_waklog: set_auth using shared token %d for %s", i, k5user );
403
404 }
405
406 /* if this is something that was in the cache, and it's the same as the token we already have stored,
407 and we weren't calling this just to renew it... */
408
409 if ( usecached && indentical ) {
410 log_error (APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: token is identical for %s", k5user );
411 return 0;
412 }
413
414 }
7c53b5d0 415
3f4fda20 416 /* if 'usecached' isn't set, we've got to get our tokens from somewhere... */
3f4fda20 417 if (( ! usecached ) && ( k5user )) {
313dde40 418
3f4fda20 419 /* clear out the creds structure */
420 memset((void *) &v5creds, 0, sizeof(v5creds));
421
422 /* create a principal out of our k5user string */
423
c760f0a1 424 if ( ( kerror = krb5_parse_name (child.kcontext, k5user, &kprinc ) ) ) {
3f4fda20 425 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse_name %s", (char *) error_message(kerror) );
426 goto cleanup;
427 }
428
429 /* create the credentials options */
430
431 krb5_get_init_creds_opt_init ( &kopts );
432 krb5_get_init_creds_opt_set_tkt_life ( &kopts, TKT_LIFE );
433 krb5_get_init_creds_opt_set_renew_life ( &kopts, 0 );
434 krb5_get_init_creds_opt_set_forwardable ( &kopts, 0 );
435 krb5_get_init_creds_opt_set_proxiable ( &kopts, 0 );
436
c760f0a1 437 if ( keytab || k5secret ) {
3f4fda20 438
c760f0a1 439 if (keytab) {
440 /* if we've been passed a keytab, we're going to be getting our credentials from it */
3f4fda20 441
c760f0a1 442 log_error( APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: using keytab %s", keytab);
3f4fda20 443
c760f0a1 444 if ( ( kerror = krb5_kt_resolve(child.kcontext, keytab, &krb5kt ) ) ) {
445 log_error( APLOG_MARK, APLOG_ERR, 0, s,
446 "mod_waklog: krb5_kt_resolve %s", error_message(kerror) );
447 goto cleanup;
448 }
3f4fda20 449
c760f0a1 450 if ((kerror = krb5_get_init_creds_keytab (child.kcontext, &v5creds,
451 kprinc, krb5kt, 0, NULL, &kopts ) ) ) {
452 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_init_creds_keytab %s",
453 error_message(kerror) );
454 goto cleanup;
455 }
456 } else if (k5secret) {
3f4fda20 457
c760f0a1 458 /* If the WebSSO is lame enough to provide a secret, then try and use that to get a token */
3f4fda20 459
c760f0a1 460 if ((kerror = krb5_get_init_creds_password ( child.kcontext, &v5creds,
461 kprinc, k5secret, NULL, NULL, 0, NULL, &kopts ) ) ) {
462 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_init_creds_password %s",
463 error_message(kerror) );
464 /* nuke the password so it doesn't end up in core files */
465 memset(k5secret, 0, sizeof(k5secret));
466 goto cleanup;
467 }
3f4fda20 468
c760f0a1 469 memset(k5secret, 0, sizeof(k5secret));
3f4fda20 470 }
c760f0a1 471
3f4fda20 472 /* initialize the credentials cache and store the stuff we just got */
c760f0a1 473 if ( ( kerror = krb5_cc_initialize (child.kcontext, child.ccache, kprinc) ) ) {
7c53b5d0 474 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: init credentials cache %s",
475 error_message(kerror));
476 goto cleanup;
477 }
3f4fda20 478
c760f0a1 479 if ( ( kerror = krb5_cc_store_cred(child.kcontext, child.ccache, &v5creds) ) ) {
7c53b5d0 480 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: cannot store credentials %s",
481 error_message(kerror));
482 goto cleanup;
483 }
3f4fda20 484
c760f0a1 485 krb5_free_cred_contents(child.kcontext, &v5creds);
486
487 if ( kerror ) {
488 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: store cred %s", error_message(kerror));
489 goto cleanup;
490 }
491
492 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: kinit ok for %s", k5user );
493
494 } else if (k5path) {
495 /* If we've got a path to a credentials cache, then try and use that. We can't just
496 * replace child.creds, because we want to ensure that only this request gets access to
497 * that cache */
498
499 if ( ( kerror = krb5_cc_resolve(child.kcontext, k5path, &clientccache ) ) ) {
500 log_error(APLOG_MARK, APLOG_ERR, 0, s,
501 "mod_waklog: can't open provided credentials cache %s err=%d",
502 k5path, kerror );
503 goto cleanup;
504 }
505
506 use_client_credentials = 1;
507 }
3f4fda20 508
3f4fda20 509 /* now, to the 'aklog' portion of our program. */
510
c8563f50 511 /** we make two attempts here, one for afs@REALM and one for afs/cell@REALM */
512 for(attempt = 0; attempt <= 1; attempt++) {
98534230 513 strncpy( buf, "afs", sizeof(buf) - 1 );
c8563f50 514 cell_in_principal = (cfg->cell_in_principal + attempt) % 2;
515
516 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: cell_in_principal=%d", cell_in_principal );
517 if (cell_in_principal) {
98534230 518 strncat(buf, "/", sizeof(buf) - strlen(buf) - 1);
c8563f50 519 strncat(buf, cfg->afs_cell, sizeof(buf) - strlen(buf) - 1);
520 }
5d0827ae 521 if (cfg->afs_cell_realm != NULL) {
98534230 522 strncat(buf, "@", sizeof(buf) - strlen(buf) - 1);
523 strncat(buf, cfg->afs_cell_realm, sizeof(buf) - strlen(buf) - 1);
524 }
c8563f50 525
526 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: using AFS principal: %s", buf);
527
528 if ((kerror = krb5_parse_name (child.kcontext, buf, &increds.server))) {
529 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse name %s", error_message(kerror));
530 goto cleanup;
531 }
7c53b5d0 532
c760f0a1 533 if (!use_client_credentials) {
534 clientccache = child.ccache;
535 }
536
537 if ((kerror = krb5_cc_get_principal(child.kcontext, clientccache, &increds.client))) {
538 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_cc_get_princ %s %p", error_message(kerror), clientccache);
c8563f50 539 goto cleanup;
540 }
541
542 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: retrieved data from ccache for %s", k5user);
543
544 increds.times.endtime = 0;
545
546 increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
547
c760f0a1 548 if ( ( kerror = krb5_get_credentials (child.kcontext, 0, clientccache, &increds, &v5credsp ) ) ) {
c8563f50 549 /* only complain once we've tried both afs@REALM and afs/cell@REALM */
550 if (attempt>=1) {
551 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_credentials: %s",
552 error_message(kerror));
553 goto cleanup;
554 } else {
555 continue;
556 }
557 }
558 cfg->cell_in_principal = cell_in_principal;
559 break;
3f4fda20 560 }
c8563f50 561
3f4fda20 562 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: get_credentials passed for %s", k5user);
563
564 if ( v5credsp->ticket.length >= MAXKTCTICKETLEN ) {
565 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: ticket size (%d) too big to fake",
566 v5credsp->ticket.length);
567 goto cleanup;
568 }
313dde40 569
3f4fda20 570 memset(&token, 0, sizeof(struct ktc_token));
571
572 token.startTime = v5credsp->times.starttime ? v5credsp->times.starttime : v5credsp->times.authtime;
573 token.endTime = v5credsp->times.endtime;
574
575 memmove( &token.sessionKey, v5credsp->keyblock.contents, v5credsp->keyblock.length);
576 token.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
577 token.ticketLen = v5credsp->ticket.length;
578 memmove( token.ticket, v5credsp->ticket.data, token.ticketLen);
579
580 /* build the name */
581
582 memmove( buf, v5credsp->client->data[0].data, min(v5credsp->client->data[0].length,
583 MAXKTCNAMELEN -1 ));
584 buf[v5credsp->client->data[0].length] = '\0';
585 if ( v5credsp->client->length > 1 ) {
586 strncat(buf, ".", sizeof(buf) - strlen(buf) - 1);
587 buflen = strlen(buf);
588 memmove(buf + buflen, v5credsp->client->data[1].data,
589 min(v5credsp->client->data[1].length,
590 MAXKTCNAMELEN - strlen(buf) - 1));
591 buf[buflen + v5credsp->client->data[1].length] = '\0';
592 }
593
594 /* assemble the client */
595 strncpy(client.name, buf, sizeof(client.name) - 1 );
596 strncpy(client.instance, "", sizeof(client.instance) - 1 );
597 memmove(buf, v5credsp->client->realm.data, min(v5credsp->client->realm.length,
598 MAXKTCNAMELEN - 1));
599 buf[v5credsp->client->realm.length] = '\0';
600 strncpy(client.cell, buf, sizeof(client.cell));
601
602 /* assemble the server's cell */
891fb458 603 strncpy(server.cell, cfg->afs_cell, sizeof(server.cell) - 1);
3f4fda20 604
605 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: preparing to init PTS connection for %s", server.cell);
606
607 /* fill out the AFS ID in the client name */
608 /* we've done a pr_Initialize in the child_init -- once, per process. If you try to do it more
609 * strange things seem to happen. */
610
611 {
612 afs_int32 viceId = 0;
613
614 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: making PTS call to look up %s", client.name);
615
616 if ( ( rc = pr_SNameToId( client.name, &viceId ) ) == 0 ) {
617 snprintf( client.name, sizeof(client.name), "AFS ID %d", viceId );
618 } else {
619 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: PTS call returned error %d ", rc);
620 }
621
622 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: PTS call returned %s ", client.name);
623
624 }
625
626 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: server: name %s, instance %s, cell %s",
627 server.name, server.instance, server.cell );
628
629 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: client: name %s, instance %s, cell %s",
630 client.name, client.instance, client.cell );
631
632 /* copy the resulting stuff into the child structure */
633
634 strncpy(child.clientprincipal, k5user, sizeof(child.clientprincipal));
635 memcpy(&child.token, &token, sizeof(child.token));
636 memcpy(&child.server, &server, sizeof(child.server));
637 memcpy(&child.client, &client, sizeof(child.client));
638
639 /* stuff the resulting token-related stuff into our shared token cache */
640 /* note, that anything that was set from a keytab is "persistant", and is immune
641 * from LRU-aging. This is because nothing but the process that's running as root
642 * can update these, and it's running every hour or so and renewing these tokens.
643 * and we don't want them aged out.
644 */
645
646 mytime = oldest_time = time(0);
647
648 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: waiting for shared space for %s ", k5user);
4e1ae1cd 649
3f4fda20 650#ifdef use_pthreads
651 pthread_rwlock_wrlock(sharedlock);
652#else
653 rw_wrlock(sharedlock);
654#endif
4e1ae1cd 655
3f4fda20 656 for( i = ( SHARED_TABLE_SIZE - 1 ); i >= 0; i-- ) {
657 if ( ( sharedspace->sharedtokens[i].lastused <= oldest_time) &&
658 ( sharedspace->sharedtokens[i].persist == 0 ) ) {
659 oldest = i;
660 oldest_time = sharedspace->sharedtokens[i].lastused;
661 }
662 if ( ! strcmp ( sharedspace->sharedtokens[i].clientprincipal,
663 child.clientprincipal ) ) {
664 memcpy(&sharedspace->sharedtokens[i].token, &child.token, sizeof(child.token) );
665 memcpy(&sharedspace->sharedtokens[i].client, &child.client, sizeof(child.client) );
666 memcpy(&sharedspace->sharedtokens[i].server, &child.server, sizeof(child.server) );
667 sharedspace->sharedtokens[i].lastused = mytime;
668 sharedspace->sharedtokens[i].persist = keytab ? 1 : 0;
669 stored = i;
670 break;
671 }
672 }
673
674 if ( stored == -1 ) {
675 memcpy(&sharedspace->sharedtokens[oldest].token, &child.token, sizeof(child.token) );
676 memcpy(&sharedspace->sharedtokens[oldest].client, &child.client, sizeof(child.client) );
677 memcpy(&sharedspace->sharedtokens[oldest].server, &child.server, sizeof(child.server) );
678 strcpy(sharedspace->sharedtokens[oldest].clientprincipal, child.clientprincipal );
679 sharedspace->sharedtokens[oldest].lastused = mytime;
680 sharedspace->sharedtokens[oldest].persist = keytab ? 1 : 0;
681 stored = oldest;
682 }
3ed1e28a 683
3f4fda20 684#ifdef use_pthreads
685 pthread_rwlock_unlock(sharedlock);
686#else
687 rw_unlock(sharedlock);
688#endif
689
690 log_error( APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: token stored in slot %d for %s", stored,
691 child.clientprincipal );
692
693 } else if ( ! usecached ) {
694 log_error( APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: set_auth divergent case");
695 }
696
697 if ( storeonly ) {
698 goto cleanup;
699 }
700
701 usecachedtoken:
702
703 /* don't ask. Something about AIX. We're leaving it here.*/
704 /* write(2, "", 0); */
705
706 /* we try twice, because sometimes the first one fails. Dunno why, but it always works the second time */
707
708 if ((rc = ktc_SetToken(&child.server, &child.token, &child.client, 0))) {
709 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: settoken returned %s for %s -- trying again",
710 error_message(rc), k5user);
711 if ((rc = ktc_SetToken(&child.server, &child.token, &child.client, 0))) {
712 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: settoken2 returned %s for %s",
713 error_message(rc), k5user);
714 goto cleanup;
715 }
716 }
717
718 cleanup:
c760f0a1 719 if (use_client_credentials)
720 krb5_cc_close(child.kcontext, clientccache);
3f4fda20 721 if ( v5credsp )
722 krb5_free_cred_contents(child.kcontext, v5credsp);
723 if ( increds.client )
724 krb5_free_principal (child.kcontext, increds.client);
725 if ( increds.server )
726 krb5_free_principal (child.kcontext, increds.server);
727 if ( krb5kt )
728 (void) krb5_kt_close(child.kcontext, krb5kt);
729 if ( kprinc )
730 krb5_free_principal (child.kcontext, kprinc);
731
732 if ( rc ) {
733 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: set_auth ending with %d", rc );
734 } else if ( kerror ) {
735 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: set_auth ending with krb5 error %d, %s", kerror, error_message(kerror));
736 } else {
737 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: set_auth ending ok");
738 }
739
740 return kerror ? (int) kerror : (int) rc;
741
4e1ae1cd 742}
743
744
7193eb01 745
3f4fda20 746static void *
747waklog_create_server_config (MK_POOL * p, server_rec * s)
748{
749 waklog_config *cfg;
750
751 cfg = (waklog_config *) ap_pcalloc (p, sizeof (waklog_config));
752 cfg->p = p;
753 memset(cfg, 0, sizeof(waklog_config));
754 cfg->path = "(server)";
755 cfg->protect = WAKLOG_UNSET;
756 cfg->usertokens = WAKLOG_UNSET;
21a7788b 757 cfg->disable_token_cache = WAKLOG_UNSET;
5d0827ae 758 cfg->keytab = NULL;
759 cfg->principal = NULL;
760 cfg->default_principal = NULL;
761 cfg->default_keytab = NULL;
762 cfg->afs_cell = NULL;
763 cfg->afs_cell_realm = NULL;
3f4fda20 764 cfg->forked = 0;
765 cfg->configured = 0;
766
767 log_error (APLOG_MARK, APLOG_DEBUG, 0, s,
42d78dfb 768 "mod_waklog: server config created.");
3f4fda20 769
770 return (cfg);
771}
7193eb01 772
3f4fda20 773/* initialize with host-config information */
58bbdc54 774
3f4fda20 775static void *
776waklog_create_dir_config (MK_POOL * p, char *dir)
777{
778 waklog_config *cfg;
779
780 cfg = (waklog_config *) ap_pcalloc (p, sizeof (waklog_config));
781 memset(cfg, 0, sizeof(waklog_config));
782 cfg->p = p;
783 cfg->path = ap_pstrdup(p, dir );
784 cfg->protect = WAKLOG_UNSET;
785 cfg->usertokens = WAKLOG_UNSET;
21a7788b 786 cfg->disable_token_cache = WAKLOG_UNSET;
5d0827ae 787 cfg->keytab = NULL;
788 cfg->principal = NULL;
789 cfg->default_principal = NULL;
790 cfg->default_keytab = NULL;
791 cfg->afs_cell = NULL;
792 cfg->afs_cell_realm = NULL;
3f4fda20 793 cfg->forked = 0;
794 cfg->configured = 0;
795
796 return (cfg);
58bbdc54 797}
798
3f4fda20 799static void *waklog_merge_dir_config(MK_POOL *p, void *parent_conf, void *newloc_conf) {
58bbdc54 800
3f4fda20 801 waklog_config *merged = ( waklog_config * ) ap_pcalloc(p, sizeof(waklog_config ) );
802 waklog_config *parent = ( waklog_config * ) parent_conf;
803 waklog_config *child = ( waklog_config * ) newloc_conf;
804
805 merged->protect = child->protect != WAKLOG_UNSET ? child->protect : parent->protect;
806
5d0827ae 807 merged->path = child->path != NULL ? child->path : parent->path;
3f4fda20 808
809 merged->usertokens = child->usertokens != WAKLOG_UNSET ? child->usertokens : parent->usertokens;
21a7788b 810
811 merged->disable_token_cache = child->disable_token_cache != WAKLOG_UNSET ? child->disable_token_cache : parent->disable_token_cache;
3f4fda20 812
5d0827ae 813 merged->principal = child->principal != NULL ? child->principal : parent->principal;
3f4fda20 814
5d0827ae 815 merged->keytab = child->keytab != NULL ? child->keytab : parent->keytab;
3f4fda20 816
5d0827ae 817 merged->default_keytab = child->default_keytab != NULL ? child->default_keytab : parent->default_keytab;
3f4fda20 818
5d0827ae 819 merged->default_principal = child->default_principal != NULL ? child->default_principal : parent->default_principal;
3f4fda20 820
5d0827ae 821 merged->afs_cell = child->afs_cell != NULL ? child->afs_cell : parent->afs_cell;
98534230 822
5d0827ae 823 merged->afs_cell_realm = child->afs_cell_realm != NULL ? child->afs_cell_realm : parent->afs_cell_realm;
3f4fda20 824
825 return (void *) merged;
826
827}
58bbdc54 828
3f4fda20 829static void *waklog_merge_server_config(MK_POOL *p, void *parent_conf, void *newloc_conf) {
58bbdc54 830
3f4fda20 831 waklog_config *merged = ( waklog_config * ) ap_pcalloc(p, sizeof(waklog_config ) );
832 waklog_config *pconf = ( waklog_config * ) parent_conf;
833 waklog_config *nconf = ( waklog_config * ) newloc_conf;
834
835 merged->protect = nconf->protect == WAKLOG_UNSET ? pconf->protect : nconf->protect;
58bbdc54 836
3f4fda20 837 merged->usertokens = nconf->usertokens == WAKLOG_UNSET ? pconf->usertokens : nconf->usertokens;
58bbdc54 838
bce7d4d9 839 merged->disable_token_cache = nconf->disable_token_cache == WAKLOG_UNSET ? pconf->disable_token_cache : nconf->disable_token_cache;
21a7788b 840
5d0827ae 841 merged->keytab = nconf->keytab == NULL ? ap_pstrdup(p, pconf->keytab) :
842 ( nconf->keytab == NULL ? NULL : ap_pstrdup(p, nconf->keytab) );
3f4fda20 843
5d0827ae 844 merged->principal = nconf->principal == NULL ? ap_pstrdup(p, pconf->principal) :
845 ( nconf->principal == NULL ? NULL : ap_pstrdup(p, nconf->principal) );
3f4fda20 846
5d0827ae 847 merged->afs_cell = nconf->afs_cell == NULL ? ap_pstrdup(p, pconf->afs_cell) :
848 ( nconf->afs_cell == NULL ? NULL : ap_pstrdup(p, nconf->afs_cell) );
3f4fda20 849
5d0827ae 850 merged->afs_cell_realm = nconf->afs_cell_realm == NULL ? ap_pstrdup(p, pconf->afs_cell_realm) :
851 ( nconf->afs_cell_realm == NULL ? NULL : ap_pstrdup(p, nconf->afs_cell_realm) );
98534230 852
5d0827ae 853 merged->default_keytab = nconf->default_keytab == NULL ? ap_pstrdup(p, pconf->default_keytab) :
854 ( nconf->default_keytab == NULL ? NULL : ap_pstrdup(p, nconf->default_keytab) );
58bbdc54 855
5d0827ae 856 merged->default_principal = nconf->default_principal == NULL ? ap_pstrdup(p, pconf->default_principal) :
857 ( nconf->default_principal == NULL ? NULL : ap_pstrdup(p, nconf->default_principal) );
3f4fda20 858
859
860 return (void *) merged;
861
862}
863
864static const char *
21a7788b 865set_waklog_enabled (cmd_parms * params, void *mconfig, int flag)
58bbdc54 866{
3f4fda20 867 waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig :
868 ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
869
870 cfg->protect = flag;
871 cfg->configured = 1;
872 log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server,
21a7788b 873 "mod_waklog: waklog_enabled set on %s", cfg->path ? cfg->path : "NULL");
3f4fda20 874 return (NULL);
875}
58bbdc54 876
7193eb01 877
3f4fda20 878/* this adds a principal/keytab pair to get their tokens renewed by the
879 child process every few centons. */
7193eb01 880
3f4fda20 881void add_to_renewtable(MK_POOL *p, char *keytab, char *principal) {
87822447 882
3f4fda20 883 int i;
884
885 if ( renewcount >= SHARED_TABLE_SIZE ) {
886 log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "mod_waklog: big problem. Increase the SHARED_TABLE_SIZE or \
887 decrease your tokens.");
b74fad73 888 return;
3f4fda20 889 }
890
891 /* check to see if it's already there */
892
893 for ( i = 0; i < renewcount; i++ ) {
894 if ( ! strcmp(renewtable[i].principal, principal ) ) {
895 return;
896 }
897 }
898
899 renewtable[renewcount].keytab = ap_pstrdup(p, keytab);
900 renewtable[renewcount].principal = ap_pstrdup(p, principal);
901 renewtable[renewcount].lastrenewed = 0;
902 ++renewcount;
903
b74fad73 904}
905
3f4fda20 906static const char *
21a7788b 907set_waklog_location_principal (cmd_parms *params, void *mconfig, char *principal, char *keytab)
3f4fda20 908{
909 waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig :
910 ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
911
912 log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server,
42d78dfb 913 "mod_waklog: configuring principal: %s, keytab: %s", principal, keytab);
914
915 cfg->principal = ap_pstrdup(params->pool, principal);
3f4fda20 916 cfg->keytab = ap_pstrdup (params->pool, keytab);
917
918 add_to_renewtable(params->pool, keytab, principal);
919
920 cfg->configured = 1;
921
922 return (NULL);
923}
b74fad73 924
3f4fda20 925static const char *
21a7788b 926set_waklog_afs_cell (cmd_parms * params, void *mconfig, char *file)
313dde40 927{
891fb458 928 waklog_config *waklog_mconfig = ( waklog_config * ) mconfig;
929 waklog_config *waklog_srvconfig =
3f4fda20 930 ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
931
891fb458 932 log_error (APLOG_MARK, APLOG_INFO, 0, params->server,
42d78dfb 933 "mod_waklog: will use afs_cell: %s", file);
313dde40 934
678051d7 935 // Prefer afs/cell@REALM over afs@REALM, just like the OpenAFS tools
936 waklog_srvconfig->cell_in_principal = 1;
937
891fb458 938 waklog_srvconfig->afs_cell = ap_pstrdup (params->pool, file);
939 waklog_srvconfig->configured = 1;
940
941 if (waklog_mconfig != NULL) {
c8563f50 942 waklog_mconfig->cell_in_principal = waklog_srvconfig->cell_in_principal;
891fb458 943 waklog_mconfig->afs_cell = ap_pstrdup (params->pool, file);
944 waklog_mconfig->configured = 1;
945 }
3f4fda20 946 return (NULL);
947}
58bbdc54 948
98534230 949static const char *
950set_waklog_afs_cell_realm (cmd_parms * params, void *mconfig, char *file)
951{
952 waklog_config *waklog_mconfig = ( waklog_config * ) mconfig;
953 waklog_config *waklog_srvconfig =
954 ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
955
956 log_error (APLOG_MARK, APLOG_INFO, 0, params->server,
957 "mod_waklog: will use afs_cell_realm: %s", file);
958
959 waklog_srvconfig->afs_cell_realm = ap_pstrdup (params->pool, file);
960
961 if (waklog_mconfig != NULL) {
962 waklog_mconfig->afs_cell_realm = ap_pstrdup (params->pool, file);
963 }
964 return (NULL);
965}
966
3f4fda20 967static const char *
968set_waklog_default_principal (cmd_parms * params, void *mconfig, char *principal, char *keytab)
969{
970 waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig :
971 ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
58bbdc54 972
3f4fda20 973 waklog_config *srvcfg = ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
4e1ae1cd 974
3f4fda20 975 log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server,
42d78dfb 976 "mod_waklog: set default princ/keytab: %s, %s for %s", principal, keytab, cfg->path ? cfg->path : "NULL");
313dde40 977
3f4fda20 978 cfg->default_principal = ap_pstrdup (params->pool, principal);
979 cfg->default_keytab = ap_pstrdup(params->pool, keytab );
980
981 /* this also gets set at the server level */
982 if ( mconfig && ( ! cfg->path ) ) {
983 srvcfg->default_principal = ap_pstrdup (params->pool, principal);
984 srvcfg->default_keytab = ap_pstrdup(params->pool, keytab );
985 } else {
986 log_error(APLOG_MARK, APLOG_ERR, 0, params->server, "only able to set default principal on a global level!");
987 return "Unable to set DefaultPrincipal outside of top level config!";
988 }
989
990 add_to_renewtable( params->pool, keytab, principal );
991
992 cfg->configured = 1;
993
994 return (NULL);
995}
313dde40 996
3f4fda20 997static const char *
998set_waklog_use_usertokens (cmd_parms * params, void *mconfig, int flag)
bed98ff9 999{
3f4fda20 1000 waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig :
1001 ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
bed98ff9 1002
3f4fda20 1003 cfg->usertokens = flag;
bed98ff9 1004
3f4fda20 1005 cfg->configured = 1;
bed98ff9 1006
3f4fda20 1007 log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server,
42d78dfb 1008 "mod_waklog: waklog_use_user_tokens set");
3f4fda20 1009 return (NULL);
bed98ff9 1010}
1011
1012
21a7788b 1013static const char *
1014set_waklog_disable_token_cache (cmd_parms * params, void *mconfig, int flag)
1015{
1016 waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig :
1017 ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
1018
1019 cfg->disable_token_cache = flag;
1020
1021 cfg->configured = 1;
1022
1023 log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server,
1024 "mod_waklog: waklog_disable_token_cache set");
1025 return (NULL);
1026}
1027
1028
c9d59a9c 1029#ifndef APACHE2
3f4fda20 1030static void waklog_child_exit( server_rec *s, MK_POOL *p ) {
1031#else
1032apr_status_t waklog_child_exit( void *sr ) {
4e1ae1cd 1033
3f4fda20 1034 server_rec *s = (server_rec *) sr;
1035#endif
1036
1037 if ( child.ccache ) {
1038 krb5_cc_close(child.kcontext, child.ccache);
1039 }
1040
1041 if ( child.kcontext ) {
1042 krb5_free_context(child.kcontext);
1043 }
1044
1045 /* forget our tokens */
1046
1047 ktc_ForgetAllTokens ();
1048
1049 log_error (APLOG_MARK, APLOG_DEBUG, 0, s,
42d78dfb 1050 "mod_waklog: waklog_child_exit complete");
4e1ae1cd 1051
c9d59a9c 1052#ifdef APACHE2
3f4fda20 1053 return APR_SUCCESS;
1054#endif
1055
1056}
4e1ae1cd 1057
3f4fda20 1058static void
c9d59a9c 1059#ifdef APACHE2
3f4fda20 1060waklog_child_init (MK_POOL * p, server_rec * s)
1061#else
1062waklog_child_init (server_rec * s, MK_POOL * p)
1063#endif
1064{
b52ccbb1 1065
3f4fda20 1066 krb5_error_code code;
1067 waklog_config *cfg;
1068
1069 char *cell;
1070
3f4fda20 1071 log_error (APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: child_init called for pid %d", getpid());
1072
1073 if ( !sharedspace ) {
1074 log_error( APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: child_init called without shared space? %d", getpid());
1075 return;
1076 }
1077
1078 log_error (APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: child_init called for pid %d", getpid());
7193eb01 1079
3f4fda20 1080 memset (&child, 0, sizeof(child));
1081
c760f0a1 1082 if ( ( code = krb5_init_context(&child.kcontext) ) ) {
3f4fda20 1083 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: can't init kerberos context %d", code );
1084 }
1085
c760f0a1 1086 if ( ( code = krb5_cc_resolve(child.kcontext, "MEMORY:tmpcache", &child.ccache) ) ) {
3f4fda20 1087 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: can't initialize in-memory credentials cache %d", code );
1088 }
1089
1090 if ( pag_for_children ) {
1091 setpag ();
1092 }
7193eb01 1093
3f4fda20 1094 getModConfig (cfg, s);
7193eb01 1095
5d0827ae 1096 if ( cfg->default_principal != NULL ) {
3f4fda20 1097 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: child_init setting default user %s, %s", cfg->default_principal, cfg->default_keytab);
1098 set_auth( s, NULL, 0, cfg->default_principal, cfg->default_keytab, 0);
1099 }
7193eb01 1100
891fb458 1101 cell = strdup(cfg->afs_cell);
3f4fda20 1102 pr_Initialize( 0, AFSDIR_CLIENT_ETC_DIR, cell );
7193eb01 1103
c9d59a9c 1104#ifdef APACHE2
3f4fda20 1105 apr_pool_cleanup_register(p, s, waklog_child_exit, apr_pool_cleanup_null);
1106#endif
7193eb01 1107
3f4fda20 1108 log_error (APLOG_MARK, APLOG_DEBUG, 0, s,
42d78dfb 1109 "mod_waklog: child_init returned");
7193eb01 1110
3f4fda20 1111 return;
1112}
b52ccbb1 1113
3f4fda20 1114command_rec waklog_cmds[] = {
1115
21a7788b 1116 command ("WaklogAFSCell", set_waklog_afs_cell, 0, TAKE1,
1117 "Use the supplied AFS cell (required)"),
7193eb01 1118
98534230 1119 command ("WaklogAFSCellRealm", set_waklog_afs_cell_realm, 0, TAKE1,
1120 "Assume that the AFS cell belongs to the specified Kerberos realm (optional)"),
1121
21a7788b 1122 command ("WaklogEnabled", set_waklog_enabled, 0, FLAG,
1123 "enable waklog on a server, location, or directory basis"),
7193eb01 1124
21a7788b 1125 command ("WaklogDefaultPrincipal", set_waklog_default_principal, 0, TAKE2,
1126 "Set the default principal that the server runs as"),
7193eb01 1127
21a7788b 1128 command ("WaklogLocationPrincipal", set_waklog_location_principal, 0, TAKE2,
1129 "Set the principal on a <Location>-specific basis"),
7193eb01 1130
21a7788b 1131 command ("WaklogDisableTokenCache", set_waklog_disable_token_cache, 0, FLAG,
1132 "Ignore the token cache (location-specific); useful for scripts that need kerberos tickets."),
1133
1134 command ("WaklogUseUserTokens", set_waklog_use_usertokens, 0, FLAG,
1135 "Use the requesting user tokens (from webauth)"),
1136
3f4fda20 1137 {NULL}
1138};
7193eb01 1139
7193eb01 1140
3f4fda20 1141/* not currently using this */
7193eb01 1142
3f4fda20 1143static int
1144token_cleanup (void *data)
1145{
1146 request_rec *r = (request_rec *) data;
e2df6441 1147
3f4fda20 1148 if (child.token.ticketLen)
1149 {
1150 memset (&child.token, 0, sizeof (struct ktc_token));
e21f34f0 1151
3f4fda20 1152 ktc_ForgetAllTokens ();
7193eb01 1153
3f4fda20 1154 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1155 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d",
1156 getpid ());
3f4fda20 1157 }
1158 return 0;
7193eb01 1159}
1160
3f4fda20 1161static int
1162waklog_child_routine (void *data, child_info * pinfo)
7193eb01 1163{
3f4fda20 1164 int i;
1165 server_rec *s = (server_rec *) data;
1166 krb5_error_code code;
1167 char *cell;
1168 time_t sleep_time = ( TKT_LIFE / 2 ) ;
1169 time_t when;
1170 time_t left;
1171 waklog_config *cfg;
1172
1173 getModConfig( cfg, s );
1174
1175 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: waklog_child_routine started, running as %d", getuid());
1176
1177 memset (&child, 0, sizeof(child));
1178
c760f0a1 1179 if ( ( code = krb5_init_context(&child.kcontext) ) ) {
3f4fda20 1180 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: can't init kerberos context %d", code );
1181 }
1182
c760f0a1 1183 if ( ( code = krb5_cc_resolve(child.kcontext, "MEMORY:tmpcache", &child.ccache) ) ) {
3f4fda20 1184 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: can't initialize in-memory credentials cache %d", code );
1185 }
1186
c760f0a1 1187 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: about to pr_Initialize");
1188
3f4fda20 1189 /* need to do this so we can make PTS calls */
891fb458 1190 cell = strdup(cfg->afs_cell); /* stupid */
3f4fda20 1191 pr_Initialize( 0, AFSDIR_CLIENT_ETC_DIR, cell );
c760f0a1 1192
1193 log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: still here");
1194
3f4fda20 1195 while(1) {
1196
1197 for ( i = 0; i < renewcount; ++i ) {
1198 renewtable[i].lastrenewed = time(0);
1199 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: (pid %d) renewing %s / %s", getpid(), renewtable[i].principal,
1200 renewtable[i].keytab);
1201
1202 set_auth( s, NULL, 0, renewtable[i].principal, renewtable[i].keytab, 1 );
1203
1204 /* if this is our default token, we want to "stash" it in our current PAG so the parent maintains readability of
1205 things that it needs to read */
1206
1207 if ( cfg && cfg->default_principal && ( ! strcmp(cfg->default_principal, renewtable[i].principal ) ) ) {
1208 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: renewing/setting default tokens" );
1209 set_auth( s, NULL, 0, renewtable[i].principal, renewtable[i].keytab, 0 );
1210 }
1211
4e1ae1cd 1212 }
1213
3f4fda20 1214 sharedspace->renewcount++;
1215
1216 left = sleep_time;
1217
1218 while( left > 5 ) {
1219 when = time(0);
1220
1221 sleep(left);
1222
1223 left -= ( time(0) - when );
4e1ae1cd 1224 }
3f4fda20 1225
1226 }
4e1ae1cd 1227
3f4fda20 1228 pr_End();
403921ef 1229
3f4fda20 1230}
4e1ae1cd 1231
c9d59a9c 1232#ifdef APACHE2
3f4fda20 1233static int
1234waklog_init_handler (apr_pool_t * p, apr_pool_t * plog,
42d78dfb 1235 apr_pool_t * ptemp, server_rec * s)
3f4fda20 1236{
1237 int rv;
1238 extern char *version;
1239 apr_proc_t *proc;
1240 waklog_config *cfg;
1241 void *data;
1242 int fd = -1;
1243 int use_existing = 1;
1244 int oldrenewcount;
1245 char cache_file[MAXNAMELEN];
1246#ifdef use_pthreads
1247 pthread_rwlockattr_t rwlock_attr;
1248#endif
4e1ae1cd 1249
1250
3f4fda20 1251 getModConfig (cfg, s);
4e1ae1cd 1252
3f4fda20 1253 /* initialize_module() will be called twice, and if it's a DSO
1254 * then all static data from the first call will be lost. Only
1255 * set up our static data on the second call.
1256 * see http://issues.apache.org/bugzilla/show_bug.cgi?id=37519 */
1257 apr_pool_userdata_get (&data, userdata_key, s->process->pool);
7193eb01 1258
891fb458 1259
1260 if (cfg->afs_cell==NULL) {
1261 log_error (APLOG_MARK, APLOG_ERR, 0, s,
21a7788b 1262 "mod_waklog: afs_cell==NULL; please provide the WaklogAFSCell directive");
891fb458 1263 /** clobber apache */
1264 exit(-1);
1265 }
1266
3f4fda20 1267 if (!data)
1268 {
1269 apr_pool_userdata_set ((const void *) 1, userdata_key,
42d78dfb 1270 apr_pool_cleanup_null, s->process->pool);
4e1ae1cd 1271 }
3f4fda20 1272 else
1273 {
1274 log_error (APLOG_MARK, APLOG_INFO, 0, s,
891fb458 1275 "mod_waklog: version %s initialized for cell %s", version, cfg->afs_cell);
3f4fda20 1276
1277 if ( sharedspace ) {
1278 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: shared memory already allocated." );
1279 } else {
1280
1281 snprintf( cache_file, MAXNAMELEN, "/tmp/waklog_cache.%d", getpid() );
1282
1283 if ( ( fd = open( cache_file, O_RDWR, 0600 ) ) == -1 ) {
1284
1285 if ( errno == ENOENT ) {
1286
1287 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: creating shared token cache file %s", cache_file );
1288 use_existing = 0;
1289 if ( ( fd = open( cache_file, O_RDWR|O_CREAT|O_TRUNC, 0600 ) ) == -1 ) {
1290 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: cannot create shared token cache file %s (%d)", cache_file, errno );
1291 exit(errno);
1292 }
1293 } else {
1294 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: cannot open existing shared token cache file %s (%d)", cache_file, errno );
1295 }
1296 }
1297
1298 if ( use_existing == 0 ) {
1299 struct sharedspace_s bob;
1300 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: sizing our cache file %d to %d", fd, sizeof(struct sharedspace_s) );
1301 memset( &bob, 0, sizeof(struct sharedspace_s));
1302 write(fd, &bob, sizeof(struct sharedspace_s));
1303 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: done sizing our cache file to %d", sizeof(struct sharedspace_s) );
1304 }
1305
1306 /* mmap the region */
1307
1308 if ( ( sharedspace = (struct sharedspace_s *) mmap ( NULL, sizeof(struct sharedspace_s), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0 ) ) != MAP_FAILED ) {
1309 log_error( APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: shared mmap region ok %d", sharedspace );
1310 close(fd);
1311 } else {
1312 log_error( APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: mmap failed %d", errno );
1313 exit(errno);
1314 }
1315 }
4e1ae1cd 1316
3f4fda20 1317#ifdef use_pthreads
1318#define locktype pthread_rwlock_t
1319#else
1320#define locktype rwlock_t
1321#endif
4e1ae1cd 1322
3f4fda20 1323 if ( sharedlock = ( locktype * ) mmap ( NULL, sizeof(locktype), PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANON, -1, 0 ) ) {
1324#ifndef use_pthreads
1325 rwlock_init(sharedlock, USYNC_PROCESS, NULL );
1326#else
1327 pthread_rwlockattr_init(&rwlock_attr);
1328 pthread_rwlockattr_setpshared(&rwlock_attr, PTHREAD_PROCESS_SHARED);
1329 pthread_rwlock_init(sharedlock, &rwlock_attr );
1330#endif
1331 } else {
1332 log_error( APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: rwlock mmap failed %d", errno );
1333 }
58bbdc54 1334
3f4fda20 1335#undef locktype
7193eb01 1336
3f4fda20 1337 /* set our default tokens */
403921ef 1338
3f4fda20 1339 oldrenewcount = sharedspace->renewcount;
7193eb01 1340
3f4fda20 1341 pag_for_children = 0;
7193eb01 1342
3f4fda20 1343 proc = (apr_proc_t *) ap_pcalloc (s->process->pool, sizeof (apr_proc_t));
7193eb01 1344
3f4fda20 1345 rv = apr_proc_fork (proc, s->process->pool);
7193eb01 1346
3f4fda20 1347 if (rv == APR_INCHILD)
42d78dfb 1348 {
1349 waklog_child_routine (s, NULL);
1350 }
3f4fda20 1351 else
42d78dfb 1352 {
1353 apr_pool_note_subprocess (s->process->pool, proc, APR_KILL_ALWAYS);
1354 }
3f4fda20 1355 /* parent and child */
1356 cfg->forked = proc->pid;
1357 pag_for_children = 1;
1358
1359 if ( use_existing == 0 ) {
1360 /* wait here until our child process has gone and done it's renewing thing. */
1361 while( sharedspace->renewcount == oldrenewcount ) {
1362 log_error( APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: waiting for tokens..." );
1363 sleep(2);
1364 }
1365 }
1366
1367 if ( cfg->default_principal ) {
1368 set_auth( s, NULL, 0, cfg->default_principal, cfg->default_keytab, 0);
1369 }
1370 }
1371 return 0;
1372}
ebb1f61c 1373#else
3f4fda20 1374static void
1375waklog_init (server_rec * s, MK_POOL * p)
1376{
1377 extern char *version;
1378 int pid;
1379 waklog_config *cfg;
3f4fda20 1380 int fd = -1;
1381 int use_existing = 1;
1382 int oldrenewcount;
1383 char cache_file[MAXNAMELEN];
1384#ifdef use_pthreads
1385 pthread_rwlockattr_t rwlock_attr;
ebb1f61c 1386#endif
7193eb01 1387
3f4fda20 1388 log_error (APLOG_MARK, APLOG_DEBUG, 0, s,
42d78dfb 1389 "mod_waklog: version %s initialized.", version);
7193eb01 1390
3f4fda20 1391 if ( sharedspace ) {
1392 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: shared memory already allocated." );
1393 } else {
1394
1395 snprintf( cache_file, MAXNAMELEN, "/tmp/waklog_cache.%d", getpid() );
1396
1397 if ( ( fd = open( cache_file, O_RDWR, 0600 ) ) == -1 ) {
1398
1399 if ( errno == ENOENT ) {
1400
1401 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: creating shared token cache file %s", cache_file );
1402 use_existing = 0;
1403 if ( ( fd = open( cache_file, O_RDWR|O_CREAT|O_TRUNC, 0600 ) ) == -1 ) {
1404 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: cannot create shared token cache file %s (%d)", cache_file, errno );
1405 exit(errno);
1406 }
1407 } else {
1408 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: cannot open existing shared token cache file %s (%d)", cache_file, errno );
1409 }
1410
1411 }
1412
1413 if ( use_existing == 0 ) {
1414 struct sharedspace_s bob;
1415 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: sizing our cache file %d to %d", fd, sizeof(struct sharedspace_s) );
1416 memset( &bob, 0, sizeof(struct sharedspace_s));
1417 write(fd, &bob, sizeof(struct sharedspace_s));
1418 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: done sizing our cache file to %d", sizeof(struct sharedspace_s) );
1419 }
4e1ae1cd 1420
3f4fda20 1421 /* mmap the region */
1422
c760f0a1 1423 if ( ( sharedspace = (struct sharedspace_s *) mmap ( NULL, sizeof(struct sharedspace_s), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0 ) ) != (void *) -1 ) {
3f4fda20 1424 log_error( APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: shared mmap region ok %d", sharedspace );
1425 close(fd);
1426 } else {
1427 log_error( APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: mmap failed %d", errno );
1428 exit(errno);
1429 }
1430 }
e21f34f0 1431
3f4fda20 1432#ifdef use_pthreads
1433#define locktype pthread_rwlock_t
1434#else
1435#define locktype rwlock_t
ea3e8708 1436#endif
e21f34f0 1437
3f4fda20 1438 /* mmap our shared space for our lock */
c760f0a1 1439 if ( ( sharedlock = ( locktype * ) mmap ( NULL, sizeof(locktype), PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANON, -1, 0 ) ) ) {
3f4fda20 1440#ifndef use_pthreads
1441 rwlock_init(sharedlock, USYNC_PROCESS, NULL );
1442#else
1443 pthread_rwlockattr_init(&rwlock_attr);
1444 pthread_rwlockattr_setpshared(&rwlock_attr, PTHREAD_PROCESS_SHARED);
1445 pthread_rwlock_init(sharedlock, &rwlock_attr );
1446#endif
1447 } else {
1448 log_error( APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: rwlock mmap failed %d", errno );
1449 }
e21f34f0 1450
3f4fda20 1451#undef locktype
e21f34f0 1452
3f4fda20 1453 /* set our default tokens */
1454
1455 getModConfig (cfg, s);
42d78dfb 1456
1457 oldrenewcount = sharedspace->renewcount;
1458
1459 pag_for_children = 0;
1460
1461 pid = ap_bspawn_child (p, waklog_child_routine, s, kill_always,
1462 NULL, NULL, NULL);
1463
1464 pag_for_children = 1;
1465
3f4fda20 1466 log_error (APLOG_MARK, APLOG_DEBUG, 0, s,
42d78dfb 1467 "mod_waklog: ap_bspawn_child: %d.", pid);
3f4fda20 1468
1469 if ( use_existing == 0 ) {
1470 /* wait here until our child process has gone and done it's renewing thing. */
1471 while( sharedspace->renewcount == oldrenewcount ) {
1472 log_error( APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: waiting for tokens..." );
1473 sleep(2);
87822447 1474 }
3f4fda20 1475 }
1476
1477 if ( cfg->default_principal ) {
1478 set_auth( s, NULL, 0, cfg->default_principal, cfg->default_keytab, 0);
1479 }
1480
87822447 1481}
3f4fda20 1482#endif
1483
1484static int
1485waklog_phase0 (request_rec * r)
e21f34f0 1486{
3f4fda20 1487 waklog_config *cfg;
e21f34f0 1488
3f4fda20 1489 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1490 "mod_waklog: phase0 called");
3f4fda20 1491
1492 cfg = retrieve_config(r);
e21f34f0 1493
3f4fda20 1494 if ( cfg->protect && cfg->principal ) {
1495 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase0 using user %s", cfg->principal);
1496 set_auth(r->server, r, 0, cfg->principal, cfg->keytab, 0);
1497 } else if ( cfg->default_principal ) {
1498 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase0 using default user %s", cfg->default_principal);
1499 set_auth(r->server, r, 0, cfg->default_principal, cfg->default_keytab, 0);
1500 } else {
c760f0a1 1501
1502 if (child.token.ticketLen) {
1503 memset( &child.token, 0, sizeof (struct ktc_token) );
1504 ktc_ForgetAllTokens();
1505 }
1506
3f4fda20 1507 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase0 not doing nothin.");
1508 }
e21f34f0 1509
3f4fda20 1510 return DECLINED;
e21f34f0 1511}
4e1ae1cd 1512
3f4fda20 1513static int
1514waklog_phase1 (request_rec * r)
bed98ff9 1515{
3f4fda20 1516 waklog_config *cfg;
313dde40 1517
3f4fda20 1518 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1519 "mod_waklog: phase1 called");
7193eb01 1520
3f4fda20 1521 cfg = retrieve_config(r);
313dde40 1522
3f4fda20 1523 if ( cfg->protect && cfg->principal ) {
1524 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase1 using user %s", cfg->principal);
1525 set_auth(r->server, r, 0, cfg->principal, cfg->keytab, 0);
1526 } else if ( cfg->default_principal ) {
1527 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase1 using default user %s", cfg->default_principal);
1528 set_auth(r->server, r, 0, cfg->default_principal, cfg->default_keytab, 0);
1529 } else {
1530 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase1 not doing nothin.");
1531 }
4e1ae1cd 1532
3f4fda20 1533 return DECLINED;
7193eb01 1534}
4e1ae1cd 1535
3f4fda20 1536static int
1537waklog_phase3 (request_rec * r)
7193eb01 1538{
3f4fda20 1539 waklog_config *cfg;
1e18ef7d 1540
3f4fda20 1541 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1542 "mod_waklog: phase 3 called");
1e18ef7d 1543
3f4fda20 1544 cfg = retrieve_config(r);
1545
1546 if ( cfg->protect && cfg->principal ) {
1547 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase3 using user %s", cfg->principal);
1548 set_auth(r->server, r, 0, cfg->principal, cfg->keytab, 0);
1549 } else if ( cfg->default_principal ) {
1550 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase3 using default user %s", cfg->default_principal);
1551 set_auth(r->server, r, 0, cfg->default_principal, cfg->default_keytab, 0);
1552 } else {
1553 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase3 not doing nothin.");
1554 }
1555
1556 return DECLINED;
1557}
bed98ff9 1558
3f4fda20 1559static int
1560waklog_phase6 (request_rec * r)
1561{
1562 waklog_config *cfg;
1563
1564 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1565 "mod_waklog: phase6 called");
3f4fda20 1566
1567 cfg = retrieve_config(r);
1568
1569 if ( cfg->protect && cfg->principal ) {
1570 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase6 using user %s", cfg->principal);
1571 set_auth(r->server, r, 0, cfg->principal, cfg->keytab, 0);
1572 } else if ( cfg->default_principal ) {
1573 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase6 using default user %s", cfg->default_principal);
1574 set_auth(r->server, r, 0, cfg->default_principal, cfg->default_keytab, 0);
1575 } else {
1576 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase6 not doing nothin.");
1577 }
1578
1579 return DECLINED;
1580}
bed98ff9 1581
3f4fda20 1582static int
1583waklog_phase7 (request_rec * r)
1584{
1585 waklog_config *cfg;
1586 int rc = 0;
1587
1588 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1589 "mod_waklog: phase7 called");
3f4fda20 1590
1591 cfg = retrieve_config (r);
1592
1593 if ( cfg->protect && cfg->usertokens ) {
1594 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase7 using usertokens");
1595 rc = set_auth( r->server, r, 1, NULL, NULL, 0);
1596 } else if ( cfg->protect && cfg->principal ) {
1597 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase7 using user %s", cfg->principal);
1598 rc = set_auth( r->server, r, 0, cfg->principal, cfg->keytab, 0);
1599 } else if ( cfg->default_principal ) {
1600 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase7 using default user %s", cfg->default_principal);
1601 rc = set_auth( r->server, r, 0, cfg->default_principal, cfg->default_keytab, 0);
d3bea354 1602 } else {
c760f0a1 1603 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: no tokens");
1604 if (child.token.ticketLen) {
1605 memset(&child.token, 0, sizeof(struct ktc_token));
1606 ktc_ForgetAllTokens();
1607 }
3f4fda20 1608 }
1609
1610 if ( rc ) {
1611 return 400;
1612 }
1613
1614 return DECLINED;
1615}
87822447 1616
3f4fda20 1617static int
1618waklog_phase9 (request_rec * r)
1619{
1620 waklog_config *cfg;
bed98ff9 1621
3f4fda20 1622 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1623 "mod_waklog: phase9 called");
bed98ff9 1624
3f4fda20 1625 getModConfig (cfg, r->server);
1626
1627 if ( cfg->default_principal ) {
1628 log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "mod_waklog: phase9 using default user %s", cfg->default_principal);
1629 set_auth( r->server, r, 0, cfg->default_principal, cfg->default_keytab, 0);
1630 }
1631
1632 return DECLINED;
bed98ff9 1633}
1634
ff47641b 1635
87822447 1636static
c9d59a9c 1637#ifdef APACHE2
ff47641b 1638 int
87822447 1639#else
ff47641b 1640 void
87822447 1641#endif
ff47641b 1642waklog_new_connection (conn_rec * c
c9d59a9c 1643#ifdef APACHE2
42d78dfb 1644 , void *dummy
87822447 1645#endif
ff47641b 1646 )
1647{
1648
3f4fda20 1649 waklog_config *cfg;
ff47641b 1650
1651 log_error (APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
42d78dfb 1652 "mod_waklog: new_connection called: pid: %d", getpid ());
1653
1654 getModConfig(cfg, c->base_server);
1655
1656 if ( cfg->default_principal ) {
1657 log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server, "mod_waklog: new conn setting default user %s",
1658 cfg->default_principal);
1659 set_auth( c->base_server, NULL, 0, cfg->default_principal, cfg->default_keytab, 0);
1660 }
1661
1662
3f4fda20 1663 return
c9d59a9c 1664#ifdef APACHE2
3f4fda20 1665 0
87822447 1666#endif
3f4fda20 1667 ;
7193eb01 1668}
bed98ff9 1669
c4ad0387 1670
1196adfe 1671/*
1672** Here's a quick explaination for phase0 and phase2:
1673** Apache does a stat() on the path between phase0 and
1674** phase2, and must by ACLed rl to succeed. So, at
1675** phase0 we acquire credentials for umweb:servers from
1676** a keytab, and at phase2 we must ensure we remove them.
1677**
1678** Failure to "unlog" would be a security risk.
1679*/
ff47641b 1680static int
1681waklog_phase2 (request_rec * r)
c4ad0387 1682{
161ffd84 1683
ff47641b 1684 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1685 "mod_waklog: phase2 called");
1196adfe 1686
ff47641b 1687 if (child.token.ticketLen)
1688 {
1689 memset (&child.token, 0, sizeof (struct ktc_token));
c4ad0387 1690
ff47641b 1691 ktc_ForgetAllTokens ();
c4ad0387 1692
ff47641b 1693 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1694 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d",
1695 getpid ());
c4ad0387 1696 }
1196adfe 1697
ff47641b 1698 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
42d78dfb 1699 "mod_waklog: phase2 returning");
1196adfe 1700
3f4fda20 1701 return DECLINED;
c4ad0387 1702}
1703
c9d59a9c 1704#ifndef APACHE2
313dde40 1705module MODULE_VAR_EXPORT waklog_module = {
3f4fda20 1706 STANDARD_MODULE_STUFF,
866ccfbd 1707 waklog_init, /* module initializer */
42d78dfb 1708 waklog_create_dir_config, /* create per-dir config structures */
866ccfbd 1709 waklog_merge_dir_config, /* merge per-dir config structures */
1710 waklog_create_server_config, /* create per-server config structures */
1711 waklog_merge_dir_config, /* merge per-server config structures */
1712 waklog_cmds, /* table of config file commands */
1713 NULL, /* [#8] MIME-typed-dispatched handlers */
1714 waklog_phase1, /* [#1] URI to filename translation */
1715 NULL, /* [#4] validate user id from request */
1716 NULL, /* [#5] check if the user is ok _here_ */
1717 waklog_phase3, /* [#3] check access by host address */
1718 waklog_phase6, /* [#6] determine MIME type */
1719 waklog_phase7, /* [#7] pre-run fixups */
1720 waklog_phase9, /* [#9] log a transaction */
c760f0a1 1721 waklog_phase2, /* [#2] header parser */
866ccfbd 1722 waklog_child_init, /* child_init */
1723 waklog_child_exit, /* child_exit */
1724 waklog_phase0 /* [#0] post read-request */
bed98ff9 1725#ifdef EAPI
866ccfbd 1726 , NULL, /* EAPI: add_module */
1727 NULL, /* EAPI: remove_module */
1728 NULL, /* EAPI: rewrite_command */
1729 waklog_new_connection /* EAPI: new_connection */
bed98ff9 1730#endif
1731};
87822447 1732#else
1733static void
ff47641b 1734waklog_register_hooks (apr_pool_t * p)
87822447 1735{
3f4fda20 1736 ap_hook_translate_name (waklog_phase1, NULL, NULL, APR_HOOK_FIRST);
ff47641b 1737 ap_hook_header_parser (waklog_phase2, NULL, NULL, APR_HOOK_FIRST);
3f4fda20 1738 ap_hook_access_checker (waklog_phase3, NULL, NULL, APR_HOOK_FIRST);
1739 ap_hook_type_checker (waklog_phase6, NULL, NULL, APR_HOOK_FIRST);
ff47641b 1740 ap_hook_fixups (waklog_phase7, NULL, NULL, APR_HOOK_FIRST);
3f4fda20 1741 ap_hook_log_transaction (waklog_phase9, NULL, NULL, APR_HOOK_FIRST);
ff47641b 1742 ap_hook_child_init (waklog_child_init, NULL, NULL, APR_HOOK_FIRST);
1743 ap_hook_post_read_request (waklog_phase0, NULL, NULL, APR_HOOK_FIRST);
1744 ap_hook_pre_connection (waklog_new_connection, NULL, NULL, APR_HOOK_FIRST);
1745 ap_hook_post_config (waklog_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
87822447 1746}
1747
1748
3f4fda20 1749module AP_MODULE_DECLARE_DATA waklog_module = {
1750 STANDARD20_MODULE_STUFF,
42d78dfb 1751 waklog_create_dir_config, /* create per-dir conf structures */
1752 waklog_merge_dir_config, /* merge per-dir conf structures */
1753 waklog_create_server_config, /* create per-server conf structures */
1754 waklog_merge_dir_config, /* merge per-server conf structures */
1755 waklog_cmds, /* table of configuration directives */
1756 waklog_register_hooks /* register hooks */
87822447 1757};
1758#endif
libapache-mod-waklog packaging