HCoop / hcoop / debian / libapache-mod-waklog.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
no dir config
[hcoop/debian/libapache-mod-waklog.git] / mod_waklog.c
1 #include "httpd.h"
2 #include "http_config.h"
3 #include "http_conf_globals.h"
4 #include "http_log.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
7 #include "http_core.h"
8 #include "ap_config.h"
9 #include <krb5.h>
10
11 #if defined(sun)
12 #include <sys/ioccom.h>
13 #endif /* sun */
14 #include <stropts.h>
15 #include <afs/venus.h>
16 #include <afs/auth.h>
17 #include <rx/rxkad.h>
18
19 #define KEYTAB "/home/drh/keytab.umweb.drhtest"
20 #define KEYTAB_PRINCIPAL "umweb/drhtest"
21
22 #define TKT_LIFE 10*60*60
23 #define SLEEP_TIME 5*60 /* should be TKT_LIFE */
24
25 #define AFS_CELL "umich.edu" /* NB: lower case */
26
27 #define K5PATH "FILE:/tmp/waklog.creds.k5"
28 #define K4PATH "/tmp/waklog.creds.k4"
29
30 module waklog_module;
31
32 struct ClearToken {
33 long AuthHandle;
34 char HandShakeKey[ 8 ];
35 long ViceId;
36 long BeginTimestamp;
37 long EndTimestamp;
38 };
39
40 typedef struct {
41 int configured;
42 int protect;
43 char *keytab;
44 char *keytab_principal;
45 char *afs_cell;
46 } waklog_host_config;
47
48 typedef struct {
49 struct ktc_token token;
50 } waklog_child_config;
51 waklog_child_config child;
52
53
54 static void *
55 waklog_create_server_config( pool *p, server_rec *s )
56 {
57 waklog_host_config *cfg;
58
59 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
60 cfg->configured = 0;
61 cfg->protect = 0;
62 cfg->keytab = KEYTAB;
63 cfg->keytab_principal = KEYTAB_PRINCIPAL;
64 cfg->afs_cell = AFS_CELL;
65
66 return( cfg );
67 }
68
69
70 static const char *
71 set_waklog_protect( cmd_parms *params, void *mconfig, int flag )
72 {
73 waklog_host_config *cfg;
74
75 if ( params->path == NULL ) {
76 cfg = (waklog_host_config *) ap_get_module_config(
77 params->server->module_config, &waklog_module );
78 } else {
79 cfg = (waklog_host_config *)mconfig;
80 }
81
82 cfg->protect = flag;
83 cfg->configured = 1;
84 return( NULL );
85 }
86
87
88 static const char *
89 set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file )
90 {
91 waklog_host_config *cfg;
92
93 if ( params->path == NULL ) {
94 cfg = (waklog_host_config *) ap_get_module_config(
95 params->server->module_config, &waklog_module );
96 } else {
97 cfg = (waklog_host_config *)mconfig;
98 }
99
100 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
101 "mod_waklog: using keytab: %s", file );
102
103 cfg->keytab = file;
104 cfg->configured = 1;
105 return( NULL );
106 }
107
108
109 static const char *
110 set_waklog_use_keytab_principal( cmd_parms *params, void *mconfig, char *file )
111 {
112 waklog_host_config *cfg;
113
114 if ( params->path == NULL ) {
115 cfg = (waklog_host_config *) ap_get_module_config(
116 params->server->module_config, &waklog_module );
117 } else {
118 cfg = (waklog_host_config *)mconfig;
119 }
120
121 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
122 "mod_waklog: using keytab_principal: %s", file );
123
124 cfg->keytab_principal = file;
125 cfg->configured = 1;
126 return( NULL );
127 }
128
129
130 static const char *
131 set_waklog_use_afs_cell( cmd_parms *params, void *mconfig, char *file )
132 {
133 waklog_host_config *cfg;
134
135 if ( params->path == NULL ) {
136 cfg = (waklog_host_config *) ap_get_module_config(
137 params->server->module_config, &waklog_module );
138 } else {
139 cfg = (waklog_host_config *)mconfig;
140 }
141
142 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
143 "mod_waklog: using afs_cell: %s", file );
144
145 cfg->afs_cell = file;
146 cfg->configured = 1;
147 return( NULL );
148 }
149
150
151 static void
152 waklog_child_init( server_rec *s, pool *p )
153 {
154
155 memset( &child.token, 0, sizeof( struct ktc_token ) );
156
157 setpag();
158
159 return;
160 }
161
162
163 command_rec waklog_cmds[ ] =
164 {
165 { "WaklogProtected", set_waklog_protect,
166 NULL, RSRC_CONF | ACCESS_CONF, FLAG,
167 "enable waklog on a location or directory basis" },
168
169 { "WaklogUseKeytabPath", set_waklog_use_keytab,
170 NULL, RSRC_CONF, TAKE1,
171 "Use the supplied keytab rather than the default" },
172
173 { "WaklogUseKeytabPrincipal", set_waklog_use_keytab_principal,
174 NULL, RSRC_CONF, TAKE1,
175 "Use the supplied keytab principal rather than the default" },
176
177 { "WaklogUseAFSCell", set_waklog_use_afs_cell,
178 NULL, RSRC_CONF, TAKE1,
179 "Use the supplied AFS cell rather than the default" },
180
181 { NULL }
182 };
183
184
185 static void
186 token_cleanup( void *data )
187 {
188 request_rec *r = (request_rec *)data;
189
190 if ( child.token.ticketLen ) {
191 memset( &child.token, 0, sizeof( struct ktc_token ) );
192
193 ktc_ForgetAllTokens();
194
195 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
196 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d", getpid() );
197 }
198 return;
199 }
200
201
202 static int
203 waklog_kinit( server_rec *s )
204 {
205 krb5_error_code kerror;
206 krb5_context kcontext = NULL;
207 krb5_principal kprinc = NULL;
208 krb5_get_init_creds_opt kopts;
209 krb5_creds v5creds;
210 krb5_ccache kccache = NULL;
211 krb5_keytab keytab = NULL;
212 char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
213 waklog_host_config *cfg;
214
215 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
216 "mod_waklog: waklog_kinit called" );
217
218 cfg = (waklog_host_config *) ap_get_module_config( s->module_config,
219 &waklog_module );
220
221 if (( kerror = krb5_init_context( &kcontext ))) {
222 ap_log_error( APLOG_MARK, APLOG_ERR, s,
223 (char *)error_message( kerror ));
224
225 goto cleanup;
226 }
227
228 /* use the path */
229 if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
230 ap_log_error( APLOG_MARK, APLOG_ERR, s,
231 (char *)error_message( kerror ));
232
233 goto cleanup;
234 }
235
236 if (( kerror = krb5_parse_name( kcontext, cfg->keytab_principal, &kprinc ))) {
237 ap_log_error( APLOG_MARK, APLOG_ERR, s,
238 (char *)error_message( kerror ));
239
240 goto cleanup;
241 }
242
243 krb5_get_init_creds_opt_init( &kopts );
244 krb5_get_init_creds_opt_set_tkt_life( &kopts, TKT_LIFE );
245 krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
246 krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
247 krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );
248
249 /* keytab from config */
250 strncpy( ktbuf, cfg->keytab, sizeof( ktbuf ) - 1 );
251
252 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
253 "mod_waklog: waklog_kinit using: %s", ktbuf );
254
255 if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
256 ap_log_error( APLOG_MARK, APLOG_ERR, s,
257 (char *)error_message( kerror ));
258
259 goto cleanup;
260 }
261
262 /* get the krbtgt */
263 if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds,
264 kprinc, keytab, 0, NULL, &kopts ))) {
265
266 ap_log_error( APLOG_MARK, APLOG_ERR, s,
267 (char *)error_message( kerror ));
268
269 goto cleanup;
270 }
271
272 if (( kerror = krb5_verify_init_creds( kcontext, &v5creds,
273 kprinc, keytab, NULL, NULL )) != 0 ) {
274
275 ap_log_error( APLOG_MARK, APLOG_ERR, s,
276 (char *)error_message( kerror ));
277
278 goto cleanup;
279 }
280
281 if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
282 ap_log_error( APLOG_MARK, APLOG_ERR, s,
283 (char *)error_message( kerror ));
284
285 goto cleanup;
286 }
287
288 kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds );
289 krb5_free_cred_contents( kcontext, &v5creds );
290 if ( kerror != 0 ) {
291 ap_log_error( APLOG_MARK, APLOG_ERR, s,
292 (char *)error_message( kerror ));
293
294 goto cleanup;
295 }
296
297 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
298 "mod_waklog: waklog_kinit success" );
299
300 cleanup:
301 if ( keytab )
302 (void)krb5_kt_close( kcontext, keytab );
303 if ( kprinc )
304 krb5_free_principal( kcontext, kprinc );
305 if ( kccache )
306 krb5_cc_close( kcontext, kccache );
307 if ( kcontext )
308 krb5_free_context( kcontext );
309
310 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
311 "mod_waklog: waklog_kinit: exiting" );
312
313 return( 0 );
314 }
315
316
317 static void
318 waklog_aklog( request_rec *r )
319 {
320 int rc;
321 char buf[ 2048 ];
322 const char *k4path = NULL;
323 const char *k5path = NULL;
324 krb5_error_code kerror;
325 krb5_context kcontext = NULL;
326 krb5_creds increds;
327 krb5_creds *v5credsp = NULL;
328 krb5_ccache kccache = NULL;
329 struct ktc_principal server = { "afs", "", "" };
330 struct ktc_principal client;
331 struct ktc_token token;
332 waklog_host_config *cfg;
333 int buflen;
334
335 k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" );
336 k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" );
337
338 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
339 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path );
340
341 if ( !k5path || !k4path ) {
342 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
343 "mod_waklog: waklog_aklog giving up" );
344 goto cleanup;
345 }
346
347 /*
348 ** Get/build creds from file/tgs, then see if we need to SetToken
349 */
350
351 if (( kerror = krb5_init_context( &kcontext ))) {
352 /* Authentication Required ( kerberos error ) */
353 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
354 (char *)error_message( kerror ));
355
356 goto cleanup;
357 }
358
359 memset( (char *)&increds, 0, sizeof(increds));
360
361 cfg = (waklog_host_config *) ap_get_module_config(
362 r->server->module_config, &waklog_module );
363
364 /* afs/<cell> or afs */
365 strncpy( buf, "afs", sizeof( buf ) - 1 );
366 if ( strcmp( cfg->afs_cell, AFS_CELL ) ) {
367 strncat( buf, "/" , sizeof( buf ) - strlen( buf ) - 1 );
368 strncat( buf, cfg->afs_cell, sizeof( buf ) - strlen( buf ) - 1 );
369 }
370
371 /* set server part */
372 if (( kerror = krb5_parse_name( kcontext, buf, &increds.server ))) {
373 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
374 (char *)error_message( kerror ));
375
376 goto cleanup;
377 }
378
379 if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
380 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
381 (char *)error_message( kerror ));
382
383 goto cleanup;
384 }
385
386 /* set client part */
387 krb5_cc_get_principal( kcontext, kccache, &increds.client );
388
389 increds.times.endtime = 0;
390 /* Ask for DES since that is what V4 understands */
391 increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
392
393 /* get the V5 credentials */
394 if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
395 &increds, &v5credsp ) ) ) {
396 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
397 "mod_waklog: krb5_get_credentials: %s", error_message( kerror ));
398 goto cleanup;
399 }
400
401 /* don't overflor */
402 if ( v5credsp->ticket.length >= 344 ) { /* from krb524d.c */
403 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
404 "mod_waklog: ticket size (%d) to big to fake", v5credsp->ticket.length );
405 goto cleanup;
406 }
407
408 /* assemble the token */
409 memset( &token, 0, sizeof( struct ktc_token ) );
410
411 token.startTime = v5credsp->times.starttime ? v5credsp->times.starttime : v5credsp->times.authtime;
412 token.endTime = v5credsp->times.endtime;
413 memmove( &token.sessionKey, v5credsp->keyblock.contents, v5credsp->keyblock.length );
414 token.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
415 token.ticketLen = v5credsp->ticket.length;
416 memmove( token.ticket, v5credsp->ticket.data, token.ticketLen );
417
418 /* make sure we have to do this */
419 if ( child.token.kvno != token.kvno ||
420 child.token.ticketLen != token.ticketLen ||
421 (memcmp( &child.token.sessionKey, &token.sessionKey,
422 sizeof( token.sessionKey ) )) ||
423 (memcmp( child.token.ticket, token.ticket, token.ticketLen )) ) {
424
425 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
426 "mod_waklog: client: %s", buf );
427
428 /* build the name */
429 memmove( buf, v5credsp->client->data[0].data, v5credsp->client->data[0].length );
430 buf[ v5credsp->client->data[0].length ] = '\0';
431 if ( v5credsp->client->length > 1 ) {
432 strncat( buf, ".", sizeof( buf ) - strlen( buf ) - 1 );
433 buflen = strlen( buf );
434 memmove( buf + buflen, v5credsp->client->data[1].data, v5credsp->client->data[1].length );
435 buf[ buflen + v5credsp->client->data[1].length ] = '\0';
436 }
437
438 /* assemble the client */
439 strncpy( client.name, buf, sizeof( client.name ) - 1 );
440 strncpy( client.instance, "", sizeof( client.instance) - 1 );
441 memmove( buf, v5credsp->client->realm.data, v5credsp->client->realm.length );
442 buf[ v5credsp->client->realm.length ] = '\0';
443 strncpy( client.cell, buf, sizeof( client.cell ) - 1 );
444
445 /* assemble the server's cell */
446 strncpy( server.cell, cfg->afs_cell , sizeof( server.cell ) - 1 );
447
448 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
449 "mod_waklog: server: name=%s, instance=%s, cell=%s",
450 server.name, server.instance, server.cell );
451
452 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
453 "mod_waklog: client: name=%s, instance=%s, cell=%s",
454 client.name, client.instance, client.cell );
455
456 /* use the path */
457 krb_set_tkt_string( (char *)k4path );
458
459 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
460 write( 2, "", 0 );
461
462 if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
463 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
464 "mod_waklog: settoken returned %d", rc );
465 goto cleanup;
466 }
467
468 /* save this */
469 memmove( &child.token, &token, sizeof( struct ktc_token ) );
470
471 /* we'll need to unlog when this connection is done. */
472 ap_register_cleanup( r->pool, (void *)r, token_cleanup, ap_null_cleanup );
473 }
474
475 cleanup:
476 if ( v5credsp )
477 krb5_free_cred_contents( kcontext, v5credsp );
478 if ( increds.client )
479 krb5_free_principal( kcontext, increds.client );
480 if ( increds.server )
481 krb5_free_principal( kcontext, increds.server );
482 if ( kccache )
483 krb5_cc_close( kcontext, kccache );
484 if ( kcontext )
485 krb5_free_context( kcontext );
486
487 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
488 "mod_waklog: finished with waklog_aklog" );
489
490 return;
491
492 }
493
494 static int
495 waklog_child_routine( void *s, child_info *pinfo )
496 {
497 if ( !getuid() ) {
498 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
499 "mod_waklog: waklog_child_routine called as root" );
500
501 /* this was causing the credential file to get owned by root */
502 setgid(ap_group_id);
503 setuid(ap_user_id);
504 }
505
506 while( 1 ) {
507 waklog_kinit( s );
508 sleep( SLEEP_TIME );
509 }
510
511 }
512
513
514 static void
515 waklog_init( server_rec *s, pool *p )
516 {
517 extern char *version;
518 int pid;
519
520 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
521 "mod_waklog: version %s initialized.", version );
522
523 pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
524 NULL, NULL, NULL );
525
526 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
527 "mod_waklog: ap_bspawn_child: %d.", pid );
528 }
529
530
531 static int
532 waklog_phase0( request_rec *r )
533 {
534 waklog_host_config *cfg;
535
536 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
537 "mod_waklog: phase0 called" );
538
539 /* directory config? */
540 cfg = (waklog_host_config *)ap_get_module_config(
541 r->per_dir_config, &waklog_module);
542
543 /* server config? */
544 if ( !cfg->configured ) {
545 cfg = (waklog_host_config *)ap_get_module_config(
546 r->server->module_config, &waklog_module);
547 }
548
549 if ( !cfg->protect ) {
550 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
551 "mod_waklog: phase0 declining" );
552 return( DECLINED );
553 }
554
555 /* do this only if we are still unauthenticated */
556 if ( !child.token.ticketLen ) {
557
558 /* set our environment variables */
559 ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
560 ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH );
561
562 /* stuff the credentials into the kernel */
563 waklog_aklog( r );
564 }
565
566 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
567 "mod_waklog: phase0 returning" );
568 return DECLINED;
569 }
570
571
572 static int
573 waklog_phase7( request_rec *r )
574 {
575 waklog_host_config *cfg;
576
577 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
578 "mod_waklog: phase7 called" );
579
580 /* directory config? */
581 cfg = (waklog_host_config *)ap_get_module_config(
582 r->per_dir_config, &waklog_module);
583
584 /* server config? */
585 if ( !cfg->configured ) {
586 cfg = (waklog_host_config *)ap_get_module_config(
587 r->server->module_config, &waklog_module);
588 }
589
590 if ( !cfg->protect ) {
591 return( DECLINED );
592 }
593
594 /* stuff the credentials into the kernel */
595 waklog_aklog( r );
596
597 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
598 "mod_waklog: phase7 returning" );
599
600 return DECLINED;
601 }
602
603 static void
604 waklog_new_connection( conn_rec *c ) {
605 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server,
606 "mod_waklog: new_connection called: pid: %d", getpid() );
607 return;
608 }
609
610 module MODULE_VAR_EXPORT waklog_module = {
611 STANDARD_MODULE_STUFF,
612 waklog_init, /* module initializer */
613 NULL, /* create per-dir config structures */
614 NULL, /* merge per-dir config structures */
615 waklog_create_server_config, /* create per-server config structures */
616 NULL, /* merge per-server config structures */
617 waklog_cmds, /* table of config file commands */
618 NULL, /* [#8] MIME-typed-dispatched handlers */
619 NULL, /* [#1] URI to filename translation */
620 NULL, /* [#4] validate user id from request */
621 NULL, /* [#5] check if the user is ok _here_ */
622 NULL, /* [#3] check access by host address */
623 NULL, /* [#6] determine MIME type */
624 waklog_phase7, /* [#7] pre-run fixups */
625 NULL, /* [#9] log a transaction */
626 NULL, /* [#2] header parser */
627 waklog_child_init, /* child_init */
628 NULL, /* child_exit */
629 waklog_phase0 /* [#0] post read-request */
630 #ifdef EAPI
631 ,NULL, /* EAPI: add_module */
632 NULL, /* EAPI: remove_module */
633 NULL, /* EAPI: rewrite_command */
634 waklog_new_connection /* EAPI: new_connection */
635 #endif
636 };
libapache-mod-waklog packaging