HCoop / hcoop / debian / libapache-mod-waklog.git / blob
? search:


5d9b2a50000cd49fe924a797df5a1bc93405a7e5
[hcoop/debian/libapache-mod-waklog.git] / mod_waklog.c
1 #include "httpd.h"
2 #include "http_config.h"
3 #include "http_conf_globals.h"
4 #include "http_log.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
7 #include "http_core.h"
8 #include "ap_config.h"
9 #include <krb5.h>
10
11 #if defined(sun)
12 #include <sys/ioccom.h>
13 #endif /* sun */
14 #include <stropts.h>
15 #include <afs/venus.h>
16 #include <afs/auth.h>
17 #include <rx/rxkad.h>
18
19 #define KEYTAB "/home/drh/keytab.umweb.drhtest"
20 #define KEYTAB_PRINCIPAL "umweb/drhtest"
21
22 #define TKT_LIFE 10*60*60
23 #define SLEEP_TIME 5*60 /* should be TKT_LIFE */
24
25 #define AFS_CELL "umich.edu" /* NB: lower case */
26
27 #define K5PATH "FILE:/tmp/waklog.creds.k5"
28 #define K4PATH "/tmp/waklog.creds.k4"
29
30 module waklog_module;
31
32 struct ClearToken {
33 long AuthHandle;
34 char HandShakeKey[ 8 ];
35 long ViceId;
36 long BeginTimestamp;
37 long EndTimestamp;
38 };
39
40 typedef struct {
41 int configured;
42 int protect;
43 char *keytab;
44 char *keytab_principal;
45 char *afs_cell;
46 } waklog_host_config;
47
48 typedef struct {
49 struct ktc_token token;
50 } waklog_child_config;
51 waklog_child_config child;
52
53
54 static void *
55 waklog_create_dir_config( pool *p, char *path )
56 {
57 waklog_host_config *cfg;
58
59 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
60 cfg->configured = 0;
61 cfg->protect = 0;
62 cfg->keytab = KEYTAB;
63 cfg->keytab_principal = KEYTAB_PRINCIPAL;
64 cfg->afs_cell = AFS_CELL;
65
66 return( cfg );
67 }
68
69
70 static void *
71 waklog_create_server_config( pool *p, server_rec *s )
72 {
73 waklog_host_config *cfg;
74
75 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
76 cfg->configured = 0;
77 cfg->protect = 0;
78 cfg->keytab = KEYTAB;
79 cfg->keytab_principal = KEYTAB_PRINCIPAL;
80 cfg->afs_cell = AFS_CELL;
81
82 #if 0
83 ap_set_module_config( s->module_config, &waklog_module, cfg);
84 #endif /* 0 */
85
86 return( cfg );
87 }
88
89
90 static const char *
91 set_waklog_protect( cmd_parms *params, void *mconfig, int flag )
92 {
93 waklog_host_config *cfg;
94
95 if ( params->path == NULL ) {
96 cfg = (waklog_host_config *) ap_get_module_config(
97 params->server->module_config, &waklog_module );
98 } else {
99 cfg = (waklog_host_config *)mconfig;
100 }
101
102 cfg->protect = flag;
103 cfg->configured = 1;
104 return( NULL );
105 }
106
107
108 static const char *
109 set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file )
110 {
111 waklog_host_config *cfg;
112
113 if ( params->path == NULL ) {
114 cfg = (waklog_host_config *) ap_get_module_config(
115 params->server->module_config, &waklog_module );
116 } else {
117 cfg = (waklog_host_config *)mconfig;
118 }
119
120 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
121 "mod_waklog: using keytab: %s", file );
122
123 cfg->keytab = file;
124 cfg->configured = 1;
125 return( NULL );
126 }
127
128
129 static const char *
130 set_waklog_use_keytab_principal( cmd_parms *params, void *mconfig, char *file )
131 {
132 waklog_host_config *cfg;
133
134 if ( params->path == NULL ) {
135 cfg = (waklog_host_config *) ap_get_module_config(
136 params->server->module_config, &waklog_module );
137 } else {
138 cfg = (waklog_host_config *)mconfig;
139 }
140
141 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
142 "mod_waklog: using keytab_principal: %s", file );
143
144 cfg->keytab_principal = file;
145 cfg->configured = 1;
146 return( NULL );
147 }
148
149
150 static const char *
151 set_waklog_use_afs_cell( cmd_parms *params, void *mconfig, char *file )
152 {
153 waklog_host_config *cfg;
154
155 if ( params->path == NULL ) {
156 cfg = (waklog_host_config *) ap_get_module_config(
157 params->server->module_config, &waklog_module );
158 } else {
159 cfg = (waklog_host_config *)mconfig;
160 }
161
162 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
163 "mod_waklog: using afs_cell: %s", file );
164
165 cfg->afs_cell = file;
166 cfg->configured = 1;
167 return( NULL );
168 }
169
170
171 static void
172 waklog_child_init( server_rec *s, pool *p )
173 {
174
175 memset( &child.token, 0, sizeof( struct ktc_token ) );
176
177 setpag();
178
179 return;
180 }
181
182
183 command_rec waklog_cmds[ ] =
184 {
185 { "WaklogProtected", set_waklog_protect,
186 NULL, RSRC_CONF | ACCESS_CONF, FLAG,
187 "enable waklog on a location or directory basis" },
188
189 { "WaklogUseKeytabPath", set_waklog_use_keytab,
190 NULL, RSRC_CONF, TAKE1,
191 "Use the supplied keytab rather than the default" },
192
193 { "WaklogUseKeytabPrincipal", set_waklog_use_keytab_principal,
194 NULL, RSRC_CONF, TAKE1,
195 "Use the supplied keytab principal rather than the default" },
196
197 { "WaklogUseAFSCell", set_waklog_use_afs_cell,
198 NULL, RSRC_CONF, TAKE1,
199 "Use the supplied AFS cell rather than the default" },
200
201 { NULL }
202 };
203
204
205 static void
206 token_cleanup( void *data )
207 {
208 request_rec *r = (request_rec *)data;
209
210 if ( child.token.ticketLen ) {
211 memset( &child.token, 0, sizeof( struct ktc_token ) );
212
213 ktc_ForgetAllTokens();
214
215 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
216 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d", getpid() );
217 }
218 return;
219 }
220
221
222 static int
223 waklog_kinit( server_rec *s )
224 {
225 krb5_error_code kerror;
226 krb5_context kcontext = NULL;
227 krb5_principal kprinc = NULL;
228 krb5_get_init_creds_opt kopts;
229 krb5_creds v5creds;
230 krb5_ccache kccache = NULL;
231 krb5_keytab keytab = NULL;
232 char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
233 waklog_host_config *cfg;
234
235 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
236 "mod_waklog: waklog_kinit called" );
237
238 cfg = (waklog_host_config *) ap_get_module_config( s->module_config,
239 &waklog_module );
240
241 if (( kerror = krb5_init_context( &kcontext ))) {
242 ap_log_error( APLOG_MARK, APLOG_ERR, s,
243 (char *)error_message( kerror ));
244
245 goto cleanup;
246 }
247
248 /* use the path */
249 if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
250 ap_log_error( APLOG_MARK, APLOG_ERR, s,
251 (char *)error_message( kerror ));
252
253 goto cleanup;
254 }
255
256 if (( kerror = krb5_parse_name( kcontext, cfg->keytab_principal, &kprinc ))) {
257 ap_log_error( APLOG_MARK, APLOG_ERR, s,
258 (char *)error_message( kerror ));
259
260 goto cleanup;
261 }
262
263 krb5_get_init_creds_opt_init( &kopts );
264 krb5_get_init_creds_opt_set_tkt_life( &kopts, TKT_LIFE );
265 krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
266 krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
267 krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );
268
269 /* keytab from config */
270 strncpy( ktbuf, cfg->keytab, sizeof( ktbuf ) - 1 );
271
272 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
273 "mod_waklog: waklog_kinit using: %s", ktbuf );
274
275 if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
276 ap_log_error( APLOG_MARK, APLOG_ERR, s,
277 (char *)error_message( kerror ));
278
279 goto cleanup;
280 }
281
282 /* get the krbtgt */
283 if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds,
284 kprinc, keytab, 0, NULL, &kopts ))) {
285
286 ap_log_error( APLOG_MARK, APLOG_ERR, s,
287 (char *)error_message( kerror ));
288
289 goto cleanup;
290 }
291
292 if (( kerror = krb5_verify_init_creds( kcontext, &v5creds,
293 kprinc, keytab, NULL, NULL )) != 0 ) {
294
295 ap_log_error( APLOG_MARK, APLOG_ERR, s,
296 (char *)error_message( kerror ));
297
298 goto cleanup;
299 }
300
301 if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
302 ap_log_error( APLOG_MARK, APLOG_ERR, s,
303 (char *)error_message( kerror ));
304
305 goto cleanup;
306 }
307
308 kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds );
309 krb5_free_cred_contents( kcontext, &v5creds );
310 if ( kerror != 0 ) {
311 ap_log_error( APLOG_MARK, APLOG_ERR, s,
312 (char *)error_message( kerror ));
313
314 goto cleanup;
315 }
316
317 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
318 "mod_waklog: waklog_kinit success" );
319
320 cleanup:
321 if ( keytab )
322 (void)krb5_kt_close( kcontext, keytab );
323 if ( kprinc )
324 krb5_free_principal( kcontext, kprinc );
325 if ( kccache )
326 krb5_cc_close( kcontext, kccache );
327 if ( kcontext )
328 krb5_free_context( kcontext );
329
330 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
331 "mod_waklog: waklog_kinit: exiting" );
332
333 return( 0 );
334 }
335
336
337 static void
338 waklog_aklog( request_rec *r )
339 {
340 int rc;
341 char buf[ 2048 ];
342 const char *k4path = NULL;
343 const char *k5path = NULL;
344 krb5_error_code kerror;
345 krb5_context kcontext = NULL;
346 krb5_creds increds;
347 krb5_creds *v5credsp = NULL;
348 krb5_ccache kccache = NULL;
349 struct ktc_principal server = { "afs", "", "" };
350 struct ktc_principal client;
351 struct ktc_token token;
352 waklog_host_config *cfg;
353 int buflen;
354
355 k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" );
356 k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" );
357
358 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
359 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path );
360
361 if ( !k5path || !k4path ) {
362 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
363 "mod_waklog: waklog_aklog giving up" );
364 goto cleanup;
365 }
366
367 /*
368 ** Get/build creds from file/tgs, then see if we need to SetToken
369 */
370
371 if (( kerror = krb5_init_context( &kcontext ))) {
372 /* Authentication Required ( kerberos error ) */
373 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
374 (char *)error_message( kerror ));
375
376 goto cleanup;
377 }
378
379 memset( (char *)&increds, 0, sizeof(increds));
380
381 cfg = (waklog_host_config *) ap_get_module_config(
382 r->server->module_config, &waklog_module );
383
384 /* afs/<cell> or afs */
385 strncpy( buf, "afs", sizeof( buf ) - 1 );
386 if ( strcmp( cfg->afs_cell, AFS_CELL ) ) {
387 strncat( buf, "/" , sizeof( buf ) - strlen( buf ) - 1 );
388 strncat( buf, cfg->afs_cell, sizeof( buf ) - strlen( buf ) - 1 );
389 }
390
391 /* set server part */
392 if (( kerror = krb5_parse_name( kcontext, buf, &increds.server ))) {
393 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
394 (char *)error_message( kerror ));
395
396 goto cleanup;
397 }
398
399 if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
400 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
401 (char *)error_message( kerror ));
402
403 goto cleanup;
404 }
405
406 /* set client part */
407 krb5_cc_get_principal( kcontext, kccache, &increds.client );
408
409 increds.times.endtime = 0;
410 /* Ask for DES since that is what V4 understands */
411 increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
412
413 /* get the V5 credentials */
414 if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
415 &increds, &v5credsp ) ) ) {
416 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
417 "mod_waklog: krb5_get_credentials: %s", error_message( kerror ));
418 goto cleanup;
419 }
420
421 /* don't overflor */
422 if ( v5credsp->ticket.length >= 344 ) { /* from krb524d.c */
423 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
424 "mod_waklog: ticket size (%d) to big to fake", v5credsp->ticket.length );
425 goto cleanup;
426 }
427
428 /* assemble the token */
429 memset( &token, 0, sizeof( struct ktc_token ) );
430
431 token.startTime = v5credsp->times.starttime ? v5credsp->times.starttime : v5credsp->times.authtime;
432 token.endTime = v5credsp->times.endtime;
433 memmove( &token.sessionKey, v5credsp->keyblock.contents, v5credsp->keyblock.length );
434 token.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
435 token.ticketLen = v5credsp->ticket.length;
436 memmove( token.ticket, v5credsp->ticket.data, token.ticketLen );
437
438 /* make sure we have to do this */
439 if ( child.token.kvno != token.kvno ||
440 child.token.ticketLen != token.ticketLen ||
441 (memcmp( &child.token.sessionKey, &token.sessionKey,
442 sizeof( token.sessionKey ) )) ||
443 (memcmp( child.token.ticket, token.ticket, token.ticketLen )) ) {
444
445 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
446 "mod_waklog: client: %s", buf );
447
448 /* build the name */
449 memmove( buf, v5credsp->client->data[0].data, v5credsp->client->data[0].length );
450 buf[ v5credsp->client->data[0].length ] = '\0';
451 if ( v5credsp->client->length > 1 ) {
452 strncat( buf, ".", sizeof( buf ) - strlen( buf ) - 1 );
453 buflen = strlen( buf );
454 memmove( buf + buflen, v5credsp->client->data[1].data, v5credsp->client->data[1].length );
455 buf[ buflen + v5credsp->client->data[1].length ] = '\0';
456 }
457
458 /* assemble the client */
459 strncpy( client.name, buf, sizeof( client.name ) - 1 );
460 strncpy( client.instance, "", sizeof( client.instance) - 1 );
461 memmove( buf, v5credsp->client->realm.data, v5credsp->client->realm.length );
462 buf[ v5credsp->client->realm.length ] = '\0';
463 strncpy( client.cell, buf, sizeof( client.cell ) - 1 );
464
465 /* assemble the server's cell */
466 strncpy( server.cell, cfg->afs_cell , sizeof( server.cell ) - 1 );
467
468 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
469 "mod_waklog: server: name=%s, instance=%s, cell=%s",
470 server.name, server.instance, server.cell );
471
472 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
473 "mod_waklog: client: name=%s, instance=%s, cell=%s",
474 client.name, client.instance, client.cell );
475
476 /* use the path */
477 krb_set_tkt_string( (char *)k4path );
478
479 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
480 write( 2, "", 0 );
481
482 if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
483 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
484 "mod_waklog: settoken returned %d", rc );
485 goto cleanup;
486 }
487
488 /* save this */
489 memmove( &child.token, &token, sizeof( struct ktc_token ) );
490
491 /* we'll need to unlog when this connection is done. */
492 ap_register_cleanup( r->pool, (void *)r, token_cleanup, ap_null_cleanup );
493 }
494
495 cleanup:
496 if ( v5credsp )
497 krb5_free_cred_contents( kcontext, v5credsp );
498 if ( increds.client )
499 krb5_free_principal( kcontext, increds.client );
500 if ( increds.server )
501 krb5_free_principal( kcontext, increds.server );
502 if ( kccache )
503 krb5_cc_close( kcontext, kccache );
504 if ( kcontext )
505 krb5_free_context( kcontext );
506
507 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
508 "mod_waklog: finished with waklog_aklog" );
509
510 return;
511
512 }
513
514 static int
515 waklog_child_routine( void *s, child_info *pinfo )
516 {
517 if ( !getuid() ) {
518 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
519 "mod_waklog: waklog_child_routine called as root" );
520
521 /* this was causing the credential file to get owned by root */
522 setgid(ap_group_id);
523 setuid(ap_user_id);
524 }
525
526 while( 1 ) {
527 waklog_kinit( s );
528 sleep( SLEEP_TIME );
529 }
530
531 }
532
533
534 static void
535 waklog_init( server_rec *s, pool *p )
536 {
537 extern char *version;
538 int pid;
539
540 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
541 "mod_waklog: version %s initialized.", version );
542
543 pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
544 NULL, NULL, NULL );
545
546 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
547 "mod_waklog: ap_bspawn_child: %d.", pid );
548 }
549
550
551 static int
552 waklog_phase0( request_rec *r )
553 {
554 waklog_host_config *cfg;
555
556 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
557 "mod_waklog: phase0 called" );
558
559 /* directory config? */
560 cfg = (waklog_host_config *)ap_get_module_config(
561 r->per_dir_config, &waklog_module);
562
563 /* server config? */
564 if ( !cfg->configured ) {
565 cfg = (waklog_host_config *)ap_get_module_config(
566 r->server->module_config, &waklog_module);
567 }
568
569 if ( !cfg->protect ) {
570 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
571 "mod_waklog: phase0 declining" );
572 return( DECLINED );
573 }
574
575 /* do this only if we are still unauthenticated */
576 if ( !child.token.ticketLen ) {
577
578 /* set our environment variables */
579 ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
580 ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH );
581
582 /* stuff the credentials into the kernel */
583 waklog_aklog( r );
584 }
585
586 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
587 "mod_waklog: phase0 returning" );
588 return DECLINED;
589 }
590
591
592 static int
593 waklog_phase7( request_rec *r )
594 {
595 waklog_host_config *cfg;
596
597 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
598 "mod_waklog: phase7 called" );
599
600 /* directory config? */
601 cfg = (waklog_host_config *)ap_get_module_config(
602 r->per_dir_config, &waklog_module);
603
604 /* server config? */
605 if ( !cfg->configured ) {
606 cfg = (waklog_host_config *)ap_get_module_config(
607 r->server->module_config, &waklog_module);
608 }
609
610 if ( !cfg->protect ) {
611 return( DECLINED );
612 }
613
614 /* stuff the credentials into the kernel */
615 waklog_aklog( r );
616
617 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
618 "mod_waklog: phase7 returning" );
619
620 return DECLINED;
621 }
622
623 static void
624 waklog_new_connection( conn_rec *c ) {
625 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server,
626 "mod_waklog: new_connection called: pid: %d", getpid() );
627 return;
628 }
629
630 module MODULE_VAR_EXPORT waklog_module = {
631 STANDARD_MODULE_STUFF,
632 waklog_init, /* module initializer */
633 waklog_create_dir_config, /* create per-dir config structures */
634 NULL, /* merge per-dir config structures */
635 waklog_create_server_config, /* create per-server config structures */
636 NULL, /* merge per-server config structures */
637 waklog_cmds, /* table of config file commands */
638 NULL, /* [#8] MIME-typed-dispatched handlers */
639 NULL, /* [#1] URI to filename translation */
640 NULL, /* [#4] validate user id from request */
641 NULL, /* [#5] check if the user is ok _here_ */
642 NULL, /* [#3] check access by host address */
643 NULL, /* [#6] determine MIME type */
644 waklog_phase7, /* [#7] pre-run fixups */
645 NULL, /* [#9] log a transaction */
646 NULL, /* [#2] header parser */
647 waklog_child_init, /* child_init */
648 NULL, /* child_exit */
649 waklog_phase0 /* [#0] post read-request */
650 #ifdef EAPI
651 ,NULL, /* EAPI: add_module */
652 NULL, /* EAPI: remove_module */
653 NULL, /* EAPI: rewrite_command */
654 waklog_new_connection /* EAPI: new_connection */
655 #endif
656 };
libapache-mod-waklog packaging