HCoop / hcoop / zz_old / modwaklog.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
fewer #includes
[hcoop/zz_old/modwaklog.git] / mod_waklog.c
1 #include "httpd.h"
2 #include "http_config.h"
3 #include "http_conf_globals.h"
4 #include "http_log.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
7 #include "http_core.h"
8 #include "ap_config.h"
9 #include <krb5.h>
10
11 #if defined(sun)
12 #include <sys/ioccom.h>
13 #endif /* sun */
14 #include <stropts.h>
15 #include <afs/venus.h>
16 #include <afs/auth.h>
17 #include <rx/rxkad.h>
18
19 #define KEYTAB "/home/drh/keytab.umweb.drhtest"
20 #define KEYTAB_PRINCIPAL "umweb/drhtest"
21
22 #define TKT_LIFE 10*60*60
23 #define SLEEP_TIME 5*60 /* should be TKT_LIFE */
24
25 #define AFS_CELL "umich.edu" /* NB: lower case */
26
27 #define K5PATH "FILE:/tmp/waklog.creds.k5"
28 #define K4PATH "/tmp/waklog.creds.k4"
29
30 module waklog_module;
31
32 struct ClearToken {
33 long AuthHandle;
34 char HandShakeKey[ 8 ];
35 long ViceId;
36 long BeginTimestamp;
37 long EndTimestamp;
38 };
39
40 typedef struct {
41 int configured;
42 int protect;
43 char *keytab;
44 char *keytab_principal;
45 char *afs_cell;
46 } waklog_host_config;
47
48 typedef struct {
49 struct ktc_token token;
50 } waklog_child_config;
51 waklog_child_config child;
52
53
54 static void *
55 waklog_create_dir_config( pool *p, char *path )
56 {
57 waklog_host_config *cfg;
58
59 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
60 cfg->configured = 0;
61 cfg->protect = 0;
62 cfg->keytab = KEYTAB;
63 cfg->keytab_principal = KEYTAB_PRINCIPAL;
64 cfg->afs_cell = AFS_CELL;
65
66 return( cfg );
67 }
68
69
70 static void *
71 waklog_create_server_config( pool *p, server_rec *s )
72 {
73 waklog_host_config *cfg;
74
75 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
76 cfg->configured = 0;
77 cfg->protect = 0;
78 cfg->keytab = KEYTAB;
79 cfg->keytab_principal = KEYTAB_PRINCIPAL;
80 cfg->afs_cell = AFS_CELL;
81
82 return( cfg );
83 }
84
85
86 static const char *
87 set_waklog_protect( cmd_parms *params, void *mconfig, int flag )
88 {
89 waklog_host_config *cfg;
90
91 if ( params->path == NULL ) {
92 cfg = (waklog_host_config *) ap_get_module_config(
93 params->server->module_config, &waklog_module );
94 } else {
95 cfg = (waklog_host_config *)mconfig;
96 }
97
98 cfg->protect = flag;
99 cfg->configured = 1;
100 return( NULL );
101 }
102
103
104 static const char *
105 set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file )
106 {
107 waklog_host_config *cfg;
108
109 if ( params->path == NULL ) {
110 cfg = (waklog_host_config *) ap_get_module_config(
111 params->server->module_config, &waklog_module );
112 } else {
113 cfg = (waklog_host_config *)mconfig;
114 }
115
116 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
117 "mod_waklog: using keytab: %s", file );
118
119 cfg->keytab = file;
120 cfg->configured = 1;
121 return( NULL );
122 }
123
124
125 static const char *
126 set_waklog_use_keytab_principal( cmd_parms *params, void *mconfig, char *file )
127 {
128 waklog_host_config *cfg;
129
130 if ( params->path == NULL ) {
131 cfg = (waklog_host_config *) ap_get_module_config(
132 params->server->module_config, &waklog_module );
133 } else {
134 cfg = (waklog_host_config *)mconfig;
135 }
136
137 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
138 "mod_waklog: using keytab_principal: %s", file );
139
140 cfg->keytab_principal = file;
141 cfg->configured = 1;
142 return( NULL );
143 }
144
145
146 static const char *
147 set_waklog_use_afs_cell( cmd_parms *params, void *mconfig, char *file )
148 {
149 waklog_host_config *cfg;
150
151 if ( params->path == NULL ) {
152 cfg = (waklog_host_config *) ap_get_module_config(
153 params->server->module_config, &waklog_module );
154 } else {
155 cfg = (waklog_host_config *)mconfig;
156 }
157
158 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
159 "mod_waklog: using afs_cell: %s", file );
160
161 cfg->afs_cell = file;
162 cfg->configured = 1;
163 return( NULL );
164 }
165
166
167 static void
168 waklog_child_init( server_rec *s, pool *p )
169 {
170
171 memset( &child.token, 0, sizeof( struct ktc_token ) );
172
173 setpag();
174
175 return;
176 }
177
178
179 command_rec waklog_cmds[ ] =
180 {
181 { "WaklogProtected", set_waklog_protect,
182 NULL, RSRC_CONF | ACCESS_CONF, FLAG,
183 "enable waklog on a location or directory basis" },
184
185 { "WaklogUseKeytabPath", set_waklog_use_keytab,
186 NULL, RSRC_CONF, TAKE1,
187 "Use the supplied keytab rather than the default" },
188
189 { "WaklogUseKeytabPrincipal", set_waklog_use_keytab_principal,
190 NULL, RSRC_CONF, TAKE1,
191 "Use the supplied keytab principal rather than the default" },
192
193 { "WaklogUseAFSCell", set_waklog_use_afs_cell,
194 NULL, RSRC_CONF, TAKE1,
195 "Use the supplied AFS cell rather than the default" },
196
197 { NULL }
198 };
199
200
201 static void
202 token_cleanup( void *data )
203 {
204 request_rec *r = (request_rec *)data;
205
206 if ( child.token.ticketLen ) {
207 memset( &child.token, 0, sizeof( struct ktc_token ) );
208
209 ktc_ForgetAllTokens();
210
211 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
212 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d", getpid() );
213 }
214 return;
215 }
216
217
218 static int
219 waklog_kinit( server_rec *s )
220 {
221 krb5_error_code kerror;
222 krb5_context kcontext = NULL;
223 krb5_principal kprinc = NULL;
224 krb5_get_init_creds_opt kopts;
225 krb5_creds v5creds;
226 krb5_ccache kccache = NULL;
227 krb5_keytab keytab = NULL;
228 char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
229 waklog_host_config *cfg;
230
231 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
232 "mod_waklog: waklog_kinit called" );
233
234 cfg = (waklog_host_config *) ap_get_module_config( s->module_config,
235 &waklog_module );
236
237 if (( kerror = krb5_init_context( &kcontext ))) {
238 ap_log_error( APLOG_MARK, APLOG_ERR, s,
239 (char *)error_message( kerror ));
240
241 goto cleanup;
242 }
243
244 /* use the path */
245 if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
246 ap_log_error( APLOG_MARK, APLOG_ERR, s,
247 (char *)error_message( kerror ));
248
249 goto cleanup;
250 }
251
252 if (( kerror = krb5_parse_name( kcontext, cfg->keytab_principal, &kprinc ))) {
253 ap_log_error( APLOG_MARK, APLOG_ERR, s,
254 (char *)error_message( kerror ));
255
256 goto cleanup;
257 }
258
259 krb5_get_init_creds_opt_init( &kopts );
260 krb5_get_init_creds_opt_set_tkt_life( &kopts, TKT_LIFE );
261 krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
262 krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
263 krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );
264
265 /* keytab from config */
266 strncpy( ktbuf, cfg->keytab, sizeof( ktbuf ) - 1 );
267
268 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
269 "mod_waklog: waklog_kinit using: %s", ktbuf );
270
271 if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
272 ap_log_error( APLOG_MARK, APLOG_ERR, s,
273 (char *)error_message( kerror ));
274
275 goto cleanup;
276 }
277
278 /* get the krbtgt */
279 if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds,
280 kprinc, keytab, 0, NULL, &kopts ))) {
281
282 ap_log_error( APLOG_MARK, APLOG_ERR, s,
283 (char *)error_message( kerror ));
284
285 goto cleanup;
286 }
287
288 if (( kerror = krb5_verify_init_creds( kcontext, &v5creds,
289 kprinc, keytab, NULL, NULL )) != 0 ) {
290
291 ap_log_error( APLOG_MARK, APLOG_ERR, s,
292 (char *)error_message( kerror ));
293
294 goto cleanup;
295 }
296
297 if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
298 ap_log_error( APLOG_MARK, APLOG_ERR, s,
299 (char *)error_message( kerror ));
300
301 goto cleanup;
302 }
303
304 kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds );
305 krb5_free_cred_contents( kcontext, &v5creds );
306 if ( kerror != 0 ) {
307 ap_log_error( APLOG_MARK, APLOG_ERR, s,
308 (char *)error_message( kerror ));
309
310 goto cleanup;
311 }
312
313 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
314 "mod_waklog: waklog_kinit success" );
315
316 cleanup:
317 if ( keytab )
318 (void)krb5_kt_close( kcontext, keytab );
319 if ( kprinc )
320 krb5_free_principal( kcontext, kprinc );
321 if ( kccache )
322 krb5_cc_close( kcontext, kccache );
323 if ( kcontext )
324 krb5_free_context( kcontext );
325
326 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
327 "mod_waklog: waklog_kinit: exiting" );
328
329 return( 0 );
330 }
331
332
333 static void
334 waklog_aklog( request_rec *r )
335 {
336 int rc;
337 char buf[ 2048 ];
338 const char *k4path = NULL;
339 const char *k5path = NULL;
340 krb5_error_code kerror;
341 krb5_context kcontext = NULL;
342 krb5_creds increds;
343 krb5_creds *v5credsp = NULL;
344 krb5_ccache kccache = NULL;
345 struct ktc_principal server = { "afs", "", "" };
346 struct ktc_principal client;
347 struct ktc_token token;
348 waklog_host_config *cfg;
349 int buflen;
350
351 k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" );
352 k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" );
353
354 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
355 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path );
356
357 if ( !k5path || !k4path ) {
358 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
359 "mod_waklog: waklog_aklog giving up" );
360 goto cleanup;
361 }
362
363 /*
364 ** Get/build creds from file/tgs, then see if we need to SetToken
365 */
366
367 if (( kerror = krb5_init_context( &kcontext ))) {
368 /* Authentication Required ( kerberos error ) */
369 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
370 (char *)error_message( kerror ));
371
372 goto cleanup;
373 }
374
375 memset( (char *)&increds, 0, sizeof(increds));
376
377 cfg = (waklog_host_config *) ap_get_module_config(
378 r->server->module_config, &waklog_module );
379
380 /* afs/<cell> or afs */
381 strncpy( buf, "afs", sizeof( buf ) - 1 );
382 if ( strcmp( cfg->afs_cell, AFS_CELL ) ) {
383 strncat( buf, "/" , sizeof( buf ) - strlen( buf ) - 1 );
384 strncat( buf, cfg->afs_cell, sizeof( buf ) - strlen( buf ) - 1 );
385 }
386
387 /* set server part */
388 if (( kerror = krb5_parse_name( kcontext, buf, &increds.server ))) {
389 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
390 (char *)error_message( kerror ));
391
392 goto cleanup;
393 }
394
395 if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
396 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
397 (char *)error_message( kerror ));
398
399 goto cleanup;
400 }
401
402 /* set client part */
403 krb5_cc_get_principal( kcontext, kccache, &increds.client );
404
405 increds.times.endtime = 0;
406 /* Ask for DES since that is what V4 understands */
407 increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
408
409 /* get the V5 credentials */
410 if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
411 &increds, &v5credsp ) ) ) {
412 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
413 "mod_waklog: krb5_get_credentials: %s", error_message( kerror ));
414 goto cleanup;
415 }
416
417 /* don't overflor */
418 if ( v5credsp->ticket.length >= 344 ) { /* from krb524d.c */
419 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
420 "mod_waklog: ticket size (%d) to big to fake", v5credsp->ticket.length );
421 goto cleanup;
422 }
423
424 /* assemble the token */
425 memset( &token, 0, sizeof( struct ktc_token ) );
426
427 token.startTime = v5credsp->times.starttime ? v5credsp->times.starttime : v5credsp->times.authtime;
428 token.endTime = v5credsp->times.endtime;
429 memmove( &token.sessionKey, v5credsp->keyblock.contents, v5credsp->keyblock.length );
430 token.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
431 token.ticketLen = v5credsp->ticket.length;
432 memmove( token.ticket, v5credsp->ticket.data, token.ticketLen );
433
434 /* make sure we have to do this */
435 if ( child.token.kvno != token.kvno ||
436 child.token.ticketLen != token.ticketLen ||
437 (memcmp( &child.token.sessionKey, &token.sessionKey,
438 sizeof( token.sessionKey ) )) ||
439 (memcmp( child.token.ticket, token.ticket, token.ticketLen )) ) {
440
441 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
442 "mod_waklog: client: %s", buf );
443
444 /* build the name */
445 memmove( buf, v5credsp->client->data[0].data, v5credsp->client->data[0].length );
446 buf[ v5credsp->client->data[0].length ] = '\0';
447 if ( v5credsp->client->length > 1 ) {
448 strncat( buf, ".", sizeof( buf ) - strlen( buf ) - 1 );
449 buflen = strlen( buf );
450 memmove( buf + buflen, v5credsp->client->data[1].data, v5credsp->client->data[1].length );
451 buf[ buflen + v5credsp->client->data[1].length ] = '\0';
452 }
453
454 /* assemble the client */
455 strncpy( client.name, buf, sizeof( client.name ) - 1 );
456 strncpy( client.instance, "", sizeof( client.instance) - 1 );
457 memmove( buf, v5credsp->client->realm.data, v5credsp->client->realm.length );
458 buf[ v5credsp->client->realm.length ] = '\0';
459 strncpy( client.cell, buf, sizeof( client.cell ) - 1 );
460
461 /* assemble the server's cell */
462 strncpy( server.cell, cfg->afs_cell , sizeof( server.cell ) - 1 );
463
464 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
465 "mod_waklog: server: name=%s, instance=%s, cell=%s",
466 server.name, server.instance, server.cell );
467
468 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
469 "mod_waklog: client: name=%s, instance=%s, cell=%s",
470 client.name, client.instance, client.cell );
471
472 /* use the path */
473 krb_set_tkt_string( (char *)k4path );
474
475 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
476 write( 2, "", 0 );
477
478 if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
479 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
480 "mod_waklog: settoken returned %d", rc );
481 goto cleanup;
482 }
483
484 /* save this */
485 memmove( &child.token, &token, sizeof( struct ktc_token ) );
486
487 /* we'll need to unlog when this connection is done. */
488 ap_register_cleanup( r->pool, (void *)r, token_cleanup, ap_null_cleanup );
489 }
490
491 cleanup:
492 if ( v5credsp )
493 krb5_free_cred_contents( kcontext, v5credsp );
494 if ( increds.client )
495 krb5_free_principal( kcontext, increds.client );
496 if ( increds.server )
497 krb5_free_principal( kcontext, increds.server );
498 if ( kccache )
499 krb5_cc_close( kcontext, kccache );
500 if ( kcontext )
501 krb5_free_context( kcontext );
502
503 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
504 "mod_waklog: finished with waklog_aklog" );
505
506 return;
507
508 }
509
510 static int
511 waklog_child_routine( void *s, child_info *pinfo )
512 {
513 if ( !getuid() ) {
514 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
515 "mod_waklog: waklog_child_routine called as root" );
516
517 /* this was causing the credential file to get owned by root */
518 setgid(ap_group_id);
519 setuid(ap_user_id);
520 }
521
522 while( 1 ) {
523 waklog_kinit( s );
524 sleep( SLEEP_TIME );
525 }
526
527 }
528
529
530 static void
531 waklog_init( server_rec *s, pool *p )
532 {
533 extern char *version;
534 int pid;
535
536 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
537 "mod_waklog: version %s initialized.", version );
538
539 pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
540 NULL, NULL, NULL );
541
542 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
543 "mod_waklog: ap_bspawn_child: %d.", pid );
544 }
545
546
547 static int
548 waklog_phase0( request_rec *r )
549 {
550 waklog_host_config *cfg;
551
552 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
553 "mod_waklog: phase0 called" );
554
555 /* directory config? */
556 cfg = (waklog_host_config *)ap_get_module_config(
557 r->per_dir_config, &waklog_module);
558
559 /* server config? */
560 if ( !cfg->configured ) {
561 cfg = (waklog_host_config *)ap_get_module_config(
562 r->server->module_config, &waklog_module);
563 }
564
565 if ( !cfg->protect ) {
566 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
567 "mod_waklog: phase0 declining" );
568 return( DECLINED );
569 }
570
571 /* do this only if we are still unauthenticated */
572 if ( !child.token.ticketLen ) {
573
574 /* set our environment variables */
575 ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
576 ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH );
577
578 /* stuff the credentials into the kernel */
579 waklog_aklog( r );
580 }
581
582 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
583 "mod_waklog: phase0 returning" );
584 return DECLINED;
585 }
586
587
588 static int
589 waklog_phase7( request_rec *r )
590 {
591 waklog_host_config *cfg;
592
593 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
594 "mod_waklog: phase7 called" );
595
596 /* directory config? */
597 cfg = (waklog_host_config *)ap_get_module_config(
598 r->per_dir_config, &waklog_module);
599
600 /* server config? */
601 if ( !cfg->configured ) {
602 cfg = (waklog_host_config *)ap_get_module_config(
603 r->server->module_config, &waklog_module);
604 }
605
606 if ( !cfg->protect ) {
607 return( DECLINED );
608 }
609
610 /* stuff the credentials into the kernel */
611 waklog_aklog( r );
612
613 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
614 "mod_waklog: phase7 returning" );
615
616 return DECLINED;
617 }
618
619 static void
620 waklog_new_connection( conn_rec *c ) {
621 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server,
622 "mod_waklog: new_connection called: pid: %d", getpid() );
623 return;
624 }
625
626 module MODULE_VAR_EXPORT waklog_module = {
627 STANDARD_MODULE_STUFF,
628 waklog_init, /* module initializer */
629 waklog_create_dir_config, /* create per-dir config structures */
630 NULL, /* merge per-dir config structures */
631 waklog_create_server_config, /* create per-server config structures */
632 NULL, /* merge per-server config structures */
633 waklog_cmds, /* table of config file commands */
634 NULL, /* [#8] MIME-typed-dispatched handlers */
635 NULL, /* [#1] URI to filename translation */
636 NULL, /* [#4] validate user id from request */
637 NULL, /* [#5] check if the user is ok _here_ */
638 NULL, /* [#3] check access by host address */
639 NULL, /* [#6] determine MIME type */
640 waklog_phase7, /* [#7] pre-run fixups */
641 NULL, /* [#9] log a transaction */
642 NULL, /* [#2] header parser */
643 waklog_child_init, /* child_init */
644 NULL, /* child_exit */
645 waklog_phase0 /* [#0] post read-request */
646 #ifdef EAPI
647 ,NULL, /* EAPI: add_module */
648 NULL, /* EAPI: remove_module */
649 NULL, /* EAPI: rewrite_command */
650 waklog_new_connection /* EAPI: new_connection */
651 #endif
652 };
Unnamed repository; edit this file 'description' to name the repository.