HCoop / hcoop / zz_old / modwaklog.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
"#if 0" removed
[hcoop/zz_old/modwaklog.git] / mod_waklog.c
1 #include "httpd.h"
2 #include "http_config.h"
3 #include "http_conf_globals.h"
4 #include "http_log.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
7 #include "http_core.h"
8 #include "ap_config.h"
9 #include <krb5.h>
10
11 #if defined(sun)
12 #include <sys/ioccom.h>
13 #endif /* sun */
14 #include <stropts.h>
15 #include <kerberosIV/krb.h>
16 #include <kerberosIV/des.h>
17 #include <afs/venus.h>
18 #include <afs/auth.h>
19 #include <rx/rxkad.h>
20
21 #include <asm/bitops.h>
22 #include <sys/shm.h>
23
24 #define KEYTAB_PATH "/home/drh/keytab.umweb.drhtest"
25 #define PRINCIPAL "umweb/drhtest"
26 #define AFS "afs"
27 #define IN_TKT_SERVICE "krbtgt/UMICH.EDU"
28
29 #define K5PATH "FILE:/tmp/waklog.creds.k5"
30 #define K4PATH "/tmp/waklog.creds.k4"
31
32 module waklog_module;
33
34 struct ClearToken {
35 long AuthHandle;
36 char HandShakeKey[ 8 ];
37 long ViceId;
38 long BeginTimestamp;
39 long EndTimestamp;
40 };
41
42 typedef struct {
43 int configured;
44 int protect;
45 char *keytab;
46 char *keytab_principal;
47 char *afs_instance;
48 } waklog_host_config;
49
50 typedef struct {
51 struct ktc_token token;
52 } waklog_child_config;
53 waklog_child_config *child = NULL;
54
55
56 static void *
57 waklog_create_dir_config( pool *p, char *path )
58 {
59 waklog_host_config *cfg;
60
61 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
62 cfg->configured = 0;
63 cfg->protect = 0;
64 cfg->keytab = 0;
65 cfg->keytab_principal = 0;
66 cfg->afs_instance = 0;
67
68 return( cfg );
69 }
70
71
72 static void *
73 waklog_create_server_config( pool *p, server_rec *s )
74 {
75 waklog_host_config *cfg;
76
77 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
78 cfg->configured = 0;
79 cfg->protect = 0;
80 cfg->keytab = 0;
81 cfg->keytab_principal = 0;
82 cfg->afs_instance = 0;
83
84 return( cfg );
85 }
86
87
88 static const char *
89 set_waklog_protect( cmd_parms *params, void *mconfig, int flag )
90 {
91 waklog_host_config *cfg;
92
93 if ( params->path == NULL ) {
94 cfg = (waklog_host_config *) ap_get_module_config(
95 params->server->module_config, &waklog_module );
96 } else {
97 cfg = (waklog_host_config *)mconfig;
98 }
99
100 cfg->protect = flag;
101 cfg->configured = 1;
102 return( NULL );
103 }
104
105
106 static const char *
107 set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file )
108 {
109 waklog_host_config *cfg;
110
111 if ( params->path == NULL ) {
112 cfg = (waklog_host_config *) ap_get_module_config(
113 params->server->module_config, &waklog_module );
114 } else {
115 cfg = (waklog_host_config *)mconfig;
116 }
117
118 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
119 "mod_waklog: using keytab: %s", file );
120
121 cfg->keytab = file;
122 cfg->configured = 1;
123 return( NULL );
124 }
125
126
127 static void
128 waklog_child_init( server_rec *s, pool *p )
129 {
130
131 if ( child == NULL ) {
132 child = (waklog_child_config *) ap_palloc( p, sizeof( waklog_child_config ) );
133 }
134
135 memset( &child->token, 0, sizeof( struct ktc_token ) );
136
137 setpag();
138
139 return;
140 }
141
142
143 command_rec waklog_cmds[ ] =
144 {
145 { "WaklogProtected", set_waklog_protect,
146 NULL, RSRC_CONF | ACCESS_CONF, FLAG,
147 "enable waklog on a location or directory basis" },
148
149 { "WaklogUseKeytab", set_waklog_use_keytab,
150 NULL, RSRC_CONF, TAKE1,
151 "Use the supplied keytab file rather than the user's TGT" },
152
153 { NULL }
154 };
155
156
157 static void
158 pioctl_cleanup( void *data )
159 {
160 request_rec *r = (request_rec *)data;
161
162 if ( child->token.ticketLen ) {
163 memset( &child->token, 0, sizeof( struct ktc_token ) );
164
165 ktc_ForgetAllTokens();
166
167 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
168 "mod_waklog: ktc_ForgetAllTokens succeeded" );
169 }
170 return;
171 }
172
173
174 static int
175 waklog_ktinit( server_rec *s )
176 {
177 krb5_error_code kerror;
178 krb5_context kcontext;
179 krb5_principal kprinc;
180 krb5_get_init_creds_opt kopts;
181 krb5_creds v5creds;
182 CREDENTIALS v4creds;
183 krb5_ccache kccache;
184 krb5_keytab keytab = 0;
185 char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
186 krb5_timestamp now;
187 waklog_host_config *cfg;
188
189 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
190 "mod_waklog: waklog_ktinit called" );
191
192 if (( kerror = krb5_init_context( &kcontext ))) {
193 ap_log_error( APLOG_MARK, APLOG_ERR, s,
194 (char *)error_message( kerror ));
195
196 goto cleanup1;
197 }
198
199 /* use the path */
200 if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
201 ap_log_error( APLOG_MARK, APLOG_ERR, s,
202 (char *)error_message( kerror ));
203
204 goto cleanup2;
205 }
206
207 if (( kerror = krb5_parse_name( kcontext, PRINCIPAL, &kprinc ))) {
208 ap_log_error( APLOG_MARK, APLOG_ERR, s,
209 (char *)error_message( kerror ));
210
211 goto cleanup3;
212 }
213
214 krb5_get_init_creds_opt_init( &kopts );
215 krb5_get_init_creds_opt_set_tkt_life( &kopts, 10*60*60 );
216 krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
217 krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
218 krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );
219
220 cfg = (waklog_host_config *) ap_get_module_config( s->module_config,
221 &waklog_module );
222
223 /* which keytab should we use? */
224 strcpy( ktbuf, cfg->keytab ? cfg->keytab : KEYTAB_PATH );
225
226 if ( strlen( ktbuf ) > MAX_KEYTAB_NAME_LEN ) {
227 ap_log_error( APLOG_MARK, APLOG_ERR, s,
228 "server configuration error" );
229
230 goto cleanup4;
231 }
232
233 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
234 "mod_waklog: waklog_ktinit using: %s", ktbuf );
235
236 if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
237 ap_log_error( APLOG_MARK, APLOG_ERR, s,
238 (char *)error_message( kerror ));
239
240 goto cleanup4;
241 }
242
243 /* get the krbtgt */
244 if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds,
245 kprinc, keytab, 0, IN_TKT_SERVICE, &kopts ))) {
246
247 ap_log_error( APLOG_MARK, APLOG_ERR, s,
248 (char *)error_message( kerror ));
249
250 goto cleanup5;
251 }
252
253 if (( kerror = krb5_verify_init_creds( kcontext, &v5creds,
254 kprinc, keytab, NULL, NULL )) != 0 ) {
255
256 ap_log_error( APLOG_MARK, APLOG_ERR, s,
257 (char *)error_message( kerror ));
258
259 goto cleanup6;
260 }
261
262 if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
263 ap_log_error( APLOG_MARK, APLOG_ERR, s,
264 (char *)error_message( kerror ));
265
266 goto cleanup6;
267 }
268
269 if (( kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds )) != 0 ) {
270 ap_log_error( APLOG_MARK, APLOG_ERR, s,
271 (char *)error_message( kerror ));
272
273 goto cleanup6;
274 }
275
276 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
277 "mod_waklog: waklog_ktinit success" );
278
279 cleanup6: if ( v5creds.client == kprinc ) {
280 v5creds.client = 0;
281 }
282 krb5_free_cred_contents( kcontext, &v5creds );
283 cleanup5: (void)krb5_kt_close( kcontext, keytab );
284 cleanup4: krb5_free_principal( kcontext, kprinc );
285 cleanup3: krb5_cc_close( kcontext, kccache );
286 cleanup2: krb5_free_context( kcontext );
287 cleanup1:
288
289 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
290 "mod_waklog: waklog_ktinit: exiting" );
291
292 return( 0 );
293 }
294
295
296 static void
297 waklog_aklog( request_rec *r )
298 {
299 int rc;
300 char buf[ 1024 ];
301 const char *k4path = NULL;
302 const char *k5path = NULL;
303 krb5_error_code kerror;
304 krb5_context kcontext;
305 krb5_creds increds;
306 krb5_creds *v5credsp = NULL;
307 CREDENTIALS v4creds;
308 krb5_ccache kccache;
309 struct ktc_principal server = { "afs", "", "umich.edu" };
310 struct ktc_principal client;
311 struct ktc_token token;
312
313 k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" );
314 k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" );
315
316 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
317 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path );
318
319 if ( !k5path || !k4path ) {
320 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
321 "mod_waklog: waklog_aklog giving up" );
322 return;
323 }
324
325 /*
326 ** Get/build creds from file/tgs, then see if we need to SetToken
327 */
328
329 if (( kerror = krb5_init_context( &kcontext ))) {
330 /* Authentication Required ( kerberos error ) */
331 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
332 (char *)error_message( kerror ));
333
334 return;
335 }
336
337 memset( (char *)&increds, 0, sizeof(increds));
338
339 /* set server part */
340 if (( kerror = krb5_parse_name( kcontext, AFS, &increds.server ))) {
341 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
342 (char *)error_message( kerror ));
343
344 return;
345 }
346
347 if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
348 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
349 (char *)error_message( kerror ));
350
351 return;
352 }
353
354 /* set client part */
355 krb5_cc_get_principal( kcontext, kccache, &increds.client );
356
357 increds.times.endtime = 0;
358 /* Ask for DES since that is what V4 understands */
359 increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
360
361 /* get the V5 credentials */
362 if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
363 &increds, &v5credsp ) ) ) {
364 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
365 "mod_waklog: krb5_get_credentials: %s", krb_err_txt[ kerror ] );
366 return;
367 }
368
369 /* get the V4 credentials */
370 if (( kerror = krb524_convert_creds_kdc( kcontext, v5credsp, &v4creds ) ) ) {
371 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
372 "mod_waklog: krb524_convert_creds_kdc: %s", krb_err_txt[ kerror ] );
373 return;
374 }
375
376 /* assemble the token */
377 token.kvno = v4creds.kvno;
378 token.startTime = v4creds.issue_date;
379 token.endTime = v5credsp->times.endtime;
380 memmove( &token.sessionKey, v4creds.session, 8 );
381 token.ticketLen = v4creds.ticket_st.length ;
382 memmove( token.ticket, v4creds.ticket_st.dat, token.ticketLen );
383
384 /* make sure we have to do this */
385 if ( child->token.kvno != token.kvno ||
386 child->token.ticketLen != token.ticketLen ||
387 memcmp( &child->token.sessionKey, &token.sessionKey,
388 sizeof( token.sessionKey ) ) ||
389 memcmp( child->token.ticket, token.ticket, token.ticketLen ) ) {
390
391 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
392 "mod_waklog: %s.%s@%s", v4creds.service, v4creds.instance,
393 v4creds.realm );
394 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
395 "mod_waklog: %d %d %d", v4creds.lifetime, v4creds.kvno,
396 v4creds.issue_date );
397 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
398 "mod_waklog: %s %s", v4creds.pname, v4creds.pinst );
399 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
400 "mod_waklog: %d", v4creds.ticket_st.length );
401
402 /* build the name */
403 strcpy( buf, v4creds.pname );
404 if ( v4creds.pinst[ 0 ] ) {
405 strcat( buf, "." );
406 strcat( buf, v4creds.pinst );
407 }
408
409 /* assemble the client */
410 strncpy( client.name, buf, MAXKTCNAMELEN - 1 );
411 strcpy( client.instance, "" );
412 strncpy( client.cell, v4creds.realm, MAXKTCNAMELEN - 1 );
413
414 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
415 "mod_waklog: server: name=%s, instance=%s, cell=%s",
416 server.name, server.instance, server.cell );
417
418 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
419 "mod_waklog: client: name=%s, instance=%s, cell=%s",
420 client.name, client.instance, client.cell );
421
422 /* use the path */
423 krb_set_tkt_string( (char *)k4path );
424
425 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
426 write( 2, "", 0 );
427
428 if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
429 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
430 "mod_waklog: settoken returned %d", rc );
431 }
432
433 /* save this */
434 memmove( &child->token, &token, sizeof( struct ktc_token ) );
435
436 /* we'll need to unlog when this connection is done. */
437 ap_register_cleanup( r->pool, (void *)r, pioctl_cleanup, ap_null_cleanup );
438 }
439
440 krb5_free_cred_contents( kcontext, v5credsp );
441 krb5_free_principal( kcontext, increds.client );
442 krb5_cc_close( kcontext, kccache );
443 krb5_free_context( kcontext );
444
445 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
446 "mod_waklog: finished with waklog_aklog" );
447
448 }
449
450 static int
451 waklog_child_routine( void *s, child_info *pinfo )
452 {
453 if ( !getuid() ) {
454 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
455 "mod_waklog: waklog_child_routine called as root" );
456
457 /* this was causing the credential file to get owned by root */
458 setgid(ap_group_id);
459 setuid(ap_user_id);
460 }
461
462 while( 1 ) {
463 waklog_ktinit( s );
464 sleep( 300 /* 10*60*60 - 5*60 */ );
465 }
466
467 }
468
469
470 static void
471 waklog_init( server_rec *s, pool *p )
472 {
473 extern char *version;
474 int pid;
475
476 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
477 "mod_waklog: version %s initialized.", version );
478
479 pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
480 NULL, NULL, NULL );
481
482 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
483 "mod_waklog: ap_bspawn_child: %d.", pid );
484 }
485
486
487 static int
488 waklog_phase0( request_rec *r )
489 {
490 waklog_host_config *cfg;
491
492 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
493 "mod_waklog: phase0 called" );
494
495 /* directory config? */
496 cfg = (waklog_host_config *)ap_get_module_config(
497 r->per_dir_config, &waklog_module);
498
499 /* server config? */
500 if ( !cfg->configured ) {
501 cfg = (waklog_host_config *)ap_get_module_config(
502 r->server->module_config, &waklog_module);
503 }
504
505 if ( !cfg->protect ) {
506 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
507 "mod_waklog: phase0 declining" );
508 return( DECLINED );
509 }
510
511 /* do this only if we are still unauthenticated */
512 if ( !child->token.ticketLen ) {
513
514 /* set our environment variables */
515 ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
516 ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH );
517
518 /* stuff the credentials into the kernel */
519 waklog_aklog( r );
520 }
521
522 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
523 "mod_waklog: phase0 returning" );
524 return DECLINED;
525 }
526
527
528 static int
529 waklog_phase7( request_rec *r )
530 {
531 waklog_host_config *cfg;
532
533 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
534 "mod_waklog: phase7 called" );
535
536 /* directory config? */
537 cfg = (waklog_host_config *)ap_get_module_config(
538 r->per_dir_config, &waklog_module);
539
540 /* server config? */
541 if ( !cfg->configured ) {
542 cfg = (waklog_host_config *)ap_get_module_config(
543 r->server->module_config, &waklog_module);
544 }
545
546 if ( !cfg->protect ) {
547 return( DECLINED );
548 }
549
550 /* stuff the credentials into the kernel */
551 waklog_aklog( r );
552
553 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
554 "mod_waklog: phase7 returning" );
555
556 return DECLINED;
557 }
558
559 static void
560 waklog_new_connection( conn_rec *c ) {
561 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server,
562 "mod_waklog: new_connection called: conn_rec: 0x%08x pid: %d", c, getpid() );
563 return;
564 }
565
566 module MODULE_VAR_EXPORT waklog_module = {
567 STANDARD_MODULE_STUFF,
568 waklog_init, /* module initializer */
569 waklog_create_dir_config, /* create per-dir config structures */
570 NULL, /* merge per-dir config structures */
571 waklog_create_server_config, /* create per-server config structures */
572 NULL, /* merge per-server config structures */
573 waklog_cmds, /* table of config file commands */
574 NULL, /* [#8] MIME-typed-dispatched handlers */
575 NULL, /* [#1] URI to filename translation */
576 NULL, /* [#4] validate user id from request */
577 NULL, /* [#5] check if the user is ok _here_ */
578 NULL, /* [#3] check access by host address */
579 NULL, /* [#6] determine MIME type */
580 waklog_phase7, /* [#7] pre-run fixups */
581 NULL, /* [#9] log a transaction */
582 NULL, /* [#2] header parser */
583 waklog_child_init, /* child_init */
584 NULL, /* child_exit */
585 waklog_phase0 /* [#0] post read-request */
586 #ifdef EAPI
587 ,NULL, /* EAPI: add_module */
588 NULL, /* EAPI: remove_module */
589 NULL, /* EAPI: rewrite_command */
590 waklog_new_connection /* EAPI: new_connection */
591 #endif
592 };
Unnamed repository; edit this file 'description' to name the repository.