HCoop / hcoop / zz_old / modwaklog.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
buffer issues
[hcoop/zz_old/modwaklog.git] / mod_waklog.c
1 #include "httpd.h"
2 #include "http_config.h"
3 #include "http_conf_globals.h"
4 #include "http_log.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
7 #include "http_core.h"
8 #include "ap_config.h"
9 #include <krb5.h>
10
11 #if defined(sun)
12 #include <sys/ioccom.h>
13 #endif /* sun */
14 #include <stropts.h>
15 #include <kerberosIV/krb.h>
16 #include <kerberosIV/des.h>
17 #include <afs/venus.h>
18 #include <afs/auth.h>
19 #include <rx/rxkad.h>
20
21 #include <asm/bitops.h>
22 #include <sys/shm.h>
23
24 #define KEYTAB_PATH "/home/drh/keytab.umweb.drhtest"
25 #define PRINCIPAL "umweb/drhtest"
26
27 #define K5PATH "FILE:/tmp/waklog.creds.k5"
28 #define K4PATH "/tmp/waklog.creds.k4"
29
30 module waklog_module;
31
32 struct ClearToken {
33 long AuthHandle;
34 char HandShakeKey[ 8 ];
35 long ViceId;
36 long BeginTimestamp;
37 long EndTimestamp;
38 };
39
40 typedef struct {
41 int configured;
42 int protect;
43 char *keytab;
44 char *keytab_principal;
45 char *afs_cell;
46 } waklog_host_config;
47
48 typedef struct {
49 struct ktc_token token;
50 } waklog_child_config;
51 waklog_child_config *child = NULL;
52
53
54 static void *
55 waklog_create_dir_config( pool *p, char *path )
56 {
57 waklog_host_config *cfg;
58
59 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
60 cfg->configured = 0;
61 cfg->protect = 0;
62 cfg->keytab = 0;
63 cfg->keytab_principal = 0;
64 cfg->afs_cell = "umich.edu";
65
66 return( cfg );
67 }
68
69
70 static void *
71 waklog_create_server_config( pool *p, server_rec *s )
72 {
73 waklog_host_config *cfg;
74
75 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
76 cfg->configured = 0;
77 cfg->protect = 0;
78 cfg->keytab = 0;
79 cfg->keytab_principal = 0;
80 cfg->afs_cell = "umich.edu";
81
82 return( cfg );
83 }
84
85
86 static const char *
87 set_waklog_protect( cmd_parms *params, void *mconfig, int flag )
88 {
89 waklog_host_config *cfg;
90
91 if ( params->path == NULL ) {
92 cfg = (waklog_host_config *) ap_get_module_config(
93 params->server->module_config, &waklog_module );
94 } else {
95 cfg = (waklog_host_config *)mconfig;
96 }
97
98 cfg->protect = flag;
99 cfg->configured = 1;
100 return( NULL );
101 }
102
103
104 static const char *
105 set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file )
106 {
107 waklog_host_config *cfg;
108
109 if ( params->path == NULL ) {
110 cfg = (waklog_host_config *) ap_get_module_config(
111 params->server->module_config, &waklog_module );
112 } else {
113 cfg = (waklog_host_config *)mconfig;
114 }
115
116 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
117 "mod_waklog: using keytab: %s", file );
118
119 cfg->keytab = file;
120 cfg->configured = 1;
121 return( NULL );
122 }
123
124
125 static void
126 waklog_child_init( server_rec *s, pool *p )
127 {
128
129 if ( child == NULL ) {
130 child = (waklog_child_config *) ap_palloc( p, sizeof( waklog_child_config ) );
131 }
132
133 memset( &child->token, 0, sizeof( struct ktc_token ) );
134
135 setpag();
136
137 return;
138 }
139
140
141 command_rec waklog_cmds[ ] =
142 {
143 { "WaklogProtected", set_waklog_protect,
144 NULL, RSRC_CONF | ACCESS_CONF, FLAG,
145 "enable waklog on a location or directory basis" },
146
147 { "WaklogUseKeytab", set_waklog_use_keytab,
148 NULL, RSRC_CONF, TAKE1,
149 "Use the supplied keytab file rather than the user's TGT" },
150
151 { NULL }
152 };
153
154
155 static void
156 token_cleanup( void *data )
157 {
158 request_rec *r = (request_rec *)data;
159
160 if ( child->token.ticketLen ) {
161 memset( &child->token, 0, sizeof( struct ktc_token ) );
162
163 ktc_ForgetAllTokens();
164
165 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
166 "mod_waklog: ktc_ForgetAllTokens succeeded" );
167 }
168 return;
169 }
170
171
172 static int
173 waklog_kinit( server_rec *s )
174 {
175 krb5_error_code kerror;
176 krb5_context kcontext = NULL;
177 krb5_principal kprinc = NULL;
178 krb5_get_init_creds_opt kopts;
179 krb5_creds v5creds;
180 CREDENTIALS v4creds;
181 krb5_ccache kccache = NULL;
182 krb5_keytab keytab = NULL;
183 char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
184 waklog_host_config *cfg;
185
186 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
187 "mod_waklog: waklog_kinit called" );
188
189 if (( kerror = krb5_init_context( &kcontext ))) {
190 ap_log_error( APLOG_MARK, APLOG_ERR, s,
191 (char *)error_message( kerror ));
192
193 goto cleanup;
194 }
195
196 /* use the path */
197 if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
198 ap_log_error( APLOG_MARK, APLOG_ERR, s,
199 (char *)error_message( kerror ));
200
201 goto cleanup;
202 }
203
204 if (( kerror = krb5_parse_name( kcontext, PRINCIPAL, &kprinc ))) {
205 ap_log_error( APLOG_MARK, APLOG_ERR, s,
206 (char *)error_message( kerror ));
207
208 goto cleanup;
209 }
210
211 krb5_get_init_creds_opt_init( &kopts );
212 krb5_get_init_creds_opt_set_tkt_life( &kopts, 10*60*60 );
213 krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
214 krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
215 krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );
216
217 cfg = (waklog_host_config *) ap_get_module_config( s->module_config,
218 &waklog_module );
219
220 /* which keytab should we use? */
221 strncpy( ktbuf, cfg->keytab ? cfg->keytab : KEYTAB_PATH, sizeof( ktbuf ) - 1 );
222
223 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
224 "mod_waklog: waklog_kinit using: %s", ktbuf );
225
226 if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
227 ap_log_error( APLOG_MARK, APLOG_ERR, s,
228 (char *)error_message( kerror ));
229
230 goto cleanup;
231 }
232
233 /* get the krbtgt */
234 if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds,
235 kprinc, keytab, 0, NULL, &kopts ))) {
236
237 ap_log_error( APLOG_MARK, APLOG_ERR, s,
238 (char *)error_message( kerror ));
239
240 goto cleanup;
241 }
242
243 if (( kerror = krb5_verify_init_creds( kcontext, &v5creds,
244 kprinc, keytab, NULL, NULL )) != 0 ) {
245
246 ap_log_error( APLOG_MARK, APLOG_ERR, s,
247 (char *)error_message( kerror ));
248
249 goto cleanup;
250 }
251
252 if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
253 ap_log_error( APLOG_MARK, APLOG_ERR, s,
254 (char *)error_message( kerror ));
255
256 goto cleanup;
257 }
258
259 kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds );
260 krb5_free_cred_contents( kcontext, &v5creds );
261 if ( kerror != 0 ) {
262 ap_log_error( APLOG_MARK, APLOG_ERR, s,
263 (char *)error_message( kerror ));
264
265 goto cleanup;
266 }
267
268 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
269 "mod_waklog: waklog_kinit success" );
270
271 cleanup:
272 if ( keytab )
273 (void)krb5_kt_close( kcontext, keytab );
274 if ( kprinc )
275 krb5_free_principal( kcontext, kprinc );
276 if ( kccache )
277 krb5_cc_close( kcontext, kccache );
278 if ( kcontext )
279 krb5_free_context( kcontext );
280
281 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
282 "mod_waklog: waklog_kinit: exiting" );
283
284 return( 0 );
285 }
286
287
288 static void
289 waklog_aklog( request_rec *r )
290 {
291 int rc;
292 char buf[ 1024 ];
293 const char *k4path = NULL;
294 const char *k5path = NULL;
295 krb5_error_code kerror;
296 krb5_context kcontext = NULL;
297 krb5_creds increds;
298 krb5_creds *v5credsp = NULL;
299 CREDENTIALS v4creds;
300 krb5_ccache kccache = NULL;
301 struct ktc_principal server = { "afs", "", "" };
302 struct ktc_principal client;
303 struct ktc_token token;
304 waklog_host_config *cfg;
305
306 k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" );
307 k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" );
308
309 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
310 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path );
311
312 if ( !k5path || !k4path ) {
313 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
314 "mod_waklog: waklog_aklog giving up" );
315 goto cleanup;
316 }
317
318 /*
319 ** Get/build creds from file/tgs, then see if we need to SetToken
320 */
321
322 if (( kerror = krb5_init_context( &kcontext ))) {
323 /* Authentication Required ( kerberos error ) */
324 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
325 (char *)error_message( kerror ));
326
327 goto cleanup;
328 }
329
330 krb524_init_ets(kcontext);
331
332 memset( (char *)&increds, 0, sizeof(increds));
333
334 cfg = (waklog_host_config *) ap_get_module_config(
335 r->server->module_config, &waklog_module );
336
337 /* afs/<cell> or afs */
338 strncpy( buf, "afs", sizeof( buf ) - 1 );
339 if ( strcmp( cfg->afs_cell, "umich.edu" ) ) {
340 strncat( buf, "/" , sizeof( buf ) - strlen( buf ) - 1 );
341 strncat( buf, cfg->afs_cell, sizeof( buf ) - strlen( buf ) - 1 );
342 }
343
344 /* set server part */
345 if (( kerror = krb5_parse_name( kcontext, buf, &increds.server ))) {
346 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
347 (char *)error_message( kerror ));
348
349 goto cleanup;
350 }
351
352 if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
353 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
354 (char *)error_message( kerror ));
355
356 goto cleanup;
357 }
358
359 /* set client part */
360 krb5_cc_get_principal( kcontext, kccache, &increds.client );
361
362 increds.times.endtime = 0;
363 /* Ask for DES since that is what V4 understands */
364 increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
365
366 /* get the V5 credentials */
367 if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
368 &increds, &v5credsp ) ) ) {
369 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
370 "mod_waklog: krb5_get_credentials: %s", error_message( kerror ));
371 goto cleanup;
372 }
373
374 /* get the V4 credentials */
375 if (( kerror = krb524_convert_creds_kdc( kcontext, v5credsp, &v4creds ) ) ) {
376 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
377 "mod_waklog: krb524_convert_creds_kdc: %s", error_message( kerror ));
378 goto cleanup;
379 }
380
381 /* assemble the token */
382 token.kvno = v4creds.kvno;
383 token.startTime = v4creds.issue_date;
384 token.endTime = v5credsp->times.endtime;
385 memmove( &token.sessionKey, v4creds.session, 8 );
386 token.ticketLen = v4creds.ticket_st.length ;
387 memmove( token.ticket, v4creds.ticket_st.dat, token.ticketLen );
388
389 /* make sure we have to do this */
390 if ( child->token.kvno != token.kvno ||
391 child->token.ticketLen != token.ticketLen ||
392 memcmp( &child->token.sessionKey, &token.sessionKey,
393 sizeof( token.sessionKey ) ) ||
394 memcmp( child->token.ticket, token.ticket, token.ticketLen ) ) {
395
396 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
397 "mod_waklog: %s.%s@%s", v4creds.service, v4creds.instance,
398 v4creds.realm );
399 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
400 "mod_waklog: %d %d %d", v4creds.lifetime, v4creds.kvno,
401 v4creds.issue_date );
402 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
403 "mod_waklog: %s %s", v4creds.pname, v4creds.pinst );
404 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
405 "mod_waklog: %d", v4creds.ticket_st.length );
406
407 /* build the name */
408 strncpy( buf, v4creds.pname, sizeof( buf ) - 1 );
409 if ( v4creds.pinst[ 0 ] ) {
410 strncat( buf, ".", sizeof( buf ) - strlen( buf ) - 1 );
411 strncat( buf, v4creds.pinst, sizeof( buf ) - strlen( buf ) - 1 );
412 }
413
414 /* assemble the client */
415 strncpy( client.name, buf, sizeof( client.name ) - 1 );
416 strncpy( client.instance, "", sizeof( client.instance) - 1 );
417 strncpy( client.cell, v4creds.realm, sizeof( client.cell ) - 1 );
418
419 strncpy( server.cell, cfg->afs_cell , sizeof( server.cell ) - 1 );
420
421 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
422 "mod_waklog: server: name=%s, instance=%s, cell=%s",
423 server.name, server.instance, server.cell );
424
425 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
426 "mod_waklog: client: name=%s, instance=%s, cell=%s",
427 client.name, client.instance, client.cell );
428
429 /* use the path */
430 krb_set_tkt_string( (char *)k4path );
431
432 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
433 write( 2, "", 0 );
434
435 if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
436 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
437 "mod_waklog: settoken returned %d", rc );
438 }
439
440 /* save this */
441 memmove( &child->token, &token, sizeof( struct ktc_token ) );
442
443 /* we'll need to unlog when this connection is done. */
444 ap_register_cleanup( r->pool, (void *)r, token_cleanup, ap_null_cleanup );
445 }
446
447 cleanup:
448 if ( v5credsp )
449 krb5_free_cred_contents( kcontext, v5credsp );
450 if ( increds.client )
451 krb5_free_principal( kcontext, increds.client );
452 if ( increds.server )
453 krb5_free_principal( kcontext, increds.server );
454 if ( kccache )
455 krb5_cc_close( kcontext, kccache );
456 if ( kcontext )
457 krb5_free_context( kcontext );
458
459 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
460 "mod_waklog: finished with waklog_aklog" );
461
462 return;
463
464 }
465
466 static int
467 waklog_child_routine( void *s, child_info *pinfo )
468 {
469 if ( !getuid() ) {
470 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
471 "mod_waklog: waklog_child_routine called as root" );
472
473 /* this was causing the credential file to get owned by root */
474 setgid(ap_group_id);
475 setuid(ap_user_id);
476 }
477
478 while( 1 ) {
479 waklog_kinit( s );
480 sleep( 300 /* 10*60*60 - 5*60 */ );
481 }
482
483 }
484
485
486 static void
487 waklog_init( server_rec *s, pool *p )
488 {
489 extern char *version;
490 int pid;
491
492 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
493 "mod_waklog: version %s initialized.", version );
494
495 pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
496 NULL, NULL, NULL );
497
498 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
499 "mod_waklog: ap_bspawn_child: %d.", pid );
500 }
501
502
503 static int
504 waklog_phase0( request_rec *r )
505 {
506 waklog_host_config *cfg;
507
508 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
509 "mod_waklog: phase0 called" );
510
511 /* directory config? */
512 cfg = (waklog_host_config *)ap_get_module_config(
513 r->per_dir_config, &waklog_module);
514
515 /* server config? */
516 if ( !cfg->configured ) {
517 cfg = (waklog_host_config *)ap_get_module_config(
518 r->server->module_config, &waklog_module);
519 }
520
521 if ( !cfg->protect ) {
522 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
523 "mod_waklog: phase0 declining" );
524 return( DECLINED );
525 }
526
527 /* do this only if we are still unauthenticated */
528 if ( !child->token.ticketLen ) {
529
530 /* set our environment variables */
531 ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
532 ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH );
533
534 /* stuff the credentials into the kernel */
535 waklog_aklog( r );
536 }
537
538 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
539 "mod_waklog: phase0 returning" );
540 return DECLINED;
541 }
542
543
544 static int
545 waklog_phase7( request_rec *r )
546 {
547 waklog_host_config *cfg;
548
549 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
550 "mod_waklog: phase7 called" );
551
552 /* directory config? */
553 cfg = (waklog_host_config *)ap_get_module_config(
554 r->per_dir_config, &waklog_module);
555
556 /* server config? */
557 if ( !cfg->configured ) {
558 cfg = (waklog_host_config *)ap_get_module_config(
559 r->server->module_config, &waklog_module);
560 }
561
562 if ( !cfg->protect ) {
563 return( DECLINED );
564 }
565
566 /* stuff the credentials into the kernel */
567 waklog_aklog( r );
568
569 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
570 "mod_waklog: phase7 returning" );
571
572 return DECLINED;
573 }
574
575 static void
576 waklog_new_connection( conn_rec *c ) {
577 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server,
578 "mod_waklog: new_connection called: conn_rec: 0x%08x pid: %d", c, getpid() );
579 return;
580 }
581
582 module MODULE_VAR_EXPORT waklog_module = {
583 STANDARD_MODULE_STUFF,
584 waklog_init, /* module initializer */
585 waklog_create_dir_config, /* create per-dir config structures */
586 NULL, /* merge per-dir config structures */
587 waklog_create_server_config, /* create per-server config structures */
588 NULL, /* merge per-server config structures */
589 waklog_cmds, /* table of config file commands */
590 NULL, /* [#8] MIME-typed-dispatched handlers */
591 NULL, /* [#1] URI to filename translation */
592 NULL, /* [#4] validate user id from request */
593 NULL, /* [#5] check if the user is ok _here_ */
594 NULL, /* [#3] check access by host address */
595 NULL, /* [#6] determine MIME type */
596 waklog_phase7, /* [#7] pre-run fixups */
597 NULL, /* [#9] log a transaction */
598 NULL, /* [#2] header parser */
599 waklog_child_init, /* child_init */
600 NULL, /* child_exit */
601 waklog_phase0 /* [#0] post read-request */
602 #ifdef EAPI
603 ,NULL, /* EAPI: add_module */
604 NULL, /* EAPI: remove_module */
605 NULL, /* EAPI: rewrite_command */
606 waklog_new_connection /* EAPI: new_connection */
607 #endif
608 };
Unnamed repository; edit this file 'description' to name the repository.