Add option to select acceptor name

simo5 · simo5 · commit 5ffeb6cdcefe · 2017-02-23T19:22:17.000-05:00
This optionis usueful to select and allow only a specific credential
when keys for multiple principals are available in a keytab.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/README b/README
@@ -398,3 +398,23 @@ an additional message that provides more context.
 
 - **Enable with:** GssapiPublishErrors On
 - **Default:** GssapiPublishErrors Off
+
+
+### GssapiAcceptorName
+
+This option is used to force the server to accept only for a specific name.
+
+This allows, for example to select to use a specific credential when multiple
+keys are provided in a keytab.
+
+Note: By default no name is set and any name in a keytab or mechanism specific
+acceptor credential will be allowed.
+
+Note: Global gssapi options set in krb5.conf like 'ignore_acceptor_hostname'
+may affect the ability to restrict names.
+
+Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example).
+
+#### Example
+    GssapiAcceptorName HTTP@www.example.com
+
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
@@ -189,11 +189,11 @@ static bool mag_acquire_creds(request_rec *req,
 #ifdef HAVE_CRED_STORE
     gss_const_key_value_set_t store = cfg->cred_store;
 
-    maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+    maj = gss_acquire_cred_from(&min, cfg->acceptor_name, GSS_C_INDEFINITE,
                                 desired_mechs, cred_usage, store, creds,
                                 actual_mechs, NULL);
 #else
-    maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+    maj = gss_acquire_cred(&min, cfg->acceptor_name, GSS_C_INDEFINITE,
                            desired_mechs, cred_usage, creds,
                            actual_mechs, NULL);
 #endif
@@ -1706,6 +1706,23 @@ static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig,
 }
 #endif
 
+static const char *mag_acceptor_name(cmd_parms *parms, void *mconfig,
+                                     const char *w)
+{
+    struct mag_config *cfg = (struct mag_config *)mconfig;
+    gss_buffer_desc bufnam = { strlen(w), (void *)w };
+    uint32_t maj, min;
+
+    maj = gss_import_name(&min, &bufnam, GSS_C_NT_HOSTBASED_SERVICE,
+                          &cfg->acceptor_name);
+    if (GSS_ERROR(maj)) {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, parms->server,
+                     "gss_import_name([%s]) failed", w);
+    }
+
+    return NULL;
+}
+
 static void *mag_create_server_config(apr_pool_t *p, server_rec *s)
 {
     struct mag_server_config *scfg;
@@ -1780,6 +1797,8 @@ static const command_rec mag_commands[] = {
     AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot,
                  (void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG,
                  "Publish GSSAPI Errors in Envionment Variables"),
+    AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG,
+                     "Name of the acceptor credentials."),
     { NULL }
 };
 
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
@@ -92,6 +92,7 @@ struct mag_config {
     bool negotiate_once;
     struct mag_name_attributes *name_attributes;
     bool enverrs;
+    gss_name_t acceptor_name;
 };
 
 struct mag_server_config {
diff --git a/tests/httpd.conf b/tests/httpd.conf
@@ -200,6 +200,17 @@ CoreDumpDirectory "${HTTPROOT}"
   Require valid-user
 </Location>
 
+<Location /bad_acceptor_name>
+  AuthType GSSAPI
+  AuthName "Bad Acceptor Name"
+  GssapiSSLonly Off
+  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiAcceptorName BAD@example.com
+  Require valid-user
+</Location>
+
 <VirtualHost *:${PROXYPORT}>
   ProxyRequests On
   ProxyVia On
diff --git a/tests/magtests.py b/tests/magtests.py
@@ -391,6 +391,23 @@ def test_basic_auth_krb5(testdir, testenv, testlog):
             sys.stderr.write('BASIC Proxy Auth: SUCCESS\n')
 
 
+def test_bad_acceptor_name(testdir, testenv, testlog):
+
+    bandir = os.path.join(testdir, 'httpd', 'html', 'bad_acceptor_name')
+    os.mkdir(bandir)
+    shutil.copy('tests/index.html', bandir)
+
+    with (open(testlog, 'a')) as logfile:
+        ban = subprocess.Popen(["tests/t_bad_acceptor_name.py"],
+                               stdout=logfile, stderr=logfile,
+                               env=testenv, preexec_fn=os.setsid)
+        ban.wait()
+        if ban.returncode != 0:
+            sys.stderr.write('BAD ACCEPTOR: SUCCESS\n')
+        else:
+            sys.stderr.write('BAD ACCEPTOR: FAILED\n')
+
+
 if __name__ == '__main__':
 
     args = parse_args()
@@ -425,6 +442,8 @@ def test_basic_auth_krb5(testdir, testenv, testlog):
 
         test_spnego_negotiate_once(testdir, testenv, testlog)
 
+        test_bad_acceptor_name(testdir, testenv, testlog)
+
         testenv = {'MAG_USER_NAME': USR_NAME,
                    'MAG_USER_PASSWORD': USR_PWD,
                    'MAG_USER_NAME_2': USR_NAME_2,
