mod_auth_gssapi: implement basic auth forwarding #151
Conversation
(cherry picked from commit d4b190c749fcedf09354322fc8cb5922dfdf5bf6)
|
Sorry for some reason I failed to see this one when the PR was created, I'll review asap |
There was a problem hiding this comment.
I think allowing to fall back to other basic auth providers may be an ok idea, however please change the way this is configured as mentioned in inline comments.
Also you need to add documentation about the new option.
Finally it doesn't look like you ever try the internal auth if forward is set, is this intentional ? If so why ?
| @@ -835,6 +835,51 @@ static gss_OID_set mag_get_negotiate_mechs(apr_pool_t *p, gss_OID_set desired) | |||
| } | |||
| } | |||
|
|
|||
|
|
|||
| static const char *add_authn_provider(cmd_parms *cmd, void *config, | |||
There was a problem hiding this comment.
also move this function below, among the functions that deal with configuration
There was a problem hiding this comment.
This function was copy and pasted from the apache modules/aaa/mod_auth_basic.c file. The idea was to keep it 1:1 as the original function.
Currently each mod_auth_ module has implemented this function:
git grep add_authn_provider
modules/aaa/mod_auth_basic.c:static const char *add_authn_provider(cmd_parms *cmd, void *config,
modules/aaa/mod_auth_basic.c: AP_INIT_ITERATE("AuthBasicProvider", add_authn_provider, NULL, OR_AUTHCFG,
modules/aaa/mod_auth_digest.c:static const char *add_authn_provider(cmd_parms *cmd, void *config,
modules/aaa/mod_auth_digest.c: AP_INIT_ITERATE("AuthDigestProvider", add_authn_provider, NULL, OR_AUTHCFG,
modules/aaa/mod_auth_form.c:static const char *add_authn_provider(cmd_parms * cmd, void *config,
modules/aaa/mod_auth_form.c: AP_INIT_ITERATE("AuthFormProvider", add_authn_provider, NULL, OR_AUTHCFG,
| if (!conf->providers) { | ||
| conf->providers = newp; | ||
| } | ||
| else { |
There was a problem hiding this comment.
copied from the original code - so you use a different coding style than upstream apache?
There was a problem hiding this comment.
Replying to just this comment, but please read it as a reply to several of yours: yes we have our own coding style, and yes it doesn't match upstream apache. It is much closer to the krb5 and freeipa style for reasons you can probably imagine.
In general, consistency within the project (i.e., within m_a_g) is paramount, since it makes maintaining the codebase so much easier.
There was a problem hiding this comment.
See @frozencemetery's comment, if there is some value in keeping the original it would have to be stored in it's own file, with prominent headers that state exactly where it comes from and what is the license on that piece of code (asuming it is compatible, otherwise we cannot keep a copy) so that people can keep it up to date according to the original source.
It would still require a wrapper function named mag_something in that case as you would have to make the funciton public and we definitelyt do not allow non-namespaced function as public.
| conf->providers = newp; | ||
| } | ||
| else { | ||
| authn_provider_list *last = conf->providers; |
There was a problem hiding this comment.
use for loop here please:
/* append to the end */
for (authn_provider_list *last = conf->providers; last->next; last = last->next);
last->next = newp;
There was a problem hiding this comment.
same here: "copied from the original code"
| return OK; | ||
| if (apr_table_get(main_req->notes, "AUTH_BASIC_FORWARD") != NULL) { | ||
| ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, | ||
| req, "auth_type: %s user: %s main req used auth basic.", type, main_req->user); |
There was a problem hiding this comment.
This reflow nests too much add a variable to skip subreq handling like:
if (apr_table_get(main ....) {
ap_log_rerror(....)
skip_subreq = true;
}
if ((!skip_subreq) && (type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
| @@ -1043,6 +1095,59 @@ static int mag_auth(request_rec *req) | |||
| ba_user.length = strlen(ba_user.value); | |||
| ba_pwd.length = strlen(ba_pwd.value); | |||
|
|
|||
| if (cfg->use_basic_auth == BA_FORWARD) { | |||
| authn_provider_list *current_provider; | |||
There was a problem hiding this comment.
call this 'provider', initialize it to NULL
| } | ||
|
|
||
| /* If we're not really configured for providers, stop now. */ | ||
| if (!cfg->providers) { |
There was a problem hiding this comment.
too late to check this here, you already segfaulted above.
|
|
||
| current_provider = cfg->providers; | ||
| do { | ||
| const authn_provider *provider; |
There was a problem hiding this comment.
Do not use this variable, you will use provider->provider once you rename as indicated above.
| { | ||
| struct mag_config *cfg = (struct mag_config *)mconfig; | ||
|
|
||
| cfg->use_basic_auth = on ? true : false; | ||
| if (strcasecmp(value, "on") == 0) { |
There was a problem hiding this comment.
This is not backwards compatible, you would need to handle all ways to "turn on" a boolean value, or existing configurations may break.
Rather than changing the meaning of GssapiBasicAuth, I would use the presence of basic auth providers to decide if forwarding should be done.
There was a problem hiding this comment.
OK i wasn't sure if this is a good idea and may break existing installations where gssapi suddenly starts forwarding auth.
| @@ -1821,6 +1933,8 @@ static void *mag_create_server_config(apr_pool_t *p, server_rec *s) | |||
| } | |||
|
|
|||
| static const command_rec mag_commands[] = { | |||
| AP_INIT_ITERATE("AuthBasicProvider", add_authn_provider, NULL, OR_AUTHCFG, | |||
There was a problem hiding this comment.
change to GssapiBasicAuthProviders
There was a problem hiding this comment.
Oh I see this is an actual variable that is implemented for mod_auth_basic ... is this the canonical way to handle it, parsing it in each module that wants to deelgate basic auth to another provider ?
There was a problem hiding this comment.
Not sure but as mounted out above all original modules implement add_authn_provider and use a specific one. Also ldap itself needs this variable.
| BA_OFF = 0, | ||
| BA_FORWARD = 1, | ||
| BA_ON = 2 | ||
| } use_basic_auth; |
There was a problem hiding this comment.
drop this enum and just use the providers list below to decide whether forwarding will be done or not.
|
@profihost, still around? |
|
Yes, sorry just don't have any spare time these weeks. |
|
Seem this PR got abandoned, I am closing for now, please feel free to reopen (or maybe start with a new one) once you can get back to it. |
This one implements basic auth forwarding as a fallback if tgt does not work.