Allow sourcing the acceptor_name from httpd

The hostname the client uses to connect to apache is stored in the
request structure for modules to use.
This patch adds an option to specify that the acceptor name to be used
should be constructed on a per-request basis from this name.
This is simply achieved by specifying the literal string {HOSTNAME} to
the existing GssapiAcceptorName option insted of specifying a full
GSSAPI name.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
Resolves #138
Closes #139

Author: simo5

README

@@ -407,6 +407,10 @@ This option is used to force the server to accept only for a specific name.
 This allows, for example to select to use a specific credential when multiple
 keys are provided in a keytab.
 
+A special value of {HOSTNAME} will make the code use the name apache sees in
+the httpd request to select the correct name to use. This may be useful to
+allow multiple names and multiple keys to be used on the same apache instance.
+
 Note: By default no name is set and any name in a keytab or mechanism specific
 acceptor credential will be allowed.
 

src/mod_auth_gssapi.c

@@ -185,26 +185,54 @@ static bool mag_acquire_creds(request_rec *req,
                               gss_cred_id_t *creds,
                               gss_OID_set *actual_mechs)
 {
+    gss_name_t acceptor_name = GSS_C_NO_NAME;
     uint32_t maj, min;
+    bool ret;
+
+    if (cfg->acceptor_name_from_req) {
+        gss_buffer_desc bufnam;
+
+        bufnam.value = apr_psprintf(req->pool, "HTTP@%s", req->hostname);
+        bufnam.length = strlen(bufnam.value);
+
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "GSS Server Name: %s",
+                      (char *)bufnam.value);
+
+        maj = gss_import_name(&min, &bufnam, GSS_C_NT_HOSTBASED_SERVICE,
+                              &acceptor_name);
+        if (GSS_ERROR(maj)) {
+            mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
+                           "gss_import_name() failed to import hostnname");
+            return false;
+        }
+    } else {
+        acceptor_name = cfg->acceptor_name;
+    }
+
 #ifdef HAVE_CRED_STORE
     gss_const_key_value_set_t store = cfg->cred_store;
 
-    maj = gss_acquire_cred_from(&min, cfg->acceptor_name, GSS_C_INDEFINITE,
+    maj = gss_acquire_cred_from(&min, acceptor_name, GSS_C_INDEFINITE,
                                 desired_mechs, cred_usage, store, creds,
                                 actual_mechs, NULL);
 #else
-    maj = gss_acquire_cred(&min, cfg->acceptor_name, GSS_C_INDEFINITE,
+    maj = gss_acquire_cred(&min, acceptor_name, GSS_C_INDEFINITE,
                            desired_mechs, cred_usage, creds,
                            actual_mechs, NULL);
 #endif
 
     if (GSS_ERROR(maj)) {
         mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
                        "gss_acquire_cred[_from]() failed to get server creds");
-        return false;
+        ret = false;
+    } else {
+        ret = true;
     }
 
-    return true;
+    if (cfg->acceptor_name_from_req) {
+        gss_release_name(&min, &acceptor_name);
+    }
+    return ret;
 }
 
 #ifdef HAVE_CRED_STORE
@@ -1720,6 +1748,11 @@ static const char *mag_acceptor_name(cmd_parms *parms, void *mconfig,
     gss_buffer_desc bufnam = { strlen(w), (void *)w };
     uint32_t maj, min;
 
+    if (strcmp(w, "{HOSTNAME}") == 0) {
+        cfg->acceptor_name_from_req = true;
+        return NULL;
+    }
+
     maj = gss_import_name(&min, &bufnam, GSS_C_NT_HOSTBASED_SERVICE,
                           &cfg->acceptor_name);
     if (GSS_ERROR(maj)) {

src/mod_auth_gssapi.h

@@ -93,6 +93,7 @@ struct mag_config {
     struct mag_name_attributes *name_attributes;
     bool enverrs;
     gss_name_t acceptor_name;
+    bool acceptor_name_from_req;
 };
 
 struct mag_server_config {

tests/httpd.conf

@@ -224,6 +224,19 @@ CoreDumpDirectory "${HTTPROOT}"
   Require valid-user
 </Location>
 
+<Location /hostname_acceptor>
+  AuthType GSSAPI
+  AuthName "Login"
+  GssapiSSLonly Off
+  GssapiCredStore ccache:${HTTPROOT}/tmp/httpd_krb5_ccache
+  GssapiCredStore client_keytab:${HTTPROOT}/http.keytab
+  GssapiCredStore keytab:${HTTPROOT}/http.keytab
+  GssapiBasicAuth Off
+  GssapiAllowedMech krb5
+  GssapiAcceptorName {HOSTNAME}
+  Require valid-user
+</Location>
+
 <VirtualHost *:${PROXYPORT}>
   ProxyRequests On
   ProxyVia On

tests/magtests.py

@@ -28,6 +28,8 @@ def parse_args():
 
 
 WRAP_HOSTNAME = "kdc.mag.dev"
+WRAP_ALIASNAME = "alias.mag.dev"
+WRAP_FAILNAME = "fail.mag.dev"
 WRAP_IPADDR = '127.0.0.9'
 WRAP_HTTP_PORT = '80'
 WRAP_PROXY_PORT = '8080'
@@ -50,7 +52,9 @@ def setup_wrappers(base):
 
     hosts_file = os.path.join(testdir, 'hosts')
     with open(hosts_file, 'w+') as f:
-        f.write('%s %s' % (WRAP_IPADDR, WRAP_HOSTNAME))
+        f.write('%s %s\n' % (WRAP_IPADDR, WRAP_HOSTNAME))
+        f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME))
+        f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME))
 
     wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
             'SOCKET_WRAPPER_DIR': wrapdir,
@@ -203,6 +207,15 @@ def setup_keys(tesdir, env):
     with (open(testlog, 'a')) as logfile:
         kadmin_local(cmd, env, logfile)
 
+    # alias for multinamed hosts testing
+    alias_name = "HTTP/%s" % WRAP_ALIASNAME
+    cmd = "addprinc -randkey -e %s %s" % (KEY_TYPE, alias_name)
+    with (open(testlog, 'a')) as logfile:
+        kadmin_local(cmd, env, logfile)
+    cmd = "ktadd -k %s -e %s %s" % (svc_keytab, KEY_TYPE, alias_name)
+    with (open(testlog, 'a')) as logfile:
+        kadmin_local(cmd, env, logfile)
+
     keys_env = { "KRB5_KTNAME": svc_keytab }
     keys_env.update(env)
 
@@ -427,6 +440,36 @@ def test_no_negotiate(testdir, testenv, testlog):
             sys.stderr.write('NO Negotiate: SUCCESS\n')
 
 
+def test_hostname_acceptor(testdir, testenv, testlog):
+
+    hdir = os.path.join(testdir, 'httpd', 'html', 'hostname_acceptor')
+    os.mkdir(hdir)
+    shutil.copy('tests/index.html', hdir)
+
+    with (open(testlog, 'a')) as logfile:
+        failed = False
+        for (name, fail) in [(WRAP_HOSTNAME, False),
+                             (WRAP_ALIASNAME,False),
+                             (WRAP_FAILNAME, True)]:
+            res = subprocess.Popen(["tests/t_hostname_acceptor.py", name],
+                                   stdout=logfile, stderr=logfile,
+                                   env=testenv, preexec_fn=os.setsid)
+            res.wait()
+            if fail:
+                if res.returncode == 0:
+                    failed = True
+            else:
+                if res.returncode != 0:
+                    failed = True
+            if failed:
+                break
+
+        if failed:
+            sys.stderr.write('HOSTNAME ACCEPTOR: FAILED\n')
+        else:
+            sys.stderr.write('HOSTNAME ACCEPTOR: SUCCESS\n')
+
+
 if __name__ == '__main__':
 
     args = parse_args()
@@ -462,6 +505,8 @@ def test_no_negotiate(testdir, testenv, testlog):
 
         test_spnego_negotiate_once(testdir, testenv, testlog)
 
+        test_hostname_acceptor(testdir, testenv, testlog)
+
         test_bad_acceptor_name(testdir, testenv, testlog)
 
         testenv = {'MAG_USER_NAME': USR_NAME,

tests/t_hostname_acceptor.py

@@ -0,0 +1,16 @@
+#!/usr/bin/python
+# Copyright (C) 2017 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+import requests
+import sys
+from stat import ST_MODE
+from requests_kerberos import HTTPKerberosAuth, OPTIONAL
+
+
+if __name__ == '__main__':
+    sess = requests.Session()
+    url = 'http://%s/hostname_acceptor/' % sys.argv[1]
+    r = sess.get(url, auth=HTTPKerberosAuth(delegate=True))
+    if r.status_code != 200:
+        raise ValueError('Hostname-based acceptor failed')