Handle authentication on subrequests

simo5 · simo5 · commit e5db7c1f5738 · 2015-03-31T12:18:05.000-04:00
In some cases (like during directory listing) Apache will re-run the authentication code. Many GSSAPI mechanism have replay detection so we cannot simply rerun the accept_sec_context phase. Others require multiple steps. When authntication has already been estalished just implicitly consider the authentication successfully performed and copy the user name. Otherwise fail. If a subrequest hits a location with a different mod_auth_gssapi configuration warn but do not error off right away. Fixes #15
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
         return DECLINED;
     }
 
-    /* ignore auth for subrequests */
+    cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+
+    /* implicit auth for subrequests if main auth already happened */
     if (!ap_is_initial_req(req)) {
-        return OK;
+        type = ap_auth_type(req->main);
+        if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+            /* warn if the subrequest location and the main request
+             * location have different configs */
+            if (cfg != ap_get_module_config(req->main->per_dir_config,
+                                            &auth_gssapi_module)) {
+                ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+                              req, "Subrequest authentication bypass on "
+                                   "location with different configuration!");
+            }
+            if (req->main->user) {
+                req->user = apr_pstrdup(req->pool, req->main->user);
+                return OK;
+            } else {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+                              "The main request is tasked to establish the "
+                              "security context, can't proceed!");
+                return HTTP_UNAUTHORIZED;
+            }
+        } else {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+                          "Subrequest GSSAPI auth with no auth on the main "
+                          "request. This operation may fail if other "
+                          "subrequests already established a context or the "
+                          "mechanism requires multiple roundtrips.");
+        }
     }
 
-    cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
-
     if (cfg->ssl_only) {
         if (!mag_conn_is_https(req->connection)) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
