mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-26 05:02:18 +00:00
Code Issues Releases Activity

- Use USES=gssapi.

Browse Source 
- Add LICENSE.
- Fix a bug in KrbSaveCredentials option (RHBA-2012:0877-1).
This commit is contained in:
Hiroki Sato 2015-02-01 18:40:57 +00:00
parent 9ff3a43f10
commit d7e5cdff7e
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=378260
3 changed files with 92 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
www/mod_auth_kerb2/Makefile
View File

@ -3,7 +3,7 @@
PORTNAME= mod_auth_kerb
PORTVERSION= 5.4
PORTREVISION= 6
PORTREVISION= 7
CATEGORIES= www
MASTER_SITES= SF/modauthkerb/${PORTNAME}/${PORTNAME}-${PORTVERSION}
PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX}
@ -12,39 +12,24 @@ PKGNAMESUFFIX= 2
MAINTAINER= apache@FreeBSD.org
COMMENT= Apache module for authenticating users with Kerberos v5
USE_APACHE= 22+
USES= gmake
GNU_CONFIGURE= yes
LICENSE= MIT BSD3CLAUSE
LICENSE_COMB= multi
LICENSE_FILE_MIT= ${WRKSRC}/LICENSE
LICENSE_FILE_BSD3CLAUSE= ${WRKSRC}/LICENSE
LATEST_LINK= mod_auth_kerb2
PORTSCOUT= limit:^5.4
.if defined(KRB5_HOME)
BUILD_DEPENDS+= ${KRB5_HOME}/lib/libgssapi_krb5.so:${PORTSDIR}/security/krb5
RUN_DEPENDS+= ${KRB5_HOME}/lib/libgssapi_krb5.so:${PORTSDIR}/security/krb5
CONFIGURE_ARGS+= --with-krb5=${KRB5_HOME} --without-krb4
USE_APACHE= 22+
USE_GMAKE= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS= -with-krb5=${GSSAPIBASEDIR} --without-krb4
.elif defined(HEIMDAL_HOME)
BUILD_DEPENDS+= ${HEIMDAL_HOME}/lib/libgssapi.so:${PORTSDIR}/security/heimdal
RUN_DEPENDS+= ${HEIMDAL_HOME}/lib/libgssapi.so:${PORTSDIR}/security/heimdal
CONFIGURE_ARGS+= --with-krb5=${HEIMDAL_HOME} --without-krb4
.elif exists(${DESTDIR}/usr/lib/libkrb5.a) && exists(${DESTDIR}/usr/bin/krb5-config)
CONFIGURE_ARGS+= --with-krb5=${DESTDIR}/usr --without-krb4
.else
LIB_DEPENDS+= libgssapi_krb5.so:${PORTSDIR}/security/krb5
CONFIGURE_ARGS+= --with-krb5=${LOCALBASE} --without-krb4
.endif
post-patch:
${REINPLACE_CMD} -e 's|@APXS_STAGE@|-S LIBEXECDIR=${STAGEDIR}${PREFIX}/${APACHEMODDIR}|' \
${WRKSRC}/Makefile.in
.if !defined(HEIMDAL_HOME)
${REINPLACE_CMD} -e 's|@KRB5_LDFLAGS@|@KRB5_LDFLAGS@ -lgssapi_krb5|' \
${WRKSRC}/Makefile.in
.endif
pre-install:
@${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR}
OPTIONS_RADIO= GSSAPI
OPTIONS_DEFAULT= GSSAPI_BASE
OPTIONS_RADIO_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
GSSAPI_BASE_USES= gssapi
GSSAPI_HEIMDAL_USES= gssapi:heimdal
GSSAPI_MIT_USES= gssapi:mit
.include <bsd.port.mk>

16
www/mod_auth_kerb2/files/patch-Makefile.in
View File

@ -1,17 +1,13 @@
--- Makefile.in.orig 2008-12-02 09:07:10.000000000 -0500
+++ Makefile.in 2014-06-17 14:09:26.000000000 -0400
@@ -1,4 +1,5 @@
APXS = @APXS@
+APXS_STAGE = @APXS_STAGE@
KRB5_CPPFLAGS = @KRB5_CPPFLAGS@
KRB5_LDFLAGS = @KRB5_LDFLAGS@
KRB4_CPPFLAGS = @KRB4_CPPFLAGS@
@@ -16,7 +17,7 @@
--- Makefile.in.orig 2008-12-02 23:07:10.000000000 +0900
+++ Makefile.in 2014-11-22 19:29:08.000000000 +0900
@@ -16,7 +16,9 @@
./apxs.sh "${CPPFLAGS}" "${LDFLAGS}" "${SPNEGO_SRCS}" "${APXS}" "-c" "src/mod_auth_kerb.c"
install:
- ./apxs.sh "${CPPFLAGS}" "${LDFLAGS}" "${SPNEGO_SRCS}" "${APXS}" "-c -i" "src/mod_auth_kerb.c"
+ ${APXS} $(APXS_STAGE) -i -n auth_kerb src/mod_auth_kerb.la
+ mkdir -p "$(DESTDIR)$$(${APXS} -q libexecdir)"
+ ${APXS} -S LIBEXECDIR="$(DESTDIR)$$(${APXS} -q libexecdir)" \
+ -i -n auth_kerb src/mod_auth_kerb.la
clean:
for i in . src spnegokrb5; do \

97
www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c
View File

@ -2,8 +2,12 @@
# Rev in latest src archive is r150.
# http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_auth_kerb/src/mod_auth_kerb.c?revision=1.157
# Further patched to work with Apache 2.4.
--- src/mod_auth_kerb.c.orig 2008-12-04 11:14:03.000000000 +0100
+++ src/mod_auth_kerb.c 2014-06-01 14:51:14.681087749 +0200
#
# Patch to fix a bug in KrbSaveCredentials:
# https://bugzilla.redhat.com/show_bug.cgi?id=688210
#
--- src/mod_auth_kerb.c.orig 2008-12-04 19:14:03.000000000 +0900
+++ src/mod_auth_kerb.c 2014-11-22 19:34:12.000000000 +0900
@@ -11,6 +11,12 @@
*/
@ -60,7 +64,15 @@
module AP_MODULE_DECLARE_DATA auth_kerb_module;
#else
module auth_kerb_module;
@@ -298,7 +313,7 @@
@@ -176,6 +191,7 @@
char *authline;
char *user;
char *mech;
+ char *ccname;
int last_return;
} krb5_conn_data;
@@ -298,7 +314,7 @@
}
/* And this is the operations vector for our replay cache */
@ -69,7 +81,7 @@
0,
"dfl",
krb5_rc_dfl_init,
@@ -329,7 +344,7 @@
@@ -329,7 +345,7 @@
((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
#endif
#ifdef KRB5
@ -78,7 +90,7 @@
((kerb_auth_config *)rec)->krb_method_k5pass = 1;
((kerb_auth_config *)rec)->krb_method_gssapi = 1;
#endif
@@ -347,9 +362,15 @@
@@ -347,9 +363,15 @@
return NULL;
}
@ -94,7 +106,7 @@
{
char errstr[1024];
va_list ap;
@@ -359,7 +380,9 @@
@@ -359,7 +381,9 @@
va_end(ap);
@ -105,7 +117,7 @@
ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr);
#else
ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr);
@@ -527,7 +550,7 @@
@@ -527,7 +551,7 @@
user = apr_pstrcat(r->pool, user, "@", realm, NULL);
MK_USER = user;
@ -114,7 +126,7 @@
apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
if (!conf->krb_save_credentials)
@@ -677,7 +700,8 @@
@@ -677,7 +701,8 @@
static krb5_error_code
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
const char *password, krb5_principal server,
@ -124,7 +136,18 @@
{
krb5_creds creds;
krb5_get_init_creds_opt options;
@@ -926,7 +950,6 @@
@@ -869,8 +894,8 @@
}
apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
- apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
- apr_pool_cleanup_null);
+ apr_pool_cleanup_register(r->connection->pool, ccname, krb5_cache_cleanup,
+ apr_pool_cleanup_null);
*ccache = tmp_ccache;
tmp_ccache = NULL;
@@ -926,7 +951,6 @@
return OK;
}
@ -132,7 +155,7 @@
static int
authenticate_user_krb5pwd(request_rec *r,
kerb_auth_config *conf,
@@ -1061,7 +1084,7 @@
@@ -1061,7 +1085,7 @@
goto end;
}
MK_USER = apr_pstrdup (r->pool, name);
@ -141,7 +164,7 @@
free(name);
if (conf->krb_save_credentials)
@@ -1280,6 +1303,7 @@
@@ -1280,6 +1304,7 @@
return 0;
}
@ -149,7 +172,7 @@
static int
cmp_gss_type(gss_buffer_t token, gss_OID oid)
{
@@ -1306,6 +1330,7 @@
@@ -1306,6 +1331,7 @@
return memcmp(p, oid->elements, oid->length);
}
@ -157,7 +180,7 @@
static int
authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
@@ -1438,15 +1463,15 @@
@@ -1438,15 +1464,15 @@
goto end;
}
@ -178,7 +201,7 @@
major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
gss_release_name(&minor_status, &client_name);
@@ -1549,13 +1574,13 @@
@@ -1549,28 +1575,52 @@
#endif /* KRB5 */
static krb5_conn_data *
@ -195,7 +218,24 @@
r->connection->id);
if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
@@ -1571,6 +1596,24 @@
return NULL;
- if(conn_data) {
- if(strcmp(conn_data->authline, auth_line) == 0) {
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
- return conn_data;
+ if(conn_data && conn_data->ccname != NULL) {
+ apr_finfo_t finfo;
+
+ if (apr_stat(&finfo, conn_data->ccname + strlen("FILE:"),
+ APR_FINFO_NORM, r->pool) == APR_SUCCESS
+ && (finfo.valid & APR_FINFO_TYPE)
+ && finfo.filetype == APR_REG) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
+ return conn_data;
}
}
return NULL;
}
static void
@ -208,6 +248,7 @@
+ prevauth->user = apr_pstrdup(r->connection->pool, MK_USER);
+ prevauth->authline = apr_pstrdup(r->connection->pool, auth_line);
+ prevauth->mech = apr_pstrdup(r->connection->pool, auth_type);
+ prevauth->ccname = apr_pstrdup(r->connection->pool, apr_table_get(r->subprocess_env, "KRB5CCNAME"));
+ prevauth->last_return = ret;
+
+ snprintf(keyname, sizeof(keyname) - 1,
@ -220,7 +261,7 @@
set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
int use_krb4, int use_krb5pwd, char *negotiate_ret_value)
{
@@ -1607,51 +1650,16 @@
@@ -1607,51 +1657,16 @@
}
static int
@ -279,7 +320,7 @@
if (!auth_line) {
set_kerb_auth_headers(r, conf, use_krb4, use_krb5,
(use_krb5) ? "\0" : NULL);
@@ -1669,60 +1677,108 @@
@@ -1669,60 +1684,110 @@
#endif
(strcasecmp(auth_type, "Basic") == 0))
return DECLINED;
@ -319,6 +360,8 @@
+ ret = prevauth->last_return;
+ MK_USER = prevauth->user;
+ MK_AUTH_TYPE = prevauth->mech;
+ if (prevauth->ccname)
+ apr_table_setn(r->subprocess_env, "KRB5CCNAME", prevauth->ccname);
}
/*
@ -336,30 +379,30 @@
- apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool);
+ if(!prevauth) {
+ save_authorized(r, auth_line, auth_type, ret);
+ }
+
+ if (ret == OK && conf->krb5_do_auth_to_local) {
+ ret = do_krb5_an_to_ln(r);
}
+ return ret;
+}
- if (ret == OK && conf->krb5_do_auth_to_local)
- ret = do_krb5_an_to_ln(r);
+ if (ret == OK && conf->krb5_do_auth_to_local) {
+ ret = do_krb5_an_to_ln(r);
+ }
+ return ret;
+}
+
+static authn_status authn_krb_password(request_rec *r, const char *user,
+ const char *password)
+{
+ char *auth_line = NULL;
+ int ret;
+ const char *type = NULL;
+
- /* XXX log_debug: if ret==OK, log(user XY authenticated) */
+ type = ap_auth_type(r);
+ auth_line = ap_pbase64encode (r->pool, apr_psprintf(r->pool, "%s:%s", user, password));
+ auth_line = apr_psprintf(r->pool, "Basic %s", auth_line);
+
+ ret = authenticate_user(r, auth_line, type, 1, 1);
- /* XXX log_debug: if ret==OK, log(user XY authenticated) */
+
+ if (ret == OK) return AUTH_GRANTED;
+ else return AUTH_USER_NOT_FOUND;
+}
@ -415,7 +458,7 @@
have_rcache_type(const char *type)
{
krb5_error_code ret;
@@ -1805,6 +1861,12 @@
@@ -1805,6 +1870,12 @@
static void
kerb_register_hooks(apr_pool_t *p)
{