From c62616386e31c65eff648bb5524f7928286a5a0e Mon Sep 17 00:00:00 2001 From: Sean Timothy Noonan Date: Mon, 29 Nov 2021 21:51:36 +0000 Subject: [PATCH] Add formatting rules and format main file --- clang-format | 178 ++++++ ngx_http_auth_spnego_module.c | 1089 ++++++++++++++++----------------- 2 files changed, 700 insertions(+), 567 deletions(-) create mode 100644 clang-format diff --git a/clang-format b/clang-format new file mode 100644 index 0000000..5fcec57 --- /dev/null +++ b/clang-format @@ -0,0 +1,178 @@ +--- +Language: Cpp +# BasedOnStyle: LLVM +AccessModifierOffset: -2 +AlignAfterOpenBracket: Align +AlignArrayOfStructures: None +AlignConsecutiveMacros: None +AlignConsecutiveAssignments: None +AlignConsecutiveBitFields: None +AlignConsecutiveDeclarations: None +AlignEscapedNewlines: Right +AlignOperands: Align +AlignTrailingComments: true +AllowAllArgumentsOnNextLine: true +AllowAllConstructorInitializersOnNextLine: true +AllowAllParametersOfDeclarationOnNextLine: true +AllowShortEnumsOnASingleLine: true +AllowShortBlocksOnASingleLine: Never +AllowShortCaseLabelsOnASingleLine: false +AllowShortFunctionsOnASingleLine: All +AllowShortLambdasOnASingleLine: All +AllowShortIfStatementsOnASingleLine: Never +AllowShortLoopsOnASingleLine: false +AlwaysBreakAfterDefinitionReturnType: None +AlwaysBreakAfterReturnType: None +AlwaysBreakBeforeMultilineStrings: false +AlwaysBreakTemplateDeclarations: MultiLine +AttributeMacros: + - __capability +BinPackArguments: true +BinPackParameters: true +BraceWrapping: + AfterCaseLabel: false + AfterClass: false + AfterControlStatement: Never + AfterEnum: false + AfterFunction: false + AfterNamespace: false + AfterObjCDeclaration: false + AfterStruct: false + AfterUnion: false + AfterExternBlock: false + BeforeCatch: false + BeforeElse: false + BeforeLambdaBody: false + BeforeWhile: false + IndentBraces: false + SplitEmptyFunction: true + SplitEmptyRecord: true + SplitEmptyNamespace: true +BreakBeforeBinaryOperators: None +BreakBeforeConceptDeclarations: true +BreakBeforeBraces: Attach +BreakBeforeInheritanceComma: false +BreakInheritanceList: BeforeColon +BreakBeforeTernaryOperators: true +BreakConstructorInitializersBeforeComma: false +BreakConstructorInitializers: BeforeColon +BreakAfterJavaFieldAnnotations: false +BreakStringLiterals: true +ColumnLimit: 80 +CommentPragmas: '^ IWYU pragma:' +CompactNamespaces: false +ConstructorInitializerAllOnOneLineOrOnePerLine: false +ConstructorInitializerIndentWidth: 4 +ContinuationIndentWidth: 4 +Cpp11BracedListStyle: true +DeriveLineEnding: true +DerivePointerAlignment: false +DisableFormat: false +EmptyLineAfterAccessModifier: Never +EmptyLineBeforeAccessModifier: LogicalBlock +ExperimentalAutoDetectBinPacking: false +FixNamespaceComments: true +ForEachMacros: + - foreach + - Q_FOREACH + - BOOST_FOREACH +IfMacros: + - KJ_IF_MAYBE +IncludeBlocks: Preserve +IncludeCategories: + - Regex: '^"(llvm|llvm-c|clang|clang-c)/' + Priority: 2 + SortPriority: 0 + CaseSensitive: false + - Regex: '^(<|"(gtest|gmock|isl|json)/)' + Priority: 3 + SortPriority: 0 + CaseSensitive: false + - Regex: '.*' + Priority: 1 + SortPriority: 0 + CaseSensitive: false +IncludeIsMainRegex: '(Test)?$' +IncludeIsMainSourceRegex: '' +IndentAccessModifiers: false +IndentCaseLabels: false +IndentCaseBlocks: false +IndentGotoLabels: true +IndentPPDirectives: None +IndentExternBlock: AfterExternBlock +IndentRequires: false +IndentWidth: 4 +IndentWrappedFunctionNames: false +InsertTrailingCommas: None +JavaScriptQuotes: Leave +JavaScriptWrapImports: true +KeepEmptyLinesAtTheStartOfBlocks: true +LambdaBodyIndentation: Signature +MacroBlockBegin: '' +MacroBlockEnd: '' +MaxEmptyLinesToKeep: 1 +NamespaceIndentation: None +ObjCBinPackProtocolList: Auto +ObjCBlockIndentWidth: 2 +ObjCBreakBeforeNestedBlockParam: true +ObjCSpaceAfterProperty: false +ObjCSpaceBeforeProtocolList: true +PenaltyBreakAssignment: 2 +PenaltyBreakBeforeFirstCallParameter: 19 +PenaltyBreakComment: 300 +PenaltyBreakFirstLessLess: 120 +PenaltyBreakString: 1000 +PenaltyBreakTemplateDeclaration: 10 +PenaltyExcessCharacter: 1000000 +PenaltyReturnTypeOnItsOwnLine: 60 +PenaltyIndentedWhitespace: 0 +PointerAlignment: Right +PPIndentWidth: -1 +ReferenceAlignment: Pointer +ReflowComments: true +ShortNamespaceLines: 1 +SortIncludes: CaseSensitive +SortJavaStaticImport: Before +SortUsingDeclarations: true +SpaceAfterCStyleCast: false +SpaceAfterLogicalNot: false +SpaceAfterTemplateKeyword: true +SpaceBeforeAssignmentOperators: true +SpaceBeforeCaseColon: false +SpaceBeforeCpp11BracedList: false +SpaceBeforeCtorInitializerColon: true +SpaceBeforeInheritanceColon: true +SpaceBeforeParens: ControlStatements +SpaceAroundPointerQualifiers: Default +SpaceBeforeRangeBasedForLoopColon: true +SpaceInEmptyBlock: false +SpaceInEmptyParentheses: false +SpacesBeforeTrailingComments: 1 +SpacesInAngles: Never +SpacesInConditionalStatement: false +SpacesInContainerLiterals: true +SpacesInCStyleCastParentheses: false +SpacesInLineCommentPrefix: + Minimum: 1 + Maximum: -1 +SpacesInParentheses: false +SpacesInSquareBrackets: false +SpaceBeforeSquareBrackets: false +BitFieldColonSpacing: Both +Standard: Latest +StatementAttributeLikeMacros: + - Q_EMIT +StatementMacros: + - Q_UNUSED + - QT_REQUIRE_VERSION +TabWidth: 8 +UseCRLF: false +UseTab: Never +WhitespaceSensitiveMacros: + - STRINGIZE + - PP_STRINGIZE + - BOOST_PP_STRINGIZE + - NS_SWIFT_NAME + - CF_SWIFT_NAME +... + diff --git a/ngx_http_auth_spnego_module.c b/ngx_http_auth_spnego_module.c index 3eb44fe..24847f3 100644 --- a/ngx_http_auth_spnego_module.c +++ b/ngx_http_auth_spnego_module.c @@ -31,10 +31,10 @@ #include #include -#include #include #include #include +#include #define CCACHE_VARIABLE_NAME "krb5_cc_name" #define SHM_ZONE_NAME "shm_zone" @@ -42,85 +42,80 @@ #define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -#define spnego_log_krb5_error(context,code) {\ - const char* ___kerror = krb5_get_error_message(context, code);\ - spnego_debug2("Kerberos error: %d, %s", code , ___kerror);\ - krb5_free_error_message( context, ___kerror ); } -#define spnego_error(code) ret = code; goto end -#define spnego_debug0(msg) ngx_log_debug0(\ - NGX_LOG_DEBUG_HTTP, r->connection->log, 0, msg) -#define spnego_debug1(msg, one) ngx_log_debug1(\ - NGX_LOG_DEBUG_HTTP, r->connection->log, 0, msg, one) -#define spnego_debug2(msg, one, two) ngx_log_debug2(\ - NGX_LOG_DEBUG_HTTP, r->connection->log, 0, msg, one, two) -#define spnego_debug3(msg, one, two, three) ngx_log_debug3(\ - NGX_LOG_DEBUG_HTTP, r->connection->log, 0, msg, one, two, three) -#define spnego_log_error(fmt, args...) ngx_log_error(\ - NGX_LOG_ERR, r->connection->log, 0, fmt, ##args) +#define spnego_log_krb5_error(context, code) \ + { \ + const char *___kerror = krb5_get_error_message(context, code); \ + spnego_debug2("Kerberos error: %d, %s", code, ___kerror); \ + krb5_free_error_message(context, ___kerror); \ + } +#define spnego_error(code) \ + ret = code; \ + goto end +#define spnego_debug0(msg) \ + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, msg) +#define spnego_debug1(msg, one) \ + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, msg, one) +#define spnego_debug2(msg, one, two) \ + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, msg, one, two) +#define spnego_debug3(msg, one, two, three) \ + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, msg, one, two, \ + three) +#define spnego_log_error(fmt, args...) \ + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, fmt, ##args) /* Module handler */ static ngx_int_t ngx_http_auth_spnego_handler(ngx_http_request_t *); static void *ngx_http_auth_spnego_create_loc_conf(ngx_conf_t *); -static char *ngx_http_auth_spnego_merge_loc_conf( - ngx_conf_t *, void *, void *); +static char *ngx_http_auth_spnego_merge_loc_conf(ngx_conf_t *, void *, void *); static ngx_int_t ngx_http_auth_spnego_init(ngx_conf_t *); #if (NGX_PCRE) -static char * ngx_conf_set_regex_array_slot(ngx_conf_t * cf, ngx_command_t * cmd, void * conf); +static char *ngx_conf_set_regex_array_slot(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); #endif -ngx_int_t ngx_http_auth_spnego_set_bogus_authorization(ngx_http_request_t * r); +ngx_int_t ngx_http_auth_spnego_set_bogus_authorization(ngx_http_request_t *r); - const char * -get_gss_error( - ngx_pool_t * p, - OM_uint32 error_status, - char *prefix) -{ +const char *get_gss_error(ngx_pool_t *p, OM_uint32 error_status, char *prefix) { OM_uint32 maj_stat, min_stat; OM_uint32 msg_ctx = 0; gss_buffer_desc status_string; char buf[1024]; size_t len; ngx_str_t str; - ngx_snprintf((u_char *) buf, sizeof(buf), "%s: %Z", prefix); + ngx_snprintf((u_char *)buf, sizeof(buf), "%s: %Z", prefix); len = ngx_strlen(buf); do { - maj_stat = - gss_display_status(&min_stat, error_status, GSS_C_MECH_CODE, - GSS_C_NO_OID, &msg_ctx, &status_string); + maj_stat = gss_display_status(&min_stat, error_status, GSS_C_MECH_CODE, + GSS_C_NO_OID, &msg_ctx, &status_string); if (sizeof(buf) > len + status_string.length + 1) { - ngx_sprintf((u_char *) buf + len, "%s:%Z", - (char *) status_string.value); + ngx_sprintf((u_char *)buf + len, "%s:%Z", + (char *)status_string.value); len += (status_string.length + 1); } gss_release_buffer(&min_stat, &status_string); - } - while (!GSS_ERROR(maj_stat) && msg_ctx != 0); + } while (!GSS_ERROR(maj_stat) && msg_ctx != 0); str.len = len + 1; /* "include" '\0' */ - str.data = (u_char *) buf; - return (char *) (ngx_pstrdup(p, &str)); + str.data = (u_char *)buf; + return (char *)(ngx_pstrdup(p, &str)); } -static ngx_shm_zone_t * shm_zone; +static ngx_shm_zone_t *shm_zone; -typedef enum { - TYPE_KRB5_CREDS, - TYPE_GSS_CRED_ID_T -} creds_type; +typedef enum { TYPE_KRB5_CREDS, TYPE_GSS_CRED_ID_T } creds_type; typedef struct { - void * data; + void *data; creds_type type; } creds_info; /* per request/connection */ typedef struct { - ngx_str_t token; /* decoded Negotiate token */ - ngx_int_t head; /* non-zero flag if headers set */ - ngx_int_t ret; /* current return code */ + ngx_str_t token; /* decoded Negotiate token */ + ngx_int_t head; /* non-zero flag if headers set */ + ngx_int_t ret; /* current return code */ ngx_str_t token_out_b64; /* base64 encoded output tokent */ } ngx_http_auth_spnego_ctx_t; @@ -133,164 +128,125 @@ typedef struct { ngx_flag_t fqun; ngx_flag_t force_realm; ngx_flag_t allow_basic; - ngx_array_t * auth_princs; + ngx_array_t *auth_princs; #if (NGX_PCRE) - ngx_array_t * auth_princs_regex; + ngx_array_t *auth_princs_regex; #endif ngx_flag_t map_to_local; ngx_flag_t delegate_credentials; ngx_flag_t constrained_delegation; } ngx_http_auth_spnego_loc_conf_t; -#define SPNEGO_NGX_CONF_FLAGS NGX_HTTP_MAIN_CONF\ - | NGX_HTTP_SRV_CONF\ -| NGX_HTTP_LOC_CONF\ -| NGX_HTTP_LMT_CONF\ -| NGX_CONF_FLAG +#define SPNEGO_NGX_CONF_FLAGS \ + NGX_HTTP_MAIN_CONF \ + | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_FLAG /* Module Directives */ static ngx_command_t ngx_http_auth_spnego_commands[] = { - {ngx_string("auth_gss"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_flag_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, protect), - NULL}, - - {ngx_string("auth_gss_realm"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_str_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, realm), - NULL}, - - {ngx_string("auth_gss_keytab"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_str_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, keytab), - NULL}, - - {ngx_string("auth_gss_service_ccache"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_str_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, service_ccache), - NULL}, - - {ngx_string("auth_gss_service_name"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_str_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, srvcname), - NULL}, - - {ngx_string("auth_gss_format_full"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_flag_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, fqun), - NULL}, - - {ngx_string("auth_gss_force_realm"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_flag_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, force_realm), - NULL}, - - {ngx_string("auth_gss_allow_basic_fallback"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_flag_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, allow_basic), - NULL}, + {ngx_string("auth_gss"), SPNEGO_NGX_CONF_FLAGS, ngx_conf_set_flag_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, protect), NULL}, + + {ngx_string("auth_gss_realm"), SPNEGO_NGX_CONF_FLAGS, ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_auth_spnego_loc_conf_t, realm), + NULL}, + + {ngx_string("auth_gss_keytab"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_str_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, keytab), NULL}, + + {ngx_string("auth_gss_service_ccache"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_str_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, service_ccache), NULL}, + + {ngx_string("auth_gss_service_name"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_str_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, srvcname), NULL}, + + {ngx_string("auth_gss_format_full"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_flag_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, fqun), NULL}, + + {ngx_string("auth_gss_force_realm"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_flag_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, force_realm), NULL}, + + {ngx_string("auth_gss_allow_basic_fallback"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_flag_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, allow_basic), NULL}, {ngx_string("auth_gss_authorized_principal"), - SPNEGO_NGX_CONF_FLAGS | NGX_CONF_1MORE, - ngx_conf_set_str_array_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, auth_princs), - NULL}, + SPNEGO_NGX_CONF_FLAGS | NGX_CONF_1MORE, ngx_conf_set_str_array_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, auth_princs), NULL}, #if (NGX_PCRE) {ngx_string("auth_gss_authorized_principal_regex"), - SPNEGO_NGX_CONF_FLAGS | NGX_CONF_1MORE, - ngx_conf_set_regex_array_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, auth_princs_regex), - NULL}, + SPNEGO_NGX_CONF_FLAGS | NGX_CONF_1MORE, ngx_conf_set_regex_array_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, auth_princs_regex), NULL}, #endif - {ngx_string("auth_gss_map_to_local"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_flag_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, map_to_local), - NULL}, - - {ngx_string("auth_gss_delegate_credentials"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_flag_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, delegate_credentials), - NULL}, - - {ngx_string("auth_gss_constrained_delegation"), - SPNEGO_NGX_CONF_FLAGS, - ngx_conf_set_flag_slot, - NGX_HTTP_LOC_CONF_OFFSET, - offsetof(ngx_http_auth_spnego_loc_conf_t, constrained_delegation), - NULL}, - - ngx_null_command -}; + {ngx_string("auth_gss_map_to_local"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_flag_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, map_to_local), NULL}, + + {ngx_string("auth_gss_delegate_credentials"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_flag_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, delegate_credentials), NULL}, + + {ngx_string("auth_gss_constrained_delegation"), SPNEGO_NGX_CONF_FLAGS, + ngx_conf_set_flag_slot, NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_auth_spnego_loc_conf_t, constrained_delegation), NULL}, + + ngx_null_command}; /* Module Context */ static ngx_http_module_t ngx_http_auth_spnego_module_ctx = { - NULL, /* preconf */ + NULL, /* preconf */ ngx_http_auth_spnego_init, /* postconf */ - NULL, /* create main conf (defaults) */ - NULL, /* init main conf (what's in nginx.conf) */ - NULL, /* create server conf */ - NULL, /* merge with main */ + NULL, /* create main conf (defaults) */ + NULL, /* init main conf (what's in nginx.conf) */ + NULL, /* create server conf */ + NULL, /* merge with main */ ngx_http_auth_spnego_create_loc_conf, /* create location conf */ - ngx_http_auth_spnego_merge_loc_conf, /* merge with server */ + ngx_http_auth_spnego_merge_loc_conf, /* merge with server */ }; /* Module Definition */ ngx_module_t ngx_http_auth_spnego_module = { /* ngx_uint_t ctx_index, index, spare{0-3}, version; */ - NGX_MODULE_V1, /* 0, 0, 0, 0, 0, 0, 1 */ + NGX_MODULE_V1, /* 0, 0, 0, 0, 0, 0, 1 */ &ngx_http_auth_spnego_module_ctx, /* void *ctx */ - ngx_http_auth_spnego_commands, /* ngx_command_t *commands */ - NGX_HTTP_MODULE, /* ngx_uint_t type = 0x50545448 */ - NULL, /* ngx_int_t (*init_master)(ngx_log_t *log) */ - NULL, /* ngx_int_t (*init_module)(ngx_cycle_t *cycle) */ - NULL, /* ngx_int_t (*init_process)(ngx_cycle_t *cycle) */ - NULL, /* ngx_int_t (*init_thread)(ngx_cycle_t *cycle) */ - NULL, /* void (*exit_thread)(ngx_cycle_t *cycle) */ - NULL, /* void (*exit_process)(ngx_cycle_t *cycle) */ - NULL, /* void (*exit_master)(ngx_cycle_t *cycle) */ + ngx_http_auth_spnego_commands, /* ngx_command_t *commands */ + NGX_HTTP_MODULE, /* ngx_uint_t type = 0x50545448 */ + NULL, /* ngx_int_t (*init_master)(ngx_log_t *log) */ + NULL, /* ngx_int_t (*init_module)(ngx_cycle_t *cycle) */ + NULL, /* ngx_int_t (*init_process)(ngx_cycle_t *cycle) */ + NULL, /* ngx_int_t (*init_thread)(ngx_cycle_t *cycle) */ + NULL, /* void (*exit_thread)(ngx_cycle_t *cycle) */ + NULL, /* void (*exit_process)(ngx_cycle_t *cycle) */ + NULL, /* void (*exit_master)(ngx_cycle_t *cycle) */ NGX_MODULE_V1_PADDING, /* 0, 0, 0, 0, 0, 0, 0, 0 */ /* uintptr_t spare_hook{0-7}; */ }; #if (NGX_PCRE) -static char * ngx_conf_set_regex_array_slot(ngx_conf_t * cf, ngx_command_t * cmd, void * conf){ - char * p = conf; +static char *ngx_conf_set_regex_array_slot(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf) { + char *p = conf; u_char errstr[NGX_MAX_CONF_ERRSTR]; - ngx_str_t * value; - ngx_regex_elt_t * re; + ngx_str_t *value; + ngx_regex_elt_t *re; ngx_regex_compile_t rc; - ngx_array_t ** a; - ngx_conf_post_t * post; + ngx_array_t **a; + ngx_conf_post_t *post; - a = (ngx_array_t **) (p + cmd->offset); + a = (ngx_array_t **)(p + cmd->offset); if (*a == NGX_CONF_UNSET_PTR) { *a = ngx_array_create(cf->pool, 4, sizeof(ngx_regex_elt_t)); if (*a == NULL) { - return NGX_CONF_ERROR; + return NGX_CONF_ERROR; } } @@ -308,7 +264,7 @@ static char * ngx_conf_set_regex_array_slot(ngx_conf_t * cf, ngx_command_t * cmd rc.err.len = NGX_MAX_CONF_ERRSTR; rc.err.data = errstr; - if(ngx_regex_compile(&rc) != NGX_OK) { + if (ngx_regex_compile(&rc) != NGX_OK) { return NGX_CONF_ERROR; } @@ -324,10 +280,7 @@ static char * ngx_conf_set_regex_array_slot(ngx_conf_t * cf, ngx_command_t * cmd } #endif - static void * -ngx_http_auth_spnego_create_loc_conf( - ngx_conf_t * cf) -{ +static void *ngx_http_auth_spnego_create_loc_conf(ngx_conf_t *cf) { ngx_http_auth_spnego_loc_conf_t *conf; conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_spnego_loc_conf_t)); @@ -350,12 +303,8 @@ ngx_http_auth_spnego_create_loc_conf( return conf; } - static char * -ngx_http_auth_spnego_merge_loc_conf( - ngx_conf_t * cf, - void *parent, - void *child) -{ +static char *ngx_http_auth_spnego_merge_loc_conf(ngx_conf_t *cf, void *parent, + void *child) { ngx_http_auth_spnego_loc_conf_t *prev = parent; ngx_http_auth_spnego_loc_conf_t *conf = child; @@ -373,82 +322,95 @@ ngx_http_auth_spnego_merge_loc_conf( ngx_conf_merge_off_value(conf->force_realm, prev->force_realm, 0); ngx_conf_merge_off_value(conf->allow_basic, prev->allow_basic, 1); - ngx_conf_merge_ptr_value(conf->auth_princs, prev->auth_princs, NGX_CONF_UNSET_PTR); + ngx_conf_merge_ptr_value(conf->auth_princs, prev->auth_princs, + NGX_CONF_UNSET_PTR); #if (NGX_PCRE) - ngx_conf_merge_ptr_value(conf->auth_princs_regex, prev->auth_princs_regex, NGX_CONF_UNSET_PTR); + ngx_conf_merge_ptr_value(conf->auth_princs_regex, prev->auth_princs_regex, + NGX_CONF_UNSET_PTR); #endif ngx_conf_merge_off_value(conf->map_to_local, prev->map_to_local, 0); - ngx_conf_merge_off_value(conf->delegate_credentials, prev->delegate_credentials, 0); - ngx_conf_merge_off_value(conf->constrained_delegation, prev->constrained_delegation, 0); + ngx_conf_merge_off_value(conf->delegate_credentials, + prev->delegate_credentials, 0); + ngx_conf_merge_off_value(conf->constrained_delegation, + prev->constrained_delegation, 0); #if (NGX_DEBUG) ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: protect = %i", - conf->protect); + conf->protect); ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: realm@0x%p = %s", - conf->realm.data, conf->realm.data); - ngx_conf_log_error(NGX_LOG_INFO, cf, 0, - "auth_spnego: keytab@0x%p = %s", conf->keytab.data, - conf->keytab.data); + conf->realm.data, conf->realm.data); + ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: keytab@0x%p = %s", + conf->keytab.data, conf->keytab.data); ngx_conf_log_error(NGX_LOG_INFO, cf, 0, - "auth_spnego: service_ccache@0x%p = %s", conf->service_ccache.data, - conf->service_ccache.data); - ngx_conf_log_error(NGX_LOG_INFO, cf, 0, - "auth_spnego: srvcname@0x%p = %s", - conf->srvcname.data, conf->srvcname.data); + "auth_spnego: service_ccache@0x%p = %s", + conf->service_ccache.data, conf->service_ccache.data); + ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: srvcname@0x%p = %s", + conf->srvcname.data, conf->srvcname.data); ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: fqun = %i", - conf->fqun); + conf->fqun); ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: allow_basic = %i", - conf->allow_basic); + conf->allow_basic); ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: force_realm = %i", - conf->force_realm); + conf->force_realm); if (NGX_CONF_UNSET_PTR != conf->auth_princs) { size_t ii = 0; ngx_str_t *auth_princs = conf->auth_princs->elts; for (; ii < conf->auth_princs->nelts; ++ii) { ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, - "auth_spnego: auth_princs = %.*s", auth_princs[ii].len, auth_princs[ii].data); + "auth_spnego: auth_princs = %.*s", + auth_princs[ii].len, auth_princs[ii].data); } } #if (NGX_PCRE) - if (NGX_CONF_UNSET_PTR != conf->auth_princs_regex){ + if (NGX_CONF_UNSET_PTR != conf->auth_princs_regex) { size_t ii = 0; - ngx_regex_elt_t * auth_princs_regex = conf->auth_princs_regex->elts; + ngx_regex_elt_t *auth_princs_regex = conf->auth_princs_regex->elts; for (; ii < conf->auth_princs_regex->nelts; ++ii) { ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, - "auth_spnego: auth_princs_regex = %.*s", ngx_strlen(auth_princs_regex[ii].name), auth_princs_regex[ii].name); + "auth_spnego: auth_princs_regex = %.*s", + ngx_strlen(auth_princs_regex[ii].name), + auth_princs_regex[ii].name); } } #endif ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: map_to_local = %i", - conf->map_to_local); + conf->map_to_local); - ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: delegate_credentials = %i", - conf->delegate_credentials); + ngx_conf_log_error(NGX_LOG_INFO, cf, 0, + "auth_spnego: delegate_credentials = %i", + conf->delegate_credentials); - ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "auth_spnego: constrained_delegation = %i", - conf->constrained_delegation); + ngx_conf_log_error(NGX_LOG_INFO, cf, 0, + "auth_spnego: constrained_delegation = %i", + conf->constrained_delegation); #endif return NGX_CONF_OK; } -static ngx_int_t ngx_http_auth_spnego_get_handler(ngx_http_request_t * r, ngx_http_variable_value_t * v, uintptr_t data){ return NGX_OK; } +static ngx_int_t ngx_http_auth_spnego_get_handler(ngx_http_request_t *r, + ngx_http_variable_value_t *v, + uintptr_t data) { + return NGX_OK; +} -static ngx_int_t ngx_http_auth_spnego_set_variable(ngx_http_request_t * r, ngx_str_t * name, ngx_str_t * value){ - u_char * lowercase = ngx_palloc(r->pool, name->len); +static ngx_int_t ngx_http_auth_spnego_set_variable(ngx_http_request_t *r, + ngx_str_t *name, + ngx_str_t *value) { + u_char *lowercase = ngx_palloc(r->pool, name->len); ngx_uint_t key = ngx_hash_strlow(lowercase, name->data, name->len); ngx_pfree(r->pool, lowercase); - ngx_http_variable_value_t * v = ngx_http_get_variable(r, name, key); + ngx_http_variable_value_t *v = ngx_http_get_variable(r, name, key); - if(v == NULL){ + if (v == NULL) { return NGX_ERROR; } @@ -458,10 +420,12 @@ static ngx_int_t ngx_http_auth_spnego_set_variable(ngx_http_request_t * r, ngx_s return NGX_OK; } -static ngx_int_t ngx_http_auth_spnego_add_variable(ngx_conf_t * cf, ngx_str_t * name){ - ngx_http_variable_t * var = ngx_http_add_variable(cf, name, NGX_HTTP_VAR_NOCACHEABLE); +static ngx_int_t ngx_http_auth_spnego_add_variable(ngx_conf_t *cf, + ngx_str_t *name) { + ngx_http_variable_t *var = + ngx_http_add_variable(cf, name, NGX_HTTP_VAR_NOCACHEABLE); - if(var == NULL){ + if (var == NULL) { return NGX_ERROR; } @@ -471,7 +435,8 @@ static ngx_int_t ngx_http_auth_spnego_add_variable(ngx_conf_t * cf, ngx_str_t * return NGX_OK; } -static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t * shm_zone, void * data){ +static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t *shm_zone, + void *data) { if (data) { shm_zone->data = data; return NGX_OK; @@ -481,10 +446,11 @@ static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t * shm_zone, v return NGX_OK; } -static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t * cf){ +static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t *cf) { ngx_str_t name = ngx_string(SHM_ZONE_NAME); - shm_zone = ngx_shared_memory_add(cf, &name, 65536, &ngx_http_auth_spnego_module); + shm_zone = + ngx_shared_memory_add(cf, &name, 65536, &ngx_http_auth_spnego_module); if (shm_zone == NULL) { return NGX_ERROR; } @@ -494,10 +460,7 @@ static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t * cf){ return NGX_OK; } - static ngx_int_t -ngx_http_auth_spnego_init( - ngx_conf_t * cf) -{ +static ngx_int_t ngx_http_auth_spnego_init(ngx_conf_t *cf) { ngx_http_handler_pt *h; ngx_http_core_main_conf_t *cmcf; @@ -510,12 +473,12 @@ ngx_http_auth_spnego_init( *h = ngx_http_auth_spnego_handler; - if(ngx_http_auth_spnego_create_shm_zone(cf) != NGX_OK){ + if (ngx_http_auth_spnego_create_shm_zone(cf) != NGX_OK) { return NGX_ERROR; } ngx_str_t var_name = ngx_string(CCACHE_VARIABLE_NAME); - if(ngx_http_auth_spnego_add_variable(cf, &var_name) != NGX_OK){ + if (ngx_http_auth_spnego_add_variable(cf, &var_name) != NGX_OK) { return NGX_ERROR; } @@ -523,28 +486,24 @@ ngx_http_auth_spnego_init( } static ngx_int_t -ngx_http_auth_spnego_headers_basic_only( - ngx_http_request_t *r, - ngx_http_auth_spnego_ctx_t *ctx, - ngx_http_auth_spnego_loc_conf_t *alcf) -{ +ngx_http_auth_spnego_headers_basic_only(ngx_http_request_t *r, + ngx_http_auth_spnego_ctx_t *ctx, + ngx_http_auth_spnego_loc_conf_t *alcf) { ngx_str_t value = ngx_null_string; value.len = sizeof("Basic realm=\"\"") - 1 + alcf->realm.len; value.data = ngx_pcalloc(r->pool, value.len); if (NULL == value.data) { return NGX_ERROR; } - ngx_snprintf(value.data, value.len, "Basic realm=\"%V\"", - &alcf->realm); - r->headers_out.www_authenticate = - ngx_list_push(&r->headers_out.headers); + ngx_snprintf(value.data, value.len, "Basic realm=\"%V\"", &alcf->realm); + r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); if (NULL == r->headers_out.www_authenticate) { return NGX_ERROR; } r->headers_out.www_authenticate->hash = 1; r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1; - r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate"; + r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate"; r->headers_out.www_authenticate->value.len = value.len; r->headers_out.www_authenticate->value.data = value.data; @@ -554,20 +513,18 @@ ngx_http_auth_spnego_headers_basic_only( } static ngx_int_t -ngx_http_auth_spnego_headers( - ngx_http_request_t *r, - ngx_http_auth_spnego_ctx_t *ctx, - ngx_str_t *token, - ngx_http_auth_spnego_loc_conf_t *alcf) -{ +ngx_http_auth_spnego_headers(ngx_http_request_t *r, + ngx_http_auth_spnego_ctx_t *ctx, ngx_str_t *token, + ngx_http_auth_spnego_loc_conf_t *alcf) { ngx_str_t value = ngx_null_string; /* only use token if authorized as there appears to be a bug in * Google Chrome when parsing a 401 Negotiate with a token */ if (NULL == token || ctx->ret != NGX_OK) { value.len = sizeof("Negotiate") - 1; - value.data = (u_char *) "Negotiate"; + value.data = (u_char *)"Negotiate"; } else { - value.len = sizeof("Negotiate") + token->len; /* space accounts for \0 */ + value.len = + sizeof("Negotiate") + token->len; /* space accounts for \0 */ value.data = ngx_pcalloc(r->pool, value.len); if (NULL == value.data) { return NGX_ERROR; @@ -575,15 +532,14 @@ ngx_http_auth_spnego_headers( ngx_snprintf(value.data, value.len, "Negotiate %V", token); } - r->headers_out.www_authenticate = - ngx_list_push(&r->headers_out.headers); + r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); if (NULL == r->headers_out.www_authenticate) { return NGX_ERROR; } r->headers_out.www_authenticate->hash = 1; r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1; - r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate"; + r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate"; r->headers_out.www_authenticate->value.len = value.len; r->headers_out.www_authenticate->value.data = value.data; @@ -595,7 +551,7 @@ ngx_http_auth_spnego_headers( return NGX_ERROR; } ngx_snprintf(value2.data, value2.len, "Basic realm=\"%V\"", - &alcf->realm); + &alcf->realm); r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); if (NULL == r->headers_out.www_authenticate) { @@ -603,8 +559,10 @@ ngx_http_auth_spnego_headers( } r->headers_out.www_authenticate->hash = 2; - r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1; - r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate"; + r->headers_out.www_authenticate->key.len = + sizeof("WWW-Authenticate") - 1; + r->headers_out.www_authenticate->key.data = + (u_char *)"WWW-Authenticate"; r->headers_out.www_authenticate->value.len = value2.len; r->headers_out.www_authenticate->value.data = value2.data; } @@ -614,40 +572,41 @@ ngx_http_auth_spnego_headers( return NGX_OK; } - static bool -ngx_spnego_authorized_principal( - ngx_http_request_t * r, - ngx_str_t *princ, - ngx_http_auth_spnego_loc_conf_t *alcf) -{ +static bool +ngx_spnego_authorized_principal(ngx_http_request_t *r, ngx_str_t *princ, + ngx_http_auth_spnego_loc_conf_t *alcf) { if (NGX_CONF_UNSET_PTR == alcf->auth_princs #if (NGX_PCRE) - && NGX_CONF_UNSET_PTR == alcf->auth_princs_regex + && NGX_CONF_UNSET_PTR == alcf->auth_princs_regex #endif ) { return true; } - if(NGX_CONF_UNSET_PTR != alcf->auth_princs){ - spnego_debug1("Testing against %d auth princs", alcf->auth_princs->nelts); + if (NGX_CONF_UNSET_PTR != alcf->auth_princs) { + spnego_debug1("Testing against %d auth princs", + alcf->auth_princs->nelts); ngx_str_t *auth_princs = alcf->auth_princs->elts; size_t i = 0; for (; i < alcf->auth_princs->nelts; ++i) { - if(auth_princs[i].len != princ->len) { + if (auth_princs[i].len != princ->len) { continue; } - if(ngx_strncmp(auth_princs[i].data, princ->data, princ->len) == 0) { + if (ngx_strncmp(auth_princs[i].data, princ->data, princ->len) == + 0) { spnego_debug2("Authorized user %.*s", princ->len, princ->data); return true; } } } #if (NGX_PCRE) - if(NGX_CONF_UNSET_PTR != alcf->auth_princs_regex){ - spnego_debug1("Testing against %d auth princs regex", alcf->auth_princs_regex->nelts); + if (NGX_CONF_UNSET_PTR != alcf->auth_princs_regex) { + spnego_debug1("Testing against %d auth princs regex", + alcf->auth_princs_regex->nelts); - if(ngx_regex_exec_array(alcf->auth_princs_regex, princ, r->connection->log) == NGX_OK){ + if (ngx_regex_exec_array(alcf->auth_princs_regex, princ, + r->connection->log) == NGX_OK) { return true; } } @@ -656,11 +615,8 @@ ngx_spnego_authorized_principal( return false; } - ngx_int_t -ngx_http_auth_spnego_token( - ngx_http_request_t *r, - ngx_http_auth_spnego_ctx_t *ctx) -{ +ngx_int_t ngx_http_auth_spnego_token(ngx_http_request_t *r, + ngx_http_auth_spnego_ctx_t *ctx) { ngx_str_t token; ngx_str_t decoded; size_t nego_sz = sizeof("Negotiate"); @@ -676,9 +632,9 @@ ngx_http_auth_spnego_token( token = r->headers_in.authorization->value; if (token.len < nego_sz || - ngx_strncasecmp(token.data, (u_char *) "Negotiate ", nego_sz) != 0) { - if (ngx_strncasecmp( - token.data, (u_char *) "NTLM", sizeof("NTLM")) == 0) { + ngx_strncasecmp(token.data, (u_char *)"Negotiate ", nego_sz) != 0) { + if (ngx_strncasecmp(token.data, (u_char *)"NTLM", sizeof("NTLM")) == + 0) { spnego_log_error("Detected unsupported mechanism: NTLM"); } return NGX_DECLINED; @@ -713,16 +669,18 @@ ngx_http_auth_spnego_token( return NGX_OK; } -static krb5_error_code ngx_http_auth_spnego_store_krb5_creds(ngx_http_request_t * r,krb5_context kcontext, krb5_principal principal, krb5_ccache ccache, krb5_creds creds){ +static krb5_error_code ngx_http_auth_spnego_store_krb5_creds( + ngx_http_request_t *r, krb5_context kcontext, krb5_principal principal, + krb5_ccache ccache, krb5_creds creds) { krb5_error_code kerr = 0; - if((kerr = krb5_cc_initialize(kcontext, ccache, principal))){ + if ((kerr = krb5_cc_initialize(kcontext, ccache, principal))) { spnego_log_error("Kerberos error: Cannot initialize ccache"); spnego_log_krb5_error(kcontext, kerr); return kerr; } - if((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))){ + if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) { spnego_log_error("Kerberos error: Cannot store credentials"); spnego_log_krb5_error(kcontext, kerr); return kerr; @@ -731,19 +689,23 @@ static krb5_error_code ngx_http_auth_spnego_store_krb5_creds(ngx_http_request_t return kerr; } -static krb5_error_code ngx_http_auth_spnego_store_gss_creds(ngx_http_request_t * r, krb5_context kcontext, krb5_principal principal, krb5_ccache ccache, gss_cred_id_t creds){ +static krb5_error_code ngx_http_auth_spnego_store_gss_creds( + ngx_http_request_t *r, krb5_context kcontext, krb5_principal principal, + krb5_ccache ccache, gss_cred_id_t creds) { OM_uint32 major_status, minor_status; krb5_error_code kerr = 0; - if((kerr = krb5_cc_initialize(kcontext, ccache, principal))){ + if ((kerr = krb5_cc_initialize(kcontext, ccache, principal))) { spnego_log_error("Kerberos error: Cannot initialize ccache"); spnego_log_krb5_error(kcontext, kerr); return kerr; } major_status = gss_krb5_copy_ccache(&minor_status, creds, ccache); - if(GSS_ERROR(major_status)){ - const char * gss_error = get_gss_error(r->pool, minor_status, "ngx_http_auth_spnego_store_gss_creds() failed"); + if (GSS_ERROR(major_status)) { + const char *gss_error = + get_gss_error(r->pool, minor_status, + "ngx_http_auth_spnego_store_gss_creds() failed"); spnego_log_error("%s", gss_error); spnego_debug1("%s", gss_error); return KRB5_CC_WRITE; @@ -752,135 +714,136 @@ static krb5_error_code ngx_http_auth_spnego_store_gss_creds(ngx_http_request_t * return kerr; } -static void ngx_http_auth_spnego_krb5_destroy_ccache(void * data){ +static void ngx_http_auth_spnego_krb5_destroy_ccache(void *data) { krb5_context kcontext; krb5_ccache ccache; krb5_error_code kerr = 0; - char * ccname = (char *) data; + char *ccname = (char *)data; - if((kerr = krb5_init_context(&kcontext))){ + if ((kerr = krb5_init_context(&kcontext))) { goto done; } - if((kerr = krb5_cc_resolve(kcontext, ccname, &ccache))){ + if ((kerr = krb5_cc_resolve(kcontext, ccname, &ccache))) { goto done; } krb5_cc_destroy(kcontext, ccache); done: - if(kcontext) krb5_free_context(kcontext); + if (kcontext) + krb5_free_context(kcontext); } -static char * ngx_http_auth_spnego_replace(ngx_http_request_t * r, char * str, char find, char replace){ - char * result = (char *) ngx_palloc(r->pool, ngx_strlen(str) + 1); +static char *ngx_http_auth_spnego_replace(ngx_http_request_t *r, char *str, + char find, char replace) { + char *result = (char *)ngx_palloc(r->pool, ngx_strlen(str) + 1); ngx_memcpy(result, str, ngx_strlen(str) + 1); - char * index = NULL; - while ((index = ngx_strchr(result,find)) != NULL){ + char *index = NULL; + while ((index = ngx_strchr(result, find)) != NULL) { *index = replace; } return result; } -static ngx_int_t ngx_http_auth_spnego_store_delegated_creds(ngx_http_request_t * r, ngx_str_t * principal_name, creds_info delegated_creds) { +static ngx_int_t +ngx_http_auth_spnego_store_delegated_creds(ngx_http_request_t *r, + ngx_str_t *principal_name, + creds_info delegated_creds) { krb5_context kcontext; krb5_principal principal = NULL; krb5_ccache ccache = NULL; krb5_error_code kerr = 0; - char * ccname = NULL; - char * escaped = NULL; - - if(!delegated_creds.data){ - spnego_log_error("ngx_http_auth_spnego_store_delegated_creds() NULL credentials"); - spnego_debug0("ngx_http_auth_spnego_store_delegated_creds() NULL credentials"); + char *ccname = NULL; + char *escaped = NULL; + + if (!delegated_creds.data) { + spnego_log_error( + "ngx_http_auth_spnego_store_delegated_creds() NULL credentials"); + spnego_debug0( + "ngx_http_auth_spnego_store_delegated_creds() NULL credentials"); goto done; } - if((kerr = krb5_init_context(&kcontext))){ + if ((kerr = krb5_init_context(&kcontext))) { spnego_log_error("Kerberos error: Cannot initialize kerberos context"); spnego_log_krb5_error(kcontext, kerr); goto done; } - if((kerr = krb5_parse_name(kcontext, (char *) principal_name->data, &principal))){ - spnego_log_error("Kerberos error: Cannot parse principal %s", principal_name); + if ((kerr = krb5_parse_name(kcontext, (char *)principal_name->data, + &principal))) { + spnego_log_error("Kerberos error: Cannot parse principal %s", + principal_name); spnego_log_krb5_error(kcontext, kerr); goto done; } - escaped = ngx_http_auth_spnego_replace(r, (char *) principal_name->data, '/', '_'); + escaped = + ngx_http_auth_spnego_replace(r, (char *)principal_name->data, '/', '_'); - size_t ccname_size = (ngx_strlen("FILE:") + ngx_strlen(P_tmpdir) + ngx_strlen("/") + ngx_strlen(escaped)) + 1; - ccname = (char *) ngx_pcalloc(r->pool, ccname_size); + size_t ccname_size = (ngx_strlen("FILE:") + ngx_strlen(P_tmpdir) + + ngx_strlen("/") + ngx_strlen(escaped)) + + 1; + ccname = (char *)ngx_pcalloc(r->pool, ccname_size); - ngx_snprintf( - (u_char *) ccname, - ccname_size, - "FILE:%s/%*s", - P_tmpdir, - ngx_strlen(escaped), - escaped - ); + ngx_snprintf((u_char *)ccname, ccname_size, "FILE:%s/%*s", P_tmpdir, + ngx_strlen(escaped), escaped); - if((kerr = krb5_cc_resolve(kcontext, ccname, &ccache))){ + if ((kerr = krb5_cc_resolve(kcontext, ccname, &ccache))) { spnego_log_error("Kerberos error: Cannot resolve ccache %s", ccname); spnego_log_krb5_error(kcontext, kerr); goto done; } - switch(delegated_creds.type){ - case TYPE_GSS_CRED_ID_T: - kerr = ngx_http_auth_spnego_store_gss_creds( - r, - kcontext, - principal, - ccache, - (gss_cred_id_t) delegated_creds.data - ); - break; - case TYPE_KRB5_CREDS: - kerr = ngx_http_auth_spnego_store_krb5_creds( - r, - kcontext, - principal, - ccache, - (*(krb5_creds *) delegated_creds.data) - ); - break; - default: - kerr = KRB5KRB_ERR_GENERIC; - } - - if(kerr) goto done; + switch (delegated_creds.type) { + case TYPE_GSS_CRED_ID_T: + kerr = ngx_http_auth_spnego_store_gss_creds( + r, kcontext, principal, ccache, + (gss_cred_id_t)delegated_creds.data); + break; + case TYPE_KRB5_CREDS: + kerr = ngx_http_auth_spnego_store_krb5_creds( + r, kcontext, principal, ccache, + (*(krb5_creds *)delegated_creds.data)); + break; + default: + kerr = KRB5KRB_ERR_GENERIC; + } + + if (kerr) + goto done; ngx_str_t var_name = ngx_string(CCACHE_VARIABLE_NAME); ngx_str_t var_value = ngx_null_string; - var_value.data = (u_char *) ccname; + var_value.data = (u_char *)ccname; var_value.len = ngx_strlen(ccname); ngx_http_auth_spnego_set_variable(r, &var_name, &var_value); - ngx_pool_cleanup_t * cln = ngx_pool_cleanup_add(r->pool, 0); + ngx_pool_cleanup_t *cln = ngx_pool_cleanup_add(r->pool, 0); cln->handler = ngx_http_auth_spnego_krb5_destroy_ccache; cln->data = ccname; done: - if(escaped) ngx_pfree(r->pool, escaped); - if(ccname) ngx_pfree(r->pool, ccname); - if(principal) krb5_free_principal(kcontext, principal); - if(ccache) krb5_cc_close(kcontext, ccache); - if(kcontext) krb5_free_context(kcontext); + if (escaped) + ngx_pfree(r->pool, escaped); + if (ccname) + ngx_pfree(r->pool, ccname); + if (principal) + krb5_free_principal(kcontext, principal); + if (ccache) + krb5_cc_close(kcontext, ccache); + if (kcontext) + krb5_free_context(kcontext); return kerr ? NGX_ERROR : NGX_OK; } - ngx_int_t -ngx_http_auth_spnego_basic( - ngx_http_request_t * r, - ngx_http_auth_spnego_ctx_t * ctx, - ngx_http_auth_spnego_loc_conf_t * alcf) -{ +ngx_int_t ngx_http_auth_spnego_basic(ngx_http_request_t *r, + ngx_http_auth_spnego_ctx_t *ctx, + ngx_http_auth_spnego_loc_conf_t *alcf) { ngx_str_t host_name; ngx_str_t service; ngx_str_t user; @@ -913,8 +876,8 @@ ngx_http_auth_spnego_basic( spnego_error(NGX_ERROR); } - ngx_snprintf(service.data, service.len, "%V@%V%Z", - &alcf->srvcname, &alcf->realm); + ngx_snprintf(service.data, service.len, "%V@%V%Z", &alcf->srvcname, + &alcf->realm); } else { service.len += host_name.len; service.data = ngx_palloc(r->pool, service.len); @@ -922,11 +885,11 @@ ngx_http_auth_spnego_basic( spnego_error(NGX_ERROR); } - ngx_snprintf(service.data, service.len, "%V/%V@%V%Z", - &alcf->srvcname, &host_name, &alcf->realm); + ngx_snprintf(service.data, service.len, "%V/%V@%V%Z", &alcf->srvcname, + &host_name, &alcf->realm); } - kret = krb5_parse_name(kcontext, (const char *) service.data, &server); + kret = krb5_parse_name(kcontext, (const char *)service.data, &server); if (kret) { spnego_log_error("Kerberos error: Unable to parse service name"); @@ -947,7 +910,7 @@ ngx_http_auth_spnego_basic( p = ngx_strchr(r->headers_in.user.data, '@'); user.len = r->headers_in.user.len + 1; if (NULL == p) { - if (alcf->force_realm && alcf->realm.len && alcf->realm.data ) { + if (alcf->force_realm && alcf->realm.len && alcf->realm.data) { user.len += alcf->realm.len + 1; /* +1 for @ */ user.data = ngx_palloc(r->pool, user.len); if (NULL == user.data) { @@ -955,7 +918,7 @@ ngx_http_auth_spnego_basic( spnego_error(NGX_ERROR); } ngx_snprintf(user.data, user.len, "%V@%V%Z", &r->headers_in.user, - &alcf->realm); + &alcf->realm); } else { user.data = ngx_palloc(r->pool, user.len); if (NULL == user.data) { @@ -965,15 +928,14 @@ ngx_http_auth_spnego_basic( ngx_snprintf(user.data, user.len, "%V%Z", &r->headers_in.user); } } else { - if (alcf->realm.len && alcf->realm.data && ngx_strncmp(p + 1, - alcf->realm.data, alcf->realm.len) == 0) { + if (alcf->realm.len && alcf->realm.data && + ngx_strncmp(p + 1, alcf->realm.data, alcf->realm.len) == 0) { user.data = ngx_palloc(r->pool, user.len); if (NULL == user.data) { spnego_log_error("Not enough memory"); spnego_error(NGX_ERROR); } - ngx_snprintf(user.data, user.len, "%V%Z", - &r->headers_in.user); + ngx_snprintf(user.data, user.len, "%V%Z", &r->headers_in.user); if (alcf->fqun == 0) { /* * Specified realm is identical to configured realm. @@ -993,10 +955,10 @@ ngx_http_auth_spnego_basic( } if (alcf->realm.len && alcf->realm.data) ngx_snprintf(user.data, user.len, "%s@%V%Z", - r->headers_in.user.data, &alcf->realm); + r->headers_in.user.data, &alcf->realm); else ngx_snprintf(user.data, user.len, "%s%Z", - r->headers_in.user.data); + r->headers_in.user.data); /* * Rewrite $remote_user with the forced realm. * If the forced realm is shorter than the @@ -1017,7 +979,7 @@ ngx_http_auth_spnego_basic( r->headers_in.user.len = new_user.len; } ngx_memcpy(r->headers_in.user.data, user.data, - r->headers_in.user.len); + r->headers_in.user.len); } else { user.data = ngx_palloc(r->pool, user.len); if (NULL == user.data) { @@ -1029,12 +991,12 @@ ngx_http_auth_spnego_basic( } spnego_debug1("Attempting authentication with principal %s", - (const char *)user.data); + (const char *)user.data); - code = krb5_parse_name(kcontext, (const char *) user.data, &client); + code = krb5_parse_name(kcontext, (const char *)user.data, &client); if (code) { spnego_log_error("Kerberos error: Unable to parse username"); - spnego_debug1("username is %s.", (const char *) user.data); + spnego_debug1("username is %s.", (const char *)user.data); spnego_log_krb5_error(kcontext, code); spnego_error(NGX_ERROR); } @@ -1051,8 +1013,8 @@ ngx_http_auth_spnego_basic( krb5_get_init_creds_opt_alloc(kcontext, &gic_options); code = krb5_get_init_creds_password(kcontext, &creds, client, - (char *) r->headers_in.passwd.data, - NULL, NULL, 0, NULL, gic_options); + (char *)r->headers_in.passwd.data, NULL, + NULL, 0, NULL, gic_options); if (code) { spnego_log_error("Kerberos error: Credentials failed"); @@ -1060,17 +1022,15 @@ ngx_http_auth_spnego_basic( spnego_error(NGX_DECLINED); } - if(alcf->delegate_credentials){ - creds_info delegated_creds = { - &creds, - TYPE_KRB5_CREDS - }; + if (alcf->delegate_credentials) { + creds_info delegated_creds = {&creds, TYPE_KRB5_CREDS}; ngx_str_t principal_name = ngx_null_string; - principal_name.data = (u_char *) name; + principal_name.data = (u_char *)name; principal_name.len = ngx_strlen(name); - ngx_http_auth_spnego_store_delegated_creds(r, &principal_name, delegated_creds); + ngx_http_auth_spnego_store_delegated_creds(r, &principal_name, + delegated_creds); } krb5_free_cred_contents(kcontext, &creds); @@ -1094,7 +1054,7 @@ ngx_http_auth_spnego_basic( spnego_error(NGX_ERROR); } ngx_snprintf(new_user.data, new_user.len, "%V@%s", - &r->headers_in.user, realm); + &r->headers_in.user, realm); ngx_pfree(r->pool, r->headers_in.user.data); r->headers_in.user.data = new_user.data; r->headers_in.user.len = new_user.len; @@ -1134,15 +1094,13 @@ ngx_http_auth_spnego_basic( * non-Negotiate authorization header. This may possibly clobber Negotiate * token too soon. */ - ngx_int_t -ngx_http_auth_spnego_set_bogus_authorization( - ngx_http_request_t *r) -{ +ngx_int_t ngx_http_auth_spnego_set_bogus_authorization(ngx_http_request_t *r) { const char *bogus_passwd = "bogus_auth_gss_passwd"; ngx_str_t plain, encoded, final; if (r->headers_in.user.len == 0) { - spnego_debug0("ngx_http_auth_spnego_set_bogus_authorization: no user NGX_DECLINED"); + spnego_debug0("ngx_http_auth_spnego_set_bogus_authorization: no user " + "NGX_DECLINED"); return NGX_DECLINED; } @@ -1153,8 +1111,8 @@ ngx_http_auth_spnego_set_bogus_authorization( return NGX_ERROR; } - ngx_snprintf(plain.data, plain.len, "%V:%s", - &r->headers_in.user, bogus_passwd); + ngx_snprintf(plain.data, plain.len, "%V:%s", &r->headers_in.user, + bogus_passwd); encoded.len = ngx_base64_encoded_length(plain.len); encoded.data = ngx_pnalloc(r->pool, encoded.len); @@ -1176,27 +1134,25 @@ ngx_http_auth_spnego_set_bogus_authorization( r->headers_in.authorization->value.len = final.len; r->headers_in.authorization->value.data = final.data; - spnego_debug0("ngx_http_auth_spnego_set_bogus_authorization: bogus user set"); + spnego_debug0( + "ngx_http_auth_spnego_set_bogus_authorization: bogus user set"); return NGX_OK; } - static bool -use_keytab( - ngx_http_request_t * r, - ngx_str_t *keytab) -{ +static bool use_keytab(ngx_http_request_t *r, ngx_str_t *keytab) { size_t kt_sz = keytab->len + 1; - char *kt = (char *) ngx_pcalloc(r->pool, kt_sz); + char *kt = (char *)ngx_pcalloc(r->pool, kt_sz); if (NULL == kt) { return false; } - ngx_snprintf((u_char *) kt, kt_sz, "%V%Z", keytab); + ngx_snprintf((u_char *)kt, kt_sz, "%V%Z", keytab); OM_uint32 major_status, minor_status = 0; major_status = gsskrb5_register_acceptor_identity(kt); if (GSS_ERROR(major_status)) { - spnego_log_error("%s failed to register keytab", get_gss_error( - r->pool, minor_status, - "gsskrb5_register_acceptor_identity() failed")); + spnego_log_error( + "%s failed to register keytab", + get_gss_error(r->pool, minor_status, + "gsskrb5_register_acceptor_identity() failed")); return false; } @@ -1204,59 +1160,60 @@ use_keytab( return true; } -static krb5_error_code ngx_http_auth_spnego_verify_server_credentials(ngx_http_request_t * r, krb5_context kcontext, ngx_str_t * principal_name, krb5_ccache ccache){ +static krb5_error_code ngx_http_auth_spnego_verify_server_credentials( + ngx_http_request_t *r, krb5_context kcontext, ngx_str_t *principal_name, + krb5_ccache ccache) { krb5_creds match_creds; krb5_creds creds; krb5_timestamp now; krb5_error_code kerr = 0; krb5_principal principal = NULL; - char * tgs_principal_name = NULL; - char * princ_name = NULL; + char *tgs_principal_name = NULL; + char *princ_name = NULL; - memset (&match_creds, 0, sizeof(match_creds)); - memset (&creds, 0, sizeof(creds)); + memset(&match_creds, 0, sizeof(match_creds)); + memset(&creds, 0, sizeof(creds)); - if((kerr = krb5_cc_get_principal(kcontext, ccache, &principal))){ + if ((kerr = krb5_cc_get_principal(kcontext, ccache, &principal))) { spnego_log_error("Kerberos error: Cannot get principal from ccache"); spnego_log_krb5_error(kcontext, kerr); goto done; } - if((kerr = krb5_unparse_name(kcontext, principal, &princ_name))){ + if ((kerr = krb5_unparse_name(kcontext, principal, &princ_name))) { spnego_log_error("Kerberos error: Cannot unparse principal"); spnego_log_krb5_error(kcontext, kerr); goto done; } - if(ngx_strncmp(principal_name->data, princ_name, ngx_strlen(princ_name)) != 0){ + if (ngx_strncmp(principal_name->data, princ_name, ngx_strlen(princ_name)) != + 0) { spnego_log_error("Kerberos error: Principal name mismatch"); spnego_debug0("Kerberos error: Principal name mismatch"); kerr = KRB5KRB_ERR_GENERIC; goto done; } - size_t tgs_principal_name_size = (ngx_strlen(KRB5_TGS_NAME) + (principal->realm.length * 2) + 2) + 1; - tgs_principal_name = (char *) ngx_pcalloc(r->pool, tgs_principal_name_size); - ngx_snprintf( - (u_char *) tgs_principal_name, - tgs_principal_name_size, - "%s/%*s@%*s", - KRB5_TGS_NAME, - principal->realm.length, - principal->realm.data, - principal->realm.length, - principal->realm.data - ); - - if ((kerr = krb5_parse_name(kcontext, tgs_principal_name, &match_creds.server))){ - spnego_log_error("Kerberos error: Cannot parse principal: %s", tgs_principal_name); + size_t tgs_principal_name_size = + (ngx_strlen(KRB5_TGS_NAME) + (principal->realm.length * 2) + 2) + 1; + tgs_principal_name = (char *)ngx_pcalloc(r->pool, tgs_principal_name_size); + ngx_snprintf((u_char *)tgs_principal_name, tgs_principal_name_size, + "%s/%*s@%*s", KRB5_TGS_NAME, principal->realm.length, + principal->realm.data, principal->realm.length, + principal->realm.data); + + if ((kerr = krb5_parse_name(kcontext, tgs_principal_name, + &match_creds.server))) { + spnego_log_error("Kerberos error: Cannot parse principal: %s", + tgs_principal_name); spnego_log_krb5_error(kcontext, kerr); goto done; } match_creds.client = principal; - if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_creds, &creds))){ + if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_creds, + &creds))) { spnego_log_error("Kerberos error: Cannot retrieve credentials"); spnego_log_krb5_error(kcontext, kerr); goto done; @@ -1269,20 +1226,28 @@ static krb5_error_code ngx_http_auth_spnego_verify_server_credentials(ngx_http_r } if ((now + RENEWAL_TIME) > creds.times.endtime) { - spnego_debug2("Credentials for %s have expired or will expire soon at %d - renewing", princ_name, creds.times.endtime); + spnego_debug2("Credentials for %s have expired or will expire soon at " + "%d - renewing", + princ_name, creds.times.endtime); kerr = KRB5KRB_AP_ERR_TKT_EXPIRED; - }else{ - spnego_debug2("Credentials for %s will expire at %d", princ_name, creds.times.endtime); + } else { + spnego_debug2("Credentials for %s will expire at %d", princ_name, + creds.times.endtime); } done: - if(principal) krb5_free_principal(kcontext, principal); - if(match_creds.server) krb5_free_principal(kcontext, match_creds.server); - if(creds.client) krb5_free_cred_contents(kcontext, &creds); + if (principal) + krb5_free_principal(kcontext, principal); + if (match_creds.server) + krb5_free_principal(kcontext, match_creds.server); + if (creds.client) + krb5_free_cred_contents(kcontext, &creds); return kerr; } -static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(ngx_http_request_t * r, ngx_str_t * service_name, ngx_str_t * keytab_path, ngx_str_t * service_ccache) { +static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials( + ngx_http_request_t *r, ngx_str_t *service_name, ngx_str_t *keytab_path, + ngx_str_t *service_ccache) { krb5_context kcontext = NULL; krb5_keytab keytab = NULL; krb5_ccache ccache = NULL; @@ -1291,80 +1256,80 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(ngx_http_request krb5_get_init_creds_opt gicopts; krb5_creds creds; - char * principal_name = NULL; - char * tgs_principal_name = NULL; + char *principal_name = NULL; + char *tgs_principal_name = NULL; char kt_path[1024]; char cc_name[1024]; memset(&creds, 0, sizeof(creds)); - if((kerr = krb5_init_context(&kcontext))){ + if ((kerr = krb5_init_context(&kcontext))) { spnego_log_error("Kerberos error: Cannot initialize kerberos context"); spnego_log_krb5_error(kcontext, kerr); goto done; } - if(service_ccache->len && service_ccache->data){ - ngx_snprintf( - (u_char *) cc_name, - sizeof(cc_name), - "FILE:%V%Z", - service_ccache - ); + if (service_ccache->len && service_ccache->data) { + ngx_snprintf((u_char *)cc_name, sizeof(cc_name), "FILE:%V%Z", + service_ccache); - if((kerr = krb5_cc_resolve(kcontext, cc_name, &ccache))){ - spnego_log_error("Kerberos error: Cannot resolve ccache %s", cc_name); + if ((kerr = krb5_cc_resolve(kcontext, cc_name, &ccache))) { + spnego_log_error("Kerberos error: Cannot resolve ccache %s", + cc_name); spnego_log_krb5_error(kcontext, kerr); goto done; } - }else{ + } else { if ((kerr = krb5_cc_default(kcontext, &ccache))) { spnego_log_error("Kerberos error: Cannot get default ccache"); spnego_log_krb5_error(kcontext, kerr); goto done; } - ngx_snprintf( - (u_char *) cc_name, - sizeof(cc_name), - "%s:%s", - krb5_cc_get_type(kcontext, ccache), - krb5_cc_get_name(kcontext, ccache) - ); + ngx_snprintf((u_char *)cc_name, sizeof(cc_name), "%s:%s", + krb5_cc_get_type(kcontext, ccache), + krb5_cc_get_name(kcontext, ccache)); } - if((kerr = ngx_http_auth_spnego_verify_server_credentials(r, kcontext, service_name, ccache))){ + if ((kerr = ngx_http_auth_spnego_verify_server_credentials( + r, kcontext, service_name, ccache))) { if (kerr == KRB5_FCC_NOFILE || kerr == KRB5KRB_AP_ERR_TKT_EXPIRED) { - if((kerr = krb5_parse_name(kcontext, (char *) service_name->data, &principal))){ - spnego_log_error("Kerberos error: Cannot parse principal %s", (char *) service_name->data); + if ((kerr = krb5_parse_name(kcontext, (char *)service_name->data, + &principal))) { + spnego_log_error("Kerberos error: Cannot parse principal %s", + (char *)service_name->data); spnego_log_krb5_error(kcontext, kerr); goto done; } - if((kerr = krb5_unparse_name(kcontext, principal, &principal_name))){ + if ((kerr = + krb5_unparse_name(kcontext, principal, &principal_name))) { spnego_log_error("Kerberos error: Cannot unparse principal"); spnego_log_krb5_error(kcontext, kerr); goto done; } - }else{ - spnego_log_error("Kerberos error: Error verifying server credentials"); + } else { + spnego_log_error( + "Kerberos error: Error verifying server credentials"); spnego_log_krb5_error(kcontext, kerr); goto done; } - }else{ + } else { spnego_debug0("Server credentials valid"); goto done; } - ngx_slab_pool_t * shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; + ngx_slab_pool_t *shpool = (ngx_slab_pool_t *)shm_zone->shm.addr; ngx_shmtx_lock(&shpool->mutex); - kerr = ngx_http_auth_spnego_verify_server_credentials(r, kcontext, service_name, ccache); - if((kerr != KRB5_FCC_NOFILE && kerr != KRB5KRB_AP_ERR_TKT_EXPIRED)) goto unlock; + kerr = ngx_http_auth_spnego_verify_server_credentials(r, kcontext, + service_name, ccache); + if ((kerr != KRB5_FCC_NOFILE && kerr != KRB5KRB_AP_ERR_TKT_EXPIRED)) + goto unlock; - ngx_snprintf((u_char *) kt_path, sizeof(kt_path), "FILE:%V%Z", keytab_path); + ngx_snprintf((u_char *)kt_path, sizeof(kt_path), "FILE:%V%Z", keytab_path); - if((kerr = krb5_kt_resolve(kcontext, kt_path, &keytab))){ + if ((kerr = krb5_kt_resolve(kcontext, kt_path, &keytab))) { spnego_log_error("Kerberos error: Cannot resolve keytab %s", kt_path); spnego_log_krb5_error(kcontext, kerr); goto unlock; @@ -1375,36 +1340,27 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(ngx_http_request krb5_get_init_creds_opt_init(&gicopts); krb5_get_init_creds_opt_set_forwardable(&gicopts, 1); - size_t tgs_principal_name_size = (ngx_strlen(KRB5_TGS_NAME) + (principal->realm.length * 2) + 2) + 1; - tgs_principal_name = (char *) ngx_pcalloc(r->pool, tgs_principal_name_size); - - ngx_snprintf( - (u_char *) tgs_principal_name, - tgs_principal_name_size, - "%s/%*s@%*s", - KRB5_TGS_NAME, - principal->realm.length, - principal->realm.data, - principal->realm.length, - principal->realm.data - ); - - kerr = krb5_get_init_creds_keytab( - kcontext, - &creds, - principal, - keytab, - 0, - tgs_principal_name, - &gicopts - ); - if(kerr){ - spnego_log_error("Kerberos error: Cannot obtain credentials for principal %s", principal_name); + size_t tgs_principal_name_size = + (ngx_strlen(KRB5_TGS_NAME) + (principal->realm.length * 2) + 2) + 1; + tgs_principal_name = (char *)ngx_pcalloc(r->pool, tgs_principal_name_size); + + ngx_snprintf((u_char *)tgs_principal_name, tgs_principal_name_size, + "%s/%*s@%*s", KRB5_TGS_NAME, principal->realm.length, + principal->realm.data, principal->realm.length, + principal->realm.data); + + kerr = krb5_get_init_creds_keytab(kcontext, &creds, principal, keytab, 0, + tgs_principal_name, &gicopts); + if (kerr) { + spnego_log_error( + "Kerberos error: Cannot obtain credentials for principal %s", + principal_name); spnego_log_krb5_error(kcontext, kerr); goto unlock; } - if((kerr = ngx_http_auth_spnego_store_krb5_creds(r, kcontext, principal, ccache, creds))){ + if ((kerr = ngx_http_auth_spnego_store_krb5_creds(r, kcontext, principal, + ccache, creds))) { spnego_debug0("ngx_http_auth_spnego_store_krb5_creds() failed"); goto unlock; } @@ -1412,28 +1368,31 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(ngx_http_request unlock: ngx_shmtx_unlock(&shpool->mutex); done: - if(!kerr){ + if (!kerr) { spnego_debug0("Successfully obtained server credentials"); setenv("KRB5CCNAME", cc_name, 1); - }else{ + } else { spnego_debug0("Failed to obtain server credentials"); } - if (tgs_principal_name) ngx_pfree(r->pool, tgs_principal_name); - if (creds.client) krb5_free_cred_contents(kcontext, &creds); - if (keytab) krb5_kt_close(kcontext, keytab); - if (ccache) krb5_cc_close(kcontext, ccache); - if (kcontext) krb5_free_context(kcontext); + if (tgs_principal_name) + ngx_pfree(r->pool, tgs_principal_name); + if (creds.client) + krb5_free_cred_contents(kcontext, &creds); + if (keytab) + krb5_kt_close(kcontext, keytab); + if (ccache) + krb5_cc_close(kcontext, ccache); + if (kcontext) + krb5_free_context(kcontext); return kerr ? NGX_ERROR : NGX_OK; } - ngx_int_t -ngx_http_auth_spnego_auth_user_gss( - ngx_http_request_t * r, - ngx_http_auth_spnego_ctx_t * ctx, - ngx_http_auth_spnego_loc_conf_t * alcf) -{ +ngx_int_t +ngx_http_auth_spnego_auth_user_gss(ngx_http_request_t *r, + ngx_http_auth_spnego_ctx_t *ctx, + ngx_http_auth_spnego_loc_conf_t *alcf) { ngx_int_t ret = NGX_DECLINED; u_char *pu; ngx_str_t spnego_token = ngx_null_string; @@ -1461,77 +1420,74 @@ ngx_http_auth_spnego_auth_user_gss( if (alcf->srvcname.len > 0) { /* if there is a specific service prinicipal set in the configuration - * file, we need to use it. Otherwise, use the default of no credentials + * file, we need to use it. Otherwise, use the default of no + * credentials */ service.length = alcf->srvcname.len + alcf->realm.len + 2; service.value = ngx_palloc(r->pool, service.length); if (NULL == service.value) { spnego_error(NGX_ERROR); } - ngx_snprintf(service.value, service.length, "%V@%V%Z", - &alcf->srvcname, &alcf->realm); + ngx_snprintf(service.value, service.length, "%V@%V%Z", &alcf->srvcname, + &alcf->realm); spnego_debug1("Using service principal: %s", service.value); - major_status = gss_import_name(&minor_status, &service, - (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &my_gss_name); + major_status = + gss_import_name(&minor_status, &service, + (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &my_gss_name); if (GSS_ERROR(major_status)) { - spnego_log_error("%s Used service principal: %s", get_gss_error( - r->pool, minor_status, "gss_import_name() failed"), - (u_char *) service.value); + spnego_log_error("%s Used service principal: %s", + get_gss_error(r->pool, minor_status, + "gss_import_name() failed"), + (u_char *)service.value); spnego_error(NGX_ERROR); } gss_buffer_desc human_readable_gss_name = GSS_C_EMPTY_BUFFER; major_status = gss_display_name(&minor_status, my_gss_name, - &human_readable_gss_name, NULL); + &human_readable_gss_name, NULL); if (GSS_ERROR(major_status)) { - spnego_log_error("%s Used service principal: %s ", get_gss_error( - r->pool, minor_status, "gss_display_name() failed"), - (u_char *) service.value); + spnego_log_error("%s Used service principal: %s ", + get_gss_error(r->pool, minor_status, + "gss_display_name() failed"), + (u_char *)service.value); } spnego_debug1("my_gss_name %s", human_readable_gss_name.value); - if(alcf->constrained_delegation){ + if (alcf->constrained_delegation) { ngx_str_t service_name = ngx_null_string; - service_name.data = (u_char *) service.value; + service_name.data = (u_char *)service.value; service_name.len = service.length; ngx_http_auth_spnego_obtain_server_credentials( - r, - &service_name, - &alcf->keytab, - &alcf->service_ccache - ); + r, &service_name, &alcf->keytab, &alcf->service_ccache); } /* Obtain credentials */ major_status = gss_acquire_cred( - &minor_status, my_gss_name, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - (alcf->constrained_delegation ? GSS_C_BOTH : GSS_C_ACCEPT), - &my_gss_creds, - NULL, - NULL - ); + &minor_status, my_gss_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, + (alcf->constrained_delegation ? GSS_C_BOTH : GSS_C_ACCEPT), + &my_gss_creds, NULL, NULL); if (GSS_ERROR(major_status)) { - spnego_log_error("%s Used service principal: %s", get_gss_error( - r->pool, minor_status, "gss_acquire_cred() failed"), - (u_char *) service.value); + spnego_log_error("%s Used service principal: %s", + get_gss_error(r->pool, minor_status, + "gss_acquire_cred() failed"), + (u_char *)service.value); spnego_error(NGX_ERROR); } } input_token.length = ctx->token.len; - input_token.value = (void *) ctx->token.data; + input_token.value = (void *)ctx->token.data; - major_status = gss_accept_sec_context(&minor_status, &gss_context, - my_gss_creds, &input_token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, - NULL, &output_token, NULL, NULL, &delegated_creds); + major_status = gss_accept_sec_context( + &minor_status, &gss_context, my_gss_creds, &input_token, + GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL, &output_token, NULL, + NULL, &delegated_creds); if (GSS_ERROR(major_status)) { - spnego_debug1("%s", get_gss_error( - r->pool, minor_status, "gss_accept_sec_context() failed")); + spnego_debug1("%s", get_gss_error(r->pool, minor_status, + "gss_accept_sec_context() failed")); spnego_error(NGX_DECLINED); } @@ -1541,11 +1497,12 @@ ngx_http_auth_spnego_auth_user_gss( } if (output_token.length) { - spnego_token.data = (u_char *) output_token.value; + spnego_token.data = (u_char *)output_token.value; spnego_token.len = output_token.length; ctx->token_out_b64.len = ngx_base64_encoded_length(spnego_token.len); - ctx->token_out_b64.data = ngx_pcalloc(r->pool, ctx->token_out_b64.len + 1); + ctx->token_out_b64.data = + ngx_pcalloc(r->pool, ctx->token_out_b64.len + 1); if (NULL == ctx->token_out_b64.data) { spnego_log_error("Not enough memory"); gss_release_buffer(&minor_status2, &output_token); @@ -1558,10 +1515,11 @@ ngx_http_auth_spnego_auth_user_gss( } /* getting user name at the other end of the request */ - major_status = gss_display_name(&minor_status, client_name, &output_token, NULL); + major_status = + gss_display_name(&minor_status, client_name, &output_token, NULL); if (GSS_ERROR(major_status)) { spnego_log_error("%s", get_gss_error(r->pool, minor_status, - "gss_display_name() failed")); + "gss_display_name() failed")); spnego_error(NGX_ERROR); } @@ -1569,21 +1527,18 @@ ngx_http_auth_spnego_auth_user_gss( /* Apply local rules to map Kerberos Principals to short names */ if (alcf->map_to_local) { gss_OID mech_type = discard_const(gss_mech_krb5); - output_token = (gss_buffer_desc) GSS_C_EMPTY_BUFFER; - major_status = gss_localname(&minor_status, client_name, - mech_type, &output_token); + output_token = (gss_buffer_desc)GSS_C_EMPTY_BUFFER; + major_status = gss_localname(&minor_status, client_name, mech_type, + &output_token); if (GSS_ERROR(major_status)) { spnego_log_error("%s", get_gss_error(r->pool, minor_status, - "gss_localname() failed")); + "gss_localname() failed")); spnego_error(NGX_ERROR); } } /* TOFIX dirty quick trick for now (no "-1" i.e. include '\0' */ - ngx_str_t user = { - output_token.length, - (u_char *) output_token.value - }; + ngx_str_t user = {output_token.length, (u_char *)output_token.value}; r->headers_in.user.data = ngx_pstrdup(r->pool, &user); if (NULL == r->headers_in.user.data) { @@ -1594,8 +1549,10 @@ ngx_http_auth_spnego_auth_user_gss( r->headers_in.user.len = user.len; if (alcf->fqun == 0) { pu = ngx_strlchr(r->headers_in.user.data, - r->headers_in.user.data + r->headers_in.user.len, '@'); - if (pu != NULL && ngx_strncmp(pu + 1, alcf->realm.data, alcf->realm.len) == 0) { + r->headers_in.user.data + r->headers_in.user.len, + '@'); + if (pu != NULL && + ngx_strncmp(pu + 1, alcf->realm.data, alcf->realm.len) == 0) { *pu = '\0'; r->headers_in.user.len = ngx_strlen(r->headers_in.user.data); } @@ -1608,14 +1565,11 @@ ngx_http_auth_spnego_auth_user_gss( spnego_debug1("user is %V", &r->headers_in.user); } - if(alcf->delegate_credentials){ - creds_info creds = { - delegated_creds, - TYPE_GSS_CRED_ID_T - }; + if (alcf->delegate_credentials) { + creds_info creds = {delegated_creds, TYPE_GSS_CRED_ID_T}; ngx_str_t principal_name = ngx_null_string; - principal_name.data = (u_char *) output_token.value; + principal_name.data = (u_char *)output_token.value; principal_name.len = output_token.length; ngx_http_auth_spnego_store_delegated_creds(r, &principal_name, creds); @@ -1648,10 +1602,7 @@ ngx_http_auth_spnego_auth_user_gss( return ret; } - static ngx_int_t -ngx_http_auth_spnego_handler( - ngx_http_request_t * r) -{ +static ngx_int_t ngx_http_auth_spnego_handler(ngx_http_request_t *r) { ngx_int_t ret = NGX_DECLINED; ngx_http_auth_spnego_ctx_t *ctx; ngx_http_auth_spnego_loc_conf_t *alcf; @@ -1676,7 +1627,7 @@ ngx_http_auth_spnego_handler( } spnego_debug3("SSO auth handling IN: token.len=%d, head=%d, ret=%d", - ctx->token.len, ctx->head, ctx->ret); + ctx->token.len, ctx->head, ctx->ret); if (ctx->token.len && ctx->head) { spnego_debug1("Found token and head, returning %d", ctx->ret); @@ -1700,14 +1651,16 @@ ngx_http_auth_spnego_handler( * not fall through to real SPNEGO */ if (NGX_OK != ngx_http_auth_spnego_basic(r, ctx, alcf)) { spnego_debug0("Basic auth failed"); - if (NGX_ERROR == ngx_http_auth_spnego_headers_basic_only(r, ctx, alcf)) { + if (NGX_ERROR == + ngx_http_auth_spnego_headers_basic_only(r, ctx, alcf)) { spnego_debug0("Error setting headers"); return (ctx->ret = NGX_HTTP_INTERNAL_SERVER_ERROR); } return (ctx->ret = NGX_HTTP_UNAUTHORIZED); } - if (!ngx_spnego_authorized_principal(r, &r->headers_in.user, alcf)) { + if (!ngx_spnego_authorized_principal(r, &r->headers_in.user, + alcf)) { spnego_debug0("User not authorized"); return (ctx->ret = NGX_HTTP_FORBIDDEN); } @@ -1732,10 +1685,11 @@ ngx_http_auth_spnego_handler( * back to basic here... */ if (NGX_DECLINED == ret) { spnego_debug0("GSSAPI failed"); - if(!alcf->allow_basic) { + if (!alcf->allow_basic) { return (ctx->ret = NGX_HTTP_FORBIDDEN); } - if (NGX_ERROR == ngx_http_auth_spnego_headers_basic_only(r, ctx, alcf)) { + if (NGX_ERROR == + ngx_http_auth_spnego_headers_basic_only(r, ctx, alcf)) { spnego_debug0("Error setting headers"); return (ctx->ret = NGX_HTTP_INTERNAL_SERVER_ERROR); } @@ -1751,26 +1705,27 @@ ngx_http_auth_spnego_handler( } ngx_str_t *token_out_b64 = NULL; - switch(ret) { - case NGX_DECLINED: /* DECLINED, but not yet FORBIDDEN */ - ctx->ret = NGX_HTTP_UNAUTHORIZED; - break; - case NGX_OK: - ctx->ret = NGX_OK; - token_out_b64 = &ctx->token_out_b64; - break; - case NGX_ERROR: - default: - ctx->ret = NGX_HTTP_INTERNAL_SERVER_ERROR; - break; - } - - if (NGX_ERROR == ngx_http_auth_spnego_headers(r, ctx, token_out_b64, alcf)) { + switch (ret) { + case NGX_DECLINED: /* DECLINED, but not yet FORBIDDEN */ + ctx->ret = NGX_HTTP_UNAUTHORIZED; + break; + case NGX_OK: + ctx->ret = NGX_OK; + token_out_b64 = &ctx->token_out_b64; + break; + case NGX_ERROR: + default: + ctx->ret = NGX_HTTP_INTERNAL_SERVER_ERROR; + break; + } + + if (NGX_ERROR == + ngx_http_auth_spnego_headers(r, ctx, token_out_b64, alcf)) { spnego_debug0("Error setting headers"); ctx->ret = NGX_HTTP_INTERNAL_SERVER_ERROR; } spnego_debug3("SSO auth handling OUT: token.len=%d, head=%d, ret=%d", - ctx->token.len, ctx->head, ctx->ret); + ctx->token.len, ctx->head, ctx->ret); return ctx->ret; }