[mod_auth_kerb] Add support for Constrained Delegation/S4U2Proxy (#767740) - scm-commits - Fedora mailing-lists

31 Jan 2012

commit 8a0f0082e7699aa145410ddf3c17624f80dab980
Author: Rob Crittenden rcritten@redhat.com
Date:   Tue Jan 31 15:43:18 2012 -0500
Add support for Constrained Delegation/S4U2Proxy (#767740)
The S4U2Proxy patch includes locking code inspired by mod_rewrite
    so the ASL license is being added.
LICENSE.ASL                       |  201 +++++++++++++
 mod_auth_kerb-5.4-s4u2proxy.patch |  570 +++++++++++++++++++++++++++++++++++++
 mod_auth_kerb.spec                |   15 +-
 3 files changed, 783 insertions(+), 3 deletions(-)
---

diff --git a/LICENSE.ASL b/LICENSE.ASL
new file mode 100644
index 0000000..261eeb9
--- /dev/null
+++ b/LICENSE.ASL
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/mod_auth_kerb-5.4-s4u2proxy.patch b/mod_auth_kerb-5.4-s4u2proxy.patch
new file mode 100644
index 0000000..d1793c6
--- /dev/null
+++ b/mod_auth_kerb-5.4-s4u2proxy.patch
@@ -0,0 +1,570 @@
+diff -up --recursive mod_auth_kerb-5.4.orig/README mod_auth_kerb-5.4/README
+--- mod_auth_kerb-5.4.orig/README	2008-11-26 11:51:05.000000000 -0500
++++ mod_auth_kerb-5.4/README	2012-01-04 11:17:22.000000000 -0500
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be 
+ credential cache that will be available for the request handler. The ticket
+ file will be removed after request is handled.
+ 
++Constrained Delegation
++----------------------
++S4U2Proxy, or constrained delegation, enables a service to use a client's
++ticket to itself to request another ticket for delegation. The KDC
++checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
++If KrbConstrainedDelegation is enabled the server will use its own credentials
++to retrieve a delegated ticket for the user. For this to work the user must
++have a forwardable ticket (though the delegation flag need not be set).
++The server needs a valid credentials cache for this to work.
++
++The module itself will obtain and manage the necessary credentials.
++
+ $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
+diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c	2011-12-09 17:55:05.000000000 -0500
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c	2012-01-31 15:05:47.000000000 -0500
+@@ -42,6 +42,31 @@
+  * POSSIBILITY OF SUCH DAMAGE.
+  */
+ 
++/*
++ * Locking mechanism inspired by mod_rewrite.
++ *
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *     http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++/*
++ * S4U2Proxy code
++ *
++ * Copyright (C) 2012  Red Hat
++ */
++
+ #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
+ 
+ #include "config.h"
+@@ -49,6 +74,7 @@
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <stdarg.h>
++#include <unixd.h>
+ 
+ #define MODAUTHKERB_VERSION "5.4"
+ 
+@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_
+ module auth_kerb_module;
+ #endif
+ 
++#ifdef STANDARD20_MODULE_STUFF
++/* s4u2proxy only supported in 2.0+ */
++static const char *lockname;
++static apr_global_mutex_t *s4u2proxy_lock = NULL;
++#endif
++
+ /*************************************************************************** 
+  Macros To Ease Compatibility
+  ***************************************************************************/
+@@ -165,6 +197,7 @@ typedef struct {
+ 	int krb_method_gssapi;
+ 	int krb_method_k5pass;
+ 	int krb5_do_auth_to_local;
++       int krb5_s4u2proxy;
+ #endif
+ #ifdef KRB4
+ 	char *krb_4_srvtab;
+@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co
+ 
+ static const char*
+ krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
++
++static int
++obtain_server_credentials(request_rec *r, const char *service_name);
+ 
+ #ifdef STANDARD20_MODULE_STUFF
+ #define command(name, func, var, type, usage)           \
+@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[
+ 
+    command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
+      FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
++
++   command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
++     FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
++
++    AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
++     RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
+ #endif 
+ 
+ #ifdef KRB4
+@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P
+ #endif
+ #ifdef KRB5
+   ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
++	((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
+ 	((kerb_auth_config *)rec)->krb_method_k5pass = 1;
+ 	((kerb_auth_config *)rec)->krb_method_gssapi = 1;
+ #endif
+@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v
+    return NULL;
+ }
+ 
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
++{
++    const char *error;
++
++    if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
++        return error;
++
++    /* fixup the path, especially for s4u2proxylock_remove() */
++    lockname = ap_server_root_relative(cmd->pool, a1);
++
++    if (!lockname) {
++        return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
++    }
++
++    return NULL;
++}
++
+ static void
+ log_rerror(const char *file, int line, int level, int status,
+            const request_rec *r, const char *fmt, ...)
+@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r,
+    gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+    OM_uint32 major_status, minor_status, minor_status2;
+    gss_name_t server_name = GSS_C_NO_NAME;
++   gss_cred_usage_t usage = GSS_C_ACCEPT;
+    char buf[1024];
+    int have_server_princ;
+ 
+@@ -1212,10 +1276,13 @@ get_gss_creds(request_rec *r,
+ 
+    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
+ 	      token.value);
++   if (conf->krb5_s4u2proxy)
++       usage = GSS_C_BOTH;
++       obtain_server_credentials(r, conf->krb_service_name);
+    gss_release_buffer(&minor_status, &token);
+    
+    major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
+-			           GSS_C_NO_OID_SET, GSS_C_ACCEPT,
++			           GSS_C_NO_OID_SET, usage,
+ 				   server_creds, NULL, NULL);
+    gss_release_name(&minor_status2, &server_name);
+    if (GSS_ERROR(major_status)) {
+@@ -1257,6 +1324,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+ }
+ #endif
+ 
++/* Renew the ticket if it will expire in under a minute */
++#define RENEWAL_TIME 60
++
++/*
++ * Services4U2Proxy lets a server prinicipal request another service
++ * principal on behalf of a user. To do this the Apache service needs
++ * to have its own ccache. This will ensure that the ccache has a valid
++ * principal and will initialize or renew new credentials when needed.
++ */
++
++static int
++verify_server_credentials(request_rec *r,
++                          krb5_context kcontext,
++                          krb5_ccache ccache,
++                          krb5_principal princ,
++                          int *renew
++)
++{
++    krb5_creds match_cred;
++    krb5_creds creds;
++    char * princ_name = NULL;
++    char *tgs_princ_name = NULL;
++    krb5_timestamp now;
++    krb5_error_code kerr = 0;
++
++    *renew = 0;
++
++    memset (&match_cred, 0, sizeof(match_cred));
++    memset (&creds, 0, sizeof(creds));
++
++    if (NULL == ccache || NULL == princ) {
++        /* Nothing to verify */
++        *renew = 1;
++        goto cleanup;
++    }
++
++    if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Could not unparse principal %s (%d)",
++                   error_message(kerr), kerr);
++        goto cleanup;
++    }
++
++    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++        "Using principal %s for s4u2proxy", princ_name);
++
++    tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++                                  krb5_princ_realm(kcontext, princ)->length,
++                                  krb5_princ_realm(kcontext, princ)->data,
++                                  krb5_princ_realm(kcontext, princ)->length,
++                                  krb5_princ_realm(kcontext, princ)->data);
++
++    if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server))) 
++    {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                        "Could not parse principal %s: %s (%d)",
++                        tgs_princ_name, error_message(kerr), kerr);
++        goto cleanup;
++    }
++
++    match_cred.client = princ;
++
++    if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
++    {
++        krb5_unparse_name(kcontext, princ, &princ_name);
++        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                   "Could not unparse principal %s: %s (%d)",
++                   princ_name, error_message(kerr), kerr);
++        goto cleanup;
++    }
++
++    if ((kerr = krb5_timeofday(kcontext, &now))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                        "Could not get current time: %d (%s)",
++                        kerr, error_message(kerr));
++        goto cleanup;
++    }
++
++    if (now > (creds.times.endtime + RENEWAL_TIME)) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Credentials for %s have expired or will soon "
++                   "expire - now %d endtime %d",
++                   princ_name, now, creds.times.endtime);
++        *renew = 1;
++    } else {
++        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                   "Credentials for %s will expire at "
++                   "%d, it is now %d", princ_name, creds.times.endtime, now);
++    }
++
++cleanup:
++    /* Closing context, ccache, etc happens elsewhere */
++    if (match_cred.server) {
++        krb5_free_principal(kcontext, match_cred.server);
++    }
++    if (creds.client) {
++        krb5_free_cred_contents(kcontext, &creds);
++    }
++
++    return kerr;
++}
++
++static int
++obtain_server_credentials(request_rec *r,
++                          const char *service_name)
++{
++    krb5_context kcontext = NULL;
++    krb5_keytab keytab = NULL;
++    krb5_ccache ccache = NULL;
++    char * princ_name = NULL;
++    char *tgs_princ_name = NULL;
++    krb5_error_code kerr = 0;
++    krb5_principal princ = NULL;
++    krb5_creds creds;
++    krb5_get_init_creds_opt gicopts;
++    int renew = 0;
++    apr_status_t rv = 0;
++
++    memset(&creds, 0, sizeof(creds));
++
++    if ((kerr = krb5_init_context(&kcontext))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++            "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
++        goto done;
++    }
++
++    if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                        "Could not get default Kerberos ccache: %s (%d)",
++                        error_message(kerr), kerr);
++        goto done;
++    }
++
++    if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
++        char * name = NULL;
++
++        if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
++          krb5_cc_get_name(kcontext, ccache))) == -1) {
++            kerr = KRB5_CC_NOMEM;
++            goto done;
++        }
++
++        if (KRB5_FCC_NOFILE == kerr) {
++            log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                       "Credentials cache %s not found, create one", name);
++            krb5_cc_close(kcontext, ccache);
++            ccache = NULL;
++            free(name);
++        } else {
++            log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                       "Failure to open credentials cache %s: %s (%d)",
++                       name, error_message(kerr), kerr);
++            free(name);
++            goto done;
++        }
++    }
++
++    kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++
++    if (kerr || !renew) {
++        goto done;
++    }
++
++#ifdef STANDARD20_MODULE_STUFF
++    if (s4u2proxy_lock) {
++        rv = apr_global_mutex_lock(s4u2proxy_lock);
++        if (rv != APR_SUCCESS) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++                          "apr_global_mutex_lock(s4u2proxy_lock) "
++                          "failed");
++        }
++    }
++#endif
++
++    /* We have the lock, check again to be sure another process hasn't already
++     * renewed the ticket.
++     */
++    kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++    if (kerr || !renew) {
++        goto unlock;
++    }
++
++    if (NULL == princ) {
++        princ_name = apr_psprintf(r->pool, "%s/%s",
++            (service_name) ? service_name : SERVICE_NAME,
++            ap_get_server_name(r));
++
++        if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
++            log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                       "Could not parse principal %s: %s (%d) ",
++                       princ_name, error_message(kerr), kerr);
++            goto unlock;
++        }
++    } else if (NULL == princ_name) {
++        if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++            log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                       "Could not unparse principal %s: %s (%d)",
++                       princ_name, error_message(kerr), kerr);
++            goto unlock;
++        }
++    }
++
++    if ((kerr = krb5_kt_default(kcontext, &keytab))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Unable to get default keytab: %s (%d)",
++                   error_message(kerr), kerr);
++        goto unlock;
++    }
++
++    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++               "Obtaining new credentials for %s", princ_name);
++    krb5_get_init_creds_opt_init(&gicopts);
++    krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
++
++    tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++                                  krb5_princ_realm(kcontext, princ)->length,
++                                  krb5_princ_realm(kcontext, princ)->data,
++                                  krb5_princ_realm(kcontext, princ)->length,
++                                  krb5_princ_realm(kcontext, princ)->data);
++
++    if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
++         0, tgs_princ_name, &gicopts))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Failed to obtain credentials for principal %s: "
++                   "%s (%d)", princ_name, error_message(kerr), kerr);
++        goto unlock;
++    }
++
++    krb5_kt_close(kcontext, keytab);
++    keytab = NULL;
++
++    if (NULL == ccache) {
++        if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++            log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                      "Failed to open default ccache: %s (%d)",
++                      error_message(kerr), kerr);
++            goto unlock;
++        }
++    }
++
++    if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Failed to initialize ccache for %s: %s (%d)",
++                   princ_name, error_message(kerr), kerr);
++        goto unlock;
++    }
++
++    if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Failed to store %s in ccache: %s (%d)",
++                   princ_name, error_message(kerr), kerr);
++        goto unlock;
++    }
++
++unlock:
++#ifdef STANDARD20_MODULE_STUFF
++    if (s4u2proxy_lock) {
++        apr_global_mutex_unlock(s4u2proxy_lock);
++        if (rv != APR_SUCCESS) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++                          "apr_global_mutex_unlock(s4u2proxy_lock) "
++                          "failed");
++        }
++    }
++#endif
++
++done:
++    if (0 == kerr)
++        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                   "Done obtaining credentials for s4u2proxy");
++    else
++        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                   "Failed to obtain credentials for s4u2proxy");
++
++    if (creds.client) {
++        krb5_free_cred_contents(kcontext, &creds);
++    }
++    if (ccache) {
++        krb5_cc_close(kcontext, ccache);
++    }
++    if (kcontext) {
++        krb5_free_context(kcontext);
++    }
++
++    return kerr;
++}
++
+ static int
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ 		      const char *auth_line, char **negotiate_ret_value)
+@@ -1697,10 +2051,60 @@ have_rcache_type(const char *type)
+ /*************************************************************************** 
+  Module Setup/Configuration
+  ***************************************************************************/
++#ifdef STANDARD20_MODULE_STUFF
++static apr_status_t
++s4u2proxylock_create(server_rec *s, apr_pool_t *p)
++{
++    apr_status_t rc;
++
++    /* only operate if a lockfile is used */
++    if (lockname == NULL || *(lockname) == '\0') {
++        return APR_SUCCESS;
++    }
++
++    /* create the lockfile */
++    rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
++                                 APR_LOCK_DEFAULT, p);
++    if (rc != APR_SUCCESS) {
++        ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++                     "Parent could not create lock file %s", lockname);
++        return rc;
++    }
++
++#ifdef AP_NEED_SET_MUTEX_PERMS
++    rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
++    if (rc != APR_SUCCESS) {
++        ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++                     "mod_auth_kerb: Parent could not set permissions "
++                     "on lock; check User and Group directives");
++        return rc;
++    }
++#endif
++
++    return APR_SUCCESS;
++}
++
++static apr_status_t
++s4u2proxylock_remove(void *unused)
++{
++    /* only operate if a lockfile is used */
++    if (lockname == NULL || *(lockname) == '\0') {
++        return APR_SUCCESS;
++    }
++
++    /* destroy the rewritelock */
++    apr_global_mutex_destroy(s4u2proxy_lock);
++    s4u2proxy_lock = NULL;
++    lockname = NULL;
++    return APR_SUCCESS;
++}
++#endif
++
+ #ifndef STANDARD20_MODULE_STUFF
+ static void
+ kerb_module_init(server_rec *dummy, pool *p)
+ {
++   apr_status_t status;
+ #ifndef HEIMDAL
+    /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
+       1.3.x are covered by the hack overiding the replay calls */
+@@ -1741,6 +2145,7 @@ static int
+ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
+       		  apr_pool_t *ptemp, server_rec *s)
+ {
++   apr_status_t rv;
+    ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
+ #ifndef HEIMDAL
+    /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
+@@ -1748,14 +2153,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
+    if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+       putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
++#ifdef STANDARD20_MODULE_STUFF
++    rv = s4u2proxylock_create(s, p);
++    if (rv != APR_SUCCESS) {
++        return HTTP_INTERNAL_SERVER_ERROR;
++    }
++
++    apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
++                              apr_pool_cleanup_null);
++#endif
+    
+    return OK;
+ }
+ 
+ static void
++initialize_child(apr_pool_t *p, server_rec *s)
++{
++    apr_status_t rv = 0;
++
++#ifdef STANDARD20_MODULE_STUFF
++    if (lockname != NULL && *(lockname) != '\0') {
++        rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
++        if (rv != APR_SUCCESS) {
++            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
++                         "mod_auth_kerb: could not init s4u2proxy_lock"
++                         " in child");
++        }
++    }
++#endif
++}
++
++static void
+ kerb_register_hooks(apr_pool_t *p)
+ {
+    ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
++   ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
+ }
+ 
diff --git a/mod_auth_kerb.spec b/mod_auth_kerb.spec
index d10d99c..eb42c2f 100644
--- a/mod_auth_kerb.spec
+++ b/mod_auth_kerb.spec
@@ -2,14 +2,16 @@
 Summary: Kerberos authentication module for HTTP
 Name: mod_auth_kerb
 Version: 5.4
-Release: 8%{?dist}
-License: BSD and MIT
+Release: 9%{?dist}
+License: BSD and MIT and ASL 2.0
 Group: System Environment/Daemons
 URL: http://modauthkerb.sourceforge.net/
 Source0: http://downloads.sourceforge.net/modauthkerb/%%7Bname%7D-%%7Bversion%7D.tar....
 Source1: auth_kerb.conf
+Source2: LICENSE.ASL
 Patch1: mod_auth_kerb-5.4-rcopshack.patch
 Patch2: mod_auth_kerb-5.4-fixes.patch
+Patch3: mod_auth_kerb-5.4-s4u2proxy.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: httpd-devel, krb5-devel
 Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing)
@@ -24,6 +26,7 @@ authentication based on ticket exchanges.
 %setup -q -n %{name}-%{version}
 %patch1 -p1 -b .rcopshack
 %patch2 -p1 -b .fixes
+%patch3 -p1 -b .s4u2proxy
%build
 %configure --without-krb4 --with-krb5=%{_prefix} \
@@ -39,16 +42,22 @@ install -m 755 src/.libs/mod_auth_kerb.so \
 install -p -m 644 %{SOURCE1} \
         $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/auth_kerb.conf
+# Copy the license files here so we can include them in %doc
+cp -p %{SOURCE2} .
+
 %clean
 rm -rf $RPM_BUILD_ROOT
%files
 %defattr(-,root,root,-)
-%doc README
+%doc README LICENSE.ASL
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/auth_kerb.conf
 %{_libdir}/httpd/modules/*.so
%changelog
+* Tue Jan 31 2012 Rob Crittenden rcritten@redhat.com - 5.4-9
+- Add support for Constrained Delegation/su42proxy (#767740)
+
 * Fri Jan 13 2012 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 5.4-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

    