base/SOURCES/Allow-connection-to-self-wh...

From 0e04be2c1398dac40c50910a59157eed0ad5a7e4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 14 Mar 2017 10:43:17 -0400
Subject: [PATCH] Allow connection to self when impersonator set

If the target of a context establishment is the impersonator itself,
then allow it. This kind of context establishment is used by tools like
mod_auth_gssapi to be able to inspect the ticket just obtained via
impersonation and it is basically a noop as the acceptor and the
impersonator are the same entitiy.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Merges: #172
(cherry picked from commit eada55e831d12b42d3be3a555ff4e133bed7f594)
---
 proxy/src/gp_creds.c                | 57 ++++++++++++++++++++++++++++++++-----
 proxy/src/gp_rpc_creds.h            |  3 +-
 proxy/src/gp_rpc_init_sec_context.c |  2 +-
 proxy/tests/t_impersonate.py        | 35 ++++++++++++++++-------
 4 files changed, 78 insertions(+), 19 deletions(-)

diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 95a1c48..7d89b06 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -883,7 +883,8 @@ static uint32_t get_impersonator_name(uint32_t *min, gss_cred_id_t cred,
         }
     } else if (ret_maj == GSS_S_UNAVAILABLE) {
         /* Not supported by krb5 library yet, fallback to raw krb5 calls */
-        /* TODO: Remove once we set a required dependency on MIT 1.15+ */
+        /* TODO: Remove once we set a minimum required dependency on a
+         * release that supports this call */
         ret_maj = get_impersonator_fallback(&ret_min, cred, impersonator);
         if (ret_maj == GSS_S_FAILURE) {
             if (ret_min == KRB5_CC_NOTFOUND) {
@@ -899,9 +900,47 @@ done:
     return ret_maj;
 }
 
+static uint32_t check_impersonator_name(uint32_t *min,
+                                        gss_name_t target_name,
+                                        const char *impersonator)
+{
+    gss_name_t canon_name = NULL;
+    gss_buffer_desc buf;
+    uint32_t ret_maj = 0;
+    uint32_t ret_min = 0;
+    uint32_t discard;
+    bool match;
+
+    ret_maj = gss_canonicalize_name(&discard, target_name, &gp_mech_krb5,
+                                    &canon_name);
+    if (ret_maj != GSS_S_COMPLETE) {
+        *min = ret_min;
+        return ret_maj;
+    }
+
+    ret_maj = gss_display_name(&discard, canon_name, &buf, NULL);
+    gss_release_name(&discard, &canon_name);
+    if (ret_maj != GSS_S_COMPLETE) {
+        *min = ret_min;
+        return ret_maj;
+    }
+
+    match = (strncmp(impersonator, buf.value, buf.length) == 0) &&
+            (strlen(impersonator) == buf.length);
+    gss_release_buffer(&discard, &buf);
+
+    *min = 0;
+    if (match) {
+        return GSS_S_COMPLETE;
+    } else {
+        return GSS_S_UNAUTHORIZED;
+    }
+}
+
 uint32_t gp_cred_allowed(uint32_t *min,
                          struct gp_call_ctx *gpcall,
-                         gss_cred_id_t cred)
+                         gss_cred_id_t cred,
+                         gss_name_t target_name)
 {
     char *impersonator = NULL;
     uint32_t ret_maj = 0;
@@ -924,11 +963,11 @@ uint32_t gp_cred_allowed(uint32_t *min,
     if (ret_maj) goto done;
 
     /* if we find an impersonator entry we bail as that is not authorized,
-     * if it were then gpcall->service->allow_const_deleg would have caused
-     * the ealier check to return GSS_S_COMPLETE already */
+     * *unless* the target is the impersonator itself! If the operation
+     * were authorized then gpcall->service->allow_const_deleg would have
+     * caused the ealier check to return GSS_S_COMPLETE already */
     if (impersonator != NULL) {
-        ret_min = 0;
-        ret_maj = GSS_S_UNAUTHORIZED;
+        ret_maj = check_impersonator_name(&ret_min, target_name, impersonator);
     }
 
 done:
@@ -937,7 +976,11 @@ done:
         GPDEBUGN(2, "Unauthorized impersonator credentials detected\n");
         break;
     case GSS_S_COMPLETE:
-        GPDEBUGN(2, "No impersonator credentials detected\n");
+        if (impersonator) {
+            GPDEBUGN(2, "Credentials allowed for 'self'\n");
+        } else {
+            GPDEBUGN(2, "No impersonator credentials detected\n");
+        }
         break;
     default:
         GPDEBUG("Failure while checking credentials\n");
diff --git a/proxy/src/gp_rpc_creds.h b/proxy/src/gp_rpc_creds.h
index 54fe482..c116e53 100644
--- a/proxy/src/gp_rpc_creds.h
+++ b/proxy/src/gp_rpc_creds.h
@@ -34,7 +34,8 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
 
 uint32_t gp_cred_allowed(uint32_t *min,
                          struct gp_call_ctx *gpcall,
-                         gss_cred_id_t cred);
+                         gss_cred_id_t cred,
+                         gss_name_t target_name);
 
 void gp_filter_flags(struct gp_call_ctx *gpcall, uint32_t *flags);
 
diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c
index 767a3ff..413e2ec 100644
--- a/proxy/src/gp_rpc_init_sec_context.c
+++ b/proxy/src/gp_rpc_init_sec_context.c
@@ -108,7 +108,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
         }
     }
 
-    ret_maj = gp_cred_allowed(&ret_min, gpcall, ich);
+    ret_maj = gp_cred_allowed(&ret_min, gpcall, ich, target_name);
     if (ret_maj) {
         goto done;
     }
diff --git a/proxy/tests/t_impersonate.py b/proxy/tests/t_impersonate.py
index 3e25962..29f9a41 100755
--- a/proxy/tests/t_impersonate.py
+++ b/proxy/tests/t_impersonate.py
@@ -34,19 +34,20 @@ IMPERSONATE_CONF_TEMPLATE = '''
 
 '''
 
-def run_cmd(testdir, env, conf, name, socket, cmd, expected_failure):
+def run_cmd(testdir, env, conf, name, socket, cmd, keytab, expected_failure):
 
     logfile = conf['logfile']
     testenv = env.copy()
     testenv.update({'KRB5CCNAME': os.path.join(testdir, 't' + conf['prefix'] +
                                                '_impersonate.ccache'),
-                    'KRB5_KTNAME': os.path.join(testdir, PROXY_KTNAME),
+                    'KRB5_KTNAME': os.path.join(testdir, keytab),
                     'KRB5_TRACE': os.path.join(testdir, 't' + conf['prefix'] +
                                                '_impersonate.trace'),
                     'GSS_USE_PROXY': 'yes',
                     'GSSPROXY_SOCKET': socket,
                     'GSSPROXY_BEHAVIOR': 'REMOTE_FIRST'})
 
+    print("\nTesting: [%s]" % (name,), file=logfile)
     print("[COMMAND]\n%s\n[ENVIRONMENT]\n%s\n" % (cmd, testenv), file=logfile)
     logfile.flush()
 
@@ -74,45 +75,59 @@ def run(testdir, env, conf):
     rets = []
 
     # Test all permitted
+    msg = "Impersonate"
     socket = os.path.join(testdir, 'impersonate.socket')
     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
            path_prefix + 'impersonate.cache']
-    r = run_cmd(testdir, env, conf, "Impersonate", socket, cmd, False)
+    r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)
     rets.append(r)
 
-    #Test fail
+    #Test self fail
+    msg = "Impersonate fail self"
     socket = os.path.join(testdir, 'impersonate-proxyonly.socket')
     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
            path_prefix + 'impersonate.cache']
-    r = run_cmd(testdir, env, conf, "Impersonate fail self", socket, cmd, True)
+    r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)
     rets.append(r)
 
-    #Test fail
+    #Test proxy fail
+    msg = "Impersonate fail proxy"
     socket = os.path.join(testdir, 'impersonate-selfonly.socket')
     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
            path_prefix + 'impersonate.cache']
-    r = run_cmd(testdir, env, conf, "Impersonate fail proxy", socket, cmd, True)
+    r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)
     rets.append(r)
 
     #Test s4u2self half succeed
+    msg = "s4u2self delegation"
     socket = os.path.join(testdir, 'impersonate-selfonly.socket')
     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
            path_prefix + 'impersonate.cache', 's4u2self']
-    r = run_cmd(testdir, env, conf, "s4u2self delegation", socket, cmd, False)
+    r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)
+    rets.append(r)
+
+    #Test proxy to self succeed
+    msg = "Impersonate to self"
+    socket = os.path.join(testdir, 'impersonate-selfonly.socket')
+    cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, HOST_GSS,
+           path_prefix + 'impersonate.cache', 's4u2proxy']
+    r = run_cmd(testdir, env, conf, msg, socket, cmd, SVC_KTNAME, False)
     rets.append(r)
 
     #Test s4u2proxy half fail
+    msg = "s4u2proxy fail"
     socket = os.path.join(testdir, 'impersonate-selfonly.socket')
     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
            path_prefix + 'impersonate.cache', 's4u2proxy']
-    r = run_cmd(testdir, env, conf, "s4u2proxy fail", socket, cmd, True)
+    r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)
     rets.append(r)
 
     #Test s4u2proxy half succeed
+    msg = "s4u2proxy"
     socket = os.path.join(testdir, 'impersonate-proxyonly.socket')
     cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,
            path_prefix + 'impersonate.cache', 's4u2proxy']
-    r = run_cmd(testdir, env, conf, "s4u2proxy", socket, cmd, False)
+    r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)
     rets.append(r)
 
     # Reset back gssproxy conf
gssproxy package update Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org> 7 years ago			`From 0e04be2c1398dac40c50910a59157eed0ad5a7e4 Mon Sep 17 00:00:00 2001`
			`From: Simo Sorce <simo@redhat.com>`
			`Date: Tue, 14 Mar 2017 10:43:17 -0400`
			`Subject: [PATCH] Allow connection to self when impersonator set`

			`If the target of a context establishment is the impersonator itself,`
			`then allow it. This kind of context establishment is used by tools like`
			`mod_auth_gssapi to be able to inspect the ticket just obtained via`
			`impersonation and it is basically a noop as the acceptor and the`
			`impersonator are the same entitiy.`

			`Signed-off-by: Simo Sorce <simo@redhat.com>`
			`Reviewed-by: Robbie Harwood <rharwood@redhat.com>`
			`Merges: #172`
			`(cherry picked from commit eada55e831d12b42d3be3a555ff4e133bed7f594)`
			`---`
			`proxy/src/gp_creds.c \| 57 ++++++++++++++++++++++++++++++++-----`
			`proxy/src/gp_rpc_creds.h \| 3 +-`
			`proxy/src/gp_rpc_init_sec_context.c \| 2 +-`
			`proxy/tests/t_impersonate.py \| 35 ++++++++++++++++-------`
			`4 files changed, 78 insertions(+), 19 deletions(-)`

			`diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c`
			`index 95a1c48..7d89b06 100644`
			`--- a/proxy/src/gp_creds.c`
			`+++ b/proxy/src/gp_creds.c`
			`@@ -883,7 +883,8 @@ static uint32_t get_impersonator_name(uint32_t *min, gss_cred_id_t cred,`
			`}`
			`} else if (ret_maj == GSS_S_UNAVAILABLE) {`
			`/* Not supported by krb5 library yet, fallback to raw krb5 calls */`
			`- /* TODO: Remove once we set a required dependency on MIT 1.15+ */`
			`+ /* TODO: Remove once we set a minimum required dependency on a`
			`+ * release that supports this call */`
			`ret_maj = get_impersonator_fallback(&ret_min, cred, impersonator);`
			`if (ret_maj == GSS_S_FAILURE) {`
			`if (ret_min == KRB5_CC_NOTFOUND) {`
			`@@ -899,9 +900,47 @@ done:`
			`return ret_maj;`
			`}`

			`+static uint32_t check_impersonator_name(uint32_t *min,`
			`+ gss_name_t target_name,`
			`+ const char *impersonator)`
			`+{`
			`+ gss_name_t canon_name = NULL;`
			`+ gss_buffer_desc buf;`
			`+ uint32_t ret_maj = 0;`
			`+ uint32_t ret_min = 0;`
			`+ uint32_t discard;`
			`+ bool match;`
			`+`
			`+ ret_maj = gss_canonicalize_name(&discard, target_name, &gp_mech_krb5,`
			`+ &canon_name);`
			`+ if (ret_maj != GSS_S_COMPLETE) {`
			`+ *min = ret_min;`
			`+ return ret_maj;`
			`+ }`
			`+`
			`+ ret_maj = gss_display_name(&discard, canon_name, &buf, NULL);`
			`+ gss_release_name(&discard, &canon_name);`
			`+ if (ret_maj != GSS_S_COMPLETE) {`
			`+ *min = ret_min;`
			`+ return ret_maj;`
			`+ }`
			`+`
			`+ match = (strncmp(impersonator, buf.value, buf.length) == 0) &&`
			`+ (strlen(impersonator) == buf.length);`
			`+ gss_release_buffer(&discard, &buf);`
			`+`
			`+ *min = 0;`
			`+ if (match) {`
			`+ return GSS_S_COMPLETE;`
			`+ } else {`
			`+ return GSS_S_UNAUTHORIZED;`
			`+ }`
			`+}`
			`+`
			`uint32_t gp_cred_allowed(uint32_t *min,`
			`struct gp_call_ctx *gpcall,`
			`- gss_cred_id_t cred)`
			`+ gss_cred_id_t cred,`
			`+ gss_name_t target_name)`
			`{`
			`char *impersonator = NULL;`
			`uint32_t ret_maj = 0;`
			`@@ -924,11 +963,11 @@ uint32_t gp_cred_allowed(uint32_t *min,`
			`if (ret_maj) goto done;`

			`/* if we find an impersonator entry we bail as that is not authorized,`
			`- * if it were then gpcall->service->allow_const_deleg would have caused`
			`- * the ealier check to return GSS_S_COMPLETE already */`
			`+ * unless the target is the impersonator itself! If the operation`
			`+ * were authorized then gpcall->service->allow_const_deleg would have`
			`+ * caused the ealier check to return GSS_S_COMPLETE already */`
			`if (impersonator != NULL) {`
			`- ret_min = 0;`
			`- ret_maj = GSS_S_UNAUTHORIZED;`
			`+ ret_maj = check_impersonator_name(&ret_min, target_name, impersonator);`
			`}`

			`done:`
			`@@ -937,7 +976,11 @@ done:`
			`GPDEBUGN(2, "Unauthorized impersonator credentials detected\n");`
			`break;`
			`case GSS_S_COMPLETE:`
			`- GPDEBUGN(2, "No impersonator credentials detected\n");`
			`+ if (impersonator) {`
			`+ GPDEBUGN(2, "Credentials allowed for 'self'\n");`
			`+ } else {`
			`+ GPDEBUGN(2, "No impersonator credentials detected\n");`
			`+ }`
			`break;`
			`default:`
			`GPDEBUG("Failure while checking credentials\n");`
			`diff --git a/proxy/src/gp_rpc_creds.h b/proxy/src/gp_rpc_creds.h`
			`index 54fe482..c116e53 100644`
			`--- a/proxy/src/gp_rpc_creds.h`
			`+++ b/proxy/src/gp_rpc_creds.h`
			`@@ -34,7 +34,8 @@ uint32_t gp_add_krb5_creds(uint32_t *min,`

			`uint32_t gp_cred_allowed(uint32_t *min,`
			`struct gp_call_ctx *gpcall,`
			`- gss_cred_id_t cred);`
			`+ gss_cred_id_t cred,`
			`+ gss_name_t target_name);`

			`void gp_filter_flags(struct gp_call_ctx gpcall, uint32_t flags);`

			`diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c`
			`index 767a3ff..413e2ec 100644`
			`--- a/proxy/src/gp_rpc_init_sec_context.c`
			`+++ b/proxy/src/gp_rpc_init_sec_context.c`
			`@@ -108,7 +108,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,`
			`}`
			`}`

			`- ret_maj = gp_cred_allowed(&ret_min, gpcall, ich);`
			`+ ret_maj = gp_cred_allowed(&ret_min, gpcall, ich, target_name);`
			`if (ret_maj) {`
			`goto done;`
			`}`
			`diff --git a/proxy/tests/t_impersonate.py b/proxy/tests/t_impersonate.py`
			`index 3e25962..29f9a41 100755`
			`--- a/proxy/tests/t_impersonate.py`
			`+++ b/proxy/tests/t_impersonate.py`
			`@@ -34,19 +34,20 @@ IMPERSONATE_CONF_TEMPLATE = '''`

			`'''`

			`-def run_cmd(testdir, env, conf, name, socket, cmd, expected_failure):`
			`+def run_cmd(testdir, env, conf, name, socket, cmd, keytab, expected_failure):`

			`logfile = conf['logfile']`
			`testenv = env.copy()`
			`testenv.update({'KRB5CCNAME': os.path.join(testdir, 't' + conf['prefix'] +`
			`'_impersonate.ccache'),`
			`- 'KRB5_KTNAME': os.path.join(testdir, PROXY_KTNAME),`
			`+ 'KRB5_KTNAME': os.path.join(testdir, keytab),`
			`'KRB5_TRACE': os.path.join(testdir, 't' + conf['prefix'] +`
			`'_impersonate.trace'),`
			`'GSS_USE_PROXY': 'yes',`
			`'GSSPROXY_SOCKET': socket,`
			`'GSSPROXY_BEHAVIOR': 'REMOTE_FIRST'})`

			`+ print("\nTesting: [%s]" % (name,), file=logfile)`
			`print("[COMMAND]\n%s\n[ENVIRONMENT]\n%s\n" % (cmd, testenv), file=logfile)`
			`logfile.flush()`

			`@@ -74,45 +75,59 @@ def run(testdir, env, conf):`
			`rets = []`

			`# Test all permitted`
			`+ msg = "Impersonate"`
			`socket = os.path.join(testdir, 'impersonate.socket')`
			`cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,`
			`path_prefix + 'impersonate.cache']`
			`- r = run_cmd(testdir, env, conf, "Impersonate", socket, cmd, False)`
			`+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)`
			`rets.append(r)`

			`- #Test fail`
			`+ #Test self fail`
			`+ msg = "Impersonate fail self"`
			`socket = os.path.join(testdir, 'impersonate-proxyonly.socket')`
			`cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,`
			`path_prefix + 'impersonate.cache']`
			`- r = run_cmd(testdir, env, conf, "Impersonate fail self", socket, cmd, True)`
			`+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)`
			`rets.append(r)`

			`- #Test fail`
			`+ #Test proxy fail`
			`+ msg = "Impersonate fail proxy"`
			`socket = os.path.join(testdir, 'impersonate-selfonly.socket')`
			`cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,`
			`path_prefix + 'impersonate.cache']`
			`- r = run_cmd(testdir, env, conf, "Impersonate fail proxy", socket, cmd, True)`
			`+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)`
			`rets.append(r)`

			`#Test s4u2self half succeed`
			`+ msg = "s4u2self delegation"`
			`socket = os.path.join(testdir, 'impersonate-selfonly.socket')`
			`cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,`
			`path_prefix + 'impersonate.cache', 's4u2self']`
			`- r = run_cmd(testdir, env, conf, "s4u2self delegation", socket, cmd, False)`
			`+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)`
			`+ rets.append(r)`
			`+`
			`+ #Test proxy to self succeed`
			`+ msg = "Impersonate to self"`
			`+ socket = os.path.join(testdir, 'impersonate-selfonly.socket')`
			`+ cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, HOST_GSS,`
			`+ path_prefix + 'impersonate.cache', 's4u2proxy']`
			`+ r = run_cmd(testdir, env, conf, msg, socket, cmd, SVC_KTNAME, False)`
			`rets.append(r)`

			`#Test s4u2proxy half fail`
			`+ msg = "s4u2proxy fail"`
			`socket = os.path.join(testdir, 'impersonate-selfonly.socket')`
			`cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,`
			`path_prefix + 'impersonate.cache', 's4u2proxy']`
			`- r = run_cmd(testdir, env, conf, "s4u2proxy fail", socket, cmd, True)`
			`+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, True)`
			`rets.append(r)`

			`#Test s4u2proxy half succeed`
			`+ msg = "s4u2proxy"`
			`socket = os.path.join(testdir, 'impersonate-proxyonly.socket')`
			`cmd = ["./tests/t_impersonate", USR_NAME, HOST_GSS, PROXY_GSS,`
			`path_prefix + 'impersonate.cache', 's4u2proxy']`
			`- r = run_cmd(testdir, env, conf, "s4u2proxy", socket, cmd, False)`
			`+ r = run_cmd(testdir, env, conf, msg, socket, cmd, PROXY_KTNAME, False)`
			`rets.append(r)`

			`# Reset back gssproxy conf`