Add GssapiRequiredNameAttributes option

[mrogers950]

Allow setting the required name attributes for a session, using a flex and
bison based parser to process the attributes specified.

[frozencemetery]

Alright, code with tests! I promise all the stuff I've marked is minor.

[frozencemetery]

Maybe just fold this into the main check target, rather than putting it on its own?

[mrogers950]

I can, that was just for me to be able to run the shell tests separately.

[frozencemetery]

Adding PIE/PIC support is a fine thing to do, but not in scope for this PR.

[mrogers950]

I forgot to comment that building fails without adding -fPIC here;
/usr/bin/ld: lex/libparser.a(libparser_a-lex.o): relocation R_X86_64_PC32 against undefined symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value

I can add it to a separate commit before the main one (and submit a separate PR if you want)

[frozencemetery]

Ah, that makes sense. Maybe just drop a comment above it.

[frozencemetery]

Wrap at <80 characters, please.

[frozencemetery]

<80 here too.

[frozencemetery]

Can be simplified to just return r == 0.

[frozencemetery]

Please use C99 for-loop syntax.

[frozencemetery]

const char **vals should line up with const char *expr.

[frozencemetery]

C99 for-loops please.

[frozencemetery]

Could these be echoed instead of just being comments? Might make the logs easier to read through.

[frozencemetery]

This is kind of gross looking. Can you pull out the apr_pstrndup calls into variables?

[simo5]

nitpick: if they are Required ... then the name should be GssapiRequiredNameAttributes ?

[mrogers950]

I think that might actually be the better name now that you mention it.

[iboukris]

Can auth-indicators be both?

[mrogers950]

Yes, you can have multiple authentication indicators (although that may not be clear with the given example), and the parser will use the list of them when checking for the match on each attribute in the statement.

[iboukris]

Hmm, how are we handling multiple values? from the code it looks like we add _N to the name, is that right? does it parse ok?

[iboukris]

Oh, I now see that you added a copy of each value.

[iboukris]

I think we should return no null here, so it won get silently ignored.

[mrogers950]

I've turned "Expected" to "Required", revised the README text, and now return an error string from expect_name_attrs() (now required_name_attrs()) on a syntax error.

[frozencemetery]

Missed a couple places the first time.

[frozencemetery]

bin and bin_len on their own line; line up with hex

[frozencemetery]

C99

[frozencemetery]

C99

[frozencemetery]

Parens not needed; also applies to rest of function

[iboukris]

Do attributes specified in GssapiRequiredNameAttributes need to be specified in GssapiNameAttributes too? from the code it looks like yes, so maybe we need to clarify it, or address it in code.

[simo5]

Uhmm good point @Frenche I wonder if we should error out if the required is not a subset or if we should automaticaly add the ones in the required parser (do we have a simple way to get a list of them) to the set of items we retrieve, or if we should "shadow" retrieve them.
We may not want to expose named attributes we use for authorization to the application necessarily.

[simo5]

I think we need some changes, but the core is ok.
Any chance we have a way to expose some name attributes in the functional testsuite so we can have a (smoke) test that the whole thing works correctly ?

[simo5]

maybe: "required name attributes check unsatisfied"

[simo5]

so I have been thinking about this.

1. Why are you forcibly re-adding the name attribute here ? This will break the semantics of the Name Attribute interface I think.
2. do not use 1 letter vars
3. in a case like this I think it makes more sense to declare these var in the do{} block, not across the whole function
4. I think we need separate lists for required_name_attributes

This last point is the main one, I think we should have a separate list for required attributes because some people may want to use specific name attribute (say auth indicators) without being forced to expose them as env vars to the application.
So I guess we need a required_nameattr variable on mc where we set attributes use to check required attributes.

[mrogers950]

Sure, I see how this is problematic. I'll separate the required attributes from the env exposed ones. As for the smoke test, against a 1.16 krb5 KDC we could enable the encrypted challenge indicator (does not require as much config as PKINIT/OTP) and test against that, otherwise I'm not sure what other name attribute we could enable in the test suite and test against.

[simo5]

Any name attribute will work, pick the simplest to expose

[iboukris]

+1 on the above.
One way to go about it could be to store raw attributes on the MC struct (if we need it for either env or authz), and defer the parsing to a later point.

[simo5]

-> verify_required_name_attributes()

[simo5]

please prepend functions that are not static with a mag_ prefix

[simo5]

As you change this code to store attributes into a separate required_nameattr structure, store them there already zero terminated. Please also check that the values do not contain embedded zeros by verifying with strlen() that the length match what you expect and fire a debug log if they don't. (Or perhaps auto-base64 the value in this case ?)

[simo5]

I guess if you do the above this function can go away entirely ...

[simo5]

If we support != expressions then this description is not correct.
We should say something like: Required checks for Name Attributes

[simo5]

and perhaps the option should actually be called GssapiCheckNameAttributes ? Or GssapiVerifyNameAttributes now that I think of it ? Sorry for not realizing this sooner.

[simo5]

Seems we do not support !=, is this a conscious decision to avoid "deny" accerss control cases ?
If not what is the reasoning ?
I am perfectly fine not supporting !=, but I think we should add to the README explicitly that we match only on '=' and we do not support '!='

[mrogers950]

No particular reason, though we certainly can support deny rules if you think there will be demand for it.

[simo5]

I guess someone will ask, but in general I tend to be against the concept of "deny ACL" because they do not fail safe.

[simo5]

Is there a reason why these are not being pulled in with a dedicated include file ?

[mrogers950]

I'll make a dedicated include for these.

[mrogers950]

I've pushed my current changes, that should be mostly everything except for the smoke test which I am working on, and will push later.

[simo5]

In the oriignal name attribute code we pull in display_value and fall back to value only if that is not available.

[simo5]

There is no check that value is in fact a string, this code will not handle binary values with embedded zeros well if such are passed in.
Or are we sure name attributes are always guaranteed to be printable strings ?

[simo5]

Should we just set the error env var here and then call mag_set_req_data() to complete ?
It seem like maiing env vars and ccaches available to the error handler may be valuable given yiou are calling mag_export_req_env() here but not mag_set_name_attributes() which is somewhat required to fill the proper tables.

[simo5]

Should this be GSS_REQUIRED_NAME_ATTR_ERROR ?

[simo5]

I understand why you spoon this out in a new function, however, this means we call gss_get_name_attribute twice for each attribute, and it may be an expensive call.
Can we rather restructure mag_get_name_attributes() so it calls gss_get_name_attribute() *once but then internally calls two subfunctions to fill the two arrays ?

EDIT: added *once

[simo5]

I guess someone will ask, but in general I tend to be against the concept of "deny ACL" because they do not fail safe.

[mrogers950]

Sorry about the delay on this update. Here's an overview of the changes:

• Build bison and flex code as source files for the mod_auth_gssapi library instead of its own object. This removes some portability warnings about linking to mod_auth_gssapi. Use a separate header.
• Change the binary value specifier to ':=' (as in name:=value).
• Add the base64 value case to the parser where the incoming name attribute values are converted to base64 before comparing to the expected value.
• Store the environment name attributes and the to-be-verified name attributes separately in mag_conn, and prefer the display value.
• For testing generate x509 certificates and enable PKINIT with multiple PKINIT indicators, and add required attribute test locations. In order to avoid PKINIT messing with the other tests, add a new user (maguser3) and perform PKINIT only before running the required attribute tests.

One issue is that autotools seems to have some problem during libtool linking the standalone parser test program tests/natest.c, where it cannot resolve the apr_base64* functions used by the parser. I've tried quite a few different Makefile.am configurations for it with no luck, so some suggestions would be helpful. For the moment I've left those build statements commented out.

[simo5]

ASCII -> Can we say UTF8? Or do we have no guarntees in which case we should just use a "Null terminated string" ?

[simo5]

Now that I think of it, are spaces allowed in bare strings ?

[mrogers950]

I don't think there is a guarantee for UTF-8 here as I specified just character values in the lex rules (but it might be possible to specify UTF-8 code points instead). And spaces are not allowed in bare strings as that would be considered a token separation, so if there is a space expected in the value then the base64 option should be used. I can update the README with this clarification.

[simo5]

Yes, please, it will help nuderstanding when you must use bse64

[simo5]

Is it legal to have names w/o corresponding value ?

[simo5]

Looking at the code it seem like these two arrays are always allocated and handled in pairs.
Maybe we should have instead a:
struct mag_required_name_attr {
const char *name;
const char *value;
};

And just allocate an array of these ?
Given we often count them, we could also add a size_t req_name_attr_count, and keep their number around.

[mrogers950]

Right, they are a pair. Turning it into a struct with a counter for clarity is OK with me.

[mrogers950]

Actually, I opted to store them in this way to make it simple to pass to the parser. Storing them in a mag_attr struct would need a conversion later on (or a change in the parser). So I'd prefer to keep them this way and add in a comment for clarification.

[simo5]

I have only nits, but I am not requiring them, just wondering if they'd made code more clear.
Otherwise I think we are good to go.
@frozencemetery or @Frenche could you give another quick look ?

[frozencemetery]

I have no non-nit objections

[iboukris]

Great stuff, I plan to review some more over the weekend, (no need to hold the merge however).

[iboukris]

Maybe better to be called once at mc constructor.

[iboukris]

Please ignore this comment, I now see it was modeled after the other directive, so let's leave it for now.

[iboukris]

If raw value may embed null, then the length must be kept along or it should be encoded here, otherwise it will get cut at the first null occurrence when accessed.

[iboukris]

Maybe else {error_out}, and perhaps move this block upper.

[mrogers950]

Updated, now we prepend the value length to the saved value. In the parser we read in the length prefix and use it for the value comparison. I moved the value checks in mag_set_required_name_attr() with an else return as suggested, and also stuck in an ap_log_rdata() call to print out the raw value data.

[simo5]

@mrogers950 github claims there are merge conflicts, can you check ?

[mrogers950]

Rebased to latest master.

[simo5]

@Frenche can you confirm your remarks have been addressed ?

[iboukris]

Looks good to me.
I can't build right now but I think I noticed some warnings last time, if there are it would be nice to silence them.

[mrogers950]

I added in the flex options to silence the remaining warnings.

[simo5]

make test fails for me:
{{{
cd . && ./tests/magtests.py --path /home/simo/devel/git/mod_auth_gssapi/testsdir --so-dir=/home/simo/devel/git/mod_auth_gssapi/src/.libs
/home/simo/devel/git/mod_auth_gssapi/testsdir/key.pem
SPNEGO: SUCCESS
SPNEGO Proxy Auth: SUCCESS
SPNEGO No Auth: SUCCESS
SPNEGO Rewrite: SUCCESS
SPNEGO Negotiate Once: SUCCESS
HOSTNAME ACCEPTOR: SUCCESS
BAD ACCEPTOR: SUCCESS
Traceback (most recent call last):
File "./tests/magtests.py", line 722, in
testenv = kinit_certuser(testdir, testenv)
File "./tests/magtests.py", line 477, in kinit_certuser
raise ValueError('kinit failed')
ValueError: kinit failed
Makefile:821: recipe for target 'check' failed
make: *** [check] Error 1
}}}

Do we require some specific version of some dependency ?
If so can you add a check in configure ?

make test fails still

[simo5]

Please fix make test or fix configure to require the right stuff

[mrogers950]

That happens when krb5-pkinit isn't installed, so I added a dirty check for the pkinit module and skip the name attribute tests with a warning if it's not found, and README.md mentions the krb5-pkinit dependency for the tests.