Benjamin Coddington <[email protected]> writes:
> If the identity ACL file contains entries for a subject, add
> an entry for the subject so they can assert their own identity.
Hm. So, what I was originally thinking when I wrote this code is that the
authz_subject should be omitted if equal to the subject, since I don't
think it quite makes sense to assert an identity that matches one's
default identity. This is implemented in WebLogin's default confirm page
template by adding the user's default identity as the selected default.
Ah, but the WebKDC doesn't special-case the authz_subject in that case!
So you get an error if you actually try to assert that identity.
I'm applying the following patch, which will make this work the way that I
had originally intended. This will go into the next release. Sorry about
that!
diff --git a/lib/webkdc-login.c b/lib/webkdc-login.c
index 73c6680..65a3df8 100644
--- a/lib/webkdc-login.c
+++ b/lib/webkdc-login.c
@@ -1051,7 +1051,7 @@ webauth_webkdc_login(struct webauth_context *ctx,
const void *key_data;
struct webauth_key *key;
struct webauth_keyring *session;
- const char *allowed;
+ const char *allowed, *authz_subject;
/* Basic sanity checking. */
if (request->service == NULL || request->creds == NULL
@@ -1330,17 +1330,23 @@ webauth_webkdc_login(struct webauth_context *ctx,
/*
* If the user attempts to assert an alternate identity, see if that's
- * allowed. If so, copy that into the response.
+ * allowed. If so, copy that into the response. If the requested
+ * authorization subject matches the actual subject, just ignore the
+ * field.
*/
- if (request->authz_subject != NULL && (*response)->permitted_authz != NULL)
+ authz_subject = request->authz_subject;
+ if (authz_subject != NULL)
+ if (strcmp(authz_subject, (*response)->subject) == 0)
+ authz_subject = NULL;
+ if (authz_subject != NULL && (*response)->permitted_authz != NULL)
for (i = 0; i < (*response)->permitted_authz->nelts; i++) {
allowed = APR_ARRAY_IDX((*response)->permitted_authz, i, char *);
- if (strcmp(allowed, request->authz_subject) == 0) {
+ if (strcmp(allowed, authz_subject) == 0) {
(*response)->authz_subject = apr_pstrdup(ctx->pool, allowed);
break;
}
}
- if (request->authz_subject != NULL && (*response)->authz_subject == NULL) {
+ if (authz_subject != NULL && (*response)->authz_subject == NULL) {
(*response)->login_error = WA_PEC_UNAUTHORIZED;
(*response)->login_message = "not authorized to assert that identity";
return WA_ERR_NONE;
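Review bot: The brace-less nested pair `if (authz_subject != NULL)` / `if (strcmp(authz_subject, (*response)->subject) == 0)` is fragile; indentation alone carries the meaning, and any later `else` added to the outer test would silently bind to the inner one. Suggest collapsing it into a single braced condition, e.g. `if (authz_subject != NULL && strcmp(authz_subject, (*response)->subject) == 0) { authz_subject = NULL; }`. Worth confirming in the same pass that `(*response)->subject` is guaranteed non-NULL before this point, since the hunk does not show where it is set and `strcmp` on a NULL pointer would crash the WebKDC; with that in place the behaviour is right: a request asserting the caller's own identity now falls through with `(*response)->authz_subject` left NULL instead of hitting the `WA_PEC_UNAUTHORIZED` branch.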
--
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University