From 9698db7fd56b08cc8f9bdeb2182bc9afdbcb4f90 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 12 Aug 2011 14:48:32 +0200 Subject: [PATCH 1/2] added --delegation Using this option with an argument being set to one of none/policy/always instructs libcurl how to deal with GSS credentials. Or rather how it tells the server that delegation is fine or not. Signed-off-by: Kamil Dudka --- src/main.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) diff --git a/src/main.c b/src/main.c index d85bf62..3a2595c 100644 --- a/src/main.c +++ b/src/main.c @@ -659,6 +659,7 @@ struct Configurable { basically each given URL to transfer */ struct OutStruct *outs; bool xattr; /* store metadata in extended attributes */ + long gssapi_delegation; }; #define WARN_PREFIX "Warning: " @@ -817,6 +818,7 @@ static void help(void) " --data-binary HTTP POST binary data (H)", " --data-urlencode " "HTTP POST data url encoded (H)", + " --delegation STRING GSS-API delegation permission", " --digest Use HTTP Digest Authentication (H)", " --disable-eprt Inhibit using EPRT or LPRT (F)", " --disable-epsv Inhibit using EPSV (F)", @@ -1823,6 +1825,18 @@ static int sockoptcallback(void *clientp, curl_socket_t curlfd, return 0; } +static long delegation(struct Configurable *config, + char *str) +{ + if(curlx_raw_equal("none", str)) + return CURLGSSAPI_DELEGATION_NONE; + if(curlx_raw_equal("policy", str)) + return CURLGSSAPI_DELEGATION_POLICY_FLAG; + if(curlx_raw_equal("always", str)) + return CURLGSSAPI_DELEGATION_FLAG; + warnf(config, "unrecognized delegation method '%s', using none\n", str); + return CURLGSSAPI_DELEGATION_NONE; +} static ParameterError getparameter(char *flag, /* f or -long-flag */ char *nextarg, /* NULL if unset */ 
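Review bot: delegation() carries no comment, and its fallback is the security-relevant part: an unrecognized argument maps to `CURLGSSAPI_DELEGATION_NONE`, so a mistyped level never widens credential delegation. I would state that above the function, e.g. `/* Map a --delegation argument to a CURLGSSAPI_DELEGATION_* value; unknown input warns and falls back to NONE so a typo never enables delegation. */`. `str` is only read here, so `const char *str` would fit, assuming curlx_raw_equal and warnf accept const pointers (their prototypes are outside the hunk). The warning is the only signal of a bad value, so a script that meant `policy` but misspelled it keeps running with no delegation. It is worth deciding whether getparameter should return an error for that case instead.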
@@ -1942,6 +1956,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ {"$D", "proto", TRUE}, {"$E", "proto-redir", TRUE}, {"$F", "resolve", TRUE}, + {"$G", "delegation", TRUE}, {"0", "http1.0", FALSE}, {"1", "tlsv1", FALSE}, {"2", "sslv2", FALSE}, @@ -2516,6 +2531,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ if(err) return err; break; + case 'G': /* --delegation LEVEL */ + config->gssapi_delegation = delegation(config, nextarg); + break; } break; case '#': /* --progress-bar */ @@ -5564,9 +5582,14 @@ operate(struct Configurable *config, int argc, argv_item_t argv[]) /* new in 7.21.3 */ my_setopt(curl, CURLOPT_RESOLVE, config->resolve); - /* TODO: new in ### */ - curl_easy_setopt(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username); - curl_easy_setopt(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password); + /* new in 7.21.4 */ + my_setopt_str(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username); + my_setopt_str(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password); + + /* new in 7.22.0 */ + if(config->gssapi_delegation) + my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION, + config->gssapi_delegation); retry_numretries = config->req_retry; -- 1.7.4.4 From 8e404e1c3846cc98a1977514af5b0432ae2de755 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 12 Aug 2011 23:51:41 +0200 Subject: [PATCH 2/2] docs: --delegation Signed-off-by: Kamil Dudka --- docs/curl.1 | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) diff --git a/docs/curl.1 b/docs/curl.1 index 812b2eb..eee3481 100644 --- a/docs/curl.1 +++ b/docs/curl.1 
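Review bot: In the last src/main.c hunk, `my_setopt_str` is used for `CURLOPT_GSSAPI_DELEGATION`, but `config->gssapi_delegation` is declared `long` and delegation() returns `CURLGSSAPI_DELEGATION_*` values, not a string. The macro is defined outside the hunk; if it records or formats its argument as a `char *`, as its name and the TLSAUTH username/password calls just above suggest, an integer could be handled as a pointer here. The plain form already used for `CURLOPT_RESOLVE` looks like the right one: `my_setopt(curl, CURLOPT_GSSAPI_DELEGATION, config->gssapi_delegation);`. Separately, if `CURLGSSAPI_DELEGATION_NONE` is 0, the `if(config->gssapi_delegation)` guard means `--delegation none` sets nothing and relies on libcurl defaulting to no delegation, which deserves a one-line comment at this spot. operate() starts and ends outside the hunk.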
@@ -320,6 +320,18 @@ URL-encode that data and pass it on in the POST. The name part gets an equal sign appended, resulting in \fIname=urlencoded-file-content\fP. Note that the name is expected to be URL-encoded already. .RE +.IP "--delegation LEVEL" +Set \fILEVEL\fP to tell the server what it is allowed to delegate when it +comes to user credentials. Used with GSS/kerberos. +.RS +.IP "none" +Don't allow any delegation. +.IP "policy" +Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos +service ticket, which is a matter of realm policy. +.IP "always" +Unconditionally allow the server to delegate. +.RE .IP "--digest" (HTTP) Enables HTTP Digest authentication. This is a authentication that prevents the password from being sent over the wire in clear text. Use this in -- 1.7.4.4