From 9698db7fd56b08cc8f9bdeb2182bc9afdbcb4f90 Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Fri, 12 Aug 2011 14:48:32 +0200

Subject: [PATCH 1/2] added --delegation

Using this option with an argument being set to one of

none/policy/always instructs libcurl how to deal with GSS

credentials. Or rather how it tells the server that delegation is fine

or not.

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 src/main.c |   29 ++++++++++++++++++++++++++---

 1 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/src/main.c b/src/main.c

index d85bf62..3a2595c 100644

--- a/src/main.c

+++ b/src/main.c

@@ -659,6 +659,7 @@ struct Configurable {

                              basically each given URL to transfer */

   struct OutStruct *outs;

   bool xattr; /* store metadata in extended attributes */

+  long gssapi_delegation;

 };

 #define WARN_PREFIX "Warning: "

@@ -817,6 +818,7 @@ static void help(void)

     "    --data-binary <data> HTTP POST binary data (H)",

     "    --data-urlencode <name=data/name@filename> "

     "HTTP POST data url encoded (H)",

+    "    --delegation STRING GSS-API delegation permission",

     "    --digest        Use HTTP Digest Authentication (H)",

     "    --disable-eprt  Inhibit using EPRT or LPRT (F)",

     "    --disable-epsv  Inhibit using EPSV (F)",

@@ -1823,6 +1825,18 @@ static int sockoptcallback(void *clientp, curl_socket_t curlfd,

   return 0;

 }

+static long delegation(struct Configurable *config,

+                       char *str)

+{

+  if(curlx_raw_equal("none", str))

+    return CURLGSSAPI_DELEGATION_NONE;

+  if(curlx_raw_equal("policy", str))

+    return CURLGSSAPI_DELEGATION_POLICY_FLAG;

+  if(curlx_raw_equal("always", str))

+    return CURLGSSAPI_DELEGATION_FLAG;

+  warnf(config, "unrecognized delegation method '%s', using none\n", str);

+  return CURLGSSAPI_DELEGATION_NONE;

+}

 static ParameterError getparameter(char *flag, /* f or -long-flag */

                                    char *nextarg, /* NULL if unset */

@@ -1942,6 +1956,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */

     {"$D", "proto",      TRUE},

     {"$E", "proto-redir", TRUE},

     {"$F", "resolve",    TRUE},

+    {"$G", "delegation", TRUE},

     {"0", "http1.0",     FALSE},

     {"1", "tlsv1",       FALSE},

     {"2", "sslv2",       FALSE},

@@ -2516,6 +2531,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */

         if(err)

           return err;

         break;

+      case 'G': /* --delegation LEVEL */

+        config->gssapi_delegation = delegation(config, nextarg);

+        break;

       }

       break;

     case '#': /* --progress-bar */

@@ -5564,9 +5582,14 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])

           /* new in 7.21.3 */

           my_setopt(curl, CURLOPT_RESOLVE, config->resolve);

-        /* TODO: new in ### */

-        curl_easy_setopt(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username);

-        curl_easy_setopt(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password);

+        /* new in 7.21.4 */

+        my_setopt_str(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username);

+        my_setopt_str(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password);

+

+        /* new in 7.22.0 */

+        if(config->gssapi_delegation)

+          my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,

+                        config->gssapi_delegation);

         retry_numretries = config->req_retry;

-- 

1.7.4.4

From 8e404e1c3846cc98a1977514af5b0432ae2de755 Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Fri, 12 Aug 2011 23:51:41 +0200

Subject: [PATCH 2/2] docs: --delegation

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 docs/curl.1 |   12 ++++++++++++

 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/docs/curl.1 b/docs/curl.1

index 812b2eb..eee3481 100644

--- a/docs/curl.1

+++ b/docs/curl.1

@@ -320,6 +320,18 @@ URL-encode that data and pass it on in the POST. The name part gets an equal

 sign appended, resulting in \fIname=urlencoded-file-content\fP. Note that the

 name is expected to be URL-encoded already.

 .RE

+.IP "--delegation LEVEL"

+Set \fILEVEL\fP to tell the server what it is allowed to delegate when it

+comes to user credentials. Used with GSS/kerberos.

+.RS

+.IP "none"

+Don't allow any delegation.

+.IP "policy"

+Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos

+service ticket, which is a matter of realm policy.

+.IP "always"

+Unconditionally allow the server to delegate.

+.RE

 .IP "--digest"

 (HTTP) Enables HTTP Digest authentication. This is a authentication that

 prevents the password from being sent over the wire in clear text. Use this in

-- 

1.7.4.4