From bceb10aa2ad5709b63dd79c2db32359d6a7efacb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 12 Aug 2011 14:48:32 +0200
Subject: [PATCH 1/2] added --delegation

Using this option with an argument being set to one of
none/policy/always instructs libcurl how to deal with GSS
credentials. Or rather how it tells the server that delegation is fine
or not.

Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/main.c |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/src/main.c b/src/main.c
index 2b7cc83..5302b31 100644
--- a/src/main.c
+++ b/src/main.c
@@ -621,6 +621,7 @@ struct Configurable {
   int default_node_flags; /* default flags to seach for each 'node', which is
                              basically each given URL to transfer */
   struct OutStruct *outs;
+  long gssapi_delegation;
 };
 
 #define WARN_PREFIX "Warning: "
@@ -778,6 +779,7 @@ static void help(void)
     "    --data-ascii <data>  HTTP POST ASCII data (H)",
     "    --data-binary <data> HTTP POST binary data (H)",
     "    --data-urlencode <name=data/name@filename> HTTP POST data url encoded (H)",
+    "    --delegation STRING GSS-API delegation permission",
     "    --digest        Use HTTP Digest Authentication (H)",
     "    --disable-eprt  Inhibit using EPRT or LPRT (F)",
     "    --disable-epsv  Inhibit using EPSV (F)",
@@ -1746,6 +1748,18 @@ static int sockoptcallback(void *clientp, curl_socket_t curlfd,
   return 0;
 }
 
+static long delegation(struct Configurable *config,
+                       char *str)
+{
+  if(curlx_raw_equal("none", str))
+    return CURLGSSAPI_DELEGATION_NONE;
+  if(curlx_raw_equal("policy", str))
+    return CURLGSSAPI_DELEGATION_POLICY_FLAG;
+  if(curlx_raw_equal("always", str))
+    return CURLGSSAPI_DELEGATION_FLAG;
+  warnf(config, "unrecognized delegation method '%s', using none\n", str);
+  return CURLGSSAPI_DELEGATION_NONE;
+}
 
 static ParameterError getparameter(char *flag, /* f or -long-flag */
                                    char *nextarg, /* NULL if unset */
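Review bot: A mistyped `--delegation` value is only warned about in `delegation()`, and parsing carries on with `CURLGSSAPI_DELEGATION_NONE`, whereas the `proto-redir` case visible further down in `getparameter` returns `PARAM_BAD_USE` for bad input. Falling back to no delegation is the safe direction for a credential-forwarding setting, but the run then differs from what the caller asked for and the exit status does not show it. Consider reporting the failure to `getparameter` so it can return `PARAM_BAD_USE`; that needs a different return convention than the plain `long` used here. Independently, `str` is only read and can be declared `const char *str`, and the function would benefit from a header comment such as `/* map a --delegation argument to a CURLGSSAPI_DELEGATION_* value; unknown input warns and yields NONE */`. The trailing context lines belong to `getparameter`, whose body lies outside this hunk.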
@@ -1863,6 +1877,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
     {"$C", "ftp-pret",   FALSE},
     {"$D", "proto",      TRUE},
     {"$E", "proto-redir", TRUE},
+    {"$G", "delegation", TRUE},
     {"0", "http1.0",     FALSE},
     {"1", "tlsv1",       FALSE},
     {"2", "sslv2",       FALSE},
@@ -2415,6 +2430,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
         if(proto2num(config, &config->proto_redir, nextarg))
           return PARAM_BAD_USE;
         break;
+      case 'G': /* --delegation LEVEL */
+        config->gssapi_delegation = delegation(config, nextarg);
+        break;
       }
       break;
     case '#': /* --progress-bar */
@@ -5351,6 +5369,11 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
           my_setopt(curl, CURLOPT_HEADERDATA, &outs);
         }
 
+        /* new in 7.22.0 */
+        if(config->gssapi_delegation)
+          my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
+                        config->gssapi_delegation);
+ 
         retry_numretries = config->req_retry;
 
         retrystart = cutil_tvnow();
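Review bot: `config->gssapi_delegation` is a `long` (declared as `long gssapi_delegation;` in `struct Configurable`), yet it is passed through `my_setopt_str`, while the `CURLOPT_HEADERDATA` call just above uses `my_setopt`. The macro definitions are outside this hunk, so whether this changes behaviour cannot be told from here, but the non-string form states the intent correctly: `my_setopt(curl, CURLOPT_GSSAPI_DELEGATION, config->gssapi_delegation);`. The `if(config->gssapi_delegation)` guard also means an explicit `--delegation none` is never handed to libcurl if `CURLGSSAPI_DELEGATION_NONE` is zero, so 'none' depends on the library default; a comment such as `/* NONE is left to libcurl's default */` would make that visible. The added blank line carries a trailing space, and `operate` continues outside the hunk.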
-- 
1.7.4.4


From 92ed91e886437f0aea8e6866180f1f788ba270f0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 12 Aug 2011 23:51:41 +0200
Subject: [PATCH 2/2] docs: --delegation

Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 docs/curl.1 |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/docs/curl.1 b/docs/curl.1
index aec3e48..3515d38 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -283,6 +283,18 @@ URL-encode that data and pass it on in the POST. The name part gets an equal
 sign appended, resulting in \fIname=urlencoded-file-content\fP. Note that the
 name is expected to be URL-encoded already.
 .RE
+.IP "--delegation LEVEL"
+Set \fILEVEL\fP to tell the server what it is allowed to delegate when it
+comes to user credentials. Used with GSS/kerberos.
+.RS
+.IP "none"
+Don't allow any delegation.
+.IP "policy"
+Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos
+service ticket, which is a matter of realm policy.
+.IP "always"
+Unconditionally allow the server to delegate.
+.RE
 .IP "--digest"
 (HTTP) Enables HTTP Digest authentication. This is a authentication that
 prevents the password from being sent over the wire in clear text. Use this in
-- 
1.7.4.4