From: Michael R Sweet Date: Thu, 1 May 2025 19:21:19 +0000 (-0400) Subject: Wire up support for CUPS_BEARER cookie in authentication, and add X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b4586e76f4af4bb224d6953415daaaddde6ae3e;p=thirdparty%2Fcups.git Wire up support for CUPS_BEARER cookie in authentication, and add REMOTE_USER (username/sub), REMOTE_NAME (real name), and REMOTE_EMAIL (email address) environment variables that get copied from the JWT or GECOS data. --- diff --git a/cgi-bin/home.c b/cgi-bin/home.c index c9cf49d787..0067f66377 100644 --- a/cgi-bin/home.c +++ b/cgi-bin/home.c @@ -81,5 +81,5 @@ do_dashboard(void) static void do_search(char *query) /* I - Search string */ { - + (void)query; } diff --git a/doc/cups.css b/doc/cups.css index 455f735cd2..d6b277a9b3 100644 --- a/doc/cups.css +++ b/doc/cups.css @@ -54,7 +54,15 @@ } .cups-header form { display: block; - padding: 15px 30px !important; + margin: 0px 30px; + padding: 15px 0px !important; +} +.cups-header span.label { + color: #ccc; + display: block; + font-style: italic; + margin: 0px 30px; + padding: 15px 0px !important; } .cups-body { diff --git a/scheduler/auth.c b/scheduler/auth.c index d6063bfc3a..6efafe47d9 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -317,6 +317,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ int type; /* Authentication type */ const char *authorization; /* Pointer into Authorization string */ char *ptr, /* Pointer into string */ + bearer[2048], /* CUPS_BEARER cookie string */ username[HTTP_MAX_VALUE], /* Username string */ password[HTTP_MAX_VALUE]; @@ -350,6 +351,9 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION); + if (!*authorization && type == CUPSD_AUTH_BEARER && httpGetCookieValue(con->http, "CUPS_BEARER", bearer, sizeof(bearer))) + authorization = "Bearer COOKIE"; + username[0] = '\0'; password[0] = '\0'; 
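Review bot: In cupsdAuthorize, the `"Bearer COOKIE"` placeholder assigned after the `httpGetCookieValue()` test is an in-band sentinel that the Authorization header can also carry on its own. When the header is non-empty the cookie lookup is skipped (`!*authorization` is false), yet the later hunk's `if (!strcmp(authorization, "COOKIE")) authorization = bearer;` still switches to `bearer`, which has never been written on that path, so `cupsJWTImportString()` would parse uninitialized stack bytes unless code outside these hunks fills the buffer. Setting `bearer[0] = '\0';` next to `username[0] = '\0';` and guarding the swap with `if (bearer[0] && !strcmp(authorization, "COOKIE"))` ties the substitution to a cookie that was actually read. Because a browser attaches the cookie automatically, it is also worth confirming that state-changing requests authenticated this way still pass a CSRF check; that code is not visible here.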
@@ -627,7 +631,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ int pamerr; /* PAM error code */ struct pam_conv pamdata; /* PAM conversation data */ cupsd_authdata_t data; /* Authentication data */ - + struct passwd *userinfo; /* User information */ cupsCopyString(data.username, username, sizeof(data.username)); cupsCopyString(data.password, password, sizeof(data.password)); @@ -685,6 +689,13 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ } pam_end(pamh, PAM_SUCCESS); + + /* + * Copy GECOS information, if available, to get the user's real name... + */ + + if ((userinfo = getpwnam(username)) != NULL && userinfo->pw_gecos) + cupsCopyString(con->realname, userinfo->pw_gecos, sizeof(con->realname)); #else cupsdLogClient(con, CUPSD_LOG_ERROR, "No authentication support is available."); return; @@ -707,6 +718,9 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ while (isspace(*authorization & 255)) authorization ++; + if (!strcmp(authorization, "COOKIE")) + authorization = bearer; // Use the cookie value for authorization + // Decode and validate the JWT... if ((jwt = cupsJWTImportString(authorization, CUPS_JWS_FORMAT_COMPACT)) == NULL) { @@ -765,7 +779,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ /* Output token for username */ gss_name_t client_name; /* Client name */ -# ifdef __APPLE__ +# ifdef __APPLE__DISABLED // Remove DISABLED if ever this code is used for macOS installer /* * If the weak-linked GSSAPI/Kerberos library is not present, don't try * to use it... @@ -776,7 +790,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ cupsdLogClient(con, CUPSD_LOG_WARN, "GSSAPI/Kerberos authentication failed because the Kerberos framework is not present."); return; } -# endif /* __APPLE__ */ +# endif /* __APPLE__DISABLED */ /* * Find the start of the Kerberos input token... 
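Review bot: The GECOS copy added after `pam_end()` stores the whole `pw_gecos` field in `con->realname`, but on most systems that field is a comma-separated record (full name, office, phone numbers) and is often editable by the account owner, so REMOTE_NAME would carry more than the real name. Cutting at the first comma right after the copy, e.g. `if ((ptr = strchr(con->realname, ',')) != NULL) *ptr = '\0';`, limits what reaches CGI programs, and the comment above the block could state that the value is display text rather than an identity. `getpwnam()` returns a pointer to static storage, which is safe here only as long as nothing else on this path calls it before the copy. The enclosing function starts and ends outside the hunk.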
@@ -915,6 +929,10 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ */ cupsCopyString(con->username, username, sizeof(con->username)); + + if (!con->realname[0]) + cupsCopyString(con->realname, username, sizeof(con->realname)); + cupsCopyString(con->password, password, sizeof(con->password)); } diff --git a/scheduler/client.c b/scheduler/client.c index 8f89b0801a..469569839a 100644 --- a/scheduler/client.c +++ b/scheduler/client.c @@ -3266,7 +3266,9 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ lang[1024], /* LANG environment variable */ path_info[1024], /* PATH_INFO environment variable */ remote_addr[1024], /* REMOTE_ADDR environment variable */ + remote_email[1024], /* REMOTE_EMAIL environment variable */ remote_host[1024], /* REMOTE_HOST environment variable */ + remote_name[1024], /* REMOTE_NAME ("real name") environment variable */ remote_user[1024], /* REMOTE_USER environment variable */ script_filename[1024], /* SCRIPT_FILENAME environment variable */ script_name[1024], /* SCRIPT_NAME environment variable */ @@ -3478,10 +3480,21 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ if (path_info[0]) envp[envc ++] = path_info; + if (con->email[0]) + { + snprintf(remote_email, sizeof(remote_email), "REMOTE_EMAIL=%s", con->email); + envp[envc ++] = remote_email; + } + + if (con->realname[0]) + { + snprintf(remote_name, sizeof(remote_name), "REMOTE_NAME=%s", con->realname); + envp[envc ++] = remote_name; + } + if (con->username[0]) { snprintf(remote_user, sizeof(remote_user), "REMOTE_USER=%s", con->username); - envp[envc ++] = remote_user; } diff --git a/scheduler/colorman.c b/scheduler/colorman.c index 5784c1c75b..cc9c30e0ab 100644 --- a/scheduler/colorman.c +++ b/scheduler/colorman.c 
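Review bot: The fallback `if (!con->realname[0])` fills `con->realname` only when it is empty, and none of the visible hunks clears `con->realname` (or `con->email`) at the start of cupsdAuthorize. If that reset does not exist outside the hunks, a kept-alive connection whose next request authenticates as a different account, one with no GECOS entry or name claim, would keep the previous request's name and export it as REMOTE_NAME. Clearing both fields where `username[0] = '\0';` is set, `con->realname[0] = '\0'; con->email[0] = '\0';`, keeps the three values describing the same login.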
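Review bot: REMOTE_EMAIL and REMOTE_NAME in pipe_command are filled from JWT claims or GECOS text, which the identity provider or the user chooses, and nothing in this hunk documents that. A comment above the two new blocks such as `// REMOTE_EMAIL/REMOTE_NAME come from token claims or GECOS - display only, never use for access decisions` would tell CGI authors to escape them on output and to key authorization on REMOTE_USER alone. The hunk also adds two more `envp[envc ++]` slots; the array declaration is outside the hunk, so its size should be checked against the new maximum number of entries.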
@@ -360,12 +360,14 @@ apple_register_profiles( CFStringRef dict_key; /* Key in factory profile dictionary */ +# ifdef __APPLE__DISABLED // Remove DISABLED if ever this code is used for macOS installer /* * Make sure ColorSync is available... */ if (&ColorSyncRegisterDevice == NULL) return; +# endif // __APPLE__DISABLED /* * Try opening the PPD file for this printer... diff --git a/templates/da/header.tmpl.in b/templates/da/header.tmpl.in index e2dd37138f..a824d611d1 100644 --- a/templates/da/header.tmpl.in +++ b/templates/da/header.tmpl.in @@ -24,18 +24,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
diff --git a/templates/de/header.tmpl.in b/templates/de/header.tmpl.in index 3a40093d3f..2bb6a91f30 100644 --- a/templates/de/header.tmpl.in +++ b/templates/de/header.tmpl.in @@ -24,18 +24,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
diff --git a/templates/es/header.tmpl.in b/templates/es/header.tmpl.in index e71ea9f3d1..b1e07a1344 100644 --- a/templates/es/header.tmpl.in +++ b/templates/es/header.tmpl.in @@ -24,18 +24,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
diff --git a/templates/fr/header.tmpl.in b/templates/fr/header.tmpl.in index 9012cedbf4..860b030c9e 100644 --- a/templates/fr/header.tmpl.in +++ b/templates/fr/header.tmpl.in @@ -24,18 +24,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
diff --git a/templates/header.tmpl.in b/templates/header.tmpl.in index c8423d0c9d..6808a4667a 100644 --- a/templates/header.tmpl.in +++ b/templates/header.tmpl.in @@ -36,7 +36,9 @@
  • Help
  • Jobs
  • Printers
  • - {?ENV:CUPS_OAUTH_SERVER=?{?ENV:REMOTE_USER}:{?ENV:CUPS_OAUTH_USERNAME}
  • } +
  • {?ENV:REMOTE_USER=?Guest:{ENV:REMOTE_USER}} + {?ENV:CUPS_OAUTH_SERVER=?:
    } +
  • diff --git a/templates/ja/header.tmpl.in b/templates/ja/header.tmpl.in index 3513e538e6..35a600af49 100644 --- a/templates/ja/header.tmpl.in +++ b/templates/ja/header.tmpl.in @@ -16,18 +16,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
    diff --git a/templates/pl/header.tmpl.in b/templates/pl/header.tmpl.in index 497a5c4d32..f45ce523af 100644 --- a/templates/pl/header.tmpl.in +++ b/templates/pl/header.tmpl.in @@ -24,18 +24,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
    diff --git a/templates/pt_BR/header.tmpl.in b/templates/pt_BR/header.tmpl.in index e9027427d5..51332bd3b9 100644 --- a/templates/pt_BR/header.tmpl.in +++ b/templates/pt_BR/header.tmpl.in @@ -24,18 +24,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
    diff --git a/templates/ru/header.tmpl.in b/templates/ru/header.tmpl.in index ccb9d9d9a4..ce208d79cc 100644 --- a/templates/ru/header.tmpl.in +++ b/templates/ru/header.tmpl.in @@ -24,18 +24,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
    diff --git a/templates/sv/header.tmpl.in b/templates/sv/header.tmpl.in index 2ef0b70fd7..e4a62eee83 100644 --- a/templates/sv/header.tmpl.in +++ b/templates/sv/header.tmpl.in @@ -24,18 +24,22 @@ } } --> - {title} - CUPS @CUPS_VERSION@ + {title} - {ENV:CUPS_VERSION}
    diff --git a/xcode/CUPS.xcodeproj/project.pbxproj b/xcode/CUPS.xcodeproj/project.pbxproj index 81467535a3..4571f87a2b 100644 --- a/xcode/CUPS.xcodeproj/project.pbxproj +++ b/xcode/CUPS.xcodeproj/project.pbxproj @@ -7997,7 +7997,7 @@ isa = PBXProject; attributes = { BuildIndependentTargetsInParallel = YES; - LastUpgradeCheck = 1540; + LastUpgradeCheck = 1600; ORGANIZATIONNAME = "Apple Inc."; TargetAttributes = { 270695FD1CADF3E200FFE5FB = { @@ -11778,7 +11778,7 @@ GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; INSTALL_PATH = /usr/sbin; - MACOSX_DEPLOYMENT_TARGET = "$(RECOMMENDED_MACOSX_DEPLOYMENT_TARGET)"; + MACOSX_DEPLOYMENT_TARGET = 11.0; MTL_ENABLE_DEBUG_INFO = YES; PRODUCT_NAME = "$(TARGET_NAME)"; SDKROOT = macosx; @@ -11812,7 +11812,7 @@ GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; INSTALL_PATH = /usr/sbin; - MACOSX_DEPLOYMENT_TARGET = "$(RECOMMENDED_MACOSX_DEPLOYMENT_TARGET)"; + MACOSX_DEPLOYMENT_TARGET = 11.0; MTL_ENABLE_DEBUG_INFO = NO; PRODUCT_NAME = "$(TARGET_NAME)"; SDKROOT = macosx;