Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
ai
sso
Commits
2ff21e09
Commit
2ff21e09
authored
Mar 19, 2016
by
godog
Browse files
mod_sso: finish porting to apache2.4, TODO: groups support
parent
6a35f8a2
Changes
1
Hide whitespace changes
Inline
Side-by-side
src/mod_sso/mod_sso.c
View file @
2ff21e09
...
...
@@ -37,6 +37,11 @@
#include
"mod_sso.h"
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
#define SSO_REQUIRE_NAME "sso"
#include
"mod_auth.h"
#endif
extern
module
AP_MODULE_DECLARE_DATA
sso_module
;
typedef
struct
{
...
...
@@ -51,6 +56,10 @@ typedef struct {
apr_array_header_t
*
groups
;
}
modsso_config
;
typedef
struct
{
apr_array_header_t
*
user_groups
;
}
modsso_request_notes
;
typedef
const
char
*
(
*
CMD_HAND_TYPE
)
();
/**
...
...
@@ -418,9 +427,14 @@ static int mod_sso_method_handler(request_rec *r)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
uri
=
r
->
uri
;
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: handler
\"
%s
\"
"
,
r
->
handler
);
// Return immediately if there's nothing to do (check the AuthType)
type
=
ap_auth_type
(
r
);
if
(
!
type
||
strcasecmp
(
type
,
"SSO"
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: invalid authentication type
\"
%s
\"
"
,
type
);
return
DECLINED
;
}
...
...
@@ -487,6 +501,7 @@ struct modsso_auth_req {
int
any_user
;
};
#if MODULE_MAGIC_NUMBER_MAJOR < 20100714
static
int
array_contains
(
apr_array_header_t
*
arr
,
const
char
*
s
)
{
int
i
;
...
...
@@ -564,6 +579,7 @@ static void mod_sso_parse_requirements(request_rec *r,
*
(
const
char
**
)
apr_array_push
(
auth
->
groups
)
=
NULL
;
}
}
#endif
static
char
*
encode_groups
(
apr_pool_t
*
p
,
apr_array_header_t
*
groups
)
{
...
...
@@ -632,16 +648,19 @@ static int mod_sso_check_user_id(request_rec *r)
const
char
*
sso_login_path
,
*
sso_logout_path
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
struct
modsso_auth_req
auth
;
int
retval
,
err
,
do_redirect
=
1
;
modsso_config
*
s_cfg
=
(
modsso_config
*
)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
apr_array_header_t
*
sso_validate_groups
=
NULL
;
type
=
ap_auth_type
(
r
);
if
(
type
==
NULL
||
apr_strnatcasecmp
(
type
,
"sso"
)
!=
0
)
{
return
DECLINED
;
}
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso (check_user_id): handler '%s'"
,
r
->
handler
);
// If this is a sub-request, pass existing credentials, if any.
if
(
!
ap_is_initial_req
(
r
))
{
if
(
r
->
main
!=
NULL
)
{
...
...
@@ -677,8 +696,6 @@ static int mod_sso_check_user_id(request_rec *r)
return
OK
;
}
//mod_sso_parse_requirements(r, &auth);
// Test for valid cookie
sso_cookie
=
get_cookie
(
r
,
sso_cookie_name
);
if
(
sso_cookie
!=
NULL
)
{
...
...
@@ -702,31 +719,28 @@ static int mod_sso_check_user_id(request_rec *r)
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: ticket decoding error: %s"
,
sso_strerror
(
err
));
}
else
{
err
=
sso_validate
(
t
,
s_cfg
->
service
,
s_cfg
->
domain
,
apr_is_empty_array
(
auth
.
groups
)
?
NULL
:
(
const
char
**
)
auth
.
groups
->
elts
);
if
(
s_cfg
->
groups
!=
NULL
)
{
sso_validate_groups
=
apr_array_copy
(
r
->
pool
,
s_cfg
->
groups
);
*
(
const
char
**
)
apr_array_push
(
sso_validate_groups
)
=
NULL
;
}
err
=
sso_validate
(
t
,
s_cfg
->
service
,
s_cfg
->
domain
,
apr_is_empty_array
(
s_cfg
->
groups
)
?
NULL
:
(
const
char
**
)
sso_validate_groups
);
if
(
err
!=
SSO_OK
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: validation error: %s"
,
sso_strerror
(
err
));
}
else
{
// Check user authorization lists. Group membership has
// already been verified by sso_validate.
if
(
auth
.
any_user
||
(
!
apr_is_empty_array
(
auth
.
users
)
&&
array_contains
(
auth
.
users
,
t
->
user
))
||
!
apr_is_empty_array
(
auth
.
groups
))
{
// Success.
apr_table_setn
(
r
->
subprocess_env
,
"SSO_SERVICE"
,
apr_pstrdup
(
r
->
pool
,
service
));
r
->
user
=
apr_pstrdup
(
r
->
pool
,
t
->
user
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: authorized user '%s'"
,
r
->
user
);
retval
=
OK
;
}
else
{
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: unauthorized user '%s'"
,
t
->
user
);
retval
=
HTTP_UNAUTHORIZED
;
}
apr_table_setn
(
r
->
subprocess_env
,
"SSO_SERVICE"
,
apr_pstrdup
(
r
->
pool
,
service
));
r
->
user
=
apr_pstrdup
(
r
->
pool
,
t
->
user
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: authorized user '%s'"
,
r
->
user
);
retval
=
OK
;
do_redirect
=
0
;
}
sso_ticket_free
(
t
);
}
}
sso_ticket_free
(
t
);
}
if
(
!
do_redirect
)
{
...
...
@@ -734,7 +748,7 @@ static int mod_sso_check_user_id(request_rec *r)
}
// Redirect to login server
return
redirect_to_login_server
(
r
,
s_cfg
->
login_server
,
service_host
,
service
,
auth
.
groups
);
return
redirect_to_login_server
(
r
,
s_cfg
->
login_server
,
service_host
,
service
,
s_cfg
->
groups
);
}
#else
static
int
mod_sso_check_user_id
(
request_rec
*
r
)
...
...
@@ -853,10 +867,39 @@ static int mod_sso_check_user_id(request_rec *r)
* Apache authorization check callback for mod_sso.
*/
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static
authz_status
mod_sso_auth_checker
(
request_rec
*
r
,
const
char
*
require_args
,
const
void
*
parsed_require_args
)
static
authz_status
sso_check_authorization
(
request_rec
*
r
,
const
char
*
require_args
,
const
void
*
parsed_require_args
)
{
const
char
*
uri
,
*
type
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
char
*
sso_logout_path
,
*
sso_login_path
;
modsso_config
*
s_cfg
;
// We already did everything in mod_sso_check_user_id(),
// so just succeed (if SSO is active).
type
=
ap_auth_type
(
r
);
if
(
type
&&
!
strcasecmp
(
type
,
"SSO"
)
&&
r
->
user
)
{
return
OK
;
}
// XXX check groups via e.g. 'Require sso-groups' or 'Require valid-group'
s_cfg
=
(
modsso_config
*
)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
uri
=
r
->
uri
;
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso (auth_checker): could not parse service
\"
%s
\"
"
,
s_cfg
->
service
);
return
HTTP_BAD_REQUEST
;
}
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
if
(
!
strcmp
(
uri
,
sso_logout_path
)
||
!
strcmp
(
uri
,
sso_login_path
))
{
return
OK
;
}
return
DECLINED
;
}
#else
static
int
mod_sso_auth_checker
(
request_rec
*
r
)
...
...
@@ -894,6 +937,13 @@ static int mod_sso_auth_checker(request_rec *r)
}
#endif
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static
const
authz_provider
authz_sso_provider
=
{
&
sso_check_authorization
,
NULL
,
};
#endif
/**
* Apache register_hooks callback for mod_sso.
...
...
@@ -908,7 +958,7 @@ static void mod_sso_register_hooks (apr_pool_t *p)
ap_hook_handler
(
mod_sso_method_handler
,
NULL
,
NULL
,
APR_HOOK_FIRST
);
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
ap_hook_check_authn
(
mod_sso_check_user_id
,
NULL
,
NULL
,
APR_HOOK_MIDDLE
,
AP_AUTH_INTERNAL_PER_CONF
);
ap_register_auth_provider
(
p
ool
,
AUTHZ_PROVIDER_GROUP
,
SSO_REQUIRE_NAME
,
"0"
,
&
authz_sso_provider
,
AP_AUTH_INTERNAL_PER_CONF
);
ap_register_auth_provider
(
p
,
AUTHZ_PROVIDER_GROUP
,
SSO_REQUIRE_NAME
,
"0"
,
&
authz_sso_provider
,
AP_AUTH_INTERNAL_PER_CONF
);
#else
static
const
char
*
const
authzSucc
[]
=
{
"mod_sso.c"
,
NULL
};
ap_hook_check_user_id
(
mod_sso_check_user_id
,
NULL
,
NULL
,
APR_HOOK_MIDDLE
);
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment