Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
What's new
7
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Open sidebar
ai
sso
Commits
2ff21e09
Commit
2ff21e09
authored
Mar 19, 2016
by
godog
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
mod_sso: finish porting to apache2.4, TODO: groups support
parent
6a35f8a2
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
75 additions
and
25 deletions
+75
-25
src/mod_sso/mod_sso.c
src/mod_sso/mod_sso.c
+75
-25
No files found.
src/mod_sso/mod_sso.c
View file @
2ff21e09
...
...
@@ -37,6 +37,11 @@
#include "mod_sso.h"
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
#define SSO_REQUIRE_NAME "sso"
#include "mod_auth.h"
#endif
extern
module
AP_MODULE_DECLARE_DATA
sso_module
;
typedef
struct
{
...
...
@@ -51,6 +56,10 @@ typedef struct {
apr_array_header_t
*
groups
;
}
modsso_config
;
typedef
struct
{
apr_array_header_t
*
user_groups
;
}
modsso_request_notes
;
typedef
const
char
*
(
*
CMD_HAND_TYPE
)
();
/**
...
...
@@ -418,9 +427,14 @@ static int mod_sso_method_handler(request_rec *r)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
uri
=
r
->
uri
;
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: handler
\"
%s
\"
"
,
r
->
handler
);
// Return immediately if there's nothing to do (check the AuthType)
type
=
ap_auth_type
(
r
);
if
(
!
type
||
strcasecmp
(
type
,
"SSO"
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: invalid authentication type
\"
%s
\"
"
,
type
);
return
DECLINED
;
}
...
...
@@ -487,6 +501,7 @@ struct modsso_auth_req {
int
any_user
;
};
#if MODULE_MAGIC_NUMBER_MAJOR < 20100714
static
int
array_contains
(
apr_array_header_t
*
arr
,
const
char
*
s
)
{
int
i
;
...
...
@@ -564,6 +579,7 @@ static void mod_sso_parse_requirements(request_rec *r,
*
(
const
char
**
)
apr_array_push
(
auth
->
groups
)
=
NULL
;
}
}
#endif
static
char
*
encode_groups
(
apr_pool_t
*
p
,
apr_array_header_t
*
groups
)
{
...
...
@@ -632,16 +648,19 @@ static int mod_sso_check_user_id(request_rec *r)
const
char
*
sso_login_path
,
*
sso_logout_path
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
struct
modsso_auth_req
auth
;
int
retval
,
err
,
do_redirect
=
1
;
modsso_config
*
s_cfg
=
(
modsso_config
*
)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
apr_array_header_t
*
sso_validate_groups
=
NULL
;
type
=
ap_auth_type
(
r
);
if
(
type
==
NULL
||
apr_strnatcasecmp
(
type
,
"sso"
)
!=
0
)
{
return
DECLINED
;
}
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso (check_user_id): handler '%s'"
,
r
->
handler
);
// If this is a sub-request, pass existing credentials, if any.
if
(
!
ap_is_initial_req
(
r
))
{
if
(
r
->
main
!=
NULL
)
{
...
...
@@ -677,8 +696,6 @@ static int mod_sso_check_user_id(request_rec *r)
return
OK
;
}
//mod_sso_parse_requirements(r, &auth);
// Test for valid cookie
sso_cookie
=
get_cookie
(
r
,
sso_cookie_name
);
if
(
sso_cookie
!=
NULL
)
{
...
...
@@ -702,31 +719,28 @@ static int mod_sso_check_user_id(request_rec *r)
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: ticket decoding error: %s"
,
sso_strerror
(
err
));
}
else
{
err
=
sso_validate
(
t
,
s_cfg
->
service
,
s_cfg
->
domain
,
apr_is_empty_array
(
auth
.
groups
)
?
NULL
:
(
const
char
**
)
auth
.
groups
->
elts
);
if
(
s_cfg
->
groups
!=
NULL
)
{
sso_validate_groups
=
apr_array_copy
(
r
->
pool
,
s_cfg
->
groups
);
*
(
const
char
**
)
apr_array_push
(
sso_validate_groups
)
=
NULL
;
}
err
=
sso_validate
(
t
,
s_cfg
->
service
,
s_cfg
->
domain
,
apr_is_empty_array
(
s_cfg
->
groups
)
?
NULL
:
(
const
char
**
)
sso_validate_groups
);
if
(
err
!=
SSO_OK
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: validation error: %s"
,
sso_strerror
(
err
));
}
else
{
// Check user authorization lists. Group membership has
// already been verified by sso_validate.
if
(
auth
.
any_user
||
(
!
apr_is_empty_array
(
auth
.
users
)
&&
array_contains
(
auth
.
users
,
t
->
user
))
||
!
apr_is_empty_array
(
auth
.
groups
))
{
// Success.
apr_table_setn
(
r
->
subprocess_env
,
"SSO_SERVICE"
,
apr_pstrdup
(
r
->
pool
,
service
));
r
->
user
=
apr_pstrdup
(
r
->
pool
,
t
->
user
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: authorized user '%s'"
,
r
->
user
);
retval
=
OK
;
}
else
{
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: unauthorized user '%s'"
,
t
->
user
);
retval
=
HTTP_UNAUTHORIZED
;
}
apr_table_setn
(
r
->
subprocess_env
,
"SSO_SERVICE"
,
apr_pstrdup
(
r
->
pool
,
service
));
r
->
user
=
apr_pstrdup
(
r
->
pool
,
t
->
user
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: authorized user '%s'"
,
r
->
user
);
retval
=
OK
;
do_redirect
=
0
;
}
sso_ticket_free
(
t
);
}
}
sso_ticket_free
(
t
);
}
if
(
!
do_redirect
)
{
...
...
@@ -734,7 +748,7 @@ static int mod_sso_check_user_id(request_rec *r)
}
// Redirect to login server
return
redirect_to_login_server
(
r
,
s_cfg
->
login_server
,
service_host
,
service
,
auth
.
groups
);
return
redirect_to_login_server
(
r
,
s_cfg
->
login_server
,
service_host
,
service
,
s_cfg
->
groups
);
}
#else
static
int
mod_sso_check_user_id
(
request_rec
*
r
)
...
...
@@ -853,10 +867,39 @@ static int mod_sso_check_user_id(request_rec *r)
* Apache authorization check callback for mod_sso.
*/
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static
authz_status
mod_sso_auth_checker
(
request_rec
*
r
,
const
char
*
require_args
,
const
void
*
parsed_require_args
)
static
authz_status
sso_check_authorization
(
request_rec
*
r
,
const
char
*
require_args
,
const
void
*
parsed_require_args
)
{
const
char
*
uri
,
*
type
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
char
*
sso_logout_path
,
*
sso_login_path
;
modsso_config
*
s_cfg
;
// We already did everything in mod_sso_check_user_id(),
// so just succeed (if SSO is active).
type
=
ap_auth_type
(
r
);
if
(
type
&&
!
strcasecmp
(
type
,
"SSO"
)
&&
r
->
user
)
{
return
OK
;
}
// XXX check groups via e.g. 'Require sso-groups' or 'Require valid-group'
s_cfg
=
(
modsso_config
*
)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
uri
=
r
->
uri
;
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso (auth_checker): could not parse service
\"
%s
\"
"
,
s_cfg
->
service
);
return
HTTP_BAD_REQUEST
;
}
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
if
(
!
strcmp
(
uri
,
sso_logout_path
)
||
!
strcmp
(
uri
,
sso_login_path
))
{
return
OK
;
}
return
DECLINED
;
}
#else
static
int
mod_sso_auth_checker
(
request_rec
*
r
)
...
...
@@ -894,6 +937,13 @@ static int mod_sso_auth_checker(request_rec *r)
}
#endif
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static
const
authz_provider
authz_sso_provider
=
{
&
sso_check_authorization
,
NULL
,
};
#endif
/**
* Apache register_hooks callback for mod_sso.
...
...
@@ -908,7 +958,7 @@ static void mod_sso_register_hooks (apr_pool_t *p)
ap_hook_handler
(
mod_sso_method_handler
,
NULL
,
NULL
,
APR_HOOK_FIRST
);
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
ap_hook_check_authn
(
mod_sso_check_user_id
,
NULL
,
NULL
,
APR_HOOK_MIDDLE
,
AP_AUTH_INTERNAL_PER_CONF
);
ap_register_auth_provider
(
p
ool
,
AUTHZ_PROVIDER_GROUP
,
SSO_REQUIRE_NAME
,
"0"
,
&
authz_sso_provider
,
AP_AUTH_INTERNAL_PER_CONF
);
ap_register_auth_provider
(
p
,
AUTHZ_PROVIDER_GROUP
,
SSO_REQUIRE_NAME
,
"0"
,
&
authz_sso_provider
,
AP_AUTH_INTERNAL_PER_CONF
);
#else
static
const
char
*
const
authzSucc
[]
=
{
"mod_sso.c"
,
NULL
};
ap_hook_check_user_id
(
mod_sso_check_user_id
,
NULL
,
NULL
,
APR_HOOK_MIDDLE
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment