Skip to content
GitLab
Commit 5cb573e5 authored by ale's avatar ale
Browse files

implement group_check_authorization

parent 3b84a2f6
Hide whitespace changes
Inline Side-by-side
src/mod_sso/mod_sso.c
View file @ 5cb573e5
......@@ -170,7 +170,7 @@ static apr_array_header_t *parse_commasep_groups(apr_pool_t *pool, const char *c
static const char *set_modsso_groups(cmd_parms *parms, void *mconfig, const char *arg)
{
modsso_config *s_cfg = (modsso_config *)mconfig;
s_cfg->groups = parse_commasep_groups(/* global pool?? */NULL, arg);
s_cfg->groups = parse_commasep_groups(parms->pool, arg);
return NULL;
}
......@@ -590,17 +590,19 @@ static void mod_sso_parse_requirements(request_rec *r,
static char *encode_groups(apr_pool_t *p, apr_array_header_t *groups)
{
/**
apr_array_header_t *arr = apr_array_make(p, (groups->nelts - 1) * 2 - 1, sizeof(const char *));
int i;
/* Create a temporary array with strings and commas. */
for (i = 0; i < groups->nelts - 1; i++) {
for (i = 0; i < groups->nelts; i++) {
if (i > 0) {
*(const char **)apr_array_push(arr) = ",";
}
*(const char **)apr_array_push(arr) = ((const char **)groups->elts)[i];
}
return apr_array_pstrcat(p, arr, 0);
**/
return apr_array_pstrcat(p, groups, ',');
}
static int redirect_to_login_server(request_rec *r,
......@@ -689,6 +691,17 @@ static int mod_sso_check_access_ex(request_rec *r)
return DECLINED;
}
static char *parse_ticket_groups(apr_pool_t *pool, char **groups) {
apr_array_header_t *arr = apr_array_make(pool, 1, sizeof(char *));
if (groups) {
while (*groups) {
*(char **)apr_array_push(arr) = apr_pstrdup(pool, *groups);
groups++;
}
}
return apr_array_pstrcat(pool, arr, ',');
}
static int mod_sso_check_user_id(request_rec *r)
{
const char *type, *sso_cookie_name, *sso_cookie;
......@@ -697,7 +710,7 @@ static int mod_sso_check_user_id(request_rec *r)
int retval, err, do_redirect = 1;
modsso_config *s_cfg = (modsso_config *)
ap_get_module_config(r->per_dir_config, &sso_module);
apr_array_header_t *sso_validate_groups = NULL;
//apr_array_header_t *sso_validate_groups = NULL;
type = ap_auth_type(r);
if (type == NULL || apr_strnatcasecmp(type, "sso") != 0) {
......@@ -756,17 +769,20 @@ static int mod_sso_check_user_id(request_rec *r)
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
"sso: ticket decoding error: %s", sso_strerror(err));
} else {
if (s_cfg->groups != NULL) {
sso_validate_groups = apr_array_copy(r->pool, s_cfg->groups);
*(const char **)apr_array_push(sso_validate_groups) = NULL;
}
// TODO: remove this so as to skip group membership check in sso_validate.
/* if (s_cfg->groups != NULL) { */
/* sso_validate_groups = apr_array_copy(r->pool, s_cfg->groups); */
/* *(const char **)apr_array_push(sso_validate_groups) = NULL; */
/* } */
err = sso_validate(t, s_cfg->service, s_cfg->domain,
apr_is_empty_array(s_cfg->groups) ? NULL : (const char **)sso_validate_groups);
//apr_is_empty_array(s_cfg->groups) ? NULL : (const char **)sso_validate_groups
NULL);
if (err != SSO_OK) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
"sso: validation error: %s", sso_strerror(err));
} else {
apr_table_setn(r->notes, "SSO_GROUPS", parse_ticket_groups(r->pool, t->groups));
apr_table_setn(r->subprocess_env, "SSO_SERVICE",
apr_pstrdup(r->pool, service));
r->user = apr_pstrdup(r->pool, t->user);
......@@ -776,8 +792,8 @@ static int mod_sso_check_user_id(request_rec *r)
retval = OK;
do_redirect = 0;
}
sso_ticket_free(t);
}
sso_ticket_free(t);
}
if (!do_redirect) {
......@@ -938,6 +954,46 @@ static authz_status sso_check_authorization(request_rec *r, const char *require_
return DECLINED;
}
static authz_status group_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args) {
const ap_expr_info_t *expr = parsed_require_args;
const char *err = NULL;
const char *group_str, *require, *w, *t;
apr_array_header_t *user_groups = NULL;
int i;
// Retrieve the comma-separated group list from r->notes.
group_str = apr_table_get(r->notes, "SSO_GROUPS");
if (!group_str) {
return DECLINED;
}
user_groups = parse_commasep_groups(r->pool, group_str);
require = ap_expr_str_exec(r, expr, &err);
if (err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02592)
"mod_sso authorize: require group: Can't "
"evaluate require expression: %s", err);
return AUTHZ_DENIED;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso (check_group): user '%s' user_groups '%s'", r->user, group_str);
t = require;
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
// Check if w is in user_groups.
for (i = 0; i < user_groups->nelts; i++) {
char *el = APR_ARRAY_IDX(user_groups, i, char *);
if (!strcasecmp(w, el)) {
return AUTHZ_GRANTED;
}
}
}
return DECLINED;
}
#else
static int mod_sso_auth_checker(request_rec *r)
{
......@@ -980,6 +1036,12 @@ static const authz_provider authz_sso_provider =
&sso_check_authorization,
NULL,
};
static const authz_provider authz_sso_group_provider =
{
&group_check_authorization,
NULL,
};
#endif
/**
......@@ -997,6 +1059,7 @@ static void mod_sso_register_hooks (apr_pool_t *p)
ap_hook_check_authn(mod_sso_check_user_id, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
ap_hook_check_access_ex(mod_sso_check_access_ex, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, SSO_REQUIRE_NAME, "0", &authz_sso_provider, AP_AUTH_INTERNAL_PER_CONF);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "group", "0", &authz_sso_group_provider, AP_AUTH_INTERNAL_PER_CONF);
#else
static const char * const authzSucc[] = { "mod_sso.c", NULL };
ap_hook_check_user_id(mod_sso_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment