Commit
6a35f8a2
authored
Mar 13, 2016
by
godog
mod_sso: XXX provide check_user_id
parent
f4416285
Changes
1
src/mod_sso/mod_sso.c
...
...
@@ -625,6 +625,118 @@ static char *pkey_to_string(const unsigned char *pkey, char *buf) {
*
* @param r Pointer to the request_rec structure.
*/
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static
int
mod_sso_check_user_id
(
request_rec
*
r
)
{
const
char
*
type
,
*
sso_cookie_name
,
*
sso_cookie
,
*
uri
;
const
char
*
sso_login_path
,
*
sso_logout_path
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
struct
modsso_auth_req
auth
;
int
retval
,
err
,
do_redirect
=
1
;
modsso_config
*
s_cfg
=
(
modsso_config
*
)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
type
=
ap_auth_type
(
r
);
if
(
type
==
NULL
||
apr_strnatcasecmp
(
type
,
"sso"
)
!=
0
)
{
return
DECLINED
;
}
// If this is a sub-request, pass existing credentials, if any.
if
(
!
ap_is_initial_req
(
r
))
{
if
(
r
->
main
!=
NULL
)
{
r
->
user
=
r
->
main
->
user
;
}
else
if
(
r
->
prev
!=
NULL
)
{
r
->
user
=
r
->
prev
->
user
;
}
if
(
r
->
user
!=
NULL
)
{
return
OK
;
}
}
sso_cookie_name
=
get_cookie_name
(
r
);
// Check if the required parameters are defined.
if
(
!
check_config
(
r
,
s_cfg
))
{
return
HTTP_INTERNAL_SERVER_ERROR
;
}
uri
=
r
->
uri
;
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso (check_user_id): could not parse service (cfg->service=%s)"
,
s_cfg
->
service
);
return
HTTP_BAD_REQUEST
;
}
// Everyone is allowed access to /sso_login and /sso_logout
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
if
(
!
strcmp
(
uri
,
sso_logout_path
)
||
!
strcmp
(
uri
,
sso_login_path
))
{
return
OK
;
}
//mod_sso_parse_requirements(r, &auth);
// Test for valid cookie
sso_cookie
=
get_cookie
(
r
,
sso_cookie_name
);
if
(
sso_cookie
!=
NULL
)
{
sso_ticket_t
t
;
// Print some debugging information about the service
{
char
pkeybuf
[
512
];
const
char
*
host_hdr
=
apr_table_get
(
r
->
headers_in
,
"Host"
);
if
(
!
host_hdr
)
{
host_hdr
=
"null"
;
}
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso request: uri=%s, service=%s, orig=%s, host=%s, tkt=%s, pkey=%s"
,
r
->
uri
,
service
,
s_cfg
->
service
,
host_hdr
,
sso_cookie
,
pkey_to_string
(
s_cfg
->
public_key
,
pkeybuf
));
}
err
=
sso_ticket_open
(
&
t
,
sso_cookie
,
s_cfg
->
public_key
);
if
(
err
!=
SSO_OK
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: ticket decoding error: %s"
,
sso_strerror
(
err
));
}
else
{
err
=
sso_validate
(
t
,
s_cfg
->
service
,
s_cfg
->
domain
,
apr_is_empty_array
(
auth
.
groups
)
?
NULL
:
(
const
char
**
)
auth
.
groups
->
elts
);
if
(
err
!=
SSO_OK
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: validation error: %s"
,
sso_strerror
(
err
));
}
else
{
// Check user authorization lists. Group membership has
// already been verified by sso_validate.
if
(
auth
.
any_user
||
(
!
apr_is_empty_array
(
auth
.
users
)
&&
array_contains
(
auth
.
users
,
t
->
user
))
||
!
apr_is_empty_array
(
auth
.
groups
))
{
// Success.
apr_table_setn
(
r
->
subprocess_env
,
"SSO_SERVICE"
,
apr_pstrdup
(
r
->
pool
,
service
));
r
->
user
=
apr_pstrdup
(
r
->
pool
,
t
->
user
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: authorized user '%s'"
,
r
->
user
);
retval
=
OK
;
}
else
{
ap_log_error
(
APLOG_MARK
,
APLOG_WARNING
,
0
,
r
->
server
,
"sso: unauthorized user '%s'"
,
t
->
user
);
retval
=
HTTP_UNAUTHORIZED
;
}
do_redirect
=
0
;
}
sso_ticket_free
(
t
);
}
}
if
(
!
do_redirect
)
{
return
retval
;
}
// Redirect to login server
return
redirect_to_login_server
(
r
,
s_cfg
->
login_server
,
service_host
,
service
,
auth
.
groups
);
}
#else
static
int
mod_sso_check_user_id
(
request_rec
*
r
)
{
const
char
*
type
,
*
sso_cookie_name
,
*
sso_cookie
,
*
uri
;
...
...
@@ -735,6 +847,7 @@ static int mod_sso_check_user_id(request_rec *r)
// Redirect to login server
return
redirect_to_login_server
(
r
,
s_cfg
->
login_server
,
service_host
,
service
,
auth
.
groups
);
}
#endif
/* apache 2.2 */
/**
* Apache authorization check callback for mod_sso.
...
...
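Review bot: In the new `#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714` variant of `mod_sso_check_user_id`, `struct modsso_auth_req auth;` is never initialized because the `mod_sso_parse_requirements(r, &auth)` call is commented out, yet `auth.groups`, `auth.users` and `auth.any_user` are then read by the `sso_validate` call, the authorization check and `redirect_to_login_server`. That is undefined behaviour, and the allow/deny decision ends up depending on whatever is on the stack, so the check cannot be relied on to reject a user who holds a valid ticket but is not in the intended lists. Until requirement parsing is wired up for this branch, declare it as `struct modsso_auth_req auth = {0};` so the check fails closed (assuming `redirect_to_login_server` tolerates a NULL groups array), or restore the parse call. Separately, the debug `ap_log_error` writes the raw cookie through `tkt=%s`; that value appears to be the ticket itself, so I would leave it out of the log line. The `#else` variant of the function continues outside the visible hunks and is not covered here.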