mod_sso: XXX provide check_user_id

6a35f8a2 · godog · f4416285 · 6a35f8a2
Commit 6a35f8a2 authored Mar 13, 2016 by godog
Hide whitespace changes
Inline Side-by-side

Showing with 113 additions and 0 deletions

src/mod_sso/mod_sso.c src/mod_sso/mod_sso.c +113 -0

No files found.
--- a/src/mod_sso/mod_sso.c
+++ b/src/mod_sso/mod_sso.c
@@ -625,6 +625,118 @@ static char *pkey_to_string(const unsigned char *pkey, char *buf) {
 *
 * @param r Pointer to the request_rec structure.
 */
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
+static int mod_sso_check_user_id(request_rec *r)
+{
+  const char *type, *sso_cookie_name, *sso_cookie, *uri;
+  const char *sso_login_path, *sso_logout_path;
+  const char *service = NULL, *service_host = NULL,
+    *service_path = NULL;
+  struct modsso_auth_req auth;
+  int retval, err, do_redirect = 1;
+  modsso_config *s_cfg = (modsso_config *)
+    ap_get_module_config(r->per_dir_config, &sso_module);
+
+  type = ap_auth_type(r);
+  if (type == NULL || apr_strnatcasecmp(type, "sso") != 0) {
+    return DECLINED;
+  }
+
+  // If this is a sub-request, pass existing credentials, if any.
+  if (!ap_is_initial_req(r)) {
+    if (r->main != NULL) {
+      r->user = r->main->user;
+    } else if (r->prev != NULL) {
+      r->user = r->prev->user;
+    }
+    if (r->user != NULL) {
+      return OK;
+    }
+  }
+
+  sso_cookie_name = get_cookie_name(r);
+
+  // Check if the required parameters are defined.
+  if (!check_config(r, s_cfg)) {
+    return HTTP_INTERNAL_SERVER_ERROR;
+  }
+
+  uri = r->uri;
+
+  if (parse_service(r, s_cfg, &service, &service_host, &service_path) != 0) {
+    ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+         "sso (check_user_id): could not parse service (cfg->service=%s)",
+         s_cfg->service);
+    return HTTP_BAD_REQUEST;
+  }
+
+  // Everyone is allowed access to /sso_login and /sso_logout
+  sso_logout_path = apr_pstrcat(r->pool, service_path, "sso_logout", NULL);
+  sso_login_path = apr_pstrcat(r->pool, service_path, "sso_login", NULL);
+  if (!strcmp(uri, sso_logout_path) || !strcmp(uri, sso_login_path)) {
+    return OK;
+  }
+
+  //mod_sso_parse_requirements(r, &auth);
+
+  // Test for valid cookie
+  sso_cookie = get_cookie(r, sso_cookie_name);
+  if (sso_cookie != NULL) {
+    sso_ticket_t t;
+
+    // Print some debugging information about the service
+    {
+      char pkeybuf[512];
+      const char *host_hdr = apr_table_get(r->headers_in, "Host");
+      if (!host_hdr) {
+        host_hdr = "null";
+      }
+      ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+         "sso request: uri=%s, service=%s, orig=%s, host=%s, tkt=%s, pkey=%s",
+         r->uri, service, s_cfg->service, host_hdr, sso_cookie,
+         pkey_to_string(s_cfg->public_key, pkeybuf));
+    }
+
+    err = sso_ticket_open(&t, sso_cookie, s_cfg->public_key);
+    if (err != SSO_OK) {
+      ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
+                   "sso: ticket decoding error: %s", sso_strerror(err));
+    } else {
+      err = sso_validate(t, s_cfg->service, s_cfg->domain, apr_is_empty_array(auth.groups) ? NULL : (const char **)auth.groups->elts);
+      if (err != SSO_OK) {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
+                     "sso: validation error: %s", sso_strerror(err));
+      } else {
+        // Check user authorization lists. Group membership has
+	// already been verified by sso_validate.
+        if (auth.any_user || (!apr_is_empty_array(auth.users) && array_contains(auth.users, t->user)) || !apr_is_empty_array(auth.groups)) {
+          // Success.
+          apr_table_setn(r->subprocess_env, "SSO_SERVICE", 
+                         apr_pstrdup(r->pool, service));
+          r->user = apr_pstrdup(r->pool, t->user);
+          ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                       "sso: authorized user '%s'", r->user);
+          retval = OK;
+        } else {
+          ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
+                       "sso: unauthorized user '%s'", t->user);
+          retval = HTTP_UNAUTHORIZED;
+        }
+        do_redirect = 0;
+      }	
+
+      sso_ticket_free(t);
+    }
+  }
+
+  if (!do_redirect) {
+    return retval;
+  }
+
+  // Redirect to login server
+  return redirect_to_login_server(r, s_cfg->login_server, service_host, service, auth.groups);
+}
+#else
 static int mod_sso_check_user_id(request_rec *r)
 {
  const char *type, *sso_cookie_name, *sso_cookie, *uri;
@@ -735,6 +847,7 @@ static int mod_sso_check_user_id(request_rec *r)
  // Redirect to login server
  return redirect_to_login_server(r, s_cfg->login_server, service_host, service, auth.groups);
 }
+#endif /* apache 2.2 */

 /** 
 * Apache authorization check callback for mod_sso.