ai
sso
Commits
eda0d422
Commit
eda0d422
authored
Mar 20, 2016
by
godog
mod_sso: check /sso_login /sso_logout during access checker exception
parent
2ff21e09
Changes
1
src/mod_sso/mod_sso.c
...
...
@@ -427,19 +427,22 @@ static int mod_sso_method_handler(request_rec *r)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
uri
=
r
->
uri
;
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: handler
\"
%s
\"
"
,
r
->
handler
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: handler
\"
%s
\"
"
,
r
->
handler
);
// Return immediately if there's nothing to do (check the AuthType)
type
=
ap_auth_type
(
r
);
if
(
!
type
||
strcasecmp
(
type
,
"SSO"
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: invalid authentication type
\"
%s
\"
"
,
type
);
"sso: invalid authentication type
\"
%s
\"
"
,
type
);
return
DECLINED
;
}
sso_cookie_name
=
get_cookie_name
(
r
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: cookie_name
\"
%s
\"
"
,
sso_cookie_name
);
// Check if the required parameters are defined.
if
(
!
check_config
(
r
,
s_cfg
))
{
return
HTTP_INTERNAL_SERVER_ERROR
;
...
...
@@ -448,13 +451,15 @@ static int mod_sso_method_handler(request_rec *r)
// Parse the service into host/path (guess it if not specified).
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso: could not parse service
\"
%s
\"
"
,
s_cfg
->
service
);
"sso: could not parse service
\"
%s
\"
"
,
s_cfg
->
service
);
return
HTTP_BAD_REQUEST
;
}
// Handle /sso_logout
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: logout?
\"
%s
\"
\"
%s
\"
"
,
sso_logout_path
,
uri
);
if
(
!
strcmp
(
uri
,
sso_logout_path
))
{
modsso_del_cookie
(
r
,
sso_cookie_name
);
return
http_sendstring
(
r
,
"OK"
);
...
...
@@ -462,6 +467,8 @@ static int mod_sso_method_handler(request_rec *r)
// Handle /sso_login
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: login?
\"
%s
\"
\"
%s
\"
"
,
sso_login_path
,
uri
);
if
(
!
strcmp
(
uri
,
sso_login_path
))
{
struct
modsso_params
params
;
char
*
redir
;
...
...
@@ -620,6 +627,8 @@ static int redirect_to_login_server(request_rec *r,
}
ap_log_error
(
APLOG_MARK
,
APLOG_INFO
,
0
,
r
->
server
,
"sso: unauthorized access to %s"
,
dest
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: redirecting to %s"
,
login_url
);
return
http_redirect
(
r
,
login_url
);
}
...
...
@@ -642,10 +651,47 @@ static char *pkey_to_string(const unsigned char *pkey, char *buf) {
* @param r Pointer to the request_rec structure.
*/
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static
int
mod_sso_check_
user_id
(
request_rec
*
r
)
static
int
mod_sso_check_
access_ex
(
request_rec
*
r
)
{
const
char
*
type
,
*
sso_cookie_name
,
*
sso_cookie
,
*
uri
;
const
char
*
type
,
*
uri
;
const
char
*
sso_login_path
,
*
sso_logout_path
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
modsso_config
*
s_cfg
=
(
modsso_config
*
)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
type
=
ap_auth_type
(
r
);
if
(
type
==
NULL
||
apr_strnatcasecmp
(
type
,
"sso"
)
!=
0
)
{
return
DECLINED
;
}
// Check if the required parameters are defined.
if
(
!
check_config
(
r
,
s_cfg
))
{
return
HTTP_INTERNAL_SERVER_ERROR
;
}
uri
=
r
->
uri
;
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso (check_access_ex): could not parse service (cfg->service=%s)"
,
s_cfg
->
service
);
return
HTTP_BAD_REQUEST
;
}
// Everyone is allowed access to /sso_login and /sso_logout
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
if
(
!
strcmp
(
uri
,
sso_logout_path
)
||
!
strcmp
(
uri
,
sso_login_path
))
{
return
OK
;
}
return
DECLINED
;
}
static
int
mod_sso_check_user_id
(
request_rec
*
r
)
{
const
char
*
type
,
*
sso_cookie_name
,
*
sso_cookie
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
int
retval
,
err
,
do_redirect
=
1
;
...
...
@@ -658,9 +704,6 @@ static int mod_sso_check_user_id(request_rec *r)
return
DECLINED
;
}
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso (check_user_id): handler '%s'"
,
r
->
handler
);
// If this is a sub-request, pass existing credentials, if any.
if
(
!
ap_is_initial_req
(
r
))
{
if
(
r
->
main
!=
NULL
)
{
...
...
@@ -673,6 +716,9 @@ static int mod_sso_check_user_id(request_rec *r)
}
}
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso (check_user_id): handler '%s' uri '%s'"
,
r
->
handler
,
r
->
uri
);
sso_cookie_name
=
get_cookie_name
(
r
);
// Check if the required parameters are defined.
...
...
@@ -680,8 +726,6 @@ static int mod_sso_check_user_id(request_rec *r)
return
HTTP_INTERNAL_SERVER_ERROR
;
}
uri
=
r
->
uri
;
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso (check_user_id): could not parse service (cfg->service=%s)"
,
...
...
@@ -689,13 +733,6 @@ static int mod_sso_check_user_id(request_rec *r)
return
HTTP_BAD_REQUEST
;
}
// Everyone is allowed access to /sso_login and /sso_logout
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
if
(
!
strcmp
(
uri
,
sso_logout_path
)
||
!
strcmp
(
uri
,
sso_login_path
))
{
return
OK
;
}
// Test for valid cookie
sso_cookie
=
get_cookie
(
r
,
sso_cookie_name
);
if
(
sso_cookie
!=
NULL
)
{
...
...
@@ -958,6 +995,7 @@ static void mod_sso_register_hooks (apr_pool_t *p)
ap_hook_handler
(
mod_sso_method_handler
,
NULL
,
NULL
,
APR_HOOK_FIRST
);
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
ap_hook_check_authn
(
mod_sso_check_user_id
,
NULL
,
NULL
,
APR_HOOK_MIDDLE
,
AP_AUTH_INTERNAL_PER_CONF
);
ap_hook_check_access_ex
(
mod_sso_check_access_ex
,
NULL
,
NULL
,
APR_HOOK_MIDDLE
,
AP_AUTH_INTERNAL_PER_CONF
);
ap_register_auth_provider
(
p
,
AUTHZ_PROVIDER_GROUP
,
SSO_REQUIRE_NAME
,
"0"
,
&
authz_sso_provider
,
AP_AUTH_INTERNAL_PER_CONF
);
#else
static
const
char
*
const
authzSucc
[]
=
{
"mod_sso.c"
,
NULL
};
...
...
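Review bot: In the new `mod_sso_check_access_ex`, `return OK` is a full bypass rather than only an authentication skip: on httpd 2.4 an `OK` from the access_checker_ex phase normally grants access without running the later check_authn and authorization hooks, so any `Require` rules on the location are presumably not consulted for the two exempt URIs either. The exact `strcmp` of `r->uri` against `service_path` + `"sso_login"` / `"sso_logout"` is therefore the only gate, and it relies on `service_path` ending in `/`, which `parse_service` (not shown on this page) would have to guarantee. I would state this above the comparison, e.g. `/* OK here skips authn and authz entirely; keep this an exact match on r->uri. */`. The same two paths are also built in `mod_sso_method_handler`, so the exemption and the handler have to be kept in sync by hand. Separately, the doc comment ending just above the `#if` appears to have been written for `mod_sso_check_user_id` and now sits on the new function, so each function should get its own.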