Commit 6a35f8a2 authored by godog's avatar godog

mod_sso: XXX provide check_user_id

parent f4416285
......@@ -625,6 +625,118 @@ static char *pkey_to_string(const unsigned char *pkey, char *buf) {
*
* @param r Pointer to the request_rec structure.
*/
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static int mod_sso_check_user_id(request_rec *r)
{
const char *type, *sso_cookie_name, *sso_cookie, *uri;
const char *sso_login_path, *sso_logout_path;
const char *service = NULL, *service_host = NULL,
*service_path = NULL;
struct modsso_auth_req auth;
int retval, err, do_redirect = 1;
modsso_config *s_cfg = (modsso_config *)
ap_get_module_config(r->per_dir_config, &sso_module);
type = ap_auth_type(r);
if (type == NULL || apr_strnatcasecmp(type, "sso") != 0) {
return DECLINED;
}
// If this is a sub-request, pass existing credentials, if any.
if (!ap_is_initial_req(r)) {
if (r->main != NULL) {
r->user = r->main->user;
} else if (r->prev != NULL) {
r->user = r->prev->user;
}
if (r->user != NULL) {
return OK;
}
}
sso_cookie_name = get_cookie_name(r);
// Check if the required parameters are defined.
if (!check_config(r, s_cfg)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
uri = r->uri;
if (parse_service(r, s_cfg, &service, &service_host, &service_path) != 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"sso (check_user_id): could not parse service (cfg->service=%s)",
s_cfg->service);
return HTTP_BAD_REQUEST;
}
// Everyone is allowed access to /sso_login and /sso_logout
sso_logout_path = apr_pstrcat(r->pool, service_path, "sso_logout", NULL);
sso_login_path = apr_pstrcat(r->pool, service_path, "sso_login", NULL);
if (!strcmp(uri, sso_logout_path) || !strcmp(uri, sso_login_path)) {
return OK;
}
//mod_sso_parse_requirements(r, &auth);
// Test for valid cookie
sso_cookie = get_cookie(r, sso_cookie_name);
if (sso_cookie != NULL) {
sso_ticket_t t;
// Print some debugging information about the service
{
char pkeybuf[512];
const char *host_hdr = apr_table_get(r->headers_in, "Host");
if (!host_hdr) {
host_hdr = "null";
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso request: uri=%s, service=%s, orig=%s, host=%s, tkt=%s, pkey=%s",
r->uri, service, s_cfg->service, host_hdr, sso_cookie,
pkey_to_string(s_cfg->public_key, pkeybuf));
}
err = sso_ticket_open(&t, sso_cookie, s_cfg->public_key);
if (err != SSO_OK) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
"sso: ticket decoding error: %s", sso_strerror(err));
} else {
err = sso_validate(t, s_cfg->service, s_cfg->domain, apr_is_empty_array(auth.groups) ? NULL : (const char **)auth.groups->elts);
if (err != SSO_OK) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
"sso: validation error: %s", sso_strerror(err));
} else {
// Check user authorization lists. Group membership has
// already been verified by sso_validate.
if (auth.any_user || (!apr_is_empty_array(auth.users) && array_contains(auth.users, t->user)) || !apr_is_empty_array(auth.groups)) {
// Success.
apr_table_setn(r->subprocess_env, "SSO_SERVICE",
apr_pstrdup(r->pool, service));
r->user = apr_pstrdup(r->pool, t->user);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: authorized user '%s'", r->user);
retval = OK;
} else {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
"sso: unauthorized user '%s'", t->user);
retval = HTTP_UNAUTHORIZED;
}
do_redirect = 0;
}
sso_ticket_free(t);
}
}
if (!do_redirect) {
return retval;
}
// Redirect to login server
return redirect_to_login_server(r, s_cfg->login_server, service_host, service, auth.groups);
}
#else
static int mod_sso_check_user_id(request_rec *r)
{
const char *type, *sso_cookie_name, *sso_cookie, *uri;
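Review bot: `struct modsso_auth_req auth;` in the `#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714` body is never populated, because the only writer, `mod_sso_parse_requirements(r, &auth)`, is commented out, yet `auth.groups` is passed to `sso_validate` and `redirect_to_login_server`, and `auth.any_user`/`auth.users` drive the authorization test before `r->user` is set; reading an indeterminate automatic object is undefined behaviour, and here the access decision itself depends on it, so a stray non-zero `any_user` would admit a user the lists should reject. Until requirement parsing is wired back in, the declaration should at least fail closed: `struct modsso_auth_req auth = {0};`, which (since `apr_is_empty_array` accepts a NULL array) makes the user/group test deny and the redirect carry no groups. The XXX in the commit title suggests this is known, so a `// TODO: auth is not populated until mod_sso_parse_requirements is restored` beside the commented-out call would make it visible at the use sites. The `#else` copy of `mod_sso_check_user_id` starts at the end of this hunk and continues outside it; from the second hunk it appears to share the same body, so it presumably needs the same change, and keeping two ~100-line copies of the function that differ only in version-specific details is worth revisiting.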
......@@ -735,6 +847,7 @@ static int mod_sso_check_user_id(request_rec *r)
// Redirect to login server
return redirect_to_login_server(r, s_cfg->login_server, service_host, service, auth.groups);
}
#endif /* apache 2.2 */
/**
* Apache authorization check callback for mod_sso.
......