Commit b39c0602 authored by ale's avatar ale

base64-encode the SSO tickets saved as cookies in the browser; fixes issue #19

parent 8522ab91
......@@ -396,8 +396,7 @@ static int mod_sso_method_handler (request_rec *r)
modsso::params_t params = modsso::parse_query_string(query_string);
string t(params["t"]);
string d(params["d"]);
modsso::set_cookie(r, sso_cookie_name, modsso::base64_decode(t),
service_path);
modsso::set_cookie(r, sso_cookie_name, t, service_path);
string redir(modsso::url_decode(d));
if (!is_valid_redir(redir, service)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
......@@ -513,7 +512,7 @@ static int mod_sso_authenticate_user(request_rec *r)
mod_sso_parse_requirements(r, req_groups, req_users, &allow_any_user);
// Test for valid cookie
string sso_cookie = get_cookie(r, sso_cookie_name);
string sso_cookie = modsso::base64_decode(get_cookie(r, sso_cookie_name));
if (!sso_cookie.empty()) {
sso::Verifier verifier(s_cfg->public_key, s_cfg->service,
s_cfg->domain, req_groups);
......
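Review bot: At the new line `modsso::set_cookie(r, sso_cookie_name, t, service_path);` the query parameter `t` is copied into the Set-Cookie header verbatim, whereas the removed call at least normalised it through base64_decode; nothing now checks that `t` is non-empty or confined to the base64 alphabet before it is reflected back to the client, so unless modsso::set_cookie escapes its value, characters that are not allowed in a cookie-value can land in the header. A guard before the call such as `if (t.empty() || t.find_first_not_of("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=") != string::npos) return HTTP_BAD_REQUEST;` closes that. The same unvalidated value comes back through `modsso::base64_decode(get_cookie(r, sso_cookie_name))` in the second hunk, and whether that decoder tolerates malformed input is not visible here, so an alphabet check on the cookie side is worth having too. mod_sso_method_handler and mod_sso_authenticate_user both start and end outside their hunks.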
......@@ -63,7 +63,7 @@ class HttpdIntegrationTest(unittest.TestCase):
def testRedirectionUrls(self):
def mkcookie(tkt):
return "SSO_test=%s" % tkt
return "SSO_test=%s" % base64.b64encode(tkt)
# Tests have a name so that we can recognize failures.
checks = [
......@@ -154,7 +154,7 @@ class HttpdIntegrationTest(unittest.TestCase):
self.assertEquals(302, resp.status)
set_cookie = resp.getheader("Set-Cookie")
self.assertTrue(set_cookie)
self.assertTrue(tkt in set_cookie)
self.assertTrue(base64.b64encode(tkt) in set_cookie)
conn.close()
# test the /sso_logout endpoint
......
......@@ -82,7 +82,7 @@ class SSOMiddleware:
uri = environ['SCRIPT_NAME'] + environ['PATH_INFO']
if uri == '/sso_login':
query = cgi.parse(environ=environ, keep_blank_values=True)
ticket = base64.b64decode(query['t'][0])
ticket = query['t'][0]
hdrs = [('Set-Cookie', set_cookie(self.cookie_name, ticket))]
return redirect(query['d'][0], hdrs, environ, start_response)
elif uri == '/sso_logout':
......@@ -96,11 +96,11 @@ class SSOMiddleware:
if self.cookie_name in cookies:
ticket = cookies[self.cookie_name].value
try:
tkt = self.verifier.verify(ticket)
tkt = self.verifier.verify(base64.b64decode(ticket))
environ['sso.ok'] = True
environ['REMOTE_USER'] = tkt.user()
return self.next_app(environ, start_response)
except ValueError, e:
except (TypeError, ValueError) as e:
log.error('SSO authentication failed for %s: %s', uri, e)
full_url = get_full_url(environ, self.base_url)
......
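Review bot: The new `ticket = query['t'][0]` stores the query value in the cookie unchecked, and the only rejection point is the later `base64.b64decode(ticket)` under `except (TypeError, ValueError)`; on Python 2 (the old `except ValueError, e:` form shows this is a 2.x codebase) b64decode raises TypeError only for bad padding and silently drops characters outside the base64 alphabet, so a malformed cookie reaches `self.verifier.verify` as decoded garbage and is refused only if verify raises ValueError on it, which is not visible here. A comment on the except line would make that dependency explicit, e.g. `# b64decode on 2.x raises TypeError only for bad padding; anything else must be rejected by verify()`. Consider also validating `t` in the /sso_login branch (a decode attempt or an alphabet check) so a bad value is refused once at login rather than on every later request. The SSOMiddleware method around both hunks starts and ends outside them.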
import base64
import functools
import json
import logging
......@@ -83,8 +84,12 @@ def login():
# form.
local_ticket_str = request.cookies.get(SSO_COOKIE_NAME)
if local_ticket_str:
local_ticket = app.login_service.local_authorize(
_tostr(local_ticket_str))
try:
local_ticket = app.login_service.local_authorize(
_tostr(base64.b64decode(local_ticket_str)))
except:
log.warn('error decoding ticket')
local_ticket = None
else:
local_ticket = None
......@@ -108,7 +113,8 @@ def login():
return show_login_page(params, 'Authentication failed')
# Set local auth cookie.
local_ticket_str = app.login_service.local_generate(username)
local_ticket_str = base64.b64encode(
app.login_service.local_generate(username))
# At this point the user is authenticated, check authorization
# and create the single sign-on ticket.
......
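Review bot: The bare `except:` added after `app.login_service.local_authorize(...)` swallows every exception, including ones raised by local_authorize itself and SystemExit/KeyboardInterrupt, and the warning it logs drops the reason, so a failing authorizer would look like a mere cookie-decoding problem. The middleware in this same commit narrows the equivalent catch to `(TypeError, ValueError)`; matching it here with `except (TypeError, ValueError) as e:` and `log.warning('error decoding ticket: %s', e)` keeps the best-effort fallback to `local_ticket = None` while leaving unexpected errors visible. login() starts and ends outside both hunks.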
import base64
import logging
import os
import re
......@@ -55,7 +56,7 @@ class SSOServerTest(unittest.TestCase):
shutil.rmtree(self.tmpdir)
def get_local_ticket(self, user):
return self.app.login_service.local_generate(user)
return base64.b64encode(self.app.login_service.local_generate(user))
def get_auth_client(self, user='user', ticketstr=None):
if not ticketstr:
......