Commit eda0d422 authored by godog

mod_sso: check /sso_login /sso_logout during access checker exception

parent 2ff21e09
......@@ -427,19 +427,22 @@ static int mod_sso_method_handler(request_rec *r)
ap_get_module_config(r->per_dir_config, &sso_module);
uri = r->uri;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: handler \"%s\"", r->handler);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: handler \"%s\"", r->handler);
// Return immediately if there's nothing to do (check the AuthType)
type = ap_auth_type(r);
if (!type || strcasecmp(type, "SSO") != 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: invalid authentication type \"%s\"", type);
"sso: invalid authentication type \"%s\"", type);
return DECLINED;
}
sso_cookie_name = get_cookie_name(r);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: cookie_name \"%s\"", sso_cookie_name);
// Check if the required parameters are defined.
if (!check_config(r, s_cfg)) {
return HTTP_INTERNAL_SERVER_ERROR;
......@@ -448,13 +451,15 @@ static int mod_sso_method_handler(request_rec *r)
// Parse the service into host/path (guess it if not specified).
if (parse_service(r, s_cfg, &service, &service_host, &service_path) != 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"sso: could not parse service \"%s\"",
s_cfg->service);
"sso: could not parse service \"%s\"",
s_cfg->service);
return HTTP_BAD_REQUEST;
}
// Handle /sso_logout
sso_logout_path = apr_pstrcat(r->pool, service_path, "sso_logout", NULL);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: logout? \"%s\" \"%s\"", sso_logout_path, uri);
if (!strcmp(uri, sso_logout_path)) {
modsso_del_cookie(r, sso_cookie_name);
return http_sendstring(r, "OK");
......@@ -462,6 +467,8 @@ static int mod_sso_method_handler(request_rec *r)
// Handle /sso_login
sso_login_path = apr_pstrcat(r->pool, service_path, "sso_login", NULL);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: login? \"%s\" \"%s\"", sso_login_path, uri);
if (!strcmp(uri, sso_login_path)) {
struct modsso_params params;
char *redir;
......@@ -620,6 +627,8 @@ static int redirect_to_login_server(request_rec *r,
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"sso: unauthorized access to %s", dest);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: redirecting to %s", login_url);
return http_redirect(r, login_url);
}
......@@ -642,10 +651,47 @@ static char *pkey_to_string(const unsigned char *pkey, char *buf) {
* @param r Pointer to the request_rec structure.
*/
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static int mod_sso_check_user_id(request_rec *r)
static int mod_sso_check_access_ex(request_rec *r)
{
const char *type, *sso_cookie_name, *sso_cookie, *uri;
const char *type, *uri;
const char *sso_login_path, *sso_logout_path;
const char *service = NULL, *service_host = NULL,
*service_path = NULL;
modsso_config *s_cfg = (modsso_config *)
ap_get_module_config(r->per_dir_config, &sso_module);
type = ap_auth_type(r);
if (type == NULL || apr_strnatcasecmp(type, "sso") != 0) {
return DECLINED;
}
// Check if the required parameters are defined.
if (!check_config(r, s_cfg)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
uri = r->uri;
if (parse_service(r, s_cfg, &service, &service_host, &service_path) != 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"sso (check_access_ex): could not parse service (cfg->service=%s)",
s_cfg->service);
return HTTP_BAD_REQUEST;
}
// Everyone is allowed access to /sso_login and /sso_logout
sso_logout_path = apr_pstrcat(r->pool, service_path, "sso_logout", NULL);
sso_login_path = apr_pstrcat(r->pool, service_path, "sso_login", NULL);
if (!strcmp(uri, sso_logout_path) || !strcmp(uri, sso_login_path)) {
return OK;
}
return DECLINED;
}
static int mod_sso_check_user_id(request_rec *r)
{
const char *type, *sso_cookie_name, *sso_cookie;
const char *service = NULL, *service_host = NULL,
*service_path = NULL;
int retval, err, do_redirect = 1;
......@@ -658,9 +704,6 @@ static int mod_sso_check_user_id(request_rec *r)
return DECLINED;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso (check_user_id): handler '%s'", r->handler);
// If this is a sub-request, pass existing credentials, if any.
if (!ap_is_initial_req(r)) {
if (r->main != NULL) {
......@@ -673,6 +716,9 @@ static int mod_sso_check_user_id(request_rec *r)
}
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso (check_user_id): handler '%s' uri '%s'", r->handler, r->uri);
sso_cookie_name = get_cookie_name(r);
// Check if the required parameters are defined.
......@@ -680,8 +726,6 @@ static int mod_sso_check_user_id(request_rec *r)
return HTTP_INTERNAL_SERVER_ERROR;
}
uri = r->uri;
if (parse_service(r, s_cfg, &service, &service_host, &service_path) != 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"sso (check_user_id): could not parse service (cfg->service=%s)",
......@@ -689,13 +733,6 @@ static int mod_sso_check_user_id(request_rec *r)
return HTTP_BAD_REQUEST;
}
// Everyone is allowed access to /sso_login and /sso_logout
sso_logout_path = apr_pstrcat(r->pool, service_path, "sso_logout", NULL);
sso_login_path = apr_pstrcat(r->pool, service_path, "sso_login", NULL);
if (!strcmp(uri, sso_logout_path) || !strcmp(uri, sso_login_path)) {
return OK;
}
// Test for valid cookie
sso_cookie = get_cookie(r, sso_cookie_name);
if (sso_cookie != NULL) {
......@@ -958,6 +995,7 @@ static void mod_sso_register_hooks (apr_pool_t *p)
ap_hook_handler(mod_sso_method_handler, NULL, NULL, APR_HOOK_FIRST);
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
ap_hook_check_authn(mod_sso_check_user_id, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
ap_hook_check_access_ex(mod_sso_check_access_ex, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, SSO_REQUIRE_NAME, "0", &authz_sso_provider, AP_AUTH_INTERNAL_PER_CONF);
#else
static const char * const authzSucc[] = { "mod_sso.c", NULL };
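Review bot: `mod_sso_check_access_ex` returns OK for `/sso_login` and `/sso_logout` without emitting any log line, and in httpd 2.4 an OK from the access_checker_ex hook means the request proceeds with no check_user_id or auth_checker run, so this deliberate unauthenticated grant leaves no trace in the module's own logging; add `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "sso (check_access_ex): allowing unauthenticated access to %s", uri);` before the `return OK;`. The `service_path` + `"sso_login"`/`"sso_logout"` construction and exact `strcmp` against `r->uri` now lives in both the handler and this hook (and was just deleted from `mod_sso_check_user_id`), so a small `static int is_sso_endpoint(request_rec *r, const char *service_path)` helper would keep the bypass paths from drifting apart. The bypass removed from `mod_sso_check_user_id` in the hunk at 689 has no counterpart on the `#else` side of `mod_sso_register_hooks`, which presumably still relies on that function alone; if pre-20100714 builds are supported, `/sso_login` and `/sso_logout` would now require a valid cookie there, which is worth confirming. The AuthType test uses `apr_strnatcasecmp(type, "sso")` here but `strcasecmp(type, "SSO")` in `mod_sso_method_handler`; one form should be used in both. The `#if MODULE_MAGIC_NUMBER_MAJOR` block opened at the top of the 642 hunk and `mod_sso_register_hooks` both continue outside the shown lines.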