2007-09-24 11:56:34 +02:00
|
|
|
/*
|
|
|
|
*
|
|
|
|
* auth_mellon_config.c: an authentication apache module
|
2019-07-04 19:19:42 +02:00
|
|
|
* Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
|
2007-09-24 11:56:34 +02:00
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "auth_mellon.h"
|
|
|
|
|
2016-06-25 19:23:16 +02:00
|
|
|
#ifdef APLOG_USE_MODULE
|
|
|
|
APLOG_USE_MODULE(auth_mellon);
|
|
|
|
#endif
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
/* This is the default endpoint path. Remember to update the description of
|
|
|
|
* the MellonEndpointPath configuration directive if you change this.
|
|
|
|
*/
|
|
|
|
static const char *default_endpoint_path = "/mellon/";
|
|
|
|
|
|
|
|
/* This is the default name of the attribute we use as a username. Remember
|
|
|
|
* to update the description of the MellonUser configuration directive if
|
|
|
|
* you change this.
|
|
|
|
*/
|
|
|
|
static const char *default_user_attribute = "NAME_ID";
|
|
|
|
|
2019-04-10 12:58:04 +02:00
|
|
|
/* This is the default prefix to use for attributes received from the
|
|
|
|
* server. Customizable using the MellonEnvPrefix option
|
|
|
|
*/
|
|
|
|
static const char *default_env_prefix = "MELLON_";
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
/* This is the default name of the cookie which mod_auth_mellon will set.
|
|
|
|
* If you change this, then you should also update the description of the
|
|
|
|
* MellonVar configuration directive.
|
|
|
|
*/
|
|
|
|
static const char *default_cookie_name = "cookie";
|
|
|
|
|
2016-04-08 11:14:02 +02:00
|
|
|
/* The default setting for cookie is to not enforce secure flag
|
2009-03-02 14:56:35 +01:00
|
|
|
*/
|
|
|
|
static const int default_secure_cookie = 0;
|
|
|
|
|
2016-04-08 11:14:02 +02:00
|
|
|
/* The default setting for cookie is to not enforce HttpOnly flag
|
|
|
|
*/
|
|
|
|
static const int default_http_only_cookie = 0;
|
|
|
|
|
2009-05-25 22:48:46 +02:00
|
|
|
/* The default setting for setting MELLON_SESSION
|
|
|
|
*/
|
|
|
|
static const int default_dump_session = 0;
|
|
|
|
|
2009-06-01 22:43:17 +02:00
|
|
|
/* The default setting for setting MELLON_SAML_RESPONSE
|
|
|
|
*/
|
|
|
|
static const int default_dump_saml_response = 0;
|
|
|
|
|
2008-11-11 21:07:44 +01:00
|
|
|
/* This is the default IdP initiated login location
|
|
|
|
* the MellonDefaultLoginPath configuration directive if you change this.
|
|
|
|
*/
|
|
|
|
static const char *default_login_path = "/";
|
|
|
|
|
2009-11-09 14:46:28 +01:00
|
|
|
/* saved POST session time to live
|
|
|
|
* the MellonPostTTL configuration directive if you change this.
|
|
|
|
*/
|
|
|
|
static const apr_time_t post_ttl = 15 * 60;
|
|
|
|
|
|
|
|
/* saved POST session maximum size
|
|
|
|
* the MellonPostSize configuration directive if you change this.
|
|
|
|
*/
|
2016-04-27 08:07:31 +02:00
|
|
|
static const apr_size_t post_size = 1024 * 1024;
|
2009-11-09 14:46:28 +01:00
|
|
|
|
|
|
|
/* maximum saved POST sessions
|
|
|
|
* the MellonPostCount configuration directive if you change this.
|
|
|
|
*/
|
|
|
|
static const int post_count = 100;
|
2007-09-24 11:56:34 +02:00
|
|
|
|
Add diagnostic logging
Field experience with Mellon has demonstrated there are many
opportunities for deployment problems. Although there are tools such
as browser plugins which can capture SAML messages it's onerous for
site personnel to install and capture the relevant information. The
problem with this approach is further compounded by the fact the
external SAML messages are not correlated to Mellon's
requests/responses. Mellon currently can dump the Lasso session and
SAML Response messages and place them in Apache environment variables,
however these do not appear in the log file. To get them into the log
you have to add custom logging to the Apache config. Another issue is
the dumps are not human readable, they are base64 encoded, anyone
looking at the logs after setting up the custom logging will have to
find the base64 text and then manually copy the text into an external
base64 decoder. At that point you'll discover the XML is not pretty
printed making human interpretation difficult.
The Mellon debug messages written to the Apache error are often
insufficient to diagnose problems. And since the Mellon log messages
are written to the Apache error log they are interspersed with a lot
of non-Mellon message.
Compounding the problem of writing Mellon debug messages to the Apache
error log is the fact Apache log messages have a fixed maximum length
(currently 8192) which is insufficient to completely write out such
things as SAML Assertions, metadata, etc. Apache logging also escapes
all control characters with the consequence line breaks are not
preserved and what was a nicely formatted human readable piece of text
becomes a single line with escape characters and may be truncated.
It would be really nice if we could capture diagnostic information
with these properties:
* All relevant data is collected in exactly one file.
* Only information relevant to Mellon appears in the file.
* All information is human readable (pretty printed, decrypted) with
no need to rely on other tools.
* The diagnostic information is grouped by requests.
* The requests can be cross correlated with other Apache logs because
they utilize the same unique request identifier.
This patch adds diagnostic logging to a independent Mellon diagnostics
log file. Every piece of relevant information is captured, including:
* Request information which includes:
- Request method
- Request URL (raw and processed)
- Scheme
- Port
- Request query parameters
- Server name
- Unique request ID
- process ID, thread ID
- Request headers
* Mellon per directory configuration
A complete dump of the entire am_dir_cfg_rec structure keyed using
both the Mellon directive it is associated with and it's internal
name. This is emitted once on first use for a given URL.
The per directory dump includes the pathname of each file read as
well as the file contents. This includes:
- IdP metadata
- SP metadata
- SP cert
- SP key
- IdP public key file
- IdP CA file
* All session management operations
- cookie
- session lookup
- session creation
- session deletion
- cache management
- cache entry information
* All SAML messages
Each SAML message is decrypted, decoded and XML pretty printed in
human readable form.
* Request pipeline operations
What operations Mellon performs, what decisions it makes and what
data is being used to make those decisions.
* Response
- response status
- response headers
- Apache user name
- auth_type
- all Apache environment variables
Diagnostics can be enabled/disabled both at compile time and run
time. Compile time inclusion of diagnostics is managed with the
ENABLE_DIAGNOSTICS preprocssor symbol. The configure script now accepts
the
--enable-diagnostics and --disable-diagnostics
option. Building with diagnostics is disabled by default, you must
specify --enable-diagnostics to enable the run time option of generating
diagnostics.
The following server config directives have been added (e.g. may be
specified in the main server config area or within a <VirtualHost>
directive). If Mellon was not built with diagnostics enabled then
these config directives are no-ops and their use will generated a
warning in the log file indicating they have been ignored and to be
effective you must builld Mellon with diagnostics enabled.
MellonDiagnosticsFile:
The name of the diagnostics file or pipe,
(default is logs/mellon_diagnostics)
MellonDiagnosticsEnable:
Currently either On or Off but it is designed so it can take other
flags in the future to control what type of information is
reported.
Signed-off-by: John Dennis <jdennis@redhat.com>
2017-06-14 19:56:18 +02:00
|
|
|
#ifdef ENABLE_DIAGNOSTICS
|
|
|
|
/* Default filename for mellon diagnostics log file.
|
|
|
|
* Relative pathname is relative to server root. */
|
|
|
|
static const char *default_diag_filename = "logs/mellon_diagnostics";
|
|
|
|
|
|
|
|
/* Default state for diagnostics is off */
|
|
|
|
static am_diag_flags_t default_diag_flags = AM_DIAG_FLAG_DISABLE;
|
|
|
|
#endif
|
|
|
|
|
2014-11-11 17:38:57 +01:00
|
|
|
/* whether to merge env. vars or not
|
|
|
|
* the MellonMergeEnvVars configuration directive if you change this.
|
|
|
|
*/
|
2015-04-16 13:42:47 +02:00
|
|
|
static const char *default_merge_env_vars = NULL;
|
2014-11-11 17:38:57 +01:00
|
|
|
|
2015-04-15 10:59:16 +02:00
|
|
|
/* for env. vars with multiple values, the index start
|
|
|
|
* the MellonEnvVarsIndexStart configuration directive if you change this.
|
|
|
|
*/
|
|
|
|
static const int default_env_vars_index_start = -1;
|
|
|
|
|
2015-04-16 11:00:50 +02:00
|
|
|
/* whether to also populate env. var _N with number of values
|
|
|
|
* the MellonEnvVarsSetCount configuration directive if you change this.
|
|
|
|
*/
|
|
|
|
static const int default_env_vars_count_in_n = -1;
|
|
|
|
|
2015-12-11 11:16:54 +01:00
|
|
|
/* The default list of trusted redirect domains. */
|
|
|
|
static const char * const default_redirect_domains[] = { "[self]", NULL };
|
|
|
|
|
2018-01-11 19:05:26 +01:00
|
|
|
|
2011-03-09 07:20:16 +01:00
|
|
|
/* This function handles configuration directives which set a
|
|
|
|
* multivalued string slot in the module configuration (the destination
|
|
|
|
* strucure is a hash).
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* const char *key The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
* const char *value Optional value to be stored in the hash.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_hash_string_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *key,
|
|
|
|
const char *value)
|
|
|
|
{
|
|
|
|
server_rec *s = cmd->server;
|
|
|
|
apr_pool_t *pconf = s->process->pconf;
|
|
|
|
am_dir_cfg_rec *cfg = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
int offset;
|
|
|
|
apr_hash_t **hash;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If no value is given, we just store the key in the hash.
|
|
|
|
*/
|
|
|
|
if (value == NULL || *value == '\0')
|
|
|
|
value = key;
|
|
|
|
|
|
|
|
offset = (int)(long)cmd->info;
|
|
|
|
hash = (apr_hash_t **)((char *)cfg + offset);
|
|
|
|
apr_hash_set(*hash, apr_pstrdup(pconf, key), APR_HASH_KEY_STRING, value);
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2011-12-05 20:06:44 +01:00
|
|
|
|
|
|
|
/* This function handles configuration directives which set a
|
|
|
|
* multivalued string slot in the module configuration (the destination
|
|
|
|
* strucure is a table).
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* const char *key The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
* const char *value Optional value to be stored in the hash.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_table_string_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *key,
|
|
|
|
const char *value)
|
|
|
|
{
|
|
|
|
server_rec *s = cmd->server;
|
|
|
|
apr_pool_t *pconf = s->process->pconf;
|
|
|
|
am_dir_cfg_rec *cfg = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
int offset;
|
|
|
|
apr_table_t **table;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If no value is given, we just store the key in the hash.
|
|
|
|
*/
|
|
|
|
if (value == NULL || *value == '\0')
|
|
|
|
value = key;
|
|
|
|
|
|
|
|
offset = (int)(long)cmd->info;
|
|
|
|
table = (apr_table_t **)((char *)cfg + offset);
|
|
|
|
apr_table_set(*table, apr_pstrdup(pconf, key), value);
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2011-03-09 07:20:16 +01:00
|
|
|
|
2017-08-08 16:00:30 +02:00
|
|
|
/* This function handles configuration directives which set a file slot
|
|
|
|
* in the module configuration. The file contents are immediately read.
|
2008-11-10 19:33:55 +01:00
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* This value isn't used by this function.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
2017-08-08 16:00:30 +02:00
|
|
|
static const char *am_set_file_contents_slot(cmd_parms *cmd,
|
2008-11-10 19:33:55 +01:00
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
2013-03-06 13:53:51 +01:00
|
|
|
const char *path;
|
2017-08-08 16:00:30 +02:00
|
|
|
apr_status_t rv;
|
|
|
|
am_dir_cfg_rec *cfg = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
int offset;
|
|
|
|
am_file_data_t **p_file_data, *file_data;
|
2013-03-06 13:53:51 +01:00
|
|
|
|
|
|
|
path = ap_server_root_relative(cmd->pool, arg);
|
|
|
|
if (!path) {
|
|
|
|
return apr_pstrcat(cmd->pool, cmd->cmd->name,
|
|
|
|
": Invalid file path ", arg, NULL);
|
|
|
|
}
|
|
|
|
|
2017-08-08 16:00:30 +02:00
|
|
|
offset = (int)(long)cmd->info;
|
|
|
|
p_file_data = (am_file_data_t **)((char *)cfg + offset);
|
|
|
|
*p_file_data = am_file_data_new(cmd->pool, path);
|
|
|
|
file_data = *p_file_data;
|
|
|
|
rv = am_file_read(file_data);
|
|
|
|
if (rv != APR_SUCCESS) {
|
|
|
|
return file_data->strerror;
|
2013-03-06 13:53:51 +01:00
|
|
|
}
|
2017-08-08 16:00:30 +02:00
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This function handles configuration directives which set a file
|
|
|
|
* pathname in the module configuration. The file is checked for
|
|
|
|
* existence.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* This value isn't used by this function.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_file_pathname_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
const char *path;
|
2010-09-28 17:54:21 +02:00
|
|
|
apr_status_t rv;
|
2017-08-08 16:00:30 +02:00
|
|
|
am_dir_cfg_rec *cfg = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
int offset;
|
|
|
|
am_file_data_t **p_file_data, *file_data;
|
2010-06-17 09:32:04 +02:00
|
|
|
|
2017-08-08 16:00:30 +02:00
|
|
|
path = ap_server_root_relative(cmd->pool, arg);
|
|
|
|
if (!path) {
|
|
|
|
return apr_pstrcat(cmd->pool, cmd->cmd->name,
|
|
|
|
": Invalid file_data path ", arg, NULL);
|
2010-06-17 09:32:04 +02:00
|
|
|
}
|
|
|
|
|
2017-08-08 16:00:30 +02:00
|
|
|
offset = (int)(long)cmd->info;
|
|
|
|
p_file_data = (am_file_data_t **)((char *)cfg + offset);
|
|
|
|
*p_file_data = am_file_data_new(cmd->pool, path);
|
|
|
|
file_data = *p_file_data;
|
|
|
|
rv = am_file_stat(file_data);
|
|
|
|
if (rv != APR_SUCCESS) {
|
|
|
|
return file_data->strerror;
|
|
|
|
}
|
|
|
|
if (file_data->finfo.filetype != APR_REG) {
|
|
|
|
return apr_psprintf(cmd->pool, "file \"%s\" is not a regular file",
|
|
|
|
file_data->path);
|
|
|
|
}
|
2008-11-10 19:33:55 +01:00
|
|
|
|
2017-08-08 16:00:30 +02:00
|
|
|
return NULL;
|
2008-11-10 19:33:55 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-03-23 16:05:19 +01:00
|
|
|
/* This function handles configuration directives which use
|
2011-05-18 12:49:25 +02:00
|
|
|
* a glob pattern, with a second optional argument
|
2011-03-23 16:05:19 +01:00
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
2011-05-18 12:49:25 +02:00
|
|
|
* const char *glob_pat glob(3) pattern
|
|
|
|
* const char *option Optional argument
|
2011-03-23 16:05:19 +01:00
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
2011-05-18 12:49:25 +02:00
|
|
|
static const char *am_set_glob_fn12(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *glob_pat,
|
|
|
|
const char *option)
|
2011-03-23 16:05:19 +01:00
|
|
|
{
|
2011-05-18 12:49:25 +02:00
|
|
|
const char *(*take_argv)(cmd_parms *, void *, const char *, const char *);
|
2011-03-23 16:05:19 +01:00
|
|
|
apr_array_header_t *files;
|
|
|
|
const char *error;
|
|
|
|
const char *directory;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
take_argv = cmd->info;
|
|
|
|
|
2011-05-18 12:49:25 +02:00
|
|
|
directory = am_filepath_dirname(cmd->pool, glob_pat);
|
2011-03-23 16:05:19 +01:00
|
|
|
|
2011-05-18 12:49:25 +02:00
|
|
|
if (glob_pat == NULL || *glob_pat == '\0')
|
|
|
|
return apr_psprintf(cmd->pool,
|
|
|
|
"%s takes one or two arguments",
|
|
|
|
cmd->cmd->name);
|
|
|
|
|
|
|
|
if (apr_match_glob(glob_pat, &files, cmd->pool) != 0)
|
|
|
|
return take_argv(cmd, struct_ptr, glob_pat, option);
|
2011-03-23 16:05:19 +01:00
|
|
|
|
|
|
|
for (i = 0; i < files->nelts; i++) {
|
|
|
|
const char *path;
|
|
|
|
|
|
|
|
path = apr_pstrcat(cmd->pool, directory, "/",
|
|
|
|
((const char **)(files->elts))[i], NULL);
|
|
|
|
|
2011-05-18 12:49:25 +02:00
|
|
|
error = take_argv(cmd, struct_ptr, path, option);
|
2011-03-23 16:05:19 +01:00
|
|
|
|
|
|
|
if (error != NULL)
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2009-05-12 17:28:49 +02:00
|
|
|
/* This function handles configuration directives which set an
|
|
|
|
* idp related slot in the module configuration.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
2011-05-18 12:49:25 +02:00
|
|
|
* const char *metadata Path to metadata file for one or multiple IdP
|
|
|
|
* const char *chain Optional path to validating chain
|
2009-05-12 17:28:49 +02:00
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
2011-03-09 07:20:16 +01:00
|
|
|
static const char *am_set_idp_string_slot(cmd_parms *cmd,
|
2009-05-12 17:28:49 +02:00
|
|
|
void *struct_ptr,
|
2011-05-18 12:49:25 +02:00
|
|
|
const char *metadata,
|
|
|
|
const char *chain)
|
|
|
|
{
|
|
|
|
server_rec *s = cmd->server;
|
|
|
|
apr_pool_t *pconf = s->process->pconf;
|
|
|
|
am_dir_cfg_rec *cfg = (am_dir_cfg_rec *)struct_ptr;
|
2017-08-08 16:00:30 +02:00
|
|
|
am_file_data_t *idp_file_data = NULL;
|
|
|
|
am_file_data_t *chain_file_data = NULL;
|
2011-05-18 12:49:25 +02:00
|
|
|
|
|
|
|
#ifndef HAVE_lasso_server_load_metadata
|
|
|
|
if (chain != NULL)
|
|
|
|
return apr_psprintf(cmd->pool, "Cannot specify validating chain "
|
|
|
|
"for %s since lasso library lacks "
|
|
|
|
"lasso_server_load_metadata()", cmd->cmd->name);
|
|
|
|
#endif /* HAVE_lasso_server_load_metadata */
|
|
|
|
|
2017-08-08 16:00:30 +02:00
|
|
|
idp_file_data = am_file_data_new(pconf, metadata);
|
|
|
|
if (am_file_stat(idp_file_data) != APR_SUCCESS) {
|
|
|
|
return idp_file_data->strerror;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chain) {
|
|
|
|
chain_file_data = am_file_data_new(pconf, chain);
|
|
|
|
if (am_file_stat(chain_file_data) != APR_SUCCESS) {
|
|
|
|
return chain_file_data->strerror;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
chain_file_data = NULL;
|
|
|
|
}
|
|
|
|
|
2011-05-18 12:49:25 +02:00
|
|
|
am_metadata_t *idp_metadata = apr_array_push(cfg->idp_metadata);
|
2017-08-08 16:00:30 +02:00
|
|
|
idp_metadata->metadata = idp_file_data;
|
|
|
|
idp_metadata->chain = chain_file_data;
|
2011-05-18 12:49:25 +02:00
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* This function handles configuration directives which set an
|
|
|
|
* idp federation blacklist slot in the module configuration.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* int argc Number of blacklisted providerId.
|
|
|
|
* char *const argv[] List of blacklisted providerId.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success, or errror string
|
|
|
|
*/
|
|
|
|
static const char *am_set_idp_ignore_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
int argc,
|
|
|
|
char *const argv[])
|
2009-05-12 17:28:49 +02:00
|
|
|
{
|
2011-05-18 12:49:25 +02:00
|
|
|
#ifdef HAVE_lasso_server_load_metadata
|
2009-05-12 17:28:49 +02:00
|
|
|
server_rec *s = cmd->server;
|
|
|
|
apr_pool_t *pconf = s->process->pconf;
|
|
|
|
am_dir_cfg_rec *cfg = (am_dir_cfg_rec *)struct_ptr;
|
2011-05-18 12:49:25 +02:00
|
|
|
GList *new_idp_ignore;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (argc < 1)
|
|
|
|
return apr_psprintf(cmd->pool, "%s takes at least one arguments",
|
|
|
|
cmd->cmd->name);
|
2009-05-12 17:28:49 +02:00
|
|
|
|
2011-05-18 12:49:25 +02:00
|
|
|
for (i = 0; i < argc; i++) {
|
|
|
|
new_idp_ignore = apr_palloc(pconf, sizeof(GList));
|
|
|
|
new_idp_ignore->data = apr_pstrdup(pconf, argv[i]);
|
|
|
|
|
|
|
|
/* Prepend it to the list. */
|
|
|
|
new_idp_ignore->next = cfg->idp_ignore;
|
|
|
|
if (cfg->idp_ignore != NULL)
|
|
|
|
cfg->idp_ignore->prev = new_idp_ignore;
|
|
|
|
cfg->idp_ignore = new_idp_ignore;
|
|
|
|
}
|
2009-05-12 17:28:49 +02:00
|
|
|
|
|
|
|
return NULL;
|
2011-05-18 12:49:25 +02:00
|
|
|
|
|
|
|
#else /* HAVE_lasso_server_load_metadata */
|
|
|
|
|
|
|
|
return apr_psprintf(cmd->pool, "Cannot use %s since lasso library lacks "
|
|
|
|
"lasso_server_load_metadata()", cmd->cmd->name);
|
|
|
|
|
|
|
|
#endif /* HAVE_lasso_server_load_metadata */
|
2009-05-12 17:28:49 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-03-06 13:53:51 +01:00
|
|
|
/* This function handles configuration directives which set a file path
|
2007-09-24 11:56:34 +02:00
|
|
|
* slot in the module configuration.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* This value isn't used by this function.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
2013-03-06 13:53:51 +01:00
|
|
|
static const char *am_set_module_config_file_slot(cmd_parms *cmd,
|
2007-09-24 11:56:34 +02:00
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
2013-03-06 13:53:51 +01:00
|
|
|
return ap_set_file_slot(cmd, am_get_mod_cfg(cmd->server), arg);
|
2007-09-24 11:56:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/* This function handles configuration directives which set an int
|
|
|
|
* slot in the module configuration.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* This value isn't used by this function.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_module_config_int_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
return ap_set_int_slot(cmd, am_get_mod_cfg(cmd->server), arg);
|
|
|
|
}
|
|
|
|
|
Add diagnostic logging
Field experience with Mellon has demonstrated there are many
opportunities for deployment problems. Although there are tools such
as browser plugins which can capture SAML messages it's onerous for
site personnel to install and capture the relevant information. The
problem with this approach is further compounded by the fact the
external SAML messages are not correlated to Mellon's
requests/responses. Mellon currently can dump the Lasso session and
SAML Response messages and place them in Apache environment variables,
however these do not appear in the log file. To get them into the log
you have to add custom logging to the Apache config. Another issue is
the dumps are not human readable, they are base64 encoded, anyone
looking at the logs after setting up the custom logging will have to
find the base64 text and then manually copy the text into an external
base64 decoder. At that point you'll discover the XML is not pretty
printed making human interpretation difficult.
The Mellon debug messages written to the Apache error are often
insufficient to diagnose problems. And since the Mellon log messages
are written to the Apache error log they are interspersed with a lot
of non-Mellon message.
Compounding the problem of writing Mellon debug messages to the Apache
error log is the fact Apache log messages have a fixed maximum length
(currently 8192) which is insufficient to completely write out such
things as SAML Assertions, metadata, etc. Apache logging also escapes
all control characters with the consequence line breaks are not
preserved and what was a nicely formatted human readable piece of text
becomes a single line with escape characters and may be truncated.
It would be really nice if we could capture diagnostic information
with these properties:
* All relevant data is collected in exactly one file.
* Only information relevant to Mellon appears in the file.
* All information is human readable (pretty printed, decrypted) with
no need to rely on other tools.
* The diagnostic information is grouped by requests.
* The requests can be cross correlated with other Apache logs because
they utilize the same unique request identifier.
This patch adds diagnostic logging to a independent Mellon diagnostics
log file. Every piece of relevant information is captured, including:
* Request information which includes:
- Request method
- Request URL (raw and processed)
- Scheme
- Port
- Request query parameters
- Server name
- Unique request ID
- process ID, thread ID
- Request headers
* Mellon per directory configuration
A complete dump of the entire am_dir_cfg_rec structure keyed using
both the Mellon directive it is associated with and it's internal
name. This is emitted once on first use for a given URL.
The per directory dump includes the pathname of each file read as
well as the file contents. This includes:
- IdP metadata
- SP metadata
- SP cert
- SP key
- IdP public key file
- IdP CA file
* All session management operations
- cookie
- session lookup
- session creation
- session deletion
- cache management
- cache entry information
* All SAML messages
Each SAML message is decrypted, decoded and XML pretty printed in
human readable form.
* Request pipeline operations
What operations Mellon performs, what decisions it makes and what
data is being used to make those decisions.
* Response
- response status
- response headers
- Apache user name
- auth_type
- all Apache environment variables
Diagnostics can be enabled/disabled both at compile time and run
time. Compile time inclusion of diagnostics is managed with the
ENABLE_DIAGNOSTICS preprocssor symbol. The configure script now accepts
the
--enable-diagnostics and --disable-diagnostics
option. Building with diagnostics is disabled by default, you must
specify --enable-diagnostics to enable the run time option of generating
diagnostics.
The following server config directives have been added (e.g. may be
specified in the main server config area or within a <VirtualHost>
directive). If Mellon was not built with diagnostics enabled then
these config directives are no-ops and their use will generated a
warning in the log file indicating they have been ignored and to be
effective you must builld Mellon with diagnostics enabled.
MellonDiagnosticsFile:
The name of the diagnostics file or pipe,
(default is logs/mellon_diagnostics)
MellonDiagnosticsEnable:
Currently either On or Off but it is designed so it can take other
flags in the future to control what type of information is
reported.
Signed-off-by: John Dennis <jdennis@redhat.com>
2017-06-14 19:56:18 +02:00
|
|
|
/* This function handles the MellonDiagnosticsFile configuration directive.
|
|
|
|
* It emits as warning in the log file if Mellon is not built with
|
|
|
|
* diagnostics enabled.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_module_diag_file_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
#ifdef ENABLE_DIAGNOSTICS
|
|
|
|
return ap_set_file_slot(cmd, am_get_diag_cfg(cmd->server), arg);
|
|
|
|
#else
|
|
|
|
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
|
|
|
|
"%s has no effect because Mellon was not compiled with"
|
|
|
|
" diagnostics enabled, use ./configure --enable-diagnostics"
|
|
|
|
" at build time to turn this feature on.",
|
|
|
|
cmd->directive->directive);
|
|
|
|
return NULL;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This function handles configuration directives which sets the
|
|
|
|
* diagnostics flags in the module configuration.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_module_diag_flags_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
#ifdef ENABLE_DIAGNOSTICS
|
|
|
|
am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(cmd->server);
|
|
|
|
|
|
|
|
if (strcasecmp(arg, "on") == 0) {
|
|
|
|
diag_cfg->flags = AM_DIAG_FLAG_ENABLE_ALL;
|
|
|
|
}
|
|
|
|
else if (strcasecmp(arg, "off") == 0) {
|
|
|
|
diag_cfg->flags = AM_DIAG_FLAG_DISABLE;
|
|
|
|
} else {
|
|
|
|
return apr_psprintf(cmd->pool, "%s: must be one of: 'on', 'off'",
|
|
|
|
cmd->cmd->name);
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
#else
|
|
|
|
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
|
|
|
|
"%s has no effect because Mellon was not compiled with"
|
|
|
|
" diagnostics enabled, use ./configure --enable-diagnostics"
|
|
|
|
" at build time to turn this feature on.",
|
|
|
|
cmd->directive->directive);
|
|
|
|
return NULL;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2016-09-26 17:21:46 +02:00
|
|
|
/* This function handles the MellonCookieSameSite configuration directive.
|
|
|
|
* This directive can be set to "lax" or "strict"
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string if the argument is wrong.
|
|
|
|
*/
|
|
|
|
static const char *am_set_samesite_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
|
|
|
|
if(!strcasecmp(arg, "lax")) {
|
|
|
|
d->cookie_samesite = am_samesite_lax;
|
|
|
|
} else if(!strcasecmp(arg, "strict")) {
|
|
|
|
d->cookie_samesite = am_samesite_strict;
|
|
|
|
} else {
|
|
|
|
return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
/* This function handles the MellonEnable configuration directive.
|
|
|
|
* This directive can be set to "off", "info" or "auth".
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string if the argument is wrong.
|
|
|
|
*/
|
|
|
|
static const char *am_set_enable_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
|
|
|
|
if(!strcasecmp(arg, "auth")) {
|
|
|
|
d->enable_mellon = am_enable_auth;
|
|
|
|
} else if(!strcasecmp(arg, "info")) {
|
|
|
|
d->enable_mellon = am_enable_info;
|
|
|
|
} else if(!strcasecmp(arg, "off")) {
|
|
|
|
d->enable_mellon = am_enable_off;
|
|
|
|
} else {
|
|
|
|
return "parameter must be 'off', 'info' or 'auth'";
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2016-09-26 17:21:46 +02:00
|
|
|
|
2016-04-08 11:14:02 +02:00
|
|
|
/* This function handles the MellonSecureCookie configuration directive.
|
|
|
|
* This directive can be set to "on", "off", "secure" or "httponly".
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string if the argument is wrong.
|
|
|
|
*/
|
|
|
|
static const char *am_set_secure_slots(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
|
|
|
|
if(!strcasecmp(arg, "on")) {
|
|
|
|
d->secure = 1;
|
|
|
|
d->http_only = 1;
|
|
|
|
} else if(!strcasecmp(arg, "secure")) {
|
|
|
|
d->secure = 1;
|
|
|
|
} else if(!strcasecmp(arg, "httponly")) {
|
|
|
|
d->http_only = 1;
|
|
|
|
} else if(strcasecmp(arg, "off")) {
|
|
|
|
return "parameter must be 'on', 'off', 'secure' or 'httponly'";
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2007-09-24 11:56:34 +02:00
|
|
|
|
2015-08-31 12:03:38 +02:00
|
|
|
/* This function handles the obsolete MellonDecoder configuration directive.
|
|
|
|
* It is a no-op.
|
2007-09-24 11:56:34 +02:00
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
2015-08-31 12:03:38 +02:00
|
|
|
* NULL
|
2007-09-24 11:56:34 +02:00
|
|
|
*/
|
|
|
|
static const char *am_set_decoder_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* This function handles the MellonEndpointPath configuration directive.
|
|
|
|
* If the path doesn't end with a '/', then we will append one.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for the MellonEndpointPath
|
|
|
|
* configuration directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* const char *arg The string argument containing the path of the
|
|
|
|
* endpoint directory.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* This function will always return NULL.
|
|
|
|
*/
|
|
|
|
static const char *am_set_endpoint_path(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
|
|
|
|
/* Make sure that the path ends with '/'. */
|
|
|
|
if(strlen(arg) == 0 || arg[strlen(arg) - 1] != '/') {
|
2011-03-18 09:58:58 +01:00
|
|
|
d->endpoint_path = apr_pstrcat(cmd->pool, arg, "/", NULL);
|
2007-09-24 11:56:34 +02:00
|
|
|
} else {
|
|
|
|
d->endpoint_path = arg;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* This function handles the MellonSetEnv configuration directive.
|
|
|
|
* This directive allows the user to change the name of attributes.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for the MellonSetEnv
|
|
|
|
* configuration directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *newName The new name of the attribute.
|
|
|
|
* const char *oldName The old name of the attribute.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* This function will always return NULL.
|
|
|
|
*/
|
|
|
|
static const char *am_set_setenv_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *newName,
|
|
|
|
const char *oldName)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
2013-05-30 09:35:54 +02:00
|
|
|
/* Configure as prefixed attribute name */
|
|
|
|
am_envattr_conf_t *envattr_conf = (am_envattr_conf_t *)apr_palloc(cmd->pool, sizeof(am_envattr_conf_t));
|
|
|
|
envattr_conf->name = newName;
|
|
|
|
envattr_conf->prefixed = 1;
|
|
|
|
apr_hash_set(d->envattr, oldName, APR_HASH_KEY_STRING, envattr_conf);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This function handles the MellonSetEnvNoPrefix configuration directive.
|
|
|
|
* This directive allows the user to change the name of attributes without prefixing them with MELLON_.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for the MellonSetEnv
|
|
|
|
* configuration directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *newName The new name of the attribute.
|
|
|
|
* const char *oldName The old name of the attribute.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* This function will always return NULL.
|
|
|
|
*/
|
|
|
|
static const char *am_set_setenv_no_prefix_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *newName,
|
|
|
|
const char *oldName)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
/* Configure as not prefixed attribute name */
|
|
|
|
am_envattr_conf_t *envattr_conf = (am_envattr_conf_t *)apr_palloc(cmd->pool, sizeof(am_envattr_conf_t));
|
|
|
|
envattr_conf->name = newName;
|
|
|
|
envattr_conf->prefixed = 0;
|
|
|
|
apr_hash_set(d->envattr, oldName, APR_HASH_KEY_STRING, envattr_conf);
|
2007-09-24 11:56:34 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2019-07-04 19:19:42 +02:00
|
|
|
/* This function handles the MellonAuthnContextComparisonType option.
|
|
|
|
* It could be set to "exact", "minimum", "maximum" or "better"
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string if the argument is wrong.
|
|
|
|
*/
|
|
|
|
static const char *am_set_authn_context_comparison_type_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
|
|
|
|
if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT)) {
|
|
|
|
d->authn_context_comparison_type =
|
|
|
|
LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT;
|
|
|
|
} else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM)) {
|
|
|
|
d->authn_context_comparison_type =
|
|
|
|
LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM;
|
|
|
|
} else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM)) {
|
|
|
|
d->authn_context_comparison_type =
|
|
|
|
LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM;
|
|
|
|
} else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER)) {
|
|
|
|
d->authn_context_comparison_type =
|
|
|
|
LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER;
|
|
|
|
} else {
|
|
|
|
return "parameter must be 'exact', 'minimum', 'maximum' or 'better'";
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
2011-03-22 18:19:24 +01:00
|
|
|
|
2011-03-17 06:20:40 +01:00
|
|
|
/* This function decodes MellonCond flags, such as [NOT,REG]
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* const char *arg Pointer to the flags string
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* flags, or -1 on error
|
|
|
|
*/
|
|
|
|
static int am_cond_flags(const char *arg)
|
|
|
|
{
|
|
|
|
int flags = AM_COND_FLAG_NULL;
|
Add diagnostic logging
Field experience with Mellon has demonstrated there are many
opportunities for deployment problems. Although there are tools such
as browser plugins which can capture SAML messages it's onerous for
site personnel to install and capture the relevant information. The
problem with this approach is further compounded by the fact the
external SAML messages are not correlated to Mellon's
requests/responses. Mellon currently can dump the Lasso session and
SAML Response messages and place them in Apache environment variables,
however these do not appear in the log file. To get them into the log
you have to add custom logging to the Apache config. Another issue is
the dumps are not human readable, they are base64 encoded, anyone
looking at the logs after setting up the custom logging will have to
find the base64 text and then manually copy the text into an external
base64 decoder. At that point you'll discover the XML is not pretty
printed making human interpretation difficult.
The Mellon debug messages written to the Apache error are often
insufficient to diagnose problems. And since the Mellon log messages
are written to the Apache error log they are interspersed with a lot
of non-Mellon message.
Compounding the problem of writing Mellon debug messages to the Apache
error log is the fact Apache log messages have a fixed maximum length
(currently 8192) which is insufficient to completely write out such
things as SAML Assertions, metadata, etc. Apache logging also escapes
all control characters with the consequence line breaks are not
preserved and what was a nicely formatted human readable piece of text
becomes a single line with escape characters and may be truncated.
It would be really nice if we could capture diagnostic information
with these properties:
* All relevant data is collected in exactly one file.
* Only information relevant to Mellon appears in the file.
* All information is human readable (pretty printed, decrypted) with
no need to rely on other tools.
* The diagnostic information is grouped by requests.
* The requests can be cross correlated with other Apache logs because
they utilize the same unique request identifier.
This patch adds diagnostic logging to a independent Mellon diagnostics
log file. Every piece of relevant information is captured, including:
* Request information which includes:
- Request method
- Request URL (raw and processed)
- Scheme
- Port
- Request query parameters
- Server name
- Unique request ID
- process ID, thread ID
- Request headers
* Mellon per directory configuration
A complete dump of the entire am_dir_cfg_rec structure keyed using
both the Mellon directive it is associated with and it's internal
name. This is emitted once on first use for a given URL.
The per directory dump includes the pathname of each file read as
well as the file contents. This includes:
- IdP metadata
- SP metadata
- SP cert
- SP key
- IdP public key file
- IdP CA file
* All session management operations
- cookie
- session lookup
- session creation
- session deletion
- cache management
- cache entry information
* All SAML messages
Each SAML message is decrypted, decoded and XML pretty printed in
human readable form.
* Request pipeline operations
What operations Mellon performs, what decisions it makes and what
data is being used to make those decisions.
* Response
- response status
- response headers
- Apache user name
- auth_type
- all Apache environment variables
Diagnostics can be enabled/disabled both at compile time and run
time. Compile time inclusion of diagnostics is managed with the
ENABLE_DIAGNOSTICS preprocssor symbol. The configure script now accepts
the
--enable-diagnostics and --disable-diagnostics
option. Building with diagnostics is disabled by default, you must
specify --enable-diagnostics to enable the run time option of generating
diagnostics.
The following server config directives have been added (e.g. may be
specified in the main server config area or within a <VirtualHost>
directive). If Mellon was not built with diagnostics enabled then
these config directives are no-ops and their use will generated a
warning in the log file indicating they have been ignored and to be
effective you must builld Mellon with diagnostics enabled.
MellonDiagnosticsFile:
The name of the diagnostics file or pipe,
(default is logs/mellon_diagnostics)
MellonDiagnosticsEnable:
Currently either On or Off but it is designed so it can take other
flags in the future to control what type of information is
reported.
Signed-off-by: John Dennis <jdennis@redhat.com>
2017-06-14 19:56:18 +02:00
|
|
|
static const char * const options[] = {
|
2011-03-22 18:19:24 +01:00
|
|
|
"OR", /* AM_EXPIRE_FLAG_OR */
|
|
|
|
"NOT", /* AM_EXPIRE_FLAG_NOT */
|
|
|
|
"REG", /* AM_EXPIRE_FLAG_REG */
|
|
|
|
"NC", /* AM_EXPIRE_FLAG_NC */
|
|
|
|
"MAP", /* AM_EXPIRE_FLAG_MAP */
|
|
|
|
"REF", /* AM_EXPIRE_FLAG_REF */
|
|
|
|
"SUB", /* AM_EXPIRE_FLAG_SUB */
|
|
|
|
/* The other options (IGN, REQ, FSTR, ...) are only internally used */
|
|
|
|
};
|
|
|
|
apr_size_t options_count = sizeof(options) / sizeof(*options);
|
2011-03-17 06:20:40 +01:00
|
|
|
|
|
|
|
/* Skip inital [ */
|
|
|
|
if (arg[0] == '[')
|
|
|
|
arg++;
|
|
|
|
else
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
do {
|
|
|
|
apr_size_t i;
|
|
|
|
|
2011-03-22 18:19:24 +01:00
|
|
|
for (i = 0; i < options_count; i++) {
|
|
|
|
apr_size_t optlen = strlen(options[i]);
|
2011-03-17 06:20:40 +01:00
|
|
|
|
2011-03-22 18:19:24 +01:00
|
|
|
if (strncmp(arg, options[i], optlen) == 0) {
|
2011-03-17 06:20:40 +01:00
|
|
|
/* Make sure we have a separator next */
|
|
|
|
if (arg[optlen] && !strchr("]\t ,", (int)arg[optlen]))
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
flags |= (1 << i);
|
|
|
|
arg += optlen;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2011-03-22 18:19:24 +01:00
|
|
|
/* no match */
|
|
|
|
if (i == options_count)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
/* skip spaces, tabs and commas */
|
|
|
|
arg += strspn(arg, " \t,");
|
|
|
|
|
|
|
|
/*
|
|
|
|
* End of option, but we fire an error if
|
|
|
|
* there is trailing garbage
|
|
|
|
*/
|
|
|
|
if (*arg == ']') {
|
|
|
|
arg++;
|
|
|
|
return (*arg == '\0') ? flags : -1;
|
|
|
|
}
|
2011-03-17 06:20:40 +01:00
|
|
|
}
|
|
|
|
} while (*arg);
|
|
|
|
|
|
|
|
/* Missing trailing ] */
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This function handles the MellonCond configuration directive, which
|
|
|
|
* allows the user to restrict access based on attributes received from
|
|
|
|
* the IdP.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for the MellonCond
|
|
|
|
* configuration directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *attribute Pointer to the attribute name
|
|
|
|
* const char *value Pointer to the attribute value or regex
|
|
|
|
* const char *options Pointer to options
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_cond_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *attribute,
|
|
|
|
const char *value,
|
|
|
|
const char *options)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = struct_ptr;
|
2011-03-22 18:19:24 +01:00
|
|
|
int flags = AM_COND_FLAG_NULL;
|
2011-03-17 06:20:40 +01:00
|
|
|
am_cond_t *element;
|
|
|
|
|
2011-03-22 18:19:24 +01:00
|
|
|
if (attribute == NULL || *attribute == '\0' ||
|
|
|
|
value == NULL || *value == '\0')
|
2011-03-17 06:20:40 +01:00
|
|
|
return apr_pstrcat(cmd->pool, cmd->cmd->name,
|
2011-03-22 18:19:24 +01:00
|
|
|
" takes at least two arguments", NULL);
|
|
|
|
|
|
|
|
if (options != NULL && *options != '\0')
|
|
|
|
flags = am_cond_flags(options);
|
|
|
|
|
|
|
|
if (flags == -1)
|
|
|
|
return apr_psprintf(cmd->pool, "%s - invalid flags %s",
|
|
|
|
cmd->cmd->name, options);
|
|
|
|
|
2011-03-17 06:20:40 +01:00
|
|
|
element = (am_cond_t *)apr_array_push(d->cond);
|
|
|
|
element->varname = attribute;
|
2011-03-22 18:19:24 +01:00
|
|
|
element->flags = flags;
|
2011-03-17 06:20:40 +01:00
|
|
|
element->str = NULL;
|
|
|
|
element->regex = NULL;
|
|
|
|
element->directive = apr_pstrcat(cmd->pool, cmd->directive->directive,
|
|
|
|
" ", cmd->directive->args, NULL);
|
|
|
|
if (element->flags & AM_COND_FLAG_REG) {
|
|
|
|
int regex_flags = AP_REG_EXTENDED|AP_REG_NOSUB;
|
|
|
|
|
|
|
|
if (element->flags & AM_COND_FLAG_NC)
|
|
|
|
regex_flags |= AP_REG_ICASE;
|
|
|
|
|
|
|
|
element->regex = ap_pregcomp(cmd->pool, value, regex_flags);
|
|
|
|
if (element->regex == NULL)
|
|
|
|
return apr_psprintf(cmd->pool, "%s - invalid regex %s",
|
|
|
|
cmd->cmd->name, value);
|
|
|
|
}
|
|
|
|
|
2011-03-22 18:19:24 +01:00
|
|
|
/*
|
|
|
|
* Flag values containing format strings to that we do
|
|
|
|
* not have to process the others at runtime.
|
|
|
|
*/
|
|
|
|
if (strchr(value, '%') != NULL)
|
|
|
|
element->flags |= AM_COND_FLAG_FSTR;
|
|
|
|
|
2011-03-17 06:20:40 +01:00
|
|
|
/*
|
|
|
|
* We keep the string also for regex, so that we can
|
2011-03-22 18:19:24 +01:00
|
|
|
* print it for debug purpose and perform substitutions on it.
|
2011-03-17 06:20:40 +01:00
|
|
|
*/
|
|
|
|
element->str = value;
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
/* This function handles the MellonRequire configuration directive, which
|
|
|
|
* allows the user to restrict access based on attributes received from
|
|
|
|
* the IdP.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for the MellonRequire
|
|
|
|
* configuration directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *arg Pointer to the configuration string.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_require_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = struct_ptr;
|
|
|
|
char *attribute, *value;
|
2011-03-17 06:20:40 +01:00
|
|
|
int i;
|
|
|
|
am_cond_t *element;
|
|
|
|
am_cond_t *first_element;
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
attribute = ap_getword_conf(cmd->pool, &arg);
|
|
|
|
value = ap_getword_conf(cmd->pool, &arg);
|
|
|
|
|
|
|
|
if (*attribute == '\0' || *value == '\0') {
|
|
|
|
return apr_pstrcat(cmd->pool, cmd->cmd->name,
|
|
|
|
" takes at least two arguments", NULL);
|
|
|
|
}
|
|
|
|
|
2011-03-17 06:20:40 +01:00
|
|
|
/*
|
|
|
|
* MellonRequire overwrites previous conditions on this attribute
|
|
|
|
* We just tag the am_cond_t with the ignore flag, as it is
|
|
|
|
* easier (and probably faster) than to really remove it.
|
|
|
|
*/
|
|
|
|
for (i = 0; i < d->cond->nelts; i++) {
|
|
|
|
am_cond_t *ce = &((am_cond_t *)(d->cond->elts))[i];
|
|
|
|
|
|
|
|
if ((strcmp(ce->varname, attribute) == 0) &&
|
|
|
|
(ce->flags & AM_COND_FLAG_REQ))
|
|
|
|
ce->flags |= AM_COND_FLAG_IGN;
|
|
|
|
}
|
|
|
|
|
|
|
|
first_element = NULL;
|
2007-09-24 11:56:34 +02:00
|
|
|
do {
|
2011-03-17 06:20:40 +01:00
|
|
|
element = (am_cond_t *)apr_array_push(d->cond);
|
|
|
|
element->varname = attribute;
|
|
|
|
element->flags = AM_COND_FLAG_OR|AM_COND_FLAG_REQ;
|
|
|
|
element->str = value;
|
|
|
|
element->regex = NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* When multiple values are given, we track the first one
|
|
|
|
* in order to retreive the directive
|
|
|
|
*/
|
|
|
|
if (first_element == NULL) {
|
|
|
|
element->directive = apr_pstrcat(cmd->pool,
|
|
|
|
cmd->directive->directive, " ",
|
|
|
|
cmd->directive->args, NULL);
|
|
|
|
first_element = element;
|
|
|
|
} else {
|
|
|
|
element->directive = first_element->directive;
|
2007-09-24 11:56:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
} while (*(value = ap_getword_conf(cmd->pool, &arg)) != '\0');
|
|
|
|
|
2011-03-17 06:20:40 +01:00
|
|
|
/*
|
|
|
|
* Remove OR flag on last element
|
|
|
|
*/
|
|
|
|
element->flags &= ~AM_COND_FLAG_OR;
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2009-06-15 15:33:34 +02:00
|
|
|
/* This function handles the MellonOrganization* directives, which
|
|
|
|
* which specify language-qualified strings
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for the MellonOrganization*
|
|
|
|
* configuration directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *lang Pointer to the language string (optional)
|
|
|
|
* const char *value Pointer to the data
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_langstring_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *lang,
|
|
|
|
const char *value)
|
|
|
|
{
|
2009-08-07 14:56:37 +02:00
|
|
|
apr_hash_t *h = *(apr_hash_t **)(struct_ptr + (apr_size_t)cmd->info);
|
2009-06-15 15:33:34 +02:00
|
|
|
|
|
|
|
if (value == NULL || *value == '\0') {
|
|
|
|
value = lang;
|
|
|
|
lang = "";
|
|
|
|
}
|
|
|
|
|
|
|
|
apr_hash_set(h, lang, APR_HASH_KEY_STRING,
|
|
|
|
apr_pstrdup(cmd->server->process->pconf, value));
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2007-09-24 11:56:34 +02:00
|
|
|
|
2011-12-07 11:19:35 +01:00
|
|
|
/* This function handles the MellonAuthnContextClassRef directive.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for the MellonAuthnContextClassRef
|
|
|
|
* configuration directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* const char *arg An URI for an SAMLv2 AuthnContextClassRef
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* This function will always return NULL.
|
|
|
|
*/
|
|
|
|
static const char *am_set_authn_context_class_ref(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
apr_pool_t *p= cmd->pool;
|
2011-12-14 08:09:17 +01:00
|
|
|
char **context_class_ref_p;
|
2011-12-07 11:19:35 +01:00
|
|
|
|
|
|
|
if(strlen(arg) == 0) {
|
|
|
|
return NULL;
|
|
|
|
}
|
2011-12-14 08:09:17 +01:00
|
|
|
context_class_ref_p = apr_array_push(d->authn_context_class_ref);
|
|
|
|
*context_class_ref_p = apr_pstrdup(p, arg);
|
2011-12-07 11:19:35 +01:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2012-10-09 10:41:45 +02:00
|
|
|
/* This function handles the MellonDoNotVerifyLogoutSignature configuration directive,
|
|
|
|
* it is identical to the am_set_hash_string_slot function. You can refer to it.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* const char *key The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_do_not_verify_logout_signature(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *key)
|
|
|
|
{
|
|
|
|
#ifdef HAVE_lasso_profile_set_signature_verify_hint
|
|
|
|
return am_set_hash_string_slot(cmd, struct_ptr, key, NULL);
|
|
|
|
#else
|
|
|
|
return apr_pstrcat(cmd->pool, cmd->cmd->name,
|
|
|
|
" is not usable as modmellon was compiled against "
|
|
|
|
"a version of the lasso library which miss the "
|
|
|
|
"function lasso_profile_set_signature_verify_hint.",
|
|
|
|
NULL);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2015-04-16 13:42:47 +02:00
|
|
|
/* This function handles the MellonMergeEnvVars configuration directive,
|
|
|
|
* it sets merge_env_vars to nonempty separator (default semicolon),
|
|
|
|
* or empty string to denote no merging.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* const char *flag On/Off flag
|
|
|
|
* const char *sep Optional separator, should be only present with On
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_merge_env_vars(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *flag,
|
|
|
|
const char *sep)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
apr_pool_t *p= cmd->pool;
|
|
|
|
if (strcasecmp(flag, "on") == 0) {
|
|
|
|
if (sep && *sep) {
|
|
|
|
/*
|
|
|
|
* TAKE12 will not give us the second argument if it is
|
|
|
|
* empty string so we cannot complain about it, we will just
|
|
|
|
* silently use semicolon
|
|
|
|
*/
|
|
|
|
d->merge_env_vars = apr_pstrdup(p, sep);
|
|
|
|
} else {
|
|
|
|
d->merge_env_vars = ";";
|
|
|
|
}
|
|
|
|
} else if (strcasecmp(flag, "off") == 0) {
|
|
|
|
if (sep) {
|
|
|
|
return apr_pstrcat(cmd->pool, cmd->cmd->name,
|
|
|
|
" separator should not be used with Off", NULL);
|
|
|
|
}
|
|
|
|
d->merge_env_vars = "";
|
|
|
|
} else {
|
|
|
|
return apr_pstrcat(cmd->pool, cmd->cmd->name,
|
|
|
|
" first parameer must be On or Off", NULL);
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2015-12-11 11:16:54 +01:00
|
|
|
/* Handle MellonRedirectDomains option.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* NULL if we are not in a directory configuration.
|
|
|
|
* int argc Number of redirect domains.
|
|
|
|
* char *const argv[] List of redirect domains.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success, or errror string on failure.
|
|
|
|
*/
|
|
|
|
static const char *am_set_redirect_domains(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
int argc,
|
|
|
|
char *const argv[])
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *cfg = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
const char **redirect_domains;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (argc < 1)
|
|
|
|
return apr_psprintf(cmd->pool, "%s takes at least one arguments",
|
|
|
|
cmd->cmd->name);
|
|
|
|
|
|
|
|
redirect_domains = apr_palloc(cmd->pool, sizeof(const char *) * (argc + 1));
|
|
|
|
for (i = 0; i < argc; i++) {
|
|
|
|
redirect_domains[i] = argv[i];
|
|
|
|
}
|
|
|
|
redirect_domains[argc] = NULL;
|
|
|
|
|
|
|
|
cfg->redirect_domains = redirect_domains;
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2018-01-11 19:05:26 +01:00
|
|
|
/* This function handles the MellonSignatureMethod configuration directive.
|
|
|
|
* This directive can be set to one of:
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* cmd_parms *cmd The command structure for this configuration
|
|
|
|
* directive.
|
|
|
|
* void *struct_ptr Pointer to the current directory configuration.
|
|
|
|
* const char *arg The string argument following this configuration
|
|
|
|
* directive in the configuraion file.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* NULL on success or an error string if the argument is wrong.
|
|
|
|
*/
|
|
|
|
static const char *am_set_signature_method_slot(cmd_parms *cmd,
|
|
|
|
void *struct_ptr,
|
|
|
|
const char *arg)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
|
|
|
|
char *valid_methods = "rsa-sha1"
|
|
|
|
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA256
|
|
|
|
" rsa-sha256"
|
|
|
|
#endif
|
|
|
|
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA384
|
|
|
|
" rsa-sha384"
|
|
|
|
#endif
|
|
|
|
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA512
|
|
|
|
" rsa-sha512"
|
|
|
|
#endif
|
|
|
|
;
|
|
|
|
|
|
|
|
if (!strcasecmp(arg, "rsa-sha1")) {
|
|
|
|
d->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
|
|
|
}
|
|
|
|
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA256
|
|
|
|
else if (!strcasecmp(arg, "rsa-sha256")) {
|
|
|
|
d->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA256;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA384
|
|
|
|
else if (!strcasecmp(arg, "rsa-sha384")) {
|
|
|
|
d->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA384;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA512
|
|
|
|
else if (!strcasecmp(arg, "rsa-sha512")) {
|
|
|
|
d->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA512;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
else {
|
|
|
|
return apr_psprintf(cmd->pool,
|
|
|
|
"%s: Invalid method \"%s\", must be one of: %s",
|
|
|
|
cmd->cmd->name, arg, valid_methods);
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
/* This array contains all the configuration directive which are handled
|
|
|
|
* by auth_mellon.
|
|
|
|
*/
|
|
|
|
const command_rec auth_mellon_commands[] = {
|
|
|
|
|
|
|
|
/* Global configuration directives. */
|
|
|
|
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonCacheSize",
|
|
|
|
am_set_module_config_int_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_mod_cfg_rec, cache_size),
|
|
|
|
RSRC_CONF,
|
|
|
|
"The number of sessions we can keep track of at once. You must"
|
|
|
|
" restart the server before any changes to this directive will"
|
|
|
|
" take effect. The default value is 100."
|
|
|
|
),
|
2014-06-20 13:24:38 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonCacheEntrySize",
|
|
|
|
am_set_module_config_int_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_mod_cfg_rec, entry_size),
|
|
|
|
RSRC_CONF,
|
|
|
|
"The maximum size for a single session entry. You must"
|
|
|
|
" restart the server before any changes to this directive will"
|
|
|
|
" take effect. The default value is 192KiB."
|
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonLockFile",
|
2013-03-06 13:53:51 +01:00
|
|
|
am_set_module_config_file_slot,
|
2007-09-24 11:56:34 +02:00
|
|
|
(void *)APR_OFFSETOF(am_mod_cfg_rec, lock_file),
|
|
|
|
RSRC_CONF,
|
|
|
|
"The lock file for session synchronization."
|
2017-02-08 13:42:15 +01:00
|
|
|
" Default value is \"/var/run/mod_auth_mellon.lock\"."
|
2007-09-24 11:56:34 +02:00
|
|
|
),
|
2009-11-09 14:46:28 +01:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonPostDirectory",
|
2013-03-06 13:53:51 +01:00
|
|
|
am_set_module_config_file_slot,
|
2009-11-09 14:46:28 +01:00
|
|
|
(void *)APR_OFFSETOF(am_mod_cfg_rec, post_dir),
|
|
|
|
RSRC_CONF,
|
|
|
|
"The directory for saving POST requests."
|
2017-02-08 13:42:15 +01:00
|
|
|
" Not set by default."
|
2009-11-09 14:46:28 +01:00
|
|
|
),
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonPostTTL",
|
|
|
|
am_set_module_config_int_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_mod_cfg_rec, post_ttl),
|
|
|
|
RSRC_CONF,
|
|
|
|
"The time to live for saved POST requests in seconds."
|
2017-02-08 13:42:15 +01:00
|
|
|
" Default value is 900 (15 minutes)."
|
2009-11-09 14:46:28 +01:00
|
|
|
),
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonPostCount",
|
|
|
|
am_set_module_config_int_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_mod_cfg_rec, post_count),
|
|
|
|
RSRC_CONF,
|
|
|
|
"The maximum saved POST sessions at once."
|
|
|
|
" Default value is 100."
|
|
|
|
),
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonPostSize",
|
|
|
|
am_set_module_config_int_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_mod_cfg_rec, post_size),
|
|
|
|
RSRC_CONF,
|
|
|
|
"The maximum size of a saved POST, in bytes."
|
2017-02-08 13:42:15 +01:00
|
|
|
" Default value is 1048576 (1 MB)."
|
2009-11-09 14:46:28 +01:00
|
|
|
),
|
Add diagnostic logging
Field experience with Mellon has demonstrated there are many
opportunities for deployment problems. Although there are tools such
as browser plugins which can capture SAML messages it's onerous for
site personnel to install and capture the relevant information. The
problem with this approach is further compounded by the fact the
external SAML messages are not correlated to Mellon's
requests/responses. Mellon currently can dump the Lasso session and
SAML Response messages and place them in Apache environment variables,
however these do not appear in the log file. To get them into the log
you have to add custom logging to the Apache config. Another issue is
the dumps are not human readable, they are base64 encoded, anyone
looking at the logs after setting up the custom logging will have to
find the base64 text and then manually copy the text into an external
base64 decoder. At that point you'll discover the XML is not pretty
printed making human interpretation difficult.
The Mellon debug messages written to the Apache error are often
insufficient to diagnose problems. And since the Mellon log messages
are written to the Apache error log they are interspersed with a lot
of non-Mellon message.
Compounding the problem of writing Mellon debug messages to the Apache
error log is the fact Apache log messages have a fixed maximum length
(currently 8192) which is insufficient to completely write out such
things as SAML Assertions, metadata, etc. Apache logging also escapes
all control characters with the consequence line breaks are not
preserved and what was a nicely formatted human readable piece of text
becomes a single line with escape characters and may be truncated.
It would be really nice if we could capture diagnostic information
with these properties:
* All relevant data is collected in exactly one file.
* Only information relevant to Mellon appears in the file.
* All information is human readable (pretty printed, decrypted) with
no need to rely on other tools.
* The diagnostic information is grouped by requests.
* The requests can be cross correlated with other Apache logs because
they utilize the same unique request identifier.
This patch adds diagnostic logging to a independent Mellon diagnostics
log file. Every piece of relevant information is captured, including:
* Request information which includes:
- Request method
- Request URL (raw and processed)
- Scheme
- Port
- Request query parameters
- Server name
- Unique request ID
- process ID, thread ID
- Request headers
* Mellon per directory configuration
A complete dump of the entire am_dir_cfg_rec structure keyed using
both the Mellon directive it is associated with and it's internal
name. This is emitted once on first use for a given URL.
The per directory dump includes the pathname of each file read as
well as the file contents. This includes:
- IdP metadata
- SP metadata
- SP cert
- SP key
- IdP public key file
- IdP CA file
* All session management operations
- cookie
- session lookup
- session creation
- session deletion
- cache management
- cache entry information
* All SAML messages
Each SAML message is decrypted, decoded and XML pretty printed in
human readable form.
* Request pipeline operations
What operations Mellon performs, what decisions it makes and what
data is being used to make those decisions.
* Response
- response status
- response headers
- Apache user name
- auth_type
- all Apache environment variables
Diagnostics can be enabled/disabled both at compile time and run
time. Compile time inclusion of diagnostics is managed with the
ENABLE_DIAGNOSTICS preprocssor symbol. The configure script now accepts
the
--enable-diagnostics and --disable-diagnostics
option. Building with diagnostics is disabled by default, you must
specify --enable-diagnostics to enable the run time option of generating
diagnostics.
The following server config directives have been added (e.g. may be
specified in the main server config area or within a <VirtualHost>
directive). If Mellon was not built with diagnostics enabled then
these config directives are no-ops and their use will generated a
warning in the log file indicating they have been ignored and to be
effective you must builld Mellon with diagnostics enabled.
MellonDiagnosticsFile:
The name of the diagnostics file or pipe,
(default is logs/mellon_diagnostics)
MellonDiagnosticsEnable:
Currently either On or Off but it is designed so it can take other
flags in the future to control what type of information is
reported.
Signed-off-by: John Dennis <jdennis@redhat.com>
2017-06-14 19:56:18 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonDiagnosticsFile",
|
|
|
|
am_set_module_diag_file_slot,
|
|
|
|
#ifdef ENABLE_DIAGNOSTICS
|
|
|
|
(void *)APR_OFFSETOF(am_diag_cfg_rec, filename),
|
|
|
|
#else
|
|
|
|
NULL,
|
|
|
|
#endif
|
|
|
|
RSRC_CONF,
|
|
|
|
"Diagnostics log file. [file|pipe] "
|
|
|
|
"If file then file is a filename, relative to the ServerRoot."
|
|
|
|
"If pipe then the filename is a pipe character \"|\", "
|
|
|
|
"followed by the path to a program to receive the log information "
|
|
|
|
"on its standard input. "
|
|
|
|
" Default value is \"logs/mellon_diagnostics\"."
|
|
|
|
),
|
|
|
|
AP_INIT_ITERATE(
|
|
|
|
"MellonDiagnosticsEnable",
|
|
|
|
am_set_module_diag_flags_slot,
|
|
|
|
NULL,
|
|
|
|
RSRC_CONF,
|
|
|
|
"Diagnostics flags. [on|off] "
|
|
|
|
" Default value is \"off\"."
|
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
|
|
|
|
/* Per-location configuration directives. */
|
|
|
|
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonEnable",
|
|
|
|
am_set_enable_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Enable auth_mellon on a location. This can be set to 'off', 'info'"
|
|
|
|
" and 'auth'. 'off' disables auth_mellon for a location, 'info'"
|
|
|
|
" will only populate the environment with attributes if the user"
|
|
|
|
" has logged in already. 'auth' will redirect the user to the IdP"
|
|
|
|
" if he hasn't logged in yet, but otherwise behaves like 'info'."
|
|
|
|
),
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonDecoder",
|
|
|
|
am_set_decoder_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
2015-08-31 12:03:38 +02:00
|
|
|
"Obsolete option, now a no-op for backwards compatibility."
|
2007-09-24 11:56:34 +02:00
|
|
|
),
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonVariable",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, varname),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"The name of the cookie which auth_mellon will set. Defaults to"
|
|
|
|
" 'cookie'. This string is appended to 'mellon-' to create the"
|
|
|
|
" cookie name, and the default name of the cookie will therefore"
|
|
|
|
" be 'mellon-cookie'."
|
|
|
|
),
|
2016-04-08 11:14:02 +02:00
|
|
|
AP_INIT_TAKE1(
|
2009-03-02 14:56:35 +01:00
|
|
|
"MellonSecureCookie",
|
2016-04-08 11:14:02 +02:00
|
|
|
am_set_secure_slots,
|
|
|
|
NULL,
|
2009-03-02 14:56:35 +01:00
|
|
|
OR_AUTHCFG,
|
|
|
|
"Whether the cookie set by auth_mellon should have HttpOnly and"
|
2016-04-08 11:14:02 +02:00
|
|
|
" secure flags set. Default is 'off'. Once 'on' - both flags will"
|
|
|
|
" be set. Values 'httponly' or 'secure' will respectively set only"
|
|
|
|
" one flag."
|
2009-03-02 14:56:35 +01:00
|
|
|
),
|
2011-04-07 13:32:26 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonCookieDomain",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, cookie_domain),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"The domain of the cookie which auth_mellon will set. Defaults to"
|
|
|
|
" the domain of the current request."
|
|
|
|
),
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonCookiePath",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, cookie_path),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"The path of the cookie which auth_mellon will set. Defaults to"
|
|
|
|
" '/'."
|
|
|
|
),
|
2016-09-26 17:21:46 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonCookieSameSite",
|
|
|
|
am_set_samesite_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"The SameSite value for the auth_mellon cookie. Defaults to"
|
|
|
|
" having no SameSite value. Accepts values of Lax or Strict."
|
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonUser",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, userattr),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Attribute to set as r->user. Defaults to NAME_ID, which is the"
|
|
|
|
" attribute we set to the identifier we receive from the IdP."
|
|
|
|
),
|
2010-05-31 13:15:49 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonIdP",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, idpattr),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Attribute we set to the IdP ProviderId."
|
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
AP_INIT_TAKE2(
|
|
|
|
"MellonSetEnv",
|
|
|
|
am_set_setenv_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
2019-04-10 12:58:04 +02:00
|
|
|
"Renames attributes received from the server while retaining the"
|
|
|
|
" prefix. The prefix defaults to MELLON_ but can be changed with"
|
|
|
|
" MellonEnvPrefix."
|
|
|
|
" The format is MellonSetEnv <old name> <new name>."
|
2007-09-24 11:56:34 +02:00
|
|
|
),
|
2013-05-30 09:35:54 +02:00
|
|
|
AP_INIT_TAKE2(
|
|
|
|
"MellonSetEnvNoPrefix",
|
|
|
|
am_set_setenv_no_prefix_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Renames attributes received from the server without adding prefix. The format is"
|
|
|
|
" MellonSetEnvNoPrefix <old name> <new name>."
|
|
|
|
),
|
2019-04-10 12:58:04 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonEnvPrefix",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"The prefix to use for attributes received from the server."
|
|
|
|
),
|
2009-05-25 22:48:46 +02:00
|
|
|
AP_INIT_FLAG(
|
|
|
|
"MellonSessionDump",
|
|
|
|
ap_set_flag_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, dump_session),
|
|
|
|
OR_AUTHCFG,
|
2013-05-21 12:53:30 +02:00
|
|
|
"Dump session in environment. Default is off"
|
2009-05-25 22:48:46 +02:00
|
|
|
),
|
2009-06-01 22:43:17 +02:00
|
|
|
AP_INIT_FLAG(
|
|
|
|
"MellonSamlResponseDump",
|
|
|
|
ap_set_flag_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, dump_saml_response),
|
|
|
|
OR_AUTHCFG,
|
2013-05-21 12:53:30 +02:00
|
|
|
"Dump SAML authentication response in environment. Default is off"
|
2009-06-01 22:43:17 +02:00
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
AP_INIT_RAW_ARGS(
|
|
|
|
"MellonRequire",
|
|
|
|
am_set_require_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Attribute requirements for authorization. Allows you to restrict"
|
|
|
|
" access based on attributes received from the IdP. If you list"
|
|
|
|
" several MellonRequire configuration directives, then all of them"
|
|
|
|
" must match. Every MellonRequire can list several allowed values"
|
|
|
|
" for the attribute. The syntax is:"
|
|
|
|
" MellonRequire <attribute> <value1> [value2....]."
|
|
|
|
),
|
2011-03-17 06:20:40 +01:00
|
|
|
AP_INIT_TAKE23(
|
|
|
|
"MellonCond",
|
|
|
|
am_set_cond_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Attribute requirements for authorization. Allows you to restrict"
|
|
|
|
" access based on attributes received from the IdP. The syntax is:"
|
|
|
|
" MellonRequire <attribute> <value> [<options>]."
|
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonSessionLength",
|
|
|
|
ap_set_int_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, session_length),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Maximum number of seconds a session will be valid for. Defaults"
|
|
|
|
" to 86400 seconds (1 day)."
|
|
|
|
),
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonNoCookieErrorPage",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, no_cookie_error_page),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Web page to display if the user has disabled cookies. We will"
|
|
|
|
" return a 400 Bad Request error if this is unset and the user"
|
|
|
|
" ha disabled cookies."
|
|
|
|
),
|
2014-04-25 11:11:46 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonNoSuccessErrorPage",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, no_success_error_page),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Web page to display if the idp posts with a failed"
|
|
|
|
" authentication error. We will return a 401 Unauthorized error"
|
|
|
|
" if this is unset and the idp posts such assertion."
|
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonSPMetadataFile",
|
2017-08-08 16:00:30 +02:00
|
|
|
am_set_file_contents_slot,
|
2007-09-24 11:56:34 +02:00
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_metadata_file),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Full path to xml file with metadata for the SP."
|
|
|
|
),
|
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonSPPrivateKeyFile",
|
2017-08-08 16:00:30 +02:00
|
|
|
am_set_file_contents_slot,
|
2007-09-24 11:56:34 +02:00
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_private_key_file),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Full path to pem file with the private key for the SP."
|
|
|
|
),
|
2008-10-27 12:08:57 +01:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonSPCertFile",
|
2017-08-08 16:00:30 +02:00
|
|
|
am_set_file_contents_slot,
|
2008-10-27 12:08:57 +01:00
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_cert_file),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Full path to pem file with certificate for the SP."
|
|
|
|
),
|
2011-05-18 12:49:25 +02:00
|
|
|
AP_INIT_TAKE12(
|
2007-09-24 11:56:34 +02:00
|
|
|
"MellonIdPMetadataFile",
|
2011-03-09 07:20:16 +01:00
|
|
|
am_set_idp_string_slot,
|
|
|
|
NULL,
|
2007-09-24 11:56:34 +02:00
|
|
|
OR_AUTHCFG,
|
2011-05-18 12:49:25 +02:00
|
|
|
"Full path to xml metadata file for IdP, "
|
|
|
|
"with optional validating chain."
|
2007-09-24 11:56:34 +02:00
|
|
|
),
|
2011-05-18 12:49:25 +02:00
|
|
|
AP_INIT_TAKE12(
|
2011-03-23 16:05:19 +01:00
|
|
|
"MellonIdPMetadataGlob",
|
2011-05-18 12:49:25 +02:00
|
|
|
am_set_glob_fn12,
|
2011-03-23 16:05:19 +01:00
|
|
|
am_set_idp_string_slot,
|
|
|
|
OR_AUTHCFG,
|
2011-05-18 12:49:25 +02:00
|
|
|
"Full path to xml metadata files for IdP, with glob(3) patterns. "
|
|
|
|
"An optional validating chain can be supplied."
|
2011-03-23 16:05:19 +01:00
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonIdPPublicKeyFile",
|
2017-08-08 16:00:30 +02:00
|
|
|
am_set_file_pathname_slot,
|
2007-09-24 11:56:34 +02:00
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, idp_public_key_file),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Full path to pem file with the public key for the IdP."
|
|
|
|
),
|
2008-10-27 12:08:57 +01:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonIdPCAFile",
|
2017-08-08 16:00:30 +02:00
|
|
|
am_set_file_pathname_slot,
|
2008-10-27 12:08:57 +01:00
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, idp_ca_file),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Full path to pem file with CA chain for the IdP."
|
|
|
|
),
|
2011-05-18 12:49:25 +02:00
|
|
|
AP_INIT_TAKE_ARGV(
|
|
|
|
"MellonIdPIgnore",
|
|
|
|
am_set_idp_ignore_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"List of IdP entityId to ignore."
|
|
|
|
),
|
2013-04-15 16:54:38 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonSPentityId",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_entity_id),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"SP entity Id to be used for metadata auto generation."
|
|
|
|
),
|
2009-06-15 15:33:34 +02:00
|
|
|
AP_INIT_TAKE12(
|
|
|
|
"MellonOrganizationName",
|
|
|
|
am_set_langstring_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_org_name),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Language-qualified oranization name."
|
|
|
|
),
|
|
|
|
AP_INIT_TAKE12(
|
|
|
|
"MellonOrganizationDisplayName",
|
|
|
|
am_set_langstring_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_org_display_name),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Language-qualified oranization name, human redable."
|
|
|
|
),
|
|
|
|
AP_INIT_TAKE12(
|
|
|
|
"MellonOrganizationURL",
|
|
|
|
am_set_langstring_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_org_url),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Language-qualified oranization URL."
|
|
|
|
),
|
2008-11-11 21:07:44 +01:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonDefaultLoginPath",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, login_path),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"The location where to redirect after IdP initiated login."
|
|
|
|
" Default value is \"/\"."
|
|
|
|
),
|
2009-05-12 17:28:49 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonDiscoveryURL",
|
|
|
|
ap_set_string_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, discovery_url),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"The URL of IdP discovery service. Default is unset."
|
|
|
|
),
|
2011-03-09 07:20:16 +01:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonProbeDiscoveryTimeout",
|
|
|
|
ap_set_int_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, probe_discovery_timeout),
|
|
|
|
OR_AUTHCFG,
|
2016-03-14 09:41:15 +01:00
|
|
|
"The timeout in seconds of IdP probe discovery service. "
|
|
|
|
"The default is unset, which means that this feature is disabled."
|
2011-03-09 07:20:16 +01:00
|
|
|
),
|
|
|
|
AP_INIT_TAKE12(
|
|
|
|
"MellonProbeDiscoveryIdP",
|
2011-12-05 20:06:44 +01:00
|
|
|
am_set_table_string_slot,
|
2011-03-09 07:20:16 +01:00
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, probe_discovery_idp),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"An IdP that can be used for IdP probe discovery."
|
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonEndpointPath",
|
|
|
|
am_set_endpoint_path,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"The root directory of the SAML2 endpoints, relative to the root"
|
|
|
|
" of the web server. Default value is \"/mellon/\", which will"
|
|
|
|
" make mod_mellon to the handler for every request to"
|
|
|
|
" \"http://<servername>/mellon/*\". The path you specify must"
|
|
|
|
" be contained within the current Location directive."
|
|
|
|
),
|
2011-12-07 11:19:35 +01:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonAuthnContextClassRef",
|
|
|
|
am_set_authn_context_class_ref,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"A list of AuthnContextClassRef to request in the AuthnRequest and "
|
|
|
|
"to validate upon reception of an Assertion"
|
|
|
|
),
|
2019-07-04 19:19:42 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonAuthnContextComparisonType",
|
|
|
|
am_set_authn_context_comparison_type_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"An AuthnContextComparisonType attribute as part of the AuthnRequest."
|
|
|
|
),
|
2012-02-17 15:01:24 +01:00
|
|
|
AP_INIT_FLAG(
|
|
|
|
"MellonSubjectConfirmationDataAddressCheck",
|
|
|
|
ap_set_flag_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, subject_confirmation_data_address_check),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Check address given in SubjectConfirmationData Address attribute. Default is on."
|
|
|
|
),
|
2016-09-26 15:28:30 +02:00
|
|
|
AP_INIT_FLAG(
|
|
|
|
"MellonSendCacheControlHeader",
|
|
|
|
ap_set_flag_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, send_cache_control_header),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Send the cache-control header on responses. Default is on."
|
|
|
|
),
|
2012-10-09 10:41:45 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonDoNotVerifyLogoutSignature",
|
|
|
|
am_set_do_not_verify_logout_signature,
|
2013-10-28 07:42:44 +01:00
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, do_not_verify_logout_signature),
|
2012-10-09 10:41:45 +02:00
|
|
|
OR_AUTHCFG,
|
|
|
|
"A list of entity of IdP whose logout requests signatures will not "
|
|
|
|
"be valided"
|
|
|
|
),
|
2013-03-06 13:53:38 +01:00
|
|
|
AP_INIT_FLAG(
|
|
|
|
"MellonPostReplay",
|
|
|
|
ap_set_flag_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, post_replay),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Whether we should replay POST requests that trigger authentication. Default is off."
|
|
|
|
),
|
2015-04-16 13:42:47 +02:00
|
|
|
AP_INIT_TAKE12(
|
2014-11-11 17:38:57 +01:00
|
|
|
"MellonMergeEnvVars",
|
2015-04-16 13:42:47 +02:00
|
|
|
am_set_merge_env_vars,
|
|
|
|
NULL,
|
2014-11-11 17:38:57 +01:00
|
|
|
OR_AUTHCFG,
|
2015-09-18 16:35:04 +02:00
|
|
|
"Whether to merge environment variables multi-values or not. Default is off."
|
2015-04-16 13:42:47 +02:00
|
|
|
"When first parameter is on, optional second parameter is the separator, "
|
|
|
|
"defaulting to semicolon."
|
2014-11-11 17:38:57 +01:00
|
|
|
),
|
2015-04-15 10:59:16 +02:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonEnvVarsIndexStart",
|
|
|
|
ap_set_int_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, env_vars_index_start),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Start indexing environment variables for multivalues with 0 or 1. Default is 0."
|
|
|
|
),
|
2015-04-16 11:00:50 +02:00
|
|
|
AP_INIT_FLAG(
|
|
|
|
"MellonEnvVarsSetCount",
|
|
|
|
ap_set_flag_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, env_vars_count_in_n),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Whether to also populate environment variable suffixed _N with number of values. Default is off."
|
|
|
|
),
|
Add support for SAML ECP.
The modifications in this commit address the changes necessary to
support the SP component of SAML ECP. The Lasso library needs
additional modifications before SAML ECP will be fully functional,
those fixes have been submitted to upstream Lasso, mod_auth_mellon
will continue to operate correctly without the Lasso upgrade, it just
won't properly support ECP without the Lasso fixes.
Below are the major logical changes in the commit and the rationale
behind them.
* Allow compilation against older versions of Lasso by conditionally
compiling.
Add the following CPP symbols set by configure:
* HAVE_ECP
* HAVE_LASSO_UTILS_H
* Add lasso_compat.h
If we can't include lasso utils.h than pull in our own
local definitions so we can use some of the valuable
utilities.
* Add ECP specific documentation file
Documentation specific to ECP is now contained in ECP.rst
(using reStructuredText formatting). Information on general ECP
concepts, mod_auth_mellon user information, and internal
mod_auth_mellon coding issues are covered.
* Add am_get_boolean_query_parameter() utility
* Add am_validate_paos_header() utility
This utility routine validates the PAOS HTTP header. It is used
in conjunction with am_header_has_media_type() to determine if a
client is ECP capable.
* Add am_is_paos_request() utility
This utility checks to see if the request is PAOS based on the
required HTTP header content.
* Add utility function am_header_has_media_type() to check if an HTTP
Accept header includes a specific media type. This is necessary
because the SP detects an ECP client by the presence of a
application/vnd.paos+xml media type in the Accept
header. Unfortunately neither Apache nor mod_auth_mellon already had
a function to check Accept media types so this was custom written
and added to mod_auth_mellon.
* Add utility function am_get_assertion_consumer_service_by_binding()
because Lasso does not expose that in it's public API. It's
necessary to get the URL of the PAOS AssertionConsumerService.
* Add MellonECPSendIDPList config option
This option controls whether to include a list of IDP's when
sending an ECP PAOS <AuthnRequest> message to an ECP client.
* We need to do some bookkeeping during the processing of a
request. Some Apache modules call this "adding a
note". mod_auth_mellon was already doing this but because it only
needed to track one value (the cookie value) took a shortcut and
stuffed the cookie value into the per module request slot rather
than defining a struct that could hold a variety of per-request
values. To accommodate multiple per request bookkeeping values we
define a new struct, am_req_cfg_rec, that holds the previously used
cookie value and adds a new ECP specific value. This struct is now
the bookkeeping data item attached to each request. To support the
new am_req_cfg_rec struct the am_get_req_cfg macro was added (mirrors
the existing am_get_srv_cfg, am_get_mod_cfg and am_get_dir_cfg
macros). The am_create_request() Apache hook was added to
initialize the am_req_cfg_rec at the beginning of the request
pipeline.
* A new endpoint was added to handle PAOS responses from the ECP
client. The endpoint is called "paosResponse" and lives along side
of the existing endpoints (e.g. postResponse, artifactResponse,
metadata, auth, logout, etc.). The new endpoint is handled by
am_handle_paos_reply(). The metadata generation implemented in
am_generate_metadata() was augmented to add the paosResponse
endpoint and bind it to the SAML2 PAOS binding.
* am_handle_reply_common() was being called by am_handle_post_reply()
and am_handle_artifact_reply() because replies share a fair amount
of common logic. The new am_handle_paos_reply() also needs to
utilize the same common logic in am_handle_reply_common() but ECP
has slightly different behavior that has to be accounted for. With
ECP there is no SP generated cookie because the SP did not initiate
the process and has no state to track. Also the RelayState is
optional with ECP and is carried in the PAOS header as opposed to an
HTTP query/post parameter. The boolean flag is_paos was added as a
parameter to am_handle_reply_common() so as to be able to
distinguish between the PAOS and non-PAOS logic.
* Add PAOS AssertionConsumerService to automatically generated metadata.
Note, am_get_assertion_consumer_service_by_binding() should be able
to locate this endpoint.
* Refactor code to send <AuthnRequest>, now also supports PAOS
The creation and initialization of a LassoLogin object is different
for the ECP case. We want to share as much common code as possible,
the following refactoring was done to achieve that goal.
The function am_send_authn_request() was removed and it's logic
moved to am_init_authn_request_common(),
am_send_login_authn_request() and
am_set_authn_request_content(). This allows the logic used to create
and initialize a LassoLogin object to be shared between the PAOS and
non-PAOS cases. am_send_paos_authn_request() also calls
am_init_authn_request_common() and
am_set_authn_request_content(). The function
am_set_authn_request_content() replaces the logic at the end of
am_send_authn_request(), it is responsible for setting the HTTP
headers and body content based on the LassoLogin.
Signed-off-by: John Dennis <jdennis@redhat.com>
2015-07-06 22:04:55 +02:00
|
|
|
AP_INIT_FLAG(
|
|
|
|
"MellonECPSendIDPList",
|
|
|
|
ap_set_flag_slot,
|
|
|
|
(void *)APR_OFFSETOF(am_dir_cfg_rec, ecp_send_idplist),
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Whether to send an ECP client a list of IdP's. Default is off."
|
|
|
|
),
|
2015-12-11 11:16:54 +01:00
|
|
|
AP_INIT_TAKE_ARGV(
|
|
|
|
"MellonRedirectDomains",
|
|
|
|
am_set_redirect_domains,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"List of domains we can redirect to."
|
|
|
|
),
|
2018-01-11 19:05:26 +01:00
|
|
|
AP_INIT_TAKE1(
|
|
|
|
"MellonSignatureMethod",
|
|
|
|
am_set_signature_method_slot,
|
|
|
|
NULL,
|
|
|
|
OR_AUTHCFG,
|
|
|
|
"Signature method used to sign SAML messages sent by Mellon"
|
|
|
|
),
|
2007-09-24 11:56:34 +02:00
|
|
|
{NULL}
|
|
|
|
};
|
|
|
|
|
2014-04-25 11:11:40 +02:00
|
|
|
const am_error_map_t auth_mellon_errormap[] = {
|
|
|
|
{ LASSO_PROFILE_ERROR_STATUS_NOT_SUCCESS, HTTP_UNAUTHORIZED },
|
|
|
|
#ifdef LASSO_PROFILE_ERROR_REQUEST_DENIED
|
|
|
|
{ LASSO_PROFILE_ERROR_REQUEST_DENIED, HTTP_UNAUTHORIZED },
|
|
|
|
#endif
|
|
|
|
{ 0, 0 }
|
|
|
|
};
|
2007-09-24 11:56:34 +02:00
|
|
|
|
2011-03-30 09:40:15 +02:00
|
|
|
/* Release a lasso_server object associated with this configuration.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* void *data The pointer to the configuration data.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* Always APR_SUCCESS.
|
|
|
|
*/
|
|
|
|
static apr_status_t auth_mellon_free_server(void *data)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *dir = data;
|
|
|
|
|
|
|
|
if (dir->server != NULL) {
|
|
|
|
lasso_server_destroy(dir->server);
|
|
|
|
dir->server = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return APR_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
/* This function creates and initializes a directory configuration
|
|
|
|
* object for auth_mellon.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* apr_pool_t *p The pool we should allocate memory from.
|
|
|
|
* char *d Unused, always NULL.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* The new directory configuration object.
|
|
|
|
*/
|
|
|
|
void *auth_mellon_dir_config(apr_pool_t *p, char *d)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *dir = apr_palloc(p, sizeof(*dir));
|
|
|
|
|
2011-03-30 09:40:15 +02:00
|
|
|
apr_pool_cleanup_register(p, dir, auth_mellon_free_server,
|
|
|
|
auth_mellon_free_server);
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
dir->enable_mellon = am_enable_default;
|
|
|
|
|
|
|
|
dir->varname = default_cookie_name;
|
2009-03-02 14:56:35 +01:00
|
|
|
dir->secure = default_secure_cookie;
|
2016-04-08 11:14:02 +02:00
|
|
|
dir->http_only = default_http_only_cookie;
|
2014-11-11 17:38:57 +01:00
|
|
|
dir->merge_env_vars = default_merge_env_vars;
|
2015-04-15 10:59:16 +02:00
|
|
|
dir->env_vars_index_start = default_env_vars_index_start;
|
2015-04-16 11:00:50 +02:00
|
|
|
dir->env_vars_count_in_n = default_env_vars_count_in_n;
|
2011-03-17 06:20:40 +01:00
|
|
|
dir->cond = apr_array_make(p, 0, sizeof(am_cond_t));
|
2011-04-07 13:32:26 +02:00
|
|
|
dir->cookie_domain = NULL;
|
|
|
|
dir->cookie_path = NULL;
|
2016-09-26 17:21:46 +02:00
|
|
|
dir->cookie_samesite = am_samesite_default;
|
2007-09-24 11:56:34 +02:00
|
|
|
dir->envattr = apr_hash_make(p);
|
2019-04-10 12:58:04 +02:00
|
|
|
dir->env_prefix = default_env_prefix;
|
2007-09-24 11:56:34 +02:00
|
|
|
dir->userattr = default_user_attribute;
|
2010-05-31 13:15:49 +02:00
|
|
|
dir->idpattr = NULL;
|
2018-01-11 19:05:26 +01:00
|
|
|
dir->signature_method = inherit_signature_method;
|
2009-05-25 22:48:46 +02:00
|
|
|
dir->dump_session = default_dump_session;
|
2009-06-01 22:43:17 +02:00
|
|
|
dir->dump_saml_response = default_dump_saml_response;
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
dir->endpoint_path = default_endpoint_path;
|
|
|
|
|
|
|
|
dir->session_length = -1; /* -1 means use default. */
|
|
|
|
|
|
|
|
dir->no_cookie_error_page = NULL;
|
2014-04-25 11:11:46 +02:00
|
|
|
dir->no_success_error_page = NULL;
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
dir->sp_metadata_file = NULL;
|
|
|
|
dir->sp_private_key_file = NULL;
|
2008-10-27 12:08:57 +01:00
|
|
|
dir->sp_cert_file = NULL;
|
2011-05-18 12:49:25 +02:00
|
|
|
dir->idp_metadata = apr_array_make(p, 0, sizeof(am_metadata_t));
|
2007-09-24 11:56:34 +02:00
|
|
|
dir->idp_public_key_file = NULL;
|
2008-10-27 12:08:57 +01:00
|
|
|
dir->idp_ca_file = NULL;
|
2011-05-18 12:49:25 +02:00
|
|
|
dir->idp_ignore = NULL;
|
2008-11-11 21:07:44 +01:00
|
|
|
dir->login_path = default_login_path;
|
2009-05-12 17:28:49 +02:00
|
|
|
dir->discovery_url = NULL;
|
2011-03-09 07:20:16 +01:00
|
|
|
dir->probe_discovery_timeout = -1; /* -1 means no probe discovery */
|
2011-12-05 20:06:44 +01:00
|
|
|
dir->probe_discovery_idp = apr_table_make(p, 0);
|
2007-09-24 11:56:34 +02:00
|
|
|
|
2013-04-15 16:54:38 +02:00
|
|
|
dir->sp_entity_id = NULL;
|
2009-06-15 15:33:34 +02:00
|
|
|
dir->sp_org_name = apr_hash_make(p);
|
|
|
|
dir->sp_org_display_name = apr_hash_make(p);
|
|
|
|
dir->sp_org_url = apr_hash_make(p);
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
apr_thread_mutex_create(&dir->server_mutex, APR_THREAD_MUTEX_DEFAULT, p);
|
2011-05-18 12:49:32 +02:00
|
|
|
dir->inherit_server_from = dir;
|
2007-09-24 11:56:34 +02:00
|
|
|
dir->server = NULL;
|
2012-10-09 10:41:45 +02:00
|
|
|
dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));
|
2019-07-04 19:19:42 +02:00
|
|
|
dir->authn_context_comparison_type = NULL;
|
2012-02-17 15:01:24 +01:00
|
|
|
dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check;
|
2016-09-26 15:28:30 +02:00
|
|
|
dir->send_cache_control_header = inherit_send_cache_control_header;
|
2012-10-09 10:41:45 +02:00
|
|
|
dir->do_not_verify_logout_signature = apr_hash_make(p);
|
2013-03-06 13:53:38 +01:00
|
|
|
dir->post_replay = inherit_post_replay;
|
2015-12-11 11:16:54 +01:00
|
|
|
dir->redirect_domains = default_redirect_domains;
|
2007-09-24 11:56:34 +02:00
|
|
|
|
Add support for SAML ECP.
The modifications in this commit address the changes necessary to
support the SP component of SAML ECP. The Lasso library needs
additional modifications before SAML ECP will be fully functional,
those fixes have been submitted to upstream Lasso, mod_auth_mellon
will continue to operate correctly without the Lasso upgrade, it just
won't properly support ECP without the Lasso fixes.
Below are the major logical changes in the commit and the rationale
behind them.
* Allow compilation against older versions of Lasso by conditionally
compiling.
Add the following CPP symbols set by configure:
* HAVE_ECP
* HAVE_LASSO_UTILS_H
* Add lasso_compat.h
If we can't include lasso utils.h than pull in our own
local definitions so we can use some of the valuable
utilities.
* Add ECP specific documentation file
Documentation specific to ECP is now contained in ECP.rst
(using reStructuredText formatting). Information on general ECP
concepts, mod_auth_mellon user information, and internal
mod_auth_mellon coding issues are covered.
* Add am_get_boolean_query_parameter() utility
* Add am_validate_paos_header() utility
This utility routine validates the PAOS HTTP header. It is used
in conjunction with am_header_has_media_type() to determine if a
client is ECP capable.
* Add am_is_paos_request() utility
This utility checks to see if the request is PAOS based on the
required HTTP header content.
* Add utility function am_header_has_media_type() to check if an HTTP
Accept header includes a specific media type. This is necessary
because the SP detects an ECP client by the presence of a
application/vnd.paos+xml media type in the Accept
header. Unfortunately neither Apache nor mod_auth_mellon already had
a function to check Accept media types so this was custom written
and added to mod_auth_mellon.
* Add utility function am_get_assertion_consumer_service_by_binding()
because Lasso does not expose that in it's public API. It's
necessary to get the URL of the PAOS AssertionConsumerService.
* Add MellonECPSendIDPList config option
This option controls whether to include a list of IDP's when
sending an ECP PAOS <AuthnRequest> message to an ECP client.
* We need to do some bookkeeping during the processing of a
request. Some Apache modules call this "adding a
note". mod_auth_mellon was already doing this but because it only
needed to track one value (the cookie value) took a shortcut and
stuffed the cookie value into the per module request slot rather
than defining a struct that could hold a variety of per-request
values. To accommodate multiple per request bookkeeping values we
define a new struct, am_req_cfg_rec, that holds the previously used
cookie value and adds a new ECP specific value. This struct is now
the bookkeeping data item attached to each request. To support the
new am_req_cfg_rec struct the am_get_req_cfg macro was added (mirrors
the existing am_get_srv_cfg, am_get_mod_cfg and am_get_dir_cfg
macros). The am_create_request() Apache hook was added to
initialize the am_req_cfg_rec at the beginning of the request
pipeline.
* A new endpoint was added to handle PAOS responses from the ECP
client. The endpoint is called "paosResponse" and lives along side
of the existing endpoints (e.g. postResponse, artifactResponse,
metadata, auth, logout, etc.). The new endpoint is handled by
am_handle_paos_reply(). The metadata generation implemented in
am_generate_metadata() was augmented to add the paosResponse
endpoint and bind it to the SAML2 PAOS binding.
* am_handle_reply_common() was being called by am_handle_post_reply()
and am_handle_artifact_reply() because replies share a fair amount
of common logic. The new am_handle_paos_reply() also needs to
utilize the same common logic in am_handle_reply_common() but ECP
has slightly different behavior that has to be accounted for. With
ECP there is no SP generated cookie because the SP did not initiate
the process and has no state to track. Also the RelayState is
optional with ECP and is carried in the PAOS header as opposed to an
HTTP query/post parameter. The boolean flag is_paos was added as a
parameter to am_handle_reply_common() so as to be able to
distinguish between the PAOS and non-PAOS logic.
* Add PAOS AssertionConsumerService to automatically generated metadata.
Note, am_get_assertion_consumer_service_by_binding() should be able
to locate this endpoint.
* Refactor code to send <AuthnRequest>, now also supports PAOS
The creation and initialization of a LassoLogin object is different
for the ECP case. We want to share as much common code as possible,
the following refactoring was done to achieve that goal.
The function am_send_authn_request() was removed and it's logic
moved to am_init_authn_request_common(),
am_send_login_authn_request() and
am_set_authn_request_content(). This allows the logic used to create
and initialize a LassoLogin object to be shared between the PAOS and
non-PAOS cases. am_send_paos_authn_request() also calls
am_init_authn_request_common() and
am_set_authn_request_content(). The function
am_set_authn_request_content() replaces the logic at the end of
am_send_authn_request(), it is responsible for setting the HTTP
headers and body content based on the LassoLogin.
Signed-off-by: John Dennis <jdennis@redhat.com>
2015-07-06 22:04:55 +02:00
|
|
|
dir->ecp_send_idplist = inherit_ecp_send_idplist;
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
return dir;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-05-18 12:49:32 +02:00
|
|
|
/* Determine whether this configuration changes anything relevant to the
|
|
|
|
* lasso_server configuration.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* am_dir_cfg_rec *add_cfg The new configuration.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* true if we can inherit the lasso_server object, false if not.
|
|
|
|
*/
|
|
|
|
static bool cfg_can_inherit_lasso_server(const am_dir_cfg_rec *add_cfg)
|
|
|
|
{
|
|
|
|
if (add_cfg->endpoint_path != default_endpoint_path)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (add_cfg->sp_metadata_file != NULL
|
|
|
|
|| add_cfg->sp_private_key_file != NULL
|
|
|
|
|| add_cfg->sp_cert_file != NULL)
|
|
|
|
return false;
|
|
|
|
if (add_cfg->idp_metadata->nelts > 0
|
|
|
|
|| add_cfg->idp_public_key_file != NULL
|
|
|
|
|| add_cfg->idp_ca_file != NULL
|
|
|
|
|| add_cfg->idp_ignore != NULL)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (apr_hash_count(add_cfg->sp_org_name) > 0
|
|
|
|
|| apr_hash_count(add_cfg->sp_org_display_name) > 0
|
|
|
|
|| apr_hash_count(add_cfg->sp_org_url) > 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
/* This function merges two am_dir_cfg_rec structures.
|
|
|
|
* It will try to inherit from the base where possible.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* apr_pool_t *p The pool we should allocate memory from.
|
|
|
|
* void *base The original structure.
|
|
|
|
* void *add The structure we should add to base.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* The merged structure.
|
|
|
|
*/
|
|
|
|
void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
|
|
|
|
{
|
|
|
|
am_dir_cfg_rec *base_cfg = (am_dir_cfg_rec *)base;
|
|
|
|
am_dir_cfg_rec *add_cfg = (am_dir_cfg_rec *)add;
|
|
|
|
am_dir_cfg_rec *new_cfg;
|
|
|
|
|
|
|
|
new_cfg = (am_dir_cfg_rec *)apr_palloc(p, sizeof(*new_cfg));
|
|
|
|
|
2011-03-30 09:40:15 +02:00
|
|
|
apr_pool_cleanup_register(p, new_cfg, auth_mellon_free_server,
|
|
|
|
auth_mellon_free_server);
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
new_cfg->enable_mellon = (add_cfg->enable_mellon != am_enable_default ?
|
|
|
|
add_cfg->enable_mellon :
|
|
|
|
base_cfg->enable_mellon);
|
|
|
|
|
|
|
|
|
|
|
|
new_cfg->varname = (add_cfg->varname != default_cookie_name ?
|
|
|
|
add_cfg->varname :
|
|
|
|
base_cfg->varname);
|
|
|
|
|
2011-04-07 13:32:26 +02:00
|
|
|
|
2009-03-02 14:56:35 +01:00
|
|
|
new_cfg->secure = (add_cfg->secure != default_secure_cookie ?
|
|
|
|
add_cfg->secure :
|
|
|
|
base_cfg->secure);
|
|
|
|
|
2016-04-08 11:14:02 +02:00
|
|
|
new_cfg->http_only = (add_cfg->http_only != default_http_only_cookie ?
|
|
|
|
add_cfg->http_only :
|
|
|
|
base_cfg->http_only);
|
|
|
|
|
2014-11-11 17:38:57 +01:00
|
|
|
new_cfg->merge_env_vars = (add_cfg->merge_env_vars != default_merge_env_vars ?
|
|
|
|
add_cfg->merge_env_vars :
|
|
|
|
base_cfg->merge_env_vars);
|
|
|
|
|
2015-04-15 10:59:16 +02:00
|
|
|
new_cfg->env_vars_index_start = (add_cfg->env_vars_index_start != default_env_vars_index_start ?
|
|
|
|
add_cfg->env_vars_index_start :
|
|
|
|
base_cfg->env_vars_index_start);
|
|
|
|
|
2015-04-16 11:00:50 +02:00
|
|
|
new_cfg->env_vars_count_in_n = (add_cfg->env_vars_count_in_n != default_env_vars_count_in_n ?
|
|
|
|
add_cfg->env_vars_count_in_n :
|
|
|
|
base_cfg->env_vars_count_in_n);
|
|
|
|
|
2011-04-07 13:32:26 +02:00
|
|
|
new_cfg->cookie_domain = (add_cfg->cookie_domain != NULL ?
|
|
|
|
add_cfg->cookie_domain :
|
|
|
|
base_cfg->cookie_domain);
|
|
|
|
|
|
|
|
new_cfg->cookie_path = (add_cfg->cookie_path != NULL ?
|
|
|
|
add_cfg->cookie_path :
|
|
|
|
base_cfg->cookie_path);
|
2009-03-02 14:56:35 +01:00
|
|
|
|
2016-09-26 17:21:46 +02:00
|
|
|
new_cfg->cookie_samesite = (add_cfg->cookie_samesite != am_samesite_default ?
|
|
|
|
add_cfg->cookie_samesite :
|
|
|
|
base_cfg->cookie_samesite);
|
|
|
|
|
2011-03-17 06:20:40 +01:00
|
|
|
new_cfg->cond = apr_array_copy(p,
|
|
|
|
(!apr_is_empty_array(add_cfg->cond)) ?
|
|
|
|
add_cfg->cond :
|
|
|
|
base_cfg->cond);
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
new_cfg->envattr = apr_hash_copy(p,
|
|
|
|
(apr_hash_count(add_cfg->envattr) > 0) ?
|
|
|
|
add_cfg->envattr :
|
|
|
|
base_cfg->envattr);
|
|
|
|
|
2019-04-10 12:58:04 +02:00
|
|
|
new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ?
|
|
|
|
add_cfg->env_prefix :
|
|
|
|
base_cfg->env_prefix);
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
new_cfg->userattr = (add_cfg->userattr != default_user_attribute ?
|
|
|
|
add_cfg->userattr :
|
|
|
|
base_cfg->userattr);
|
|
|
|
|
2010-05-31 13:15:49 +02:00
|
|
|
new_cfg->idpattr = (add_cfg->idpattr != NULL ?
|
|
|
|
add_cfg->idpattr :
|
|
|
|
base_cfg->idpattr);
|
|
|
|
|
2018-01-11 19:05:26 +01:00
|
|
|
new_cfg->signature_method = CFG_MERGE(add_cfg, base_cfg, signature_method);
|
|
|
|
|
2009-05-25 22:48:46 +02:00
|
|
|
new_cfg->dump_session = (add_cfg->dump_session != default_dump_session ?
|
|
|
|
add_cfg->dump_session :
|
|
|
|
base_cfg->dump_session);
|
2007-09-24 11:56:34 +02:00
|
|
|
|
2009-06-01 22:43:17 +02:00
|
|
|
new_cfg->dump_saml_response =
|
|
|
|
(add_cfg->dump_saml_response != default_dump_saml_response ?
|
|
|
|
add_cfg->dump_saml_response :
|
|
|
|
base_cfg->dump_saml_response);
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
new_cfg->endpoint_path = (
|
|
|
|
add_cfg->endpoint_path != default_endpoint_path ?
|
|
|
|
add_cfg->endpoint_path :
|
|
|
|
base_cfg->endpoint_path
|
|
|
|
);
|
|
|
|
|
|
|
|
new_cfg->session_length = (add_cfg->session_length != -1 ?
|
|
|
|
add_cfg->session_length :
|
|
|
|
base_cfg->session_length);
|
|
|
|
|
|
|
|
new_cfg->no_cookie_error_page = (add_cfg->no_cookie_error_page != NULL ?
|
|
|
|
add_cfg->no_cookie_error_page :
|
|
|
|
base_cfg->no_cookie_error_page);
|
|
|
|
|
2014-04-25 11:11:46 +02:00
|
|
|
new_cfg->no_success_error_page = (add_cfg->no_success_error_page != NULL ?
|
|
|
|
add_cfg->no_success_error_page :
|
|
|
|
base_cfg->no_success_error_page);
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
new_cfg->sp_metadata_file = (add_cfg->sp_metadata_file ?
|
|
|
|
add_cfg->sp_metadata_file :
|
|
|
|
base_cfg->sp_metadata_file);
|
|
|
|
|
|
|
|
new_cfg->sp_private_key_file = (add_cfg->sp_private_key_file ?
|
|
|
|
add_cfg->sp_private_key_file :
|
|
|
|
base_cfg->sp_private_key_file);
|
|
|
|
|
2008-10-27 12:08:57 +01:00
|
|
|
new_cfg->sp_cert_file = (add_cfg->sp_cert_file ?
|
|
|
|
add_cfg->sp_cert_file :
|
|
|
|
base_cfg->sp_cert_file);
|
|
|
|
|
2011-05-18 12:49:25 +02:00
|
|
|
new_cfg->idp_metadata = (add_cfg->idp_metadata->nelts ?
|
|
|
|
add_cfg->idp_metadata :
|
|
|
|
base_cfg->idp_metadata);
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
new_cfg->idp_public_key_file = (add_cfg->idp_public_key_file ?
|
|
|
|
add_cfg->idp_public_key_file :
|
|
|
|
base_cfg->idp_public_key_file);
|
|
|
|
|
2008-10-27 12:08:57 +01:00
|
|
|
new_cfg->idp_ca_file = (add_cfg->idp_ca_file ?
|
|
|
|
add_cfg->idp_ca_file :
|
|
|
|
base_cfg->idp_ca_file);
|
|
|
|
|
2011-05-18 12:49:25 +02:00
|
|
|
new_cfg->idp_ignore = add_cfg->idp_ignore != NULL ?
|
|
|
|
add_cfg->idp_ignore :
|
|
|
|
base_cfg->idp_ignore;
|
|
|
|
|
2013-04-15 16:54:38 +02:00
|
|
|
new_cfg->sp_entity_id = (add_cfg->sp_entity_id ?
|
|
|
|
add_cfg->sp_entity_id :
|
|
|
|
base_cfg->sp_entity_id);
|
|
|
|
|
2009-06-15 15:33:34 +02:00
|
|
|
new_cfg->sp_org_name = apr_hash_copy(p,
|
|
|
|
(apr_hash_count(add_cfg->sp_org_name) > 0) ?
|
|
|
|
add_cfg->sp_org_name :
|
|
|
|
base_cfg->sp_org_name);
|
|
|
|
|
|
|
|
new_cfg->sp_org_display_name = apr_hash_copy(p,
|
|
|
|
(apr_hash_count(add_cfg->sp_org_display_name) > 0) ?
|
|
|
|
add_cfg->sp_org_display_name :
|
|
|
|
base_cfg->sp_org_display_name);
|
|
|
|
|
|
|
|
new_cfg->sp_org_url = apr_hash_copy(p,
|
|
|
|
(apr_hash_count(add_cfg->sp_org_url) > 0) ?
|
|
|
|
add_cfg->sp_org_url :
|
|
|
|
base_cfg->sp_org_url);
|
|
|
|
|
2008-11-11 21:07:44 +01:00
|
|
|
new_cfg->login_path = (add_cfg->login_path != default_login_path ?
|
|
|
|
add_cfg->login_path :
|
|
|
|
base_cfg->login_path);
|
2007-09-24 11:56:34 +02:00
|
|
|
|
2009-05-12 17:28:49 +02:00
|
|
|
new_cfg->discovery_url = (add_cfg->discovery_url ?
|
|
|
|
add_cfg->discovery_url :
|
|
|
|
base_cfg->discovery_url);
|
|
|
|
|
2011-03-09 07:20:16 +01:00
|
|
|
new_cfg->probe_discovery_timeout =
|
|
|
|
(add_cfg->probe_discovery_timeout != -1 ?
|
|
|
|
add_cfg->probe_discovery_timeout :
|
|
|
|
base_cfg->probe_discovery_timeout);
|
|
|
|
|
2011-12-05 20:06:44 +01:00
|
|
|
new_cfg->probe_discovery_idp = apr_table_copy(p,
|
|
|
|
(!apr_is_empty_table(add_cfg->probe_discovery_idp)) ?
|
|
|
|
add_cfg->probe_discovery_idp :
|
|
|
|
base_cfg->probe_discovery_idp);
|
2011-03-09 07:20:16 +01:00
|
|
|
|
2011-05-18 12:49:32 +02:00
|
|
|
|
|
|
|
if (cfg_can_inherit_lasso_server(add_cfg)) {
|
|
|
|
new_cfg->inherit_server_from = base_cfg->inherit_server_from;
|
|
|
|
} else {
|
|
|
|
apr_thread_mutex_create(&new_cfg->server_mutex,
|
|
|
|
APR_THREAD_MUTEX_DEFAULT, p);
|
|
|
|
new_cfg->inherit_server_from = new_cfg;
|
|
|
|
}
|
2011-12-07 11:19:35 +01:00
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
new_cfg->server = NULL;
|
|
|
|
|
2012-06-28 12:44:03 +02:00
|
|
|
new_cfg->authn_context_class_ref = (add_cfg->authn_context_class_ref->nelts ?
|
2011-12-07 11:19:35 +01:00
|
|
|
add_cfg->authn_context_class_ref :
|
|
|
|
base_cfg->authn_context_class_ref);
|
|
|
|
|
2019-07-04 19:19:42 +02:00
|
|
|
new_cfg->authn_context_comparison_type = (add_cfg->authn_context_comparison_type != NULL ?
|
|
|
|
add_cfg->authn_context_comparison_type :
|
|
|
|
base_cfg->authn_context_comparison_type);
|
|
|
|
|
2012-10-09 10:41:45 +02:00
|
|
|
new_cfg->do_not_verify_logout_signature = apr_hash_copy(p,
|
|
|
|
(apr_hash_count(add_cfg->do_not_verify_logout_signature) > 0) ?
|
|
|
|
add_cfg->do_not_verify_logout_signature :
|
|
|
|
base_cfg->do_not_verify_logout_signature);
|
|
|
|
|
2012-02-17 15:01:24 +01:00
|
|
|
new_cfg->subject_confirmation_data_address_check =
|
|
|
|
CFG_MERGE(add_cfg, base_cfg, subject_confirmation_data_address_check);
|
2016-09-26 15:28:30 +02:00
|
|
|
|
|
|
|
new_cfg->send_cache_control_header =
|
|
|
|
CFG_MERGE(add_cfg, base_cfg, send_cache_control_header);
|
|
|
|
|
2013-03-06 13:53:38 +01:00
|
|
|
new_cfg->post_replay = CFG_MERGE(add_cfg, base_cfg, post_replay);
|
2011-12-07 11:19:35 +01:00
|
|
|
|
Add support for SAML ECP.
The modifications in this commit address the changes necessary to
support the SP component of SAML ECP. The Lasso library needs
additional modifications before SAML ECP will be fully functional,
those fixes have been submitted to upstream Lasso, mod_auth_mellon
will continue to operate correctly without the Lasso upgrade, it just
won't properly support ECP without the Lasso fixes.
Below are the major logical changes in the commit and the rationale
behind them.
* Allow compilation against older versions of Lasso by conditionally
compiling.
Add the following CPP symbols set by configure:
* HAVE_ECP
* HAVE_LASSO_UTILS_H
* Add lasso_compat.h
If we can't include lasso utils.h than pull in our own
local definitions so we can use some of the valuable
utilities.
* Add ECP specific documentation file
Documentation specific to ECP is now contained in ECP.rst
(using reStructuredText formatting). Information on general ECP
concepts, mod_auth_mellon user information, and internal
mod_auth_mellon coding issues are covered.
* Add am_get_boolean_query_parameter() utility
* Add am_validate_paos_header() utility
This utility routine validates the PAOS HTTP header. It is used
in conjunction with am_header_has_media_type() to determine if a
client is ECP capable.
* Add am_is_paos_request() utility
This utility checks to see if the request is PAOS based on the
required HTTP header content.
* Add utility function am_header_has_media_type() to check if an HTTP
Accept header includes a specific media type. This is necessary
because the SP detects an ECP client by the presence of a
application/vnd.paos+xml media type in the Accept
header. Unfortunately neither Apache nor mod_auth_mellon already had
a function to check Accept media types so this was custom written
and added to mod_auth_mellon.
* Add utility function am_get_assertion_consumer_service_by_binding()
because Lasso does not expose that in it's public API. It's
necessary to get the URL of the PAOS AssertionConsumerService.
* Add MellonECPSendIDPList config option
This option controls whether to include a list of IDP's when
sending an ECP PAOS <AuthnRequest> message to an ECP client.
* We need to do some bookkeeping during the processing of a
request. Some Apache modules call this "adding a
note". mod_auth_mellon was already doing this but because it only
needed to track one value (the cookie value) took a shortcut and
stuffed the cookie value into the per module request slot rather
than defining a struct that could hold a variety of per-request
values. To accommodate multiple per request bookkeeping values we
define a new struct, am_req_cfg_rec, that holds the previously used
cookie value and adds a new ECP specific value. This struct is now
the bookkeeping data item attached to each request. To support the
new am_req_cfg_rec struct the am_get_req_cfg macro was added (mirrors
the existing am_get_srv_cfg, am_get_mod_cfg and am_get_dir_cfg
macros). The am_create_request() Apache hook was added to
initialize the am_req_cfg_rec at the beginning of the request
pipeline.
* A new endpoint was added to handle PAOS responses from the ECP
client. The endpoint is called "paosResponse" and lives along side
of the existing endpoints (e.g. postResponse, artifactResponse,
metadata, auth, logout, etc.). The new endpoint is handled by
am_handle_paos_reply(). The metadata generation implemented in
am_generate_metadata() was augmented to add the paosResponse
endpoint and bind it to the SAML2 PAOS binding.
* am_handle_reply_common() was being called by am_handle_post_reply()
and am_handle_artifact_reply() because replies share a fair amount
of common logic. The new am_handle_paos_reply() also needs to
utilize the same common logic in am_handle_reply_common() but ECP
has slightly different behavior that has to be accounted for. With
ECP there is no SP generated cookie because the SP did not initiate
the process and has no state to track. Also the RelayState is
optional with ECP and is carried in the PAOS header as opposed to an
HTTP query/post parameter. The boolean flag is_paos was added as a
parameter to am_handle_reply_common() so as to be able to
distinguish between the PAOS and non-PAOS logic.
* Add PAOS AssertionConsumerService to automatically generated metadata.
Note, am_get_assertion_consumer_service_by_binding() should be able
to locate this endpoint.
* Refactor code to send <AuthnRequest>, now also supports PAOS
The creation and initialization of a LassoLogin object is different
for the ECP case. We want to share as much common code as possible,
the following refactoring was done to achieve that goal.
The function am_send_authn_request() was removed and it's logic
moved to am_init_authn_request_common(),
am_send_login_authn_request() and
am_set_authn_request_content(). This allows the logic used to create
and initialize a LassoLogin object to be shared between the PAOS and
non-PAOS cases. am_send_paos_authn_request() also calls
am_init_authn_request_common() and
am_set_authn_request_content(). The function
am_set_authn_request_content() replaces the logic at the end of
am_send_authn_request(), it is responsible for setting the HTTP
headers and body content based on the LassoLogin.
Signed-off-by: John Dennis <jdennis@redhat.com>
2015-07-06 22:04:55 +02:00
|
|
|
new_cfg->ecp_send_idplist = CFG_MERGE(add_cfg, base_cfg, ecp_send_idplist);
|
|
|
|
|
2015-12-11 11:16:54 +01:00
|
|
|
new_cfg->redirect_domains =
|
|
|
|
(add_cfg->redirect_domains != default_redirect_domains ?
|
|
|
|
add_cfg->redirect_domains :
|
|
|
|
base_cfg->redirect_domains);
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
return new_cfg;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* This function creates a new per-server configuration.
|
|
|
|
* auth_mellon uses the server configuration to store a pointer
|
|
|
|
* to the global module configuration.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* apr_pool_t *p The pool we should allocate memory from.
|
|
|
|
* server_rec *s The server we should add our configuration to.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* The new per-server configuration.
|
|
|
|
*/
|
|
|
|
void *auth_mellon_server_config(apr_pool_t *p, server_rec *s)
|
|
|
|
{
|
|
|
|
am_srv_cfg_rec *srv;
|
|
|
|
am_mod_cfg_rec *mod;
|
|
|
|
const char key[] = "auth_mellon_server_config";
|
|
|
|
|
|
|
|
srv = apr_palloc(p, sizeof(*srv));
|
|
|
|
|
Add diagnostic logging
Field experience with Mellon has demonstrated there are many
opportunities for deployment problems. Although there are tools such
as browser plugins which can capture SAML messages it's onerous for
site personnel to install and capture the relevant information. The
problem with this approach is further compounded by the fact the
external SAML messages are not correlated to Mellon's
requests/responses. Mellon currently can dump the Lasso session and
SAML Response messages and place them in Apache environment variables,
however these do not appear in the log file. To get them into the log
you have to add custom logging to the Apache config. Another issue is
the dumps are not human readable, they are base64 encoded, anyone
looking at the logs after setting up the custom logging will have to
find the base64 text and then manually copy the text into an external
base64 decoder. At that point you'll discover the XML is not pretty
printed making human interpretation difficult.
The Mellon debug messages written to the Apache error are often
insufficient to diagnose problems. And since the Mellon log messages
are written to the Apache error log they are interspersed with a lot
of non-Mellon message.
Compounding the problem of writing Mellon debug messages to the Apache
error log is the fact Apache log messages have a fixed maximum length
(currently 8192) which is insufficient to completely write out such
things as SAML Assertions, metadata, etc. Apache logging also escapes
all control characters with the consequence line breaks are not
preserved and what was a nicely formatted human readable piece of text
becomes a single line with escape characters and may be truncated.
It would be really nice if we could capture diagnostic information
with these properties:
* All relevant data is collected in exactly one file.
* Only information relevant to Mellon appears in the file.
* All information is human readable (pretty printed, decrypted) with
no need to rely on other tools.
* The diagnostic information is grouped by requests.
* The requests can be cross correlated with other Apache logs because
they utilize the same unique request identifier.
This patch adds diagnostic logging to a independent Mellon diagnostics
log file. Every piece of relevant information is captured, including:
* Request information which includes:
- Request method
- Request URL (raw and processed)
- Scheme
- Port
- Request query parameters
- Server name
- Unique request ID
- process ID, thread ID
- Request headers
* Mellon per directory configuration
A complete dump of the entire am_dir_cfg_rec structure keyed using
both the Mellon directive it is associated with and it's internal
name. This is emitted once on first use for a given URL.
The per directory dump includes the pathname of each file read as
well as the file contents. This includes:
- IdP metadata
- SP metadata
- SP cert
- SP key
- IdP public key file
- IdP CA file
* All session management operations
- cookie
- session lookup
- session creation
- session deletion
- cache management
- cache entry information
* All SAML messages
Each SAML message is decrypted, decoded and XML pretty printed in
human readable form.
* Request pipeline operations
What operations Mellon performs, what decisions it makes and what
data is being used to make those decisions.
* Response
- response status
- response headers
- Apache user name
- auth_type
- all Apache environment variables
Diagnostics can be enabled/disabled both at compile time and run
time. Compile time inclusion of diagnostics is managed with the
ENABLE_DIAGNOSTICS preprocssor symbol. The configure script now accepts
the
--enable-diagnostics and --disable-diagnostics
option. Building with diagnostics is disabled by default, you must
specify --enable-diagnostics to enable the run time option of generating
diagnostics.
The following server config directives have been added (e.g. may be
specified in the main server config area or within a <VirtualHost>
directive). If Mellon was not built with diagnostics enabled then
these config directives are no-ops and their use will generated a
warning in the log file indicating they have been ignored and to be
effective you must builld Mellon with diagnostics enabled.
MellonDiagnosticsFile:
The name of the diagnostics file or pipe,
(default is logs/mellon_diagnostics)
MellonDiagnosticsEnable:
Currently either On or Off but it is designed so it can take other
flags in the future to control what type of information is
reported.
Signed-off-by: John Dennis <jdennis@redhat.com>
2017-06-14 19:56:18 +02:00
|
|
|
#ifdef ENABLE_DIAGNOSTICS
|
|
|
|
srv->diag_cfg.filename = default_diag_filename;
|
|
|
|
srv->diag_cfg.fd = NULL;
|
|
|
|
srv->diag_cfg.flags = default_diag_flags;
|
|
|
|
srv->diag_cfg.dir_cfg_emitted = apr_table_make(p, 0);
|
|
|
|
#endif
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
/* we want to keeep our global configuration of shared memory and
|
|
|
|
* mutexes, so we try to find it in the userdata before doing anything
|
|
|
|
* else */
|
|
|
|
apr_pool_userdata_get((void **)&mod, key, p);
|
|
|
|
if (mod) {
|
|
|
|
srv->mc = mod;
|
|
|
|
return srv;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* the module has not been initiated at all */
|
|
|
|
mod = apr_palloc(p, sizeof(*mod));
|
|
|
|
|
|
|
|
mod->cache_size = 100; /* ought to be enough for everybody */
|
2013-03-06 13:53:34 +01:00
|
|
|
mod->lock_file = "/var/run/mod_auth_mellon.lock";
|
2013-03-06 13:53:42 +01:00
|
|
|
mod->post_dir = NULL;
|
2009-11-09 14:46:28 +01:00
|
|
|
mod->post_ttl = post_ttl;
|
|
|
|
mod->post_count = post_count;
|
|
|
|
mod->post_size = post_size;
|
2007-09-24 11:56:34 +02:00
|
|
|
|
2014-06-20 13:24:38 +02:00
|
|
|
mod->entry_size = AM_CACHE_DEFAULT_ENTRY_SIZE;
|
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
mod->init_cache_size = 0;
|
|
|
|
mod->init_lock_file = NULL;
|
2014-06-20 13:24:38 +02:00
|
|
|
mod->init_entry_size = 0;
|
2007-09-24 11:56:34 +02:00
|
|
|
|
|
|
|
mod->cache = NULL;
|
|
|
|
mod->lock = NULL;
|
|
|
|
|
|
|
|
apr_pool_userdata_set(mod, key, apr_pool_cleanup_null, p);
|
|
|
|
|
|
|
|
srv->mc = mod;
|
Add diagnostic logging
Field experience with Mellon has demonstrated there are many
opportunities for deployment problems. Although there are tools such
as browser plugins which can capture SAML messages it's onerous for
site personnel to install and capture the relevant information. The
problem with this approach is further compounded by the fact the
external SAML messages are not correlated to Mellon's
requests/responses. Mellon currently can dump the Lasso session and
SAML Response messages and place them in Apache environment variables,
however these do not appear in the log file. To get them into the log
you have to add custom logging to the Apache config. Another issue is
the dumps are not human readable, they are base64 encoded, anyone
looking at the logs after setting up the custom logging will have to
find the base64 text and then manually copy the text into an external
base64 decoder. At that point you'll discover the XML is not pretty
printed making human interpretation difficult.
The Mellon debug messages written to the Apache error are often
insufficient to diagnose problems. And since the Mellon log messages
are written to the Apache error log they are interspersed with a lot
of non-Mellon message.
Compounding the problem of writing Mellon debug messages to the Apache
error log is the fact Apache log messages have a fixed maximum length
(currently 8192) which is insufficient to completely write out such
things as SAML Assertions, metadata, etc. Apache logging also escapes
all control characters with the consequence line breaks are not
preserved and what was a nicely formatted human readable piece of text
becomes a single line with escape characters and may be truncated.
It would be really nice if we could capture diagnostic information
with these properties:
* All relevant data is collected in exactly one file.
* Only information relevant to Mellon appears in the file.
* All information is human readable (pretty printed, decrypted) with
no need to rely on other tools.
* The diagnostic information is grouped by requests.
* The requests can be cross correlated with other Apache logs because
they utilize the same unique request identifier.
This patch adds diagnostic logging to a independent Mellon diagnostics
log file. Every piece of relevant information is captured, including:
* Request information which includes:
- Request method
- Request URL (raw and processed)
- Scheme
- Port
- Request query parameters
- Server name
- Unique request ID
- process ID, thread ID
- Request headers
* Mellon per directory configuration
A complete dump of the entire am_dir_cfg_rec structure keyed using
both the Mellon directive it is associated with and it's internal
name. This is emitted once on first use for a given URL.
The per directory dump includes the pathname of each file read as
well as the file contents. This includes:
- IdP metadata
- SP metadata
- SP cert
- SP key
- IdP public key file
- IdP CA file
* All session management operations
- cookie
- session lookup
- session creation
- session deletion
- cache management
- cache entry information
* All SAML messages
Each SAML message is decrypted, decoded and XML pretty printed in
human readable form.
* Request pipeline operations
What operations Mellon performs, what decisions it makes and what
data is being used to make those decisions.
* Response
- response status
- response headers
- Apache user name
- auth_type
- all Apache environment variables
Diagnostics can be enabled/disabled both at compile time and run
time. Compile time inclusion of diagnostics is managed with the
ENABLE_DIAGNOSTICS preprocssor symbol. The configure script now accepts
the
--enable-diagnostics and --disable-diagnostics
option. Building with diagnostics is disabled by default, you must
specify --enable-diagnostics to enable the run time option of generating
diagnostics.
The following server config directives have been added (e.g. may be
specified in the main server config area or within a <VirtualHost>
directive). If Mellon was not built with diagnostics enabled then
these config directives are no-ops and their use will generated a
warning in the log file indicating they have been ignored and to be
effective you must builld Mellon with diagnostics enabled.
MellonDiagnosticsFile:
The name of the diagnostics file or pipe,
(default is logs/mellon_diagnostics)
MellonDiagnosticsEnable:
Currently either On or Off but it is designed so it can take other
flags in the future to control what type of information is
reported.
Signed-off-by: John Dennis <jdennis@redhat.com>
2017-06-14 19:56:18 +02:00
|
|
|
|
2007-09-24 11:56:34 +02:00
|
|
|
return srv;
|
|
|
|
}
|
|
|
|
|
Add diagnostic logging
Field experience with Mellon has demonstrated there are many
opportunities for deployment problems. Although there are tools such
as browser plugins which can capture SAML messages it's onerous for
site personnel to install and capture the relevant information. The
problem with this approach is further compounded by the fact the
external SAML messages are not correlated to Mellon's
requests/responses. Mellon currently can dump the Lasso session and
SAML Response messages and place them in Apache environment variables,
however these do not appear in the log file. To get them into the log
you have to add custom logging to the Apache config. Another issue is
the dumps are not human readable, they are base64 encoded, anyone
looking at the logs after setting up the custom logging will have to
find the base64 text and then manually copy the text into an external
base64 decoder. At that point you'll discover the XML is not pretty
printed making human interpretation difficult.
The Mellon debug messages written to the Apache error are often
insufficient to diagnose problems. And since the Mellon log messages
are written to the Apache error log they are interspersed with a lot
of non-Mellon message.
Compounding the problem of writing Mellon debug messages to the Apache
error log is the fact Apache log messages have a fixed maximum length
(currently 8192) which is insufficient to completely write out such
things as SAML Assertions, metadata, etc. Apache logging also escapes
all control characters with the consequence line breaks are not
preserved and what was a nicely formatted human readable piece of text
becomes a single line with escape characters and may be truncated.
It would be really nice if we could capture diagnostic information
with these properties:
* All relevant data is collected in exactly one file.
* Only information relevant to Mellon appears in the file.
* All information is human readable (pretty printed, decrypted) with
no need to rely on other tools.
* The diagnostic information is grouped by requests.
* The requests can be cross correlated with other Apache logs because
they utilize the same unique request identifier.
This patch adds diagnostic logging to a independent Mellon diagnostics
log file. Every piece of relevant information is captured, including:
* Request information which includes:
- Request method
- Request URL (raw and processed)
- Scheme
- Port
- Request query parameters
- Server name
- Unique request ID
- process ID, thread ID
- Request headers
* Mellon per directory configuration
A complete dump of the entire am_dir_cfg_rec structure keyed using
both the Mellon directive it is associated with and it's internal
name. This is emitted once on first use for a given URL.
The per directory dump includes the pathname of each file read as
well as the file contents. This includes:
- IdP metadata
- SP metadata
- SP cert
- SP key
- IdP public key file
- IdP CA file
* All session management operations
- cookie
- session lookup
- session creation
- session deletion
- cache management
- cache entry information
* All SAML messages
Each SAML message is decrypted, decoded and XML pretty printed in
human readable form.
* Request pipeline operations
What operations Mellon performs, what decisions it makes and what
data is being used to make those decisions.
* Response
- response status
- response headers
- Apache user name
- auth_type
- all Apache environment variables
Diagnostics can be enabled/disabled both at compile time and run
time. Compile time inclusion of diagnostics is managed with the
ENABLE_DIAGNOSTICS preprocssor symbol. The configure script now accepts
the
--enable-diagnostics and --disable-diagnostics
option. Building with diagnostics is disabled by default, you must
specify --enable-diagnostics to enable the run time option of generating
diagnostics.
The following server config directives have been added (e.g. may be
specified in the main server config area or within a <VirtualHost>
directive). If Mellon was not built with diagnostics enabled then
these config directives are no-ops and their use will generated a
warning in the log file indicating they have been ignored and to be
effective you must builld Mellon with diagnostics enabled.
MellonDiagnosticsFile:
The name of the diagnostics file or pipe,
(default is logs/mellon_diagnostics)
MellonDiagnosticsEnable:
Currently either On or Off but it is designed so it can take other
flags in the future to control what type of information is
reported.
Signed-off-by: John Dennis <jdennis@redhat.com>
2017-06-14 19:56:18 +02:00
|
|
|
/* This function merges two am_srv_cfg_rec structures.
|
|
|
|
* It will try to inherit from the base where possible.
|
|
|
|
*
|
|
|
|
* Parameters:
|
|
|
|
* apr_pool_t *p The pool we should allocate memory from.
|
|
|
|
* void *base The original structure.
|
|
|
|
* void *add The structure we should add to base.
|
|
|
|
*
|
|
|
|
* Returns:
|
|
|
|
* The merged structure.
|
|
|
|
*/
|
|
|
|
void *auth_mellon_srv_merge(apr_pool_t *p, void *base, void *add)
|
|
|
|
{
|
|
|
|
am_srv_cfg_rec *base_cfg = (am_srv_cfg_rec *)base;
|
|
|
|
am_srv_cfg_rec *new_cfg;
|
|
|
|
|
|
|
|
new_cfg = (am_srv_cfg_rec *)apr_palloc(p, sizeof(*new_cfg));
|
|
|
|
|
|
|
|
new_cfg->mc = base_cfg->mc;
|
|
|
|
|
|
|
|
#ifdef ENABLE_DIAGNOSTICS
|
|
|
|
am_srv_cfg_rec *add_cfg = (am_srv_cfg_rec *)add;
|
|
|
|
new_cfg->diag_cfg.filename = (add_cfg->diag_cfg.filename !=
|
|
|
|
default_diag_filename ?
|
|
|
|
add_cfg->diag_cfg.filename :
|
|
|
|
base_cfg->diag_cfg.filename);
|
|
|
|
|
|
|
|
new_cfg->diag_cfg.fd = NULL;
|
|
|
|
|
|
|
|
new_cfg->diag_cfg.flags = (add_cfg->diag_cfg.flags !=
|
|
|
|
default_diag_flags ?
|
|
|
|
add_cfg->diag_cfg.flags :
|
|
|
|
base_cfg->diag_cfg.flags);
|
|
|
|
|
|
|
|
new_cfg->diag_cfg.dir_cfg_emitted = apr_table_make(p, 0);
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
return new_cfg;
|
|
|
|
}
|