From 59648dda650a7c58493153c1acfd7d959563ce71 Mon Sep 17 00:00:00 2001 From: Roger Meier Date: Thu, 4 Jul 2019 19:19:42 +0200 Subject: [PATCH] feat: add MellonAuthnContextComparisonType option --- README.md | 4 +++ auth_mellon.h | 5 ++- auth_mellon_config.c | 50 ++++++++++++++++++++++++++- auth_mellon_diagnostics.c | 4 ++- auth_mellon_handler.c | 7 +++- doc/user_guide/mellon_user_guide.adoc | 1 + 6 files changed, 67 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b1e939b..4b531ad 100644 --- a/README.md +++ b/README.md @@ -532,6 +532,10 @@ MellonDiagnosticsEnable Off # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI" + # This option will set the "Comparsion" attribute within the AuthnRequest + # It could be set to "exact", "minimum", "maximum" or "better" + # MellonAuthnContextComparisonType "minimum" + # MellonSubjectConfirmationDataAddressCheck is used to control # the checking of client IP address against the address returned by the # IdP in Address attribute of the SubjectConfirmationData node. Can be useful if your SP is diff --git a/auth_mellon.h b/auth_mellon.h index 2b6eb7c..9cb951c 100644 --- a/auth_mellon.h +++ b/auth_mellon.h @@ -1,7 +1,7 @@ /* * * auth_mellon.h: an authentication apache module - * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) + * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -292,6 +292,9 @@ typedef struct am_dir_cfg_rec { /* AuthnContextClassRef list */ apr_array_header_t *authn_context_class_ref; + /* AuthnContextComparisonType */ + const char *authn_context_comparison_type; + /* Controls the checking of SubjectConfirmationData.Address attribute */ int subject_confirmation_data_address_check; 
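Review bot: The comment on the new `am_dir_cfg_rec` member, `/* AuthnContextComparisonType */`, only restates the field name and leaves a reader of the header guessing what values it can hold and who owns the memory. From the config hunk in this same patch the field is NULL until the directive is set and otherwise points at one of lasso's `LASSO_LIB_AUTHN_CONTEXT_COMPARISON_*` string constants rather than at pool-allocated text, which is why `auth_mellon_dir_merge` can copy the bare pointer. I would document exactly that: `/* MellonAuthnContextComparisonType: NULL when unset, otherwise one of the LASSO_LIB_AUTHN_CONTEXT_COMPARISON_* constants (not pool memory); copied into RequestedAuthnContext/@Comparison of the AuthnRequest */`. The `typedef struct am_dir_cfg_rec` definition starts and ends outside the hunk.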
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 4d1e92a..383cd5d 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -1,7 +1,7 @@
 /*
  *
  * auth_mellon_config.c: an authentication apache module
- * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
+ * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -759,6 +759,42 @@ static const char *am_set_setenv_no_prefix_slot(cmd_parms *cmd, return NULL; } +/* This function handles the MellonAuthnContextComparisonType option. + * It could be set to "exact", "minimum", "maximum" or "better" + * + * Parameters: + * cmd_parms *cmd The command structure for this configuration + * directive. + * void *struct_ptr Pointer to the current directory configuration. + * const char *arg The string argument following this configuration + * directive in the configuraion file. + * + * Returns: + * NULL on success or an error string if the argument is wrong. + */ +static const char *am_set_authn_context_comparison_type_slot(cmd_parms *cmd, + void *struct_ptr, + const char *arg) +{ + am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr; + + if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT)) { + d->authn_context_comparison_type = + LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT; + } else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM)) { + d->authn_context_comparison_type = + LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM; + } else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM)) { + d->authn_context_comparison_type = + LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM; + } else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER)) { + d->authn_context_comparison_type = + LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER; + } else { + return "parameter must be 'exact', 'minimum', 'maximum' or 'better'"; + } + return NULL; +} /* This function decodes MellonCond flags, such as [NOT,REG] * 
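Review bot: The header comment on `am_set_authn_context_comparison_type_slot` has a typo (`configuraion`) and says the option "could be set to" four values, but omits the two properties the code actually guarantees: the match is case-insensitive (`strcasecmp`) and the stored pointer is lasso's own constant rather than `arg`, so downstream code may compare against the `LASSO_LIB_AUTHN_CONTEXT_COMPARISON_*` macros or emit the string without re-normalising it. I would replace the first two comment lines with `/* Handles MellonAuthnContextComparisonType: accepts "exact", "minimum", "maximum" or "better" (case-insensitive) and stores the matching LASSO_LIB_AUTHN_CONTEXT_COMPARISON_* constant, never the raw argument. */`. The error string hard-codes the same four words independently of the macros; that is only accurate as long as the macros expand to those spellings, which a one-line comment next to the `return` should state so a lasso change does not leave the message lying.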
@@ -1593,6 +1629,13 @@ const command_rec auth_mellon_commands[] = { "A list of AuthnContextClassRef to request in the AuthnRequest and " "to validate upon reception of an Assertion" ), + AP_INIT_TAKE1( + "MellonAuthnContextComparisonType", + am_set_authn_context_comparison_type_slot, + NULL, + OR_AUTHCFG, + "An AuthnContextComparisonType attribute as part of the AuthnRequest." + ), AP_INIT_FLAG( "MellonSubjectConfirmationDataAddressCheck", ap_set_flag_slot, @@ -1763,6 +1806,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d) dir->inherit_server_from = dir; dir->server = NULL; dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *)); + dir->authn_context_comparison_type = NULL; dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check; dir->send_cache_control_header = inherit_send_cache_control_header; dir->do_not_verify_logout_signature = apr_hash_make(p); @@ -2004,6 +2048,10 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add) add_cfg->authn_context_class_ref : base_cfg->authn_context_class_ref); + new_cfg->authn_context_comparison_type = (add_cfg->authn_context_comparison_type != NULL ? + add_cfg->authn_context_comparison_type : + base_cfg->authn_context_comparison_type); + new_cfg->do_not_verify_logout_signature = apr_hash_copy(p, (apr_hash_count(add_cfg->do_not_verify_logout_signature) > 0) ? add_cfg->do_not_verify_logout_signature : diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c index 170ddf1..792e894 100644 --- a/auth_mellon_diagnostics.c +++ b/auth_mellon_diagnostics.c 
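Review bot: The help string for `MellonAuthnContextComparisonType`, "An AuthnContextComparisonType attribute as part of the AuthnRequest.", does not name the accepted values even though the setter rejects everything but four literals, so `httpd -L` style output and configuration errors give the operator no guidance. I would make it `"Comparison attribute of the RequestedAuthnContext element in the AuthnRequest: exact, minimum, maximum or better"`. The handler hunk in this patch only applies the value inside the block that builds RequestedAuthnContext from MellonAuthnContextClassRef, which appears to mean the directive is a no-op without at least one class reference; if that is confirmed, the help string and README entry should say so explicitly. Using `OR_AUTHCFG` matches the sibling `MellonAuthnContextClassRef` directive, so the directive is settable from `.htaccess` wherever that one already is, which is consistent.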
@@ -620,7 +620,9 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg, "%s[%2d]: %s\n", indent(level+2), i, context_class); } - + apr_file_printf(diag_cfg->fd, + "%sMellonAuthnContextComparisonType (authn_context_comparison_type): %s\n", + indent(level+1), cfg->authn_context_comparison_type); apr_file_printf(diag_cfg->fd, "%sMellonSubjectConfirmationDataAddressCheck" " (subject_confirmation_data_address_check): %s\n", diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c index e33e6e9..5db9d60 100644 --- a/auth_mellon_handler.c +++ b/auth_mellon_handler.c @@ -1,7 +1,7 @@ /* * * auth_mellon_handler.c: an authentication apache module - * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) + * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -2895,6 +2895,11 @@ static int am_init_authn_request_common(request_rec *r, "adding AuthnContextClassRef %s to the " "AuthnRequest", ref); } + + if (dir_cfg->authn_context_comparison_type != NULL) { + lasso_assign_string(request->RequestedAuthnContext->Comparison, + dir_cfg->authn_context_comparison_type); + } } LASSO_PROFILE(login)->msg_relayState = g_strdup(return_to_url); diff --git a/doc/user_guide/mellon_user_guide.adoc b/doc/user_guide/mellon_user_guide.adoc index af93005..9025ff3 100644 --- a/doc/user_guide/mellon_user_guide.adoc +++ b/doc/user_guide/mellon_user_guide.adoc 
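Review bot: The new `apr_file_printf` passes `cfg->authn_context_comparison_type` to `%s` while the field is NULL by default (the dir_config hunk initialises it to NULL); APR's formatter happens to render that as `(null)`, which is what the user-guide sample in this patch shows, but a NULL `%s` argument is not something C guarantees and a reader should not have to know APR internals to trust the diagnostics line. Making the fallback explicit keeps the output identical and self-evidently safe: `indent(level+1), cfg->authn_context_comparison_type ? cfg->authn_context_comparison_type : "(null)");`. `am_diag_log_dir_cfg` starts and ends outside the hunk.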
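Review bot: The new `Comparison` assignment only changes what the SP asks the IdP for, not what the SP accepts, and the README in this same patch describes `MellonAuthnContextClassRef` as also used "to validate upon reception of an Assertion". With `minimum`, `maximum` or `better` an IdP may legitimately answer with an AuthnContextClassRef that is not in the configured list, so the assertion-side check (outside this hunk and untouched by the patch) will either reject those responses or has to be relaxed deliberately; which of the two happens decides whether this option merely breaks logins or quietly lowers the authentication strength the SP enforces, and it should be verified and written into the README entry. The assignment also sits inside the block closed by the `}` just below it, which appears to be the one entered only when at least one class reference is configured, so a comparison type set on its own is silently dropped; an `ap_log_rerror` at warning level in the else path would make that visible to the operator. `am_init_authn_request_common` starts and ends outside the hunk.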
@@ -3598,6 +3598,7 @@ Mellon Directory Configuration for URL: /saml-test/protected.html
 MellonProbeDiscoveryTimeout (probe_discovery_timeout): -1
 MellonProbeDiscoveryIdP (probe_discovery_idp): 0 items
 MellonAuthnContextClassRef (authn_context_class_ref): 0 items
+MellonAuthnContextComparisonType (authn_context_comparison_type): (null)
 MellonSubjectConfirmationDataAddressCheck (subject_confirmation_data_address_check): On
 MellonDoNotVerifyLogoutSignature (do_not_verify_logout_signature): 0 items
 MellonPostReplay (post_replay): On