From caea8d78dd1953d507be70a6b9eae932deae72be Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 10 Apr 2019 12:58:04 +0200 Subject: [PATCH] Make the environment variable prefix configurable mellon passes on every attribute received in a SAML assertion as an Apache variable. By default, the variable is prefixed with "MELLON_". In some cases, for example when migrating from a different SP to mellon it might be beneficial to change the prefix. And while using MellonSetEnvNoPrefix is an option as well, the MellonSetEnvNoPrefix has to be specified for each variable independently. --- README.md | 5 +++++ auth_mellon.h | 1 + auth_mellon_cache.c | 2 +- auth_mellon_config.c | 23 +++++++++++++++++++++-- auth_mellon_diagnostics.c | 5 ++++- doc/user_guide/mellon_user_guide.adoc | 23 ++++++++++++++++++----- 6 files changed, 50 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index bb39a01..b1e939b 100644 --- a/README.md +++ b/README.md @@ -253,6 +253,11 @@ MellonDiagnosticsEnable Off # Default. None set. MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName" + # MellonEnvPrefix changes the string the variables passed from the + # IdP are prefixed with. + # Default: MELLON_ + MellonEnvPrefix "NOLLEM_" + # MellonMergeEnvVars merges multiple values of environment variables # set using MellonSetEnv into single variable: # ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of: diff --git a/auth_mellon.h b/auth_mellon.h index a10d2a4..73aa230 100644 --- a/auth_mellon.h +++ b/auth_mellon.h @@ -237,6 +237,7 @@ typedef struct am_dir_cfg_rec { am_samesite_t cookie_samesite; apr_array_header_t *cond; apr_hash_t *envattr; + const char *env_prefix; const char *userattr; const char *idpattr; LassoSignatureMethod signature_method; diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c index fe6c910..bb50202 100644 --- a/auth_mellon_cache.c +++ b/auth_mellon_cache.c @@ -589,7 +589,7 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t) */ for(i = 0; i < t->size; ++i) { varname = am_cache_entry_get_string(t, &t->env[i].varname); - varname_prefix = "MELLON_"; + varname_prefix = d->env_prefix; /* Check if we should map this name into another name. */ env_varname_conf = (am_envattr_conf_t *)apr_hash_get( diff --git a/auth_mellon_config.c b/auth_mellon_config.c index 396ff1e..4d1e92a 100644 --- a/auth_mellon_config.c +++ b/auth_mellon_config.c @@ -36,6 +36,11 @@ static const char *default_endpoint_path = "/mellon/"; */ static const char *default_user_attribute = "NAME_ID"; +/* This is the default prefix to use for attributes received from the + * server. Customizable using the MellonEnvPrefix option + */ +static const char *default_env_prefix = "MELLON_"; + /* This is the default name of the cookie which mod_auth_mellon will set. * If you change this, then you should also update the description of the * MellonVar configuration directive. @@ -1372,8 +1377,10 @@ const command_rec auth_mellon_commands[] = { am_set_setenv_slot, NULL, OR_AUTHCFG, - "Renames attributes received from the server while retaining prefix MELLON_. The format is" - " MellonSetEnv ." + "Renames attributes received from the server while retaining the" + " prefix. The prefix defaults to MELLON_ but can be changed with" + " MellonEnvPrefix." + " The format is MellonSetEnv ." ), AP_INIT_TAKE2( "MellonSetEnvNoPrefix", @@ -1383,6 +1390,13 @@ const command_rec auth_mellon_commands[] = { "Renames attributes received from the server without adding prefix. The format is" " MellonSetEnvNoPrefix ." ), + AP_INIT_TAKE1( + "MellonEnvPrefix", + ap_set_string_slot, + (void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix), + OR_AUTHCFG, + "The prefix to use for attributes received from the server." + ), AP_INIT_FLAG( "MellonSessionDump", ap_set_flag_slot, @@ -1714,6 +1728,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d) dir->cookie_path = NULL; dir->cookie_samesite = am_samesite_default; dir->envattr = apr_hash_make(p); + dir->env_prefix = default_env_prefix; dir->userattr = default_user_attribute; dir->idpattr = NULL; dir->signature_method = inherit_signature_method; @@ -1868,6 +1883,10 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add) add_cfg->envattr : base_cfg->envattr); + new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ? + add_cfg->env_prefix : + base_cfg->env_prefix); + new_cfg->userattr = (add_cfg->userattr != default_user_attribute ? add_cfg->userattr : base_cfg->userattr); diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c index 0e6d914..170ddf1 100644 --- a/auth_mellon_diagnostics.c +++ b/auth_mellon_diagnostics.c @@ -442,6 +442,9 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg, "%sMellonCookieSameSite (cookie_samesite): %s\n", indent(level+1), am_diag_samesite_str(r, cfg->cookie_samesite)); + apr_file_printf(diag_cfg->fd, + "%sMellonEnvPrefix (env_prefix): %s\n", + indent(level+1), cfg->env_prefix); apr_file_printf(diag_cfg->fd, "%sMellonCond (cond): %d items\n", @@ -466,7 +469,7 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg, apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf); if (envattr_conf->prefixed) { - name = apr_pstrcat(r->pool, "MELLON_", + name = apr_pstrcat(r->pool, cfg->env_prefix, envattr_conf->name, NULL); } else { name = envattr_conf->name; diff --git a/doc/user_guide/mellon_user_guide.adoc b/doc/user_guide/mellon_user_guide.adoc index 000b07d..af93005 100644 --- a/doc/user_guide/mellon_user_guide.adoc +++ b/doc/user_guide/mellon_user_guide.adoc @@ -2007,11 +2007,13 @@ attributes. assertion to a name of your choosing when it is placed in the Apache environment. This is controlled by `MellonSetEnv` and `MellonSetEnvNoPrefix` directives. The distinction - is `MellonSetEnv` always prepends the `MELLON_` prefix to the + is `MellonSetEnv` always prepends a prefix to the environment variable name to help to prevent name collisions. The + prefix defaults to `MELLON_` and can be configured using the + `MellonEnvPrefix` configuration option. The `MellonSetEnvNoPrefix` directive also remaps the assertion name to a name of your choosing but it omits prepending the environment - variable name with `MELLON_`. See <> + variable name with the prefix. See <> Using the <> Mellon places these environment variables in the Apache environment. See @@ -2096,10 +2098,12 @@ and `MellonSetEnvNoPrefix` directives. These allow you to rename an assertion attribute to a name of your choosing. The `MellonSetEnv` directive follows the same convention as all other assertion attributes added by Mellon in that it always prefixes the environment -variable name with `MELLON_` to help avoid name collisions in the +variable name with a configurable prefix, which defaults to `MELLON_` to help avoid name collisions in the Apache environment. However sometimes you do not want the `MELLON_` -prefix added and instead you want to use exactly the environment -variable name as specified., `MellonSetEnvNoPrefix` serves this role. +prefix added. In case you simply want the variables prefixed with +a different string, use the `MellonEnvPrefix` configuration option. If, +instead you want to use exactly the environment variable name as specified., +`MellonSetEnvNoPrefix` serves this role. To illustrate let's look at an example. Suppose your web app is expecting an attribute which is the user's last name, specifically it @@ -2117,6 +2121,15 @@ MellonSetEnvNoPrefix REMOTE_USER_LASTNAME sn Also see <> for an example of setting the `REMOTE_USER` environment variable using `MellonSetEnvNoPrefix`. +The `MellonEnvPrefix` variable might be useful e.g. if you +are migrating from a different SP which used its own prefix +for the variables passed by the IdP. For example, to prefix +all variables with `NOLLEM_` you would use: + +---- +MellonEnvPrefix NOLLEM_ +---- + If you recieved an attribute-map.xml from your IDP that uses the `urn:mace:shibboleth:2.0:attribute-map` namespace, it can be converted to `MellonSetEnvNoPrefix` entries with `docs/mellon-attribute-map.xsl`