Several options have incorrect descriptions of their default values in
their help texts. Update the values in the descriptions.
This patch only changes the help texts Apache prints if it fails to
parse an option. It doesn't change any defaults.
The `am_hc_block_write()` used recursion when writing multiple blocks
of data. This patch changes it to a simple loop. This ensures that
there is no way that we can end up in a situation where recursion
overflows the stack here.
(curl would only call this function with 16 KiB of data, which isn't
enough to overflow the stack, but this patch makes it safe in case
curl at any point changes its behavior.)
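As an added example (not mod_auth_mellon's own `am_hc_block_write()`, whose block size and structures are not shown here), the following C code implements the same idea: a curl write callback that appends incoming data to a chain of fixed-size blocks with a loop rather than recursion, so one callback carrying far more than 16 KiB costs no extra stack. The 4 KiB block size, the `hc_` names and `hc_demo()` are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HC_BLOCK_SIZE 4096   /* assumed block size for the example */

struct hc_block { struct hc_block *next; size_t used; char data[HC_BLOCK_SIZE]; };
struct hc_buffer { struct hc_block *head, *tail; size_t total; };

/* Append len bytes, filling the tail block and allocating new blocks in a
 * loop; stack depth is constant no matter how large len is.
 * Returns len, or 0 if an allocation failed. */
size_t hc_buffer_write(struct hc_buffer *buf, const char *data, size_t len)
{
    size_t remaining = len;
    while (remaining > 0) {
        if (buf->tail == NULL || buf->tail->used == HC_BLOCK_SIZE) {
            struct hc_block *b = calloc(1, sizeof(*b));
            if (b == NULL) return 0;
            if (buf->tail) buf->tail->next = b; else buf->head = b;
            buf->tail = b;
        }
        size_t space = HC_BLOCK_SIZE - buf->tail->used;
        size_t n = remaining < space ? remaining : space;
        memcpy(buf->tail->data + buf->tail->used, data, n);
        buf->tail->used += n; buf->total += n;
        data += n; remaining -= n;
    }
    return len;
}

/* Signature matches curl's CURLOPT_WRITEFUNCTION callback. */
size_t hc_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    return hc_buffer_write((struct hc_buffer *)userdata, ptr, size * nmemb);
}

/* Copy all blocks into one NUL-terminated string; caller frees it. */
char *hc_buffer_flatten(const struct hc_buffer *buf)
{
    char *out = malloc(buf->total + 1);
    size_t off = 0;
    if (out == NULL) return NULL;
    for (struct hc_block *b = buf->head; b; b = b->next) {
        memcpy(out + off, b->data, b->used);
        off += b->used;
    }
    out[off] = '\0';
    return out;
}

size_t hc_buffer_blocks(const struct hc_buffer *buf)
{
    size_t n = 0;
    for (struct hc_block *b = buf->head; b; b = b->next) n++;
    return n;
}

void hc_buffer_free(struct hc_buffer *buf)
{
    struct hc_block *b = buf->head;
    while (b) { struct hc_block *next = b->next; free(b); b = next; }
    buf->head = buf->tail = NULL; buf->total = 0;
}

/* Demo helper: push len bytes of a constructed pattern through the callback
 * in chunk-sized calls, verify the flattened copy, and return the number of
 * blocks used (-1 on allocation failure, bad chunk size, or data mismatch). */
long hc_demo(size_t len, size_t chunk)
{
    struct hc_buffer buf = { NULL, NULL, 0 };
    char *src = malloc(len ? len : 1), *out;
    long blocks = -1;
    size_t off;
    if (src == NULL || chunk == 0) { free(src); return -1; }
    for (off = 0; off < len; off++) src[off] = (char)('A' + off % 26);
    for (off = 0; off < len; off += chunk) {
        size_t n = (len - off < chunk) ? len - off : chunk;
        if (hc_write_cb(src + off, 1, n, &buf) != n) goto done;
    }
    out = hc_buffer_flatten(&buf);
    if (out && buf.total == len && memcmp(out, src, len) == 0)
        blocks = (long)hc_buffer_blocks(&buf);
    free(out);
done:
    hc_buffer_free(&buf);
    free(src);
    return blocks;
}

int main(void)
{
    /* A 1 MiB body in curl-sized 16 KiB chunks spans 245 blocks of 4 KiB. */
    printf("blocks used: %ld\n", hc_demo(1000000, 16384));
    return 0;
}
```

The recursive version would have cost one stack frame per 4 KiB block; here the 1 MiB case above uses the same stack as a one-byte write.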
Formerly we were setting the response header "Content-Type" in
r->headers_out directly via the apr_table_setn() call. Although using
apr_table_setn() is appropriate for many HTTP headers, Apache actively
manages a small set of headers in
http_filters.c:ap_http_header_filter(). These managed headers are
derived from values maintained in the request_rec. "Content-Type" is
one of the managed headers.
Because we didn't set the r->content_type field via the
ap_set_content_type() call and instead directly updated the
r->headers_out table, our value for "Content-Type" was overwritten when
the ap_http_header_filter() was run just prior to emitting the
response, with the result that the "Content-Type" header returned to the
client was incorrect.
Signed-off-by: John Dennis <jdennis@redhat.com>
The SAML 2.0 specification requires the name to be present, but we still
should not crash when it is missing. This patch fixes the crash by skipping
over attributes without a name.
Fixes issue #101.
When MellonEnable is "auth" and we get an unauthenticated AJAX
request (identified by the X-Requested-With: XMLHttpRequest HTTP
header), fail with HTTP code 403 Forbidden instead of redirecting
to the IdP. This saves resources, as the client has no opportunity
to interact with the user to complete authentication.
MellonCookieSameSite allows control over the SameSite cookie
attribute. With this, authentication cookies can be protected
against CSRF type attacks.
The configuration directive can have values of Strict or Lax.
If not set, the attribute is not used on the authentication cookie.
https://github.com/UNINETT/mod_auth_mellon/issues/2 raises the issue
of the Cache-Control header always being set, but with some users
needing to turn it off.
This update adds the MellonSendCacheControlHeader configuration
directive which can be set to Off, resulting in the cache-control
header not being set.
All other log messages containing lasso errors already use the idiom
"Some message. Lasso error: [%i] %s", ..., rc, lasso_strerror(rc)
The different log format here leads e.g. to a double "." at the
end of the log message. Example:
Error adding metadata "/path/to/idp-metadata.xml" to lasso
server objects: Parsed XML is invalid..
Use APLOG_USE_MODULE if available.
This will also add the module name to its error log messages,
e.g. "[auth_mellon:error]" instead of just "[:error]".
No change for Apache 2.2.
Curl timeouts in auth_mellon_httpclient should be given as long
values and have semantic meaning of seconds.
The code currently passes them in as apr_time_t type which
contains seconds, although apr_time_t should contain
microseconds.
I suggest to not use apr_time_t here, because it is misleading,
and instead use a plain int. The code calling httpclient already
prepares the value as an int. Furthermore convert the value to a
long when curl_easy_setopt() is being called.
If the logout message is badly formed, we won't get the entityID in
`logout->parent.remote_providerID`. If we call `apr_hash_get()` with a
null pointer, it will cause a segmentation fault.
Add a check to validate that the entityID is correctly set.
In am_check_uid() if am_check_permissions() denies access then the
proper HTTP return code is FORBIDDEN (which is what
am_check_permissions() returns on failure). Returning the result of
am_check_permissions() is what is already done in
am_auth_mellon_user(), this just makes the behavior
consistent. Returning UNAUTHORIZED is clearly wrong, that is meant to
indicate authentication needs to be performed.
Signed-off-by: John Dennis <jdennis@redhat.com>
There was an error in the example for POSTing the AuthnRequest to
the IdP, the Content-Type header erroneously was
"application/soap+xml" when in fact it should have been "text/xml".
As background the Content-Type for SOAP 1.1 is "text/xml" but in SOAP
1.2 it was changed to "application/soap+xml". ECP is specified to
use SOAP 1.1.
Signed-off-by: John Dennis <jdennis@redhat.com>
mod_auth_mellon was interfering with other Apache authentication
modules (e.g. mod_auth_kerb) because when the Apache check_user_id
hook ran the logic in am_check_uid would execute even if mellon was
not enabled for the location. This short circuited the hook execution
and never allowed the authentication enabled for the location to
execute. It resulted in HTTP_UNAUTHORIZED being returned with the
client then expecting a WWW-Authenticate header field causing the
client to attempt to authenticate again.
Signed-off-by: John Dennis <jdennis@redhat.com>
flags.
Introduce new values for MellonSecureCookie configuration option:
'secure' and 'httponly' for setting just one particular cookie flag. Old
'On' and 'Off' values remain supported and behave the same way as
before.
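As an added example covering both the MellonSecureCookie values above ('On', 'Off', 'secure', 'httponly') and the MellonCookieSameSite directive (Strict or Lax, attribute omitted when unset), the following C code maps those directive values onto the attributes of a Set-Cookie header. It is not mod_auth_mellon's own cookie code: the `am_` function names, the flag bits, the fixed buffer and the cookie name used in `main()` are assumptions for the example, and the cookie value is assumed to be already cookie-safe.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Assumed flag bits for the example. */
#define AM_COOKIE_SECURE   0x1
#define AM_COOKIE_HTTPONLY 0x2

/* MellonSecureCookie: On -> both flags, Off -> none, secure/httponly -> one.
 * Returns -1 for a value the directive does not accept. */
int am_parse_secure_cookie(const char *v)
{
    if (v == NULL || strcasecmp(v, "Off") == 0) return 0;
    if (strcasecmp(v, "On") == 0)       return AM_COOKIE_SECURE | AM_COOKIE_HTTPONLY;
    if (strcasecmp(v, "secure") == 0)   return AM_COOKIE_SECURE;
    if (strcasecmp(v, "httponly") == 0) return AM_COOKIE_HTTPONLY;
    return -1;
}

/* MellonCookieSameSite: 0 = not set (attribute omitted), 1 = Lax,
 * 2 = Strict, -1 = unknown value ("None" is deliberately not accepted,
 * matching the two values the directive documents). */
int am_parse_samesite(const char *v)
{
    if (v == NULL) return 0;
    if (strcasecmp(v, "Lax") == 0)    return 1;
    if (strcasecmp(v, "Strict") == 0) return 2;
    return -1;
}

/* Append s to buf at *n, refusing to overflow; returns 0 on overflow. */
static int am_append(char *buf, size_t size, size_t *n, const char *s)
{
    size_t len = strlen(s);
    if (*n + len >= size) return 0;
    memcpy(buf + *n, s, len + 1);
    *n += len;
    return 1;
}

/* Build the Set-Cookie header value for the given directive values.
 * Returns a pointer to a static buffer (not thread-safe, fine for a demo),
 * or NULL if a directive value is invalid or the header does not fit. */
const char *am_cookie_from_config(const char *name, const char *value,
                                  const char *path,
                                  const char *secure_directive,
                                  const char *samesite_directive)
{
    static char buf[512];
    static const char *samesite_attr[] = { NULL, "; SameSite=Lax", "; SameSite=Strict" };
    int flags = am_parse_secure_cookie(secure_directive);
    int ss = am_parse_samesite(samesite_directive);
    size_t n = 0;
    int written;

    if (flags < 0 || ss < 0) return NULL;
    written = snprintf(buf, sizeof buf, "%s=%s; Path=%s", name, value, path);
    if (written < 0 || (size_t)written >= sizeof buf) return NULL;
    n = (size_t)written;
    if ((flags & AM_COOKIE_SECURE)   && !am_append(buf, sizeof buf, &n, "; Secure"))   return NULL;
    if ((flags & AM_COOKIE_HTTPONLY) && !am_append(buf, sizeof buf, &n, "; HttpOnly")) return NULL;
    if (ss != 0 && !am_append(buf, sizeof buf, &n, samesite_attr[ss]))              return NULL;
    return buf;
}

int main(void)
{
    /* Constructed example: cookie name and value are placeholders. */
    const char *hdr = am_cookie_from_config("mellon-cookie", "abc123", "/",
                                            "On", "Strict");
    printf("Set-Cookie: %s\n", hdr ? hdr : "(invalid configuration)");
    return 0;
}
```

With MellonSecureCookie On and MellonCookieSameSite Strict the header carries Secure, HttpOnly and SameSite=Strict; with Off and the SameSite directive unset it carries none of the three, which is the pre-patch behaviour for a cookie a CSRF request can still replay.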
If we don't, we can end up sending an authentication request to an IdP
that is not in the MellonProbeDiscoveryIdP list, which is probably not
what the user wants.
Patch by Emmanuel Dreyfus.