Merge pull request #211 from siemens/feat/authn-context-comparision-type

feat: add MellonAuthnContextComparisonType option
This commit is contained in:
Olav Morken 2019-07-23 13:19:31 +02:00 committed by GitHub
commit 31e324d15c
6 changed files with 67 additions and 4 deletions


@ -532,6 +532,10 @@ MellonDiagnosticsEnable Off
# MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
# This option will set the "Comparsion" attribute within the AuthnRequest
# It could be set to "exact", "minimum", "maximum" or "better"
# MellonAuthnContextComparisonType "minimum"
# MellonSubjectConfirmationDataAddressCheck is used to control
# the checking of client IP address against the address returned by the
# IdP in Address attribute of the SubjectConfirmationData node. Can be useful if your SP is


@ -1,7 +1,7 @@
/*
*
* auth_mellon.h: an authentication apache module
* Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
* Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -292,6 +292,9 @@ typedef struct am_dir_cfg_rec {
/* AuthnContextClassRef list */
apr_array_header_t *authn_context_class_ref;
/* AuthnContextComparisonType */
const char *authn_context_comparison_type;
/* Controls the checking of SubjectConfirmationData.Address attribute */
int subject_confirmation_data_address_check;
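Review bot: The comment on the new `authn_context_comparison_type` field is just `/* AuthnContextComparisonType */` and leaves both the value domain and the meaning of NULL undocumented. Elsewhere in this commit the field is only ever assigned one of the `LASSO_LIB_AUTHN_CONTEXT_COMPARISON_*` strings by the config slot, is initialised to NULL in `auth_mellon_dir_config`, and NULL makes the handler skip the assignment, so the contract is easy to state. Suggest `/* AuthnContextComparisonType: one of the LASSO_LIB_AUTHN_CONTEXT_COMPARISON_* strings, or NULL to omit the Comparison attribute from the AuthnRequest */`. The `am_dir_cfg_rec` definition starts outside the hunk.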


@ -1,7 +1,7 @@
/*
*
* auth_mellon_config.c: an authentication apache module
* Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
* Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -759,6 +759,42 @@ static const char *am_set_setenv_no_prefix_slot(cmd_parms *cmd,
return NULL;
}
/* This function handles the MellonAuthnContextComparisonType option.
* It could be set to "exact", "minimum", "maximum" or "better"
*
* Parameters:
* cmd_parms *cmd The command structure for this configuration
* directive.
* void *struct_ptr Pointer to the current directory configuration.
* const char *arg The string argument following this configuration
* directive in the configuraion file.
*
* Returns:
* NULL on success or an error string if the argument is wrong.
*/
static const char *am_set_authn_context_comparison_type_slot(cmd_parms *cmd,
void *struct_ptr,
const char *arg)
{
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT)) {
d->authn_context_comparison_type =
LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT;
} else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM)) {
d->authn_context_comparison_type =
LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM;
} else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM)) {
d->authn_context_comparison_type =
LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM;
} else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER)) {
d->authn_context_comparison_type =
LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER;
} else {
return "parameter must be 'exact', 'minimum', 'maximum' or 'better'";
}
return NULL;
}
/* This function decodes MellonCond flags, such as [NOT,REG]
*
@ -1593,6 +1629,13 @@ const command_rec auth_mellon_commands[] = {
"A list of AuthnContextClassRef to request in the AuthnRequest and "
"to validate upon reception of an Assertion"
),
AP_INIT_TAKE1(
"MellonAuthnContextComparisonType",
am_set_authn_context_comparison_type_slot,
NULL,
OR_AUTHCFG,
"An AuthnContextComparisonType attribute as part of the AuthnRequest."
),
AP_INIT_FLAG(
"MellonSubjectConfirmationDataAddressCheck",
ap_set_flag_slot,
@ -1763,6 +1806,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
dir->inherit_server_from = dir;
dir->server = NULL;
dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));
dir->authn_context_comparison_type = NULL;
dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check;
dir->send_cache_control_header = inherit_send_cache_control_header;
dir->do_not_verify_logout_signature = apr_hash_make(p);
@ -2004,6 +2048,10 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
add_cfg->authn_context_class_ref :
base_cfg->authn_context_class_ref);
new_cfg->authn_context_comparison_type = (add_cfg->authn_context_comparison_type != NULL ?
add_cfg->authn_context_comparison_type :
base_cfg->authn_context_comparison_type);
new_cfg->do_not_verify_logout_signature = apr_hash_copy(p,
(apr_hash_count(add_cfg->do_not_verify_logout_signature) > 0) ?
add_cfg->do_not_verify_logout_signature :
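Review bot: In `am_set_authn_context_comparison_type_slot` the four `if`/`else if` branches are identical apart from the constant they test and store, and the accepted set is then repeated a third time in the error string; a small table of the allowed `LASSO_LIB_AUTHN_CONTEXT_COMPARISON_*` values iterated in one loop keeps the "compare case-insensitively, store the canonical lasso string" behaviour in a single place. This assumes those names are string-literal macros, as lasso defines them, so they can sit in a `static const char *const` array. The doc comment above the function also has a typo, `configuraion` for `configuration`. The other hunks in this file (command table, `auth_mellon_dir_config`, `auth_mellon_dir_merge`) look consistent with the existing entries around them.
```c
static const char *am_set_authn_context_comparison_type_slot(cmd_parms *cmd,
                                                             void *struct_ptr,
                                                             const char *arg)
{
    am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
    /* Canonical values lasso accepts for RequestedAuthnContext/@Comparison. */
    static const char *const allowed[] = {
        LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT,
        LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM,
        LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM,
        LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER,
    };

    for (size_t i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++) {
        if (!strcasecmp(arg, allowed[i])) {
            /* Store the lasso constant, not arg, so the emitted attribute is
             * always in canonical case. */
            d->authn_context_comparison_type = allowed[i];
            return NULL;
        }
    }
    return "parameter must be 'exact', 'minimum', 'maximum' or 'better'";
}
```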


@ -620,7 +620,9 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
"%s[%2d]: %s\n",
indent(level+2), i, context_class);
}
apr_file_printf(diag_cfg->fd,
"%sMellonAuthnContextComparisonType (authn_context_comparison_type): %s\n",
indent(level+1), cfg->authn_context_comparison_type);
apr_file_printf(diag_cfg->fd,
"%sMellonSubjectConfirmationDataAddressCheck"
" (subject_confirmation_data_address_check): %s\n",
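Review bot: The new `apr_file_printf` passes `cfg->authn_context_comparison_type` directly to `%s`, and that pointer is NULL whenever the directive is not set (`auth_mellon_dir_config` initialises it to NULL). APR's formatter renders a NULL `%s` argument as `(null)`, which is what the updated expected-output file shows, but that leans on a formatter-specific courtesy rather than on the code. An explicit fallback such as `cfg->authn_context_comparison_type ? cfg->authn_context_comparison_type : "(null)"` keeps the output identical while making the unset case visible in the source; `am_diag_log_dir_cfg` begins outside the hunk.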


@ -1,7 +1,7 @@
/*
*
* auth_mellon_handler.c: an authentication apache module
* Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
* Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -2895,6 +2895,11 @@ static int am_init_authn_request_common(request_rec *r,
"adding AuthnContextClassRef %s to the "
"AuthnRequest", ref);
}
if (dir_cfg->authn_context_comparison_type != NULL) {
lasso_assign_string(request->RequestedAuthnContext->Comparison,
dir_cfg->authn_context_comparison_type);
}
}
LASSO_PROFILE(login)->msg_relayState = g_strdup(return_to_url);
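Review bot: The new `if` that assigns `request->RequestedAuthnContext->Comparison` sits inside an enclosing block that closes immediately after it and begins outside the hunk; the lines just above iterate the configured AuthnContextClassRef entries, so if that block is only entered when at least one MellonAuthnContextClassRef is configured, a MellonAuthnContextComparisonType set on its own is silently ignored, and `request->RequestedAuthnContext` being non-NULL here depends on that same block having created it. Neither the new sample-config comment nor the directive help string mentions that dependency. Suggest stating it in the sample config, e.g. `# Only used when at least one MellonAuthnContextClassRef is configured`, and, if the inference holds, logging a warning from the handler when the comparison type is set while the class-ref list is empty, so the misconfiguration is not invisible. `am_init_authn_request_common` starts outside the hunk.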


@ -3598,6 +3598,7 @@ Mellon Directory Configuration for URL: /saml-test/protected.html
MellonProbeDiscoveryTimeout (probe_discovery_timeout): -1
MellonProbeDiscoveryIdP (probe_discovery_idp): 0 items
MellonAuthnContextClassRef (authn_context_class_ref): 0 items
MellonAuthnContextComparisonType (authn_context_comparison_type): (null)
MellonSubjectConfirmationDataAddressCheck (subject_confirmation_data_address_check): On
MellonDoNotVerifyLogoutSignature (do_not_verify_logout_signature): 0 items
MellonPostReplay (post_replay): On