Commit Graph

150 Commits

Author SHA1 Message Date
Benjamin Dauvergne 8e5efe300b Add configuration directive MellonDoNotVerifyLogoutSignature
This directive allows listing IdP entityIDs for which the signature of
their logout requests must not be verified.
2012-06-28 12:42:14 +02:00
Benjamin Dauvergne da5a0dd573 Fix commit 140: error in the merge statement for authn_context_class_ref configuration variable 2012-06-28 12:41:44 +02:00
olavmrk 11319a7326 Add support for double-quoted cookie values.
JMeter may apparently use this.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@157 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-05-14 10:14:33 +00:00
olavmrk 1f848fec89 Version 0.5.0
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@156 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-04-16 09:13:16 +00:00
olavmrk 3fdc37c529 Update NEWS-file for version 0.5.0.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@155 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-04-16 09:13:09 +00:00
olavmrk 080e08fe1a Deprecate «MellonDecoder "feide"»
This attribute encoding has not been required since Moria3, which was
shut down in July 2010. This value should therefore no longer be used.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@154 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-04-12 06:38:04 +00:00
benjamin.dauvergne fd4ad9a744 Add directive MellonSubjectConfirmationDataAddressCheck
MellonSubjectConfirmationDataAddressCheck allows disabling the check of the
client address given in the IdP assertion's SubjectConfirmationData node.
This can be necessary when the client and the IdP or SP are in a NAT-ed
network, or when the SP is behind a reverse proxy.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@152 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-02-17 14:01:24 +00:00
olavmrk fc9faaec9c Support for HTTP-POST SingleSignOnService endpoint.
This patch extends mod_mellon with support for sending authentication
requests with the HTTP-POST binding.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@151 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-01-12 13:31:07 +00:00
olavmrk f97990aece Always redirect to the login URL when starting authentication.
We cannot display any pages from the am_start_auth()-function since
it runs from the access checker. We therefore need to redirect to the
login handler, which can then display web pages.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@150 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-01-12 13:31:03 +00:00
olavmrk 09c3d144e4 Split am_auth_new_ticket() into am_handle_auth() and am_start_auth().
The code in am_auth_new_ticket() was shared between the "auth"
endpoint and the code to start authentication from other requests. This
results in the possibility of unpredictable interactions between those
functions.

For example, it was possible to select the IdP from a random page by
adding the "IdP" parameter. The "ReturnTo" parameter could also affect
where the user was sent after authentication.

The result of this change is two new functions, one for starting
authentication from other requests, and one for handling the "auth"
endpoint. The "auth"-endpoint is no longer used by code, but may
be used elsewhere. It is therefore included for backwards
compatibility.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@149 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-01-12 13:30:58 +00:00
olavmrk 0e01d78375 Extract am_start_disco() from am_auth_new_ticket().
In preparation of splitting am_auth_new_ticket() into two functions,
extract the code to redirect to the discovery service into its own
function.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@148 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-01-12 13:30:54 +00:00
olavmrk 192940fa93 Move discovery response endpoint to "login" instead of "auth".
We now have a "login" endpoint that can be used for triggering
authentication. Make the discovery service send its response to that
page.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@147 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-01-12 13:30:50 +00:00
olavmrk d08bab7148 Fix entityID sent to discovery service.
We assumed that the SP entityID was always the endpoint path
followed by "metadata". This does not need to be the case. This patch
changes it to fetch the SP entityID from the SP metadata.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@146 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-01-12 13:30:45 +00:00
olavmrk 3ebab79c16 Do not set headers twice.
For historic reasons, we added several headers to both "headers_out"
and "err_headers_out". This has the unfortunate side effect of sending
the headers twice. This change modifies the code to only add those
headers to "err_headers_out", which is sent both for successful
requests and for errors.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@145 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-01-12 13:30:39 +00:00
olavmrk aca9396809 Merge am_endpoint_handler() and am_handler().
We currently handle requests to many endpoints from the access control
hooks. This change bypasses access control in those cases, and handles
the requests from the "handler" hook instead.

This change is necessary to be able to do anything other than redirects
from the handlers. As a side effect, it also simplifies the code.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@144 a716ebb1-153a-0410-b759-cfb97c6a1b53
2012-01-12 13:30:34 +00:00
olavmrk 9b10315fa3 Compatibility with older versions of the apr library.
The APR_ARRAY_PUSH() macro was recently added to apr. Instead of using
it, just use apr_array_push().

Thanks to Benjamin Dauvergne for providing this patch!

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@143 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-12-14 07:09:17 +00:00
olavmrk 5a9e2ef0ce Initialize AuthnRequest with asked AuthnContextClassRef if needed
Thanks to Benjamin Dauvergne for implementing this.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@142 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-12-07 10:19:44 +00:00
olavmrk f5852c98ce Add checking for AuthContextClassRef
- If the request is missing the needed AuthnStatement or AuthnContext
  elements, HTTP status BadRequest is returned.
- If the request does not match one of the required AuthnContextClassRef
  values, HTTP status Forbidden is returned.

Thanks to Benjamin Dauvergne for implementing this.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@141 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-12-07 10:19:40 +00:00
olavmrk 2c8f97649f Add MellonAuthnContextClassRef to configuration directives
You can list many class refs; they will be concatenated inside an array.
Beware that in each directory, if there is any
MellonAuthnContextClassRef directive, any settings from the previous
level are overwritten.

Thanks to Benjamin Dauvergne for implementing this.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@140 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-12-07 10:19:35 +00:00
manu@netbsd.org 08c4663f33 Honour MellonProbeDiscoveryIdP order when sending probes
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@139 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-12-05 19:06:44 +00:00
olavmrk c7ebc20d0a Check for version 2.14 of GLib.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@138 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-09-23 11:27:49 +00:00
olavmrk 624e77012b Avoid dependency on GLib 2.16.
We used GHashTableIter, which wasn't introduced before version 2.16 of
GLib. This patch changes the code to simply use g_hash_table_get_keys
instead.

(This means that we depend on GLib 2.14.)

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@137 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-09-23 11:27:43 +00:00
olavmrk bd75567ca2 Avoid using APR_ARRAY_IDX.
APR_ARRAY_IDX is a relatively new macro in the APR package, so we
should avoid using it.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@134 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 12:45:23 +00:00
olavmrk afd97cbed8 Version 0.4.0.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@132 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:49:43 +00:00
olavmrk 2918dd0846 Update news for version 0.4.0.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@131 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:49:37 +00:00
olavmrk 6781ff90ac Add support for inheriting lasso_server objects.
Change configuration to inherit the lasso_server objects when nothing
affecting the lasso_server object changes from the parent configuration
object.

This should speed up processing of requests where you have
request-specific configuration changes, such as access control rules.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@130 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:49:32 +00:00
olavmrk b68c7c641d Add support for loading federation metadata files.
Patch originally created by Emmanuel Dreyfus, some changes by me.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@129 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:49:25 +00:00
olavmrk 433634737d Remove unused function am_get_provider_id().
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@128 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:49:21 +00:00
olavmrk 2d9911f4d0 Change am_server_add_providers to return number of providers from LassoServer object.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@127 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:49:14 +00:00
olavmrk 5e43170724 Change cfg->idp_metadata_files to an array instead of a hash.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@126 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:49:08 +00:00
olavmrk e48e01904c Change am_handle_probe_discovery() to use providers from LassoServer.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@125 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:49:03 +00:00
olavmrk fbd59b5a1d Change am_get_idp() to use providers from LassoServer.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@124 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:48:57 +00:00
olavmrk 8a4748cd64 Change am_first_idp() to retrieve the entityID from the LassoServer object.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@123 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:48:52 +00:00
olavmrk 7f217a0356 Move am_get_idp() and am_first_idp() to after am_get_lasso_server().
This is in preparation of using am_get_lasso_server from those functions.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@122 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-18 10:48:47 +00:00
benjamin.dauvergne 1f7b8d8e60 Unbreak logout for lasso version >= 2.3.0
Lasso initializes the SessionIndex attribute of the LogoutRequest message
itself since release 2.3.4 and directly removes the related assertions
since 2.3.0, so the old way to initialize the SessionIndex cannot work
anymore. Between versions 2.3.0 and 2.3.4 it just cannot work at all, but
it is better to send a broken logout request missing the SessionIndex
attribute than to raise a segmentation fault.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@121 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-05-04 07:50:21 +00:00
benjamin.dauvergne f2f5880039 Add MellonCookieDomain and MellonCookiePath directives
These allow setting the domain and the path, respectively, of the mellon
cookie. Without these, the domain defaults to the domain returned by
ap_get_server_name() (see
http://httpd.apache.org/dev/apidoc/apidoc_ap_get_server_name.html)
and the path to "/".

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@120 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-04-07 11:32:26 +00:00
olavmrk 900f46ce16 Makefile: Fix invocation of apxs.
New versions of apxs require the use of -Wc and -Wl for passing flags
to the compiler and linker.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@119 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-03-30 07:40:23 +00:00
olavmrk 576c273226 Fix leak of lasso_server objects.
Unfortunately, the lasso_server objects were never destroyed, which
led to a memory leak when using request-specific configuration.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@118 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-03-30 07:40:15 +00:00
manu@netbsd.org e95de17171 New MellonIdPMetadataGlob directive to load multiple IdP metadata
using a glob(3) pattern.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@117 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-03-23 15:05:19 +00:00
manu@netbsd.org 738cde54f8 Regexp backreference substitution in MellonCond
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@116 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-03-22 17:19:24 +00:00
olavmrk adc2367c38 Properly terminate parameter list for apr_pstrcat.
On 64-bit, "0" is a 32-bit integer while the parameter list should be
terminated by a 64-bit NULL pointer. Change the parameter to NULL to
avoid possible misbehaviour due to this.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@115 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-03-18 08:58:58 +00:00
manu@netbsd.org 4a774de00c New MellonCond directive to enable attribute filtering beyond MellonRequire
functionalities. Supports regexp, negations, and attribute name remapping
through MellonSetEnv

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@114 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-03-17 05:20:40 +00:00
manu@netbsd.org 7cb7b968e3 A /mellon/probeDisco endpoint replaces the builtin:get-metadata IdP
discovery URL scheme. It is configured using the MellonProbeDiscoveryTimeout
and MellonProbeDiscoveryIdP directives.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@113 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-03-09 06:20:16 +00:00
manu@netbsd.org 0a47fe1972 Allow MellonUser variable to be translated through MellonSetEnv
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@112 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-03-02 13:08:09 +00:00
olavmrk 73553d9987 Fix references to MellonPostDirectory in README and in a comment.
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@111 a716ebb1-153a-0410-b759-cfb97c6a1b53
2011-02-18 14:03:19 +00:00
benjamin.dauvergne f0ca39b15e Change implementation of am_get_endpoint_url to use ap_construct_url
ap_construct_url() uses the ServerName directive to reconstruct an
absolute URL. This allows forcing the use of an https:// URL (needed when
you are behind an SSL proxy) by configuring your VirtualHost
like this:

ServerName https://example.com

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@110 a716ebb1-153a-0410-b759-cfb97c6a1b53
2010-10-21 13:07:50 +00:00
benjamin.dauvergne 808bb7f277 Report the received Recipient for error on SubjectConfirmationData
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@109 a716ebb1-153a-0410-b759-cfb97c6a1b53
2010-09-28 15:54:33 +00:00
benjamin.dauvergne 07deabfce4 Fix error for query string starting character
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@108 a716ebb1-153a-0410-b759-cfb97c6a1b53
2010-09-28 15:54:29 +00:00
benjamin.dauvergne 7204edb1ef Fix segfault when no assertion is found
git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@107 a716ebb1-153a-0410-b759-cfb97c6a1b53
2010-09-28 15:54:25 +00:00
benjamin.dauvergne be8b61df15 Remove compiler warning
Those unused variables are only used by one branch of the preprocessor
conditional.

git-svn-id: https://modmellon.googlecode.com/svn/trunk/mod_mellon2@106 a716ebb1-153a-0410-b759-cfb97c6a1b53
2010-09-28 15:54:21 +00:00