From 5a869128a4371445471bcd86392680c096240d2c Mon Sep 17 00:00:00 2001
From: Jan Pazdziora <jpazdziora@redhat.com>
Date: Fri, 17 Jan 2014 14:41:19 +0800
Subject: Process incoming HTTP headers in application on backend.

Caution: make sure the application is only accessible via a proxy
which will properly clear and set these headers, so that the end user
cannot gain extra privileges.
---
 README               | 12 +++++++++---
 app.cgi              |  8 ++++++++
 app.conf             | 13 +++++++++++--
 lookup_identity.conf | 23 +++++++++++++++++++++++
 proxy_frontend.conf  | 13 +++++++++++++
 5 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 proxy_frontend.conf

diff --git a/README b/README
index 1368955..c191769 100644
--- a/README
+++ b/README
@@ -4,11 +4,17 @@ with login form and logout page. It is intentionally written in simple
 perl with the CGI.pm module only used to parse POST values and HTTP
 cookie values, to make it easy to tweak and explore.
 
-If the script is placed to /var/www/app/app.cgi, the following Apache
-httpd directive will enable it on http://server-name/application
+If the script is placed to /var/www/backend/app.cgi, the following Apache
+httpd directive will enable it on backend http://server-name/bapplication
 location:
 
-	ScriptAlias /application /var/www/app/app.cgi
+	ScriptAlias /bapplication /var/www/backend/app.cgi
+
+Then on the frontend server
+
+	ProxyPass /application http://server-name/bapplication
+
+will ensure redirection to the backend server.
 
 The script uses HTTP cookie the-test-cookie to either have value
 ok:login to mean user login is logged in, or value xx to mean the user
diff --git a/app.cgi b/app.cgi
index badc13a..31a9f4a 100755
--- a/app.cgi
+++ b/app.cgi
@@ -22,6 +22,14 @@ my $LOGIN = '/login';
 my $LOGOUT = '/logout';
 my $AUTH_COOKIE = 'the-test-cookie';
 
+if (defined $ENV{FRONTEND_SCRIPT_NAME}) {
+	$ENV{SCRIPT_NAME} = $ENV{FRONTEND_SCRIPT_NAME};
+
+	for my $x (map { /^HTTP_(REMOTE_USER.*)/ ? ($1) : () } keys %ENV) {
+		$ENV{$x} = $ENV{"HTTP_$x"};
+	}
+}
+
 my $q = new CGI;
 my $cookie = $q->cookie($AUTH_COOKIE);
 my ($user, $name);
diff --git a/app.conf b/app.conf
index bba0242..736123b 100644
--- a/app.conf
+++ b/app.conf
@@ -1,3 +1,12 @@
+Listen localhost:8888
+<VirtualHost localhost:8888>
+ServerName localhost:8888
+ScriptAlias /bapplication /var/www/backend/app.cgi
 
-ScriptAlias /application /var/www/app/app.cgi
-
+<Location /bapplication>
+	SetEnv FRONTEND_SCRIPT_NAME /application
+	Order deny,allow
+	Deny from all
+	Allow from 127.0.0.1 ::1
+</Location>
+</VirtualHost>
diff --git a/lookup_identity.conf b/lookup_identity.conf
index 8022d07..5377c28 100644
--- a/lookup_identity.conf
+++ b/lookup_identity.conf
@@ -6,5 +6,28 @@ LookupUserAttr mail REMOTE_USER_EMAIL " "
 LookupUserAttr givenname REMOTE_USER_FIRSTNAME
 LookupUserAttr sn REMOTE_USER_LASTNAME
 LookupUserGroups REMOTE_USER_GROUPS ":"
+LookupUserGroupsIter REMOTE_USER_GROUP
+
+RequestHeader unset REMOTE-USER-EMAIL
+RequestHeader unset REMOTE-USER-FIRSTNAME
+RequestHeader unset REMOTE-USER-LASTNAME
+RequestHeader unset REMOTE-USER-GECOS
+RequestHeader unset REMOTE-USER-GROUPS
+
+RequestHeader unset REMOTE-USER-GROUP-N
+RequestHeader unset REMOTE-USER-GROUP-1
+RequestHeader unset REMOTE-USER-GROUP-2
+RequestHeader unset REMOTE-USER-GROUP-3
+
+RequestHeader set REMOTE-USER-EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+RequestHeader set REMOTE-USER-FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+RequestHeader set REMOTE-USER-LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+RequestHeader set REMOTE-USER-GECOS %{REMOTE_USER_GECOS}e env=REMOTE_USER_GECOS
+RequestHeader set REMOTE-USER-GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+
+RequestHeader set REMOTE-USER-GROUP-N %{REMOTE_USER_GROUP_N}e env=REMOTE_USER_GROUP_N
+RequestHeader set REMOTE-USER-GROUP-1 %{REMOTE_USER_GROUP_1}e env=REMOTE_USER_GROUP_1
+RequestHeader set REMOTE-USER-GROUP-2 %{REMOTE_USER_GROUP_2}e env=REMOTE_USER_GROUP_2
+RequestHeader set REMOTE-USER-GROUP-3 %{REMOTE_USER_GROUP_3}e env=REMOTE_USER_GROUP_3
 </LocationMatch>
 
diff --git a/proxy_frontend.conf b/proxy_frontend.conf
new file mode 100644
index 0000000..537c820
--- /dev/null
+++ b/proxy_frontend.conf
@@ -0,0 +1,13 @@
+ProxyPass /application http://localhost:8888/bapplication
+
+<LocationMatch ^/application/login>
+RequestHeader unset Authorization
+
+# Put mod_auth_kerb's authentication result (r->user) to env variable
+RewriteEngine on
+RewriteCond %{REMOTE_USER} (.+)
+RewriteRule ^.+$ - [E=REMOTE_USER:%1]
+
+RequestHeader unset REMOTE-USER
+RequestHeader set REMOTE-USER %{REMOTE_USER}e env=REMOTE_USER
+</LocationMatch>
-- 
cgit