From abd1ee22aabe2a7cbe8b719544499485e7037bb4 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora
Date: Fri, 24 Apr 2015 13:34:18 +0200
Subject: Add support for replacement placeholders %s and %u.
---
 README | 14 ++++++++++++++
 mod_authnz_pam.c | 37 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/README b/README
index 3f5d8e9..4e5d11e 100644
--- a/README
+++ b/README
@@ -80,6 +80,20 @@ FreeIPA server, the setting would be
 AuthPAMExpiredRedirect https:///ipa/ui/reset_password.html
+It is also possible to use placeholders in the URL that will be replaced
+with current location (for backreference) and username (to prefill)
+on the target page:
+
+ %s URL of the current page
+ %u The username that was used for the PAM authentication
+ %% The character % itself.
+
+For example for FreeIPA 4.1+, the value can actually be
+
+ https:///ipa/ui/reset_password.html?url=%s
+
+SELinux:
+
 On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to be enabled:
diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c
index 0568fdf..3de486e 100644
--- a/mod_authnz_pam.c
+++ b/mod_authnz_pam.c
@@ -71,6 +71,41 @@ static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, s
 return PAM_SUCCESS;
 }
+static const char * format_location(request_rec * r, const char * url, const char *login) {
+ const char * out = "";
+ const char * p = url;
+ const char * append = NULL;
+ while (*p) {
+ if (*p == '%') {
+ if (*(p + 1) == '%') {
+ append = "%";
+ } else if (*(p + 1) == 's') {
+ append = ap_construct_url(r->pool, r->uri, r);
+ if (r->args) {
+ append = apr_pstrcat(r->pool, append, "?", r->args, NULL);
+ }
+ } else if (*(p + 1) == 'u') {
+ append = login;
+ }
+ }
+ if (append) {
+ char * prefix = "";
+ if (p != url) {
+ prefix = apr_pstrndup(r->pool, url, p - url);
+ }
+ out = apr_pstrcat(r->pool, out, prefix, ap_escape_urlencoded(r->pool, append), NULL);
+ p++;
+ url = p + 1;
+ append = NULL;
+ }
+ p++;
+ }
+ if (p != url) {
+ out = apr_pstrcat(r->pool, out, url, NULL);
+ }
+ return out;
+}
+
 module AP_MODULE_DECLARE_DATA authnz_pam_module;
 #define _REMOTE_USER_ENV_NAME "REMOTE_USER"
@@ -109,7 +144,7 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "mod_authnz_pam: PAM_NEW_AUTHTOK_REQD: redirect to [%s]", conf->expired_redirect_url);
- apr_table_addn(r->headers_out, "Location", conf->expired_redirect_url);
+ apr_table_addn(r->headers_out, "Location", format_location(r, conf->expired_redirect_url, login));
 return HTTP_TEMPORARY_REDIRECT;
 }
 }
-- cgit
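Review bot: In the `%s` branch of format_location the back-reference is assembled from `r->uri` plus `r->args`; `r->uri` is normally the already-decoded path at this point, so a request path that contained an encoded `?`, `#`, `%` or space will presumably not round-trip once the target page decodes the `url` parameter. Building it from the request as the client sent it, `append = ap_construct_url(r->pool, r->unparsed_uri, r);`, would avoid that and make the separate `r->args` concatenation unnecessary. Every substituted value is client-influenced (path, query, login, and the host part when the server name follows the request's Host header, which depends on UseCanonicalName), so the function deserves a header comment such as `/* Expands %s, %u and %% in url; substituted values are request-derived and form-urlencoded, so placeholders belong in query-string values only and the receiving page must validate them. */`. Note also that `%%` passes through `ap_escape_urlencoded` and is emitted as `%25`, which differs from the README wording "The character % itself".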
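Review bot: The `ap_log_error` call directly above the changed line still prints `conf->expired_redirect_url`, the unexpanded template, while the `Location` header now carries the expanded value, so the "redirect to [%s]" message no longer records where the client was actually sent. Consider computing the value once, `const char * location = format_location(r, conf->expired_redirect_url, login);`, and passing `location` to `apr_table_addn`; whether to log it as well is a trade-off, because the expanded value contains the username and the request's query string, and if the template stays in the log the message should say so. pam_authenticate_with_login_password starts and ends outside this hunk, so whether `login` can be NULL here is not visible; in that case format_location leaves `%u` in the output unexpanded.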