From 4d27bb9e099dc0becbd7eeb20f950a5969db6272 Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Tue, 19 Nov 2013 10:58:59 +0800 Subject: Call lookup_identity_hook from mod_lookup_identity if it exists, after the (new) r->user was set. --- README | 13 +++++++++---- mod_intercept_form_submit.c | 14 ++++++++++++++ 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/README b/README index ffec64b..2c2c884 100644 --- a/README +++ b/README @@ -7,10 +7,15 @@ retrieves the login and password information from the POST HTTP request, runs PAM authentication with those credentials, and sets the REMOTE_USER environment variable if the authentication passes. The internal r->user field is also set so other modules can use it (even -if the module is invoked very late in the request processing). If the -REMOTE_USER is already set (presumably by some previous module), no -authentication takes place. If the PAM authentication fails, environment -variable EXTERNAL_AUTH_ERROR is set to the string describing the error. +if the module is invoked very late in the request processing). The +lookup_identity_hook from mod_lookup_identity is explicitly called +after the r->user is set. + +If the REMOTE_USER is already set (presumably by some previous module), +no authentication takes place. + +If the PAM authentication fails, environment variable +EXTERNAL_AUTH_ERROR is set to the string describing the error. The assumption is that the application will be amended to trust the REMOTE_USER value if it is set and skip its own login/password diff --git a/mod_intercept_form_submit.c b/mod_intercept_form_submit.c index 833b29a..b95d1ec 100644 --- a/mod_intercept_form_submit.c +++ b/mod_intercept_form_submit.c @@ -16,6 +16,7 @@ */ #include "apr_strings.h" +#include "apr_optional.h" #include "http_core.h" #include "http_log.h" #include "http_config.h" 
@@ -37,6 +38,9 @@ typedef struct { module AP_MODULE_DECLARE_DATA intercept_form_submit_module; +APR_DECLARE_OPTIONAL_FN(int, lookup_identity_hook, (request_rec * r)); +static APR_OPTIONAL_FN_TYPE(lookup_identity_hook) * lookup_identity_hook_fn = NULL; + const char * add_login_to_blacklist(cmd_parms * cmd, void * conf_void, const char * arg) { ifs_config * cfg = (ifs_config *) conf_void; if (cfg) { @@ -103,8 +107,17 @@ int pam_authenticate_with_login_password(request_rec * r, const char * pam_servi r->user = login; ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, r->server, "mod_intercept_form_submit: PAM authentication passed for user %s", login); pam_end(pamh, ret); + if (lookup_identity_hook_fn) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "calling lookup_identity_hook"); + lookup_identity_hook_fn(r); + } else { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "not calling lookup_identity_hook, is NULL"); + } return 1; } +void register_lookup_identity_hook_fn(void) { + lookup_identity_hook_fn = APR_RETRIEVE_OPTIONAL_FN(lookup_identity_hook); +} int hex2char(int c) { if (c >= '0' && c <= '9') @@ -361,6 +374,7 @@ void * merge_dir_conf(apr_pool_t * pool, void * base_void, void * add_void) { static void register_hooks(apr_pool_t * pool) { ap_hook_insert_filter(intercept_form_submit_init, NULL, NULL, APR_HOOK_MIDDLE); ap_register_input_filter("intercept_form_submit_filter", intercept_form_submit_filter, NULL, AP_FTYPE_RESOURCE); + ap_hook_optional_fn_retrieve(register_lookup_identity_hook_fn, NULL, NULL, APR_HOOK_MIDDLE); } module AP_MODULE_DECLARE_DATA intercept_form_submit_module = { -- cgit
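Review bot: The `APR_DECLARE_OPTIONAL_FN(int, lookup_identity_hook, (request_rec * r));` line added near the top of mod_intercept_form_submit.c is a local copy of a prototype owned by mod_lookup_identity, and nothing in the file says so. The function is retrieved by name at runtime and called through this type, so a signature change on the other side would not be caught by the compiler. I would add a comment above the declaration such as `/* Optional function exported by mod_lookup_identity; this prototype must match that module's declaration. The pointer stays NULL when the module is not loaded. */`, or include that module's header if it ships one.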
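Review bot: The `int` result of `lookup_identity_hook_fn(r)` is discarded in pam_authenticate_with_login_password, so a failed identity lookup leaves no trace and the function still returns 1 with r->user set. The meaning of the return codes is defined in mod_lookup_identity and is not visible here, but the value should at least be captured and logged, e.g. `int hook_ret = lookup_identity_hook_fn(r);` followed by `ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: lookup_identity_hook returned %d", hook_ret);`. The two new log messages also lack the `mod_intercept_form_submit: ` prefix used by the existing message just above them, which makes them harder to attribute in a shared error log. Separately, `register_lookup_identity_hook_fn` appears to be used only by register_hooks in this file and should be declared `static void` so it does not become a global symbol in the server process. The body of pam_authenticate_with_login_password starts outside the hunk.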