author | Jan Pazdziora <jpazdziora@redhat.com> | 2016-01-20 09:21:50 +0100 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2016-01-20 11:41:55 +0100 |
commit | daaa787693be43779da944bc627ed334dd50ff2f (patch) | |
tree | 50a137e2e78d54f8fd151b3df685d821c1c0d79c | |
parent | 9c8d405a957063289cefc08ff9b4bb82f831a5a5 (diff) | |
Add support for Base64 encoded HTTP header output.
-rw-r--r-- | README | 34 | ||||
-rw-r--r-- | mod_lookup_identity.c | 24 |
2 files changed, 53 insertions, 5 deletions
@@ -81,6 +81,8 @@ The default behaviour can be changed with the following directives: Notes: Sets the Apache notes table only Env: Sets environment variables only Headers: Sets HTTP request headers, for use by proxy setups. + Headers-Base64: Sets HTTP request headers with values + Base64-encoded, for use by proxy setups. The default is Notes and Env. @@ -122,6 +124,17 @@ The default behaviour can be changed with the following directives: the value will be either staff or student (the first in the list returned by the sssd dbus call; order not to be relied on). + When + + LookupOutput headers-base64 + + is specified, the values are encoded individually and then + concatenated. For the staff and student values example, + + LookupUserGroups REMOTE-USER-GROUPS : + + will produce c3RhZmY=:c3R1ZGVudA==. + When prefixed with '+' sign and the note/environment variable already has some value set, behaviour differs depending on whether the optional separator is specified or not. If it is, @@ -168,6 +181,22 @@ The default behaviour can be changed with the following directives: (or the values of REMOTE_USER_GROUPS_1 and REMOTE_USER_GROUPS_2 will be flipped). + When + + LookupOutput headers-base64 + + is specified and assuming + + LookupUserGroupsIter REMOTE-USER-GROUPS + + the HTTP header values will be + + REMOTE-USER-GROUPS-N=2 + REMOTE-USER-GROUPS-1=c3RhZmY= + REMOTE-USER-GROUPS-2=c3R1ZGVudA== + + Note that the numerical <name>_N is not Base64-encoded. + If user is not a member of any group, the <name>_N value will be set to 0. @@ -213,7 +242,8 @@ The default behaviour can be changed with the following directives: LookupUserAttr mail REMOTE_USER_MAIL ", " will retrieve all the values and store them as coma-separated - string. + string. The same way as with LookupUserGroups, headers-base64 + will first Base64 encode and then concatenate. When the name is prefixed with '+' sign, similar to LookupUserGroups it will only set the value if not set yet, or append to existing 
@@ -301,7 +331,7 @@ in and will not be available.
 License
 -------
-Copyright 2013--2015 Jan Pazdziora
+Copyright 2013--2016 Jan Pazdziora
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/mod_lookup_identity.c b/mod_lookup_identity.c
index 1d6adb3..33ae2a0 100644
--- a/mod_lookup_identity.c
+++ b/mod_lookup_identity.c
@@ -1,6 +1,6 @@
 /*
- * Copyright 2013--2015 Jan Pazdziora
+ * Copyright 2013--2016 Jan Pazdziora
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -53,6 +53,7 @@ static const int LOOKUP_IDENTITY_OUTPUT_NONE = 128;
 static const int LOOKUP_IDENTITY_OUTPUT_NOTES = 1;
 static const int LOOKUP_IDENTITY_OUTPUT_ENV = 2;
 static const int LOOKUP_IDENTITY_OUTPUT_HEADERS = 4;
+static const int LOOKUP_IDENTITY_OUTPUT_HEADERS_BASE64 = 8;
 static char * LOOKUP_IDENTITY_OUTPUT_GECOS = "REMOTE_USER_GECOS";
@@ -304,6 +305,17 @@ static DBusMessage * lookup_identity_dbus_message(request_rec * r, DBusConnectio
 }
 #endif
+static apr_array_header_t * base64_encode_array(apr_pool_t * p, const apr_array_header_t * values) {
+ if (! values)
+ return NULL;
+ apr_array_header_t * base64_values = apr_array_make(p, values->nelts, sizeof(char *));
+ for (int i = 0; i < values->nelts; i++) {
+ *(char **)apr_array_push(base64_values) = ap_pbase64encode(p, ((char **)values->elts)[i]);
+ }
+ ap_assert(values->nelts == base64_values->nelts);
+ return base64_values;
+}
+
 static void lookup_identity_output_iter_to(request_rec * r, apr_table_t * t, const char * key, const char * sep, const apr_array_header_t * values) {
 int append = 0;
 if (key[0] == '+') {
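Review bot: `base64_encode_array` hands every element straight to `ap_pbase64encode`, which measures its argument as a NUL-terminated string, so a NULL element in `values` would be dereferenced; whether the lookup code can produce one is not visible in this hunk. The function also has no comment stating its contract, and I would add `/* Return a new array allocated from p with each string of values Base64-encoded; NULL in, NULL out; elements must be non-NULL C strings. */` above it. The `ap_assert` after the loop compares two counts that the loop itself makes equal, so it cannot catch anything and could be dropped. The `for (int i = 0; ...)` and the declaration placed after the `if` both require C99, which is worth checking against the style of the rest of the file.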
@@ -330,7 +342,9 @@ static void lookup_identity_output_iter(request_rec * r, int the_output, const c
 if (the_output & LOOKUP_IDENTITY_OUTPUT_ENV) {
 lookup_identity_output_iter_to(r, r->subprocess_env, key, "_", values);
 }
- if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS) {
+ if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS_BASE64) {
+ lookup_identity_output_iter_to(r, r->headers_in, key, "-", base64_encode_array(r->pool, values));
+ } else if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS) {
 lookup_identity_output_iter_to(r, r->headers_in, key, "-", values);
 }
 }
@@ -369,7 +383,9 @@ static void lookup_identity_output_data(request_rec * r, int the_output, const c
 if (the_output & LOOKUP_IDENTITY_OUTPUT_ENV) {
 lookup_identity_output_data_to(r, r->subprocess_env, key, values, sep);
 }
- if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS) {
+ if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS_BASE64) {
+ lookup_identity_output_data_to(r, r->headers_in, key, base64_encode_array(r->pool, values), sep);
+ } else if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS) {
 lookup_identity_output_data_to(r, r->headers_in, key, values, sep);
 }
 }
@@ -584,6 +600,8 @@ static const char * set_output(cmd_parms * cmd, void * conf_void, const char * a
 cfg->output |= LOOKUP_IDENTITY_OUTPUT_ENV;
 } else if (!strcasecmp(arg, "notes")) {
 cfg->output |= LOOKUP_IDENTITY_OUTPUT_NOTES;
+ } else if (!strcasecmp(arg, "headers-base64")) {
+ cfg->output |= LOOKUP_IDENTITY_OUTPUT_HEADERS_BASE64;
 } else if (!strcasecmp(arg, "headers")) {
 cfg->output |= LOOKUP_IDENTITY_OUTPUT_HEADERS;
 } |
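Review bot: The Base64 branch in `lookup_identity_output_iter`, and the matching one in `lookup_identity_output_data` in the next hunk, writes into `r->headers_in`, the same table that holds the headers the client sent. The README in this commit says a '+' key appends to a value that is already set, so if the append code in the `_to` helpers (outside these hunks) does that for headers, a client-supplied header of the same name would sit next to the Base64 values and be decoded by the backend as identity data. That exposure presumably exists for plain `headers` as well. I would add a README caveat such as `Strip the configured header names from incoming requests before this module runs.`, or have the headers modes discard the incoming value before appending.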
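Review bot: In `lookup_identity_output_data`, `sep` is passed through unencoded while the values are Base64, so a separator containing a character of the Base64 alphabet (letters, digits, `+`, `/`, `=`) makes the concatenated header impossible to split reliably on the consumer side. The README examples use `:` and `", "`, which are safe, but nothing visible in this commit restricts the choice. I would state the restriction in the README, e.g. `With headers-base64 the separator must not contain Base64 characters (A-Z, a-z, 0-9, +, /, =).`, or reject such a separator when the directive is parsed. The function body starts outside the hunk.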
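Review bot: `set_output` ORs the new bit into `cfg->output`, so a configuration that names both `headers` and `headers-base64` sets both flags, and the `if`/`else if` in the two output functions then silently picks Base64. That precedence is not stated in the README text of this commit or in a comment. I would document it next to the new branch, e.g. `/* if both headers and headers-base64 are set, headers-base64 wins */`, or return an error string for the conflicting combination. The function starts and ends outside the hunk, so any config-merge handling of the new bit is not visible here.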