From daaa787693be43779da944bc627ed334dd50ff2f Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Wed, 20 Jan 2016 09:21:50 +0100 Subject: Add support for Base64 encoded HTTP header output. --- README | 34 ++++++++++++++++++++++++++++++++-- mod_lookup_identity.c | 24 +++++++++++++++++++++--- 2 files changed, 53 insertions(+), 5 deletions(-) diff --git a/README b/README index e2fffbc..7117397 100644 --- a/README +++ b/README @@ -81,6 +81,8 @@ The default behaviour can be changed with the following directives: Notes: Sets the Apache notes table only Env: Sets environment variables only Headers: Sets HTTP request headers, for use by proxy setups. + Headers-Base64: Sets HTTP request headers with values + Base64-encoded, for use by proxy setups. The default is Notes and Env. @@ -122,6 +124,17 @@ The default behaviour can be changed with the following directives: the value will be either staff or student (the first in the list returned by the sssd dbus call; order not to be relied on). + When + + LookupOutput headers-base64 + + is specified, the values are encoded individually and then + concatenated. For the staff and student values example, + + LookupUserGroups REMOTE-USER-GROUPS : + + will produce c3RhZmY=:c3R1ZGVudA==. + When prefixed with '+' sign and the note/environment variable already has some value set, behaviour differs depending on whether the optional separator is specified or not. If it is, @@ -168,6 +181,22 @@ The default behaviour can be changed with the following directives: (or the values of REMOTE_USER_GROUPS_1 and REMOTE_USER_GROUPS_2 will be flipped). + When + + LookupOutput headers-base64 + + is specified and assuming + + LookupUserGroupsIter REMOTE-USER-GROUPS + + the HTTP header values will be + + REMOTE-USER-GROUPS-N=2 + REMOTE-USER-GROUPS-1=c3RhZmY= + REMOTE-USER-GROUPS-2=c3R1ZGVudA== + + Note that the numerical _N is not Base64-encoded. + If user is not a member of any group, the _N value will be set to 0. 
@@ -213,7 +242,8 @@ The default behaviour can be changed with the following directives: LookupUserAttr mail REMOTE_USER_MAIL ", " will retrieve all the values and store them as coma-separated - string. + string. The same way as with LookupUserGroups, headers-base64 + will first Base64 encode and then concatenate. When the name is prefixed with '+' sign, similar to LookupUserGroups it will only set the value if not set yet, or append to existing @@ -301,7 +331,7 @@ in and will not be available. License ------- -Copyright 2013--2015 Jan Pazdziora +Copyright 2013--2016 Jan Pazdziora Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/mod_lookup_identity.c b/mod_lookup_identity.c index 1d6adb3..33ae2a0 100644 --- a/mod_lookup_identity.c +++ b/mod_lookup_identity.c @@ -1,6 +1,6 @@ /* - * Copyright 2013--2015 Jan Pazdziora + * Copyright 2013--2016 Jan Pazdziora * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -53,6 +53,7 @@ static const int LOOKUP_IDENTITY_OUTPUT_NONE = 128; static const int LOOKUP_IDENTITY_OUTPUT_NOTES = 1; static const int LOOKUP_IDENTITY_OUTPUT_ENV = 2; static const int LOOKUP_IDENTITY_OUTPUT_HEADERS = 4; +static const int LOOKUP_IDENTITY_OUTPUT_HEADERS_BASE64 = 8; static char * LOOKUP_IDENTITY_OUTPUT_GECOS = "REMOTE_USER_GECOS"; 
@@ -304,6 +305,17 @@ static DBusMessage * lookup_identity_dbus_message(request_rec * r, DBusConnectio
 }
 #endif
 
+static apr_array_header_t * base64_encode_array(apr_pool_t * p, const apr_array_header_t * values) {
+	if (! values)
+		return NULL;
+	apr_array_header_t * base64_values = apr_array_make(p, values->nelts, sizeof(char *));
+	for (int i = 0; i < values->nelts; i++) {
+		*(char **)apr_array_push(base64_values) = ap_pbase64encode(p, ((char **)values->elts)[i]);
+	}
+	ap_assert(values->nelts == base64_values->nelts);
+	return base64_values;
+}
+
 static void lookup_identity_output_iter_to(request_rec * r, apr_table_t * t, const char * key, const char * sep, const apr_array_header_t * values) {
 	int append = 0;
 	if (key[0] == '+') {
@@ -330,7 +342,9 @@ static void lookup_identity_output_iter(request_rec * r, int the_output, const c
 	if (the_output & LOOKUP_IDENTITY_OUTPUT_ENV) {
 		lookup_identity_output_iter_to(r, r->subprocess_env, key, "_", values);
 	}
-	if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS) {
+	if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS_BASE64) {
+		lookup_identity_output_iter_to(r, r->headers_in, key, "-", base64_encode_array(r->pool, values));
+	} else if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS) {
 		lookup_identity_output_iter_to(r, r->headers_in, key, "-", values);
 	}
 }
@@ -369,7 +383,9 @@ static void lookup_identity_output_data(request_rec * r, int the_output, const c
 	if (the_output & LOOKUP_IDENTITY_OUTPUT_ENV) {
 		lookup_identity_output_data_to(r, r->subprocess_env, key, values, sep);
 	}
-	if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS) {
+	if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS_BASE64) {
+		lookup_identity_output_data_to(r, r->headers_in, key, base64_encode_array(r->pool, values), sep);
+	} else if (the_output & LOOKUP_IDENTITY_OUTPUT_HEADERS) {
 		lookup_identity_output_data_to(r, r->headers_in, key, values, sep);
 	}
 }
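Review bot: `base64_encode_array` has no header comment and its one real precondition — that every element of `values` is a non-NULL, NUL-terminated string — is neither checked nor stated, while `ap_pbase64encode` measures its input with `strlen`, so a NULL entry would be a NULL dereference rather than an empty header value. Whether the callers can ever hand over a NULL element is not visible in this hunk, so either state the precondition or make the loop body defensive, `ap_pbase64encode(p, v ? v : "")` with `char * v = ((char **)values->elts)[i];`. A suitable comment above the function: `/* Return a new array, allocated from p, holding the Base64 encoding of each string in values (NULL in, NULL out). Elements must be non-NULL; the result has exactly values->nelts entries. */`. The `ap_assert` comparing the two `nelts` counts restates what the loop directly above guarantees and can be dropped.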
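Review bot: The new `else if` makes `headers-base64` silently take precedence over `headers` when both bits are set, yet `set_output` (the hunk at @@ -584) ORs each recognised word into `cfg->output` without rejecting or warning about the pair, so `LookupOutput headers headers-base64` quietly drops the plain-text headers a deployment may have relied on. The same shape is repeated in `lookup_identity_output_data` at @@ -369. Either reject the combination in `set_output`, returning a directive error such as `return "LookupOutput: headers and headers-base64 are mutually exclusive";`, or document the precedence in README next to the new Headers-Base64 entry. Both `lookup_identity_output_iter` and `lookup_identity_output_data` start outside their hunks.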
@@ -584,6 +600,8 @@ static const char * set_output(cmd_parms * cmd, void * conf_void, const char * a
 		cfg->output |= LOOKUP_IDENTITY_OUTPUT_ENV;
 	} else if (!strcasecmp(arg, "notes")) {
 		cfg->output |= LOOKUP_IDENTITY_OUTPUT_NOTES;
+	} else if (!strcasecmp(arg, "headers-base64")) {
+		cfg->output |= LOOKUP_IDENTITY_OUTPUT_HEADERS_BASE64;
 	} else if (!strcasecmp(arg, "headers")) {
 		cfg->output |= LOOKUP_IDENTITY_OUTPUT_HEADERS;
 	}
-- cgit