author | manu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53> | 2009-06-01 20:43:17 +0000 |
---|---|---|
committer | manu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53> | 2009-06-01 20:43:17 +0000 |
commit | 168300298027322956ed3c50ddb56197111f58ef (patch) | |
tree | 38e42092654a65846e1e11de13f05bd91e65c568 | |
parent | 4efd2ad895795b7a61d70da76e32fac5d319e2c1 (diff) | |
Add a MellonSamlResponseDump option to dump the SAML authentication response in
the environment
git-svn-id: https://modmellon.googlecode.com/svn/trunk@51 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | auth_mellon.h | 8 | ||||
-rw-r--r-- | auth_mellon_cache.c | 26 | ||||
-rw-r--r-- | auth_mellon_config.c | 17 | ||||
-rw-r--r-- | auth_mellon_handler.c | 17 |
5 files changed, 63 insertions, 10 deletions
@@ -186,6 +186,11 @@ MellonLockFile "/tmp/mellonLock"
 # available in the MELLON_SESSION environment variable
 MellonSessionDump Off
+ # If MellonSamlResponseDump is set, then the SAML authentication
+ # response will be available in the MELLON_SAML_RESPONSE environment
+ # variable
+ MellonSamlResponseDump Off
+
 # MellonRequire allows you to limit access to those with specific
 # attributes. The syntax is
 # 'MellonRequire <attribute name> <list of valid values>'.
diff --git a/auth_mellon.h b/auth_mellon.h
index 000159d..10fee35 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -69,7 +69,8 @@
 #define AM_CACHE_ENVSIZE 128
 #define AM_CACHE_USERSIZE 512
 #define AM_CACHE_MAX_LASSO_IDENTITY_SIZE 1024
-#define AM_CACHE_MAX_LASSO_SESSION_SIZE 16384
+#define AM_CACHE_MAX_LASSO_SESSION_SIZE 8192
+#define AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE 16384
 /* This is the length of the session id we use.
@@ -133,6 +134,7 @@ typedef struct am_dir_cfg_rec {
 apr_hash_t *envattr;
 const char *userattr;
 int dump_session;
+ int dump_saml_response;
 /* The "root directory" of our SAML2 endpoints. This path is relative
 * to the root of the web server.
@@ -186,6 +188,7 @@ typedef struct am_cache_entry_t {
 */
 char lasso_identity[AM_CACHE_MAX_LASSO_IDENTITY_SIZE];
 char lasso_session[AM_CACHE_MAX_LASSO_SESSION_SIZE];
+ char lasso_saml_response[AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE];
 am_cache_env_t env[AM_CACHE_ENVSIZE];
 } am_cache_entry_t;
@@ -223,7 +226,8 @@ void am_cache_delete(server_rec *s, am_cache_entry_t *session);
 int am_cache_set_lasso_state(am_cache_entry_t *session,
 const char *lasso_identity,
- const char *lasso_session);
+ const char *lasso_session,
+ const char *lasso_saml_response);
 const char *am_cache_get_lasso_identity(am_cache_entry_t *session);
 const char *am_cache_get_lasso_session(am_cache_entry_t *session);
diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c
index fbb1173..0bfc057 100644
--- a/auth_mellon_cache.c
+++ b/auth_mellon_cache.c
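Review bot: Halving AM_CACHE_MAX_LASSO_SESSION_SIZE from 16384 to 8192 in the auth_mellon.h hunk is a behaviour change the commit message does not mention: am_cache_set_lasso_state rejects a dump at or above the limit with HTTP_INTERNAL_SERVER_ERROR (the identity check is visible in the -485 hunk and the session check presumably mirrors it outside the hunks shown), so a login whose lasso session dump fitted before this commit can start failing after it. The new 16 KiB lasso_saml_response field in the am_cache_entry_t hunk is also added to every cache entry whether or not MellonSamlResponseDump is enabled, so each entry grows by roughly 8 KiB net and the shared-memory segment sized from it grows with it. A comment on the new define would make the trade-off visible, e.g. `/* A SAML response at or above this size fails login; the field costs this much shm per cache entry. */`.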
@@ -435,7 +435,7 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
 ++(*count);
 }
- /* Populate with the assertion? */
+ /* Populate with the session? */
 if (d->dump_session) {
 char *session;
 int srclen, dstlen;
@@ -447,6 +447,11 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
 (void)apr_base64_encode(session, t->lasso_session, srclen);
 apr_table_set(r->subprocess_env, "MELLON_SESSION", session);
 }
+
+ if (d->dump_saml_response)
+ apr_table_set(r->subprocess_env,
+ "MELLON_SAML_RESPONSE",
+ t->lasso_saml_response);
 }
@@ -485,7 +490,8 @@ void am_cache_delete(server_rec *s, am_cache_entry_t *cache)
 */
 int am_cache_set_lasso_state(am_cache_entry_t *session,
 const char *lasso_identity,
- const char *lasso_session)
+ const char *lasso_session,
+ const char *lasso_saml_response)
 {
 if(lasso_identity != NULL) {
 if(strlen(lasso_identity) < AM_CACHE_MAX_LASSO_IDENTITY_SIZE) {
@@ -518,6 +524,22 @@ int am_cache_set_lasso_state(am_cache_entry_t *session,
 strcpy(session->lasso_session, "");
 }
+ if(lasso_saml_response != NULL) {
+ if(strlen(lasso_saml_response) < AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE) {
+ strcpy(session->lasso_saml_response, lasso_saml_response);
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "Lasso SAML response is to big for storage. "
+ "Size of lasso session is %u, max size is %u.",
+ strlen(lasso_saml_response),
+ AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE - 1);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ } else {
+ /* No session dump to save. */
+ strcpy(session->lasso_saml_response, "");
+ }
+
 return OK;
 }
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index ec60328..bcb74ac 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
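Review bot: The new `if (d->dump_saml_response)` in the -447 hunk has no braces while the `if (d->dump_session) {` block just above it does, and it exports t->lasso_saml_response even when it is the empty string, which is what the auth_mellon_handler.c artifact-reply hunk stores in this commit; MELLON_SAML_RESPONSE is then set but empty for those logins, and a CGI consumer cannot tell that from a missing value. Consider `if (d->dump_saml_response && t->lasso_saml_response[0] != '\0') {` with a closing brace, plus a comment on what is exported, e.g. `/* The SAML response as stored at login, not re-encoded like MELLON_SESSION above. */`. Whether the stored value is still the base64 form received on the POST binding is not visible here and is worth confirming in am_handle_post_reply before documenting it.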
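Review bot: The block comment documenting am_cache_set_lasso_state ends in the -485 hunk (` */`) but starts above it, and it is not updated for the new lasso_saml_response parameter. It should state that the argument may be NULL (the body then stores an empty string), that it is copied into session->lasso_saml_response, and that a value of AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE bytes or more makes the function return HTTP_INTERNAL_SERVER_ERROR without a partial copy. The function body continues in the following hunk.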
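Review bot: In the -518 hunk `strlen(lasso_saml_response)` is a size_t but the format string consumes it with `%u`, which is undefined behaviour and prints a wrong value on 64-bit builds; the message text is also copied from the session branch (`is to big`, `Size of lasso session`), and the `/* No session dump to save. */` comment says session where it means SAML response. Use `"Size of SAML response is %" APR_SIZE_T_FMT ", max size is %u.",` or cast the length to unsigned before passing it. Separately, this branch turns an oversized response into a failed login with a 500 even when MellonSamlResponseDump is Off, because the auth_mellon_handler.c hunks pass the POST response unconditionally; storing an empty string and logging a warning when the response does not fit, or skipping the copy when the dump option is disabled, would keep authentication working and only lose the optional environment variable.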
@@ -47,6 +47,10 @@ static const int default_secure_cookie = 0;
 */
 static const int default_dump_session = 0;
+/* The default setting for setting MELLON_SAML_RESPONSE
+ */
+static const int default_dump_saml_response = 0;
+
 /* This is the default IdP initiated login location
 * the MellonDefaultLoginPath configuration directive if you change this.
 */
@@ -487,6 +491,13 @@ const command_rec auth_mellon_commands[] = {
 OR_AUTHCFG,
 "Dump session in environement. Default is off"
 ),
+ AP_INIT_FLAG(
+ "MellonSamlResponseDump",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, dump_saml_response),
+ OR_AUTHCFG,
+ "Dump SAML authentication response in environement. Default is off"
+ ),
 AP_INIT_RAW_ARGS(
 "MellonRequire",
 am_set_require_slot,
@@ -612,6 +623,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
 dir->envattr = apr_hash_make(p);
 dir->userattr = default_user_attribute;
 dir->dump_session = default_dump_session;
+ dir->dump_saml_response = default_dump_saml_response;
 dir->endpoint_path = default_endpoint_path;
@@ -694,6 +706,11 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
 add_cfg->dump_session :
 base_cfg->dump_session);
+ new_cfg->dump_saml_response =
+ (add_cfg->dump_saml_response != default_dump_saml_response ?
+ add_cfg->dump_saml_response :
+ base_cfg->dump_saml_response);
+
 new_cfg->endpoint_path = (
 add_cfg->endpoint_path != default_endpoint_path ?
 add_cfg->endpoint_path :
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index a776a6b..d4983b7 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -402,7 +402,9 @@ static LassoServer *am_get_lasso_server(request_rec *r)
 * Returns:
 * OK on success or HTTP_INTERNAL_SERVER_ERROR on failure.
 */
-static int am_save_lasso_profile_state(request_rec *r, LassoProfile *profile)
+static int am_save_lasso_profile_state(request_rec *r,
+ LassoProfile *profile,
+ char *saml_response)
 {
 am_cache_entry_t *am_session;
 LassoIdentity *lasso_identity;
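Review bot: The help string of the new directive in the -487 hunk, `"Dump SAML authentication response in environement. Default is off"`, copies the `environement` misspelling from the MellonSessionDump entry above it; httpd shows this text as directive help, so the new line at least should read `"Dump SAML authentication response in environment. Default is off"`. The defaults and merge hunks follow the existing dump_session pattern and need no change.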
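Review bot: The new `char *saml_response` parameter of am_save_lasso_profile_state in the -402 hunk is only handed on to am_cache_set_lasso_state, which takes it as `const char *`, so it should be `const char *saml_response` here and in am_handle_reply_common (the -1309 hunk of the same file), where the artifact path already passes the string literal `""` into a non-const pointer. The block comment above this signature, of which only the `* Returns:` part is visible, should also gain a line for the new parameter, e.g. `saml_response   The SAML response to keep in the session cache, or an empty string.`. The function body continues beyond the hunk.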
@@ -456,7 +458,10 @@ static int am_save_lasso_profile_state(request_rec *r, LassoProfile *profile)
 }
 /* Save the profile state. */
- ret = am_cache_set_lasso_state(am_session, identity_dump, session_dump);
+ ret = am_cache_set_lasso_state(am_session,
+ identity_dump,
+ session_dump,
+ saml_response);
 am_release_request_session(r, am_session);
@@ -1309,7 +1314,7 @@ static int add_attributes(am_cache_entry_t *session, request_rec *r,
 * A HTTP status code which should be returned to the client.
 */
 static int am_handle_reply_common(request_rec *r, LassoLogin *login,
- char *relay_state)
+ char *relay_state, char *saml_response)
 {
 const char *name_id;
 GList *assertions;
@@ -1385,7 +1390,7 @@ static int am_handle_reply_common(request_rec *r, LassoLogin *login,
 /* Save the profile state. */
- rc = am_save_lasso_profile_state(r, LASSO_PROFILE(login));
+ rc = am_save_lasso_profile_state(r, LASSO_PROFILE(login), saml_response);
 if(rc != OK) {
 lasso_login_destroy(login);
 return rc;
@@ -1509,7 +1514,7 @@ static int am_handle_post_reply(request_rec *r)
 "RelayState");
 /* Finish handling the reply with the common handler. */
- return am_handle_reply_common(r, login, relay_state);
+ return am_handle_reply_common(r, login, relay_state, saml_response);
 }
@@ -1611,7 +1616,7 @@ static int am_handle_artifact_reply(request_rec *r)
 "RelayState");
 /* Finish handling the reply with the common handler. */
- return am_handle_reply_common(r, login, relay_state);
+ return am_handle_reply_common(r, login, relay_state, "");
 }
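Review bot: Passing `""` in the -1611 hunk means a login completed over the artifact binding stores an empty SAML response, so with MellonSamlResponseDump On the MELLON_SAML_RESPONSE variable is exported empty rather than left unset, and the README paragraph added by this commit does not say the variable is only populated for the POST binding. A comment at the call site would record the decision, e.g. `/* No SAMLResponse POST parameter on the artifact binding; store an empty dump. */`, and the README text should mention the limitation. If the resolved response is available to this function, storing it instead would make the option binding-independent; that is not visible in the hunk.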