authormanu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53>2009-06-01 20:43:17 +0000
committermanu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53>2009-06-01 20:43:17 +0000
commit168300298027322956ed3c50ddb56197111f58ef (patch)
tree38e42092654a65846e1e11de13f05bd91e65c568
parent4efd2ad895795b7a61d70da76e32fac5d319e2c1 (diff)
downloadmod_auth_mellon-168300298027322956ed3c50ddb56197111f58ef.tar.gz
mod_auth_mellon-168300298027322956ed3c50ddb56197111f58ef.tar.xz
mod_auth_mellon-168300298027322956ed3c50ddb56197111f58ef.zip
Add a MellonSamlResponseDump option to dump the SAML authentication response in
the environment git-svn-id: https://modmellon.googlecode.com/svn/trunk@51 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--README5
-rw-r--r--auth_mellon.h8
-rw-r--r--auth_mellon_cache.c26
-rw-r--r--auth_mellon_config.c17
-rw-r--r--auth_mellon_handler.c17
5 files changed, 63 insertions, 10 deletions
diff --git a/README b/README
index 52c4492..3916311 100644
--- a/README
+++ b/README
@@ -186,6 +186,11 @@ MellonLockFile "/tmp/mellonLock"
# available in the MELLON_SESSION environment variable
MellonSessionDump Off
+ # If MellonSamlResponseDump is set, then the SAML authentication
+ # response will be available in the MELLON_SAML_RESPONSE environment
+ # variable
+ MellonSamlResponseDump Off
+
# MellonRequire allows you to limit access to those with specific
# attributes. The syntax is
# 'MellonRequire <attribute name> <list of valid values>'.
diff --git a/auth_mellon.h b/auth_mellon.h
index 000159d..10fee35 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -69,7 +69,8 @@
#define AM_CACHE_ENVSIZE 128
#define AM_CACHE_USERSIZE 512
#define AM_CACHE_MAX_LASSO_IDENTITY_SIZE 1024
-#define AM_CACHE_MAX_LASSO_SESSION_SIZE 16384
+#define AM_CACHE_MAX_LASSO_SESSION_SIZE 8192
+#define AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE 16384
/* This is the length of the session id we use.
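Review bot: AM_CACHE_MAX_LASSO_SESSION_SIZE is silently halved from 16384 to 8192, and neither the commit message nor a comment says why; a lasso session dump between 8192 and 16383 bytes that was stored before will now presumably be rejected by the length check in am_cache_set_lasso_state (that check is outside this view, but the analogous new SAML-response check returns HTTP_INTERNAL_SERVER_ERROR), turning a working login into a 500 after upgrade. If the intent is to offset the 16 KiB the new field adds to each cache entry, state it, e.g. `/* halved to offset AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE below; sessions > 8191 bytes now fail */`, and confirm real session dumps stay under the new limit; otherwise keep 16384.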
@@ -133,6 +134,7 @@ typedef struct am_dir_cfg_rec {
apr_hash_t *envattr;
const char *userattr;
int dump_session;
+ int dump_saml_response;
/* The "root directory" of our SAML2 endpoints. This path is relative
* to the root of the web server.
@@ -186,6 +188,7 @@ typedef struct am_cache_entry_t {
*/
char lasso_identity[AM_CACHE_MAX_LASSO_IDENTITY_SIZE];
char lasso_session[AM_CACHE_MAX_LASSO_SESSION_SIZE];
+ char lasso_saml_response[AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE];
am_cache_env_t env[AM_CACHE_ENVSIZE];
} am_cache_entry_t;
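Review bot: lasso_saml_response adds 16 KiB inline to every am_cache_entry_t, so each entry grows by more than the identity and session fields combined, whether or not any directory sets MellonSamlResponseDump, and for artifact-binding logins the field only ever holds the empty string passed at the artifact reply site. If the cache is a fixed-size shared segment (not visible here), the number of concurrent sessions it can hold drops accordingly, which belongs in the README's sizing notes. A comment on the field would also help, e.g. `/* Value handed over by the reply handler (POST binding only, "" otherwise); exported as MELLON_SAML_RESPONSE when MellonSamlResponseDump is on. */`.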
@@ -223,7 +226,8 @@ void am_cache_delete(server_rec *s, am_cache_entry_t *session);
int am_cache_set_lasso_state(am_cache_entry_t *session,
const char *lasso_identity,
- const char *lasso_session);
+ const char *lasso_session,
+ const char *lasso_saml_response);
const char *am_cache_get_lasso_identity(am_cache_entry_t *session);
const char *am_cache_get_lasso_session(am_cache_entry_t *session);
diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c
index fbb1173..0bfc057 100644
--- a/auth_mellon_cache.c
+++ b/auth_mellon_cache.c
@@ -435,7 +435,7 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
++(*count);
}
- /* Populate with the assertion? */
+ /* Populate with the session? */
if (d->dump_session) {
char *session;
int srclen, dstlen;
@@ -447,6 +447,11 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
(void)apr_base64_encode(session, t->lasso_session, srclen);
apr_table_set(r->subprocess_env, "MELLON_SESSION", session);
}
+
+ if (d->dump_saml_response)
+ apr_table_set(r->subprocess_env,
+ "MELLON_SAML_RESPONSE",
+ t->lasso_saml_response);
}
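Review bot: MELLON_SAML_RESPONSE is exported verbatim while MELLON_SESSION just above is base64-encoded first, and it is exported even when the stored value is the empty string the artifact handler stores, so scripts see an empty variable rather than an absent one. Consider skipping the empty case, `if (d->dump_saml_response && t->lasso_saml_response[0] != '\0')`, and add a comment saying what encoding the value carries: it is whatever am_handle_post_reply passed, presumably the SAMLResponse form parameter still base64-encoded, which should be confirmed and stated in the README since consumers must know whether to decode it.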
@@ -485,7 +490,8 @@ void am_cache_delete(server_rec *s, am_cache_entry_t *cache)
*/
int am_cache_set_lasso_state(am_cache_entry_t *session,
const char *lasso_identity,
- const char *lasso_session)
+ const char *lasso_session,
+ const char *lasso_saml_response)
{
if(lasso_identity != NULL) {
if(strlen(lasso_identity) < AM_CACHE_MAX_LASSO_IDENTITY_SIZE) {
@@ -518,6 +524,22 @@ int am_cache_set_lasso_state(am_cache_entry_t *session,
strcpy(session->lasso_session, "");
}
+ if(lasso_saml_response != NULL) {
+ if(strlen(lasso_saml_response) < AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE) {
+ strcpy(session->lasso_saml_response, lasso_saml_response);
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "Lasso SAML response is to big for storage. "
+ "Size of lasso session is %u, max size is %u.",
+ strlen(lasso_saml_response),
+ AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE - 1);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ } else {
+ /* No session dump to save. */
+ strcpy(session->lasso_saml_response, "");
+ }
+
return OK;
}
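Review bot: The response is stored and size-checked regardless of whether MellonSamlResponseDump is enabled — am_save_lasso_profile_state forwards it unconditionally and d->dump_saml_response is only consulted in am_cache_env_populate — so any login whose response exceeds AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE - 1 bytes now fails with HTTP_INTERNAL_SERVER_ERROR where it previously succeeded, and signed responses embedding a certificate can plausibly reach 16 KiB. Unless the dump is essential, store an empty string and log at APLOG_WARNING instead of failing the login, i.e. replace `return HTTP_INTERNAL_SERVER_ERROR;` with `strcpy(session->lasso_saml_response, "");`, or have the caller pass NULL when the option is off. The log text is also copied from the session case and passes a size_t to `%u`: `"Lasso SAML response is too big for storage. Size of SAML response is %lu, max size is %u.", (unsigned long)strlen(lasso_saml_response), AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE - 1` fixes both, and the else-branch comment should read `/* No SAML response to save. */`. The enclosing function starts outside this hunk.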
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index ec60328..bcb74ac 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -47,6 +47,10 @@ static const int default_secure_cookie = 0;
*/
static const int default_dump_session = 0;
+/* The default setting for setting MELLON_SAML_RESPONSE
+ */
+static const int default_dump_saml_response = 0;
+
/* This is the default IdP initiated login location
* the MellonDefaultLoginPath configuration directive if you change this.
*/
@@ -487,6 +491,13 @@ const command_rec auth_mellon_commands[] = {
OR_AUTHCFG,
"Dump session in environement. Default is off"
),
+ AP_INIT_FLAG(
+ "MellonSamlResponseDump",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, dump_saml_response),
+ OR_AUTHCFG,
+ "Dump SAML authentication response in environement. Default is off"
+ ),
AP_INIT_RAW_ARGS(
"MellonRequire",
am_set_require_slot,
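Review bot: The new help string repeats the "environement" misspelling from the MellonSessionDump entry above it; it should read `"Dump SAML authentication response in environment. Default is off"`. Because the directive is OR_AUTHCFG, a .htaccess can turn it on and expose the full authentication response (assertion, NameID, attributes, signature) to every CGI or handler under that directory; that matches MellonSessionDump, but the exposure is worth stating in the help text or README so administrators know what they are granting.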
@@ -612,6 +623,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
dir->envattr = apr_hash_make(p);
dir->userattr = default_user_attribute;
dir->dump_session = default_dump_session;
+ dir->dump_saml_response = default_dump_saml_response;
dir->endpoint_path = default_endpoint_path;
@@ -694,6 +706,11 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
add_cfg->dump_session :
base_cfg->dump_session);
+ new_cfg->dump_saml_response =
+ (add_cfg->dump_saml_response != default_dump_saml_response ?
+ add_cfg->dump_saml_response :
+ base_cfg->dump_saml_response);
+
new_cfg->endpoint_path = (
add_cfg->endpoint_path != default_endpoint_path ?
add_cfg->endpoint_path :
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index a776a6b..d4983b7 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -402,7 +402,9 @@ static LassoServer *am_get_lasso_server(request_rec *r)
* Returns:
* OK on success or HTTP_INTERNAL_SERVER_ERROR on failure.
*/
-static int am_save_lasso_profile_state(request_rec *r, LassoProfile *profile)
+static int am_save_lasso_profile_state(request_rec *r,
+ LassoProfile *profile,
+ char *saml_response)
{
am_cache_entry_t *am_session;
LassoIdentity *lasso_identity;
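Review bot: saml_response is never written through here — it is only forwarded to am_cache_set_lasso_state, which takes `const char *` — so the parameter should be `const char *saml_response`, and the same applies to am_handle_reply_common. The header comment above this function, whose parameter list lies outside the hunk, should also gain an entry such as `saml_response: SAML response text to keep in the session cache; NULL or "" when there is none`, so the NULL-versus-empty handling in am_cache_set_lasso_state is documented at the call site. The function body continues past the hunk.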
@@ -456,7 +458,10 @@ static int am_save_lasso_profile_state(request_rec *r, LassoProfile *profile)
}
/* Save the profile state. */
- ret = am_cache_set_lasso_state(am_session, identity_dump, session_dump);
+ ret = am_cache_set_lasso_state(am_session,
+ identity_dump,
+ session_dump,
+ saml_response);
am_release_request_session(r, am_session);
@@ -1309,7 +1314,7 @@ static int add_attributes(am_cache_entry_t *session, request_rec *r,
* A HTTP status code which should be returned to the client.
*/
static int am_handle_reply_common(request_rec *r, LassoLogin *login,
- char *relay_state)
+ char *relay_state, char *saml_response)
{
const char *name_id;
GList *assertions;
@@ -1385,7 +1390,7 @@ static int am_handle_reply_common(request_rec *r, LassoLogin *login,
/* Save the profile state. */
- rc = am_save_lasso_profile_state(r, LASSO_PROFILE(login));
+ rc = am_save_lasso_profile_state(r, LASSO_PROFILE(login), saml_response);
if(rc != OK) {
lasso_login_destroy(login);
return rc;
@@ -1509,7 +1514,7 @@ static int am_handle_post_reply(request_rec *r)
"RelayState");
/* Finish handling the reply with the common handler. */
- return am_handle_reply_common(r, login, relay_state);
+ return am_handle_reply_common(r, login, relay_state, saml_response);
}
@@ -1611,7 +1616,7 @@ static int am_handle_artifact_reply(request_rec *r)
"RelayState");
/* Finish handling the reply with the common handler. */
- return am_handle_reply_common(r, login, relay_state);
+ return am_handle_reply_common(r, login, relay_state, "");
}
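Review bot: The artifact handler stores an empty string, so with MellonSamlResponseDump on, MELLON_SAML_RESPONSE is empty for HTTP-Artifact logins even though the README says the response "will be available"; a comment here would spare the next reader a search, e.g. `/* Artifact binding: no SAMLResponse parameter in this request, so nothing is stored for MELLON_SAML_RESPONSE. */` (assuming that is the reason for passing ""), and the README should say the variable is only populated for the POST binding. am_handle_artifact_reply starts outside this hunk.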