authorolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2011-12-07 10:19:35 +0000
committerolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2011-12-07 10:19:35 +0000
commit463d0450de20d20e1a85ee1c3a447e265bd1a601 (patch)
tree7880942243a5f0c7a3bc9a2a75bb83ae61bc7963
parent9dfc3a92ef45ebc0761970d74bfbc4ab2423d51d (diff)
Add MellonAutnContextClassRef to configuration directives
You can list many class refs; they will be concatenated into an array. Beware that in each directory, if there is any MellonAuthnContextClassRef directive, the settings from the previous level are overwritten. Thanks to Benjamin Dauvergne for implementing this. git-svn-id: https://modmellon.googlecode.com/svn/trunk@140 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--README10
-rw-r--r--auth_mellon.h4
-rw-r--r--auth_mellon_config.c41
3 files changed, 55 insertions, 0 deletions
diff --git a/README b/README
index 5e87e07..0fd95e1 100644
--- a/README
+++ b/README
@@ -445,6 +445,16 @@ MellonPostCount 100
# This option will make the Lasso session available in
# the MELLON_SESSION environement variable. Default is Off.
MellonSessionDump Off
+
+ # This option will request specific authentication security-level
+ # through the AuthnContextClassRef element of the AuthnRequest It will
+ # also request enforcement of this level when receiving an
+ # authenticating Assertion.
+ # If the assertion does not have the required security level, an HTTP
+ # Forbidden status code is returned to the browser.
+ # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
+ # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+ # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
</Location>
diff --git a/auth_mellon.h b/auth_mellon.h
index 274fe12..8846808 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -216,6 +216,10 @@ typedef struct am_dir_cfg_rec {
struct am_dir_cfg_rec *inherit_server_from;
/* Mutex to prevent us from creating several lasso server objects. */
apr_thread_mutex_t *server_mutex;
+
+ /* AuthnContextClassRef list */
+ apr_array_header_t *authn_context_class_ref;
+
/* Cached lasso server object. */
LassoServer *server;
} am_dir_cfg_rec;
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 79953e8..a97b911 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -755,6 +755,32 @@ static const char *am_set_langstring_slot(cmd_parms *cmd,
return NULL;
}
+/* This function handles the MellonAuthnContextClassRef directive.
+ *
+ * Parameters:
+ * cmd_parms *cmd The command structure for the MellonAuthnContextClassRef
+ * configuration directive.
+ * void *struct_ptr Pointer to the current directory configuration.
+ * NULL if we are not in a directory configuration.
+ * const char *arg An URI for an SAMLv2 AuthnContextClassRef
+ *
+ * Returns:
+ * This function will always return NULL.
+ */
+static const char *am_set_authn_context_class_ref(cmd_parms *cmd,
+ void *struct_ptr,
+ const char *arg)
+{
+ am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
+ apr_pool_t *p= cmd->pool;
+
+ if(strlen(arg) == 0) {
+ return NULL;
+ }
+ APR_ARRAY_PUSH(d->authn_context_class_ref, char*) = apr_pstrdup(p, arg);
+ return NULL;
+}
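Review bot: The header comment says `struct_ptr` may be NULL "if we are not in a directory configuration", yet the body dereferences `d->authn_context_class_ref` unconditionally, so either the comment or the code is wrong. Since the directive is registered with OR_AUTHCFG and per-directory configs are created by auth_mellon_dir_config (which initialises the array), the comment is the part to fix: `void *struct_ptr Pointer to the current directory configuration.` Note also that beyond rejecting the empty string nothing is validated; any text is accepted as a class ref and will presumably be sent verbatim in the AuthnRequest and compared against the Assertion, so a typo in the URI silently requests a non-existent context rather than failing at startup. Nothing in this commit consumes the array, so the enforcement the README hunk promises is presumably implemented elsewhere; worth confirming before relying on it.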
+
/* This array contains all the configuration directive which are handled
* by auth_mellon.
*/
@@ -1066,6 +1092,14 @@ const command_rec auth_mellon_commands[] = {
" \"http://<servername>/mellon/*\". The path you specify must"
" be contained within the current Location directive."
),
+ AP_INIT_TAKE1(
+ "MellonAuthnContextClassRef",
+ am_set_authn_context_class_ref,
+ NULL,
+ OR_AUTHCFG,
+ "A list of AuthnContextClassRef to request in the AuthnRequest and "
+ "to validate upon reception of an Assertion"
+ ),
{NULL}
};
@@ -1148,6 +1182,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
apr_thread_mutex_create(&dir->server_mutex, APR_THREAD_MUTEX_DEFAULT, p);
dir->inherit_server_from = dir;
dir->server = NULL;
+ dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));;
return dir;
}
@@ -1347,8 +1382,14 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
APR_THREAD_MUTEX_DEFAULT, p);
new_cfg->inherit_server_from = new_cfg;
}
+
new_cfg->server = NULL;
+ new_cfg->authn_context_class_ref = (add_cfg->idp_metadata->nelts ?
+ add_cfg->authn_context_class_ref :
+ base_cfg->authn_context_class_ref);
+
+
return new_cfg;
}
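Review bot: The merge decides whether to take the child's class-ref list or the parent's by testing `add_cfg->idp_metadata->nelts`, i.e. whether the child sets IdP metadata, not whether it sets MellonAuthnContextClassRef. A child Location that sets only MellonAuthnContextClassRef therefore loses its own list and inherits the parent's, and a child that sets only MellonIdPMetadataFile silently drops the parent's required context class, so the authentication-level requirement can disappear without any configuration error. The condition should key off the list being merged: `new_cfg->authn_context_class_ref = (add_cfg->authn_context_class_ref->nelts ? add_cfg->authn_context_class_ref : base_cfg->authn_context_class_ref);`. The body of auth_mellon_dir_merge begins before this hunk.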