authorolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2008-11-10 18:33:55 +0000
committerolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2008-11-10 18:33:55 +0000
commite8069a282501ffda569d1f84c669d285400b12b1 (patch)
tree053f9cf64f31e890e2f0be1f14b88f92c4253def
parent18a8e091a690e942cdc9dc12fb22502052b00998 (diff)
Use lasso_server_new_from_buffer if available.
Recent versions of Lasso support loading the SP metadata, certificate and private key from memory. This patch changes mod_mellon to use this function if it is available. This makes it possible to store the SP private key readable only by root. Thanks to Emmanuel Dreyfus for this patch. git-svn-id: https://modmellon.googlecode.com/svn/trunk@35 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--auth_mellon.h3
-rw-r--r--auth_mellon_config.c40
-rw-r--r--auth_mellon_handler.c15
-rw-r--r--auth_mellon_util.c53
-rw-r--r--configure.ac4
5 files changed, 108 insertions, 7 deletions
diff --git a/auth_mellon.h b/auth_mellon.h
index b86c921..a8cc81c 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -47,6 +47,8 @@
#include "apr_strings.h"
#include "apr_shm.h"
#include "apr_md5.h"
+#include "apr_file_info.h"
+#include "apr_file_io.h"
#include "ap_config.h"
#include "httpd.h"
@@ -227,6 +229,7 @@ char *am_extract_query_parameter(apr_pool_t *pool,
char *am_urlencode(apr_pool_t *pool, const char *str);
int am_urldecode(char *data);
char *am_generate_session_id(request_rec *r);
+char *am_getfile(apr_pool_t *conf, server_rec *s, const char *file);
int am_auth_mellon_user(request_rec *r);
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 6c27e26..878c140 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -40,6 +40,40 @@ static const char *default_user_attribute = "NAME_ID";
static const char *default_cookie_name = "cookie";
+/* This function handles configuration directives which set a file
+ * slot in the module configuration. If lasso is recent enough, it
+ * attempts to read the file immediatly.
+ *
+ * Parameters:
+ * cmd_parms *cmd The command structure for this configuration
+ * directive.
+ * void *struct_ptr Pointer to the current directory configuration.
+ * NULL if we are not in a directory configuration.
+ * This value isn't used by this function.
+ * const char *arg The string argument following this configuration
+ * directive in the configuraion file.
+ *
+ * Returns:
+ * NULL on success or an error string on failure.
+ */
+static const char *am_set_filestring_slot(cmd_parms *cmd,
+ void *struct_ptr,
+ const char *arg)
+{
+ const char *data;
+
+#ifdef HAVE_lasso_server_new_from_buffers
+ if ((data = am_getfile(cmd->pool, cmd->server, arg)) == NULL)
+ return apr_psprintf(cmd->pool, "%s - Cannot read file %s",
+ cmd->cmd->name, arg);
+#else
+ data = arg;
+#endif
+
+ return ap_set_string_slot(cmd, struct_ptr, data);
+}
+
+
/* This function handles configuration directives which set a string
* slot in the module configuration.
*
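Review bot: In the `HAVE_lasso_server_new_from_buffers` branch of `am_set_filestring_slot` the slot receives the file contents, while the `#else` branch stores the path unchanged, so the same `am_dir_cfg_rec` field means two different things depending on the build and the header comment does not say which. I would extend the comment with a line such as ` * When HAVE_lasso_server_new_from_buffers is defined the slot holds the file's contents (read while the configuration is parsed, so the file itself only needs to be readable by that user); otherwise it holds the path unchanged.` On the failure path the same problem is reported twice, once by `ap_log_error` inside `am_getfile()` and once by the string returned here; the returned string is the one that stops the server, so the log line could be dropped or demoted. The typo `immediatly` in the new comment should read `immediately`.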
@@ -359,21 +393,21 @@ const command_rec auth_mellon_commands[] = {
),
AP_INIT_TAKE1(
"MellonSPMetadataFile",
- ap_set_string_slot,
+ am_set_filestring_slot,
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_metadata_file),
OR_AUTHCFG,
"Full path to xml file with metadata for the SP."
),
AP_INIT_TAKE1(
"MellonSPPrivateKeyFile",
- ap_set_string_slot,
+ am_set_filestring_slot,
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_private_key_file),
OR_AUTHCFG,
"Full path to pem file with the private key for the SP."
),
AP_INIT_TAKE1(
"MellonSPCertFile",
- ap_set_string_slot,
+ am_set_filestring_slot,
(void *)APR_OFFSETOF(am_dir_cfg_rec, sp_cert_file),
OR_AUTHCFG,
"Full path to pem file with certificate for the SP."
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index b50ce25..9f57e1e 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -23,6 +23,13 @@
#include "auth_mellon.h"
+#ifdef HAVE_lasso_server_new_from_buffers
+# define SERVER_NEW lasso_server_new_from_buffers
+#else /* HAVE_lasso_server_new_from_buffers */
+# define SERVER_NEW lasso_server_new
+#endif /* HAVE_lasso_server_new_from_buffers */
+
+
static LassoServer *am_get_lasso_server(request_rec *r)
{
am_dir_cfg_rec *cfg;
@@ -32,10 +39,10 @@ static LassoServer *am_get_lasso_server(request_rec *r)
apr_thread_mutex_lock(cfg->server_mutex);
if(cfg->server == NULL) {
- cfg->server = lasso_server_new(cfg->sp_metadata_file,
- cfg->sp_private_key_file,
- NULL,
- cfg->sp_cert_file);
+ cfg->server = SERVER_NEW(cfg->sp_metadata_file,
+ cfg->sp_private_key_file,
+ NULL,
+ cfg->sp_cert_file);
if(cfg->server == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Error initializing lasso server object. Please"
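Review bot: The `SERVER_NEW` call still passes `cfg->sp_metadata_file`, `cfg->sp_private_key_file` and `cfg->sp_cert_file`, which with `HAVE_lasso_server_new_from_buffers` now hold the file contents filled in by `am_set_filestring_slot()` rather than paths, yet nothing at the call site says so and the field names suggest paths. A comment above the call would spare the next reader a detour, e.g. `/* With HAVE_lasso_server_new_from_buffers these cfg fields hold the file contents, not paths; see am_set_filestring_slot(). */`. `am_get_lasso_server` continues past the end of the hunk, so I could not check whether the error message that follows names the files as paths.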
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 4f371cc..6b19fd9 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -516,3 +516,56 @@ char *am_generate_session_id(request_rec *r)
return ret;
}
+
+/*
+ * malloc a buffer and fill it with a given file
+ *
+ * Parameters:
+ * apr_pool_t *conf The configuration pool. Valid as long as this
+ * server_rec *s The server record for the current server.
+ * const char *file The file path
+ *
+ * Returns:
+ * char * The file content
+ */
+char *am_getfile(apr_pool_t *conf, server_rec *s, const char *file)
+{
+ apr_status_t rv;
+ char buffer[512];
+ apr_finfo_t finfo;
+ char *data;
+ apr_file_t *fd;
+ apr_size_t nbytes;
+
+ if (file == NULL)
+ return NULL;
+
+ if ((rv = apr_file_open(&fd, file, APR_READ, 0, conf)) != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+ "apr_file_open: Error opening \"%s\" [%d] \"%s\"",
+ file, rv, apr_strerror(rv, buffer, sizeof(buffer)));
+ return NULL;
+ }
+
+ if ((rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fd)) != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+ "apr_file_info_get: Error opening \"%s\" [%d] \"%s\"",
+ file, rv, apr_strerror(rv, buffer, sizeof(buffer)));
+ (void)apr_file_close(fd);
+ return NULL;
+ }
+
+ nbytes = finfo.size;
+ data = (char *)apr_palloc(conf, nbytes + 1);
+
+ if ((rv = apr_file_read(fd, (void *)data, &nbytes)) != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+ "apr_file_read: Error reading \"%s\" [%d] \"%s\"",
+ file, rv, apr_strerror(rv, buffer, sizeof(buffer)));
+ }
+ data[finfo.size] = '\0';
+
+ (void)apr_file_close(fd);
+
+ return data;
+}
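Review bot: `am_getfile` returns the buffer even when `apr_file_read` fails or reads fewer than `finfo.size` bytes: the error branch only logs, `apr_palloc` does not zero the buffer, and the terminator is written at `data[finfo.size]` rather than after the bytes actually read, so a short read hands uninitialized pool memory to the caller as private-key or metadata text. The read should insist on the whole file (`apr_file_read_full`), fail to `NULL` like the open and stat paths do, and terminate at the byte count actually received. The `(char *)` cast on `apr_palloc` is unnecessary in C, and the `apr_file_info_get` message says "Error opening" where "Error getting info on" is meant. `finfo.size` is an `apr_off_t` assigned to an `apr_size_t`; for the sizes of key and metadata files this is presumably harmless, but a range check would make that explicit.
```c
    nbytes = (apr_size_t)finfo.size;
    data = apr_palloc(conf, nbytes + 1);

    /* apr_file_read() may return fewer bytes than requested; insist on the
     * whole file so no uninitialized pool memory reaches the caller. */
    rv = apr_file_read_full(fd, data, nbytes, &nbytes);
    if (rv != APR_SUCCESS || nbytes != (apr_size_t)finfo.size) {
        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
                     "apr_file_read: Error reading \"%s\" [%d] \"%s\"",
                     file, rv, apr_strerror(rv, buffer, sizeof(buffer)));
        (void)apr_file_close(fd);
        return NULL;
    }
    data[nbytes] = '\0';
    /* … unchanged: apr_file_close and return data … */
```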
diff --git a/configure.ac b/configure.ac
index 2095bdd..66d2a01 100644
--- a/configure.ac
+++ b/configure.ac
@@ -47,6 +47,10 @@ AC_SUBST(APXS2)
# We need the lasso library for SAML2 communication.
PKG_CHECK_MODULES(LASSO, lasso)
+saved_LIBS=$LIBS; LIBS="$LIBS $LASSO_LIBS";
+AC_CHECK_LIB(lasso, lasso_server_new_from_buffers,
+ LASSO_CFLAGS="$LASSO_CFLAGS -DHAVE_lasso_server_new_from_buffers")
+LIBS=$saved_LIBS;
AC_SUBST(LASSO_CFLAGS)
AC_SUBST(LASSO_LIBS)
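Review bot: The `AC_CHECK_LIB` action-if-found appends `-DHAVE_lasso_server_new_from_buffers` to `LASSO_CFLAGS` instead of using `AC_DEFINE`, so the macro only reaches translation units compiled with those flags and any file built without them silently takes the `lasso_server_new` path. `AC_DEFINE([HAVE_lasso_server_new_from_buffers], [1], [Define if lasso has lasso_server_new_from_buffers])` in the action would make the choice uniform, assuming the project generates a config header, which nothing visible here shows. The `saved_LIBS` save/restore around the check deserves a one-line comment saying it is there so the link test sees lasso's own dependencies without leaving them in `LIBS`.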