-rw-r--r--README7
-rw-r--r--auth_mellon.h22
-rw-r--r--auth_mellon_config.c10
-rw-r--r--auth_mellon_handler.c3
4 files changed, 41 insertions, 1 deletions
diff --git a/README b/README
index 0fd95e1..d791030 100644
--- a/README
+++ b/README
@@ -455,6 +455,13 @@ MellonPostCount 100
# MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
# MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
+
+ # MellonSubjectConfirmationDataAddressCheck is used to control
+ # the checking of client IP address against the address returned by the
+ # IdP in Address attribute of the SubjectConfirmationData node. Can be useful if your SP is
+ # behind a reverse proxy or any kind of strange network topology making IP address of client
+ # different for the IdP and the SP. Default is on.
+ # MellonSubjectConfirmationDataAddressCheck On
</Location>
diff --git a/auth_mellon.h b/auth_mellon.h
index 8846808..0ec0e11 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -219,6 +219,8 @@ typedef struct am_dir_cfg_rec {
/* AuthnContextClassRef list */
apr_array_header_t *authn_context_class_ref;
+ /* Controls the checking of SubjectConfirmationData.Address attribute */
+ int subject_confirmation_data_address_check;
/* Cached lasso server object. */
LassoServer *server;
@@ -255,6 +257,26 @@ typedef enum {
extern const command_rec auth_mellon_commands[];
+/* When using a value from a directory configuration structure, a special value is used
+ * to state "inherit" from parent, when reading a value and the value is still inherit from, it
+ * means that no value has ever been set for this directive, in this case, we use the default
+ * value.
+ *
+ * This macro expects that if your variable is called "name" there is a static const variable named
+ * "default_name" which holds the default value for this variable.
+ */
+#define CFG_VALUE(container, name) \
+ (container->name == inherit_##name ? default_##name : container->name)
+
+#define CFG_MERGE(add_cfg, base_cfg, name) \
+ (add_cfg->name == inherit_##name ? base_cfg->name : add_cfg->name)
+
+/** Default and inherit value for SubjectConfirmationData Address check setting.
+ */
+static const int default_subject_confirmation_data_address_check = 1;
+static const int inherit_subject_confirmation_data_address_check = -1;
+
+
void *auth_mellon_dir_config(apr_pool_t *p, char *d);
void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add);
void *auth_mellon_server_config(apr_pool_t *p, server_rec *s);
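Review bot: `CFG_VALUE` and `CFG_MERGE` use their pointer arguments unparenthesized (`container->name`, `add_cfg->name`), so any argument that is not a plain identifier changes meaning; write `((container)->name == inherit_##name ? default_##name : (container)->name)` and the equivalent `((add_cfg)->name == inherit_##name ? (base_cfg)->name : (add_cfg)->name)`. The `static const int default_…` / `inherit_…` definitions placed in the header give every translation unit its own copy and will draw unused-variable warnings wherever only one of the pair is referenced; an `enum { default_subject_confirmation_data_address_check = 1, inherit_subject_confirmation_data_address_check = -1 };` keeps the `default_##name`/`inherit_##name` token-pasting scheme without either problem. The `-1` sentinel works only because `ap_set_flag_slot` stores just 0 or 1, which is worth stating in the macro comment so a future directive with a different setter does not reuse the pattern blindly.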
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 66a4032..7607668 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -1102,6 +1102,13 @@ const command_rec auth_mellon_commands[] = {
"A list of AuthnContextClassRef to request in the AuthnRequest and "
"to validate upon reception of an Assertion"
),
+ AP_INIT_FLAG(
+ "MellonSubjectConfirmationDataAddressCheck",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, subject_confirmation_data_address_check),
+ OR_AUTHCFG,
+ "Check address given in SubjectConfirmationData Address attribute. Default is on."
+ ),
{NULL}
};
@@ -1185,6 +1192,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
dir->inherit_server_from = dir;
dir->server = NULL;
dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));;
+ dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check;
return dir;
}
@@ -1391,6 +1399,8 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
add_cfg->authn_context_class_ref :
base_cfg->authn_context_class_ref);
+ new_cfg->subject_confirmation_data_address_check =
+ CFG_MERGE(add_cfg, base_cfg, subject_confirmation_data_address_check);
return new_cfg;
}
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index e1d4c3b..abbdab0 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -1150,6 +1150,7 @@ static int am_validate_subject(request_rec *r, LassoSaml2Assertion *assertion,
apr_time_t t;
LassoSaml2SubjectConfirmation *sc;
LassoSaml2SubjectConfirmationData *scd;
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
if (assertion->Subject == NULL) {
/* No Subject to validate. */
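Review bot: The `cfg` fetched here is only consulted at the Address comparison in the following hunk, and when `MellonSubjectConfirmationDataAddressCheck` is Off that comparison is skipped with no trace in the log. Since the Address binding is what ties the assertion to the connecting client, the skip should be visible to operators: add before the existing `if (scd->Address && CFG_VALUE(...))` a branch `if (scd->Address && !CFG_VALUE(cfg, subject_confirmation_data_address_check)) ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SubjectConfirmationData Address check disabled by configuration, skipping.");`. The README text also says the option exists for reverse-proxy setups, where `r->connection->remote_ip` is the proxy address; a one-line comment on the `cfg` declaration, `/* per-directory config; Address check may be disabled behind proxies */`, would make the intent clear to the next reader. am_validate_subject starts before this hunk and continues past it.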
@@ -1226,7 +1227,7 @@ static int am_validate_subject(request_rec *r, LassoSaml2Assertion *assertion,
}
}
- if (scd->Address) {
+ if (scd->Address && CFG_VALUE(cfg, subject_confirmation_data_address_check)) {
if (strcasecmp(scd->Address, r->connection->remote_ip)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Wrong Address in SubjectConfirmationData."