From 0e35cd2063aa3e9857e59e62a9ffddcdbd21aaa0 Mon Sep 17 00:00:00 2001
From: "benjamin.dauvergne"
Date: Tue, 9 Oct 2012 08:41:45 +0000
Subject: Add configuration directive MellonDoNotVerifyLogoutSignature

This directive allows to list IdP entityID for which the signature of their logout request must not be verified.

git-svn-id: https://modmellon.googlecode.com/svn/trunk@168 a716ebb1-153a-0410-b759-cfb97c6a1b53
---
 README | 3 +++
 auth_mellon.h | 2 ++
 auth_mellon_config.c | 47 ++++++++++++++++++++++++++++++++++++++++++++---
 auth_mellon_handler.c | 24 ++++++++++++++++++++++++
 configure.ac | 2 ++
 5 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/README b/README
index 13fbbe3..9de7309 100644
--- a/README
+++ b/README
@@ -461,6 +461,9 @@ MellonPostCount 100
 # behind a reverse proxy or any kind of strange network topology making IP address of client
 # different for the IdP and the SP. Default is on.
 # MellonSubjectConfirmationDataAddressCheck On
+
+ # Does not check signature on logout messages exchanges with idp1
+ # MellonDoNotVerifyLogoutSignature http://idp1.example.com/saml/metadata
diff --git a/auth_mellon.h b/auth_mellon.h
index 0ec0e11..c1c8086 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -221,6 +221,8 @@ typedef struct am_dir_cfg_rec {
 apr_array_header_t *authn_context_class_ref;
 /* Controls the checking of SubjectConfirmationData.Address attribute */
 int subject_confirmation_data_address_check;
+ /* MellonDoNotVerifyLogoutSignature idp set */
+ apr_hash_t *do_not_verify_logout_signature;
 /* Cached lasso server object. */
 LassoServer *server;
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 89f33ac..793d7af 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
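Review bot: The comment on the new `do_not_verify_logout_signature` field in `am_dir_cfg_rec` says only "idp set" and does not say what the hash is keyed on or what membership means, which is the information a reader of the config struct needs for a field that switches off a signature check. Suggest `/* IdP entityIDs (hash keys) whose logout request and response signatures are not verified; filled by MellonDoNotVerifyLogoutSignature */`. The struct definition begins before the hunk and continues after it.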
@@ -77,7 +77,6 @@ static const apr_size_t post_size = 1024 * 1024 * 1024;
 */
 static const int post_count = 100;
-#if unused
 /* This function handles configuration directives which set a
 * multivalued string slot in the module configuration (the destination
 * strucure is a hash).
@@ -117,7 +116,6 @@ static const char *am_set_hash_string_slot(cmd_parms *cmd,
 return NULL;
 }
-#endif /* unused */
 /* This function handles configuration directives which set a
 * multivalued string slot in the module configuration (the destination
@@ -783,6 +781,35 @@ static const char *am_set_authn_context_class_ref(cmd_parms *cmd,
 return NULL;
 }
+/* This function handles the MellonDoNotVerifyLogoutSignature configuration directive,
+ * it is identical to the am_set_hash_string_slot function. You can refer to it.
+ *
+ * Parameters:
+ * cmd_parms *cmd The command structure for this configuration
+ * directive.
+ * void *struct_ptr Pointer to the current directory configuration.
+ * NULL if we are not in a directory configuration.
+ * const char *key The string argument following this configuration
+ * directive in the configuraion file.
+ *
+ * Returns:
+ * NULL on success or an error string on failure.
+ */
+static const char *am_set_do_not_verify_logout_signature(cmd_parms *cmd,
+ void *struct_ptr,
+ const char *key)
+{
+#ifdef HAVE_lasso_profile_set_signature_verify_hint
+ return am_set_hash_string_slot(cmd, struct_ptr, key, NULL);
+#else
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ " is not usable as modmellon was compiled against "
+ "a version of the lasso library which miss the "
+ "function lasso_profile_set_signature_verify_hint.",
+ NULL);
+#endif
+}
+
 /* This array contains all the configuration directive which are handled
 * by auth_mellon.
 */
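Review bot: The header comment on `am_set_do_not_verify_logout_signature` documents the parameters but not the effect of the directive on security: an entityID listed here is exempted from signature verification of the logout messages that name it as issuer, and since that issuer is presumably read from the message itself, the exemption applies to any unsigned message that claims it. Suggest adding after the first comment line: ` * Listing an IdP here disables signature verification of the logout requests and responses that name it as issuer; unsigned messages claiming that issuer are then accepted, so use it only for IdPs that cannot sign.` The first line also says the function "is identical to" am_set_hash_string_slot, whereas the body shows it is a conditional wrapper around it; "delegates to" would be accurate. Fix the typos as well: `configuraion` in the comment, and in the `#else` branch `"a version of the lasso library which miss the "` → `"a version of the lasso library which lacks the "`, which is a runtime string shown to the administrator at configuration time.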
@@ -1109,6 +1136,14 @@ const command_rec auth_mellon_commands[] = {
 OR_AUTHCFG,
 "Check address given in SubjectConfirmationData Address attribute. Default is on."
 ),
+ AP_INIT_TAKE1(
+ "MellonDoNotVerifyLogoutSignature",
+ am_set_do_not_verify_logout_signature,
+ NULL,
+ OR_AUTHCFG,
+ "A list of entity of IdP whose logout requests signatures will not "
+ "be valided"
+ ),
 {NULL}
 };
@@ -1191,8 +1226,9 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
 apr_thread_mutex_create(&dir->server_mutex, APR_THREAD_MUTEX_DEFAULT, p);
 dir->inherit_server_from = dir;
 dir->server = NULL;
- dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));;
+ dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));
 dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check;
+ dir->do_not_verify_logout_signature = apr_hash_make(p);
 return dir;
 }
@@ -1399,6 +1435,11 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
 add_cfg->authn_context_class_ref :
 base_cfg->authn_context_class_ref);
+ new_cfg->do_not_verify_logout_signature = apr_hash_copy(p,
+ (apr_hash_count(add_cfg->do_not_verify_logout_signature) > 0) ?
+ add_cfg->do_not_verify_logout_signature :
+ base_cfg->do_not_verify_logout_signature);
+
 new_cfg->subject_confirmation_data_address_check = CFG_MERGE(add_cfg, base_cfg, subject_confirmation_data_address_check);
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 4877aa8..2d4003a 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
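Review bot: The help string for `MellonDoNotVerifyLogoutSignature` contains a typo (`be valided`) and describes the argument as "a list of entity", while the entry is `AP_INIT_TAKE1` and so takes exactly one entityID per occurrence; httpd prints this text verbatim. Suggest `"IdP entityID whose logout request and response signatures will not be verified; repeat the directive to exempt several IdPs"` — the repeat behaviour is what the hash slot setter presumably provides, so confirm it against `am_set_hash_string_slot` before wording it that way. The `auth_mellon_commands` array starts and ends outside this hunk.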
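Review bot: In `auth_mellon_dir_merge` the new `do_not_verify_logout_signature` hash is taken from `base_cfg` whenever `add_cfg`'s hash is empty, so a nested scope has no way to cancel an exemption set by its parent; for a setting that turns a signature check off, the stricter configuration cannot win in a child. This mirrors the `authn_context_class_ref` merge directly above, so it is probably intentional, but it should be stated where the rule lives: `/* Inherited from the parent scope unless this scope lists its own IdPs; a child cannot clear a parent's exemptions. */` ahead of the `apr_hash_copy`, and the README example would benefit from the same sentence. `auth_mellon_dir_merge` starts and ends outside the hunk.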
@@ -660,9 +660,21 @@ static int am_handle_logout_request(request_rec *r,
 {
 gint res = 0, rc = HTTP_OK;
 am_cache_entry_t *session;
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
 /* Process the logout message. Ignore missing signature. */
 res = lasso_logout_process_request_msg(logout, msg);
+#ifdef HAVE_lasso_profile_set_signature_verify_hint
+ if(res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+ if (apr_hash_get(cfg->do_not_verify_logout_signature,
+ logout->parent.remote_providerID,
+ APR_HASH_KEY_STRING)) {
+ lasso_profile_set_signature_verify_hint(&logout->parent,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
+ res = lasso_logout_process_request_msg(logout, msg);
+ }
+ }
+#endif
 if(res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 "Error processing logout request message."
@@ -753,8 +765,20 @@ static int am_handle_logout_response(request_rec *r, LassoLogout *logout)
 int rc;
 am_cache_entry_t *session;
 char *return_to;
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
 res = lasso_logout_process_response_msg(logout, r->args);
+#ifdef HAVE_lasso_profile_set_signature_verify_hint
+ if(res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+ if (apr_hash_get(cfg->do_not_verify_logout_signature,
+ logout->parent.remote_providerID,
+ APR_HASH_KEY_STRING)) {
+ lasso_profile_set_signature_verify_hint(&logout->parent,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
+ res = lasso_logout_process_response_msg(logout, r->args);
+ }
+ }
+#endif
 if(res != 0) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 "Unable to process logout response."
diff --git a/configure.ac b/configure.ac
index 3d5b833..4455a13 100644
--- a/configure.ac
+++ b/configure.ac
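Review bot: In `am_handle_logout_request` the exemption lookup `apr_hash_get(cfg->do_not_verify_logout_signature, logout->parent.remote_providerID, APR_HASH_KEY_STRING)` runs after the first `lasso_logout_process_request_msg` failed for any reason, and if that failure happened before lasso filled in the issuer, `remote_providerID` is presumably still NULL, which `APR_HASH_KEY_STRING` turns into a `strlen(NULL)` — a malformed logout message would then crash the worker rather than be rejected. Guard the key before the lookup: `if (logout->parent.remote_providerID && apr_hash_get(cfg->do_not_verify_logout_signature, logout->parent.remote_providerID, APR_HASH_KEY_STRING)) {`. The same lookup appears in `am_handle_logout_response` in the second hunk and needs the same guard. Narrowing the outer `res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND` to the signature-verification error lasso actually returns would also keep unrelated parse failures from being re-run with verification disabled — confirm the exact error code against the lasso headers. Both functions continue past their hunks.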
@@ -48,6 +48,8 @@ AC_CHECK_LIB(lasso, lasso_server_new_from_buffers,
 LASSO_CFLAGS="$LASSO_CFLAGS -DHAVE_lasso_server_new_from_buffers")
 AC_CHECK_LIB(lasso, lasso_server_load_metadata,
 LASSO_CFLAGS="$LASSO_CFLAGS -DHAVE_lasso_server_load_metadata")
+AC_CHECK_LIB(lasso, lasso_profile_set_signature_verify_hint,
+ LASSO_CFLAGS="$LASSO_CFLAGS -DHAVE_lasso_profile_set_signature_verify_hint")
 LIBS=$saved_LIBS;
 AC_SUBST(LASSO_CFLAGS)
 AC_SUBST(LASSO_LIBS)
-- cgit