-/*
- * mod_shib.cpp -- Shibboleth module for Apache-2.0
- *
- * Created by: Derek Atkins <derek@ihtfp.com>
- *
- * $Id$
- */
-
-// SAML Runtime
-#include <saml/saml.h>
-#include <shib/shib.h>
-#include <shib/shib-threads.h>
-#include <shib-target/shib-target.h>
-#include <xercesc/util/regx/RegularExpression.hpp>
-
-// Apache specific header files
-#include <httpd.h>
-#include <http_config.h>
-#include <http_protocol.h>
-#include <http_main.h>
-#include <http_request.h>
-#include <apr_strings.h>
-#define CORE_PRIVATE
-#include <http_core.h>
-#include <http_log.h>
-#include <apr_pools.h>
-
-#include <fstream>
-#include <sstream>
-
-//#include <apreq_params.h>
-
-#ifdef HAVE_UNISTD_H
-#include <unistd.h> // for getpid()
-#endif
-
-using namespace std;
-using namespace saml;
-using namespace shibboleth;
-using namespace shibtarget;
-
-extern "C" AP_MODULE_DECLARE_DATA module mod_shib;
-int shib_handler(request_rec* r, const IApplication* application, const IPropertySet* sessionProps, SHIRE& shire);
-
-namespace {
- char* g_szSHIBConfig = NULL;
- char* g_szSchemaDir = NULL;
- ShibTargetConfig* g_Config = NULL;
- bool g_bApacheConf = false;
- static const char* g_UserDataKey = "_shib_check_user_";
-}
-
-// per-dir module configuration structure
-struct shib_dir_config
-{
- // RM Configuration
- char* szAuthGrpFile; // Auth GroupFile name
- int bRequireAll; // all require directives must match, otherwise OR logic
-
- // SHIRE Configuration
- int bBasicHijack; // activate for AuthType Basic?
- int bRequireSession; // require a session?
- int bExportAssertion; // export SAML assertion to the environment?
-};
-
-// creates per-directory config structure
-extern "C" void* create_shib_dir_config (apr_pool_t* p, char* d)
-{
- shib_dir_config* dc=(shib_dir_config*)apr_pcalloc(p,sizeof(shib_dir_config));
- dc->bBasicHijack = -1;
- dc->bRequireSession = -1;
- dc->bExportAssertion = -1;
- dc->bRequireAll = -1;
- dc->szAuthGrpFile = NULL;
- return dc;
-}
-
-// overrides server configuration in directories
-extern "C" void* merge_shib_dir_config (apr_pool_t* p, void* base, void* sub)
-{
- shib_dir_config* dc=(shib_dir_config*)apr_pcalloc(p,sizeof(shib_dir_config));
- shib_dir_config* parent=(shib_dir_config*)base;
- shib_dir_config* child=(shib_dir_config*)sub;
-
- if (child->szAuthGrpFile)
- dc->szAuthGrpFile=apr_pstrdup(p,child->szAuthGrpFile);
- else if (parent->szAuthGrpFile)
- dc->szAuthGrpFile=apr_pstrdup(p,parent->szAuthGrpFile);
- else
- dc->szAuthGrpFile=NULL;
-
- dc->bBasicHijack=((child->bBasicHijack==-1) ? parent->bBasicHijack : child->bBasicHijack);
- dc->bRequireSession=((child->bRequireSession==-1) ? parent->bRequireSession : child->bRequireSession);
- dc->bExportAssertion=((child->bExportAssertion==-1) ? parent->bExportAssertion : child->bExportAssertion);
- dc->bRequireAll=((child->bRequireAll==-1) ? parent->bRequireAll : child->bRequireAll);
-
- return dc;
-}
-
-// generic global slot handlers
-extern "C" const char* ap_set_global_string_slot(cmd_parms* parms, void*,
- const char* arg)
-{
- *((char**)(parms->info))=apr_pstrdup(parms->pool,arg);
- return NULL;
-}
-
-typedef const char* (*config_fn_t)(void);
-
-static int shib_error_page(request_rec* r, const IApplication* app, const char* page, ShibMLP& mlp)
-{
- const IPropertySet* props=app->getPropertySet("Errors");
- if (props) {
- pair<bool,const char*> p=props->getString(page);
- if (p.first) {
- ifstream infile(p.second);
- if (!infile.fail()) {
- const char* res = mlp.run(infile);
- if (res) {
- r->content_type = apr_psprintf(r->pool, "text/html");
- //ap_send_http_header(r);
- ap_rprintf(r, res);
- return DONE;
- }
- }
- }
- }
-
- ap_log_rerror(APLOG_MARK,APLOG_ERR,0,r,
- "shire_error_page() could not process shire error template for application %s",app->getId());
- return HTTP_INTERNAL_SERVER_ERROR;
-}
-
-extern "C" int shib_check_user(request_rec* r)
-{
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_check_user: ENTER");
- shib_dir_config* dc=(shib_dir_config*)ap_get_module_config(r->per_dir_config,&mod_shib);
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_check_user" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- // This will always be normalized, because Apache uses ap_get_server_name in this API call.
- const char* targeturl=ap_construct_url(r->pool,r->unparsed_uri,r);
-
- // We lock the configuration system for the duration.
- IConfig* conf=g_Config->getINI();
- Locker locker(conf);
-
- // Map request to application and content settings.
- IRequestMapper* mapper=conf->getRequestMapper();
- Locker locker2(mapper);
- IRequestMapper::Settings settings=mapper->getSettingsFromParsedURL(
- ap_http_method(r), ap_get_server_name(r), ap_get_server_port(r), r->unparsed_uri
- );
- pair<bool,const char*> application_id=settings.first->getString("applicationId");
- const IApplication* application=conf->getApplication(application_id.second);
- const IPropertySet* sessionProps=application ? application->getPropertySet("Sessions") : NULL;
- if (!application || !sessionProps) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shib_check_user: unable to map request to application session settings, check configuration");
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- // Declare SHIRE object for this request.
- SHIRE shire(application);
-
- // Get location of this application's assertion consumer service and see if this is it.
- if (strstr(targeturl,shire.getShireURL(targeturl))) {
- return shib_handler(r,application,sessionProps,shire);
- }
-
- // We can short circuit the handler if we run this...
- apr_pool_userdata_setn((const void*)42,g_UserDataKey,NULL,r->pool);
-
- // Regular access to arbitrary resource...check AuthType
- const char *auth_type=ap_auth_type(r);
- if (!auth_type)
- return DECLINED;
-
- if (strcasecmp(auth_type,"shibboleth")) {
- if (!strcasecmp(auth_type,"basic") && dc->bBasicHijack==1) {
- core_dir_config* conf=
- (core_dir_config*)ap_get_module_config(r->per_dir_config,
- ap_find_linked_module("http_core.c"));
- conf->ap_auth_type="shibboleth";
- }
- else
- return DECLINED;
- }
-
- pair<bool,bool> requireSession = pair<bool,bool>(false,false);
- if (g_bApacheConf) {
- // By default, we will require a session.
- if (dc->bRequireSession!=0)
- requireSession.second=true;
- }
- else
- requireSession = settings.first->getBool("requireSession");
-
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_check_user: session check for %s",targeturl);
-
- pair<bool,const char*> shib_cookie=sessionProps->getString("cookieName");
- if (!shib_cookie.first) {
- ap_log_rerror(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,0,r,
- "shib_check_user: no cookieName set for %s", application_id.second);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- // We're in charge, so check for cookie.
- const char* session_id=NULL;
- const char* cookies=apr_table_get(r->headers_in,"Cookie");
-
- if (cookies) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_check_user() cookies found: %s",cookies);
- if (session_id=strstr(cookies,shib_cookie.second)) {
- // Yep, we found a cookie -- pull it out (our session_id)
- session_id+=strlen(shib_cookie.second) + 1; /* Skip over the '=' */
- char* cookiebuf = apr_pstrdup(r->pool,session_id);
- char* cookieend = strchr(cookiebuf,';');
- if (cookieend)
- *cookieend = '\0'; /* Ignore anyting after a ; */
- session_id=cookiebuf;
- }
- }
-
- if (!session_id || !*session_id) {
- // If no session required, bail now.
- if (!requireSession.second)
- return OK;
-
- // No acceptable cookie, and we require a session. Generate an AuthnRequest.
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_check_user: no cookie found -- redirecting to WAYF");
- apr_table_setn(r->headers_out,"Location",apr_pstrdup(r->pool,shire.getAuthnRequest(targeturl)));
- return HTTP_MOVED_TEMPORARILY;
- }
-
- // Make sure this session is still valid
- RPCError* status = NULL;
- ShibMLP markupProcessor(application);
- markupProcessor.insert("requestURL", targeturl);
-
- try {
- status = shire.sessionIsValid(session_id, r->connection->remote_ip);
- }
- catch (ShibTargetException &e) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_check_user(): %s", e.what());
- markupProcessor.insert("errorType", "Session Processing Error");
- markupProcessor.insert("errorText", e.what());
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return shib_error_page(r, application, "shire", markupProcessor);
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_check_user(): caught unexpected error");
- markupProcessor.insert("errorType", "Session Processing Error");
- markupProcessor.insert("errorText", "Unexpected Exception");
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return shib_error_page(r, application, "shire", markupProcessor);
- }
-#endif
-
- // Check the status
- if (status->isError()) {
- ap_log_rerror(APLOG_MARK,APLOG_INFO|APLOG_NOERRNO,0,r,
- "shib_check_user() session invalid: %s", status->getText());
-
- // If no session required, bail now.
- if (!requireSession.second)
- return OK;
- else if (status->isRetryable()) {
- // Oops, session is invalid. Generate AuthnRequest.
- apr_table_setn(r->headers_out,"Location",apr_pstrdup(r->pool,shire.getAuthnRequest(targeturl)));
- delete status;
- return HTTP_MOVED_TEMPORARILY;
- }
- else {
- // return the error page to the user
- markupProcessor.insert(*status);
- delete status;
- return shib_error_page(r, application, "shire", markupProcessor);
- }
- }
-
- delete status;
- // set the authtype
- r->ap_auth_type = "shibboleth";
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_check_user(): session successfully verified");
-
- // This is code transferred in from the auth check to export the attributes.
- // We could even combine the isSessionValid/getAssertions API...?
-
- RM rm(application);
- vector<SAMLAssertion*> assertions;
- SAMLAuthenticationStatement* sso_statement=NULL;
-
- try {
- status = rm.getAssertions(session_id, r->connection->remote_ip, assertions, &sso_statement);
- }
- catch (ShibTargetException &e) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,"shib_check_user(): %s", e.what());
- markupProcessor.insert("errorType", "Attribute Processing Error");
- markupProcessor.insert("errorText", e.what());
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return shib_error_page(r, application, "rm", markupProcessor);
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,"shib_check_user(): caught unexpected error");
- markupProcessor.insert("errorType", "Attribute Processing Error");
- markupProcessor.insert("errorText", "Unexpected Exception");
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return shib_error_page(r, application, "rm", markupProcessor);
- }
-#endif
-
- if (status->isError()) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shire_check_user() getAssertions failed: %s", status->getText());
-
- markupProcessor.insert(*status);
- delete status;
- return shib_error_page(r, application, "rm", markupProcessor);
- }
- delete status;
-
- // Do we have an access control plugin?
- if (settings.second) {
- Locker acllock(settings.second);
- if (!settings.second->authorized(assertions)) {
- for (int k = 0; k < assertions.size(); k++)
- delete assertions[k];
- delete sso_statement;
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,"shib_check_user(): access control provider denied access");
- return shib_error_page(r, application, "access", markupProcessor);
- }
- }
-
- // Get the AAP providers, which contain the attribute policy info.
- Iterator<IAAP*> provs=application->getAAPProviders();
-
- // Clear out the list of mapped attributes
- while (provs.hasNext()) {
- IAAP* aap=provs.next();
- aap->lock();
- try {
- Iterator<const IAttributeRule*> rules=aap->getAttributeRules();
- while (rules.hasNext()) {
- const char* header=rules.next()->getHeader();
- if (header)
- apr_table_unset(r->headers_in,header);
- }
- }
- catch(...) {
- aap->unlock();
- for (int k = 0; k < assertions.size(); k++)
- delete assertions[k];
- delete sso_statement;
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shib_check_user(): caught unexpected error while clearing headers");
- markupProcessor.insert("errorType", "Attribute Processing Error");
- markupProcessor.insert("errorText", "Unexpected Exception");
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return shib_error_page(r, application, "rm", markupProcessor);
- }
- aap->unlock();
- }
- provs.reset();
-
- // Maybe export the first assertion.
- apr_table_unset(r->headers_in,"Shib-Attributes");
- pair<bool,bool> exp=pair<bool,bool>(false,false);
- if (g_bApacheConf && dc->bExportAssertion==1)
- exp.second=exp.first=true;
- else if (!g_bApacheConf)
- exp=settings.first->getBool("exportAssertion");
- if (exp.first && exp.second && assertions.size()) {
- string assertion;
- RM::serialize(*(assertions[0]), assertion);
- apr_table_set(r->headers_in,"Shib-Attributes", assertion.c_str());
- }
-
- // Export the SAML AuthnMethod and the origin site name.
- apr_table_unset(r->headers_in,"Shib-Origin-Site");
- apr_table_unset(r->headers_in,"Shib-Authentication-Method");
- if (sso_statement) {
- auto_ptr_char os(sso_statement->getSubject()->getNameQualifier());
- auto_ptr_char am(sso_statement->getAuthMethod());
- apr_table_set(r->headers_in,"Shib-Origin-Site", os.get());
- apr_table_set(r->headers_in,"Shib-Authentication-Method", am.get());
- }
-
- apr_table_unset(r->headers_in,"Shib-Application-ID");
- apr_table_set(r->headers_in,"Shib-Application-ID",application_id.second);
-
- // Export the attributes.
- Iterator<SAMLAssertion*> a_iter(assertions);
- while (a_iter.hasNext()) {
- SAMLAssertion* assert=a_iter.next();
- Iterator<SAMLStatement*> statements=assert->getStatements();
- while (statements.hasNext()) {
- SAMLAttributeStatement* astate=dynamic_cast<SAMLAttributeStatement*>(statements.next());
- if (!astate)
- continue;
- Iterator<SAMLAttribute*> attrs=astate->getAttributes();
- while (attrs.hasNext()) {
- SAMLAttribute* attr=attrs.next();
-
- // Are we supposed to export it?
- AAP wrapper(provs,attr->getName(),attr->getNamespace());
- if (wrapper.fail())
- continue;
-
- Iterator<string> vals=attr->getSingleByteValues();
- if (!strcmp(wrapper->getHeader(),"REMOTE_USER") && vals.hasNext())
- r->user=apr_pstrdup(r->pool,vals.next().c_str());
- else {
- int it=0;
- char* header = (char*)apr_table_get(r->headers_in, wrapper->getHeader());
- if (header) {
- header=apr_pstrdup(r->pool, header);
- it++;
- }
- else
- header = apr_pstrdup(r->pool, "");
- for (; vals.hasNext(); it++) {
- string value = vals.next();
- for (string::size_type pos = value.find_first_of(";", string::size_type(0));
- pos != string::npos;
- pos = value.find_first_of(";", pos)) {
- value.insert(pos, "\\");
- pos += 2;
- }
- header=apr_pstrcat(r->pool, header, (it ? ";" : ""), value.c_str(), NULL);
- }
- apr_table_setn(r->headers_in, wrapper->getHeader(), header);
- }
- }
- }
- }
-
- // clean up memory
- for (int k = 0; k < assertions.size(); k++)
- delete assertions[k];
- delete sso_statement;
-
- return OK;
-}
-
-extern "C" int shib_post_handler(request_rec* r)
-{
- // With 2.x, this handler always runs, though last. We check if shib_check_user ran,
- // because it will detect a SHIRE request and dispatch it directly.
- void* data;
- apr_pool_userdata_get(&data,g_UserDataKey,r->pool);
- if (data==(const void*)42) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_post_handler skipped since check_user ran");
- return DECLINED;
- }
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_post_handler" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- // We lock the configuration system for the duration.
- IConfig* conf=g_Config->getINI();
- Locker locker(conf);
-
- // Map request to application and content settings.
- IRequestMapper* mapper=conf->getRequestMapper();
- Locker locker2(mapper);
- IRequestMapper::Settings settings=mapper->getSettingsFromParsedURL(
- ap_http_method(r), ap_get_server_name(r), ap_get_server_port(r), r->unparsed_uri
- );
- pair<bool,const char*> application_id=settings.first->getString("applicationId");
- const IApplication* application=conf->getApplication(application_id.second);
- const IPropertySet* sessionProps=application ? application->getPropertySet("Sessions") : NULL;
- if (!application || !sessionProps) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shib_post_handler: unable to map request to application session settings, check configuration");
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- // Declare SHIRE object for this request.
- SHIRE shire(application);
-
- return shib_handler(r, application, sessionProps, shire);
-}
-
-int shib_handler(request_rec* r, const IApplication* application, const IPropertySet* sessionProps, SHIRE& shire)
-{
- // Prime the pump...
- const char* targeturl = ap_construct_url(r->pool,r->unparsed_uri,r);
-
- // Make sure we only process the SHIRE requests.
- if (!strstr(targeturl,shire.getShireURL(targeturl)))
- return DECLINED;
-
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_handler() running");
-
- pair<bool,const char*> shib_cookie=sessionProps->getString("cookieName");
- pair<bool,const char*> shib_cookie_props=sessionProps->getString("cookieProps");
- if (!shib_cookie.first) {
- ap_log_rerror(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,0,r,
- "shire_handler: no cookieName set for %s", application->getId());
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- ShibMLP markupProcessor(application);
- markupProcessor.insert("requestURL", targeturl);
-
- // Process SHIRE request
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_handler() Beginning SHIRE processing");
-
- try {
- pair<bool,bool> shireSSL=sessionProps->getBool("shireSSL");
-
- // Make sure this is SSL, if it should be
- if ((!shireSSL.first || shireSSL.second) && strcmp(ap_http_method(r),"https"))
- throw ShibTargetException(SHIBRPC_OK, "blocked non-SSL access to session creation service");
-
- // If this is a GET, we manufacture an AuthnRequest.
- if (!strcasecmp(r->method,"GET")) {
- const char* areq=r->args ? shire.getLazyAuthnRequest(r->args) : NULL;
- if (!areq)
- throw ShibTargetException(SHIBRPC_OK, "malformed arguments to request a new session");
- apr_table_setn(r->headers_out, "Location", apr_pstrdup(r->pool,areq));
- return HTTP_MOVED_TEMPORARILY;
- }
- else if (strcasecmp(r->method,"POST")) {
- throw ShibTargetException(SHIBRPC_OK, "blocked non-POST to SHIRE POST processor");
- }
-
- // Sure sure this POST is an appropriate content type
- const char *ct = apr_table_get(r->headers_in, "Content-type");
- if (!ct || strcasecmp(ct, "application/x-www-form-urlencoded"))
- throw ShibTargetException (SHIBRPC_OK,
- apr_psprintf(r->pool, "blocked bad content-type to SHIRE POST processor: %s", (ct ? ct : "")));
-
- // Read the posted data
- if (ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))
- throw ShibTargetException (SHIBRPC_OK, "CGI setup_client_block failed");
- if (!ap_should_client_block(r))
- throw ShibTargetException (SHIBRPC_OK, "CGI should_client_block failed");
- if (r->remaining > 1024*1024)
- throw ShibTargetException (SHIBRPC_OK, "CGI length too long...");
-
- string cgistr;
- char buff[HUGE_STRING_LEN];
- //apr_hard_timeout("[mod_shib] CGI Parser", r);
- memset(buff, 0, sizeof(buff));
- while (ap_get_client_block(r, buff, sizeof(buff)-1) > 0) {
- cgistr += buff;
- memset(buff, 0, sizeof(buff));
- }
- //ap_kill_timeout(r);
-
- // Parse the submission.
- pair<const char*,const char*> elements=shire.getFormSubmission(cgistr.c_str(),cgistr.length());
-
- // Make sure the SAML Response parameter exists
- if (!elements.first || !*elements.first)
- throw ShibTargetException(SHIBRPC_OK, "SHIRE POST failed to find SAMLResponse form element");
-
- // Make sure the target parameter exists
- if (!elements.second || !*elements.second)
- throw ShibTargetException(SHIBRPC_OK, "SHIRE POST failed to find TARGET form element");
-
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_handler() Processing POST for target: %s", elements.second);
-
- // process the post
- string cookie;
- RPCError* status = shire.sessionCreate(elements.first, r->connection->remote_ip, cookie);
-
- if (status->isError()) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shib_handler() POST process failed (%d): %s", status->getCode(), status->getText());
-
- if (status->isRetryable()) {
- ap_log_rerror(APLOG_MARK,APLOG_INFO|APLOG_NOERRNO,0,r,
- "shib_handler() retryable error, generating new AuthnRequest");
- apr_table_setn(r->headers_out,"Location",apr_pstrdup(r->pool,shire.getAuthnRequest(elements.second)));
- return HTTP_MOVED_TEMPORARILY;
- }
-
- // return this error to the user.
- markupProcessor.insert(*status);
- delete status;
- return shib_error_page(r, application, "shire", markupProcessor);
- }
- delete status;
-
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_handler() POST process succeeded. New cookie: %s", cookie.c_str());
-
- // We've got a good session, set the cookie...
- char* val = apr_psprintf(r->pool,"%s=%s%s",shib_cookie.second,cookie.c_str(),
- shib_cookie_props.first ? shib_cookie_props.second : "; path=/");
- apr_table_setn(r->err_headers_out, "Set-Cookie", val);
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_handler() setting cookie: %s",val);
-
- // ... and redirect to the target
- apr_table_setn(r->headers_out, "Location", apr_pstrdup(r->pool,elements.second));
- return HTTP_MOVED_TEMPORARILY;
- }
- catch (ShibTargetException &e) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_post_handler(): %s", e.what());
- markupProcessor.insert("errorType", "Session Creation Service Error");
- markupProcessor.insert("errorText", e.what());
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return shib_error_page(r, application, "shire", markupProcessor);
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_handler(): unexpected exception");
- markupProcessor.insert("errorType", "Session Creation Service Error");
- markupProcessor.insert("errorText", "Unknown Exception");
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return shib_error_page(r, application, "shire", markupProcessor);
- }
-#endif
-
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,"shib_handler() server error");
- return HTTP_INTERNAL_SERVER_ERROR;
-}
-
-static apr_table_t* groups_for_user(request_rec* r, const char* user, char* grpfile)
-{
- ap_configfile_t* f;
- apr_table_t* grps=apr_table_make(r->pool,15);
- char l[MAX_STRING_LEN];
- const char *group_name, *ll, *w;
-
- if (ap_pcfg_openfile(&f,r->pool,grpfile) != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR,0,r,
- "groups_for_user() could not open group file: %s\n", grpfile);
- return NULL;
- }
-
- apr_pool_t* sp;
- if (apr_pool_create(&sp,r->pool) != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR,0,r,
- "groups_for_user() could not create a subpool");
- return NULL;
- }
-
- while (!(ap_cfg_getline(l,MAX_STRING_LEN,f))) {
- if ((*l=='#') || (!*l))
- continue;
- ll = l;
- apr_pool_clear(sp);
-
- group_name=ap_getword(sp,&ll,':');
-
- while (*ll) {
- w=ap_getword_conf(sp,&ll);
- if (!strcmp(w,user)) {
- apr_table_setn(grps,apr_pstrdup(r->pool,group_name),"in");
- break;
- }
- }
- }
- ap_cfg_closefile(f);
- apr_pool_destroy(sp);
- return grps;
-}
-
-/*
- * shib_auth_checker() -- a simple resource manager to
- * process the .htaccess settings and copy attributes
- * into the HTTP headers.
- */
-extern "C" int shib_auth_checker(request_rec *r)
-{
- shib_dir_config* dc=
- (shib_dir_config*)ap_get_module_config(r->per_dir_config,&mod_shib);
-
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_auth_checker() executing");
-
- // Regular access to arbitrary resource...check AuthType
- const char* auth_type=ap_auth_type(r);
- if (!auth_type || strcasecmp(auth_type,"shibboleth"))
- return DECLINED;
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shibrm" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- // We lock the configuration system for the duration.
- IConfig* conf=g_Config->getINI();
- Locker locker(conf);
-
- const char* application_id=apr_table_get(r->headers_in,"Shib-Application-ID");
- const IApplication* application=NULL;
- if (application_id)
- application = conf->getApplication(application_id);
-
- // mod_auth clone
-
- int m=r->method_number;
- bool method_restricted=false;
- const char *t, *w;
-
- const apr_array_header_t* reqs_arr=ap_requires(r);
- if (!reqs_arr)
- return OK;
-
- require_line* reqs=(require_line*)reqs_arr->elts;
-
- //XXX
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"REQUIRE nelts: %d", reqs_arr->nelts);
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"REQUIRE all: %d", dc->bRequireAll);
-
- vector<bool> auth_OK(reqs_arr->nelts,false);
-
-#define SHIB_AP_CHECK_IS_OK { \
- if (dc->bRequireAll < 1) \
- return OK; \
- auth_OK[x] = true; \
- continue; \
-}
-
- for (int x=0; x<reqs_arr->nelts; x++) {
- auth_OK[x] = false;
-
- if (!(reqs[x].method_mask & (1 << m)))
- continue;
- method_restricted=true;
-
- t = reqs[x].requirement;
- w = ap_getword_white(r->pool, &t);
-
- if (!strcmp(w,"valid-user")) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r, "shib_auth_checker() accepting valid-user");
- SHIB_AP_CHECK_IS_OK;
- }
- else if (!strcmp(w,"user") && r->user) {
- bool regexp=false;
- while (*t) {
- w=ap_getword_conf(r->pool,&t);
- if (*w=='~') {
- regexp=true;
- continue;
- }
-
- if (regexp) {
- try {
- // To do regex matching, we have to convert from UTF-8.
- auto_ptr<XMLCh> trans(fromUTF8(w));
- RegularExpression re(trans.get());
- auto_ptr<XMLCh> trans2(fromUTF8(r->user));
- if (re.matches(trans2.get())) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_auth_checker() accepting user: %s",w);
- SHIB_AP_CHECK_IS_OK;
- }
- }
- catch (XMLException& ex) {
- auto_ptr_char tmp(ex.getMessage());
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shib_auth_checker caught exception while parsing regular expression (%s): %s",w,tmp.get());
- }
- }
- else if (!strcmp(r->user,w)) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_auth_checker() accepting user: %s",w);
- SHIB_AP_CHECK_IS_OK;
- }
- }
- }
- else if (!strcmp(w,"group")) {
- apr_table_t* grpstatus=NULL;
- if (dc->szAuthGrpFile && r->user) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_auth_checker() using groups file: %s\n", dc->szAuthGrpFile);
- grpstatus=groups_for_user(r,r->user,dc->szAuthGrpFile);
- }
- if (!grpstatus)
- return DECLINED;
-
- while (*t) {
- w=ap_getword_conf(r->pool,&t);
- if (apr_table_get(grpstatus,w)) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,"shib_auth_checker() accepting group: %s",w);
- SHIB_AP_CHECK_IS_OK;
- }
- }
- }
- else {
- Iterator<IAAP*> provs=application ? application->getAAPProviders() : EMPTY(IAAP*);
- AAP wrapper(provs,w);
- if (wrapper.fail()) {
- ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,
- "shib_auth_checker() didn't recognize require rule: %s\n",w);
- continue;
- }
-
- bool regexp=false;
- const char* vals=apr_table_get(r->headers_in,wrapper->getHeader());
- while (*t && vals) {
- w=ap_getword_conf(r->pool,&t);
- if (*w=='~') {
- regexp=true;
- continue;
- }
-
- try {
- auto_ptr<RegularExpression> re;
- if (regexp) {
- delete re.release();
- auto_ptr<XMLCh> trans(fromUTF8(w));
- auto_ptr<RegularExpression> temp(new RegularExpression(trans.get()));
- re=temp;
- }
-
- string vals_str(vals);
- int j = 0;
- for (int i = 0; i < vals_str.length(); i++) {
- if (vals_str.at(i) == ';') {
- if (i == 0) {
- ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,
- "shib_auth_checker() invalid header encoding %s: starts with semicolon", vals);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- if (vals_str.at(i-1) == '\\') {
- vals_str.erase(i-1, 1);
- i--;
- continue;
- }
-
- string val = vals_str.substr(j, i-j);
- j = i+1;
- if (regexp) {
- auto_ptr<XMLCh> trans(fromUTF8(val.c_str()));
- if (re->matches(trans.get())) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_auth_checker() expecting %s, got %s: authorization granted", w, val.c_str());
- SHIB_AP_CHECK_IS_OK;
- }
- }
- else if (val==w) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_auth_checker() expecting %s, got %s: authorization granted", w, val.c_str());
- SHIB_AP_CHECK_IS_OK;
- }
- else {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_auth_checker() expecting %s, got %s: authorization not granted", w, val.c_str());
- }
- }
- }
-
- string val = vals_str.substr(j, vals_str.length()-j);
- if (regexp) {
- auto_ptr<XMLCh> trans(fromUTF8(val.c_str()));
- if (re->matches(trans.get())) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_auth_checker() expecting %s, got %s: authorization granted", w, val.c_str());
- SHIB_AP_CHECK_IS_OK;
- }
- }
- else if (val==w) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_auth_checker() expecting %s, got %s: authorization granted", w, val.c_str());
- SHIB_AP_CHECK_IS_OK;
- }
- else {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,r,
- "shib_auth_checker() expecting %s, got %s: authorization not granted", w, val.c_str());
- }
- }
- catch (XMLException& ex) {
- auto_ptr_char tmp(ex.getMessage());
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shib_auth_checker caught exception while parsing regular expression (%s): %s",w,tmp.get());
- }
- }
- }
- }
-
- // check if all require directives are true
- bool auth_all_OK = true;
- for (int i= 0; i<reqs_arr->nelts; i++) {
- auth_all_OK &= auth_OK[i];
- }
- if (auth_all_OK)
- return OK;
-
- if (!method_restricted)
- return OK;
-
- if (!application_id) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shib_check_auth: Shib-Application-ID header not found in request");
- return HTTP_FORBIDDEN;
- }
- else if (!application) {
- ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,0,r,
- "shib_check_auth: unable to map request to application settings, check configuration");
- return HTTP_FORBIDDEN;
- }
-
- ShibMLP markupProcessor(application);
- markupProcessor.insert("requestURL", ap_construct_url(r->pool,r->unparsed_uri,r));
- return shib_error_page(r, application, "access", markupProcessor);
-}
-
-/*
- * shib_exit()
- * Cleanup the (per-process) pool info.
- */
-extern "C" apr_status_t shib_exit(void* data)
-{
- g_Config->shutdown();
- g_Config = NULL;
- ap_log_error(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,NULL,"shib_exit() done");
- return OK;
-}
-
-static const XMLCh Apache[] =
-{ chLatin_A, chLatin_p, chLatin_a, chLatin_c, chLatin_h, chLatin_e, chNull };
-static const XMLCh apacheConfig[] =
-{ chLatin_a, chLatin_p, chLatin_a, chLatin_c, chLatin_h, chLatin_e,
- chLatin_C, chLatin_o, chLatin_n, chLatin_f, chLatin_i, chLatin_g, chNull
-};
-static const XMLCh Implementation[] =
-{ chLatin_I, chLatin_m, chLatin_p, chLatin_l, chLatin_e, chLatin_m, chLatin_e, chLatin_n, chLatin_t, chLatin_a, chLatin_t, chLatin_i, chLatin_o, chLatin_n, chNull };
-
-/*
- * shib_post_config()
- * Things to do at process startup after the configs are read
- */
-extern "C" int shib_post_config(apr_pool_t* pconf, apr_pool_t* plog,
- apr_pool_t* ptemp, server_rec* s)
-{
- // Initialize runtime components.
-
- ap_log_error(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,s,"shib_post_config() starting");
-
- if (g_Config) {
- ap_log_error(APLOG_MARK,APLOG_INFO|APLOG_NOERRNO,0,s,"shib_post_config(): already initialized");
- return OK;
- }
-
- try {
- g_Config=&ShibTargetConfig::getConfig();
- g_Config->setFeatures(
- ShibTargetConfig::Listener |
- ShibTargetConfig::Metadata |
- ShibTargetConfig::AAP |
- ShibTargetConfig::RequestMapper |
- ShibTargetConfig::SHIREExtensions
- );
- if (!g_Config->init(g_szSchemaDir,g_szSHIBConfig)) {
- ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,0,s,"shib_post_config(): already initialized!");
- exit(1);
- }
-
- // Access the implementation-specifics for whether to use old Apache config style...
- IConfig* conf=g_Config->getINI();
- Locker locker(conf);
- const IPropertySet* props=conf->getPropertySet("SHIRE");
- if (props) {
- const DOMElement* impl=saml::XML::getFirstChildElement(
- props->getElement(),ShibTargetConfig::SHIBTARGET_NS,Implementation
- );
- if (impl && (impl=saml::XML::getFirstChildElement(impl,ShibTargetConfig::SHIBTARGET_NS,Apache))) {
- const XMLCh* flag=impl->getAttributeNS(NULL,apacheConfig);
- if (flag && (*flag==chDigit_1 || *flag==chLatin_t))
- g_bApacheConf=true;
- }
- }
- }
- catch (...) {
- ap_log_error(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,s,
- "shib_post_config() failed to initialize SHIB Target");
- exit (1);
- }
-
- // Set the cleanup handler
- apr_pool_cleanup_register(pconf, NULL, shib_exit, NULL);
-
- ap_log_error(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,0,s,"shib_post_config() done");
-
- return OK;
-}
-
-extern "C" void shib_register_hooks (apr_pool_t *p)
-{
- ap_hook_post_config(shib_post_config, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_check_user_id(shib_check_user, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_auth_checker(shib_auth_checker, NULL, NULL, APR_HOOK_FIRST);
- ap_hook_handler(shib_post_handler, NULL, NULL, APR_HOOK_LAST);
-}
-
-// SHIB Module commands
-
-extern "C" {
-static command_rec shib_cmds[] = {
- AP_INIT_TAKE1("ShibConfig",
- (config_fn_t)ap_set_global_string_slot, &g_szSHIBConfig,
- RSRC_CONF, "Path to shibboleth.xml config file."),
- AP_INIT_TAKE1("ShibSchemaDir",
- (config_fn_t)ap_set_global_string_slot, &g_szSchemaDir,
- RSRC_CONF, "Path to Shibboleth XML schema directory."),
-
- AP_INIT_FLAG("ShibBasicHijack", (config_fn_t)ap_set_flag_slot,
- (void *) offsetof (shib_dir_config, bBasicHijack),
- OR_AUTHCFG, "Respond to AuthType Basic and convert to shib?"),
- AP_INIT_FLAG("ShibRequireSession", (config_fn_t)ap_set_flag_slot,
- (void *) offsetof (shib_dir_config, bRequireSession),
- OR_AUTHCFG, "Initiates a new session if one does not exist."),
- AP_INIT_FLAG("ShibExportAssertion", (config_fn_t)ap_set_flag_slot,
- (void *) offsetof (shib_dir_config, bExportAssertion),
- OR_AUTHCFG, "Export SAML assertion to Shibboleth-defined header?"),
- AP_INIT_TAKE1("AuthGroupFile", (config_fn_t)ap_set_file_slot,
- (void *) offsetof (shib_dir_config, szAuthGrpFile),
- OR_AUTHCFG, "text file containing group names and member user IDs"),
- AP_INIT_FLAG("ShibRequireAll", (config_fn_t)ap_set_flag_slot,
- (void *) offsetof (shib_dir_config, bRequireAll),
- OR_AUTHCFG, "All require directives must match!"),
-
- {NULL}
-};
-
-module AP_MODULE_DECLARE_DATA mod_shib = {
- STANDARD20_MODULE_STUFF,
- create_shib_dir_config, /* create dir config */
- merge_shib_dir_config, /* merge dir config --- default is to override */
- NULL, /* create server config */
- NULL, /* merge server config */
- shib_cmds, /* command table */
- shib_register_hooks /* register hooks */
-};
-} // extern "C"