Added class/decl support to authz plugins, also added reserved user rule to XML plugin.
authorcantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Thu, 4 Oct 2007 17:06:09 +0000 (17:06 +0000)
committercantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Thu, 4 Oct 2007 17:06:09 +0000 (17:06 +0000)
git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@2529 cb58f699-b61c-0410-a6fe-9272a202ed29

apache/mod_apache.cpp
shibsp/impl/XMLAccessControl.cpp

index a7a60a7..ef42915 100644 (file)
@@ -1003,6 +1003,26 @@ AccessControl::aclresult_t htAccessControl::authorized(const SPRequest& request,
                 }
             }
         }
+        else if (!strcmp(w,"authnContextClassRef")) {
+            const char* ref = session->getAuthnContextClassRef();
+            while (ref && *t) {
+                w=ap_getword_conf(sta->m_req->pool,&t);
+                if (!strcmp(w, ref)) {
+                    request.log(SPRequest::SPDebug, string("htAccessControl plugin accepting authnContextClassRef (") + w + ")");
+                    SHIB_AP_CHECK_IS_OK;
+                }
+            }
+        }
+        else if (!strcmp(w,"authnContextDeclRef")) {
+            const char* ref = session->getAuthnContextDeclRef();
+            while (ref && *t) {
+                w=ap_getword_conf(sta->m_req->pool,&t);
+                if (!strcmp(w, ref)) {
+                    request.log(SPRequest::SPDebug, string("htAccessControl plugin accepting authnContextDeclRef (") + w + ")");
+                    SHIB_AP_CHECK_IS_OK;
+                }
+            }
+        }
         else {
             // Map alias in rule to the attribute.
             if (!session) {
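Review bot: Both new branches call `session->getAuthnContextClassRef()` and `session->getAuthnContextDeclRef()` without testing `session`, while the unchanged `else` branch directly below opens with `if (!session) {`, which suggests the pointer can be null at this point in the require loop. If that is the case, a `require authnContextClassRef ...` line evaluated for a request that has no session would dereference a null pointer in the authorization path instead of simply not matching. Guarding the lookup, e.g. `const char* ref = session ? session->getAuthnContextClassRef() : NULL;` (and the same for the DeclRef branch), lets the existing `while (ref && *t)` condition skip the comparison so the rule is not accepted. The enclosing function starts and continues outside the hunk, so an earlier session check cannot be ruled out from here.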
index 123dbc6..f82d955 100644 (file)
@@ -158,6 +158,36 @@ AccessControl::aclresult_t Rule::authorized(const SPRequest& request, const Sess
         return shib_acl_false;\r
     }\r
     \r
+    if (m_alias == "user") {\r
+        for (vector<string>::const_iterator i=m_vals.begin(); i!=m_vals.end(); ++i) {\r
+            if (*i == request.getRemoteUser()) {\r
+                request.log(SPRequest::SPDebug, string("AccessControl plugin expecting REMOTE_USER (") + *i + "), authz granted");\r
+                return shib_acl_true;\r
+            }\r
+        }\r
+        return shib_acl_false;\r
+    }\r
+    else if (m_alias == "authnContextClassRef") {\r
+        const char* ref = session->getAuthnContextClassRef();\r
+        for (vector<string>::const_iterator i=m_vals.begin(); ref && i!=m_vals.end(); ++i) {\r
+            if (!strcmp(i->c_str(),ref)) {\r
+                request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextClassRef (") + *i + "), authz granted");\r
+                return shib_acl_true;\r
+            }\r
+        }\r
+        return shib_acl_false;\r
+    }\r
+    else if (m_alias == "authnContextDeclRef") {\r
+        const char* ref = session->getAuthnContextDeclRef();\r
+        for (vector<string>::const_iterator i=m_vals.begin(); ref && i!=m_vals.end(); ++i) {\r
+            if (!strcmp(i->c_str(),ref)) {\r
+                request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextDeclRef (") + *i + "), authz granted");\r
+                return shib_acl_true;\r
+            }\r
+        }\r
+        return shib_acl_false;\r
+    }\r
+\r
     // Find the attribute(s) matching the require rule.\r
     pair<multimap<string,const Attribute*>::const_iterator, multimap<string,const Attribute*>::const_iterator> attrs =\r
         session->getIndexedAttributes().equal_range(m_alias);\r
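Review bot: The three new branches turn `user`, `authnContextClassRef` and `authnContextDeclRef` into reserved aliases that return before the attribute lookup below, but nothing in the code says so. After this change a Rule whose alias is one of those names can never be matched against a session attribute with the same alias, which is a silent behaviour change for an existing access-control policy. I would add a comment above `if (m_alias == "user") {` such as `// Reserved aliases: evaluated against REMOTE_USER / the session's authn context and never against attributes of the same name.` The comparisons here are exact and case-sensitive, unlike the attribute path further down that honours `caseSensitive`; that is worth stating in the same comment so policy authors know what to expect.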
@@ -174,7 +204,7 @@ AccessControl::aclresult_t Rule::authorized(const SPRequest& request, const Sess
         for (vector<string>::const_iterator i=m_vals.begin(); i!=m_vals.end(); ++i) {\r
             for (vector<string>::const_iterator j=vals.begin(); j!=vals.end(); ++j) {\r
                 if ((caseSensitive && *i == *j) || (!caseSensitive && !strcasecmp(i->c_str(),j->c_str()))) {\r
-                    request.log(SPRequest::SPDebug, string("AccessControl plugin expecting ") + *j + ", authz granted");\r
+                    request.log(SPRequest::SPDebug, string("AccessControl plugin expecting (") + *j + "), authz granted");\r
                     return shib_acl_true;\r
                 }\r
             }\r