From 35616e937a86621bcb202497417174ce617e1ed8 Mon Sep 17 00:00:00 2001 From: Kevin Sandy Date: Thu, 28 May 2020 10:45:44 -0400 Subject: [PATCH 1/2] Separate HTTP headers from subprocess environment --- README.md | 22 ++++--- mod_auth_memcookie.c | 133 +++++++++++++++++++++++++++++-------------- 2 files changed, 104 insertions(+), 51 deletions(-) diff --git a/README.md b/README.md index 9f94945..0581e9e 100644 --- a/README.md +++ b/README.md @@ -154,15 +154,21 @@ This option can be used in `location` or `directory` apache context. Set to `on` to set session information to http header of the authenticated users, is set to `off` by default. Each session field are sended to backend. - Each session field name are prefixed by `Auth_memCookie_SetSessionHTTPHeaderPrefix` changed to uppercase. + Each session field name are prefixed by `Auth_memCookie_SetSessionPrefix` changed to uppercase. -- **Auth_memCookie_SetSessionHTTPHeaderEncode** +- **Auth_memCookie_SetSessionSubprocessEnv** - Set to `on` to mime64 encode session information to http header, is set to `off` by default. + Set to `on` to set session information to subprocess environment of the authenticated users, is set to `off` by default. + Each session field is set in the local web server environment. + Each session field name are prefixed by `Auth_memCookie_SetSessionPrefix` changed to uppercase. -- **Auth_memCookie_SetSessionHTTPHeaderPrefix** +- **Auth_memCookie_SetSessionEncode** - Set HTTP header prefix, is set to `MCAC_` by default. + Set to `on` to mime64 encode session information to http header and subprocess environment, is set to `off` by default. + +- **Auth_memCookie_SetSessionPrefix** + + Set prefix for header and subprocess environment key names, is set to `MCAC_` by default. - **Auth_memCookie_CookieName** @@ -216,10 +222,10 @@ This option can be used in `location` or `directory` apache context. The application recieve this information: - `REMOTE_USER` are set to the user logged name -- `AUTHMEMCOOKIE_PREFIX` are set to value of `Auth_memCookie_SetSessionHTTPHeaderPrefix` +- `AUTHMEMCOOKIE_PREFIX` are set to value of `Auth_memCookie_SetSessionPrefix` - `AUTHMEMCOOKIE_AUTH` are set to `yes` when protected, `no` when in public zone. -And all session field (prefixed by `Auth_memCookie_SetSessionHTTPHeaderPrefix`/`AUTHMEMCOOKIE_PREFIX`) if `Auth_memCookie_SetSessionHTTPHeader` is `on`. +And all session field (prefixed by `Auth_memCookie_SetSessionPrefix`/`AUTHMEMCOOKIE_PREFIX`) if `Auth_memCookie_SetSessionHTTPHeader` or `Auth_memCookie_SetSessionSubprocessEnv` is `on`. And if `Auth_memCookie_SilmulateAuthBasic` is set, they recieve also this `$_SERVER` variable : @@ -250,7 +256,7 @@ The module add some [`Require`/`authz`](https://httpd.apache.org/docs/2.4/mod/mo They make possible to specify public access zone. - In that zone authenticated or not are granted but authenticated can send session information to backend depend on `Auth_memCookie_SetSessionHTTPHeader` flag. + In that zone authenticated or not are granted but authenticated can send session information to backend depend on `Auth_memCookie_SetSessionHTTPHeader` and `Auth_memCookie_SetSessionSubprocessEnv` flags. ``` diff --git a/mod_auth_memcookie.c b/mod_auth_memcookie.c index 006cb95..834b7da 100644 --- a/mod_auth_memcookie.c +++ b/mod_auth_memcookie.c @@ -62,8 +62,9 @@ typedef struct { int nAuth_memCookie_MemcacheObjectExpiryReset; int nAuth_memCookie_SetSessionHTTPHeader; - int nAuth_memCookie_SetSessionHTTPHeaderEncode; - char * szAuth_memCookie_SetSessionHTTPHeaderPrefix; + int nAuth_memCookie_SetSessionSubprocessEnv; + int nAuth_memCookie_SetSessionEncode; + char * szAuth_memCookie_SetSessionPrefix; int nAuth_memCookie_SessionTableSize; char * szAuth_memCookie_CookieName; @@ -359,6 +360,50 @@ char* strupr(char* s) return s; } +/************************************************************** + * + * Auth_memCookie_DoSetSubprocessEnv + * + * Set session information in the subprocess environment table + * + *************************************************************/ +static int Auth_memCookie_DoSetSubprocessEnv(void *rec, const char *szKey, const char *szValue) +{ + strAuth_memCookie_config_rec *conf = NULL; + request_rec *r = (request_rec*)rec; + char *szKeyName = NULL; + char *szKeyValue = NULL; + + /* get apache config */ + conf = ap_get_module_config(r->per_dir_config, &mod_auth_memcookie_module); + + /* prefix each variable with "szAuth_memCookie_SetSessionPrefix" (by default MCAC_) */ + szKeyName = apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionPrefix,szKey,NULL); + strupr(szKeyName); + + if (conf->nAuth_memCookie_SetSessionEncode) { + /* alloc memory for the estimated encode size of the string */ + szKeyValue = (char*)apr_palloc(r->pool,apr_base64_encode_len(strlen(szValue))+1); + unless (szKeyValue) { + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "memory alloc for encoding subprocess env failed!"); + return 0; + } + + /* encode string in base64 format */ + apr_base64_encode(szKeyValue,szValue,strlen(szValue)); + } + else + { + szKeyValue = (char*)szValue; + } + + /* set key in subprocess environment */ + apr_table_setn(r->subprocess_env,szKeyName,szKeyValue); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "Set subprocess env %s=%s", szKeyName,szKeyValue); + + return 1; +} + /*************************************************************** * * Auth_memCookie_DoSetHeader @@ -375,11 +420,11 @@ static int Auth_memCookie_DoSetHeader(void*rec,const char *szKey, const char *sz /* get apache config */ conf = ap_get_module_config(r->per_dir_config, &mod_auth_memcookie_module); - /* prefix each variable with "szAuth_memCookie_SetSessionHTTPHeaderPrefix" (by default MCAC_) */ - char*szHeaderName=apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix,szKey,NULL); + /* prefix each variable with "szAuth_memCookie_SetSessionPrefix" (by default MCAC_) */ + char*szHeaderName=apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionPrefix,szKey,NULL); strupr(szHeaderName); - if (conf->nAuth_memCookie_SetSessionHTTPHeaderEncode) { + if (conf->nAuth_memCookie_SetSessionEncode) { /* alloc memory for the estimated encode size of the string */ szB64_enc_string=(char*)apr_palloc(r->pool,apr_base64_encode_len(strlen(szValue))+1); unless (szB64_enc_string) { @@ -391,14 +436,12 @@ static int Auth_memCookie_DoSetHeader(void*rec,const char *szKey, const char *sz apr_base64_encode(szB64_enc_string,szValue,strlen(szValue)); /* set string header */ - apr_table_setn(r->subprocess_env,szHeaderName,(char*)szB64_enc_string); apr_table_setn(r->headers_in,szHeaderName,(char*)szB64_enc_string); ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "Send HTTP Header %s=%s", szHeaderName,szB64_enc_string); } else { /* set string header */ - apr_table_setn(r->subprocess_env,szHeaderName,(char*)szValue); apr_table_setn(r->headers_in,szHeaderName,(char*)szValue); ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "Send HTTP Header %s=%s", szHeaderName,szValue); } @@ -540,28 +583,26 @@ static int Auth_memCookie_check_cookie(request_rec *r) } } + /* add session data to the subprocess environment */ + if (conf->nAuth_memCookie_SetSessionSubprocessEnv) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "nAuth_memCookie_SetSessionSubprocessEnv is set then set subprocess environment..."); + apr_table_do(Auth_memCookie_DoSetSubprocessEnv,r,pAuthSession,NULL); + apr_table_setn(r->subprocess_env, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionPrefix,"SESSIONKEY",NULL),szCookieValue); + apr_table_setn(r->subprocess_env,"AUTHMEMCOOKIE_PREFIX",conf->szAuth_memCookie_SetSessionPrefix); + apr_table_setn(r->subprocess_env,"AUTHMEMCOOKIE_AUTH","yes"); + apr_table_setn(r->subprocess_env,"REMOTE_USER",apr_table_get(pAuthSession,"UserName")); + } + /* send http header of the session value to the backend */ if (conf->nAuth_memCookie_SetSessionHTTPHeader) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "nAuth_memCookie_SetSessionHTTPHeader is set then send http header..."); apr_table_do(Auth_memCookie_DoSetHeader,r,pAuthSession,NULL); + apr_table_setn(r->headers_in, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionPrefix,"SESSIONKEY",NULL),szCookieValue); + apr_table_setn(r->headers_in,"AUTHMEMCOOKIE_PREFIX",conf->szAuth_memCookie_SetSessionPrefix); + apr_table_setn(r->headers_in,"AUTHMEMCOOKIE_AUTH","yes"); + apr_table_setn(r->headers_in,"REMOTE_USER",apr_table_get(pAuthSession,"UserName")); } - /* set MCAC_SESSIONKEY var for scripts language */ - apr_table_setn(r->subprocess_env, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix,"SESSIONKEY",NULL),szCookieValue); - apr_table_setn(r->headers_in, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix,"SESSIONKEY",NULL),szCookieValue); - - /* HTTP Header Prefix */ - apr_table_setn(r->subprocess_env,"AUTHMEMCOOKIE_PREFIX",conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix); - apr_table_setn(r->headers_in,"AUTHMEMCOOKIE_PREFIX",conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix); - - /* cookie found the user is authentified */ - apr_table_setn(r->subprocess_env,"AUTHMEMCOOKIE_AUTH","yes"); - apr_table_setn(r->headers_in,"AUTHMEMCOOKIE_AUTH","yes"); - - /* set REMOTE_USER var for scripts language */ - apr_table_setn(r->subprocess_env,"REMOTE_USER",apr_table_get(pAuthSession,"UserName")); - apr_table_setn(r->headers_in,"REMOTE_USER",apr_table_get(pAuthSession,"UserName")); - /* log authorisation ok */ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "authentication ok"); @@ -610,24 +651,24 @@ static authz_status Auth_memCookie_public_authz_checker(request_rec *r, const ch return nReturn; } + /* set session data in the subprocess environment */ + if (conf->nAuth_memCookie_SetSessionHTTPHeader) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "nAuth_memCookie_SetSessionSubprocessEnv is set then set subprocess environment..."); + apr_table_do(Auth_memCookie_DoSetSubprocessEnv,r,pAuthSession,NULL); + apr_table_setn(r->subprocess_env, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionPrefix,"SESSIONKEY",NULL),szCookieValue); + apr_table_setn(r->subprocess_env,"AUTHMEMCOOKIE_PREFIX",conf->szAuth_memCookie_SetSessionPrefix); + apr_table_setn(r->subprocess_env,"AUTHMEMCOOKIE_AUTH","no"); + } + /* send http header of the session value to the backend */ if (conf->nAuth_memCookie_SetSessionHTTPHeader) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "nAuth_memCookie_SetSessionHTTPHeader is set then send http header..."); apr_table_do(Auth_memCookie_DoSetHeader,r,pAuthSession,NULL); + apr_table_setn(r->headers_in, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionPrefix,"SESSIONKEY",NULL),szCookieValue); + apr_table_setn(r->headers_in,"AUTHMEMCOOKIE_PREFIX",conf->szAuth_memCookie_SetSessionPrefix); + apr_table_setn(r->headers_in,"AUTHMEMCOOKIE_AUTH","no"); } - /* set MCAC_SESSIONKEY var for scripts language */ - apr_table_setn(r->subprocess_env, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix,"SESSIONKEY",NULL),szCookieValue); - apr_table_setn(r->headers_in, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix,"SESSIONKEY",NULL),szCookieValue); - - /* HTTP Header Prefix */ - apr_table_setn(r->subprocess_env,"AUTHMEMCOOKIE_PREFIX",conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix); - apr_table_setn(r->headers_in,"AUTHMEMCOOKIE_PREFIX",conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix); - - /* cookie found but they are in public zone */ - apr_table_setn(r->subprocess_env,"AUTHMEMCOOKIE_AUTH","no"); - apr_table_setn(r->headers_in,"AUTHMEMCOOKIE_AUTH","no"); - } return nReturn; } @@ -891,8 +932,9 @@ static void *create_Auth_memCookie_dir_config(apr_pool_t *p, char *d) conf->nAuth_memCookie_Authoritative = 1; /* is set by default */ conf->nAuth_memCookie_authbasicfix = 1; /* fix header for php auth by default */ conf->nAuth_memCookie_SetSessionHTTPHeader = 0; /* set session information in http header of authenticated user */ - conf->nAuth_memCookie_SetSessionHTTPHeaderEncode = 0; /* encode http header groups value by default */ - conf->szAuth_memCookie_SetSessionHTTPHeaderPrefix = apr_pstrdup(p,"MCAC_"); + conf->nAuth_memCookie_SetSessionSubprocessEnv = 0; /* set session information in subprocess env of authenticated user */ + conf->nAuth_memCookie_SetSessionEncode = 0; /* encode headers / session env values by default */ + conf->szAuth_memCookie_SetSessionPrefix = apr_pstrdup(p,"MCAC_"); conf->nAuth_memCookie_SessionTableSize=10; /* Max number of element in session information table, 10 by default */ conf->nAuth_memCookie_disable_no_store=0; /* no store cache option are the default */ #ifdef HAVE_MEMCACHED_SASL @@ -945,12 +987,15 @@ static const command_rec Auth_memCookie_cmds[] = AP_INIT_FLAG ("Auth_memCookie_SetSessionHTTPHeader", ap_set_flag_slot, (void *)APR_OFFSETOF(strAuth_memCookie_config_rec, nAuth_memCookie_SetSessionHTTPHeader), OR_AUTHCFG, "Set to 'on' to set session information to http header of the authenticated users, is set 'off' by default"), - AP_INIT_FLAG ("Auth_memCookie_SetSessionHTTPHeaderEncode", ap_set_flag_slot, - (void *)APR_OFFSETOF(strAuth_memCookie_config_rec, nAuth_memCookie_SetSessionHTTPHeaderEncode), - OR_AUTHCFG, "Set to 'on' to mime64 encode session information to http header, is set 'off' by default"), - AP_INIT_TAKE1("Auth_memCookie_SetSessionHTTPHeaderPrefix", ap_set_string_slot, - (void *)APR_OFFSETOF(strAuth_memCookie_config_rec, szAuth_memCookie_SetSessionHTTPHeaderPrefix), - OR_AUTHCFG, "Set HTTP header prefix - set to 'MCAC_' by default"), + AP_INIT_FLAG ("Auth_memCookie_SetSessionSubprocessEnv", ap_set_flag_slot, + (void *)APR_OFFSETOF(strAuth_memCookie_config_rec, nAuth_memCookie_SetSessionSubprocessEnv), + OR_AUTHCFG, "Set to 'on' to set session information to subprocess environment of the authenticated users, is set 'off' by default"), + AP_INIT_FLAG ("Auth_memCookie_SetSessionEncode", ap_set_flag_slot, + (void *)APR_OFFSETOF(strAuth_memCookie_config_rec, nAuth_memCookie_SetSessionEncode), + OR_AUTHCFG, "Set to 'on' to mime64 encode session information to http header / subprocess environment, is set 'off' by default"), + AP_INIT_TAKE1("Auth_memCookie_SetSessionPrefix", ap_set_string_slot, + (void *)APR_OFFSETOF(strAuth_memCookie_config_rec, szAuth_memCookie_SetSessionPrefix), + OR_AUTHCFG, "Set session data key name prefix - set to 'MCAC_' by default"), AP_INIT_TAKE1("Auth_memCookie_CookieName", ap_set_string_slot, (void *)APR_OFFSETOF(strAuth_memCookie_config_rec, szAuth_memCookie_CookieName), OR_AUTHCFG, "Name of cookie to set"), @@ -1003,3 +1048,5 @@ module AP_MODULE_DECLARE_DATA mod_auth_memcookie_module = Auth_memCookie_cmds, /* command apr_table_t */ register_hooks /* register hooks */ }; + +/* vim: set noexpandtab tabstop=8 shiftwidth=2 : */ From 439bfbca537fe898dbbe01657cb47dcdcd3a0b36 Mon Sep 17 00:00:00 2001 From: Kevin Sandy Date: Thu, 28 May 2020 14:48:45 -0400 Subject: [PATCH 2/2] Fix SubprocessEnv check in Auth_memCookie_public_authz_checker --- mod_auth_memcookie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mod_auth_memcookie.c b/mod_auth_memcookie.c index 834b7da..9f69bc8 100644 --- a/mod_auth_memcookie.c +++ b/mod_auth_memcookie.c @@ -652,7 +652,7 @@ static authz_status Auth_memCookie_public_authz_checker(request_rec *r, const ch } /* set session data in the subprocess environment */ - if (conf->nAuth_memCookie_SetSessionHTTPHeader) { + if (conf->nAuth_memCookie_SetSessionSubprocessEnv) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, LOGTAG_PREFIX "nAuth_memCookie_SetSessionSubprocessEnv is set then set subprocess environment..."); apr_table_do(Auth_memCookie_DoSetSubprocessEnv,r,pAuthSession,NULL); apr_table_setn(r->subprocess_env, apr_pstrcat(r->pool,conf->szAuth_memCookie_SetSessionPrefix,"SESSIONKEY",NULL),szCookieValue);