Update multi-backend branch and resolve merge conflicts. #1

Closed
wants to merge 129 commits into from

Conversation

studersi

This pull request resolves the merge conflicts of the following pull request: apereo#36.

Josh Hoyt and others added 30 commits September 20, 2011 13:41
<https://issues.jasig.org/browse/MAS-60>:

* Use ap_getword_conf to tokenize the Require directive. This means
  that attribute specifications can use any character (including
  whitespace). For example:

    Require cas-attribute "last-name:de Soto"

* Pass a reference to the struct of attributes that's parsed out of
  the SAML response in order to do authorization rather than using
  attributes serialized into a notes field. This eliminates ambiguity
  due to serialization, as well as being more efficient.

* Factor out the routine that evaluates an attribute specification
  against the set of attributes. This improves readability as well as
  testability. Also, be explicit about exactly what will match an
  attribute specification, and the behavior in the face of ambiguity.
…tributes

The parameter was incorrectly set to the request_rec pointer itself
rather than the request_config field of the request. Depending on
Apache's configuration, this resulted in different parts of the
request structure being overwritten with the attribute pointer. In
many cases, it worked correctly by accident. This change correctly
uses the request_config conf_vector for ap_get/set_module_config.

In addition to that change, cas_get_attributes also works better in a
subrequest: if no attributes are found in the subrequest, it will look
in the parent request for attributes.
…n the

config file, but no actual attributes are specified.

had to add <openssl/crypto.h> in includes to get module to compile on 64-bit
system (regression testing needed - did I break 32-bit?)

started adding hooks for unit testing cas-attribute parsing and enforcement
…h_cas into folini-authz

Conflicts:
	README
	src/mod_auth_cas.c
	src/mod_auth_cas.h
…g-free GCC compiles.

Had to pull in some attribute parsing code from apache to get authz unit tests to go through.
antsar and others added 28 commits January 6, 2016 20:29
Setting the CASTimeout option to 0 should allow a non-idle session to not expire. Instead, it initiated an endless redirect loop to the CAS server and back. This happened because the CAS cache file was instantly deleted upon being created. This commit prevents the cache from being deleted when CASTimeout is set to 0.
This allows "Satisfy Any" and the 2.4-style multiple Require(Any|All)
lines to work properly.

The Apache 2.4 docs say the following about ap_hook_check_authn():

This hook is used to analyze the request headers, authenticate the user,
and set the user information in the request record (r->user and
r->ap_auth_type). This hook is only run when Apache determines that
authentication/authorization is required for this resource (as
determined by the 'Require' directive). It runs after the access_checker
hook, and before the auth_checker hook. This hook should be registered
with ap_hook_check_authn(). If "Satisfy any" is in effect, this hook may
be skipped.

AUTHZ_DENIED_NO_USER needs to be returned in cas_check_authorization()
in case the user hasn't been authenticated yet.

Add stub for ap_hook_check_authn().
Use ap_hook_check_authn() instead of ap_hook_check_access().
Add note that CASAuthoritative isn't available when using Apache 2.4.
Issue apereo#106. Allow per-module loglevel configuration.
Fixed redirect loop with CASTimeout=0
[Feature] Support CASv2 Attributes
CASv2 attributes may need to be scrubbed now.
Following the approach for converting //Response/Assertion/AuthenticationStatement/AuthenticationMethod in the SAML 1 response to a CAS attribute, this will convert //Response/Assertion/AuthenticationStatement/AuthenticationInstant as well.
…attr

Add AuthenticationInstant as CAS attribute in samlValidate
CASValidateSAML is defined in the RSRC_CONF context.
'int flags' was added to the end of the module_struct.
Move CASValidateSAML to "Valid Server/VirtualHost Directives".
Also add this logging for SAML attributes.
It's no longer SAML-only; also clarify SAML vs. CAS protocols where
appropriate.

Note that attributes are not set in HTTP headers unless CASAuthNHeader
is set.

Mention that Apache 2.4 drops headers containing underscores.
log attributes at debug; improve attribute documentation
# Conflicts:
#	src/mod_auth_cas.c
#	src/mod_auth_cas.h
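
An added example, not code from mod_auth_cas or from this pull request: a simplified C model of the MAS-60 commit message above, in which a quoted `Require cas-attribute` word is kept whole and matched against structured attributes rather than a serialized string. The tokenizer only approximates the quoting that `ap_getword_conf` provides; splitting on the first colon, exact matching and "any spec on the line matches" are assumptions, and every struct and function name is hypothetical.

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical in-memory attribute: a name and a NULL-terminated value list. */
struct attr { const char *name; const char *values[4]; };

/* Constructed sample of attributes parsed out of a validation response. */
static const struct attr SAMPLE[] = {
    { "last-name", { "de Soto", NULL } },
    { "role", { "staff", "admin", NULL } },
};

/* Copy the next word of the directive arguments into out. A double-quoted
 * word may contain whitespace. An over-long word becomes "" (matches nothing). */
static bool next_word(const char **line, char *out, size_t cap) {
    const char *p = *line;
    size_t n = 0;
    bool fits = true;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0') return false;
    char quote = (*p == '"') ? *p++ : '\0';
    for (; *p && (quote ? *p != quote : (*p != ' ' && *p != '\t')); p++)
        if (n + 1 < cap) out[n++] = *p; else fits = false;
    if (quote && *p == quote) p++;
    out[fits ? n : 0] = '\0';
    *line = p;
    return true;
}

/* "name:value" matches when the text before the first colon equals an
 * attribute name exactly and the rest equals one of its values exactly. */
static bool spec_matches(const char *spec, const struct attr *attrs, size_t count) {
    const char *colon = strchr(spec, ':');
    if (colon == NULL || colon == spec) return false;
    size_t name_len = (size_t)(colon - spec);
    for (size_t i = 0; i < count; i++) {
        if (strlen(attrs[i].name) != name_len || strncmp(attrs[i].name, spec, name_len) != 0) continue;
        for (size_t v = 0; v < 4 && attrs[i].values[v] != NULL; v++)
            if (strcmp(attrs[i].values[v], colon + 1) == 0) return true;
    }
    return false;
}

/* Assumption: the requirement is met when any spec on the line matches. */
static bool require_allows(const char *args, const struct attr *attrs, size_t count) {
    char word[128];
    while (next_word(&args, word, sizeof word))
        if (spec_matches(word, attrs, count)) return true;
    return false;
}
```

Without the quotes, `last-name:de Soto` splits into two words and neither matches, which is why the whitespace-aware tokenization matters for values such as `de Soto`.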
studersi commented Oct 1, 2018

@bnoordhuis prefers that I create a pull request that directly targets the official project instead of his fork.

@studersi studersi closed this Oct 1, 2018
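
An added example, not code from mod_auth_cas or from this pull request: a simplified C model of the `CASTimeout` 0 redirect loop described in the commit message above, with the expiry test before and after the fix. The struct, the function names, the idle-timeout parameter and the hop limit are hypothetical, and the clock value is constructed.

```c
#include <stdbool.h>
#include <time.h>

/* Simplified model of a session cache entry (hypothetical, not the module's struct). */
struct session {
    time_t issued;      /* when the cache entry was created */
    time_t last_active; /* last request seen on this session */
};

/* Pre-fix behaviour as the commit message describes it: with timeout == 0 the
 * hard-expiry test is true for every entry, including one created this second. */
static bool expired_before_fix(const struct session *s, time_t now,
                               long timeout, long idle_timeout)
{
    return now - s->issued >= timeout || now - s->last_active >= idle_timeout;
}

/* Post-fix behaviour: timeout == 0 disables hard expiry; idle expiry still applies. */
static bool expired_after_fix(const struct session *s, time_t now,
                              long timeout, long idle_timeout)
{
    bool hard = timeout > 0 && now - s->issued >= timeout;
    bool idle = now - s->last_active >= idle_timeout;
    return hard || idle;
}

/* Count redirects to the CAS server for one request. Each time the fresh
 * entry is judged expired it is deleted and the browser is sent back to log
 * in again. max_hops stands in for the browser's redirect limit. */
static int redirects_for_request(bool (*expired)(const struct session *, time_t, long, long),
                                 long timeout, long idle_timeout, int max_hops)
{
    time_t now = 1000;  /* constructed clock value */
    int hops = 0;
    while (hops < max_hops) {
        struct session s = { now, now };  /* entry created after a successful login */
        if (!expired(&s, now, timeout, idle_timeout))
            break;                        /* session accepted, content served */
        hops++;                           /* entry deleted, redirect again */
    }
    return hops;
}
```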