📄 mod_cspace.c
字号:
} return UNAUTHORIZED_REDIRECT(r, dir_cfg->redir_uri);}static int process_token(const char *buf, request_rec *r, cspace_svr_cfg *svr_cfg){ int state = FAIL; process_context_t *ctx = NULL; cspace_log_error(buf, APLOG_DEBUG, r->server);#ifdef CSPACE_DEBUG fprintf(stderr, "TOKEN: %s\n", buf);#endif /*TODO: create with pool allocator*/ ctx = cspace_process_context_create_default(); if (!ctx) { cspace_log_error("process context could not be created", APLOG_ERR, r->server); return HTTP_INTERNAL_SERVER_ERROR; } cspace_process_context_set_key_file(ctx, svr_cfg->key_file); if (svr_cfg->ca_file) cspace_process_context_set_ca_file(ctx, svr_cfg->ca_file); cspace_process_context_set_logger(ctx, cspace_log_error, r->server); cspace_process_context_set_header_callback(ctx, &set_header, (void*)(r->subprocess_env)); /*is the pool necessary here? YES (look at the set_header fn)*/ cspace_process_context_set_header_callback_context(ctx, (void *)(r->pool)); /*MAGIC: 9 == strlen("xmlToken=")*/ state = cspace_process_request(ctx, buf + 9); /* should not be necessary... * when only only pool allocators are used*/ cspace_process_context_free(ctx); return state;}#if 0static int is_valid_ppid(const char *ppid, const char *uri, const char *dso_filename, apr_pool_t *p){ apr_status_t rv; apr_dso_handle_sym_t sym = NULL; apr_dso_handle_t *hand = NULL; int (*func)(const char*, const char *); /*ppid, uri*/ char *fname = NULL; if (!ppid || !dso_filename) return FAIL; apr_filepath_merge(&fname, NULL, dso_filename, 0, p); rv = apr_dso_load(&hand, dso_filename, p); if (rv) { /*read error using: apr_dso_error(hand, char [128], 128)*/ /*log error*/ apr_dso_unload(hand); return FAIL; } rv = apr_dso_sym(&sym, hand, "validate_ppid"); if (rv) { /*read error using: apr_dso_error(hand, char [128], 128)*/ /*log error*/ apr_dso_unload(hand); return FAIL; } /*is it meaningful to do a if(func)?*/ func = (int (*)(const char *, const char *))sym; rv = (*func)(ppid, uri); apr_dso_unload(hand); return rv;}static X509 *x509_create_with_buffer(unsigned char *input, int length){ BIO *b64, *bmem; X509 *x509 = NULL; char *buffer = (char *)malloc(length); memset(buffer, 0, length); b64 = BIO_new(BIO_f_base64()); BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); bmem = BIO_new_mem_buf(input, length); bmem = BIO_push(b64, bmem); x509 = d2i_X509_bio(bmem, NULL); BIO_free_all(bmem); free(buffer); return x509;}static int is_valid_cert(const char *cert, const char *uri, const char *dso_filename, apr_pool_t *p){ X509 *x509; apr_status_t rv; apr_dso_handle_sym_t sym = NULL; apr_dso_handle_t *hand = NULL; int (*func)(X509 *, const char *); /*ppid, uri*/ char *fname = NULL; if (!cert || !dso_filename) return FAIL; x509 = x509_create_with_buffer((unsigned char *)cert, strlen(cert)); if (!x509) return FAIL; apr_filepath_merge(&fname, NULL, dso_filename, 0, p); rv = apr_dso_load(&hand, dso_filename, p); if (rv) { /*read error using: apr_dso_error(hand, char [128], 128)*/ /*log error*/ apr_dso_unload(hand); return FAIL; } rv = apr_dso_sym(&sym, hand, "validate_cert"); if (rv) { /*read error using: apr_dso_error(hand, char [128], 128)*/ /*log error*/ apr_dso_unload(hand); return FAIL; } /*is it meaningful to do a if(func)?*/ func = (int (*)(X509 *, const char *))sym; rv = (*func)(x509, uri); apr_dso_unload(hand); return rv;}#endif/*#define DUMMY_VALIDATOR_PATH "dummy_ppid_validator.so"*/ static int handle_session_nosso(request_rec *r, cspace_dir_cfg *dir_cfg, cspace_svr_cfg *svr_cfg){ char *session_id; int valid_session; int status; char *buf = NULL; int ret = -1; const char *auth_state; char *cookies = NULL; void *session_ctx = NULL; if (excluded_uri(r->uri, dir_cfg->login_page)) return OK; status = get_cookie(r, &cookies); if (status == HTTP_INTERNAL_SERVER_ERROR) { cspace_log_error("Could not retrieve the session cookie", APLOG_NOTICE, r->server); return status; } session_ctx = session_ctx_create(r->pool, dir_cfg->session_file, svr_cfg->session_expire); if ((cookies) && (session_id = get_session_id_from_cookies(cookies))) { if ((valid_session = handle_session(session_id, SESSION_ID_LEN, session_ctx))) return OK; } /*NB: should we return HTTP_METHOD_NOT_ALLOWED if not POST?*/ /* TODO: make the argument (tag identifying login page) a config option */ if ((cspace_login_arg_avail(r)) && (r->method_number == M_POST)) { if (cspace_read_request(r, &buf, &ret)) { /*TODO:DONE xmlToken can be different! yet another config option*/ if ((buf) && (buf = ap_strstr(buf, dir_cfg->xml_token))) { int state = FAIL; char *tmp = buf; /*remove any trailing params*/ while (*tmp && *tmp != '&') { tmp++; } *tmp = '\0'; cspace_decode_url((char *)buf); state = process_token(buf, r, svr_cfg); /*check the return state*/ auth_state = apr_table_get(r->subprocess_env, CARDSPACE_HEADER_PFX CARDSPACE_HEADER_STATE); if ((auth_state) && (strcmp(auth_state, CARDSPACE_STATE_SUCCESS) == 0)) { const char *issuer = NULL; const char *ppid = NULL; const char *cert = NULL; int allowed_flag = FAIL; ppid = apr_table_get(r->subprocess_env, CARDSPACE_HEADER_PFX CARDSPACE_HEADER_PPID); cert = apr_table_get(r->subprocess_env, CARDSPACE_HEADER_PFX CARDSPACE_HEADER_CERTIFICATE); issuer = apr_table_get(r->subprocess_env, CARDSPACE_HEADER_PFX CARDSPACE_HEADER_ISSUER); if (!svr_cfg->validator) { /* if the validator is not present assume cert by default*/ svr_cfg->validator = "cert"; } allowed_flag = validate_with_op_mode(svr_cfg->validator, r->uri, issuer, ppid, cert, svr_cfg->validator_data, r->pool); if (allowed_flag) { if (!gen_session(SESSION_ID_LEN, session_ctx, &session_id)) return HTTP_INTERNAL_SERVER_ERROR; if (session_id) set_cookie(r, session_id); /*log success/failure of this*/ return OK; } else { return UNAUTHORIZED_REDIRECT(r, dir_cfg->redir_uri); }#if 0 validate_using_ppid = 0; /*TODO: remove magic*/ if (validate_using_ppid) { const char *ppid; ppid = apr_table_get(r->subprocess_env, CARDSPACE_HEADER_PPID); if (is_valid_ppid(ppid, r->uri, DUMMY_VALIDATOR_PATH, r->pool)) { if (!gen_session(SESSION_ID_LEN, session_ctx, &session_id)) return HTTP_INTERNAL_SERVER_ERROR; if (session_id) set_cookie(r, session_id); /*log success/failure of this*/ return OK; } } else { /*do not check ppids*/ const char *cert; cert = apr_table_get(r->subprocess_env, CARDSPACE_HEADER_CERTIFICATE); if (is_valid_cert(cert, r->uri, DUMMY_VALIDATOR_PATH, r->pool)) { if (!gen_session(SESSION_ID_LEN, session_ctx, &session_id)) return HTTP_INTERNAL_SERVER_ERROR; if (session_id) set_cookie(r, session_id); /*log success/failure of this*/ return OK; } }#endif } else { return UNAUTHORIZED_REDIRECT(r, dir_cfg->redir_uri); } } } else {#ifdef CSPACE_DEBUG printf("ERR: request null! can't read?");#endif cspace_log_error("could not extract the token from the request", APLOG_NOTICE, r->server); if (ret != OK) return ret; } } return UNAUTHORIZED_REDIRECT(r, dir_cfg->redir_uri);}static int handle_nosession_nosso(request_rec *r, cspace_dir_cfg *dir_cfg, cspace_svr_cfg *svr_cfg){ char *buf = NULL; int ret = -1; /*NB: should we return HTTP_METHOD_NOT_ALLOWED if not POST?*/ /* TODO: make the argument (tag identifying login page) a config option */ if ((cspace_login_arg_avail(r)) && (r->method_number == M_POST)) { if (cspace_read_request(r, &buf, &ret)) { /*TODO: xmlToken can be different! yet another config option*/ if ((buf) && (buf = ap_strstr(buf, dir_cfg->xml_token))) { int state = FAIL; char *tmp = buf; /*remove any trailing params*/ while (*tmp && *tmp != '&') { tmp++; } *tmp = '\0'; cspace_decode_url((char *)buf); state = process_token(buf, r, svr_cfg); if (state) return OK; } } else {#ifdef CSPACE_DEBUG printf("ERR: request null! can't read?");#endif cspace_log_error("could not extract the token from the request", APLOG_NOTICE, r->server); /*Should it be UNAUTHORIZED_REDIRECT(r, dir_cfg->redir_uri) that should go here*/ if (ret != OK) return ret; } } return OK;}static int cspace_access_check(request_rec *r){ cspace_dir_cfg *dir_cfg = NULL; cspace_svr_cfg *svr_cfg = NULL; dir_cfg = (cspace_dir_cfg *)ap_get_module_config(r->per_dir_config, &cspace_module); svr_cfg = (cspace_svr_cfg *)ap_get_module_config(r->server->module_config, &cspace_module);#ifdef CSPACE_DEBUG printf("\n\n\nCSPACE_ACCESS_CHECK\n"); cfg_svr_printf("\tsvr cfg:", svr_cfg, "\n"); cfg_dir_printf("\tdir cfg:", dir_cfg, "\n"); printf("\tURI: %s\n\n\n\n", r->uri);#endif if (!(dir_cfg->use_cspace_auth)) return DECLINED; if (strcmp(ap_http_scheme(r), "https") != 0) { cspace_log_error("https scheme expected for cardspace requests", APLOG_NOTICE, r->server); return UNAUTHORIZED_REDIRECT(r, dir_cfg->redir_uri); } /*Don't send us CARDSPACE headers*/ if (!check_valid_headers(r)) { cspace_log_error("client sent cardspace headers. denied access", APLOG_NOTICE, r->server); return UNAUTHORIZED_REDIRECT(r, dir_cfg->redir_uri); } if (dir_cfg->session && !dir_cfg->session_overridden) { if (dir_cfg->sso) { return handle_session_sso(r, dir_cfg, svr_cfg); } else { return handle_session_nosso(r, dir_cfg, svr_cfg); } } else { /*do not perform session_handling*/ if (dir_cfg->sso) { return handle_nosession_sso(r, dir_cfg, svr_cfg); } else { return handle_nosession_nosso(r, dir_cfg, svr_cfg); } } /* unreachable code*/ /* return UNAUTHORIZED_REDIRECT(r, dir_cfg->redir_uri); */}/*char data[] = "MIIDRDCCAq2gAwIBAgIJAIhSvW2QQbDDMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYDVQQGEwJMSzEQMA4GA1UECBMHV2VzdGVybjEeMBwGA1UEChMVV1NPMiBMYW5rYSAoUHZ0KSBMdGQuMREwDwYDVQQLEwhTZWN1cml0eTEiMCAGA1UEAxMZV1NPMiBJZGVudGl0eSBTb2x1dGlvbiBDQTEkMCIGCSqGSIb3DQEJARYVaWRlbnRpdHktZGV2QHdzbzIub3JnMB4XDTA3MDkyODEyNTkzNloXDTI0MDMwMjEyNTkzNlowezELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDTALBgNVBAoTBFdTTzIxGjAYBgNVBAsTEUlkZW50aXR5IFNvbHV0aW9uMR0wGwYDVQQDExRpZGVudGl0eS5say53c28yLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwUgh+jegaVAoCBbYg9gsUzxlpoD7UeX3R39rMpqQpAsTtCC7Jks1CCpF1jFttyPcXagRoOL6xXAbpjKyyzU08DoC8Gsnzlmj8nyPw1n8hr5e1g+5ZMxf7S+P5Op7QzASoQUQhMyEOlM24KtombTsg+0YZV4g7YndauDckNSIGlUCAwEAAaOBrTCBqjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUOq/5DXiozYJeuwbT8VFH3rHjoVYwHwYDVR0jBBgwFoAU2NAfBYUWO847BEWZGDwwBtsmB2swLwYJYIZIAYb4QgEEBCIWIGh0dHA6Ly9jYS5pcy53c28yLm9yZy9jYS1jcmwucGVtMA0GCSqGSIb3DQEBBQUAA4GBAANDXhknYtcrXReWSkvkUJgUvfEWlBnB93SUC8G5JYjojDCjGYeb3kSVJGtUqO3U4M3iXNFJHdoVD7ytrNSoR9KlbSsk5OXeK/zSIZ9Dj18NMeAXk6nIu8Zj4sbN6MIDhHBCpR9T3lUe4JmkgNp78l/eibH9btEq/e+mp5UXVcQ/";*/static int cspace_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s){ cspace_process_context_init(); return OK;}static void cspace_reg_hooks(apr_pool_t *p){ ap_hook_post_config(cspace_post_config, NULL, NULL, APR_HOOK_MIDDLE); /*ap_hook_child_init(cspace_child_init, NULL, NULL, APR_HOOK_MIDDLE);*/ ap_hook_access_checker(cspace_access_check, NULL, NULL, APR_HOOK_FIRST);}module AP_MODULE_DECLARE_DATA cspace_module = { STANDARD20_MODULE_STUFF, cspace_dir_cfg_create, cspace_dir_cfg_merge, cspace_svr_cfg_create, cspace_svr_cfg_merge, cspace_cmds, cspace_reg_hooks};⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -