From fff2a454fa2b0fe38c90add5d75e450564bd6c79 Mon Sep 17 00:00:00 2001 From: Hans Zandbelt Date: Thu, 27 Mar 2014 20:18:52 +0100 Subject: [PATCH] initial import named mod_auth_openidc --- .gitignore | 9 + ChangeLog | 2 + LICENSE.txt | 202 +++ Makefile.in | 70 ++ README | 150 +++ autogen.sh | 3 + configure.ac | 55 + debian/auth_openidc.conf | 277 +++++ debian/auth_openidc.load | 1 + debian/changelog | 5 + debian/compat | 1 + debian/control | 16 + debian/copyright | 28 + debian/dirs | 3 + debian/docs | 2 + debian/libapache2-mod-auth-openidc.apache2 | 3 + debian/lintian-overrides | 2 + debian/rules | 23 + debian/source/format | 1 + src/.gitignore | 5 + src/apr_json.h | 156 +++ src/apr_json_decode.c | 695 +++++++++++ src/authz.c | 295 +++++ src/cache/.gitignore | 4 + src/cache/cache.h | 75 ++ src/cache/file.c | 474 +++++++ src/cache/memcache.c | 259 ++++ src/cache/shm.c | 350 ++++++ src/config.c | 1093 +++++++++++++++++ src/crypto.c | 366 ++++++ src/metadata.c | 999 +++++++++++++++ src/mod_auth_openidc.c | 1287 ++++++++++++++++++++ src/mod_auth_openidc.h | 316 +++++ src/oauth.c | 246 ++++ src/proto.c | 938 ++++++++++++++ src/session.c | 556 +++++++++ src/util.c | 1024 ++++++++++++++++ test/.gitignore | 1 + test/mod_auth_openidc.jmx | 788 ++++++++++++ test/users.txt | 3 + 40 files changed, 10783 insertions(+) create mode 100644 .gitignore create mode 100644 ChangeLog create mode 100644 LICENSE.txt create mode 100644 Makefile.in create mode 100644 README create mode 100755 autogen.sh create mode 100644 configure.ac create mode 100644 debian/auth_openidc.conf create mode 100644 debian/auth_openidc.load create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/dirs create mode 100644 debian/docs create mode 100644 debian/libapache2-mod-auth-openidc.apache2 create mode 100644 debian/lintian-overrides create mode 100755 debian/rules create mode 100644 debian/source/format create mode 100644 src/.gitignore create mode 100644 src/apr_json.h create mode 100644 src/apr_json_decode.c create mode 100644 src/authz.c create mode 100644 src/cache/.gitignore create mode 100644 src/cache/cache.h create mode 100644 src/cache/file.c create mode 100644 src/cache/memcache.c create mode 100644 src/cache/shm.c create mode 100644 src/config.c create mode 100644 src/crypto.c create mode 100644 src/metadata.c create mode 100644 src/mod_auth_openidc.c create mode 100644 src/mod_auth_openidc.h create mode 100644 src/oauth.c create mode 100644 src/proto.c create mode 100644 src/session.c create mode 100644 src/util.c create mode 100644 test/.gitignore create mode 100644 test/mod_auth_openidc.jmx create mode 100644 test/users.txt diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..9c5936c8 --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +/aclocal.m4 +/.cproject +/.project +/config.log +/config.status +/configure +/Makefile +/discover +/metadata diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 00000000..9697d472 --- /dev/null +++ b/ChangeLog @@ -0,0 +1,2 @@ +3/27/2014 +- initial import named mod_auth_openidc diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 00000000..d6456956 --- /dev/null +++ b/LICENSE.txt @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile.in b/Makefile.in new file mode 100644 index 00000000..cb77abbc --- /dev/null +++ b/Makefile.in @@ -0,0 +1,70 @@ + +# Source files. mod_auth_openidc.c must be the first file. +SRC=src/mod_auth_openidc.c \ + src/cache/file.c \ + src/cache/memcache.c \ + src/cache/shm.c \ + src/oauth.c \ + src/proto.c \ + src/crypto.c \ + src/config.c \ + src/util.c \ + src/authz.c \ + src/session.c \ + src/metadata.c \ + src/apr_json_decode.c + +# Files to include when making a .tar.gz-file for distribution +DISTFILES=$(SRC) \ + src/mod_auth_openidc.h \ + src/apr_json.h \ + src/cache/cache.h \ + configure \ + configure.ac \ + Makefile.in \ + autogen.sh \ + README \ + LICENSE.txt \ + ChangeLog + + +all: src/mod_auth_openidc.la + +src/mod_auth_openidc.la: $(SRC) src/mod_auth_openidc.h src/apr_json.h + @APXS2@ -Wc,"@OPENSSL_CFLAGS@ @CURL_CFLAGS@" -Wl,"@OPENSSL_LIBS@ @CURL_LIBS@" -Wc,-Wall -Wc,-g -c $(SRC) + + +# Building configure (for distribution) +configure: configure.ac + ./autogen.sh + +@NAMEVER@.tar.gz: $(DISTFILES) + tar -c --transform="s#^#@NAMEVER@/#" -vzf $@ $(DISTFILES) + + +.PHONY: install +install: src/mod_auth_openidc.la + @APXS2@ -i -n mod_auth_openidc src/mod_auth_openidc.la + +.PHONY: distfile +distfile: @NAMEVER@.tar.gz + +.PHONY: clean +clean: + rm -f src/mod_auth_openidc.la + rm -f src/*.o src/cache/*.o + rm -f src/*.lo src/cache/*.lo + rm -f src/*.slo src/cache/*.slo + rm -rf src/cache/.libs/ + rm -rf src/.libs/ + +.PHONY: distclean +distclean: clean + rm -f Makefile config.log config.status @NAMEVER@.tar.gz *~ \ + build-stamp config.guess config.sub + rm -rf debian/mod-auth_openidc + rm -f debian/files + +.PHONY: fullclean +fullclean: distclean + rm -f configure aclocal.m4 diff --git a/README b/README new file mode 100644 index 00000000..3b5f9d1e --- /dev/null +++ b/README @@ -0,0 +1,150 @@ +mod_auth_openidc is an Apache authentication/authorization module that allows an Apache +server to operate as an OpenID Connect Relying Party. + +It requires users to authenticate at an external OpenID Connect Identity Provider +using the OpenID Connect Basic Client or Implicit Client profile. + +It sets the REMOTE_USER variable to the id_token sub claim, other id_token claims +are passed in HTTP headers, together with those (optionally) obtained from the user info endpoint + +It allows for authorization rules (based on Requires primitive) that be matched against the +set of claims provided in the id_token/userinfo. + +It supports multiple OpenID Connect Providers by reading provider metadata files from a +metadata directory (set by OIDCMetadataDir). The provider metadata files must follow the +naming convention ".provider" (with the "https://" prefix stripped). + +It supports OpenID Connect Dynamic Client Registration by setting OIDCMetadataDir (which needs +to be writable for the Apache process in this case), a provider metadata file exists but for the +specified issuer, it contains a registration_endpoint setting, but no matching valid client +metadata (cq.".client") file can be found in the metadata directory. + +It supports OpenID Provider Discovery through account names (cq. @) by setting +OIDCMetadataDir (which needs to be writable for the Apache process in this case), and +calling (HTTP GET) the Redirect URI with a "oidc_acct" parameter that contains the user account +name (see sample config for multiple OPs and an external Discovery page below). + +Additionally it can operate as an OAuth 2.0 Resource Server to a PingFederate OAuth 2.0 +Authorization Server, cq. validate Bearer access_tokens against PingFederate. +In that case it sets the REMOTE_USER variable to the "Username" claim and matches the claims +in the intro-spected access_token against the Requires primitive. + +It implements server-side caching across different Apache processes through one of the following options: + a) file storage: in a temp directory - possibly a shared file system across multiple Apache servers + b) shared memory: shared across a single logical Apache server running in multiple Apache processes (mpm_prefork) on the same machine + c) memcache: shared across multiple Apache processes and servers, possibly across different memcache servers living on different machines + + + +Example config for using Google Apps as your OpenID Connect Provider: +(running on localhost and https://localhost/example/redirect_uri/ registered as redirect_uri for the client) +========================================================== +OIDCProviderIssuer accounts.google.com +OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?approval_prompt=force&[hd=] +OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token +OIDCProviderTokenEndpointAuth client_secret_post +OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect +OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs + +OIDCClientID +OIDCClientSecret + +OIDCScope "openid email profile" +OIDCRedirectURI https://localhost/example/redirect_uri/ +OIDCCryptoPassphrase + + + Authtype openid-connect + require valid-user + +========================================================== + + + +Another example using multiple OpenID Connect providers, which triggers OP discovery first: + +OIDCMetadataDir points to a directory that contains files that contain per-provider configuration +data. For each provider, there are 2 types of files in the directory: + .provider: +contains (standard) OpenID Connect Discovery OP JSON metadata where each name of the file is +the urlencoded issuer name of the OP that is decribed by the metadata in that file. + .client: +contains mod_auth_openidc specific JSON metadata (based on the OpenID Connect Client Registration +specification, with extensions) and the filename is the urlencoded issuer name of the OP that +this client is registered with. + +Sample client metdata for issuer https://localhost:9031, so client metadata filename is: +"https%3a%2f%2fmacbook%3a9031.client" +========================================================== +{ + "ssl_validate_server" : "Off", + "client_id" : "ac_oic_client", + "client_secret" : "abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication", + "scope" : "openid email profile", +} +========================================================== + +And the related mod_auth_openidc Apache config section: +========================================================== +OIDCMetadataDir /metadata + +OIDCRedirectURI https://localhost/example/redirect_uri/ +OIDCCryptoPassphrase + + + Authtype openid-connect + require valid-user + +========================================================== + +If you do not want to use the internal discovery page, you can have the user being redirected to +an external discovery page by setting "OIDCDiscoveryURL". That URL will be accessed with 2 parameters, +"oidc_callback" and "oidc_return" (both URLs). The "oidc_return" parameter needs to be returned to the +"oidc_callback" URL (again in the oidc_return parameter) together with an "oidc_provider" parameter that +contains the URL-encoded issuer value of the selected Provider, or a URL-encoded account name for OpenID +Connect Discovery purposes (aka. e-mail style identifier), or a domain name. + +Sample callback: + ${oidc_callback}?oidc_return=${oidc_return}&oidc_provider=[${issuer}|${domain}|${e-mail-style-account-name}] + + + +Another example config for using PingFederate as your OpenID OP and/or OAuth 2.0 Authorization +server, based on the OAuth 2.0 PlayGround 3.x default configuration and doing claims-based authorization. +(running on localhost and https://localhost/example/redirect_uri/ registerd as redirect_uri for the client "ac_oic_client") + +========================================================== +OIDCProviderIssuer https://macbook:9031 +OIDCProviderAuthorizationEndpoint https://macbook:9031/as/authorization.oauth2 +OIDCProviderTokenEndpoint https://macbook:9031/as/token.oauth2 +OIDCProviderTokenEndpointAuth client_secret_basic +OIDCProviderUserInfoEndpoint https://macbook:9031/idp/userinfo.openid +OIDCProviderJwksUri https://macbook:9031/pf/JWKS + +OIDCSSLValidateServer Off +OIDCClientID ac_oic_client +OIDCClientSecret abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication + +OIDCRedirectURI https://localhost/example/redirect_uri/ +OIDCCryptoPassphrase +OIDCScope "openid email profile" + +OIDCOAuthEndpoint https://macbook:9031/as/token.oauth2 +OIDCOAuthEndpointAuth client_secret_basic + +OIDCOAuthSSLValidateServer Off +OIDCOAuthClientID rs_client +OIDCOAuthClientSecret 2Federate + + + Authtype openid-connect + #require valid-user + require claim sub:joe + + + + Authtype oauth20 + #require valid-user + require claim Username:joe + +========================================================== diff --git a/autogen.sh b/autogen.sh new file mode 100755 index 00000000..832703fc --- /dev/null +++ b/autogen.sh @@ -0,0 +1,3 @@ +#!/bin/sh +autoreconf --force --install +rm -rf autom4te.cache/ diff --git a/configure.ac b/configure.ac new file mode 100644 index 00000000..bb24f513 --- /dev/null +++ b/configure.ac @@ -0,0 +1,55 @@ +AC_INIT([mod_auth_openidc],[1.0],[hzandbelt@pingidentity.com]) + +AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION()) + +# This section defines the --with-apxs2 option. +AC_ARG_WITH( + [apxs2], + [ --with-apxs2=PATH Full path to the apxs2 executable.], + [ + APXS2=${withval} + ],) + + +if test "x$APXS2" = "x"; then + # The user didn't specify the --with-apxs2-option. + + # Search for apxs2 in the specified directories + AC_PATH_PROG(APXS2, apxs2,, + /usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin) + + if test "x$APXS2" = "x"; then + # Didn't find apxs2 in any of the specified directories. + # Search for apxs instead. + AC_PATH_PROG(APXS2, apxs,, + /usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin) + fi + +fi + +# Test if $APXS2 exists and is an executable. +if test ! -x "$APXS2"; then + # $APXS2 isn't a executable file. + AC_MSG_ERROR([ +Could not find apxs2. Please specify the path to apxs2 +using the --with-apxs2=/full/path/to/apxs2 option. +The executable may also be named 'apxs'. +]) +fi + +# Replace any occurrences of @APXS2@ with the value of $APXS2 in the Makefile. +AC_SUBST(APXS2) + +# We need the curl library for HTTP callouts. +PKG_CHECK_MODULES(CURL, libcurl) +AC_SUBST(CURL_CFLAGS) +AC_SUBST(CURL_LIBS) + +# We need OpenSSL for crypto and HTTPS callouts. +PKG_CHECK_MODULES(OPENSSL, openssl) +AC_SUBST(OPENSSL_CFLAGS) +AC_SUBST(OPENSSL_LIBS) + +# Create Makefile from Makefile.in +AC_CONFIG_FILES([Makefile]) +AC_OUTPUT diff --git a/debian/auth_openidc.conf b/debian/auth_openidc.conf new file mode 100644 index 00000000..e90db9de --- /dev/null +++ b/debian/auth_openidc.conf @@ -0,0 +1,277 @@ +######################################################################################## +# +# Common Settings +# +######################################################################################## + +# (Mandatory) +# The redirect_uri for this OpenID Connect client; must point to a path on your server +# protected by this module but does not front/return any actual content. +#OIDCRedirectURI https://www.example.com/protected/redirect_uri + +# (Mandatory) +# Set a password for crypto purposes, used in state and (optionally) by-value session cookies. +#OIDCCryptoPassphrase + +# (Optional) +# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client +# Registration and account-based OP Discovery. +# Directory that holds metadata files (must be writable for the Apache process/user) +# When not specified, it is assumed that we use a single statically configured provider +# as described under the section "OpenID Connect Provider" below. +OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata + + +######################################################################################## +# +# (Optional) +# +# OpenID Connect Client +# +# Settings used by the client in communication with the OpenID Connect Provider(s), +# cq. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access. +# +######################################################################################## + +# (Optional) +# Require a valid SSL server certificate when communicating with the OP. +# (cq. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint) +# When not defined, the default value is "On". +# NB: this can be overridden on a per-client basis in the client metadata using the proprietary key: ssl_validate_server +#OIDCSSLValidateServer [On|Off] + +# (Optional) +# The response type (or OpenID Connect Flow) used: must be one of \"code\", \"id_token\", or \"id_token token\". +# (this serves as default value for discovered OPs too) +# When not defined the "code" response type is used. +#OIDCResponseType [code|id_token|id_token token] + +# (Optional) +# Only used for a single static provider has been configured, see below in OpenID Connect Provider. +# Client identifier used in calls to the statically configured OpenID Connect Provider. +#OIDCClientID + +# (Optional) +# Only used for a single static provider has been configured, see below in OpenID Connect Provider. +# Client secret used in calls to the statically configured OpenID Connect Provider. +# (not used/required in the Implicit Client Profile, cq. when OIDCResponseType is "code") +#OIDCClientSecret + +# (Optional) +# The client name that the client registers in dynamic registration with the OP. +# When not defined, no client name will be sent with the registration request. +#OIDCClientName + +# (Optional) +# The contacts that the client registers in dynamic registration with the OP. +# Must be formatted as e-mail addresses by specification. +# Single value only; when not defined, no contact e-mail address will be sent with the registration request. +#OIDCClientContact + +# (Optional) +# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile"). +# When not defined, the bare minimal scope "openid" is used. +# NB: this can be overridden on a per-client basis in the client metadata using the proprietary key: scope +#OIDCScope + +######################################################################################## +# +# (Optional) +# +# OpenID Connect Provider +# +# When configuration a single static provider and not using OpenID Connect Provider Discovery. +# +######################################################################################## + +# OpenID Connect Provider issuer identifier (eg. https://localhost:9031 or accounts.google.com) +#OIDCProviderIssuer + +# OpenID Connect Provider Authorization Endpoint URL (eg. https://localhost:9031/as/authorization.oauth2) +#OIDCProviderAuthorizationEndpoint + +# OpenID Connect Provider JWKS URL (eg. https://localhost:9031/pf/JWKS) +# cq. the URL on which the signing keys for this OP are hosted, in JWK formatting +#OIDCProviderJwksUri + +# (Optional) +# OpenID Connect Provider Token Endpoint URL (eg. https://localhost:9031/as/token.oauth2) +#OIDCProviderTokenEndpoint + +# (Optional) +# Authentication method for the OpenID OP Token Endpoint (eg. "client_secret_basic" or "client_secret_post") +# When not defined the default method from the specification is used, cq. "client_secret_basic". +#OIDCProviderTokenEndpointAuth + +# (Optional) +# OpenID Connect Provider UserInfo Endpoint URL (eg. https://localhost:9031/idp/userinfo.openid) +# When not defined no claims will be resolved from such endpoint. +#OIDCProviderUserInfoEndpoint + +######################################################################################## +# +# (Optional) +# +# OAuth 2.0 Settings +# +# Used when this module functions as a Resource Server against a PingFederate Authorization +# Server, validating Bearer reference tokens. +# +######################################################################################## + +# Client identifier used in token validation calls to the OAuth 2.0 Authorization server. +#OIDCOAuthClientID + +# Client secret used in token validation calls to the OAuth 2.0 Authorization server. +#OIDCOAuthClientSecret + +# OAuth 2.0 Authorization Server token validation endpoint (eg. https://localhost:9031/as/token.oauth2) +#OIDCOAuthEndpoint + +# (Optional) +# Authentication method for the OAuth 2.0 Authorization Server validation endpoint, +# cq. either "client_secret_basic" or "client_secret_post; when not defined "client_secret_basic" is used. +#OIDCOAuthEndpointAuth + +# (Optional) +# Require a valid SSL server certificate when communicating with the Authorization Server. +# (cq. on the token validation endpoint) +# When not defined, the default value is "On". +#OIDCOAuthSSLValidateServer [On|Off] + + +######################################################################################## +# +# (Optional) +# +# Cache Settings +# +######################################################################################## + +# (Optional) +# Cache type, used for temporary storage that is shared across Apache processes/servers for: +# a) session state +# b) issued nonce values to prevent replay attacks +# c) validated OAuth 2.0 tokens +# d) JWK sets that have been retrieved from jwk_uri's +# must be one of \"file\", \"memcache\" or \"shm\". When not defined, "file" is used. +#OIDCCacheType [file|memcache|shm] + +# (Optional) +# When using OIDCCacheType "file": +# Directory that holds cache files for session state and validated OAuth 2.0 tokens +# (must be writable for the Apache process/user) +# When not specified a system defined temporary directory (/tmp) will be used. +#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache + +# (Optional) +# When using OIDCCacheType "file": +# Cache file clean interval in seconds (only triggered on writes). +# When not specified a default of 60 seconds is used. +# OIDCCacheFileCleanInterval + +# (Optional) +# Required when using OIDCCacheType "memcache": +# Specifies the memcache servers used for caching (space separated list of [:] tuples) +#OIDCMemCacheServers ([:])+ + +# (Optional) +# When using OIDCCacheType "shm": +# Specifies the maximum number of name/value pair entries that can be cached. +# When not specified, a default of 500 entries is used. +# OIDCCacheShmMax + +######################################################################################## +# +# (Optional) +# +# Advanced Settings +# +######################################################################################## + +# (Optional) +# OpenID Connect session storage type. +# "file" uses file based server-side caching storage. +# "cookie" uses browser-side sessions stored in a cookie. +# When not defined the default "file" is used. +#OIDCSessionType [file|cookie] + +# (Optional) +# Defines an external OP Discovery page. That page will be called with: +# ?oidc_return=&oidc_callback= +# +# An Issuer selection can be passed back to the callback URL as in: +# ?oidc_return=&oidc_provider=[${issuer}|${domain}|${e-mail-style-account-name}] +# where the parameter contains the URL-encoded issuer value of +# the selected Provider, or a URL-encoded account name for OpenID +# Connect Discovery purposes (aka. e-mail style identifier), or a domain name. +# +# When not defined the bare-bones internal OP Discovery page is used. +#OIDCDiscoverURL + +# (Optional) +# The algorithm that the OP should use to sign the id_token (used only in dynamic client registration) +# When not defined the default is RS256. +#OIDCIDTokenAlg [RS256|RS384|RS512|PS256|PS384|PS512] + +# (Optional) +# the refresh interval in seconds for the JWKs key set that obtained from jwk_uris +# When not defined the default is 3600 seconds. +# NB: this can be overridden on a per-client basis in the client metadata using the proprietary key: jwks_refresh_interval +#OIDCJWKSRefreshInterval + +# (Optional) +# Acceptable offset (both before and after) for checking the \"iat\" (= issued at) timestamp in the id_token. +# When not defined the default is 600 seconds. +# NB: this can be overridden on a per-client basis in the client metadata using the proprietary key: idtoken_iat_slack +#OIDCIDTokenIatSlack + +# (Optional) +# Define the cookie name for the session cookie. +# When not defined the default is "mod-auth-connect". +#OIDCCookie + +# (Optional) +# Specify domain element for OIDC session cookie. +# When not defined the default is the server name. +#OIDCCookieDomain + +# (Optional) +# Define the cookie path for the session cookie. +# When not defined the default is the current path. +#OIDCCookiePath + +# (Optional) +# The prefix to use when setting claims in the HTTP headers. +# When not defined, the default "OIDC_CLAIM_" is used. +#OIDCClaimPrefix + +# (Optional) +# The delimiter to use when setting multi-valued claims in the HTTP headers. +# When not defined the default "," is used. +#OIDCClaimDelimiter + +# (Optional) +# Specify the HTTP header variable name to set with the name of the authenticated user, +# cq. the "sub" claim in the id_token. When not defined no such header is added. +#OIDCAuthNHeader + +# (Optional) +# Timeout in seconds for long duration HTTP calls. This is used for most outgoing calls. +# When not defined the default of 60 seconds is used. +#OIDCHTTPTimeoutLong + +# (Optional) +# Timeout in seconds for short duration HTTP calls; used for Client Registration and OP Discovery calls. +# When not defined the default of 5 seconds is used. +#OIDCHTTPTimeoutShort + +# (Optional) +# Time to live in seconds for state parameter cq. the interval in which the authorization request +# and the corresponding response need to be completed. When not defined the default of 300 seconds is used. +#OIDCStateTimeout + +# (Optional) +# Scrub user name and claim headers (as configured above) from the user's request. +# The default is "On"; use "Off" only for testing and debugging because it renders your system insecure. +#OIDCScrubRequestHeaders [On|Off] \ No newline at end of file diff --git a/debian/auth_openidc.load b/debian/auth_openidc.load new file mode 100644 index 00000000..64ea879a --- /dev/null +++ b/debian/auth_openidc.load @@ -0,0 +1 @@ +LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000..1c4bb20b --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +libapache2-auth-openidc (1.0) unstable; urgency=low + + * Initial release under new name and flag. + + -- Hans Zandbelt Wed, 27 Mar 2014 21:00:00 +0100 diff --git a/debian/compat b/debian/compat new file mode 100644 index 00000000..45a4fb75 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +8 diff --git a/debian/control b/debian/control new file mode 100644 index 00000000..1fd07dd3 --- /dev/null +++ b/debian/control @@ -0,0 +1,16 @@ +Source: libapache2-mod-auth-openidc +Priority: extra +Maintainer: Hans Zandbelt +Build-Depends: debhelper (>= 8.0.0), autotools-dev, dh-apache2, apache2-dev, libcurl3-dev +Standards-Version: 3.9.4 +Section: web +Homepage: https://github.com/pingidentity/mod_auth_openidc +#Vcs-Git: https://github.com/pingidentity/mod_auth_openidc.git + +Package: libapache2-mod-auth-openidc +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: OpenID Connect authentication module for Apache + mod_auth_openidc is an Apache module that enables you to authenticate + users of a web site against an OpenID Connect Identity Provider. It can grant + access to paths and provide attributes to other modules and applications. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 00000000..f3f6513d --- /dev/null +++ b/debian/copyright @@ -0,0 +1,28 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: mod-auth-openidc +Upstream-Contact: Hans Zandbelt +Source: https://github.com/pingidentity/mod_auth_openidc + +Files: * +Copyright: 2013-2014 Hans Zandbelt +License: Apache-2.0 + +Files: debian/* +Copyright: 2014 Hans Zandbelt +License: Apache-2.0 + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the complete text of the Apache License 2.0 can + be found in "/usr/share/common-licenses/Apache-2.0" diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 00000000..617efef8 --- /dev/null +++ b/debian/dirs @@ -0,0 +1,3 @@ +usr/lib/apache2/modules +var/cache/apache2/mod_auth_openidc +var/cache/apache2/mod_auth_openidc/metadata diff --git a/debian/docs b/debian/docs new file mode 100644 index 00000000..fc82724a --- /dev/null +++ b/debian/docs @@ -0,0 +1,2 @@ +README +ChangeLog diff --git a/debian/libapache2-mod-auth-openidc.apache2 b/debian/libapache2-mod-auth-openidc.apache2 new file mode 100644 index 00000000..fc5f37f3 --- /dev/null +++ b/debian/libapache2-mod-auth-openidc.apache2 @@ -0,0 +1,3 @@ +mod src/.libs/mod_auth_openidc.so +mod debian/auth_openidc.load +mod debian/auth_openidc.conf diff --git a/debian/lintian-overrides b/debian/lintian-overrides new file mode 100644 index 00000000..4f586c66 --- /dev/null +++ b/debian/lintian-overrides @@ -0,0 +1,2 @@ +libapache2-mod-auth-openidc: non-standard-dir-perm var/cache/apache2/mod_auth_openidc/ 0700 != 0755 +libapache2-mod-auth-openidc: non-standard-dir-perm var/cache/apache2/mod_auth_openidc/metadata/ 0700 != 0755 diff --git a/debian/rules b/debian/rules new file mode 100755 index 00000000..58ccc1e9 --- /dev/null +++ b/debian/rules @@ -0,0 +1,23 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +%: + dh $@ --with apache2 + +override_dh_apache2: + dh_apache2 --noscripts + +override_dh_auto_install: + +override_dh_fixperms: + dh_fixperms + chown -R www-data debian/libapache2-mod-auth-openidc/var/cache/apache2/mod_auth_openidc + chmod -R go= debian/libapache2-mod-auth-openidc/var/cache/apache2/mod_auth_openidc diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 00000000..89ae9db8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) diff --git a/src/.gitignore b/src/.gitignore new file mode 100644 index 00000000..4f7a508b --- /dev/null +++ b/src/.gitignore @@ -0,0 +1,5 @@ +/*.lo +/*.o +/*.slo +/*.la +/.libs diff --git a/src/apr_json.h b/src/apr_json.h new file mode 100644 index 00000000..1361ae0d --- /dev/null +++ b/src/apr_json.h @@ -0,0 +1,156 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef APR_JSON_H +#define APR_JSON_H + +/** + * @file apr_json.h + * @brief APR-JSON routines + */ + +#include "apr.h" +#include "apr_pools.h" +#include "apr_tables.h" +#include "apr_hash.h" +#include "apr_strings.h" +#include "apr_buckets.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @defgroup APR_JSON JSON functions + * @{ + */ + +/** + * APJ_DECLARE_EXPORT is defined when building the APR-JSON dynamic library, + * so that all public symbols are exported. + * + * APJ_DECLARE_STATIC is defined when including the APR-JSON public headers, + * to provide static linkage when the dynamic library may be unavailable. + * + * APJ_DECLARE_STATIC and APJ_DECLARE_EXPORT are left undefined when + * including the APR-JSON public headers, to import and link the symbols from + * the dynamic APR-JSON library and assure appropriate indirection and calling + * conventions at compile time. + */ + +#if defined(DOXYGEN) || !defined(WIN32) +/** + * The public APR-JSON functions are declared with APJ_DECLARE(), so they may + * use the most appropriate calling convention. Public APR functions with + * variable arguments must use APJ_DECLARE_NONSTD(). + */ +#define APJ_DECLARE(type) type +/** + * The public APR-JSON functions using variable arguments are declared with + * APJ_DECLARE_NONSTD(), as they must use the C language calling convention. + */ +#define APJ_DECLARE_NONSTD(type) type +/** + * The public APR-JSON variables are declared with APJ_DECLARE_DATA. + * This assures the appropriate indirection is invoked at compile time. + * + * @note APJ_DECLARE_DATA extern type apr_variable; syntax is required for + * declarations within headers to properly import the variable. + */ +#define APJ_DECLARE_DATA +#else + +#if defined(APJ_MODULE_DECLARE_STATIC) +#define APJ_DECLARE(type) type __stdcall +#define APJ_DECLARE_NONSTD(type) type __cdecl +#define APJ_DECLARE_DATA +#elif defined(APJ_DECLARE_EXPORT) +#define APJ_DECLARE(type) __declspec(dllexport) type __stdcall +#define APJ_DECLARE_NONSTD(type) __declspec(dllexport) type __cdecl +#define APJ_DECLARE_DATA __declspec(dllexport) +#else +#define APJ_DECLARE(type) __declspec(dllimport) type __stdcall +#define APJ_DECLARE_NONSTD(type) __declspec(dllimport) type __cdecl +#define APJ_DECLARE_DATA __declspec(dllimport) +#endif + +#endif /* defined(DOXYGEN) || !defined(WIN32) */ + +/** + * Enum that represents the type of the given JSON value. + */ +typedef enum apr_json_type_e { + APR_JSON_OBJECT, + APR_JSON_ARRAY, + APR_JSON_STRING, + APR_JSON_LONG, + APR_JSON_DOUBLE, + APR_JSON_BOOLEAN, + APR_JSON_NULL +} apr_json_type_e; + +/** + * A structure to hold a JSON string. + */ +typedef struct apr_json_string_t { + /** pointer to the buffer */ + const char *p; + /** string length */ + apr_size_t len; +} apr_json_string_t; + +/** + * A structure that holds a JSON value. + */ +typedef struct apr_json_value_t { + /** type of the value */ + apr_json_type_e type; + /** actual value. which member is valid depends on type. */ + union { + apr_hash_t *object; + apr_array_header_t *array; + double dnumber; + long lnumber; + apr_json_string_t string; + int boolean; + } value; +} apr_json_value_t; + +/** + * Decode utf8-encoded JSON string into apr_json_value_t + * @param retval the result + * @param injson utf8-encoded JSON string. + * @param size length of the input string. + * @param pool pool used to allocate the result from. + */ +APJ_DECLARE(apr_status_t) apr_json_decode(apr_json_value_t **retval, const char *injson, apr_size_t size, apr_pool_t *pool); + +/** + * Encode data represented as apr_json_value_t to utf8-encoded JSON string + * and append it to the specified brigade + * @param brigade brigade the result will be appended to. + * @param json the JSON data. + * @param pool pool used to allocate the buckets from. + */ +APJ_DECLARE(void) apr_json_encode(apr_bucket_brigade *brigade, const apr_json_value_t *json, apr_pool_t *pool); + +/** @} */ + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#endif /* !APR_JSON_H */ diff --git a/src/apr_json_decode.c b/src/apr_json_decode.c new file mode 100644 index 00000000..b4cb308e --- /dev/null +++ b/src/apr_json_decode.c @@ -0,0 +1,695 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include "apr_json.h" + +typedef struct _json_link_t { + apr_json_value_t *value; + struct _json_link_t *next; +} json_link_t; + +typedef struct apr_json_scanner_t { + const char *p; + const char *e; + apr_pool_t *pool; +} apr_json_scanner_t; + +static apr_status_t apr_json_decode_value(apr_json_scanner_t *self, apr_json_value_t **retval); + +/* stolen from mod_mime_magic.c :) */ +/* Single hex char to int; -1 if not a hex char. */ +static int hex_to_int(int c) +{ + if (isdigit(c)) + return c - '0'; + if ((c >= 'a') && (c <= 'f')) + return c + 10 - 'a'; + if ((c >= 'A') && (c <= 'F')) + return c + 10 - 'A'; + return -1; +} + +static apr_ssize_t ucs4_to_utf8(char *out, int code) +{ + if (code < 0x00000080) { + out[0] = code; + return 1; + } else if (code < 0x00000800) { + out[0] = 0xc0 + (code >> 6); + out[1] = 0x80 + (code & 0x3f); + return 2; + } else if (code < 0x00010000) { + out[0] = 0xe0 + (code >> 12); + out[1] = 0x80 + ((code >> 6) & 0x3f) ; + out[2] = 0x80 + (code & 0x3f); + return 3; + } else if (code < 0x00200000) { + out[0] = 0xd0 + (code >> 18); + out[1] = 0x80 + ((code >> 12) & 0x3f); + out[2] = 0x80 + ((code >> 6) & 0x3f); + out[3] = 0x80 + (code & 0x3F); + return 4; + } + return -1; +} + +static apr_status_t apr_json_decode_string(apr_json_scanner_t *self, apr_json_string_t *retval) +{ + apr_status_t status = APR_SUCCESS; + apr_json_string_t string; + const char *p, *e; + char *q; + + if (self->p >= self->e) { + status = APR_EOF; + goto out; + } + + self->p++; //advance past the \" + string.len = 0; + for (p = self->p, e = self->e; p < e;) { + if (*p == '"') + break; + else if (*p == '\\') { + p++; + if (p >= e) { + status = APR_EOF; + goto out; + } + if (*p == 'u') { + if (p + 4 >= e) { + status = APR_EOF; + goto out; + } + p += 5; + string.len += 4; /* an UTF-8 character spans at most 4 bytes */ + break; + } else { + string.len++; + p++; + } + } + else { + string.len++; + p++; + } + } + + string.p = q = apr_pcalloc(self->pool, string.len + 1); + e = p; + +#define VALIDATE_UTF8_SUCCEEDING_BYTE(p) \ + if (*(unsigned char *)(p) < 0x80 || *(unsigned char *)(p) >= 0xc0) { \ + status = APR_EGENERAL; \ + goto out; \ + } + + for (p = self->p; p < e;) { + switch (*(unsigned char *)p) { + case '\\': + p++; + switch(*p) { + case 'u': + /* THIS IS REQUIRED TO BE A 4 DIGIT HEX NUMBER */ + { + int cp = 0; + while (p < e) { + int d = hex_to_int(*p); + if (d < 0) { + status = APR_EGENERAL; + goto out; + } + cp = (cp << 4) | d; + p++; + } + if (cp >= 0xd800 && cp < 0xdc00) { + /* surrogate pair */ + int sc = 0; + if (p + 6 > e) { + status = APR_EOF; + goto out; + } + if (p[0] != '\\' && p[1] != 'u') { + status = APR_EGENERAL; + goto out; + } + while (p < e) { + int d = hex_to_int(*p); + if (d < 0) { + status = APR_EGENERAL; + goto out; + } + sc = (sc << 4) | d; + p++; + } + cp = ((cp & 0x3ff) << 10) | (sc & 0x3ff); + if ((cp >= 0xd800 && cp < 0xe000) || (cp >= 0x110000)) { + status = APR_EGENERAL; + goto out; + } + } else if (cp >= 0xdc00 && cp < 0xe000) { + status = APR_EGENERAL; + goto out; + } + q += ucs4_to_utf8(q, cp); + } + break; + case '\\': + *q++ = '\\'; + p++; + break; + case '/': + *q++ = '/'; + p++; + break; + case 'n': + *q++ = '\n'; + p++; + break; + case 'r': + *q++ = '\r'; + p++; + break; + case 't': + *q++ = '\t'; + p++; + break; + case 'f': + *q++ = '\f'; + p++; + break; + case 'b': + *q++ = '\b'; + p++; + break; + case '"': + *q++ = '"'; + p++; + break; + default: + status = APR_EGENERAL; + goto out; + } + break; + + case 0xc0: case 0xc1: case 0xc2: case 0xc3: + case 0xc4: case 0xc5: case 0xc6: case 0xc7: + case 0xc8: case 0xc9: case 0xca: case 0xcb: + case 0xcc: case 0xcd: case 0xce: case 0xcf: + case 0xd0: case 0xd1: case 0xd2: case 0xd3: + case 0xd4: case 0xd5: case 0xd6: case 0xd7: + case 0xd8: case 0xd9: case 0xda: case 0xdb: + case 0xdc: case 0xdd: case 0xde: case 0xdf: + if (p + 1 >= e) { + status = APR_EOF; + goto out; + } + *q++ = *p++; + VALIDATE_UTF8_SUCCEEDING_BYTE(p); + *q++ = *p++; + break; + + case 0xe0: case 0xe1: case 0xe2: case 0xe3: + case 0xe4: case 0xe5: case 0xe6: case 0xe7: + case 0xe8: case 0xe9: case 0xea: case 0xeb: + case 0xec: case 0xed: case 0xee: case 0xef: + if (p + 2 >= e) { + status = APR_EOF; + goto out; + } + *q++ = *p++; + VALIDATE_UTF8_SUCCEEDING_BYTE(p); + *q++ = *p++; + VALIDATE_UTF8_SUCCEEDING_BYTE(p); + *q++ = *p++; + break; + + case 0xf0: case 0xf1: case 0xf2: case 0xf3: + case 0xf4: case 0xf5: case 0xf6: case 0xf7: + if (p + 3 >= e) { + status = APR_EOF; + goto out; + } + if (((unsigned char *)p)[0] >= 0xf5 || ((unsigned char *)p)[1] >= 0x90) { + status = APR_EGENERAL; + goto out; + } + *q++ = *p++; + VALIDATE_UTF8_SUCCEEDING_BYTE(p); + *q++ = *p++; + VALIDATE_UTF8_SUCCEEDING_BYTE(p); + *q++ = *p++; + VALIDATE_UTF8_SUCCEEDING_BYTE(p); + *q++ = *p++; + break; + + case 0xf8: case 0xf9: case 0xfa: case 0xfb: + if (p + 4 >= e) { + status = APR_EOF; + goto out; + } + status = APR_EGENERAL; + goto out; + + case 0xfc: case 0xfd: + if (p + 5 >= e) { + status = APR_EOF; + goto out; + } + status = APR_EGENERAL; + goto out; + + default: + *q++ = *p++; + break; + } + } +#undef VALIDATE_UTF8_SUCCEEDING_BYTE + *p++; /* eat the trailing '"' */ + *retval = string; +out: + self->p = p; + return status; +} + +static apr_status_t apr_json_decode_array(apr_json_scanner_t *self, apr_array_header_t **retval) +{ + apr_status_t status = APR_SUCCESS; + apr_pool_t *link_pool = NULL; + json_link_t *head = NULL, *tail = NULL; + apr_size_t count = 0; + + if ((status = apr_pool_create(&link_pool, self->pool))) + return status; + + if (self->p >= self->e) { + status = APR_EOF; + goto out; + } + + self->p++; /* toss of the leading [ */ + + for (;;) { + apr_json_value_t *element; + json_link_t *new_node; + + while (self->p < self->e && isspace(*(unsigned char *)self->p)) + self->p++; + + if (self->p == self->e) { + status = APR_EOF; + goto out; + } + + if (*self->p == ']') { + self->p++; + break; + } + + if ((status = apr_json_decode_value(self, &element))) { + status = APR_EGENERAL; + goto out; + } + + new_node = apr_pcalloc(link_pool, sizeof(json_link_t)); + new_node->value = element; + if (tail) { + tail->next = new_node; + } else { + head = new_node; + } + tail = new_node; + count++; + + while (self->p < self->e && isspace(*(unsigned char *)self->p)) + self->p++; + + if (self->p == self->e) { + status = APR_EOF; + goto out; + } + + if (*self->p == ',') { + self->p++; + } else if (*self->p != ']') { + status = APR_EGENERAL; + goto out; + } + } + + { + json_link_t *node; + apr_array_header_t *array = apr_array_make(self->pool, count, sizeof(apr_json_value_t *)); + for (node = head; node; node = node->next) + *((apr_json_value_t**)(apr_array_push(array))) = node->value; + *retval = array; + } +out: + if (link_pool) + apr_pool_destroy(link_pool); + return status; +} + +static apr_status_t apr_json_decode_object(apr_json_scanner_t *self, apr_hash_t **retval) +{ + apr_status_t status = APR_SUCCESS; + apr_hash_t *object = apr_hash_make(self->pool); + + if (self->p >= self->e) + return APR_EOF; + + self->p++; /* toss of the leading [ */ + + for (;;) { + apr_json_string_t name; + apr_json_value_t *value; + + while (self->p < self->e && isspace(*(unsigned char *)self->p)) + self->p++; + + if (self->p == self->e) { + status = APR_EOF; + goto out; + } + + if (*self->p == '}') { + self->p++; + break; + } + + if (*self->p != '"') { + status = APR_EGENERAL; + goto out; + } + + if ((status = apr_json_decode_string(self, &name))) + goto out; + + while (self->p < self->e && isspace(*(unsigned char *)self->p)) + self->p++; + + if (self->p == self->e) { + status = APR_EOF; + goto out; + } + + if (*self->p != ':') { + status = APR_EGENERAL; + goto out; + } + + self->p++; /* eat the ':' */ + + while (self->p < self->e && isspace(*(unsigned char *)self->p)) + self->p++; + + if (self->p == self->e) { + status = APR_EOF; + goto out; + } + + if ((status = apr_json_decode_value(self, &value))) + goto out; + + apr_hash_set(object, name.p, name.len, value); + + while (self->p < self->e && isspace(*(unsigned char *)self->p)) + self->p++; + + if (self->p == self->e) { + status = APR_EOF; + goto out; + } + + if (*self->p == ',') { + self->p++; + } else if (*self->p != '}') { + status = APR_EGENERAL; + goto out; + } + } + + *retval = object; +out: + return status; +} + +apr_status_t apr_json_decode_boolean(apr_json_scanner_t *self, int *retval) +{ + if (self->p >= self->e) + return APR_EOF; + + if (self->e - self->p >= 4 && strncmp("true", self->p, 4) == 0 && + (self->p == self->e || (!isalnum(((unsigned char *)self->p)[4]) && ((unsigned char *)self->p)[4] != '_'))) { + self->p += 4; + *retval = 1; + return APR_SUCCESS; + } else if (self->e - self->p >= 5 && strncmp("false", self->p, 5) == 0 && + (self->p == self->e || (!isalnum(((unsigned char *)self->p)[5]) && ((unsigned char *)self->p)[5] != '_'))) { + self->p += 5; + *retval = 0; + return APR_SUCCESS; + } + return APR_EGENERAL; +} + +apr_status_t apr_json_decode_number(apr_json_scanner_t *self, apr_json_value_t *retval) +{ + apr_status_t status = APR_SUCCESS; + int treat_as_float = 0, exp_occurred = 0; + const char *p = self->p, *e = self->e; + + if (p >= e) + return APR_EOF; + + { + unsigned char c = *(unsigned char *)p; + if (c == '-') { + p++; + if (p >= e) + return APR_EOF; + c = *(unsigned char *)p; + } + if (c == '.') { + p++; + if (p >= e) + return APR_EOF; + c = *(unsigned char *)p; + treat_as_float = 1; + } + if (!isdigit(c)) { + status = APR_EGENERAL; + goto out; + } + p++; + } + + if (!treat_as_float) { + while (p < e) { + unsigned char c = *(unsigned char *)p; + if (c == 'e' || c == 'E') { + p++; + if (p >= e) + return APR_EOF; + c = *(unsigned char *)p; + if (c == '-') { + p++; + if (p >= e) + return APR_EOF; + c = *(unsigned char *)p; + } + if (!isdigit(c)) { + status = APR_EGENERAL; + goto out; + } + treat_as_float = 1; + exp_occurred = 1; + break; + } + else if (c == '.') { + p++; + treat_as_float = 1; + break; + } + else if (!isdigit(c)) + break; + p++; + } + } else { + while (p < e) { + unsigned char c = *(unsigned char *)p; + if (c == 'e' || c == 'E') { + p++; + if (p >= e) + return APR_EOF; + c = *(unsigned char *)p; + if (c == '-') { + p++; + if (p >= e) + return APR_EOF; + c = *(unsigned char *)p; + } + if (!isdigit(c)) { + status = APR_EGENERAL; + goto out; + } + exp_occurred = 1; + break; + } + else if (!isdigit(c)) + break; + p++; + } + } + + if (treat_as_float) { + if (!exp_occurred) { + while (p < e) { + unsigned char c = *(unsigned char *)p; + if (c == 'e' || c == 'E') { + p++; + if (p >= e) + return APR_EOF; + c = *(unsigned char *)p; + if (c == '-') { + p++; + if (p >= e) + return APR_EOF; + c = *(unsigned char *)p; + } + if (!isdigit(c)) { + status = APR_EGENERAL; + goto out; + } + exp_occurred = 1; + break; + } + else if (!isdigit(c)) + break; + p++; + } + } + if (exp_occurred) { + if (p >= e || !isdigit(*(unsigned char *)p)) + return APR_EOF; + while (++p < e && isdigit(*(unsigned char *)p)); + } + } + + if (treat_as_float) { + retval->type = APR_JSON_DOUBLE; + retval->value.dnumber = strtod(self->p, NULL); + } else { + retval->type = APR_JSON_LONG; + retval->value.lnumber = strtol(self->p, NULL, 10); + } + +out: + self->p = p; + return status; +} + +apr_status_t apr_json_decode_null(apr_json_scanner_t *self) +{ + if (self->e - self->p >= 4 && strncmp("null", self->p, 4) == 0 && + (self->p == self->e || (!isalnum(((unsigned char *)self->p)[4]) && ((unsigned char *)self->p)[4] != '_'))) { + self->p += 4; + return APR_SUCCESS; + } + return APR_EGENERAL; +} + +static apr_status_t apr_json_decode_value(apr_json_scanner_t *self, apr_json_value_t **retval) +{ + apr_json_value_t value; + apr_status_t status; + + while (self->p < self->e && isspace(*(unsigned char *)self->p)) + self->p++; + + switch (*(unsigned char *)self->p) { + case '"': + value.type = APR_JSON_STRING; + status = apr_json_decode_string(self, &value.value.string); + break; + case '[': + value.type = APR_JSON_ARRAY; + status = apr_json_decode_array(self, &value.value.array); + break; + case '{': + value.type = APR_JSON_OBJECT; + status = apr_json_decode_object(self, &value.value.object); + break; + case 'n': + value.type = APR_JSON_NULL; + break; + case 't': + case 'f': + value.type = APR_JSON_BOOLEAN; + status = apr_json_decode_boolean(self, &value.value.boolean); + break; + case '-': + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + status = apr_json_decode_number(self, &value); + break; + default: + status = APR_EGENERAL; + break; + } + + if (status == APR_SUCCESS) { + *retval = apr_palloc(self->pool, sizeof(apr_json_value_t)); + **retval = value; + } + return status; +} + +apr_status_t apr_json_decode(apr_json_value_t **retval, const char *injson, apr_size_t injson_size, apr_pool_t *pool) +{ + apr_status_t status; + apr_pool_t *subpool; + apr_json_scanner_t scanner; + + if ((status = apr_pool_create(&subpool, pool))) + return status; + + scanner.p = injson; + scanner.e = injson + injson_size; + scanner.pool = subpool; + if ((status = apr_json_decode_value(&scanner, retval))) { + apr_pool_destroy(subpool); + return status; + } + while (scanner.p < scanner.e && isspace(*(unsigned char *)scanner.p)) + scanner.p++; + if (scanner.p != scanner.e) { + /* trailing craft */ + apr_pool_destroy(subpool); + return APR_EGENERAL; + } + return APR_SUCCESS; +} diff --git a/src/authz.c b/src/authz.c new file mode 100644 index 00000000..83a1ad0a --- /dev/null +++ b/src/authz.c @@ -0,0 +1,295 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * mostly copied from mod_auth_cas + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include +#include +#include + +#include "mod_auth_openidc.h" + +/* the name of the keyword that follows the Require primitive to indicate claims-based authorization */ +#define OIDC_REQUIRE_NAME "claim" + +/* + * see if a the Require value matches with a set of provided claims + */ +static apr_byte_t oidc_authz_match_claim(request_rec *r, + const char * const attr_spec, const apr_json_value_t * const claims) { + + apr_hash_index_t *hi; + const void *key; + apr_ssize_t klen; + void *hval; + + /* if we don't have any claims, they can never match any Require claim primitive */ + if (claims == NULL) + return FALSE; + + /* loop over all of the user claims */ + for (hi = apr_hash_first(r->pool, claims->value.object); hi; hi = + apr_hash_next(hi)) { + apr_hash_this(hi, &key, &klen, &hval); + + const char *attr_c = (const char *) key; + const char *spec_c = attr_spec; + + /* walk both strings until we get to the end of either or we find a differing character */ + while ((*attr_c) && (*spec_c) && (*attr_c) == (*spec_c)) { + attr_c++; + spec_c++; + } + + /* The match is a success if we walked the whole claim name and the attr_spec is at a colon. */ + if (!(*attr_c) && (*spec_c) == ':') { + const apr_json_value_t *val; + + val = ((apr_json_value_t *) hval); + + /* skip the colon */ + spec_c++; + + /* see if it is a string and it (case-insensitively) matches the Require'd value */ + if (val->type == APR_JSON_STRING) { + + if (apr_strnatcmp(val->value.string.p, spec_c) == 0) { + return TRUE; + } + + /* see if it is a boolean and it (case-insensitively) matches the Require'd value */ + } else if (val->type == APR_JSON_BOOLEAN) { + + if (apr_strnatcmp(val->value.boolean ? "true" : "false", spec_c) + == 0) { + return TRUE; + } + + /* if it is an array, we'll walk it */ + } else if (val->type == APR_JSON_ARRAY) { + + /* compare the claim values */ + int i = 0; + for (i = 0; i < val->value.array->nelts; i++) { + + apr_json_value_t *elem = + APR_ARRAY_IDX(val->value.array, i, apr_json_value_t *); + + if (elem->type == APR_JSON_STRING) { + /* + * approximately compare the claim value (ignoring + * whitespace). At this point, spec_c points to the + * NULL-terminated value pattern. + */ + if (apr_strnatcmp(elem->value.string.p, spec_c) == 0) { + return TRUE; + } + + } else if (elem->type == APR_JSON_BOOLEAN) { + + if (apr_strnatcmp( + elem->value.boolean ? "true" : "false", spec_c) + == 0) { + return TRUE; + } + + } else { + + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_authz_match_claim: unhandled in-array JSON object type [%d] for key \"%s\"", + elem->type, (const char *) key); + continue; + } + } + + } else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_authz_match_claim: unhandled JSON object type [%d] for key \"%s\"", + val->type, (const char *) key); + continue; + } + + } + /* TODO: a tilde (denotes a PCRE match). */ + //else if (!(*attr_c) && (*spec_c) == '~') { + } + return FALSE; +} + +/* + * Apache <2.4 authorizatio routine: match the claims from the authenticated user against the Require primitive + */ +int oidc_authz_worker(request_rec *r, const apr_json_value_t * const claims, + const require_line * const reqs, int nelts) { + const int m = r->method_number; + const char *token; + const char *requirement; + int i; + int have_oauthattr = 0; + int count_oauth_claims = 0; + + /* go through applicable Require directives */ + for (i = 0; i < nelts; ++i) { + + /* ignore this Require if it's in a section that exclude this method */ + if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) { + continue; + } + + /* ignore if it's not a "Require claim ..." */ + requirement = reqs[i].requirement; + + token = ap_getword_white(r->pool, &requirement); + + if (apr_strnatcasecmp(token, OIDC_REQUIRE_NAME) != 0) { + continue; + } + + /* ok, we have a "Require claim" to satisfy */ + have_oauthattr = 1; + + /* + * If we have an applicable claim, but no claims were sent in the request, then we can + * just stop looking here, because it's not satisfiable. The code after this loop will + * give the appropriate response. + */ + if (!claims) { + break; + } + + /* + * iterate over the claim specification strings in this require directive searching + * for a specification that matches one of the claims. + */ + while (*requirement) { + token = ap_getword_conf(r->pool, &requirement); + count_oauth_claims++; + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_authz_worker: evaluating claim specification: %s", + token); + + if (oidc_authz_match_claim(r, token, claims) == TRUE) { + + /* if *any* claim matches, then authorization has succeeded and all of the others are ignored */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_authz_worker: require claim " + "'%s' matched", token); + return OK; + } + } + } + + /* if there weren't any "Require claim" directives, we're irrelevant */ + if (!have_oauthattr) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_authz_worker: no claim statements found, not performing authz"); + return DECLINED; + } + /* if there was a "Require claim", but no actual claims, that's cause to warn the admin of an iffy configuration */ + if (count_oauth_claims == 0) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_authz_worker: 'require claim' missing specification(s) in configuration, declining"); + return DECLINED; + } + + /* log the event, also in Apache speak */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_authz_worker: authorization denied for client session"); + ap_note_auth_failure(r); + + return HTTP_UNAUTHORIZED; +} + +#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714 +/* + * Apache >=2.4 authorization routine: match the claims from the authenticated user against the Require primitive + */ +authz_status oidc_authz_worker24(request_rec *r, const apr_json_value_t * const claims, const char *require_args) { + + int count_oauth_claims = 0; + const char *t, *w; + + /* needed for anonymous authentication */ + if (r->user == NULL) return AUTHZ_DENIED_NO_USER; + + /* if no claims, impossible to satisfy */ + if (!claims) return AUTHZ_DENIED; + + /* loop over the Required specifications */ + t = require_args; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + + count_oauth_claims++; + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_authz_worker24: evaluating claim specification: %s", + w); + + /* see if we can match any of out input claims against this Require'd value */ + if (oidc_authz_match_claim(r, w, claims) == TRUE) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_authz_worker24: require claim " + "'%s' matched", w); + return AUTHZ_GRANTED; + } + } + + /* if there wasn't anything after the Require claims directive... */ + if (count_oauth_claims == 0) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_authz_worker24: 'require claim' missing specification(s) in configuration, denying"); + } + + return AUTHZ_DENIED; +} +#endif diff --git a/src/cache/.gitignore b/src/cache/.gitignore new file mode 100644 index 00000000..06327e77 --- /dev/null +++ b/src/cache/.gitignore @@ -0,0 +1,4 @@ +/*.lo +/*.o +/*.slo +/.libs diff --git a/src/cache/cache.h b/src/cache/cache.h new file mode 100644 index 00000000..677001f3 --- /dev/null +++ b/src/cache/cache.h @@ -0,0 +1,75 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * mem_cache-like interface and semantics (string keys/values) using a storage backend + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#ifndef _MOD_AUTH_CONNECT_CACHE_H_ +#define _MOD_AUTH_CONNECT_CACHE_H_ + +typedef void * (*oidc_cache_cfg_create)(apr_pool_t *pool); +typedef int (*oidc_cache_post_config_function)(server_rec *s); +typedef int (*oidc_cache_child_init_function)(apr_pool_t *p, server_rec *s); +typedef apr_byte_t (*oidc_cache_get_function)(request_rec *r, const char *key, const char **value); +typedef apr_byte_t (*oidc_cache_set_function)(request_rec *r, const char *key, const char *value, apr_time_t expiry); + +typedef struct oidc_cache_t { + oidc_cache_cfg_create create_config; + oidc_cache_post_config_function post_config; + oidc_cache_child_init_function child_init; + oidc_cache_get_function get; + oidc_cache_set_function set; +} oidc_cache_t; + +extern oidc_cache_t oidc_cache_file; +extern oidc_cache_t oidc_cache_memcache; +extern oidc_cache_t oidc_cache_shm; + +#endif /* _MOD_AUTH_CONNECT_CACHE_H_ */ diff --git a/src/cache/file.c b/src/cache/file.c new file mode 100644 index 00000000..b87ba933 --- /dev/null +++ b/src/cache/file.c @@ -0,0 +1,474 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * caching using a file storage backend + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include +#include +#include +#include + +#include +#include + +#include "../mod_auth_openidc.h" + +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +/* + * header structure that holds the metadata info for a cache file entry + */ +typedef struct { + /* length of the cached data */ + apr_size_t len; + /* cache expiry timestamp */ + apr_time_t expire; +} oidc_cache_file_info_t; + +/* + * prefix that distinguishes mod_auth_openidc cache files from other files in the same directory (/tmp) + */ +#define OIDC_CACHE_FILE_PREFIX "mod-auth-connect-" + +/* post config routine */ +int oidc_cache_file_post_config(server_rec *s) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(s->module_config, + &auth_openidc_module); + if (cfg->cache_file_dir == NULL) { + /* by default we'll use the OS specified /tmp dir for cache files */ + apr_temp_dir_get((const char **) &cfg->cache_file_dir, + s->process->pool); + } + return OK; +} + +/* + * return the cache file name for a specified key + */ +static const char *oidc_cache_file_name(request_rec *r, const char *key) { + return apr_psprintf(r->pool, "%s%s", OIDC_CACHE_FILE_PREFIX, key); +} + +/* + * return the fully qualified path name to a cache file for a specified key + */ +static const char *oidc_cache_file_path(request_rec *r, const char *key) { + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + return apr_psprintf(r->pool, "%s/%s", cfg->cache_file_dir, + oidc_cache_file_name(r, key)); +} + +/* + * read a specified number of bytes from a cache file in to a preallocated buffer + */ +static apr_status_t oidc_cache_file_read(request_rec *r, const char *path, + apr_file_t *fd, void *buf, const apr_size_t len) { + + apr_status_t rc = APR_SUCCESS; + apr_size_t bytes_read = 0; + char s_err[128]; + + /* (blocking) read the requested number of bytes */ + rc = apr_file_read_full(fd, buf, len, &bytes_read); + + /* test for system errors */ + if (rc != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_read: could not read from: %s (%s)", path, + apr_strerror(rc, s_err, sizeof(s_err))); + } + + /* ensure that we've got the requested number of bytes */ + if (bytes_read != len) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_read: could not read enough bytes from: \"%s\", bytes_read (%" APR_SIZE_T_FMT ") != len (%" APR_SIZE_T_FMT ")", + path, bytes_read, len); + rc = APR_EGENERAL; + } + + return rc; +} + +/* + * write a specified number of bytes from a buffer to a cache file + */ +static apr_status_t oidc_cache_file_write(request_rec *r, const char *path, + apr_file_t *fd, void *buf, const apr_size_t len) { + + apr_status_t rc = APR_SUCCESS; + apr_size_t bytes_written = 0; + char s_err[128]; + + /* (blocking) write the number of bytes in the buffer */ + rc = apr_file_write_full(fd, buf, len, &bytes_written); + + /* check for a system error */ + if (rc != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_write: could not write to: \"%s\" (%s)", path, + apr_strerror(rc, s_err, sizeof(s_err))); + return rc; + } + + /* check that all bytes from the header were written */ + if (bytes_written != len) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_write: could not write enough bytes to: \"%s\", bytes_written (%" APR_SIZE_T_FMT ") != len (%" APR_SIZE_T_FMT ")", + path, bytes_written, len); + return APR_EGENERAL; + } + + return rc; +} + +/* + * get a value for the specified key from the cache + */ +static apr_byte_t oidc_cache_file_get(request_rec *r, const char *key, + const char **value) { + apr_file_t *fd = NULL; + apr_status_t rc = APR_SUCCESS; + char s_err[128]; + + /* get the fully qualified path to the cache file based on the key name */ + const char *path = oidc_cache_file_path(r, key); + + /* open the cache file if it exists, otherwise we just have a "regular" cache miss */ + if (apr_file_open(&fd, path, APR_FOPEN_READ | APR_FOPEN_BUFFERED, + APR_OS_DEFAULT, r->pool) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_file_get: cache miss for key \"%s\"", key); + return TRUE; + } + + /* the file exists, now lock it */ + apr_file_lock(fd, APR_FLOCK_EXCLUSIVE); + + /* move the read pointer to the very start of the cache file */ + apr_off_t begin = 0; + apr_file_seek(fd, APR_SET, &begin); + + /* read a header with metadata */ + oidc_cache_file_info_t info; + if ((rc = oidc_cache_file_read(r, path, fd, &info, + sizeof(oidc_cache_file_info_t))) != APR_SUCCESS) + goto error_close; + + /* check if this cache entry has already expired */ + if (apr_time_now() >= info.expire) { + + /* yep, expired: unlock and close before deleting the cache file */ + apr_file_unlock(fd); + apr_file_close(fd); + + /* log this event */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_file_get: cache entry \"%s\" expired, removing file \"%s\"", + key, path); + + /* and kill it */ + if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_get: could not delete cache file \"%s\" (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + } + + /* nothing strange happened really */ + return TRUE; + } + + /* allocate space for the actual value based on the data size info in the header (+1 for \0 termination) */ + *value = apr_palloc(r->pool, info.len); + + /* (blocking) read the requested data in to the buffer */ + rc = oidc_cache_file_read(r, path, fd, (void *) *value, info.len); + + /* barf on failure */ + if (rc != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_get: could not read cache value from \"%s\"", + path); + goto error_close; + } + + /* we're done, unlock and close the file */ + apr_file_unlock(fd); + apr_file_close(fd); + + /* log a successful cache hit */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_file_get: cache hit for key \"%s\" (%" APR_SIZE_T_FMT " bytes, expiring in: %" APR_TIME_T_FMT ")", + key, info.len, apr_time_sec(info.expire - apr_time_now())); + + return TRUE; + +error_close: + + apr_file_unlock(fd); + apr_file_close(fd); + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_get: return error status %d (%s)", rc, + apr_strerror(rc, s_err, sizeof(s_err))); + + return FALSE; +} + +// TODO: make these configurable? +#define OIDC_CACHE_FILE_LAST_CLEANED "last-cleaned" + +/* + * delete all expired entries from the cache directory + */ +static apr_status_t oidc_cache_file_clean(request_rec *r) { + apr_status_t rc = APR_SUCCESS; + apr_dir_t *dir = NULL; + apr_file_t *fd = NULL; + apr_status_t i; + apr_finfo_t fi; + oidc_cache_file_info_t info; + char s_err[128]; + + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + + /* get the path to the metadata file that holds "last cleaned" metadata info */ + const char *metadata_path = oidc_cache_file_path(r, + OIDC_CACHE_FILE_LAST_CLEANED); + + /* open the metadata file if it exists */ + if ((rc = apr_stat(&fi, metadata_path, APR_FINFO_MTIME, r->pool)) + == APR_SUCCESS) { + + /* really only clean once per so much time, check that we haven not recently run */ + if (apr_time_now() < fi.mtime + apr_time_from_sec(cfg->cache_file_clean_interval)) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_clean: last cleanup call was less than %d seconds ago (next one as early as in %" APR_TIME_T_FMT " secs)", + cfg->cache_file_clean_interval, + apr_time_sec( + fi.mtime + apr_time_from_sec(cfg->cache_file_clean_interval) - apr_time_now())); + return APR_SUCCESS; + } + + /* time to clean, reset the modification time of the metadata file to reflect the timestamp of this cleaning cycle */ + apr_file_mtime_set(metadata_path, apr_time_now(), r->pool); + + } else { + + /* no metadata file exists yet, create one (and open it) */ + if ((rc = apr_file_open(&fd, metadata_path, + (APR_FOPEN_WRITE | APR_FOPEN_CREATE), APR_OS_DEFAULT, r->pool)) + != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_clean: error creating cache timestamp file '%s' (%s)", + metadata_path, apr_strerror(rc, s_err, sizeof(s_err))); + return rc; + } + + /* and cleanup... */ + if ((rc = apr_file_close(fd)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_clean: error closing cache timestamp file '%s' (%s)", + metadata_path, apr_strerror(rc, s_err, sizeof(s_err))); + } + } + + /* time to clean, open the cache directory */ + if ((rc = apr_dir_open(&dir, cfg->cache_file_dir, r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_clean: error opening cache directory '%s' for cleaning (%s)", + cfg->cache_file_dir, apr_strerror(rc, s_err, sizeof(s_err))); + return rc; + } + + /* loop trough the cache file entries */ + do { + + /* read the next entry from the directory */ + i = apr_dir_read(&fi, APR_FINFO_NAME, dir); + + if (i == APR_SUCCESS) { + + /* skip non-cache entries, cq. the ".", ".." and the metadata file */ + if ((fi.name[0] == '.') + || (strstr(fi.name, OIDC_CACHE_FILE_PREFIX) != fi.name) + || ((apr_strnatcmp(fi.name, oidc_cache_file_name(r, + OIDC_CACHE_FILE_LAST_CLEANED)) == 0))) + continue; + + /* get the fully qualified path to the cache file and open it */ + const char *path = apr_psprintf(r->pool, "%s/%s", + cfg->cache_file_dir, fi.name); + if ((rc = apr_file_open(&fd, path, APR_FOPEN_READ, APR_OS_DEFAULT, + r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_clean: unable to open cache entry \"%s\" (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + continue; + } + + /* read the header with cache metadata info */ + rc = oidc_cache_file_read(r, path, fd, &info, + sizeof(oidc_cache_file_info_t)); + apr_file_close(fd); + + if (rc == APR_SUCCESS) { + + /* check if this entry expired, if not just continue to the next entry */ + if (apr_time_now() < info.expire) + continue; + + /* the cache entry expired, we're going to remove it so log that event */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_file_clean: cache entry (%s) expired, removing file \"%s\")", + fi.name, path); + + } else { + + /* file open returned an error, log that */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_clean: cache entry (%s) corrupted (%s), removing file \"%s\"", + fi.name, apr_strerror(rc, s_err, sizeof(s_err)), path); + + } + + /* delete the cache file */ + if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) { + + /* hrm, this will most probably happen again on the next run... */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_clean: could not delete cache file \"%s\" (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + } + + } + + } while (i == APR_SUCCESS); + + apr_dir_close(dir); + + return APR_SUCCESS; +} + +/* + * write a value for the specified key to the cache + */ +static apr_byte_t oidc_cache_file_set(request_rec *r, const char *key, + const char *value, apr_time_t expiry) { + apr_file_t *fd = NULL; + apr_status_t rc = APR_SUCCESS; + char s_err[128]; + + /* get the fully qualified path to the cache file based on the key name */ + const char *path = oidc_cache_file_path(r, key); + + /* only on writes (not on reads) we clean the cache first (if not done recently) */ + oidc_cache_file_clean(r); + + /* just remove cache file if value is NULL */ + if (value == NULL) { + if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_set: could not delete cache file \"%s\" (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + } + return TRUE; + } + + /* try to open the cache file for writing, creating it if it does not exist */ + if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE), + APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_file_set: cache file \"%s\" could not be opened (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + return FALSE; + } + + /* lock the file and move the write pointer to the start of it */ + apr_file_lock(fd, APR_FLOCK_EXCLUSIVE); + apr_off_t begin = 0; + apr_file_seek(fd, APR_SET, &begin); + + /* construct the metadata for this cache entry in the header info */ + oidc_cache_file_info_t info; + info.expire = expiry; + info.len = strlen(value) + 1; + + /* write the header */ + if ((rc = oidc_cache_file_write(r, path, fd, &info, + sizeof(oidc_cache_file_info_t))) != APR_SUCCESS) + return FALSE; + + /* next write the value */ + if ((rc = oidc_cache_file_write(r, path, fd, (void *) value, info.len)) + != APR_SUCCESS) + return FALSE; + + /* unlock and close the written file */ + apr_file_unlock(fd); + apr_file_close(fd); + + /* log our success */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_file_set: set entry for key \"%s\" (%" APR_SIZE_T_FMT " bytes, expires in: %" APR_TIME_T_FMT ")", + key, info.len, apr_time_sec(expiry - apr_time_now())); + + return TRUE; +} + +oidc_cache_t oidc_cache_file = { + NULL, + oidc_cache_file_post_config, + NULL, + oidc_cache_file_get, + oidc_cache_file_set +}; diff --git a/src/cache/memcache.c b/src/cache/memcache.c new file mode 100644 index 00000000..1d60155d --- /dev/null +++ b/src/cache/memcache.c @@ -0,0 +1,259 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * caching using a memcache backend + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include "apr_general.h" +#include "apr_strings.h" +#include "apr_hash.h" +#include "apr_memcache.h" + +#include +#include +#include + +#include "../mod_auth_openidc.h" + +// TODO: proper memcache error reporting (server unreachable etc.) + +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +typedef struct oidc_cache_cfg_memcache_t { + /* cache_type = memcache: memcache ptr */ + apr_memcache_t *cache_memcache; +} oidc_cache_cfg_memcache_t; + +/* create the cache context */ +static void *oidc_cache_memcache_cfg_create(apr_pool_t *pool) { + oidc_cache_cfg_memcache_t *context = apr_pcalloc(pool, sizeof(oidc_cache_cfg_memcache_t)); + context->cache_memcache = NULL; + return context; +} + +/* + * initialize the memcache struct to a number of memcache servers + */ +static int oidc_cache_memcache_post_config(server_rec *s) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + s->module_config, &auth_openidc_module); + oidc_cache_cfg_memcache_t *context = (oidc_cache_cfg_memcache_t *)cfg->cache_cfg; + + apr_status_t rv = APR_SUCCESS; + int nservers = 0; + char* split; + char* tok; + apr_pool_t *p = s->process->pool; + + if (cfg->cache_memcache_servers == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "oidc_cache_memcache_post_config: cache type is set to \"memcache\", but no valid OIDCMemCacheServers setting was found"); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* loop over the provided memcache servers to find out the number of servers configured */ + char *cache_config = apr_pstrdup(p, cfg->cache_memcache_servers); + split = apr_strtok(cache_config, " ", &tok); + while (split) { + nservers++; + split = apr_strtok(NULL, " ", &tok); + } + + /* allocated space for the number of servers */ + rv = apr_memcache_create(p, nservers, 0, &context->cache_memcache); + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "oidc_cache_memcache_init: failed to create memcache object of '%d' size", + nservers); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* loop again over the provided servers */ + cache_config = apr_pstrdup(p, cfg->cache_memcache_servers); + split = apr_strtok(cache_config, " ", &tok); + while (split) { + apr_memcache_server_t* st; + char* host_str; + char* scope_id; + apr_port_t port; + + /* parse out host and port */ + rv = apr_parse_addr_port(&host_str, &scope_id, &port, split, p); + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "oidc_cache_memcache_init: failed to parse cache server: '%s'", + split); + return HTTP_INTERNAL_SERVER_ERROR; + } + + if (host_str == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "oidc_cache_memcache_init: failed to parse cache server, " + "no hostname specified: '%s'", split); + return HTTP_INTERNAL_SERVER_ERROR; + } + + if (port == 0) + port = 11211; + + /* create the memcache server struct */ + // TODO: tune this + rv = apr_memcache_server_create(p, host_str, port, 0, 1, 1, 60, &st); + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "oidc_cache_memcache_init: failed to create cache server: %s:%d", + host_str, port); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* add the memcache server struct to the list */ + rv = apr_memcache_add_server(context->cache_memcache, st); + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "oidc_cache_memcache_init: failed to add cache server: %s:%d", + host_str, port); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* go to the next entry */ + split = apr_strtok(NULL, " ", &tok); + } + + return OK; +} + +/* + * get a name/value pair from memcache + */ +static apr_byte_t oidc_cache_memcache_get(request_rec *r, const char *key, + const char **value) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_memcache_get: entering \"%s\"", key); + + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + oidc_cache_cfg_memcache_t *context = (oidc_cache_cfg_memcache_t *)cfg->cache_cfg; + + apr_size_t len = 0; + + /* get it */ + apr_status_t rv = apr_memcache_getp(context->cache_memcache, r->pool, key, + (char **)value, &len, NULL); + + // TODO: error strings ? + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "oidc_cache_memcache_get: apr_memcache_getp returned an error"); + return FALSE; + } + + /* do sanity checking on the string value */ + if ( (*value) && (strlen(*value) != len) ) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "oidc_cache_memcache_get: apr_memcache_getp returned less bytes than expected: strlen(value) [%zu] != len [%" APR_SIZE_T_FMT "]", strlen(*value), len); + return FALSE; + } + + return TRUE; +} + +/* + * store a name/value pair in memcache + */ +static apr_byte_t oidc_cache_memcache_set(request_rec *r, const char *key, + const char *value, apr_time_t expiry) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_memcache_set: entering \"%s\"", key); + + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + oidc_cache_cfg_memcache_t *context = (oidc_cache_cfg_memcache_t *)cfg->cache_cfg; + + apr_status_t rv = APR_SUCCESS; + + /* see if we should be clearing this entry */ + if (value == NULL) { + + rv = apr_memcache_delete(context->cache_memcache, key, 0); + + // TODO: error strings ? + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "oidc_cache_memcache_set: apr_memcache_delete returned an error"); + } + + } else { + + /* calculate the timeout from now */ + apr_uint32_t timeout = apr_time_sec(expiry - apr_time_now()); + + /* store it */ + rv = apr_memcache_set(context->cache_memcache, key, (char *)value, + strlen(value), timeout, 0); + + // TODO: error strings ? + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "oidc_cache_memcache_set: apr_memcache_set returned an error"); + } + } + + return (rv == APR_SUCCESS); +} + +oidc_cache_t oidc_cache_memcache = { + oidc_cache_memcache_cfg_create, + oidc_cache_memcache_post_config, + NULL, + oidc_cache_memcache_get, + oidc_cache_memcache_set +}; diff --git a/src/cache/shm.c b/src/cache/shm.c new file mode 100644 index 00000000..175f3b74 --- /dev/null +++ b/src/cache/shm.c @@ -0,0 +1,350 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * caching using a shared memory backend, FIFO-style + * based on mod_auth_mellon code + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include + +#include +#include +#include + +#ifdef AP_NEED_SET_MUTEX_PERMS +#include "unixd.h" +#endif + +#include "../mod_auth_openidc.h" + +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +typedef struct oidc_cache_cfg_shm_t { + char *mutex_filename; + apr_shm_t *shm; + apr_global_mutex_t *mutex; +} oidc_cache_cfg_shm_t; + +/* size of key in cached key/value pairs */ +#define OIDC_CACHE_SHM_KEY_MAX 128 +/* max value size */ +#define OIDC_CACHE_SHM_VALUE_MAX 16384 + +/* represents one (fixed size) cache entry, cq. name/value string pair */ +typedef struct oidc_cache_shm_entry_t { + /* name of the cache entry */ + char key[OIDC_CACHE_SHM_KEY_MAX]; + /* value of the cache entry */ + char value[OIDC_CACHE_SHM_VALUE_MAX]; + /* last (read) access timestamp */ + apr_time_t access; + /* expiry timestamp */ + apr_time_t expires; +} oidc_cache_shm_entry_t; + +/* create the cache context */ +static void *oidc_cache_shm_cfg_create(apr_pool_t *pool) { + oidc_cache_cfg_shm_t *context = apr_pcalloc(pool, sizeof(oidc_cache_cfg_shm_t)); + context->mutex_filename = NULL; + context->shm = NULL; + context->mutex = NULL; + return context; +} + +/* + * initialized the shared memory block in the parent process + */ +int oidc_cache_shm_post_config(server_rec *s) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(s->module_config, + &auth_openidc_module); + oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *)cfg->cache_cfg; + + /* create the shared memory segment */ + apr_status_t rv = apr_shm_create(&context->shm, + sizeof(oidc_cache_shm_entry_t) * cfg->cache_shm_size_max, + NULL, s->process->pool); + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "oidc_cache_shm_post_config: apr_shm_create failed to create shared memory segment"); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* initialize the whole segment to '/0' */ + int i; + oidc_cache_shm_entry_t *table = apr_shm_baseaddr_get(context->shm); + for (i = 0; i < cfg->cache_shm_size_max; i++) { + table[i].key[0] = '\0'; + table[i].access = 0; + } + + const char *dir; + apr_temp_dir_get(&dir, s->process->pool); + /* construct the mutex filename */ + context->mutex_filename = apr_psprintf(s->process->pool, + "%s/httpd_mutex.%ld.%pp", dir, (long int) getpid(), s); + + /* create the mutex lock */ + rv = apr_global_mutex_create(&context->mutex, + (const char *) context->mutex_filename, APR_LOCK_DEFAULT, + s->process->pool); + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "oidc_cache_shm_post_config: apr_global_mutex_create failed to create mutex on file %s", + context->mutex_filename); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* need this on Linux */ +#ifdef AP_NEED_SET_MUTEX_PERMS +#if MODULE_MAGIC_NUMBER_MAJOR >= 20081201 + rv = ap_unixd_set_global_mutex_perms(context->mutex); +#else + rv = unixd_set_global_mutex_perms(context->mutex); +#endif + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "oidc_cache_shm_post_config: unixd_set_global_mutex_perms failed; could not set permissions "); + return HTTP_INTERNAL_SERVER_ERROR; + } +#endif + + return OK; +} + +/* + * initialize the shared memory segment in a child process + */ +int oidc_cache_shm_child_init(apr_pool_t *p, server_rec *s) { + oidc_cfg *cfg = ap_get_module_config(s->module_config, &auth_openidc_module); + oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *)cfg->cache_cfg; + + /* initialize the lock for the child process */ + apr_status_t rv = apr_global_mutex_child_init(&context->mutex, + (const char *) context->mutex_filename, p); + + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, + "oic_cache_shm_child_init: apr_global_mutex_child_init failed to reopen mutex on file %s", + context->mutex_filename); + } + + return rv; +} + +/* + * get a value from the shared memory cache + */ +static apr_byte_t oidc_cache_shm_get(request_rec *r, const char *key, + const char **value) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_shm_get: entering \"%s\"", key); + + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *)cfg->cache_cfg; + + apr_status_t rv; + int i; + *value = NULL; + + /* grab the global lock */ + if ((rv = apr_global_mutex_lock(context->mutex)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "oidc_cache_shm_get: apr_global_mutex_lock() failed [%d]", rv); + return FALSE; + } + + /* get the pointer to the start of the shared memory block */ + oidc_cache_shm_entry_t *table = apr_shm_baseaddr_get(context->shm); + + /* loop over the block, looking for the key */ + for (i = 0; i < cfg->cache_shm_size_max; i++) { + const char *tablekey = table[i].key; + + if (tablekey == NULL) + continue; + + if (strcmp(tablekey, key) == 0) { + + /* found a match, check if it has expired */ + if (table[i].expires > apr_time_now()) { + + /* update access timestamp */ + table[i].access = apr_time_now(); + *value = table[i].value; + } + } + } + + /* release the global lock */ + apr_global_mutex_unlock(context->mutex); + + return (*value == NULL) ? FALSE : TRUE; +} + +/* + * store a value in the shared memory cache + */ +static apr_byte_t oidc_cache_shm_set(request_rec *r, const char *key, + const char *value, apr_time_t expiry) { + + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *)cfg->cache_cfg; + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_cache_shm_set: entering \"%s\" (value size=(%zu)", key, + value ? strlen(value) : 0); + + oidc_cache_shm_entry_t *match, *free, *lru; + oidc_cache_shm_entry_t *table; + apr_time_t current_time; + int i; + apr_time_t age; + + /* check that the passed in key is valid */ + if (key == NULL || strlen(key) > OIDC_CACHE_SHM_KEY_MAX) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_shm_set: could not set value since key is NULL or too long (%s)", + key); + return FALSE; + } + + /* check that the passed in value is valid */ + if ( (value != NULL) && strlen(value) > OIDC_CACHE_SHM_VALUE_MAX) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_shm_set: could not set value since value is too long (%zu > %d)", + strlen(value), OIDC_CACHE_SHM_VALUE_MAX); + return FALSE; + } + + /* grab the global lock */ + if (apr_global_mutex_lock(context->mutex) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_cache_shm_set: apr_global_mutex_lock() failed"); + return FALSE; + } + + /* get a pointer to the shared memory block */ + table = apr_shm_baseaddr_get(context->shm); + + /* get the current time */ + current_time = apr_time_now(); + + /* loop over the block, looking for the key */ + match = NULL; + free = NULL; + lru = &table[0]; + for (i = 0; i < cfg->cache_shm_size_max; i++) { + + /* see if this slot is free */ + if (table[i].key[0] == '\0') { + if (free == NULL) free = &table[i]; + continue; + } + + /* see if a value already exists for this key */ + if (strcmp(table[i].key, key) == 0) { + match = &table[i]; + break; + } + + /* see if this slot has expired */ + if (table[i].expires <= current_time) { + if (free == NULL) free = &table[i]; + continue; + } + + /* see if this slot was less recently used than the current pointer */ + if (table[i].access < lru->access) { + lru = &table[i]; + } + + } + + /* if we have no free slots, issue a warning about the LRU entry */ + if (match == NULL && free == NULL) { + age = (current_time - lru->access) / 1000000; + if (age < 3600) { + ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + "oidc_cache_shm_set: dropping LRU entry with age = %" APR_TIME_T_FMT "s, which is less than one hour; consider increasing the shared memory caching space (which is %d now) with the (global) OIDCCacheShmMax setting.", + age, cfg->cache_shm_size_max); + } + } + + oidc_cache_shm_entry_t *t = match ? match : (free ? free : lru); + + if (value != NULL) { + + /* fill out the entry with the provided data */ + strcpy(t->key, key); + strcpy(t->value, value); + t->expires = expiry; + t->access = current_time; + + } else { + + t->key[0] = '\0'; + } + + /* release the global lock */ + apr_global_mutex_unlock(context->mutex); + + return TRUE; +} + +oidc_cache_t oidc_cache_shm = { + oidc_cache_shm_cfg_create, + oidc_cache_shm_post_config, + oidc_cache_shm_child_init, + oidc_cache_shm_get, + oidc_cache_shm_set +}; diff --git a/src/config.c b/src/config.c new file mode 100644 index 00000000..67bb44d7 --- /dev/null +++ b/src/config.c @@ -0,0 +1,1093 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include + +#include "mod_auth_openidc.h" + +/* validate SSL server certificates by default */ +#define OIDC_DEFAULT_SSL_VALIDATE_SERVER 1 +/* default token endpoint authentication method */ +#define OIDC_DEFAULT_ENDPOINT_AUTH "client_secret_basic" +/* default scope requested from the OP */ +#define OIDC_DEFAULT_SCOPE "openid" +/* default claim delimiter for multi-valued claims passed in a HTTP header */ +#define OIDC_DEFAULT_CLAIM_DELIMITER "," +/* default prefix for claim names being passed in HTTP headers */ +#define OIDC_DEFAULT_CLAIM_PREFIX "OIDC_CLAIM_" +/* default name of the session cookie */ +#define OIDC_DEFAULT_COOKIE "mod_auth_openidc_session" +/* default for the HTTP header name in which the remote user name is passed */ +#define OIDC_DEFAULT_AUTHN_HEADER NULL +/* scrub HTTP headers by default unless overridden (and insecure) */ +#define OIDC_DEFAULT_SCRUB_REQUEST_HEADERS 1 +/* default client_name the client uses for dynamic client registration */ +#define OIDC_DEFAULT_CLIENT_NAME "OpenID Connect Apache Module (mod_auth_openidc)" +/* timeouts in seconds for HTTP calls that may take a long time */ +#define OIDC_DEFAULT_HTTP_TIMEOUT_LONG 60 +/* timeouts in seconds for HTTP calls that should take a short time (registry/discovery related) */ +#define OIDC_DEFAULT_HTTP_TIMEOUT_SHORT 5 +/* default session storage type */ +#define OIDC_DEFAULT_SESSION_TYPE OIDC_SESSION_TYPE_22_CACHE_FILE +/* timeout in seconds after which state expires */ +#define OIDC_DEFAULT_STATE_TIMEOUT 300 +/* default OpenID Connect authorization response type */ +#define OIDC_DEFAULT_RESPONSE_TYPE "code" +/* default duration in seconds after which retrieved JWS should be refreshed */ +#define OIDC_DEFAULT_JWKS_REFRESH_INTERVAL 3600 +/* default max cache size for shm */ +#define OIDC_DEFAULT_CACHE_SHM_SIZE 500 +/* for issued-at timestamp (iat) checking */ +#define OIDC_DEFAULT_IDTOKEN_IAT_SLACK 600 +/* for file-based caching: clean interval in seconds */ +#define OIDC_DEFAULT_CACHE_FILE_CLEAN_INTERVAL 60 + +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +/* + * set a boolean value in the server config + */ +const char *oidc_set_flag_slot(cmd_parms *cmd, void *struct_ptr, int arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + return ap_set_flag_slot(cmd, cfg, arg); +} + +/* + * set a string value in the server config + */ +const char *oidc_set_string_slot(cmd_parms *cmd, void *struct_ptr, + const char *arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + return ap_set_string_slot(cmd, cfg, arg); +} + +/* + * set an integer value in the server config + */ +const char *oidc_set_int_slot(cmd_parms *cmd, void *struct_ptr, const char *arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + return ap_set_int_slot(cmd, cfg, arg); +} + +/* + * set a URL value in the server config + */ +static const char *oidc_set_url_slot_type(cmd_parms *cmd, void *ptr, + const char *arg, const char *type) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + apr_uri_t url; + if (apr_uri_parse(cmd->pool, arg, &url) != APR_SUCCESS) { + return apr_psprintf(cmd->pool, + "oidc_set_url_slot_type: configuration value '%s' could not be parsed as a URL!", + arg); + } + + if (url.scheme == NULL) { + return apr_psprintf(cmd->pool, + "oidc_set_url_slot_type: configuration value '%s' could not be parsed as a URL (no scheme set)!", + arg); + } + + if (type == NULL) { + if ((strcmp(url.scheme, "http") != 0) + && (strcmp(url.scheme, "https") != 0)) { + return apr_psprintf(cmd->pool, + "oidc_set_url_slot_type: configuration value '%s' could not be parsed as a HTTP/HTTPs URL (scheme != http/https)!", + arg); + } + } else if (strcmp(url.scheme, type) != 0) { + return apr_psprintf(cmd->pool, + "oidc_set_url_slot_type: configuration value '%s' could not be parsed as a \"%s\" URL (scheme == %s != \"%s\")!", + arg, type, url.scheme, type); + } + + if (url.hostname == NULL) { + return apr_psprintf(cmd->pool, + "oidc_set_url_slot_type: configuration value '%s' could not be parsed as a HTTP/HTTPs URL (no hostname set, check your slashes)!", + arg); + } + return ap_set_string_slot(cmd, cfg, arg); +} + +/* + * set a HTTPS value in the server config + */ +const char *oidc_set_https_slot(cmd_parms *cmd, void *ptr, const char *arg) { + return oidc_set_url_slot_type(cmd, ptr, arg, "https"); +} + +/* + * set a HTTPS/HTTP value in the server config + */ +const char *oidc_set_url_slot(cmd_parms *cmd, void *ptr, const char *arg) { + return oidc_set_url_slot_type(cmd, ptr, arg, NULL); +} + +/* + * set a directory value in the server config + */ +// TODO: it's not really a syntax error... (could be fixed at runtime but then we'd have to restart the server) +const char *oidc_set_dir_slot(cmd_parms *cmd, void *ptr, const char *arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + + char s_err[128]; + apr_dir_t *dir; + apr_status_t rc = APR_SUCCESS; + + /* ensure the directory exists */ + if ((rc = apr_dir_open(&dir, arg, cmd->pool)) != APR_SUCCESS) { + return apr_psprintf(cmd->pool, + "oidc_set_dir_slot: could not access directory '%s' (%s)", arg, + apr_strerror(rc, s_err, sizeof(s_err))); + } + + /* and cleanup... */ + if ((rc = apr_dir_close(dir)) != APR_SUCCESS) { + return apr_psprintf(cmd->pool, + "oidc_set_dir_slot: could not close directory '%s' (%s)", arg, + apr_strerror(rc, s_err, sizeof(s_err))); + } + + return ap_set_string_slot(cmd, cfg, arg); +} + +/* + * set the cookie domain in the server config and check it syntactically + */ +const char *oidc_set_cookie_domain(cmd_parms *cmd, void *ptr, const char *value) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + size_t sz, limit; + char d; + limit = strlen(value); + for (sz = 0; sz < limit; sz++) { + d = value[sz]; + if ((d < '0' || d > '9') && (d < 'a' || d > 'z') && (d < 'A' || d > 'Z') + && d != '.' && d != '-') { + return (apr_psprintf(cmd->pool, + "oidc_set_cookie_domain: invalid character (%c) in OIDCCookieDomain", + d)); + } + } + cfg->cookie_domain = apr_pstrdup(cmd->pool, value); + return NULL; +} + +/* + * set the session storage type + */ +const char *oidc_set_session_type(cmd_parms *cmd, void *ptr, const char *arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + + if (strcmp(arg, "file") == 0) { + cfg->session_type = OIDC_SESSION_TYPE_22_CACHE_FILE; + } else if (strcmp(arg, "cookie") == 0) { + cfg->session_type = OIDC_SESSION_TYPE_22_COOKIE; + } else { + return (apr_psprintf(cmd->pool, + "oidc_set_session_type: invalid value for OIDCSessionType (%s); must be one of \"file\" or \"cookie\"", + arg)); + } + + return NULL; +} + +/* + * set the cache type + */ +const char *oidc_set_cache_type(cmd_parms *cmd, void *ptr, const char *arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + + if (strcmp(arg, "file") == 0) { + cfg->cache = &oidc_cache_file; + } else if (strcmp(arg, "memcache") == 0) { + cfg->cache = &oidc_cache_memcache; + } else if (strcmp(arg, "shm") == 0) { + cfg->cache = &oidc_cache_shm; + } else { + return (apr_psprintf(cmd->pool, + "oidc_set_cache_type: invalid value for OIDCCacheType (%s); must be one of \"file\", \"memcache\" or \"shm\"", + arg)); + } + + cfg->cache_cfg = cfg->cache->create_config ? cfg->cache->create_config(cmd->server->process->pool) : NULL; + + return NULL; +} + +/* + * set an authentication method for an endpoint and check it is one that we support + */ +const char *oidc_set_endpoint_auth_slot(cmd_parms *cmd, void *struct_ptr, + const char *arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + + if ((apr_strnatcmp(arg, "client_secret_post") == 0) + || (apr_strnatcmp(arg, "client_secret_basic") == 0)) { + + return ap_set_string_slot(cmd, cfg, arg); + } + return "parameter must be 'client_secret_post' or 'client_secret_basic'"; +} + +/* + * set the response type used + */ +const char *oidc_set_response_type(cmd_parms *cmd, void *struct_ptr, + const char *arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + + if ((apr_strnatcmp(arg, "code") == 0) + || (apr_strnatcmp(arg, "id_token") == 0) + || (apr_strnatcmp(arg, "id_token token") == 0) + || (apr_strnatcmp(arg, "token id_token") == 0)) { + + return ap_set_string_slot(cmd, cfg, arg); + } + return "parameter must be one of 'code', 'id_token', 'id_token token' or 'token id_token'"; +} + +/* + * set the id_token signing algorithm to be used by the OP + * TODO: align supported functions with oidc_crypto_jwt_alg2padding and metadata_is_valid function + */ +const char *oidc_set_id_token_alg(cmd_parms *cmd, void *struct_ptr, + const char *arg) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config( + cmd->server->module_config, &auth_openidc_module); + + if ((apr_strnatcmp(arg, "RS256") == 0) || (apr_strnatcmp(arg, "RS384") == 0) + || (apr_strnatcmp(arg, "RS512") == 0) + || (apr_strnatcmp(arg, "PS256") == 0) + || (apr_strnatcmp(arg, "PS384") == 0) + || (apr_strnatcmp(arg, "PS512") == 0) + || (apr_strnatcmp(arg, "HS256") == 0) + || (apr_strnatcmp(arg, "HS384") == 0) + || (apr_strnatcmp(arg, "HS512") == 0)) { + + return ap_set_string_slot(cmd, cfg, arg); + } + return "parameter must be one of 'RS256', 'RS384', 'RS512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384' or 'PS512'"; +} + +/* + * get the current path from the request in a normalized way + */ +static char *oidc_get_path(request_rec *r) { + size_t i; + char *p; + p = r->parsed_uri.path; + if (p[0] == '\0') + return apr_pstrdup(r->pool, "/"); + for (i = strlen(p) - 1; i > 0; i--) + if (p[i] == '/') + break; + return apr_pstrndup(r->pool, p, i + 1); +} + +/* + * get the cookie path setting and check that it matches the request path; cook it up if it is not set + */ +char *oidc_get_cookie_path(request_rec *r) { + char *rv = NULL, *requestPath = oidc_get_path(r); + oidc_dir_cfg *d = ap_get_module_config(r->per_dir_config, &auth_openidc_module); + if (d->cookie_path != NULL) { + if (strncmp(d->cookie_path, requestPath, strlen(d->cookie_path)) == 0) + rv = d->cookie_path; + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_get_cookie_path: OIDCCookiePath (%s) not a substring of request path, using request path (%s) for cookie", + d->cookie_path, requestPath); + rv = requestPath; + } + } else { + rv = requestPath; + } + return (rv); +} + +/* + * create a new server config record with defaults + */ +void *oidc_create_server_config(apr_pool_t *pool, server_rec *svr) { + oidc_cfg *c = apr_pcalloc(pool, sizeof(oidc_cfg)); + + c->merged = FALSE; + + c->redirect_uri = NULL; + c->discover_url = NULL; + c->id_token_alg = NULL; + + c->provider.issuer = NULL; + c->provider.authorization_endpoint_url = NULL; + c->provider.token_endpoint_url = NULL; + c->provider.token_endpoint_auth = OIDC_DEFAULT_ENDPOINT_AUTH; + c->provider.userinfo_endpoint_url = NULL; + c->provider.client_id = NULL; + c->provider.client_secret = NULL; + + c->provider.ssl_validate_server = OIDC_DEFAULT_SSL_VALIDATE_SERVER; + c->provider.client_name = OIDC_DEFAULT_CLIENT_NAME; + c->provider.client_contact = NULL; + c->provider.scope = OIDC_DEFAULT_SCOPE; + c->provider.response_type = OIDC_DEFAULT_RESPONSE_TYPE; + c->provider.jwks_refresh_interval = OIDC_DEFAULT_JWKS_REFRESH_INTERVAL; + c->provider.idtoken_iat_slack = OIDC_DEFAULT_IDTOKEN_IAT_SLACK; + + c->oauth.ssl_validate_server = OIDC_DEFAULT_SSL_VALIDATE_SERVER; + c->oauth.client_id = NULL; + c->oauth.client_secret = NULL; + c->oauth.validate_endpoint_url = NULL; + c->oauth.validate_endpoint_auth = OIDC_DEFAULT_ENDPOINT_AUTH; + + c->cache = &oidc_cache_file; + c->cache_cfg = c->cache->create_config? c->cache->create_config(pool) : NULL; + c->cache_file_dir = NULL; + c->cache_file_clean_interval = OIDC_DEFAULT_CACHE_FILE_CLEAN_INTERVAL; + c->cache_memcache_servers = NULL; + c->cache_shm_size_max = OIDC_DEFAULT_CACHE_SHM_SIZE; + + c->metadata_dir = NULL; + c->session_type = OIDC_DEFAULT_SESSION_TYPE; + + c->http_timeout_long = OIDC_DEFAULT_HTTP_TIMEOUT_LONG; + c->http_timeout_short = OIDC_DEFAULT_HTTP_TIMEOUT_SHORT; + c->state_timeout = OIDC_DEFAULT_STATE_TIMEOUT; + + c->cookie_domain = NULL; + c->claim_delimiter = OIDC_DEFAULT_CLAIM_DELIMITER; + c->claim_prefix = OIDC_DEFAULT_CLAIM_PREFIX; + c->crypto_passphrase = NULL; + + c->scrub_request_headers = OIDC_DEFAULT_SCRUB_REQUEST_HEADERS; + + return c; +} + +/* + * merge a new server config with a base one + */ +void *oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) { + oidc_cfg *c = apr_pcalloc(pool, sizeof(oidc_cfg)); + oidc_cfg *base = BASE; + oidc_cfg *add = ADD; + + c->merged = TRUE; + + c->redirect_uri = + add->redirect_uri != NULL ? add->redirect_uri : base->redirect_uri; + c->discover_url = + add->discover_url != NULL ? add->discover_url : base->discover_url; + c->id_token_alg = + add->id_token_alg != NULL ? add->id_token_alg : base->id_token_alg; + + c->provider.issuer = + add->provider.issuer != NULL ? + add->provider.issuer : base->provider.issuer; + c->provider.authorization_endpoint_url = + add->provider.authorization_endpoint_url != NULL ? + add->provider.authorization_endpoint_url : + base->provider.authorization_endpoint_url; + c->provider.token_endpoint_url = + add->provider.token_endpoint_url != NULL ? + add->provider.token_endpoint_url : + base->provider.token_endpoint_url; + c->provider.token_endpoint_auth = + strcmp(add->provider.token_endpoint_auth, + OIDC_DEFAULT_ENDPOINT_AUTH) != 0 ? + add->provider.token_endpoint_auth : + base->provider.token_endpoint_auth; + c->provider.userinfo_endpoint_url = + add->provider.userinfo_endpoint_url != NULL ? + add->provider.userinfo_endpoint_url : + base->provider.userinfo_endpoint_url; + c->provider.client_id = + add->provider.client_id != NULL ? + add->provider.client_id : base->provider.client_id; + c->provider.client_secret = + add->provider.client_secret != NULL ? + add->provider.client_secret : base->provider.client_secret; + + c->provider.ssl_validate_server = + add->provider.ssl_validate_server + != OIDC_DEFAULT_SSL_VALIDATE_SERVER ? + add->provider.ssl_validate_server : + base->provider.ssl_validate_server; + c->provider.client_name = + strcmp(add->provider.client_name, OIDC_DEFAULT_CLIENT_NAME) != 0 ? + add->provider.client_name : base->provider.client_name; + c->provider.client_contact = + add->provider.client_contact != NULL ? + add->provider.client_contact : + base->provider.client_contact; + c->provider.scope = + strcmp(add->provider.scope, OIDC_DEFAULT_SCOPE) != 0 ? + add->provider.scope : base->provider.scope; + c->provider.response_type = + strcmp(add->provider.response_type, OIDC_DEFAULT_RESPONSE_TYPE) + != 0 ? + add->provider.response_type : base->provider.response_type; + c->provider.jwks_refresh_interval = + add->provider.jwks_refresh_interval + != OIDC_DEFAULT_JWKS_REFRESH_INTERVAL ? + add->provider.jwks_refresh_interval : + base->provider.jwks_refresh_interval; + c->provider.idtoken_iat_slack = + add->provider.idtoken_iat_slack != OIDC_DEFAULT_IDTOKEN_IAT_SLACK ? + add->provider.idtoken_iat_slack : + base->provider.idtoken_iat_slack; + + + c->oauth.ssl_validate_server = + add->oauth.ssl_validate_server != OIDC_DEFAULT_SSL_VALIDATE_SERVER ? + add->oauth.ssl_validate_server : + base->oauth.ssl_validate_server; + c->oauth.client_id = + add->oauth.client_id != NULL ? + add->oauth.client_id : base->oauth.client_id; + c->oauth.client_secret = + add->oauth.client_secret != NULL ? + add->oauth.client_secret : base->oauth.client_secret; + c->oauth.validate_endpoint_url = + add->oauth.validate_endpoint_url != NULL ? + add->oauth.validate_endpoint_url : + base->oauth.validate_endpoint_url; + c->oauth.validate_endpoint_auth = + strcmp(add->oauth.validate_endpoint_auth, + OIDC_DEFAULT_ENDPOINT_AUTH) != 0 ? + add->oauth.validate_endpoint_auth : + base->oauth.validate_endpoint_auth; + + c->http_timeout_long = + add->http_timeout_long != OIDC_DEFAULT_HTTP_TIMEOUT_LONG ? + add->http_timeout_long : base->http_timeout_long; + c->http_timeout_short = + add->http_timeout_short != OIDC_DEFAULT_HTTP_TIMEOUT_SHORT ? + add->http_timeout_short : base->http_timeout_short; + c->state_timeout = + add->state_timeout != OIDC_DEFAULT_STATE_TIMEOUT ? + add->state_timeout : base->state_timeout; + + if (add->cache != &oidc_cache_file) { + c->cache = add->cache; + c->cache_cfg = add->cache_cfg; + } else { + c->cache = base->cache; + c->cache_cfg = base->cache_cfg; + } + + c->cache_file_dir = + add->cache_file_dir != NULL ? + add->cache_file_dir : base->cache_file_dir; + c->cache_file_clean_interval = + add->cache_file_clean_interval + != OIDC_DEFAULT_CACHE_FILE_CLEAN_INTERVAL ? + add->cache_file_clean_interval : + base->cache_file_clean_interval; + + c->cache_memcache_servers = + add->cache_memcache_servers != NULL ? + add->cache_memcache_servers : base->cache_memcache_servers; + c->cache_shm_size_max = + add->cache_shm_size_max != OIDC_DEFAULT_CACHE_SHM_SIZE ? + add->cache_shm_size_max : base->cache_shm_size_max; + + c->metadata_dir = + add->metadata_dir != NULL ? add->metadata_dir : base->metadata_dir; + c->session_type = + add->session_type != OIDC_DEFAULT_SESSION_TYPE ? + add->session_type : base->session_type; + + c->cookie_domain = + add->cookie_domain != NULL ? + add->cookie_domain : base->cookie_domain; + c->claim_delimiter = + strcmp(add->claim_delimiter, OIDC_DEFAULT_CLAIM_DELIMITER) != 0 ? + add->claim_delimiter : base->claim_delimiter; + c->claim_prefix = + strcmp(add->claim_prefix, OIDC_DEFAULT_CLAIM_PREFIX) != 0 ? + add->claim_prefix : base->claim_prefix; + c->crypto_passphrase = + add->crypto_passphrase != NULL ? + add->crypto_passphrase : base->crypto_passphrase; + + c->scrub_request_headers = + add->scrub_request_headers != OIDC_DEFAULT_SCRUB_REQUEST_HEADERS ? + add->scrub_request_headers : base->scrub_request_headers; + + return c; +} + +/* + * create a new directory config record with defaults + */ +void *oidc_create_dir_config(apr_pool_t *pool, char *path) { + oidc_dir_cfg *c = apr_pcalloc(pool, sizeof(oidc_dir_cfg)); + c->cookie = OIDC_DEFAULT_COOKIE; + c->cookie_path = NULL; + c->authn_header = OIDC_DEFAULT_AUTHN_HEADER; + return (c); +} + +/* + * merge a new directory config with a base one + */ +void *oidc_merge_dir_config(apr_pool_t *pool, void *BASE, void *ADD) { + oidc_dir_cfg *c = apr_pcalloc(pool, sizeof(oidc_dir_cfg)); + oidc_dir_cfg *base = BASE; + oidc_dir_cfg *add = ADD; + c->cookie = ( + apr_strnatcasecmp(add->cookie, OIDC_DEFAULT_COOKIE) != 0 ? + add->cookie : base->cookie); + c->cookie_path = ( + add->cookie_path != NULL ? add->cookie_path : base->cookie_path); + c->authn_header = ( + add->authn_header != OIDC_DEFAULT_AUTHN_HEADER ? + add->authn_header : base->authn_header); + return (c); +} + +/* + * report a config error + */ +static int oidc_check_config_error(server_rec *s, const char *config_str) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "oidc_check_config_error: mandatory parameter '%s' is not set", + config_str); + return HTTP_INTERNAL_SERVER_ERROR; +} + +/* + * check the config required for the OpenID Connect RP role + */ +static int oidc_check_config_openid_openidc(server_rec *s, oidc_cfg *c) { + + if ((c->metadata_dir == NULL) && (c->provider.issuer == NULL)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "oidc_check_config_openid_openidc: one of 'OIDCProviderIssuer' or 'OIDCMetadataDir' must be set"); + return HTTP_INTERNAL_SERVER_ERROR; + } + + if (c->redirect_uri == NULL) + return oidc_check_config_error(s, "OIDCRedirectURI"); + if (c->crypto_passphrase == NULL) + return oidc_check_config_error(s, "OIDCCryptoPassphrase"); + + if (c->metadata_dir == NULL) { + if (c->provider.issuer == NULL) + return oidc_check_config_error(s, "OIDCProviderIssuer"); + if (c->provider.authorization_endpoint_url == NULL) + return oidc_check_config_error(s, + "OIDCProviderAuthorizationEndpoint"); + // TODO: this depends on the configured OIDCResponseType now + if (c->provider.token_endpoint_url == NULL) + return oidc_check_config_error(s, "OIDCProviderTokenEndpoint"); + if (c->provider.client_id == NULL) + return oidc_check_config_error(s, "OIDCClientID"); + // TODO: this depends on the configured OIDCResponseType now + if (c->provider.client_secret == NULL) + return oidc_check_config_error(s, "OIDCClientSecret"); + } + + return OK; +} + +/* + * check the config required for the OAuth 2.0 RS role + */ +static int oidc_check_config_oauth(server_rec *s, oidc_cfg *c) { + + if (c->oauth.client_id == NULL) + return oidc_check_config_error(s, "OIDCOAuthClientID"); + + if (c->oauth.client_secret == NULL) + return oidc_check_config_error(s, "OIDCOAuthClientSecret"); + + if (c->oauth.validate_endpoint_url == NULL) + return oidc_check_config_error(s, "OIDCOAuthEndpoint"); + + return OK; +} + +/* + * check the config of a vhost + */ +static int oidc_config_check_vhost_config(apr_pool_t *pool, server_rec *s) { + oidc_cfg *cfg = ap_get_module_config(s->module_config, &auth_openidc_module); + + ap_log_error(APLOG_MARK, OIDC_DEBUG, 0, s, + "oidc_config_check_vhost_config: entering"); + + if ((cfg->metadata_dir != NULL) || (cfg->provider.issuer == NULL) + || (cfg->redirect_uri != NULL) + || (cfg->crypto_passphrase != NULL)) { + if (oidc_check_config_openid_openidc(s, cfg) != OK) + return HTTP_INTERNAL_SERVER_ERROR; + } + + if ((cfg->oauth.client_id != NULL) || (cfg->oauth.client_secret != NULL) + || (cfg->oauth.validate_endpoint_url != NULL)) { + if (oidc_check_config_oauth(s, cfg) != OK) + return HTTP_INTERNAL_SERVER_ERROR; + } + + return OK; +} + +/* + * check the config of a merged vhost + */ +static int oidc_config_check_merged_vhost_configs(apr_pool_t *pool, + server_rec *s) { + int status = OK; + while (s != NULL && status == OK) { + oidc_cfg *cfg = ap_get_module_config(s->module_config, &auth_openidc_module); + if (cfg->merged) { + status = oidc_config_check_vhost_config(pool, s); + } + s = s->next; + } + return status; +} + +/* + * check if any merged vhost configs exist + */ +static int oidc_config_merged_vhost_configs_exist(server_rec *s) { + while (s != NULL) { + oidc_cfg *cfg = ap_get_module_config(s->module_config, &auth_openidc_module); + if (cfg->merged) { + return TRUE; + } + s = s->next; + } + return FALSE; +} + +/* + * SSL initialization magic copied from mod_auth_cas + */ +#if defined(OPENSSL_THREADS) && APR_HAS_THREADS + +static apr_thread_mutex_t **ssl_locks; +static int ssl_num_locks; + +static void oidc_ssl_locking_callback(int mode, int type, const char *file, + int line) { + if (type < ssl_num_locks) { + if (mode & CRYPTO_LOCK) + apr_thread_mutex_lock(ssl_locks[type]); + else + apr_thread_mutex_unlock(ssl_locks[type]); + } +} + +#ifdef OPENSSL_NO_THREADID +static unsigned long oidc_ssl_id_callback(void) { + return (unsigned long) apr_os_thread_current(); +} +#else +static void oidc_ssl_id_callback(CRYPTO_THREADID *id) { + CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current()); +} +#endif /* OPENSSL_NO_THREADID */ + +#endif /* defined(OPENSSL_THREADS) && APR_HAS_THREADS */ + +apr_status_t oidc_cleanup(void *data) { +#if (defined (OPENSSL_THREADS) && APR_HAS_THREADS) + if (CRYPTO_get_locking_callback() == oidc_ssl_locking_callback) + CRYPTO_set_locking_callback(NULL); +#ifdef OPENSSL_NO_THREADID + if (CRYPTO_get_id_callback() == oidc_ssl_id_callback) + CRYPTO_set_id_callback(NULL); +#else + if (CRYPTO_THREADID_get_callback() == oidc_ssl_id_callback) + CRYPTO_THREADID_set_callback(NULL); +#endif /* OPENSSL_NO_THREADID */ + +#endif /* defined(OPENSSL_THREADS) && APR_HAS_THREADS */ + curl_global_cleanup(); + return APR_SUCCESS; +} + +/* + * handler that is called (twice) after the configuration phase; check if everything is OK + */ +int oidc_post_config(apr_pool_t *pool, apr_pool_t *p1, apr_pool_t *p2, + server_rec *s) { + const char *userdata_key = "oidc_post_config"; + void *data = NULL; + int i; + + /* Since the post_config hook is invoked twice (once + * for 'sanity checking' of the config and once for + * the actual server launch, we have to use a hack + * to not run twice + */ + apr_pool_userdata_get(&data, userdata_key, s->process->pool); + if (data == NULL) { + apr_pool_userdata_set((const void *) 1, userdata_key, + apr_pool_cleanup_null, s->process->pool); + return OK; + } + + curl_global_init(CURL_GLOBAL_ALL); + +#if (defined(OPENSSL_THREADS) && APR_HAS_THREADS) + ssl_num_locks = CRYPTO_num_locks(); + ssl_locks = apr_pcalloc(s->process->pool, + ssl_num_locks * sizeof(*ssl_locks)); + + for (i = 0; i < ssl_num_locks; i++) + apr_thread_mutex_create(&(ssl_locks[i]), APR_THREAD_MUTEX_DEFAULT, + s->process->pool); + +#ifdef OPENSSL_NO_THREADID + if (CRYPTO_get_locking_callback() == NULL && CRYPTO_get_id_callback() == NULL) { + CRYPTO_set_locking_callback(oidc_ssl_locking_callback); + CRYPTO_set_id_callback(oidc_ssl_id_callback); + } +#else + if (CRYPTO_get_locking_callback() == NULL + && CRYPTO_THREADID_get_callback() == NULL) { + CRYPTO_set_locking_callback(oidc_ssl_locking_callback); + CRYPTO_THREADID_set_callback(oidc_ssl_id_callback); + } +#endif /* OPENSSL_NO_THREADID */ +#endif /* defined(OPENSSL_THREADS) && APR_HAS_THREADS */ + apr_pool_cleanup_register(pool, s, oidc_cleanup, apr_pool_cleanup_null); + + oidc_session_init(); + + server_rec *sp = s; + while (sp != NULL) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(sp->module_config, + &auth_openidc_module); + if (cfg->cache->post_config != NULL) { + if (cfg->cache->post_config(sp) != OK) return HTTP_INTERNAL_SERVER_ERROR; + } + sp = sp->next; + } + + /* + * Apache has a base vhost that true vhosts derive from. + * There are two startup scenarios: + * + * 1. Only the base vhost contains OIDC settings. + * No server configs have been merged. + * Only the base vhost needs to be checked. + * + * 2. The base vhost contains zero or more OIDC settings. + * One or more vhosts override these. + * These vhosts have a merged config. + * All merged configs need to be checked. + */ + if (!oidc_config_merged_vhost_configs_exist(s)) { + /* nothing merged, only check the base vhost */ + return oidc_config_check_vhost_config(pool, s); + } + return oidc_config_check_merged_vhost_configs(pool, s); +} + +#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714 +static const authz_provider authz_oidc_provider = { + &oidc_authz_checker, + NULL, +}; +#endif + +/* + * initialize cache context in child process if required + */ +void oidc_child_init(apr_pool_t *p, server_rec *s) { + while (s != NULL) { + oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(s->module_config, + &auth_openidc_module); + if (cfg->cache->child_init != NULL) { + if (cfg->cache->child_init(p, s) != APR_SUCCESS) { + // TODO: ehrm... + exit(-1); + } + } + s = s->next; + } +} + +/* + * register our authentication and authorization functions + */ +void oidc_register_hooks(apr_pool_t *pool) { + ap_hook_post_config(oidc_post_config, NULL, NULL, APR_HOOK_LAST); + ap_hook_child_init(oidc_child_init, NULL, NULL, APR_HOOK_MIDDLE); +#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714 + ap_hook_check_authn(oidc_check_user_id, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF); + ap_register_auth_provider(pool, AUTHZ_PROVIDER_GROUP, "attribute", "0", &authz_oidc_provider, AP_AUTH_INTERNAL_PER_CONF); +#else + static const char * const authzSucc[] = { "mod_authz_user.c", NULL }; + ap_hook_check_user_id(oidc_check_user_id, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_auth_checker(oidc_auth_checker, NULL, authzSucc, APR_HOOK_MIDDLE); +#endif +} + +/* + * set of configuration primitives + */ +const command_rec oidc_config_cmds[] = { + + AP_INIT_TAKE1("OIDCProviderIssuer", oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, provider.issuer), + RSRC_CONF, "OpenID Connect OP issuer identifier."), + AP_INIT_TAKE1("OIDCProviderAuthorizationEndpoint", + oidc_set_https_slot, + (void *)APR_OFFSETOF(oidc_cfg, provider.authorization_endpoint_url), + RSRC_CONF, + "Define the OpenID OP Authorization Endpoint URL (e.g.: https://localhost:9031/as/authorization.oauth2)"), + AP_INIT_TAKE1("OIDCProviderTokenEndpoint", + oidc_set_https_slot, + (void *)APR_OFFSETOF(oidc_cfg, provider.token_endpoint_url), + RSRC_CONF, + "Define the OpenID OP Token Endpoint URL (e.g.: https://localhost:9031/as/token.oauth2)"), + AP_INIT_TAKE1("OIDCProviderTokenEndpointAuth", + oidc_set_endpoint_auth_slot, + (void *)APR_OFFSETOF(oidc_cfg, provider.token_endpoint_auth), + RSRC_CONF, + "Specify an authentication method for the OpenID OP Token Endpoint (e.g.: client_secret_basic)"), + AP_INIT_TAKE1("OIDCProviderUserInfoEndpoint", + oidc_set_https_slot, + (void *)APR_OFFSETOF(oidc_cfg, provider.userinfo_endpoint_url), + RSRC_CONF, + "Define the OpenID OP UserInfo Endpoint URL (e.g.: https://localhost:9031/idp/userinfo.openid)"), + AP_INIT_TAKE1("OIDCProviderJwksUri", + oidc_set_https_slot, + (void *)APR_OFFSETOF(oidc_cfg, provider.jwks_uri), + RSRC_CONF, + "Define the OpenID OP JWKS URL (e.g.: https://macbook:9031/pf/JWKS)"), + AP_INIT_TAKE1("OIDCResponseType", + oidc_set_response_type, + (void *)APR_OFFSETOF(oidc_cfg, provider.response_type), + RSRC_CONF, + "The response type (or OpenID Connect Flow) used; must be one of \"code\", \"id_token\", \"id_token token\" or \"token id_token\" (serves as default value for discovered OPs too)"), + AP_INIT_TAKE1("OIDCIDTokenAlg", oidc_set_id_token_alg, + (void *)APR_OFFSETOF(oidc_cfg, id_token_alg), + RSRC_CONF, + "The algorithm that the OP should use to sign the id_token (used only in dynamic client registration); must be one of [RS256|RS384|RS512|PS256|PS384|PS512]"), + AP_INIT_FLAG("OIDCSSLValidateServer", + oidc_set_flag_slot, + (void*)APR_OFFSETOF(oidc_cfg, provider.ssl_validate_server), + RSRC_CONF, + "Require validation of the OpenID Connect OP SSL server certificate for successful authentication (On or Off)"), + AP_INIT_TAKE1("OIDCClientName", oidc_set_string_slot, + (void *) APR_OFFSETOF(oidc_cfg, provider.client_name), + RSRC_CONF, + "Define the (client_name) name that the client uses for dynamic registration to the OP."), + AP_INIT_TAKE1("OIDCClientContact", oidc_set_string_slot, + (void *) APR_OFFSETOF(oidc_cfg, provider.client_contact), + RSRC_CONF, + "Define the contact that the client registers in dynamic registration with the OP."), + AP_INIT_TAKE1("OIDCScope", oidc_set_string_slot, + (void *) APR_OFFSETOF(oidc_cfg, provider.scope), + RSRC_CONF, + "Define the OpenID Connect scope that is requested from the OP."), + AP_INIT_TAKE1("OIDCJWKSRefreshInterval", + oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, provider.jwks_refresh_interval), + RSRC_CONF, + "Duration in seconds after which retrieved JWS should be refreshed."), + AP_INIT_TAKE1("OIDCIDTokenIatSlack", + oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, provider.idtoken_iat_slack), + RSRC_CONF, + "Acceptable offset (both before and after) for checking the \"iat\" (= issued at) timestamp in the id_token."), + + AP_INIT_TAKE1("OIDCClientID", oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, provider.client_id), + RSRC_CONF, + "Client identifier used in calls to OpenID Connect OP."), + AP_INIT_TAKE1("OIDCClientSecret", oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, provider.client_secret), + RSRC_CONF, + "Client secret used in calls to OpenID Connect OP."), + + AP_INIT_TAKE1("OIDCRedirectURI", oidc_set_url_slot, + (void *)APR_OFFSETOF(oidc_cfg, redirect_uri), + RSRC_CONF, + "Define the Redirect URI (e.g.: https://localhost:9031/protected/example/)"), + AP_INIT_TAKE1("OIDCDiscoverURL", oidc_set_url_slot, + (void *)APR_OFFSETOF(oidc_cfg, discover_url), + RSRC_CONF, + "Defines an external IDP Discovery page"), + AP_INIT_TAKE1("OIDCCookieDomain", + oidc_set_cookie_domain, NULL, RSRC_CONF, + "Specify domain element for OIDC session cookie."), + AP_INIT_TAKE1("OIDCCryptoPassphrase", + oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, crypto_passphrase), + RSRC_CONF, + "Passphrase used for AES crypto on cookies and state."), + AP_INIT_TAKE1("OIDCClaimDelimiter", + oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, claim_delimiter), + RSRC_CONF, + "The delimiter to use when setting multi-valued claims in the HTTP headers."), + AP_INIT_TAKE1("OIDCClaimPrefix", oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, claim_prefix), + RSRC_CONF, + "The prefix to use when setting claims in the HTTP headers."), + + AP_INIT_TAKE1("OIDCOAuthClientID", oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, oauth.client_id), + RSRC_CONF, + "Client identifier used in calls to OAuth 2.0 Authorization server validation calls."), + AP_INIT_TAKE1("OIDCOAuthClientSecret", + oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, oauth.client_secret), + RSRC_CONF, + "Client secret used in calls to OAuth 2.0 Authorization server validation calls."), + AP_INIT_TAKE1("OIDCOAuthEndpoint", oidc_set_https_slot, + (void *)APR_OFFSETOF(oidc_cfg, oauth.validate_endpoint_url), + RSRC_CONF, + "Define the OAuth AS Validation Endpoint URL (e.g.: https://localhost:9031/as/token.oauth2)"), + AP_INIT_TAKE1("OIDCOAuthEndpointAuth", + oidc_set_endpoint_auth_slot, + (void *)APR_OFFSETOF(oidc_cfg, oauth.validate_endpoint_auth), + RSRC_CONF, + "Specify an authentication method for the OAuth AS Validation Endpoint (e.g.: client_auth_basic)"), + AP_INIT_FLAG("OIDCOAuthSSLValidateServer", + oidc_set_flag_slot, + (void*)APR_OFFSETOF(oidc_cfg, oauth.ssl_validate_server), + RSRC_CONF, + "Require validation of the OAuth 2.0 AS Validation Endpoint SSL server certificate for successful authentication (On or Off)"), + + AP_INIT_TAKE1("OIDCHTTPTimeoutLong", oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, http_timeout_long), + RSRC_CONF, + "Timeout for long duration HTTP calls (default)."), + AP_INIT_TAKE1("OIDCHTTPTimeoutShort", oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, http_timeout_short), + RSRC_CONF, + "Timeout for short duration HTTP calls (registry/discovery)."), + AP_INIT_TAKE1("OIDCStateTimeout", oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, state_timeout), + RSRC_CONF, + "Time to live in seconds for state parameter (cq. interval in which the authorization request and the corresponding response need to be completed)."), + + AP_INIT_TAKE1("OIDCMetadataDir", oidc_set_dir_slot, + (void*)APR_OFFSETOF(oidc_cfg, metadata_dir), + RSRC_CONF, + "Directory that contains provider and client metadata files."), + AP_INIT_TAKE1("OIDCSessionType", oidc_set_session_type, + (void*)APR_OFFSETOF(oidc_cfg, session_type), + RSRC_CONF, + "OpenID Connect session storage type (Apache 2.0/2.2 only). Must be one of \"file\" or \"cookie\"."), + AP_INIT_FLAG("OIDCScrubRequestHeaders", + oidc_set_flag_slot, + (void *) APR_OFFSETOF(oidc_cfg, scrub_request_headers), + RSRC_CONF, + "Scrub user name and claim headers from the user's request."), + + AP_INIT_TAKE1("OIDCAuthNHeader", ap_set_string_slot, + (void *) APR_OFFSETOF(oidc_dir_cfg, authn_header), + ACCESS_CONF|OR_AUTHCFG, + "Specify the HTTP header variable to set with the name of the authenticated user. By default no headers are added."), + AP_INIT_TAKE1("OIDCCookiePath", ap_set_string_slot, + (void *) APR_OFFSETOF(oidc_dir_cfg, cookie_path), + ACCESS_CONF|OR_AUTHCFG, + "Define the cookie path for the session cookie."), + AP_INIT_TAKE1("OIDCCookie", ap_set_string_slot, + (void *) APR_OFFSETOF(oidc_dir_cfg, cookie), + ACCESS_CONF|OR_AUTHCFG, + "Define the cookie name for the session cookie."), + + AP_INIT_TAKE1("OIDCCacheType", oidc_set_cache_type, + (void*)APR_OFFSETOF(oidc_cfg, cache), RSRC_CONF, + "Cache type; must be one of \"file\", \"memcache\" or \"shm\"."), + + AP_INIT_TAKE1("OIDCCacheDir", oidc_set_dir_slot, + (void*)APR_OFFSETOF(oidc_cfg, cache_file_dir), + RSRC_CONF, + "Directory used for file-based caching."), + AP_INIT_TAKE1("OIDCCacheFileCleanInterval", oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, cache_file_clean_interval), + RSRC_CONF, + "Cache file clean interval in seconds."), + AP_INIT_TAKE1("OIDCMemCacheServers", + oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, cache_memcache_servers), + RSRC_CONF, + "Memcache servers used for caching (space separated list of [:] tuples)"), + AP_INIT_TAKE1("OIDCCacheShmMax", oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, cache_shm_size_max), + RSRC_CONF, + "Maximum number of cache entries to use for \"shm\" caching."), + + { NULL } +}; diff --git a/src/crypto.c b/src/crypto.c new file mode 100644 index 00000000..340c163d --- /dev/null +++ b/src/crypto.c @@ -0,0 +1,366 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * based on http://saju.net.in/code/misc/openssl_aes.c.txt + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "mod_auth_openidc.h" + +/* + * initialize the crypto context in the server configuration record; the passphrase is set already + */ +static apr_byte_t oidc_crypto_init(oidc_cfg *cfg, server_rec *s) { + + if (cfg->encrypt_ctx != NULL) + return TRUE; + + unsigned char *key_data = (unsigned char *) cfg->crypto_passphrase; + int key_data_len = strlen(cfg->crypto_passphrase); + + unsigned int s_salt[] = { 41892, 72930 }; + unsigned char *salt = (unsigned char *) &s_salt; + + int i, nrounds = 5; + unsigned char key[32], iv[32]; + + /* + * Gen key & IV for AES 256 CBC mode. A SHA1 digest is used to hash the supplied key material. + * nrounds is the number of times the we hash the material. More rounds are more secure but + * slower. + */ + i = EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), salt, key_data, + key_data_len, nrounds, key, iv); + if (i != 32) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "oidc_crypto_init: key size must be 256 bits!"); + return FALSE; + } + + cfg->encrypt_ctx = apr_palloc(s->process->pool, sizeof(EVP_CIPHER_CTX)); + cfg->decrypt_ctx = apr_palloc(s->process->pool, sizeof(EVP_CIPHER_CTX)); + + /* initialize the encoding context */ + EVP_CIPHER_CTX_init(cfg->encrypt_ctx); + if (!EVP_EncryptInit_ex(cfg->encrypt_ctx, EVP_aes_256_cbc(), NULL, key, + iv)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "oidc_crypto_init: EVP_EncryptInit_ex on the encrypt context failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return FALSE; + } + + /* initialize the decoding context */ + EVP_CIPHER_CTX_init(cfg->decrypt_ctx); + if (!EVP_DecryptInit_ex(cfg->decrypt_ctx, EVP_aes_256_cbc(), NULL, key, + iv)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "oidc_crypto_init: EVP_DecryptInit_ex on the decrypt context failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return FALSE; + } + + return TRUE; +} + +/* + * AES encrypt plaintext + */ +unsigned char *oidc_crypto_aes_encrypt(request_rec *r, oidc_cfg *cfg, + unsigned char *plaintext, int *len) { + + if (oidc_crypto_init(cfg, r->server) == FALSE) return NULL; + + /* max ciphertext len for a n bytes of plaintext is n + AES_BLOCK_SIZE -1 bytes */ + int c_len = *len + AES_BLOCK_SIZE, f_len = 0; + unsigned char *ciphertext = apr_palloc(r->pool, c_len); + + /* allows reusing of 'e' for multiple encryption cycles */ + if (!EVP_EncryptInit_ex(cfg->encrypt_ctx, NULL, NULL, NULL, NULL)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_aes_encrypt: EVP_EncryptInit_ex failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + /* update ciphertext, c_len is filled with the length of ciphertext generated, len is the size of plaintext in bytes */ + if (!EVP_EncryptUpdate(cfg->encrypt_ctx, ciphertext, &c_len, plaintext, + *len)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_aes_encrypt: EVP_EncryptUpdate failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + /* update ciphertext with the final remaining bytes */ + if (!EVP_EncryptFinal_ex(cfg->encrypt_ctx, ciphertext + c_len, &f_len)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_aes_encrypt: EVP_EncryptFinal_ex failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + *len = c_len + f_len; + + return ciphertext; +} + +/* + * AES decrypt ciphertext + */ +unsigned char *oidc_crypto_aes_decrypt(request_rec *r, oidc_cfg *cfg, + unsigned char *ciphertext, int *len) { + + if (oidc_crypto_init(cfg, r->server) == FALSE) return NULL; + + /* because we have padding ON, we must allocate an extra cipher block size of memory */ + int p_len = *len, f_len = 0; + unsigned char *plaintext = apr_palloc(r->pool, p_len + AES_BLOCK_SIZE); + + /* allows reusing of 'e' for multiple encryption cycles */ + if (!EVP_DecryptInit_ex(cfg->decrypt_ctx, NULL, NULL, NULL, NULL)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_aes_decrypt: EVP_DecryptInit_ex failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + /* update plaintext, p_len is filled with the length of plaintext generated, len is the size of ciphertext in bytes */ + if (!EVP_DecryptUpdate(cfg->decrypt_ctx, plaintext, &p_len, ciphertext, + *len)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_aes_decrypt: EVP_DecryptUpdate failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + /* update plaintext with the final remaining bytes */ + if (!EVP_DecryptFinal_ex(cfg->decrypt_ctx, plaintext + p_len, &f_len)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_aes_decrypt: EVP_DecryptFinal_ex failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + *len = p_len + f_len; + + return plaintext; +} + +/* + * return OpenSSL digest for JWK algorithm + */ +char *oidc_crypto_jwt_alg2digest(const char *alg) { + if ((strcmp(alg, "RS256") == 0) || (strcmp(alg, "PS256") == 0) || (strcmp(alg, "HS256") == 0)) { + return "sha256"; + } + if ((strcmp(alg, "RS384") == 0) || (strcmp(alg, "PS384") == 0) || (strcmp(alg, "HS384") == 0)) { + return "sha384"; + } + if ((strcmp(alg, "RS512") == 0) || (strcmp(alg, "PS512") == 0) || (strcmp(alg, "HS512") == 0)) { + return "sha512"; + } + if (strcmp(alg, "NONE") == 0) { + return "NONE"; + } + return NULL; +} + +/* + * return OpenSSL padding type for JWK RSA algorithm + */ +static int oidc_crypto_jwt_alg2rsa_padding(const char *alg) { + if ((strcmp(alg, "RS256") == 0) || (strcmp(alg, "RS384") == 0) || (strcmp(alg, "RS512") == 0)) { + return RSA_PKCS1_PADDING; + } + if ((strcmp(alg, "PS256") == 0) || (strcmp(alg, "PS384") == 0) || (strcmp(alg, "PS512") == 0)) { + return RSA_PKCS1_PSS_PADDING; + } + return -1; +} + +static const EVP_MD *oidc_crypto_alg2evp(request_rec *r, const char *alg) { + const EVP_MD *result = NULL; + + char *digest = oidc_crypto_jwt_alg2digest(alg); + + if (digest == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_alg2evp: unsupported algorithm: %s", alg); + return NULL; + } + + result = EVP_get_digestbyname(digest); + + if (result == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_alg2evp: EVP_get_digestbyname failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + return result; +} + +/* + * verify RSA signature + */ +apr_byte_t oidc_crypto_rsa_verify(request_rec *r, const char *alg, unsigned char* sig, int sig_len, unsigned char* msg, + int msg_len, unsigned char *mod, int mod_len, unsigned char *exp, int exp_len) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_crypto_rsa_verify: entering (%s)", alg); + + const EVP_MD *digest = NULL; + if ((digest = oidc_crypto_alg2evp(r, alg)) == NULL) return FALSE; + + apr_byte_t rc = FALSE; + + EVP_MD_CTX ctx; + EVP_MD_CTX_init(&ctx); + + RSA * pubkey = RSA_new(); + + BIGNUM * modulus = BN_new(); + BIGNUM * exponent = BN_new(); + + BN_bin2bn(mod, mod_len, modulus); + BN_bin2bn(exp, exp_len, exponent); + + pubkey->n = modulus; + pubkey->e = exponent; + + EVP_PKEY* pRsaKey = EVP_PKEY_new(); + if (!EVP_PKEY_assign_RSA(pRsaKey, pubkey)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_rsa_verify: EVP_PKEY_assign_RSA failed: %s", ERR_error_string(ERR_get_error(), NULL)); + pRsaKey = NULL; + goto end; + } + + ctx.pctx = EVP_PKEY_CTX_new(pRsaKey, NULL); + if (!EVP_PKEY_verify_init(ctx.pctx)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_rsa_verify: EVP_PKEY_verify_init failed: %s", ERR_error_string(ERR_get_error(), NULL)); + goto end; + } + if (!EVP_PKEY_CTX_set_rsa_padding(ctx.pctx, oidc_crypto_jwt_alg2rsa_padding(alg))) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_rsa_verify: EVP_PKEY_CTX_set_rsa_padding failed: %s", ERR_error_string(ERR_get_error(), NULL)); + goto end; + } + + if (!EVP_VerifyInit_ex(&ctx, digest, NULL)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_rsa_verify: EVP_VerifyInit_ex failed: %s", ERR_error_string(ERR_get_error(), NULL)); + goto end; + } + + if (!EVP_VerifyUpdate(&ctx, msg, msg_len)){ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_rsa_verify: EVP_VerifyUpdate failed: %s", ERR_error_string(ERR_get_error(), NULL)); + goto end; + } + + if (!EVP_VerifyFinal(&ctx, sig, sig_len, pRsaKey)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_rsa_verify: EVP_VerifyFinal failed: %s", ERR_error_string(ERR_get_error(), NULL)); + goto end; + } + + rc = TRUE; + +end: + if (pRsaKey) { + EVP_PKEY_free(pRsaKey); + } else if (pubkey) { + RSA_free(pubkey); + } + EVP_MD_CTX_cleanup(&ctx); + + return rc; +} + +/* + * verify HOIDC signature + */ +apr_byte_t oidc_crypto_hoidc_verify(request_rec *r, const char *alg, unsigned char* sig, int sig_len, unsigned char* msg, + int msg_len, unsigned char *key, int key_len) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_crypto_hoidc_verify: entering (%s)", alg); + + const EVP_MD *digest = NULL; + if ((digest = oidc_crypto_alg2evp(r, alg)) == NULL) return FALSE; + + unsigned int md_len = 0; + unsigned char md[EVP_MAX_MD_SIZE]; + + if (!HMAC(digest, key, key_len, msg, msg_len, md, &md_len)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_hoidc_verify: HOIDC failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return FALSE; + } + + if (md_len != sig_len) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_hoidc_verify: hash length does not match signature length"); + return FALSE; + } + + if (memcmp(md, sig, md_len) != 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_crypto_hoidc_verify: HOIDC verification failed"); + return FALSE; + } + + return TRUE; +} diff --git a/src/metadata.c b/src/metadata.c new file mode 100644 index 00000000..08804eb0 --- /dev/null +++ b/src/metadata.c @@ -0,0 +1,999 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * OpenID Connect metadata handling routines, for both OP discovery and client registration + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include +#include +#include +#include + +#include +#include + +// for converting JWKs +#include +#include +#include +#include + +#include "mod_auth_openidc.h" + +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +#define OIDC_METADATA_SUFFIX_PROVIDER "provider" +#define OIDC_METADATA_SUFFIX_CLIENT "client" +#define OIDC_METADATA_SUFFIX_JWKS "jwks" + +/* + * get the metadata filename for a specified issuer (cq. urlencode it) + */ +static const char *oidc_metadata_issuer_to_filename(request_rec *r, + const char *issuer) { + + /* strip leading https:// */ + char *p = strstr(issuer, "https://"); + if (p == issuer) { + p = apr_pstrdup(r->pool, issuer + strlen("https://")); + } else { + p = apr_pstrdup(r->pool, issuer); + } + + /* strip trailing '/' */ + int n = strlen(p); + if (p[n - 1] == '/') p[n - 1] = '\0'; + + return oidc_util_escape_string(r, p); +} + +/* + * get the issuer from a metadata filename (cq. urldecode it) + */ +static const char *oidc_metadata_filename_to_issuer(request_rec *r, + const char *filename) { + char *result = apr_pstrdup(r->pool, filename); + char *p = strrchr(result, '.'); + *p = '\0'; + p = oidc_util_unescape_string(r, result); + return (strcmp(p, "accounts.google.com") == 0) ? p : apr_psprintf(r->pool, "https://%s", p); +} + +/* + * get the full path to the metadata file for a specified issuer and directory + */ +static const char *oidc_metadata_file_path(request_rec *r, oidc_cfg *cfg, + const char *issuer, const char *type) { + return apr_psprintf(r->pool, "%s/%s.%s", cfg->metadata_dir, + oidc_metadata_issuer_to_filename(r, issuer), type); +} + +/* + * get the full path to the provider metadata file for a specified issuer + */ +static const char *oidc_metadata_provider_file_path(request_rec *r, + const char *issuer) { + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + return oidc_metadata_file_path(r, cfg, issuer, + OIDC_METADATA_SUFFIX_PROVIDER); +} + +/* + * get the full path to the client metadata file for a specified issuer + */ +static const char *oidc_metadata_client_file_path(request_rec *r, + const char *issuer) { + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + return oidc_metadata_file_path(r, cfg, issuer, OIDC_METADATA_SUFFIX_CLIENT); +} + +/* + * get the full path to the jwks metadata file for a specified issuer + */ +static const char *oidc_metadata_jwks_cache_key(request_rec *r, + const char *issuer) { + return apr_psprintf(r->pool, "%s.jwks", issuer); +} + +/* + * read a JSON metadata file from disk + */ +static apr_byte_t oidc_metadata_file_read_json(request_rec *r, const char *path, + apr_json_value_t **result) { + apr_status_t rc = APR_SUCCESS; + char *buf = NULL; + + /* read the file contents */ + if (oidc_util_file_read(r, path, &buf) == FALSE) + return FALSE; + + /* decode the JSON contents of the buffer */ + if ((rc = apr_json_decode(result, buf, strlen(buf), r->pool)) != APR_SUCCESS) { + /* something went wrong */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_file_read_json: JSON parsing (%s) returned an error: (%d)", + path, rc); + return FALSE; + } + + if ((*result == NULL) || ((*result)->type != APR_JSON_OBJECT)) { + /* oops, no JSON */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_file_read_json: parsed JSON from (%s) did not contain a JSON object", + path); + return FALSE; + } + + /* log successful metadata retrieval */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_file_read_json: JSON parsed from file \"%s\"", path); + + return TRUE; +} + +/* + * check to see if JSON provider metadata is valid + */ +static apr_byte_t oidc_metadata_provider_is_valid(request_rec *r, + apr_json_value_t *j_provider, const char *issuer) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_provider_is_valid: entering"); + + /* get the "issuer" from the provider metadata and double-check that it matches what we looked for */ + apr_json_value_t *j_issuer = apr_hash_get(j_provider->value.object, + "issuer", APR_HASH_KEY_STRING); + if ((j_issuer == NULL) || (j_issuer->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_provider_is_valid: provider JSON object did not contain an \"issuer\" string"); + return FALSE; + } + + /* check that the issuer matches */ + if (oidc_util_issuer_match(issuer, j_issuer->value.string.p) == FALSE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_provider_is_valid: requested issuer (%s) does not match the \"issuer\" value in the provider metadata file: %s", + issuer, j_issuer->value.string.p); + return FALSE; + } + + /* verify that the provider supports the a flow that we implement */ + apr_json_value_t *j_response_types_supported = apr_hash_get( + j_provider->value.object, "response_types_supported", + APR_HASH_KEY_STRING); + if ((j_response_types_supported != NULL) + && (j_response_types_supported->type == APR_JSON_ARRAY)) { + if ((oidc_util_json_array_has_value(r, j_response_types_supported, + "code") == FALSE) + && (oidc_util_json_array_has_value(r, + j_response_types_supported, "id_token") == FALSE) + && (oidc_util_json_array_has_value(r, + j_response_types_supported, "token id_token") == FALSE) + && (oidc_util_json_array_has_value(r, + j_response_types_supported, "id_token token") == FALSE)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_metadata_provider_is_valid: could not find a supported value [\"code\" | \"id_token\" | \"token id_token\" | \"id_token token\"] in provider metadata for entry \"response_types_supported\"; assuming that \"code\" flow is supported..."); + //return FALSE; + } + } else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_metadata_provider_is_valid: provider JSON object did not contain a \"response_types_supported\" array; assuming that \"code\" flow is supported..."); + // TODO: hey, this is required-by-spec stuff right? + } + + /* get a handle to the authorization endpoint */ + apr_json_value_t *j_authorization_endpoint = apr_hash_get( + j_provider->value.object, "authorization_endpoint", + APR_HASH_KEY_STRING); + if ((j_authorization_endpoint == NULL) + || (j_authorization_endpoint->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_provider_is_valid: provider JSON object did not contain an \"authorization_endpoint\" string"); + return FALSE; + } + + /* get a handle to the token endpoint */ + apr_json_value_t *j_token_endpoint = apr_hash_get(j_provider->value.object, + "token_endpoint", APR_HASH_KEY_STRING); + if ((j_token_endpoint == NULL) + || (j_token_endpoint->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_metadata_provider_is_valid: provider JSON object did not contain a \"token_endpoint\" string"); + //return FALSE; + } + + /* get a handle to the user_info endpoint */ + apr_json_value_t *j_userinfo_endpoint = apr_hash_get( + j_provider->value.object, "userinfo_endpoint", APR_HASH_KEY_STRING); + if ((j_userinfo_endpoint != NULL) + && (j_userinfo_endpoint->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_provider_is_valid: provider JSON object contains a \"userinfo_endpoint\" entry, but it is not a string value"); + } + // TODO: check for valid URL + + /* get a handle to the jwks_uri */ + apr_json_value_t *j_jwks_uri = apr_hash_get(j_provider->value.object, + "jwks_uri", APR_HASH_KEY_STRING); + if ((j_jwks_uri == NULL) || (j_jwks_uri->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_metadata_provider_is_valid: provider JSON object did not contain a \"jwks_uri\" string"); + //return FALSE; + } + + /* find out what type of authentication the token endpoint supports (we only support post or basic) */ + apr_json_value_t *j_token_endpoint_auth_methods_supported = apr_hash_get( + j_provider->value.object, "token_endpoint_auth_methods_supported", + APR_HASH_KEY_STRING); + if ((j_token_endpoint_auth_methods_supported == NULL) + || (j_token_endpoint_auth_methods_supported->type != APR_JSON_ARRAY)) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_provider_is_valid: provider JSON object did not contain a \"token_endpoint_auth_methods_supported\" array, assuming \"client_secret_basic\" is supported"); + } else { + int i; + for (i = 0; + i < j_token_endpoint_auth_methods_supported->value.array->nelts; + i++) { + apr_json_value_t *elem = APR_ARRAY_IDX( + j_token_endpoint_auth_methods_supported->value.array, i, + apr_json_value_t *); + if (elem->type != APR_JSON_STRING) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_metadata_provider_is_valid: unhandled in-array JSON object type [%d] in provider metadata for entry \"token_endpoint_auth_methods_supported\"", + elem->type); + continue; + } + if (strcmp(elem->value.string.p, "client_secret_post") == 0) { + break; + } + if (strcmp(elem->value.string.p, "client_secret_basic") == 0) { + break; + } + } + if (i == j_token_endpoint_auth_methods_supported->value.array->nelts) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_provider_is_valid: could not find a supported value [client_secret_post|client_secret_basic] in provider metadata for entry \"token_endpoint_auth_methods_supported\""); + return FALSE; + } + } + + return TRUE; +} + +/* + * check to see if dynamically registered JSON client metadata has not expired + */ +static apr_byte_t oidc_metadata_client_is_valid(request_rec *r, + apr_json_value_t *j_client, const char *issuer) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_client_is_valid: entering"); + + /* get a handle to the client_id we need to use for this provider */ + apr_json_value_t *j_client_id = apr_hash_get(j_client->value.object, + "client_id", APR_HASH_KEY_STRING); + if ((j_client_id == NULL) || (j_client_id->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_client_is_valid: client JSON object did not contain a \"client_id\" string"); + return FALSE; + } + + /* get a handle to the client_secret we need to use for this provider */ + apr_json_value_t *j_client_secret = apr_hash_get(j_client->value.object, + "client_secret", APR_HASH_KEY_STRING); + if ((j_client_secret == NULL) + || (j_client_secret->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_client_is_valid: client JSON object did not contain a \"client_secret\" string"); + return FALSE; + } + + /* the expiry timestamp from the JSON object */ + apr_json_value_t *expires_at = apr_hash_get(j_client->value.object, + "client_secret_expires_at", APR_HASH_KEY_STRING); + if ((expires_at == NULL) || (expires_at->type != APR_JSON_LONG)) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_client_is_valid: client metadata for \"%s\" did not contain a \"client_secret_expires_at\" setting", + issuer); + /* assume that it never expires */ + return TRUE; + } + + /* see if it is unrestricted */ + if (expires_at->value.lnumber == 0) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_client_is_valid: client metadata for \"%s\" never expires (client_secret_expires_at=0)", + issuer); + return TRUE; + } + + /* check if the value >= now */ + if (apr_time_sec(apr_time_now()) > expires_at->value.lnumber) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_metadata_client_is_valid: client secret for \"%s\" expired", + issuer); + return FALSE; + } + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_client_is_valid: client secret for \"%s\" has not expired, return OK", + issuer); + + /* all ok, not expired */ + return TRUE; +} + +/* + * checks if a parsed JWKs file is a valid one, cq. contains "keys" + */ +static apr_byte_t oidc_metadata_jwks_is_valid(request_rec *r, + apr_json_value_t *j_jwks, const char *issuer) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_jwks_is_valid: entering"); + + apr_json_value_t *keys = apr_hash_get(j_jwks->value.object, "keys", + APR_HASH_KEY_STRING); + if ((keys == NULL) || (keys->type != APR_JSON_ARRAY)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_jwks_is_valid: JWKS JSON object did not contain a \"keys\" array"); + return FALSE; + } + return TRUE; +} + +/* + * write JSON metadata to a file + */ +static apr_byte_t oidc_metadata_file_write(request_rec *r, const char *path, + const char *data) { + + // TODO: completely erase the contents of the file if it already exists.... + + apr_file_t *fd = NULL; + apr_status_t rc = APR_SUCCESS; + apr_size_t bytes_written = 0; + char s_err[128]; + + /* try to open the metadata file for writing, creating it if it does not exist */ + if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE), + APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_file_write: file \"%s\" could not be opened (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + return FALSE; + } + + /* lock the file and move the write pointer to the start of it */ + apr_file_lock(fd, APR_FLOCK_EXCLUSIVE); + apr_off_t begin = 0; + apr_file_seek(fd, APR_SET, &begin); + + /* calculate the length of the data, which is a string length */ + apr_size_t len = strlen(data); + + /* (blocking) write the number of bytes in the buffer */ + rc = apr_file_write_full(fd, data, len, &bytes_written); + + /* check for a system error */ + if (rc != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_file_write: could not write to: \"%s\" (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + return FALSE; + } + + /* check that all bytes from the header were written */ + if (bytes_written != len) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_file_write: could not write enough bytes to: \"%s\", bytes_written (%" APR_SIZE_T_FMT ") != len (%" APR_SIZE_T_FMT ")", + path, bytes_written, len); + return FALSE; + } + + /* unlock and close the written file */ + apr_file_unlock(fd); + apr_file_close(fd); + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_file_write: file \"%s\" written; number of bytes (%" APR_SIZE_T_FMT ")", + path, len); + + return TRUE; +} + +/* callback function type for checking metadata validity (provider or client) */ +typedef apr_byte_t (*oidc_is_valid_function_t)(request_rec *, + apr_json_value_t *, const char *); + +/* + * helper function to get the JSON (client or provider) metadata from the specified file path and check its validity + */ +static apr_byte_t oidc_metadata_get_and_check(request_rec *r, const char *path, + const char *issuer, oidc_is_valid_function_t metadata_is_valid, + apr_json_value_t **j_metadata) { + + apr_finfo_t fi; + apr_status_t rc = APR_SUCCESS; + char s_err[128]; + + /* read the metadata from a file in to a variable */ + if (oidc_metadata_file_read_json(r, path, j_metadata) == FALSE) + goto error_delete; + + /* we've got metadata that is JSON and no error-JSON, but now we check provider/client validity */ + if (metadata_is_valid(r, *j_metadata, issuer) == FALSE) + goto error_delete; + + /* all OK if we got here */ + return TRUE; + +error_delete: + + /* + * this is expired or otherwise invalid metadata, we're probably going to get + * new metadata, so delete the file first, if it (still) exists at all + */ + if (apr_stat(&fi, path, APR_FINFO_MTIME, r->pool) == APR_SUCCESS) { + + if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_get_and_check: could not delete invalid metadata file %s (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_get_and_check: removed invalid metadata file %s", + path); + } + } + + return FALSE; +} + +/* + * helper function to retrieve (client or provider) metadata from a URL, check it and store it + */ +static apr_byte_t oidc_metadata_retrieve_and_store(request_rec *r, + oidc_cfg *cfg, const char *url, int action, apr_table_t *params, + int ssl_validate_server, const char *issuer, + oidc_is_valid_function_t f_is_valid, const char *path, + apr_json_value_t **j_metadata) { + const char *response = NULL; + + /* no valid provider metadata, get it at the specified URL with the specified parameters */ + if (oidc_util_http_call(r, url, action, params, NULL, NULL, + ssl_validate_server, &response, cfg->http_timeout_short) == FALSE) + return FALSE; + + /* decode and see if it is not an error response somehow */ + if (oidc_util_decode_json_and_check_error(r, response, j_metadata) == FALSE) + return FALSE; + + /* check to see if it is valid metadata */ + if (f_is_valid(r, *j_metadata, issuer) == FALSE) + return FALSE; + + /* since it is valid, write the obtained provider metadata file */ + if (oidc_metadata_file_write(r, path, response) == FALSE) + return FALSE; + + /* all OK */ + return TRUE; +} + +/* + * helper function to get the JWKs for the specified issuer + */ +static apr_byte_t oidc_metadata_jwks_retrieve_and_store(request_rec *r, + oidc_cfg *cfg, oidc_provider_t *provider, apr_json_value_t **j_jwks) { + + const char *response = NULL; + + /* no valid provider metadata, get it at the specified URL with the specified parameters */ + if (oidc_util_http_call(r, provider->jwks_uri, OIDC_HTTP_GET, NULL, NULL, + NULL, provider->ssl_validate_server, &response, + cfg->http_timeout_short) == FALSE) + return FALSE; + + /* decode and see if it is not an error response somehow */ + if (oidc_util_decode_json_and_check_error(r, response, j_jwks) == FALSE) + return FALSE; + + /* check to see if it is valid metadata */ + if (oidc_metadata_jwks_is_valid(r, *j_jwks, provider->issuer) == FALSE) + return FALSE; + + /* store the JWKs in the cache */ + cfg->cache->set(r, oidc_metadata_jwks_cache_key(r, provider->issuer), + response, + apr_time_now() + apr_time_from_sec(provider->jwks_refresh_interval)); + + return TRUE; +} + +/* + * return JWKs for the specified issuer + */ +apr_byte_t oidc_metadata_jwks_get(request_rec *r, oidc_cfg *cfg, + oidc_provider_t *provider, apr_json_value_t **j_jwks, + apr_byte_t *refresh) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_jwks_get: entering (issuer=%s, refresh=%d)", + provider->issuer, *refresh); + + /* see if we need to do a forced refresh */ + if (*refresh == TRUE) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_jwks_get: doing a forced refresh of the JWKs for issuer \"%s\"", + provider->issuer); + if (oidc_metadata_jwks_retrieve_and_store(r, cfg, provider, + j_jwks) == TRUE) + return TRUE; + // else: fallback on any cached JWKs + } + + /* see if the JWKs is cached */ + const char *value = NULL; + cfg->cache->get(r, oidc_metadata_jwks_cache_key(r, provider->issuer), + &value); + + if (value == NULL) { + /* it is non-existing or expired: do a forced refresh */ + *refresh = TRUE; + return oidc_metadata_jwks_retrieve_and_store(r, cfg, provider, j_jwks); + } + + /* decode and see if it is not an error response somehow */ + if (oidc_util_decode_json_and_check_error(r, value, j_jwks) == FALSE) + return FALSE; + + return TRUE; +} + +/* + * see if we have provider metadata and check its validity + * if not, use OpenID Connect Provider Issuer Discovery to get it, check it and store it + */ +static apr_byte_t oidc_metadata_provider_get(request_rec *r, oidc_cfg *cfg, + const char *issuer, apr_json_value_t **j_provider) { + + /* get the full file path to the provider metadata for this issuer */ + const char *provider_path = oidc_metadata_provider_file_path(r, issuer); + + /* see if we have valid metadata already, if so, return it */ + if (oidc_metadata_get_and_check(r, provider_path, issuer, + oidc_metadata_provider_is_valid, j_provider) == TRUE) + return TRUE; + + // TODO: how to do validity/expiry checks on provider metadata + + /* assemble the URL to the .well-known OpenID metadata */ + const char *url = apr_psprintf(r->pool, "%s", + ((strstr(issuer, "http://") == issuer) + || (strstr(issuer, "https://") == issuer)) ? + issuer : apr_psprintf(r->pool, "https://%s", issuer)); + url = apr_psprintf(r->pool, "%s%s.well-known/openid-configuration", url, + url[strlen(url) - 1] != '/' ? "/" : ""); + + /* try and get it from there, checking it and storing it if successful */ + return oidc_metadata_retrieve_and_store(r, cfg, url, OIDC_HTTP_GET, NULL, + cfg->provider.ssl_validate_server, issuer, + oidc_metadata_provider_is_valid, provider_path, j_provider); +} + +/* + * see if we have client metadata and check its validity + * if not, use OpenID Connect Client Registration to get it, check it and store it + */ +static apr_byte_t oidc_metadata_client_get(request_rec *r, oidc_cfg *cfg, + const char *issuer, const char *registration_url, + apr_json_value_t **j_client) { + + /* get the full file path to the provider metadata for this issuer */ + const char *client_path = oidc_metadata_client_file_path(r, issuer); + + /* see if we already have valid client metadata, if so, return TRUE */ + if (oidc_metadata_get_and_check(r, client_path, issuer, + oidc_metadata_client_is_valid, j_client) == TRUE) + return TRUE; + + /* at this point we have no valid client metadata, see if there's a registration endpoint for this provider */ + if (registration_url == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_client_get: no (valid) client metadata exists and provider JSON object did not contain a (valid) \"registration_endpoint\" string"); + return FALSE; + } + + /* go and use Dynamic Client registration to fetch ourselves new client metadata */ + apr_table_t *params = apr_table_make(r->pool, 3); + apr_table_addn(params, "client_name", cfg->provider.client_name); + + if (cfg->id_token_alg != NULL) { + apr_table_addn(params, "id_token_signed_response_alg", + cfg->id_token_alg); + } + + int action = OIDC_HTTP_POST_JSON; + + /* hack away for pre-standard PingFederate client registration... */ + if (strstr(registration_url, "idp/client-registration.openid") != NULL) { + + /* add PF specific client registration parameters */ + apr_table_addn(params, "operation", "client_register"); + apr_table_addn(params, "redirect_uris", cfg->redirect_uri); + if (cfg->provider.client_contact != NULL) { + apr_table_addn(params, "contacts", cfg->provider.client_contact); + } + + action = OIDC_HTTP_POST_FORM; + + } else { + + // TODO also hacky, we need arrays for the next two values + apr_table_addn(params, "redirect_uris", + apr_psprintf(r->pool, "[\"%s\"]", cfg->redirect_uri)); + if (cfg->provider.client_contact != NULL) { + apr_table_addn(params, "contacts", + apr_psprintf(r->pool, "[\"%s\"]", + cfg->provider.client_contact)); + } + } + + /* try and get it from there, checking it and storing it if successful */ + return oidc_metadata_retrieve_and_store(r, cfg, registration_url, action, + params, cfg->provider.ssl_validate_server, issuer, + oidc_metadata_client_is_valid, client_path, j_client); +} + +/* + * return both provider and client metadata for the specified issuer + * + * TODO: should we use a modification timestamp on client metadata to skip + * validation if it has been done recently, or is that overkill? + * + * at least it is not overkill for blacklisting providers that registration fails for + * but maybe we should just delete the provider data for those? + */ +static apr_byte_t oidc_metadata_get_provider_and_client(request_rec *r, + oidc_cfg *cfg, const char *issuer, apr_json_value_t **j_provider, + apr_json_value_t **j_client) { + + const char *registration_url = NULL; + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_metadata_get_provider_and_client: entering; issuer=\"%s\"", + issuer); + + /* see if we can get valid provider metadata (possibly bootstrapping with Discovery), if not, return FALSE */ + if (oidc_metadata_provider_get(r, cfg, issuer, j_provider) == FALSE) + return FALSE; + + /* get a reference to the registration endpoint, if it exists */ + apr_json_value_t *j_registration_endpoint = apr_hash_get( + (*j_provider)->value.object, "registration_endpoint", + APR_HASH_KEY_STRING); + if ((j_registration_endpoint != NULL) + && (j_registration_endpoint->type == APR_JSON_STRING)) { + registration_url = j_registration_endpoint->value.string.p; + } + + if (oidc_metadata_client_get(r, cfg, issuer, registration_url, + j_client) == FALSE) + return FALSE; + + /* all OK */ + return TRUE; +} + +/* + * get a list of configured OIDC providers based on the entries in the provider metadata directory + */ +apr_byte_t oidc_metadata_list(request_rec *r, oidc_cfg *cfg, + apr_array_header_t **list) { + apr_status_t rc; + apr_dir_t *dir; + apr_finfo_t fi; + char s_err[128]; + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_metadata_list: entering"); + + /* open the metadata directory */ + if ((rc = apr_dir_open(&dir, cfg->metadata_dir, r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_list: error opening metadata directory '%s' (%s)", + cfg->metadata_dir, apr_strerror(rc, s_err, sizeof(s_err))); + return FALSE; + } + + /* allocate some space in the array that will hold the list of providers */ + *list = apr_array_make(r->pool, 5, sizeof(sizeof(const char*))); + /* BTW: we could estimate the number in the array based on # directory entries... */ + + /* loop over the entries in the provider metadata directory */ + while (apr_dir_read(&fi, APR_FINFO_NAME, dir) == APR_SUCCESS) { + + /* skip "." and ".." entries */ + if (fi.name[0] == '.') + continue; + /* skip other non-provider entries */ + char *ext = strrchr(fi.name, '.'); + if ((ext == NULL) + || (strcmp(++ext, OIDC_METADATA_SUFFIX_PROVIDER) != 0)) + continue; + + /* get the issuer from the filename */ + const char *issuer = oidc_metadata_filename_to_issuer(r, fi.name); + + /* pointer to the parsed JSON metadata for the provider */ + apr_json_value_t *j_provider = NULL; + /* pointer to the parsed JSON metadata for the client */ + apr_json_value_t *j_client = NULL; + + /* get the provider and client metadata, do all checks and registration if possible */ + if (oidc_metadata_get_provider_and_client(r, cfg, issuer, &j_provider, + &j_client) == FALSE) + continue; + + /* push the decoded issuer filename in to the array */ + *(const char**) apr_array_push(*list) = issuer; + } + + /* we're done, cleanup now */ + apr_dir_close(dir); + + return TRUE; +} + +/* + * find out what type of authentication we must provide to the token endpoint (we only support post or basic) + */ +static const char * oidc_metadata_token_endpoint_auth(request_rec *r, + apr_json_value_t *j_client, apr_json_value_t *j_provider) { + + const char *result = "client_secret_basic"; + + /* see if one is defined in the client metadata */ + apr_json_value_t *token_endpoint_auth_method = apr_hash_get( + j_client->value.object, "token_endpoint_auth_method", + APR_HASH_KEY_STRING); + if (token_endpoint_auth_method != NULL) { + if (token_endpoint_auth_method->type == APR_JSON_STRING) { + if (strcmp(token_endpoint_auth_method->value.string.p, + "client_secret_post") == 0) { + result = "client_secret_post"; + return result; + } + if (strcmp(token_endpoint_auth_method->value.string.p, + "client_secret_basic") == 0) { + result = "client_secret_basic"; + return result; + } + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_metadata_token_endpoint_auth: unsupported client auth method \"%s\" in client metadata for entry \"token_endpoint_auth_method\"", + token_endpoint_auth_method->value.string.p); + } else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_metadata_token_endpoint_auth: unexpected JSON object type [%d] (!= APR_JSON_STRING) in client metadata for entry \"token_endpoint_auth_method\"", + token_endpoint_auth_method->type); + } + } + + /* no supported value in the client metadata, find a supported one in the provider metadata */ + apr_json_value_t *j_token_endpoint_auth_methods_supported = apr_hash_get( + j_provider->value.object, "token_endpoint_auth_methods_supported", + APR_HASH_KEY_STRING); + + if ((j_token_endpoint_auth_methods_supported != NULL) + && (j_token_endpoint_auth_methods_supported->type == APR_JSON_ARRAY)) { + int i; + for (i = 0; + i < j_token_endpoint_auth_methods_supported->value.array->nelts; + i++) { + apr_json_value_t *elem = APR_ARRAY_IDX( + j_token_endpoint_auth_methods_supported->value.array, i, + apr_json_value_t *); + if (elem->type != APR_JSON_STRING) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_metadata_token_endpoint_auth: unhandled in-array JSON object type [%d] in provider metadata for entry \"token_endpoint_auth_methods_supported\"", + elem->type); + continue; + } + if (strcmp(elem->value.string.p, "client_secret_post") == 0) { + result = "client_secret_post"; + break; + } + if (strcmp(elem->value.string.p, "client_secret_basic") == 0) { + result = "client_secret_basic"; + break; + } + } + } + + return result; +} + +/* + * get the metadata for a specified issuer + * + * this fill the oidc_op_meta_t struct based on the issuer filename by reading and merging + * contents from both provider metadata directory and client metadata directory + */ +apr_byte_t oidc_metadata_get(request_rec *r, oidc_cfg *cfg, const char *issuer, + oidc_provider_t **result) { + + /* pointer to the parsed JSON metadata for the provider */ + apr_json_value_t *j_provider = NULL; + /* pointer to the parsed JSON metadata for the client */ + apr_json_value_t *j_client = NULL; + + /* get the provider and client metadata */ + if (oidc_metadata_get_provider_and_client(r, cfg, issuer, &j_provider, + &j_client) == FALSE) + return FALSE; + + /* allocate space for a parsed-and-merged metadata struct */ + *result = apr_pcalloc(r->pool, sizeof(oidc_provider_t)); + /* provide easy pointer */ + oidc_provider_t *provider = *result; + + // PROVIDER + + /* get the "issuer" from the provider metadata and double-check that it matches what we looked for */ + apr_json_value_t *j_issuer = apr_hash_get(j_provider->value.object, + "issuer", APR_HASH_KEY_STRING); + + /* get a handle to the authorization endpoint */ + apr_json_value_t *j_authorization_endpoint = apr_hash_get( + j_provider->value.object, "authorization_endpoint", + APR_HASH_KEY_STRING); + + /* get a handle to the token endpoint */ + apr_json_value_t *j_token_endpoint = apr_hash_get(j_provider->value.object, + "token_endpoint", APR_HASH_KEY_STRING); + + /* get a handle to the user_info endpoint */ + apr_json_value_t *j_userinfo_endpoint = apr_hash_get( + j_provider->value.object, "userinfo_endpoint", APR_HASH_KEY_STRING); + + /* get a handle to the jwks_uri endpoint */ + apr_json_value_t *j_jwks_uri = apr_hash_get(j_provider->value.object, + "jwks_uri", APR_HASH_KEY_STRING); + + /* get the flow to use, client defined takes priority over provider defined */ + const char *response_type = cfg->provider.response_type; + + /* this is an array as by spec but we'll default to the first element */ + apr_json_value_t *j_response_types = apr_hash_get(j_client->value.object, + "response_types", APR_HASH_KEY_STRING); + if ((j_response_types != NULL) + && (j_response_types->type == APR_JSON_ARRAY)) { + apr_json_value_t *j_response_type = APR_ARRAY_IDX( + j_response_types->value.array, 0, apr_json_value_t *); + if (j_response_type->type == APR_JSON_STRING) { + response_type = j_response_type->value.string.p; + } + } + + /* put whatever we've found out about the provider in (the provider part of) the metadata struct */ + provider->issuer = apr_pstrdup(r->pool, j_issuer->value.string.p); + provider->authorization_endpoint_url = apr_pstrdup(r->pool, + j_authorization_endpoint->value.string.p); + if (j_token_endpoint != NULL) + provider->token_endpoint_url = apr_pstrdup(r->pool, + j_token_endpoint->value.string.p); + provider->token_endpoint_auth = apr_pstrdup(r->pool, + oidc_metadata_token_endpoint_auth(r, j_client, j_provider)); + if (j_userinfo_endpoint != NULL) + provider->userinfo_endpoint_url = apr_pstrdup(r->pool, + j_userinfo_endpoint->value.string.p); + if (j_jwks_uri != NULL) + provider->jwks_uri = apr_pstrdup(r->pool, j_jwks_uri->value.string.p); + provider->response_type = apr_pstrdup(r->pool, response_type); + + // CLIENT + + /* get a handle to the client_id we need to use for this provider */ + apr_json_value_t *j_client_id = apr_hash_get(j_client->value.object, + "client_id", APR_HASH_KEY_STRING); + + /* get a handle to the client_secret we need to use for this provider */ + apr_json_value_t *j_client_secret = apr_hash_get(j_client->value.object, + "client_secret", APR_HASH_KEY_STRING); + + /* find out if we need to perform SSL server certificate validation on the token_endpoint and user_info_endpoint for this provider */ + int validate = cfg->provider.ssl_validate_server; + apr_json_value_t *j_ssl_validate_server = apr_hash_get( + j_client->value.object, "ssl_validate_server", APR_HASH_KEY_STRING); + if ((j_ssl_validate_server != NULL) + && (j_ssl_validate_server->type == APR_JSON_STRING) + && (strcmp(j_ssl_validate_server->value.string.p, "Off") == 0)) { + validate = 0; + } + + /* find out what scopes we should be requesting from this provider */ + // TODO: use the provider "scopes_supported" to mix-and-match with what we've configured for the client + // TODO: check that "openid" is always included in the configured scopes, right? + const char *scope = cfg->provider.scope; + apr_json_value_t *j_scope = apr_hash_get(j_client->value.object, "scope", + APR_HASH_KEY_STRING); + if ((j_scope != NULL) && (j_scope->type == APR_JSON_STRING)) { + scope = j_scope->value.string.p; + } + + /* see if we've got a custom JWKs refresh interval */ + int jwks_refresh_interval = cfg->provider.jwks_refresh_interval; + apr_json_value_t *j_jwks_refresh_interval = apr_hash_get(j_client->value.object, "jwks_refresh_interval", + APR_HASH_KEY_STRING); + if ((j_jwks_refresh_interval != NULL) && (j_jwks_refresh_interval->type == APR_JSON_LONG)) { + jwks_refresh_interval = j_jwks_refresh_interval->value.lnumber; + } + + /* see if we've got a custom IAT slack interval */ + int idtoken_iat_slack = cfg->provider.idtoken_iat_slack; + apr_json_value_t *j_idtoken_iat_slack = apr_hash_get(j_client->value.object, "idtoken_iat_slack", + APR_HASH_KEY_STRING); + if ((j_idtoken_iat_slack != NULL) && (j_idtoken_iat_slack->type == APR_JSON_LONG)) { + idtoken_iat_slack = j_idtoken_iat_slack->value.lnumber; + } + + /* put whatever we've found out about the provider in (the client part of) the metadata struct */ + provider->ssl_validate_server = validate; + provider->client_id = apr_pstrdup(r->pool, j_client_id->value.string.p); + provider->client_secret = apr_pstrdup(r->pool, + j_client_secret->value.string.p); + provider->scope = apr_pstrdup(r->pool, scope); + provider->jwks_refresh_interval = jwks_refresh_interval; + provider->idtoken_iat_slack = idtoken_iat_slack; + + return TRUE; +} + diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c new file mode 100644 index 00000000..6f8ee8cd --- /dev/null +++ b/src/mod_auth_openidc.c @@ -0,0 +1,1287 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Initially based on mod_auth_cas.c: + * https://github.com/Jasig/mod_auth_cas + * + * Other code copied/borrowed/adapted: + * JSON decoding: apr_json.h apr_json_decode.c: https://github.com/moriyoshi/apr-json/ + * AES crypto: http://saju.net.in/code/misc/openssl_aes.c.txt + * session handling: Apache 2.4 mod_session.c + * session handling backport: http://contribsoft.caixamagica.pt/browser/internals/2012/apachecc/trunk/mod_session-port/src/util_port_compat.c + * shared memory caching: mod_auth_mellon + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + * + **************************************************************************/ + +#include "apr_hash.h" +#include "apr_strings.h" +#include "ap_config.h" +#include "ap_provider.h" +#include "apr_lib.h" +#include "apr_file_io.h" +#include "apr_sha1.h" +#include "apr_base64.h" + +#include "httpd.h" +#include "http_core.h" +#include "http_config.h" +#include "http_log.h" +#include "http_protocol.h" +#include "http_request.h" + +#include "mod_auth_openidc.h" + +// TODO: rigid input checking on discovery responses and authorization responses + +// TODO: use oidc_get_current_url + configured RedirectURIPath to determine the RedirectURI more dynamically +// TODO: support more hybrid flows ("code id_token" (for MS), "code token" etc.) +// TODO: support PS??? and EC??? algorithms +// TODO: override more stuff (eg. client_name, id_token_signed_response_alg) using client metadata + +// TODO: do we always want to refresh keys when signature does not validate? (risking DOS attacks, or does the nonce help against that?) +// do we now still want to refresh jkws once per hour (it helps to reduce the number of failed verifications, at the cost of too-many-downloads overhead) +// refresh metadata once-per too? (for non-signing key changes) +// TODO: check the Apache 2.4 compilation/#defines + +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +/* + * clean any suspicious headers in the HTTP request sent by the user agent + */ +static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix, + const char *authn_header) { + + const int prefix_len = claim_prefix ? strlen(claim_prefix) : 0; + + /* get an array representation of the incoming HTTP headers */ + const apr_array_header_t * const h = apr_table_elts(r->headers_in); + + /* table to keep the non-suspicious headers */ + apr_table_t *clean_headers = apr_table_make(r->pool, h->nelts); + + /* loop over the incoming HTTP headers */ + const apr_table_entry_t * const e = (const apr_table_entry_t *) h->elts; + int i; + for (i = 0; i < h->nelts; i++) { + const char * const k = e[i].key; + + /* is this header's name equivalent to the header that mod_auth_openidc would set for the authenticated user? */ + const int authn_header_matches = (k != NULL) && authn_header + && (oidc_strnenvcmp(k, authn_header, -1) == 0); + + /* + * would this header be interpreted as a mod_auth_openidc attribute? Note + * that prefix_len will be zero if no attr_prefix is defined, + * so this will always be false. Also note that we do not + * scrub headers if the prefix is empty because every header + * would match. + */ + const int prefix_matches = (k != NULL) && prefix_len + && (oidc_strnenvcmp(k, claim_prefix, prefix_len) == 0); + + /* add to the clean_headers if non-suspicious, skip and report otherwise */ + if (!prefix_matches && !authn_header_matches) { + apr_table_addn(clean_headers, k, e[i].val); + } else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_scrub_request_headers: scrubbed suspicious request header (%s: %.32s)", + k, e[i].val); + } + } + + /* overwrite the incoming headers with the cleaned result */ + r->headers_in = clean_headers; +} + +/* + * calculates a hash value based on request fingerprint plus a provided state string. + */ +static char *oidc_get_browser_state_hash(request_rec *r, const char *state) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_get_browser_state_hash: entering"); + + /* helper to hold to header values */ + const char *value = NULL; + /* the hash context */ + apr_sha1_ctx_t sha1; + + /* Initialize the hash context */ + apr_sha1_init(&sha1); + + /* get the X_FORWARDED_FOR header value */ + value = (char *) apr_table_get(r->headers_in, "X_FORWARDED_FOR"); + /* if we have a value for this header, concat it to the hash input */ + if (value != NULL) + apr_sha1_update(&sha1, value, strlen(value)); + + /* get the USER_AGENT header value */ + value = (char *) apr_table_get(r->headers_in, "USER_AGENT"); + /* if we have a value for this header, concat it to the hash input */ + if (value != NULL) + apr_sha1_update(&sha1, value, strlen(value)); + + /* get the remote client IP address or host name */ + int remotehost_is_ip; + value = ap_get_remote_host(r->connection, r->per_dir_config, + REMOTE_NOLOOKUP, &remotehost_is_ip); + /* concat the remote IP address/hostname to the hash input */ + apr_sha1_update(&sha1, value, strlen(value)); + + /* concat the state parameter to the hash input */ + apr_sha1_update(&sha1, state, strlen(state)); + + /* finalize the hash input and calculate the resulting hash output */ + const int sha1_len = 20; + unsigned char hash[sha1_len]; + apr_sha1_final(hash, &sha1); + + /* base64 encode the resulting hash and return it */ + char *result = apr_palloc(r->pool, apr_base64_encode_len(sha1_len) + 1); + apr_base64_encode(result, (const char *) hash, sha1_len); + return result; +} + +/* + * see if the state that came back from the OP matches what we've stored in the cookie + */ +static int oidc_check_state(request_rec *r, oidc_cfg *c, const char *state, + char **original_url, char **issuer, char **nonce) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_check_state: entering"); + + /* get the state cookie value first */ + char *cookieValue = oidc_get_cookie(r, OIDCStateCookieName); + if (cookieValue == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_check_state: no \"%s\" state cookie found", + OIDCStateCookieName); + return FALSE; + } + + /* clear state cookie because we don't need it anymore */ + oidc_set_cookie(r, OIDCStateCookieName, ""); + + /* decrypt the state obtained from the cookie */ + char *svalue; + if (oidc_base64url_decode_decrypt_string(r, &svalue, cookieValue) <= 0) + return FALSE; + + /* context to iterate over the entries in the decrypted state cookie value */ + char *ctx = NULL; + + /* first get the base64-encoded random value */ + *nonce = apr_strtok(svalue, OIDCStateCookieSep, &ctx); + if (*nonce == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_check_state: no nonce element found in \"%s\" cookie (%s)", + OIDCStateCookieName, cookieValue); + return FALSE; + } + + /* calculate the hash of the browser fingerprint concatenated with the nonce */ + char *calc = oidc_get_browser_state_hash(r, *nonce); + + /* compare the calculated hash with the value provided in the authorization response */ + if (apr_strnatcmp(calc, state) != 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_check_state: calculated state from cookie does not match state parameter passed back in URL: \"%s\" != \"%s\"", + state, calc); + return FALSE; + } + + /* since we're OK, get the original URL as the next value in the decrypted cookie */ + *original_url = apr_strtok(NULL, OIDCStateCookieSep, &ctx); + if (*original_url == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_check_state: no separator (%s) found in \"%s\" cookie (%s)", + OIDCStateCookieSep, OIDCStateCookieName, cookieValue); + return FALSE; + } + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_check_state: \"original_url\" restored from cookie: %s", + *original_url); + + /* thirdly, get the issuer value stored in the cookie */ + *issuer = apr_strtok(NULL, OIDCStateCookieSep, &ctx); + if (*issuer == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_check_state: no second separator (%s) found in \"%s\" cookie (%s)", + OIDCStateCookieSep, OIDCStateCookieName, cookieValue); + return FALSE; + } + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_check_state: \"issuer\" restored from cookie: %s", *issuer); + + /* lastly, get the timestamp value stored in the cookie */ + char *timestamp = apr_strtok(NULL, OIDCStateCookieSep, &ctx); + if (timestamp == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_check_state: no third separator (%s) found in \"%s\" cookie (%s)", + OIDCStateCookieSep, OIDCStateCookieName, cookieValue); + return FALSE; + } + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_check_state: \"timestamp\" restored from cookie: %s", + timestamp); + + apr_time_t then; + if (sscanf(timestamp, "%" APR_TIME_T_FMT, &then) != 1) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_check_state: could not parse timestamp restored from state cookie (%s)", + timestamp); + return FALSE; + } + + apr_time_t now = apr_time_sec(apr_time_now()); + if (now > then + c->state_timeout) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_check_state: state has expired"); + return FALSE; + } + + /* we've made it */ + return TRUE; +} + +/* + * create a state parameter to be passed in an authorization request to an OP + * and set a cookie in the browser that is cryptographically bound to that + */ +static char *oidc_create_state_and_set_cookie(request_rec *r, const char *url, + const char *issuer, const char *nonce) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_create_state_and_set_cookie: entering"); + + char *cookieValue = NULL; + + /* + * create a cookie consisting of 4 elements: + * random value, original URL, issuer and timestamp separated by a defined separator + */ + apr_time_t now = apr_time_sec(apr_time_now()); + char *rvalue = apr_psprintf(r->pool, "%s%s%s%s%s%s%" APR_TIME_T_FMT "", + nonce, + OIDCStateCookieSep, url, OIDCStateCookieSep, issuer, + OIDCStateCookieSep, now); + + /* encrypt the resulting value and set it as a cookie */ + oidc_encrypt_base64url_encode_string(r, &cookieValue, rvalue); + oidc_set_cookie(r, OIDCStateCookieName, cookieValue); + + /* return a hash value that fingerprints the browser concatenated with the random input */ + return oidc_get_browser_state_hash(r, nonce); +} + +/* + * get the mod_auth_openidc related context from the (userdata in the) request + * (used for passing state between various Apache request processing stages and hook callbacks) + */ +static apr_table_t *oidc_request_state(request_rec *rr) { + + /* our state is always stored in the main request */ + request_rec *r = (rr->main != NULL) ? rr->main : rr; + + /* our state is a table, get it */ + apr_table_t *state = NULL; + apr_pool_userdata_get((void **) &state, OIDC_USERDATA_KEY, r->pool); + + /* if it does not exist, we'll create a new table */ + if (state == NULL) { + state = apr_table_make(r->pool, 5); + apr_pool_userdata_set(state, OIDC_USERDATA_KEY, NULL, r->pool); + } + + /* return the resulting table, always non-null now */ + return state; +} + +/* + * set a name/value pair in the mod_auth_openidc-specific request context + * (used for passing state between various Apache request processing stages and hook callbacks) + */ +void oidc_request_state_set(request_rec *r, const char *key, const char *value) { + + /* get a handle to the global state, which is a table */ + apr_table_t *state = oidc_request_state(r); + + /* put the name/value pair in that table */ + apr_table_setn(state, key, value); +} + +/* + * get a name/value pair from the mod_auth_openidc-specific request context + * (used for passing state between various Apache request processing stages and hook callbacks) + */ +const char*oidc_request_state_get(request_rec *r, const char *key) { + + /* get a handle to the global state, which is a table */ + apr_table_t *state = oidc_request_state(r); + + /* return the value from the table */ + return apr_table_get(state, key); +} + +/* + * set an HTTP header to pass information to the application + */ +static void oidc_set_app_header(request_rec *r, const char *s_key, + const char *s_value, const char *claim_prefix) { + + /* construct the header name, cq. put the prefix in front of a normalized key name */ + const char *s_name = apr_psprintf(r->pool, "%s%s", claim_prefix, + oidc_normalize_header_name(r, s_key)); + + /* do some logging about this event */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_set_app_header: setting header \"%s: %s\"", s_name, s_value); + + /* now set the actual header name/value */ + apr_table_set(r->headers_in, s_name, s_value); +} + +/* + * set the user/claims information from the session in HTTP headers passed on to the application + */ +static void oidc_set_app_headers(request_rec *r, + const apr_json_value_t *j_attrs, const char *authn_header, + const char *claim_prefix, const char *claim_delimiter) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_set_app_headers: entering"); + + apr_json_value_t *j_value = NULL; + apr_hash_index_t *hi = NULL; + const char *s_key = NULL; + + /* set the user authentication HTTP header if set and required */ + if ((r->user != NULL) && (authn_header != NULL)) + apr_table_set(r->headers_in, authn_header, r->user); + + /* if not attributes are set, nothing needs to be done */ + if (j_attrs == NULL) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_set_app_headers: no attributes to set (j_attrs=NULL)"); + return; + } + + /* loop over the claims in the JSON structure */ + for (hi = apr_hash_first(r->pool, j_attrs->value.object); hi; hi = + apr_hash_next(hi)) { + + /* get the next key/value entry */ + apr_hash_this(hi, (const void**) &s_key, NULL, (void**) &j_value); + + /* check if it is a single value string */ + if (j_value->type == APR_JSON_STRING) { + + /* set the single string in the application header whose name is based on the key and the prefix */ + oidc_set_app_header(r, s_key, j_value->value.string.p, + claim_prefix); + + } else if (j_value->type == APR_JSON_BOOLEAN) { + + /* set boolean value in the application header whose name is based on the key and the prefix */ + oidc_set_app_header(r, s_key, j_value->value.boolean ? "1" : "0", + claim_prefix); + + } else if (j_value->type == APR_JSON_LONG) { + + /* set long value in the application header whose name is based on the key and the prefix */ + oidc_set_app_header(r, s_key, + apr_psprintf(r->pool, "%ld", j_value->value.lnumber), + claim_prefix); + + } else if (j_value->type == APR_JSON_DOUBLE) { + + /* set float value in the application header whose name is based on the key and the prefix */ + oidc_set_app_header(r, s_key, + apr_psprintf(r->pool, "%lf", j_value->value.dnumber), + claim_prefix); + + /* check if it is a multi-value string */ + } else if (j_value->type == APR_JSON_ARRAY) { + + /* some logging about what we're going to do */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_set_app_headers: parsing attribute array for key \"%s\" (#nr-of-elems: %d)", + s_key, j_value->value.array->nelts); + + /* string to hold the concatenated array string values */ + char *s_concat = apr_pstrdup(r->pool, ""); + int i = 0; + + /* loop over the array */ + for (i = 0; i < j_value->value.array->nelts; i++) { + + /* get the current element */ + apr_json_value_t *elem = APR_ARRAY_IDX(j_value->value.array, i, + apr_json_value_t *); + + /* check if it is a string */ + if (elem->type == APR_JSON_STRING) { + + /* concatenate the string to the s_concat value using the configured separator char */ + // TODO: escape the delimiter in the values (maybe reuse/extract url-formatted code from oidc_session_identity_encode) + if (apr_strnatcmp(s_concat, "") != 0) { + s_concat = apr_psprintf(r->pool, "%s%s%s", s_concat, + claim_delimiter, elem->value.string.p); + } else { + s_concat = apr_psprintf(r->pool, "%s", + elem->value.string.p); + } + + } else if (elem->type == APR_JSON_BOOLEAN) { + + if (apr_strnatcmp(s_concat, "") != 0) { + s_concat = apr_psprintf(r->pool, "%s%s%s", s_concat, + claim_delimiter, + j_value->value.boolean ? "1" : "0"); + } else { + s_concat = apr_psprintf(r->pool, "%s", + j_value->value.boolean ? "1" : "0"); + } + + } else { + + /* don't know how to handle a non-string array element */ + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_set_app_headers: unhandled in-array JSON object type [%d] for key \"%s\" when parsing claims array elements", + elem->type, s_key); + } + } + + /* set the concatenated string */ + oidc_set_app_header(r, s_key, s_concat, claim_prefix); + + } else { + + /* no string and no array, so unclear how to handle this */ + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_set_app_headers: unhandled JSON object type [%d] for key \"%s\" when parsing claims", + j_value->type, s_key); + } + } +} + +/* + * handle the case where we have identified an existing authentication session for a user + */ +static int oidc_handle_existing_session(request_rec *r, + const oidc_cfg * const cfg, session_rec *session) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_handle_existing_session: entering"); + + const char *s_attrs = NULL; + apr_json_value_t *j_attrs = NULL; + + /* get a handle to the director config */ + oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, + &auth_openidc_module); + + /* + * we're going to pass the information that we have to the application, + * but first we need to scrub the headers that we're going to use for security reasons + */ + if (cfg->scrub_request_headers != 0) { + oidc_scrub_request_headers(r, cfg->claim_prefix, dir_cfg->authn_header); + } + + /* get the string-encoded attributes from the session */ + oidc_session_get(r, session, OIDC_CLAIMS_SESSION_KEY, &s_attrs); + + /* decode the string-encoded attributes in to a JSON structure */ + if ((s_attrs != NULL) + && (apr_json_decode(&j_attrs, s_attrs, strlen(s_attrs), r->pool) + != APR_SUCCESS)) { + + /* whoops, attributes have been corrupted */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_handle_existing_session: unable to parse string-encoded claims stored in the session, returning internal server error"); + + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* pass the user/claims in the session to the application by setting the appropriate headers */ + // TODO: combine already resolved attrs from id_token with those from user_info endpoint + oidc_set_app_headers(r, j_attrs, dir_cfg->authn_header, cfg->claim_prefix, + cfg->claim_delimiter); + + /* set the attributes JSON structure in the request state so it is available for authz purposes later on */ + oidc_request_state_set(r, OIDC_CLAIMS_SESSION_KEY, (const char *) j_attrs); + + /* return "user authenticated" status */ + return OK; +} + +/* + * helper function for basic/implicit client flows upon receiving an authorization response: + * check that it matches the state stored in the browser and return the variables associated + * with the state, such as original_url and OP oidc_provider_t pointer. + */ +static apr_byte_t oidc_authorization_response_match_state(request_rec *r, + oidc_cfg *c, const char *state, char **original_url, + struct oidc_provider_t **provider, char **nonce) { + char *issuer = NULL; + + /* check the state parameter against what we stored in a cookie */ + if (oidc_check_state(r, c, state, original_url, &issuer, nonce) == FALSE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_authorization_response_match_state: unable to restore state"); + return FALSE; + } + + /* by default we'll assume that we're dealing with a single statically configured OP */ + *provider = &c->provider; + + /* unless a metadata directory was configured, so we'll try and get the provider settings from there */ + if (c->metadata_dir != NULL) { + + /* try and get metadata from the metadata directory for the OP that sent this response */ + if ((oidc_metadata_get(r, c, issuer, provider) == FALSE) + || (provider == NULL)) { + + // something went wrong here between sending the request and receiving the response + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_authorization_response_match_state: no provider metadata found for provider \"%s\"", + issuer); + return FALSE; + } + } + + return TRUE; +} + +/* + * helper function for basic/implicit client flows: + * complete the handling of an authorization response by storing the + * authenticated user state in the session + */ +static int oidc_authorization_response_finalize(request_rec *r, oidc_cfg *c, + session_rec *session, const char *id_token, const char *claims, + char *remoteUser, apr_time_t expires, const char *original_url) { + + /* set the resolved stuff in the session */ + session->remote_user = remoteUser; + + /* expires is the value from the id_token */ + session->expiry = expires; + + /* store the whole contents of the id_token for later reference too */ + oidc_session_set(r, session, OIDC_IDTOKEN_SESSION_KEY, id_token); + + /* see if we've resolved any claims */ + if (claims != NULL) { + /* + * Successfully decoded a set claims from the response so we can store them + * (well actually the stringified representation in the response) + * in the session context safely now + */ + oidc_session_set(r, session, OIDC_CLAIMS_SESSION_KEY, claims); + } + + /* store the session */ + oidc_session_save(r, session); + + /* not sure whether this is required, but it won't hurt */ + r->user = remoteUser; + + /* now we've authenticated the user so go back to the URL that he originally tried to access */ + apr_table_add(r->headers_out, "Location", original_url); + + /* log the successful response */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_authorization_response_finalize: session created and stored, redirecting to original url: %s", + original_url); + + /* do the actual redirect to the original URL */ + return HTTP_MOVED_TEMPORARILY; +} + +/* + * handle an OpenID Connect Authorization Response using the Basic Client profile from the OP + */ +static int oidc_handle_basic_authorization_response(request_rec *r, oidc_cfg *c, + session_rec *session) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_handle_basic_authorization_response: entering"); + + /* initialize local variables */ + char *code = NULL, *state = NULL; + + /* by now we're pretty sure the code & state parameters exist */ + oidc_util_get_request_parameter(r, "code", &code); + oidc_util_get_request_parameter(r, "state", &state); + + /* match the returned state parameter against the state stored in the browser */ + struct oidc_provider_t *provider = NULL; + char *original_url = NULL; + char *nonce = NULL; + if (oidc_authorization_response_match_state(r, c, state, &original_url, + &provider, &nonce) == FALSE) + return HTTP_INTERNAL_SERVER_ERROR; + + /* now we've got the metadata for the provider that sent the response to us */ + char *id_token = NULL, *access_token = NULL; + const char *response = NULL; + char *remoteUser = NULL; + apr_time_t expires; + apr_json_value_t *j_idtoken_payload = NULL; + + /* + * resolve the code against the token endpoint of the OP + * TODO: now I'm setting the nonce to NULL since google does not allow using a nonce in the "code" flow... + */ + nonce = NULL; + if (oidc_proto_resolve_code(r, c, provider, code, nonce, &remoteUser, + &j_idtoken_payload, &id_token, &access_token, &expires) == FALSE) { + /* errors have already been reported */ + return HTTP_UNAUTHORIZED; + } + + /* + * optionally resolve additional claims against the userinfo endpoint + * parsed claims are not actually used here but need to be parsed anyway for error checking purposes + */ + apr_json_value_t *claims = NULL; + if (oidc_proto_resolve_userinfo(r, c, provider, access_token, &response, + &claims) == FALSE) { + response = NULL; + } + + /* complete handling of the response by storing stuff in the session and redirecting to the original URL */ + return oidc_authorization_response_finalize(r, c, session, id_token, + response, remoteUser, expires, original_url); +} + +/* + * handle an OpenID Connect Authorization Response using the Implicit Client profile from the OP + */ +static int oidc_handle_implicit_authorization_response(request_rec *r, + oidc_cfg *c, session_rec *session, const char *state, + const char *id_token, const char *access_token, const char *token_type) { + + /* log what we've received */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_handle_implicit_authorization_response: state = \"%s\", id_token= \"%s\", access_token=\"%s\", token_type=\"%s\"", + state, id_token, access_token, token_type); + + /* match the returned state parameter against the state stored in the browser */ + struct oidc_provider_t *provider = NULL; + char *original_url = NULL; + char *nonce = NULL; + if (oidc_authorization_response_match_state(r, c, state, &original_url, + &provider, &nonce) == FALSE) + return HTTP_INTERNAL_SERVER_ERROR; + + /* initialize local variables for the id_token contents */ + char *remoteUser = NULL; + apr_json_value_t *j_idtoken_payload = NULL; + apr_time_t expires; + char *s_idtoken_payload = NULL; + + /* parse and validate the id_token */ + if (oidc_proto_parse_idtoken(r, c, provider, id_token, nonce, &remoteUser, + &j_idtoken_payload, &s_idtoken_payload, &expires) != TRUE) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_handle_implicit_authorization_response: could not verify the id_token contents, return HTTP_UNAUTHORIZED"); + return HTTP_UNAUTHORIZED; + } + + // TODO: all id_token stuff in/as claims, should probably filter...? + + const char *s_claims = s_idtoken_payload; + + /* strip empty parameters (eg. connect.openid4.us on response on "id_token" flow) */ + if ((access_token != NULL) && (strcmp(access_token, "") == 0)) + access_token = NULL; + + /* assert that the token_type is Bearer before using it */ + if ((token_type != NULL) && (strcmp(token_type, "") != 0)) { + if (apr_strnatcasecmp(token_type, "Bearer") != 0) { + ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + "oidc_handle_implicit_authorization_response: dropping unsupported (cq. non \"Bearer\") token_type: \"%s\"", + token_type); + access_token = NULL; + } + } + + /* + * if we (still) have an access_token, let's use to resolve claims from the user_info endpoint + * we don't do anything with the optional expires_in, since we don't cache the access_token or re-use + * it in any way after this initial call that should happen right after issuing the access_token + * (and it is optional anyway) + */ + if (access_token != NULL) { + + /* parsed claims are not actually used here but need to be parsed anyway for error checking purposes */ + apr_json_value_t *claims = NULL; + if (oidc_proto_resolve_userinfo(r, c, provider, access_token, &s_claims, + &claims) == FALSE) { + s_claims = NULL; + } + } + + /* complete handling of the response by storing stuff in the session and redirecting to the original URL */ + return oidc_authorization_response_finalize(r, c, session, id_token, + s_claims, remoteUser, expires, original_url); +} + +/* + * handle an OpenID Connect Authorization Response using the fragment(+POST) response_mode with the Implicit Client profile from the OP + */ +static int oidc_handle_implicit_post(request_rec *r, oidc_cfg *c, + session_rec *session) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_handle_implicit_post: entering"); + + /* read the parameters that are POST-ed to us */ + apr_table_t *params = apr_table_make(r->pool, 8); + if (oidc_util_read_post(r, params) == FALSE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_handle_implicit_post: something went wrong when reading the POST parameters"); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* see if we've got any POST-ed data at all */ + if (apr_is_empty_table(params)) { + return oidc_util_http_sendstring(r, + apr_psprintf(r->pool, + "mod_auth_openidc: you've hit an OpenID Connect callback URL with no parameters; this is an invalid request (you should not open this URL in your browser directly)"), + HTTP_INTERNAL_SERVER_ERROR); + } + + /* see if the response is an error response */ + char *error = (char *) apr_table_get(params, "error"); + char *error_description = (char *) apr_table_get(params, + "error_description"); + if (error != NULL) + return oidc_util_html_send_error(r, error, error_description, OK); + + /* get the state */ + char *state = (char *) apr_table_get(params, "state"); + if (state == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_handle_implicit_post: no state parameter found in the POST, returning internal server error"); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* get the id_token */ + char *id_token = (char *) apr_table_get(params, "id_token"); + if (id_token == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_handle_implicit_post: no id_token parameter found in the POST, returning internal server error"); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* get the (optional) access_token */ + char *access_token = (char *) apr_table_get(params, "access_token"); + + /* get the (optional) token_type */ + char *token_type = (char *) apr_table_get(params, "token_type"); + + /* do the actual implicit work */ + return oidc_handle_implicit_authorization_response(r, c, session, state, + id_token, access_token, token_type); +} + +/* + * handle an OpenID Connect Authorization Response using the redirect response_mode with the Implicit Client profile from the OP + */ +static int oidc_handle_implicit_redirect(request_rec *r, oidc_cfg *c, + session_rec *session) { + + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_handle_implicit_redirect: handling non-spec-compliant authorization response since the default response_mode when using the Implicit Client flow must be \"fragment\""); + + /* initialize local variables */ + char *state = NULL, *id_token = NULL, *access_token = NULL, *token_type = + NULL; + + /* by now we're pretty sure the state & id_token parameters exist */ + oidc_util_get_request_parameter(r, "state", &state); + oidc_util_get_request_parameter(r, "id_token", &id_token); + oidc_util_get_request_parameter(r, "access_token", &access_token); + oidc_util_get_request_parameter(r, "token_type", &token_type); + + /* do the actual implicit work */ + return oidc_handle_implicit_authorization_response(r, c, session, state, + id_token, access_token, token_type); +} + +/* + * present the user with an OP selection screen + */ +static int oidc_discovery(request_rec *r, oidc_cfg *cfg) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_discovery: entering"); + + /* obtain the URL we're currently accessing, to be stored in the state/session */ + char *current_url = oidc_get_current_url(r, cfg); + + /* see if there's an external discovery page configured */ + if (cfg->discover_url != NULL) { + + /* yes, assemble the parameters for external discovery */ + char *url = apr_psprintf(r->pool, "%s%s%s=%s&%s=%s", cfg->discover_url, + strchr(cfg->discover_url, '?') != NULL ? "&" : "?", + OIDC_DISC_RT_PARAM, oidc_util_escape_string(r, current_url), + OIDC_DISC_CB_PARAM, + oidc_util_escape_string(r, cfg->redirect_uri)); + + /* log what we're about to do */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_discovery: redirecting to external discovery page: %s", + url); + + /* do the actual redirect to an external discovery page */ + apr_table_add(r->headers_out, "Location", url); + return HTTP_MOVED_TEMPORARILY; + } + + /* get a list of all providers configured in the metadata directory */ + apr_array_header_t *arr = NULL; + if (oidc_metadata_list(r, cfg, &arr) == FALSE) + return oidc_util_http_sendstring(r, + "mod_auth_openidc: no configured providers found, contact your administrator", + HTTP_UNAUTHORIZED); + + /* assemble a where-are-you-from IDP discovery HTML page */ + // TODO: yes, we could use some templating here... + const char *s = + "" + "\n" + " \n" + " \n" + " OpenID Connect Provider Discovery\n" + " \n" + " \n" + "
\n" + "

Select your OpenID Connect Identity Provider

\n"; + + /* list all configured providers in there */ + int i; + for (i = 0; i < arr->nelts; i++) { + const char *issuer = ((const char**) arr->elts)[i]; + // TODO: html escape (especially & character) + + char *display = + (strstr(issuer, "https://") == NULL) ? + apr_pstrdup(r->pool, issuer) : + apr_pstrdup(r->pool, issuer + strlen("https://")); + + /* strip port number */ + //char *p = strstr(display, ":"); + //if (p != NULL) *p = '\0'; + /* point back to the redirect_uri, where the selection is handled, with an IDP selection and return_to URL */ + s = apr_psprintf(r->pool, + "%s

%s

\n", s, + cfg->redirect_uri, OIDC_DISC_OP_PARAM, + oidc_util_escape_string(r, issuer), OIDC_DISC_RT_PARAM, + oidc_util_escape_string(r, current_url), display); + } + + /* add an option to enter an account or issuer name for dynamic OP discovery */ + s = apr_psprintf(r->pool, "%s
\n", s, + cfg->redirect_uri); + s = apr_psprintf(r->pool, + "%s
\n", s, + OIDC_DISC_RT_PARAM, current_url); + s = + apr_psprintf(r->pool, + "%sOr enter your account name (eg. \"mike@seed.gluu.org\", or an IDP identifier (eg. \"mitreid.org\"):
\n", + s); + s = apr_psprintf(r->pool, + "%s

\n", s, + OIDC_DISC_OP_PARAM, ""); + s = apr_psprintf(r->pool, "%s\n", + s); + s = apr_psprintf(r->pool, "%s
\n", s); + + /* footer */ + s = apr_psprintf(r->pool, "%s" + "
\n" + " \n" + "\n", s); + + /* now send the HTML contents to the user agent */ + return oidc_util_http_sendstring(r, s, HTTP_UNAUTHORIZED); +} + +/* + * authenticate the user to the selected OP, if the OP is not selected yet perform discovery first + */ +static int oidc_authenticate_user(request_rec *r, oidc_cfg *c, + oidc_provider_t *provider, const char *original_url) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_authenticate_user: entering"); + + if (provider == NULL) { + + // TODO: should we use an explicit redirect to the discovery endpoint (maybe a "discovery" param to the redirect_uri)? + if (c->metadata_dir != NULL) + return oidc_discovery(r, c); + + /* we're not using multiple OP's configured in a metadata directory, pick the statically configured OP */ + provider = &c->provider; + } + + char *nonce = NULL; + oidc_util_generate_random_base64url_encoded_value(r, 32, &nonce); + + /* create state that restores the context when the authorization response comes in; cryptographically bind it to the browser */ + const char *state = oidc_create_state_and_set_cookie(r, original_url, + provider->issuer, nonce); + + // TODO: maybe show intermediate/progress screen "redirecting to" + + /* send off to the OpenID Connect Provider */ + return oidc_proto_authorization_request(r, provider, c->redirect_uri, state, + original_url, nonce); +} + +/* + * find out whether the request is a response from an IDP discovery page + */ +static apr_byte_t oidc_is_discovery_response(request_rec *r, oidc_cfg *cfg) { + /* + * see if this is a call to the configured redirect_uri and + * the OIDC_RT_PARAM_NAME parameter is present and + * the OIDC_DISC_ACCT_PARAM or OIDC_DISC_OP_PARAM is present + */ + return ((oidc_util_request_matches_url(r, cfg->redirect_uri) == TRUE) + && oidc_util_request_has_parameter(r, OIDC_DISC_RT_PARAM) + && (oidc_util_request_has_parameter(r, OIDC_DISC_OP_PARAM))); +} + +/* + * handle a response from an IDP discovery page + */ +static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) { + + /* variables to hold the values (original_url+issuer or original_url+acct) returned in the response */ + char *issuer = NULL, *original_url = NULL; + oidc_provider_t *provider = NULL; + + oidc_util_get_request_parameter(r, OIDC_DISC_OP_PARAM, &issuer); + oidc_util_get_request_parameter(r, OIDC_DISC_RT_PARAM, &original_url); + + // TODO: trim issuer/accountname/domain input and do more input validation + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_handle_discovery_response: issuer=\"%s\", original_url=\"%s\"", + issuer, original_url); + + if ((issuer == NULL) || (original_url == NULL)) { + return oidc_util_http_sendstring(r, + "mod_auth_openidc: wherever you came from, it sent you here with the wrong parameters...", + HTTP_INTERNAL_SERVER_ERROR); + } + + /* find out if the user entered an account name or selected an OP manually */ + if (strstr(issuer, "@") != NULL) { + + /* got an account name as input, perform OP discovery with that */ + if (oidc_proto_account_based_discovery(r, c, issuer, &issuer) == FALSE) { + + /* something did not work out, show a user facing error */ + return oidc_util_http_sendstring(r, + "mod_auth_openidc: could not resolve the provided account name to an OpenID Connect provider; check your syntax", + HTTP_NOT_FOUND); + } + + /* issuer is set now, so let's continue as planned */ + + } else if (strcmp(issuer, "accounts.google.com") != 0) { + + /* allow issuer/domain entries that don't start with https */ + issuer = apr_psprintf(r->pool, "%s", + ((strstr(issuer, "http://") == issuer) + || (strstr(issuer, "https://") == issuer)) ? + issuer : apr_psprintf(r->pool, "https://%s", issuer)); + } + + /* strip trailing '/' */ + int n = strlen(issuer); + if (issuer[n - 1] == '/') + issuer[n - 1] = '\0'; + + /* try and get metadata from the metadata directories for the selected OP */ + if ((oidc_metadata_get(r, c, issuer, &provider) == TRUE) + && (provider != NULL)) { + + /* now we've got a selected OP, send the user there to authenticate */ + return oidc_authenticate_user(r, c, provider, original_url); + } + + /* something went wrong */ + return oidc_util_http_sendstring(r, + "mod_auth_openidc: could not find valid provider metadata for the selected OpenID Connect provider; contact the administrator", + HTTP_NOT_FOUND); +} + +/* + * handle "all other" requests to the redirect_uri + */ +int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c) { + if (r->args == NULL) + /* this is a "bare" request to the redirect URI, indicating implicit flow using the fragment response_mode */ + return oidc_proto_javascript_implicit(r, c); + + /* TODO: check for "error" response */ + if (oidc_util_request_has_parameter(r, "error")) { + + char *error = NULL, *descr = NULL; + oidc_util_get_request_parameter(r, "error", &error); + oidc_util_get_request_parameter(r, "error_description", &descr); + + return oidc_util_html_send_error(r, error, descr, OK); + } + + /* something went wrong */ + return oidc_util_http_sendstring(r, + apr_psprintf(r->pool, + "mod_auth_openidc: the OpenID Connect callback URL received an invalid request: %s", + r->args), HTTP_INTERNAL_SERVER_ERROR); +} + +/* + * kill session + */ +int oidc_handle_logout(request_rec *r, session_rec *session) { + char *url = NULL; + + /* if there's no remote_user then there's no (stored) session to kill */ + if (session->remote_user != NULL) { + + /* remove session state (cq. cache entry and cookie) */ + oidc_session_kill(r, session); + } + + /* pickup the URL where the user wants to go after logout */ + oidc_util_get_request_parameter(r, "logout", &url); + + /* send him there */ + apr_table_add(r->headers_out, "Location", url); + return HTTP_MOVED_TEMPORARILY; +} + +/* + * main routine: handle OpenID Connect authentication + */ +static int oidc_check_userid_openid_openidc(request_rec *r, oidc_cfg *c) { + + /* check if this is a sub-request or an initial request */ + if (ap_is_initial_req(r)) { + + /* load the session from the request state; this will be a new "empty" session if no state exists */ + session_rec *session = NULL; + oidc_session_load(r, &session); + + /* see if this is a logout trigger */ + if ((oidc_util_request_matches_url(r, c->redirect_uri) == TRUE) + && (oidc_util_request_has_parameter(r, "logout") == TRUE)) { + + /* handle logout */ + return oidc_handle_logout(r, session); + } + + /* initial request, first check if we have an existing session */ + if (session->remote_user != NULL) { + + /* set the user in the main request for further (incl. sub-request) processing */ + r->user = (char *) session->remote_user; + + /* this is initial request and we already have a session */ + return oidc_handle_existing_session(r, c, session); + + } else if (oidc_is_discovery_response(r, c)) { + + /* this is response from the OP discovery page */ + return oidc_handle_discovery_response(r, c); + + } else if (oidc_proto_is_basic_authorization_response(r, c)) { + + /* this is an authorization response from the OP using the Basic Client profile */ + return oidc_handle_basic_authorization_response(r, c, session); + + } else if (oidc_proto_is_implicit_post(r, c)) { + + /* this is an authorization response using the fragment(+POST) response_mode with the Implicit Client profile */ + return oidc_handle_implicit_post(r, c, session); + + } else if (oidc_proto_is_implicit_redirect(r, c)) { + + /* this is an authorization response using the redirect response_mode with the Implicit Client profile */ + return oidc_handle_implicit_redirect(r, c, session); + + } else if (oidc_util_request_matches_url(r, c->redirect_uri) == TRUE) { + + /* some other request to the redirect_uri */ + return oidc_handle_redirect_uri_request(r, c); + } + /* + * else: initial request, we have no session and it is not an authorization or + * discovery response: just hit the default flow for unauthenticated users + */ + } else { + + /* not an initial request, try to recycle what we've already established in the main request */ + if (r->main != NULL) + r->user = r->main->user; + else if (r->prev != NULL) + r->user = r->prev->user; + + if (r->user != NULL) { + + /* this is a sub-request and we have a session (headers will have been scrubbed and set already) */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_check_userid_openid_openidc: recycling user '%s' from initial request for sub-request", + r->user); + + return OK; + } + /* + * else: not initial request, but we could not find a session, so: + * just hit the default flow for unauthenticated users + */ + } + + /* no session (regardless of whether it is main or sub-request), go and authenticate the user */ + return oidc_authenticate_user(r, c, NULL, oidc_get_current_url(r, c)); +} + +/* + * generic Apache authentication hook for this module: dispatches to OpenID Connect or OAuth 2.0 specific routines + */ +int oidc_check_user_id(request_rec *r) { + + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); + + /* log some stuff about the incoming HTTP request */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_check_user_id: incoming request: \"%s?%s\", ap_is_initial_req(r)=%d", + r->parsed_uri.path, r->args, ap_is_initial_req(r)); + + /* see if any authentication has been defined at all */ + if (ap_auth_type(r) == NULL) + return DECLINED; + + /* see if we've configured OpenID Connect user authentication for this request */ + if (apr_strnatcasecmp((const char *) ap_auth_type(r), "openid-connect") + == 0) + return oidc_check_userid_openid_openidc(r, c); + + /* see if we've configured OAuth 2.0 access control for this request */ + if (apr_strnatcasecmp((const char *) ap_auth_type(r), "oauth20") == 0) + return oidc_oauth_check_userid(r, c); + + /* this is not for us but for some other handler */ + return DECLINED; +} + +#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714 +/* + * generic Apache >=2.4 authorization hook for this module + * handles both OpenID Connect or OAuth 2.0 in the same way, based on the claims stored in the session + */ +authz_status oidc_authz_checker(request_rec *r, const char *require_args, const void *parsed_require_args) { + + /* get the set of claims from the request state (they've been set in the authentication part earlier */ + apr_json_value_t *attrs = (apr_json_value_t *)oidc_request_state_get(r, OIDC_CLAIMS_SESSION_KEY); + + /* dispatch to the >=2.4 specific authz routine */ + return oidc_authz_worker24(r, attrs, require_args); +} +#else +/* + * generic Apache <2.4 authorization hook for this module + * handles both OpenID Connect and OAuth 2.0 in the same way, based on the claims stored in the request context + */ +int oidc_auth_checker(request_rec *r) { + + /* get the set of claims from the request state (they've been set in the authentication part earlier) */ + apr_json_value_t *attrs = (apr_json_value_t *) oidc_request_state_get(r, + OIDC_CLAIMS_SESSION_KEY); + + /* get the Require statements */ + const apr_array_header_t * const reqs_arr = ap_requires(r); + + /* see if we have any */ + const require_line * const reqs = + reqs_arr ? (require_line *) reqs_arr->elts : NULL; + if (!reqs_arr) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "No require statements found, " + "so declining to perform authorization."); + return DECLINED; + } + + /* dispatch to the <2.4 specific authz routine */ + return oidc_authz_worker(r, attrs, reqs, reqs_arr->nelts); +} +#endif + +extern const command_rec oidc_config_cmds[]; + +module AP_MODULE_DECLARE_DATA auth_openidc_module = { + STANDARD20_MODULE_STUFF, + oidc_create_dir_config, + oidc_merge_dir_config, + oidc_create_server_config, + oidc_merge_server_config, + oidc_config_cmds, + oidc_register_hooks +}; diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h new file mode 100644 index 00000000..0af7a457 --- /dev/null +++ b/src/mod_auth_openidc.h @@ -0,0 +1,316 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#ifndef MOD_AUTH_CONNECT_H_ +#define MOD_AUTH_CONNECT_H_ + +#include +#include +#include +#include +#include +#include +#include + +#include "apr_memcache.h" +#include "apr_shm.h" +#include "apr_global_mutex.h" + +#include "apr_json.h" + +#include "cache/cache.h" + +#ifndef OIDC_DEBUG +#define OIDC_DEBUG APLOG_DEBUG +#endif + +/* key for storing the claims in the session context */ +#define OIDC_CLAIMS_SESSION_KEY "claims" +/* key for storing the id_token in the session context */ +#define OIDC_IDTOKEN_SESSION_KEY "id_token" + +/* parameter name of the callback URL in the discovery response */ +#define OIDC_DISC_CB_PARAM "oidc_callback" +/* parameter name of the OP provider selection in the discovery response */ +#define OIDC_DISC_OP_PARAM "oidc_provider" +/* parameter name of the original URL in the discovery response */ +#define OIDC_DISC_RT_PARAM "oidc_return" + +/* value that indicates to use cache-file based session tracking */ +#define OIDC_SESSION_TYPE_22_CACHE_FILE 0 +/* value that indicates to use cookie based session tracking */ +#define OIDC_SESSION_TYPE_22_COOKIE 1 + +/* name of the cookie that binds the state in the authorization request/response to the browser */ +#define OIDCStateCookieName "mod_auth_openidc_state" +/* separator used to distinguish different values in the state cookie */ +#define OIDCStateCookieSep " " + +/* the (global) key for the mod_auth_openidc related state that is stored in the request userdata context */ +#define OIDC_USERDATA_KEY "mod_auth_openidc_state" + +/* use for plain GET in HTTP calls to endpoints */ +#define OIDC_HTTP_GET 0 +/* use for url-form-encoded HTTP POST calls to endpoints */ +#define OIDC_HTTP_POST_FORM 1 +/* use for JSON encoded POST calls to endpoints */ +#define OIDC_HTTP_POST_JSON 2 + +/* input filter hook name */ +#define OIDC_UTIL_HTTP_SENDSTRING "OIDC_UTIL_HTTP_SENDSTRING" + +typedef struct oidc_provider_t { + char *issuer; + char *authorization_endpoint_url; + char *token_endpoint_url; + char *token_endpoint_auth; + char *userinfo_endpoint_url; + char *jwks_uri; + char *client_id; + char *client_secret; + + // the next ones function as global default settings too + int ssl_validate_server; + char *client_name; + char *client_contact; + char *scope; + char *response_type; + int jwks_refresh_interval; + int idtoken_iat_slack; +} oidc_provider_t ; + +typedef struct oidc_oauth_t { + int ssl_validate_server; + char *client_id; + char *client_secret; + char *validate_endpoint_url; + char *validate_endpoint_auth; +} oidc_oauth_t; + +typedef struct oidc_cfg { + /* indicates whether this is a derived config, merged from a base one */ + unsigned int merged; + + /* the redirect URI as configured with the OpenID Connect OP's that we talk to */ + char *redirect_uri; + /* (optional) external OP discovery page */ + char *discover_url; + /* (optional) the signing algorithm the OP should use (used in dynamic client registration only) */ + char *id_token_alg; + + /* a pointer to the (single) provider that we connect to */ + /* NB: if metadata_dir is set, these settings will function as defaults for the metadata read from there) */ + oidc_provider_t provider; + /* a pointer to the oauth server settings */ + oidc_oauth_t oauth; + + /* directory that holds the provider & client metadata files */ + char *metadata_dir; + /* type of session management/storage */ + int session_type; + + /* pointer to cache functions */ + oidc_cache_t *cache; + void *cache_cfg; + /* cache_type = file: directory that holds the cache files (if not set, we'll try and use an OS defined one like "/tmp" */ + char *cache_file_dir; + /* cache_type = file: clean interval */ + int cache_file_clean_interval; + /* cache_type= memcache: list of memcache host/port servers to use */ + char *cache_memcache_servers; + /* cache_type = shm: size of the shared memory segment (cq. max number of cached entries) */ + int cache_shm_size_max; + + /* tell the module to strip any mod_auth_openidc related headers that already have been set by the user-agent, normally required for secure operation */ + int scrub_request_headers; + + int http_timeout_long; + int http_timeout_short; + int state_timeout; + + char *cookie_domain; + char *claim_delimiter; + char *claim_prefix; + + char *crypto_passphrase; + + EVP_CIPHER_CTX *encrypt_ctx; + EVP_CIPHER_CTX *decrypt_ctx; +} oidc_cfg; + +typedef struct oidc_dir_cfg { + char *cookie_path; + char *cookie; + char *authn_header; +} oidc_dir_cfg; + +int oidc_check_user_id(request_rec *r); +#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714 +authz_status oidc_authz_checker(request_rec *r, const char *require_args, const void *parsed_require_args); +#else +int oidc_auth_checker(request_rec *r); +#endif +void oidc_request_state_set(request_rec *r, const char *key, const char *value); +const char*oidc_request_state_get(request_rec *r, const char *key); + +// oidc_oauth +int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c); + +// oidc_proto.c +int oidc_proto_authorization_request(request_rec *r, struct oidc_provider_t *provider, const char *redirect_uri, const char *state, const char *original_url, const char *nonce); +apr_byte_t oidc_proto_is_basic_authorization_response(request_rec *r, oidc_cfg *cfg); +apr_byte_t oidc_proto_is_implicit_post(request_rec *r, oidc_cfg *cfg); +apr_byte_t oidc_proto_is_implicit_redirect(request_rec *r, oidc_cfg *cfg); +apr_byte_t oidc_proto_resolve_code(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, char *code, const char *nonce, char **user, apr_json_value_t **j_idtoken_payload, char **s_id_token, char **s_access_token, apr_time_t *expires); +apr_byte_t oidc_proto_resolve_userinfo(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *access_token, const char **response, apr_json_value_t **claims); +apr_byte_t oidc_proto_account_based_discovery(request_rec *r, oidc_cfg *cfg, const char *acct, char **issuer); +apr_byte_t oidc_proto_parse_idtoken(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *id_token, const char *nonce, char **user, apr_json_value_t **j_payload, char **s_payload, apr_time_t *expires); +int oidc_proto_javascript_implicit(request_rec *r, oidc_cfg *c); + +// oidc_authz.c +int oidc_authz_worker(request_rec *r, const apr_json_value_t *const claims, const require_line *const reqs, int nelts); +#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714 +authz_status oidc_authz_worker24(request_rec *r, const apr_json_value_t * const claims, const char *require_line); +#endif + +// oidc_config.c +void *oidc_create_server_config(apr_pool_t *pool, server_rec *svr); +void *oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD); +void *oidc_create_dir_config(apr_pool_t *pool, char *path); +void *oidc_merge_dir_config(apr_pool_t *pool, void *BASE, void *ADD); +void oidc_register_hooks(apr_pool_t *pool); + +const char *oidc_set_flag_slot(cmd_parms *cmd, void *struct_ptr, int arg); +const char *oidc_set_int_slot(cmd_parms *cmd, void *struct_ptr, const char *arg); +const char *oidc_set_string_slot(cmd_parms *cmd, void *struct_ptr, const char *arg); +const char *oidc_set_https_slot(cmd_parms *cmd, void *struct_ptr, const char *arg); +const char *oidc_set_url_slot(cmd_parms *cmd, void *struct_ptr, const char *arg); +const char *oidc_set_endpoint_auth_slot(cmd_parms *cmd, void *struct_ptr, const char *arg); +const char *oidc_set_cookie_domain(cmd_parms *cmd, void *ptr, const char *value); +const char *oidc_set_dir_slot(cmd_parms *cmd, void *ptr, const char *arg); +const char *oidc_set_session_type(cmd_parms *cmd, void *ptr, const char *arg); +const char *oidc_set_cache_type(cmd_parms *cmd, void *ptr, const char *arg); +const char *oidc_set_response_type(cmd_parms *cmd, void *struct_ptr, const char *arg); +const char *oidc_set_id_token_alg(cmd_parms *cmd, void *struct_ptr, const char *arg); +const char *oidc_set_cache_shm_max(cmd_parms *cmd, void *ptr, const char *arg); + +char *oidc_get_cookie_path(request_rec *r); + +// oidc_util.c +int oidc_strnenvcmp(const char *a, const char *b, int len); +int oidc_base64url_encode(request_rec *r, char **dst, const char *src, int src_len); +int oidc_base64url_decode(request_rec *r, char **dst, const char *src, int padding); +void oidc_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue); +char *oidc_get_cookie(request_rec *r, char *cookieName); +int oidc_encrypt_base64url_encode_string(request_rec *r, char **dst, const char *src); +int oidc_base64url_decode_decrypt_string(request_rec *r, char **dst, const char *src); +char *oidc_get_current_url(const request_rec *r, const oidc_cfg *c); +char *oidc_url_encode(const request_rec *r, const char *str, const char *charsToEncode); +char *oidc_normalize_header_name(const request_rec *r, const char *str); + +apr_byte_t oidc_util_http_call(request_rec *r, const char *url, int action, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout); +apr_byte_t oidc_util_request_matches_url(request_rec *r, const char *url); +apr_byte_t oidc_util_request_has_parameter(request_rec *r, const char* param); +apr_byte_t oidc_util_get_request_parameter(request_rec *r, char *name, char **value); +apr_byte_t oidc_util_decode_json_and_check_error(request_rec *r, const char *str, apr_json_value_t **json); +int oidc_util_http_sendstring(request_rec *r, const char *html, int success_rvalue); +char *oidc_util_escape_string(const request_rec *r, const char *str); +char *oidc_util_unescape_string(const request_rec *r, const char *str); +apr_byte_t oidc_util_read_post(request_rec *r, apr_table_t *table); +apr_byte_t oidc_util_generate_random_base64url_encoded_value(request_rec *r, int randomLen, char **randomB64); +apr_byte_t oidc_util_file_read(request_rec *r, const char *path, char **result); +apr_byte_t oidc_util_issuer_match(const char *a, const char *b); +int oidc_util_html_send_error(request_rec *r, const char *error, const char *description, int status_code); +int oidc_base64url_decode_rsa_verify(request_rec *r, const char *alg, const char *signature, const char *message, const char *modulus, const char *exponent); +apr_byte_t oidc_util_json_array_has_value(request_rec *r, apr_json_value_t *haystack, const char *needle); + +// oidc_crypto.c +unsigned char *oidc_crypto_aes_encrypt(request_rec *r, oidc_cfg *cfg, unsigned char *plaintext, int *len); +unsigned char *oidc_crypto_aes_decrypt(request_rec *r, oidc_cfg *cfg, unsigned char *ciphertext, int *len); +char *oidc_crypto_jwt_alg2digest(const char *alg); +apr_byte_t oidc_crypto_rsa_verify(request_rec *r, const char *alg, unsigned char* sig, int sig_len, unsigned char* msg, int msg_len, unsigned char *mod, int mod_len, unsigned char *exp, int exp_len); +apr_byte_t oidc_crypto_hoidc_verify(request_rec *r, const char *alg, unsigned char* sig, int sig_len, unsigned char* msg, int msg_len, unsigned char *key, int key_len); + +// oidc_metadata.c +apr_byte_t oidc_metadata_list(request_rec *r, oidc_cfg *cfg, apr_array_header_t **arr); +apr_byte_t oidc_metadata_get(request_rec *r, oidc_cfg *cfg, const char *selected, oidc_provider_t **provider); +apr_byte_t oidc_metadata_jwks_get(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, apr_json_value_t **j_jwks, apr_byte_t *refresh); + +// oidc_session.c +#if MODULE_MAGIC_NUMBER_MAJOR >= 20081201 +// this stuff should make it easy to migrate to the post 2.3 mod_session infrastructure +#include "mod_session.h" +#else +typedef struct { + apr_pool_t *pool; /* pool to be used for this session */ + apr_uuid_t *uuid; /* anonymous uuid of this particular session */ + const char *remote_user; /* user who owns this particular session */ + apr_table_t *entries; /* key value pairs */ + const char *encoded; /* the encoded version of the key value pairs */ + apr_time_t expiry; /* if > 0, the time of expiry of this session */ + long maxage; /* if > 0, the maxage of the session, from + * which expiry is calculated */ + int dirty; /* dirty flag */ + int cached; /* true if this session was loaded from a + * cache of some kind */ + int written; /* true if this session has already been + * written */ +} session_rec; +#endif + +apr_status_t oidc_session_init(); +apr_status_t oidc_session_load(request_rec *r, session_rec **z); +apr_status_t oidc_session_get(request_rec *r, session_rec *z, const char *key, const char **value); +apr_status_t oidc_session_set(request_rec *r, session_rec *z, const char *key, const char *value); +apr_status_t oidc_session_save(request_rec *r, session_rec *z); +apr_status_t oidc_session_kill(request_rec *r, session_rec *z); + +#endif /* MOD_AUTH_CONNECT_H_ */ diff --git a/src/oauth.c b/src/oauth.c new file mode 100644 index 00000000..f62b4470 --- /dev/null +++ b/src/oauth.c @@ -0,0 +1,246 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include + +#include +#include +#include +#include + +#include "mod_auth_openidc.h" + +/* the grant type string that the Authorization server expects when validating access tokens */ +#define OIDC_OAUTH_VALIDATION_GRANT_TYPE "urn:pingidentity.com:oauth2:grant_type:validate_bearer" + +/* + * validates an access token against the validation endpoint of the Authorization server and gets a response back + */ +static int oidc_oauth_validate_access_token(request_rec *r, oidc_cfg *c, + const char *token, const char **response) { + + /* assemble parameters to call the token endpoint for validation */ + apr_table_t *params = apr_table_make(r->pool, 4); + apr_table_addn(params, "grant_type", OIDC_OAUTH_VALIDATION_GRANT_TYPE); + apr_table_addn(params, "token", token); + + /* see if we want to do basic auth or post-param-based auth */ + const char *basic_auth = NULL; + if ((apr_strnatcmp(c->oauth.validate_endpoint_auth, "client_secret_post")) + == 0) { + apr_table_addn(params, "client_id", c->oauth.client_id); + apr_table_addn(params, "client_secret", c->oauth.client_secret); + } else { + basic_auth = apr_psprintf(r->pool, "%s:%s", c->oauth.client_id, + c->oauth.client_secret); + } + + /* call the endpoint with the constructed parameter set and return the resulting response */ + return oidc_util_http_call(r, c->oauth.validate_endpoint_url, + OIDC_HTTP_POST_FORM, params, basic_auth, NULL, + c->oauth.ssl_validate_server, response, c->http_timeout_long); +} + +/* + * get the authorization header that should contain a bearer token + */ +static apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, + const char **access_token) { + + /* get the authorization header */ + const char *auth_line; + auth_line = apr_table_get(r->headers_in, "Authorization"); + if (!auth_line) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_oauth_get_bearer_token: no authorization header found"); + return FALSE; + } + + /* look for the Bearer keyword */ + if (apr_strnatcasecmp(ap_getword(r->pool, &auth_line, ' '), "Bearer")) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_oauth_get_bearer_token: client used unsupported authentication scheme: %s", + r->uri); + return FALSE; + } + + /* skip any spaces after the Bearer keyword */ + while (apr_isspace(*auth_line)) { + auth_line++; + } + + /* copy the result in to the access_token */ + *access_token = apr_pstrdup(r->pool, auth_line); + + /* log some stuff */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_oauth_get_bearer_token: bearer token: %s", *access_token); + + return TRUE; +} + +static apr_byte_t oidc_oauth_resolve_access_token(request_rec *r, oidc_cfg *c, + const char *access_token, apr_json_value_t **token) { + + apr_json_value_t *result = NULL; + const char *json = NULL; + + /* see if we've got the claims for this access_token cached already */ + c->cache->get(r, access_token, &json); + + if (json == NULL) { + + /* not cached, go out and validate the access_token against the Authorization server and get the JSON claims back */ + if (oidc_oauth_validate_access_token(r, c, access_token, &json) == FALSE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_oauth_resolve_access_token: could not get a validation response from the Authorization server"); + return FALSE; + } + + /* decode and see if it is not an error response somehow */ + if (oidc_util_decode_json_and_check_error(r, json, &result) == FALSE) + return FALSE; + + /* get and check the expiry timestamp */ + apr_json_value_t *expires_in = apr_hash_get(result->value.object, + "expires_in", APR_HASH_KEY_STRING); + if ((expires_in == NULL) || (expires_in->type != APR_JSON_LONG)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_oauth_resolve_access_token: response JSON object did not contain an \"expires_in\" number"); + return FALSE; + } + if (expires_in->value.lnumber <= 0) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_oauth_resolve_access_token: \"expires_in\" number <= 0 (%ld); token already expired...", + expires_in->value.lnumber); + return FALSE; + } + + /* set it in the cache so subsequent request don't need to validate the access_token and get the claims anymore */ + c->cache->set(r, access_token, json, + apr_time_now() + apr_time_from_sec(expires_in->value.lnumber)); + + } else { + + /* we got the claims for this access_token in our cache, decode it in to a JSON structure */ + if (apr_json_decode(&result, json, strlen(json), r->pool) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_oauth_resolve_access_token: cached JSON was corrupted"); + return FALSE; + } + /* the NULL and APR_JSON_OBJECT checks really are superfluous here */ + } + + /* return the access_token JSON object */ + *token = apr_hash_get(result->value.object, "access_token", + APR_HASH_KEY_STRING); + if ((*token == NULL) || ((*token)->type != APR_JSON_OBJECT)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_oauth_resolve_access_token: response JSON object did not contain an access_token object"); + return FALSE; + } + + return TRUE; +} + +int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c) { + + /* check if this is a sub-request or an initial request */ + if (!ap_is_initial_req(r)) { + + if (r->main != NULL) + r->user = r->main->user; + else if (r->prev != NULL) + r->user = r->prev->user; + + if (r->user != NULL) { + + /* this is a sub-request and we have a session */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_oauth_check_userid: recycling user '%s' from initial request for sub-request", + r->user); + + return OK; + } + } + + /* we don't have a session yet */ + + /* get the bearer access token from the Authorization header */ + const char *access_token = NULL; + if (oidc_oauth_get_bearer_token(r, &access_token) == FALSE) + return HTTP_UNAUTHORIZED; + + /* validate the obtained access token against the OAuth AS validation endpoint */ + apr_json_value_t *token = NULL; + if (oidc_oauth_resolve_access_token(r, c, access_token, &token) == FALSE) + return HTTP_UNAUTHORIZED; + + /* store the parsed token (cq. the claims from the response) in the request state so it can be accessed by the authz routines */ + oidc_request_state_set(r, OIDC_CLAIMS_SESSION_KEY, (const char *) token); + + // TODO: user attribute header settings & scrubbing ? + + /* get the username from the response to use as the REMOTE_USER key */ + apr_json_value_t *username = apr_hash_get(token->value.object, "Username", + APR_HASH_KEY_STRING); + if ((username == NULL) || (username->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_oauth_check_userid: response JSON object did not contain a Username string"); + } else { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_oauth_check_userid: returned username: %s", + username->value.string.p); + r->user = apr_pstrdup(r->pool, username->value.string.p); + } + + return OK; +} diff --git a/src/proto.c b/src/proto.c new file mode 100644 index 00000000..da97e12a --- /dev/null +++ b/src/proto.c @@ -0,0 +1,938 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include +#include +#include +#include + +#include "mod_auth_openidc.h" + +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +/* + * send an OpenID Connect authorization request to the specified provider + */ +int oidc_proto_authorization_request(request_rec *r, + struct oidc_provider_t *provider, const char *redirect_uri, + const char *state, const char *original_url, const char *nonce) { + + /* log some stuff */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_authorization_request: entering (issuer=%s, redirect_uri=%s, original_url=%s, state=%s, nonce=%s)", + provider->issuer, redirect_uri, original_url, state, nonce); + + /* assemble the full URL as the authorization request to the OP where we want to redirect to */ + char *destination = + apr_psprintf(r->pool, + "%s%sresponse_type=%s&scope=%s&client_id=%s&state=%s&redirect_uri=%s", + provider->authorization_endpoint_url, + (strchr(provider->authorization_endpoint_url, '?') != NULL ? + "&" : "?"), oidc_util_escape_string(r, provider->response_type), + oidc_util_escape_string(r, provider->scope), + oidc_util_escape_string(r, provider->client_id), + oidc_util_escape_string(r, state), + oidc_util_escape_string(r, redirect_uri)); + + /* + * see if the chosen flow requires a nonce parameter + * + * TODO: I'd like to include the nonce in the code flow as well but Google does not allow me to do that: + * Error: invalid_request: Parameter not allowed for this message type: nonce + */ + if ( (strstr(provider->response_type, "id_token") != NULL) || (strcmp(provider->response_type, "token") == 0) ) { + destination = apr_psprintf(r->pool, "%s&nonce=%s", destination, oidc_util_escape_string(r, nonce)); + //destination = apr_psprintf(r->pool, "%s&response_mode=fragment", destination); + } + + /* add the redirect location header */ + apr_table_add(r->headers_out, "Location", destination); + + /* some more logging */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_authorization_request: adding outgoing header: Location: %s", + destination); + + /* and tell Apache to return an HTTP Redirect (302) message */ + return HTTP_MOVED_TEMPORARILY; +} + +/* + * indicate whether the incoming HTTP request is an OpenID Connect Authorization Response from a Basic Client flow, syntax-wise + */ +apr_byte_t oidc_proto_is_basic_authorization_response(request_rec *r, oidc_cfg *cfg) { + + /* see if this is a call to the configured redirect_uri and the "code" and "state" parameters are present */ + return ((oidc_util_request_matches_url(r, cfg->redirect_uri) == TRUE) + && oidc_util_request_has_parameter(r, "code") + && oidc_util_request_has_parameter(r, "state")); +} + +/* + * indicate whether the incoming HTTP request is an OpenID Connect Authorization Response from an Implicit Client flow, syntax-wise + */ +apr_byte_t oidc_proto_is_implicit_post(request_rec *r, oidc_cfg *cfg) { + + /* see if this is a call to the configured redirect_uri and it is a POST */ + return ((oidc_util_request_matches_url(r, cfg->redirect_uri) == TRUE) + && (r->method_number == M_POST)); +} + +/* + * indicate whether the incoming HTTP request is an OpenID Connect Authorization Response from an Implicit Client flow using the query parameter response type, syntax-wise + */ +apr_byte_t oidc_proto_is_implicit_redirect(request_rec *r, oidc_cfg *cfg) { + + /* see if this is a call to the configured redirect_uri and it is a POST */ + return ((oidc_util_request_matches_url(r, cfg->redirect_uri) == TRUE) + && (r->method_number == M_GET) + && oidc_util_request_has_parameter(r, "state") + && oidc_util_request_has_parameter(r, "id_token")); +} + +/* + * check whether the provided JSON payload (in the j_payload parameter) is a valid id_token for the specified "provider" + */ +static apr_byte_t oidc_proto_is_valid_idtoken(request_rec *r, + oidc_provider_t *provider, apr_json_value_t *j_payload, const char *nonce, + apr_time_t *expires) { + + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_is_valid_idtoken: entering (looking for nonce=%s)", nonce); + + /* if a nonce is not passed, we're doing a ("code") flow where the nonce is optional */ + if (nonce != NULL) { + + /* see if we've this nonce cached already */ + const char *replay = NULL; + cfg->cache->get(r, nonce, &replay); + if (replay != NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: nonce was found in cache already; replay attack!?"); + return FALSE; + } + + apr_json_value_t *j_nonce = apr_hash_get(j_payload->value.object, "nonce", + APR_HASH_KEY_STRING); + if ((j_nonce == NULL) || (j_nonce->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: response JSON object did not contain a \"nonce\" string"); + return FALSE; + } + if (strcmp(nonce, j_nonce->value.string.p) != 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: the nonce value in the id_token did not match the one stored in the browser session"); + return FALSE; + } + } + + /* get the "issuer" value from the JSON payload */ + apr_json_value_t *iss = apr_hash_get(j_payload->value.object, "iss", + APR_HASH_KEY_STRING); + if ((iss == NULL) || (iss->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: response JSON object did not contain an \"iss\" string"); + return FALSE; + } + + /* check if the issuer matches the requested value */ + if (oidc_util_issuer_match(provider->issuer, iss->value.string.p) == FALSE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: configured issuer (%s) does not match received \"iss\" value in id_token (%s)", + provider->issuer, iss->value.string.p); + return FALSE; + } + + /* get the "exp" value from the JSON payload */ + apr_json_value_t *exp = apr_hash_get(j_payload->value.object, "exp", + APR_HASH_KEY_STRING); + if ((exp == NULL) || (exp->type != APR_JSON_LONG)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: response JSON object did not contain an \"exp\" number value"); + return FALSE; + } + + /* check if this id_token has already expired */ + if (apr_time_sec(apr_time_now()) > exp->value.lnumber) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: id_token expired"); + return FALSE; + } + + /* return the "exp" value in the "expires" return parameter */ + *expires = apr_time_from_sec(exp->value.lnumber); + + /* get the "iat" value from the JSON payload */ + apr_json_value_t *iat = apr_hash_get(j_payload->value.object, "iat", + APR_HASH_KEY_STRING); + if ((iat == NULL) || (iat->type != APR_JSON_LONG)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: response JSON object did not contain an \"iat\" number value"); + return FALSE; + } + + /* check if this id_token has been issued just now +- slack (default 10 minutes) */ + if ((apr_time_sec(apr_time_now()) - provider->idtoken_iat_slack) > iat->value.lnumber) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: token was issued more than %d seconds ago", provider->idtoken_iat_slack); + return FALSE; + } + if ((apr_time_sec(apr_time_now()) + provider->idtoken_iat_slack) < iat->value.lnumber) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: token was issued more than %d seconds in the future", provider->idtoken_iat_slack); + return FALSE; + } + + if (nonce != NULL) { + /* cache the nonce for the window time of the token for replay prevention plus 10 seconds for safety */ + cfg->cache->set(r, nonce, nonce, apr_time_from_sec(provider->idtoken_iat_slack * 2 + 10)); + } + + /* get the "azp" value from the JSON payload, which may be NULL */ + apr_json_value_t *azp = apr_hash_get(j_payload->value.object, "azp", + APR_HASH_KEY_STRING); + if ((azp != NULL) && (azp->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: id_token JSON payload contained an \"azp\" value, but it was not a string"); + return FALSE; + } + + /* + * This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. + * It MAY be included even when the authorized party is the same as the sole audience. + */ + if ((azp != NULL) + && (strcmp(azp->value.string.p, provider->client_id) != 0)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "\"azp\" claim (%s) is not equal to configured client_id (%s)", + azp->value.string.p, provider->client_id); + return FALSE; + } + + /* get the "aud" value from the JSON payload */ + apr_json_value_t *aud = apr_hash_get(j_payload->value.object, "aud", + APR_HASH_KEY_STRING); + + if (aud != NULL) { + + /* check if it is a single-value */ + if (aud->type == APR_JSON_STRING) { + + /* a single-valued audience must be equal to our client_id */ + if (strcmp(aud->value.string.p, provider->client_id) != 0) { + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: configured client_id (%s) did not match the JSON \"aud\" entry (%s)", + provider->client_id, aud->value.string.p); + return FALSE; + } + + /* check if this is a multi-valued audience */ + } else if (aud->type == APR_JSON_ARRAY) { + + if ((aud->value.array->nelts > 1) && (azp == NULL)) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_is_valid_idtoken: \"aud\" is an array with more than 1 element, but \"azp\" claim is not present (a SHOULD in the spec...)"); + } + + /* loop over the audience values */ + int i; + for (i = 0; i < aud->value.array->nelts; i++) { + + apr_json_value_t *elem = + APR_ARRAY_IDX(aud->value.array, i, apr_json_value_t *); + + /* check if it is a string, warn otherwise */ + if (elem->type != APR_JSON_STRING) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_proto_is_valid_idtoken: unhandled in-array JSON object type [%d]", + elem->type); + continue; + } + + /* we're looking for a value in the list that matches our client id */ + if (strcmp(elem->value.string.p, provider->client_id) == 0) { + break; + } + } + + /* check if we've found a match or not */ + if (i == aud->value.array->nelts) { + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: configured client_id (%s) could not be found in the JSON \"aud\" array object", + provider->client_id); + return FALSE; + } + + } else { + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: response JSON \"aud\" object is not a string nor an array"); + return FALSE; + } + + } else { + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken: response JSON object did not contain an \"aud\" element"); + return FALSE; + } + + return TRUE; +} + +/* + * check whether the provider string is a valid id_token for the specified "provider" + */ +static apr_byte_t oidc_proto_is_valid_idtoken_payload(request_rec *r, + oidc_provider_t *provider, const char *s_idtoken_payload, const char *nonce, + apr_json_value_t **result, apr_time_t *expires) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_is_valid_idtoken_payload: entering (%s)", s_idtoken_payload); + + /* decode the string in to a JSON structure */ + if (apr_json_decode(result, s_idtoken_payload, strlen(s_idtoken_payload), + r->pool) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken_payload: could not decode id_token payload string in to a JSON structure"); + return FALSE; + } + + /* a convenient helper pointer */ + apr_json_value_t *j_payload = *result; + + /* check that we've actually got a JSON object back */ + if ((j_payload == NULL) || (j_payload->type != APR_JSON_OBJECT)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_is_valid_idtoken_payload: payload from id_token did not contain a JSON object"); + return FALSE; + } + + /* now check if the JSON is a valid id_token */ + return oidc_proto_is_valid_idtoken(r, provider, j_payload, nonce, expires); +} + +/* + * check whether the provided string is a valid id_token header + */ +static apr_byte_t oidc_proto_parse_idtoken_header(request_rec *r, + const char *s_header, apr_json_value_t **result) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_parse_idtoken_header: entering (%s)", s_header); + + /* decode the string in to a JSON structure */ + if (apr_json_decode(result, s_header, strlen(s_header), + r->pool) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_parse_idtoken_header: could not decode header from id_token successfully"); + return FALSE; + } + + /* a convenient helper pointer */ + apr_json_value_t *j_header = *result; + + /* check that we've actually got a JSON object back */ + if ((j_header == NULL) || (j_header->type != APR_JSON_OBJECT)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_parse_idtoken_header: header from id_token did not contain a JSON object"); + return FALSE; + } + + apr_json_value_t *algorithm = apr_hash_get(j_header->value.object, "alg", + APR_HASH_KEY_STRING); + if ((algorithm == NULL) || (algorithm->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_parse_idtoken_header: header JSON object did not contain a \"alg\" string"); + return FALSE; + } + + if (oidc_crypto_jwt_alg2digest(algorithm->value.string.p) == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_parse_idtoken_header: unsupported signing algorithm: %s", algorithm->value.string.p); + return FALSE; + } + + return TRUE; +} + +/* + * get the key from the JWKs that corresponds with the key specified in the header + */ +static apr_json_value_t *oidc_proto_get_key_from_jwks(request_rec *r, apr_json_value_t *j_header, apr_json_value_t *j_jwks) { + + const char *s_kid_match = NULL; + + apr_json_value_t *kid = apr_hash_get(j_header->value.object, "kid", APR_HASH_KEY_STRING); + if (kid != NULL) { + if (kid->type != APR_JSON_STRING) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_get_key_from_jwks: \"kid\" is not a string"); + return NULL;; + } + s_kid_match = kid->value.string.p; + } + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_proto_get_key_from_jwks: search for kid \"%s\"", s_kid_match); + + apr_json_value_t *keys = apr_hash_get(j_jwks->value.object, "keys", APR_HASH_KEY_STRING); + + int i; + for (i = 0; i < keys->value.array->nelts; i++) { + + apr_json_value_t *elem = APR_ARRAY_IDX(keys->value.array, i, apr_json_value_t *); + if (elem->type != APR_JSON_OBJECT) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_proto_get_key_from_jwks: \"keys\" array element is not a JSON object, skipping"); + continue; + } + apr_json_value_t *kty = apr_hash_get(elem->value.object, "kty", APR_HASH_KEY_STRING); + if (strcmp(kty->value.string.p, "RSA") != 0) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_get_key_from_jwks: \"keys\" array element is not an RSA key type (%s), skipping", kty->value.string.p); + continue; + } + if (s_kid_match == NULL) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_proto_get_key_from_jwks: no kid to match, return first key found"); + return elem; + } + apr_json_value_t *ekid = apr_hash_get(elem->value.object, "kid", APR_HASH_KEY_STRING); + if (ekid == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_proto_get_key_from_jwks: \"keys\" array element does not have a \"kid\" entry, skipping"); + continue; + } + if (strcmp(s_kid_match, ekid->value.string.p) == 0) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_proto_get_key_from_jwks: found matching kid: \"%s\"", s_kid_match); + return elem; + } + } + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_proto_get_key_from_jwks: return NULL"); + + return NULL; +} + +/* + * get the key from the (possibly cached) set of JWKs on the jwk_uri that corresponds with the key specified in the header + */ +static apr_json_value_t * oidc_proto_get_key_from_jwk_uri(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, apr_json_value_t *j_header, apr_byte_t *refresh) { + apr_json_value_t *j_jwks = NULL; + apr_json_value_t *key = NULL; + + /* get the set of JSON Web Keys for this provider (possibly by downloading them from the specified provider->jwk_uri) */ + oidc_metadata_jwks_get(r, cfg, provider, &j_jwks, refresh); + if (j_jwks == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_get_key_from_jwk_uri: could not resolve JSON Web Keys"); + return NULL; + } + + /* get the key corresponding to the kid from the header, referencing the key that was used to sign this message */ + key = oidc_proto_get_key_from_jwks(r, j_header, j_jwks); + + /* see what we've got back */ + if ( (key == NULL) && (refresh == FALSE) ) { + + /* we did not get a key, but we have not refreshed the JWKs from the jwks_uri yet */ + + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_proto_get_key_from_jwk_uri: could not find a key in the cached JSON Web Keys, doing a forced refresh"); + + /* get the set of JSON Web Keys for this provider forcing a fresh download from the specified provider->jwk_uri) */ + *refresh = TRUE; + oidc_metadata_jwks_get(r, cfg, provider, &j_jwks, refresh); + if (j_jwks == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_get_key_from_jwk_uri: could not refresh JSON Web Keys"); + return NULL; + } + + key = oidc_proto_get_key_from_jwks(r, j_header, j_jwks); + + } + + return key; +} + +static apr_byte_t oidc_proto_idtoken_verify_hmac(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, apr_json_value_t *j_header, const char *signature, const char *message) { + + unsigned char *key = (unsigned char *)provider->client_secret; + int key_len = strlen(provider->client_secret); + + unsigned char *sig = NULL; + int sig_len = oidc_base64url_decode(r, (char **)&sig, signature, 1); + + apr_json_value_t *alg = apr_hash_get(j_header->value.object, "alg", + APR_HASH_KEY_STRING); + + return oidc_crypto_hoidc_verify(r, alg->value.string.p, sig, sig_len, (unsigned char *)message, strlen(message), key, key_len); +} + +/* + * verify the signature on an id_token + */ +static apr_byte_t oidc_proto_idtoken_verify_signature(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, apr_json_value_t *j_header, const char *signature, const char *message, apr_byte_t *refresh) { + + /* get the key from the JWKs that corresponds with the key specified in the header */ + apr_json_value_t *key = oidc_proto_get_key_from_jwk_uri(r, cfg, provider, j_header, refresh); + if (key == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_idtoken_verify_signature: could not find a key in the JSON Web Keys"); + if (*refresh == FALSE) { + *refresh = TRUE; + return oidc_proto_idtoken_verify_signature(r, cfg, provider, j_header, signature, message, refresh); + } + return FALSE; + } + + /* get the modulus */ + apr_json_value_t *modulus = apr_hash_get(key->value.object, "n", APR_HASH_KEY_STRING); + if ((modulus == NULL) || (modulus->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_idtoken_verify_signature: response JSON object did not contain a \"n\" string"); + return FALSE; + } + + /* get the exponent */ + apr_json_value_t *exponent = apr_hash_get(key->value.object, "e", APR_HASH_KEY_STRING); + if ((exponent == NULL) || (exponent->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_idtoken_verify_signature: response JSON object did not contain a \"e\" string"); + return FALSE; + } + + /* do the actual signature verification */ + apr_json_value_t *algorithm = apr_hash_get(j_header->value.object, "alg", + APR_HASH_KEY_STRING); + + if (oidc_base64url_decode_rsa_verify(r, algorithm->value.string.p, signature, message, modulus->value.string.p, exponent->value.string.p) != TRUE) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_proto_idtoken_verify_signature: signature verification on id_token failed"); + + if (*refresh == FALSE) { + *refresh = TRUE; + return oidc_proto_idtoken_verify_signature(r, cfg, provider, j_header, signature, message, refresh); + } + return FALSE; + } + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_proto_idtoken_verify_signature: signature with algorithm \"%s\" verified OK!", algorithm->value.string.p); + + /* if we've made it this far, all is OK */ + return TRUE; +} + +/* + * check whether the provided string is a valid id_token and return its parsed contents + */ +apr_byte_t oidc_proto_parse_idtoken(request_rec *r, oidc_cfg *cfg, + oidc_provider_t *provider, const char *id_token, const char *nonce, char **user, + apr_json_value_t **j_payload, char **s_payload, apr_time_t *expires) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_parse_idtoken: entering"); + + /* find the header */ + const char *s = apr_pstrdup(r->pool, id_token); + char *p = strchr(s, '.'); + if (p == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_parse_id_token: could not find first \".\" in id_token"); + return FALSE; + } + *p = '\0'; + + /* add to the message part that is signed */ + char *header = apr_pstrdup(r->pool, s); + + /* parse the header (base64decode, json_decode) and validate it */ + char *s_header = NULL; + oidc_base64url_decode(r, &s_header, s, 1); + apr_json_value_t *j_header = NULL; + if (oidc_proto_parse_idtoken_header(r, s_header, &j_header) != TRUE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_parse_id_token: header parsing failure"); + return FALSE; + } + + /* find the payload */ + s = ++p; + p = strchr(s, '.'); + if (p == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_parse_id_token: could not find second \".\" in id_token"); + return FALSE; + } + *p = '\0'; + + char *payload = apr_pstrdup(r->pool, s); + + s = ++p; + + char *signature = apr_pstrdup(r->pool, s); + + // verify signature unless we did 'code' flow and the algorithm is NONE + // TODO: should improve "detection": in principle nonce can be used in "code" flow too +// apr_json_value_t *algorithm = apr_hash_get(j_header->value.object, "alg", APR_HASH_KEY_STRING); +// if ((strcmp(algorithm->value.string.p, "NONE") != 0) || (nonce != NULL)) { +// /* verify the signature on the id_token */ +// apr_byte_t refresh = FALSE; +// if (oidc_proto_idtoken_verify_signature(r, cfg, provider, j_header, signature, apr_pstrcat(r->pool, header, ".", payload, NULL), &refresh) == FALSE) return FALSE; +// } + + apr_json_value_t *algorithm = apr_hash_get(j_header->value.object, "alg", APR_HASH_KEY_STRING); + if (strncmp(algorithm->value.string.p, "HS", 2) == 0) { + /* verify the HOIDC signature on the id_token */ + if (oidc_proto_idtoken_verify_hmac(r, cfg, provider, j_header, signature, apr_pstrcat(r->pool, header, ".", payload, NULL)) == FALSE) return FALSE; + } else { + /* verify the RSA signature on the id_token */ + apr_byte_t refresh = FALSE; + if (oidc_proto_idtoken_verify_signature(r, cfg, provider, j_header, signature, apr_pstrcat(r->pool, header, ".", payload, NULL), &refresh) == FALSE) return FALSE; + } + + /* parse the payload */ + oidc_base64url_decode(r, s_payload, payload, 1); + + /* this is where the meat is */ + if (oidc_proto_is_valid_idtoken_payload(r, provider, *s_payload, nonce, j_payload, + expires) == FALSE) + return FALSE; + + /* extract and return the user name claim ("sub" or something similar) */ + apr_json_value_t *username = apr_hash_get((*j_payload)->value.object, "sub", + APR_HASH_KEY_STRING); + if ((username == NULL) || (username->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_proto_parse_id_token: response JSON object did not contain a \"sub\" string, falback to non-spec compliant (MS) \"unique_name\""); + + username = apr_hash_get((*j_payload)->value.object, "unique_name", + APR_HASH_KEY_STRING); + + if ((username == NULL) || (username->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_proto_parse_id_token: response JSON object did not contain a \"unique_name\" string either, second falback to non-spec compliant \"email\""); + + username = apr_hash_get((*j_payload)->value.object, "email", + APR_HASH_KEY_STRING); + + if ((username == NULL) || (username->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_proto_parse_id_token: response JSON object did not contain an \"email\" string either, now fail..."); + + return FALSE; + } + } + } + + /* set the unique username in the session (r->user) */ + *user = apr_pstrdup(r->pool, username->value.string.p); + + /* log our results */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_parse_idtoken: valid id_token for user \"%s\" (expires in %" APR_TIME_T_FMT " seconds)", + *user, *expires - apr_time_sec(apr_time_now())); + + /* since we've made it so far, we may as well say it is a valid id_token */ + return TRUE; +} + +/* + * resolves the code received from the OP in to an access_token and id_token and returns the parsed contents + */ +apr_byte_t oidc_proto_resolve_code(request_rec *r, oidc_cfg *cfg, + oidc_provider_t *provider, char *code, const char *nonce, char **user, + apr_json_value_t **j_idtoken_payload, char **s_id_token, + char **s_access_token, apr_time_t *expires) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_resolve_code: entering"); + const char *response = NULL; + + /* assemble the parameters for a call to the token endpoint */ + apr_table_t *params = apr_table_make(r->pool, 5); + apr_table_addn(params, "grant_type", "authorization_code"); + apr_table_addn(params, "code", code); + apr_table_addn(params, "redirect_uri", cfg->redirect_uri); + + /* see if we need to do basic auth or auth-through-post-params (both applied through the HTTP POST method though) */ + const char *basic_auth = NULL; + if ((apr_strnatcmp(provider->token_endpoint_auth, "client_secret_basic")) + == 0) { + basic_auth = apr_psprintf(r->pool, "%s:%s", provider->client_id, + provider->client_secret); + } else { + apr_table_addn(params, "client_id", provider->client_id); + apr_table_addn(params, "client_secret", provider->client_secret); + } +/* + if (strcmp(provider->issuer, "https://sts.windows.net/b4ea3de6-839e-4ad1-ae78-c78e5c0cdc06/") == 0) { + apr_table_addn(params, "resource", "https://graph.windows.net"); + } +*/ + /* resolve the code against the token endpoint */ + if (oidc_util_http_call(r, provider->token_endpoint_url, + OIDC_HTTP_POST_FORM, params, basic_auth, NULL, + provider->ssl_validate_server, &response, + cfg->http_timeout_long) == FALSE) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_resolve_code: could not successfully resolve the \"code\" (%s) against the token endpoint (%s)", + code, provider->token_endpoint_url); + return FALSE; + } + + /* check for errors, the response itself will have been logged already */ + apr_json_value_t *result = NULL; + if (oidc_util_decode_json_and_check_error(r, response, &result) == FALSE) + return FALSE; + + /* get the access_token from the parsed response */ + apr_json_value_t *access_token = apr_hash_get(result->value.object, + "access_token", APR_HASH_KEY_STRING); + if ((access_token == NULL) || (access_token->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_resolve_code: response JSON object did not contain an access_token string"); + return FALSE; + } + + /* log and set the obtained acces_token */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_resolve_code: returned access_token: %s", + access_token->value.string.p); + *s_access_token = apr_pstrdup(r->pool, access_token->value.string.p); + + /* the provider must the token type */ + apr_json_value_t *token_type = apr_hash_get(result->value.object, + "token_type", APR_HASH_KEY_STRING); + if ((token_type == NULL) || (token_type->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_resolve_code: response JSON object did not contain a token_type string"); + return FALSE; + } + + /* we got the type, we only support bearer/Bearer, check that */ + if ((apr_strnatcasecmp(token_type->value.string.p, "Bearer") != 0) + && (provider->userinfo_endpoint_url != NULL)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_resolve_code: token_type is \"%s\" and UserInfo endpoint is set: can only deal with Bearer authentication against the UserInfo endpoint!", + token_type->value.string.p); + return FALSE; + } + + /* get the id_token from the response */ + apr_json_value_t *id_token = apr_hash_get(result->value.object, "id_token", + APR_HASH_KEY_STRING); + if ((id_token == NULL) || (id_token->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_resolve_code: response JSON object did not contain an id_token string"); + return FALSE; + } + + /* log and set the obtained id_token */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_resolve_code: returned id_token: %s", + id_token->value.string.p); + *s_id_token = apr_pstrdup(r->pool, id_token->value.string.p); + + char *s_payload = NULL; + + /* parse and validate the obtained id_token and return success/failure of that */ + return oidc_proto_parse_idtoken(r, cfg, provider, id_token->value.string.p, nonce, user, + j_idtoken_payload, &s_payload, expires); +} + +/* + * get claims from the OP UserInfo endpoint using the provided access_token + */ +apr_byte_t oidc_proto_resolve_userinfo(request_rec *r, oidc_cfg *cfg, + oidc_provider_t *provider, const char *access_token, + const char **response, apr_json_value_t **claims) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_resolve_userinfo: entering, endpoint=%s, access_token=%s", + provider->userinfo_endpoint_url, access_token); + + /* only do this if an actual endpoint was set */ + if (provider->userinfo_endpoint_url == NULL) + return FALSE; + + /* get the JSON response */ + if (oidc_util_http_call(r, provider->userinfo_endpoint_url, OIDC_HTTP_GET, + NULL, NULL, access_token, provider->ssl_validate_server, response, + cfg->http_timeout_long) == FALSE) + return FALSE; + + /* decode and check for an "error" response */ + return oidc_util_decode_json_and_check_error(r, *response, claims); +} + +/* + * based on an account name, perform OpenID Connect Provider Issuer Discovery to find out the issuer and obtain and store its metadata + */ +apr_byte_t oidc_proto_account_based_discovery(request_rec *r, oidc_cfg *cfg, + const char *acct, char **issuer) { + + // TODO: maybe show intermediate/progress screen "discovering..." + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_account_based_discovery: entering, acct=%s", acct); + + const char *resource = apr_psprintf(r->pool, "acct:%s", acct); + const char *domain = strrchr(acct, '@'); + if (domain == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_account_based_discovery: invalid account name"); + return FALSE; + } + domain++; + const char *url = apr_psprintf(r->pool, "https://%s/.well-known/webfinger", + domain); + + apr_table_t *params = apr_table_make(r->pool, 1); + apr_table_addn(params, "resource", resource); + apr_table_addn(params, "rel", "http://openid.net/specs/connect/1.0/issuer"); + + const char *response = NULL; + if (oidc_util_http_call(r, url, OIDC_HTTP_GET, params, NULL, NULL, + cfg->provider.ssl_validate_server, &response, + cfg->http_timeout_short) == FALSE) { + /* errors will have been logged by now */ + return FALSE; + } + + /* decode and see if it is not an error response somehow */ + apr_json_value_t *j_response = NULL; + if (oidc_util_decode_json_and_check_error(r, response, &j_response) == FALSE) + return FALSE; + + /* get the links parameter */ + apr_json_value_t *j_links = apr_hash_get(j_response->value.object, "links", + APR_HASH_KEY_STRING); + if ((j_links == NULL) || (j_links->type != APR_JSON_ARRAY)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_account_based_discovery: response JSON object did not contain a \"links\" array"); + return FALSE; + } + + /* get the one-and-only object in the "links" array */ + apr_json_value_t *j_object = + ((apr_json_value_t**) j_links->value.array->elts)[0]; + if ((j_object == NULL) || (j_object->type != APR_JSON_OBJECT)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_account_based_discovery: response JSON object did not contain a JSON object as the first element in the \"links\" array"); + return FALSE; + } + + /* get the href from that object, which is the issuer value */ + apr_json_value_t *j_href = apr_hash_get(j_object->value.object, "href", + APR_HASH_KEY_STRING); + if ((j_href == NULL) || (j_href->type != APR_JSON_STRING)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_proto_account_based_discovery: response JSON object did not contain a \"href\" element in the first \"links\" array object"); + return FALSE; + } + + *issuer = (char *) j_href->value.string.p; + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_proto_account_based_discovery: returning issuer \"%s\" for account \"%s\" after doing succesful webfinger-based discovery", + *issuer, acct); + + return TRUE; +} + +int oidc_proto_javascript_implicit(request_rec *r, oidc_cfg *c) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_proto_javascript_implicit: entering"); + +// char *java_script = NULL; +// if (oidc_util_file_read(r, "/Users/hzandbelt/eclipse-workspace/mod_auth_openidc/src/implicit_post.html", &java_script) == FALSE) return HTTP_INTERNAL_SERVER_ERROR; + + const char *java_script = + "\n" + "\n" + " \n" + " \n" + " \n" + " Submitting...\n" + " \n" + " \n" + "

Submitting...

\n" + "
\n" + " \n" + "\n"; + + //return oidc_util_http_sendstring(r, apr_psprintf(r->pool, java_script, c->redirect_uri), OK); + //return oidc_util_http_sendstring(r, apr_psprintf(r->pool, java_script, c->redirect_uri), HTTP_MOVED_TEMPORARILY); + return oidc_util_http_sendstring(r, java_script, HTTP_UNAUTHORIZED); +} + diff --git a/src/session.c b/src/session.c new file mode 100644 index 00000000..dcbdcbb2 --- /dev/null +++ b/src/session.c @@ -0,0 +1,556 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include +#include + +#include +#include +#include +#include + +#include "mod_auth_openidc.h" + +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +/* the name of the remote-user attribute in the session */ +#define OIDC_SESSION_REMOTE_USER_KEY "remote-user" +/* the name of the session expiry attribute in the session */ +#define OIDC_SESSION_EXPIRY_KEY "mac-expiry" +/* the name of the uuid attribute in the session */ +#define OIDC_SESSION_UUID_KEY "mac-uuid" + +static apr_status_t (*ap_session_load_fn)(request_rec *r, session_rec **z) = NULL; +static apr_status_t (*ap_session_get_fn)(request_rec *r, session_rec *z, const char *key, const char **value) = NULL; +static apr_status_t (*ap_session_set_fn)(request_rec *r, session_rec *z, const char *key, const char *value) = NULL; +static apr_status_t (*ap_session_save_fn)(request_rec *r, session_rec *z) = NULL; + +apr_status_t oidc_session_load(request_rec *r, session_rec **zz) { + apr_status_t rc = ap_session_load_fn(r, zz); + (*zz)->remote_user = apr_table_get((*zz)->entries, OIDC_SESSION_REMOTE_USER_KEY); + const char *uuid = apr_table_get((*zz)->entries, OIDC_SESSION_UUID_KEY); + if (uuid != NULL) apr_uuid_parse((*zz)->uuid, uuid); + return rc; +} + +apr_status_t oidc_session_save(request_rec *r, session_rec *z) { + oidc_session_set(r, z, OIDC_SESSION_REMOTE_USER_KEY, z->remote_user); + char key[APR_UUID_FORMATTED_LENGTH + 1]; + apr_uuid_format((char *) &key, z->uuid); + oidc_session_set(r, z, OIDC_SESSION_UUID_KEY, key); + return ap_session_save_fn(r, z); +} + +apr_status_t oidc_session_get(request_rec *r, session_rec *z, const char *key, const char **value) { + return ap_session_get_fn(r, z, key, value); +} + +apr_status_t oidc_session_set(request_rec *r, session_rec *z, const char *key, const char *value) { + return ap_session_set_fn(r, z, key, value); +} + +apr_status_t oidc_session_kill(request_rec *r, session_rec *z) { + apr_table_clear(z->entries); + z->expiry = 0; + z->encoded = NULL; + return ap_session_save_fn(r, z); +} + +#ifndef OIDC_SESSION_USE_APACHE_SESSIONS + +// compatibility stuff copied from: +// http://contribsoft.caixamagica.pt/browser/internals/2012/apachecc/trunk/mod_session-port/src/util_port_compat.c +#define T_ESCAPE_URLENCODED (64) + +static const unsigned char test_c_table[256] = { 32, 126, 126, 126, 126, 126, + 126, 126, 126, 126, 127, 126, 126, 126, 126, 126, 126, 126, 126, 126, + 126, 126, 126, 126, 126, 126, 126, 126, 126, 126, 126, 126, 14, 64, 95, + 70, 65, 102, 65, 65, 73, 73, 1, 64, 72, 0, 0, 74, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 104, 79, 79, 72, 79, 79, 72, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 79, 95, 79, 71, 0, 71, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 79, 103, 79, 65, 126, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, 118, + 118, 118, 118, 118, 118, 118, 118 }; + +#define TEST_CHAR(c, f) (test_c_table[(unsigned)(c)] & (f)) + +static const char c2x_table[] = "0123456789abcdef"; + +static APR_INLINE unsigned char *c2x(unsigned what, unsigned char prefix, + unsigned char *where) { +#if APR_CHARSET_EBCDIC + what = apr_xlate_conv_byte(ap_hdrs_to_ascii, (unsigned char)what); +#endif /*APR_CHARSET_EBCDIC*/ + *where++ = prefix; + *where++ = c2x_table[what >> 4]; + *where++ = c2x_table[what & 0xf]; + return where; +} + +static char x2c(const char *what) { + register char digit; + +#if !APR_CHARSET_EBCDIC + digit = + ((what[0] >= 'A') ? ((what[0] & 0xdf) - 'A') + 10 : (what[0] - '0')); + digit *= 16; + digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A') + 10 : (what[1] - '0')); +#else /*APR_CHARSET_EBCDIC*/ + char xstr[5]; + xstr[0]='0'; + xstr[1]='x'; + xstr[2]=what[0]; + xstr[3]=what[1]; + xstr[4]='\0'; + digit = apr_xlate_conv_byte(ap_hdrs_from_ascii, + 0xFF & strtol(xstr, NULL, 16)); +#endif /*APR_CHARSET_EBCDIC*/ + return (digit); +} + +AP_DECLARE(char *) ap_escape_urlencoded_buffer(char *copy, const char *buffer) { + const unsigned char *s = (const unsigned char *) buffer; + unsigned char *d = (unsigned char *) copy; + unsigned c; + + while ((c = *s)) { + if (TEST_CHAR(c, T_ESCAPE_URLENCODED)) { + d = c2x(c, '%', d); + } else if (c == ' ') { + *d++ = '+'; + } else { + *d++ = c; + } + ++s; + } + *d = '\0'; + return copy; +} + +static int oidc_session_unescape_url(char *url, const char *forbid, + const char *reserved) { + register int badesc, badpath; + char *x, *y; + + badesc = 0; + badpath = 0; + /* Initial scan for first '%'. Don't bother writing values before + * seeing a '%' */ + y = strchr(url, '%'); + if (y == NULL) { + return OK; + } + for (x = y; *y; ++x, ++y) { + if (*y != '%') { + *x = *y; + } else { + if (!apr_isxdigit(*(y + 1)) || !apr_isxdigit(*(y + 2))) { + badesc = 1; + *x = '%'; + } else { + char decoded; + decoded = x2c(y + 1); + if ((decoded == '\0') + || (forbid && ap_strchr_c(forbid, decoded))) { + badpath = 1; + *x = decoded; + y += 2; + } else if (reserved && ap_strchr_c(reserved, decoded)) { + *x++ = *y++; + *x++ = *y++; + *x = *y; + } else { + *x = decoded; + y += 2; + } + } + } + } + *x = '\0'; + if (badesc) { + return HTTP_BAD_REQUEST; + } else if (badpath) { + return HTTP_NOT_FOUND; + } else { + return OK; + } +} + +AP_DECLARE(int) ap_unescape_urlencoded(char *query) { + char *slider; + /* replace plus with a space */ + if (query) { + for (slider = query; *slider; slider++) { + if (*slider == '+') { + *slider = ' '; + } + } + } + /* unescape everything else */ + return oidc_session_unescape_url(query, NULL, NULL); +} + +// copied from mod_session.c +static apr_status_t oidc_session_identity_decode(request_rec * r, + session_rec * z) { + char *last = NULL; + char *encoded, *pair; + const char *sep = "&"; + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_session_identity_decode: decoding %s", z->encoded); + + /* sanity check - anything to decode? */ + if (!z->encoded) { + return APR_SUCCESS; + } + + /* decode what we have */ + encoded = apr_pstrdup(r->pool, z->encoded); + pair = apr_strtok(encoded, sep, &last); + while (pair && pair[0]) { + char *plast = NULL; + const char *psep = "="; + char *key = apr_strtok(pair, psep, &plast); + char *val = apr_strtok(NULL, psep, &plast); + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_session_identity_decode: decoding %s=%s", key, val); + + if (key && *key) { + if (!val || !*val) { + apr_table_unset(z->entries, key); + } else if (!ap_unescape_urlencoded(key) + && !ap_unescape_urlencoded(val)) { + if (!strcmp(OIDC_SESSION_EXPIRY_KEY, key)) { + z->expiry = (apr_time_t) apr_atoi64(val); + } else { + apr_table_set(z->entries, key, val); + } + } + } + pair = apr_strtok(NULL, sep, &last); + } + z->encoded = NULL; + return APR_SUCCESS; +} + +// copied from mod_session.c +static int oidc_identity_count(int *count, const char *key, const char *val) { + *count += strlen(key) * 3 + strlen(val) * 3 + 1; + return 1; +} + +// copied from mod_session.c +static int oidc_identity_concat(char *buffer, const char *key, const char *val) { + char *slider = buffer; + int length = strlen(slider); + slider += length; + if (length) { + *slider = '&'; + slider++; + } + ap_escape_urlencoded_buffer(slider, key); + slider += strlen(slider); + *slider = '='; + slider++; + ap_escape_urlencoded_buffer(slider, val); + return 1; +} + +// copied from mod_session.c +static apr_status_t oidc_session_identity_encode(request_rec * r, + session_rec * z) { + char *buffer = NULL; + int length = 0; + if (z->expiry) { + char *expiry = apr_psprintf(z->pool, "%" APR_INT64_T_FMT, z->expiry); + apr_table_setn(z->entries, OIDC_SESSION_EXPIRY_KEY, expiry); + } + apr_table_do( + (int (*)(void *, const char *, const char *)) oidc_identity_count, + &length, z->entries, NULL); + buffer = apr_pcalloc(r->pool, length + 1); + apr_table_do( + (int (*)(void *, const char *, const char *)) oidc_identity_concat, + buffer, z->entries, NULL); + z->encoded = buffer; + return APR_SUCCESS; + +} + +/* load the session from the cache using the cookie as the index */ +static apr_status_t oidc_session_load_cache(request_rec *r, session_rec *z) { + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); + oidc_dir_cfg *d = ap_get_module_config(r->per_dir_config, &auth_openidc_module); + + /* get the cookie that should be our uuid/key */ + char *uuid = oidc_get_cookie(r, d->cookie); + + /* get the string-encoded session from the cache based on the key */ + if (uuid != NULL) + if (c->cache->get(r, uuid, &z->encoded) == TRUE) return APR_SUCCESS; + + return APR_EGENERAL; +} + +/* + * save the session to the cache using a cookie for the index + */ +static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) { + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); + oidc_dir_cfg *d = ap_get_module_config(r->per_dir_config, &auth_openidc_module); + + char key[APR_UUID_FORMATTED_LENGTH + 1]; + apr_uuid_format((char *) &key, z->uuid); + + if (z->encoded && z->encoded[0]) { + + /* set the uuid in the cookie */ + oidc_set_cookie(r, d->cookie, key); + + /* store the string-encoded session in the cache */ + c->cache->set(r, key, z->encoded, z->expiry); + + } else { + + /* clear the cookie */ + oidc_set_cookie(r, d->cookie, ""); + + /* remove the session from the cache */ + c->cache->set(r, key, NULL, 0); + } + + return APR_SUCCESS; +} + +static apr_status_t oidc_session_load_cookie(request_rec *r, session_rec *z) { + oidc_dir_cfg *d = ap_get_module_config(r->per_dir_config, &auth_openidc_module); + + char *cookieValue = oidc_get_cookie(r, d->cookie); + if (cookieValue != NULL) { + if (oidc_base64url_decode_decrypt_string(r, (char **)&z->encoded, cookieValue) <= 0) return APR_EGENERAL; + } + + return APR_SUCCESS; +} + +static apr_status_t oidc_session_save_cookie(request_rec *r, session_rec *z) { + oidc_dir_cfg *d = ap_get_module_config(r->per_dir_config, &auth_openidc_module); + + char *cookieValue = ""; + if (z->encoded && z->encoded[0]) { + oidc_encrypt_base64url_encode_string(r, &cookieValue, z->encoded); + } + oidc_set_cookie(r, d->cookie, cookieValue); + + return APR_SUCCESS; +} + +/* + * load the session from the request context, create a new one if no luck + */ +static apr_status_t oidc_session_load_22(request_rec *r, session_rec **zz) { + + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); + + /* first see if this is a sub-request and it was set already in the main request */ + if (((*zz) = (session_rec *) oidc_request_state_get(r, "session")) != NULL) { + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_session_load: loading session from request state"); + return APR_SUCCESS; + } + + /* allocate space for the session object and fill it */ + session_rec *z = (*zz = apr_pcalloc(r->pool, sizeof(session_rec))); + z->pool = r->pool; + + /* get a new uuid for this session */ + z->uuid = (apr_uuid_t *) apr_pcalloc(z->pool, sizeof(apr_uuid_t)); + apr_uuid_get(z->uuid); + + z->remote_user = NULL; + z->encoded = NULL; + z->entries = apr_table_make(z->pool, 10); + + apr_status_t rc = APR_SUCCESS; + if (c->session_type == OIDC_SESSION_TYPE_22_CACHE_FILE) { + /* load the session from the cache */ + rc = oidc_session_load_cache(r, z); + } else if (c->session_type == OIDC_SESSION_TYPE_22_COOKIE) { + /* load the session from a self-contained cookie */ + rc = oidc_session_load_cookie(r, z); + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_session_load_22: unknown session type: %d", + c->session_type); + rc = APR_EGENERAL; + } + + /* see if it worked out */ + if (rc != APR_SUCCESS) + return rc; + + /* yup, now decode the info */ + if (oidc_session_identity_decode(r, z) != APR_SUCCESS) + return APR_EGENERAL; + + /* check whether it has expired */ + if (apr_time_now() > z->expiry) { + + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_session_load_22: session restored from cache has expired"); + apr_table_clear(z->entries); + return APR_EGENERAL; + } + + /* store this session in the request context, so it is available to sub-requests */ + oidc_request_state_set(r, "session", (const char *) z); + + return APR_SUCCESS; +} + +/* + * save a session to the cache + */ +static apr_status_t oidc_session_save_22(request_rec *r, session_rec *z) { + + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); + + /* encode the actual state in to the encoded string */ + oidc_session_identity_encode(r, z); + + /* store this session in the request context, so it is available to sub-requests as a quicker-than-file-backend cache */ + oidc_request_state_set(r, "session", (const char *) z); + + apr_status_t rc = APR_SUCCESS; + if (c->session_type == OIDC_SESSION_TYPE_22_CACHE_FILE) { + /* store the session in the cache */ + rc = oidc_session_save_cache(r, z); + } else if (c->session_type == OIDC_SESSION_TYPE_22_COOKIE) { + /* store the session in a self-contained cookie */ + rc = oidc_session_save_cookie(r, z); + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_session_save_22: unknown session type: %d", c->session_type); + rc = APR_EGENERAL; + } + + return rc; +} + +/* + * get a value from the session based on the name from a name/value pair + */ +static apr_status_t oidc_session_get_22(request_rec *r, session_rec *z, const char *key, + const char **value) { + + /* just return the value for the key */ + *value = apr_table_get(z->entries, key); + + return OK; +} + +/* + * set a name/value key pair in the session + */ +static apr_status_t oidc_session_set_22(request_rec *r, session_rec *z, const char *key, + const char *value) { + + /* only set it if non-NULL, otherwise delete the entry */ + if (value) { + apr_table_set(z->entries, key, value); + } else { + apr_table_unset(z->entries, key); + } + return OK; +} + +/* + * session initialization for pre-2.4 + */ +apr_status_t oidc_session_init() { + if (!ap_session_load_fn || !ap_session_get_fn || !ap_session_set_fn || !ap_session_save_fn) { + ap_session_load_fn = oidc_session_load_22; + ap_session_get_fn = oidc_session_get_22; + ap_session_set_fn = oidc_session_set_22; + ap_session_save_fn = oidc_session_save_22; + } + return OK; +} + +#else + +/* + * use Apache 2.4 session handling + */ + +#include + +apr_status_t oidc_session_init() { + if (!ap_session_load_fn || !ap_session_get_fn || !ap_session_set_fn || !ap_session_save_fn) { + ap_session_load_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_load); + ap_session_get_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_get); + ap_session_set_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_set); + ap_session_save_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_save); + } + return OK; +} + +#endif diff --git a/src/util.c b/src/util.c new file mode 100644 index 00000000..86b18307 --- /dev/null +++ b/src/util.c @@ -0,0 +1,1024 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*************************************************************************** + * Copyright (C) 2013-2014 Ping Identity Corporation + * All rights reserved. + * + * The contents of this file are the property of Ping Identity Corporation. + * For further information please contact: + * + * Ping Identity Corporation + * 1099 18th St Suite 2950 + * Denver, CO 80202 + * 303.468.2900 + * http://www.pingidentity.com + * + * DISCLAIMER OF WARRANTIES: + * + * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, + * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY + * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE + * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET + * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE + * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @Author: Hans Zandbelt - hzandbelt@pingidentity.com + */ + +#include +#include +#include + +#include +#include +#include +#include +#include "http_protocol.h" + +#include + +#include "mod_auth_openidc.h" + +/* hrm, should we get rid of this by adding parameters to the (3) functions? */ +extern module AP_MODULE_DECLARE_DATA auth_openidc_module; + +/* + * base64url encode a string + */ +int oidc_base64url_encode(request_rec *r, char **dst, const char *src, + int src_len) { + // TODO: always padded now, do we need an option to remove the padding? + if ((src == NULL) || (src_len <= 0)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_base64url_encode: not encoding anything; src=NULL and/or src_len<1"); + return -1; + } + int enc_len = apr_base64_encode_len(src_len); + char *enc = apr_palloc(r->pool, enc_len); + apr_base64_encode(enc, (const char *) src, src_len); + int i = 0; + while (enc[i] != '\0') { + if (enc[i] == '+') + enc[i] = '-'; + if (enc[i] == '/') + enc[i] = '_'; + if (enc[i] == '=') + enc[i] = ','; + i++; + } + *dst = enc; + return enc_len; +} + +/* + * base64url decode a string + */ +int oidc_base64url_decode(request_rec *r, char **dst, const char *src, + int padding) { + // TODO: check base64url decoding/encoding code and look for alternatives? + if (src == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_base64url_decode: not decoding anything; src=NULL"); + return -1; + } + char *dec = apr_pstrdup(r->pool, src); + int i = 0; + while (dec[i] != '\0') { + if (dec[i] == '-') + dec[i] = '+'; + if (dec[i] == '_') + dec[i] = '/'; + if (dec[i] == ',') + dec[i] = '='; + i++; + } + if (padding == 1) { + switch (strlen(dec) % 4) { + case 0: + break; + case 2: + dec = apr_pstrcat(r->pool, dec, "==", NULL); + break; + case 3: + dec = apr_pstrcat(r->pool, dec, "=", NULL); + break; + default: + return 0; + } + } + int dlen = apr_base64_decode_len(dec); + *dst = apr_palloc(r->pool, dlen); + return apr_base64_decode(*dst, dec); +} + +/* + * encrypt and base64url encode a string + */ +int oidc_encrypt_base64url_encode_string(request_rec *r, char **dst, + const char *src) { + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); + int crypted_len = strlen(src) + 1; + unsigned char *crypted = oidc_crypto_aes_encrypt(r, c, + (unsigned char *) src, &crypted_len); + if (crypted == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_encrypt_base64url_encode_string: oidc_crypto_aes_encrypt failed"); + return -1; + } + return oidc_base64url_encode(r, dst, (const char *) crypted, crypted_len); +} + +/* + * decrypt and base64url decode a string + */ +int oidc_base64url_decode_decrypt_string(request_rec *r, char **dst, + const char *src) { + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); + char *decbuf = NULL; + int dec_len = oidc_base64url_decode(r, &decbuf, src, 0); + if (dec_len <= 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_base64url_decode_decrypt_string: oidc_base64url_decode failed"); + return -1; + } + *dst = (char *) oidc_crypto_aes_decrypt(r, c, (unsigned char *) decbuf, + &dec_len); + if (*dst == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_base64url_decode_decrypt_string: oidc_crypto_aes_decrypt failed"); + return -1; + } + return dec_len; +} + +/* + * convert a character to an ENVIRONMENT-variable-safe variant + */ +int oidc_char_to_env(int c) { + return apr_isalnum(c) ? apr_toupper(c) : '_'; +} + +/* + * compare two strings based on how they would be converted to an + * environment variable, as per oidc_char_to_env. If len is specified + * as less than zero, then the full strings will be compared. Returns + * less than, equal to, or greater than zero based on whether the + * first argument's conversion to an environment variable is less + * than, equal to, or greater than the second. + */ +int oidc_strnenvcmp(const char *a, const char *b, int len) { + int d, i = 0; + while (1) { + /* If len < 0 then we don't stop based on length */ + if (len >= 0 && i >= len) + return 0; + + /* If we're at the end of both strings, they're equal */ + if (!*a && !*b) + return 0; + + /* If the second string is shorter, pick it: */ + if (*a && !*b) + return 1; + + /* If the first string is shorter, pick it: */ + if (!*a && *b) + return -1; + + /* Normalize the characters as for conversion to an + * environment variable. */ + d = oidc_char_to_env(*a) - oidc_char_to_env(*b); + if (d) + return d; + + a++; + b++; + i++; + } + return 0; +} + +/* + * escape a string + */ +char *oidc_util_escape_string(const request_rec *r, const char *str) { + CURL *curl = curl_easy_init(); + if (curl == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_escape_string: curl_easy_init() error"); + return NULL; + } + char *result = curl_easy_escape(curl, str, 0); + if (result == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_escape_string: curl_easy_escape() error"); + return NULL; + } + char *rv = apr_pstrdup(r->pool, result); + curl_free(result); + curl_easy_cleanup(curl); + return rv; +} + +/* + * escape a string + */ +char *oidc_util_unescape_string(const request_rec *r, const char *str) { + CURL *curl = curl_easy_init(); + if (curl == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_unescape_string: curl_easy_init() error"); + return NULL; + } + char *result = curl_easy_unescape(curl, str, 0, 0); + if (result == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_unescape_string: curl_easy_unescape() error"); + return NULL; + } + char *rv = apr_pstrdup(r->pool, result); + curl_free(result); + curl_easy_cleanup(curl); + //ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_util_unescape_string: input=\"%s\", output=\"%s\"", str, rv); + return rv; +} + +/* + * get the URL that is currently being accessed + * TODO: seems hard enough, maybe look for other existing code...? + */ +char *oidc_get_current_url(const request_rec *r, const oidc_cfg *c) { + const apr_port_t port = r->connection->local_addr->port; + char *scheme, *port_str = "", *url; + apr_byte_t print_port = TRUE; +#ifdef APACHE2_0 + scheme = (char *) ap_http_method(r); +#else + scheme = (char *) ap_http_scheme(r); +#endif + if ((apr_strnatcmp(scheme, "https") == 0) && port == 443) + print_port = FALSE; + else if ((apr_strnatcmp(scheme, "http") == 0) && port == 80) + print_port = FALSE; + if (print_port) + port_str = apr_psprintf(r->pool, ":%u", port); + url = apr_pstrcat(r->pool, scheme, "://", + apr_table_get(r->headers_in, "Host"), port_str, r->uri, + (r->args != NULL && *r->args != '\0' ? "?" : ""), r->args, NULL); + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_get_current_url: current URL '%s'", url); + return url; +} + +/* maximum size of any response returned in HTTP calls */ +#define OIDC_CURL_MAX_RESPONSE_SIZE 65536 + +/* buffer to hold HTTP call responses */ +typedef struct oidc_curl_buffer { + char buf[OIDC_CURL_MAX_RESPONSE_SIZE]; + size_t written; +} oidc_curl_buffer; + +/* + * callback for CURL to write bytes that come back from an HTTP call + */ +size_t oidc_curl_write(const void *ptr, size_t size, size_t nmemb, void *stream) { + oidc_curl_buffer *curlBuffer = (oidc_curl_buffer *) stream; + + if ((nmemb * size) + curlBuffer->written >= OIDC_CURL_MAX_RESPONSE_SIZE) + return 0; + + memcpy((curlBuffer->buf + curlBuffer->written), ptr, (nmemb*size)); + curlBuffer->written += (nmemb * size); + + return (nmemb * size); +} + +/* context structure for encoding parameters */ +typedef struct oidc_http_encode_t { + request_rec *r; + const char *encoded_params; +} oidc_http_encode_t; + +/* + * add a url-form-encoded name/value pair + */ +static int oidc_http_add_form_url_encoded_param(void* rec, const char* key, + const char* value) { + // TODO: handle arrays of strings? + oidc_http_encode_t *ctx = (oidc_http_encode_t*) rec; + const char *sep = apr_strnatcmp(ctx->encoded_params, "") == 0 ? "" : "&"; + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, ctx->r, + "oidc_http_add_post_param: adding parameter: %s=%s to %s (sep=%s)", + key, value, ctx->encoded_params, sep); + ctx->encoded_params = apr_psprintf(ctx->r->pool, "%s%s%s=%s", + ctx->encoded_params, sep, oidc_util_escape_string(ctx->r, key), + oidc_util_escape_string(ctx->r, value)); + return 1; +} + +/* + * add a JSON name/value pair + */ +static int oidc_http_add_json_param(void* rec, const char* key, + const char* value) { + oidc_http_encode_t *ctx = (oidc_http_encode_t*) rec; + const char *sep = apr_strnatcmp(ctx->encoded_params, "") == 0 ? "" : ","; + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, ctx->r, + "oidc_http_add_json_param: adding parameter: %s=%s to %s", key, + value, ctx->encoded_params); + if (value[0] == '[') { + // TODO hacky hacky, we need an array so we already encoded it :-) + ctx->encoded_params = apr_psprintf(ctx->r->pool, "%s%s\"%s\" : %s", + ctx->encoded_params, sep, key, value); + } else { + ctx->encoded_params = apr_psprintf(ctx->r->pool, "%s%s\"%s\": \"%s\"", + ctx->encoded_params, sep, key, value); + } + return 1; +} + +/* + * execute a HTTP (GET or POST) request + */ +apr_byte_t oidc_util_http_call(request_rec *r, const char *url, int action, + const apr_table_t *params, const char *basic_auth, + const char *bearer_token, int ssl_validate_server, + const char **response, int timeout) { + char curlError[CURL_ERROR_SIZE]; + oidc_curl_buffer curlBuffer; + CURL *curl; + struct curl_slist *h_list = NULL; + int nr_of_params = (params != NULL) ? apr_table_elts(params)->nelts : 0; + + /* do some logging about the inputs */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_util_http_call: entering, url=%s, action=%d, #params=%d, basic_auth=%s, bearer_token=%s, ssl_validate_server=%d", + url, action, nr_of_params, basic_auth, bearer_token, + ssl_validate_server); + + curl = curl_easy_init(); + if (curl == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_http_call: curl_easy_init() error"); + return FALSE; + } + + /* some of these are not really required */ + curl_easy_setopt(curl, CURLOPT_HEADER, 0L); + curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L); + curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1L); + curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curlError); + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); + curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 5L); + + /* set the timeout */ + curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout); + + /* setup the buffer where the response will be written to */ + curlBuffer.written = 0; + memset(curlBuffer.buf, '\0', sizeof(curlBuffer.buf)); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, &curlBuffer); + curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, oidc_curl_write); + +#ifndef LIBCURL_NO_CURLPROTO + curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, + CURLPROTO_HTTP|CURLPROTO_HTTPS); + curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS); +#endif + + /* set the options for validating the SSL server certificate that the remote site presents */ + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, + (ssl_validate_server != FALSE ? 1L : 0L)); + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, + (ssl_validate_server != FALSE ? 2L : 0L)); + + /* identify this HTTP client */ + curl_easy_setopt(curl, CURLOPT_USERAGENT, "mod_auth_openidc"); + + /* see if we need to add token in the Bearer Authorization header */ + if (bearer_token != NULL) { + struct curl_slist *headers = NULL; + headers = curl_slist_append(headers, + apr_psprintf(r->pool, "Authorization: Bearer %s", + bearer_token)); + curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); + } + + /* see if we need to perform HTTP basic authentication to the remote site */ + if (basic_auth != NULL) { + curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); + curl_easy_setopt(curl, CURLOPT_USERPWD, basic_auth); + } + + /* the POST contents */ + oidc_http_encode_t data = { r, "" }; + + if (action == OIDC_HTTP_POST_JSON) { + + /* POST JSON data */ + + if (nr_of_params > 0) { + + /* add the parameters in JSON formatting */ + apr_table_do(oidc_http_add_json_param, &data, params, NULL); + /* surround it by brackets to make it a valid JSON object */ + data.encoded_params = apr_psprintf(r->pool, "{ %s }", + data.encoded_params); + + /* set the data and log the event */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_util_http_call: setting JSON parameters: %s", + data.encoded_params); + curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data.encoded_params); + } + + /* set HTTP method to POST */ + curl_easy_setopt(curl, CURLOPT_POST, 1); + + /* and overwrite the default url-form-encoded content-type */ +// h_list = curl_slist_append(h_list, +// "Content-type: application/json; charset=UTF-8"); + h_list = curl_slist_append(h_list, + "Content-type: application/json"); + + } else if (action == OIDC_HTTP_POST_FORM) { + + /* POST url-form-encoded data */ + + if (nr_of_params > 0) { + + apr_table_do(oidc_http_add_form_url_encoded_param, &data, params, + NULL); + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_util_http_call: setting post parameters: %s", + data.encoded_params); + curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data.encoded_params); + } // else: probably should warn here... + + /* CURLOPT_POST needed at least to set: Content-Type: application/x-www-form-urlencoded */ + curl_easy_setopt(curl, CURLOPT_POST, 1); + + } else if (nr_of_params > 0) { + + /* HTTP GET with #params > 0 */ + + apr_table_do(oidc_http_add_form_url_encoded_param, &data, params, NULL); + const char *sep = strchr(url, '?') != NULL ? "&" : "?"; + url = apr_psprintf(r->pool, "%s%s%s", url, sep, data.encoded_params); + + /* log that the URL has changed now */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_util_http_call: added query parameters to URL: %s", url); + } + + /* see if we need to add any custom headers */ + if (h_list != NULL) + curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h_list); + + /* set the target URL */ + curl_easy_setopt(curl, CURLOPT_URL, url); + + /* call it and record the result */ + int rv = TRUE; + if (curl_easy_perform(curl) != CURLE_OK) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_http_call: curl_easy_perform() failed on: %s (%s)", + url, curlError); + rv = FALSE; + goto out; + } + + *response = apr_pstrndup(r->pool, curlBuffer.buf, curlBuffer.written); + + /* set and log the response */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_util_http_call: response=%s", *response); + + out: + + /* cleanup and return the result */ + if (h_list != NULL) + curl_slist_free_all(h_list); + curl_easy_cleanup(curl); + + return rv; +} + +/* + * set a cookie in the HTTP response headers + */ +void oidc_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue) { + + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); + char *headerString, *currentCookies; + + /* construct the cookie value */ + headerString = apr_psprintf(r->pool, "%s=%s;Secure;Path=%s%s", cookieName, + cookieValue, oidc_get_cookie_path(r), + c->cookie_domain != NULL ? + apr_psprintf(r->pool, ";Domain=%s", c->cookie_domain) : ""); + + /* see if we need to clear the cookie */ + if (apr_strnatcmp(cookieValue, "") == 0) + headerString = apr_psprintf(r->pool, "%s;expires=0;Max-Age=0", + headerString); + + /* use r->err_headers_out so we always print our headers (even on 302 redirect) - headers_out only prints on 2xx responses */ + apr_table_add(r->err_headers_out, "Set-Cookie", headerString); + + /* see if we need to add it to existing cookies */ + if ((currentCookies = (char *) apr_table_get(r->headers_in, "Cookie")) + == NULL) + apr_table_add(r->headers_in, "Cookie", headerString); + else + apr_table_set(r->headers_in, "Cookie", + (apr_pstrcat(r->pool, headerString, ";", currentCookies, NULL))); + + /* do some logging */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_set_cookie: adding outgoing header: Set-Cookie: %s", + headerString); +} + +/* + * get a cookie from the HTTP request + */ +char *oidc_get_cookie(request_rec *r, char *cookieName) { + char *cookie, *tokenizerCtx, *rv = NULL; + + /* get the Cookie value */ + char *cookies = apr_pstrdup(r->pool, + (char *) apr_table_get(r->headers_in, "Cookie")); + + if (cookies != NULL) { + + /* tokenize on ; to find the cookie we want */ + cookie = apr_strtok(cookies, ";", &tokenizerCtx); + + do { + + while (cookie != NULL && *cookie == ' ') + cookie++; + + /* see if we've found the cookie that we're looking for */ + if (strncmp(cookie, cookieName, strlen(cookieName)) == 0) { + + /* skip to the meat of the parameter (the value after the '=') */ + cookie += (strlen(cookieName) + 1); + rv = apr_pstrdup(r->pool, cookie); + + break; + } + + /* go to the next cookie */ + cookie = apr_strtok(NULL, ";", &tokenizerCtx); + + } while (cookie != NULL); + } + + /* log what we've found */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, "oidc_get_cookie: returning %s", + rv); + + return rv; +} + +/* + * normalize a string for use as an HTTP Header Name. Any invalid + * characters (per http://tools.ietf.org/html/rfc2616#section-4.2 and + * http://tools.ietf.org/html/rfc2616#section-2.2) are replaced with + * a dash ('-') character. + */ +char *oidc_normalize_header_name(const request_rec *r, const char *str) { + /* token = 1* + * CTL = + * separators = "(" | ")" | "<" | ">" | "@" + * | "," | ";" | ":" | "\" | <"> + * | "/" | "[" | "]" | "?" | "=" + * | "{" | "}" | SP | HT */ + const char *separators = "()<>@,;:\\\"/[]?={} \t"; + + char *ns = apr_pstrdup(r->pool, str); + size_t i; + for (i = 0; i < strlen(ns); i++) { + if (ns[i] < 32 || ns[i] == 127) + ns[i] = '-'; + else if (strchr(separators, ns[i]) != NULL) + ns[i] = '-'; + } + return ns; +} + +/* + * see if the currently accessed path matches a path from a defined URL + */ +apr_byte_t oidc_util_request_matches_url(request_rec *r, const char *url) { + apr_uri_t uri; + apr_uri_parse(r->pool, url, &uri); + apr_byte_t rc = + (apr_strnatcmp(r->parsed_uri.path, uri.path) == 0) ? TRUE : FALSE; + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_request_matches_url: comparing \"%s\"==\"%s\" (%d)", + r->parsed_uri.path, uri.path, rc); + return rc; +} + +/* + * see if the currently accessed path has a certain query parameter + */ +apr_byte_t oidc_util_request_has_parameter(request_rec *r, const char* param) { + if (r->args == NULL) + return FALSE; + const char *option1 = apr_psprintf(r->pool, "%s=", param); + const char *option2 = apr_psprintf(r->pool, "&%s=", param); + return ((strstr(r->args, option1) == r->args) + || (strstr(r->args, option2) != NULL)) ? TRUE : FALSE; +} + +/* + * get a query parameter + */ +apr_byte_t oidc_util_get_request_parameter(request_rec *r, char *name, + char **value) { + // TODO: we should really check with ? and & and avoid any code= stuff to trigger true + char *tokenizer_ctx, *p, *args; + const char *k_param = apr_psprintf(r->pool, "%s=", name); + const size_t k_param_sz = strlen(k_param); + + *value = NULL; + + if (r->args == NULL || strlen(r->args) == 0) + return FALSE; + + /* not sure why we do this, but better be safe than sorry */ + args = apr_pstrndup(r->pool, r->args, strlen(r->args)); + + p = apr_strtok(args, "&", &tokenizer_ctx); + do { + if (p && strncmp(p, k_param, k_param_sz) == 0) { + *value = apr_pstrdup(r->pool, p + k_param_sz); + *value = oidc_util_unescape_string(r, *value); + } + p = apr_strtok(NULL, "&", &tokenizer_ctx); + } while (p); + + return (*value != NULL ? TRUE : FALSE); +} + +/* + * printout a JSON string value + */ +static apr_byte_t oidc_util_json_string_print(request_rec *r, + apr_json_value_t *result, const char *key, const char *log) { + apr_json_value_t *value = apr_hash_get(result->value.object, key, + APR_HASH_KEY_STRING); + if (value != NULL) { + if (value->type == APR_JSON_STRING) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s: response contained a \"%s\" key with string value: \"%s\"", + log, key, value->value.string.p); + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s: response contained an \"%s\" key but no string value", + log, key); + } + return TRUE; + } + return FALSE; +} + +/* + * check a JSON object for "error" results and printout + */ +static apr_byte_t oidc_util_check_json_error(request_rec *r, + apr_json_value_t *json) { + if (oidc_util_json_string_print(r, json, "error", + "oidc_util_check_json_error") == TRUE) { + oidc_util_json_string_print(r, json, "error_description", + "oidc_util_check_json_error"); + return TRUE; + } + return FALSE; +} + +/* + * decode a JSON string, check for "error" results and printout + */ +apr_byte_t oidc_util_decode_json_and_check_error(request_rec *r, + const char *str, apr_json_value_t **json) { + + /* decode the JSON contents of the buffer */ + if (apr_json_decode(json, str, strlen(str), r->pool) != APR_SUCCESS) { + /* something went wrong */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_check_json_error: JSON parsing returned an error"); + return FALSE; + } + + if ((*json == NULL) || ((*json)->type != APR_JSON_OBJECT)) { + /* oops, no JSON */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_check_json_error: parsed JSON did not contain a JSON object"); + return FALSE; + } + + // see if it is not an error response somehow + if (oidc_util_check_json_error(r, *json) == TRUE) + return FALSE; + + return TRUE; +} + +/* + * sends HTML content to the user agent + */ +int oidc_util_http_sendstring(request_rec *r, const char *html, int success_rvalue) { + ap_set_content_type(r, "text/html"); + apr_bucket_brigade *bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); + apr_bucket *b = apr_bucket_transient_create(html, strlen(html), r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, b); + b = apr_bucket_eos_create(r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, b); + if (ap_pass_brigade(r->output_filters, bb) != APR_SUCCESS) + return HTTP_INTERNAL_SERVER_ERROR; + //r->status = success_rvalue; + return success_rvalue; +} + +int oidc_base64url_decode_rsa_verify(request_rec *r, const char *alg, const char *signature, const char *message, const char *modulus, const char *exponent) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_base64url_decode_rsa_verify: alg = \"%s\"", alg); + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_base64url_decode_rsa_verify: signature = \"%s\"", signature); + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_base64url_decode_rsa_verify: message = \"%s\"", message); + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_base64url_decode_rsa_verify: modulus = \"%s\"", modulus); + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_base64url_decode_rsa_verify: exponent = \"%s\"", exponent); + + unsigned char *mod = NULL; + int mod_len = oidc_base64url_decode(r, (char **)&mod, modulus, 1); + + unsigned char *exp = NULL; + int exp_len = oidc_base64url_decode(r, (char **)&exp, exponent, 1); + + unsigned char *sig = NULL; + int sig_len = oidc_base64url_decode(r, (char **)&sig, signature, 1); + + return oidc_crypto_rsa_verify(r, alg, sig, sig_len, (unsigned char *)message, strlen(message), mod, mod_len, exp, exp_len); +} + +/* + * read all bytes from the HTTP request + */ +static apr_byte_t oidc_util_read(request_rec *r, const char **rbuf) { + + if (ap_setup_client_block(r, REQUEST_CHUNKED_ERROR) != OK) + return FALSE; + + if (ap_should_client_block(r)) { + + char argsbuffer[HUGE_STRING_LEN]; + int rsize, len_read, rpos = 0; + long length = r->remaining; + *rbuf = apr_pcalloc(r->pool, length + 1); + + while ((len_read = ap_get_client_block(r, argsbuffer, + sizeof(argsbuffer))) > 0) { + if ((rpos + len_read) > length) { + rsize = length - rpos; + } else { + rsize = len_read; + } + memcpy((char*)*rbuf + rpos, argsbuffer, rsize); + rpos += rsize; + } + } + + return TRUE; +} + +/* + * read the POST parameters in to a table + */ + apr_byte_t oidc_util_read_post(request_rec *r, apr_table_t *table) { + const char *data = NULL; + const char *key, *val; + + if (r->method_number != M_POST) + return FALSE; + + if (oidc_util_read(r, &data) != TRUE) + return FALSE; + + while (data && *data && (val = ap_getword(r->pool, &data, '&'))) { + key = ap_getword(r->pool, &val, '='); + key = oidc_util_unescape_string(r, key); + val = oidc_util_unescape_string(r, val); + //ap_unescape_url((char*) key); + //ap_unescape_url((char*) val); + apr_table_set(table, key, val); + } + + return TRUE; +} + + // TODO: check return values + apr_byte_t oidc_util_generate_random_base64url_encoded_value(request_rec *r, int randomLen, char **randomB64) { + unsigned char *brnd = apr_pcalloc(r->pool, randomLen); + apr_generate_random_bytes((unsigned char *) brnd, randomLen); + *randomB64 = apr_palloc(r->pool, apr_base64_encode_len(randomLen) + 1); + char *enc = *randomB64; + apr_base64_encode(enc, (const char *) brnd, randomLen); + int i = 0; + while (enc[i] != '\0') { + if (enc[i] == '+') + enc[i] = '-'; + if (enc[i] == '/') + enc[i] = '_'; + if (enc[i] == '=') + enc[i] = ','; + i++; + } + return TRUE; + } + +/* + * read a file from a path on disk + */ +apr_byte_t oidc_util_file_read(request_rec *r, const char *path, + char **result) { + apr_file_t *fd = NULL; + apr_status_t rc = APR_SUCCESS; + char s_err[128]; + apr_finfo_t finfo; + + /* open the file if it exists */ + if ((rc = apr_file_open(&fd, path, APR_FOPEN_READ | APR_FOPEN_BUFFERED, + APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "oidc_util_file_read: no file found at: \"%s\"", + path); + return FALSE; + } + + /* the file exists, now lock it */ + apr_file_lock(fd, APR_FLOCK_EXCLUSIVE); + + /* move the read pointer to the very start of the cache file */ + apr_off_t begin = 0; + apr_file_seek(fd, APR_SET, &begin); + + /* get the file info so we know its size */ + if ((rc = apr_file_info_get(&finfo, APR_FINFO_SIZE, fd)) != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_file_read: error calling apr_file_info_get on file: \"%s\" (%s)", + path, apr_strerror(rc, s_err, sizeof(s_err))); + goto error_close; + } + + /* now that we have the size of the file, allocate a buffer that can contain its contents */ + *result = apr_palloc(r->pool, finfo.size + 1); + + /* read the file in to the buffer */ + apr_size_t bytes_read = 0; + if ((rc = apr_file_read_full(fd, *result, finfo.size, &bytes_read)) + != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_file_read: apr_file_read_full on (%s) returned an error: %s", + path, apr_strerror(rc, s_err, sizeof(s_err))); + goto error_close; + } + + /* just to be sure, we set a \0 (we allocated space for it anyway) */ + (*result)[bytes_read] = '\0'; + + /* check that we've got all of it */ + if (bytes_read != finfo.size) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_file_read: apr_file_read_full on (%s) returned less bytes (%" APR_SIZE_T_FMT ") than expected: (%" APR_OFF_T_FMT ")", + path, bytes_read, finfo.size); + goto error_close; + } + + /* we're done, unlock and close the file */ + apr_file_unlock(fd); + apr_file_close(fd); + + /* log successful content retrieval */ + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_util_file_read: file read successfully \"%s\"", path); + + return TRUE; + +error_close: + + apr_file_unlock(fd); + apr_file_close(fd); + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_file_read: returning error"); + + return FALSE; +} + +/* + * see if two provided issuer identifiers match (cq. ignore trailing slash) + */ +apr_byte_t oidc_util_issuer_match(const char *a, const char *b) { + + /* check the "issuer" value against the one configure for the provider we got this id_token from */ + if (strcmp(a, b) != 0) { + + /* no strict match, but we are going to accept if the difference is only a trailing slash */ + int n1 = strlen(a); + int n2 = strlen(b); + int n = ((n1 == n2 + 1) && (a[n1 - 1] == '/')) ? + n2 : (((n2 == n1 + 1) && (b[n2 - 1] == '/')) ? n1 : 0); + if ((n == 0) || (strncmp(a, b, n) != 0)) + return FALSE; + } + + return TRUE; +} + +/* + * send a user-facing error to the browser + * TODO: more templating + */ +int oidc_util_html_send_error(request_rec *r, const char *error, const char *description, int status_code) { + char *msg = "

the OpenID Connect Provider returned an error:

"; + + if (error != NULL) { + msg = apr_psprintf(r->pool, "%s

Error: 

%s

", msg, + error); + } + if (description != NULL) { + msg = apr_psprintf(r->pool, "%s

Description: 

%s

", + msg, description); + } + + return oidc_util_http_sendstring(r, msg, status_code); +} + +/* + * see if a certain string value is part of a JSON array with string elements + */ +apr_byte_t oidc_util_json_array_has_value(request_rec *r, + apr_json_value_t *haystack, const char *needle) { + + ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, + "oidc_util_json_array_has_value: entering (%s)", needle); + + if ( (haystack == NULL) || (haystack->type != APR_JSON_ARRAY) ) return FALSE; + + int i; + for (i = 0; i < haystack->value.array->nelts; i++) { + apr_json_value_t *elem = APR_ARRAY_IDX(haystack->value.array, i, + apr_json_value_t *); + if (elem->type != APR_JSON_STRING) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "oidc_util_json_array_has_value: unhandled in-array JSON non-string object type [%d]", + elem->type); + continue; + } + if (strcmp(elem->value.string.p, needle) == 0) { + break; + } + } + +// ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r, +// "oidc_util_json_array_has_value: returning (%d=%d)", i, +// haystack->value.array->nelts); + + return (i == haystack->value.array->nelts) ? FALSE : TRUE; +} diff --git a/test/.gitignore b/test/.gitignore new file mode 100644 index 00000000..087313a4 --- /dev/null +++ b/test/.gitignore @@ -0,0 +1 @@ +/jmeter.log diff --git a/test/mod_auth_openidc.jmx b/test/mod_auth_openidc.jmx new file mode 100644 index 00000000..23e9f9b5 --- /dev/null +++ b/test/mod_auth_openidc.jmx @@ -0,0 +1,788 @@ + + + + + + false + false + + + + APP_SERVER + localhost.pingidentity.nl + = + + + APP_PORT + 443 + = + + + APP_PATH_USER + /protected/index.php?param=sample + = + + + AS_HOST + localhost + = + + + AS_PORT + 9031 + = + + + AS_PATH_TOKEN + /as/token.oauth2 + = + + + AS_CLIENT_ID + ro_client + false + = + + + AS_USERNAME + joe + false + = + + + AS_PASSWORD + 2Federate + false + = + + + APP_PATH_ACCESS + /protected2/ + = + + + + + + + + stoptest + + false + 10 + + 25 + 0 + 1299167831000 + 1299167831000 + false + + + + + + + + + true + piet + = + true + jan + + + + ${APP_SERVER} + ${APP_PORT} + + + https + + ${APP_PATH_USER} + GET + false + false + true + false + HttpClient4 + false + + + + + true + AuthorizationRequestPath + Location: https://(.*?)/(.*) + $2$ + REGEX_FAILED + 1 + + + + + + + + ${AS_HOST} + ${AS_PORT} + + + https + + /${AuthorizationRequestPath} + GET + false + false + true + false + HttpClient4 + false + + + + + false + AuthzResumePath + <form method=\"GET\" action=\"(.+)\"> + $1$ + REGEX_FAILED + 1 + + + + + + + + true + OTIdPJava + = + true + pfidpadapterid + + + + ${AS_HOST} + ${AS_PORT} + + + https + + ${AuthzResumePath} + GET + true + false + true + false + HttpClient4 + false + + + + + false + ResumeParam + <input type=\"hidden\" name=\"resume\" value=\"(.+)\"> + $1$ + REGEX_FAILED + 1 + + + + + + + + true + ${ResumeParam} + = + true + resume + + + true + ${USERNAME} + = + true + userName + + + true + ${PASSWORD} + = + true + password + + + + ${AS_HOST} + ${AS_PORT} + + + https + + /IdpSample/MainPage?cmd=login + POST + false + false + true + false + HttpClient4 + false + + + + + true + ResumePath + Location: https://(.*?)/(.*) + $2$ + REGEX_FAILED + 1 + + + + + + + + ${AS_HOST} + ${AS_PORT} + + + https + + ${ResumePath} + POST + false + false + true + false + HttpClient4 + false + + + + + true + RedirectURIPath + Location: https://(.*?)/(.*)# + $2$ + REGEX_FAILED + 1 + + + + true + StateFragment + Location: https://(.*?)#(.*?)state=(.*?)& + $3$ + REGEX_FAILED + 1 + + + + true + IDTokenFragment + Location: https://(.*?)#(.*?)id_token=(.*) + $3$ + REGEX_FAILED + 1 + + + + + + + + false + ${StateFragment} + = + true + state + + + false + ${IDTokenFragment} + = + true + id_token + + + + ${APP_SERVER} + ${APP_PORT} + + + https + + /${RedirectURIPath} + POST + false + false + true + false + HttpClient4 + false + + + + + true + ApplicationPath + Location: https://(.*?)/(.*) + $2$ + REGEX_FAILED + 1 + + + + + + + + true + ${ResumeParam} + = + true + resume + + + true + ${USERNAME} + = + true + userName + + + true + ${PASSWORD} + = + true + password + + + + ${AS_HOST} + ${AS_PORT} + + + https + + /IdpSample/MainPage?cmd=login + POST + true + false + true + false + HttpClient4 + false + + + + + false + cSRFTokenParam + <input type=\"hidden\" name=\"cSRFToken\" value=\"(.+)\"/> + $1$ + REGEX_FAILED + 1 + + + + + + + + true + true + = + true + check-user-approved-scope + + + true + openid + = + true + scope + + + true + email + = + true + scope + + + true + profile + = + true + scope + + + true + ${cSRFTokenParam} + = + true + cSRFToken + + + true + allow + = + true + pf.oauth.authz.consent + + + + ${AS_HOST} + ${AS_PORT} + + + https + + ${AuthzResumePath} + POST + false + false + true + false + HttpClient4 + false + + + + + true + LocationPath + Location: https://(.*?)/(.*) + $2$ + REGEX_FAILED + 1 + + + + + + + + ${APP_SERVER} + ${APP_PORT} + + + https + + /${LocationPath} + POST + false + false + true + false + HttpClient4 + false + + + + + true + ApplicationPath + Location: https://(.*?)/(.*) + $2$ + REGEX_FAILED + 1 + + + + + + + OIDC_CLAIM_BOGUS + bogus + + + + + + true + 10 + + + + + + + ${APP_SERVER} + ${APP_PORT} + + + https + + /${ApplicationPath} + GET + false + false + true + false + HttpClient4 + false + + + + + + \[OIDC_CLAIM_sub\] => ${USERNAME} + + Assertion.response_data + false + 2 + + + + + \[OIDC_CLAIM_BOGUS\] => bogus + + Assertion.response_data + false + 6 + + + + + + + true + rfc2109 + + + + , + + users.txt + false + true + shareMode.all + false + USERNAME,PASSWORD + + + + + stoptest + + false + 10 + + 25 + 0 + 1388176686000 + 1388176686000 + false + + + + + + + + + false + ${AS_CLIENT_ID} + = + true + client_id + + + false + password + = + true + grant_type + + + false + ${AS_USERNAME} + = + true + username + + + false + ${AS_PASSWORD} + = + true + password + + + + ${AS_HOST} + ${AS_PORT} + + + https + + ${AS_PATH_TOKEN} + POST + false + false + true + false + false + + + + + false + AccessToken + \"access_token\":\"(.+)\" + $1$ + REGEX_FAILED + 1 + + + + + + + Authorization + bearer ${AccessToken} + + + + + + true + 10 + + + + + + + ${APP_SERVER} + ${APP_PORT} + + + https + + ${APP_PATH_ACCESS} + GET + false + false + true + false + false + + + + + + ${AS_USERNAME}\*\*\* + + Assertion.response_data + false + 2 + + + + + + + true + + saveConfig + + + true + true + true + + true + true + true + true + false + false + false + false + false + false + true + false + false + false + false + 0 + + + + + + + false + + saveConfig + + + true + true + true + + true + true + true + true + false + true + true + false + false + false + false + false + false + false + false + 0 + true + + + + + + + false + + saveConfig + + + true + true + true + + true + true + true + true + false + true + true + false + false + false + false + false + false + false + false + 0 + true + + + + + + + + diff --git a/test/users.txt b/test/users.txt new file mode 100644 index 00000000..caab3c51 --- /dev/null +++ b/test/users.txt @@ -0,0 +1,3 @@ +joe,test +sarah,test +idp,test