send HTTP 200 on state expiry; fixes #467

- if content was already returned via html/http send then don't return 500 but send 200 to avoid extraneous internal error document text to be sent on some Apache 2.4.x versions e.g. CentOS 7 - bump to 2.4.2rc1 Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
OpenIDC · Feb 19, 2020 · a1d982d · a1d982d
1 parent a706d15
commit a1d982d
Show file tree

Hide file tree

Showing 4 changed files with 198 additions and 31 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+02/19/2020
+- if content was already returned via html/http send then don't return 500
+  but send 200 to avoid extraneous internal error document text to be sent
+  on some Apache 2.4.x versions e.g. CentOS 7
+- bump to 2.4.2rc1
+
 02/03/2020
 - if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and x5t#256 
   parameters will be added to the generated jwkset available at "<redirect_uri>?jwks=rsa"

diff --git a/Dockerfile b/Dockerfile
@@ -1,37 +1,195 @@
-FROM ubuntu:bionic
-MAINTAINER hans.zandbelt@zmartzone.eu
+FROM centos:latest
 
-RUN apt-get update && apt-get install -y pkg-config make gcc gdb lcov valgrind vim curl iputils-ping wget
-RUN apt-get update && apt-get install -y autoconf automake libtool
-RUN apt-get update && apt-get install -y libssl-dev libjansson-dev libcurl4-openssl-dev check
-#RUN apt-get update && apt-get install -y libcjose-dev
-RUN apt-get update && apt-get install -y apache2 apache2-dev
+# systemd integration (see https://hub.docker.com/_/centos)
+ENV container docker
+RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
+systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*;
+VOLUME [ "/sys/fs/cgroup" ]
+CMD ["/usr/sbin/init"]
 
-RUN apt-get update && apt-get install -y libpcre3-dev zlib1g-dev
+# enable powertools repo
+RUN sed -i '/enabled\=0/s/0$/1/' /etc/yum.repos.d/CentOS-PowerTools.repo
 
-RUN wget https://mod-auth-openidc.org/download/libcjose0_0.6.1.5-1~bionic+1_amd64.deb
-RUN wget https://mod-auth-openidc.org/download/libcjose-dev_0.6.1.5-1~bionic+1_amd64.deb
-RUN dpkg -i libcjose0_0.6.1.5-1~bionic+1_amd64.deb
-RUN dpkg -i libcjose-dev_0.6.1.5-1~bionic+1_amd64.deb
+# enable debuginfo repo
+RUN sed -i '/enabled\=0/s/0$/1/' /etc/yum.repos.d/CentOS-Debuginfo.repo
 
-RUN a2enmod ssl
-RUN a2ensite default-ssl
+# install dependencies
+RUN yum install -y \
+        bzip2 \ 
+        gcc \
+        gcc-c++ \
+        make \
+        expat-devel.x86_64 \
+        pcre-devel.x86_64 \
+        openssl-devel.x86_64 \
+        libxml2-devel.x86_64 \
+        yajl-devel.x86_64 \
+        ruby-devel.x86_64 \
+        zlib-devel.x86_64 \
+        jansson-devel.x86_64 \
+        libcurl-devel.x86_64 \
+        autoconf \
+        automake \
+        gdb
 
-RUN echo "/usr/sbin/apache2ctl start && tail -f /var/log/apache2/error.log " >> /root/run.sh
-RUN chmod a+x /root/run.sh
+# install debuginfo
+RUN yum debuginfo-install -y \
+        expat-2.2.5-3.el8.x86_64 \
+        glibc-2.28-72.el8.x86_64 \
+        jansson-2.11-3.el8.x86_64 \
+        keyutils-libs-1.5.10-6.el8.x86_64 \
+        krb5-libs-1.17-9.el8.x86_64 \
+        libblkid-2.32.1-17.el8.x86_64 \
+        libcap-2.26-1.el8.x86_64 \
+        libcom_err-1.44.6-3.el8.x86_64 \
+        libcurl-minimal-7.61.1-11.el8.x86_64 \
+        libgcc-8.3.1-4.5.el8.x86_64 \
+        libmount-2.32.1-17.el8.x86_64 \
+        libnghttp2-1.33.0-1.el8_0.1.x86_64 \
+        libselinux-2.9-2.1.el8.x86_64 \
+        libuuid-2.32.1-17.el8.x86_64 \
+        libxcrypt-4.1.1-4.el8.x86_64 \
+        openssl-libs-1.1.1c-2.el8.x86_64 \
+        pcre-8.42-4.el8.x86_64 \
+        pcre2-10.32-1.el8.x86_64 \
+        systemd-libs-239-18.el8_1.1.x86_64 \
+        zlib-1.2.11-10.el8.x86_64
 
-COPY . /root/mod_auth_openidc
-WORKDIR /root/mod_auth_openidc
+# download and install hiredis
+RUN mkdir -p /usr/src/rpm
+RUN curl -L -o /usr/src/rpm/hiredis-0.13.3-12.el8.x86_64.rpm \
+        https://cbs.centos.org/kojifiles/packages/hiredis/0.13.3/12.el8/x86_64/hiredis-0.13.3-12.el8.x86_64.rpm
+RUN curl -L -o /usr/src/rpm/hiredis-devel-0.13.3-12.el8.x86_64.rpm \
+        https://cbs.centos.org/kojifiles/packages/hiredis/0.13.3/12.el8/x86_64/hiredis-devel-0.13.3-12.el8.x86_64.rpm
+RUN curl -L -o /usr/src/rpm/hiredis-debuginfo-0.13.3-12.el8.x86_64.rpm \
+        https://cbs.centos.org/kojifiles/packages/hiredis/0.13.3/12.el8/x86_64/hiredis-debuginfo-0.13.3-12.el8.x86_64.rpm
+RUN curl -L -o /usr/src/rpm/hiredis-debugsource-0.13.3-12.el8.x86_64.rpm \
+        https://cbs.centos.org/kojifiles/packages/hiredis/0.13.3/12.el8/x86_64/hiredis-debugsource-0.13.3-12.el8.x86_64.rpm
+RUN yum install -y /usr/src/rpm/hiredis-0.13.3-12.el8.x86_64.rpm \
+        /usr/src/rpm/hiredis-devel-0.13.3-12.el8.x86_64.rpm \
+        /usr/src/rpm/hiredis-debuginfo-0.13.3-12.el8.x86_64.rpm \
+        /usr/src/rpm/hiredis-debugsource-0.13.3-12.el8.x86_64.rpm
 
-RUN ./autogen.sh
-RUN ./configure CFLAGS="-g -O0" LDFLAGS="-lrt"
-#-I/usr/include/apache2
-RUN make clean && make test 
-RUN make install
+# download and install cjose
+RUN curl -L -o /usr/src/rpm/cjose-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm \
+        http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/cjose-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm
+RUN curl -L -o /usr/src/rpm/cjose-devel-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm \
+        http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/cjose-devel-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm
+RUN curl -L -o /usr/src/rpm/cjose-debuginfo-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm \
+        http://debuginfo.centos.org/8/x86_64/Packages/cjose-debuginfo-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm
+RUN curl -L -o /usr/src/rpm/cjose-debugsource-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm \
+        http://debuginfo.centos.org/8/x86_64/Packages/cjose-debugsource-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm
+RUN yum install -y /usr/src/rpm/cjose-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm \
+        /usr/src/rpm/cjose-devel-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm \
+        /usr/src/rpm/cjose-debuginfo-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm \
+        /usr/src/rpm/cjose-debugsource-0.6.1-2.module_el8.0.0+13+fe691f1d.x86_64.rpm
 
-WORKDIR /root
+# compile apr
+RUN mkdir -p /usr/src/apache
+#RUN curl -L -o /usr/src/apache/apr-1.6.5.tar.bz2 \
+#        https://downloads.apache.org/apr/apr-1.6.5.tar.bz2
+#RUN tar -C /usr/src/apache -xjf /usr/src/apache/apr-1.6.5.tar.bz2
+#RUN cd /usr/src/apache/apr-1.6.5 && \
+#        ./configure --prefix=/usr/local/apr && \
+#        make && \
+#        make install && \
+#        cd -
 
-ADD openidc.conf /etc/apache2/conf-available
-RUN a2enconf openidc
-RUN /usr/sbin/apache2ctl start
+#RUN yum install -y apr-devel libuuid-devel redhat-rpm-config
 
+# compile apr-util
+#RUN curl -L -o /usr/src/apache/apr-util-1.6.1.tar.bz2 \
+#        https://downloads.apache.org/apr/apr-util-1.6.1.tar.bz2
+#RUN tar -C /usr/src/apache -xjf /usr/src/apache/apr-util-1.6.1.tar.bz2
+#RUN cd /usr/src/apache/apr-util-1.6.1 && \
+#        ./configure --prefix=/usr/local/apr --with-apr=/usr/local/apr && \
+#        make && \
+#        make install && \
+#        cd -
+
+#RUN cd /usr/src/apache/apr-util-1.6.1 && \
+#        ./configure --prefix=/usr/local/apr --with-apr=/usr && \
+#        make && \
+#        make install && \
+#        cd -
+
+#RUN yum install -y apr-devel apr-util-devel redhat-rpm-config
+
+# compile httpd
+#RUN curl -L -o /usr/src/apache/httpd-2.4.41.tar.bz2 \
+#        https://downloads.apache.org//httpd/httpd-2.4.41.tar.bz2
+#RUN tar -C /usr/src/apache -xjf /usr/src/apache/httpd-2.4.41.tar.bz2
+#RUN cd /usr/src/apache/httpd-2.4.41 && \
+#        ./configure --prefix=/opt/apache-2.4.41 \
+#            --with-apr=/usr/local/apr/bin/apr-1-config \
+#            --with-apr-util=/usr/local/apr/bin/apu-1-config \
+#            --enable-mpms-shared=event \
+#            --enable-mods-shared=all \
+#            --enable-nonportable-atomics=yes && \
+#        make && \
+#        make install && \
+#        cd -
+#RUN cd /usr/src/apache/httpd-2.4.41 && \
+#        ./configure --prefix=/opt/apache-2.4.41 \
+#            --with-apr-util=/usr/local/apr/bin/apu-1-config \
+#            --enable-mpms-shared=event \
+#            --enable-mods-shared=all \
+#            --enable-nonportable-atomics=yes && \
+#        make && \
+#        make install && \
+#        cd -
+
+RUN yum install -y httpd mod_ssl httpd httpd-devel redhat-rpm-config
+
+# compile mod_auth_openidc
+RUN mkdir -p /usr/src/mod_auth_openidc
+ADD . /usr/src/mod_auth_openidc
+#RUN curl -L -o /usr/src/mod_auth_openidc/mod_auth_openidc-2.4.1.tar.gz \
+#        https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.4.1/mod_auth_openidc-2.4.1.tar.gz
+#RUN tar -C /usr/src/mod_auth_openidc -xf /usr/src/mod_auth_openidc/mod_auth_openidc-2.4.1.tar.gz
+#ENV APR_LIBS=-L/usr/local/apr/lib
+#ENV APR_CFLAGS=-I/usr/local/apr/include
+#RUN sed -i '1 s/^.*$/\#\!\/usr\/bin\/perl -w/' /opt/apache-2.4.41/bin/apxs
+#RUN cd /usr/src/mod_auth_openidc/mod_auth_openidc-2.4.1 && \
+#        ./autogen.sh && \
+#        ./configure CFLAGS="-g" --with-apxs2=/opt/apache-2.4.41/bin/apxs \
+#            --with-apr=/usr/local/apr/bin/apr-1-config \
+#            --with-apr-util=/usr/local/apr/bin/apu-1-config && \
+#        make && \
+#        make install && \
+#        cd -
+
+ENV APXS2_OPTS="-S LIBEXECDIR=/usr/lib64/httpd/modules/"
+RUN cd /usr/src/mod_auth_openidc && \
+        ./autogen.sh && \
+        ./configure CFLAGS="-g -I/usr/include/httpd" && \
+        make clean && make && \
+        make install && \
+        cd -
+
+#RUN cd /usr/src/mod_auth_openidc/mod_auth_openidc-2.4.1 && \
+#        ./autogen.sh && \
+#        ./configure CFLAGS="-g" --with-apxs2=/opt/apache-2.4.41/bin/apxs \
+#            --with-apr-util=/usr/local/apr/bin/apu-1-config && \
+#        make && \
+#        make install && \
+#        cd -
+
+# create coredump directory
+RUN mkdir -p /tmp/coredump
+RUN chmod 0777 /tmp/coredump
+
+# copy the httpd.conf
+#COPY httpd.conf /opt/apache-2.4.41/conf/httpd.conf
+COPY httpd.conf /etc/httpd/conf/httpd.conf
+
+# set ulimit for apachectl
+#RUN sed -i '1 a ulimit -c unlimited' /opt/apache-2.4.41/bin/apachectl
+RUN sed -i '1 a ulimit -c unlimited' /usr/sbin/apachectl
diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.2rc0],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_auth_openidc],[2.4.2rc1],[hans.zandbelt@zmartzone.eu])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -2046,8 +2046,8 @@ static int oidc_handle_authorization_response(request_rec *r, oidc_cfg *c,
 
 	/* match the returned state parameter against the state stored in the browser */
 	if (oidc_authorization_response_match_state(r, c,
-			apr_table_get(params, OIDC_PROTO_STATE), &provider,
-			&proto_state) == FALSE) {
+			apr_table_get(params, OIDC_PROTO_STATE), &provider, &proto_state)
+			== FALSE) {
 		if (c->default_sso_url != NULL) {
 			oidc_warn(r,
 					"invalid authorization response state; a default SSO URL is set, sending the user there: %s",
@@ -2057,7 +2057,10 @@ static int oidc_handle_authorization_response(request_rec *r, oidc_cfg *c,
 		}
 		oidc_error(r,
 				"invalid authorization response state and no default SSO URL is set, sending an error...");
-		return HTTP_INTERNAL_SERVER_ERROR;
+		// if content was already returned via html/http send then don't return 500
+		// but send 200 to avoid extraneous internal error document text to be sent
+		return ((r->user) && (strncmp(r->user, "", 1) == 0)) ?
+				OK : HTTP_INTERNAL_SERVER_ERROR;
 	}
 
 	/* see if the response is an error response */