Support the newer mod_auth_cas config options

mod_auth_cas supports a number of per-directory options
https://github.com/Jasig/mod_auth_cas/blob/master/README#L333-384

A number of the options aren't supported in directory stanzas
despite what the documentation suggests. The options are
supported globally and in vhost configurations, so they're
supported there accordingly.
https://github.com/Jasig/mod_auth_cas/blob/master/README#L386-413

README.md

@@ -1386,6 +1386,10 @@ The `cas_login_url` and `cas_validate_url` parameters are required; several othe
 
 **Parameters within `apache::mod::auth_cas`**:
 
+- `cas_attribute_prefix`: Adds a header with the value of this header being the attribute values when SAML
+  validation is enabled. Default: CAS_
+- `cas_attribute_delimiter`: The delimiter between attribute values in the header created by `cas_attribute_prefix`.
+  Default: ,
 - `cas_authoritative`: Determines whether an optional authorization directive is authoritative and binding. Default: undef.
 - `cas_certificate_path`: Sets the path to the X509 certificate of the Certificate Authority for the server in `cas_login_url` and `cas_validate_url`. Default: undef.
 - `cas_cache_clean_interval`: Sets the minimum number of seconds that must pass between cache cleanings. Default: undef.
@@ -1396,8 +1400,11 @@ The `cas_login_url` and `cas_validate_url` parameters are required; several othe
 - `cas_idle_timeout`: Default: undef.
 - `cas_login_url`: **Required**. Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don't have an active session.
 - `cas_root_proxied_as`: Sets the URL end users see when access to this Apache server is proxied. Default: undef.
+- `cas_scrub_request_headers`: Remove inbound request headers that may have special meaning within mod_auth_cas.
+- `cas_sso_enabled`: Enables experimental support for single sign out (may mangle POST data). Default: off
 - `cas_timeout`: Limits the number of seconds a `mod_auth_cas` session can remain active. Default: undef.
 - `cas_validate_depth`: Limits the depth for chained certificate validation. Default: undef.
+- `cas_validate_saml`: Parse response from CAS server for SAML. Default: Off
 - `cas_validate_url`: **Required**. Sets the URL to use when validating a client-presented ticket in an HTTP query string.
 - `cas_version`: The CAS protocol version to adhere to. Valid options: '1', '2'. Default: '2'.
 
@@ -2074,6 +2081,40 @@ Sets the [`AllowEncodedSlashes`][] declaration for the virtual host, overriding
 
 Specifies the list of things to which Apache blocks access. Valid option: 'scm', which blocks web access to `.svn`, `.git`, and `.bzr` directories. Default: an empty [array][].
 
+##### `cas_attribute_prefix`
+
+Adds a header with the value of this header being the attribute values when SAML validation is enabled. Defaults to
+the value set by [`apache::mod::auth_cas`][]
+
+##### `cas_attribute_delimiter`
+
+The delimiter between attribute values in the header created by `cas_attribute_prefix`.  Defaults to the value
+set by [`apache::mod::auth_cas`][]
+
+##### `cas_login_url`
+
+Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and
+don't have an active session. Defaults to the value set by [`apache::mod::auth_cas`][]
+
+##### `cas_scrub_request_headers`
+
+Remove inbound request headers that may have special meaning within mod_auth_cas. Defaults to the value
+set by [`apache::mod::auth_cas`][]
+
+##### `cas_sso_enabled`
+
+Enables experimental support for single sign out (may mangle POST data). Defaults to the value
+set by [`apache::mod::auth_cas`][]
+
+##### `cas_validate_saml`
+
+Parse response from CAS server for SAML. Defaults to the value set by [`apache::mod::auth_cas`][]
+
+##### `cas_validate_url`
+
+Sets the URL to use when validating a client-presented ticket in an HTTP query string. Defaults to the value set by
+[`apache::mod::auth_cas`][]
+
 ##### `custom_fragment`
 
 Passes a string of custom configuration directives to place at the end of the virtual host configuration. Default: undef.

manifests/mod/auth_cas.pp

@@ -1,21 +1,26 @@
 class apache::mod::auth_cas (
   $cas_login_url,
   $cas_validate_url,
-  $cas_cookie_path          = $::apache::params::cas_cookie_path,
-  $cas_version              = 2,
-  $cas_debug                = 'Off',
-  $cas_validate_depth       = undef,
-  $cas_certificate_path     = undef,
-  $cas_proxy_validate_url   = undef,
-  $cas_root_proxied_as      = undef,
-  $cas_cookie_entropy       = undef,
-  $cas_timeout              = undef,
-  $cas_idle_timeout         = undef,
-  $cas_cache_clean_interval = undef,
-  $cas_cookie_domain        = undef,
-  $cas_cookie_http_only     = undef,
-  $cas_authoritative        = undef,
-  $suppress_warning         = false,
+  $cas_cookie_path           = $::apache::params::cas_cookie_path,
+  $cas_version               = 2,
+  $cas_debug                 = 'Off',
+  $cas_validate_depth        = undef,
+  $cas_certificate_path      = undef,
+  $cas_proxy_validate_url    = undef,
+  $cas_root_proxied_as       = undef,
+  $cas_cookie_entropy        = undef,
+  $cas_timeout               = undef,
+  $cas_idle_timeout          = undef,
+  $cas_cache_clean_interval  = undef,
+  $cas_cookie_domain         = undef,
+  $cas_cookie_http_only      = undef,
+  $cas_authoritative         = undef,
+  $cas_validate_saml         = undef,
+  $cas_sso_enabled           = undef,
+  $cas_attribute_prefix      = undef,
+  $cas_attribute_delimiter   = undef,
+  $cas_scrub_request_headers = undef,
+  $suppress_warning          = false,
 ) inherits ::apache::params {
 
   validate_string($cas_login_url, $cas_validate_url, $cas_cookie_path)

manifests/vhost.pp

@@ -152,6 +152,13 @@
   $keepalive                   = undef,
   $keepalive_timeout           = undef,
   $max_keepalive_requests      = undef,
+  $cas_attribute_prefix        = undef,
+  $cas_attribute_delimiter     = undef,
+  $cas_scrub_request_headers   = undef,
+  $cas_sso_enabled             = undef,
+  $cas_login_url               = undef,
+  $cas_validate_url            = undef,
+  $cas_validate_saml           = undef,
 ) {
   # The base class must be included first because it is used by parameter defaults
   if ! defined(Class['apache']) {
@@ -345,6 +352,9 @@
   # Is apache::mod::shib enabled (or apache::mod['shib2'])
   $shibboleth_enabled = defined(Apache::Mod['shib2'])
 
+  # Is apache::mod::cas enabled (or apache::mod['cas'])
+  $cas_enabled = defined(Apache::Mod['auth_cas'])
+
   if $access_log and !$access_logs {
     if $access_log_file {
       $_logs_dest = "${logroot}/${access_log_file}"
@@ -1070,6 +1080,16 @@
     }
   }
 
+  # Template uses:
+  # - $cas_*
+  if $cas_enabled {
+    concat::fragment { "${name}-auth_cas":
+      target  => "${priority_real}${filename}.conf",
+      order   => 350,
+      content => template('apache/vhost/_auth_cas.erb'),
+    }
+  }
+
   # Template uses no variables
   concat::fragment { "${name}-file_footer":
     target  => "${priority_real}${filename}.conf",

templates/mod/auth_cas.conf.erb

@@ -38,3 +38,18 @@ CASCookieHttpOnly <%= @cas_cookie_http_only %>
 <% if @cas_authoritative -%>
 CASAuthoritative <%= @cas_authoritative %>
 <% end -%>
+<%- if @cas_sso_enabled -%>
+CASSSOEnabled On
+<%- end -%>
+<%- if @cas_validate_saml -%>
+CASValidateSAML On
+<%- end -%>
+<%- if @cas_attribute_prefix -%>
+CASAttributePrefix <%= @cas_attribute_prefix %>
+<%- end -%>
+<%- if @cas_attribute_delimiter -%>
+CASAttributeDelimiter <%= @cas_attribute_delimiter %>
+<%- end -%>
+<%- if @cas_scrub_request_headers -%>
+CASAttributeDelimiter On
+<%- end -%>

templates/vhost/_auth_cas.erb

@@ -0,0 +1,67 @@
+<% if @cas_enabled -%>
+
+  # mod_auth_cas configuration
+  <%- if @cas_cookie_path -%>
+  CASCookiePath <%= @cas_cookie_path %>
+  <%- end -%>
+  <%- if @cas_login_url -%>
+  CASLoginURL <%= @cas_login_url %>
+  <%- end -%>
+  <%- if @cas_validate_url -%>
+  CASValidateURL <%= @cas_validate_url %>
+  <%- end -%>
+  <%- if @cas_version -%>
+  CASVersion <%= @cas_version %>
+  <%- end -%>
+  <%- if @cas_debug -%>
+  CASDebug <%= @cas_debug %>
+  <%- end -%>
+  <%- if @cas_certificate_path -%>
+  CASCertificatePath <%= @cas_certificate_path %>
+  <%- end -%>
+  <%- if @cas_proxy_validate_url -%>
+  CASProxyValidateURL <%= @cas_proxy_validate_url %>
+  <%- end -%>
+  <%- if @cas_validate_depth -%>
+  CASValidateDepth <%= @cas_validate_depth %>
+  <%- end -%>
+  <%- if @cas_root_proxied_as -%>
+  CASRootProxiedAs <%= @cas_root_proxied_as %>
+  <%- end -%>
+  <%- if @cas_cookie_entropy -%>
+  CASCookieEntropy <%= @cas_cookie_entropy %>
+  <%- end -%>
+  <%- if @cas_timeout -%>
+  CASTimeout <%= @cas_timeout %>
+  <%- end -%>
+  <%- if @cas_idle_timeout -%>
+  CASIdleTimeout <%= @cas_idle_timeout %>
+  <%- end -%>
+  <%- if @cas_cache_clean_interval -%>
+  CASCacheCleanInterval <%= @cas_cache_clean_interval %>
+  <%- end -%>
+  <%- if @cas_cookie_domain -%>
+  CASCookieDomain <%= @cas_cookie_domain %>
+  <%- end -%>
+  <%- if @cas_cookie_http_only -%>
+  CASCookieHttpOnly <%= @cas_cookie_http_only %>
+  <%- end -%>
+  <%- if @cas_authoritative -%>
+  CASAuthoritative <%= @cas_authoritative %>
+  <%- end -%>
+  <%- if @cas_sso_enabled -%>
+  CASSSOEnabled On
+  <%- end -%>
+  <%- if @cas_validate_saml -%>
+  CASValidateSAML On
+  <%- end -%>
+  <%- if @cas_attribute_prefix -%>
+  CASAttributePrefix <%= @cas_attribute_prefix %>
+  <%- end -%>
+  <%- if @cas_attribute_delimiter -%>
+  CASAttributeDelimiter <%= @cas_attribute_delimiter %>
+  <%- end -%>
+  <%- if @cas_scrub_request_headers -%>
+  CASAttributeDelimiter On
+  <%- end -%>
+<%- end -%>

templates/vhost/_directories.erb

@@ -240,6 +240,29 @@
     ShibUseHeaders <%= directory['shib_use_headers'] %>
       <%- end -%>
     <%- end -%>
+    <%- if @cas_enabled -%>
+      <%- if directory['cas_scope'] -%>
+    CASScope <%= directory['cas_scope'] %>
+      <%- end -%>
+      <%- if directory['cas_renew'] -%>
+    CASRenew <%= directory['cas_renew'] %>
+      <%- end -%>
+      <%- if directory['cas_gateway'] -%>
+    CASGateway <%= directory['cas_gateway'] %>
+      <%- end -%>
+      <%- if directory['cas_cookie'] -%>
+    CASCookie <%= directory['cas_cookie'] %>
+      <%- end -%>
+      <%- if directory['cas_secure_cookie'] -%>
+    CASSecureCookie <%= directory['cas_secure_cookie'] %>
+      <%- end -%>
+      <%- if directory['cas_gateway_cookie'] -%>
+    CASGatewayCookie <%= directory['cas_gateway_cookie'] %>
+      <%- end -%>
+      <%- if directory['cas_authn_header'] -%>
+    CASAuthNHeader <%= directory['cas_authn_header'] %>
+      <%- end -%>
+    <%- end -%>
     <%- if directory['mellon_enable'] -%>
     MellonEnable "<%= directory['mellon_enable'] %>"
       <%- if directory['mellon_endpoint_path'] -%>