From 1fe6cb8d62f31ecace45ccc28ffc774b33f3c226 Mon Sep 17 00:00:00 2001 From: Phil Fenstermacher Date: Wed, 20 Apr 2016 15:11:01 -0400 Subject: [PATCH] Support the newer mod_auth_cas config options mod_auth_cas supports a number of per-directory options https://github.com/Jasig/mod_auth_cas/blob/master/README#L333-384 A number of the options aren't supported in directory stanzas despite what the documentation suggests. The options are supported globally and in vhost configurations, so they're supported there accordingly. https://github.com/Jasig/mod_auth_cas/blob/master/README#L386-413 --- README.md | 41 +++++++++++++++++++ manifests/mod/auth_cas.pp | 35 ++++++++++------- manifests/vhost.pp | 20 ++++++++++ templates/mod/auth_cas.conf.erb | 15 +++++++ templates/vhost/_auth_cas.erb | 67 ++++++++++++++++++++++++++++++++ templates/vhost/_directories.erb | 23 +++++++++++ 6 files changed, 186 insertions(+), 15 deletions(-) create mode 100644 templates/vhost/_auth_cas.erb diff --git a/README.md b/README.md index c35cee3d04..999ac4fe63 100644 --- a/README.md +++ b/README.md @@ -1386,6 +1386,10 @@ The `cas_login_url` and `cas_validate_url` parameters are required; several othe **Parameters within `apache::mod::auth_cas`**: +- `cas_attribute_prefix`: Adds a header with the value of this header being the attribute values when SAML + validation is enabled. Default: CAS_ +- `cas_attribute_delimiter`: The delimiter between attribute values in the header created by `cas_attribute_prefix`. + Default: , - `cas_authoritative`: Determines whether an optional authorization directive is authoritative and binding. Default: undef. - `cas_certificate_path`: Sets the path to the X509 certificate of the Certificate Authority for the server in `cas_login_url` and `cas_validate_url`. Default: undef. - `cas_cache_clean_interval`: Sets the minimum number of seconds that must pass between cache cleanings. Default: undef. 
@@ -1396,8 +1400,11 @@ The `cas_login_url` and `cas_validate_url` parameters are required; several othe - `cas_idle_timeout`: Default: undef. - `cas_login_url`: **Required**. Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don't have an active session. - `cas_root_proxied_as`: Sets the URL end users see when access to this Apache server is proxied. Default: undef. +- `cas_scrub_request_headers`: Remove inbound request headers that may have special meaning within mod_auth_cas. +- `cas_sso_enabled`: Enables experimental support for single sign out (may mangle POST data). Default: off - `cas_timeout`: Limits the number of seconds a `mod_auth_cas` session can remain active. Default: undef. - `cas_validate_depth`: Limits the depth for chained certificate validation. Default: undef. +- `cas_validate_saml`: Parse response from CAS server for SAML. Default: Off - `cas_validate_url`: **Required**. Sets the URL to use when validating a client-presented ticket in an HTTP query string. - `cas_version`: The CAS protocol version to adhere to. Valid options: '1', '2'. Default: '2'. 
@@ -2074,6 +2081,40 @@ Sets the [`AllowEncodedSlashes`][] declaration for the virtual host, overriding Specifies the list of things to which Apache blocks access. Valid option: 'scm', which blocks web access to `.svn`, `.git`, and `.bzr` directories. Default: an empty [array][]. +##### `cas_attribute_prefix` + +Adds a header with the value of this header being the attribute values when SAML validation is enabled. Defaults to +the value set by [`apache::mod::auth_cas`][] + +##### `cas_attribute_delimiter` + +The delimiter between attribute values in the header created by `cas_attribute_prefix`. Defaults to the value +set by [`apache::mod::auth_cas`][] + +##### `cas_login_url` + +Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and +don't have an active session. Defaults to the value set by [`apache::mod::auth_cas`][] + +##### `cas_scrub_request_headers` + +Remove inbound request headers that may have special meaning within mod_auth_cas. Defaults to the value +set by [`apache::mod::auth_cas`][] + +##### `cas_sso_enabled` + +Enables experimental support for single sign out (may mangle POST data). Defaults to the value +set by [`apache::mod::auth_cas`][] + +##### `cas_validate_saml` + +Parse response from CAS server for SAML. Defaults to the value set by [`apache::mod::auth_cas`][] + +##### `cas_validate_url` + +Sets the URL to use when validating a client-presented ticket in an HTTP query string. Defaults to the value set by +[`apache::mod::auth_cas`][] + ##### `custom_fragment` Passes a string of custom configuration directives to place at the end of the virtual host configuration. Default: undef. diff --git a/manifests/mod/auth_cas.pp b/manifests/mod/auth_cas.pp index 2b5338d1e6..3bba643a08 100644 --- a/manifests/mod/auth_cas.pp +++ b/manifests/mod/auth_cas.pp 
@@ -1,21 +1,26 @@
 class apache::mod::auth_cas (
 $cas_login_url,
 $cas_validate_url,
- $cas_cookie_path = $::apache::params::cas_cookie_path,
- $cas_version = 2,
- $cas_debug = 'Off',
- $cas_validate_depth = undef,
- $cas_certificate_path = undef,
- $cas_proxy_validate_url = undef,
- $cas_root_proxied_as = undef,
- $cas_cookie_entropy = undef,
- $cas_timeout = undef,
- $cas_idle_timeout = undef,
- $cas_cache_clean_interval = undef,
- $cas_cookie_domain = undef,
- $cas_cookie_http_only = undef,
- $cas_authoritative = undef,
- $suppress_warning = false,
+ $cas_cookie_path = $::apache::params::cas_cookie_path,
+ $cas_version = 2,
+ $cas_debug = 'Off',
+ $cas_validate_depth = undef,
+ $cas_certificate_path = undef,
+ $cas_proxy_validate_url = undef,
+ $cas_root_proxied_as = undef,
+ $cas_cookie_entropy = undef,
+ $cas_timeout = undef,
+ $cas_idle_timeout = undef,
+ $cas_cache_clean_interval = undef,
+ $cas_cookie_domain = undef,
+ $cas_cookie_http_only = undef,
+ $cas_authoritative = undef,
+ $cas_validate_saml = undef,
+ $cas_sso_enabled = undef,
+ $cas_attribute_prefix = undef,
+ $cas_attribute_delimiter = undef,
+ $cas_scrub_request_headers = undef,
+ $suppress_warning = false,
 ) inherits ::apache::params {
 validate_string($cas_login_url, $cas_validate_url, $cas_cookie_path)
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 88e9c1b071..4d74706ce2 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -152,6 +152,13 @@
 $keepalive = undef,
 $keepalive_timeout = undef,
 $max_keepalive_requests = undef,
+ $cas_attribute_prefix = undef,
+ $cas_attribute_delimiter = undef,
+ $cas_scrub_request_headers = undef,
+ $cas_sso_enabled = undef,
+ $cas_login_url = undef,
+ $cas_validate_url = undef,
+ $cas_validate_saml = undef,
 ) {
 # The base class must be included first because it is used by parameter defaults
 if ! defined(Class['apache']) {
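Review bot: The three flag-style parameters added to apache::mod::auth_cas (`$cas_validate_saml`, `$cas_sso_enabled`, `$cas_scrub_request_headers`) are accepted without any type check, and the templates later in this patch only test them for truthiness before emitting a hard-coded `On`, so a caller who passes the string `'Off'` (the convention `$cas_debug = 'Off'` two lines above suggests) would switch the feature on rather than off. Defaulting them to `false` instead of `undef` and adding `validate_bool($cas_validate_saml, $cas_sso_enabled, $cas_scrub_request_headers)` next to the existing `validate_string(...)` call would make the accepted values explicit; the same three names are added to apache::vhost in the next hunk and would need the same treatment. The hunk also rewrites every pre-existing default line solely to re-align the `=`, which buries the five genuinely new parameters in whitespace churn; splitting the re-indentation into its own commit would keep the functional change reviewable. The class body continues outside the hunk.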
@@ -345,6 +352,9 @@
 # Is apache::mod::shib enabled (or apache::mod['shib2'])
 $shibboleth_enabled = defined(Apache::Mod['shib2'])

+ # Is apache::mod::cas enabled (or apache::mod['cas'])
+ $cas_enabled = defined(Apache::Mod['auth_cas'])
+
 if $access_log and !$access_logs {
 if $access_log_file {
 $_logs_dest = "${logroot}/${access_log_file}"
@@ -1070,6 +1080,16 @@
 }
 }

+ # Template uses:
+ # - $cas_*
+ if $cas_enabled {
+ concat::fragment { "${name}-auth_cas":
+ target => "${priority_real}$(unknown).conf",
+ order => 350,
+ content => template('apache/vhost/_auth_cas.erb'),
+ }
+ }
+
 # Template uses no variables
 concat::fragment { "${name}-file_footer":
 target => "${priority_real}$(unknown).conf",
diff --git a/templates/mod/auth_cas.conf.erb b/templates/mod/auth_cas.conf.erb
index 926bd65f52..8fd696f18a 100644
--- a/templates/mod/auth_cas.conf.erb
+++ b/templates/mod/auth_cas.conf.erb
@@ -38,3 +38,18 @@ CASCookieHttpOnly <%= @cas_cookie_http_only %>
 <% if @cas_authoritative -%>
 CASAuthoritative <%= @cas_authoritative %>
 <% end -%>
+<%- if @cas_sso_enabled -%>
+CASSSOEnabled On
+<%- end -%>
+<%- if @cas_validate_saml -%>
+CASValidateSAML On
+<%- end -%>
+<%- if @cas_attribute_prefix -%>
+CASAttributePrefix <%= @cas_attribute_prefix %>
+<%- end -%>
+<%- if @cas_attribute_delimiter -%>
+CASAttributeDelimiter <%= @cas_attribute_delimiter %>
+<%- end -%>
+<%- if @cas_scrub_request_headers -%>
+CASAttributeDelimiter On
+<%- end -%>
diff --git a/templates/vhost/_auth_cas.erb b/templates/vhost/_auth_cas.erb
new file mode 100644
index 0000000000..fa26c00626
--- /dev/null
+++ b/templates/vhost/_auth_cas.erb
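Review bot: The new comment in the `@@ -345` hunk of manifests/vhost.pp names a class that does not exist in this module: it says `apache::mod::cas` / `apache::mod['cas']`, while the line under it checks `Apache::Mod['auth_cas']` and the class added elsewhere in this patch is `apache::mod::auth_cas`. A reader grepping for the class from the comment would find nothing; it should read `# Is apache::mod::auth_cas enabled (or apache::mod['auth_cas'])`. Note also that, as with the `$shibboleth_enabled` check it mirrors, `defined()` here depends on catalog evaluation order, so a vhost evaluated before `apache::mod::auth_cas` is declared presumably gets `$cas_enabled = false` and silently no CAS fragment — worth a sentence in the README if that matches the existing shib behaviour.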
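Review bot: The last new block of templates/mod/auth_cas.conf.erb emits the wrong directive: under `<%- if @cas_scrub_request_headers -%>` it writes `CASAttributeDelimiter On`, so enabling header scrubbing actually sets the attribute delimiter to the literal string `On` and leaves inbound `CAS_*`-style headers unscrubbed, while any `cas_attribute_delimiter` set two blocks earlier is overridden. The line should be `CASScrubRequestHeaders On`. The identical copy-paste appears at the end of the new templates/vhost/_auth_cas.erb in the next hunk and needs the same fix. Separately, this block and the `CASSSOEnabled`/`CASValidateSAML` ones hard-code `On` on any truthy value, so a non-empty string such as `'Off'` still enables the feature in ERB; either interpolate the value as the neighbouring `CASAuthoritative <%= @cas_authoritative %>` line does, or validate the parameter as a boolean in the manifest.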
@@ -0,0 +1,67 @@
+<% if @cas_enabled -%>
+
+ # mod_auth_cas configuration
+ <%- if @cas_cookie_path -%>
+ CASCookiePath <%= @cas_cookie_path %>
+ <%- end -%>
+ <%- if @cas_login_url -%>
+ CASLoginURL <%= @cas_login_url %>
+ <%- end -%>
+ <%- if @cas_validate_url -%>
+ CASValidateURL <%= @cas_validate_url %>
+ <%- end -%>
+ <%- if @cas_version -%>
+ CASVersion <%= @cas_version %>
+ <%- end -%>
+ <%- if @cas_debug -%>
+ CASDebug <%= @cas_debug %>
+ <%- end -%>
+ <%- if @cas_certificate_path -%>
+ CASCertificatePath <%= @cas_certificate_path %>
+ <%- end -%>
+ <%- if @cas_proxy_validate_url -%>
+ CASProxyValidateURL <%= @cas_proxy_validate_url %>
+ <%- end -%>
+ <%- if @cas_validate_depth -%>
+ CASValidateDepth <%= @cas_validate_depth %>
+ <%- end -%>
+ <%- if @cas_root_proxied_as -%>
+ CASRootProxiedAs <%= @cas_root_proxied_as %>
+ <%- end -%>
+ <%- if @cas_cookie_entropy -%>
+ CASCookieEntropy <%= @cas_cookie_entropy %>
+ <%- end -%>
+ <%- if @cas_timeout -%>
+ CASTimeout <%= @cas_timeout %>
+ <%- end -%>
+ <%- if @cas_idle_timeout -%>
+ CASIdleTimeout <%= @cas_idle_timeout %>
+ <%- end -%>
+ <%- if @cas_cache_clean_interval -%>
+ CASCacheCleanInterval <%= @cas_cache_clean_interval %>
+ <%- end -%>
+ <%- if @cas_cookie_domain -%>
+ CASCookieDomain <%= @cas_cookie_domain %>
+ <%- end -%>
+ <%- if @cas_cookie_http_only -%>
+ CASCookieHttpOnly <%= @cas_cookie_http_only %>
+ <%- end -%>
+ <%- if @cas_authoritative -%>
+ CASAuthoritative <%= @cas_authoritative %>
+ <%- end -%>
+ <%- if @cas_sso_enabled -%>
+ CASSSOEnabled On
+ <%- end -%>
+ <%- if @cas_validate_saml -%>
+ CASValidateSAML On
+ <%- end -%>
+ <%- if @cas_attribute_prefix -%>
+ CASAttributePrefix <%= @cas_attribute_prefix %>
+ <%- end -%>
+ <%- if @cas_attribute_delimiter -%>
+ CASAttributeDelimiter <%= @cas_attribute_delimiter %>
+ <%- end -%>
+ <%- if @cas_scrub_request_headers -%>
+ CASAttributeDelimiter On
+ <%- end -%>
+<%- end -%>
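Review bot: Most of this new vhost template reads variables that apache::vhost never declares: `@cas_cookie_path`, `@cas_version`, `@cas_debug`, `@cas_certificate_path`, `@cas_proxy_validate_url`, `@cas_validate_depth`, `@cas_root_proxied_as`, `@cas_cookie_entropy`, `@cas_timeout`, `@cas_idle_timeout`, `@cas_cache_clean_interval`, `@cas_cookie_domain`, `@cas_cookie_http_only` and `@cas_authoritative`, whereas the vhost.pp hunk adds only seven `cas_*` parameters. As far as I can tell those fourteen blocks can never render (the template presumably sees nil), so they are dead code that implies per-vhost overrides the define does not offer; either drop them or add the matching parameters to apache::vhost and document them alongside the seven that the README hunk already covers. A one-line header comment such as `# Per-vhost mod_auth_cas overrides; unset values fall back to apache::mod::auth_cas` would also make the fallback behaviour explicit. The outer `<% if @cas_enabled -%>` guard duplicates the `if $cas_enabled` check around the concat fragment in vhost.pp and could be noted as defensive.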
diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb
index df2690c431..416cf16fc8 100644
--- a/templates/vhost/_directories.erb
+++ b/templates/vhost/_directories.erb
@@ -240,6 +240,29 @@
 ShibUseHeaders <%= directory['shib_use_headers'] %>
 <%- end -%>
 <%- end -%>
+ <%- if @cas_enabled -%>
+ <%- if directory['cas_scope'] -%>
+ CASScope <%= directory['cas_scope'] %>
+ <%- end -%>
+ <%- if directory['cas_renew'] -%>
+ CASRenew <%= directory['cas_renew'] %>
+ <%- end -%>
+ <%- if directory['cas_gateway'] -%>
+ CASGateway <%= directory['cas_gateway'] %>
+ <%- end -%>
+ <%- if directory['cas_cookie'] -%>
+ CASCookie <%= directory['cas_cookie'] %>
+ <%- end -%>
+ <%- if directory['cas_secure_cookie'] -%>
+ CASSecureCookie <%= directory['cas_secure_cookie'] %>
+ <%- end -%>
+ <%- if directory['cas_gateway_cookie'] -%>
+ CASGatewayCookie <%= directory['cas_gateway_cookie'] %>
+ <%- end -%>
+ <%- if directory['cas_authn_header'] -%>
+ CASAuthNHeader <%= directory['cas_authn_header'] %>
+ <%- end -%>
+ <%- end -%>
 <%- if directory['mellon_enable'] -%>
 MellonEnable "<%= directory['mellon_enable'] %>"
 <%- if directory['mellon_endpoint_path'] -%>
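Review bot: The seven new per-directory keys (`cas_scope`, `cas_renew`, `cas_gateway`, `cas_cookie`, `cas_secure_cookie`, `cas_gateway_cookie`, `cas_authn_header`) are not documented anywhere in this patch: the README hunks describe only the vhost-level `cas_*` parameters, so a user has no way to discover these keys short of reading the template. Each needs an entry in the README's `directories` section, in the same form as the existing `shib_*` keys, stating that the directive is only emitted when the key is set and that mod_auth_cas's own default applies otherwise. That last point matters most for `cas_secure_cookie`, since it controls whether the session cookie is restricted to TLS; spelling out that a `false` value is skipped by the `if directory['cas_secure_cookie']` test (and therefore does not emit `CASSecureCookie Off`) would avoid a misleading configuration. The `@cas_enabled` guard relies on the variable set in vhost.pp, which is consistent with how `@shibboleth_enabled` is used above — worth a short comment on the `<%- if @cas_enabled -%>` line.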