Add the loginurl to the cache

Ensure that the cache matches the configured CASLoginURL.
dhawes · Oct 18, 2021 · cdf2eb4 · cdf2eb4
1 parent d5d42ba
commit cdf2eb4
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
@@ -1047,6 +1047,7 @@ apr_byte_t readCASCacheFile(request_rec *r, cas_cfg *c, char *name, cas_cache_en
 	cache->secure = FALSE;
 	cache->ticket = NULL;
 	cache->attrs = NULL;
+	cache->loginurl = NULL;
 
 	do {
 		if(e == NULL)
@@ -1079,6 +1080,8 @@ apr_byte_t readCASCacheFile(request_rec *r, cas_cfg *c, char *name, cas_cache_en
 			}
 		} else if (apr_strnatcasecmp(e->name, "path") == 0)
 			cache->path = apr_pstrndup(r->pool, val, strlen(val));
+		else if (apr_strnatcasecmp(e->name, "loginurl") == 0)
+			cache->loginurl = apr_pstrndup(r->pool, val, strlen(val));
 		else if (apr_strnatcasecmp(e->name, "renewed") == 0)
 			cache->renewed = TRUE;
 		else if (apr_strnatcasecmp(e->name, "secure") == 0)
@@ -1292,6 +1295,7 @@ apr_byte_t writeCASCacheEntry(request_rec *r, char *name, cas_cache_entry *cache
 	apr_file_printf(f, "<issued>%" APR_TIME_T_FMT "</issued>\n", cache->issued);
 	apr_file_printf(f, "<lastactive>%" APR_TIME_T_FMT "</lastactive>\n", cache->lastactive);
 	apr_file_printf(f, "<path>%s</path>\n", apr_xml_quote_string(r->pool, cache->path, TRUE));
+	apr_file_printf(f, "<loginurl>%s</loginurl>\n", apr_xml_quote_string(r->pool, cache->loginurl, TRUE));
 	apr_file_printf(f, "<ticket>%s</ticket>\n", apr_xml_quote_string(r->pool, cache->ticket, TRUE));
 	if(cache->attrs != NULL) {
 		cas_saml_attr *a = cache->attrs;
@@ -1338,15 +1342,18 @@ char *createCASCookie(request_rec *r, char *user, cas_saml_attr *attrs, char *ti
 	cas_dir_cfg *d = ap_get_module_config(r->per_dir_config, &auth_cas_module);
 	buf = apr_pcalloc(r->pool, c->CASCookieEntropy);
 
-	if(c->CASDebug)
+	if(c->CASDebug) {
 		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "entering createCASCookie()");
+		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "login URL = %s", getCASLoginURL(r, c));
+	}
 
 	CASCleanCache(r, c);
 
 	e.user = user;
 	e.issued = apr_time_now();
 	e.lastactive = apr_time_now();
 	e.path = getCASPath(r);
+	e.loginurl = getCASLoginURL(r, c);
 	e.renewed = (d->CASRenew == NULL ? 0 : 1);
 	e.secure = (isSSL(r) == TRUE ? 1 : 0);
 	e.ticket = ticket;
@@ -1772,9 +1779,9 @@ apr_byte_t isValidCASCookie(request_rec *r, cas_cfg *c, char *cookie, char **use
 		return FALSE;
 	}
 
-    if((c->CASTimeout > 0 &&
-       (cache.issued < (apr_time_now()-(c->CASTimeout*((apr_time_t) APR_USEC_PER_SEC))))) ||
-       cache.lastactive < (apr_time_now()-(c->CASIdleTimeout*((apr_time_t) APR_USEC_PER_SEC)))) {
+	if((c->CASTimeout > 0 &&
+	   (cache.issued < (apr_time_now()-(c->CASTimeout*((apr_time_t) APR_USEC_PER_SEC))))) ||
+	   cache.lastactive < (apr_time_now()-(c->CASIdleTimeout*((apr_time_t) APR_USEC_PER_SEC)))) {
 		/* delete this file since it is no longer valid */
 		deleteCASCacheFile(r, cookie);
 		if(c->CASDebug)
@@ -1797,6 +1804,18 @@ apr_byte_t isValidCASCookie(request_rec *r, cas_cfg *c, char *cookie, char **use
 		}
 	}
 
+	/* make sure the loginurl matches */
+	if(strcasecmp(cache.loginurl, getCASLoginURL(r, c))) {
+		if(c->CASDebug) {
+			ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "cache.loginurl (%s) does not equal getCASLoginURL (%s)", cache.loginurl, getCASLoginURL(r, c));
+		}
+		return FALSE;
+	} else {
+		if(c->CASDebug) {
+			ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "cache.loginurl (%s) equals getCASLoginURL (%s)", cache.loginurl, getCASLoginURL(r, c));
+		}
+	}
+
 	/* set the user */
 	*user = apr_pstrndup(r->pool, cache.user, strlen(cache.user));
 	*attrs = cas_saml_attr_pdup(r->pool, cache.attrs);

diff --git a/src/mod_auth_cas.h b/src/mod_auth_cas.h
@@ -167,6 +167,7 @@ typedef struct cas_cache_entry {
 	apr_byte_t secure;
 	char *ticket;
 	cas_saml_attr *attrs;
+	char * loginurl;
 } cas_cache_entry;
 
 typedef struct cas_curl_buffer {