|
 |
d64f60 |
commit e8579f6387d9841ce619d836110050fb18117753
|
|
|
d64f60 |
Author: John Dennis <jdennis@redhat.com>
|
|
|
d64f60 |
Date: Wed Jun 14 13:56:18 2017 -0400
|
|
|
d64f60 |
|
|
|
d64f60 |
Add diagnostic logging
|
|
|
d64f60 |
|
|
|
d64f60 |
Field experience with Mellon has demonstrated there are many
|
|
|
d64f60 |
opportunities for deployment problems. Although there are tools such
|
|
|
d64f60 |
as browser plugins which can capture SAML messages it's onerous for
|
|
|
d64f60 |
site personnel to install and capture the relevant information. The
|
|
|
d64f60 |
problem with this approach is further compounded by the fact the
|
|
|
d64f60 |
external SAML messages are not correlated to Mellon's
|
|
|
d64f60 |
requests/responses. Mellon currently can dump the Lasso session and
|
|
|
d64f60 |
SAML Response messages and place them in Apache environment variables,
|
|
|
d64f60 |
however these do not appear in the log file. To get them into the log
|
|
|
d64f60 |
you have to add custom logging to the Apache config. Another issue is
|
|
|
d64f60 |
the dumps are not human readable, they are base64 encoded, anyone
|
|
|
d64f60 |
looking at the logs after setting up the custom logging will have to
|
|
|
d64f60 |
find the base64 text and then manually copy the text into an external
|
|
|
d64f60 |
base64 decoder. At that point you'll discover the XML is not pretty
|
|
|
d64f60 |
printed making human interpretation difficult.
|
|
|
d64f60 |
|
|
|
d64f60 |
The Mellon debug messages written to the Apache error are often
|
|
|
d64f60 |
insufficient to diagnose problems. And since the Mellon log messages
|
|
|
d64f60 |
are written to the Apache error log they are interspersed with a lot
|
|
|
d64f60 |
of non-Mellon message.
|
|
|
d64f60 |
|
|
|
d64f60 |
Compounding the problem of writing Mellon debug messages to the Apache
|
|
|
d64f60 |
error log is the fact Apache log messages have a fixed maximum length
|
|
|
d64f60 |
(currently 8192) which is insufficient to completely write out such
|
|
|
d64f60 |
things as SAML Assertions, metadata, etc. Apache logging also escapes
|
|
|
d64f60 |
all control characters with the consequence line breaks are not
|
|
|
d64f60 |
preserved and what was a nicely formatted human readable piece of text
|
|
|
d64f60 |
becomes a single line with escape characters and may be truncated.
|
|
|
d64f60 |
|
|
|
d64f60 |
It would be really nice if we could capture diagnostic information
|
|
|
d64f60 |
with these properties:
|
|
|
d64f60 |
|
|
|
d64f60 |
* All relevant data is collected in exactly one file.
|
|
|
d64f60 |
|
|
|
d64f60 |
* Only information relevant to Mellon appears in the file.
|
|
|
d64f60 |
|
|
|
d64f60 |
* All information is human readable (pretty printed, decrypted) with
|
|
|
d64f60 |
no need to rely on other tools.
|
|
|
d64f60 |
|
|
|
d64f60 |
* The diagnostic information is grouped by requests.
|
|
|
d64f60 |
|
|
|
d64f60 |
* The requests can be cross correlated with other Apache logs because
|
|
|
d64f60 |
they utilize the same unique request identifier.
|
|
|
d64f60 |
|
|
|
d64f60 |
This patch adds diagnostic logging to a independent Mellon diagnostics
|
|
|
d64f60 |
log file. Every piece of relevant information is captured, including:
|
|
|
d64f60 |
|
|
|
d64f60 |
* Request information which includes:
|
|
|
d64f60 |
|
|
|
d64f60 |
- Request method
|
|
|
d64f60 |
- Request URL (raw and processed)
|
|
|
d64f60 |
- Scheme
|
|
|
d64f60 |
- Port
|
|
|
d64f60 |
- Request query parameters
|
|
|
d64f60 |
- Server name
|
|
|
d64f60 |
- Unique request ID
|
|
|
d64f60 |
- process ID, thread ID
|
|
|
d64f60 |
- Request headers
|
|
|
d64f60 |
|
|
|
d64f60 |
* Mellon per directory configuration
|
|
|
d64f60 |
|
|
|
d64f60 |
A complete dump of the entire am_dir_cfg_rec structure keyed using
|
|
|
d64f60 |
both the Mellon directive it is associated with and it's internal
|
|
|
d64f60 |
name. This is emitted once on first use for a given URL.
|
|
|
d64f60 |
|
|
|
d64f60 |
The per directory dump includes the pathname of each file read as
|
|
|
d64f60 |
well as the file contents. This includes:
|
|
|
d64f60 |
|
|
|
d64f60 |
- IdP metadata
|
|
|
d64f60 |
- SP metadata
|
|
|
d64f60 |
- SP cert
|
|
|
d64f60 |
- SP key
|
|
|
d64f60 |
- IdP public key file
|
|
|
d64f60 |
- IdP CA file
|
|
|
d64f60 |
|
|
|
d64f60 |
* All session management operations
|
|
|
d64f60 |
|
|
|
d64f60 |
- cookie
|
|
|
d64f60 |
- session lookup
|
|
|
d64f60 |
- session creation
|
|
|
d64f60 |
- session deletion
|
|
|
d64f60 |
- cache management
|
|
|
d64f60 |
- cache entry information
|
|
|
d64f60 |
|
|
|
d64f60 |
* All SAML messages
|
|
|
d64f60 |
|
|
|
d64f60 |
Each SAML message is decrypted, decoded and XML pretty printed in
|
|
|
d64f60 |
human readable form.
|
|
|
d64f60 |
|
|
|
d64f60 |
* Request pipeline operations
|
|
|
d64f60 |
|
|
|
d64f60 |
What operations Mellon performs, what decisions it makes and what
|
|
|
d64f60 |
data is being used to make those decisions.
|
|
|
d64f60 |
|
|
|
d64f60 |
* Response
|
|
|
d64f60 |
|
|
|
d64f60 |
- response status
|
|
|
d64f60 |
- response headers
|
|
|
d64f60 |
- Apache user name
|
|
|
d64f60 |
- auth_type
|
|
|
d64f60 |
- all Apache environment variables
|
|
|
d64f60 |
|
|
|
d64f60 |
Diagnostics can be enabled/disabled both at compile time and run
|
|
|
d64f60 |
time. Compile time inclusion of diagnostics is managed with the
|
|
|
d64f60 |
ENABLE_DIAGNOSTICS preprocssor symbol. The configure script now accepts
|
|
|
d64f60 |
the
|
|
|
d64f60 |
|
|
|
d64f60 |
--enable-diagnostics and --disable-diagnostics
|
|
|
d64f60 |
|
|
|
d64f60 |
option. Building with diagnostics is disabled by default, you must
|
|
|
d64f60 |
specify --enable-diagnostics to enable the run time option of generating
|
|
|
d64f60 |
diagnostics.
|
|
|
d64f60 |
|
|
|
d64f60 |
The following server config directives have been added (e.g. may be
|
|
|
d64f60 |
specified in the main server config area or within a <VirtualHost>
|
|
|
d64f60 |
directive). If Mellon was not built with diagnostics enabled then
|
|
|
d64f60 |
these config directives are no-ops and their use will generated a
|
|
|
d64f60 |
warning in the log file indicating they have been ignored and to be
|
|
|
d64f60 |
effective you must builld Mellon with diagnostics enabled.
|
|
|
d64f60 |
|
|
|
d64f60 |
MellonDiagnosticsFile:
|
|
|
d64f60 |
The name of the diagnostics file or pipe,
|
|
|
d64f60 |
(default is logs/mellon_diagnostics)
|
|
|
d64f60 |
|
|
|
d64f60 |
MellonDiagnosticsEnable:
|
|
|
d64f60 |
Currently either On or Off but it is designed so it can take other
|
|
|
d64f60 |
flags in the future to control what type of information is
|
|
|
d64f60 |
reported.
|
|
|
d64f60 |
|
|
|
d64f60 |
Signed-off-by: John Dennis <jdennis@redhat.com>
|
|
|
d64f60 |
|
|
|
d64f60 |
diff --git a/Makefile.in b/Makefile.in
|
|
|
d64f60 |
index 731919e..3656bec 100644
|
|
|
d64f60 |
--- a/Makefile.in
|
|
|
d64f60 |
+++ b/Makefile.in
|
|
|
d64f60 |
@@ -1,8 +1,11 @@
|
|
|
d64f60 |
|
|
|
d64f60 |
# Source files. mod_auth_mellon.c must be the first file.
|
|
|
d64f60 |
SRC=mod_auth_mellon.c \
|
|
|
d64f60 |
- auth_mellon_cache.c auth_mellon_config.c \
|
|
|
d64f60 |
- auth_mellon_cookie.c auth_mellon_handler.c \
|
|
|
d64f60 |
+ auth_mellon_cache.c \
|
|
|
d64f60 |
+ auth_mellon_config.c \
|
|
|
d64f60 |
+ auth_mellon_cookie.c \
|
|
|
d64f60 |
+ auth_mellon_diagnostics.c \
|
|
|
d64f60 |
+ auth_mellon_handler.c \
|
|
|
d64f60 |
auth_mellon_util.c \
|
|
|
d64f60 |
auth_mellon_session.c \
|
|
|
d64f60 |
auth_mellon_httpclient.c
|
|
|
d64f60 |
@@ -25,7 +28,7 @@ DISTFILES=$(SRC) \
|
|
|
d64f60 |
all: mod_auth_mellon.la
|
|
|
d64f60 |
|
|
|
d64f60 |
mod_auth_mellon.la: $(SRC) auth_mellon.h auth_mellon_compat.h
|
|
|
d64f60 |
- @APXS2@ -Wc,"-std=c99 @OPENSSL_CFLAGS@ @LASSO_CFLAGS@ @CURL_CFLAGS@ @GLIB_CFLAGS@ @CFLAGS@" -Wl,"@OPENSSL_LIBS@ @LASSO_LIBS@ @CURL_LIBS@ @GLIB_LIBS@" -Wc,-Wall -Wc,-g -c $(SRC)
|
|
|
d64f60 |
+ @APXS2@ -Wc,"-std=c99 @MELLON_CFLAGS@ @OPENSSL_CFLAGS@ @LASSO_CFLAGS@ @CURL_CFLAGS@ @GLIB_CFLAGS@ @CFLAGS@" -Wl,"@OPENSSL_LIBS@ @LASSO_LIBS@ @CURL_LIBS@ @GLIB_LIBS@" -Wc,-Wall -Wc,-g -c $(SRC)
|
|
|
d64f60 |
|
|
|
d64f60 |
|
|
|
d64f60 |
# Building configure (for distribution)
|
|
|
d64f60 |
@@ -46,6 +49,7 @@ distfile: @NAMEVER@.tar.gz
|
|
|
d64f60 |
.PHONY: clean
|
|
|
d64f60 |
clean:
|
|
|
d64f60 |
rm -f mod_auth_mellon.la
|
|
|
d64f60 |
+ rm -f $(SRC:%.c=%.o)
|
|
|
d64f60 |
rm -f $(SRC:%.c=%.lo)
|
|
|
d64f60 |
rm -f $(SRC:%.c=%.slo)
|
|
|
d64f60 |
rm -rf .libs/
|
|
|
d64f60 |
diff --git a/README b/README
|
|
|
d64f60 |
index e084ef4..8211d66 100644
|
|
|
d64f60 |
--- a/README
|
|
|
d64f60 |
+++ b/README
|
|
|
d64f60 |
@@ -132,6 +132,24 @@ MellonPostSize 1048576
|
|
|
d64f60 |
# Default: MellonPostCount 100
|
|
|
d64f60 |
MellonPostCount 100
|
|
|
d64f60 |
|
|
|
d64f60 |
+# MellonDiagnosticsFile If Mellon was built with diagnostic capability
|
|
|
d64f60 |
+# then diagnostic is written here, it may be either a filename or a pipe.
|
|
|
d64f60 |
+# If it's a filename then the resulting path is relative to the ServerRoot.
|
|
|
d64f60 |
+# If the value is preceeded by the pipe character "|" it should be followed
|
|
|
d64f60 |
+# by a path to a program to receive the log information on its standard input.
|
|
|
d64f60 |
+# This is a server context directive, hence it may be specified in the
|
|
|
d64f60 |
+# main server config area or within a <VirtualHost> directive.
|
|
|
d64f60 |
+# Default: logs/mellon_diagnostics
|
|
|
d64f60 |
+MellonDiagnosticsFile logs/mellon_diagnostics
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+# MellonDiagnosticsEnable If Mellon was built with diagnostic capability
|
|
|
d64f60 |
+# then this is a list of words controlling diagnostic output.
|
|
|
d64f60 |
+# Currently only On and Off are supported.
|
|
|
d64f60 |
+# This is a server context directive, hence it may be specified in the
|
|
|
d64f60 |
+# main server config area or within a <VirtualHost> directive.
|
|
|
d64f60 |
+# Default: Off
|
|
|
d64f60 |
+MellonDiagnosticsEnable Off
|
|
|
d64f60 |
+
|
|
|
d64f60 |
###########################################################################
|
|
|
d64f60 |
# End of global configuration for mod_auth_mellon.
|
|
|
d64f60 |
###########################################################################
|
|
|
d64f60 |
diff --git a/auth_mellon.h b/auth_mellon.h
|
|
|
d64f60 |
index a6fa34c..6ce6a8e 100644
|
|
|
d64f60 |
--- a/auth_mellon.h
|
|
|
d64f60 |
+++ b/auth_mellon.h
|
|
|
d64f60 |
@@ -85,6 +85,14 @@
|
|
|
d64f60 |
#define AM_ERROR_MISSING_PAOS_MEDIA_TYPE 3
|
|
|
d64f60 |
|
|
|
d64f60 |
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+typedef enum {
|
|
|
d64f60 |
+ AM_DIAG_FLAG_ENABLED = (1 << 0),
|
|
|
d64f60 |
+ AM_DIAG_FLAG_DISABLE = 0,
|
|
|
d64f60 |
+ AM_DIAG_FLAG_ENABLE_ALL = ~0,
|
|
|
d64f60 |
+} am_diag_flags_t;
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* This is the length of the id we use (for session IDs and
|
|
|
d64f60 |
* replaying POST data).
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
@@ -100,6 +108,9 @@
|
|
|
d64f60 |
|
|
|
d64f60 |
#define am_get_req_cfg(r) (am_req_cfg_rec *)ap_get_module_config((r)->request_config, &auth_mellon_module)
|
|
|
d64f60 |
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+#define am_get_diag_cfg(s) (&(am_get_srv_cfg((s)))->diag_cfg)
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
|
|
|
d64f60 |
typedef struct am_mod_cfg_rec {
|
|
|
d64f60 |
int cache_size;
|
|
|
d64f60 |
@@ -124,8 +135,20 @@ typedef struct am_mod_cfg_rec {
|
|
|
d64f60 |
} am_mod_cfg_rec;
|
|
|
d64f60 |
|
|
|
d64f60 |
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+typedef struct am_diag_cfg_rec {
|
|
|
d64f60 |
+ const char *filename;
|
|
|
d64f60 |
+ apr_file_t *fd;
|
|
|
d64f60 |
+ am_diag_flags_t flags;
|
|
|
d64f60 |
+ apr_table_t *dir_cfg_emitted;
|
|
|
d64f60 |
+} am_diag_cfg_rec;
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+
|
|
|
d64f60 |
typedef struct am_srv_cfg_rec {
|
|
|
d64f60 |
am_mod_cfg_rec *mc;
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ am_diag_cfg_rec diag_cfg;
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
} am_srv_cfg_rec;
|
|
|
d64f60 |
|
|
|
d64f60 |
typedef enum {
|
|
|
d64f60 |
@@ -284,7 +307,6 @@ typedef struct am_dir_cfg_rec {
|
|
|
d64f60 |
|
|
|
d64f60 |
/* List of domains we can redirect to. */
|
|
|
d64f60 |
const char * const *redirect_domains;
|
|
|
d64f60 |
-
|
|
|
d64f60 |
} am_dir_cfg_rec;
|
|
|
d64f60 |
|
|
|
d64f60 |
/* Bitmask for PAOS service options */
|
|
|
d64f60 |
@@ -301,6 +323,9 @@ typedef struct am_req_cfg_rec {
|
|
|
d64f60 |
bool ecp_authn_req;
|
|
|
d64f60 |
ECPServiceOptions ecp_service_options;
|
|
|
d64f60 |
#endif /* HAVE_ECP */
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ bool diag_emitted;
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
} am_req_cfg_rec;
|
|
|
d64f60 |
|
|
|
d64f60 |
typedef struct am_cache_storage_t {
|
|
|
d64f60 |
@@ -393,6 +418,7 @@ static const int inherit_ecp_send_idplist = -1;
|
|
|
d64f60 |
void *auth_mellon_dir_config(apr_pool_t *p, char *d);
|
|
|
d64f60 |
void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add);
|
|
|
d64f60 |
void *auth_mellon_server_config(apr_pool_t *p, server_rec *s);
|
|
|
d64f60 |
+void *auth_mellon_srv_merge(apr_pool_t *p, void *base, void *add);
|
|
|
d64f60 |
|
|
|
d64f60 |
|
|
|
d64f60 |
const char *am_cookie_get(request_rec *r);
|
|
|
d64f60 |
@@ -503,4 +529,72 @@ int am_httpclient_post_str(request_rec *r, const char *uri,
|
|
|
d64f60 |
|
|
|
d64f60 |
extern module AP_MODULE_DECLARE_DATA auth_mellon_module;
|
|
|
d64f60 |
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/* Initializing an apr_time_t to 0x7fffffffffffffffLL yields an
|
|
|
d64f60 |
+ * iso 8601 time with 1 second precision of "294247-01-10T04:00:54Z"
|
|
|
d64f60 |
+ * this is 22 characters, +1 for null terminator. */
|
|
|
d64f60 |
+#define ISO_8601_BUF_SIZE 23
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+typedef struct {
|
|
|
d64f60 |
+ bool req_headers_written;
|
|
|
d64f60 |
+} am_diag_request_data;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+const char *
|
|
|
d64f60 |
+am_diag_cache_key_type_str(am_cache_key_t key_type);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+const char *
|
|
|
d64f60 |
+am_diag_cond_str(request_rec *r, const am_cond_t *cond);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+int
|
|
|
d64f60 |
+am_diag_finalize_request(request_rec *r);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+const char *
|
|
|
d64f60 |
+am_diag_lasso_http_method_str(LassoHttpMethod http_method);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_log_cache_entry(request_rec *r, int level, am_cache_entry_t *entry,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+ __attribute__((format(printf,4,5)));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_log_file_data(request_rec *r, int level, am_file_data_t *file_data,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+ __attribute__((format(printf,4,5)));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+int
|
|
|
d64f60 |
+am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_log_lasso_node(request_rec *r, int level, LassoNode *node,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+ __attribute__((format(printf,4,5)));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_log_profile(request_rec *r, int level, LassoProfile *profile,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+ __attribute__((format(printf,4,5)));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_printf(request_rec *r, const char *fmt, ...)
|
|
|
d64f60 |
+ __attribute__((format(printf,2,3)));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_rerror(const char *file, int line, int module_index,
|
|
|
d64f60 |
+ int level, apr_status_t status,
|
|
|
d64f60 |
+ request_rec *r, const char *fmt, ...);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+char *
|
|
|
d64f60 |
+am_diag_time_t_to_8601(request_rec *r, apr_time_t t);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#else /* ENABLE_DIAGNOSTICS */
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#define am_diag_log_cache_entry(...) do {} while(0)
|
|
|
d64f60 |
+#define am_diag_log_file_data(...) do {} while(0)
|
|
|
d64f60 |
+#define am_diag_log_lasso_node(...) do {} while(0)
|
|
|
d64f60 |
+#define am_diag_log_profile(...) do {} while(0)
|
|
|
d64f60 |
+#define am_diag_printf(...) do {} while(0)
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#endif /* ENABLE_DIAGNOSTICS */
|
|
|
d64f60 |
+
|
|
|
d64f60 |
#endif /* MOD_AUTH_MELLON_H */
|
|
|
d64f60 |
diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c
|
|
|
d64f60 |
index af5c267..2115acc 100644
|
|
|
d64f60 |
--- a/auth_mellon_cache.c
|
|
|
d64f60 |
+++ b/auth_mellon_cache.c
|
|
|
d64f60 |
@@ -144,11 +144,17 @@ am_cache_entry_t *am_cache_lock(request_rec *r,
|
|
|
d64f60 |
continue;
|
|
|
d64f60 |
|
|
|
d64f60 |
if(strcmp(tablekey, key) == 0) {
|
|
|
d64f60 |
+ apr_time_t now = apr_time_now();
|
|
|
d64f60 |
/* We found the entry. */
|
|
|
d64f60 |
- if(e->expires > apr_time_now()) {
|
|
|
d64f60 |
+ if(e->expires > now) {
|
|
|
d64f60 |
/* And it hasn't expired. */
|
|
|
d64f60 |
return e;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
+ else {
|
|
|
d64f60 |
+ am_diag_log_cache_entry(r, 0, e,
|
|
|
d64f60 |
+ "found expired session, now %s\n",
|
|
|
d64f60 |
+ am_diag_time_t_to_8601(r, now));
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
}
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -342,6 +348,10 @@ am_cache_entry_t *am_cache_new(request_rec *r,
|
|
|
d64f60 |
* Update 't' and exit loop.
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
t = e;
|
|
|
d64f60 |
+ am_diag_log_cache_entry(r, 0, e,
|
|
|
d64f60 |
+ "%s ejecting expired sessions, now %s\n",
|
|
|
d64f60 |
+ __func__,
|
|
|
d64f60 |
+ am_diag_time_t_to_8601(r, current_time));
|
|
|
d64f60 |
break;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -400,6 +410,11 @@ am_cache_entry_t *am_cache_new(request_rec *r,
|
|
|
d64f60 |
return NULL;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "%s created new session, id=%s at %s"
|
|
|
d64f60 |
+ " cookie_token=\"%s\"\n",
|
|
|
d64f60 |
+ __func__, t->key, am_diag_time_t_to_8601(r, current_time),
|
|
|
d64f60 |
+ cookie_token);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
return t;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
|
|
|
d64f60 |
index c3cb5e0..66966fc 100644
|
|
|
d64f60 |
--- a/auth_mellon_config.c
|
|
|
d64f60 |
+++ b/auth_mellon_config.c
|
|
|
d64f60 |
@@ -78,6 +78,15 @@ static const apr_size_t post_size = 1024 * 1024;
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
static const int post_count = 100;
|
|
|
d64f60 |
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+/* Default filename for mellon diagnostics log file.
|
|
|
d64f60 |
+ * Relative pathname is relative to server root. */
|
|
|
d64f60 |
+static const char *default_diag_filename = "logs/mellon_diagnostics";
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/* Default state for diagnostics is off */
|
|
|
d64f60 |
+static am_diag_flags_t default_diag_flags = AM_DIAG_FLAG_DISABLE;
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* whether to merge env. vars or not
|
|
|
d64f60 |
* the MellonMergeEnvVars configuration directive if you change this.
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
@@ -470,6 +479,78 @@ static const char *am_set_module_config_int_slot(cmd_parms *cmd,
|
|
|
d64f60 |
return ap_set_int_slot(cmd, am_get_mod_cfg(cmd->server), arg);
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
+/* This function handles the MellonDiagnosticsFile configuration directive.
|
|
|
d64f60 |
+ * It emits as warning in the log file if Mellon is not built with
|
|
|
d64f60 |
+ * diagnostics enabled.
|
|
|
d64f60 |
+ *
|
|
|
d64f60 |
+ * Parameters:
|
|
|
d64f60 |
+ * cmd_parms *cmd The command structure for this configuration
|
|
|
d64f60 |
+ * directive.
|
|
|
d64f60 |
+ * void *struct_ptr Pointer to the current directory configuration.
|
|
|
d64f60 |
+ * NULL if we are not in a directory configuration.
|
|
|
d64f60 |
+ * const char *arg The string argument following this configuration
|
|
|
d64f60 |
+ * directive in the configuraion file.
|
|
|
d64f60 |
+ *
|
|
|
d64f60 |
+ * Returns:
|
|
|
d64f60 |
+ * NULL on success or an error string on failure.
|
|
|
d64f60 |
+ */
|
|
|
d64f60 |
+static const char *am_set_module_diag_file_slot(cmd_parms *cmd,
|
|
|
d64f60 |
+ void *struct_ptr,
|
|
|
d64f60 |
+ const char *arg)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ return ap_set_file_slot(cmd, am_get_diag_cfg(cmd->server), arg);
|
|
|
d64f60 |
+#else
|
|
|
d64f60 |
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
|
|
|
d64f60 |
+ "%s has no effect because Mellon was not compiled with"
|
|
|
d64f60 |
+ " diagnostics enabled, use ./configure --enable-diagnostics"
|
|
|
d64f60 |
+ " at build time to turn this feature on.",
|
|
|
d64f60 |
+ cmd->directive->directive);
|
|
|
d64f60 |
+ return NULL;
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/* This function handles configuration directives which sets the
|
|
|
d64f60 |
+ * diagnostics flags in the module configuration.
|
|
|
d64f60 |
+ *
|
|
|
d64f60 |
+ * Parameters:
|
|
|
d64f60 |
+ * cmd_parms *cmd The command structure for this configuration
|
|
|
d64f60 |
+ * directive.
|
|
|
d64f60 |
+ * void *struct_ptr Pointer to the current directory configuration.
|
|
|
d64f60 |
+ * NULL if we are not in a directory configuration.
|
|
|
d64f60 |
+ * const char *arg The string argument following this configuration
|
|
|
d64f60 |
+ * directive in the configuraion file.
|
|
|
d64f60 |
+ *
|
|
|
d64f60 |
+ * Returns:
|
|
|
d64f60 |
+ * NULL on success or an error string on failure.
|
|
|
d64f60 |
+ */
|
|
|
d64f60 |
+static const char *am_set_module_diag_flags_slot(cmd_parms *cmd,
|
|
|
d64f60 |
+ void *struct_ptr,
|
|
|
d64f60 |
+ const char *arg)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(cmd->server);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (strcasecmp(arg, "on") == 0) {
|
|
|
d64f60 |
+ diag_cfg->flags = AM_DIAG_FLAG_ENABLE_ALL;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ else if (strcasecmp(arg, "off") == 0) {
|
|
|
d64f60 |
+ diag_cfg->flags = AM_DIAG_FLAG_DISABLE;
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ return apr_psprintf(cmd->pool, "%s: must be one of: 'on', 'off'",
|
|
|
d64f60 |
+ cmd->cmd->name);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ return NULL;
|
|
|
d64f60 |
+#else
|
|
|
d64f60 |
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
|
|
|
d64f60 |
+ "%s has no effect because Mellon was not compiled with"
|
|
|
d64f60 |
+ " diagnostics enabled, use ./configure --enable-diagnostics"
|
|
|
d64f60 |
+ " at build time to turn this feature on.",
|
|
|
d64f60 |
+ cmd->directive->directive);
|
|
|
d64f60 |
+ return NULL;
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* This function handles the MellonCookieSameSite configuration directive.
|
|
|
d64f60 |
* This directive can be set to "lax" or "strict"
|
|
|
d64f60 |
*
|
|
|
d64f60 |
@@ -684,7 +765,7 @@ static const char *am_set_setenv_no_prefix_slot(cmd_parms *cmd,
|
|
|
d64f60 |
static int am_cond_flags(const char *arg)
|
|
|
d64f60 |
{
|
|
|
d64f60 |
int flags = AM_COND_FLAG_NULL;
|
|
|
d64f60 |
- static const char const *options[] = {
|
|
|
d64f60 |
+ static const char * const options[] = {
|
|
|
d64f60 |
"OR", /* AM_EXPIRE_FLAG_OR */
|
|
|
d64f60 |
"NOT", /* AM_EXPIRE_FLAG_NOT */
|
|
|
d64f60 |
"REG", /* AM_EXPIRE_FLAG_REG */
|
|
|
d64f60 |
@@ -1123,6 +1204,30 @@ const command_rec auth_mellon_commands[] = {
|
|
|
d64f60 |
"The maximum size of a saved POST, in bytes."
|
|
|
d64f60 |
" Default value is 1048576 (1 MB)."
|
|
|
d64f60 |
),
|
|
|
d64f60 |
+ AP_INIT_TAKE1(
|
|
|
d64f60 |
+ "MellonDiagnosticsFile",
|
|
|
d64f60 |
+ am_set_module_diag_file_slot,
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ (void *)APR_OFFSETOF(am_diag_cfg_rec, filename),
|
|
|
d64f60 |
+#else
|
|
|
d64f60 |
+ NULL,
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+ RSRC_CONF,
|
|
|
d64f60 |
+ "Diagnostics log file. [file|pipe] "
|
|
|
d64f60 |
+ "If file then file is a filename, relative to the ServerRoot."
|
|
|
d64f60 |
+ "If pipe then the filename is a pipe character \"|\", "
|
|
|
d64f60 |
+ "followed by the path to a program to receive the log information "
|
|
|
d64f60 |
+ "on its standard input. "
|
|
|
d64f60 |
+ " Default value is \"logs/mellon_diagnostics\"."
|
|
|
d64f60 |
+ ),
|
|
|
d64f60 |
+ AP_INIT_ITERATE(
|
|
|
d64f60 |
+ "MellonDiagnosticsEnable",
|
|
|
d64f60 |
+ am_set_module_diag_flags_slot,
|
|
|
d64f60 |
+ NULL,
|
|
|
d64f60 |
+ RSRC_CONF,
|
|
|
d64f60 |
+ "Diagnostics flags. [on|off] "
|
|
|
d64f60 |
+ " Default value is \"off\"."
|
|
|
d64f60 |
+ ),
|
|
|
d64f60 |
|
|
|
d64f60 |
|
|
|
d64f60 |
/* Per-location configuration directives. */
|
|
|
d64f60 |
@@ -1855,6 +1960,13 @@ void *auth_mellon_server_config(apr_pool_t *p, server_rec *s)
|
|
|
d64f60 |
|
|
|
d64f60 |
srv = apr_palloc(p, sizeof(*srv));
|
|
|
d64f60 |
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ srv->diag_cfg.filename = default_diag_filename;
|
|
|
d64f60 |
+ srv->diag_cfg.fd = NULL;
|
|
|
d64f60 |
+ srv->diag_cfg.flags = default_diag_flags;
|
|
|
d64f60 |
+ srv->diag_cfg.dir_cfg_emitted = apr_table_make(p, 0);
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* we want to keeep our global configuration of shared memory and
|
|
|
d64f60 |
* mutexes, so we try to find it in the userdata before doing anything
|
|
|
d64f60 |
* else */
|
|
|
d64f60 |
@@ -1886,6 +1998,47 @@ void *auth_mellon_server_config(apr_pool_t *p, server_rec *s)
|
|
|
d64f60 |
apr_pool_userdata_set(mod, key, apr_pool_cleanup_null, p);
|
|
|
d64f60 |
|
|
|
d64f60 |
srv->mc = mod;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
return srv;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
+/* This function merges two am_srv_cfg_rec structures.
|
|
|
d64f60 |
+ * It will try to inherit from the base where possible.
|
|
|
d64f60 |
+ *
|
|
|
d64f60 |
+ * Parameters:
|
|
|
d64f60 |
+ * apr_pool_t *p The pool we should allocate memory from.
|
|
|
d64f60 |
+ * void *base The original structure.
|
|
|
d64f60 |
+ * void *add The structure we should add to base.
|
|
|
d64f60 |
+ *
|
|
|
d64f60 |
+ * Returns:
|
|
|
d64f60 |
+ * The merged structure.
|
|
|
d64f60 |
+ */
|
|
|
d64f60 |
+void *auth_mellon_srv_merge(apr_pool_t *p, void *base, void *add)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ am_srv_cfg_rec *base_cfg = (am_srv_cfg_rec *)base;
|
|
|
d64f60 |
+ am_srv_cfg_rec *new_cfg;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ new_cfg = (am_srv_cfg_rec *)apr_palloc(p, sizeof(*new_cfg));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ new_cfg->mc = base_cfg->mc;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ am_srv_cfg_rec *add_cfg = (am_srv_cfg_rec *)add;
|
|
|
d64f60 |
+ new_cfg->diag_cfg.filename = (add_cfg->diag_cfg.filename !=
|
|
|
d64f60 |
+ default_diag_filename ?
|
|
|
d64f60 |
+ add_cfg->diag_cfg.filename :
|
|
|
d64f60 |
+ base_cfg->diag_cfg.filename);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ new_cfg->diag_cfg.fd = NULL;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ new_cfg->diag_cfg.flags = (add_cfg->diag_cfg.flags !=
|
|
|
d64f60 |
+ default_diag_flags ?
|
|
|
d64f60 |
+ add_cfg->diag_cfg.flags :
|
|
|
d64f60 |
+ base_cfg->diag_cfg.flags);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ new_cfg->diag_cfg.dir_cfg_emitted = apr_table_make(p, 0);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ return new_cfg;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
|
|
|
d64f60 |
new file mode 100644
|
|
|
d64f60 |
index 0000000..519a44f
|
|
|
d64f60 |
--- /dev/null
|
|
|
d64f60 |
+++ b/auth_mellon_diagnostics.c
|
|
|
d64f60 |
@@ -0,0 +1,1017 @@
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#include "auth_mellon.h"
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#if APR_HAVE_UNISTD_H
|
|
|
d64f60 |
+#include <unistd.h>
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+#if APR_HAVE_PROCESS_H
|
|
|
d64f60 |
+#include <process.h> /* for getpid() on Win32 */
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/*============================= Internal Static ==============================*/
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/*------------------ Defines ------------------*/
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#define AM_DIAG_ENABLED(diag_cfg) \
|
|
|
d64f60 |
+ (diag_cfg && diag_cfg->fd && (diag_cfg->flags & AM_DIAG_FLAG_ENABLED))
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/*------------------ Typedefs ------------------*/
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+typedef struct iter_callback_data {
|
|
|
d64f60 |
+ apr_file_t *diag_fd;
|
|
|
d64f60 |
+ int level;
|
|
|
d64f60 |
+} iter_callback_data;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/*------------------ Prototypes ------------------*/
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+indent(int level);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static void
|
|
|
d64f60 |
+write_indented_text(apr_file_t *diag_fd, int level, const char* text);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static void
|
|
|
d64f60 |
+am_diag_format_line(apr_pool_t *pool, apr_file_t *diag_fd, int level,
|
|
|
d64f60 |
+ const char *fmt, va_list ap);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+am_diag_cond_flag_str(request_rec *r, am_cond_flag_t flags);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+am_diag_enable_str(am_enable_t enable);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+am_diag_samesite_str(am_samesite_t samesite);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+am_diag_httpd_error_level_str(request_rec *r, int level);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static apr_size_t
|
|
|
d64f60 |
+am_diag_time_t_to_8601_buf(char *buf, apr_size_t buf_size, apr_time_t t);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static int
|
|
|
d64f60 |
+am_diag_open_log(server_rec *s, apr_pool_t *p);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static int
|
|
|
d64f60 |
+am_table_count(void *rec, const char *key, const char *value);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static int
|
|
|
d64f60 |
+log_headers(void *rec, const char *key, const char *value);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static int
|
|
|
d64f60 |
+log_probe_discovery_idp(void *rec, const char *key, const char *value);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static void
|
|
|
d64f60 |
+am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+ __attribute__((format(printf,4,5)));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static bool
|
|
|
d64f60 |
+am_diag_initialize_req(request_rec *r, am_diag_cfg_rec *diag_cfg,
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/*------------------ Functions ------------------*/
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+indent(int level)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ static const char * const indents[] = {
|
|
|
d64f60 |
+ "", /* 0 */
|
|
|
d64f60 |
+ " ", /* 1 */
|
|
|
d64f60 |
+ " ", /* 2 */
|
|
|
d64f60 |
+ " ", /* 3 */
|
|
|
d64f60 |
+ " ", /* 4 */
|
|
|
d64f60 |
+ " ", /* 5 */
|
|
|
d64f60 |
+ " ", /* 6 */
|
|
|
d64f60 |
+ " ", /* 7 */
|
|
|
d64f60 |
+ " ", /* 8 */
|
|
|
d64f60 |
+ " ", /* 9 */
|
|
|
d64f60 |
+ };
|
|
|
d64f60 |
+ int n_indents = sizeof(indents)/sizeof(indents[0]);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (level < 0) {
|
|
|
d64f60 |
+ return "";
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ if (level < n_indents) {
|
|
|
d64f60 |
+ return indents[level];
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ return indents[n_indents-1];
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static void
|
|
|
d64f60 |
+write_indented_text(apr_file_t *diag_fd, int level, const char* text)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ const char *start, *end, *prefix;
|
|
|
d64f60 |
+ size_t len, prefix_len;
|
|
|
d64f60 |
+ bool crlf = false;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!text) return;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ prefix = indent(level);
|
|
|
d64f60 |
+ prefix_len = strlen(prefix);
|
|
|
d64f60 |
+ start = end = text;
|
|
|
d64f60 |
+ while (*end) {
|
|
|
d64f60 |
+ /* find end of line */
|
|
|
d64f60 |
+ for (; *end && *end != '\n'; end++);
|
|
|
d64f60 |
+ if (*end == '\n') {
|
|
|
d64f60 |
+ /* was this a crlf sequence? */
|
|
|
d64f60 |
+ if (end > text && end[-1] == '\r') crlf = true;
|
|
|
d64f60 |
+ /* advance past line ending */
|
|
|
d64f60 |
+ end += 1;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ /* length of line including line ending */
|
|
|
d64f60 |
+ len = end - start;
|
|
|
d64f60 |
+ /* write indent prefix */
|
|
|
d64f60 |
+ apr_file_write_full(diag_fd, prefix, prefix_len, NULL);
|
|
|
d64f60 |
+ /* write line including line ending */
|
|
|
d64f60 |
+ apr_file_write_full(diag_fd, start, len, NULL);
|
|
|
d64f60 |
+ /* begin again where we left off */
|
|
|
d64f60 |
+ start = end;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ /* always write a trailing line ending */
|
|
|
d64f60 |
+ if (end > text && end[-1] != '\n') {
|
|
|
d64f60 |
+ if (crlf) {
|
|
|
d64f60 |
+ apr_file_write_full(diag_fd, "\r\n", 2, NULL);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ apr_file_write_full(diag_fd, "\n", 1, NULL);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static void
|
|
|
d64f60 |
+am_diag_format_line(apr_pool_t *pool, apr_file_t *diag_fd, int level,
|
|
|
d64f60 |
+ const char *fmt, va_list ap)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ char * buf = NULL;
|
|
|
d64f60 |
+ apr_size_t buf_len;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (fmt) {
|
|
|
d64f60 |
+ buf = apr_pvsprintf(pool, fmt, ap);
|
|
|
d64f60 |
+ buf_len = strlen(buf);
|
|
|
d64f60 |
+ if (buf_len > 0) {
|
|
|
d64f60 |
+ const char *prefix = indent(level);
|
|
|
d64f60 |
+ apr_size_t prefix_len = strlen(prefix);
|
|
|
d64f60 |
+ apr_file_write_full(diag_fd, prefix, prefix_len, NULL);
|
|
|
d64f60 |
+ apr_file_write_full(diag_fd, buf, buf_len, NULL);
|
|
|
d64f60 |
+ apr_file_putc('\n', diag_fd);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+am_diag_cond_flag_str(request_rec *r, am_cond_flag_t flags)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ char *str;
|
|
|
d64f60 |
+ char *comma;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ str = apr_pstrcat(r->pool,
|
|
|
d64f60 |
+ "[",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_OR ? "OR," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_NOT ? "NOT," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_REG ? "REG," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_NC ? "NC," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_MAP ? "MAP," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_REF ? "REF," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_SUB ? "SUB," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_IGN ? "IGN," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_REQ ? "REQ," : "",
|
|
|
d64f60 |
+ flags & AM_COND_FLAG_FSTR ? "FSTR," : "",
|
|
|
d64f60 |
+ "]",
|
|
|
d64f60 |
+ NULL);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ /* replace trailing ",]" with "]" */
|
|
|
d64f60 |
+ comma = rindex(str, ',');
|
|
|
d64f60 |
+ if (comma) {
|
|
|
d64f60 |
+ *comma = ']';
|
|
|
d64f60 |
+ *(comma+1) = 0;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ return str;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+am_diag_enable_str(am_enable_t enable)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ switch(enable) {
|
|
|
d64f60 |
+ case am_enable_default: return "default";
|
|
|
d64f60 |
+ case am_enable_off: return "off";
|
|
|
d64f60 |
+ case am_enable_info: return "info";
|
|
|
d64f60 |
+ case am_enable_auth: return "auth";
|
|
|
d64f60 |
+ default: return "unknown";
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+am_diag_samesite_str(am_samesite_t samesite)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ switch(samesite) {
|
|
|
d64f60 |
+ case am_samesite_default: return "default";
|
|
|
d64f60 |
+ case am_samesite_lax: return "lax";
|
|
|
d64f60 |
+ case am_samesite_strict: return "strict";
|
|
|
d64f60 |
+ default: return "unknown";
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static const char *
|
|
|
d64f60 |
+am_diag_httpd_error_level_str(request_rec *r, int level)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ switch(level) {
|
|
|
d64f60 |
+ case APLOG_EMERG: return "APLOG_EMERG";
|
|
|
d64f60 |
+ case APLOG_ALERT: return "APLOG_ALERT";
|
|
|
d64f60 |
+ case APLOG_CRIT: return "APLOG_CRIT";
|
|
|
d64f60 |
+ case APLOG_ERR: return "APLOG_ERR";
|
|
|
d64f60 |
+ case APLOG_WARNING: return "APLOG_WARNING";
|
|
|
d64f60 |
+ case APLOG_NOTICE: return "APLOG_NOTICE";
|
|
|
d64f60 |
+ case APLOG_INFO: return "APLOG_INFO";
|
|
|
d64f60 |
+ case APLOG_DEBUG: return "APLOG_DEBUG";
|
|
|
d64f60 |
+ case APLOG_TRACE1: return "APLOG_TRACE1";
|
|
|
d64f60 |
+ case APLOG_TRACE2: return "APLOG_TRACE2";
|
|
|
d64f60 |
+ case APLOG_TRACE3: return "APLOG_TRACE3";
|
|
|
d64f60 |
+ case APLOG_TRACE4: return "APLOG_TRACE4";
|
|
|
d64f60 |
+ case APLOG_TRACE5: return "APLOG_TRACE5";
|
|
|
d64f60 |
+ case APLOG_TRACE6: return "APLOG_TRACE6";
|
|
|
d64f60 |
+ case APLOG_TRACE7: return "APLOG_TRACE7";
|
|
|
d64f60 |
+ case APLOG_TRACE8: return "APLOG_TRACE8";
|
|
|
d64f60 |
+ default:
|
|
|
d64f60 |
+ return apr_psprintf(r->pool, "APLOG_%d", level);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static apr_size_t
|
|
|
d64f60 |
+am_diag_time_t_to_8601_buf(char *buf, apr_size_t buf_size, apr_time_t t)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ apr_size_t ret_size;
|
|
|
d64f60 |
+ apr_time_exp_t tm;
|
|
|
d64f60 |
+ const char fmt[] = "%FT%TZ";
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_time_exp_gmt(&tm, t);
|
|
|
d64f60 |
+ apr_strftime(buf, &ret_size, buf_size, fmt, &tm;;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ /* on errror assure string is null terminated */
|
|
|
d64f60 |
+ if (ret_size == 0) buf[0] = 0;
|
|
|
d64f60 |
+ return ret_size;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static int
|
|
|
d64f60 |
+am_diag_open_log(server_rec *s, apr_pool_t *p)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ const char *server_name = NULL;
|
|
|
d64f60 |
+ const char *server_desc = NULL;
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(s);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ /* Build the ServerName as it would appear in the ServerName directive */
|
|
|
d64f60 |
+ if (s->server_scheme) {
|
|
|
d64f60 |
+ server_name = apr_psprintf(p, "%s://%s",
|
|
|
d64f60 |
+ s->server_scheme, s->server_hostname);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ server_name = apr_psprintf(p, "%s", s->server_hostname);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ if (s->port) {
|
|
|
d64f60 |
+ server_name = apr_psprintf(p, "%s:%u", server_name, s->port);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (s->is_virtual) {
|
|
|
d64f60 |
+ server_desc = apr_psprintf(p, "virtual server %s:%d (%s:%u)"
|
|
|
d64f60 |
+ " ServerName=%s",
|
|
|
d64f60 |
+ s->addrs->virthost, s->addrs->host_port,
|
|
|
d64f60 |
+ s->defn_name, s->defn_line_number,
|
|
|
d64f60 |
+ server_name);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ server_desc = apr_psprintf(p, "main server, ServerName=%s",
|
|
|
d64f60 |
+ server_name);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {
|
|
|
d64f60 |
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
|
|
d64f60 |
+ "mellon diagnostics disabled for %s", server_desc);
|
|
|
d64f60 |
+ return 1;
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
|
|
d64f60 |
+ "mellon diagnostics enabled for %s, "
|
|
|
d64f60 |
+ "diagnostics filename=%s",
|
|
|
d64f60 |
+ server_desc, diag_cfg->filename);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!diag_cfg->filename || diag_cfg->fd)
|
|
|
d64f60 |
+ return 1;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (*diag_cfg->filename == '|') {
|
|
|
d64f60 |
+ piped_log *pl;
|
|
|
d64f60 |
+ const char *pname = ap_server_root_relative(p, diag_cfg->filename + 1);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ pl = ap_open_piped_log(p, pname);
|
|
|
d64f60 |
+ if (pl == NULL) {
|
|
|
d64f60 |
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
|
|
d64f60 |
+ "couldn't spawn mellon diagnostics log pipe %s",
|
|
|
d64f60 |
+ diag_cfg->filename);
|
|
|
d64f60 |
+ return 0;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ diag_cfg->fd = ap_piped_log_write_fd(pl);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ else {
|
|
|
d64f60 |
+ const char *fname = ap_server_root_relative(p, diag_cfg->filename);
|
|
|
d64f60 |
+ apr_status_t rv;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if ((rv = apr_file_open(&diag_cfg->fd, fname,
|
|
|
d64f60 |
+ APR_WRITE | APR_APPEND | APR_CREATE,
|
|
|
d64f60 |
+ APR_OS_DEFAULT, p)) != APR_SUCCESS) {
|
|
|
d64f60 |
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
|
|
|
d64f60 |
+ "could not open mellon diagnostics log file %s.",
|
|
|
d64f60 |
+ fname);
|
|
|
d64f60 |
+ return 0;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ return 1;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static int
|
|
|
d64f60 |
+am_table_count(void *rec, const char *key, const char *value)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ int *n_items = (int *)rec;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ (*n_items)++;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ return 1;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static int
|
|
|
d64f60 |
+log_headers(void *rec, const char *key, const char *value)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ iter_callback_data *iter_data = (iter_callback_data *)rec;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(iter_data->diag_fd, "%s%s: %s\n",
|
|
|
d64f60 |
+ indent(iter_data->level), key, value);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ return 1;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static int
|
|
|
d64f60 |
+log_probe_discovery_idp(void *rec, const char *key, const char *value)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ iter_callback_data *iter_data = (iter_callback_data *)rec;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(iter_data->diag_fd,
|
|
|
d64f60 |
+ "%s%s: %s\n", indent(iter_data->level), key, value);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ return 1;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static void
|
|
|
d64f60 |
+am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ va_list ap;
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(r->server);
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
+ int i, n_items;
|
|
|
d64f60 |
+ apr_hash_index_t *hash_item;
|
|
|
d64f60 |
+ GList *list_item;
|
|
|
d64f60 |
+ iter_callback_data iter_data;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!AM_DIAG_ENABLED(diag_cfg)) return;
|
|
|
d64f60 |
+ if (!am_diag_initialize_req(r, diag_cfg, req_cfg)) return;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ iter_data.diag_fd = diag_cfg->fd;
|
|
|
d64f60 |
+ iter_data.level = level+1;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ va_start(ap, fmt);
|
|
|
d64f60 |
+ am_diag_format_line(r->pool, diag_cfg->fd, level, fmt, ap);
|
|
|
d64f60 |
+ va_end(ap);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!cfg) {
|
|
|
d64f60 |
+ apr_file_flush(diag_cfg->fd);
|
|
|
d64f60 |
+ return;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonEnable (enable): %s\n",
|
|
|
d64f60 |
+ indent(level+1), am_diag_enable_str(cfg->enable_mellon));
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonVariable (varname): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->varname);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSecureCookie (secure): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->secure ? "On":"Off"); /* FIXME, should be combined? */
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSecureCookie (httpd_only): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->http_only ? "On":"Off");
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonMergeEnvVars (merge_env_vars): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->merge_env_vars);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonEnvVarsIndexStart (env_vars_index_start): %d\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->env_vars_index_start);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonEnvVarsSetCount (env_vars_count_in_n): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->env_vars_count_in_n ? "On":"Off");
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonCookieDomain (cookie_domain): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->cookie_domain);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonCookiePath (cookie_path): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->cookie_path);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonCookieSameSite (cookie_samesite): %s\n",
|
|
|
d64f60 |
+ indent(level+1),
|
|
|
d64f60 |
+ am_diag_samesite_str(cfg->cookie_samesite));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonCond (cond): %d items\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->cond->nelts);
|
|
|
d64f60 |
+ for (i = 0; i < cfg->cond->nelts; i++) {
|
|
|
d64f60 |
+ const am_cond_t *cond = &((am_cond_t *)(cfg->cond->elts))[i];
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s[%2d]: %s\n",
|
|
|
d64f60 |
+ indent(level+2), i, am_diag_cond_str(r, cond));
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSetEnv (envattr): %u items\n",
|
|
|
d64f60 |
+ indent(level+1), apr_hash_count(cfg->envattr));
|
|
|
d64f60 |
+ for (hash_item = apr_hash_first(r->pool, cfg->envattr);
|
|
|
d64f60 |
+ hash_item;
|
|
|
d64f60 |
+ hash_item = apr_hash_next(hash_item)) {
|
|
|
d64f60 |
+ const char *key;
|
|
|
d64f60 |
+ const am_envattr_conf_t *envattr_conf;
|
|
|
d64f60 |
+ const char *name;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (envattr_conf->prefixed) {
|
|
|
d64f60 |
+ name = apr_pstrcat(r->pool, "MELLON_",
|
|
|
d64f60 |
+ envattr_conf->name, NULL);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ name = envattr_conf->name;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s%s ==> %s\n",
|
|
|
d64f60 |
+ indent(level+2), key, name);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonUser (userattr): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->userattr);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonIdP (idpattr): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->idpattr);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSessionDump (dump_session): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->dump_session ? "On":"Off");
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSamlResponseDump (dump_saml_response): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->dump_saml_response ? "On":"Off");
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonEndpointPath (endpoint_path): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->endpoint_path);
|
|
|
d64f60 |
+ am_diag_log_file_data(r, level+1, cfg->sp_metadata_file,
|
|
|
d64f60 |
+ "MellonSPMetadataFile (sp_metadata_file):");
|
|
|
d64f60 |
+ am_diag_log_file_data(r, level+1, cfg->sp_private_key_file,
|
|
|
d64f60 |
+ "MellonSPPrivateKeyFile (sp_private_key_file):");
|
|
|
d64f60 |
+ am_diag_log_file_data(r, level+1, cfg->sp_cert_file,
|
|
|
d64f60 |
+ "MellonSPCertFile (sp_cert_file):");
|
|
|
d64f60 |
+ am_diag_log_file_data(r, level+1, cfg->idp_public_key_file,
|
|
|
d64f60 |
+ "MellonIdPPublicKeyFile (idp_public_key_file):");
|
|
|
d64f60 |
+ am_diag_log_file_data(r, level+1, cfg->idp_ca_file,
|
|
|
d64f60 |
+ "MellonIdPCAFile (idp_ca_file):");
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonIdPMetadataFile (idp_metadata): %d items\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->idp_metadata->nelts);
|
|
|
d64f60 |
+ for (i = 0; i < cfg->idp_metadata->nelts; i++) {
|
|
|
d64f60 |
+ const am_metadata_t *idp_metadata;
|
|
|
d64f60 |
+ idp_metadata = &(((const am_metadata_t*)cfg->idp_metadata->elts)[i]);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_log_file_data(r, level+1, idp_metadata->metadata,
|
|
|
d64f60 |
+ "[%2d] Metadata", i);
|
|
|
d64f60 |
+ am_diag_log_file_data(r, level+1, idp_metadata->chain,
|
|
|
d64f60 |
+ "[%2d] Chain File", i);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonIdPIgnore (idp_ignore):\n",
|
|
|
d64f60 |
+ indent(level+1));
|
|
|
d64f60 |
+ for (list_item = cfg->idp_ignore, i = 0;
|
|
|
d64f60 |
+ list_item;
|
|
|
d64f60 |
+ list_item = g_list_next(list_item), i++) {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s[%2d]: %s\n",
|
|
|
d64f60 |
+ indent(level+2), i, (char *)list_item->data);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSPentityId (sp_entity_id): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->sp_entity_id);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonOrganizationName (sp_org_name): %u items\n",
|
|
|
d64f60 |
+ indent(level+1), apr_hash_count(cfg->sp_org_name));
|
|
|
d64f60 |
+ for (hash_item = apr_hash_first(r->pool, cfg->sp_org_name);
|
|
|
d64f60 |
+ hash_item;
|
|
|
d64f60 |
+ hash_item = apr_hash_next(hash_item)) {
|
|
|
d64f60 |
+ const char *lang;
|
|
|
d64f60 |
+ const char *value;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_hash_this(hash_item, (void *)&lang, NULL, (void *)&value);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s(lang=%s): %s\n",
|
|
|
d64f60 |
+ indent(level+2), lang, value);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonOrganizationDisplayName (sp_org_display_name):"
|
|
|
d64f60 |
+ " %u items\n",
|
|
|
d64f60 |
+ indent(level+1), apr_hash_count(cfg->sp_org_display_name));
|
|
|
d64f60 |
+ for (hash_item = apr_hash_first(r->pool, cfg->sp_org_display_name);
|
|
|
d64f60 |
+ hash_item;
|
|
|
d64f60 |
+ hash_item = apr_hash_next(hash_item)) {
|
|
|
d64f60 |
+ const char *lang;
|
|
|
d64f60 |
+ const char *value;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_hash_this(hash_item, (void *)&lang, NULL, (void *)&value);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s(lang=%s): %s\n",
|
|
|
d64f60 |
+ indent(level+2), lang, value);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonOrganizationURL (sp_org_url): %u items\n",
|
|
|
d64f60 |
+ indent(level+1), apr_hash_count(cfg->sp_org_url));
|
|
|
d64f60 |
+ for (hash_item = apr_hash_first(r->pool, cfg->sp_org_url);
|
|
|
d64f60 |
+ hash_item;
|
|
|
d64f60 |
+ hash_item = apr_hash_next(hash_item)) {
|
|
|
d64f60 |
+ const char *lang;
|
|
|
d64f60 |
+ const char *value;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_hash_this(hash_item, (void *)&lang, NULL, (void *)&value);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s(lang=%s): %s\n",
|
|
|
d64f60 |
+ indent(level+2), lang, value);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSessionLength (session_length): %d\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->session_length);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonNoCookieErrorPage (no_cookie_error_page): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->no_cookie_error_page);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonNoSuccessErrorPage (no_success_error_page): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->no_success_error_page);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonDefaultLoginPath (login_path): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->login_path);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonDiscoveryURL (discovery_url): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->discovery_url);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonProbeDiscoveryTimeout (probe_discovery_timeout):"
|
|
|
d64f60 |
+ " %d\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->probe_discovery_timeout);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ n_items = 0;
|
|
|
d64f60 |
+ apr_table_do(am_table_count, &n_items, cfg->probe_discovery_idp, NULL);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonProbeDiscoveryIdP (probe_discovery_idp):"
|
|
|
d64f60 |
+ " %d items\n",
|
|
|
d64f60 |
+ indent(level+1), n_items);
|
|
|
d64f60 |
+ apr_table_do(log_probe_discovery_idp, &iter_data,
|
|
|
d64f60 |
+ cfg->probe_discovery_idp, NULL);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonAuthnContextClassRef (authn_context_class_ref):"
|
|
|
d64f60 |
+ " %d items\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->authn_context_class_ref->nelts);
|
|
|
d64f60 |
+ for(i = 0; i < cfg->authn_context_class_ref->nelts; i++) {
|
|
|
d64f60 |
+ const char *context_class;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ context_class = APR_ARRAY_IDX(cfg->authn_context_class_ref, i, char *);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s[%2d]: %s\n",
|
|
|
d64f60 |
+ indent(level+2), i, context_class);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSubjectConfirmationDataAddressCheck"
|
|
|
d64f60 |
+ " (subject_confirmation_data_address_check): %s\n",
|
|
|
d64f60 |
+ indent(level+1),
|
|
|
d64f60 |
+ cfg->subject_confirmation_data_address_check ? "On":"Off");
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonDoNotVerifyLogoutSignature"
|
|
|
d64f60 |
+ " (do_not_verify_logout_signature): %u items\n",
|
|
|
d64f60 |
+ indent(level+1),
|
|
|
d64f60 |
+ apr_hash_count(cfg->do_not_verify_logout_signature));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ for (hash_item = apr_hash_first(r->pool,
|
|
|
d64f60 |
+ cfg->do_not_verify_logout_signature);
|
|
|
d64f60 |
+ hash_item;
|
|
|
d64f60 |
+ hash_item = apr_hash_next(hash_item)) {
|
|
|
d64f60 |
+ const char *entity_id;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_hash_this(hash_item, (void *)&entity_id, NULL, NULL);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s%s\n",
|
|
|
d64f60 |
+ indent(level+2), entity_id);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonSendCacheControlHeader"
|
|
|
d64f60 |
+ " (send_cache_control_header): %s\n",
|
|
|
d64f60 |
+ indent(level+1),
|
|
|
d64f60 |
+ cfg->send_cache_control_header ? "On":"Off");
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonPostReplay (post_replay): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->post_replay ? "On":"Off");
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonECPSendIDPList (ecp_send_idplist): %s\n",
|
|
|
d64f60 |
+ indent(level+1), cfg->ecp_send_idplist ? "On":"Off");
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ for (n_items = 0; cfg->redirect_domains[n_items] != NULL; n_items++);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sMellonRedirectDomains (redirect_domains): %d items\n",
|
|
|
d64f60 |
+ indent(level+1), n_items);
|
|
|
d64f60 |
+ for (i = 0; cfg->redirect_domains[i] != NULL; i++) {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s%s\n",
|
|
|
d64f60 |
+ indent(level+2), cfg->redirect_domains[i]);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_flush(diag_cfg->fd);
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+static bool
|
|
|
d64f60 |
+am_diag_initialize_req(request_rec *r, am_diag_cfg_rec *diag_cfg,
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ server_rec *s = r->server;
|
|
|
d64f60 |
+ am_dir_cfg_rec *dir_cfg;
|
|
|
d64f60 |
+ apr_os_thread_t tid = apr_os_thread_current();
|
|
|
d64f60 |
+ iter_callback_data iter_data;
|
|
|
d64f60 |
+ int level = 0;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!diag_cfg) return false;
|
|
|
d64f60 |
+ if (!diag_cfg->fd) return false;
|
|
|
d64f60 |
+ if (!req_cfg) return false;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (req_cfg->diag_emitted) return true;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ iter_data.diag_fd = diag_cfg->fd;
|
|
|
d64f60 |
+ iter_data.level = level+1;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_puts("---------------------------------- New Request"
|
|
|
d64f60 |
+ " ---------------------------------\n", diag_cfg->fd);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "%s - %s\n", r->method, r->uri);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "log_id: %s\n", r->log_id);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "server: scheme=%s hostname=%s port=%d\n",
|
|
|
d64f60 |
+ s->server_scheme, s->server_hostname, s->port);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "pid: %" APR_PID_T_FMT ", tid: %pT\n",
|
|
|
d64f60 |
+ getpid(), &tid;;
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "unparsed_uri: %s\n", r->unparsed_uri);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "uri: %s\n", r->uri);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "path_info: %s\n", r->path_info);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "filename: %s\n", r->filename);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "query args: %s\n", r->args);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "Request Headers:\n");
|
|
|
d64f60 |
+ apr_table_do(log_headers, &iter_data, r->headers_in, NULL);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ req_cfg->diag_emitted = true;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ /* Only emit directory configuration once */
|
|
|
d64f60 |
+ if (!apr_table_get(diag_cfg->dir_cfg_emitted, r->uri)) {
|
|
|
d64f60 |
+ dir_cfg = am_get_dir_cfg(r);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_log_dir_cfg(r, level, dir_cfg,
|
|
|
d64f60 |
+ "Mellon Directory Configuration for URL: %s",
|
|
|
d64f60 |
+ r->uri);
|
|
|
d64f60 |
+ apr_table_set(diag_cfg->dir_cfg_emitted, r->uri, "1");
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ return true;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+/*=============================== Public API =================================*/
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+int
|
|
|
d64f60 |
+am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ for ( ; s ; s = s->next) {
|
|
|
d64f60 |
+ if (!am_diag_open_log(s, p)) {
|
|
|
d64f60 |
+ return HTTP_INTERNAL_SERVER_ERROR;
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ return OK;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+int
|
|
|
d64f60 |
+am_diag_finalize_request(request_rec *r)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(r->server);
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
+ int level = 0;
|
|
|
d64f60 |
+ iter_callback_data iter_data;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!AM_DIAG_ENABLED(diag_cfg)) return OK;
|
|
|
d64f60 |
+ if (!req_cfg) return OK;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!req_cfg->diag_emitted) return OK;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ iter_data.diag_fd = diag_cfg->fd;
|
|
|
d64f60 |
+ iter_data.level = level+1;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_puts("\n=== Response ===\n", diag_cfg->fd);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "Status: %s(%d)\n",
|
|
|
d64f60 |
+ r->status_line, r->status);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "user: %s auth_type=%s\n",
|
|
|
d64f60 |
+ r->user, r->ap_auth_type);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "Response Headers:\n");
|
|
|
d64f60 |
+ apr_table_do(log_headers, &iter_data, r->headers_out, NULL);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "Response Error Headers:\n");
|
|
|
d64f60 |
+ apr_table_do(log_headers, &iter_data, r->err_headers_out, NULL);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "Environment:\n");
|
|
|
d64f60 |
+ apr_table_do(log_headers, &iter_data, r->subprocess_env, NULL);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ return OK;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+char *
|
|
|
d64f60 |
+am_diag_time_t_to_8601(request_rec *r, apr_time_t t)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ char *buf;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ buf = apr_palloc(r->pool, ISO_8601_BUF_SIZE);
|
|
|
d64f60 |
+ if (!buf) return NULL;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_time_t_to_8601_buf(buf, ISO_8601_BUF_SIZE, t);
|
|
|
d64f60 |
+ return buf;
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+const char *
|
|
|
d64f60 |
+am_diag_cond_str(request_rec *r, const am_cond_t *cond)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ return apr_psprintf(r->pool,
|
|
|
d64f60 |
+ "varname=\"%s\" flags=%s str=\"%s\" directive=\"%s\"",
|
|
|
d64f60 |
+ cond->varname, am_diag_cond_flag_str(r, cond->flags),
|
|
|
d64f60 |
+ cond->str, cond->directive);
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+const char *
|
|
|
d64f60 |
+am_diag_cache_key_type_str(am_cache_key_t key_type)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ switch(key_type) {
|
|
|
d64f60 |
+ case AM_CACHE_SESSION: return "session";
|
|
|
d64f60 |
+ case AM_CACHE_NAMEID : return "name id";
|
|
|
d64f60 |
+ default: return "unknown";
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+const char *
|
|
|
d64f60 |
+am_diag_lasso_http_method_str(LassoHttpMethod http_method)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ switch(http_method) {
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_NONE: return "LASSO_HTTP_METHOD_NONE";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_ANY: return "LASSO_HTTP_METHOD_ANY";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_IDP_INITIATED: return "LASSO_HTTP_METHOD_IDP_INITIATED";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_GET: return "LASSO_HTTP_METHOD_GET";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_POST: return "LASSO_HTTP_METHOD_POST";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_REDIRECT: return "LASSO_HTTP_METHOD_REDIRECT";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_SOAP: return "LASSO_HTTP_METHOD_SOAP";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_ARTIFACT_GET: return "LASSO_HTTP_METHOD_ARTIFACT_GET";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_ARTIFACT_POST: return "LASSO_HTTP_METHOD_ARTIFACT_POST";
|
|
|
d64f60 |
+ case LASSO_HTTP_METHOD_PAOS: return "LASSO_HTTP_METHOD_PAOS";
|
|
|
d64f60 |
+ default: return "unknown";
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_printf(request_rec *r, const char *fmt, ...)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ va_list ap;
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(r->server);
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
+ char *buf;
|
|
|
d64f60 |
+ apr_size_t buf_len;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!AM_DIAG_ENABLED(diag_cfg)) return;
|
|
|
d64f60 |
+ if (!am_diag_initialize_req(r, diag_cfg, req_cfg)) return;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ va_start(ap, fmt);
|
|
|
d64f60 |
+ buf = apr_pvsprintf(r->pool, fmt, ap);
|
|
|
d64f60 |
+ va_end(ap);
|
|
|
d64f60 |
+ buf_len = strlen(buf);
|
|
|
d64f60 |
+ if (buf_len > 0) {
|
|
|
d64f60 |
+ apr_file_write_full(diag_cfg->fd, buf, buf_len, NULL);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ apr_file_flush(diag_cfg->fd);
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_rerror(const char *file, int line, int module_index,
|
|
|
d64f60 |
+ int level, apr_status_t status,
|
|
|
d64f60 |
+ request_rec *r, const char *fmt, ...)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ va_list ap;
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(r->server);
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
+ char *buf;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!AM_DIAG_ENABLED(diag_cfg)) return;
|
|
|
d64f60 |
+ if (!am_diag_initialize_req(r, diag_cfg, req_cfg)) return;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ buf = apr_psprintf(r->pool, "[%s %s:%d] ",
|
|
|
d64f60 |
+ am_diag_httpd_error_level_str(r, level), file, line);
|
|
|
d64f60 |
+ apr_file_puts(buf, diag_cfg->fd);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ va_start(ap, fmt);
|
|
|
d64f60 |
+ buf = apr_pvsprintf(r->pool, fmt, ap);
|
|
|
d64f60 |
+ va_end(ap);
|
|
|
d64f60 |
+ apr_file_puts(buf, diag_cfg->fd);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_puts(APR_EOL_STR, diag_cfg->fd);
|
|
|
d64f60 |
+ apr_file_flush(diag_cfg->fd);
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_log_lasso_node(request_rec *r, int level, LassoNode *node,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ va_list ap;
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(r->server);
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
+ gchar *xml = NULL;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!AM_DIAG_ENABLED(diag_cfg)) return;
|
|
|
d64f60 |
+ if (!am_diag_initialize_req(r, diag_cfg, req_cfg)) return;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ va_start(ap, fmt);
|
|
|
d64f60 |
+ am_diag_format_line(r->pool, diag_cfg->fd, level, fmt, ap);
|
|
|
d64f60 |
+ va_end(ap);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (node) {
|
|
|
d64f60 |
+ xml = lasso_node_debug(node, 0);
|
|
|
d64f60 |
+ write_indented_text(diag_cfg->fd, level+1, xml);
|
|
|
d64f60 |
+ lasso_release_string(xml);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd, "node is NULL\n");
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ apr_file_flush(diag_cfg->fd);
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_log_file_data(request_rec *r, int level, am_file_data_t *file_data,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ va_list ap;
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(r->server);
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!AM_DIAG_ENABLED(diag_cfg)) return;
|
|
|
d64f60 |
+ if (!am_diag_initialize_req(r, diag_cfg, req_cfg)) return;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ va_start(ap, fmt);
|
|
|
d64f60 |
+ am_diag_format_line(r->pool, diag_cfg->fd, level, fmt, ap);
|
|
|
d64f60 |
+ va_end(ap);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (file_data) {
|
|
|
d64f60 |
+ if (file_data->generated) {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sGenerated file contents:\n",
|
|
|
d64f60 |
+ indent(level+1));
|
|
|
d64f60 |
+ write_indented_text(diag_cfg->fd,
|
|
|
d64f60 |
+ level+2, file_data->contents);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%spathname: \"%s\"\n",
|
|
|
d64f60 |
+ indent(level+1), file_data->path);
|
|
|
d64f60 |
+ if (!file_data->read_time) {
|
|
|
d64f60 |
+ am_file_read(file_data);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ if (file_data->rv == APR_SUCCESS) {
|
|
|
d64f60 |
+ write_indented_text(diag_cfg->fd,
|
|
|
d64f60 |
+ level+2, file_data->contents);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%s%s\n",
|
|
|
d64f60 |
+ indent(level+1), file_data->strerror);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sfile_data: NULL\n",
|
|
|
d64f60 |
+ indent(level+1));
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_flush(diag_cfg->fd);
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_log_profile(request_rec *r, int level, LassoProfile *profile,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ va_list ap;
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(r->server);
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
+ LassoSession *session = lasso_profile_get_session(profile);
|
|
|
d64f60 |
+ GList *assertions = lasso_session_get_assertions(session, NULL);
|
|
|
d64f60 |
+ GList *iter = NULL;
|
|
|
d64f60 |
+ int i;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!AM_DIAG_ENABLED(diag_cfg)) return;
|
|
|
d64f60 |
+ if (!am_diag_initialize_req(r, diag_cfg, req_cfg)) return;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ va_start(ap, fmt);
|
|
|
d64f60 |
+ am_diag_format_line(r->pool, diag_cfg->fd, level, fmt, ap);
|
|
|
d64f60 |
+ va_end(ap);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (profile) {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sProfile Type: %s\n",
|
|
|
d64f60 |
+ indent(level+1), G_OBJECT_TYPE_NAME(profile));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ for (iter = assertions, i=0;
|
|
|
d64f60 |
+ iter != NULL;
|
|
|
d64f60 |
+ iter = g_list_next(iter), i++) {
|
|
|
d64f60 |
+ LassoSaml2Assertion *assertion = NULL;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ assertion = LASSO_SAML2_ASSERTION(iter->data);
|
|
|
d64f60 |
+ if (!LASSO_IS_SAML2_ASSERTION(assertion)) {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sObject at index %d in session assertion"
|
|
|
d64f60 |
+ " list is not LassoSaml2Assertion",
|
|
|
d64f60 |
+ indent(level+1), i);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ am_diag_log_lasso_node(r, level+1, &assertion->parent,
|
|
|
d64f60 |
+ "Assertion %d", i);
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sprofile is NULL\n",
|
|
|
d64f60 |
+ indent(level+1));
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_flush(diag_cfg->fd);
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+void
|
|
|
d64f60 |
+am_diag_log_cache_entry(request_rec *r, int level, am_cache_entry_t *entry,
|
|
|
d64f60 |
+ const char *fmt, ...)
|
|
|
d64f60 |
+{
|
|
|
d64f60 |
+ va_list ap;
|
|
|
d64f60 |
+ am_diag_cfg_rec *diag_cfg = am_get_diag_cfg(r->server);
|
|
|
d64f60 |
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ const char *name_id = NULL;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (!AM_DIAG_ENABLED(diag_cfg)) return;
|
|
|
d64f60 |
+ if (!am_diag_initialize_req(r, diag_cfg, req_cfg)) return;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ va_start(ap, fmt);
|
|
|
d64f60 |
+ am_diag_format_line(r->pool, diag_cfg->fd, level, fmt, ap);
|
|
|
d64f60 |
+ va_end(ap);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ if (entry) {
|
|
|
d64f60 |
+ name_id = am_cache_env_fetch_first(entry, "NAME_ID");
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%skey: %s\n",
|
|
|
d64f60 |
+ indent(level+1), entry->key);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sname_id: %s\n",
|
|
|
d64f60 |
+ indent(level+1), name_id);
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sexpires: %s\n",
|
|
|
d64f60 |
+ indent(level+1),
|
|
|
d64f60 |
+ am_diag_time_t_to_8601(r, entry->expires));
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%saccess: %s\n",
|
|
|
d64f60 |
+ indent(level+1),
|
|
|
d64f60 |
+ am_diag_time_t_to_8601(r, entry->access));
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%slogged_in: %s\n",
|
|
|
d64f60 |
+ indent(level+1), entry->logged_in ? "True" : "False");
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ apr_file_printf(diag_cfg->fd,
|
|
|
d64f60 |
+ "%sentry is NULL\n",
|
|
|
d64f60 |
+ indent(level+1));
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+ apr_file_flush(diag_cfg->fd);
|
|
|
d64f60 |
+}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#endif /* ENABLE_DIAGNOSTICS */
|
|
|
d64f60 |
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
|
|
|
d64f60 |
index 08b7869..0cbc0ad 100644
|
|
|
d64f60 |
--- a/auth_mellon_handler.c
|
|
|
d64f60 |
+++ b/auth_mellon_handler.c
|
|
|
d64f60 |
@@ -121,6 +121,8 @@ static char *am_generate_metadata(apr_pool_t *p, request_rec *r)
|
|
|
d64f60 |
char *cert = "";
|
|
|
d64f60 |
const char *sp_entity_id;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "Generating SP metadata\n");
|
|
|
d64f60 |
+
|
|
|
d64f60 |
sp_entity_id = cfg->sp_entity_id ? cfg->sp_entity_id : url;
|
|
|
d64f60 |
|
|
|
d64f60 |
if (cfg->sp_cert_file && cfg->sp_cert_file->contents) {
|
|
|
d64f60 |
@@ -251,6 +253,13 @@ static guint am_server_add_providers(am_dir_cfg_rec *cfg, request_rec *r)
|
|
|
d64f60 |
|
|
|
d64f60 |
idp_metadata = &( ((const am_metadata_t*)cfg->idp_metadata->elts) [index] );
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_log_file_data(r, 0, idp_metadata->metadata,
|
|
|
d64f60 |
+ "Loading IdP Metadata");
|
|
|
d64f60 |
+ if (idp_metadata->chain) {
|
|
|
d64f60 |
+ am_diag_log_file_data(r, 0, idp_metadata->chain,
|
|
|
d64f60 |
+ "Loading IdP metadata chain");
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
#ifdef HAVE_lasso_server_load_metadata
|
|
|
d64f60 |
error = lasso_server_load_metadata(cfg->server,
|
|
|
d64f60 |
LASSO_PROVIDER_ROLE_IDP,
|
|
|
d64f60 |
@@ -674,6 +683,9 @@ static void am_restore_lasso_profile_state(request_rec *r,
|
|
|
d64f60 |
am_release_request_session(r, am_session);
|
|
|
d64f60 |
}
|
|
|
d64f60 |
}
|
|
|
d64f60 |
+ am_diag_log_cache_entry(r, 0, am_session, "%s: Session Cache Entry", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_log_profile(r, 0, profile, "%s: Restored Profile", __func__);
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
/* This function handles an IdP initiated logout request.
|
|
|
d64f60 |
@@ -693,6 +705,8 @@ static int am_handle_logout_request(request_rec *r,
|
|
|
d64f60 |
am_cache_entry_t *session = NULL;
|
|
|
d64f60 |
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* Process the logout message. Ignore missing signature. */
|
|
|
d64f60 |
res = lasso_logout_process_request_msg(logout, msg);
|
|
|
d64f60 |
#ifdef HAVE_lasso_profile_set_signature_verify_hint
|
|
|
d64f60 |
@@ -724,6 +738,10 @@ static int am_handle_logout_request(request_rec *r,
|
|
|
d64f60 |
rc = HTTP_BAD_REQUEST;
|
|
|
d64f60 |
goto exit;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "%s name id %s\n", __func__,
|
|
|
d64f60 |
+ ((LassoSaml2NameID*)logout->parent.nameIdentifier)->content);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
session = am_get_request_session_by_nameid(r,
|
|
|
d64f60 |
((LassoSaml2NameID*)logout->parent.nameIdentifier)->content);
|
|
|
d64f60 |
if (session == NULL) {
|
|
|
d64f60 |
@@ -733,6 +751,9 @@ static int am_handle_logout_request(request_rec *r,
|
|
|
d64f60 |
((LassoSaml2NameID*)logout->parent.nameIdentifier)->content);
|
|
|
d64f60 |
|
|
|
d64f60 |
}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_log_cache_entry(r, 0, session, "%s", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
if (session == NULL) {
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
|
d64f60 |
"Error processing logout request message."
|
|
|
d64f60 |
@@ -830,6 +851,9 @@ static int am_handle_logout_response(request_rec *r, LassoLogout *logout)
|
|
|
d64f60 |
|
|
|
d64f60 |
/* Delete the session. */
|
|
|
d64f60 |
session = am_get_request_session(r);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_log_cache_entry(r, 0, session, "%s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
if(session != NULL) {
|
|
|
d64f60 |
am_delete_request_session(r, session);
|
|
|
d64f60 |
}
|
|
|
d64f60 |
@@ -1482,6 +1506,9 @@ static void am_handle_session_expire(request_rec *r, am_cache_entry_t *session,
|
|
|
d64f60 |
/* Find timestamp. */
|
|
|
d64f60 |
not_on_or_after = authn->SessionNotOnOrAfter;
|
|
|
d64f60 |
if(not_on_or_after == NULL) {
|
|
|
d64f60 |
+ am_diag_printf(r, "%s failed to find"
|
|
|
d64f60 |
+ " Assertion.AuthnStatement.SessionNotOnOrAfter\n",
|
|
|
d64f60 |
+ __func__);
|
|
|
d64f60 |
continue;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -1492,6 +1519,10 @@ static void am_handle_session_expire(request_rec *r, am_cache_entry_t *session,
|
|
|
d64f60 |
continue;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "%s Assertion.AuthnStatement.SessionNotOnOrAfter:"
|
|
|
d64f60 |
+ " %s\n",
|
|
|
d64f60 |
+ __func__, am_diag_time_t_to_8601(r, t));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* Updates the expires timestamp if this one is earlier than the
|
|
|
d64f60 |
* previous timestamp.
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
@@ -1629,6 +1660,10 @@ static int add_attributes(am_cache_entry_t *session, request_rec *r,
|
|
|
d64f60 |
g_free(dump);
|
|
|
d64f60 |
}
|
|
|
d64f60 |
/* Decode and save the attribute. */
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "%s name=%s value=%s\n",
|
|
|
d64f60 |
+ __func__, attribute->Name, content);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
ret = am_cache_env_append(session, attribute->Name, content);
|
|
|
d64f60 |
if(ret != OK) {
|
|
|
d64f60 |
return ret;
|
|
|
d64f60 |
@@ -1725,6 +1760,9 @@ static int am_handle_reply_common(request_rec *r, LassoLogin *login,
|
|
|
d64f60 |
int rc;
|
|
|
d64f60 |
const char *idp;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_log_lasso_node(r, 0, LASSO_PROFILE(login)->response,
|
|
|
d64f60 |
+ "SAMLResponse:");
|
|
|
d64f60 |
+
|
|
|
d64f60 |
url = am_reconstruct_url(r);
|
|
|
d64f60 |
chr = strchr(url, '?');
|
|
|
d64f60 |
if (! chr) {
|
|
|
d64f60 |
@@ -1867,7 +1905,6 @@ static int am_handle_reply_common(request_rec *r, LassoLogin *login,
|
|
|
d64f60 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
-
|
|
|
d64f60 |
/* Save the profile state. */
|
|
|
d64f60 |
rc = am_save_lasso_profile_state(r, session, LASSO_PROFILE(login),
|
|
|
d64f60 |
saml_response);
|
|
|
d64f60 |
@@ -1941,6 +1978,8 @@ static int am_handle_post_reply(request_rec *r)
|
|
|
d64f60 |
am_dir_cfg_rec *dir_cfg = am_get_dir_cfg(r);
|
|
|
d64f60 |
int i, err;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* Make sure that this is a POST request. */
|
|
|
d64f60 |
if(r->method_number != M_POST) {
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
|
d64f60 |
@@ -2050,6 +2089,8 @@ static int am_handle_paos_reply(request_rec *r)
|
|
|
d64f60 |
char *relay_state = NULL;
|
|
|
d64f60 |
int i, err;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* Make sure that this is a POST request. */
|
|
|
d64f60 |
if(r->method_number != M_POST) {
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
|
d64f60 |
@@ -2137,6 +2178,8 @@ static int am_handle_artifact_reply(request_rec *r)
|
|
|
d64f60 |
char *saml_art;
|
|
|
d64f60 |
char *post_data;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* Make sure that this is a GET request. */
|
|
|
d64f60 |
if(r->method_number != M_GET && r->method_number != M_POST) {
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
|
d64f60 |
@@ -2408,6 +2451,8 @@ static int am_handle_repost(request_rec *r)
|
|
|
d64f60 |
const char *(*post_mkform)(request_rec *, const char *);
|
|
|
d64f60 |
int rc;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
if (am_cookie_get(r) == NULL) {
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
|
d64f60 |
"Repost query without a session");
|
|
|
d64f60 |
@@ -2570,6 +2615,8 @@ static int am_handle_metadata(request_rec *r)
|
|
|
d64f60 |
LassoServer *server;
|
|
|
d64f60 |
const char *data;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
server = am_get_lasso_server(r);
|
|
|
d64f60 |
if(server == NULL)
|
|
|
d64f60 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
|
d64f60 |
@@ -2898,6 +2945,11 @@ static int am_init_authn_request_common(request_rec *r,
|
|
|
d64f60 |
static int am_set_authn_request_content(request_rec *r, LassoLogin *login)
|
|
|
d64f60 |
|
|
|
d64f60 |
{
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_log_lasso_node(r, 0, LASSO_PROFILE(login)->request,
|
|
|
d64f60 |
+ "SAML AuthnRequest: http_method=%s",
|
|
|
d64f60 |
+ am_diag_lasso_http_method_str(login->http_method));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
switch (login->http_method) {
|
|
|
d64f60 |
case LASSO_HTTP_METHOD_REDIRECT:
|
|
|
d64f60 |
return am_set_authn_request_redirect_content(r, login);
|
|
|
d64f60 |
@@ -3112,6 +3164,8 @@ static int am_handle_auth(request_rec *r)
|
|
|
d64f60 |
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
|
|
|
d64f60 |
const char *relay_state;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
relay_state = am_reconstruct_url(r);
|
|
|
d64f60 |
|
|
|
d64f60 |
/* Check if IdP discovery is in use and no IdP was selected yet */
|
|
|
d64f60 |
@@ -3151,6 +3205,8 @@ static int am_handle_login(request_rec *r)
|
|
|
d64f60 |
int is_passive;
|
|
|
d64f60 |
int ret;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
return_to = am_extract_query_parameter(r->pool, r->args, "ReturnTo");
|
|
|
d64f60 |
if(return_to == NULL) {
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
|
d64f60 |
@@ -3255,6 +3311,8 @@ static int am_handle_probe_discovery(request_rec *r) {
|
|
|
d64f60 |
char *redirect_url;
|
|
|
d64f60 |
int ret;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
server = am_get_lasso_server(r);
|
|
|
d64f60 |
if(server == NULL) {
|
|
|
d64f60 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
|
d64f60 |
@@ -3488,6 +3546,8 @@ static int am_start_auth(request_rec *r)
|
|
|
d64f60 |
const char *idp;
|
|
|
d64f60 |
const char *login_url;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
return_to = am_reconstruct_url(r);
|
|
|
d64f60 |
|
|
|
d64f60 |
/* If this is a POST request, attempt to save it */
|
|
|
d64f60 |
@@ -3539,6 +3599,8 @@ int am_auth_mellon_user(request_rec *r)
|
|
|
d64f60 |
return DECLINED;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* Set defaut Cache-Control headers within this location */
|
|
|
d64f60 |
if (CFG_VALUE(dir, send_cache_control_header)) {
|
|
|
d64f60 |
am_set_cache_control_headers(r);
|
|
|
d64f60 |
@@ -3563,6 +3625,9 @@ int am_auth_mellon_user(request_rec *r)
|
|
|
d64f60 |
if(session == NULL || !session->logged_in) {
|
|
|
d64f60 |
/* We don't have a valid session. */
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "%s am_enable_auth, no valid session\n",
|
|
|
d64f60 |
+ __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
if(session) {
|
|
|
d64f60 |
/* Release the session. */
|
|
|
d64f60 |
am_release_request_session(r, session);
|
|
|
d64f60 |
@@ -3613,9 +3678,14 @@ int am_auth_mellon_user(request_rec *r)
|
|
|
d64f60 |
#endif /* HAVE_ECP */
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "%s am_enable_auth, have valid session\n",
|
|
|
d64f60 |
+ __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* Verify that the user has access to this resource. */
|
|
|
d64f60 |
return_code = am_check_permissions(r, session);
|
|
|
d64f60 |
if(return_code != OK) {
|
|
|
d64f60 |
+ am_diag_printf(r, "%s failed am_check_permissions, status=%d\n",
|
|
|
d64f60 |
+ __func__, return_code);
|
|
|
d64f60 |
am_release_request_session(r, session);
|
|
|
d64f60 |
|
|
|
d64f60 |
return return_code;
|
|
|
d64f60 |
@@ -3643,11 +3713,17 @@ int am_auth_mellon_user(request_rec *r)
|
|
|
d64f60 |
&& session->logged_in
|
|
|
d64f60 |
&& am_check_permissions(r, session) == OK) {
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "%s am_enable_info, have valid session\n",
|
|
|
d64f60 |
+ __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* The user is authenticated and has access to the resource.
|
|
|
d64f60 |
* Now we populate the environment with information about
|
|
|
d64f60 |
* the user.
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
am_cache_env_populate(r, session);
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ am_diag_printf(r, "%s am_enable_info, no valid session\n",
|
|
|
d64f60 |
+ __func__);
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
if(session != NULL) {
|
|
|
d64f60 |
@@ -3688,6 +3764,8 @@ int am_check_uid(request_rec *r)
|
|
|
d64f60 |
return DECLINED;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "enter function %s\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
#ifdef HAVE_ECP
|
|
|
d64f60 |
am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
|
|
|
d64f60 |
if (req_cfg->ecp_authn_req) {
|
|
|
d64f60 |
@@ -3744,11 +3822,15 @@ int am_check_uid(request_rec *r)
|
|
|
d64f60 |
|
|
|
d64f60 |
/* If we don't have a session, then we can't authorize the user. */
|
|
|
d64f60 |
if(session == NULL) {
|
|
|
d64f60 |
+ am_diag_printf(r, "%s no session, return HTTP_UNAUTHORIZED\n",
|
|
|
d64f60 |
+ __func__);
|
|
|
d64f60 |
return HTTP_UNAUTHORIZED;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
/* If the user isn't logged in, then we can't authorize the user. */
|
|
|
d64f60 |
if(!session->logged_in) {
|
|
|
d64f60 |
+ am_diag_printf(r, "%s session not logged in,"
|
|
|
d64f60 |
+ " return HTTP_UNAUTHORIZED\n", __func__);
|
|
|
d64f60 |
am_release_request_session(r, session);
|
|
|
d64f60 |
return HTTP_UNAUTHORIZED;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
@@ -3756,6 +3838,8 @@ int am_check_uid(request_rec *r)
|
|
|
d64f60 |
/* Verify that the user has access to this resource. */
|
|
|
d64f60 |
return_code = am_check_permissions(r, session);
|
|
|
d64f60 |
if(return_code != OK) {
|
|
|
d64f60 |
+ am_diag_printf(r, "%s failed am_check_permissions, status=%d\n",
|
|
|
d64f60 |
+ __func__, return_code);
|
|
|
d64f60 |
am_release_request_session(r, session);
|
|
|
d64f60 |
return return_code;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
diff --git a/auth_mellon_session.c b/auth_mellon_session.c
|
|
|
d64f60 |
index 3eae4a0..31ae5db 100644
|
|
|
d64f60 |
--- a/auth_mellon_session.c
|
|
|
d64f60 |
+++ b/auth_mellon_session.c
|
|
|
d64f60 |
@@ -39,9 +39,18 @@ am_cache_entry_t *am_lock_and_validate(request_rec *r,
|
|
|
d64f60 |
am_cache_key_t type,
|
|
|
d64f60 |
const char *key)
|
|
|
d64f60 |
{
|
|
|
d64f60 |
- am_cache_entry_t *session = am_cache_lock(r, type, key);
|
|
|
d64f60 |
+ am_cache_entry_t *session = NULL;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "searching for session with key %s (%s) ... ",
|
|
|
d64f60 |
+ key, am_diag_cache_key_type_str(type));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ session = am_cache_lock(r, type, key);
|
|
|
d64f60 |
if (session == NULL) {
|
|
|
d64f60 |
+ am_diag_printf(r, "not found\n");
|
|
|
d64f60 |
return NULL;
|
|
|
d64f60 |
+ } else {
|
|
|
d64f60 |
+ am_diag_printf(r, "found.\n");
|
|
|
d64f60 |
+ am_diag_log_cache_entry(r, 0, session, "Session Cache Entry");
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
const char *cookie_token_session = am_cache_entry_get_string(
|
|
|
d64f60 |
@@ -123,6 +132,10 @@ am_cache_entry_t *am_new_request_session(request_rec *r)
|
|
|
d64f60 |
am_cookie_set(r, session_id);
|
|
|
d64f60 |
|
|
|
d64f60 |
const char *cookie_token = am_cookie_token(r);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "%s id=%s cookie_token=\"%s\"\n",
|
|
|
d64f60 |
+ __func__, session_id, cookie_token);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
return am_cache_new(r, session_id, cookie_token);
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -155,6 +168,8 @@ void am_release_request_session(request_rec *r, am_cache_entry_t *session)
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
void am_delete_request_session(request_rec *r, am_cache_entry_t *session)
|
|
|
d64f60 |
{
|
|
|
d64f60 |
+ am_diag_log_cache_entry(r, 0, session, "delete session");
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/* Delete the cookie. */
|
|
|
d64f60 |
am_cookie_delete(r);
|
|
|
d64f60 |
|
|
|
d64f60 |
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
|
|
d64f60 |
index 7f8d52b..46036a9 100644
|
|
|
d64f60 |
--- a/auth_mellon_util.c
|
|
|
d64f60 |
+++ b/auth_mellon_util.c
|
|
|
d64f60 |
@@ -370,6 +370,10 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
|
|
|
d64f60 |
|
|
|
d64f60 |
ce = &((am_cond_t *)(dir_cfg->cond->elts))[i];
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "%s processing condition %d of %d: %s ",
|
|
|
d64f60 |
+ __func__, i, dir_cfg->cond->nelts,
|
|
|
d64f60 |
+ am_diag_cond_str(r, ce));
|
|
|
d64f60 |
+
|
|
|
d64f60 |
/*
|
|
|
d64f60 |
* Rule with ignore flog?
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
@@ -384,9 +388,11 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
|
|
|
d64f60 |
if (!(ce->flags & AM_COND_FLAG_OR))
|
|
|
d64f60 |
skip_or = 0;
|
|
|
d64f60 |
|
|
|
d64f60 |
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
|
|
|
d64f60 |
- "Skip %s, [OR] rule matched previously",
|
|
|
d64f60 |
- ce->directive);
|
|
|
d64f60 |
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
|
|
|
d64f60 |
+ "Skip %s, [OR] rule matched previously",
|
|
|
d64f60 |
+ ce->directive);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "Skip, [OR] rule matched previously\n");
|
|
|
d64f60 |
continue;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -433,6 +439,8 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
|
|
|
d64f60 |
"Evaluate %s vs \"%s\"",
|
|
|
d64f60 |
ce->directive, value);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "evaluate value \"%s\" ", value);
|
|
|
d64f60 |
|
|
|
d64f60 |
if (value == NULL) {
|
|
|
d64f60 |
match = 0; /* can not happen */
|
|
|
d64f60 |
@@ -463,11 +471,16 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
|
|
|
d64f60 |
} else {
|
|
|
d64f60 |
match = !strcmp(ce->str, value);
|
|
|
d64f60 |
}
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "match=%s, ", match ? "yes" : "no");
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
- if (ce->flags & AM_COND_FLAG_NOT)
|
|
|
d64f60 |
+ if (ce->flags & AM_COND_FLAG_NOT) {
|
|
|
d64f60 |
match = !match;
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "negating now match=%s ", match ? "yes" : "no");
|
|
|
d64f60 |
+ }
|
|
|
d64f60 |
+
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
|
|
|
d64f60 |
"%s: %smatch", ce->directive,
|
|
|
d64f60 |
(match == 0) ? "no ": "");
|
|
|
d64f60 |
@@ -479,6 +492,9 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
|
|
|
d64f60 |
ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
|
|
|
d64f60 |
"Client failed to match %s",
|
|
|
d64f60 |
ce->directive);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "failed (no OR condition)"
|
|
|
d64f60 |
+ " returning HTTP_FORBIDDEN\n");
|
|
|
d64f60 |
return HTTP_FORBIDDEN;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -488,8 +504,12 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
if (match && (ce->flags & AM_COND_FLAG_OR))
|
|
|
d64f60 |
skip_or = 1;
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+ am_diag_printf(r, "\n");
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
+ am_diag_printf(r, "%s succeeds\n", __func__);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
return OK;
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
diff --git a/configure.ac b/configure.ac
|
|
|
d64f60 |
index 5ca2c8a..ae313e0 100644
|
|
|
d64f60 |
--- a/configure.ac
|
|
|
d64f60 |
+++ b/configure.ac
|
|
|
d64f60 |
@@ -41,6 +41,16 @@ The executable may also be named 'apxs'.
|
|
|
d64f60 |
])
|
|
|
d64f60 |
fi
|
|
|
d64f60 |
|
|
|
d64f60 |
+AC_ARG_ENABLE(
|
|
|
d64f60 |
+ [diagnostics],
|
|
|
d64f60 |
+ [AS_HELP_STRING([--enable-diagnostics],
|
|
|
d64f60 |
+ [Build with diagnostic support])],
|
|
|
d64f60 |
+ [],
|
|
|
d64f60 |
+ [enable_diagnostics=no])
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+AS_IF([test "x$enable_diagnostics" != xno],
|
|
|
d64f60 |
+ [MELLON_CFLAGS="$MELLON_CFLAGS -DENABLE_DIAGNOSTICS"])
|
|
|
d64f60 |
+
|
|
|
d64f60 |
# Replace any occurances of @APXS2@ with the value of $APXS2 in the Makefile.
|
|
|
d64f60 |
AC_SUBST(APXS2)
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -74,6 +84,8 @@ PKG_CHECK_MODULES([GLIB], [glib-2.0 >= 2.12])
|
|
|
d64f60 |
AC_SUBST(GLIB_CFLAGS)
|
|
|
d64f60 |
AC_SUBST(GLIB_LIBS)
|
|
|
d64f60 |
|
|
|
d64f60 |
+AC_SUBST(MELLON_CFLAGS)
|
|
|
d64f60 |
+
|
|
|
d64f60 |
# Test to see if we can include lasso/utils.h
|
|
|
d64f60 |
# AC_CHECK_HEADER won't work correctly unless we specifiy the include directories
|
|
|
d64f60 |
# found in the LASSO_CFLAGS. Save and restore CFLAGS and CPPFLAGS.
|
|
|
d64f60 |
diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
|
|
|
d64f60 |
index f632d37..74bd328 100644
|
|
|
d64f60 |
--- a/mod_auth_mellon.c
|
|
|
d64f60 |
+++ b/mod_auth_mellon.c
|
|
|
d64f60 |
@@ -195,6 +195,9 @@ static int am_create_request(request_rec *r)
|
|
|
d64f60 |
#ifdef HAVE_ECP
|
|
|
d64f60 |
req_cfg->ecp_authn_req = false;
|
|
|
d64f60 |
#endif /* HAVE_ECP */
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ req_cfg->diag_emitted = false;
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
|
|
|
d64f60 |
ap_set_module_config(r->request_config, &auth_mellon_module, req_cfg);
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -220,6 +223,11 @@ static void register_hooks(apr_pool_t *p)
|
|
|
d64f60 |
* r->handler and decide that it is the only handler for this URL.
|
|
|
d64f60 |
*/
|
|
|
d64f60 |
ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
|
|
|
d64f60 |
+
|
|
|
d64f60 |
+#ifdef ENABLE_DIAGNOSTICS
|
|
|
d64f60 |
+ ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
|
|
|
d64f60 |
+ ap_hook_log_transaction(am_diag_finalize_request,NULL,NULL,APR_HOOK_REALLY_LAST);
|
|
|
d64f60 |
+#endif
|
|
|
d64f60 |
}
|
|
|
d64f60 |
|
|
|
d64f60 |
|
|
|
d64f60 |
@@ -229,7 +237,7 @@ module AP_MODULE_DECLARE_DATA auth_mellon_module =
|
|
|
d64f60 |
auth_mellon_dir_config,
|
|
|
d64f60 |
auth_mellon_dir_merge,
|
|
|
d64f60 |
auth_mellon_server_config,
|
|
|
d64f60 |
- NULL,
|
|
|
d64f60 |
+ auth_mellon_srv_merge,
|
|
|
d64f60 |
auth_mellon_commands,
|
|
|
d64f60 |
register_hooks
|
|
|
d64f60 |
};
|