cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Cosign or IP-based access control
Hi all,
I have a patch (for the apache2 filter only) that lets you specify an IP
range for which the cosign module will not authenticate.
The format for the apache conf is:
CosignDisableIP [ip]/[mask in dot notation]
eg:
CosignDisableIP 130.216.0.0/255.255.0.0
Brett
On Wed, 2005-01-19 at 09:07, Jim Zajkowski wrote:
> Hi folks,
>
> We want to put up a site that is instantly available from a UM IP
> address, or requires Cosign from outside those addresses.
>
> Any ideas?
>
> Thanks,
>
> --Jim
Index: cosign.h
===================================================================
--- cosign.h (revision 10)
+++ cosign.h (working copy)
@@ -1,4 +1,11 @@
+#include <netinet/in.h>
+
typedef struct {
+ in_addr_t baseip;
+ in_addr_t mask;
+} iprange;
+
+typedef struct {
char *host;
char *service;
char *siteentry;
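Review bot: The two new `iprange` fields carry no comment on their representation, and since this header is what every consumer sees the byte order matters: in the mod_cosign.c part of this patch both are filled from `inet_aton()` results and compared directly against `sin_addr.s_addr`, so they hold network byte order. Suggest `in_addr_t baseip; /* network byte order, as filled by inet_aton() */` and `in_addr_t mask;   /* network byte order; compared against sin_addr.s_addr */`.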
@@ -26,6 +33,8 @@
int krbtkt;
int krb524;
#endif /* KRB */
+
+ iprange pubaccessips;
} cosign_host_config;
Index: mod_cosign.c
===================================================================
--- mod_cosign.c (revision 10)
+++ mod_cosign.c (working copy)
@@ -76,6 +76,10 @@
cfg->krb524 = 0;
#endif /* KRB4 */
#endif /* KRB */
+
+ /* Set up to ip address of 0.0.0.0 and mask of 255.255.255.255 */
+ cfg->pubaccessips.baseip=0;
+ cfg->pubaccessips.mask=0xFFFFFFFF;
return( cfg );
}
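Review bot: The comment above the two new assignments restates the literal values without saying what they mean for the access check, which is what a reader of a security default needs: with `baseip` 0 and an all-ones mask the masked comparison only matches a peer address of exactly 0.0.0.0, so no real client is exempt until `CosignDisableIP` is set. Suggest replacing it with `/* Default exempts nobody: only a peer of exactly 0.0.0.0 would match; CosignDisableIP overrides. */`. The same comment and values are repeated in the next hunk (the second config constructor) and should change there too.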
@@ -115,6 +119,10 @@
cfg->krb524 = 0;
#endif /* KRB4 */
#endif /* KRB */
+
+ /* Set up to ip address of 0.0.0.0 and mask of 255.255.255.255 */
+ cfg->pubaccessips.baseip=0;
+ cfg->pubaccessips.mask=0xFFFFFFFF;
return( cfg );
}
@@ -209,6 +217,7 @@
if ( strcasecmp( authn, "Cosign" ) != 0 ) {
return( DECLINED );
}
+
/* we OK here to claim this as our AuthZ call.
* otherwise, we'll get a 503 as basic auth will
* try and nab it, but things won't be set up
@@ -275,6 +284,16 @@
return( HTTP_SERVICE_UNAVAILABLE );
}
+ if((r->connection->remote_addr->sa.sin.sin_addr.s_addr&cfg->pubaccessips.mask) ==
+ (cfg->pubaccessips.baseip&cfg->pubaccessips.mask))
+ {
+ ap_log_error( APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r->server,
+ "mod_cosign: Declining to service client on ip %s because of config",
+ r->connection->remote_ip );
+
+ return DECLINED;
+ }
+
/*
* Look for cfg->service cookie. if there isn't one,
* set it and redirect.
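Review bot: The bypass test at the top of the hunk reads `sa.sin.sin_addr.s_addr` without first checking the peer's address family, so on an APR build that accepts IPv6 connections the masked comparison is made against the leading bytes of a `sockaddr_in6` and its result is meaningless for those clients; guard it with `if ( r->connection->remote_addr->family == APR_INET &&` ahead of the existing comparison. The test also uses the TCP peer address, so when a reverse proxy or NAT sits in front of httpd every client behind it falls inside the exempt range; that deserves a comment at this point so administrators know what the range actually matches. Logging every exempted request at `APLOG_WARNING` will be noisy on a busy site; `APLOG_INFO` fits an expected, configured outcome better. The enclosing handler starts and ends outside the hunk.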
@@ -366,7 +385,82 @@
return( HTTP_MOVED_TEMPORARILY );
}
+static void
+convertIPRange(char *rangestr, struct in_addr *ip, struct in_addr *mask)
+{
+ char ipstr[16],maskstr[16],*ptr;
+
+ memset(ipstr,'\0',16);
+ memset(maskstr,'\0',16);
+ if(!(ptr=strchr(rangestr,'/')))
+ return;
+
+ *ptr='\0';
+
+ strncpy(ipstr,rangestr,15);
+ strncpy(maskstr,ptr+1,15);
+
+ inet_aton(ipstr,ip);
+ inet_aton(maskstr,mask);
+
+ *ptr='/';
+}
+
static const char *
+set_cosign_ip_disable( cmd_parms *params, void *mconfig, char *arg )
+{
+ cosign_host_config *cfg, *scfg;
+ struct in_addr ip,mask;
+
+ scfg = (cosign_host_config *) ap_get_module_config(
+ params->server->module_config, &cosign_module );
+ if ( params->path == NULL ) {
+ cfg = scfg;
+ } else {
+ cfg = (cosign_host_config *)mconfig;
+ cfg->redirect = apr_pstrdup( params->pool, scfg->redirect );
+ cfg->filterdb = apr_pstrdup( params->pool, scfg->filterdb );
+ cfg->proxydb = apr_pstrdup( params->pool, scfg->proxydb);
+ cfg->tkt_prefix = apr_pstrdup( params->pool, scfg->tkt_prefix );
+ if ( cfg->siteentry != NULL ) {
+ cfg->siteentry = apr_pstrdup( params->pool, scfg->siteentry );
+ }
+ cfg->public = scfg->public;
+ cfg->posterror = apr_pstrdup( params->pool, scfg->posterror );
+ cfg->host = apr_pstrdup( params->pool, scfg->host );
+ cfg->cl = scfg->cl;
+ cfg->port = scfg->port;
+ cfg->ctx = scfg->ctx;
+ if ( cfg->service == NULL ) {
+ cfg->service = apr_pstrdup( params->pool, scfg->service );
+ }
+ cfg->proxy = scfg->proxy;
+ cfg->http = scfg->http;
+ cfg->expiretime = scfg->expiretime;
+#ifdef KRB
+ cfg->krbtkt = scfg->krbtkt;
+#ifdef GSS
+ cfg->gss = scfg->gss;
+#endif /* GSS */
+#ifdef KRB4
+ cfg->krb524 = scfg->krb524;
+#endif /* KRB4 */
+#endif /* KRB */
+ if(!cfg->pubaccessips.baseip)
+ {
+ cfg->pubaccessips.baseip=scfg->pubaccessips.baseip;
+ cfg->pubaccessips.mask=scfg->pubaccessips.mask;
+ }
+ }
+
+ convertIPRange(arg,&ip,&mask);
+ cfg->pubaccessips.baseip=ip.s_addr;
+ cfg->pubaccessips.mask=mask.s_addr;
+
+ return( NULL );
+}
+
+ static const char *
set_cosign_protect( cmd_parms *params, void *mconfig, int flag )
{
cosign_host_config *cfg, *scfg;
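Review bot: `convertIPRange()` never reports failure: when `arg` has no `/`, or `inet_aton()` rejects either half, it returns with `ip` and `mask` untouched, and `set_cosign_ip_disable()` then copies the two uninitialized `struct in_addr` locals into `cfg->pubaccessips`, so a typo in `CosignDisableIP` can silently install an arbitrary exempt range instead of failing the configuration. The command handler should hand an error string back to httpd, which `convertIPRange()` can supply once it checks the `strchr()` result, the length of each half (anything over 15 characters is otherwise truncated by `strncpy()` before parsing), and both `inet_aton()` results. A rewrite along those lines is below; `set_cosign_protect()`, whose header is the last thing in the hunk, continues outside it.
```c
static const char *
convertIPRange( char *rangestr, struct in_addr *ip, struct in_addr *mask )
{
    char ipstr[16], maskstr[16], *ptr;

    memset( ipstr, '\0', 16 );
    memset( maskstr, '\0', 16 );
    if ( !( ptr = strchr( rangestr, '/' ))) {
        return( "CosignDisableIP: expected address/mask" );
    }
    /* each half must fit a dotted quad, else strncpy() below would truncate it */
    if ( ptr - rangestr > 15 || strlen( ptr + 1 ) > 15 ) {
        return( "CosignDisableIP: address or mask too long" );
    }

    /* … unchanged: split at '/', copy both halves into ipstr/maskstr, restore '/' … */

    if ( !inet_aton( ipstr, ip ) || !inet_aton( maskstr, mask )) {
        return( "CosignDisableIP: address or mask is not a dotted quad" );
    }
    return( NULL );
}

static const char *
set_cosign_ip_disable( cmd_parms *params, void *mconfig, char *arg )
{
    cosign_host_config *cfg, *scfg;
    struct in_addr ip, mask;
    const char *err;

    /* … unchanged: pick cfg and inherit server-level settings … */

    if (( err = convertIPRange( arg, &ip, &mask )) != NULL ) {
        return( err );
    }
    cfg->pubaccessips.baseip = ip.s_addr;
    cfg->pubaccessips.mask = mask.s_addr;

    return( NULL );
}
```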
@@ -406,6 +500,11 @@
#endif /* KRB4 */
#endif /* KRB */
+ if(!cfg->pubaccessips.baseip)
+ {
+ cfg->pubaccessips.baseip=scfg->pubaccessips.baseip;
+ cfg->pubaccessips.mask=scfg->pubaccessips.mask;
+ }
}
cfg->protect = flag;
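Review bot: The four-line inherit block added here is repeated verbatim in the three hunks that follow (`@@ -470,6 +569,11 @@`, `@@ -513,6 +617,11 @@`, `@@ -562,6 +671,12 @@`) and once more inside `set_cosign_ip_disable()`; a small static helper keeps the five copies from drifting apart, and a struct assignment replaces the two field copies, so each site becomes `inherit_pubaccessips( cfg, scfg );`. The `!cfg->pubaccessips.baseip` test also cannot distinguish "not configured" from a configured base address of 0.0.0.0, so a directory that sets such a range and then another cosign directive in the same block has it overwritten by the server-level range; if that case matters, record "set" with an explicit flag rather than the zero sentinel. `set_cosign_protect()` starts and ends outside this hunk.
```c
/* Give a per-directory config the server-level CosignDisableIP range
 * unless the directory has already set one of its own (base != 0). */
static void
inherit_pubaccessips( cosign_host_config *cfg, const cosign_host_config *scfg )
{
    if ( !cfg->pubaccessips.baseip ) {
        cfg->pubaccessips = scfg->pubaccessips;
    }
}
```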
@@ -470,6 +569,11 @@
cfg->krb524 = scfg->krb524;
#endif /* KRB4 */
#endif /* KRB */
+ if(!cfg->pubaccessips.baseip)
+ {
+ cfg->pubaccessips.baseip=scfg->pubaccessips.baseip;
+ cfg->pubaccessips.mask=scfg->pubaccessips.mask;
+ }
}
cfg->service = apr_psprintf( params->pool,"cosign-%s", arg );
@@ -513,6 +617,11 @@
cfg->krb524 = scfg->krb524;
#endif /* KRB4 */
#endif /* KRB */
+ if(!cfg->pubaccessips.baseip)
+ {
+ cfg->pubaccessips.baseip=scfg->pubaccessips.baseip;
+ cfg->pubaccessips.mask=scfg->pubaccessips.mask;
+ }
}
if ( strcasecmp( arg, "none" ) != 0 ) {
@@ -562,6 +671,12 @@
cfg->krb524 = scfg->krb524;
#endif /* KRB4 */
#endif /* KRB */
+ if(!cfg->pubaccessips.baseip)
+ {
+ cfg->pubaccessips.baseip=scfg->pubaccessips.baseip;
+ cfg->pubaccessips.mask=scfg->pubaccessips.mask;
+ }
+
}
cfg->public = flag;
@@ -886,6 +1001,10 @@
static command_rec cosign_cmds[ ] =
{
+ AP_INIT_TAKE1( "CosignDisableIP", set_cosign_ip_disable,
+ NULL, RSRC_CONF|ACCESS_CONF,
+ "An IP address or ranges list to not cosign authenticate for" ),
+
AP_INIT_TAKE1( "CosignPostErrorRedirect", set_cosign_post_error,
NULL, RSRC_CONF,
"the URL to deliver bad news about POSTed data" ),
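Review bot: The help string for `CosignDisableIP` promises "An IP address or ranges list", but `set_cosign_ip_disable()`, registered on the line above it, parses exactly one `address/mask` pair with a dotted-quad mask, and a second occurrence in the same scope simply overwrites the first. Suggest `"a single address/mask range (dotted-quad mask) that cosign will not authenticate, e.g. 130.216.0.0/255.255.0.0"` so administrators do not try to list several ranges.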