Switch to session-based form login

liggitt · liggitt · commit d5cff156b12e · 2017-04-20T10:13:19.000-04:00
diff --git a/Dockerfile b/Dockerfile
@@ -11,6 +11,8 @@ RUN dnf install -y \
   krb5-libs \
   krb5-server \
   krb5-workstation \
+  php \
+  mod_php \
   mod_auth_gssapi \
   mod_auth_kerb \
   mod_auth_mellon \
@@ -33,7 +35,8 @@ ADD mellon_create_metadata.sh /usr/sbin/mellon_create_metadata.sh
 ADD proxy.conf /etc/httpd/conf.d/proxy.conf
 
 # Add form login files
-ADD login.html /var/www/html/login.html
+ADD login.php /var/www/html/login/index.php
+ADD logout.php /var/www/html/logout/index.php
 
 # 80  = http
 # 443 = https
diff --git a/login.html b/login.html
diff --git a/login.php b/login.php
@@ -0,0 +1,44 @@
+<?php
+$user        = apache_getenv("REMOTE_USER");
+$error       = apache_getenv("EXTERNAL_AUTH_ERROR");
+$csrf_cookie = $_COOKIE["csrf"]  ?: "";
+$csrf_form   = $_POST["csrf"]    ?: "";
+$then        = $_REQUEST["then"] ?: "/";
+if (!empty($user) && $csrf_cookie == $csrf_form) {
+        header("HTTPDSession: httpd_user=" . urlencode($user), true);
+        header("Location: " . $then, true, 302);
+        exit;
+}
+?><!DOCTYPE html>
+<html>
+  <head>
+    <title>Log In</title>
+    <style>
+        body   { margin-top: 5em; font-family: sans-serif;}
+        form   { display: inline-block; margin: 0 auto; }
+        label  { display: inline-block; width: 100px; text-align: right; }
+        input  { display: inline-block; width: 200px; }
+        button { width: 200px; }
+        .row   { margin-top: 10px;}
+        .error { color: red; }
+    </style>
+  </head>
+  <body>
+    <form action="" method="POST">
+      <div class="error"><?php echo htmlspecialchars($error) ?></div>
+      <input name="then" type="hidden" value="<?php echo htmlspecialchars($then) ?>">
+      <input name="csrf" type="hidden" value="<?php echo htmlspecialchars($csrf_cookie) ?>">
+      <div class="row">
+        <label for="inputUsername">Username:</label>
+        <input id="inputUsername" autofocus="autofocus" name="httpd_username" type="text" value="<?php echo htmlspecialchars($_POST["httpd_username"]) ?>">
+      </div>
+      <div class="row">
+        <label for="inputPassword">Password:</label>
+          <input id="inputPassword" name="httpd_password" value="" type="password">
+      </div>
+      <div class="row">
+        <button type="submit" name="login" value="Log In">Log In</button>
+      </div>
+    </form>
+  </body>
+</html>
diff --git a/logout.php b/logout.php
@@ -0,0 +1,7 @@
+<?php
+
+$then = $_REQUEST["then"] ?: "/";
+header("HTTPDSession: httpd_user=", true);
+header("Location: " . $then, true, 302);
+
+?>
diff --git a/proxy.conf b/proxy.conf
@@ -177,28 +177,60 @@ RewriteRule ^.* - [F,L]
 LoadModule authnz_pam_module modules/mod_authnz_pam.so
 LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
 
-<Location /mod_intercept_form_submit/>
-    ProxyPass https://backend.example.com/
+LoadModule session_crypto_module modules/mod_session_crypto.so
+
+# Enable sessions
+Session On
+SessionMaxAge 300
+# Specify a passphrase to encrypt the session with
+SessionCryptoPassphrase replace-me-with-a-unique-secret
+# Enable cookie sessions
+SessionCookieName httpd_session path=/;httponly;secure;
+# Prevent cookies from reaching the backend
+SessionCookieRemove On
+
+<Location /logout>
+    # Allow the backend to adjust the session by setting headers
+    SessionHeader HTTPDSession
+</Location>
+
+<Location /login>
+    # Allow the backend to adjust the session by setting headers
+    SessionHeader HTTPDSession
 
     # Defined in /etc/pam.d/httpd-pam
     InterceptFormPAMService httpd-pam
-
     # Use the httpd_username/httpd_password fields from the login POST
     InterceptFormLogin httpd_username
     InterceptFormPassword httpd_password
-
     # Automatically append the correct realm
-    InterceptFormLoginRealms EXAMPLE.COM
-
-    # Show the login page for GET requests
-    RewriteCond %{REQUEST_METHOD} GET
-    RewriteRule ^.*$ /login.html [L]
-
-    # Set the request header from the envvar if it exists
-    RequestHeader set Remote-User %{REMOTE_USER}s env=REMOTE_USER
+    InterceptFormLoginRealms AUTH.EXAMPLE.COM
 </Location>
 
-
+<Location /mod_intercept_form_submit/>
+    # Surface the session as an apache envvar
+    SessionEnv On
+
+    # extract the encoded username (via a URL-based lookahead, since HTTP_SESSION is populated later in the request handling)
+    RewriteCond %{LA-U:ENV:HTTP_SESSION} ^(.*&)?httpd_user=([^&]+)(&.*)?$
+    # and store it an an envvar
+    RewriteRule .* - [E=ENCODED_SESSION_USER:%2]
+
+    # if we don't have a session user
+    RewriteCond %{ENV:ENCODED_SESSION_USER} ^$
+    # capture the raw request URL path and query
+    RewriteCond %{THE_REQUEST} ^[^\s]+\ ([^\s]+)
+    # and redirect to the login path with a back link to our current URL
+    # NE = don't double-encode
+    # B  = encode the backreference
+    # R  = redirect with 302 code
+    # L  = stop processing
+    RewriteRule .* /login/?then=%1 [NE,B,R=302,L]
+
+    # Set the session user into a request header and proxy
+    RequestHeader set Remote-User "expr=%{unescape:%{env:ENCODED_SESSION_USER}}" env=ENCODED_SESSION_USER
+    ProxyPass https://backend.example.com/
+</Location>
 
 RequestHeader unset Remote-User
 RequestHeader unset X-Remote-User
