Mailing-List: contact modules-dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: modules-dev@httpd.apache.org
Received-SPF: pass (nike.apache.org: domain of ohaya@cox.net designates
 68.230.241.213 as permitted sender)
Message-ID: <20120626175633.4MX92.246555.imail@eastrmwml304>
Date: Tue, 26 Jun 2012 17:56:33 -0400
From: <ohaya@cox.net>
To: modules-dev@httpd.apache.org
Subject: Re: ssl_var_lookup snippet was Re: Confused about modules
 processing order...
Cc: Sorin Manolache <sorinm@gmail.com>
In-Reply-To: <4FEA2735.9060201@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sensitivity: Normal


---- Sorin Manolache <sorinm@gmail.com> wrote: 
> On 2012-06-26 22:17, ohaya@cox.net wrote:
> >
> > ---- Sorin Manolache<sorinm@gmail.com>  wrote:
> >> On 2012-06-26 19:56, ohaya@cox.net wrote:
> >>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>>>> the hooks that execute earlier than webgate's check_user_id or
> >>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>>>> your hook, you have to get yourself the values of the server
> >>>>> certificates, client certificate, etc, everything that mod_ssl would
> >>>>> have given you, but too late.
> >>> "
> >>>
> >>> I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id hook function is being called, but none of the SSL vars are populated (since, as you said mod_ssl doesn't populate them until the fixup phase).
> >>>
> >>> What mechanisms/methods could I use to get those SSL vars ("you have to get yourself the values of the server certificates, client certificate, etc, ") at this point?
> >>
> >> I don't know, unfortunately. Have a look at the sources
> >> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl
> >> does it.
> >>
> >> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c.
> >> Maybe you can use it in check_user_id already.
> >>
> >> Sorin
> >
> >
> > Sorin,
> >
> > THANKS for that pointer to ssl_var_lookup.
> >
> > As a very small payback (VERY small) for your help (and others), and for the record, I put the following code (assembled from various places) in the ap_headers_early, and it seems to work "somewhat")
> >
> >
> > static apr_status_t ap_headers_early(request_rec *r)
> > {
> >
> > printf("In ap_headers_early\n");
> >
> > printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> >
> > typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
> >
> > ssl_var_lookup_t ssl_var_lookup = 0;
> >
> > ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> >
> > const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
> >
> > printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> > .
> > .
> >
> > and it seems to work perfectly!!
> >
> >
> > Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure to use that in ANY of the module hooks?
> 
> No, it won't work in any hook, in my opinion. The availability of the 
> data depends on the phase (hook) in which you run the ssl_var_lookup.
> 
> I think, though I'm not sure, that the data are gathered in the 
> post_read_request hook. If so, ssl_var_lookup would work in any hook 
> that is called after post_read_request.
> 
> ap_headers_early is run in post_read_request. My intuition is that 
> putting your code there is slightly too early. This is because the 
> directory-wide configuration of the request is not yet correctly set in 
> this phase and URL rewrite rules have not yet been applied, although I 
> don't know if this would affect your functionality.
> 
> I'd put the code either in header_parser or in check_user_id and I'd try 
> to make sure that my check_user_id is run before webgate's check_user_id.
> 
> I'd go for header_parser as it is always run for main requests. 
> check_user_id is run only when some conditions are satisfied (check the 
> ap_process_request_internal in server/request.c).
> 
> If you go for check_user_id, make sure that it is run before Oracle's 
> check_user_id. In order to do so, you can use APR_HOOK_FIRST 
> (ap_hook_check_user_id(&my_check_user_id, NULL, NULL, APR_HOOK_FIRST)), 
> or you can use something like
> 
> static const char *successor[] = {nameoftheoraclesourcefile, NULL};
> ap_hook_check_user_id(&my_check_user_id, NULL, successor, APR_HOOK_MIDDLE);
> 
> (See how mod_ssl places its post_read_request _after_ mod_setenvif's in 
> modules/ssl/mod_ssl.c)
> 
> Also, I would not change mod_headers, I would write my own module in 
> which I'd place my header_parser hook.
> 
> Sorin


Hi Sorin,

FYI, it looks like that ssl_var_lookup() call DOES work, even in the post_read_request/ap_headers_early hook!!

I moved the code that I had before in the insert_header hook to the post_read_request hook, then modified it to do the ssl_var_lookup() call to get the SSL_CLIENT_CERT PEM rather than getting it from r->subprocess_env.

I didn't describe what I'm trying to do clearly earlier with this module, but basically, with my module, I'm trying to intercept the Apache request processing and, in my module, get a SSO-type cookie/token that, normally, the webgate looks for to determine if the user has been previously authenticated, and inject that cookie into the request.  

Right now, as I said, my code is in the post_read_request hook, and it's working (thanks in large part to your help!), but only to a point.  It's able to get the cookie, and inject it into the request, and then, I *think* the webgate is doing its processing.

The problem I'm now having is that I end up getting 403/Forbidden response from Apache after all of that.  I'm not quite sure why yet.

If I disable the webgate, everything works ok.  

Also, this is a prototype.  My intention is that if I can get it working, I'd implement a new module from scratch, as you recommended, but I need to get this prototype working first, I think....

Thanks,
Jim