NSAPI scripting - continued...

I've been working on the scripting plugin whenever I could find time - mostly weekends - and it's around 7k lines of code now. As it develops, it's proving to be useful for realistic, practical scenarios, and I'm pleasantly surprised. But most of the test scripts I wrote were rather small and did very few things: mainly looking at a couple of values in the request, setting a few, and then, say, doing a redirect. For a change, I decided to use it for something larger and more realistic.

Recently there was this Proxy bug, an RFE actually, where the requirement was a Single Sign On (SSO) plugin for the proxy. Attached to the bug was the C source code for an SSO plugin the customer was using. It wasn't big - around 500 lines or so. So I thought I would try implementing the same thing using scripting.

It wasn't too difficult, and I could come up with a working script within a day. This was the first time I was attempting something of this scale with the scripting plugin, so in the process I inevitably found some new bugs and had to fix them.

Anyway, here is the first working version of an SSO nsapi script:


#
# nsapi script for SSO (Single Sign On)
#

cookiename = "nsh_sso"
sessionmax = 3600
authfield = $rq.headers.authorization
cookievalue = call getcookie

call main


# functions...

function main()
{
    # Check if there is an "Authorization:" header
    if test $authfield == ""
    then
        # No "Authorization:" header. Check if there is a cookie
        if $cookievalue == ""
        then
            # No cookie either. move on.    
            req noaction
        else
            # There is a cookie. Check if the cookie is valid.  
            authval = call checkcookie 
            if $authval != ""
            then
                # Valid cookie. Use its contents to set the "Authorization" header.
                authval = "Basic $authval"
                setheader "Authorization" $authval
                req proceed     
            else  
                # Invalid cookie. send a 401.      
                rq.srvhdrs.www-authenticate = "basic realm=\"SSO Session Expired\""
                rq.srvhdrs.status = "401 Unauthorized"
                req aborted     
            fi          
        fi      
    else
        # There is an "Authorization:" header. Check if there is a cookie.
        if $cookievalue != ""
        then
            # There is a cookie. If it is valid, let the request proceed.    
            authval = call checkcookie 
            if $authval != ""
            then        
                # Skip the 6-character "Basic " prefix, the same offset makecookie uses,
                # so the header value compares equal to what was stored in the cookie.
                cauthval = substr $authfield 6
                if test $cauthval == $authval
                then            
                    req proceed         
                fi              
            fi          
        fi
        # Either there is no cookie, or the cookie is not valid.
        # So wrap the value of the "Authorization:" header into
        # a cookie, set it, and send a 302.      
        call setcookie
    fi  
}

function setcookie()
{
    ncval = call makecookie
    rq.srvhdrs.set-cookie = $ncval
    rq.srvhdrs.location = $rq.reqpb.uri
    rq.srvhdrs.status = "302 Moved"
    req aborted 
}


function makecookie()
{
    bi = index $authfield "Basic "
    if $bi != 0
    then
        req proceed
    fi
    authstr = substr $authfield 6
    domain = call getdomain
    if $domain == ""
    then
        req proceed
    fi
    newcookie = "$authstr|"
    newcookie += now
    newcookie = b64encode $newcookie
    newcookieval = "$cookiename=$newcookie; path=/; domain=$domain"
    return $newcookieval
}

function getcookie()
{
    c = $rq.headers.cookie
    if test $c != ""
    then
        cin = index $c $cookiename
        l = length $cookiename
        cin = expr $cin + $l
        cin = expr $cin + 1
        csub = substr $c $cin
        semicol = index $csub ";"
        if test $semicol > 0
        then
            cval = substr $csub 0 $semicol
            return $cval
        else
            return $csub
        fi
    else
        return ""
    fi
}

function checkcookie()
{
    cookievalue = b64decode $cookievalue
    ctindex = index $cookievalue "|"
    authval = substr $cookievalue 0 $ctindex
    ctindex = expr $ctindex + 1
    ctime = substr $cookievalue $ctindex
    ctime = expr $ctime + $sessionmax
    if test $ctime <= now
    then
        return ""
    else
        return $authval
    fi
}

function getdomain()
{
    h = $rq.headers.host
    if $h == ""
    then
        # no host header
        return ""
    else
        di = index $h "."
        di = expr $di + 1
        dom = substr $h $di
        dp = index $dom ":"
        if $dp > 0
        then
            newdom = substr $dom 0 $dp
            return $newdom
        else
            return $dom
        fi
    fi
}
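Added example, not the author's nsh code and not part of libnsh: the same cookie scheme written in Python, so the "<credential>|<issue time>" format and the expiry check can be exercised offline. Function names mirror the script's; the Authorization value, Host header and timestamps used with it are constructed.

```python
import base64

COOKIE_NAME = "nsh_sso"   # same name the nsh script uses
SESSION_MAX = 3600        # lifetime in seconds, as in the script


def get_domain(host):
    """Cookie domain = Host header minus its first label and any :port (getdomain())."""
    if not host:
        return ""
    dom = host[host.find(".") + 1:]      # find() == -1 keeps the whole host, like the script
    p = dom.find(":")
    return dom[:p] if p > 0 else dom


def make_cookie(authorization, host, now):
    """Wrap the Basic credential into "<b64>|<issue time>" (makecookie()).
    Returns None where the script falls through with 'req proceed'."""
    if not authorization.startswith("Basic "):
        return None
    domain = get_domain(host)
    if not domain:
        return None
    payload = authorization[6:] + "|" + str(now)          # len("Basic ") == 6
    enc = base64.b64encode(payload.encode()).decode()
    return f"{COOKIE_NAME}={enc}; path=/; domain={domain}"


def get_cookie(cookie_header):
    """Extract our cookie's value from a Cookie: header (getcookie()).
    Unlike the nsh version, a missing cookie name is handled explicitly."""
    if not cookie_header:
        return ""
    i = cookie_header.find(COOKIE_NAME)
    if i < 0:
        return ""
    rest = cookie_header[i + len(COOKIE_NAME) + 1:]       # skip "name="
    semi = rest.find(";")
    return rest[:semi] if semi > 0 else rest


def check_cookie(cookie_value, now):
    """Return the stored credential if issued less than SESSION_MAX ago, else "" (checkcookie())."""
    try:
        auth, _, ts = base64.b64decode(cookie_value).decode().partition("|")
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return ""                                          # malformed cookie counts as expired
    return auth if issued + SESSION_MAX > now else ""
```

Note that the cookie is only base64 over the credential and its issue time, with no server-side key involved, so the server has no way to distinguish a cookie it issued from one that was modified; a keyed MAC over the payload is the usual mitigation.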

Anyway, I have put up the plugin for download: libnsh for Solaris sparc. gunzip and untar the file, and you get the plugin (libnsh.so), along with a README, examples, installation instructions, etc. Please go through the DISCLAIMER carefully - this is not a supported product of Sun. Use at your own risk.


Comments:

What about libnsh for Solaris x86 ?

Posted by Thorleif Wiik on May 26, 2006 at 04:27 AM PDT #

Sorry - I haven't yet built this on x86; but will do that for sure and put up the plugin for download.

Posted by motor on May 29, 2006 at 01:52 PM PDT #

I have uploaded the plugin for Solaris x86 here: http://blogs.sun.com/roller/resources/motor/nsh-solx86.tar.gz. Please use with discretion - this is purely experimental and totally untested :)

Posted by motor on May 29, 2006 at 06:39 PM PDT #

Re-posting the link: http://blogs.sun.com/roller/resources/motor/nsh-solx86.tar.gz

Posted by guest on May 29, 2006 at 06:41 PM PDT #

This looks *awesome*... thank you for sharing it! Note that your "INSTALL" instructions in the tarball you provide mention adding an Init line to obj.conf... for webserver starting (I think) after 6.0 (certainly in 6.1), Init lines go in magnus.conf, and will complain and not work if you put 'em in obj.conf. thanks again!

Posted by ryan nelson on May 30, 2006 at 03:34 PM PDT #

Thanks for the correction, Nelson. I will change the file accordingly. I have been testing this all along on proxy 4.0 - yet to check with Webserver 6.1 or 7.0.

Posted by motor on May 30, 2006 at 06:06 PM PDT #
