apache mod mellon protection don't allow auth headers from the user d…

…irectly
camptocamp · Jun 14, 2024 · f0ef679 · f0ef679
1 parent 5226dac
commit f0ef679
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 67 deletions.
diff --git a/apache-mod-mellon/Chart.yaml b/apache-mod-mellon/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: apache-mod-mellon
 description: A Helm chart for deploying an Apache HTTPd configured with the mod_mellon
 type: application
-version: 1.0.0
+version: 1.0.1
 appVersion: "1.16.0"
diff --git a/apache-mod-mellon/templates/apache-config-httpd.yaml b/apache-mod-mellon/templates/apache-config-httpd.yaml
@@ -180,78 +180,90 @@ data:
       </IfModule>
 
       <Location />
-          Options -Indexes
+        Options -Indexes
 
-          MellonEnable "info"
-          MellonSecureCookie On
-          MellonUser eppn
-          MellonMergeEnvVars On
-          MellonSubjectConfirmationDataAddressCheck Off
-          MellonSPPrivateKeyFile  /etc/mod-mellon-config/mellon.key
-          MellonSPCertFile        /etc/mod-mellon-config/mellon.cert
-          MellonSPentityId        {{ .Values.mellon_config.entity_id }}
-          MellonOrganizationName "{{ .Values.mellon_config.organization_url }}"
-          MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}"
-          MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml
-          MellonDiscoveryURL     "{{ .Values.mellon_config.discovery_url }}"
-          MellonIdPCAFile        /etc/mod-mellon-config/metadata-signing-cert.pem
-          MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem
-          MellonProbeDiscoveryTimeout 1
-          MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}"
-          MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}"
-          MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}"
-          MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}"
-          MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}"
-          MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}"
+        MellonEnable "info"
+        MellonSecureCookie On
+        MellonUser eppn
+        MellonMergeEnvVars On
+        MellonSubjectConfirmationDataAddressCheck Off
+        MellonSPPrivateKeyFile  /etc/mod-mellon-config/mellon.key
+        MellonSPCertFile        /etc/mod-mellon-config/mellon.cert
+        MellonSPentityId        {{ .Values.mellon_config.entity_id }}
+        MellonOrganizationName "{{ .Values.mellon_config.organization_url }}"
+        MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}"
+        MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml
+        MellonDiscoveryURL     "{{ .Values.mellon_config.discovery_url }}"
+        MellonIdPCAFile        /etc/mod-mellon-config/metadata-signing-cert.pem
+        MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem
+        MellonProbeDiscoveryTimeout 1
+        MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}"
+        MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}"
+        MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}"
+        MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}"
+        MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}"
+        MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}"
 
-          MellonEndpointPath /mellon
+        MellonEndpointPath /mellon
 
-          # it is this proxy's responsability to make sure the value of these headers are legit
-          # See a list of headers used by geOrchestra here:
-          # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67
-          RequestHeader unset sec-georchestra-preauthenticated
-          RequestHeader unset sec-mellon-name-id
-          RequestHeader unset sec-username
-          RequestHeader unset sec-name
-          RequestHeader unset sec-givenname
-          RequestHeader unset sec-email
-          RequestHeader unset sec-org
-          RequestHeader unset sec-proxy
-          RequestHeader unset sec-user
-          RequestHeader unset sec-organization
-          RequestHeader unset sec-userid
-          RequestHeader unset sec-lastupdated
-          RequestHeader unset sec-roles
-          RequestHeader unset sec-firstname
-          RequestHeader unset sec-lastname
-          RequestHeader unset sec-tel
-          RequestHeader unset sec-orgid
-          RequestHeader unset sec-orgname
-          RequestHeader unset sec-org-lastupdated
-          RequestHeader unset imp-roles
-          RequestHeader unset imp-username
+        # it is this proxy's responsability to make sure the value of these headers are legit
+        # See a list of headers used by geOrchestra here:
+        # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67
+        RequestHeader unset sec-georchestra-preauthenticated
+        RequestHeader unset sec-mellon-name-id
+        RequestHeader unset sec-username
+        RequestHeader unset sec-name
+        RequestHeader unset sec-givenname
+        RequestHeader unset sec-email
+        RequestHeader unset sec-org
+        RequestHeader unset sec-proxy
+        RequestHeader unset sec-user
+        RequestHeader unset sec-organization
+        RequestHeader unset sec-userid
+        RequestHeader unset sec-lastupdated
+        RequestHeader unset sec-roles
+        RequestHeader unset sec-firstname
+        RequestHeader unset sec-lastname
+        RequestHeader unset sec-tel
+        RequestHeader unset sec-orgid
+        RequestHeader unset sec-orgname
+        RequestHeader unset sec-org-lastupdated
+        RequestHeader unset imp-roles
+        RequestHeader unset imp-username
 
-          {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')"
-          {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')"
-          {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')"
-          {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')"
-          {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')"
-          {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')"
-          {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"
+        {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')"
+        {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')"
+        {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')"
+        {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')"
+        {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')"
+        {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')"
+        {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"
 
-          {{- if .Values.georchestra_proxypass_endpoint -}}
-          ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}"
-          ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}"
-          ProxyPreserveHost On
-          {{- end }}
+        {{- if .Values.georchestra_proxypass_endpoint -}}
+        ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}"
+        ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}"
+        ProxyPreserveHost On
+        {{- end }}
 
-          RewriteEngine on
-          RewriteCond %{QUERY_STRING} ^$
-          RewriteCond %{REQUEST_METHOD}  =GET
-          RewriteCond %{REQUEST_URI}  ^/login$
-          RewriteRule /login /login/mellon [R,L]
-          RewriteCond %{ENV:MELLON_NAME_ID} !^$
-          RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }}
+        RewriteEngine on
+        
+        RewriteCond %{QUERY_STRING} ^$
+        RewriteCond %{REQUEST_METHOD}  =GET
+        RewriteCond %{REQUEST_URI}  ^/login$
+        RewriteRule /login /login/mellon [R,L]
+
+        RewriteCond %{ENV:MELLON_NAME_ID} !^$
+        RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }}
+
+        # protection: don't allow auth headers from the user directly
+        RewriteCond %{HTTP:preauth-username}  !^$ [NC,OR]
+        RewriteCond %{HTTP:preauth-email}  !^$ [NC,OR]
+        RewriteCond %{HTTP:preauth-org}  !^$ [NC,OR]
+        RewriteCond %{HTTP:preauth-firstname}  !^$ [NC,OR]
+        RewriteCond %{HTTP:preauth-lastname}  !^$ [NC,OR]
+        RewriteCond %{HTTP:sec-mellon-name-id}  !^$ [NC,OR]
+        RewriteCond %{HTTP:sec-georchestra-preauthenticated}  !^$ [NC]
+        RewriteRule . - [R=403,L]
 
       </Location>