void TheoryIdl::check(Effort level) {
if (done() && !fullEffort(level)) {
return;
}
TimerStat::CodeTimer checkTimer(d_checkTime);
while(!done()) {
// Get the next assertion
Assertion assertion = get();
Debug("theory::idl") << "TheoryIdl::check(): processing " << assertion.assertion << std::endl;
// Convert the assertion into the internal representation
IDLAssertion idlAssertion(assertion.assertion);
Debug("theory::idl") << "TheoryIdl::check(): got " << idlAssertion << std::endl;
if (idlAssertion.ok()) {
if (idlAssertion.getOp() == kind::DISTINCT) {
// We don't handle dis-equalities
d_out->setIncomplete();
} else {
// Process the convex assertions immediately
bool ok = processAssertion(idlAssertion);
if (!ok) {
// In conflict, we're done
return;
}
}
} else {
// Not an IDL assertion, set incomplete
d_out->setIncomplete();
}
}
}
/**************************************************
* Authentication phase
*
* - If AuthType != Persona, do nothing
* - Handle POSTed assertions ("null" -> logout)
* - If we have a cookie, set up user context
**************************************************/
static int Auth_persona_check_cookie(request_rec *r)
{
char *szCookieValue=NULL;
char *szRemoteIP=NULL;
const char *assertion=NULL;
if (!persona_authn_active(r)) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ERRTAG "Auth_persona_check_cookie");
// We'll trade you a valid assertion for a session cookie!
// this is a programmatic XHR request.
persona_config_t *conf = ap_get_module_config(r->server->module_config, &authnz_persona_module);
assertion = apr_table_get(r->headers_in, PERSONA_ASSERTION_HEADER);
if (assertion) {
if (strcmp(r->method, "POST")) {
r->status = HTTP_METHOD_NOT_ALLOWED;
ap_set_content_type(r, "application/json");
const char *error = "{\"status\": \"failure\", \"reason\":"
"\"login must be performed with POST\"}";
ap_rwrite(error, strlen(error), r);
return DONE;
}
if (!strcmp(assertion, "null")) {
sendResetCookie(r);
r->status = HTTP_OK;
const char *status = "{\"status\": \"okay\"}";
ap_set_content_type(r, "application/json");
ap_rwrite(status, strlen(status), r);
return DONE;
}
VerifyResult res = processAssertion(r, assertion);
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG
"Assertion received '%s'", assertion);
if (res->verifiedEmail) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, r, ERRTAG
"email '%s' verified, vouched for by issuer '%s'",
res->verifiedEmail, res->identityIssuer);
Cookie cookie = apr_pcalloc(r->pool, sizeof(struct _Cookie));
cookie->verifiedEmail = res->verifiedEmail;
cookie->identityIssuer = res->identityIssuer;
cookie->created = apr_time_sec(r->request_time);
sendSignedCookie(r, conf->secret, cookie);
return DONE;
} else {
assert(res->errorResponse != NULL);
r->status = HTTP_INTERNAL_SERVER_ERROR;
ap_set_content_type(r, "application/json");
ap_rwrite(res->errorResponse, strlen(res->errorResponse), r);
// upon assertion verification failure we return JSON explaining why
return DONE;
}
}
// handle logout via LogoutPath hit before letting valid cookies through
if (conf->logout_path->len && !strncmp(r->uri, conf->logout_path->data, conf->logout_path->len)) {
return process_logout(r);
}
// if there's a valid cookie, allow the user through
szCookieValue = extractCookie(r, conf->secret, PERSONA_COOKIE_NAME);
Cookie cookie = NULL;
if (szCookieValue &&
(cookie = validateCookie(r, conf->secret, szCookieValue))) {
r->user = (char *) cookie->verifiedEmail;
apr_table_setn(r->notes, PERSONA_ISSUER_NOTE, cookie->identityIssuer);
apr_table_setn(r->subprocess_env, "REMOTE_USER", cookie->verifiedEmail);
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, ERRTAG "Valid auth cookie found, passthrough");
ap_custom_response(r, 401, (const char*) build_error_html);
ap_custom_response(r, 403, (const char*) build_error_html);
return OK;
}
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, ERRTAG "Persona cookie not found; not authorized! RemoteIP:%s",szRemoteIP);
r->status = HTTP_UNAUTHORIZED;
ap_set_content_type(r, "text/html");
ap_rwrite(src_signin_html, sizeof(src_signin_html), r);
ap_rprintf(r, "var loggedInUser = undefined;\n");
ap_rwrite(PERSONA_END_PAGE, sizeof(PERSONA_END_PAGE), r);
return DONE;
}
