authorCoprDistGit <infra@openeuler.org>2023-03-26 12:06:12 +0000
committerCoprDistGit <infra@openeuler.org>2023-03-26 12:06:12 +0000
commit03dba8af033ead62931986877f0b8d77e0c536f3 (patch)
tree1a15f239bc7bfd71eb309f1ec6f45fa9a154e59e /0008-Set-SameSite-to-None-on-test-cookie.patch
parenta8d510b1a8669d49d84d40279ef206df3bae5b44 (diff)
automatic import of mod_auth_mellonopeneuler20.03
Diffstat (limited to '0008-Set-SameSite-to-None-on-test-cookie.patch')
-rw-r--r--0008-Set-SameSite-to-None-on-test-cookie.patch78
1 files changed, 78 insertions, 0 deletions
diff --git a/0008-Set-SameSite-to-None-on-test-cookie.patch b/0008-Set-SameSite-to-None-on-test-cookie.patch
new file mode 100644
index 0000000..89bb5a6
--- /dev/null
+++ b/0008-Set-SameSite-to-None-on-test-cookie.patch
@@ -0,0 +1,78 @@
+From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <r.pluem@gmx.de>
+Date: Thu, 30 Apr 2020 07:56:01 +0200
+Subject: [PATCH] Set SameSite to None on test cookie
+
+If the SameSite cookie attribute is to be set because
+MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
+for this particular request set it to None for the test cookie.
+This ensures that the test cookie with the static test content does not
+get lost in the HTTP-POST binding request issued by the autosubmit form
+returned by the IDP.
+Addresses #20
+
+* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
+
+* auth_mellon_handler.c (am_send_login_authn_request): Set request note
+ to set SameSite to None if appropriate.
+
+* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
+ requested via request note.
+---
+ auth_mellon.h | 3 +++
+ auth_mellon_cookie.c | 6 +++++-
+ auth_mellon_handler.c | 5 +++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index fd39b28..401ed9c 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -100,6 +100,9 @@ typedef enum {
+ /* Disable SameSite Environment Value */
+ #define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+
++/* Force setting SameSite to None */
++#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
++
+
+ /* This is the length of the id we use (for session IDs and
+ * replaying POST data).
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index 55f77a5..6bff81e 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
+ }
+
+ if (env_var_value == NULL){
+- if (cfg->cookie_samesite == am_samesite_lax) {
++ if ((cfg->cookie_samesite != am_samesite_default) &&
++ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
++ cookie_samesite = "; SameSite=None";
++ }
++ else if (cfg->cookie_samesite == am_samesite_lax) {
+ cookie_samesite = "; SameSite=Lax";
+ } else if (cfg->cookie_samesite == am_samesite_strict) {
+ cookie_samesite = "; SameSite=Strict";
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index 395ee1d..40c9bcd 100644
+--- a/auth_mellon_handler.c
++++ b/auth_mellon_handler.c
+@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
+ /* Add cookie for cookie test. We know that we should have
+ * a valid cookie when we return from the IdP after SP-initiated
+ * login.
++ * Ensure that SameSite is set to None for this cookie if SameSite
++ * is allowed to be set as the cookie otherwise gets lost on
++ * HTTP-POST binding messages.
+ */
++ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
+ am_cookie_set(r, "cookietest");
++ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
+
+ server = am_get_lasso_server(r);
+ if(server == NULL) {
+--
+2.26.2
+
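Review bot: The new `cookie_samesite = "; SameSite=None";` branch in am_cookie_params (inner patch, auth_mellon_cookie.c hunk) does not itself add the `Secure` attribute, and current browsers reject a `SameSite=None` cookie that is not also marked `Secure`, so the test cookie will still be dropped on the HTTP-POST binding unless the Secure flag is emitted elsewhere in that function. Whether it is depends on code outside the hunk — am_cookie_params starts before and ends after the visible lines — presumably on the MellonSecureCookie setting, so the dependency should be recorded next to the new branch, e.g. `/* Browsers only honour SameSite=None when the cookie is also Secure; effective only with MellonSecureCookie enabled */`, and ideally mentioned in the patch description as well. The handler side in am_send_login_authn_request sets the note with `apr_table_setn` and unsets it immediately after `am_cookie_set`, which correctly limits the override to the test cookie; that function likewise continues outside the hunk.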