I've been working on the scripting plugin whenever I could find time - mostly
weekends - and it's around 7k lines of code now. As it develops, it's proving
to be useful for realistic/practical scenarios, and I'm pleasantly surprised.
But most of the test scripts that I wrote were rather small and did
very few things - mainly looking at a couple of values in the request, setting
a few, and then, say, doing a redirect. For a change, I decided to use it for
something larger, something more realistic.

Recently there was this Proxy bug, an RFE actually, where the requirement was a
Single Sign On (SSO) plugin for proxy. Attached to the bug was the C source
code for an SSO plugin which the customer was using. It wasn't big - around 500
lines or so. So I thought I would try implementing the same using scripting.
It wasn't too difficult, and I could come up with a working script within a day.
This was the first time I was attempting something of this scale with the scripting
plugin - so in the process, inevitably, I found some new bugs and had to fix them.

Anyway, here is the first working version of an SSO nsapi script:

#
# nsapi script for SSO (Single Sign On)
#
cookiename = "nsh_sso"
sessionmax = 3600
authfield = $rq.headers.authorization
cookievalue = call getcookie
call main

# functions...
function main()
{
    # Check if there is an "Authorization:" header
    if test $authfield == ""
    then
        # No "Authorization:" header. Check if there is a cookie
        if $cookievalue == ""
        then
            # No cookie either. move on.
            req noaction
        else
            # There is a cookie. Check if the cookie is valid.
            authval = call checkcookie
            if $authval != ""
            then
                # Valid cookie. use its contents to set the "Authorization" header.
                authval = "Basic $authval"
                setheader "Authorization" $authval
                req proceed
            else
                # Invalid cookie. send a 401.
                rq.srvhdrs.www-authenticate = "basic realm=\"SSO Session Expired\""
                rq.srvhdrs.status = "401 Unauthorized"
                req aborted
            fi
        fi
    else
        # There is an "Authorization:" header. Check if there is a cookie.
        if $cookievalue != ""
        then
            # There is a cookie. If it is valid, let the request proceed.
            authval = call checkcookie
            if $authval != ""
            then
                cauthval = substr $authfield 7
                if test $cauthval == $authval
                then
                    req proceed
                fi
            fi
        fi
        # Either there is no cookie, or the cookie is not valid.
        # So wrap the value of the "Authorization:" header into
        # a cookie, set it, and send a 302.
        call setcookie
    fi
}

function setcookie()
{
    ncval = call makecookie
    rq.srvhdrs.set-cookie = $ncval
    rq.srvhdrs.location = $rq.reqpb.uri
    rq.srvhdrs.status = "302 Moved"
    req aborted
}

function makecookie()
{
    bi = index $authfield "Basic "
    if $bi != 0
    then
        req proceed
    fi
    authstr = substr $authfield 6
    domain = call getdomain
    if $domain == ""
    then
        req proceed
    fi
    newcookie = "$authstr|"
    newcookie += now
    newcookie = b64encode $newcookie
    newcookieval = "$cookiename=$newcookie; path=/; domain=$domain"
    return $newcookieval
}

function getcookie()
{
    c = $rq.headers.cookie
    if test $c != ""
    then
        cin = index $c $cookiename
        l = length $cookiename
        cin = expr $cin + $l
        cin = expr $cin + 1
        csub = substr $c $cin
        semicol = index $csub ";"
        if test $semicol > 0
        then
            cval = substr $csub 0 $semicol
            return $cval
        else
            return $csub
        fi
    else
        return ""
    fi
}

function checkcookie()
{
    cookievalue = b64decode $cookievalue
    ctindex = index $cookievalue "|"
    authval = substr $cookievalue 0 $ctindex
    ctindex = expr $ctindex + 1
    ctime = substr $cookievalue $ctindex
    ctime = expr $ctime + $sessionmax
    if test $ctime <= now
    then
        return ""
    else
        return $authval
    fi
}

function getdomain()
{
    h = $rq.headers.host
    if $h == ""
    then
        # no host header
        return ""
    else
        di = index $h "."
        di = expr $di + 1
        dom = substr $h $di
        dp = index $dom ":"
        if $dp > 0
        then
            newdom = substr $dom 0 $dp
            return $newdom
        else
            return $dom
        fi
    fi
}

Anyway, I have put up the plugin for download: libnsh for Solaris sparc. Gunzip and untar the file, and you get the plugin (libnsh.so), along
with a README, examples, installation instructions, etc. Please go through the
DISCLAIMER carefully - this is not a supported product of Sun. Use at your own
risk.
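
Added example, not part of the original post or of the libnsh plugin: the cookie that makecookie() and checkcookie() exchange is only base64 of "credentials|issue time", so nothing ties its timestamp or contents to the server that issued it. The Python sketch below mirrors that layout and sets it beside a variant carrying an HMAC-SHA256 tag. The key, the function names and the ".tag" suffix are assumptions made for illustration, as is treating `now` as integer epoch seconds.

```python
import base64, hashlib, hmac

SESSION_MAX = 3600                   # sessionmax in the script
KEY = b"constructed-demo-secret"     # assumption: server-side secret, not in the script

def make_cookie(auth_b64, now):
    """Value layout from makecookie(): b64("<Basic credentials>|<issue time>")."""
    return base64.b64encode(f"{auth_b64}|{now}".encode()).decode()

def check_cookie(value, now):
    """checkcookie() logic; malformed input is treated as an invalid cookie."""
    try:
        raw = base64.b64decode(value, validate=True).decode()
        auth, _, issued = raw.partition("|")
        expires = int(issued) + SESSION_MAX
    except ValueError:               # bad base64, bad UTF-8, or missing timestamp
        return ""
    return auth if auth and expires > now else ""

def _tag(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def sign_cookie(auth_b64, now, key=KEY):
    """Hardened variant: same payload followed by an HMAC-SHA256 tag."""
    payload = make_cookie(auth_b64, now)
    return f"{payload}.{_tag(payload, key)}"

def check_signed_cookie(value, now, key=KEY):
    """Verify the tag in constant time before trusting any field."""
    payload, _, tag = value.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(payload, key).encode()):
        return ""
    return check_cookie(payload, now)

def set_cookie_header(name, value, domain):
    """The script's attributes plus Secure and HttpOnly."""
    return f"{name}={value}; path=/; domain={domain}; Secure; HttpOnly"
```

The tag gives integrity only: the Basic credentials inside the payload are still readable by anyone who holds the cookie, which is why the header helper adds Secure and HttpOnly.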