yale_cas_authz.irule

# yale_cas_authz iRule
#
# iRule to do authorization when paired with the yale_cas_auth iRule
#
# This rule expects a header (which it looks up in a static variable)
# that contains the netid.  The netid will be cross referenced with a
# data group/class of the name "sso_authz_<virtual_server_name>".
#
# Failure to find a netid or failure to find the netid in the data group
# will result in a 403 error.
# 
# E. Camden Fisher
# [email protected]
#
#
when CLIENT_ACCEPTED {
  set hsl [HSL::open -proto UDP -pool dcsunix_syslog_hosts] 
}

when HTTP_REQUEST {

	set virtual_name [URI::basename [virtual name]]
	set data_group "sso_authz_$virtual_name"

	if { [HTTP::header exists $static::sso_authz_header] } {
		if { $static::cas_auth_debug == 1 } { log local0. "Got $static::sso_authz_header header to do authz. netid: [HTTP::header $static::sso_authz_header] data group: $data_group" }

		set netid [HTTP::header $static::sso_authz_header]

		if { [class match $netid equals $data_group] } {
			if { $static::cas_auth_debug == 1 } { log local0. "Allowing netid $netid from data group: $data_group to virtual: $virtual_name" }
		} else {
			if { $static::cas_auth_debug == 1 } { log local0. "Denying netid $netid from data group: $data_group to virtual: $virtual_name" }
			HTTP::respond 403 content "<html><H3>Access Denied</H3><p>Netid: $netid is denied access</p><p>IP:[IP::client_addr]</p></html>" "Content-Type" "text/html"
		}
	} else {
		if { $static::cas_auth_debug == 1 } { log local0. "Denying access to virtual: $virtual_name because of missing netid: [IP::client_addr]" }
		HTTP::respond 403 content "<html><H3>Access Denied</H3><p>Netid: NULL is denied access</p><p>IP: [IP::client_addr]</p></html>" "Content-Type" "text/html"
	}
}