FreeBSD で OpenAM の Web Policy Agents を動かす

FreeBSD 用 Web Policy Agents は提供されていませんが、ソースコードは公開されていますので、ソースコードから認証モジュールを構築して動かします。

前提条件


開発環境のインストール

gcc は 4.4 以上が必要です。

# pkg install gcc48
# pkg install gmake
# pkg install nss
# pkg install libxml2

Web Policy Agents のコンパイル

ソースコードの取得

登録済のユーザIDとパスワードを使って、ソースコードを入手します。

% svn checkout https://svn.forgerock.org/openam/tags/Agents-3.3.4

ソースコードの修正

Agents-3.3.4/opensso/products/webagents/arch

--- arch/components.mk.orig	2016-10-16 00:29:24.120631000 +0900
+++ arch/components.mk	2016-10-16 06:57:54.457608000 +0900
@@ -83,8 +83,8 @@
 ##########################################
 # Apache 2.4 defines
 ##########################################
-APACHE24_DIR = $(EXTERNAL_DIR)/apache24
-APACHE24_INC_DIR = $(APACHE24_DIR)/include
+APACHE24_DIR =  /usr/local
+APACHE24_INC_DIR = $(APACHE24_DIR)/include/apache24
 APACHE24_LIB_DIR = $(APACHE24_DIR)/lib
 
 ######################################################
@@ -115,7 +115,7 @@
 ##########################################
 # LIBXML defines
 ##########################################
-LIBXML_DIR := $(EXTERNAL_DIR)/libxml2
+LIBXML_DIR := /usr/local
 ifeq ($(BUILD_TYPE), 64)
 LIBXML_DIR := $(EXTERNAL_DIR)/libxml2_64
 endif
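Review bot: The new `LIBXML_DIR := /usr/local` is overwritten one line later for 64-bit builds by the untouched `ifeq ($(BUILD_TYPE), 64)` block, which still assigns `$(EXTERNAL_DIR)/libxml2_64`, so the FreeBSD location only takes effect when BUILD_TYPE is 32. The same pattern repeats for PCRE_DIR, NSPR_DIR and NSS_DIR in the three hunks below, each of which is followed by its own unchanged `_64` override. Either give the 64-bit branch the same value, or move the FreeBSD assignment after the `endif` so it wins regardless of BUILD_TYPE, e.g. place `LIBXML_DIR := /usr/local` below the override instead of above it.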
@@ -135,7 +135,7 @@
 LIBXML_LIBS := -llibxml2
 endif
 else
-LIBXML_LIBS := -lxml2
+LIBXML_LIBS := -lxml2 -liconv
 endif
 endif
 
@@ -143,11 +143,12 @@
 # PCRE defines
 ##########################################
 
-PCRE_DIR := $(EXTERNAL_DIR)/pcre
+PCRE_DIR := /usr/local
+PCRE_LIBS := -lpcre
 ifeq ($(BUILD_TYPE), 64)
 PCRE_DIR := $(EXTERNAL_DIR)/pcre_64
 endif
-PCRE_INC_DIR := $(PCRE_DIR)/include
+PCRE_INC_DIR := $(PCRE_DIR)/include/pcre
 PCRE_LIB_DIR := $(PCRE_DIR)/lib
 ifndef	PCRE_LIBS
 PCRE_LIBS := $(PCRE_LIB_DIR)/libpcre.a
@@ -157,7 +158,7 @@
 # NSPR defines
 ##########################################
 
-NSPR_DIR := $(EXTERNAL_DIR)/nspr
+NSPR_DIR := /usr/local
 ifeq ($(BUILD_TYPE), 64)
 NSPR_DIR := $(EXTERNAL_DIR)/nspr_64
 endif
@@ -166,7 +167,7 @@
 NSPR_DIR := $(EXTERNAL_DIR)/nspr_64
 endif
 endif
-NSPR_INC_DIR := $(NSPR_DIR)/include
+NSPR_INC_DIR := $(NSPR_DIR)/include/nspr
 NSPR_LIB_DIR := $(NSPR_DIR)/lib
 
 ifndef	NSPR_LIBS
@@ -185,7 +186,7 @@
 # NSS defines
 ##########################################
 
-NSS_DIR := $(EXTERNAL_DIR)/nss
+NSS_DIR := /usr/local
 ifeq ($(BUILD_TYPE), 64)
 NSS_DIR := $(EXTERNAL_DIR)/nss_64
 endif
@@ -195,8 +196,8 @@
 endif
 endif
 NSS_BIN_DIR := $(NSS_DIR)/bin
-NSS_INC_DIR := $(NSS_DIR)/include
-NSS_LIB_DIR := $(NSS_DIR)/lib
+NSS_INC_DIR := $(NSS_DIR)/include/nss/nss
+NSS_LIB_DIR := $(NSS_DIR)/lib/nss
 
 ifeq ($(OS_ARCH), WINNT)
 ifdef OS_IS_CYGWIN
--- /dev/null	2016-10-16 22:55:00.000000000 +0900
+++ arch/defines_FreeBSD.mk	2016-10-16 22:31:34.606752000 +0900
@@ -0,0 +1,116 @@
+#
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+#
+# Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
+#
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+#
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: openam-agent.shtml,v 1.2 2016/11/02 22:32:36 hiraga Exp hiraga $
+# 
+#
+
+# "Portions Copyrighted [2010] [ForgeRock AS]"
+
+#
+# This makefile defines a number of standard OS-dependent symbols
+# used in by the makefiles that build the Agent Pack.
+#
+
+PATH_SEP := :
+
+ECHO := echo -e
+NM := nm
+RMDIR := rmdir -p --ignore-fail-on-non-empty
+
+#
+# C/C++ Compiler related symbols
+#
+COMPILERS_DIR :=
+GCC_WARNING_FLAGS := -Wall -Wshadow -gdwarf-2
+CC := gcc
+CXX := g++
+GCC_33 := $(shell $(CC) -v 2>&1 | grep version | /usr/bin/awk '{print $$3}')
+
+CFLAGS += -DFREEBSD -pthread $(GCC_WARNING_FLAGS) -fexceptions
+CXXFLAGS += -DFREEBSD -pthread $(GCC_WARNING_FLAGS) -Woverloaded-virtual -fexceptions
+CXX_STD_LIBS := -lstdc++
+LDFLAGS += -pthread -lrt
+LD_ORIGIN_FLAG := -Xlinker '-R$$ORIGIN'
+LD_COMMON_ORIGIN_FLAG := -Xlinker '-R$$ORIGIN/../../lib'
+# NOTE: '-z defs' should probably be added to the following definition.
+LD_FILTER_SYMS_FLAG = -Xlinker --version-script -Xlinker $(filter %.mapfile, $^)
+LD_MAKE_SHARED_LIB_FLAG := -fPIC -shared -rdynamic
+LD_SHARED_FLAG := -Wl,-Bdynamic
+LD_STATIC_FLAG := -Wl,-Bstatic
+LD_VERSION_LIB_FLAG = -Xlinker -h$@
+PIC_FLAG := -fPIC
+
+INSTALL_DIR := opt/agents
+RPM_DIR :=  $(DEST_PACKAGE_SCRATCH_DIR)/RPMS/$(MC_ARCH)
+BUILDROOT := /tmp/$(USER)/agent-buildroot
+BUILDROOT_LIB_DIR := $(BUILDROOT)/$(INSTALL_DIR)/lib
+BUILDROOT_CONF_DIR := $(BUILDROOT)/$(INSTALL_DIR)/config
+BUILDROOT_BIN_DIR:= $(BUILDROOT)/$(INSTALL_DIR)/bin
+BUILDROOT_INC_DIR:= $(BUILDROOT)/$(INSTALL_DIR)/include
+BUILDROOT_SAMPLES_DIR:= $(BUILDROOT)/$(INSTALL_DIR)/samples
+BUILDROOT_RPM_DIR:= $(BUILDROOT)/RPMS/$(MC_ARCH)
+
+
+BUILD_DEBUG := full
+
+
+#
+# Give DEBUG_FLAGS a default setting based on the build type
+#
+ifeq ($(BUILD_DEBUG), full)
+  DEBUG_FLAGS := -g3 -DDEBUG -fno-inline -O0 -Wall
+endif
+ifeq ($(BUILD_DEBUG), optimize)
+  DEBUG_FLAGS := -O2 -DNDEBUG
+endif
+ifndef DEBUG_FLAGS
+  DEBUG_FLAGS := -g -O1 -DDEBUG
+endif
+
+SHELL_EXEC_EXTENSION :=
+
+LN_s := ln -s
+
+ifeq ($(BUILD_TYPE), 64)
+CFLAGS += -fPIC
+CXXFLAGS += -m64
+endif
+
+ifeq ($(BUILD_TYPE), 32)
+CFLAGS += -fPIC -m32
+CXXFLAGS += -m32
+endif
+
+
+#
+# the following is the name of the tar ball for dsame drop,.
+#
+DSAME_DROP_FILE_NAME := common_3_0_$(OS_ARCH)_$(MC_ARCH)
+
+MAKE_STATIC_LIB = $(AR) $(ARFLAGS) $@ $(filter %.o, $^)
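Review bot: `RMDIR := rmdir -p --ignore-fail-on-non-empty` carries a GNU coreutils-only long option over from the Linux defines; FreeBSD's base rmdir(1) does not accept it, so any rule that expands `$(RMDIR)` will fail on this platform — `RMDIR := rmdir -p` keeps the intent, with `-` on the call site if non-empty directories are expected. `BUILDROOT := /tmp/$(USER)/agent-buildroot` is a predictable path under a world-writable directory, so a pre-existing `/tmp/$(USER)` owned by another local user redirects the staging writes; anchoring it under `$(CURDIR)` or a per-build `mktemp -d` result avoids that. The header comment also repeats the CDDL "contents of this file" paragraph twice and embeds an `$Id: openam-agent.shtml,v ...$` keyword that belongs to the web page rather than to this makefile; both should be trimmed before the file is kept.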
--- /dev/null	2016-10-16 22:55:00.000000000 +0900
+++ arch/rules_FreeBSD.mk	2016-10-16 00:33:20.379170000 +0900
@@ -0,0 +1,62 @@
+#
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+#
+# Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
+#
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+#
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: openam-agent.shtml,v 1.2 2016/11/02 22:32:36 hiraga Exp hiraga $
+# 
+#
+
+#
+# This makefile defines the Solaris-specific rules needed to build
+# the Agent Pack.
+#
+
+%.cpp %.cxx %.d:
+
+%.o: %.cpp
+	$(COMPILE.cc) $< $(OUTPUT_OPTION)
+
+%.o: %.cxx
+	$(COMPILE.cc) $< $(OUTPUT_OPTION)
+
+%.d: %.c
+	set -e; $(filter-out -g3,$(COMPILE.c)) -MM $< \
+		| sed 's;\($*\.o\)[ :]*;\1 $@ : ;' > $@; [ -s $@ ] || $(RM) $@
+
+%.d: %.cpp
+	set -e; $(filter-out -g3,$(COMPILE.cc)) -MM $< \
+		| sed 's;\($*\.o\)[ :]*;\1 $@ : ;' > $@; [ -s $@ ] || $(RM) $@
+
+%.d: %.cxx
+	set -e; $(filter-out -g3,$(COMPILE.cc)) -MM $< \
+		| sed 's;\($*\.o\)[ :]*;\1 $@ : ;' > $@; [ -s $@ ] || $(RM) $@
+
+#
+# Clean up OS/compiler specific junk. 
+#
+clean_objs:
+	$(RM) $(OBJS) $(DEPENDS)
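Review bot: The header comment `# This makefile defines the Solaris-specific rules needed to build` was copied unchanged and now names the wrong platform for a file called rules_FreeBSD.mk; change it to `# This makefile defines the FreeBSD-specific rules needed to build`. `clean_objs` is a command rather than a file it produces, so it should be declared `.PHONY: clean_objs` unless the including makefile already does so (not visible here).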

Agents-3.3.4/opensso/products/webagents/agents/source

--- ./agents/source/apache24/Makefile.orig	2016-10-16 00:29:10.152122000 +0900
+++ ./agents/source/apache24/Makefile	2016-10-16 17:33:33.843027000 +0900
@@ -38,7 +38,7 @@
 
 APACHE24_LIB := $(APACHE24_LIB_NAME)$(SO_EXT)
 	
-APACHE24_INCLUDE_FLAGS := -I$(DEST_INC_DIR) -I../common
+APACHE24_INCLUDE_FLAGS := -I$(DEST_INC_DIR) -I../common -I$(USERX_ROOT)/am/source -I/usr/local/include/apr-1
 
 ifeq ($(OS_ARCH), Linux)
    ifeq ($(OS_ARCH_VER), 2.2.20-compact)
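Review bot: `-I/usr/local/include/apr-1` hard-codes the APR header location while the rest of this line, and the components.mk hunks above, derive paths from `$(APACHE24_DIR)`; `-I$(APACHE24_DIR)/include/apr-1` keeps the two in step and survives a different LOCALBASE. The addition is also unconditional, unlike the FreeBSD `APACHE24_CFLAGS` block added further down in this file, so on other platforms it now injects a FreeBSD ports path; wrapping the extra include flags in `ifeq ($(OS_ARCH), FreeBSD)` keeps them where they apply.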
@@ -49,6 +49,10 @@
 
 APACHE24_CFLAGS += -DAPACHE2 -DAPACHE24 -DEAPI -DMOD_PERL -DUSE_EXPAT -DXP_UNIX $(PIC_FLAG) -DCORE_PRIVATE $(APACHE24_INCLUDE_FLAGS) -I$(APACHE24_INC_DIR)
 
+ifeq ($(OS_ARCH), FreeBSD)
+APACHE24_CFLAGS += -D_LARGEFILE64_SOURCE
+endif
+
 ifeq ($(OS_ARCH), Linux)
 APACHE24_CFLAGS += -D_LARGEFILE64_SOURCE
 endif
@@ -66,6 +70,9 @@
 
 ifeq ($(OS_ARCH), SunOS)
 SYSTEM_LIBS := -lc 
+endif
+ifeq ($(OS_ARCH), FreeBSD)
+SYSTEM_LIBS := -lpthread -lc -lm
 else
 SYSTEM_LIBS := -lpthread -ldl -lc -lm
 endif
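Review bot: Splitting the original `ifeq/else/endif` into two separate conditionals breaks the SunOS case: `SYSTEM_LIBS := -lc` is now assigned and then overwritten by the `else` branch of the new FreeBSD test, because SunOS is not FreeBSD. Keep it a single chain by replacing the inserted `endif` / `ifeq ($(OS_ARCH), FreeBSD)` pair with `else ifeq ($(OS_ARCH), FreeBSD)`, which GNU make 3.81 and later accepts.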
--- ./agents/source/Makefile.orig	2016-10-16 00:29:11.430484000 +0900
+++ ./agents/source/Makefile	2016-10-16 19:54:15.152513000 +0900
@@ -86,6 +86,10 @@
 SUBDIRS += $(BUILD_AGENT)
 endif 
 
+ifeq ($(OS_ARCH), FreeBSD)
+SUBDIRS += apache24
+endif
+
 all: all_subdirs
 
 clean: clean_subdirs
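Review bot: `SUBDIRS += apache24` is appended without checking whether `$(BUILD_AGENT)`, added to SUBDIRS just above the hunk, already names apache24; if it does, the directory is visited twice by all_subdirs and clean_subdirs (their definitions are outside the hunk). Guarding the append with `ifeq (,$(filter apache24,$(SUBDIRS)))` avoids the duplicate without reordering the list.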

Agents-3.3.4/opensso/products/webagents/am/source

--- ./am/source/xml_utilities.h.orig	2016-10-16 00:29:17.067982000 +0900
+++ ./am/source/xml_utilities.h	2016-10-16 06:13:56.594916000 +0900
@@ -35,7 +35,7 @@
 
 #include <string>
 
-#if	defined(SOLARIS) || defined(LINUX)
+#if	defined(SOLARIS) || defined(LINUX) || defined(FREEBSD)
 #include <strings.h>
 #elif	(defined(WINNT) || defined(_AMD64_))
 #endif
@@ -46,7 +46,7 @@
 
 inline bool matchesXMLString(const std::string& str1, const xmlChar *str2)
 {
-#if	defined(SOLARIS) || defined(LINUX) || defined(HPUX) || defined(AIX)
+#if	defined(SOLARIS) || defined(LINUX) || defined(HPUX) || defined(AIX) || defined(FREEBSD)
     return (0 == strcasecmp(str1.c_str(),
 			    reinterpret_cast<const char *>(str2)));
 #elif	(defined(WINNT) || defined(_AMD64_))
--- ./am/source/am_types.h.orig	2016-10-16 00:29:17.061495000 +0900
+++ ./am/source/am_types.h	2016-10-16 05:37:47.826649000 +0900
@@ -63,7 +63,7 @@
 
 AM_BEGIN_EXTERN_C
 
-#if defined(WINNT) || defined(_AMD64_) || defined(LINUX) || defined(HPUX)
+#if defined(WINNT) || defined(_AMD64_) || defined(LINUX) || defined(HPUX) || defined(FREEBSD)
 #include <sys/stat.h>     /* for time_t */
 typedef enum { 
     B_FALSE, 
--- ./am/source/am_web.cpp.orig	2016-10-16 00:29:17.453856000 +0900
+++ ./am/source/am_web.cpp	2016-10-16 06:20:56.827193000 +0900
@@ -422,7 +422,7 @@
 #else
 void mbyte_to_wchar(const char * orig_str,char *dest_str,int dest_len)
 {
-#if defined(LINUX) || defined(HPUX) || defined(AIX)
+#if defined(LINUX) || defined(HPUX) || defined(AIX) || defined(FREEBSD)
     char *origstr = const_cast<char *>(orig_str);
 #else
     const char *origstr = orig_str;
@@ -452,7 +452,7 @@
 	/* Perform iconv conversion */
 	Log::log(boot_info.log_module, Log::LOG_MAX_DEBUG,
 		 "i18n b4 convlen = %d  size = %d", len, size);
-#if defined(LINUX_64) || defined(LINUX)
+#if defined(LINUX_64) || defined(LINUX) || defined(FREEBSD)
 	int ret = iconv(encoder, &origstr, (size_t*)&len, &dest_str, (size_t*)&size);
 #else
 	int ret = iconv(encoder, &origstr, &len, &dest_str, &size);
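Review bot: Routing FreeBSD through the `(size_t*)&len, (size_t*)&size` call makes iconv(3) read and write eight bytes through what the `%d` format two lines above suggests are `int` locals, so on 64-bit FreeBSD (the page recommends the 64-bit agent on FreeBSD 11) the upper half of each write lands in adjacent stack memory; the existing LINUX_64 path has the same hazard, but the new line extends it. Correctly typed temporaries remove the casts: `size_t inlen = len, outlen = size;` / `int ret = iconv(encoder, &origstr, &inlen, &dest_str, &outlen);` / `len = inlen; size = outlen;`. The declarations of `len` and `size` are outside the hunk, so confirm their types first.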
--- ./am/source/thread_pool.cpp.orig	2016-10-16 00:29:17.069942000 +0900
+++ ./am/source/thread_pool.cpp	2016-10-16 06:22:29.818029000 +0900
@@ -245,7 +245,7 @@
 	     "ThreadPool::~ThreadPool(): ThreadPool destroyed.");
 }
 
-#if defined(HPUX) || defined(LINUX)
+#if defined(HPUX) || defined(LINUX) || defined(FREEBSD)
 void
 spin(void *args) {
 #else
--- ./am/source/hash_table.h.orig	2016-10-16 00:29:17.462753000 +0900
+++ ./am/source/hash_table.h	2016-10-16 06:23:17.353717000 +0900
@@ -347,7 +347,7 @@
     const EntryType &entry = buckets[bucketNumber].find(key);
 
     if (entry && entry->getExpirationTime() < PR_Now()) {
-        #if defined(LINUX) 
+        #if defined(LINUX)  || defined(FREEBSD)
 	return (typename HashTable<Element>::EntryType)NULL;
         #else
 	return (HashTable<Element>::EntryType)NULL;

ソースコードのコンパイル

パッケージ作成でエラーになりますが、気にせずにモジュールのみ構築します。

% cd Agents-3.3.4/opensso/products/webagents
% gmake
% cd Agents-3.3.4/opensso/products/webagents/agents/source
% gmake

Web Policy Agents for Apache のインストール

# cp Agents-3.3.4/opensso/products/webagents/agents/source/apache24/libamapc24.so /usr/local/libexec/apache24

Web Policy Agents for Apache の設定

ダミーhttpd.confの用意

# mkdir /compat/linux/etc/httpd
# mkdir /compat/linux/etc/httpd/conf
# touch /compat/linux/etc/httpd/conf/httpd.conf

Web Policy Agents for Linux パッケージの入手

ForgeRockの OpenAMプロジェクトページ から Apache 2.4 for Linux 用 Web Policy Agents パッケージ
Apache-v2.4-Linux-32-Agent-3.3.4.zip をダウンロードします。
FreeBSD 11 以降であれば 64 bit 版 Apache-v2.4-Linux-64-Agent-3.3.4.zip でもいいでしょう。
なお、ダウンロードには OpenAM のダウンロードと同じくユーザ登録(無料)が必要です。

Web Policy Agents for Linux のインストール

入手したパッケージを展開して実行します。エージェントのパスワードは一時ファイル経由で渡すため、作成後すぐに chmod 600 し、インストールが終わったら削除します (umask 077 の下で作成すれば、パーミッションを変更するまでの間も他のユーザから読めません)。

# echo password > /tmp/pw.txt
# chmod 600 /tmp/pw.txt
# cd /compat/linux/opt
# unzip Apache-v2.4-Linux-32-Agent-3.3.4.zip
# service apache24 stop
# web_agents/apache24_agent/bin/agentadmin --install

Please read the following License Agreement carefully:

[Press <Enter> to continue...] or [Enter n To Finish]
n

Do you completely agree with all the terms and conditions of this License
Agreement (yes/no): [no]: yes



************************************************************************
Welcome to the OpenAM Policy Agent for Apache Server.

************************************************************************

Enter the complete path to the directory which is used by Apache Server to
store its configuration Files. This directory uniquely identifies the
Apache Server instance that is secured by this Agent.
[ ? : Help, ! : Exit ]
Enter the Apache Server Config Directory Path [/opt/apache24/conf]: /compat/linux/etc/httpd/conf


Enter the URL where the OpenAM server is running. Please include the
deployment URI also as shown below:
(http://openam.sample.com:58080/openam)
[ ? : Help, < : Back, ! : Exit ]
OpenAM server URL: https://openam.next-hop.net:8443/openam


Enter the Agent URL as shown below: (http://agent1.sample.com:1234)
[ ? : Help, < : Back, ! : Exit ]
Agent URL: http://www.next-hop.net:80


Enter the Agent profile name
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: ApacheAgent


Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: /tmp/pw.txt


WARNING:
Password validation cannot be done as OpenAM server is not running.



-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Apache Server Config Directory : /compat/linux/etc/httpd/conf
OpenAM server URL : https://openam.next-hop.net:8443/openam
Agent URL : http://www.next-hop.net:80
Agent Profile name : ApacheAgent
Agent Profile Password file name : /tmp/pw.txt

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 1

Creating directory layout and configuring Agent file for Agent_001
instance ...DONE.

Reading data from file /tmp/pw.txt and encrypting it ...DONE.

Generating audit log file name ...DONE.

Creating tag swapped OpenSSOAgentBootstrap.properties file for instance
Agent_001 ...DONE.

Creating a backup for file /compat/linux/etc/httpd/conf/httpd.conf ...DONE.

Adding Agent parameters to
/compat/linux/opt/web_agents/apache24_agent/Agent_001/config/dsame.conf
file ...DONE.

Adding Agent parameters to /compat/linux/etc/httpd/conf/httpd.conf
file ...DONE.


SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
/compat/linux/opt/web_agents/apache24_agent/Agent_001/config/OpenSSOAgentBootstrap.properties
Agent Configuration Tag file location
/compat/linux/opt/web_agents/apache24_agent/Agent_001/config/OpenSSOAgentConfiguration.properties
Agent Audit directory location:
/compat/linux/opt/web_agents/apache24_agent/Agent_001/logs/audit
Agent Debug directory location:
/compat/linux/opt/web_agents/apache24_agent/Agent_001/logs/debug


Install log file location:
/compat/linux/opt/web_agents/apache24_agent/installer-logs/audit/install.log

Thank you for using OpenAM Policy Agent
# rm /tmp/pw.txt

OpenAM のエージェント設定

Authorization Policy 設定

まず新しくポリシーを設定します。

Name: Authenticated users can get Apache HTTP home page
Description: This policy lets users who have authenticated to OpenAM access the Apache home page.
Resource Type: URL
Resources: *://*:*/*

Agent 設定

続いてエージェントを追加します。

OpenAM Agent OpenAM Agent

適用されない URL の反転を有効にし、認証が適用される URL を列挙します。

OpenAM Agent


Apache の設定

/usr/local/etc/apache24/Includes/dsame.conf

# Load the agent module built from the patched source and copied to
# /usr/local/libexec/apache24 in the install step above.
LoadModule dsame_module libexec/apache24/libamapc24.so
# Both property files are the ones agentadmin --install wrote for instance
# Agent_001 (paths taken from the install summary it printed).
Agent_Config_File /compat/linux/opt/web_agents/apache24_agent/Agent_001/config/OpenSSOAgentConfiguration.properties
Agent_Bootstrap_File /compat/linux/opt/web_agents/apache24_agent/Agent_001/config/OpenSSOAgentBootstrap.properties

httpd を再起動します。

# service apache24 restart

httpd が起動したら、認証エージェントが読み込まれているか HTTP の Server ヘッダで確認します (確認が済んだら、ServerTokens Prod でバージョン情報の公開を抑えておくのが一般的です)。

Server: Apache/2.4.23 (FreeBSD) OpenAM WPA/3.3.4 OpenSSL/1.0.1s-freebsd

参考