Access to HTML Header?

Hello,

We’re injecting X- headers from our Apache configuration that contain user additional information (GECOS, Email, etc) but I can’t find a good example of how I can access those headers from OOD, for populating default information in a form.

Specifically for we have the following in ood_portal.yml as part of our authentication process with LDAP/Active Directory:

  - 'RequestHeader set X-WEBAUTH-EMAIL %{AUTHORIZE_MAIL}e'
  - 'RequestHeader set X-WEBAUTH-FULLNAME %{AUTHORIZE_DISPLAYNAME}e'
  - 'SetEnv OOD_USER_EMAIL %{AUTHORIZE_MAIL}e'
  - 'SetEnv OOD_USER_FULLNAME %{AUTHORIZE_DISPLAYNAME}e'

I’d like to use either the X-WEBAUTH header or OOD_USER_ values inside an OOD form, and do something like follows:

support_ticket:
  attributes:
    email:
      widget: email_field
      value: "<%= ENV['OOD_USER_EMAIL'] %>"

I’ve tried using request.headers["X-WEBAUTH-EMAIL"] (with causes an error because request is not available) along with ENV['OOD_USER_EMAIL'] without success. I can see where it would be useful/valuable to be able to pass arbitrary data like this from our central authentication system (LDAP / Active Directory / Kerberos) through to the OOD PUN, to be used in a form.

I know the X-WEBAUTH headers are being passed to the PUN correctly. I use them with a ttyd interactive app for Authentication via SSO, but I can’t figure out how to correctly get the Ruby code to be able to query them from YAML in /etc/ood/config/ondemand.d.

Thanks!

SetEnv doesn’t really work like that. It’s not an actual environment variable (in the threads’/processes’ environment), it’s more like an internal apache environment variable (internal to that apache worker).

Right now I don’t know if we have a clear way to access things like email addresses.

Is there a way to access an injected header? Being able to pull X-WEBAUTH-EMAIL from a YAML file like

<%= request.headers["X-WEBAUTH-EMAIL"] %>

would also work.

I know I can always do something like this:

<%-
emailcmd = '/bin/mailLookup.sh ’ + ENV[“USER”]
emailaddr = %x[ #{emailcmd}]
-%>

But since Apache knows the data and it is being passed to the PUN, I wanted to try and make it a little cleaner and not have to spawn a command just to pull in the email I already have.

I can’t say for sure. I don’t know what all contexts the request object could be in.

It certainly isn’t inside /etc/ood/config/ondemand.d/*.yml, which is where I am trying to use it.

Does OOD maybe process and cache all HTML headers someplace? So if there is an X- header injected, is it parsed/stored in a array or hash someplace along with all the other Headers, that I can get access too?

Yea they’re definitly not there in the config as that’s not part of any request, it’s just a part of the boot stack.

If you can get access to any headers, you’d have to do so in the form.yml.erb or submit.yml.erb.

Ok, well, I am trying to automatically inject email value into the support_ticket form, is there a recommended way to capture that?

This is my extremely low-tech way of doing it:

support_ticket:
  attributes:
    username:
      value: "<%= CurrentUser.name %>"
      readonly: true
    email:
      value: "<%= CurrentUser.name %>@university.edu"
      widget: email_field
      required: true

This only works because we only provide access to members of university.edu, so you’d need to come up with something more robust if you have a multi-tenant OOD deployment.

I am a big proponent of configuration profiles, and support_ticket is one of the properties that you can configure on a per-profile basis. If you did have two institutions and each had their own OOD Dashboard, then it would be easy to hard-code the @university.edu value for each profile. Again – very low-tech.

Thanks, that won’t work at our site, usernames and email addresses are not at all connected to each other like that. I just ended up doing:

<%-
emailcmd = "/usr/local/bin/getmail.pl " + ENV["USER"]
emailaddr = %x( #{emailcmd} )
%>
....
    email:
      widget: email_field
      readonly: true
      value: "<%= emailaddr %>"
...

The getmail.pl script is something I wrote that will take the username, query Active Directory and return the email address to stdout. Which works well enough, was just hoping to avoid needing to shell out an external command.

Thanks!

Gotcha. This could also be a good case for initializers, where your script would only be invoked upon initial log-in or when restarting the PUN. I’m not sure how often the ondemand.d files get called, but it would be something to monitor if you see your AD being queried too often.