Changes with Apache 2.3.9
+ *) mod_authz_core: Allow authz providers to check args while reading the
+ config and allow to cache parsed args. [Stefan Fritsch]
+
*) mod_include: Move the request_rec within mod_include to be
exposed within include_ctx_t. [Graham Leggett]
* interface.
* 20100918.0 (2.3.9-dev) Move the request_rec within mod_include to be
* exposed within include_ctx_t.
+ * 20100919.0 (2.3.9-dev) Authz providers: Add parsed_require_line parameter
+ * to check_authorization() function. Add
+ * parse_require_line() function.
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20100918
+#define MODULE_MAGIC_NUMBER_MAJOR 20100919
#endif
#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
typedef struct {
/* Given a request_rec, expected to return AUTHZ_GRANTED
* if we can authorize user access.
+ * @param r the request record
+ * @param require_line the argument to the authz provider
+ * @param parsed_require_line the value set by parse_require_line(), if any
*/
authz_status (*check_authorization)(request_rec *r,
- const char *require_line);
+ const char *require_line,
+ const void *parsed_require_line);
+
+ /** Check the syntax of a require line and optionally cache the parsed
+ * line. This function may be NULL.
+ * @param cmd the config directive
+ * @param require_line the argument to the authz provider
+ * @param parsed_require_line place to store parsed require_line for use by provider
+ * @return Error message or NULL on success
+ */
+ const char *(*parse_require_line)(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line);
} authz_provider;
/* ap_authn_cache_store: Optional function for authn providers
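Review bot: The comment above `check_authorization` still opens with `/*`, so the `@param` lines added in this hunk will not be picked up the way the new `/** ... */` block on `parse_require_line` is; opening it with `/**` would make the two members consistent. The contract for the cached value is also left open. Neither comment says whether `*parsed_require_line` is NULL on entry, that `check_authorization` sees NULL when a provider has no parser or the parser stores nothing, or how long the stored pointer must remain valid. If that is the intended contract, I would add to the `parse_require_line` comment: `The stored pointer is handed to check_authorization() on every request and must stay valid for the lifetime of the configuration; it is NULL unless this function sets it.`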
}
static authz_status ldapuser_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
int result = 0;
authn_ldap_request_t *req =
}
static authz_status ldapgroup_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
int result = 0;
authn_ldap_request_t *req =
}
static authz_status ldapdn_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
int result = 0;
authn_ldap_request_t *req =
}
static authz_status ldapattribute_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
int result = 0;
authn_ldap_request_t *req =
}
static authz_status ldapfilter_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
int result = 0;
authn_ldap_request_t *req =
static const authz_provider authz_ldapuser_provider =
{
&ldapuser_check_authorization,
+ NULL,
};
static const authz_provider authz_ldapgroup_provider =
{
&ldapgroup_check_authorization,
+ NULL,
};
static const authz_provider authz_ldapdn_provider =
{
&ldapdn_check_authorization,
+ NULL,
};
static const authz_provider authz_ldapattribute_provider =
{
&ldapattribute_check_authorization,
+ NULL,
};
static const authz_provider authz_ldapfilter_provider =
{
&ldapfilter_check_authorization,
+ NULL,
};
static void ImportULDAPOptFn(void)
char *provider_name;
char *provider_alias;
char *provider_args;
+ const void *provider_parsed_args;
ap_conf_vector_t *sec_auth;
const authz_provider *provider;
} provider_alias_rec;
struct authz_section_conf {
const char *provider_name;
const char *provider_args;
+ const void *provider_parsed_args;
const authz_provider *provider;
apr_int64_t limited;
authz_logic_op op;
* configurations and then invokes them.
*/
static authz_status authz_alias_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
const char *provider_name;
authz_status ret = AUTHZ_DENIED;
prvdraliasrec->sec_auth);
ret = prvdraliasrec->provider->
- check_authorization(r, prvdraliasrec->provider_args);
+ check_authorization(r, prvdraliasrec->provider_args,
+ prvdraliasrec->provider_parsed_args);
r->per_dir_config = orig_dir_config;
}
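Review bot: `prvdraliasrec->provider_parsed_args` is passed to the aliased provider here, but none of the hunks on this page assigns it; the only visible `parse_require_line` call stores into `section->provider_parsed_args`. If the alias-definition code outside these hunks does not run the parser as well, a provider reached through an alias always receives NULL and its argument is never syntax-checked at config time. For `all` as rewritten in this commit, that would make an aliased `granted` evaluate as denied. I would call the parser where the alias record is filled in, along the lines of `err = prvdraliasrec->provider->parse_require_line(cmd, prvdraliasrec->provider_args, &prvdraliasrec->provider_parsed_args);`, guarded by the same NULL check on the function pointer. The body of `authz_alias_check_authorization` starts and ends outside the lines shown.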
static const authz_provider authz_alias_provider =
{
- &authz_alias_check_authorization
+ &authz_alias_check_authorization,
+ NULL,
};
static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
section->limited = cmd->limited;
+ if (section->provider->parse_require_line) {
+ const char *err = section->provider->parse_require_line(cmd, args,
+ §ion->provider_parsed_args);
+ if (err)
+ return err;
+ }
+
if (!conf->section) {
conf->section = create_default_section(cmd->pool);
}
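Review bot: The parser is handed `&section->provider_parsed_args` without that field being set anywhere in the visible lines, while `all_parse_config` in this same commit depends on it ("*parsed_require_line is already NULL") to express a denial. That holds only if `section` was zero-allocated outside the hunk. Since the value later drives an authorization decision, I would make the fail-closed default local with `section->provider_parsed_args = NULL;` just before the `if (section->provider->parse_require_line)` test. As rendered on this page the third argument reads `§ion->provider_parsed_args`, which looks like an HTML-entity mangling of `&section->provider_parsed_args` rather than what the commit contains. The enclosing function begins and continues outside the hunk.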
section->provider_name);
auth_result =
- section->provider->check_authorization(r, section->provider_args);
+ section->provider->check_authorization(r, section->provider_args,
+ section->provider_parsed_args);
apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
}
}
static authz_status dbdgroup_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
int i, rv;
const char *w;
}
static authz_status dbdlogin_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
&authz_dbd_module);
}
static authz_status dbdlogout_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
&authz_dbd_module);
static const authz_provider authz_dbdgroup_provider =
{
&dbdgroup_check_authorization,
+ NULL,
};
static const authz_provider authz_dbdlogin_provider =
{
&dbdlogin_check_authorization,
+ NULL,
};
static const authz_provider authz_dbdlogout_provider =
{
&dbdlogout_check_authorization,
+ NULL,
};
static void authz_dbd_hooks(apr_pool_t *p)
}
static authz_status dbmgroup_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_dbm_module);
APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
static authz_status dbmfilegroup_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_dbm_module);
static const authz_provider authz_dbmgroup_provider =
{
&dbmgroup_check_authorization,
+ NULL,
};
static const authz_provider authz_dbmfilegroup_provider =
{
&dbmfilegroup_check_authorization,
+ NULL,
};
}
static authz_status group_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_groupfile_module);
APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
static authz_status filegroup_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_groupfile_module);
static const authz_provider authz_group_provider =
{
&group_check_authorization,
+ NULL,
};
static const authz_provider authz_filegroup_provider =
{
&filegroup_check_authorization,
+ NULL,
};
static void register_hooks(apr_pool_t *p)
}
}
-static authz_status env_check_authorization(request_rec *r, const char *require_line)
+static authz_status env_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
{
const char *t, *w;
return AUTHZ_DENIED;
}
-static authz_status ip_check_authorization(request_rec *r, const char *require_line)
+static authz_status ip_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
{
const char *t, *w;
return AUTHZ_DENIED;
}
-static authz_status host_check_authorization(request_rec *r, const char *require_line)
+static authz_status host_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
{
const char *t, *w;
const char *remotehost = NULL;
return AUTHZ_DENIED;
}
-static authz_status all_check_authorization(request_rec *r, const char *require_line)
+static authz_status all_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
{
- /* If the argument to the 'all' provider is 'granted' then just let
- everybody in. This would be equivalent to the previous syntax of
- 'allow from all'. If the argument is anything else, this would
- be equivalent to 'deny from all' Of course the opposite would be
- true if the 'all' provider is invoked by the 'reject' directive */
- if (strcasecmp(require_line, "granted") == 0) {
+ if (parsed_require_line) {
return AUTHZ_GRANTED;
}
return AUTHZ_DENIED;
}
+static const char *all_parse_config(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line)
+{
+ /*
+ * If the argument to the 'all' provider is 'granted' then just let
+ * everybody in. This would be equivalent to the previous syntax of
+ * 'allow from all'. If the argument is 'denied' we reject everbody,
+ * which is equivalent to 'deny from all'.
+ */
+ if (strcasecmp(require_line, "granted") == 0) {
+ *parsed_require_line = (void *)1;
+ return NULL;
+ }
+ else if (strcasecmp(require_line, "denied") == 0) {
+ /* *parsed_require_line is already NULL */
+ return NULL;
+ }
+ else {
+ return "Argument for 'Require all' must be 'granted' or 'denied'";
+ }
+}
+
static const authz_provider authz_env_provider =
{
&env_check_authorization,
+ NULL,
};
static const authz_provider authz_ip_provider =
{
&ip_check_authorization,
+ NULL,
};
static const authz_provider authz_host_provider =
{
&host_check_authorization,
+ NULL,
};
static const authz_provider authz_all_provider =
{
&all_check_authorization,
+ &all_parse_config,
};
static void register_hooks(apr_pool_t *p)
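Review bot: `all_check_authorization` now grants access on any non-NULL `parsed_require_line`, and `all_parse_config` produces that value with `*parsed_require_line = (void *)1;`, an integer-to-pointer cast with an implementation-defined result that is not a pointer to any object. A named sentinel ties the grant to exactly the value the parser stored: declare `static const char all_granted = 1;`, store `*parsed_require_line = &all_granted;`, and test `parsed_require_line == &all_granted` in the check. With that, a stray non-NULL value arriving by another path cannot turn into `AUTHZ_GRANTED`. `require_line` is now unused in `all_check_authorization`, which merits a short comment saying the decision was made at config time. The new comment in `all_parse_config` has a typo, "everbody" for "everybody".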
module AP_MODULE_DECLARE_DATA authz_owner_module;
static authz_status fileowner_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
char *reason = NULL;
apr_status_t status = 0;
static const authz_provider authz_fileowner_provider =
{
&fileowner_check_authorization,
+ NULL,
};
static void register_hooks(apr_pool_t *p)
module AP_MODULE_DECLARE_DATA authz_user_module;
static authz_status user_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
{
const char *t, *w;
return AUTHZ_DENIED;
}
-static authz_status validuser_check_authorization(request_rec *r, const char *require_line)
+static authz_status validuser_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
{
if (!r->user) {
return AUTHZ_DENIED_NO_USER;
static const authz_provider authz_user_provider =
{
&user_check_authorization,
+ NULL,
};
static const authz_provider authz_validuser_provider =
{
&validuser_check_authorization,
+ NULL,
};
static void register_hooks(apr_pool_t *p)