From: Stefan Fritsch Date: Sun, 19 Sep 2010 17:55:47 +0000 (+0000) Subject: Allow authz providers to check args while reading the config and allow X-Git-Tag: 2.3.9~482 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1008c272602551d6fef0d05e6f214c66f51de5c7;p=apache Allow authz providers to check args while reading the config and allow them to cache parsed args. Use this to check that argument to 'all' provider is 'granted' or 'denied'. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@998706 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 07ccb14dd8..9acc74b41c 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.3.9 + *) mod_authz_core: Allow authz providers to check args while reading the + config and allow to cache parsed args. [Stefan Fritsch] + *) mod_include: Move the request_rec within mod_include to be exposed within include_ctx_t. [Graham Leggett] diff --git a/include/ap_mmn.h b/include/ap_mmn.h index a10c13cc63..8a69b0328e 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -255,12 +255,15 @@ * interface. * 20100918.0 (2.3.9-dev) Move the request_rec within mod_include to be * exposed within include_ctx_t. + * 20100919.0 (2.3.9-dev) Authz providers: Add parsed_require_line parameter + * to check_authorization() function. Add + * parse_require_line() function. */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ #ifndef MODULE_MAGIC_NUMBER_MAJOR -#define MODULE_MAGIC_NUMBER_MAJOR 20100918 +#define MODULE_MAGIC_NUMBER_MAJOR 20100919 #endif #define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */ diff --git a/include/mod_auth.h b/include/mod_auth.h index 69cab09b7f..1a424b3147 100644 --- a/include/mod_auth.h +++ b/include/mod_auth.h 
@@ -103,9 +103,23 @@ struct authn_provider_list { typedef struct { /* Given a request_rec, expected to return AUTHZ_GRANTED * if we can authorize user access. + * @param r the request record + * @param require_line the argument to the authz provider + * @param parsed_require_line the value set by parse_require_line(), if any */ authz_status (*check_authorization)(request_rec *r, - const char *require_line); + const char *require_line, + const void *parsed_require_line); + + /** Check the syntax of a require line and optionally cache the parsed + * line. This function may be NULL. + * @param cmd the config directive + * @param require_line the argument to the authz provider + * @param parsed_require_line place to store parsed require_line for use by provider + * @return Error message or NULL on success + */ + const char *(*parse_require_line)(cmd_parms *cmd, const char *require_line, + const void **parsed_require_line); } authz_provider; /* ap_authn_cache_store: Optional function for authn providers diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index c075dfdc39..111490e50c 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -597,7 +597,8 @@ start_over: } static authz_status ldapuser_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = @@ -733,7 +734,8 @@ static authz_status ldapuser_check_authorization(request_rec *r, } static authz_status ldapgroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = 
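Review bot: The `parse_require_line` doc added to `authz_provider` leaves unstated two contract details that code in this same commit already depends on: whether `*parsed_require_line` is guaranteed NULL on entry (the `all` provider's parser returns without writing it for 'denied' and says so in a comment), and what lifetime the cached value must have, given that `apply_authz_sections` hands it to `check_authorization()` on every request. I'd extend the `@param parsed_require_line` line with: `initialised to NULL by the caller; a value stored here must be allocated from cmd->pool (or be a static/sentinel value), since it is kept for the lifetime of the configuration`. It is also worth stating on `check_authorization` that `parsed_require_line` is NULL whenever the provider has no parse hook or the hook stored nothing, so providers do not have to guess which case they are in.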
@@ -948,7 +950,8 @@ static authz_status ldapgroup_check_authorization(request_rec *r, } static authz_status ldapdn_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = @@ -1056,7 +1059,8 @@ static authz_status ldapdn_check_authorization(request_rec *r, } static authz_status ldapattribute_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = @@ -1171,7 +1175,8 @@ static authz_status ldapattribute_check_authorization(request_rec *r, } static authz_status ldapfilter_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = @@ -1730,25 +1735,30 @@ static const authn_provider authn_ldap_provider = static const authz_provider authz_ldapuser_provider = { &ldapuser_check_authorization, + NULL, }; static const authz_provider authz_ldapgroup_provider = { &ldapgroup_check_authorization, + NULL, }; static const authz_provider authz_ldapdn_provider = { &ldapdn_check_authorization, + NULL, }; static const authz_provider authz_ldapattribute_provider = { &ldapattribute_check_authorization, + NULL, }; static const authz_provider authz_ldapfilter_provider = { &ldapfilter_check_authorization, + NULL, }; static void ImportULDAPOptFn(void) diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c index 889951454b..be85879011 100644 --- a/modules/aaa/mod_authz_core.c +++ b/modules/aaa/mod_authz_core.c @@ -50,6 +50,7 @@ typedef struct provider_alias_rec { char *provider_name; char *provider_alias; char *provider_args; + const void *provider_parsed_args; ap_conf_vector_t *sec_auth; const authz_provider *provider; } provider_alias_rec; 
@@ -65,6 +66,7 @@ typedef struct authz_section_conf authz_section_conf; struct authz_section_conf { const char *provider_name; const char *provider_args; + const void *provider_parsed_args; const authz_provider *provider; apr_int64_t limited; authz_logic_op op; @@ -159,7 +161,8 @@ static void *create_authz_core_svr_config(apr_pool_t *p, server_rec *s) * configurations and then invokes them. */ static authz_status authz_alias_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { const char *provider_name; authz_status ret = AUTHZ_DENIED; @@ -192,7 +195,8 @@ static authz_status authz_alias_check_authorization(request_rec *r, prvdraliasrec->sec_auth); ret = prvdraliasrec->provider-> - check_authorization(r, prvdraliasrec->provider_args); + check_authorization(r, prvdraliasrec->provider_args, + prvdraliasrec->provider_parsed_args); r->per_dir_config = orig_dir_config; } @@ -203,7 +207,8 @@ static authz_status authz_alias_check_authorization(request_rec *r, static const authz_provider authz_alias_provider = { - &authz_alias_check_authorization + &authz_alias_check_authorization, + NULL, }; static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig, @@ -370,6 +375,13 @@ static const char *add_authz_provider(cmd_parms *cmd, void *config, section->limited = cmd->limited; + if (section->provider->parse_require_line) { + const char *err = section->provider->parse_require_line(cmd, args, + §ion->provider_parsed_args); + if (err) + return err; + } + if (!conf->section) { conf->section = create_default_section(cmd->pool); } @@ -670,7 +682,8 @@ static authz_status apply_authz_sections(request_rec *r, section->provider_name); auth_result = - section->provider->check_authorization(r, section->provider_args); + section->provider->check_authorization(r, section->provider_args, + section->provider_parsed_args); apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE); } 
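Review bot: `authz_alias_check_authorization` now forwards `prvdraliasrec->provider_parsed_args`, but no hunk in this commit assigns that field — the only caller of `parse_require_line` is the block added to `add_authz_provider` — so unless `authz_require_alias_section` sets it somewhere outside these hunks, an aliased provider is handed a NULL parsed value and its argument is never syntax-checked. With the `all` provider that is a silent behaviour change rather than a harmless gap: `all_check_authorization` now grants solely on the parsed value, so an alias declared with 'granted' would deny everyone. The alias section handler should run the same hook when it builds the record, i.e. call `provider->parse_require_line(cmd, prvdraliasrec->provider_args, &prvdraliasrec->provider_parsed_args)` when the hook is non-NULL and return its error string, mirroring `add_authz_provider`. `authz_require_alias_section` starts and ends outside this hunk.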
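Review bot: The new `parse_require_line` call in `add_authz_provider` passes `&section->provider_parsed_args` without clearing it first, while the `all` provider's parser in mod_authz_host.c deliberately leaves the slot untouched for 'denied' on the assumption that it "is already NULL"; that holds only if `section` was obtained from a zeroing allocator, which happens outside this hunk. One explicit `section->provider_parsed_args = NULL;` before the `if` makes the contract independent of how the struct is allocated and costs nothing. Separately, `if (err) return err;` is the only unbraced single-statement body in this diff — every other `return` under an `if` in these files is braced — so it should be `if (err) { return err; }` on separate lines. `add_authz_provider` starts and ends outside this hunk.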
diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c index 50fcc954f5..40de423a9a 100644 --- a/modules/aaa/mod_authz_dbd.c +++ b/modules/aaa/mod_authz_dbd.c @@ -244,7 +244,8 @@ static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, } static authz_status dbdgroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int i, rv; const char *w; @@ -279,7 +280,8 @@ static authz_status dbdgroup_check_authorization(request_rec *r, } static authz_status dbdlogin_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, &authz_dbd_module); @@ -292,7 +294,8 @@ static authz_status dbdlogin_check_authorization(request_rec *r, } static authz_status dbdlogout_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, &authz_dbd_module); @@ -307,17 +310,20 @@ static authz_status dbdlogout_check_authorization(request_rec *r, static const authz_provider authz_dbdgroup_provider = { &dbdgroup_check_authorization, + NULL, }; static const authz_provider authz_dbdlogin_provider = { &dbdlogin_check_authorization, + NULL, }; static const authz_provider authz_dbdlogout_provider = { &dbdlogout_check_authorization, + NULL, }; static void authz_dbd_hooks(apr_pool_t *p) diff --git a/modules/aaa/mod_authz_dbm.c b/modules/aaa/mod_authz_dbm.c index 2908eee2d3..b18f1483e7 100644 --- a/modules/aaa/mod_authz_dbm.c +++ b/modules/aaa/mod_authz_dbm.c 
@@ -131,7 +131,8 @@ static apr_status_t get_dbm_grp(request_rec *r, char *key1, char *key2, } static authz_status dbmgroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_dbm_module); @@ -201,7 +202,8 @@ static authz_status dbmgroup_check_authorization(request_rec *r, APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; static authz_status dbmfilegroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_dbm_module); @@ -268,11 +270,13 @@ static authz_status dbmfilegroup_check_authorization(request_rec *r, static const authz_provider authz_dbmgroup_provider = { &dbmgroup_check_authorization, + NULL, }; static const authz_provider authz_dbmfilegroup_provider = { &dbmfilegroup_check_authorization, + NULL, }; diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c index 0ddf9ad9ea..7da27a455c 100644 --- a/modules/aaa/mod_authz_groupfile.c +++ b/modules/aaa/mod_authz_groupfile.c @@ -138,7 +138,8 @@ static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile, } static authz_status group_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_groupfile_module); 
@@ -197,7 +198,8 @@ static authz_status group_check_authorization(request_rec *r, APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; static authz_status filegroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_groupfile_module); @@ -263,11 +265,13 @@ static authz_status filegroup_check_authorization(request_rec *r, static const authz_provider authz_group_provider = { &group_check_authorization, + NULL, }; static const authz_provider authz_filegroup_provider = { &filegroup_check_authorization, + NULL, }; static void register_hooks(apr_pool_t *p) diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c index f556b664d4..a56d7738c4 100644 --- a/modules/aaa/mod_authz_host.c +++ b/modules/aaa/mod_authz_host.c @@ -90,7 +90,9 @@ static int in_domain(const char *domain, const char *what) } } -static authz_status env_check_authorization(request_rec *r, const char *require_line) +static authz_status env_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { const char *t, *w; @@ -112,7 +114,9 @@ static authz_status env_check_authorization(request_rec *r, const char *require_ return AUTHZ_DENIED; } -static authz_status ip_check_authorization(request_rec *r, const char *require_line) +static authz_status ip_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { const char *t, *w; @@ -170,7 +174,9 @@ static authz_status ip_check_authorization(request_rec *r, const char *require_l return AUTHZ_DENIED; } -static authz_status host_check_authorization(request_rec *r, const char *require_line) +static authz_status host_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { const char *t, *w; const char *remotehost = NULL; 
@@ -206,37 +212,60 @@ static authz_status host_check_authorization(request_rec *r, const char *require return AUTHZ_DENIED; } -static authz_status all_check_authorization(request_rec *r, const char *require_line) +static authz_status all_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { - /* If the argument to the 'all' provider is 'granted' then just let - everybody in. This would be equivalent to the previous syntax of - 'allow from all'. If the argument is anything else, this would - be equivalent to 'deny from all' Of course the opposite would be - true if the 'all' provider is invoked by the 'reject' directive */ - if (strcasecmp(require_line, "granted") == 0) { + if (parsed_require_line) { return AUTHZ_GRANTED; } return AUTHZ_DENIED; } +static const char *all_parse_config(cmd_parms *cmd, const char *require_line, + const void **parsed_require_line) +{ + /* + * If the argument to the 'all' provider is 'granted' then just let + * everybody in. This would be equivalent to the previous syntax of + * 'allow from all'. If the argument is 'denied' we reject everbody, + * which is equivalent to 'deny from all'. + */ + if (strcasecmp(require_line, "granted") == 0) { + *parsed_require_line = (void *)1; + return NULL; + } + else if (strcasecmp(require_line, "denied") == 0) { + /* *parsed_require_line is already NULL */ + return NULL; + } + else { + return "Argument for 'Require all' must be 'granted' or 'denied'"; + } +} + static const authz_provider authz_env_provider = { &env_check_authorization, + NULL, }; static const authz_provider authz_ip_provider = { &ip_check_authorization, + NULL, }; static const authz_provider authz_host_provider = { &host_check_authorization, + NULL, }; static const authz_provider authz_all_provider = { &all_check_authorization, + &all_parse_config, }; static void register_hooks(apr_pool_t *p) 
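Review bot: The new comment in `all_parse_config` has a typo, 'everbody' → 'everybody', and the `(void *)1` sentinel deserves a word where it is consumed, because `all_check_authorization` now ignores `require_line` entirely and grants on nothing but that pointer being non-NULL. I'd put above the `if (parsed_require_line)` test: `/* Non-NULL only when all_parse_config() accepted 'granted'; NULL means 'denied' — or that the parse hook never ran, which therefore fails closed. */`. That last case is reachable within this commit: any caller that invokes `check_authorization` without having run `parse_require_line` (the alias record in mod_authz_core.c is passed a `provider_parsed_args` that no visible hunk sets) will see 'granted' silently treated as deny. A named constant shared by both functions, e.g. `#define AUTHZ_ALL_GRANTED ((const void *)1)`, would make that coupling explicit instead of relying on a bare cast and a NULL the caller is presumed to have pre-set.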
diff --git a/modules/aaa/mod_authz_owner.c b/modules/aaa/mod_authz_owner.c index 45cf5e2ed4..4cd3cdcd90 100644 --- a/modules/aaa/mod_authz_owner.c +++ b/modules/aaa/mod_authz_owner.c @@ -39,7 +39,8 @@ static const command_rec authz_owner_cmds[] = module AP_MODULE_DECLARE_DATA authz_owner_module; static authz_status fileowner_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { char *reason = NULL; apr_status_t status = 0; @@ -165,6 +166,7 @@ static char *authz_owner_get_file_group(request_rec *r) static const authz_provider authz_fileowner_provider = { &fileowner_check_authorization, + NULL, }; static void register_hooks(apr_pool_t *p) diff --git a/modules/aaa/mod_authz_user.c b/modules/aaa/mod_authz_user.c index 7e536e0a1a..2d16a3c72d 100644 --- a/modules/aaa/mod_authz_user.c +++ b/modules/aaa/mod_authz_user.c @@ -46,7 +46,8 @@ static const command_rec authz_user_cmds[] = module AP_MODULE_DECLARE_DATA authz_user_module; static authz_status user_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { const char *t, *w; @@ -69,7 +70,9 @@ static authz_status user_check_authorization(request_rec *r, return AUTHZ_DENIED; } -static authz_status validuser_check_authorization(request_rec *r, const char *require_line) +static authz_status validuser_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { if (!r->user) { return AUTHZ_DENIED_NO_USER; @@ -81,10 +84,12 @@ static authz_status validuser_check_authorization(request_rec *r, const char *re static const authz_provider authz_user_provider = { &user_check_authorization, + NULL, }; static const authz_provider authz_validuser_provider = { &validuser_check_authorization, + NULL, }; static void register_hooks(apr_pool_t *p)