From: Jim Jagielski <jim@apache.org>
Date: Sun, 5 Jan 2014 16:09:07 +0000 (+0000)
Subject: Merge r1554161 from trunk:
X-Git-Tag: 2.4.8~293
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b29716025411d91c0554fa24bf55e5434aac32c9;p=apache

Merge r1554161 from trunk:

mod_authnz_ldap: Support the expression parser within the require
directives.

Submitted by: minfrin
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555539 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 0427552081..17a0638a21 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.8
 
+  *) mod_authnz_ldap: Support the expression parser within the require
+     directives. [Graham Leggett]
+
   * mod_proxy_http: Core dumped under high load. PR 50335
     [Jan Kaluza <jkaluza redhat.com>]
 
diff --git a/STATUS b/STATUS
index 47858dff19..07331bc629 100644
--- a/STATUS
+++ b/STATUS
@@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * mod_authnz_ldap: Support the expression parser within the require directives.
-    trunk patch: http://svn.apache.org/r1554161
-    2.4.x patch: trunk works (modulo CHANGES and log-message-tags)
-    +1: minfrin, jim, covener
-
   * mod_authz_dbd: Support the expression parser within the require directives.
     trunk patch: http://svn.apache.org/r1554168
                  http://svn.apache.org/r1554176
diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml
index 50eb436fce..2674f8d646 100644
--- a/docs/manual/expr.xml
+++ b/docs/manual/expr.xml
@@ -51,6 +51,11 @@
 <seealso><directive module="mod_headers">RequestHeader</directive></seealso>
 <seealso><directive module="mod_filter">FilterProvider</directive></seealso>
 <seealso><a href="mod/mod_authz_core.html#reqexpr">Require expr</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#requser">Require ldap-user</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqgroup">Require ldap-group</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqdn">Require ldap-dn</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqattribute">Require ldap-attribute</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqfilter">Require ldap-filter</a></seealso>
 <seealso><directive module="mod_ssl">SSLRequire</directive></seealso>
 <seealso><directive module="mod_log_debug">LogMessage</directive></seealso>
 <seealso><module>mod_include</module></seealso>
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 44bf395561..91acb9656d 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -323,6 +323,9 @@ for HTTP Basic authentication.</description>
     <code>ldap-filter</code>.  Other authorization types may also be
     used but may require that additional authorization modules be loaded.</p>
 
+    <p>Since v2.5.0, <a href="../expr.html">expressions</a> are supported
+    within the LDAP require directives.</p>
+
 <section id="requser"><title>Require ldap-user</title>
 
     <p>The <code>Require ldap-user</code> directive specifies what
@@ -543,6 +546,16 @@ Require ldap-group cn=Administrators, o=Example
 </highlight>
       </li>
 
+      <li>
+        Grant access to anybody in the group whose name matches the
+        hostname of the virtual host. In this example an
+        <a href="../expr.html">expression</a> is used to build the filter.
+<highlight language="config">
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid
+Require ldap-group cn=%{SERVER_NAME}, o=Example
+</highlight>
+      </li>
+
       <li>
         The next example assumes that everyone at Example who
         carries an alphanumeric pager will have an LDAP attribute
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index d46eeb44ed..50921cde3d 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -607,6 +607,10 @@ static authz_status ldapuser_check_authorization(request_rec *r,
 
     util_ldap_connection_t *ldc = NULL;
 
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
     char *w;
 
@@ -680,11 +684,19 @@ static authz_status ldapuser_check_authorization(request_rec *r,
         return AUTHZ_DENIED;
     }
 
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585)
+                      "auth_ldap authorize: require user: Can't evaluate expression: %s",
+                      err);
+        return AUTHZ_DENIED;
+    }
+
     /*
      * First do a whole-line compare, in case it's something like
      *   require user Babs Jensen
      */
-    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args);
+    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require);
     switch(result) {
         case LDAP_COMPARE_TRUE: {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703)
@@ -704,7 +716,7 @@ static authz_status ldapuser_check_authorization(request_rec *r,
     /*
      * Now break apart the line and compare each word on it
      */
-    t = require_args;
+    t = require;
     while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
         result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
         switch(result) {
@@ -744,6 +756,10 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
 
     util_ldap_connection_t *ldc = NULL;
 
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
 
     char filtbuf[FILTER_LENGTH];
@@ -863,7 +879,15 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
         }
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586)
+                      "auth_ldap authorize: require group: Can't evaluate expression: %s",
+                      err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
 
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713)
                   "auth_ldap authorize: require group: testing for group "
@@ -959,6 +983,10 @@ static authz_status ldapdn_check_authorization(request_rec *r,
 
     util_ldap_connection_t *ldc = NULL;
 
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
 
     char filtbuf[FILTER_LENGTH];
@@ -1021,7 +1049,15 @@ static authz_status ldapdn_check_authorization(request_rec *r,
         req->user = r->user;
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587)
+                      "auth_ldap authorize: require dn: Can't evaluate expression: %s",
+                      err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
 
     if (req->dn == NULL || strlen(req->dn) == 0) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725)
@@ -1068,6 +1104,10 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
 
     util_ldap_connection_t *ldc = NULL;
 
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
     char *w, *value;
 
@@ -1138,7 +1178,16 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
         return AUTHZ_DENIED;
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588)
+                      "auth_ldap authorize: require ldap-attribute: Can't "
+                      "evaluate expression: %s", err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
+
     while (t[0]) {
         w = ap_getword(r->pool, &t, '=');
         value = ap_getword_conf(r->pool, &t);
@@ -1183,6 +1232,11 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
         (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
 
     util_ldap_connection_t *ldc = NULL;
+
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
 
     char filtbuf[FILTER_LENGTH];
@@ -1252,7 +1306,15 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
         return AUTHZ_DENIED;
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589)
+                      "auth_ldap authorize: require ldap-filter: Can't "
+                      "evaluate require expression: %s", err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
 
     if (t[0]) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743)
@@ -1311,6 +1373,25 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
     return AUTHZ_DENIED;
 }
 
+static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line,
+                                     const void **parsed_require_line)
+{
+    const char *expr_err = NULL;
+    ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr));
+
+    expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
+            &expr_err, NULL);
+
+    if (expr_err)
+        return apr_pstrcat(cmd->temp_pool,
+                           "Cannot parse expression in require line: ",
+                           expr_err, NULL);
+
+    *parsed_require_line = expr;
+
+    return NULL;
+}
+
 
 /*
  * Use the ldap url parsing routines to break up the ldap url into
@@ -1769,30 +1850,30 @@ static const authn_provider authn_ldap_provider =
 static const authz_provider authz_ldapuser_provider =
 {
     &ldapuser_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 static const authz_provider authz_ldapgroup_provider =
 {
     &ldapgroup_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 
 static const authz_provider authz_ldapdn_provider =
 {
     &ldapdn_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 
 static const authz_provider authz_ldapattribute_provider =
 {
     &ldapattribute_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 
 static const authz_provider authz_ldapfilter_provider =
 {
     &ldapfilter_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 
 static void ImportULDAPOptFn(void)