From 24a71450d71cb493a2fc72bd657bf3db35406ce7 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Sun, 5 Jan 2014 16:10:09 +0000 Subject: [PATCH] Merge r1554168, r1554176 from trunk: mod_authnz_dbd: Support the expression parser within the require directives. Pass the correct pointer that made it past the test suite. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555540 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 ++ STATUS | 6 ---- docs/manual/expr.xml | 1 + docs/manual/mod/mod_authz_dbd.xml | 49 +++++++++++++++++++++++++++++++ modules/aaa/mod_authz_dbd.c | 36 +++++++++++++++++++++-- 5 files changed, 87 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 17a0638a21..551a227a0a 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.4.8 + *) mod_authnz_dbd: Support the expression parser within the require + directives. [Graham Leggett] + *) mod_authnz_ldap: Support the expression parser within the require directives. [Graham Leggett] diff --git a/STATUS b/STATUS index 07331bc629..d04ff87cde 100644 --- a/STATUS +++ b/STATUS @@ -98,12 +98,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_authz_dbd: Support the expression parser within the require directives. - trunk patch: http://svn.apache.org/r1554168 - http://svn.apache.org/r1554176 - 2.4.x patch: trunk works (modulo CHANGES and log-message-tags) - +1: minfrin, jim, covener - * mod_authz_dbm: Support the expression parser within the require directives. trunk patch: http://svn.apache.org/r1554170 http://svn.apache.org/r1554181 diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml index 2674f8d646..63e9382a86 100644 --- a/docs/manual/expr.xml +++ b/docs/manual/expr.xml @@ -56,6 +56,7 @@ Require ldap-dn Require ldap-attribute Require ldap-filter +Require dbd-group SSLRequire LogMessage mod_include diff --git a/docs/manual/mod/mod_authz_dbd.xml b/docs/manual/mod/mod_authz_dbd.xml index 8b57120ea1..e878cb28a4 100644 --- a/docs/manual/mod/mod_authz_dbd.xml +++ b/docs/manual/mod/mod_authz_dbd.xml @@ -52,6 +52,55 @@ DBDriver DBDParams +
The Require Directives + +

Apache's Require + directives are used during the authorization phase to ensure that + a user is allowed to access a resource. mod_authz_dbd extends the + authorization types with dbd-group, dbd-login and + dbd-logout.

+ +

Since v2.5.0, expressions are supported + within the DBD require directives.

+ +
Require dbd-group + +

This directive specifies group membership that is required for the + user to gain access.

+ + + Require dbd-group team + AuthzDBDQuery "SELECT group FROM authz WHERE user = %s" + + +
+ +
Require dbd-login + +

This directive specifies a query to be run indicating the user + has logged in.

+ + + Require dbd-login + AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s" + + +
+ +
Require dbd-logout + +

This directive specifies a query to be run indicating the user + has logged out.

+ + + Require dbd-logout + AuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s" + + +
+ +
+
Database Login

diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c index 2d4925f522..8da0ccaec3 100644 --- a/modules/aaa/mod_authz_dbd.c +++ b/modules/aaa/mod_authz_dbd.c @@ -253,6 +253,11 @@ static authz_status dbdgroup_check_authorization(request_rec *r, int i, rv; const char *w; apr_array_header_t *groups = NULL; + + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_args; + const char *require; + const char *t; authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, &authz_dbd_module); @@ -269,7 +274,15 @@ static authz_status dbdgroup_check_authorization(request_rec *r, } } - t = require_args; + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02590) + "authz_dbd authorize: require dbd-group: Can't " + "evaluate require expression: %s", err); + return AUTHZ_DENIED; + } + + t = require; while (t[0]) { w = ap_getword_white(r->pool, &t); for (i=0; i < groups->nelts; ++i) { @@ -310,10 +323,29 @@ static authz_status dbdlogout_check_authorization(request_rec *r, return (authz_dbd_login(r, cfg, "logout") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED); } +static const char *dbd_parse_config(cmd_parms *cmd, const char *require_line, + const void **parsed_require_line) +{ + const char *expr_err = NULL; + ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr)); + + expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, + &expr_err, NULL); + + if (expr_err) + return apr_pstrcat(cmd->temp_pool, + "Cannot parse expression in require line: ", + expr_err, NULL); + + *parsed_require_line = expr; + + return NULL; +} + static const authz_provider authz_dbdgroup_provider = { &dbdgroup_check_authorization, - NULL, + &dbd_parse_config, }; static const authz_provider authz_dbdlogin_provider = -- 2.40.0