From 38856d02536cc9d5d528cfba4f2e5e43bcf02511 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Sun, 5 Jan 2014 16:13:20 +0000 Subject: [PATCH] Merge r1554195 from trunk: mod_authz_user: Support the expression parser within the require directives. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555548 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 11 ++++++---- STATUS | 5 ----- docs/manual/mod/mod_authz_user.xml | 35 ++++++++++++++++++++++++++++++ modules/aaa/mod_authz_user.c | 35 ++++++++++++++++++++++++++++-- 4 files changed, 75 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index b61d12795b..dd980233f2 100644 --- a/CHANGES +++ b/CHANGES @@ -2,16 +2,19 @@ Changes with Apache 2.4.8 - *) mod_authnz_host: Support the expression parser within the require + *) mod_authz_user: Support the expression parser within the require directives. [Graham Leggett] - *) mod_authnz_groupfile: Support the expression parser within the require + *) mod_authz_host: Support the expression parser within the require directives. [Graham Leggett] - *) mod_authnz_dbm: Support the expression parser within the require + *) mod_authz_groupfile: Support the expression parser within the require directives. [Graham Leggett] - *) mod_authnz_dbd: Support the expression parser within the require + *) mod_authz_dbm: Support the expression parser within the require + directives. [Graham Leggett] + + *) mod_authz_dbd: Support the expression parser within the require directives. [Graham Leggett] *) mod_authnz_ldap: Support the expression parser within the require diff --git a/STATUS b/STATUS index 2790a42515..158d4e17bf 100644 --- a/STATUS +++ b/STATUS @@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_authz_user: Support the expression parser within the require directives. - trunk patch: http://svn.apache.org/r1554195 - 2.4.x patch: trunk works (modulo CHANGES and log-message-tags) - +1: minfrin, jim, covener - * core: Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and ProxyMatch directives. trunk patch: http://svn.apache.org/r1554300 diff --git a/docs/manual/mod/mod_authz_user.xml b/docs/manual/mod/mod_authz_user.xml index fea8c72d9b..86711f4c7d 100644 --- a/docs/manual/mod/mod_authz_user.xml +++ b/docs/manual/mod/mod_authz_user.xml @@ -39,4 +39,39 @@ Require +
The Require Directives + +

Apache's Require + directives are used during the authorization phase to ensure that + a user is allowed to access a resource. mod_authz_user extends the + authorization types with user and valid-user. +

+ +

Since v2.5.0, expressions are supported + within the user require directives.

+ +
Require user + +

This directive specifies a list of users that are allowed to gain + access.

+ + + Require user john paul george ringo + + +
+ +
Require valid-user + +

When this directive is specified, any successfully authenticated + user will be allowed to gain access.

+ + + Require valid-user + + +
+ +
+ diff --git a/modules/aaa/mod_authz_user.c b/modules/aaa/mod_authz_user.c index e4af7946a4..0f45395ed8 100644 --- a/modules/aaa/mod_authz_user.c +++ b/modules/aaa/mod_authz_user.c @@ -49,13 +49,25 @@ static authz_status user_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args) { + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_args; + const char *require; + const char *t, *w; if (!r->user) { return AUTHZ_DENIED_NO_USER; } - t = require_args; + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02594) + "authz_user authorize: require user: Can't " + "evaluate require expression: %s", err); + return AUTHZ_DENIED; + } + + t = require; while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { if (!strcmp(r->user, w)) { return AUTHZ_GRANTED; @@ -81,10 +93,29 @@ static authz_status validuser_check_authorization(request_rec *r, return AUTHZ_GRANTED; } +static const char *user_parse_config(cmd_parms *cmd, const char *require_line, + const void **parsed_require_line) +{ + const char *expr_err = NULL; + ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr)); + + expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, + &expr_err, NULL); + + if (expr_err) + return apr_pstrcat(cmd->temp_pool, + "Cannot parse expression in require line: ", + expr_err, NULL); + + *parsed_require_line = expr; + + return NULL; +} + static const authz_provider authz_user_provider = { &user_check_authorization, - NULL, + &user_parse_config, }; static const authz_provider authz_validuser_provider = { -- 2.40.0