From 790e801eb5a4183b7996cdfcd6a372281340e7ce Mon Sep 17 00:00:00 2001
From: Micah Andersen
Date: Thu, 30 Nov 2017 23:31:12 -0500
Subject: [PATCH] Add 'GroupExternalAuthNCheck' directive to prevent mod-authz-external from checking whether Authentication has successfully occurred.

-'GroupExternalAuthNCheck' is set to 'On' by default for compatibility with all existing configurations.
-When set to 'Off', externalgroup_check_authorization() and externalfilegroup_check_authorization() do not perform the Authentication check.
-Also, if the User is not set, we now set it to the empty string to prevent a segfault in the Apache process (from trying to print it to stderr).
---
 mod_authnz_external/mod_authnz_external.c | 27 +++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/mod_authnz_external/mod_authnz_external.c b/mod_authnz_external/mod_authnz_external.c
index 7b766fc..995e8e3 100644
--- a/mod_authnz_external/mod_authnz_external.c
+++ b/mod_authnz_external/mod_authnz_external.c
@@ -122,6 +122,7 @@ typedef struct
 char *context; /* Context string from AuthExternalContext */
 int groupsatonce; /* Check all groups in one call? */
 int providecache; /* Provide auth data to mod_authn_socache? */
+ int authncheck; /* Check for previous authentication? */
 } authnz_external_dir_config_rec;
@@ -160,6 +161,7 @@ static void *create_authnz_external_dir_config(apr_pool_t *p, char *d)
 dir->context= NULL; /* no default */
 dir->groupsatonce= 1; /* default to on */
 dir->providecache= 0; /* default to off */
+ dir->authncheck= 1; /* default to on */
 return dir;
 }
@@ -358,6 +360,13 @@ static const command_rec authnz_external_cmds[] =
 (void *)APR_OFFSETOF(authnz_external_dir_config_rec, groupsatonce),
 OR_AUTHCFG,
 "Old version of 'GroupExternalManyAtOnce'" ),
+
+ AP_INIT_FLAG("GroupExternalAuthNCheck",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authnz_external_dir_config_rec, authncheck),
+ OR_AUTHCFG,
+ "Set to 'off' if group authenticator should skip checking whether "
+ "user is validly authenticated"),
 { NULL }
 };
@@ -633,8 +642,13 @@ static authz_status externalgroup_check_authorization(request_rec *r,
 const char *t, *w;
 int code;
- /* If no authenticated user, pass */
- if ( !user ) return AUTHZ_DENIED_NO_USER;
+ if (dir->authncheck){
+ /* If no authenticated user, pass */
+ if ( !user ) return AUTHZ_DENIED_NO_USER;
+ }else{
+ /* Prevent crash due to missing user */
+ if ( !user ) r->user = "";
+ }
 /* If no external authenticator has been configured, pass */
 if ( !extname ) return AUTHZ_DENIED;
@@ -693,8 +707,13 @@ static authz_status externalfilegroup_check_authorization(request_rec *r,
 const char *t, *w;
 int code;
- /* If no authenticated user, pass */
- if ( !user ) return AUTHZ_DENIED_NO_USER;
+ if (dir->authncheck){
+ /* If no authenticated user, pass */
+ if ( !user ) return AUTHZ_DENIED_NO_USER;
+ }else{
+ /* Prevent crash due to missing user */
+ if ( !user ) r->user = "";
+ }
 /* If no external authenticator has been configured, pass */
 if ( !extname ) return AUTHZ_DENIED;
-- 
2.50.1
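Review bot: The help text on the new `GroupExternalAuthNCheck` entry in authnz_external_cmds understates what 'off' does. Going by the two check functions changed later in this patch, 'off' means the group authenticator proceeds for requests that carry no authenticated user at all, with the user name set to the empty string. Because the entry is registered with `OR_AUTHCFG`, the directive is accepted wherever AuthConfig overrides are allowed, including per-directory override files where those are enabled, so the description should spell this out. I would word it as `"Set to 'off' to run the group authenticator even when no user has been authenticated (the user name is then empty)"` and add a short comment above the entry saying that the default 'on' keeps the AUTHZ_DENIED_NO_USER return.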
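Review bot: In externalgroup_check_authorization the new `else` branch writes `r->user = "";`, which changes request state that code outside this module also reads. Anything that treats a non-NULL `r->user` as proof of authentication, such as a later `Require valid-user` evaluation and possibly logging or REMOTE_USER, will see an authenticated request with an empty name. The local `user` tested on the same line is not updated, so any code after the hunk that reads `user` still gets NULL; the function body continues outside the hunk, so confirm which of the two the later logging and external call use. Prefer a local fallback that leaves the request untouched, `if ( !user ) user = "";`, and pass that local on. The identical block in externalfilegroup_check_authorization (@@ -693,8 +707,13 @@) has the same problem, and the two copies would be better as one small static helper.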