From b1c9654346a4938acb38ff84a9fa69839e077c88 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Sun, 5 Jan 2014 16:10:54 +0000 Subject: [PATCH] Merge r1554170, r1554181 from trunk: mod_authnz_dbm: Support the expression parser within the require directives. Pass the correct pointer that made it past the test suite. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555541 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ docs/manual/expr.xml | 1 + docs/manual/mod/mod_authz_dbm.xml | 34 +++++++++++++++++++++++++++++ modules/aaa/mod_authz_dbm.c | 36 +++++++++++++++++++++++++++++-- 4 files changed, 72 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 551a227a0a..179e25dfb3 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.4.8 + *) mod_authnz_dbm: Support the expression parser within the require + directives. [Graham Leggett] + *) mod_authnz_dbd: Support the expression parser within the require directives. [Graham Leggett] diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml index 63e9382a86..d5a41ba29c 100644 --- a/docs/manual/expr.xml +++ b/docs/manual/expr.xml @@ -57,6 +57,7 @@ Require ldap-attribute Require ldap-filter Require dbd-group +Require dbm-group SSLRequire LogMessage mod_include diff --git a/docs/manual/mod/mod_authz_dbm.xml b/docs/manual/mod/mod_authz_dbm.xml index bd3a734644..60233262df 100644 --- a/docs/manual/mod/mod_authz_dbm.xml +++ b/docs/manual/mod/mod_authz_dbm.xml @@ -37,6 +37,40 @@ Require +
The Require Directives + +

Apache's Require + directives are used during the authorization phase to ensure that + a user is allowed to access a resource. mod_authz_dbm extends the + authorization types with dbm-group.

+ +

Since v2.5.0, expressions are supported + within the DBM require directives.

+ +
Require dbm-group + +

This directive specifies group membership that is required for the + user to gain access.

+ + + Require dbm-group admin + + +
+ +
Require dbm-file-group + +

When this directive is specified, the user must be a member of the group + assigned to the file being accessed.

+ + + Require dbm-file-group + + +
+ +
+
Example usage

Note that using mod_authz_dbm requires you to require dbm-group diff --git a/modules/aaa/mod_authz_dbm.c b/modules/aaa/mod_authz_dbm.c index bb893d4442..cabe65601b 100644 --- a/modules/aaa/mod_authz_dbm.c +++ b/modules/aaa/mod_authz_dbm.c @@ -137,6 +137,11 @@ static authz_status dbmgroup_check_authorization(request_rec *r, authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_dbm_module); char *user = r->user; + + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_args; + const char *require; + const char *t; char *w; const char *orig_groups = NULL; @@ -180,7 +185,15 @@ static authz_status dbmgroup_check_authorization(request_rec *r, orig_groups = groups; } - t = require_args; + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02591) + "authz_dbm authorize: require dbm-group: Can't " + "evaluate require expression: %s", err); + return AUTHZ_DENIED; + } + + t = require; while ((w = ap_getword_white(r->pool, &t)) && w[0]) { groups = orig_groups; while (groups[0]) { @@ -263,10 +276,29 @@ static authz_status dbmfilegroup_check_authorization(request_rec *r, return AUTHZ_DENIED; } +static const char *dbm_parse_config(cmd_parms *cmd, const char *require_line, + const void **parsed_require_line) +{ + const char *expr_err = NULL; + ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr)); + + expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, + &expr_err, NULL); + + if (expr_err) + return apr_pstrcat(cmd->temp_pool, + "Cannot parse expression in require line: ", + expr_err, NULL); + + *parsed_require_line = expr; + + return NULL; +} + static const authz_provider authz_dbmgroup_provider = { &dbmgroup_check_authorization, - NULL, + &dbm_parse_config, }; static const authz_provider authz_dbmfilegroup_provider = -- 2.40.0