From b29716025411d91c0554fa24bf55e5434aac32c9 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Sun, 5 Jan 2014 16:09:07 +0000 Subject: [PATCH] Merge r1554161 from trunk: mod_authnz_ldap: Support the expression parser within the require directives. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555539 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 + STATUS | 5 -- docs/manual/expr.xml | 5 ++ docs/manual/mod/mod_authnz_ldap.xml | 13 ++++ modules/aaa/mod_authnz_ldap.c | 103 +++++++++++++++++++++++++--- 5 files changed, 113 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index 0427552081..17a0638a21 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.4.8 + *) mod_authnz_ldap: Support the expression parser within the require + directives. [Graham Leggett] + * mod_proxy_http: Core dumped under high load. PR 50335 [Jan Kaluza ] diff --git a/STATUS b/STATUS index 47858dff19..07331bc629 100644 --- a/STATUS +++ b/STATUS @@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_authnz_ldap: Support the expression parser within the require directives. - trunk patch: http://svn.apache.org/r1554161 - 2.4.x patch: trunk works (modulo CHANGES and log-message-tags) - +1: minfrin, jim, covener - * mod_authz_dbd: Support the expression parser within the require directives. trunk patch: http://svn.apache.org/r1554168 http://svn.apache.org/r1554176 diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml index 50eb436fce..2674f8d646 100644 --- a/docs/manual/expr.xml +++ b/docs/manual/expr.xml @@ -51,6 +51,11 @@ RequestHeader FilterProvider Require expr +Require ldap-user +Require ldap-group +Require ldap-dn +Require ldap-attribute +Require ldap-filter SSLRequire LogMessage mod_include diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index 44bf395561..91acb9656d 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -323,6 +323,9 @@ for HTTP Basic authentication. ldap-filter. Other authorization types may also be used but may require that additional authorization modules be loaded.

+

Since v2.5.0, expressions are supported + within the LDAP require directives.

+
Require ldap-user

The Require ldap-user directive specifies what @@ -543,6 +546,16 @@ Require ldap-group cn=Administrators, o=Example +

  • + Grant access to anybody in the group whose name matches the + hostname of the virtual host. In this example an + expression is used to build the filter. + +AuthLDAPURL ldap://ldap.example.com/o=Example?uid +Require ldap-group cn=%{SERVER_NAME}, o=Example + +
  • +
  • The next example assumes that everyone at Example who carries an alphanumeric pager will have an LDAP attribute diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index d46eeb44ed..50921cde3d 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -607,6 +607,10 @@ static authz_status ldapuser_check_authorization(request_rec *r, util_ldap_connection_t *ldc = NULL; + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_args; + const char *require; + const char *t; char *w; @@ -680,11 +684,19 @@ static authz_status ldapuser_check_authorization(request_rec *r, return AUTHZ_DENIED; } + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585) + "auth_ldap authorize: require user: Can't evaluate expression: %s", + err); + return AUTHZ_DENIED; + } + /* * First do a whole-line compare, in case it's something like * require user Babs Jensen */ - result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args); + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703) @@ -704,7 +716,7 @@ static authz_status ldapuser_check_authorization(request_rec *r, /* * Now break apart the line and compare each word on it */ - t = require_args; + t = require; while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); switch(result) { @@ -744,6 +756,10 @@ static authz_status ldapgroup_check_authorization(request_rec *r, util_ldap_connection_t *ldc = NULL; + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_args; + const char *require; + const char *t; char filtbuf[FILTER_LENGTH]; @@ -863,7 +879,15 @@ static authz_status ldapgroup_check_authorization(request_rec *r, } } - t = require_args; + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586) + "auth_ldap authorize: require group: Can't evaluate expression: %s", + err); + return AUTHZ_DENIED; + } + + t = require; ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713) "auth_ldap authorize: require group: testing for group " @@ -959,6 +983,10 @@ static authz_status ldapdn_check_authorization(request_rec *r, util_ldap_connection_t *ldc = NULL; + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_args; + const char *require; + const char *t; char filtbuf[FILTER_LENGTH]; @@ -1021,7 +1049,15 @@ static authz_status ldapdn_check_authorization(request_rec *r, req->user = r->user; } - t = require_args; + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587) + "auth_ldap authorize: require dn: Can't evaluate expression: %s", + err); + return AUTHZ_DENIED; + } + + t = require; if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725) @@ -1068,6 +1104,10 @@ static authz_status ldapattribute_check_authorization(request_rec *r, util_ldap_connection_t *ldc = NULL; + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_args; + const char *require; + const char *t; char *w, *value; @@ -1138,7 +1178,16 @@ static authz_status ldapattribute_check_authorization(request_rec *r, return AUTHZ_DENIED; } - t = require_args; + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588) + "auth_ldap authorize: require ldap-attribute: Can't " + "evaluate expression: %s", err); + return AUTHZ_DENIED; + } + + t = require; + while (t[0]) { w = ap_getword(r->pool, &t, '='); value = ap_getword_conf(r->pool, &t); @@ -1183,6 +1232,11 @@ static authz_status ldapfilter_check_authorization(request_rec *r, (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; + + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_args; + const char *require; + const char *t; char filtbuf[FILTER_LENGTH]; @@ -1252,7 +1306,15 @@ static authz_status ldapfilter_check_authorization(request_rec *r, return AUTHZ_DENIED; } - t = require_args; + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589) + "auth_ldap authorize: require ldap-filter: Can't " + "evaluate require expression: %s", err); + return AUTHZ_DENIED; + } + + t = require; if (t[0]) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743) @@ -1311,6 +1373,25 @@ static authz_status ldapfilter_check_authorization(request_rec *r, return AUTHZ_DENIED; } +static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line, + const void **parsed_require_line) +{ + const char *expr_err = NULL; + ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr)); + + expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, + &expr_err, NULL); + + if (expr_err) + return apr_pstrcat(cmd->temp_pool, + "Cannot parse expression in require line: ", + expr_err, NULL); + + *parsed_require_line = expr; + + return NULL; +} + /* * Use the ldap url parsing routines to break up the ldap url into @@ -1769,30 +1850,30 @@ static const authn_provider authn_ldap_provider = static const authz_provider authz_ldapuser_provider = { &ldapuser_check_authorization, - NULL, + &ldap_parse_config, }; static const authz_provider authz_ldapgroup_provider = { &ldapgroup_check_authorization, - NULL, + &ldap_parse_config, }; static const authz_provider authz_ldapdn_provider = { &ldapdn_check_authorization, - NULL, + &ldap_parse_config, }; static const authz_provider authz_ldapattribute_provider = { &ldapattribute_check_authorization, - NULL, + &ldap_parse_config, }; static const authz_provider authz_ldapfilter_provider = { &ldapfilter_check_authorization, - NULL, + &ldap_parse_config, }; static void ImportULDAPOptFn(void) -- 2.40.0