From bbc850ee3312f1a2541dbbaca93a3f3fa80eea5d Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Sun, 29 Jun 2008 16:42:43 +0000 Subject: [PATCH] mod_auth_digest: Detect during startup when AuthDigestProvider is configured to use an incompatible provider via AuthnProviderAlias. PR 45196 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@672639 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ include/ap_mmn.h | 3 ++- include/mod_auth.h | 4 ++++ modules/aaa/mod_auth_digest.c | 4 +++- modules/aaa/mod_authn_core.c | 22 ++++++++++++++++++++++ modules/aaa/mod_authn_dbm.c | 8 +++++++- modules/aaa/mod_authn_file.c | 6 ++++++ modules/aaa/mod_authnz_ldap.c | 14 ++++++++++++++ 8 files changed, 62 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 1cf8648e22..fb64b7feb7 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.3.0 [ When backported to 2.2.x, remove entry from this file ] + *) mod_auth_digest: Detect during startup when AuthDigestProvider + is configured to use an incompatible provider via AuthnProviderAlias. + PR 45196 [Eric Covener] + *) mod_rewrite: Preserve the query string with [proxy,noescape]. PR 45247 [Tom Donovan] diff --git a/include/ap_mmn.h b/include/ap_mmn.h index ffd3f4005d..e430a5927c 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -161,6 +161,7 @@ * 20080528.0 (2.3.0-dev) Switch order of ftp_directory_charset and * interpolate_env in proxy_dir_conf. * Rationale: see r661069. + * 20080528.1 (2.3.0-dev) add get_realm_hash() to mod_auth.h */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ @@ -168,7 +169,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20080528 #endif -#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a diff --git a/include/mod_auth.h b/include/mod_auth.h index c8e8570289..867c0f8dab 100644 --- a/include/mod_auth.h 
+++ b/include/mod_auth.h @@ -93,6 +93,10 @@ typedef struct { */ authn_status (*get_realm_hash)(request_rec *r, const char *user, const char *realm, char **rethash); + + /* OK if provider can satisfy get_realm_hash(), APR_ENOTIMPL otherwise. */ + apr_status_t (*has_realm_hash)(cmd_parms *cmd, const char *provider_name); + } authn_provider; /* A linked-list of authn providers. */ diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c index 6dfbea615f..f9e3e68d29 100644 --- a/modules/aaa/mod_auth_digest.c +++ b/modules/aaa/mod_auth_digest.c @@ -463,7 +463,9 @@ static const char *add_authn_provider(cmd_parms *cmd, void *config, newp->provider_name); } - if (!newp->provider->get_realm_hash) { + if (!newp->provider->get_realm_hash || + (newp->provider->has_realm_hash && + newp->provider->has_realm_hash(cmd, newp->provider_name) == APR_ENOTIMPL)) { /* if it doesn't provide the appropriate function, reject it */ return apr_psprintf(cmd->pool, "The '%s' Authn provider doesn't support " diff --git a/modules/aaa/mod_authn_core.c b/modules/aaa/mod_authn_core.c index 649f6c6f08..827f416e5b 100644 --- a/modules/aaa/mod_authn_core.c +++ b/modules/aaa/mod_authn_core.c 
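Review bot: Appending `has_realm_hash` to the public `authn_provider` struct changes its size, but the commit only raises MODULE_MAGIC_NUMBER_MINOR, so a provider module built against the earlier header would still load. Its provider object holds only two pointers, and the new check in add_authn_provider would then read `provider->has_realm_hash` past the end of that object. A major MMN bump, or some other way to tell old-layout providers apart, would avoid this. The new ap_mmn.h entry also names `get_realm_hash()` where the added member is `has_realm_hash()`. I would extend the member comment to say it is optional and called at configuration time, e.g. `/* Optional (may be NULL); called while parsing config. APR_SUCCESS if get_realm_hash() is usable, APR_ENOTIMPL otherwise. */`.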
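Review bot: The new condition in add_authn_provider rejects a provider only when `has_realm_hash()` returns exactly `APR_ENOTIMPL`, so any other failure status is treated as "supports digest" and the provider is accepted. For a capability check that gates an authentication provider, the comparison should fail closed: `newp->provider->has_realm_hash(cmd, newp->provider_name) != APR_SUCCESS`. The providers in this commit return `OK`, which has the same value as `APR_SUCCESS`, so they would still pass. The function body starts and ends outside this hunk.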
@@ -132,6 +132,27 @@ static authn_status authn_alias_check_password(request_rec *r, const char *user, return ret; } +static apr_status_t authn_alias_has_realm_hash(cmd_parms *cmd, const char *provider_name) +{ + /* No merge, just a query to be passed on to the provider */ + authn_alias_srv_conf *authcfg = + (authn_alias_srv_conf *)ap_get_module_config(cmd->server->module_config, + &authn_core_module); + apr_status_t ret = APR_ENOTIMPL; + + provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec, + provider_name, + APR_HASH_KEY_STRING); + if (prvdraliasrec->provider->has_realm_hash) { + ret = prvdraliasrec->provider->has_realm_hash(cmd, provider_name); + } + else if (prvdraliasrec->provider->get_realm_hash) { + /* provider didn't register has_realm_hash, but does have get_realm_hash */ + ret = OK; + } + + return ret; +} static authn_status authn_alias_get_realm_hash(request_rec *r, const char *user, const char *realm, char **rethash) { @@ -179,6 +200,7 @@ static const authn_provider authn_alias_provider = { &authn_alias_check_password, &authn_alias_get_realm_hash, + &authn_alias_has_realm_hash, }; static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *arg) diff --git a/modules/aaa/mod_authn_dbm.c b/modules/aaa/mod_authn_dbm.c index 767e8bb8ef..ff29481977 100644 --- a/modules/aaa/mod_authn_dbm.c +++ b/modules/aaa/mod_authn_dbm.c @@ -147,6 +147,11 @@ static authn_status check_dbm_pw(request_rec *r, const char *user, return AUTH_GRANTED; } +static apr_status_t has_dbm_realm_hash(cmd_parms *cmd, const char *provider_name) +{ + return OK; +} + static authn_status get_dbm_realm_hash(request_rec *r, const char *user, const char *realm, char **rethash) { @@ -184,7 +189,8 @@ static authn_status get_dbm_realm_hash(request_rec *r, const char *user, static const authn_provider authn_dbm_provider = { &check_dbm_pw, - &get_dbm_realm_hash + &get_dbm_realm_hash, + &has_dbm_realm_hash }; static void register_hooks(apr_pool_t *p) 
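Review bot: In authn_alias_has_realm_hash the result of `apr_hash_get(authcfg->alias_rec, provider_name, APR_HASH_KEY_STRING)` is dereferenced without a NULL check, and `apr_hash_get` returns NULL when the key is absent. The lookup uses the configuration of `cmd->server`, so an alias that is not registered in that server's table (presumably one declared in a different server context) would crash the server during config parsing instead of producing a configuration error. A guard before the first use keeps the failure closed: `if (!prvdraliasrec) { return APR_ENOTIMPL; }`. The call also forwards the alias name as `provider_name` to the underlying provider; a short comment noting that the argument is the alias rather than the real provider name would help future implementers.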
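Review bot: `has_dbm_realm_hash` is declared to return `apr_status_t` but returns `OK`, which is the handler/hook status constant rather than an APR status; `return APR_SUCCESS;` matches the declared type and the `APR_ENOTIMPL` used on the failure side. The same applies to `has_realm_hash` in mod_authn_file.c and to the `ret = OK;` fallback in authn_alias_has_realm_hash. Neither parameter is used, so a one-line comment such as `/* dbm files can always hold realm hashes; arguments unused */` would make the intent clear.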
diff --git a/modules/aaa/mod_authn_file.c b/modules/aaa/mod_authn_file.c index 76aa2e15ee..1ac8464a65 100644 --- a/modules/aaa/mod_authn_file.c +++ b/modules/aaa/mod_authn_file.c @@ -108,6 +108,11 @@ static authn_status check_password(request_rec *r, const char *user, return AUTH_GRANTED; } +static apr_status_t has_realm_hash(cmd_parms *cmd, const char *provider_name) +{ + return OK; +} + static authn_status get_realm_hash(request_rec *r, const char *user, const char *realm, char **rethash) { @@ -159,6 +164,7 @@ static const authn_provider authn_file_provider = { &check_password, &get_realm_hash, + &has_realm_hash, }; static void register_hooks(apr_pool_t *p) diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index d617f5bca6..8a68759ce6 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -1538,9 +1538,23 @@ static int authnz_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t * return OK; } +static authn_status authn_ldap_get_realm_hash(request_rec *r, const char *user, + const char *realm, char **rethash) +{ + return AUTH_GENERAL_ERROR; + +} + +static apr_status_t authn_ldap_has_realm_hash(cmd_parms *cmd, const char *provider_name) +{ + return APR_ENOTIMPL; +} + static const authn_provider authn_ldap_provider = { &authn_ldap_check_password, + authn_ldap_get_realm_hash, + &authn_ldap_has_realm_hash }; static const authz_provider authz_ldapuser_provider = -- 2.40.0
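Review bot: The stub `authn_ldap_get_realm_hash` makes the `get_realm_hash` slot of `authn_ldap_provider` non-NULL for a provider that cannot supply a realm hash. Any caller that still tests only the pointer, as add_authn_provider did before this commit, will now accept LDAP as digest-capable and fail only at request time with `AUTH_GENERAL_ERROR`. Leaving the slot empty keeps both the old and the new check rejecting it at startup: `NULL, /* no get_realm_hash: LDAP cannot provide a realm hash */` followed by `&authn_ldap_has_realm_hash`. If the stub is kept, it should carry a comment saying why it exists, and the initializer should use `&` consistently with the neighbouring entries.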