From c5c43e09f690276024f51bdf9d436ffbe3d60f09 Mon Sep 17 00:00:00 2001
From: Jim Jagielski <jim@apache.org>
Date: Sun, 5 Jan 2014 16:11:44 +0000
Subject: [PATCH] Merge r1554175, r1554184 from trunk:

mod_authnz_groupfile: Support the expression parser within the require directives.


Pass the correct pointer that made it past the test suite.

Submitted by: minfrin
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555543 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                                 |  3 +++
 STATUS                                  | 12 ---------
 docs/manual/mod/mod_authz_groupfile.xml | 35 ++++++++++++++++++++++++
 modules/aaa/mod_authz_groupfile.c       | 36 +++++++++++++++++++++++--
 4 files changed, 72 insertions(+), 14 deletions(-)

diff --git a/CHANGES b/CHANGES
index 179e25dfb3..4a22d57d19 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.8
 
+  *) mod_authnz_groupfile: Support the expression parser within the require
+     directives. [Graham Leggett]
+
   *) mod_authnz_dbm: Support the expression parser within the require
      directives. [Graham Leggett]
 
diff --git a/STATUS b/STATUS
index d04ff87cde..155d2ca710 100644
--- a/STATUS
+++ b/STATUS
@@ -98,18 +98,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * mod_authz_dbm: Support the expression parser within the require directives.
-    trunk patch: http://svn.apache.org/r1554170
-                 http://svn.apache.org/r1554181
-    2.4.x patch: trunk works (modulo CHANGES and log-message-tags)
-    +1: minfrin, jim, covener
-
-  * mod_authz_groupfile: Support the expression parser within the require directives.
-    trunk patch: http://svn.apache.org/r1554175
-                 http://svn.apache.org/r1554184
-    2.4.x patch: trunk works (modulo CHANGES and log-message-tags)
-    +1: minfrin, jim, covener
-
   * mod_authz_host: Support the expression parser within the require directives.
     trunk patch: http://svn.apache.org/r1554188
     2.4.x patch: trunk works (modulo CHANGES and log-message-tags)
diff --git a/docs/manual/mod/mod_authz_groupfile.xml b/docs/manual/mod/mod_authz_groupfile.xml
index 5ebe885aad..1099776d49 100644
--- a/docs/manual/mod/mod_authz_groupfile.xml
+++ b/docs/manual/mod/mod_authz_groupfile.xml
@@ -38,6 +38,41 @@
 
 <seealso><directive module="mod_authz_core">Require</directive></seealso>
 
+<section id="requiredirectives"><title>The Require Directives</title>
+
+    <p>Apache's <directive module="mod_authz_core">Require</directive>
+    directives are used during the authorization phase to ensure that
+    a user is allowed to access a resource.  mod_authz_groupfile extends the
+    authorization types with <code>group</code> and <code>group-file</code>.
+    </p>
+
+    <p>Since v2.5.0, <a href="../expr.html">expressions</a> are supported
+    within the groupfile require directives.</p>
+
+<section id="reqgroup"><title>Require group</title>
+
+    <p>This directive specifies group membership that is required for the
+    user to gain access.</p>
+
+    <highlight language="config">
+      Require group admin
+    </highlight>
+
+</section>
+
+<section id="reqfilegroup"><title>Require file-group</title>
+
+    <p>When this directive is specified, the user must be a member of the group
+    assigned to the file being accessed.</p>
+
+    <highlight language="config">
+      Require file-group
+    </highlight>
+
+</section>
+
+</section>
+
 <directivesynopsis>
 <name>AuthGroupFile</name>
 <description>Sets the name of a text file containing the list
diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c
index c7fd13b6c4..590e8da296 100644
--- a/modules/aaa/mod_authz_groupfile.c
+++ b/modules/aaa/mod_authz_groupfile.c
@@ -139,6 +139,11 @@ static authz_status group_check_authorization(request_rec *r,
     authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
             &authz_groupfile_module);
     char *user = r->user;
+
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t, *w;
     apr_table_t *grpstatus = NULL;
     apr_status_t status;
@@ -175,7 +180,15 @@ static authz_status group_check_authorization(request_rec *r,
         return AUTHZ_DENIED;
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02592)
+                      "authz_groupfile authorize: require group: Can't "
+                      "evaluate require expression: %s", err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
     while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
         if (apr_table_get(grpstatus, w)) {
             return AUTHZ_GRANTED;
@@ -257,10 +270,29 @@ static authz_status filegroup_check_authorization(request_rec *r,
     return AUTHZ_DENIED;
 }
 
+static const char *groupfile_parse_config(cmd_parms *cmd, const char *require_line,
+                                          const void **parsed_require_line)
+{
+    const char *expr_err = NULL;
+    ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr));
+
+    expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
+            &expr_err, NULL);
+
+    if (expr_err)
+        return apr_pstrcat(cmd->temp_pool,
+                           "Cannot parse expression in require line: ",
+                           expr_err, NULL);
+
+    *parsed_require_line = expr;
+
+    return NULL;
+}
+
 static const authz_provider authz_group_provider =
 {
     &group_check_authorization,
-    NULL,
+    &groupfile_parse_config,
 };
 
 static const authz_provider authz_filegroup_provider =
-- 
2.40.0