diff --git a/CHANGES b/CHANGES
index 07ccb14dd8..9acc74b41c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.3.9
 
+ *) mod_authz_core: Allow authz providers to check args while reading the
+ config and allow to cache parsed args. [Stefan Fritsch]
+
 *) mod_include: Move the request_rec within mod_include to be exposed
 within include_ctx_t. [Graham Leggett]
 
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index a10c13cc63..8a69b0328e 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -255,12 +255,15 @@
 * interface.
 * 20100918.0 (2.3.9-dev) Move the request_rec within mod_include to be
 * exposed within include_ctx_t.
+ * 20100919.0 (2.3.9-dev) Authz providers: Add parsed_require_line parameter
+ * to check_authorization() function. Add
+ * parse_require_line() function.
 */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
 
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20100918
+#define MODULE_MAGIC_NUMBER_MAJOR 20100919
 #endif
 #define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
 
diff --git a/include/mod_auth.h b/include/mod_auth.h
index 69cab09b7f..1a424b3147 100644
--- a/include/mod_auth.h
+++ b/include/mod_auth.h
@@ -103,9 +103,23 @@ struct authn_provider_list {
 typedef struct {
 /* Given a request_rec, expected to return AUTHZ_GRANTED
 * if we can authorize user access.
+ * @param r the request record
+ * @param require_line the argument to the authz provider
+ * @param parsed_require_line the value set by parse_require_line(), if any
 */
 authz_status (*check_authorization)(request_rec *r,
- const char *require_line);
+ const char *require_line,
+ const void *parsed_require_line);
+
+ /** Check the syntax of a require line and optionally cache the parsed
+ * line. This function may be NULL.
+ * @param cmd the config directive
+ * @param require_line the argument to the authz provider
+ * @param parsed_require_line place to store parsed require_line for use by provider
+ * @return Error message or NULL on success
+ */
+ const char *(*parse_require_line)(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line);
 } authz_provider;
 
 /* ap_authn_cache_store: Optional function for authn providers
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index c075dfdc39..111490e50c 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -597,7 +597,8 @@ start_over:
 }
 
 static authz_status ldapuser_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
 {
 int result = 0;
 authn_ldap_request_t *req =
@@ -733,7 +734,8 @@ static authz_status ldapuser_check_authorization(request_rec *r,
 }
 
 static authz_status ldapgroup_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
 {
 int result = 0;
 authn_ldap_request_t *req =
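Review bot: The new `parse_require_line` member of `authz_provider` leaves unstated the two things a provider will rely on: the initial value of `*parsed_require_line` and how long whatever it stores there must live. The `all` provider added in this same commit skips the store for `denied` because the pointer "is already NULL", and the core hands the cached value to `check_authorization` on every request, so a provider that allocated from `cmd->temp_pool` would leave a dangling pointer after startup. I would extend the doc comment on `parse_require_line` with `* *parsed_require_line is NULL on entry; anything stored must live as long as the configuration (allocate from cmd->pool, never cmd->temp_pool).` and add to the `check_authorization` parameter docs that `parsed_require_line` is NULL when the provider registers no parse function. Whether mod_authz_core actually zeroes the field before calling is not visible in this diff, so that promise should be confirmed in `add_authz_provider` rather than assumed.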
@@ -948,7 +950,8 @@ static authz_status ldapgroup_check_authorization(request_rec *r, } static authz_status ldapdn_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = @@ -1056,7 +1059,8 @@ static authz_status ldapdn_check_authorization(request_rec *r, } static authz_status ldapattribute_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = @@ -1171,7 +1175,8 @@ static authz_status ldapattribute_check_authorization(request_rec *r, } static authz_status ldapfilter_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = @@ -1730,25 +1735,30 @@ static const authn_provider authn_ldap_provider = static const authz_provider authz_ldapuser_provider = { &ldapuser_check_authorization, + NULL, }; static const authz_provider authz_ldapgroup_provider = { &ldapgroup_check_authorization, + NULL, }; static const authz_provider authz_ldapdn_provider = { &ldapdn_check_authorization, + NULL, }; static const authz_provider authz_ldapattribute_provider = { &ldapattribute_check_authorization, + NULL, }; static const authz_provider authz_ldapfilter_provider = { &ldapfilter_check_authorization, + NULL, }; static void ImportULDAPOptFn(void) diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c index 889951454b..be85879011 100644 --- a/modules/aaa/mod_authz_core.c +++ b/modules/aaa/mod_authz_core.c @@ -50,6 +50,7 @@ typedef struct provider_alias_rec { char *provider_name; char *provider_alias; char *provider_args; + const void *provider_parsed_args; ap_conf_vector_t *sec_auth; const authz_provider *provider; } provider_alias_rec; 
@@ -65,6 +66,7 @@ typedef struct authz_section_conf authz_section_conf;
 struct authz_section_conf {
 const char *provider_name;
 const char *provider_args;
+ const void *provider_parsed_args;
 const authz_provider *provider;
 apr_int64_t limited;
 authz_logic_op op;
@@ -159,7 +161,8 @@ static void *create_authz_core_svr_config(apr_pool_t *p, server_rec *s)
 * configurations and then invokes them.
 */
 static authz_status authz_alias_check_authorization(request_rec *r,
- const char *require_args)
+ const char *require_args,
+ const void *parsed_require_args)
 {
 const char *provider_name;
 authz_status ret = AUTHZ_DENIED;
@@ -192,7 +195,8 @@ static authz_status authz_alias_check_authorization(request_rec *r,
 prvdraliasrec->sec_auth);
 
 ret = prvdraliasrec->provider->
- check_authorization(r, prvdraliasrec->provider_args);
+ check_authorization(r, prvdraliasrec->provider_args,
+ prvdraliasrec->provider_parsed_args);
 
 r->per_dir_config = orig_dir_config;
 }
@@ -203,7 +207,8 @@ static authz_status authz_alias_check_authorization(request_rec *r,
 
 static const authz_provider authz_alias_provider =
 {
- &authz_alias_check_authorization
+ &authz_alias_check_authorization,
+ NULL,
 };
 
 static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
@@ -370,6 +375,13 @@ static const char *add_authz_provider(cmd_parms *cmd, void *config,
 section->limited = cmd->limited;
 
+ if (section->provider->parse_require_line) {
+ const char *err = section->provider->parse_require_line(cmd, args,
+ §ion->provider_parsed_args);
+ if (err)
+ return err;
+ }
+
 if (!conf->section) {
 conf->section = create_default_section(cmd->pool);
 }
 
@@ -670,7 +682,8 @@ static authz_status apply_authz_sections(request_rec *r,
 section->provider_name);
 
 auth_result =
- section->provider->check_authorization(r, section->provider_args);
+ section->provider->check_authorization(r, section->provider_args,
+ section->provider_parsed_args);
 
 apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
 }
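Review bot: `authz_alias_check_authorization` now forwards `prvdraliasrec->provider_parsed_args`, but nothing in this diff ever writes that field: the only call to `parse_require_line` is the new block in `add_authz_provider`, and `authz_require_alias_section` appears here only as an untouched context line. Unless it is filled in somewhere outside the visible hunks, a provider reached through `<AuthzProviderAlias>` always sees NULL and its config-time syntax check is skipped, so an alias wrapping `all granted` would deny every request (the `all` provider treats NULL as denied) and a misspelled argument in an alias would not be reported at startup. The fix is to mirror the `add_authz_provider` block inside `authz_require_alias_section` once the provider has been looked up, as sketched below; its body lies outside this hunk. Separately, `add_authz_provider` should set `section->provider_parsed_args = NULL;` explicitly before the call instead of relying on the section having been pcalloc'd, since `all_parse_config` depends on that initial value.
```c
/* in authz_require_alias_section, after prvdraliasrec->provider is resolved
 * (function body outside this hunk; local names may differ) */
if (prvdraliasrec->provider->parse_require_line) {
    const char *err = prvdraliasrec->provider->parse_require_line(
                          cmd, prvdraliasrec->provider_args,
                          &prvdraliasrec->provider_parsed_args);
    if (err) {
        return err;
    }
}
```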
diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c index 50fcc954f5..40de423a9a 100644 --- a/modules/aaa/mod_authz_dbd.c +++ b/modules/aaa/mod_authz_dbd.c @@ -244,7 +244,8 @@ static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, } static authz_status dbdgroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { int i, rv; const char *w; @@ -279,7 +280,8 @@ static authz_status dbdgroup_check_authorization(request_rec *r, } static authz_status dbdlogin_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, &authz_dbd_module); @@ -292,7 +294,8 @@ static authz_status dbdlogin_check_authorization(request_rec *r, } static authz_status dbdlogout_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, &authz_dbd_module); @@ -307,17 +310,20 @@ static authz_status dbdlogout_check_authorization(request_rec *r, static const authz_provider authz_dbdgroup_provider = { &dbdgroup_check_authorization, + NULL, }; static const authz_provider authz_dbdlogin_provider = { &dbdlogin_check_authorization, + NULL, }; static const authz_provider authz_dbdlogout_provider = { &dbdlogout_check_authorization, + NULL, }; static void authz_dbd_hooks(apr_pool_t *p) diff --git a/modules/aaa/mod_authz_dbm.c b/modules/aaa/mod_authz_dbm.c index 2908eee2d3..b18f1483e7 100644 --- a/modules/aaa/mod_authz_dbm.c +++ b/modules/aaa/mod_authz_dbm.c 
@@ -131,7 +131,8 @@ static apr_status_t get_dbm_grp(request_rec *r, char *key1, char *key2, } static authz_status dbmgroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_dbm_module); @@ -201,7 +202,8 @@ static authz_status dbmgroup_check_authorization(request_rec *r, APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; static authz_status dbmfilegroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_dbm_module); @@ -268,11 +270,13 @@ static authz_status dbmfilegroup_check_authorization(request_rec *r, static const authz_provider authz_dbmgroup_provider = { &dbmgroup_check_authorization, + NULL, }; static const authz_provider authz_dbmfilegroup_provider = { &dbmfilegroup_check_authorization, + NULL, }; diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c index 0ddf9ad9ea..7da27a455c 100644 --- a/modules/aaa/mod_authz_groupfile.c +++ b/modules/aaa/mod_authz_groupfile.c @@ -138,7 +138,8 @@ static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile, } static authz_status group_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_groupfile_module); 
@@ -197,7 +198,8 @@ static authz_status group_check_authorization(request_rec *r, APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; static authz_status filegroup_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_groupfile_module); @@ -263,11 +265,13 @@ static authz_status filegroup_check_authorization(request_rec *r, static const authz_provider authz_group_provider = { &group_check_authorization, + NULL, }; static const authz_provider authz_filegroup_provider = { &filegroup_check_authorization, + NULL, }; static void register_hooks(apr_pool_t *p) diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c index f556b664d4..a56d7738c4 100644 --- a/modules/aaa/mod_authz_host.c +++ b/modules/aaa/mod_authz_host.c @@ -90,7 +90,9 @@ static int in_domain(const char *domain, const char *what) } } -static authz_status env_check_authorization(request_rec *r, const char *require_line) +static authz_status env_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { const char *t, *w; @@ -112,7 +114,9 @@ static authz_status env_check_authorization(request_rec *r, const char *require_ return AUTHZ_DENIED; } -static authz_status ip_check_authorization(request_rec *r, const char *require_line) +static authz_status ip_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { const char *t, *w; @@ -170,7 +174,9 @@ static authz_status ip_check_authorization(request_rec *r, const char *require_l return AUTHZ_DENIED; } -static authz_status host_check_authorization(request_rec *r, const char *require_line) +static authz_status host_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { const char *t, *w; const char *remotehost = NULL; 
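Review bot: The `ip` provider keeps `NULL` as its `parse_require_line` (see the `authz_ip_provider` initializer in the next hunk of this file) and `ip_check_authorization` still takes only the raw `require_line`, so whatever parsing and validation of the subnet list it performs — its body lies outside this hunk — presumably still runs on every request, and a malformed `Require ip` entry surfaces at request time rather than at startup. This is exactly the case the new hook was added for: an `ip_parse_config` that walks the argument list once, returns an error string for an entry that does not parse, and caches the resulting subnet array in `*parsed_require_line` for the check function to iterate. The same applies more weakly to `host` and `env`, whose arguments are plain words and would mainly gain a check that the list is non-empty.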
@@ -206,37 +212,60 @@ static authz_status host_check_authorization(request_rec *r, const char *require
 return AUTHZ_DENIED;
 }
 
-static authz_status all_check_authorization(request_rec *r, const char *require_line)
+static authz_status all_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
 {
- /* If the argument to the 'all' provider is 'granted' then just let
- everybody in. This would be equivalent to the previous syntax of
- 'allow from all'. If the argument is anything else, this would
- be equivalent to 'deny from all' Of course the opposite would be
- true if the 'all' provider is invoked by the 'reject' directive */
- if (strcasecmp(require_line, "granted") == 0) {
+ if (parsed_require_line) {
 return AUTHZ_GRANTED;
 }
 return AUTHZ_DENIED;
 }
 
+static const char *all_parse_config(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line)
+{
+ /*
+ * If the argument to the 'all' provider is 'granted' then just let
+ * everybody in. This would be equivalent to the previous syntax of
+ * 'allow from all'. If the argument is 'denied' we reject everbody,
+ * which is equivalent to 'deny from all'.
+ */
+ if (strcasecmp(require_line, "granted") == 0) {
+ *parsed_require_line = (void *)1;
+ return NULL;
+ }
+ else if (strcasecmp(require_line, "denied") == 0) {
+ /* *parsed_require_line is already NULL */
+ return NULL;
+ }
+ else {
+ return "Argument for 'Require all' must be 'granted' or 'denied'";
+ }
+}
+
 static const authz_provider authz_env_provider =
 {
 &env_check_authorization,
+ NULL,
 };
 
 static const authz_provider authz_ip_provider =
 {
 &ip_check_authorization,
+ NULL,
 };
 
 static const authz_provider authz_host_provider =
 {
 &host_check_authorization,
+ NULL,
 };
 
 static const authz_provider authz_all_provider =
 {
 &all_check_authorization,
+ &all_parse_config,
 };
 
 static void register_hooks(apr_pool_t *p)
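Review bot: `all_check_authorization` now grants solely on `parsed_require_line` being non-NULL, and the bare `(void *)1` written by `all_parse_config` is the only thing that ever makes it non-NULL, yet nothing at the request-time check explains the convention. A comment on the `if (parsed_require_line)` line should record that NULL — whether set for `denied` or because the parse hook never ran for this section — is deliberately treated as deny, so the provider fails closed: `/* NULL means 'denied', or the parse hook never ran: fail closed */`. For readability I would also name the sentinel once, e.g. `#define AUTHZ_ALL_GRANTED ((const void *)1)`, and use it in both functions instead of the magic cast. Minor: `everbody` in the new comment is a typo for `everybody`.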
diff --git a/modules/aaa/mod_authz_owner.c b/modules/aaa/mod_authz_owner.c index 45cf5e2ed4..4cd3cdcd90 100644 --- a/modules/aaa/mod_authz_owner.c +++ b/modules/aaa/mod_authz_owner.c @@ -39,7 +39,8 @@ static const command_rec authz_owner_cmds[] = module AP_MODULE_DECLARE_DATA authz_owner_module; static authz_status fileowner_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { char *reason = NULL; apr_status_t status = 0; @@ -165,6 +166,7 @@ static char *authz_owner_get_file_group(request_rec *r) static const authz_provider authz_fileowner_provider = { &fileowner_check_authorization, + NULL, }; static void register_hooks(apr_pool_t *p) diff --git a/modules/aaa/mod_authz_user.c b/modules/aaa/mod_authz_user.c index 7e536e0a1a..2d16a3c72d 100644 --- a/modules/aaa/mod_authz_user.c +++ b/modules/aaa/mod_authz_user.c @@ -46,7 +46,8 @@ static const command_rec authz_user_cmds[] = module AP_MODULE_DECLARE_DATA authz_user_module; static authz_status user_check_authorization(request_rec *r, - const char *require_args) + const char *require_args, + const void *parsed_require_args) { const char *t, *w; @@ -69,7 +70,9 @@ static authz_status user_check_authorization(request_rec *r, return AUTHZ_DENIED; } -static authz_status validuser_check_authorization(request_rec *r, const char *require_line) +static authz_status validuser_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) { if (!r->user) { return AUTHZ_DENIED_NO_USER; @@ -81,10 +84,12 @@ static authz_status validuser_check_authorization(request_rec *r, const char *re static const authz_provider authz_user_provider = { &user_check_authorization, + NULL, }; static const authz_provider authz_validuser_provider = { &validuser_check_authorization, + NULL, }; static void register_hooks(apr_pool_t *p)