Introduce note_auth_failure hook to allow modules to add support

for additional auth types. This makes ap_note_auth_failure() work with
mod_auth_digest again.

PR: 48807


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@960399 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -2,6 +2,10 @@
 
 Changes with Apache 2.3.7
 
+  *) core: Introduce note_auth_failure hook to allow modules to add support
+     for additional auth types. This makes ap_note_auth_failure() work with
+     mod_auth_digest again. PR 48807. [Stefan Fritsch]
+
   *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
 
   *) mod_authn_cache: new module [Nick Kew]

include/ap_mmn.h

@@ -233,6 +233,7 @@
  * 20100625.0 (2.3.7-dev)  Add 'userctx' to socache iterator callback prototype
  * 20100630.0 (2.3.7-dev)  make module_levels vector of char instead of int
  * 20100701.0 (2.3.7-dev)  re-order struct members to improve alignment
+ * 20100701.1 (2.3.7-dev)  add note_auth_failure hook
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
@@ -240,7 +241,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20100701
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 0                     /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 1                     /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

include/http_protocol.h

@@ -437,28 +437,30 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r);
 
 /**
  * Setup the output headers so that the client knows how to authenticate
- * itself the next time, if an authentication request failed.  This function
+ * itself the next time, if an authentication request failed.
- * works for both basic and digest authentication
  * @param r The current request
  */ 
 AP_DECLARE(void) ap_note_auth_failure(request_rec *r);
 
 /**
- * Setup the output headers so that the client knows how to authenticate
+ * @deprecated @see ap_note_auth_failure
- * itself the next time, if an authentication request failed.  This function
- * works only for basic authentication
- * @param r The current request
  */ 
 AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r);
 
 /**
- * Setup the output headers so that the client knows how to authenticate
+ * @deprecated @see ap_note_auth_failure
- * itself the next time, if an authentication request failed.  This function
- * works only for digest authentication
- * @param r The current request
  */ 
 AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
 
+/**
+ * This hook allows modules to add support for a specific auth type to
+ * ap_note_auth_failure
+ * @param r the current request
+ * @param auth_type the configured auth_type
+ * @return OK, DECLINED
+ */
+AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
+
 /**
  * Get the password from the request headers
  * @param r The current request

modules/aaa/mod_auth_basic.c

@@ -127,6 +127,15 @@ static void note_basic_auth_failure(request_rec *r)
                                "\"", NULL));
 }
 
+static int hook_note_basic_auth_failure(request_rec *r, const char *auth_type)
+{
+    if (strcasecmp(auth_type, "Basic"))
+        return DECLINED;
+
+    note_basic_auth_failure(r);
+    return OK;
+}
+
 static int get_basic_auth(request_rec *r, const char **user,
                           const char **pw)
 {
@@ -290,6 +299,8 @@ static void register_hooks(apr_pool_t *p)
 {
     ap_hook_check_authn(authenticate_basic_user, NULL, NULL, APR_HOOK_MIDDLE,
                         AP_AUTH_INTERNAL_PER_CONF);
+    ap_hook_note_auth_failure(hook_note_basic_auth_failure, NULL, NULL,
+                              APR_HOOK_MIDDLE);
 }
 
 AP_DECLARE_MODULE(auth_basic) =

modules/aaa/mod_auth_digest.c

@@ -1369,6 +1369,39 @@ static void note_digest_auth_failure(request_rec *r,
 
 }
 
+static int hook_note_digest_auth_failure(request_rec *r, const char *auth_type)
+{
+    request_rec *mainreq;
+    digest_header_rec *resp;
+    digest_config_rec *conf;
+
+    if (strcasecmp(auth_type, "Digest"))
+        return DECLINED;
+
+    /* get the client response and mark */
+
+    mainreq = r;
+    while (mainreq->main != NULL) {
+        mainreq = mainreq->main;
+    }
+    while (mainreq->prev != NULL) {
+        mainreq = mainreq->prev;
+    }
+    resp = (digest_header_rec *) ap_get_module_config(mainreq->request_config,
+                                                      &auth_digest_module);
+    resp->needed_auth = 1;
+
+
+    /* get our conf */
+
+    conf = (digest_config_rec *) ap_get_module_config(r->per_dir_config,
+                                                      &auth_digest_module);
+
+    note_digest_auth_failure(r, conf, resp, 0);
+
+    return OK;
+}
+
 
 /*
  * Authorization header verification code
@@ -2054,6 +2087,9 @@ static void register_hooks(apr_pool_t *p)
                         AP_AUTH_INTERNAL_PER_CONF);
 
     ap_hook_fixups(add_auth_info, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_hook_note_auth_failure(hook_note_digest_auth_failure, NULL, NULL,
+                              APR_HOOK_MIDDLE);
+
 }
 
 AP_DECLARE_MODULE(auth_digest) =

modules/aaa/mod_auth_form.c

@@ -424,6 +424,16 @@ static void note_cookie_auth_failure(request_rec * r)
     }
 }
 
+static int hook_note_cookie_auth_failure(request_rec * r,
+                                         const char *auth_type)
+{
+    if (strcasecmp(auth_type, "form"))
+        return DECLINED;
+
+    note_cookie_auth_failure(r);
+    return OK;
+}
+
 /**
  * Set the auth username and password into the main request
  * notes table.
@@ -1183,6 +1193,9 @@ static void register_hooks(apr_pool_t * p)
     ap_hook_handler(authenticate_form_login_handler, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_handler(authenticate_form_logout_handler, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_handler(authenticate_form_redirect_handler, NULL, NULL, APR_HOOK_MIDDLE);
+
+    ap_hook_note_auth_failure(hook_note_cookie_auth_failure, NULL, NULL,
+                              APR_HOOK_MIDDLE);
 }
 
 AP_DECLARE_MODULE(auth_form) =

modules/aaa/mod_authz_core.c

@@ -768,8 +768,7 @@ static int authorize_user(request_rec *r)
                           r->user, r->uri);
 
             /* If we're returning 403, tell them to try again. */
-            /* XXX: ap_note_auth_failure is currently broken */
+            ap_note_auth_failure(r);
-            /*ap_note_auth_failure(r);*/
 
             return HTTP_UNAUTHORIZED;
         }

server/protocol.c

@@ -64,6 +64,7 @@ APR_HOOK_STRUCT(
     APR_HOOK_LINK(log_transaction)
     APR_HOOK_LINK(http_scheme)
     APR_HOOK_LINK(default_port)
+    APR_HOOK_LINK(note_auth_failure)
 )
 
 AP_DECLARE_DATA ap_filter_rec_t *ap_old_write_func = NULL;
@@ -1187,10 +1188,7 @@ AP_DECLARE(void) ap_note_auth_failure(request_rec *r)
 {
     const char *type = ap_auth_type(r);
     if (type) {
-        if (!strcasecmp(type, "Basic"))
+        ap_run_note_auth_failure(r, type);
-            ap_note_basic_auth_failure(r);
-        else if (!strcasecmp(type, "Digest"))
-            ap_note_digest_auth_failure(r);
     }
     else {
         ap_log_rerror(APLOG_MARK, APLOG_ERR,
@@ -1200,29 +1198,12 @@ AP_DECLARE(void) ap_note_auth_failure(request_rec *r)
 
 AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r)
 {
-    const char *type = ap_auth_type(r);
+    ap_note_auth_failure(r);
-
-    /* if there is no AuthType configure or it is something other than
-     * Basic, let ap_note_auth_failure() deal with it
-     */
-    if (!type || strcasecmp(type, "Basic"))
-        ap_note_auth_failure(r);
-    else
-        apr_table_setn(r->err_headers_out,
-                       (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate"
-                                                       : "WWW-Authenticate",
-                       apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r),
-                                   "\"", NULL));
 }
 
 AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r)
 {
-    apr_table_setn(r->err_headers_out,
+    ap_note_auth_failure(r);
-                   (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate"
-                                                   : "WWW-Authenticate",
-                   apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\""
-                                "%" APR_UINT64_T_HEX_FMT "\"",
-                                ap_auth_name(r), (apr_uint64_t)r->request_time));
 }
 
 AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
@@ -1243,7 +1224,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
     }
 
     if (!auth_line) {
-        ap_note_basic_auth_failure(r);
+        ap_note_auth_failure(r);
         return HTTP_UNAUTHORIZED;
     }
 
@@ -1251,7 +1232,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
         /* Client tried to authenticate using wrong auth scheme */
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                       "client used wrong authentication scheme: %s", r->uri);
-        ap_note_basic_auth_failure(r);
+        ap_note_auth_failure(r);
         return HTTP_UNAUTHORIZED;
     }
 
@@ -1757,3 +1738,6 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(const char *,http_scheme,
                             (const request_rec *r), (r), NULL)
 AP_IMPLEMENT_HOOK_RUN_FIRST(unsigned short,default_port,
                             (const request_rec *r), (r), 0)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int, note_auth_failure,
+                            (request_rec *r, const char *auth_type),
+                            (r, auth_type), DECLINED)