You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mi...@apache.org on 2023/04/25 17:35:08 UTC
svn commit: r1909409 - in /httpd/httpd/trunk: CHANGES docs/manual/developer/new_api_2_6.xml include/ap_mmn.h include/http_request.h include/mod_auth.h server/request.c
Author: minfrin
Date: Tue Apr 25 17:35:08 2023
New Revision: 1909409
URL: http://svn.apache.org/viewvc?rev=1909409&view=rev
Log:
core: Add the token_checker hook, that allows authentication to take
place using mechanisms other than username/password, such as bearer
tokens.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml
httpd/httpd/trunk/include/ap_mmn.h
httpd/httpd/trunk/include/http_request.h
httpd/httpd/trunk/include/mod_auth.h
httpd/httpd/trunk/server/request.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1909409&r1=1909408&r2=1909409&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Apr 25 17:35:08 2023
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) core: Add the token_checker hook, that allows authentication to take
+ place using mechanisms other than username/password, such as bearer
+ tokens. [Graham Leggett]
+
*) mod_alias: When an alias is declared inside a Location, make sure
the balance of the URL is preserved to match the alias declared
outside a location. Fixes an error where all requests are mapped
Modified: httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml?rev=1909409&r1=1909408&r2=1909409&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml (original)
+++ httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml Tue Apr 25 17:35:08 2023
@@ -57,6 +57,22 @@
<p>Introduces a new API to fill me in.</p>
</section>
+ <section id="http_request">
+ <title>http_request (changed)</title>
+ <ul>
+ <li>New autht_provider API</li>
+ <li>New <code>token_checker</code> hook to handle authentication based on
+ mechanisms other than username and password.</li>
+ <li>New function <code>ap_hook_check_autht</code>, as an addition to
+ <code>ap_hook_check_authn</code> and <code>ap_hook_check_authz</code>.</li>
+ </ul>
+ </section>
+
+ <section id="mod_auth">
+ <title>mod_auth (changed)</title>
+ <p>Adds an additional provider framework for autht - token authentication.</p>
+ </section>
+
</section>
<section id="upgrading">
Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1909409&r1=1909408&r2=1909409&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Tue Apr 25 17:35:08 2023
@@ -715,6 +715,8 @@
* 20211221.10 (2.5.1-dev) Add ap_proxy_canonenc_ex
* 20211221.11 (2.5.1-dev) Add AP_CTIME_OPTION_GMTOFF to util_time.h
* 20211221.12 (2.5.1-dev) Add cmd_parms->regex
+ * 20211221.13 (2.5.1-dev) Add hook token_checker to check for authorization other
+ * than username / password. Add autht_provider structure.
*/
#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
@@ -722,7 +724,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20211221
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 12 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 13 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
Modified: httpd/httpd/trunk/include/http_request.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_request.h?rev=1909409&r1=1909408&r2=1909409&view=diff
==============================================================================
--- httpd/httpd/trunk/include/http_request.h (original)
+++ httpd/httpd/trunk/include/http_request.h Tue Apr 25 17:35:08 2023
@@ -481,6 +481,19 @@ AP_DECLARE_HOOK(int,access_checker_ex,(r
AP_DECLARE_HOOK(int,auth_checker,(request_rec *r))
/**
+ * This hook is used to parse any tokens in the request that might key
+ * or contain metadata such as users or IP addresses that may be
+ * relevant to the request. It runs before the access checker. This
+ * hook should be registered with ap_hook_check_autht().
+ *
+ * @param r the current request
+ * @return OK, DECLINED, or HTTP_...
+ * @ingroup hooks
+ * @see ap_hook_check_authz
+ */
+AP_DECLARE_HOOK(int,token_checker,(request_rec *r))
+
+/**
* Register a hook function that will apply additional access control to
* the current request.
* @param pf An access_checker hook function
@@ -516,6 +529,24 @@ AP_DECLARE(void) ap_hook_check_access_ex
const char * const *aszSucc,
int nOrder, int type);
+/**
+ * Register a hook function that will analyze the request headers, extract
+ * any tokens, and apply and metadata contained in the tokens or keyed against
+ * the tokens to the request record.
+ * @param pf A token_checker hook function
+ * @param aszPre A NULL-terminated array of strings that name modules whose
+ * hooks should precede this one
+ * @param aszSucc A NULL-terminated array of strings that name modules whose
+ * hooks should succeed this one
+ * @param nOrder An integer determining order before honouring aszPre and
+ * aszSucc (for example, HOOK_MIDDLE)
+ * @param type Internal request processing mode, either
+ * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
+ */
+AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
+ const char * const *aszPre,
+ const char * const *aszSucc,
+ int nOrder, int type);
/**
* Register a hook function that will analyze the request headers,
Modified: httpd/httpd/trunk/include/mod_auth.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/mod_auth.h?rev=1909409&r1=1909408&r2=1909409&view=diff
==============================================================================
--- httpd/httpd/trunk/include/mod_auth.h (original)
+++ httpd/httpd/trunk/include/mod_auth.h Tue Apr 25 17:35:08 2023
@@ -36,15 +36,20 @@
extern "C" {
#endif
+#define AUTHT_PROVIDER_GROUP "autht"
#define AUTHN_PROVIDER_GROUP "authn"
#define AUTHZ_PROVIDER_GROUP "authz"
+#define AUTHT_PROVIDER_VERSION "0"
#define AUTHN_PROVIDER_VERSION "0"
#define AUTHZ_PROVIDER_VERSION "0"
+#define AUTHT_DEFAULT_PROVIDER "jwt"
#define AUTHN_DEFAULT_PROVIDER "file"
+#define AUTHT_PROVIDER_NAME_NOTE "autht_provider_name"
#define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
#define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
+#define AUTHT_PREFIX "TOKEN_"
#define AUTHN_PREFIX "AUTHENTICATE_"
#define AUTHZ_PREFIX "AUTHORIZE_"
@@ -71,6 +76,15 @@ typedef enum {
} authn_status;
typedef enum {
+ AUTHT_DENIED = AUTH_DENIED,
+ AUTHT_GRANTED = AUTH_GRANTED,
+ AUTHT_GENERAL_ERROR = AUTH_GENERAL_ERROR,
+ AUTHT_MISMATCH,
+ AUTHT_EXPIRED,
+ AUTHT_INVALID
+} autht_status;
+
+typedef enum {
AUTHZ_DENIED,
AUTHZ_GRANTED,
AUTHZ_NEUTRAL,
@@ -81,15 +95,20 @@ typedef enum {
typedef struct {
/* Given a username and password, expected to return AUTH_GRANTED
* if we can validate this user/password combination.
+ *
+ * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
*/
authn_status (*check_password)(request_rec *r, const char *user,
const char *password);
/* Given a user and realm, expected to return AUTH_USER_FOUND if we
* can find a md5 hash of 'user:realm:password'
+ *
+ * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
*/
authn_status (*get_realm_hash)(request_rec *r, const char *user,
const char *realm, char **rethash);
+
} authn_provider;
/* A linked-list of authn providers. */
@@ -102,6 +121,24 @@ struct authn_provider_list {
};
typedef struct {
+ /* Given a token of a given type, expected to return AUTH_GRANTED
+ * if the token could be successfully authenticated.
+ */
+ autht_status (*check_token)(request_rec *r, const char *type,
+ const char *token);
+
+} autht_provider;
+
+/* A linked-list of authn providers. */
+typedef struct autht_provider_list autht_provider_list;
+
+struct autht_provider_list {
+ const char *provider_name;
+ const autht_provider *provider;
+ autht_provider_list *next;
+};
+
+typedef struct {
/* Given a request_rec, expected to return AUTHZ_GRANTED
* if we can authorize user access.
* @param r the request record
Modified: httpd/httpd/trunk/server/request.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1909409&r1=1909408&r2=1909409&view=diff
==============================================================================
--- httpd/httpd/trunk/server/request.c (original)
+++ httpd/httpd/trunk/server/request.c Tue Apr 25 17:35:08 2023
@@ -73,6 +73,7 @@ APR_HOOK_STRUCT(
APR_HOOK_LINK(post_perdir_config)
APR_HOOK_LINK(dirwalk_stat)
APR_HOOK_LINK(force_authn)
+ APR_HOOK_LINK(token_checker)
)
AP_IMPLEMENT_HOOK_RUN_FIRST(int,pre_translate_name,
@@ -103,6 +104,8 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(apr_status_t
(finfo, r, wanted), AP_DECLINED)
AP_IMPLEMENT_HOOK_RUN_FIRST(int,force_authn,
(request_rec *r), (r), DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int,token_checker,
+ (request_rec *r), (r), DECLINED)
static int auth_internal_per_conf = 0;
static int auth_internal_per_conf_hooks = 0;
@@ -333,6 +336,12 @@ AP_DECLARE(int) ap_process_request_inter
switch (ap_satisfies(r)) {
case SATISFY_ALL:
case SATISFY_NOSPEC:
+ if ((access_status = ap_run_token_checker(r)) != OK &&
+ access_status != DECLINED) {
+ return decl_die(access_status,
+ "check token (with Satisfy All)", r);
+ }
+
if ((access_status = ap_run_access_checker(r)) != OK) {
return decl_die(access_status,
"check access (with Satisfy All)", r);
@@ -368,6 +377,14 @@ AP_DECLARE(int) ap_process_request_inter
}
break;
case SATISFY_ANY:
+ if ((access_status = ap_run_token_checker(r)) == OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
+ "request authorized bypassing access_checker by "
+ "token_checker hook and 'Satisfy any': %s",
+ r->uri);
+ break;
+ }
+
if ((access_status = ap_run_access_checker(r)) == OK) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
"request authorized without authentication by "
@@ -2217,6 +2234,18 @@ AP_DECLARE(void) ap_hook_check_access_ex
ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder);
}
+AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
+ const char * const *aszPre,
+ const char * const *aszSucc,
+ int nOrder, int type)
+{
+ if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) {
+ ++auth_internal_per_conf_hooks;
+ }
+
+ ap_hook_token_checker(pf, aszPre, aszSucc, nOrder);
+}
+
AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
const char * const *aszPre,
const char * const *aszSucc,
Re: svn commit: r1909409 - in /httpd/httpd/trunk: CHANGES docs/manual/developer/new_api_2_6.xml include/ap_mmn.h include/http_request.h include/mod_auth.h server/request.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 5/5/23 12:28 PM, Ruediger Pluem wrote:
>
>
> On 4/25/23 7:35 PM, minfrin@apache.org wrote:
>> Author: minfrin
>> Date: Tue Apr 25 17:35:08 2023
>> New Revision: 1909409
>>
>> URL: http://svn.apache.org/viewvc?rev=1909409&view=rev
>> Log:
>> core: Add the token_checker hook, that allows authentication to take
>> place using mechanisms other than username/password, such as bearer
>> tokens.
>>
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml
>> httpd/httpd/trunk/include/ap_mmn.h
>> httpd/httpd/trunk/include/http_request.h
>> httpd/httpd/trunk/include/mod_auth.h
>> httpd/httpd/trunk/server/request.c
>>
>
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_request.h?rev=1909409&r1=1909408&r2=1909409&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/include/http_request.h (original)
>> +++ httpd/httpd/trunk/include/http_request.h Tue Apr 25 17:35:08 2023
>
>> @@ -516,6 +529,24 @@ AP_DECLARE(void) ap_hook_check_access_ex
>> const char * const *aszSucc,
>> int nOrder, int type);
>>
>> +/**
>> + * Register a hook function that will analyze the request headers, extract
>> + * any tokens, and apply and metadata contained in the tokens or keyed against
>> + * the tokens to the request record.
>> + * @param pf A token_checker hook function
>> + * @param aszPre A NULL-terminated array of strings that name modules whose
>> + * hooks should precede this one
>> + * @param aszSucc A NULL-terminated array of strings that name modules whose
>> + * hooks should succeed this one
>> + * @param nOrder An integer determining order before honouring aszPre and
>> + * aszSucc (for example, HOOK_MIDDLE)
>> + * @param type Internal request processing mode, either
>> + * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
>> + */> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
>
> Isn't the above a copy and past error and should be ap_HOOK_token_checker_t instead?
>
>> + const char * const *aszPre,
>> + const char * const *aszSucc,
>> + int nOrder, int type);
>>
>> /**
>> * Register a hook function that will analyze the request headers,
>>
>
>> Modified: httpd/httpd/trunk/server/request.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1909409&r1=1909408&r2=1909409&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/server/request.c (original)
>> +++ httpd/httpd/trunk/server/request.c Tue Apr 25 17:35:08 2023
>
>> @@ -2217,6 +2234,18 @@ AP_DECLARE(void) ap_hook_check_access_ex
>> ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder);
>> }
>>
>> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
>
> Isn't the above a copy and past error and should be ap_HOOK_token_checker_t instead?
>
>
>> + const char * const *aszPre,
>> + const char * const *aszSucc,
>> + int nOrder, int type)
>> +{
>> + if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) {
>> + ++auth_internal_per_conf_hooks;
>> + }
>> +
>> + ap_hook_token_checker(pf, aszPre, aszSucc, nOrder);
>> +}
>> +
>> AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
>> const char * const *aszPre,
>> const char * const *aszSucc,
>>
>>
>>
Fixed in r1910324.
Regards
RĂ¼diger
Re: svn commit: r1909409 - in /httpd/httpd/trunk: CHANGES docs/manual/developer/new_api_2_6.xml include/ap_mmn.h include/http_request.h include/mod_auth.h server/request.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 4/25/23 7:35 PM, minfrin@apache.org wrote:
> Author: minfrin
> Date: Tue Apr 25 17:35:08 2023
> New Revision: 1909409
>
> URL: http://svn.apache.org/viewvc?rev=1909409&view=rev
> Log:
> core: Add the token_checker hook, that allows authentication to take
> place using mechanisms other than username/password, such as bearer
> tokens.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml
> httpd/httpd/trunk/include/ap_mmn.h
> httpd/httpd/trunk/include/http_request.h
> httpd/httpd/trunk/include/mod_auth.h
> httpd/httpd/trunk/server/request.c
>
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_request.h?rev=1909409&r1=1909408&r2=1909409&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/include/http_request.h (original)
> +++ httpd/httpd/trunk/include/http_request.h Tue Apr 25 17:35:08 2023
> @@ -516,6 +529,24 @@ AP_DECLARE(void) ap_hook_check_access_ex
> const char * const *aszSucc,
> int nOrder, int type);
>
> +/**
> + * Register a hook function that will analyze the request headers, extract
> + * any tokens, and apply and metadata contained in the tokens or keyed against
> + * the tokens to the request record.
> + * @param pf A token_checker hook function
> + * @param aszPre A NULL-terminated array of strings that name modules whose
> + * hooks should precede this one
> + * @param aszSucc A NULL-terminated array of strings that name modules whose
> + * hooks should succeed this one
> + * @param nOrder An integer determining order before honouring aszPre and
> + * aszSucc (for example, HOOK_MIDDLE)
> + * @param type Internal request processing mode, either
> + * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
> + */> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
Isn't the above a copy and past error and should be ap_HOOK_token_checker_t instead?
> + const char * const *aszPre,
> + const char * const *aszSucc,
> + int nOrder, int type);
>
> /**
> * Register a hook function that will analyze the request headers,
>
> Modified: httpd/httpd/trunk/server/request.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1909409&r1=1909408&r2=1909409&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/request.c (original)
> +++ httpd/httpd/trunk/server/request.c Tue Apr 25 17:35:08 2023
> @@ -2217,6 +2234,18 @@ AP_DECLARE(void) ap_hook_check_access_ex
> ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder);
> }
>
> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
Isn't the above a copy and past error and should be ap_HOOK_token_checker_t instead?
> + const char * const *aszPre,
> + const char * const *aszSucc,
> + int nOrder, int type)
> +{
> + if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) {
> + ++auth_internal_per_conf_hooks;
> + }
> +
> + ap_hook_token_checker(pf, aszPre, aszSucc, nOrder);
> +}
> +
> AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
> const char * const *aszPre,
> const char * const *aszSucc,
>
>
>
Regards
RĂ¼diger