Posted to cvs@httpd.apache.org by sf...@apache.org on 2010/09/19 19:55:47 UTC

svn commit: r998706 - in /httpd/httpd/trunk: ./ include/ modules/aaa/

Author: sf
Date: Sun Sep 19 17:55:47 2010
New Revision: 998706

URL: http://svn.apache.org/viewvc?rev=998706&view=rev
Log:
Allow authz providers to check args while reading the config and allow
them to cache parsed args.

Use this to check that argument to 'all' provider is 'granted' or 'denied'.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/include/ap_mmn.h
    httpd/httpd/trunk/include/mod_auth.h
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
    httpd/httpd/trunk/modules/aaa/mod_authz_core.c
    httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
    httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c
    httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c
    httpd/httpd/trunk/modules/aaa/mod_authz_host.c
    httpd/httpd/trunk/modules/aaa/mod_authz_owner.c
    httpd/httpd/trunk/modules/aaa/mod_authz_user.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Sep 19 17:55:47 2010
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.3.9
 
+  *) mod_authz_core: Allow authz providers to check args while reading the
+     config and allow to cache parsed args. [Stefan Fritsch]
+
   *) mod_include: Move the request_rec within mod_include to be
      exposed within include_ctx_t. [Graham Leggett]
 

Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Sun Sep 19 17:55:47 2010
@@ -255,12 +255,15 @@
  *                         interface.
  * 20100918.0 (2.3.9-dev)  Move the request_rec within mod_include to be
  *                         exposed within include_ctx_t.
+ * 20100919.0 (2.3.9-dev)  Authz providers: Add parsed_require_line parameter
+ *                         to check_authorization() function. Add
+ *                         parse_require_line() function.
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
 
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20100918
+#define MODULE_MAGIC_NUMBER_MAJOR 20100919
 #endif
 #define MODULE_MAGIC_NUMBER_MINOR 0                     /* 0...n */
 

Modified: httpd/httpd/trunk/include/mod_auth.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/mod_auth.h?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/include/mod_auth.h (original)
+++ httpd/httpd/trunk/include/mod_auth.h Sun Sep 19 17:55:47 2010
@@ -103,9 +103,23 @@ struct authn_provider_list {
 typedef struct {
     /* Given a request_rec, expected to return AUTHZ_GRANTED
      * if we can authorize user access.
+     * @param r the request record
+     * @param require_line the argument to the authz provider
+     * @param parsed_require_line the value set by parse_require_line(), if any
      */
     authz_status (*check_authorization)(request_rec *r,
-                                        const char *require_line);
+                                        const char *require_line,
+                                        const void *parsed_require_line);
+
+    /** Check the syntax of a require line and optionally cache the parsed
+     * line. This function may be NULL.
+     * @param cmd the config directive
+     * @param require_line the argument to the authz provider
+     * @param parsed_require_line place to store parsed require_line for use by provider
+     * @return Error message or NULL on success
+     */
+    const char *(*parse_require_line)(cmd_parms *cmd, const char *require_line,
+                                      const void **parsed_require_line);
 } authz_provider;
 
 /* ap_authn_cache_store: Optional function for authn providers
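Review bot: The new `parse_require_line` doc comment does not say what `*parsed_require_line` holds on entry or how long the stored value must live, and the `check_authorization` comment does not say that `parsed_require_line` can be NULL. `all_parse_config` in mod_authz_host.c already depends on the slot being NULL on entry, and the cached pointer is handed back on every request, so it has to outlive config parsing (presumably by being allocated from `cmd->pool`; the allocation of the section record is not visible in this diff). I would add to the `parse_require_line` comment `*parsed_require_line is NULL on entry; anything stored there must live as long as the configuration`, and to `check_authorization` `parsed_require_line is NULL if the provider has no parse_require_line() or stored nothing; NULL must never be read as a grant`. The typedef starts above the hunk.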

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Sun Sep 19 17:55:47 2010
@@ -597,7 +597,8 @@ start_over:
 }
 
 static authz_status ldapuser_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                                 const char *require_args,
+                                                 const void *parsed_require_args)
 {
     int result = 0;
     authn_ldap_request_t *req =
@@ -733,7 +734,8 @@ static authz_status ldapuser_check_autho
 }
 
 static authz_status ldapgroup_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                                  const char *require_args,
+                                                  const void *parsed_require_args)
 {
     int result = 0;
     authn_ldap_request_t *req =
@@ -948,7 +950,8 @@ static authz_status ldapgroup_check_auth
 }
 
 static authz_status ldapdn_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                               const char *require_args,
+                                               const void *parsed_require_args)
 {
     int result = 0;
     authn_ldap_request_t *req =
@@ -1056,7 +1059,8 @@ static authz_status ldapdn_check_authori
 }
 
 static authz_status ldapattribute_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                                      const char *require_args,
+                                                      const void *parsed_require_args)
 {
     int result = 0;
     authn_ldap_request_t *req =
@@ -1171,7 +1175,8 @@ static authz_status ldapattribute_check_
 }
 
 static authz_status ldapfilter_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                                   const char *require_args,
+                                                   const void *parsed_require_args)
 {
     int result = 0;
     authn_ldap_request_t *req =
@@ -1730,25 +1735,30 @@ static const authn_provider authn_ldap_p
 static const authz_provider authz_ldapuser_provider =
 {
     &ldapuser_check_authorization,
+    NULL,
 };
 static const authz_provider authz_ldapgroup_provider =
 {
     &ldapgroup_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_ldapdn_provider =
 {
     &ldapdn_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_ldapattribute_provider =
 {
     &ldapattribute_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_ldapfilter_provider =
 {
     &ldapfilter_check_authorization,
+    NULL,
 };
 
 static void ImportULDAPOptFn(void)

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Sun Sep 19 17:55:47 2010
@@ -50,6 +50,7 @@ typedef struct provider_alias_rec {
     char *provider_name;
     char *provider_alias;
     char *provider_args;
+    const void *provider_parsed_args;
     ap_conf_vector_t *sec_auth;
     const authz_provider *provider;
 } provider_alias_rec;
@@ -65,6 +66,7 @@ typedef struct authz_section_conf authz_
 struct authz_section_conf {
     const char *provider_name;
     const char *provider_args;
+    const void *provider_parsed_args;
     const authz_provider *provider;
     apr_int64_t limited;
     authz_logic_op op;
@@ -159,7 +161,8 @@ static void *create_authz_core_svr_confi
  * configurations and then invokes them.
  */
 static authz_status authz_alias_check_authorization(request_rec *r,
-                                                    const char *require_args)
+                                                    const char *require_args,
+                                                    const void *parsed_require_args)
 {
     const char *provider_name;
     authz_status ret = AUTHZ_DENIED;
@@ -192,7 +195,8 @@ static authz_status authz_alias_check_au
                                          prvdraliasrec->sec_auth);
 
             ret = prvdraliasrec->provider->
-                check_authorization(r, prvdraliasrec->provider_args);
+                check_authorization(r, prvdraliasrec->provider_args,
+                                    prvdraliasrec->provider_parsed_args);
 
             r->per_dir_config = orig_dir_config;
         }
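Review bot: Nothing in this commit fills `prvdraliasrec->provider_parsed_args`, which this call now passes to the aliased provider; the only `parse_require_line()` call the commit adds is in `add_authz_provider`. If `authz_require_alias_section` (unchanged, and outside this diff) does not run the parser as well, an alias of a provider that has one always receives NULL, so an alias defined with `all granted` would be denied at request time and its argument would never be syntax-checked. That happens to fail closed for `all`, but a provider whose NULL case is permissive would fail open through the alias path. The alias section should run the same step where it records `provider_args`: test `provider->parse_require_line`, call it with `cmd`, the alias arguments and `&...->provider_parsed_args`, and return the error string if one comes back. The function body continues past both ends of this hunk.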
@@ -203,7 +207,8 @@ static authz_status authz_alias_check_au
 
 static const authz_provider authz_alias_provider =
 {
-    &authz_alias_check_authorization
+    &authz_alias_check_authorization,
+    NULL,
 };
 
 static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
@@ -370,6 +375,13 @@ static const char *add_authz_provider(cm
 
     section->limited = cmd->limited;
 
+    if (section->provider->parse_require_line) {
+        const char *err = section->provider->parse_require_line(cmd, args,
+                                                                &section->provider_parsed_args);
+        if (err)
+            return err;
+    }
+
     if (!conf->section) {
         conf->section = create_default_section(cmd->pool);
     }
@@ -670,7 +682,8 @@ static authz_status apply_authz_sections
                        section->provider_name);
 
         auth_result =
-            section->provider->check_authorization(r, section->provider_args);
+            section->provider->check_authorization(r, section->provider_args,
+                                                   section->provider_parsed_args);
 
         apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
     }

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c Sun Sep 19 17:55:47 2010
@@ -244,7 +244,8 @@ static int authz_dbd_group_query(request
 }
 
 static authz_status dbdgroup_check_authorization(request_rec *r,
-                                              const char *require_args)
+                                                 const char *require_args,
+                                                 const void *parsed_require_args)
 {
     int i, rv;
     const char *w;
@@ -279,7 +280,8 @@ static authz_status dbdgroup_check_autho
 }
 
 static authz_status dbdlogin_check_authorization(request_rec *r,
-                                              const char *require_args)
+                                                 const char *require_args,
+                                                 const void *parsed_require_args)
 {
     authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
                                               &authz_dbd_module);
@@ -292,7 +294,8 @@ static authz_status dbdlogin_check_autho
 }
 
 static authz_status dbdlogout_check_authorization(request_rec *r,
-                                              const char *require_args)
+                                                  const char *require_args,
+                                                  const void *parsed_require_args)
 {
     authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
                                               &authz_dbd_module);
@@ -307,17 +310,20 @@ static authz_status dbdlogout_check_auth
 static const authz_provider authz_dbdgroup_provider =
 {
     &dbdgroup_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_dbdlogin_provider =
 {
     &dbdlogin_check_authorization,
+    NULL,
 };
 
 
 static const authz_provider authz_dbdlogout_provider =
 {
     &dbdlogout_check_authorization,
+    NULL,
 };
 
 static void authz_dbd_hooks(apr_pool_t *p)

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c Sun Sep 19 17:55:47 2010
@@ -131,7 +131,8 @@ static apr_status_t get_dbm_grp(request_
 }
 
 static authz_status dbmgroup_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                                 const char *require_args,
+                                                 const void *parsed_require_args)
 {
     authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                       &authz_dbm_module);
@@ -201,7 +202,8 @@ static authz_status dbmgroup_check_autho
 APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
 
 static authz_status dbmfilegroup_check_authorization(request_rec *r,
-                                              const char *require_args)
+                                                     const char *require_args,
+                                                     const void *parsed_require_args)
 {
     authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                       &authz_dbm_module);
@@ -268,11 +270,13 @@ static authz_status dbmfilegroup_check_a
 static const authz_provider authz_dbmgroup_provider =
 {
     &dbmgroup_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_dbmfilegroup_provider =
 {
     &dbmfilegroup_check_authorization,
+    NULL,
 };
 
 

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c Sun Sep 19 17:55:47 2010
@@ -138,7 +138,8 @@ static apr_status_t groups_for_user(apr_
 }
 
 static authz_status group_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                              const char *require_args,
+                                              const void *parsed_require_args)
 {
     authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
             &authz_groupfile_module);
@@ -197,7 +198,8 @@ static authz_status group_check_authoriz
 APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
 
 static authz_status filegroup_check_authorization(request_rec *r,
-                                              const char *require_args)
+                                                  const char *require_args,
+                                                  const void *parsed_require_args)
 {
     authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
             &authz_groupfile_module);
@@ -263,11 +265,13 @@ static authz_status filegroup_check_auth
 static const authz_provider authz_group_provider =
 {
     &group_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_filegroup_provider =
 {
     &filegroup_check_authorization,
+    NULL,
 };
 
 static void register_hooks(apr_pool_t *p)

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_host.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_host.c?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_host.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_host.c Sun Sep 19 17:55:47 2010
@@ -90,7 +90,9 @@ static int in_domain(const char *domain,
     }
 }
 
-static authz_status env_check_authorization(request_rec *r, const char *require_line)
+static authz_status env_check_authorization(request_rec *r,
+                                            const char *require_line,
+                                            const void *parsed_require_line)
 {
     const char *t, *w;
 
@@ -112,7 +114,9 @@ static authz_status env_check_authorizat
     return AUTHZ_DENIED;
 }
 
-static authz_status ip_check_authorization(request_rec *r, const char *require_line)
+static authz_status ip_check_authorization(request_rec *r,
+                                           const char *require_line,
+                                           const void *parsed_require_line)
 {
     const char *t, *w;
 
@@ -170,7 +174,9 @@ static authz_status ip_check_authorizati
     return AUTHZ_DENIED;
 }
 
-static authz_status host_check_authorization(request_rec *r, const char *require_line)
+static authz_status host_check_authorization(request_rec *r,
+                                             const char *require_line,
+                                             const void *parsed_require_line)
 {
     const char *t, *w;
     const char *remotehost = NULL;
@@ -206,37 +212,60 @@ static authz_status host_check_authoriza
     return AUTHZ_DENIED;
 }
 
-static authz_status all_check_authorization(request_rec *r, const char *require_line)
+static authz_status all_check_authorization(request_rec *r,
+                                            const char *require_line,
+                                            const void *parsed_require_line)
 {
-    /* If the argument to the 'all' provider is 'granted' then just let 
-        everybody in. This would be equivalent to the previous syntax of
-        'allow from all'. If the argument is anything else, this would
-        be equivalent to 'deny from all' Of course the opposite would be 
-        true if the 'all' provider is invoked by the 'reject' directive */
-    if (strcasecmp(require_line, "granted") == 0) {
+    if (parsed_require_line) {
         return AUTHZ_GRANTED;
     }
     return AUTHZ_DENIED;
 }
 
+static const char *all_parse_config(cmd_parms *cmd, const char *require_line,
+                                    const void **parsed_require_line)
+{
+    /*
+     * If the argument to the 'all' provider is 'granted' then just let 
+     * everybody in. This would be equivalent to the previous syntax of
+     * 'allow from all'. If the argument is 'denied' we reject everbody,
+     * which is equivalent to 'deny from all'.
+     */
+    if (strcasecmp(require_line, "granted") == 0) {
+        *parsed_require_line = (void *)1;
+        return NULL;
+    }
+    else if (strcasecmp(require_line, "denied") == 0) {
+        /* *parsed_require_line is already NULL */
+        return NULL;
+    }
+    else {
+        return "Argument for 'Require all' must be 'granted' or 'denied'";
+    }
+}
+
 static const authz_provider authz_env_provider =
 {
     &env_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_ip_provider =
 {
     &ip_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_host_provider =
 {
     &host_check_authorization,
+    NULL,
 };
 
 static const authz_provider authz_all_provider =
 {
     &all_check_authorization,
+    &all_parse_config,
 };
 
 static void register_hooks(apr_pool_t *p)
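Review bot: `all_check_authorization` now grants on any non-NULL `parsed_require_line` and no longer reads `require_line`, but it has lost its comment, so nothing at the decision point says that NULL covers both 'denied' and 'the parser never ran'. I would add `/* non-NULL only if all_parse_config() saw 'granted'; NULL, including "never parsed", denies */` above the `if`. The marker `(void *)1` is an integer-to-pointer cast with an implementation-defined result; pointing at a file-scope object, `static const char all_granted = 1;` with `*parsed_require_line = &all_granted;`, gives the same non-NULL signal without the cast. The comment in `all_parse_config` also has a typo, 'everbody'.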

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_owner.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_owner.c?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_owner.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_owner.c Sun Sep 19 17:55:47 2010
@@ -39,7 +39,8 @@ static const command_rec authz_owner_cmd
 module AP_MODULE_DECLARE_DATA authz_owner_module;
 
 static authz_status fileowner_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                                  const char *require_args,
+                                                  const void *parsed_require_args)
 {
     char *reason = NULL;
     apr_status_t status = 0;
@@ -165,6 +166,7 @@ static char *authz_owner_get_file_group(
 static const authz_provider authz_fileowner_provider =
 {
     &fileowner_check_authorization,
+    NULL,
 };
 
 static void register_hooks(apr_pool_t *p)

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_user.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_user.c?rev=998706&r1=998705&r2=998706&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_user.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_user.c Sun Sep 19 17:55:47 2010
@@ -46,7 +46,8 @@ static const command_rec authz_user_cmds
 module AP_MODULE_DECLARE_DATA authz_user_module;
 
 static authz_status user_check_authorization(request_rec *r,
-                                             const char *require_args)
+                                             const char *require_args,
+                                             const void *parsed_require_args)
 {
     const char *t, *w;
 
@@ -69,7 +70,9 @@ static authz_status user_check_authoriza
     return AUTHZ_DENIED;
 }
 
-static authz_status validuser_check_authorization(request_rec *r, const char *require_line)
+static authz_status validuser_check_authorization(request_rec *r,
+                                                  const char *require_line,
+                                                  const void *parsed_require_line)
 {
     if (!r->user) {
         return AUTHZ_DENIED_NO_USER;
@@ -81,10 +84,12 @@ static authz_status validuser_check_auth
 static const authz_provider authz_user_provider =
 {
     &user_check_authorization,
+    NULL,
 };
 static const authz_provider authz_validuser_provider =
 {
     &validuser_check_authorization,
+    NULL,
 };
 
 static void register_hooks(apr_pool_t *p)