You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mi...@apache.org on 2013/12/30 09:54:09 UTC
svn commit: r1554168 - in /httpd/httpd/trunk: CHANGES
docs/log-message-tags/next-number docs/manual/expr.xml
docs/manual/mod/mod_authz_dbd.xml modules/aaa/mod_authz_dbd.c
Author: minfrin
Date: Mon Dec 30 08:54:09 2013
New Revision: 1554168
URL: http://svn.apache.org/r1554168
Log:
mod_authnz_dbd: Support the expression parser within the require directives.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/log-message-tags/next-number
httpd/httpd/trunk/docs/manual/expr.xml
httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml
httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1554168&r1=1554167&r2=1554168&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Dec 30 08:54:09 2013
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_authnz_dbd: Support the expression parser within the require
+ directives. [Graham Leggett]
+
*) mod_authnz_ldap: Support the expression parser within the require
directives. [Graham Leggett]
Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1554168&r1=1554167&r2=1554168&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Mon Dec 30 08:54:09 2013
@@ -1 +1 @@
-2590
+2591
Modified: httpd/httpd/trunk/docs/manual/expr.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/expr.xml?rev=1554168&r1=1554167&r2=1554168&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/expr.xml (original)
+++ httpd/httpd/trunk/docs/manual/expr.xml Mon Dec 30 08:54:09 2013
@@ -56,6 +56,7 @@
<seealso><a href="mod/mod_authnz_ldap.html#reqdn">Require ldap-dn</a></seealso>
<seealso><a href="mod/mod_authnz_ldap.html#reqattribute">Require ldap-attribute</a></seealso>
<seealso><a href="mod/mod_authnz_ldap.html#reqfilter">Require ldap-filter</a></seealso>
+<seealso><a href="mod/mod_authz_dbd.html#reqgroup">Require dbd-group</a></seealso>
<seealso><directive module="mod_ssl">SSLRequire</directive></seealso>
<seealso><directive module="mod_log_debug">LogMessage</directive></seealso>
<seealso><module>mod_include</module></seealso>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml?rev=1554168&r1=1554167&r2=1554168&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml Mon Dec 30 08:54:09 2013
@@ -52,6 +52,55 @@
<seealso><directive module="mod_dbd">DBDriver</directive></seealso>
<seealso><directive module="mod_dbd">DBDParams</directive></seealso>
+<section id="requiredirectives"><title>The Require Directives</title>
+
+ <p>Apache's <directive module="mod_authz_core">Require</directive>
+ directives are used during the authorization phase to ensure that
+ a user is allowed to access a resource. mod_authz_dbd extends the
+ authorization types with <code>dbd-group</code>, <code>dbd-login</code> and
+ <code>dbd-logout</code>.</p>
+
+ <p>Since v2.5.0, <a href="../expr.html">expressions</a> are supported
+ within the DBD require directives.</p>
+
+<section id="reqgroup"><title>Require dbd-group</title>
+
+ <p>This directive specifies group membership that is required for the
+ user to gain access.</p>
+
+ <highlight language="config">
+ Require dbd-group team
+ AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
+ </highlight>
+
+</section>
+
+<section id="reqlogin"><title>Require dbd-login</title>
+
+ <p>This directive specifies a query to be run indicating the user
+ has logged in.</p>
+
+ <highlight language="config">
+ Require dbd-login
+ AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s"
+ </highlight>
+
+</section>
+
+<section id="reqlogout"><title>Require dbd-logout</title>
+
+ <p>This directive specifies a query to be run indicating the user
+ has logged out.</p>
+
+ <highlight language="config">
+ Require dbd-logout
+ AuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s"
+ </highlight>
+
+</section>
+
+</section>
+
<section id="login">
<title>Database Login</title>
<p>
Modified: httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c?rev=1554168&r1=1554167&r2=1554168&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c Mon Dec 30 08:54:09 2013
@@ -253,6 +253,11 @@ static authz_status dbdgroup_check_autho
int i, rv;
const char *w;
apr_array_header_t *groups = NULL;
+
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
+ const char *require;
+
const char *t;
authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
&authz_dbd_module);
@@ -269,7 +274,15 @@ static authz_status dbdgroup_check_autho
}
}
- t = require_args;
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02590)
+ "authz_dbd authorize: require dbd-group: Can't "
+ "evaluate require expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+
+ t = require;
while (t[0]) {
w = ap_getword_white(r->pool, &t);
for (i=0; i < groups->nelts; ++i) {
@@ -310,10 +323,29 @@ static authz_status dbdlogout_check_auth
return (authz_dbd_login(r, cfg, "logout") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
}
+static const char *dbd_parse_config(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line)
+{
+ const char *expr_err = NULL;
+ ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr));
+
+ expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+
+ if (expr_err)
+ return apr_pstrcat(cmd->temp_pool,
+ "Cannot parse expression in require line: ",
+ expr_err, NULL);
+
+ *parsed_require_line = expr;
+
+ return NULL;
+}
+
static const authz_provider authz_dbdgroup_provider =
{
&dbdgroup_check_authorization,
- NULL,
+ dbd_parse_config,
};
static const authz_provider authz_dbdlogin_provider =