From bnicho...@apache.org
Subject svn commit: r368929 - in /httpd/httpd/trunk/modules/aaa: config.m4 mod_auth.h mod_authz_core.c mod_authz_default.c
Date Sat, 14 Jan 2006 00:13:25 GMT
Author: bnicholes
Date: Fri Jan 13 16:13:22 2006
New Revision: 368929

URL: http://svn.apache.org/viewcvs?rev=368929&view=rev
Log:
Restore Order, Deny, Allow, Satisfy for backwards compatibility with authz

Modified:
    httpd/httpd/trunk/modules/aaa/config.m4
    httpd/httpd/trunk/modules/aaa/mod_auth.h
    httpd/httpd/trunk/modules/aaa/mod_authz_core.c
    httpd/httpd/trunk/modules/aaa/mod_authz_default.c

Modified: httpd/httpd/trunk/modules/aaa/config.m4
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/config.m4?rev=368929&r1=368928&r2=368929&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/config.m4 (original)
+++ httpd/httpd/trunk/modules/aaa/config.m4 Fri Jan 13 16:13:22 2006
@@ -48,6 +48,10 @@
 dnl keep the bad guys out.
 APACHE_MODULE(authz_default, authorization control backstopper, , , yes)
 
+dnl - and just in case all of the above punt; a default handler to
+dnl keep the bad guys out.
+APACHE_MODULE(access_compat, mod_access compatibility, , , most)
+
 dnl these are the front-end authentication modules
 
 APACHE_MODULE(auth_basic, basic authentication, , , yes)
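Review bot: The comment above the new APACHE_MODULE(access_compat, ...) line is copied verbatim from the authz_default entry just above it and misdescribes the module: access_compat is not a "default handler to keep the bad guys out", it is the shim that brings back Order/Deny/Allow/Satisfy (the commit log and the module's own "mod_access compatibility" description say so). Replace the two `dnl` lines with `dnl - compatibility shim providing the mod_access directives (Order, Deny, Allow, Satisfy) on top of the authz framework`. Since the module is built at the `most` level rather than `yes`, it can be absent from a build, so the code in mod_authz_core.c and mod_authz_default.c that retrieves `ap_satisfies` from it must tolerate the optional function being missing.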

Modified: httpd/httpd/trunk/modules/aaa/mod_auth.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_auth.h?rev=368929&r1=368928&r2=368929&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_auth.h (original)
+++ httpd/httpd/trunk/modules/aaa/mod_auth.h Fri Jan 13 16:13:22 2006
@@ -42,6 +42,16 @@
 #define AUTHZ_GROUP_NOTE "authz_group_note"
 #define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
 #define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
+#define AUTHZ_ACCESS_PASSED_NOTE "authz_access_passed"
+
+/** all of the requirements must be met */
+#define SATISFY_ALL 0
+/**  any of the requirements must be met */
+#define SATISFY_ANY 1
+/** There are no applicable satisfy lines */
+#define SATISFY_NOSPEC 2
+
+APR_DECLARE_OPTIONAL_FN(int, ap_satisfies, (request_rec *r));
 
 typedef enum {
     AUTH_DENIED,
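Review bot: AUTHZ_ACCESS_PASSED_NOTE and the ap_satisfies optional function are added without any statement of their contract, and both are now decision inputs for the authorization stage in two modules. The readers in this commit test the note's first character against 'Y' and 'N', so the header should say who writes it and what values are legal, e.g. `/** r->notes entry written by the access-control stage (presumably mod_access_compat): "Y" if host/IP access passed, "N" if it failed; consulted by authz providers to honour a deprecated Satisfy Any */`. The optional function needs a similar line: `/** returns SATISFY_ALL/ANY/NOSPEC for r; NULL when the providing module is not loaded, so callers must check before calling */`. Consider an `enum { SATISFY_ALL, SATISFY_ANY, SATISFY_NOSPEC }` instead of three `#define`s, which also makes the return type of ap_satisfies self-describing.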

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_core.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?rev=368929&r1=368928&r2=368929&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Fri Jan 13 16:13:22 2006
@@ -101,6 +101,8 @@
     authz_provider_list *providers;
     authz_request_state req_state;
     int req_state_level;
+//    int some_authz;
+//    char *path;
 } authz_core_dir_conf;
 
 typedef struct authz_core_srv_conf {
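Review bot: The two new struct members `some_authz` and `path` are added as commented-out lines, yet the merge function changed later in this same commit assigns `conf->some_authz` and reads `base->some_authz` / `new->some_authz`, so mod_authz_core.c does not compile as committed. Either restore `int some_authz;` as a live field (with its `-1` initialisation in the create function) or drop the merge line that uses it; leaving half of the feature commented out is the worst of both. Commented-out code should not be checked in at all; if the fields are meant for later, a `/* TODO */` describing the intent is clearer than dead declarations.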
@@ -117,6 +119,7 @@
 
     conf->req_state = AUTHZ_REQSTATE_ONE;
     conf->req_state_level = 0;
+//    conf->some_authz = -1;
     return (void *)conf;
 }
 
@@ -131,7 +134,9 @@
     * (or creating copies for merging) where new-> values exist.
     */
     conf = (authz_core_dir_conf *)apr_palloc(a, sizeof(authz_core_dir_conf));
-    memcpy(conf, base, sizeof(authz_core_dir_conf));
+    memcpy(conf, new, sizeof(authz_core_dir_conf));
+
+    conf->some_authz = base->some_authz == -1 ? 0:base->some_authz == 0 ? 0:new->some_authz;
 
     return (void*)conf;
 }
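Review bot: The new `some_authz` ternary yields 0 whenever `base->some_authz` is -1 (unset) or 0, so a child scope with its own Require under a parent that has none would be reported as having no authz, which reads inverted; I suspect `base->some_authz == -1 ? new->some_authz : ...` was intended, and the line is easier to audit written as an explicit `if` with a comment stating the inheritance rule. Switching the `memcpy` from `base` to `new` also changes which side wins for every other field (`providers`, `req_state`, `req_state_level`): the child now replaces the parent wholesale rather than inheriting it, which decides whether an enclosing Require list still applies in a sub-location. If that is the intended semantics, say so where the copy happens, e.g. `/* per-directory config fully replaces the parent's; only some_authz is merged */`, and update the stale "where new-> values exist" comment above it. Note that `some_authz` is not a live member of the struct in this commit, so this hunk cannot compile until that is resolved.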
@@ -155,6 +160,9 @@
     authz_provider_list *newp;
     const char *t, *w;
 
+//    conf->some_authz = 1;
+//    conf->path = apr_pstrdup(cmd->pool, cmd->path);
+
     newp = apr_pcalloc(cmd->pool, sizeof(authz_provider_list));
 
     t = arg;
@@ -583,12 +591,17 @@
     return auth_result;
 }
 
+APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
+
 static int authorize_user(request_rec *r)
 {
     authz_core_dir_conf *conf = ap_get_module_config(r->per_dir_config,
             &authz_core_module);
     authz_status auth_result;
     authz_provider_list *current_provider;
+    const char *note = apr_table_get(r->notes, AUTHZ_ACCESS_PASSED_NOTE);
+
+    ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
 
     /* If we're not really configured for providers, stop now. */
     if (!conf->providers) {
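Review bot: `ap_satisfies` is defined here as a non-static file-scope variable, and mod_authz_default.c in this same commit defines a global of the same name; when both modules are linked statically into httpd that is two definitions of one external symbol, so declare it `static APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;` in each file. The pointer is also re-fetched with APR_RETRIEVE_OPTIONAL_FN on every request at the top of authorize_user and is never checked for NULL, even though the providing module is built only at the `most` level and may not be loaded; retrieve it once (an optional-fn-retrieve or post_config hook is the usual place) and guard the call sites with `ap_satisfies &&`. As written the later use is protected only by the short-circuit on `note`, which holds only as long as nothing else ever sets that note. authorize_user's body continues outside this hunk.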
@@ -606,10 +619,21 @@
 
         switch (auth_result) {
             case AUTHZ_DENIED:
-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                              "user %s: authorization failure for \"%s\": ",
-                              r->user, r->uri);
-                return_code = HTTP_UNAUTHORIZED;
+                /* XXX If the deprecated Satisfy directive is set to Any and 
+                   authorization as denied, then check to see what
+                   the access control stage said.  Just the if statement
+                   should be removed in 3.0 when the Satisfy directive
+                   goes away. */
+//                if (!note || ((note[0] == 'N') && (ap_satisfies(r) != SATISFY_ANY)))
{
+                if (!note || (ap_satisfies(r) != SATISFY_ANY) || (note[0] == 'N')) {
+                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                  "user %s: authorization failure for \"%s\": ",
+                                  r->user, r->uri);
+                    return_code = HTTP_UNAUTHORIZED;
+                }
+                else {
+                    return_code = DECLINED;
+                }
                 break;
             case AUTHZ_GENERAL_ERROR:
             default:
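Review bot: The new condition treats any note value other than 'N' as "access passed", whereas the matching check added to mod_authz_default.c in this commit only honours an explicit 'Y'; an unexpected or empty note value therefore turns an AUTHZ_DENIED into DECLINED here, so the authorization failure becomes silent and the decision is handed off. Make the core check the positive one, `if (!note || note[0] != 'Y' || ap_satisfies(r) != SATISFY_ANY) {`, so both modules agree and anything unrecognised fails closed. The commented-out earlier version of the `if` should be deleted rather than left above the live one, and the XXX comment has a typo ("authorization as denied" should read "authorization was denied"). The `else` branch would also benefit from a comment saying that DECLINED is relied upon to let a later auth_checker (presumably mod_authz_default) grant the request, since returning DECLINED from an authz hook is otherwise easy to misread as a denial. The enclosing switch and authorize_user continue outside this hunk.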

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_default.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_default.c?rev=368929&r1=368928&r2=368929&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_default.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_default.c Fri Jan 13 16:13:22 2006
@@ -25,6 +25,9 @@
 #include "http_protocol.h"
 #include "http_request.h"
 
+#include "mod_auth.h"
+
+
 typedef struct {
     int authoritative;
 } authz_default_config_rec;
@@ -49,10 +52,22 @@
 
 module AP_MODULE_DECLARE_DATA authz_default_module;
 
+APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
+
 static int check_user_access(request_rec *r)
 {
     authz_default_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                  &authz_default_module);
+    const char *note = apr_table_get(r->notes, AUTHZ_ACCESS_PASSED_NOTE);
+
+    ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
+
+    /* If we got here and there isn't any authz required and there is no
+       note from the access checker that it failed, assume access is OK */
+    if (!ap_some_auth_required(r) || 
+        (note && (note[0] == 'Y') && (ap_satisfies(r) == SATISFY_ANY))) {
+        return OK;
+    }
 
     if (!(conf->authoritative)) {
         return DECLINED;
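Review bot: The new early `return OK` fires whenever `ap_some_auth_required(r)` is false, which makes the "backstopper" module grant unconditionally in any location with no Require directives; if the auth_checker hook can run for such locations in this tree, that is a behaviour change for the module whose stated job is to keep unauthorised requests out, so confirm the hook is still gated by ap_some_auth_required upstream and say so in the comment above the `if`. The second clause calls `ap_satisfies(r)` without a NULL check on a pointer that is fetched per request from an optional module built only at the `most` level; `(note && (note[0] == 'Y') && ap_satisfies && (ap_satisfies(r) == SATISFY_ANY))` costs nothing and survives a build without mod_access_compat. `ap_satisfies` should also be `static`, since mod_authz_core.c in this commit defines a non-static global of the same name. check_user_access continues outside this hunk.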


