httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <BNICHO...@novell.com>
Subject Comments on Authz_Provider implementation (was: Re: svn commit: r351547 - in /httpd/h)
Date Fri, 02 Dec 2005 16:39:46 GMT
   As I mentioned in my last commit, it still needs some clean up. 
Please, Please feel free to jump in and clean it up wherever you see the
need.  I don't have all of the answers to why things were done the way
they were before and if we still need to do it that way now or is there
a better way.  In this branch I have been trying to maintain backward
API compatibility as much as it makes sense.  But there are questions I
have about the need of some APIs such as ap_requires() and
ap_some_auth_required(), etc.  These are points that I need feedback on
and if we can eliminate them, like as was discussed with AuthType, then
lets do it.

>>> On 12/1/2005 at 10:53:07 pm, in message
<20051202055307.GM28636@scotch.ics.uci.edu>, justin@erenkrantz.com
wrote:
>
=============================================================================
> =
>> --- httpd/httpd/branches/authz-dev/include/http_core.h (original)
>> +++ httpd/httpd/branches/authz-dev/include/http_core.h Thu Dec  1
17:19:07 
> 2005
>> @@ -687,6 +687,7 @@
>>  
>>  APR_DECLARE_OPTIONAL_FN(const apr_array_header_t *,
authz_host_ap_requires,
>>                          (request_rec *r));
>> +APR_DECLARE_OPTIONAL_FN(int, authz_some_auth_required, (request_rec
*r));
> 
> I'm not quite clear on why we need to have an optional function here.
 (I'm
> probably missing something obvious here.)

The optional functions are here because the data moved but core still
needs it in order to process the request.  If we can eliminate the need
for core to require this information, then lets do it and get rid of the
optional functions.  The authz_host_ap_requires() optional function
(used in the ap_requires() API) can probably be removed in the clean up
since the "Require" line is no longer handled like it was before.  In
other words, there isn't a need to keep or retrieve an array of
"Require" lines that must be parsed at request time.  The only purpose
for the ap_require() function was to get the array of "Require" lines
for a particular dir_config.

>
=============================================================================
> =
>> --- httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_host.c
(original)
>> +++ httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_host.c Thu
Dec  1 
> 17:19:07 2005
> 
> I know you probably don't want to hear this, but this module has
nothing to
> do with hosts any more.  Want to reconsider a mod_authz_require or
> something like that?  ;-)
> 
> But, there's no way we should have the authz provider lookup code
stuck
> inside of mod_authz_host. 
> 

  I'm not opposed to creating a new mod_authz_require module if it is
necessary.  My only concern is auth_module overload.  It just seems
wrong to have to load 5-6 different authx_modules just to get simple
authentication working.  I chose to move the "Require" directive into
mod_authz_host simply thinking that "host" would refer to non-authz
specific module functionality (ie. a catch-all for global authz
functionality).  But I can be easily convinced to put "Require" along
with "AuthName" somewhere else if needed.  I need opinions and feedback
on this issue please.


>> @@ -520,6 +520,46 @@
>>      return conf->ap_requires;
>>  }
>>  
>> +static int authz_some_auth_required(request_rec *r)
>> +{
>> +    authz_host_dir_conf *conf =
ap_get_module_config(r->per_dir_config,
>> +            &authz_host_module);
>> +    authz_provider_list *current_provider;
>> +    int req_authz = 1;
> 
> Shouldn't this be defaulting to 0?  If there aren't any providers
active or
> interested, why return 1?
> 

True, it should default to 0.  

>> +    current_provider = conf->providers;
>> +    do {
>> +        const authz_provider *provider;
>> +
>> +        /* For now, if a provider isn't set, we'll be nice and use
the file
>> +        * provider.
>> +        */
>> +        if (!current_provider) {
>> +            provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP,
>> +                                          AUTHZ_DEFAULT_PROVIDER,
"0");
>> +
>> +            if (!provider || !provider->check_authorization) {
>> +                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>> +                              "No Authz providers configured. 
Assmuming no 
> authorization required.");
>> +                req_authz = 0;
>> +                break;
>> +            }
> 
> Considering we already do a check at config/registration time, do we
really
> need to repeat this check at request-time?

This is another area that needs some clean up.  This is kind of a cut
and paste left-over from the authnprovider stuff.  If a "Require" line
does not exist, in other words no authz provider was requested, should
we attempt to default to something like 'valid-user' in the same way
that the authn stuff defaults to 'file'?  As it stands now, attempting
to default would never happen because of the call to
ap_some_auth_required() during the request processing that skips authz
checking if there isn't a "Require" line present.


> 
>> +        }
>> +        else {
>> +            provider = current_provider->provider;
>> +        }
>> +
>> +        if (current_provider->method_mask & (AP_METHOD_BIT <<
r->method_number)) {
>> +            req_authz = 1;
>> +            break;
>> +        }
>> +    
>> +        current_provider = current_provider->next;
>> +    } while (current_provider);
> 
> The current version of the branch has a bunch of dead-code on it for
this
> loop.  We should strip it to the bare minimum:

Not sure what dead code you are referring to, but by all means, strip
it out if it isn't needed.


> 
> ...
> req_authz = 0;
> provider = conf->providers;
> while (provider) {
>   if (provider->method_mask & (AP_METHOD_BIT << r->method_number)) {
>     req_authz = 1;
>     break;
>   }
>   provider = provider->next;
> }
> 
> return req_authz;
> ...
> 
> Yet, something unsettles me about having to do this check at all. 
However,
> my thoughts haven't yet coalesced and I'm falling asleep at the
keyboard.
> I'll try to collect my thoughts on this and follow up later.  --
justin

The 'method_mask' check is there so that if the "Require" line is
enclosed in a <Limit> block, we only apply authorization for the
appropriate methods.  We may be able to consolidate this to the
auth_checker hook function before the providers are called and then
eliminate this check in the authz providers.

Like I mentioned before, Please, Please jump in and help out here.  I
haven't got all of the answers, I just want to see this functionality
implemented and hopefully improve the authn/authz handling.

Brad

Mime
View raw message