httpd-dev mailing list archives

From Jose Kahan <jose.ka...@w3.org>
Subject Re: Extending mod_authz_dbd
Date Thu, 23 Apr 2015 19:54:43 GMT
Hi Graham,

Here's a first patch that adds the functionality that you suggested.

>   Require dbd-login %{REQUEST_URI} %{REQUEST_METHOD} %{REMOTE_USER}
>   AuthzDBDQuery "UPDATE authn SET uri = %s, method = %s WHERE user = %s"
>
>   Require dbd-logout %{TIME} %{REMOTE_USER}
>   AuthzDBDQuery "UPDATE authn SET logout_time = %s WHERE user = %s"
>
> To be backwards compatible, "Require dbd-login" on its own would imply "Require
> dbd-login %{REMOTE_USER}".
>
> One possible approach to support completely generic queries might be as follows:
>
>   Require dbd-query %{REQUEST_URI} %{REMOTE_USER}
>   AuthzDBDQuery "SELECT count(user) FROM authn WHERE uri=%s AND user = %s"

Although I developed and tested this against the 2.4.10 source
tree (the latest debian jessie version), I checked and this 
module as well as mod_dbd.c have not changed since then neither 
in the latest 2.4.x nor in trunk. I don't think there will be 
an issue running it there.  Installing that environment over the 
default debian one could be a hassle for me that I'd prefer
to avoid, but that I could do if needed.

Here below are some development notes.

Please keep me updated if I can contribute something else to this
patch, be it documentation or further changes. I understand
there's no engagement to accept this code from you. We can chat
on irc too if needed.

Cheers,

-jose

Open issues:

- I wanted to control that the number of bind arguments corresponds to
  those in the prepared request. However this value is not visible in
  apr_dbd_prepared_t *query.  Looking at the code in apr_dbd.c, I see
  that even though the number of bind arguments is being passed to
  apr_dbd_pselect() and apr_dbd_pquery() in nargs, this argument is
  discarded before calling the implementation of those functions in
  the driver.

  At least in the mysql driver, there is no further check that there
  is an equivalence between the bind and prepared statement
  arguments. In both cases there is just a call to

        mysql_stmt_bind_param(statement->stmt, bind);

  which expects bind to have the correct number of arguments. I
  checked the sqlite3 driver and it has the same issue.

  If bind has more arguments, there is no issue. If there are fewer, we
  risk a SIGSEGV or unexpected behavior.

  To avoid this issue, I wanted to control the number of arguments
  when parsing the configuration file and show a configuration error
  when necessary. However, as the prepared query goes into opaque
  driver implementations, I don't have access to its nargs value. Are
  there any ideas on how to get this info?  The only hack I could
  think of is counting the number of % inside the prepared query and
  making sure that we have the corresponding number of bind arguments.

- Would it be worth it to connect this module to mod_socache.c?

Other questions:

- In function dbd_parse_config, I was unable to decide whether it
  would be ok to use cmd->temp_pool instead of cmd->pool in my call to
  ap_getword_white()

- I am using ap_expr_parse_cmd() on each argument of the require
  dbd-query, dbd-login, and dbd-logout directives. I think this is
  akin to building an expression tree for each argument. Is there a
  more efficient way to do so?
