Package: mod-authz-securepass / 0~20140715+0git93f271f5-3

9001-ap_requires.patch Patch series | download
From 5de1382b159cc8e6648ace7cab52dd02c04ae3e7 Mon Sep 17 00:00:00 2001
From: gplll <gplll1818@gmail.com>
Date: Sun, 28 Dec 2014 07:33:23 +0100
Subject: [PATCH] Added support for Apache 2.4 through introduction of authz
 providers for sprealm and spgroups - see ap_register_auth_provider()

---
 INSTALL                |   11 +--
 Makefile               |    2 
 README.md              |    2 
 mod_authz_securepass.c |  136 +++++++++++++++++++++++++++++++++++++++++++++++--
 4 files changed, 138 insertions(+), 13 deletions(-)

--- mod-authz-securepass.orig/INSTALL
+++ mod-authz-securepass/INSTALL
@@ -18,21 +18,16 @@ For RedHat distro install apxs with
 
 3)
 Download the source from git from the stable branch:
-	git clone https://github.com/gplll/mod_authz_securepass.git -b master
+	git clone https://github.com/garlsecurity/mod_authz_securepass.git -b master
 	cd mod_authz_securepass
 
 4)
 Compile the module and install it:
 
-debian distro:
-	make install_debian
-	a2enmod securepass
-
-redhat distro:
-	make install_redhat
+make install
 
 5)
-configure mod_auth_securepass using the following directives:
+configure mod_authz_securepass using the following directives:
 
 Valid Server/VirtualHost Directives
 -----------------------------------
--- mod-authz-securepass.orig/README.md
+++ mod-authz-securepass/README.md
@@ -1,7 +1,7 @@
 Apache authorization module for SecurePass
 ==========================================
 
-This is an Apache (2.2) module for authorizing SecurePass users.
+This is an Apache (2.2 and 2.4) module for authorizing SecurePass users.
 SecurePass provides web single sign-on through the CAS protocol.
 
 This module enhances the Apache authorization features by introducing two rules to restrict access 
--- mod-authz-securepass.orig/mod_authz_securepass.c
+++ mod-authz-securepass/mod_authz_securepass.c
@@ -569,9 +569,9 @@ static void *create_authz_securepass_ser
 
 static void *merge_authz_securepass_server_config (apr_pool_t *pool, void *BASE, void *ADD)
 {
-    sp_cfg *c = apr_pcalloc(pool, sizeof(sp_cfg));
-    sp_cfg *base = BASE;
-    sp_cfg *add = ADD;
+	sp_cfg *c = apr_pcalloc(pool, sizeof(sp_cfg));
+	sp_cfg *base = BASE;
+	sp_cfg *add = ADD;
 
 	c->check_group =(add->check_group != TRUE ? add->check_group : base->check_group);
 	c->debug =(add->debug != FALSE ? add->debug : base->debug);
@@ -761,6 +761,109 @@ static const command_rec authz_securepas
 	{ NULL }
 };
 
+#if APACHE_2_4
+static const char *sp_parse_config(cmd_parms *cmd, const char *require_line,
+									 const void **parsed_require_line) {
+	const char *expr_err = NULL;
+	ap_expr_info_t *expr;
+
+	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+			"SecurePass: entering sp_parse_config(), require_line=%s", require_line);
+	expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, &expr_err, NULL);
+	if (expr_err)
+		return (apr_pstrcat(cmd->temp_pool, "Cannot parse expression in require line: ", expr_err, NULL));
+	*parsed_require_line = expr;
+	return NULL;
+}
+
+static authz_status sprealm_check_authorization(request_rec *r,
+												 const char *require_args,
+												 const void *parsed_require_args) {
+
+	authz_securepass_dir_config_rec *dir= (authz_securepass_dir_config_rec *)
+				ap_get_module_config(r->per_dir_config, &authz_securepass_module);
+	sp_cfg *c = (sp_cfg *) ap_get_module_config(r->server->module_config, &authz_securepass_module);
+
+	const char *err = NULL;
+	const ap_expr_info_t *expr = parsed_require_args;
+	const char *require;
+
+#if MYDEBUG
+	/* this is only used during module development to simulate CAS user */
+	if (dir->forced_user) {
+		r->user = apr_pcalloc(r->pool, 100);
+		strcpy (r->user, dir->forced_user);
+	}
+#endif
+
+	if (c->debug) {
+		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SecurePass checking user %s, required_sprealms=%s",
+				r->user, require_args);
+		dump_config (r, dir, c);
+	}
+	if (!r->user) {
+		return AUTHZ_DENIED_NO_USER;
+	}
+	require = ap_expr_str_exec(r, expr, &err);
+	if (err) {
+		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "SecurePass: Can't evaluate expression: %s", err);
+		return AUTHZ_DENIED;
+	}
+	if (c->debug) {
+		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SecurePass: require=%s", require);
+	}
+	if (check_securepass_realm (r, require)) {
+		/* a Realm has been found */
+		return AUTHZ_GRANTED;
+	} else {
+		return AUTHZ_DENIED;
+	}
+}
+
+static authz_status spgroup_check_authorization(request_rec *r,
+												 const char *require_args,
+												 const void *parsed_require_args) {
+
+	authz_securepass_dir_config_rec *dir= (authz_securepass_dir_config_rec *)
+				ap_get_module_config(r->per_dir_config, &authz_securepass_module);
+	sp_cfg *c = (sp_cfg *) ap_get_module_config(r->server->module_config, &authz_securepass_module);
+
+	const char *err = NULL;
+	const ap_expr_info_t *expr = parsed_require_args;
+	const char *require;
+
+#if MYDEBUG
+	/* this is only used during module development to simulate CAS user */
+	if (dir->forced_user) {
+		r->user = apr_pcalloc(r->pool, 100);
+		strcpy (r->user, dir->forced_user);
+	}
+#endif
+
+	if (c->debug) {
+		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SecurePass checking user %s, required_spgroups=%s",
+				r->user, require_args);
+	}
+	if (!r->user) {
+		return AUTHZ_DENIED_NO_USER;
+	}
+	require = ap_expr_str_exec(r, expr, &err);
+	if (err) {
+		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "SecurePass: Can't evaluate expression: %s", err);
+		return AUTHZ_DENIED;
+	}
+	if (c->debug) {
+		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SecurePass: require=%s", require);
+	}
+	if (check_sp_group (r, require)) {
+		return AUTHZ_GRANTED;
+	} else {
+		return AUTHZ_DENIED;
+	}
+
+}
+
+#else /* APACHE_2_4 */
 
 static int authz_securepass_check_user_access(request_rec *r) 
 {
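Review bot: The `#if MYDEBUG` block in sprealm_check_authorization copies `dir->forced_user` into a fixed 100-byte pool buffer with `strcpy`, so a configured value of 100 bytes or more writes past the allocation; `r->user = apr_pstrdup(r->pool, dir->forced_user);` sizes the copy to the string. The same two lines are repeated in spgroup_check_authorization. Because this block replaces the authenticated identity inside the authorization decision, an `#error` guard or a startup log line would keep a build with MYDEBUG set from reaching production unnoticed. The hunk's trailing context opens authz_securepass_check_user_access, whose body lies outside the hunk.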
@@ -846,6 +949,7 @@ static int authz_securepass_check_user_a
 	ap_note_basic_auth_failure(r);
 	return HTTP_UNAUTHORIZED;
 }
+#endif
 
 static int authz_sp_post_config(apr_pool_t *pool, apr_pool_t *p1, apr_pool_t *p2, server_rec *s)
 {
@@ -884,11 +988,37 @@ static int authz_sp_post_config(apr_pool
 	return status;
 }
 
+#if APACHE_2_4
+static const authz_provider authz_sprealm_provider =
+{
+	&sprealm_check_authorization,
+	&sp_parse_config,
+};
+
+static const authz_provider authz_spgroup_provider =
+{
+	&spgroup_check_authorization,
+	&sp_parse_config,
+};
+#endif
+
 static void authz_securepass_register_hooks(apr_pool_t *p)
 {
 	ap_hook_post_config(authz_sp_post_config, NULL, NULL, APR_HOOK_LAST);
+#if APACHE_2_4
+	/* Register authz providers */
+	ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "sprealm",
+							AUTHZ_PROVIDER_VERSION,
+							&authz_sprealm_provider,
+							AP_AUTH_INTERNAL_PER_CONF);
+	ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "spgroup",
+							AUTHZ_PROVIDER_VERSION,
+							&authz_spgroup_provider,
+							AP_AUTH_INTERNAL_PER_CONF);
+#else
 	ap_hook_auth_checker(authz_securepass_check_user_access, NULL, NULL,
 		APR_HOOK_MIDDLE);
+#endif
 }
 
 module AP_MODULE_DECLARE_DATA authz_securepass_module = {
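Review bot: The group provider is registered as `"spgroup"` in authz_securepass_register_hooks, while the commit subject speaks of "spgroups" and the debug message in spgroup_check_authorization prints `required_spgroups`. The name passed to ap_register_auth_provider() is the keyword a `Require` line has to use, so the three spellings should agree. A comment above the registrations such as `/* provider names are the Require keywords: "Require sprealm ...", "Require spgroup ..." */` would document that. Whether INSTALL and README.md already use the singular form cannot be seen from this hunk.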
--- mod-authz-securepass.orig/Makefile
+++ mod-authz-securepass/Makefile
@@ -9,7 +9,7 @@ endif
 
 # Note that gcc flags are passed through apxs, so preface with -Wc
 MY_LDFLAGS=-lcurl
-MY_CFLAGS=-Wc,-I. -Wc,-Wall
+MY_CFLAGS=-Wc,-I. -Wc,-Wall -DAPACHE_2_4=1
 SRCS=mod_authz_securepass.c jsmn.c
 HDRS=jsmn.h
 BUILDDIR := build
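Review bot: `-DAPACHE_2_4=1` is now set unconditionally in MY_CFLAGS, so the `#else` branch that keeps the Apache 2.2 auth_checker hook in mod_authz_securepass.c can no longer be selected from this Makefile, although README.md now advertises 2.2 and 2.4. Deriving the switch in the source from the server headers, for example `#if AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER >= 4` (assuming httpd.h is already included there), would pick the authorization path that matches the httpd being compiled against. That also removes the need to keep a build flag and the installed headers in sync by hand.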