| author | Arno Töll <arno@debian.org> | 2012-10-20 02:58:14 +0200 |
|---|---|---|
| committer | Arno Töll <arno@debian.org> | 2012-10-20 02:58:14 +0200 |
| commit | 5c4fba3ffbe778bdffe10a93d04821579601a020 (patch) | |
| tree | 91be9a7f99d3988ba48b0a619479aa46a3234191 /modules/aaa | |
| parent | 8f9c15530d0bc387af114619b3ff3f930eb23d3c (diff) | |
| download | apache2-upstream/2.4.3.tar.gz | |
Imported Upstream version 2.4.3upstream/2.4.3
Diffstat (limited to 'modules/aaa')
| -rw-r--r-- | modules/aaa/mod_auth_digest.c | 13 | ||||
| -rw-r--r-- | modules/aaa/mod_authn_dbd.c | 17 | ||||
| -rw-r--r-- | modules/aaa/mod_authnz_ldap.c | 111 | ||||
| -rw-r--r-- | modules/aaa/mod_authz_core.c | 105 | ||||
| -rw-r--r-- | modules/aaa/mod_authz_dbd.c | 4 |
5 files changed, 151 insertions, 99 deletions
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index 460619b0..65183160 100644
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -267,26 +267,17 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx)
 {
     unsigned long idx;
     apr_status_t sts;
-    const char *tempdir;
 
     /* set up client list */
 
-    sts = apr_temp_dir_get(&tempdir, ctx);
-    if (APR_SUCCESS != sts) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, sts, s, APLOGNO(01761)
-                     "Failed to find temporary directory");
-        log_error_and_cleanup("failed to find temp dir", sts, s);
-        return HTTP_INTERNAL_SERVER_ERROR;
-    }
-
     /* Create the shared memory segment */
 
     /*
      * Create a unique filename using our pid. This information is
      * stashed in the global variable so the children inherit it.
      */
-    client_shm_filename = apr_psprintf(ctx, "%s/authdigest_shm.%"APR_PID_T_FMT, tempdir,
-                                       getpid());
+    client_shm_filename = ap_runtime_dir_relative(ctx, "authdigest_shm");
+    client_shm_filename = ap_append_pid(ctx, client_shm_filename, ".");
 
     /* Now create that segment */
     sts = apr_shm_create(&client_shm, shmem_size,
diff --git a/modules/aaa/mod_authn_dbd.c b/modules/aaa/mod_authn_dbd.c
index 5819abd4..db5b05f6 100644
--- a/modules/aaa/mod_authn_dbd.c
+++ b/modules/aaa/mod_authn_dbd.c
@@ -100,6 +100,7 @@ static authn_status authn_dbd_password(request_rec *r, const char *user,
     apr_dbd_prepared_t *statement;
     apr_dbd_results_t *res = NULL;
     apr_dbd_row_t *row = NULL;
+    int ret;
     authn_dbd_conf *conf = ap_get_module_config(r->per_dir_config,
                                                 &authn_dbd_module);
 
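Review bot: The replacement for the temp-dir lookup drops the failure path the removed block had: `ap_runtime_dir_relative()` can return NULL when the path cannot be resolved (confirm against its definition in server/core.c), and nothing here checks for that before `ap_append_pid()` formats the result into `client_shm_filename` and `apr_shm_create()` is called with it. A guard in the same shape as the removed one, placed between the two new lines, `if (!client_shm_filename) { log_error_and_cleanup("failed to resolve runtime dir", APR_EGENERAL, s); return HTTP_INTERNAL_SERVER_ERROR; }`, keeps the module from starting with an unusable segment name. Moving the segment out of the shared temporary directory is the right direction, since a file there could be raced on by other local users; only the error handling went missing. initialize_tables continues past the end of the hunk.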
@@ -124,11 +125,12 @@ static authn_status authn_dbd_password(request_rec *r, const char *user,
                       "AuthDBDUserPWQuery with the key '%s'", conf->user);
         return AUTH_GENERAL_ERROR;
     }
-    if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, statement,
-                         0, user, NULL) != 0) {
+    if ((ret = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
+                                statement, 0, user, NULL) != 0)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01656)
                       "Query execution error looking up '%s' "
-                      "in database", user);
+                      "in database [%s]",
+                      user, apr_dbd_error(dbd->driver, dbd->handle, ret));
         return AUTH_GENERAL_ERROR;
     }
     for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
@@ -193,6 +195,7 @@ static authn_status authn_dbd_realm(request_rec *r, const char *user,
     apr_dbd_prepared_t *statement;
     apr_dbd_results_t *res = NULL;
     apr_dbd_row_t *row = NULL;
+    int ret;
     authn_dbd_conf *conf = ap_get_module_config(r->per_dir_config,
                                                 &authn_dbd_module);
 
@@ -215,11 +218,13 @@ static authn_status authn_dbd_realm(request_rec *r, const char *user,
                       "AuthDBDUserRealmQuery with the key '%s'", conf->realm);
         return AUTH_GENERAL_ERROR;
     }
-    if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, statement,
-                         0, user, realm, NULL) != 0) {
+    if ((ret = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
+                                statement, 0, user, realm, NULL) != 0)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01661)
                       "Query execution error looking up '%s:%s' "
-                      "in database", user, realm);
+                      "in database [%s]",
+                      user, realm,
+                      apr_dbd_error(dbd->driver, dbd->handle, ret));
         return AUTH_GENERAL_ERROR;
     }
     for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 689d5b76..d55b57f5 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
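Review bot: In both rewritten conditions, `if ((ret = apr_dbd_pvselect(...) != 0)) {`, the `!= 0` sits inside the assignment, so `ret` receives 0 or 1 rather than the driver's return code, and `apr_dbd_error(dbd->driver, dbd->handle, ret)` is then asked to describe error 1 instead of the real failure — the diagnostic this change adds can never show the actual cause. The parenthesisation should be `if ((ret = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, statement, 0, user, NULL)) != 0) {` in authn_dbd_password, and the same with `user, realm, NULL` in authn_dbd_realm. The `(rv = ... == 0)` form in mod_authz_dbd.c further down has the same precedence problem. Both functions begin and end outside their hunks.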
@@ -870,6 +870,7 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
                   "membership in \"%s\"", t);
 
+    /* PR52464 exhaust attrs in base group before checking subgroups */
     for (i = 0; i < sec->groupattr->nelts; i++) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714)
                       "auth_ldap authorize: require group: testing for %s: "
@@ -879,64 +880,62 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
         result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
                                 sec->group_attrib_is_dn ? req->dn : req->user);
 
-        switch(result) {
-            case LDAP_COMPARE_TRUE: {
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715)
-                              "auth_ldap authorize: require group: "
-                              "authorization successful (attribute %s) "
-                              "[%s][%d - %s]",
-                              ent[i].name, ldc->reason, result,
-                              ldap_err2string(result));
-                set_request_vars(r, LDAP_AUTHZ);
-                return AUTHZ_GRANTED;
-            }
-            case LDAP_NO_SUCH_ATTRIBUTE:
-            case LDAP_COMPARE_FALSE: {
-                /* nested groups need searches and compares, so grab a new handle */
-                authnz_ldap_cleanup_connection_close(ldc);
-                apr_pool_cleanup_kill(r->pool, ldc,authnz_ldap_cleanup_connection_close);
-
-                ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH);
-                apr_pool_cleanup_register(r->pool, ldc,
-                                          authnz_ldap_cleanup_connection_close,
-                                          apr_pool_cleanup_null);
-
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716)
-                              "auth_ldap authorise: require group \"%s\": "
-                              "failed [%s][%d - %s], checking sub-groups",
-                              t, ldc->reason, result, ldap_err2string(result));
-
-                result = util_ldap_cache_check_subgroups(r, ldc, sec->url, t, ent[i].name,
-                                                         sec->group_attrib_is_dn ? req->dn : req->user,
-                                                         sec->sgAttributes[0] ? sec->sgAttributes : default_attributes,
-                                                         sec->subgroupclasses,
-                                                         0, sec->maxNestingDepth);
-                if(result == LDAP_COMPARE_TRUE) {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717)
-                                  "auth_ldap authorise: require group "
-                                  "(sub-group): authorisation successful "
-                                  "(attribute %s) [%s][%d - %s]",
-                                  ent[i].name, ldc->reason, result,
-                                  ldap_err2string(result));
-                    set_request_vars(r, LDAP_AUTHZ);
-                    return AUTHZ_GRANTED;
-                }
-                else {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718)
-                                  "auth_ldap authorise: require group "
-                                  "(sub-group) \"%s\": authorisation failed "
-                                  "[%s][%d - %s]",
-                                  t, ldc->reason, result,
-                                  ldap_err2string(result));
-                }
-                break;
-            }
-            default: {
+        if (result == LDAP_COMPARE_TRUE) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715)
+                          "auth_ldap authorize: require group: "
+                          "authorization successful (attribute %s) "
+                          "[%s][%d - %s]",
+                          ent[i].name, ldc->reason, result,
+                          ldap_err2string(result));
+            set_request_vars(r, LDAP_AUTHZ);
+            return AUTHZ_GRANTED;
+        }
+        else {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719)
                           "auth_ldap authorize: require group \"%s\": "
-                          "authorization failed [%s][%d - %s]",
-                          t, ldc->reason, result, ldap_err2string(result));
-            }
+                          "didn't match with attr %s [%s][%d - %s]",
+                          t, ldc->reason, ent[i].name, result,
+                          ldap_err2string(result));
+        }
+    }
+
+    for (i = 0; i < sec->groupattr->nelts; i++) {
+        /* nested groups need searches and compares, so grab a new handle */
+        authnz_ldap_cleanup_connection_close(ldc);
+        apr_pool_cleanup_kill(r->pool, ldc,authnz_ldap_cleanup_connection_close);
+
+        ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH);
+        apr_pool_cleanup_register(r->pool, ldc,
+                                  authnz_ldap_cleanup_connection_close,
+                                  apr_pool_cleanup_null);
+
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716)
+                      "auth_ldap authorise: require group \"%s\": "
+                      "failed [%s][%d - %s], checking sub-groups",
+                      t, ldc->reason, result, ldap_err2string(result));
+
+        result = util_ldap_cache_check_subgroups(r, ldc, sec->url, t, ent[i].name,
+                                                 sec->group_attrib_is_dn ? req->dn : req->user,
+                                                 sec->sgAttributes[0] ? sec->sgAttributes : default_attributes,
+                                                 sec->subgroupclasses,
+                                                 0, sec->maxNestingDepth);
+        if (result == LDAP_COMPARE_TRUE) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717)
+                          "auth_ldap authorise: require group "
+                          "(sub-group): authorisation successful "
+                          "(attribute %s) [%s][%d - %s]",
+                          ent[i].name, ldc->reason, result,
+                          ldap_err2string(result));
+            set_request_vars(r, LDAP_AUTHZ);
+            return AUTHZ_GRANTED;
+        }
+        else {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718)
+                          "auth_ldap authorise: require group "
+                          "(sub-group) \"%s\": didn't match with attr %s "
+                          "[%s][%d - %s]",
+                          t, ldc->reason, ent[i].name, result,
+                          ldap_err2string(result));
         }
     }
 
diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c
index fb286e20..9b7173c8 100644
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -221,6 +221,14 @@ static authz_status authz_alias_check_authorization(request_rec *r,
             r->per_dir_config = orig_dir_config;
         }
+        else {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02305)
+                          "no alias provider found for '%s' (BUG?)",
+                          provider_name);
+        }
+    }
+    else {
+        ap_assert(provider_name != NULL);
     }
 
     return ret;
@@ -305,6 +313,14 @@ static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
                             "Unknown Authz provider: %s",
                             provider_name);
     }
+    if (prvdraliasrec->provider->parse_require_line) {
+        const char *err = prvdraliasrec->provider->parse_require_line(cmd,
+                          provider_args, &prvdraliasrec->provider_parsed_args);
+        if (err)
+            return apr_psprintf(cmd->pool,
+                                "Can't parse 'Require %s %s': %s",
+                                provider_name, provider_args, err);
+    }
 
     authcfg = ap_get_module_config(cmd->server->module_config,
                                    &authz_core_module);
 
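Review bot: The new second loop closes `ldc` and calls `get_connection_for_authz()` again on every iteration, although nothing between iterations needs a fresh handle; hoisting the close/kill/get/register sequence above the `for` keeps one connection per request, and the 01716 message can then stop reporting `result`, which at that point is still the value left by the last compare in the first loop rather than anything about the attribute being tested. Note also that the first loop now treats every non-TRUE compare result — including server-side errors — as "didn't match" and proceeds to the sub-group searches, where the old `default:` branch only logged and moved to the next attribute; that remains fail-closed, but it is a behaviour change worth a line in the commit message. ldapgroup_check_authorization begins and ends outside the hunk.
```c
    /* nested groups need searches and compares, so grab a new handle */
    authnz_ldap_cleanup_connection_close(ldc);
    apr_pool_cleanup_kill(r->pool, ldc, authnz_ldap_cleanup_connection_close);
    ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH);
    apr_pool_cleanup_register(r->pool, ldc,
                              authnz_ldap_cleanup_connection_close,
                              apr_pool_cleanup_null);

    for (i = 0; i < sec->groupattr->nelts; i++) {
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716)
                      "auth_ldap authorise: require group \"%s\": "
                      "no direct match, checking sub-groups for attr %s",
                      t, ent[i].name);
        /* … unchanged: util_ldap_cache_check_subgroups() and result logging … */
    }
```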
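Review bot: The added `else { ap_assert(provider_name != NULL); }` sits on the false side of the enclosing condition, whose line is outside the hunk; if that condition is `provider_name` itself, the assertion can never hold and its only effect is to abort the worker process from a request-time path. A missing alias note is a configuration or module bug rather than a request-specific fault, so failing this request closed — `ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, APLOGNO(02305) "no provider name for authz alias");` followed by `ret = AUTHZ_GENERAL_ERROR;` — would keep the child alive, matching the log-and-continue pattern the new 02305 branch just above already uses. authz_alias_check_authorization begins outside the hunk.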
@@ -397,8 +413,14 @@ static const char *add_authz_provider(cmd_parms *cmd, void *config,
     section->limited = cmd->limited;
 
     if (section->provider->parse_require_line) {
-        const char *err = section->provider->parse_require_line(cmd, args,
-                                              &section->provider_parsed_args);
+        const char *err;
+        apr_pool_userdata_setn(section->provider_name,
+                               AUTHZ_PROVIDER_NAME_NOTE,
+                               apr_pool_cleanup_null,
+                               cmd->temp_pool);
+        err = section->provider->parse_require_line(cmd, args,
+                                              &section->provider_parsed_args);
+
         if (err)
             return err;
     }
@@ -607,12 +629,9 @@ static int authz_core_check_section(apr_pool_t *p, server_rec *s,
     if (ret != OK) {
         ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, APR_SUCCESS, s,
                      APLOGNO(01624)
-                     "%s",
-                     apr_pstrcat(p, (is_conf
-                                     ? "<Directory>, <Location>, or similar"
-                                     : format_authz_command(p, section)),
-                                 " directive contains only negative "
-                                 "authorization directives", NULL));
+                     "%s directive contains only negative authorization directives",
+                     is_conf ? "<Directory>, <Location>, or similar"
+                             : format_authz_command(p, section));
     }
 
     return ret;
@@ -1015,36 +1034,74 @@ static const authz_provider authz_method_provider =
     &method_parse_config,
 };
 
-static authz_status expr_check_authorization(request_rec *r,
-                                             const char *require_line,
-                                             const void *parsed_require_line)
-{
-    const char *err = NULL;
-    const ap_expr_info_t *expr = parsed_require_line;
-    int rc = ap_expr_exec(r, expr, &err);
+/*
+ * expr authz provider
+ */
 
-    if (rc <= 0)
-        /* XXX: real error handling? */
-        return AUTHZ_DENIED;
-    else
-        return AUTHZ_GRANTED;
+#define REQUIRE_EXPR_NOTE "Require_expr_info"
+struct require_expr_info {
+    ap_expr_info_t *expr;
+    int want_user;
+};
+
+static int expr_lookup_fn(ap_expr_lookup_parms *parms)
+{
+    if (parms->type == AP_EXPR_FUNC_VAR
+        && strcasecmp(parms->name, "REMOTE_USER") == 0) {
+        struct require_expr_info *info;
+        apr_pool_userdata_get((void**)&info, REQUIRE_EXPR_NOTE, parms->ptemp);
+        AP_DEBUG_ASSERT(info != NULL);
+        info->want_user = 1;
+    }
+    return ap_expr_lookup_default(parms);
 }
 
 static const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
                                      const void **parsed_require_line)
 {
     const char *expr_err = NULL;
-    ap_expr_info_t *expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
-                                             NULL);
+    struct require_expr_info *info = apr_pcalloc(cmd->pool, sizeof(*info));
+
+    apr_pool_userdata_setn(info, REQUIRE_EXPR_NOTE, apr_pool_cleanup_null,
+                           cmd->temp_pool);
+    info->expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
+                                   expr_lookup_fn);
 
     if (expr_err)
-        return "Cannot parse expression in require line";
+        return apr_pstrcat(cmd->temp_pool,
+                           "Cannot parse expression in require line: ",
+                           expr_err, NULL);
 
-    *parsed_require_line = expr;
+    *parsed_require_line = info;
 
     return NULL;
 }
 
+static authz_status expr_check_authorization(request_rec *r,
+                                             const char *require_line,
+                                             const void *parsed_require_line)
+{
+    const char *err = NULL;
+    const struct require_expr_info *info = parsed_require_line;
+    int rc = ap_expr_exec(r, info->expr, &err);
+
+    if (rc < 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02320)
+                      "Error evaluating expression in 'Require expr': %s",
+                      err);
+        return AUTHZ_GENERAL_ERROR;
+    }
+    else if (rc == 0) {
+        if (info->want_user)
+            return AUTHZ_DENIED_NO_USER;
+        else
+            return AUTHZ_DENIED;
+    }
+    else {
+        return AUTHZ_GRANTED;
+    }
+}
+
 static const authz_provider authz_expr_provider =
 {
     &expr_check_authorization,
diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c
index 59ca2b34..86d3b561 100644
--- a/modules/aaa/mod_authz_dbd.c
+++ b/modules/aaa/mod_authz_dbd.c
@@ -162,8 +162,8 @@ static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg,
                       "authz_dbd: no redirect query!");
         /* OK, this is non-critical; we can just not-redirect */
     }
-    else if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
-                              query, 0, r->user, NULL) == 0) {
+    else if ((rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle,
+                                    &res, query, 0, r->user, NULL) == 0)) {
         for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
              rv != -1;
              rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
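Review bot: `expr_lookup_fn` dereferences `info` right after `apr_pool_userdata_get()` with only `AP_DEBUG_ASSERT(info != NULL)` in front of it, and that macro is compiled out of non-debug builds; the note is valid only because `expr_parse_config()` stores it on `cmd->temp_pool` immediately before calling the parser, so any future caller of this lookup from another path (or a `ptemp` that is not `cmd->temp_pool`) would turn into a NULL write rather than a diagnostic. A plain guard, `if (info) info->want_user = 1;`, keeps the fail-closed default (`AUTHZ_DENIED` instead of `AUTHZ_DENIED_NO_USER`) in that case. The `want_user` flag is also only raised for a variable literally named `REMOTE_USER`; an expression that reaches the user another way will deny instead of triggering authentication, which deserves a comment on the struct field such as `/* set when the expression references REMOTE_USER; an empty result then yields AUTHZ_DENIED_NO_USER so authn runs first */`. Mapping `rc < 0` to `AUTHZ_GENERAL_ERROR` with a logged message, instead of the old blanket deny, is the right fix for the removed `XXX` comment.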
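Review bot: `else if ((rv = apr_dbd_pvselect(...) == 0)) {` assigns the comparison's 0/1 to `rv`, not the driver's return code, and the `for` initialiser on the very next line overwrites `rv` anyway, so the new assignment is dead code that reads as though an error code were being captured. Either keep the original condition without the assignment, or capture it properly — `else if ((rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, query, 0, r->user, NULL)) == 0) {` — and log `apr_dbd_error(dbd->driver, dbd->handle, rv)` on the failing branch the way mod_authn_dbd.c does elsewhere in this commit, since a silently failing redirect query is otherwise invisible to the operator. authz_dbd_login begins and ends outside the hunk.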
