-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) core: Add the token_checker hook, that allows authentication to take
+ place using mechanisms other than username/password, such as bearer
+ tokens. [Graham Leggett]
+
*) mod_alias: When an alias is declared inside a Location, make sure
the balance of the URL is preserved to match the alias declared
outside a location. Fixes an error where all requests are mapped
<p>Introduces a new API to fill me in.</p>
</section>
+ <section id="http_request">
+ <title>http_request (changed)</title>
+ <ul>
+ <li>New autht_provider API</li>
+ <li>New <code>token_checker</code> hook to handle authentication based on
+ mechanisms other than username and password.</li>
+ <li>New function <code>ap_hook_check_autht</code>, as an addition to
+ <code>ap_hook_check_authn</code> and <code>ap_hook_check_authz</code>.</li>
+ </ul>
+ </section>
+
+ <section id="mod_auth">
+ <title>mod_auth (changed)</title>
+ <p>Adds an additional provider framework for autht - token authentication.</p>
+ </section>
+
</section>
<section id="upgrading">
* 20211221.10 (2.5.1-dev) Add ap_proxy_canonenc_ex
* 20211221.11 (2.5.1-dev) Add AP_CTIME_OPTION_GMTOFF to util_time.h
* 20211221.12 (2.5.1-dev) Add cmd_parms->regex
+ * 20211221.13 (2.5.1-dev) Add hook token_checker to check for authorization other
+ * than username / password. Add autht_provider structure.
*/
#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20211221
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 12 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 13 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
*/
AP_DECLARE_HOOK(int,auth_checker,(request_rec *r))
+/**
+ * This hook is used to parse any tokens in the request that might key
+ * or contain metadata such as users or IP addresses that may be
+ * relevant to the request. It runs before the access checker. This
+ * hook should be registered with ap_hook_check_autht().
+ *
+ * @param r the current request
+ * @return OK, DECLINED, or HTTP_...
+ * @ingroup hooks
+ * @see ap_hook_check_authz
+ */
+AP_DECLARE_HOOK(int,token_checker,(request_rec *r))
+
/**
* Register a hook function that will apply additional access control to
* the current request.
const char * const *aszSucc,
int nOrder, int type);
+/**
+ * Register a hook function that will analyze the request headers, extract
+ * any tokens, and apply and metadata contained in the tokens or keyed against
+ * the tokens to the request record.
+ * @param pf A token_checker hook function
+ * @param aszPre A NULL-terminated array of strings that name modules whose
+ * hooks should precede this one
+ * @param aszSucc A NULL-terminated array of strings that name modules whose
+ * hooks should succeed this one
+ * @param nOrder An integer determining order before honouring aszPre and
+ * aszSucc (for example, HOOK_MIDDLE)
+ * @param type Internal request processing mode, either
+ * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
+ */
+AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
+ const char * const *aszPre,
+ const char * const *aszSucc,
+ int nOrder, int type);
/**
* Register a hook function that will analyze the request headers,
extern "C" {
#endif
+#define AUTHT_PROVIDER_GROUP "autht"
#define AUTHN_PROVIDER_GROUP "authn"
#define AUTHZ_PROVIDER_GROUP "authz"
+#define AUTHT_PROVIDER_VERSION "0"
#define AUTHN_PROVIDER_VERSION "0"
#define AUTHZ_PROVIDER_VERSION "0"
+#define AUTHT_DEFAULT_PROVIDER "jwt"
#define AUTHN_DEFAULT_PROVIDER "file"
+#define AUTHT_PROVIDER_NAME_NOTE "autht_provider_name"
#define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
#define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
+#define AUTHT_PREFIX "TOKEN_"
#define AUTHN_PREFIX "AUTHENTICATE_"
#define AUTHZ_PREFIX "AUTHORIZE_"
AUTH_HANDLED
} authn_status;
+typedef enum {
+ AUTHT_DENIED = AUTH_DENIED,
+ AUTHT_GRANTED = AUTH_GRANTED,
+ AUTHT_GENERAL_ERROR = AUTH_GENERAL_ERROR,
+ AUTHT_MISMATCH,
+ AUTHT_EXPIRED,
+ AUTHT_INVALID
+} autht_status;
+
typedef enum {
AUTHZ_DENIED,
AUTHZ_GRANTED,
typedef struct {
/* Given a username and password, expected to return AUTH_GRANTED
* if we can validate this user/password combination.
+ *
+ * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
*/
authn_status (*check_password)(request_rec *r, const char *user,
const char *password);
/* Given a user and realm, expected to return AUTH_USER_FOUND if we
* can find a md5 hash of 'user:realm:password'
+ *
+ * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
*/
authn_status (*get_realm_hash)(request_rec *r, const char *user,
const char *realm, char **rethash);
+
} authn_provider;
/* A linked-list of authn providers. */
authn_provider_list *next;
};
+typedef struct {
+ /* Given a token of a given type, expected to return AUTH_GRANTED
+ * if the token could be successfully authenticated.
+ */
+ autht_status (*check_token)(request_rec *r, const char *type,
+ const char *token);
+
+} autht_provider;
+
+/* A linked-list of authn providers. */
+typedef struct autht_provider_list autht_provider_list;
+
+struct autht_provider_list {
+ const char *provider_name;
+ const autht_provider *provider;
+ autht_provider_list *next;
+};
+
typedef struct {
/* Given a request_rec, expected to return AUTHZ_GRANTED
* if we can authorize user access.
APR_HOOK_LINK(post_perdir_config)
APR_HOOK_LINK(dirwalk_stat)
APR_HOOK_LINK(force_authn)
+ APR_HOOK_LINK(token_checker)
)
AP_IMPLEMENT_HOOK_RUN_FIRST(int,pre_translate_name,
(finfo, r, wanted), AP_DECLINED)
AP_IMPLEMENT_HOOK_RUN_FIRST(int,force_authn,
(request_rec *r), (r), DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int,token_checker,
+ (request_rec *r), (r), DECLINED)
static int auth_internal_per_conf = 0;
static int auth_internal_per_conf_hooks = 0;
switch (ap_satisfies(r)) {
case SATISFY_ALL:
case SATISFY_NOSPEC:
+ if ((access_status = ap_run_token_checker(r)) != OK &&
+ access_status != DECLINED) {
+ return decl_die(access_status,
+ "check token (with Satisfy All)", r);
+ }
+
if ((access_status = ap_run_access_checker(r)) != OK) {
return decl_die(access_status,
"check access (with Satisfy All)", r);
}
break;
case SATISFY_ANY:
+ if ((access_status = ap_run_token_checker(r)) == OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
+ "request authorized bypassing access_checker by "
+ "token_checker hook and 'Satisfy any': %s",
+ r->uri);
+ break;
+ }
+
if ((access_status = ap_run_access_checker(r)) == OK) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
"request authorized without authentication by "
ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder);
}
+AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
+ const char * const *aszPre,
+ const char * const *aszSucc,
+ int nOrder, int type)
+{
+ if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) {
+ ++auth_internal_per_conf_hooks;
+ }
+
+ ap_hook_token_checker(pf, aszPre, aszSucc, nOrder);
+}
+
AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
const char * const *aszPre,
const char * const *aszSucc,
projects / thirdparty / apache / httpd.git / commitdiff
