core: Add the token_checker hook, that allows authentication to take

place using mechanisms other than username/password, such as bearer tokens. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909409 13f79535-47bb-0310-9956-ffa450edef68
author: Graham Leggett <minfrin@apache.org> 2023-04-25 17:35:08 +0000
committer: Graham Leggett <minfrin@apache.org> 2023-04-25 17:35:08 +0000
commit: 3e638ff2836e836eba2613338c8102da8d62a976 (patch)
tree: f47c4cae0401ee49a6d2ae9a9c7d4154614484cb /server
parent: 34c58325ec7ad12144dba23c38832b19cbf2850f (diff)
download: httpd-3e638ff2836e836eba2613338c8102da8d62a976.tar.gz
1 files changed, 29 insertions, 0 deletions
diff --git a/server/request.c b/server/request.c
index cd2908da5d..27336b69cb 100644
--- a/server/request.c
+++ b/server/request.c
@@ -73,6 +73,7 @@ APR_HOOK_STRUCT(
     APR_HOOK_LINK(post_perdir_config)
     APR_HOOK_LINK(dirwalk_stat)
     APR_HOOK_LINK(force_authn)
+    APR_HOOK_LINK(token_checker)
 )
 
 AP_IMPLEMENT_HOOK_RUN_FIRST(int,pre_translate_name,
@@ -103,6 +104,8 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(apr_status_t,dirwalk_stat,
                             (finfo, r, wanted), AP_DECLINED)
 AP_IMPLEMENT_HOOK_RUN_FIRST(int,force_authn,
                             (request_rec *r), (r), DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int,token_checker,
+                            (request_rec *r), (r), DECLINED)
 
 static int auth_internal_per_conf = 0;
 static int auth_internal_per_conf_hooks = 0;
@@ -333,6 +336,12 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
         switch (ap_satisfies(r)) {
         case SATISFY_ALL:
         case SATISFY_NOSPEC:
+            if ((access_status = ap_run_token_checker(r)) != OK &&
+            		access_status != DECLINED) {
+                return decl_die(access_status,
+                                "check token (with Satisfy All)", r);
+            }
+
             if ((access_status = ap_run_access_checker(r)) != OK) {
                 return decl_die(access_status,
                                 "check access (with Satisfy All)", r);
@@ -368,6 +377,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
             }
             break;
         case SATISFY_ANY:
+            if ((access_status = ap_run_token_checker(r)) == OK) {
+                ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
+                              "request authorized bypassing access_checker by "
+                              "token_checker hook and 'Satisfy any': %s",
+                              r->uri);
+                break;
+            }
+
             if ((access_status = ap_run_access_checker(r)) == OK) {
                 ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
                               "request authorized without authentication by "
@@ -2217,6 +2234,18 @@ AP_DECLARE(void) ap_hook_check_access_ex(ap_HOOK_access_checker_ex_t *pf,
     ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder);
 }
 
+AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
+                                     const char * const *aszPre,
+                                     const char * const *aszSucc,
+                                     int nOrder, int type)
+{
+    if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) {
+        ++auth_internal_per_conf_hooks;
+    }
+
+    ap_hook_token_checker(pf, aszPre, aszSucc, nOrder);
+}
+
 AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
                                      const char * const *aszPre,
                                      const char * const *aszSucc,
author	Graham Leggett <minfrin@apache.org>	2023-04-25 17:35:08 +0000
committer	Graham Leggett <minfrin@apache.org>	2023-04-25 17:35:08 +0000
commit	3e638ff2836e836eba2613338c8102da8d62a976 (patch)
tree	f47c4cae0401ee49a6d2ae9a9c7d4154614484cb /server
parent	34c58325ec7ad12144dba23c38832b19cbf2850f (diff)
download	httpd-3e638ff2836e836eba2613338c8102da8d62a976.tar.gz