From 3e638ff2836e836eba2613338c8102da8d62a976 Mon Sep 17 00:00:00 2001 From: Graham Leggett Date: Tue, 25 Apr 2023 17:35:08 +0000 Subject: core: Add the token_checker hook, that allows authentication to take place using mechanisms other than username/password, such as bearer tokens. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909409 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ docs/manual/developer/new_api_2_6.xml | 16 +++++++++++++++ include/ap_mmn.h | 4 +++- include/http_request.h | 31 +++++++++++++++++++++++++++++ include/mod_auth.h | 37 +++++++++++++++++++++++++++++++++++ server/request.c | 29 +++++++++++++++++++++++++++ 6 files changed, 120 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 5776d4a06f..4f76f323a4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) core: Add the token_checker hook, that allows authentication to take + place using mechanisms other than username/password, such as bearer + tokens. [Graham Leggett] + *) mod_alias: When an alias is declared inside a Location, make sure the balance of the URL is preserved to match the alias declared outside a location. Fixes an error where all requests are mapped diff --git a/docs/manual/developer/new_api_2_6.xml b/docs/manual/developer/new_api_2_6.xml index 898c26f77f..eda804c03f 100644 --- a/docs/manual/developer/new_api_2_6.xml +++ b/docs/manual/developer/new_api_2_6.xml @@ -57,6 +57,22 @@

Introduces a new API to fill me in.

+
+ http_request (changed) + +
+ +
+ mod_auth (changed) +

Adds an additional provider framework for autht - token authentication.

+
+
diff --git a/include/ap_mmn.h b/include/ap_mmn.h index 613ebfe10f..7b6e524aae 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -715,6 +715,8 @@ * 20211221.10 (2.5.1-dev) Add ap_proxy_canonenc_ex * 20211221.11 (2.5.1-dev) Add AP_CTIME_OPTION_GMTOFF to util_time.h * 20211221.12 (2.5.1-dev) Add cmd_parms->regex + * 20211221.13 (2.5.1-dev) Add hook token_checker to check for authorization other + * than username / password. Add autht_provider structure. */ #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */ @@ -722,7 +724,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20211221 #endif -#define MODULE_MAGIC_NUMBER_MINOR 12 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 13 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a diff --git a/include/http_request.h b/include/http_request.h index 93defac285..6823aea4ff 100644 --- a/include/http_request.h +++ b/include/http_request.h @@ -480,6 +480,19 @@ AP_DECLARE_HOOK(int,access_checker_ex,(request_rec *r)) */ AP_DECLARE_HOOK(int,auth_checker,(request_rec *r)) +/** + * This hook is used to parse any tokens in the request that might key + * or contain metadata such as users or IP addresses that may be + * relevant to the request. It runs before the access checker. This + * hook should be registered with ap_hook_check_autht(). + * + * @param r the current request + * @return OK, DECLINED, or HTTP_... + * @ingroup hooks + * @see ap_hook_check_authz + */ +AP_DECLARE_HOOK(int,token_checker,(request_rec *r)) + /** * Register a hook function that will apply additional access control to * the current request. @@ -516,6 +529,24 @@ AP_DECLARE(void) ap_hook_check_access_ex(ap_HOOK_access_checker_ex_t *pf, const char * const *aszSucc, int nOrder, int type); +/** + * Register a hook function that will analyze the request headers, extract + * any tokens, and apply and metadata contained in the tokens or keyed against + * the tokens to the request record. + * @param pf A token_checker hook function + * @param aszPre A NULL-terminated array of strings that name modules whose + * hooks should precede this one + * @param aszSucc A NULL-terminated array of strings that name modules whose + * hooks should succeed this one + * @param nOrder An integer determining order before honouring aszPre and + * aszSucc (for example, HOOK_MIDDLE) + * @param type Internal request processing mode, either + * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF + */ +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf, + const char * const *aszPre, + const char * const *aszSucc, + int nOrder, int type); /** * Register a hook function that will analyze the request headers, diff --git a/include/mod_auth.h b/include/mod_auth.h index 858e02bdec..e2b0f77461 100644 --- a/include/mod_auth.h +++ b/include/mod_auth.h @@ -36,15 +36,20 @@ extern "C" { #endif +#define AUTHT_PROVIDER_GROUP "autht" #define AUTHN_PROVIDER_GROUP "authn" #define AUTHZ_PROVIDER_GROUP "authz" +#define AUTHT_PROVIDER_VERSION "0" #define AUTHN_PROVIDER_VERSION "0" #define AUTHZ_PROVIDER_VERSION "0" +#define AUTHT_DEFAULT_PROVIDER "jwt" #define AUTHN_DEFAULT_PROVIDER "file" +#define AUTHT_PROVIDER_NAME_NOTE "autht_provider_name" #define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name" #define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name" +#define AUTHT_PREFIX "TOKEN_" #define AUTHN_PREFIX "AUTHENTICATE_" #define AUTHZ_PREFIX "AUTHORIZE_" @@ -70,6 +75,15 @@ typedef enum { AUTH_HANDLED } authn_status; +typedef enum { + AUTHT_DENIED = AUTH_DENIED, + AUTHT_GRANTED = AUTH_GRANTED, + AUTHT_GENERAL_ERROR = AUTH_GENERAL_ERROR, + AUTHT_MISMATCH, + AUTHT_EXPIRED, + AUTHT_INVALID +} autht_status; + typedef enum { AUTHZ_DENIED, AUTHZ_GRANTED, @@ -81,15 +95,20 @@ typedef enum { typedef struct { /* Given a username and password, expected to return AUTH_GRANTED * if we can validate this user/password combination. + * + * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers. */ authn_status (*check_password)(request_rec *r, const char *user, const char *password); /* Given a user and realm, expected to return AUTH_USER_FOUND if we * can find a md5 hash of 'user:realm:password' + * + * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers. */ authn_status (*get_realm_hash)(request_rec *r, const char *user, const char *realm, char **rethash); + } authn_provider; /* A linked-list of authn providers. */ @@ -101,6 +120,24 @@ struct authn_provider_list { authn_provider_list *next; }; +typedef struct { + /* Given a token of a given type, expected to return AUTH_GRANTED + * if the token could be successfully authenticated. + */ + autht_status (*check_token)(request_rec *r, const char *type, + const char *token); + +} autht_provider; + +/* A linked-list of authn providers. */ +typedef struct autht_provider_list autht_provider_list; + +struct autht_provider_list { + const char *provider_name; + const autht_provider *provider; + autht_provider_list *next; +}; + typedef struct { /* Given a request_rec, expected to return AUTHZ_GRANTED * if we can authorize user access. diff --git a/server/request.c b/server/request.c index cd2908da5d..27336b69cb 100644 --- a/server/request.c +++ b/server/request.c @@ -73,6 +73,7 @@ APR_HOOK_STRUCT( APR_HOOK_LINK(post_perdir_config) APR_HOOK_LINK(dirwalk_stat) APR_HOOK_LINK(force_authn) + APR_HOOK_LINK(token_checker) ) AP_IMPLEMENT_HOOK_RUN_FIRST(int,pre_translate_name, @@ -103,6 +104,8 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(apr_status_t,dirwalk_stat, (finfo, r, wanted), AP_DECLINED) AP_IMPLEMENT_HOOK_RUN_FIRST(int,force_authn, (request_rec *r), (r), DECLINED) +AP_IMPLEMENT_HOOK_RUN_FIRST(int,token_checker, + (request_rec *r), (r), DECLINED) static int auth_internal_per_conf = 0; static int auth_internal_per_conf_hooks = 0; @@ -333,6 +336,12 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r) switch (ap_satisfies(r)) { case SATISFY_ALL: case SATISFY_NOSPEC: + if ((access_status = ap_run_token_checker(r)) != OK && + access_status != DECLINED) { + return decl_die(access_status, + "check token (with Satisfy All)", r); + } + if ((access_status = ap_run_access_checker(r)) != OK) { return decl_die(access_status, "check access (with Satisfy All)", r); @@ -368,6 +377,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r) } break; case SATISFY_ANY: + if ((access_status = ap_run_token_checker(r)) == OK) { + ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, + "request authorized bypassing access_checker by " + "token_checker hook and 'Satisfy any': %s", + r->uri); + break; + } + if ((access_status = ap_run_access_checker(r)) == OK) { ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "request authorized without authentication by " @@ -2217,6 +2234,18 @@ AP_DECLARE(void) ap_hook_check_access_ex(ap_HOOK_access_checker_ex_t *pf, ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder); } +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf, + const char * const *aszPre, + const char * const *aszSucc, + int nOrder, int type) +{ + if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) { + ++auth_internal_per_conf_hooks; + } + + ap_hook_token_checker(pf, aszPre, aszSucc, nOrder); +} + AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf, const char * const *aszPre, const char * const *aszSucc, -- cgit v1.2.1