Merge branch 'master' of git://github.com/klausdieterkrannich/mod_aut…

…h_cas into klausdieterkrannich-master

Conflicts:
	src/mod_auth_cas.h

src/mod_auth_cas.c

@@ -115,8 +115,9 @@ void *cas_create_server_config(apr_pool_t *pool, server_rec *svr)
 	c->CASValidateSAML = CAS_DEFAULT_VALIDATE_SAML;
 	c->CASAttributeDelimiter = CAS_DEFAULT_ATTRIBUTE_DELIMITER;
 	c->CASAttributePrefix = CAS_DEFAULT_ATTRIBUTE_PREFIX;
+#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
 	c->CASAuthoritative = CAS_DEFAULT_AUTHORITATIVE;
-
+#endif
 	cas_setURL(pool, &(c->CASLoginURL), CAS_DEFAULT_LOGIN_URL);
 	cas_setURL(pool, &(c->CASValidateURL), CAS_DEFAULT_VALIDATE_URL);
 	cas_setURL(pool, &(c->CASProxyValidateURL), CAS_DEFAULT_PROXY_VALIDATE_URL);
@@ -147,7 +148,9 @@ void *cas_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD)
 	c->CASCookieHttpOnly = (add->CASCookieHttpOnly != CAS_DEFAULT_COOKIE_HTTPONLY ? add->CASCookieHttpOnly : base->CASCookieHttpOnly);
 	c->CASSSOEnabled = (add->CASSSOEnabled != CAS_DEFAULT_SSO_ENABLED ? add->CASSSOEnabled : base->CASSSOEnabled);
 	c->CASValidateSAML = (add->CASValidateSAML != CAS_DEFAULT_VALIDATE_SAML ? add->CASValidateSAML : base->CASValidateSAML);
+#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
 	c->CASAuthoritative = (add->CASAuthoritative != CAS_DEFAULT_AUTHORITATIVE ? add->CASAuthoritative : base->CASAuthoritative);
+#endif
 	c->CASAttributeDelimiter = (apr_strnatcasecmp(add->CASAttributeDelimiter, CAS_DEFAULT_ATTRIBUTE_DELIMITER) != 0 ? add->CASAttributeDelimiter : base->CASAttributeDelimiter);
 	c->CASAttributePrefix = (apr_strnatcasecmp(add->CASAttributePrefix, CAS_DEFAULT_ATTRIBUTE_PREFIX) != 0 ? add->CASAttributePrefix : base->CASAttributePrefix);
 
@@ -375,6 +378,7 @@ const char *cfg_readCASParameter(cmd_parms *cmd, void *cfg, const char *value)
 			else
 				return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Invalid argument to CASSSOEnabled - must be 'On' or 'Off'"));
 		break;
+#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
 		case cmd_authoritative:
 			if(apr_strnatcasecmp(value, "On") == 0)
 				c->CASAuthoritative = TRUE;
@@ -383,6 +387,7 @@ const char *cfg_readCASParameter(cmd_parms *cmd, void *cfg, const char *value)
 			else
 				return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Invalid argument to CASAuthoritative - must be 'On' or 'Off'"));
 		break;
+#endif
 		default:
 			/* should not happen */
 			return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: invalid command '%s'", cmd->directive->directive));
@@ -2290,7 +2295,52 @@ int cas_match_attribute(const char *const attr_spec, const cas_saml_attr *const
 	}
 	return CAS_ATTR_NO_MATCH;
 }
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
 
+authz_status cas_check_authorization(request_rec *r,
+						const char *require_line,
+						const void *parsed_require_line)
+{
+	const cas_cfg *const c = ap_get_module_config(r->server->module_config, &auth_cas_module);
+	const cas_saml_attr *const attrs = cas_get_attributes(r);
+
+	const char *t, *w;
+	unsigned int count_casattr = 0;
+
+	if(c->CASDebug)
+		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+			      "Entering cas_check_authorization.");
+
+	t = require_line;
+	while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+		count_casattr++;
+		if (cas_match_attribute(w, attrs, r) == CAS_ATTR_MATCH) {
+			/* If *any* attribute matches, then
+			 * authorization has succeeded and all
+			 * of the others are ignored. */
+			if(c->CASDebug)
+				ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+					      "Require cas-attribute "
+					      "'%s' matched", w);
+			return AUTHZ_GRANTED;
+		}
+	}
+
+	if (count_casattr == 0) {
+		if(c->CASDebug)	
+			ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+				      "'Require cas-attribute' missing specification(s) in configuration. Declining.");
+	}
+	return AUTHZ_DENIED;
+}
+
+static const authz_provider authz_cas_provider =
+{
+	&cas_check_authorization,
+	NULL,
+};
+
+#else
 
 /* CAS authorization module, code adopted from Nick Kew's Apache Modules Book, 2007, p. 190f */
 int cas_authorize(request_rec *r)
@@ -2304,11 +2354,13 @@ int cas_authorize(request_rec *r)
 		ap_get_module_config(r->server->module_config,
 				     &auth_cas_module);
 
-	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+	if(c->CASDebug)
+		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 		      "Entering cas_authorize.");
 
 	if (!reqs_arr) {
-		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+		if(c->CASDebug)
+			ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 			      "No require statements found, "
 			      "so declining to perform authorization.");
 		return DECLINED;
@@ -2368,7 +2420,8 @@ int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const
 			token = ap_getword_conf(r->pool, &requirement);
 			count_casattr++;
 
-			ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+			if(c->CASDebug)
+				ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 				     "Evaluating attribute specification: %s",
 				     token);
 
@@ -2378,7 +2431,8 @@ int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const
 				/* If *any* attribute matches, then
 				 * authorization has succeeded and all
 				 * of the others are ignored. */
-				ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+				if(c->CASDebug)
+					ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 					      "Require cas-attribute "
 					      "'%s' matched", token);
 				return OK;
@@ -2390,7 +2444,8 @@ int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const
 	 * we're irrelevant.
 	 */
 	if (!have_casattr) {
-		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+		if(c->CASDebug)
+			ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 			      "No cas-attribute statements found. "
                               "Not performing authZ.");
 		return DECLINED;
@@ -2399,29 +2454,34 @@ int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const
 	 * that's cause to warn the admin of an iffy configuration.
 	 */
 	if (count_casattr == 0) {
-		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+		if(c->CASDebug)
+			ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
 			      "'Require cas-attribute' missing specification(s) in configuration. Declining.");
 		return DECLINED;
 	}
 
 	/* If we're not authoritative, hand over to other authz modules */
 	if (!c->CASAuthoritative) {
-		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+		if(c->CASDebug)
+			ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 			      "Authorization failed, but we are not "
 			      "authoritative, thus handing over to other "
 			      "module(s).");
 		return DECLINED;
 	}
 
 	/* OK, our decision is final and binding */
-	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+	if(c->CASDebug)
+		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 		      "Authorization denied for client session");
 
 	ap_note_auth_failure(r);
 
 	return HTTP_UNAUTHORIZED;
 }
 
+#endif
+
 #if (defined(OPENSSL_THREADS) && APR_HAS_THREADS)
 
 /* shamelessly based on code from mod_ssl */
@@ -2640,12 +2700,25 @@ apr_status_t cas_in_filter(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode
 
 void cas_register_hooks(apr_pool_t *p)
 {
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
+	ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "cas-attribute",
+		AUTHZ_PROVIDER_VERSION,
+		&authz_cas_provider, AP_AUTH_INTERNAL_PER_CONF);
+#else
 	/* make sure we run before mod_authz_user so that a "require valid-user"
-         *  directive doesn't just automatically pass us. */
+	 *  directive doesn't just automatically pass us. */
 	static const char *const authzSucc[] = { "mod_authz_user.c", NULL };
+	ap_hook_auth_checker(cas_authorize, NULL, authzSucc, APR_HOOK_MIDDLE);
+#endif
 
-	ap_hook_post_config(cas_post_config, NULL, NULL, APR_HOOK_LAST);
-#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
+	ap_hook_check_access(
+		cas_authenticate,
+		NULL,
+		NULL,
+		APR_HOOK_MIDDLE,
+		AP_AUTH_INTERNAL_PER_URI);
+#elif MODULE_MAGIC_NUMBER_MAJOR >= 20100714
 	ap_hook_check_access_ex(
 		cas_authenticate,
 		NULL,
@@ -2655,7 +2728,7 @@ void cas_register_hooks(apr_pool_t *p)
 #else
 	ap_hook_check_user_id(cas_authenticate, NULL, NULL, APR_HOOK_MIDDLE);
 #endif
-ap_hook_auth_checker(cas_authorize, NULL, authzSucc, APR_HOOK_MIDDLE);
+	ap_hook_post_config(cas_post_config, NULL, NULL, APR_HOOK_LAST);
 	ap_register_input_filter("CAS", cas_in_filter, NULL, AP_FTYPE_RESOURCE);
 }
 
@@ -2696,8 +2769,9 @@ const command_rec cas_cmds [] = {
 	AP_INIT_TAKE1("CASRootProxiedAs", cfg_readCASParameter, (void *) cmd_root_proxied_as, RSRC_CONF, "URL used to access the root of the virtual server (only needed when the server is proxied)"),
  	AP_INIT_TAKE1("CASScrubRequestHeaders", ap_set_string_slot, (void *) APR_OFFSETOF(cas_dir_cfg, CASScrubRequestHeaders), ACCESS_CONF, "Scrub CAS user name and SAML attribute headers from the user's request."),
 	/* authorization options */
+#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
 	AP_INIT_TAKE1("CASAuthoritative", cfg_readCASParameter, (void *) cmd_authoritative, RSRC_CONF, "Set 'On' to reject if access isn't allowed based on our rules; 'Off' (default) to allow checking against other modules too."),
-
+#endif
 	AP_INIT_TAKE1(0, 0, 0, 0, 0)
 };
 

src/mod_auth_cas.h

@@ -45,6 +45,10 @@
 #define LIBCURL_NO_CURLPROTO
 #endif
 
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
+#include "mod_auth.h"
+#endif
+
 #include "cas_saml_attr.h"
 
 #ifndef AP_SERVER_MAJORVERSION_NUMBER
@@ -231,8 +235,12 @@ const cas_saml_attr *cas_get_attributes(request_rec *r);
 int cas_match_attribute(const char *const attr_spec, const cas_saml_attr *const attributes, struct request_rec *r);
 
 /* Authorization check */
+#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
 int cas_authorize(request_rec *r);
 int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const require_line *const reqs, int nelts, const cas_cfg *const c);
+#else
+authz_status cas_check_authorization(request_rec *r, const char *require_line, const void *parsed_require_line);
+#endif
 
 /* Fancy wrapper around flock() */
 int cas_flock(apr_file_t *fileHandle, int lockOperation, request_rec *r);

tests/ap_stubs.c

@@ -58,6 +58,19 @@ AP_DECLARE(int) ap_is_initial_req(request_rec *r) {
   return 0;
 }
 
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
+
+AP_DECLARE(void) ap_log_error_(const char *file, int line, int module_index,
+                               int level, apr_status_t status,
+                               const server_rec *s, const char *fmt, ...) {
+}
+
+AP_DECLARE(void) ap_log_rerror(const char *file, int line, int module_index,
+                               int level, apr_status_t status,
+                               const request_rec *r, const char *fmt, ...) {
+}
+#else
+
 AP_DECLARE(void) ap_log_error(const char *file, int line, int level,
                               apr_status_t status, const server_rec *s,
                               const char *fmt, ...) {
@@ -69,6 +82,7 @@ AP_DECLARE(void) ap_log_rerror(const char *file, int line, int level,
                               const char *fmt, ...) {
 
 }
+#endif
 
 AP_DECLARE(char *) ap_md5_binary(apr_pool_t *a, const unsigned char *buf,
                                  int len)
@@ -208,6 +222,24 @@ AP_DECLARE(char *) ap_getword_conf(apr_pool_t *p, const char **line) {
     return res;
 }
 
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
+
+AP_DECLARE(void) ap_hook_check_access(ap_HOOK_access_checker_t *pf,
+                                      const char * const *aszPre,
+                                      const char * const *aszSucc,
+                                      int nOrder, int type) {
+}
+
+AP_DECLARE(apr_status_t) ap_register_auth_provider(apr_pool_t *pool,
+                                                   const char *provider_group,
+                                                   const char *provider_name,
+                                                   const char *provider_version,
+                                                   const void *provider,
+                                                   int type) {
+  return APR_SUCCESS;
+}
+#else
+
 AP_DECLARE(void) ap_note_auth_failure(request_rec *r) {
 
   return;
@@ -217,3 +249,4 @@ AP_DECLARE(const apr_array_header_t *) ap_requires(request_rec *r) {
 
   return NULL;
 }
+#endif