
Commit 06473fa

author
Bradley Nicholes
committed
re-introduce ap_satisfies API back into core and modify how the access_checker, check_user_id and auth_checker hooks are called so that they respect the precedence that is set through the satisfy ALL/ANY directive. This also restores the directives order, allow, deny, satisfy as supported directives rather than being deprecated. These directives still remain in mod_access_compat however.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@534533 13f79535-47bb-0310-9956-ffa450edef68
1 parent 938cb0e commit 06473fa

7 files changed

Lines changed: 82 additions & 52 deletions


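--- a/include/http_core.h
+++ b/include/http_core.h
@@ -114,6 +114,13 @@ extern "C" {
 
 /** @} // get_remote_host */
 
+/** all of the requirements must be met */
+#define SATISFY_ALL 0
+/** any of the requirements must be met */
+#define SATISFY_ANY 1
+/** There are no applicable satisfy lines */
+#define SATISFY_NOSPEC 2
+
 /** Make sure we don't write less than 8000 bytes at any one time.
 */
 #define AP_MIN_BYTES_TO_WRITE 8000
@@ -287,6 +294,18 @@ AP_DECLARE(const char *) ap_auth_type(request_rec *r);
 */
 AP_DECLARE(const char *) ap_auth_name(request_rec *r);
 
+/**
+* How the requires lines must be met.
+* @param r The current request
+* @return How the requirements must be met. One of:
+* <pre>
+* SATISFY_ANY -- any of the requirements must be met.
+* SATISFY_ALL -- all of the requirements must be met.
+* SATISFY_NOSPEC -- There are no applicable satisfy lines
+* </pre>
+*/
+AP_DECLARE(int) ap_satisfies(request_rec *r);
+
 #ifdef CORE_PRIVATE
 
 /**
@@ -649,13 +668,20 @@ APR_DECLARE_OPTIONAL_FN(const char *, ap_ident_lookup,
 
 /* ----------------------------------------------------------------------
 *
-* authorization values with mod_authz_host
+* authorization values with mod_authz_core
 */
 
 APR_DECLARE_OPTIONAL_FN(int, authz_some_auth_required, (request_rec *r));
 APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_type, (request_rec *r));
 APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_name, (request_rec *r));
 
+/* ----------------------------------------------------------------------
+*
+* authorization values with mod_access_compat
+*/
+
+APR_DECLARE_OPTIONAL_FN(int, access_compat_ap_satisfies, (request_rec *r));
+
 /* ---------------------------------------------------------------------- */
 
 #ifdef __cplusplus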
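Review bot: The doc comment added above `AP_DECLARE(int) ap_satisfies(request_rec *r);` does not say what a caller gets when no module supplies an answer. Per the server/core.c part of this commit, the function returns SATISFY_NOSPEC when the `access_compat_ap_satisfies` optional function was not retrieved, so the list entry could read `SATISFY_NOSPEC -- There are no applicable satisfy lines, or mod_access_compat is not loaded`. The summary line also speaks of "requires lines" although the value appears to reflect the Satisfy setting; `How access control and the requires lines must be combined.` would be closer.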

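--- a/modules/aaa/mod_access_compat.c
+++ b/modules/aaa/mod_access_compat.c
@@ -98,10 +98,6 @@ static const char *order(cmd_parms *cmd, void *dv, const char *arg)
 access_compat_dir_conf *d = (access_compat_dir_conf *) dv;
 int i, o;
 
-ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
-"The 'Order' directive has been deprecated. "
-"Consider using '<SatisfyAll><SatisfyOne>' directives.");
-
 if (!strcasecmp(arg, "allow,deny"))
 o = ALLOW_THEN_DENY;
 else if (!strcasecmp(arg, "deny,allow"))
@@ -124,10 +120,6 @@ static const char *satisfy(cmd_parms *cmd, void *dv, const char *arg)
 int satisfy = SATISFY_NOSPEC;
 int i;
 
-ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
-"The 'Satisfy' directive has been deprecated. "
-"Consider using '<SatisfyAll><SatisfyOne>' directives.");
-
 if (!strcasecmp(arg, "all")) {
 satisfy = SATISFY_ALL;
 }
@@ -157,10 +149,6 @@ static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
 char msgbuf[120];
 apr_status_t rv;
 
-ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
-"The 'Allow/Deny' directives have been deprecated. "
-"Consider using one of the host providers in mod_authz_host.");
-
 if (strcasecmp(from, "from"))
 return "allow and deny must be followed by 'from'";
 
@@ -307,7 +295,7 @@ static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
 return 0;
 }
 
-static int ap_satisfies(request_rec *r)
+static int access_compat_ap_satisfies(request_rec *r)
 {
 access_compat_dir_conf *conf = (access_compat_dir_conf *)
 ap_get_module_config(r->per_dir_config, &access_compat_module);
@@ -354,9 +342,9 @@ static int check_dir_access(request_rec *r)
 }
 else {
 apr_table_setn(r->notes, AUTHZ_ACCESS_PASSED_NOTE, "N");
-/* If Satisfy is Any and authorization is required, then
+/* If Satisfy is not Any and authorization is required, then
 defer to the authorization stage */
-if ((ap_satisfies(r) == SATISFY_ANY) && ap_some_auth_required(r)) {
+if ((access_compat_ap_satisfies(r) != SATISFY_ANY) && ap_some_auth_required(r)) {
 ret = OK;
 }
 }
@@ -373,7 +361,7 @@ static int check_dir_access(request_rec *r)
 
 static void register_hooks(apr_pool_t *p)
 {
-APR_REGISTER_OPTIONAL_FN(ap_satisfies);
+APR_REGISTER_OPTIONAL_FN(access_compat_ap_satisfies);
 
 /* This can be access checker since we don't require r->user to be set. */
 ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);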
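Review bot: In check_dir_access the new condition `if ((access_compat_ap_satisfies(r) != SATISFY_ANY) && ap_some_auth_required(r))` turns a host denial into `ret = OK` exactly when Satisfy is All or unspecified, which reads as the opposite of what Satisfy All is meant to enforce. With the server/request.c change in this commit, an OK from the access checker on that path continues straight to check_user_id and auth_checker, so the denial survives only if a later hook acts on the `AUTHZ_ACCESS_PASSED_NOTE` value "N", and no such consumer is visible in these hunks. Because request.c now runs the authentication and authorization hooks itself when the access checker fails under Satisfy Any, the override looks unnecessary; consider dropping it so `ret` is returned unchanged, or add a comment naming the hook that enforces the note. check_dir_access starts and ends outside the hunk.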

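--- a/modules/aaa/mod_auth.h
+++ b/modules/aaa/mod_auth.h
@@ -47,20 +47,17 @@ extern "C" {
 #define AUTHN_PREFIX "AUTHENTICATE_"
 
 /** all of the requirements must be met */
+#ifndef SATISFY_ALL
 #define SATISFY_ALL 0
+#endif
 /** any of the requirements must be met */
+#ifndef SATISFY_ANY
 #define SATISFY_ANY 1
+#endif
 /** There are no applicable satisfy lines */
+#ifndef SATISFY_NOSPEC
 #define SATISFY_NOSPEC 2
-
-APR_DECLARE_OPTIONAL_FN(int, ap_satisfies, (request_rec *r));
-
-/* If your module uses ap_satisfies then you MUST add the line
-* below to your module for it to work correctly:
-* APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
-* and retrieve the optional function in the optional_fn_retrieve hook.
-* (See mod_authz_core.c for an example)
-*/
+#endif
 
 typedef enum {
 AUTH_DENIED,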
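Review bot: The SATISFY_* constants are now defined both here and in include/http_core.h, and the `#ifndef` guards added here mean a future mismatch between the two copies would be masked silently instead of surfacing as a macro redefinition diagnostic. Since these values steer access-control decisions, a single definition is safer: if mod_auth.h can rely on http_core.h, drop the three guarded `#define`s here in favour of `#include "http_core.h"`. Whether every includer of mod_auth.h already pulls in http_core.h is not visible in this hunk.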

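--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -711,8 +711,6 @@ static authz_status check_provider_list (request_rec *r, authz_provider_list *cu
 return auth_result;
 }
 
-APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
-
 static int authorize_user(request_rec *r)
 {
 authz_core_dir_conf *conf = ap_get_module_config(r->per_dir_config,
@@ -805,17 +803,11 @@ static int authz_some_auth_required(request_rec *r)
 return req_authz;
 }
 
-static void ImportAuthzCoreOptFn(void)
-{
-ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
-}
-
 static void register_hooks(apr_pool_t *p)
 {
 APR_REGISTER_OPTIONAL_FN(authz_some_auth_required);
 
 ap_hook_auth_checker(authorize_user, NULL, NULL, APR_HOOK_MIDDLE);
-ap_hook_optional_fn_retrieve(ImportAuthzCoreOptFn,NULL,NULL,APR_HOOK_MIDDLE);
 }
 
 module AP_MODULE_DECLARE_DATA authz_core_module =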

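--- a/modules/aaa/mod_authz_default.c
+++ b/modules/aaa/mod_authz_default.c
@@ -52,8 +52,6 @@ static const command_rec authz_default_cmds[] =
 
 module AP_MODULE_DECLARE_DATA authz_default_module;
 
-static APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
-
 static int check_user_access(request_rec *r)
 {
 authz_default_config_rec *conf = ap_get_module_config(r->per_dir_config,
@@ -89,15 +87,9 @@ static int check_user_access(request_rec *r)
 return HTTP_UNAUTHORIZED;
 }
 
-static void ImportAuthzDefOptFn(void)
-{
-ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
-}
-
 static void register_hooks(apr_pool_t *p)
 {
 ap_hook_auth_checker(check_user_access,NULL,NULL,APR_HOOK_LAST);
-ap_hook_optional_fn_retrieve(ImportAuthzDefOptFn,NULL,NULL,APR_HOOK_MIDDLE);
 }
 
 module AP_MODULE_DECLARE_DATA authz_default_module =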

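--- a/server/core.c
+++ b/server/core.c
@@ -645,7 +645,8 @@ AP_DECLARE(int) ap_allow_overrides(request_rec *r)
 }
 
 /*
-* Optional function coming from mod_ident, used for looking up ident user
+* Optional function coming from mod_authn_core, used for
+* retrieving the type of autorization
 */
 static APR_OPTIONAL_FN_TYPE(authn_ap_auth_type) *authn_ap_auth_type;
 
@@ -658,7 +659,8 @@ AP_DECLARE(const char *) ap_auth_type(request_rec *r)
 }
 
 /*
-* Optional function coming from mod_ident, used for looking up ident user
+* Optional function coming from mod_authn_core, used for
+* retrieving the authorization realm
 */
 static APR_OPTIONAL_FN_TYPE(authn_ap_auth_name) *authn_ap_auth_name;
 
@@ -670,6 +672,20 @@ AP_DECLARE(const char *) ap_auth_name(request_rec *r)
 return NULL;
 }
 
+/*
+* Optional function coming from mod_access_compat, used to determine how
+access control interacts with authentication/authorization
+*/
+static APR_OPTIONAL_FN_TYPE(access_compat_ap_satisfies) *access_compat_ap_satisfies;
+
+AP_DECLARE(int) ap_satisfies(request_rec *r)
+{
+if (access_compat_ap_satisfies) {
+return access_compat_ap_satisfies(r);
+}
+return SATISFY_NOSPEC;
+}
+
 AP_DECLARE(const char *) ap_default_type(request_rec *r)
 {
 core_dir_config *conf;
@@ -3646,6 +3662,7 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
 authz_ap_some_auth_required = APR_RETRIEVE_OPTIONAL_FN(authz_some_auth_required);
 authn_ap_auth_type = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_type);
 authn_ap_auth_name = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_name);
+access_compat_ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(access_compat_ap_satisfies);
 
 set_banner(pconf);
 ap_setup_make_content_type(pconf);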
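Review bot: The two rewritten comments above `authn_ap_auth_type` and `authn_ap_auth_name` misdescribe what they introduce: "autorization" is misspelled, and both optional functions are attributed to mod_authn_core and wrapped by ap_auth_type() and ap_auth_name(), so they concern authentication rather than authorization. Suggested wording for the second comment lines is `* retrieving the authentication type` and `* retrieving the authentication realm`. Keeping the authentication/authorization terms exact matters in this file because the same commit adds `ap_satisfies`, whose result decides how the two stages are combined.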

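--- a/server/request.c
+++ b/server/request.c
@@ -183,18 +183,36 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
 r->ap_auth_type = r->prev->ap_auth_type;
 }
 else {
-if ((access_status = ap_run_access_checker(r)) != OK) {
-return decl_die(access_status, "check access", r);
-}
+switch (ap_satisfies(r)) {
+case SATISFY_ALL:
+case SATISFY_NOSPEC:
+if ((access_status = ap_run_access_checker(r)) != OK) {
+return decl_die(access_status, "check access", r);
+}
 
-if ((access_status = ap_run_check_user_id(r)) != OK) {
-return decl_die(access_status, "check user", r);
-}
+if ((access_status = ap_run_check_user_id(r)) != OK) {
+return decl_die(access_status, "check user", r);
+}
+
+if ((access_status = ap_run_auth_checker(r)) != OK) {
+return decl_die(access_status, "check authorization", r);
+}
+break;
+case SATISFY_ANY:
+if ((access_status = ap_run_access_checker(r)) != OK) {
 
-if ((access_status = ap_run_auth_checker(r)) != OK) {
-return decl_die(access_status, "check authorization", r);
+if ((access_status = ap_run_check_user_id(r)) != OK) {
+return decl_die(access_status, "check user", r);
+}
+
+if ((access_status = ap_run_auth_checker(r)) != OK) {
+return decl_die(access_status, "check authorization", r);
+}
+}
+break;
 }
 
+
 }
 /* XXX Must make certain the ap_run_type_checker short circuits mime
 * in mod-proxy for r->proxyreq && r->parsed_uri.scheme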
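Review bot: The new `switch (ap_satisfies(r))` has no `default:`, so any return value other than the three SATISFY_* constants skips ap_run_access_checker, ap_run_check_user_id and ap_run_auth_checker altogether and the request continues unchecked. The value ultimately comes from an optional function supplied by another module, so the switch should fail closed: add `default:` alongside `case SATISFY_ALL:` and `case SATISFY_NOSPEC:` so that an unexpected value takes the strict path. In the `SATISFY_ANY` branch the access checker's status is overwritten by the later hooks, and a short comment there stating that the host denial is deliberately superseded by a successful authentication and authorization would make the intent reviewable. ap_process_request_internal starts and ends outside the hunk.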
