Hello community,
here is the log from the commit of package apache2-mod_auth_openidc for
openSUSE:Factory checked in at 2020-11-26 23:13:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc"
Thu Nov 26 23:13:46 2020 rev:13 rq:850781 version:2.4.5
Changes:
--------
---
/work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes
2020-09-10 22:55:14.280411737 +0200
+++
/work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.5913/apache2-mod_auth_openidc.changes
2020-11-26 23:15:01.081019325 +0100
@@ -1,0 +2,29 @@
+Mon Nov 23 19:50:22 UTC 2020 - Michael Ströder <[email protected]>
+
+- Update to version 2.4.5
+ * Features
+ - disable caching token introspection results by setting
+ OIDCOAuthTokenIntrospectionInterval to -1
+ - add exec support to OIDCCryptoPassphrase
+ - delete stale session cookies that aren't in the cache
+ - allow OIDCDiscoverURL to be a relative URL
+ - add OIDCCABundlePath for configuring path to curl CA bundle
+ * Bugfixes
+ - enable authentication of sub-requests when the main request
+ doesn't require authentication
+ - fix content processing for info and JWKs handler so mod_headers etc.
+ work; closes #497
+ - avoid Apache 2.4 appending 401 HTML document text to step-up
+ authentication HTML refresh page; closes #484
+ - add config check for OIDCCryptoPassphrase in OAuth 2.0 RS setup with
+ cache encryption enabled
+ - populate AUTH_TYPE when performing authentication
+ - improve sanity checking on Redis reply
+ * Security
+ - ensure that sub is returned from the userinfo endpoint following
+ https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse;
+ prevents potential ID spoofing
+ - don't printout JSON errors about NULL characters in error log
+ - restrict printout of JSON parsing errors to 4096 bytes
+
+-------------------------------------------------------------------
Old:
----
apache2-mod_auth_openidc-2.4.4.1.tar.gz
New:
----
apache2-mod_auth_openidc-2.4.5.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.wOirHw/_old 2020-11-26 23:15:01.781019902 +0100
+++ /var/tmp/diff_new_pack.wOirHw/_new 2020-11-26 23:15:01.785019905 +0100
@@ -19,7 +19,7 @@
%define apxs %{_sbindir}/apxs2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
Name: apache2-mod_auth_openidc
-Version: 2.4.4.1
+Version: 2.4.5
Release: 0
Summary: Apache2.x module for an OpenID Connect enabled Identity
Provider
License: Apache-2.0
++++++ apache2-mod_auth_openidc-2.4.4.1.tar.gz ->
apache2-mod_auth_openidc-2.4.5.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/.travis.yml
new/mod_auth_openidc-2.4.5/.travis.yml
--- old/mod_auth_openidc-2.4.4.1/.travis.yml 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/.travis.yml 2020-11-23 09:53:27.000000000
+0100
@@ -1,7 +1,5 @@
language: c
-dist: trusty
-
arch:
- amd64
- ppc64le
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/AUTHORS
new/mod_auth_openidc-2.4.5/AUTHORS
--- old/mod_auth_openidc-2.4.4.1/AUTHORS 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/AUTHORS 2020-11-23 09:53:27.000000000 +0100
@@ -64,3 +64,5 @@
Bryan Ingram <https://github/bcingram>
Tim Deisser <https://github.com/deisser>
Peter Hurtenbach <https://github.com/Peter0x48>
+ Paul Spangler <https://github.com/spanglerco>
+ Chris Pawling <https://github.com/chris468>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/ChangeLog
new/mod_auth_openidc-2.4.5/ChangeLog
--- old/mod_auth_openidc-2.4.4.1/ChangeLog 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/ChangeLog 2020-11-23 09:53:27.000000000
+0100
@@ -1,3 +1,52 @@
+11/23/2020
+- release 2.4.5
+
+11/19/2020
+- ensure that "sub" is returned from the userinfo endpoint following
https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
+ prevents potential ID spoofing; thanks Christian Fries of Ruhr-University
Bochum
+- don't printout JSON errors about NULL characters in error log; thanks
Christian Fries of Ruhr-University Bochum
+- restrict printout of JSON parsing errors to 4096 bytes; thanks Christian
Fries of Ruhr-University Bochum
+- bump to 2.4.5rc6
+
+11/5/2020
+- fix content processing for info and JWKs handler so mod_headers etc. works;
closes #497
+- bump to 2.4.5rc5
+
+11/2/2020
+- improve sanity checking on Redis reply
+- bump to 2.4.5rc4
+
+10/30/2020
+- disable caching token introspection results by setting
OIDCOAuthTokenIntrospectionInterval to -1; thanks @wadahiro
+- bump to 2.4.5rc3
+
+10/27/2020
+- config check on OIDCCryptoPassphrase in OAuth 2.0 RS setup with cache
encryption enabled
+- bump to 2.4.5rc2
+
+10/22/2020
+- hash define expression option to OIDCUnAuthAction so it compiles for Apache
2.2; fixes 1461634
+- bump to 2.4.5rc1
+- add exec support to OIDCCryptoPassphrase
+
+10/19/2020
+- delete stale session cookies that aren't in the cache
+- allow OIDCDiscoverURL to be a relative URL
+
+10/08/2020
+- add OIDCCABundlePath for configuring path to curl CA bundle
+
+09/22/2020
+- avoid Apache 2.4 appending 401 HTML document text to step-up authentication
HTML refresh page; closes #484
+- bump to 2.4.5rc0
+
+09/21/2020
+- populate AUTH_TYPE when performing authentication; thanks @spanglerco
+
+09/19/2020
+- enable authentication of sub-requests when the main request doesn't require
+ authentication; thanks @spanglerco
+
09/03/2020
- add SameSite attribute on cookie clearance / logout; thanks @v0gler
- bump to 2.4.4.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/auth_openidc.conf
new/mod_auth_openidc-2.4.5/auth_openidc.conf
--- old/mod_auth_openidc-2.4.4.1/auth_openidc.conf 2020-09-03
16:52:30.000000000 +0200
+++ new/mod_auth_openidc-2.4.5/auth_openidc.conf 2020-11-23
09:53:27.000000000 +0100
@@ -17,7 +17,11 @@
# - encryption of the (temporary) state cookie
# - encryption of cache entries, that may include the session cookie, see:
OIDCCacheEncrypt and OIDCSessionType
# Note that an encrypted cache mechanism can be shared between servers if they
use the same OIDCCryptoPassphrase
+# If the value begins with exec: the resulting command will be executed and the
+# first line returned to standard output by the program will be used as the
+# password. The command may be absolute or relative to the web server root.
#OIDCCryptoPassphrase <passphrase>
+#OIDCCryptoPassphrase "exec:/path/to/otherProgram argument1"
#
# All other entries below this are optional though some may be required in a
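Review bot: the new comment on the exec: form does not say how the command string is interpreted. The handler added in src/config.c splits it with apr_tokenize_to_argv and hands the resulting argv to ap_get_exec_line, so the comment should state that the value is an argument list, that shell syntax (pipes, redirects, variable expansion) should not be expected to work, and that a failing command aborts configuration with "Unable to get passphrase from exec of ...".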
@@ -380,7 +384,9 @@
# to be refreshed by introspecting (and validating) it again against the
Authorization Server.
# (can be configured on a per-path basis)
# When not defined the value is 0, which means it only expires after the `exp`
(or alternative,
-# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server
+# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server.
+# When set to -1, caching of the introspection results is disabled and the
token will be introspected
+# on each request presenting it.
#OIDCOAuthTokenIntrospectionInterval <seconds>
# Require a valid SSL server certificate when communicating with the
Authorization Server
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/configure.ac
new/mod_auth_openidc-2.4.5/configure.ac
--- old/mod_auth_openidc-2.4.4.1/configure.ac 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/configure.ac 2020-11-23 09:53:27.000000000
+0100
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.4.1],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.5],[[email protected]])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/src/cache/redis.c
new/mod_auth_openidc-2.4.5/src/cache/redis.c
--- old/mod_auth_openidc-2.4.4.1/src/cache/redis.c 2020-09-03
16:52:30.000000000 +0200
+++ new/mod_auth_openidc-2.4.5/src/cache/redis.c 2020-11-23
09:53:27.000000000 +0100
@@ -291,10 +291,17 @@
goto end;
}
+ if (reply->type != REDIS_REPLY_STRING) {
+ oidc_error(r, "redisCommand reply type is not string: %d",
reply->type);
+ goto end;
+ }
+
/* do a sanity check on the returned value */
- if (reply->len != strlen(reply->str)) {
- oidc_error(r, "redisCommand reply->len != strlen(reply->str):
'%s'",
- reply->str);
+ if ((reply->str == NULL)
+ || (reply->len != strlen(reply->str))) {
+ oidc_error(r,
+ "redisCommand reply->len (%d) !=
strlen(reply->str): '%s'",
+ (int )reply->len, reply->str);
goto end;
}
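Review bot: in the combined sanity check, the error branch is also taken when reply->str is NULL, and it then passes reply->str to the '%s' in oidc_error. Split the two conditions so the NULL case logs its own message without formatting the string, and print reply->len with a format that matches its type instead of going through the (int) cast.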
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/src/config.c
new/mod_auth_openidc-2.4.5/src/config.c
--- old/mod_auth_openidc-2.4.4.1/src/config.c 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/src/config.c 2020-11-23 09:53:27.000000000
+0100
@@ -277,6 +277,7 @@
#define OIDCStateInputHeaders "OIDCStateInputHeaders"
#define OIDCRedirectURLsAllowed "OIDCRedirectURLsAllowed"
#define OIDCStateCookiePrefix "OIDCStateCookiePrefix"
+#define OIDCCABundlePath "OIDCCABundlePath"
extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
@@ -289,7 +290,9 @@
char *cookie;
char *authn_header;
int unauth_action;
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
ap_expr_info_t *unauth_expression;
+#endif
int unautz_action;
apr_array_header_t *pass_cookies;
apr_array_header_t *strip_cookies;
@@ -372,12 +375,10 @@
}
/*
- * set a relative or absolute URL value in the server config
+ * set a relative or absolute URL value in a config rec
*/
-static const char *oidc_set_relative_or_absolute_url_slot(cmd_parms *cmd,
- void *ptr, const char *arg) {
- oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(
- cmd->server->module_config, &auth_openidc_module);
+static const char *oidc_set_relative_or_absolute_url_slot_dir_cfg(
+ cmd_parms *cmd, void *ptr, const char *arg) {
if (arg[0] == OIDC_CHAR_FORWARD_SLASH) {
// relative uri
apr_uri_t uri;
@@ -386,20 +387,22 @@
"cannot parse '%s' as relative URI",
arg);
return OIDC_CONFIG_DIR_RV(cmd, rv);
} else {
- return ap_set_string_slot(cmd, cfg, arg);
+ return ap_set_string_slot(cmd, ptr, arg);
}
} else {
// absolute uri
- return oidc_set_url_slot_type(cmd, cfg, arg, NULL);
+ return oidc_set_url_slot_type(cmd, ptr, arg, NULL);
}
}
/*
- * set a HTTPS/HTTP value in the directory config
+ * set a relative or absolute URL value in the server config
*/
-static const char *oidc_set_url_slot_dir_cfg(cmd_parms *cmd, void *ptr,
- const char *arg) {
- return oidc_set_url_slot_type(cmd, ptr, arg, NULL);
+static const char *oidc_set_relative_or_absolute_url_slot(cmd_parms *cmd,
+ void *ptr, const char *arg) {
+ oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(
+ cmd->server->module_config, &auth_openidc_module);
+ return oidc_set_relative_or_absolute_url_slot_dir_cfg(cmd, cfg, arg);
}
/*
@@ -416,6 +419,55 @@
}
/*
+ * set a path value in the server config, converting to absolute if necessary
+ */
+static const char *oidc_set_path_slot(cmd_parms *cmd, void *ptr, const char
*arg) {
+ oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(
+ cmd->server->module_config, &auth_openidc_module);
+ const char *full_path = oidc_util_get_full_path(cmd->pool, arg);
+ return ap_set_string_slot(cmd, cfg, full_path);
+}
+
+/*
+ * set a string value in the server config with exec support
+ */
+static const char *oidc_set_passphrase_slot(cmd_parms *cmd, void *struct_ptr,
+ const char *arg) {
+ int arglen = strlen(arg);
+ char **argv;
+ char *result;
+ const char *passphrase;
+ oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(
+ cmd->server->module_config, &auth_openidc_module);
+
+ /* Based on code from mod_session_crypto. */
+ if (arglen > 5 && strncmp(arg, "exec:", 5) == 0) {
+ if (apr_tokenize_to_argv(arg + 5, &argv, cmd->temp_pool) !=
APR_SUCCESS) {
+ return apr_pstrcat(cmd->pool,
+ "Unable to parse exec arguments from ", arg +
5, NULL);
+ }
+ argv[0] = ap_server_root_relative(cmd->temp_pool, argv[0]);
+
+ if (!argv[0]) {
+ return apr_pstrcat(cmd->pool,
+ "Invalid ", cmd->cmd->name, " exec location:",
arg + 5, NULL);
+ }
+ result = ap_get_exec_line(cmd->pool, argv[0], (const char *
const *)argv);
+
+ if (!result) {
+ return apr_pstrcat(cmd->pool,
+ "Unable to get passphrase from exec of ", arg +
5, NULL);
+ }
+
+ passphrase = result;
+ } else {
+ passphrase = arg;
+ }
+
+ return ap_set_string_slot(cmd, cfg, passphrase);
+}
+
+/*
* set the cookie domain in the server config and check it syntactically
*/
static const char *oidc_set_cookie_domain(cmd_parms *cmd, void *ptr,
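Review bot: in oidc_set_passphrase_slot only a NULL return from ap_get_exec_line is treated as failure, so if that call can return an empty string (a program whose first output line is empty), the empty string is stored as crypto_passphrase. Add a result[0] == '\0' check next to "if (!result)" and return a configuration error for it. The "arglen > 5" guard also means a bare "exec:" is silently taken as a literal passphrase, which deserves either a comment or an explicit error.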
@@ -927,9 +979,10 @@
static const char * oidc_set_unauth_action(cmd_parms *cmd, void *m,
const char *arg1, const char *arg2) {
oidc_dir_cfg *dir_cfg = (oidc_dir_cfg *) m;
- const char *expr_err = NULL;
const char *rv = oidc_parse_unauth_action(cmd->pool, arg1,
&dir_cfg->unauth_action);
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
+ const char *expr_err = NULL;
if ((rv == NULL) && (arg2 != NULL)) {
dir_cfg->unauth_expression = ap_expr_parse_cmd(cmd, arg2,
AP_EXPR_FLAG_DONT_VARY &
AP_EXPR_FLAG_RESTRICTED, &expr_err,
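Review bot: the ap_expr_parse_cmd call that now sits inside the #if passes "AP_EXPR_FLAG_DONT_VARY & AP_EXPR_FLAG_RESTRICTED". A bitwise AND of two distinct flag bits evaluates to 0, so neither flag would take effect; if both are intended this should be "|". It is unchanged context in this hunk, but since the block is being touched it is a good moment to fix it.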
@@ -939,6 +992,7 @@
expr_err, NULL);
}
}
+#endif
return OIDC_CONFIG_DIR_RV(cmd, rv);
}
@@ -1343,6 +1397,8 @@
c->redirect_urls_allowed = NULL;
+ c->ca_bundle_path = NULL;
+
return c;
}
@@ -1818,6 +1874,10 @@
add->redirect_urls_allowed != NULL ?
add->redirect_urls_allowed :
base->redirect_urls_allowed;
+ c->ca_bundle_path =
+ add->ca_bundle_path != NULL ?
+ add->ca_bundle_path :
base->ca_bundle_path;
+
return c;
}
@@ -1847,7 +1907,9 @@
c->cookie_path = OIDC_CONFIG_STRING_UNSET;
c->authn_header = OIDC_CONFIG_STRING_UNSET;
c->unauth_action = OIDC_CONFIG_POS_INT_UNSET;
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
c->unauth_expression = NULL;
+#endif
c->unautz_action = OIDC_CONFIG_POS_INT_UNSET;
c->pass_cookies = NULL;
c->strip_cookies = NULL;
@@ -1855,7 +1917,7 @@
c->pass_info_in_env_vars = OIDC_CONFIG_POS_INT_UNSET;
c->oauth_accept_token_in = OIDC_CONFIG_POS_INT_UNSET;
c->oauth_accept_token_options = apr_hash_make(pool);
- c->oauth_token_introspect_interval = OIDC_CONFIG_POS_INT_UNSET;
+ c->oauth_token_introspect_interval = -2;
c->preserve_post = OIDC_CONFIG_POS_INT_UNSET;
c->pass_refresh_token = OIDC_CONFIG_POS_INT_UNSET;
c->path_auth_request_params = NULL;
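Review bot: the default for oauth_token_introspect_interval is now the bare literal -2, and the other hunks in this file test it with "<= -2" and ">= -1". Give the unset sentinel a named constant next to OIDC_CONFIG_POS_INT_UNSET and use it in all three places, so that -1 (caching disabled) and -2 (not configured) can be told apart without reading the ChangeLog.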
@@ -1950,7 +2012,7 @@
int oidc_cfg_token_introspection_interval(request_rec *r) {
oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
&auth_openidc_module);
- if (dir_cfg->oauth_token_introspect_interval ==
OIDC_CONFIG_POS_INT_UNSET)
+ if (dir_cfg->oauth_token_introspect_interval <= -2)
return OIDC_DEFAULT_TOKEN_INTROSPECTION_INTERVAL;
return dir_cfg->oauth_token_introspect_interval;
}
@@ -1979,11 +2041,12 @@
oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
&auth_openidc_module);
- int rc = 0;
- const char *err_str = NULL;
if (dir_cfg->unauth_action == OIDC_CONFIG_POS_INT_UNSET)
return OIDC_DEFAULT_UNAUTH_ACTION;
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
+ int rc = 0;
+ const char *err_str = NULL;
if (dir_cfg->unauth_expression == NULL)
return dir_cfg->unauth_action;
@@ -1995,12 +2058,19 @@
}
return (rc > 0) ? dir_cfg->unauth_action : OIDC_DEFAULT_UNAUTH_ACTION;
+#else
+ return dir_cfg->unauth_action;
+#endif
}
apr_byte_t oidc_dir_cfg_unauth_expr_is_set(request_rec *r) {
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
&auth_openidc_module);
return (dir_cfg->unauth_expression != NULL) ? TRUE : FALSE;
+#else
+ return FALSE;
+#endif
}
int oidc_dir_cfg_unautz_action(request_rec *r) {
@@ -2045,9 +2115,11 @@
c->unauth_action =
add->unauth_action != OIDC_CONFIG_POS_INT_UNSET ?
add->unauth_action :
base->unauth_action;
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
c->unauth_expression =
add->unauth_expression != NULL ?
add->unauth_expression :
base->unauth_expression;
+#endif
c->unautz_action =
add->unautz_action != OIDC_CONFIG_POS_INT_UNSET ?
add->unautz_action :
base->unautz_action;
@@ -2072,7 +2144,7 @@
add->oauth_accept_token_options :
base->oauth_accept_token_options;
c->oauth_token_introspect_interval =
- add->oauth_token_introspect_interval !=
OIDC_CONFIG_POS_INT_UNSET ?
+ add->oauth_token_introspect_interval >= -1 ?
add->oauth_token_introspect_interval :
base->oauth_token_introspect_interval;
c->preserve_post =
@@ -2226,6 +2298,9 @@
}
+ if ((c->cache_encrypt == 1) && (c->crypto_passphrase == NULL))
+ return oidc_check_config_error(s, OIDCCryptoPassphrase);
+
return OK;
}
@@ -2618,7 +2693,7 @@
void oidc_register_hooks(apr_pool_t *pool) {
ap_hook_post_config(oidc_post_config, NULL, NULL, APR_HOOK_LAST);
ap_hook_child_init(oidc_child_init, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_handler(oidc_content_handler, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_handler(oidc_content_handler, NULL, NULL, APR_HOOK_FIRST);
ap_hook_insert_filter(oidc_filter_in_insert_filter, NULL, NULL,
APR_HOOK_MIDDLE);
ap_register_input_filter(oidcFilterName, oidc_filter_in_filter, NULL,
@@ -2898,7 +2973,7 @@
RSRC_CONF,
"Specify an outgoing proxy for your network
(<host>[:<port>]."),
AP_INIT_TAKE1(OIDCCryptoPassphrase,
- oidc_set_string_slot,
+ oidc_set_passphrase_slot,
(void*)APR_OFFSETOF(oidc_cfg,
crypto_passphrase),
RSRC_CONF,
"Passphrase used for AES crypto on cookies and
state."),
@@ -3114,7 +3189,7 @@
"Name of a HTML error template: needs to
contain two \"%s\" characters, one for the error message, one for the
description."),
AP_INIT_TAKE1(OIDCDiscoverURL,
- oidc_set_url_slot_dir_cfg,
+ oidc_set_relative_or_absolute_url_slot_dir_cfg,
(void *)APR_OFFSETOF(oidc_dir_cfg,
discover_url),
RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
"Defines an external IDP Discovery page"),
@@ -3247,5 +3322,11 @@
RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
"Define the cookie prefix for the state
cookie."),
+ AP_INIT_TAKE1(OIDCCABundlePath,
+ oidc_set_path_slot,
+ (void *) APR_OFFSETOF(oidc_cfg, ca_bundle_path),
+ RSRC_CONF,
+ "Sets the path to the CA bundle to be used by
cURL."),
+
{ NULL }
};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/src/mod_auth_openidc.c
new/mod_auth_openidc-2.4.5/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.4.4.1/src/mod_auth_openidc.c 2020-09-03
16:52:30.000000000 +0200
+++ new/mod_auth_openidc-2.4.5/src/mod_auth_openidc.c 2020-11-23
09:53:27.000000000 +0100
@@ -935,7 +935,7 @@
oidc_util_set_cookie(r, cookieName, cookieValue, -1,
OIDC_COOKIE_SAMESITE_LAX(c));
- return HTTP_OK;
+ return OK;
}
/*
@@ -2453,7 +2453,7 @@
* and cryptographically bind it to the browser
*/
int rc = oidc_authorization_request_set_cookie(r, c, state,
proto_state);
- if (rc != HTTP_OK) {
+ if (rc != OK) {
oidc_proto_state_destroy(proto_state);
return rc;
}
@@ -3754,9 +3754,6 @@
int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
oidc_session_t *session) {
- /* track if the session needs to be updated/saved into the cache */
- apr_byte_t needs_save = FALSE;
-
if (oidc_proto_is_redirect_authorization_response(r, c)) {
/* this is an authorization response from the OP using the
Basic Client profile or a Hybrid flow*/
@@ -3787,9 +3784,13 @@
} else if (oidc_util_request_has_parameter(r,
OIDC_REDIRECT_URI_REQUEST_JWKS)) {
-
- /* handle JWKs request */
- return oidc_handle_jwks(r, c);
+ /*
+ * Will be handled in the content handler; avoid:
+ * No authentication done but request not allowed without
authentication
+ * by setting r->user
+ */
+ r->user = "";
+ return OK;
} else if (oidc_util_request_has_parameter(r,
OIDC_REDIRECT_URI_REQUEST_SESSION)) {
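Review bot: in the JWKs branch, r->user = ""; assigns a string literal to r->user purely to get past the "No authentication done but request not allowed without authentication" check. Any later hook or log format that treats a non-NULL r->user as an authenticated identity will see an empty user on this request, so state at the assignment that the value is a placeholder and not an identity, and allocate it from r->pool rather than pointing at a literal in case something downstream writes to it. The same assignment is repeated in the info branch in the next hunk.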
@@ -3821,12 +3822,13 @@
if (session->remote_user == NULL)
return HTTP_UNAUTHORIZED;
- /* set r->user, set headers/env-vars, update expiry, update
userinfo + AT */
- int rc = oidc_handle_existing_session(r, c, session,
&needs_save);
- if (rc != OK)
- return rc;
-
- return oidc_handle_info_request(r, c, session, needs_save);
+ /*
+ * Will be handled in the content handler; avoid:
+ * No authentication done but request not allowed without
authentication
+ * by setting r->user
+ */
+ r->user = "";
+ return OK;
} else if ((r->args == NULL) || (apr_strnatcmp(r->args, "") == 0)) {
@@ -3875,59 +3877,7 @@
}
/* check if this is a sub-request or an initial request */
- if (ap_is_initial_req(r)) {
-
- int rc = OK;
- apr_byte_t needs_save = FALSE;
-
- /* load the session from the request state; this will be a new
"empty" session if no state exists */
- oidc_session_t *session = NULL;
- oidc_session_load(r, &session);
-
- /* see if the initial request is to the redirect URI; this
handles potential logout too */
- if (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r,
c))) {
-
- /* handle request to the redirect_uri */
- rc = oidc_handle_redirect_uri_request(r, c, session);
-
- /* free resources allocated for the session */
- oidc_session_free(r, session);
-
- return rc;
-
- /* initial request to non-redirect URI, check if we
have an existing session */
- } else if (session->remote_user != NULL) {
-
- /* this is initial request and we already have a
session */
- rc = oidc_handle_existing_session(r, c, session,
&needs_save);
- if (rc == OK) {
-
- /* check if something was updated in the
session and we need to save it again */
- if (needs_save) {
- if (oidc_session_save(r, session,
FALSE) == FALSE) {
- oidc_warn(r, "error saving
session");
- rc = HTTP_INTERNAL_SERVER_ERROR;
- }
- }
- }
-
- /* free resources allocated for the session */
- oidc_session_free(r, session);
-
- /* strip any cookies that we need to */
- oidc_strip_cookies(r);
-
- return rc;
- }
-
- /* free resources allocated for the session */
- oidc_session_free(r, session);
-
- /*
- * else: initial request, we have no session and it is not an
authorization or
- * discovery response: just hit the default flow for
unauthenticated users
- */
- } else {
+ if (!ap_is_initial_req(r)) {
/* not an initial request, try to recycle what we've already
established in the main request */
if (r->main != NULL)
@@ -3966,10 +3916,61 @@
}
/*
* else: not initial request, but we could not find a session,
so:
- * just hit the default flow for unauthenticated users
+ * try to load a new session as if this were the initial request
*/
}
+ int rc = OK;
+ apr_byte_t needs_save = FALSE;
+
+ /* load the session from the request state; this will be a new "empty"
session if no state exists */
+ oidc_session_t *session = NULL;
+ oidc_session_load(r, &session);
+
+ /* see if the initial request is to the redirect URI; this handles
potential logout too */
+ if (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, c))) {
+
+ /* handle request to the redirect_uri */
+ rc = oidc_handle_redirect_uri_request(r, c, session);
+
+ /* free resources allocated for the session */
+ oidc_session_free(r, session);
+
+ return rc;
+
+ /* initial request to non-redirect URI, check if we have an
existing session */
+ } else if (session->remote_user != NULL) {
+
+ /* this is initial request and we already have a session */
+ rc = oidc_handle_existing_session(r, c, session, &needs_save);
+ if (rc == OK) {
+
+ /* check if something was updated in the session and we
need to save it again */
+ if (needs_save) {
+ if (oidc_session_save(r, session, FALSE) ==
FALSE) {
+ oidc_warn(r, "error saving session");
+ rc = HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+ }
+
+ /* free resources allocated for the session */
+ oidc_session_free(r, session);
+
+ /* strip any cookies that we need to */
+ oidc_strip_cookies(r);
+
+ return rc;
+ }
+
+ /* free resources allocated for the session */
+ oidc_session_free(r, session);
+
+ /*
+ * else: we have no session and it is not an authorization or
+ * discovery response: just hit the default flow for
unauthenticated users
+ */
+
return oidc_handle_unauthenticated_user(r, c);
}
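Review bot: the block moved out of the ap_is_initial_req(r) branch now also runs for sub-requests, but its comments still read "see if the initial request is to the redirect URI" and "this is initial request and we already have a session". Update the wording to match the new control flow, and say next to oidc_session_load that this path is also reached when a sub-request could not recycle a session from the main request.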
@@ -3980,10 +3981,14 @@
/* get the bearer access token from the Authorization header */
const char *access_token = NULL;
- if (oidc_oauth_get_bearer_token(r, &access_token) == TRUE)
+ if (oidc_oauth_get_bearer_token(r, &access_token) == TRUE) {
+
+ r->ap_auth_type = apr_pstrdup(r->pool,
OIDC_AUTH_TYPE_OPENID_OAUTH20);
return oidc_oauth_check_userid(r, c, access_token);
+ }
/* no bearer token found: then treat this as a regular OIDC browser
request */
+ r->ap_auth_type = apr_pstrdup(r->pool, OIDC_AUTH_TYPE_OPENID_CONNECT);
return oidc_check_userid_openidc(r, c);
}
@@ -4000,22 +4005,26 @@
r->parsed_uri.path, r->args, ap_is_initial_req(r));
/* see if any authentication has been defined at all */
- if (ap_auth_type(r) == NULL)
+ const char *current_auth = ap_auth_type(r);
+ if (current_auth == NULL)
return DECLINED;
/* see if we've configured OpenID Connect user authentication for this
request */
- if (apr_strnatcasecmp((const char *) ap_auth_type(r),
- OIDC_AUTH_TYPE_OPENID_CONNECT) == 0)
+ if (strcasecmp(current_auth, OIDC_AUTH_TYPE_OPENID_CONNECT) == 0) {
+
+ r->ap_auth_type = (char *)current_auth;
return oidc_check_userid_openidc(r, c);
+ }
/* see if we've configured OAuth 2.0 access control for this request */
- if (apr_strnatcasecmp((const char *) ap_auth_type(r),
- OIDC_AUTH_TYPE_OPENID_OAUTH20) == 0)
+ if (strcasecmp(current_auth, OIDC_AUTH_TYPE_OPENID_OAUTH20) == 0) {
+
+ r->ap_auth_type = (char *)current_auth;
return oidc_oauth_check_userid(r, c, NULL);
+ }
/* see if we've configured "mixed mode" for this request */
- if (apr_strnatcasecmp((const char *) ap_auth_type(r),
- OIDC_AUTH_TYPE_OPENID_BOTH) == 0)
+ if (strcasecmp(current_auth, OIDC_AUTH_TYPE_OPENID_BOTH) == 0)
return oidc_check_mixed_userid_oauth(r, c);
/* this is not for us but for some other handler */
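Review bot: r->ap_auth_type is set with (char *)current_auth, casting away const on the value returned by ap_auth_type(r), while the mixed-mode path in the previous hunk uses apr_pstrdup(r->pool, ...). Use the apr_pstrdup form in both branches here so the request never holds a writable alias of a const string. The switch from apr_strnatcasecmp to strcasecmp is not mentioned in the ChangeLog; a line there would help, since the two functions do not compare identically.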
@@ -4090,6 +4099,11 @@
location);
oidc_util_html_send(r, "Stepup Authentication", html_head,
NULL, NULL,
HTTP_UNAUTHORIZED);
+ /*
+ * a hack for Apache 2.4 to prevent it from writing its own 401
HTML document
+ * text by making ap_send_error_response in http_protocol.c
return early...
+ */
+ r->header_only = 1;
}
return AUTHZ_DENIED;
@@ -4256,12 +4270,39 @@
* handle content generating requests
*/
int oidc_content_handler(request_rec *r) {
- if (oidc_enabled(r) == FALSE)
- return DECLINED;
oidc_cfg *c = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
- return oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, c)) ?
- OK : DECLINED;
+ int rc = DECLINED;
+ /* track if the session needs to be updated/saved into the cache */
+ apr_byte_t needs_save = FALSE;
+ oidc_session_t *session = NULL;
+
+ if (oidc_enabled(r)
+ && oidc_util_request_matches_url(r,
oidc_get_redirect_uri(r, c))) {
+
+ if (oidc_util_request_has_parameter(r,
+ OIDC_REDIRECT_URI_REQUEST_INFO)) {
+
+ oidc_session_load(r, &session);
+
+ rc = oidc_handle_existing_session(r, c, session,
&needs_save);
+ if (rc == OK)
+ /* handle request for session info */
+ rc = oidc_handle_info_request(r, c, session,
needs_save);
+
+ /* free resources allocated for the session */
+ oidc_session_free(r, session);
+
+ } else if (oidc_util_request_has_parameter(r,
+ OIDC_REDIRECT_URI_REQUEST_JWKS)) {
+
+ /* handle JWKs request */
+ rc = oidc_handle_jwks(r, c);
+ }
+
+ }
+
+ return rc;
}
extern const command_rec oidc_config_cmds[];
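Review bot: in the OIDC_REDIRECT_URI_REQUEST_INFO branch of oidc_content_handler the session is loaded and passed straight to oidc_handle_existing_session, without the "session->remote_user == NULL" check that guards this path in oidc_handle_redirect_uri_request. The handler therefore depends on the authentication phase having already rejected requests without a session; either repeat the check here or add a comment stating that dependency. The result of oidc_session_load is also not checked before session is used.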
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/src/mod_auth_openidc.h
new/mod_auth_openidc-2.4.5/src/mod_auth_openidc.h
--- old/mod_auth_openidc-2.4.4.1/src/mod_auth_openidc.h 2020-09-03
16:52:30.000000000 +0200
+++ new/mod_auth_openidc-2.4.5/src/mod_auth_openidc.h 2020-11-23
09:53:27.000000000 +0100
@@ -426,6 +426,8 @@
apr_byte_t state_input_headers;
apr_hash_t *redirect_urls_allowed;
+
+ char *ca_bundle_path;
} oidc_cfg;
int oidc_check_user_id(request_rec *r);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/src/oauth.c
new/mod_auth_openidc-2.4.5/src/oauth.c
--- old/mod_auth_openidc-2.4.4.1/src/oauth.c 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/src/oauth.c 2020-11-23 09:53:27.000000000
+0100
@@ -389,6 +389,13 @@
static apr_byte_t oidc_oauth_cache_access_token(request_rec *r, oidc_cfg *c,
apr_time_t cache_until, const char *access_token, json_t *json)
{
+ /* no cache mode */
+ int token_introspection_interval =
oidc_cfg_token_introspection_interval(r);
+ if (token_introspection_interval == -1) {
+ oidc_debug(r, "not caching introspection result");
+ return TRUE;
+ }
+
oidc_debug(r, "caching introspection result");
json_t *cache_entry = json_object();
@@ -411,6 +418,12 @@
json_t *cache_entry = NULL;
char *s_cache_entry = NULL;
+ /* no cache mode */
+ int token_introspection_interval =
oidc_cfg_token_introspection_interval(r);
+ if (token_introspection_interval == -1) {
+ return FALSE;
+ }
+
/* see if we've got the claims for this access_token cached already */
oidc_cache_get_access_token(r, access_token, &s_cache_entry);
@@ -426,7 +439,6 @@
/* compare the timestamp against the freshness requirement */
json_t *v = json_object_get(cache_entry,
OIDC_OAUTH_CACHE_KEY_TIMESTAMP);
apr_time_t now = apr_time_sec(apr_time_now());
- int token_introspection_interval =
oidc_cfg_token_introspection_interval(r);
if ((token_introspection_interval > 0)
&& (now > json_integer_value(v) +
token_introspection_interval)) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/src/proto.c
new/mod_auth_openidc-2.4.5/src/proto.c
--- old/mod_auth_openidc-2.4.4.1/src/proto.c 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/src/proto.c 2020-11-23 09:53:27.000000000
+0100
@@ -2337,7 +2337,15 @@
oidc_debug(r, "id_token_sub=%s, user_info_sub=%s", id_token_sub,
user_info_sub);
- if ((id_token_sub != NULL) && (user_info_sub != NULL)) {
+ if (user_info_sub == NULL) {
+ oidc_error(r,
+ "mandatory claim (\"%s\") was not returned from
userinfo endpoint
(https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse)",
+ OIDC_CLAIM_SUB);
+ json_decref(claims);
+ return FALSE;
+ }
+
+ if (id_token_sub != NULL) {
if (apr_strnatcmp(id_token_sub, user_info_sub) != 0) {
oidc_error(r,
"\"%s\" claim (\"%s\") returned from
userinfo endpoint does not match the one in the id_token (\"%s\")",
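Review bot: the new early return covers a missing user_info_sub, but when id_token_sub is NULL the comparison below is skipped and the userinfo "sub" is accepted without being matched against anything. If that case is expected, say so in a comment above "if (id_token_sub != NULL)"; otherwise treat it as an error as well.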
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/src/session.c
new/mod_auth_openidc-2.4.5/src/session.c
--- old/mod_auth_openidc-2.4.4.1/src/session.c 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/src/session.c 2020-11-23 09:53:27.000000000
+0100
@@ -180,7 +180,7 @@
rc = oidc_session_load_cache_by_uuid(r, c, uuid, z);
- if (rc == FALSE) {
+ if (rc == FALSE || z->state == NULL) {
/* delete the session cookie */
oidc_util_set_cookie(r, oidc_cfg_dir_cookie(r), "", 0,
OIDC_COOKIE_EXT_SAME_SITE_NONE);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/src/util.c
new/mod_auth_openidc-2.4.5/src/util.c
--- old/mod_auth_openidc-2.4.4.1/src/util.c 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/src/util.c 2020-11-23 09:53:27.000000000
+0100
@@ -680,6 +680,8 @@
CURL *curl;
struct curl_slist *h_list = NULL;
int i;
+ oidc_cfg *c = ap_get_module_config(r->server->module_config,
+ &auth_openidc_module);
/* do some logging about the inputs */
oidc_debug(r,
@@ -727,17 +729,22 @@
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST,
(ssl_validate_server != FALSE ? 2L : 0L));
+ if (c->ca_bundle_path != NULL) {
+ curl_easy_setopt(curl, CURLOPT_CAINFO, c->ca_bundle_path);
+ }
#ifdef WIN32
- DWORD buflen;
- char *ptr = NULL;
- char *retval = (char *) malloc(sizeof (TCHAR) * (MAX_PATH + 1));
- retval[0] = '\0';
- buflen = SearchPath(NULL, "curl-ca-bundle.crt", NULL, MAX_PATH+1,
retval, &ptr);
- if (buflen > 0)
- curl_easy_setopt(curl, CURLOPT_CAINFO, retval);
- else
- oidc_warn(r, "no curl-ca-bundle.crt file found in path");
- free(retval);
+ else {
+ DWORD buflen;
+ char *ptr = NULL;
+ char *retval = (char *) malloc(sizeof (TCHAR) * (MAX_PATH + 1));
+ retval[0] = '\0';
+ buflen = SearchPath(NULL, "curl-ca-bundle.crt", NULL,
MAX_PATH+1, retval, &ptr);
+ if (buflen > 0)
+ curl_easy_setopt(curl, CURLOPT_CAINFO, retval);
+ else
+ oidc_warn(r, "no curl-ca-bundle.crt file found in
path");
+ free(retval);
+ }
#endif
/* identify this HTTP client */
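Review bot: the "else {" that pairs with "if (c->ca_bundle_path != NULL)" exists only inside #ifdef WIN32, so the if/else is split across a preprocessor boundary and any statement later added between the closing brace and the #ifdef breaks the Windows build only. Wrap the Windows lookup in its own "if (c->ca_bundle_path == NULL)" inside the #ifdef instead. While the block is being re-indented, note that the malloc result is written to (retval[0] = '\0') without a NULL check.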
@@ -1290,6 +1297,8 @@
return FALSE;
}
+#define OIDC_JSON_MAX_ERROR_STR 4096
+
/*
* parse a JSON object
*/
@@ -1305,8 +1314,18 @@
/* decode the JSON contents of the buffer */
if (*json == NULL) {
/* something went wrong */
- oidc_error(r, "JSON parsing returned an error: %s (%s)",
- json_error.text, str);
+#if JANSSON_VERSION_HEX >= 0x020B00
+ if (json_error_code(&json_error) == json_error_null_character) {
+ oidc_error(r, "JSON parsing returned an error: %s",
+ json_error.text);
+ } else {
+#endif
+ oidc_error(r, "JSON parsing returned an error: %s (%s)",
+ json_error.text,
+ apr_pstrndup(r->pool, str,
OIDC_JSON_MAX_ERROR_STR));
+#if JANSSON_VERSION_HEX >= 0x020B00
+ }
+#endif
return FALSE;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/test/stub.c
new/mod_auth_openidc-2.4.5/test/stub.c
--- old/mod_auth_openidc-2.4.4.1/test/stub.c 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/test/stub.c 2020-11-23 09:53:27.000000000
+0100
@@ -37,6 +37,11 @@
return 0;
}
+AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p, const char *cmd,
+ const char * const *argv) {
+ return NULL;
+}
+
AP_DECLARE(char *) ap_getword(apr_pool_t *atrans, const char **line, char
stop) {
const char *pos = *line;
int len;
@@ -298,8 +303,9 @@
return NULL;
}
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
AP_DECLARE(int) ap_expr_exec(request_rec *r, const
ap_expr_info_t *expr,
const char **err) {
return 0;
}
-
+#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.4.1/test/test.c
new/mod_auth_openidc-2.4.5/test/test.c
--- old/mod_auth_openidc-2.4.4.1/test/test.c 2020-09-03 16:52:30.000000000
+0200
+++ new/mod_auth_openidc-2.4.5/test/test.c 2020-11-23 09:53:27.000000000
+0100
@@ -1486,6 +1486,22 @@
#endif
+
+static char * test_decode_json_object(request_rec *r) {
+ apr_byte_t rc = FALSE;
+ json_t *json = NULL;
+ rc = oidc_util_decode_json_object(r, "nojson", &json);
+ TST_ASSERT("test invalid JSON", rc == FALSE);
+ rc = oidc_util_decode_json_object(r, "{ \"n\": \"\\u0000<?php echo
'Hello' ?>\"}", &json);
+ TST_ASSERT("test JSON with NULL value", rc == FALSE);
+ rc = oidc_util_decode_json_object(r,
"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",
&json);
+ TST_ASSERT("test invalid long JSON", rc == FALSE);
+ rc = oidc_util_decode_json_object(r, "{}", &json);
+ TST_ASSERT("test valid JSON", rc == TRUE);
+ json_decref(json);
+ return 0;
+}
+
static char * all_tests(apr_pool_t *pool, request_rec *r) {
char *message;
TST_RUN(test_public_key_parse, pool);
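Review bot: test_decode_json_object asserts only that oidc_util_decode_json_object returns FALSE for the NUL-character and long inputs; nothing checks the two behaviours the util.c change adds, namely that the input is not echoed for json_error_null_character and that the logged input is capped at OIDC_JSON_MAX_ERROR_STR. If the test harness can capture oidc_error output, assert on it; otherwise add a comment that the log content is not covered. The json pointer is also reused across the four calls without being reset to NULL between them.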
@@ -1519,6 +1535,8 @@
TST_RUN(test_current_url, r);
TST_RUN(test_accept, r);
+ TST_RUN(test_decode_json_object, r);
+
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
TST_RUN(test_authz_worker, r);
#endif
_______________________________________________
openSUSE Commits mailing list -- [email protected]