On 12 Jul 2019, at 09:10, Ruediger Pluem <rpl...@apache.org> wrote:

> Given Erics comments, what about:
> 
>     SSLVerifyClient optional
>     <Location /jira>
>       <If "%{REQUEST_URI} 
> =~'^\/jira\/servicedesk\/customer\/portal\/3\/(.+)\/unsubscribe(.*)'>
>         require all granted
>       </If>
>       <ElseIf "%{SSL_CLIENT_VERIFY} == 'SUCCESS' || %{SSL_CLIENT_VERIFY} == 'GENEROUS'">
>         # cert + group member? you can come in
>         require ldap-group xxx
>       </ElseIf>
>       <Else>
>         # no cert, go away
>         require all denied
>       </Else>
>     </Location>

The expression syntax for regexes isn't that clear in the docs (the examples
are too trivial to be useful); what eventually worked was this:

      <If "%{REQUEST_URI} =~ m#^\/jira\/servicedesk\/customer\/portal\/3\/(.+)\/unsubscribe(.*)#">
        require all granted
      </If>

The next step is to attack the Directory/DirectoryMatch problem, and this one 
I’m also struggling to make work.

    Alias /storage /home/${HOST}/storage
    <Directory /home/${HOST}/storage>
      Dav on
      Options +Indexes
      SSLVerifyClient optional

      # first, handle cert auth or basic auth...
      <If "%{SSL_CLIENT_VERIFY} == 'SUCCESS' || %{SSL_CLIENT_VERIFY} == 'GENEROUS'">
        SSLUserName SSL_CLIENT_CERT_RFC4523_CEA
        AuthLDAPBindDN xxx
        AuthLDAPURL xxx
        AuthLDAPRemoteUserAttribute inetSubscriberAccountId
      </If>
      <Else>
        AuthBasicProvider ldap
        AuthType basic
        AuthName "Storage"
        AuthLDAPBindDN xxx
        AuthLDAPURL xxx
      </Else>

      # ...then apply authz
      <If "%{REQUEST_FILENAME} =~ m#^/home/${HOST}/storage/atlassian/jira-home#">
        require ldap-group xxx
      </If>
      <ElseIf "%{REQUEST_FILENAME} =~ m#^/home/${HOST}/storage/home/(?<USER>[^/]+)#">
        <RequireAll>
          require valid-user
          require expr %{env:MATCH_USER} == %{REMOTE_USER}
        </RequireAll>
      </ElseIf>
      <Else>
        require valid-user
      </Else>
    </Directory>

After getting rid of DirectoryMatch above and consolidating everything into one
directory and a series of If/Else sections, we have the config above.

The first If/Else declares that users must be grabbed from the cert if present, 
or basic auth if absent.

The second set of If/ElseIf/Else says that if you're part of the ldap-group you
can see the jira stuff (this works); if the username you logged in as matches
the directory path, you can come in (this doesn't work); and the third part says
that otherwise, if you are a valid-user, you can see everything else (this works).

Most specifically, when you try to access /home/${HOST}/storage/home/, which
should not match the regex, for some reason it does match the regex and the
config applies (and fails). Then, if you try to access
/home/${HOST}/storage/home/minf...@sharp.fm/, which definitely matches the
regex, the request fails as follows:

[Fri Jul 12 15:17:27.304567 2019] [authz_core:debug] [pid 172949:tid 140637026383616] mod_authz_core.c(820): [client x] AH01626: authorization result of Require valid-user : granted
[Fri Jul 12 15:17:27.304573 2019] [authz_core:debug] [pid 172949:tid 140637026383616] mod_authz_core.c(820): [client x] AH01626: authorization result of Require expr %{env:MATCH_USER} == %{REMOTE_USER}: denied (no authenticated user yet)

What's confusing me is that "require valid-user" works, but then directly
afterwards the expression fails, saying that the user who was authenticated one
line before now isn't authenticated, and that doesn't make sense.

Regards,
Graham
—

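As an added example (not code from this thread or from httpd itself), the authz chain in the message above ported to Python so the regexes and the branch decisions can be checked offline, outside the server. `HOST`, the sample paths and the ldap-group membership set are constructed assumptions; PCRE's `(?<USER>...)` named capture from the `m#...#` expression is written as Python's `(?P<USER>...)`, and the `\/` escapes are dropped because Python's `re` does not need them.

```python
import re

# Constructed stand-in for the ${HOST} variable used in the original config.
HOST = "example"
STORAGE_ROOT = f"/home/{HOST}/storage"

# The <If> regex from the /jira Location that exempts the service-desk
# unsubscribe URL from client-certificate authentication.
UNSUBSCRIBE_RE = re.compile(r"^/jira/servicedesk/customer/portal/3/(.+)/unsubscribe(.*)")

# The two <If>/<ElseIf> regexes applied to REQUEST_FILENAME inside <Directory>.
# httpd uses PCRE's (?<name>...) for named captures; Python spells it (?P<name>...).
JIRA_HOME_RE = re.compile(rf"^{re.escape(STORAGE_ROOT)}/atlassian/jira-home")
USER_HOME_RE = re.compile(rf"^{re.escape(STORAGE_ROOT)}/home/(?P<USER>[^/]+)")


def unsubscribe_exempt(request_uri):
    """True when the first <If> in the /jira Location would 'require all granted'."""
    return UNSUBSCRIBE_RE.match(request_uri) is not None


def decide(request_filename, remote_user, ldap_group_members):
    """Mirror the If/ElseIf/Else authz chain for one request.

    request_filename is the mapped filesystem path (httpd's REQUEST_FILENAME).
    remote_user is None when no user has been authenticated (REMOTE_USER unset).
    Returns (branch, granted) where branch is "jira", "user-home" or "valid-user".
    """
    if JIRA_HOME_RE.match(request_filename):
        # require ldap-group xxx: needs an authenticated user who is in the group
        return "jira", remote_user is not None and remote_user in ldap_group_members

    m = USER_HOME_RE.match(request_filename)
    if m:
        # <RequireAll> require valid-user + require expr %{env:MATCH_USER} == %{REMOTE_USER}
        # httpd exports the named capture USER as the MATCH_USER environment variable
        match_user = m.group("USER")
        return "user-home", remote_user is not None and match_user == remote_user

    # Else: require valid-user
    return "valid-user", remote_user is not None


if __name__ == "__main__":
    group = {"alice"}  # constructed ldap-group membership
    for path, user in [
        (f"{STORAGE_ROOT}/atlassian/jira-home/dbconfig.xml", "alice"),
        (f"{STORAGE_ROOT}/home/", "bob"),             # trailing slash, no user component
        (f"{STORAGE_ROOT}/home/alice/notes.txt", "alice"),
        (f"{STORAGE_ROOT}/home/alice/notes.txt", "bob"),
        (f"{STORAGE_ROOT}/home/alice", None),         # no authenticated user
    ]:
        print(f"{path!s:60} user={user!s:6} -> {decide(path, user, group)}")
```

In pure regex terms a path ending in `/storage/home/` does not match `USER_HOME_RE` (the `[^/]+` needs at least one character) and falls through to the `valid-user` branch; the script only checks the pattern and branch logic, not the order in which httpd evaluates `Require` providers, which is what the debug log in the message is about.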