Re: svn commit: r1909411 - in /httpd/httpd/trunk: ./ docs/manual/mod/ modules/aaa/
Any feedback on my comments below? Regards Rüdiger On 5/5/23 7:37 PM, Ruediger Pluem wrote: > > > On 4/25/23 7:52 PM, minf...@apache.org wrote: >> Author: minfrin >> Date: Tue Apr 25 17:52:18 2023 >> New Revision: 1909411 >> >> URL: http://svn.apache.org/viewvc?rev=1909411=rev >> Log: >> *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within >> bearer tokens, both as part of the aaa framework, and as a way to >> generate tokens and pass them to backend servers and services. >> >> *) mod_auth_bearer: New module to handle RFC 6750 Bearer tokens, using >> the token_checker hook. >> >> *) mod_autht_core: New module to handle provider aliases for token >> authentication. >> >> >> Added: >> httpd/httpd/trunk/docs/manual/mod/mod_auth_bearer.xml >> httpd/httpd/trunk/docs/manual/mod/mod_autht_core.xml >> httpd/httpd/trunk/docs/manual/mod/mod_autht_jwt.xml >> httpd/httpd/trunk/modules/aaa/mod_auth_bearer.c >> httpd/httpd/trunk/modules/aaa/mod_autht_core.c >> httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c >> Modified: >> httpd/httpd/trunk/CHANGES >> httpd/httpd/trunk/modules/aaa/config.m4 >> > >> Added: httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c?rev=1909411=auto >> == >> --- httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c (added) >> +++ httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c Tue Apr 25 17:52:18 2023
>> @@ -0,0 +1,1089 @@
>> +/* Licensed to the Apache Software Foundation (ASF) under one or more
>> + * contributor license agreements. See the NOTICE file distributed with
>> + * this work for additional information regarding copyright ownership.
>> + * The ASF licenses this file to You under the Apache License, Version 2.0
>> + * (the "License"); you may not use this file except in compliance with
>> + * the License. You may obtain a copy of the License at
>> + *
>> + * http://www.apache.org/licenses/LICENSE-2.0
>> + *
>> + * Unless required by applicable law or agreed to in writing, software
>> + * distributed under the License is distributed on an "AS IS" BASIS,
>> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>> + * See the License for the specific language governing permissions and
>> + * limitations under the License.
>> + */
>> +
>> +/**
>> + * This module adds support for https://tools.ietf.org/html/rfc7519 JWT >> tokens
>> + * as https://tools.ietf.org/html/rfc6750 Bearer tokens, both as a generator
>> + * of JWT bearer tokens, and as an acceptor of JWT Bearer tokens for >> authentication.
>> + */
>> +
>> +#include "apr_strings.h"
>> +#include "apr_hash.h"
>> +#include "apr_crypto.h"
>> +#include "apr_jose.h"
>> +#include "apr_lib.h"/* for apr_isspace */
>> +#include "apr_base64.h" /* for apr_base64_decode et al */
>> +#define APR_WANT_STRFUNC/* for strcasecmp */
>> +#include "apr_want.h"
>> +
>> +#include "ap_config.h"
>> +#include "httpd.h"
>> +#include "http_config.h"
>> +#include "http_core.h"
>> +#include "http_log.h"
>> +#include "http_protocol.h"
>> +#include "http_request.h"
>> +#include "util_md5.h"
>> +#include "ap_provider.h"
>> +#include "ap_expr.h"
>> +
>> +#include "mod_auth.h"
>> +
>> +#define CRYPTO_KEY "auth_bearer_context"
>> +
>> +module AP_MODULE_DECLARE_DATA autht_jwt_module;
>> +
>> +typedef enum jws_alg_type_e {
>> +/** No specific type.
*/
>> +JWS_ALG_TYPE_NONE = 0,
>> +/** HMAC SHA256 */
>> +JWS_ALG_TYPE_HS256 = 1,
>> +} jws_alg_type_e;
>> +
>> +typedef struct {
>> +unsigned char *secret;
>> +apr_size_t secret_len;
>> +jws_alg_type_e jws_alg;
>> +} auth_bearer_signature_rec;
>> +
>> +typedef struct {
>> +apr_hash_t *claims;
>> +apr_array_header_t *signs;
>> +apr_array_header_t *verifies;
>> +int signs_set:1;
>> +int verifies_set:1;
>> +int fake_set:1;
>> +} auth_bearer_config_rec;
>> +
>> +typedef struct {
>> +const char *library;
>> +const char *params;
>> +apr_crypto_t **crypto;
> > > Why not apr_crypto_t *crypto instead and using &(var->crypto) where > apr_crypto_t ** is needed below? >
>> +int library_set;
>> +} auth_bearer_conf;
>> +
>> +static int auth_bearer_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t >> *ptemp,
>> +server_rec *s) {
>> +const apr_crypto_driver_t *driver = NULL;
>> +
>> +/* auth_bearer_init() will be called twice. Don't bother
>> + * going through all of the initialization on the first call
>> + * because it will just be thrown away.*/
>> +if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
>> +return OK;
>> +}
>> +
>> +while (s) {
>> +
>> +auth_bearer_conf *conf = ap_get_module_config(s->module_config,
>> +_jwt_module);
>> +
>> +if (conf->library_set && !*conf->crypto) {
>> +
>> +
Re: svn commit: r1909411 - in /httpd/httpd/trunk: ./ docs/manual/mod/ modules/aaa/
On 4/25/23 7:52 PM, minf...@apache.org wrote: > Author: minfrin > Date: Tue Apr 25 17:52:18 2023 > New Revision: 1909411 > > URL: http://svn.apache.org/viewvc?rev=1909411=rev > Log: > *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within > bearer tokens, both as part of the aaa framework, and as a way to > generate tokens and pass them to backend servers and services. > > *) mod_auth_bearer: New module to handle RFC 6750 Bearer tokens, using > the token_checker hook. > > *) mod_autht_core: New module to handle provider aliases for token > authentication. > > > Added: > httpd/httpd/trunk/docs/manual/mod/mod_auth_bearer.xml > httpd/httpd/trunk/docs/manual/mod/mod_autht_core.xml > httpd/httpd/trunk/docs/manual/mod/mod_autht_jwt.xml > httpd/httpd/trunk/modules/aaa/mod_auth_bearer.c > httpd/httpd/trunk/modules/aaa/mod_autht_core.c > httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/modules/aaa/config.m4 > > Added: httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c?rev=1909411=auto > == > --- httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c (added) > +++ httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c Tue Apr 25 17:52:18 2023 
> @@ -0,0 +1,1089 @@
> +/* Licensed to the Apache Software Foundation (ASF) under one or more
> + * contributor license agreements. See the NOTICE file distributed with
> + * this work for additional information regarding copyright ownership.
> + * The ASF licenses this file to You under the Apache License, Version 2.0
> + * (the "License"); you may not use this file except in compliance with
> + * the License. You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +
> +/**
> + * This module adds support for https://tools.ietf.org/html/rfc7519 JWT > tokens
> + * as https://tools.ietf.org/html/rfc6750 Bearer tokens, both as a generator
> + * of JWT bearer tokens, and as an acceptor of JWT Bearer tokens for > authentication.
> + */
> +
> +#include "apr_strings.h"
> +#include "apr_hash.h"
> +#include "apr_crypto.h"
> +#include "apr_jose.h"
> +#include "apr_lib.h"/* for apr_isspace */
> +#include "apr_base64.h" /* for apr_base64_decode et al */
> +#define APR_WANT_STRFUNC/* for strcasecmp */
> +#include "apr_want.h"
> +
> +#include "ap_config.h"
> +#include "httpd.h"
> +#include "http_config.h"
> +#include "http_core.h"
> +#include "http_log.h"
> +#include "http_protocol.h"
> +#include "http_request.h"
> +#include "util_md5.h"
> +#include "ap_provider.h"
> +#include "ap_expr.h"
> +
> +#include "mod_auth.h"
> +
> +#define CRYPTO_KEY "auth_bearer_context"
> +
> +module AP_MODULE_DECLARE_DATA autht_jwt_module;
> +
> +typedef enum jws_alg_type_e {
> +/** No specific type.
*/
> +JWS_ALG_TYPE_NONE = 0,
> +/** HMAC SHA256 */
> +JWS_ALG_TYPE_HS256 = 1,
> +} jws_alg_type_e;
> +
> +typedef struct {
> +unsigned char *secret;
> +apr_size_t secret_len;
> +jws_alg_type_e jws_alg;
> +} auth_bearer_signature_rec;
> +
> +typedef struct {
> +apr_hash_t *claims;
> +apr_array_header_t *signs;
> +apr_array_header_t *verifies;
> +int signs_set:1;
> +int verifies_set:1;
> +int fake_set:1;
> +} auth_bearer_config_rec;
> +
> +typedef struct {
> +const char *library;
> +const char *params;
> +apr_crypto_t **crypto;
Why not apr_crypto_t *crypto instead and using &(var->crypto) where apr_crypto_t ** is needed below?
> +int library_set;
> +} auth_bearer_conf;
> +
> +static int auth_bearer_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t > *ptemp,
> +server_rec *s) {
> +const apr_crypto_driver_t *driver = NULL;
> +
> +/* auth_bearer_init() will be called twice. Don't bother
> + * going through all of the initialization on the first call
> + * because it will just be thrown away.*/
> +if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
> +return OK;
> +}
> +
> +while (s) {
> +
> +auth_bearer_conf *conf = ap_get_module_config(s->module_config,
> +_jwt_module);
> +
> +if (conf->library_set && !*conf->crypto) {
> +
> +const apu_err_t *err = NULL;
> +apr_status_t rv;
> +
> +rv = apr_crypto_init(p);
> +if (APR_SUCCESS != rv) {
> +ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
> +