Re: svn commit: r1909411 - in /httpd/httpd/trunk: ./ docs/manual/mod/ modules/aaa/

2023-06-09 Thread Ruediger Pluem
Any feedback on my comments below?

Regards

Rüdiger

On 5/5/23 7:37 PM, Ruediger Pluem wrote:
> 
> 
> On 4/25/23 7:52 PM, minf...@apache.org wrote:
>> Author: minfrin
>> Date: Tue Apr 25 17:52:18 2023
>> New Revision: 1909411
>>
>> URL: http://svn.apache.org/viewvc?rev=1909411=rev
>> Log:
>>   *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within
>>  bearer tokens, both as part of the aaa framework, and as a way to
>>  generate tokens and pass them to backend servers and services.
>>
>>   *) mod_auth_bearer: New module to handle RFC 6750 Bearer tokens, using
>>  the token_checker hook.
>>
>>   *) mod_autht_core: New module to handle provider aliases for token
>>  authentication.
>>
>>
>> Added:
>> httpd/httpd/trunk/docs/manual/mod/mod_auth_bearer.xml
>> httpd/httpd/trunk/docs/manual/mod/mod_autht_core.xml
>> httpd/httpd/trunk/docs/manual/mod/mod_autht_jwt.xml
>> httpd/httpd/trunk/modules/aaa/mod_auth_bearer.c
>> httpd/httpd/trunk/modules/aaa/mod_autht_core.c
>> httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/modules/aaa/config.m4
>>
> 
>> Added: httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c?rev=1909411=auto
>> ==
>> --- httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c (added)
>> +++ httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c Tue Apr 25 17:52:18 2023
>> @@ -0,0 +1,1089 @@
>> +/* Licensed to the Apache Software Foundation (ASF) under one or more
>> + * contributor license agreements.  See the NOTICE file distributed with
>> + * this work for additional information regarding copyright ownership.
>> + * The ASF licenses this file to You under the Apache License, Version 2.0
>> + * (the "License"); you may not use this file except in compliance with
>> + * the License.  You may obtain a copy of the License at
>> + *
>> + * http://www.apache.org/licenses/LICENSE-2.0
>> + *
>> + * Unless required by applicable law or agreed to in writing, software
>> + * distributed under the License is distributed on an "AS IS" BASIS,
>> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>> + * See the License for the specific language governing permissions and
>> + * limitations under the License.
>> + */
>> +
>> +/**
>> + * This module adds support for https://tools.ietf.org/html/rfc7519 JWT 
>> tokens
>> + * as https://tools.ietf.org/html/rfc6750 Bearer tokens, both as a generator
>> + * of JWT bearer tokens, and as an acceptor of JWT Bearer tokens for 
>> authentication.
>> + */
>> +
>> +#include "apr_strings.h"
>> +#include "apr_hash.h"
>> +#include "apr_crypto.h"
>> +#include "apr_jose.h"
>> +#include "apr_lib.h"/* for apr_isspace */
>> +#include "apr_base64.h" /* for apr_base64_decode et al */
>> +#define APR_WANT_STRFUNC/* for strcasecmp */
>> +#include "apr_want.h"
>> +
>> +#include "ap_config.h"
>> +#include "httpd.h"
>> +#include "http_config.h"
>> +#include "http_core.h"
>> +#include "http_log.h"
>> +#include "http_protocol.h"
>> +#include "http_request.h"
>> +#include "util_md5.h"
>> +#include "ap_provider.h"
>> +#include "ap_expr.h"
>> +
>> +#include "mod_auth.h"
>> +
>> +#define CRYPTO_KEY "auth_bearer_context"
>> +
>> +module AP_MODULE_DECLARE_DATA autht_jwt_module;
>> +
>> +typedef enum jws_alg_type_e {
>> +/** No specific type. */
>> +JWS_ALG_TYPE_NONE = 0,
>> +/** HMAC SHA256 */
>> +JWS_ALG_TYPE_HS256 = 1,
>> +} jws_alg_type_e;
>> +
>> +typedef struct {
>> +unsigned char *secret;
>> +apr_size_t secret_len;
>> +jws_alg_type_e jws_alg;
>> +} auth_bearer_signature_rec;
>> +
>> +typedef struct {
>> +apr_hash_t *claims;
>> +apr_array_header_t *signs;
>> +apr_array_header_t *verifies;
>> +int signs_set:1;
>> +int verifies_set:1;
>> +int fake_set:1;
>> +} auth_bearer_config_rec;
>> +
>> +typedef struct {
>> +const char *library;
>> +const char *params;
>> +apr_crypto_t **crypto;
> 
> 
> Why not apr_crypto_t *crypto instead, and use &(var->crypto) where
> apr_crypto_t ** is needed below?
> 
>> +int library_set;
>> +} auth_bearer_conf;
>> +
>> +static int auth_bearer_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t 
>> *ptemp,
>> +server_rec *s) {
>> +const apr_crypto_driver_t *driver = NULL;
>> +
>> +/* auth_bearer_init() will be called twice. Don't bother
>> + * going through all of the initialization on the first call
>> + * because it will just be thrown away.*/
>> +if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
>> +return OK;
>> +}
>> +
>> +while (s) {
>> +
>> +auth_bearer_conf *conf = ap_get_module_config(s->module_config,
>> +_jwt_module);
>> +
>> +if (conf->library_set && !*conf->crypto) {
>> +
>> +  

Re: svn commit: r1909411 - in /httpd/httpd/trunk: ./ docs/manual/mod/ modules/aaa/

2023-05-05 Thread Ruediger Pluem



On 4/25/23 7:52 PM, minf...@apache.org wrote:
> Author: minfrin
> Date: Tue Apr 25 17:52:18 2023
> New Revision: 1909411
> 
> URL: http://svn.apache.org/viewvc?rev=1909411=rev
> Log:
>   *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within
>  bearer tokens, both as part of the aaa framework, and as a way to
>  generate tokens and pass them to backend servers and services.
> 
>   *) mod_auth_bearer: New module to handle RFC 6750 Bearer tokens, using
>  the token_checker hook.
> 
>   *) mod_autht_core: New module to handle provider aliases for token
>  authentication.
> 
> 
> Added:
> httpd/httpd/trunk/docs/manual/mod/mod_auth_bearer.xml
> httpd/httpd/trunk/docs/manual/mod/mod_autht_core.xml
> httpd/httpd/trunk/docs/manual/mod/mod_autht_jwt.xml
> httpd/httpd/trunk/modules/aaa/mod_auth_bearer.c
> httpd/httpd/trunk/modules/aaa/mod_autht_core.c
> httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/aaa/config.m4
> 

> Added: httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c?rev=1909411=auto
> ==
> --- httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c (added)
> +++ httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c Tue Apr 25 17:52:18 2023
> @@ -0,0 +1,1089 @@
> +/* Licensed to the Apache Software Foundation (ASF) under one or more
> + * contributor license agreements.  See the NOTICE file distributed with
> + * this work for additional information regarding copyright ownership.
> + * The ASF licenses this file to You under the Apache License, Version 2.0
> + * (the "License"); you may not use this file except in compliance with
> + * the License.  You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +
> +/**
> + * This module adds support for https://tools.ietf.org/html/rfc7519 JWT 
> tokens
> + * as https://tools.ietf.org/html/rfc6750 Bearer tokens, both as a generator
> + * of JWT bearer tokens, and as an acceptor of JWT Bearer tokens for 
> authentication.
> + */
> +
> +#include "apr_strings.h"
> +#include "apr_hash.h"
> +#include "apr_crypto.h"
> +#include "apr_jose.h"
> +#include "apr_lib.h"/* for apr_isspace */
> +#include "apr_base64.h" /* for apr_base64_decode et al */
> +#define APR_WANT_STRFUNC/* for strcasecmp */
> +#include "apr_want.h"
> +
> +#include "ap_config.h"
> +#include "httpd.h"
> +#include "http_config.h"
> +#include "http_core.h"
> +#include "http_log.h"
> +#include "http_protocol.h"
> +#include "http_request.h"
> +#include "util_md5.h"
> +#include "ap_provider.h"
> +#include "ap_expr.h"
> +
> +#include "mod_auth.h"
> +
> +#define CRYPTO_KEY "auth_bearer_context"
> +
> +module AP_MODULE_DECLARE_DATA autht_jwt_module;
> +
> +typedef enum jws_alg_type_e {
> +/** No specific type. */
> +JWS_ALG_TYPE_NONE = 0,
> +/** HMAC SHA256 */
> +JWS_ALG_TYPE_HS256 = 1,
> +} jws_alg_type_e;
> +
> +typedef struct {
> +unsigned char *secret;
> +apr_size_t secret_len;
> +jws_alg_type_e jws_alg;
> +} auth_bearer_signature_rec;
> +
> +typedef struct {
> +apr_hash_t *claims;
> +apr_array_header_t *signs;
> +apr_array_header_t *verifies;
> +int signs_set:1;
> +int verifies_set:1;
> +int fake_set:1;
> +} auth_bearer_config_rec;
> +
> +typedef struct {
> +const char *library;
> +const char *params;
> +apr_crypto_t **crypto;


Why not apr_crypto_t *crypto instead, and use &(var->crypto) where
apr_crypto_t ** is needed below?

> +int library_set;
> +} auth_bearer_conf;
> +
> +static int auth_bearer_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t 
> *ptemp,
> +server_rec *s) {
> +const apr_crypto_driver_t *driver = NULL;
> +
> +/* auth_bearer_init() will be called twice. Don't bother
> + * going through all of the initialization on the first call
> + * because it will just be thrown away.*/
> +if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
> +return OK;
> +}
> +
> +while (s) {
> +
> +auth_bearer_conf *conf = ap_get_module_config(s->module_config,
> +_jwt_module);
> +
> +if (conf->library_set && !*conf->crypto) {
> +
> +const apu_err_t *err = NULL;
> +apr_status_t rv;
> +
> +rv = apr_crypto_init(p);
> +if (APR_SUCCESS != rv) {
> +ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
> +