summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Pazdziora <jpazdziora@redhat.com>2015-04-23 10:17:08 +0200
committerJan Pazdziora <jpazdziora@redhat.com>2015-05-14 14:19:13 +0200
commit9f15acc9893554a6676a148fb56fe79769b55b7a (patch)
tree4ecde9d96d9da8a0d8b647080db15fdb1505da00
downloadmod_auth_fixup-master.tar.gz
mod_auth_fixup-master.tar.xz
mod_auth_fixup-master.zip
Apache module mod_auth_fixup.HEADmod_auth_fixup-0.5master
-rw-r--r--LICENSE202
-rw-r--r--README135
-rw-r--r--auth_fixup.conf12
-rw-r--r--auth_fixup.module3
-rw-r--r--mod_auth_fixup.c163
-rw-r--r--mod_auth_fixup.spec70
6 files changed, 585 insertions, 0 deletions
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d645695
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/README b/README
new file mode 100644
index 0000000..7830713
--- /dev/null
+++ b/README
@@ -0,0 +1,135 @@
+
+Apache module mod_auth_fixup
+============================
+
+Apache module mod_auth_fixup uses results of previous authentication
+and other phases and checks that user was authenticated, optionally
+updating the user identifier with a substring based on regular
+expression match.
+
+Possible use is processing result of mod_ssl's operation on Apache 2.2.
+Module mod_ssl has SSLVerifyClient require mechanism which sets the
+user identifier and it is not proper authentication module to the rest
+of Apache HTTP Server internals. That makes it hard to combine
+mod_ssl with authorization modules to check additional attributes
+of the authenticated user.
+
+Module configuration
+--------------------
+
+Let us assume we have mod_ssl configured with client authentication:
+
+ <Location /login>
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+ SSLOptions +StrictRequire
+ SSLUserName SSL_CLIENT_S_DN_CN
+ </Location>
+
+The access will only be allowed if the client certificate can be
+verified by mod_ssl, and the authenticated user identifier will be
+the content of client's Subject DN's common name. In access log
+we will see the CN value as the user identifier.
+
+Often, there are two issues with that situation:
+
+1) On Apache 2.2, when we try to use the result of such authentication
+ for example with Require, like
+
+ Require group admins
+
+ or even plain
+
+ Require valid-user
+
+ we will get an error:
+
+ configuration error: couldn't perform authentication.
+ AuthType not set!
+
+ It's because mod_ssl does not run the standard authentication
+ handler.
+
+ By adding
+
+ AuthType Fixup
+
+ to the configuration, mod_auth_fixup takes the role of the
+ authentication handler, even if it does not do anything else than
+ checking that the result of the mod_ssl operation, the user
+ identifier it has left in the internal r->user, set.
+
+ Of course, any other module could have set the user identification,
+ not just mod_ssl, and mod_auth_fixup would process it just fine.
+
+2) The Common Name field of the Subject DN is often filled with
+ structured information, and for the subsequent authorization phase,
+ only a substring of that might be the actual user identification
+ in the identity management setup used.
+
+ For that, AuthFixupRegexp directive can specify regular expression
+ to match the user identifier against, and substitution string. When
+ the user identifier matches, it is the updated with the new value,
+ and this new value will be then shown in the access log and
+ available to later authorization phases. So for example,
+
+ AuthFixupRegexp userid=(.+?); user$1
+
+ will make sure the user identifier contains substring
+
+ userid=<the-identifier>;
+
+ and the nonempty string between userid= and the first semicolon
+ will replace the $1 part in the substitution string. Note that
+ the first part of the requirement matched by the above
+ AuthFixupRegexp example could be handled by
+
+ SSLRequire %{SSL_CLIENT_S_DN_CN} =~ m/userid=.+?;/
+
+ But there is no way to extract the identifier with SSLRequire (and
+ to add Require to it in Apache 2.2).
+
+ When AuthFixupRegexp is not specified, it is effectively equivalent
+ to
+
+ AuthFixupRegexp .+ $0
+
+The full example configuration might then be:
+
+ <Location /login>
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+ SSLOptions +StrictRequire
+ SSLUserName SSL_CLIENT_S_DN_CN
+
+ AuthType Fixup
+ AuthFixupRegexp userid=(.+?); user$1
+ Require group admins
+ </Location>
+
+Building from sources
+---------------------
+
+When building from sources, command
+
+ apxs -i -a -c mod_auth_fixup.c -Wall -pedantic
+
+should build and install the module.
+
+License
+-------
+
+Copyright 2015 Jan Pazdziora
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
diff --git a/auth_fixup.conf b/auth_fixup.conf
new file mode 100644
index 0000000..0e17b04
--- /dev/null
+++ b/auth_fixup.conf
@@ -0,0 +1,12 @@
+
+# <Location /login>
+# SSLVerifyClient require
+# SSLVerifyDepth 1
+# SSLOptions +StrictRequire
+# SSLUserName SSL_CLIENT_S_DN_CN
+#
+# AuthType Fixup
+# AuthFixupRegexp userid=(.+?);
+# Require group admins
+# </Location>
+
diff --git a/auth_fixup.module b/auth_fixup.module
new file mode 100644
index 0000000..eac166f
--- /dev/null
+++ b/auth_fixup.module
@@ -0,0 +1,3 @@
+
+# LoadModule auth_fixup_module modules/mod_auth_fixup.so
+
diff --git a/mod_auth_fixup.c b/mod_auth_fixup.c
new file mode 100644
index 0000000..e752459
--- /dev/null
+++ b/mod_auth_fixup.c
@@ -0,0 +1,163 @@
+
+/*
+ * Copyright 2015 Jan Pazdziora
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "httpd.h"
+#include "http_core.h"
+#include "http_config.h"
+#include "http_log.h"
+#include "http_request.h"
+
+#include "ap_regex.h"
+#include "apr_strings.h"
+
+typedef struct {
+ const char * regexp_str;
+ ap_regex_t * regexp;
+ const char * substitution_str;
+} auth_fixup_config_rec;
+
+static void * create_dir_conf(apr_pool_t * pool, char * dir) {
+ auth_fixup_config_rec * cfg
+ = apr_pcalloc(pool, sizeof(auth_fixup_config_rec));
+ return cfg;
+}
+
+static const char * set_regexp(cmd_parms * cmd, void * struct_ptr,
+ const char * arg, const char * arg2) {
+ auth_fixup_config_rec * cfg = (auth_fixup_config_rec *) struct_ptr;
+ if (cfg) {
+ cfg->regexp = ap_pregcomp(cmd->pool, arg, AP_REG_EXTENDED);
+ if (cfg->regexp == NULL) {
+ return "Regular expression could not be compiled.";
+ }
+ cfg->regexp_str = apr_pstrdup(cmd->pool, arg);
+ if (arg2) {
+ cfg->substitution_str = apr_pstrdup(cmd->pool, arg2);
+ }
+ }
+ return NULL;
+}
+
+static const command_rec auth_fixup_cmds[] = {
+ AP_INIT_TAKE12("AuthFixupRegexp", set_regexp, NULL, OR_AUTHCFG,
+ "Regular expression to match against r->user, "
+ "and optional substitution string with backreferences"),
+ {NULL}
+};
+
+static int pretend_auth_type(request_rec *r) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "pretend_auth_type: called with r->user [%s]", r->user);
+ const char *auth_type = ap_auth_type(r);
+ if (! auth_type || strcasecmp(auth_type, "Fixup")) {
+ return DECLINED;
+ }
+ if (r->user) {
+ return OK;
+ }
+ return DECLINED;
+}
+
+module AP_MODULE_DECLARE_DATA auth_fixup_module;
+static int fixup_user(request_rec *r) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: called with r->user [%s]", r->user);
+ if (apr_table_get(r->notes, "fixup-user-already-run")) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: already run in this request, declining");
+ return DECLINED;
+ }
+
+ auth_fixup_config_rec *conf
+ = ap_get_module_config(r->per_dir_config, &auth_fixup_module);
+ if (pretend_auth_type(r) == OK) {
+ if (!r->user) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "fixup_user: AuthType Fixup configured and no r->user found, forbidden"
+ );
+ return HTTP_FORBIDDEN;
+ }
+ }
+ if (!r->user) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: declining, no r->user");
+ return DECLINED;
+ }
+ apr_table_setn(r->notes, "fixup-user-already-run", r->user);
+ if (!conf->regexp) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: declining, no conf->regexp");
+ return DECLINED;
+ }
+
+ unsigned int nmatch = AP_MAX_REG_MATCH;
+ ap_regmatch_t pmatch[AP_MAX_REG_MATCH];
+ if (ap_regexec(conf->regexp, r->user, nmatch, pmatch, 0)) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+ "fixup_user: matching [%s] =~ m/%s/ failed, forbidden",
+ r->user, conf->regexp_str);
+ return HTTP_FORBIDDEN;
+ }
+
+ char * new_user = ap_pregsub(r->pool,
+ ( conf->substitution_str ? conf->substitution_str : "$0" ),
+ r->user, nmatch, pmatch);
+ if (! new_user) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "fixup_user: substitution [%s] =~ /%s/ -> [%s] failed, internal server error",
+ r->user, conf->regexp_str, conf->substitution_str);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ if (! *new_user) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "fixup_user: substitution [%s] =~ /%s/ -> [%s] resulted in "
+ "empty string, forbidden",
+ r->user, conf->regexp_str, conf->substitution_str);
+ return HTTP_FORBIDDEN;
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+ "fixup_user: resetting user [%s] to [%s]", r->user, new_user);
+ r->user = new_user;
+ return DECLINED;
+}
+
+
+static void register_hooks(apr_pool_t * p) {
+#if AP_MODULE_MAGIC_AT_LEAST(20111025,3)
+ static const char * const aszSucc[] = {"mod_authz_core.c",
+ "mod_lookup_identity.c", NULL};
+ static const char * const aszPred[] = {"mod_ssl.c", NULL};
+ ap_hook_check_access(fixup_user, aszPred, aszSucc, APR_HOOK_MIDDLE,
+ AP_AUTH_INTERNAL_PER_CONF);
+ ap_hook_check_authz(fixup_user, NULL, NULL, APR_HOOK_REALLY_FIRST,
+ AP_AUTH_INTERNAL_PER_CONF);
+ ap_hook_check_user_id(pretend_auth_type, NULL, NULL,
+ APR_HOOK_REALLY_FIRST);
+
+#else
+ static const char * const aszSucc[] = {"mod_authn_default.c", NULL};
+ ap_hook_check_user_id(pretend_auth_type, NULL, aszSucc, APR_HOOK_LAST);
+ ap_hook_auth_checker(fixup_user, NULL, NULL, APR_HOOK_REALLY_FIRST);
+#endif
+}
+
+module AP_MODULE_DECLARE_DATA auth_fixup_module = {
+ STANDARD20_MODULE_STUFF,
+ create_dir_conf, /* Per-directory configuration handler */
+ NULL, /* Merge handler for per-directory configurations */
+ NULL, /* Per-server configuration handler */
+ NULL, /* Merge handler for per-server configurations */
+ auth_fixup_cmds, /* Any directives we may have for httpd */
+ register_hooks /* Our hook registering function */
+};
+
diff --git a/mod_auth_fixup.spec b/mod_auth_fixup.spec
new file mode 100644
index 0000000..efbb4b4
--- /dev/null
+++ b/mod_auth_fixup.spec
@@ -0,0 +1,70 @@
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}}
+%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
+%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
+# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
+%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
+
+Summary: Check and update result of previous authentication
+Name: mod_auth_fixup
+Version: 0.5
+Release: 1%{?dist}
+License: ASL 2.0
+Group: System Environment/Daemons
+URL: http://www.adelton.com/apache/mod_auth_fixup/
+Source0: http://www.adelton.com/apache/mod_auth_fixup/%{name}-%{version}.tar.gz
+BuildRequires: httpd-devel
+BuildRequires: pkgconfig
+Requires(pre): httpd
+Requires: httpd-mmn = %{_httpd_mmn}
+
+# Suppres auto-provides for module DSO per
+# https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Summary
+%{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$}
+%{?filter_setup}
+
+%description
+mod_auth_fixup is an authentication module which checks if user
+identifier which is the result of previous authentication phases
+matches regular expression, optionally updating the identifier.
+Another possible use is on Apache 2.2, processing result of
+mod_ssl's operation which with SSLVerifyClient require provides
+identifier of the user but since mod_ssl is not proper
+authentication module, it cannot easily be combined with
+authorization modules.
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+%{_httpd_apxs} -c -Wc,"%{optflags} -Wall -pedantic -std=c99" mod_auth_fixup.c
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+echo > auth_fixup.confx
+echo "# Load the module in %{_httpd_modconfdir}/55-auth_fixup.conf" >> auth_fixup.confx
+cat auth_fixup.conf >> auth_fixup.confx
+%else
+cat auth_fixup.module > auth_fixup.confx
+cat auth_fixup.conf >> auth_fixup.confx
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -Dm 755 .libs/mod_auth_fixup.so $RPM_BUILD_ROOT%{_httpd_moddir}/mod_auth_fixup.so
+
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+# httpd >= 2.4.x
+install -Dp -m 0644 auth_fixup.module $RPM_BUILD_ROOT%{_httpd_modconfdir}/55-auth_fixup.conf
+%endif
+install -Dp -m 0644 auth_fixup.confx $RPM_BUILD_ROOT%{_httpd_confdir}/auth_fixup.conf
+
+%files
+%doc README LICENSE
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+%config(noreplace) %{_httpd_modconfdir}/55-auth_fixup.conf
+%endif
+%config(noreplace) %{_httpd_confdir}/auth_fixup.conf
+%{_httpd_moddir}/*.so
+
+%changelog
+* Thu Apr 23 2015 Jan Pazdziora <jpazdziora@redhat.com> - 0.5-1
+- Initial release.