From 9f15acc9893554a6676a148fb56fe79769b55b7a Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Thu, 23 Apr 2015 10:17:08 +0200 Subject: Apache module mod_auth_fixup. --- LICENSE | 202 ++++++++++++++++++++++++++++++++++++++++++++++++++++ README | 135 +++++++++++++++++++++++++++++++++++ auth_fixup.conf | 12 ++++ auth_fixup.module | 3 + mod_auth_fixup.c | 163 ++++++++++++++++++++++++++++++++++++++++++ mod_auth_fixup.spec | 70 ++++++++++++++++++ 6 files changed, 585 insertions(+) create mode 100644 LICENSE create mode 100644 README create mode 100644 auth_fixup.conf create mode 100644 auth_fixup.module create mode 100644 mod_auth_fixup.c create mode 100644 mod_auth_fixup.spec diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README b/README new file mode 100644 index 0000000..7830713 --- /dev/null +++ b/README @@ -0,0 +1,135 @@ + +Apache module mod_auth_fixup +============================ + +Apache module mod_auth_fixup uses results of previous authentication +and other phases and checks that user was authenticated, optionally +updating the user identifier with a substring based on regular +expression match. + +Possible use is processing result of mod_ssl's operation on Apache 2.2. +Module mod_ssl has SSLVerifyClient require mechanism which sets the +user identifier and it is not proper authentication module to the rest +of Apache HTTP Server internals. That makes it hard to combine +mod_ssl with authorization modules to check additional attributes +of the authenticated user. + +Module configuration +-------------------- + +Let us assume we have mod_ssl configured with client authentication: + + + SSLVerifyClient require + SSLVerifyDepth 1 + SSLOptions +StrictRequire + SSLUserName SSL_CLIENT_S_DN_CN + + +The access will only be allowed if the client certificate can be +verified by mod_ssl, and the authenticated user identifier will be +the content of client's Subject DN's common name. In access log +we will see the CN value as the user identifier. + +Often, there are two issues with that situation: + +1) On Apache 2.2, when we try to use the result of such authentication + for example with Require, like + + Require group admins + + or even plain + + Require valid-user + + we will get an error: + + configuration error: couldn't perform authentication. + AuthType not set! + + It's because mod_ssl does not run the standard authentication + handler. + + By adding + + AuthType Fixup + + to the configuration, mod_auth_fixup takes the role of the + authentication handler, even if it does not do anything else than + checking that the result of the mod_ssl operation, the user + identifier it has left in the internal r->user, set. + + Of course, any other module could have set the user identification, + not just mod_ssl, and mod_auth_fixup would process it just fine. + +2) The Common Name field of the Subject DN is often filled with + structured information, and for the subsequent authorization phase, + only a substring of that might be the actual user identification + in the identity management setup used. + + For that, AuthFixupRegexp directive can specify regular expression + to match the user identifier against, and substitution string. When + the user identifier matches, it is the updated with the new value, + and this new value will be then shown in the access log and + available to later authorization phases. So for example, + + AuthFixupRegexp userid=(.+?); user$1 + + will make sure the user identifier contains substring + + userid=; + + and the nonempty string between userid= and the first semicolon + will replace the $1 part in the substitution string. Note that + the first part of the requirement matched by the above + AuthFixupRegexp example could be handled by + + SSLRequire %{SSL_CLIENT_S_DN_CN} =~ m/userid=.+?;/ + + But there is no way to extract the identifier with SSLRequire (and + to add Require to it in Apache 2.2). + + When AuthFixupRegexp is not specified, it is effectively equivalent + to + + AuthFixupRegexp .+ $0 + +The full example configuration might then be: + + + SSLVerifyClient require + SSLVerifyDepth 1 + SSLOptions +StrictRequire + SSLUserName SSL_CLIENT_S_DN_CN + + AuthType Fixup + AuthFixupRegexp userid=(.+?); user$1 + Require group admins + + +Building from sources +--------------------- + +When building from sources, command + + apxs -i -a -c mod_auth_fixup.c -Wall -pedantic + +should build and install the module. + +License +------- + +Copyright 2015 Jan Pazdziora + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + diff --git a/auth_fixup.conf b/auth_fixup.conf new file mode 100644 index 0000000..0e17b04 --- /dev/null +++ b/auth_fixup.conf @@ -0,0 +1,12 @@ + +# +# SSLVerifyClient require +# SSLVerifyDepth 1 +# SSLOptions +StrictRequire +# SSLUserName SSL_CLIENT_S_DN_CN +# +# AuthType Fixup +# AuthFixupRegexp userid=(.+?); +# Require group admins +# + diff --git a/auth_fixup.module b/auth_fixup.module new file mode 100644 index 0000000..eac166f --- /dev/null +++ b/auth_fixup.module @@ -0,0 +1,3 @@ + +# LoadModule auth_fixup_module modules/mod_auth_fixup.so + diff --git a/mod_auth_fixup.c b/mod_auth_fixup.c new file mode 100644 index 0000000..e752459 --- /dev/null +++ b/mod_auth_fixup.c @@ -0,0 +1,163 @@ + +/* + * Copyright 2015 Jan Pazdziora + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "httpd.h" +#include "http_core.h" +#include "http_config.h" +#include "http_log.h" +#include "http_request.h" + +#include "ap_regex.h" +#include "apr_strings.h" + +typedef struct { + const char * regexp_str; + ap_regex_t * regexp; + const char * substitution_str; +} auth_fixup_config_rec; + +static void * create_dir_conf(apr_pool_t * pool, char * dir) { + auth_fixup_config_rec * cfg + = apr_pcalloc(pool, sizeof(auth_fixup_config_rec)); + return cfg; +} + +static const char * set_regexp(cmd_parms * cmd, void * struct_ptr, + const char * arg, const char * arg2) { + auth_fixup_config_rec * cfg = (auth_fixup_config_rec *) struct_ptr; + if (cfg) { + cfg->regexp = ap_pregcomp(cmd->pool, arg, AP_REG_EXTENDED); + if (cfg->regexp == NULL) { + return "Regular expression could not be compiled."; + } + cfg->regexp_str = apr_pstrdup(cmd->pool, arg); + if (arg2) { + cfg->substitution_str = apr_pstrdup(cmd->pool, arg2); + } + } + return NULL; +} + +static const command_rec auth_fixup_cmds[] = { + AP_INIT_TAKE12("AuthFixupRegexp", set_regexp, NULL, OR_AUTHCFG, + "Regular expression to match against r->user, " + "and optional substitution string with backreferences"), + {NULL} +}; + +static int pretend_auth_type(request_rec *r) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "pretend_auth_type: called with r->user [%s]", r->user); + const char *auth_type = ap_auth_type(r); + if (! auth_type || strcasecmp(auth_type, "Fixup")) { + return DECLINED; + } + if (r->user) { + return OK; + } + return DECLINED; +} + +module AP_MODULE_DECLARE_DATA auth_fixup_module; +static int fixup_user(request_rec *r) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: called with r->user [%s]", r->user); + if (apr_table_get(r->notes, "fixup-user-already-run")) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: already run in this request, declining"); + return DECLINED; + } + + auth_fixup_config_rec *conf + = ap_get_module_config(r->per_dir_config, &auth_fixup_module); + if (pretend_auth_type(r) == OK) { + if (!r->user) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "fixup_user: AuthType Fixup configured and no r->user found, forbidden" + ); + return HTTP_FORBIDDEN; + } + } + if (!r->user) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: declining, no r->user"); + return DECLINED; + } + apr_table_setn(r->notes, "fixup-user-already-run", r->user); + if (!conf->regexp) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: declining, no conf->regexp"); + return DECLINED; + } + + unsigned int nmatch = AP_MAX_REG_MATCH; + ap_regmatch_t pmatch[AP_MAX_REG_MATCH]; + if (ap_regexec(conf->regexp, r->user, nmatch, pmatch, 0)) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "fixup_user: matching [%s] =~ m/%s/ failed, forbidden", + r->user, conf->regexp_str); + return HTTP_FORBIDDEN; + } + + char * new_user = ap_pregsub(r->pool, + ( conf->substitution_str ? conf->substitution_str : "$0" ), + r->user, nmatch, pmatch); + if (! new_user) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "fixup_user: substitution [%s] =~ /%s/ -> [%s] failed, internal server error", + r->user, conf->regexp_str, conf->substitution_str); + return HTTP_INTERNAL_SERVER_ERROR; + } + if (! *new_user) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "fixup_user: substitution [%s] =~ /%s/ -> [%s] resulted in " + "empty string, forbidden", + r->user, conf->regexp_str, conf->substitution_str); + return HTTP_FORBIDDEN; + } + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "fixup_user: resetting user [%s] to [%s]", r->user, new_user); + r->user = new_user; + return DECLINED; +} + + +static void register_hooks(apr_pool_t * p) { +#if AP_MODULE_MAGIC_AT_LEAST(20111025,3) + static const char * const aszSucc[] = {"mod_authz_core.c", + "mod_lookup_identity.c", NULL}; + static const char * const aszPred[] = {"mod_ssl.c", NULL}; + ap_hook_check_access(fixup_user, aszPred, aszSucc, APR_HOOK_MIDDLE, + AP_AUTH_INTERNAL_PER_CONF); + ap_hook_check_authz(fixup_user, NULL, NULL, APR_HOOK_REALLY_FIRST, + AP_AUTH_INTERNAL_PER_CONF); + ap_hook_check_user_id(pretend_auth_type, NULL, NULL, + APR_HOOK_REALLY_FIRST); + +#else + static const char * const aszSucc[] = {"mod_authn_default.c", NULL}; + ap_hook_check_user_id(pretend_auth_type, NULL, aszSucc, APR_HOOK_LAST); + ap_hook_auth_checker(fixup_user, NULL, NULL, APR_HOOK_REALLY_FIRST); +#endif +} + +module AP_MODULE_DECLARE_DATA auth_fixup_module = { + STANDARD20_MODULE_STUFF, + create_dir_conf, /* Per-directory configuration handler */ + NULL, /* Merge handler for per-directory configurations */ + NULL, /* Per-server configuration handler */ + NULL, /* Merge handler for per-server configurations */ + auth_fixup_cmds, /* Any directives we may have for httpd */ + register_hooks /* Our hook registering function */ +}; + diff --git a/mod_auth_fixup.spec b/mod_auth_fixup.spec new file mode 100644 index 0000000..efbb4b4 --- /dev/null +++ b/mod_auth_fixup.spec @@ -0,0 +1,70 @@ +%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}} +%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}} +%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}} +# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 +%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} +%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} + +Summary: Check and update result of previous authentication +Name: mod_auth_fixup +Version: 0.5 +Release: 1%{?dist} +License: ASL 2.0 +Group: System Environment/Daemons +URL: http://www.adelton.com/apache/mod_auth_fixup/ +Source0: http://www.adelton.com/apache/mod_auth_fixup/%{name}-%{version}.tar.gz +BuildRequires: httpd-devel +BuildRequires: pkgconfig +Requires(pre): httpd +Requires: httpd-mmn = %{_httpd_mmn} + +# Suppres auto-provides for module DSO per +# https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Summary +%{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$} +%{?filter_setup} + +%description +mod_auth_fixup is an authentication module which checks if user +identifier which is the result of previous authentication phases +matches regular expression, optionally updating the identifier. +Another possible use is on Apache 2.2, processing result of +mod_ssl's operation which with SSLVerifyClient require provides +identifier of the user but since mod_ssl is not proper +authentication module, it cannot easily be combined with +authorization modules. + +%prep +%setup -q -n %{name}-%{version} + +%build +%{_httpd_apxs} -c -Wc,"%{optflags} -Wall -pedantic -std=c99" mod_auth_fixup.c +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +echo > auth_fixup.confx +echo "# Load the module in %{_httpd_modconfdir}/55-auth_fixup.conf" >> auth_fixup.confx +cat auth_fixup.conf >> auth_fixup.confx +%else +cat auth_fixup.module > auth_fixup.confx +cat auth_fixup.conf >> auth_fixup.confx +%endif + +%install +rm -rf $RPM_BUILD_ROOT +install -Dm 755 .libs/mod_auth_fixup.so $RPM_BUILD_ROOT%{_httpd_moddir}/mod_auth_fixup.so + +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +# httpd >= 2.4.x +install -Dp -m 0644 auth_fixup.module $RPM_BUILD_ROOT%{_httpd_modconfdir}/55-auth_fixup.conf +%endif +install -Dp -m 0644 auth_fixup.confx $RPM_BUILD_ROOT%{_httpd_confdir}/auth_fixup.conf + +%files +%doc README LICENSE +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +%config(noreplace) %{_httpd_modconfdir}/55-auth_fixup.conf +%endif +%config(noreplace) %{_httpd_confdir}/auth_fixup.conf +%{_httpd_moddir}/*.so + +%changelog +* Thu Apr 23 2015 Jan Pazdziora - 0.5-1 +- Initial release. -- cgit