Hello community,
here is the log from the commit of package apache2-mod_auth_openidc for
openSUSE:Factory checked in at 2020-03-25 23:47:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.3160 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc"
Wed Mar 25 23:47:26 2020 rev:9 rq:788232 version:2.4.2.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes
2020-03-03 10:18:59.322991549 +0100
+++
/work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.3160/apache2-mod_auth_openidc.changes
2020-03-25 23:49:02.792040419 +0100
@@ -1,0 +2,22 @@
+Wed Mar 25 14:25:24 UTC 2020 - Martin Hauke <[email protected]>
+
+- Update to version 2.4.2.1
+ Changes since 2.4.1:
+ * oops: fix json_deep_copy of claims
+ * fix memory leak in OAuth 2.0 JWT validation
+ * fix configured private/public key cleanup on process exit
+ * allow for expressions in Require statements, see #469
+ * always refresh keys from jwks_uri when there is no kid in the
+ JWT header
+ * destroy shared memory segments only in parent process; see #458
+ * fix memory leaks introduced by #457
+ * if content was already returned via html/http send then don't
+ return 500 but send 200 to avoid extraneous internal error
+ document text to be sent on some Apache 2.4.x versions
+ * if OIDCPublicKeyFiles contains a certificate, the corresponding
+ x5c, x5t and x5t#256 parameters will be added to the generated
+ jwkset available at "<redirect_uri>?jwks=rsa"
+ - fix: also add SameSite=None to by-value session cookies
+ - try to fix graceful restart crash; see #458
+
+-------------------------------------------------------------------
Old:
----
apache2-mod_auth_openidc-2.4.1.tar.gz
New:
----
apache2-mod_auth_openidc-2.4.2.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.qhytqA/_old 2020-03-25 23:49:06.404039462 +0100
+++ /var/tmp/diff_new_pack.qhytqA/_new 2020-03-25 23:49:06.404039462 +0100
@@ -1,7 +1,7 @@
#
# spec file for package apache2-mod_auth_openidc
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
%define apxs %{_sbindir}/apxs2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
Name: apache2-mod_auth_openidc
-Version: 2.4.1
+Version: 2.4.2.1
Release: 0
Summary: Apache2.x module for an OpenID Connect enabled Identity
Provider
License: Apache-2.0
++++++ apache2-mod_auth_openidc-2.4.1.tar.gz ->
apache2-mod_auth_openidc-2.4.2.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/AUTHORS
new/mod_auth_openidc-2.4.2.1/AUTHORS
--- old/mod_auth_openidc-2.4.1/AUTHORS 2020-01-30 07:54:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.2.1/AUTHORS 2020-03-25 13:09:26.000000000
+0100
@@ -59,3 +59,5 @@
Andy Lindeman <https://github.com/alindeman>
Stefan Wachter <https://github.com/swachter>
Paolo Battino
+ absynth76 <https://github.com/absynth76>
+ Aaron Jones <https://github.com/wwaaron>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/ChangeLog
new/mod_auth_openidc-2.4.2.1/ChangeLog
--- old/mod_auth_openidc-2.4.1/ChangeLog 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/ChangeLog 2020-03-25 13:09:26.000000000
+0100
@@ -1,3 +1,41 @@
+03/25/2020
+- oops: fix json_deep_copy of claims
+- release 2.4.2.1
+
+03/24/2020
+- fix memory leak in OAuth 2.0 JWT validation; closes #470; thanks Conrad
Thukral
+- fix configured private/public key cleanup on process exit
+
+03/21/2020
+- allow for expressions in Require statements, see #469; thanks @wwaaron
+ also see:
https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#expressions-in-require-statements
+- bump to 2.4.2rc5
+
+03/19/2020
+- always refresh keys from jwks_uri when there is no kid in the JWT header
+- bump to 2.4.2rc4
+
+03/15/2020
+- destroy shared memory segments only in parent process; see #458
+- bump to 2.4.2rc3
+
+03/10/2020
+- fix memory leaks introduced by #457
+- bump to 2.4.2rc2
+
+02/19/2020
+- if content was already returned via html/http send then don't return 500
+ but send 200 to avoid extraneous internal error document text to be sent
+ on some Apache 2.4.x versions e.g. CentOS 7
+- bump to 2.4.2rc1
+
+02/03/2020
+- if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and
x5t#256
+ parameters will be added to the generated jwkset available at
"<redirect_uri>?jwks=rsa"
+ thanks @absynth76
+- fix: also add SameSite=None to by-value session cookies
+- bump to 2.4.2rc0
+
01/30/2020
- try to fix graceful restart crash; see #458
- release 2.4.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/Dockerfile
new/mod_auth_openidc-2.4.2.1/Dockerfile
--- old/mod_auth_openidc-2.4.1/Dockerfile 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/Dockerfile 2020-03-25 13:09:26.000000000
+0100
@@ -35,3 +35,4 @@
RUN a2enconf openidc
RUN /usr/sbin/apache2ctl start
+# docker run -p 443:443 -it 749d1204d189 /bin/bash -c "source
/etc/apache2/envvars && valgrind --leak-check=full /usr/sbin/apache2 -X"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/Dockerfile-alpine
new/mod_auth_openidc-2.4.2.1/Dockerfile-alpine
--- old/mod_auth_openidc-2.4.1/Dockerfile-alpine 2020-01-30
07:54:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.2.1/Dockerfile-alpine 2020-03-25
13:09:26.000000000 +0100
@@ -1,62 +1,66 @@
-FROM alpine:3.10
-
-ENV BUILD_DIR /tmp/mod_auth_openidc
-
-ENV APACHE_LOG_DIR /var/log/apache2
-
-ENV APACHE_DEFAULT_CONF /etc/apache2/httpd.conf
-
-# add testing repository (for cjose library)
-RUN echo "http://nl.alpinelinux.org/alpine/edge/testing" >>
/etc/apk/repositories
-
-# ADD source
-RUN mkdir ${BUILD_DIR}
-
-COPY . ${BUILD_DIR}
-
-# add dependencies, build and install mod_auth_openidc, need atomic operation
for image size
-RUN apk update && apk add --no-cache \
- apache2 \
- apache2-proxy \
- wget \
- jansson \
- hiredis \
- cjose \
- cjose-dev \
- git \
- autoconf \
- build-base \
- automake \
- curl \
- apache2-dev \
- curl-dev \
- pcre-dev \
- libtool \
- && \
- cd ${BUILD_DIR} && \
- ./autogen.sh && \
- ./configure CFLAGS="-g -O0" LDFLAGS="-lrt" && \
- make test && \
- make install && \
- cd -- && \
- rm -fr ${BUILD_DIR} && \
- apk del git cjose-dev apache2-dev autoconf automake build-base wget curl-dev
pcre-dev libtool
-
-# configure apache
-RUN apk add --no-cache sed && \
- echo "LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so"
>> ${APACHE_DEFAULT_CONF} && \
- ln -sfT /dev/stderr "${APACHE_LOG_DIR}/error.log" && \
- ln -sfT /dev/stdout "${APACHE_LOG_DIR}/access.log" && \
- ln -sfT /dev/stdout "${APACHE_LOG_DIR}/other_vhosts_access.log" && \
- chown -R --no-dereference "apache:users" "${APACHE_LOG_DIR}" && \
- apk del sed
-
-# https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop
-# stop gracefully when docker stops, create issue with interactive mode
because it's the signal use by the docker engine on windows.
-STOPSIGNAL WINCH
-
-# port to expose, referes to the Listen 80 in the embedded httpd.conf
-EXPOSE 80
-
-# launch apache
+FROM alpine:3.10
+
+ENV MOD_AUTH_OPENIDC_REPOSITORY
https://github.com/zmartzone/mod_auth_openidc.git
+
+ENV MOD_AUTH_OPENIDC_BRANCH master
+
+ENV BUILD_DIR /tmp/mod_auth_openidc
+
+ENV APACHE_LOG_DIR /var/log/apache2
+
+ENV APACHE_DEFAULT_CONF /etc/apache2/httpd.conf
+
+# add testing repository (for cjose library)
+RUN echo "http://nl.alpinelinux.org/alpine/edge/testing" >>
/etc/apk/repositories
+
+# ADD source
+RUN mkdir ${BUILD_DIR}
+
+# add dependencies, build and install mod_auth_openidc, need atomic operation
for image size
+RUN apk update && apk add --no-cache \
+ apache2 \
+ apache2-proxy \
+ wget \
+ jansson \
+ hiredis \
+ cjose \
+ cjose-dev \
+ git \
+ autoconf \
+ build-base \
+ automake \
+ curl \
+ apache2-dev \
+ curl-dev \
+ pcre-dev \
+ libtool \
+ && \
+ cd ${BUILD_DIR} && \
+ git clone -b ${MOD_AUTH_OPENIDC_BRANCH} ${MOD_AUTH_OPENIDC_REPOSITORY} && \
+ cd mod_auth_openidc && \
+ ./autogen.sh && \
+ ./configure CFLAGS="-g -O0" LDFLAGS="-lrt" && \
+ make test && \
+ make install && \
+ cd ../.. && \
+ rm -fr ${BUILD_DIR} && \
+ apk del git cjose-dev apache2-dev autoconf automake build-base wget curl-dev
pcre-dev libtool
+
+# configure apache
+RUN apk add --no-cache sed && \
+ echo "LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so"
>> ${APACHE_DEFAULT_CONF} && \
+ ln -sfT /dev/stderr "${APACHE_LOG_DIR}/error.log" && \
+ ln -sfT /dev/stdout "${APACHE_LOG_DIR}/access.log" && \
+ ln -sfT /dev/stdout "${APACHE_LOG_DIR}/other_vhosts_access.log" && \
+ chown -R --no-dereference "apache:users" "${APACHE_LOG_DIR}" && \
+ apk del sed
+
+# https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop
+# stop gracefully when docker stops, create issue with interactive mode
because it's the signal use by the docker engine on windows.
+STOPSIGNAL WINCH
+
+# port to expose, referes to the Listen 80 in the embedded httpd.conf
+EXPOSE 80
+
+# launch apache
CMD exec /usr/sbin/httpd -D FOREGROUND -f ${APACHE_DEFAULT_CONF}
\ No newline at end of file
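Review bot: The build now clones `${MOD_AUTH_OPENIDC_BRANCH}`, defaulting to `master`, from GitHub at image-build time instead of using the checked-out tree (the `COPY . ${BUILD_DIR}` step is gone), so an image built from the 2.4.2.1 tarball contains whatever master holds at that moment and is neither reproducible nor tied to the release being packaged. Pin the reference and keep it overridable, e.g. `ARG MOD_AUTH_OPENIDC_REF=v2.4.2.1` and `git clone --depth 1 -b ${MOD_AUTH_OPENIDC_REF} ${MOD_AUTH_OPENIDC_REPOSITORY}`, or restore the `COPY` so the image builds the source it ships with. The `edge/testing` repository line is carried over unchanged on plain `http://`; apk's signed index limits the damage, but `https://` costs nothing and removes the unauthenticated fetch.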
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/README.md
new/mod_auth_openidc-2.4.2.1/README.md
--- old/mod_auth_openidc-2.4.1/README.md 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/README.md 2020-03-25 13:09:26.000000000
+0100
@@ -140,6 +140,7 @@
- [Keycloak](https://github.com/zmartzone/mod_auth_openidc/wiki/Keycloak)
- [Azure
AD](https://github.com/zmartzone/mod_auth_openidc/wiki/Azure-OAuth2.0-and-OpenID)
- [Sign in with
Apple](https://github.com/zmartzone/mod_auth_openidc/wiki/Sign-in-with-Apple)
+- [Curity Identity
Server](https://github.com/zmartzone/mod_auth_openidc/wiki/Curity-Identity-Server)
-
[LemonLDAP::NG](https://github.com/zmartzone/mod_auth_openidc/wiki/LemonLDAP::NG)
- [GitLab](https://github.com/zmartzone/mod_auth_openidc/wiki/GitLab-OAuth2)
- [Globus](https://github.com/zmartzone/mod_auth_openidc/wiki/Globus)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/configure.ac
new/mod_auth_openidc-2.4.2.1/configure.ac
--- old/mod_auth_openidc-2.4.1/configure.ac 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/configure.ac 2020-03-25 13:09:26.000000000
+0100
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.1],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.2.1],[[email protected]])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/openidc.conf
new/mod_auth_openidc-2.4.2.1/openidc.conf
--- old/mod_auth_openidc-2.4.1/openidc.conf 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/openidc.conf 2020-03-25 13:09:26.000000000
+0100
@@ -28,3 +28,12 @@
AuthType openid-connect
Require valid-user
</Location>
+
+OIDCOAuthSSLValidateServer Off
+OIDCOAuthVerifyJwksUri https://host.docker.internal:9031/ext/jwks
+OIDCOAuthRemoteUserClaim Username
+
+<Location /api>
+ AuthType oauth20
+ Require valid-user
+</Location>
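Review bot: The added OAuth 2.0 section sets `OIDCOAuthSSLValidateServer Off` with no explanation, so anyone who copies this sample into a deployment fetches verification keys from `OIDCOAuthVerifyJwksUri` over TLS with server-certificate checking disabled, and an on-path attacker can substitute the JWKS and forge access tokens that `/api` then accepts. The `host.docker.internal:9031` target suggests a local container test setup; say so in the file, e.g. `# test setup only: the local issuer presents an untrusted certificate; keep OIDCOAuthSSLValidateServer On in production`. Shipping the directive commented out and letting the tester enable it would be safer still.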
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/authz.c
new/mod_auth_openidc-2.4.2.1/src/authz.c
--- old/mod_auth_openidc-2.4.1/src/authz.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/authz.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -422,10 +422,11 @@
* Apache >=2.4 authorization routine: match the claims from the authenticated
user against the Require primitive
*/
authz_status oidc_authz_worker24(request_rec *r, const json_t * const claims,
- const char *require_args, oidc_authz_match_claim_fn_type
match_claim_fn) {
+ const char *require_args, const void *parsed_require_args,
oidc_authz_match_claim_fn_type match_claim_fn) {
int count_oauth_claims = 0;
- const char *t, *w;
+ const char *t, *w, *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
/* needed for anonymous authentication */
if (r->user == NULL)
@@ -435,8 +436,13 @@
if (!claims)
return AUTHZ_DENIED;
+ t = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ oidc_error(r, "could not evaluate expression '%s': %s",
require_args, err);
+ return AUTHZ_DENIED;
+ }
+
/* loop over the Required specifications */
- t = require_args;
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
count_oauth_claims++;
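Review bot: `ap_expr_str_exec(r, expr, &err)` is called with `expr` taken straight from `parsed_require_args` and never checked for NULL; if any provider reaches `oidc_authz_worker24` without a `parse_config` callback (this patch only attaches `oidc_parse_config` to the `claim` provider), `expr` is NULL and `ap_expr_str_exec` dereferences it. A fallback preserves the pre-existing behaviour for such callers: `t = (expr != NULL) ? ap_expr_str_exec(r, expr, &err) : require_args;` ahead of the `if (err)` test. Note also that the evaluated string is re-tokenised by `ap_getword_conf`, so an expression result containing whitespace becomes several Require words; a one-line comment saying whether that is intended would help. The body of `oidc_authz_worker24` continues past the end of this hunk.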
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/cache/cache.h
new/mod_auth_openidc-2.4.2.1/src/cache/cache.h
--- old/mod_auth_openidc-2.4.1/src/cache/cache.h 2020-01-30
07:54:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.2.1/src/cache/cache.h 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -82,6 +82,7 @@
char *mutex_filename;
apr_shm_t *shm;
int *sema;
+ apr_byte_t is_parent;
} oidc_cache_mutex_t;
oidc_cache_mutex_t *oidc_cache_mutex_create(apr_pool_t *pool);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/cache/common.c
new/mod_auth_openidc-2.4.2.1/src/cache/common.c
--- old/mod_auth_openidc-2.4.1/src/cache/common.c 2020-01-30
07:54:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.2.1/src/cache/common.c 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -82,6 +82,7 @@
ctx->mutex_filename = NULL;
ctx->shm = NULL;
ctx->sema = NULL;
+ ctx->is_parent = TRUE;
return ctx;
}
@@ -169,6 +170,7 @@
apr_global_mutex_unlock(m->mutex);
}
+ m->is_parent = FALSE;
//oidc_sdebug(s, "semaphore: %d (m=%pp,s=%pp)", *m->sema, m, s);
return rv;
@@ -215,7 +217,7 @@
(*m->sema)--;
//oidc_sdebug(s, "semaphore: %d (m=%pp,s=%pp)", *m->sema,
m->mutex, s);
- if ((m->shm != NULL) && (*m->sema == 0)) {
+ if ((m->shm != NULL) && (*m->sema == 0) && (m->is_parent ==
TRUE)) {
rv = apr_shm_destroy(m->shm);
oidc_sdebug(s, "apr_shm_destroy for semaphore returned:
%d", rv);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/cache/file.c
new/mod_auth_openidc-2.4.2.1/src/cache/file.c
--- old/mod_auth_openidc-2.4.1/src/cache/file.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/cache/file.c 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/cache/memcache.c
new/mod_auth_openidc-2.4.2.1/src/cache/memcache.c
--- old/mod_auth_openidc-2.4.1/src/cache/memcache.c 2020-01-30
07:54:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.2.1/src/cache/memcache.c 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/cache/redis.c
new/mod_auth_openidc-2.4.2.1/src/cache/redis.c
--- old/mod_auth_openidc-2.4.1/src/cache/redis.c 2020-01-30
07:54:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.2.1/src/cache/redis.c 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/cache/shm.c
new/mod_auth_openidc-2.4.2.1/src/cache/shm.c
--- old/mod_auth_openidc-2.4.1/src/cache/shm.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/cache/shm.c 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -65,6 +65,7 @@
typedef struct oidc_cache_cfg_shm_t {
apr_shm_t *shm;
oidc_cache_mutex_t *mutex;
+ apr_byte_t is_parent;
} oidc_cache_cfg_shm_t;
/* size of key in cached key/value pairs */
@@ -88,6 +89,7 @@
sizeof(oidc_cache_cfg_shm_t));
context->shm = NULL;
context->mutex = oidc_cache_mutex_create(pool);
+ context->is_parent = TRUE;
return context;
}
@@ -142,6 +144,8 @@
&auth_openidc_module);
oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *) cfg->cache_cfg;
+ context->is_parent = FALSE;
+
/* initialize the lock for the child process */
return oidc_cache_mutex_child_init(p, s, context->mutex);
}
@@ -343,7 +347,7 @@
if (context == NULL)
return rv;
- if (context->shm) {
+ if ((context->is_parent == TRUE) && (context->shm)) {
oidc_cache_mutex_lock(s, context->mutex);
if (*context->mutex->sema == 1) {
rv = apr_shm_destroy(context->shm);
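Review bot: `context->is_parent` duplicates the `is_parent` flag that the same `oidc_cache_shm_child_init` sets on `context->mutex` through `oidc_cache_mutex_child_init`, so two copies of one fact now have to be kept in sync by hand. The destroy check could read the single source of truth, `if ((context->mutex->is_parent == TRUE) && (context->shm)) {`, and the new field in `oidc_cache_cfg_shm_t` could be dropped. If both are kept, a comment on the struct field stating which process each flag describes, and that it is only ever cleared in child init, would spare the next reader the comparison. The destroy function starts before this hunk.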
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/config.c
new/mod_auth_openidc-2.4.2.1/src/config.c
--- old/mod_auth_openidc-2.4.1/src/config.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/config.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -619,6 +619,23 @@
return OIDC_CONFIG_DIR_RV(cmd, rv);
}
+typedef struct oidc_cleanup_keys_ctx {
+ apr_pool_t *pool;
+ apr_hash_t *keys;
+} oidc_cleanup_keys_ctx;
+
+static apr_status_t oidc_cleanup_keys(void *data) {
+ oidc_cleanup_keys_ctx *ctx = (oidc_cleanup_keys_ctx *) data;
+ oidc_jwk_t *jwk = NULL;
+ apr_hash_index_t *hi;
+ for (hi = apr_hash_first(ctx->pool, ctx->keys); hi;
+ hi = apr_hash_next(hi)) {
+ apr_hash_this(hi, NULL, NULL, (void **) &jwk);
+ oidc_jwk_destroy(jwk);
+ }
+ return APR_SUCCESS;
+}
+
/*
* add a public key from an X.509 file to our list of JWKs with public keys
*/
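Review bot: `oidc_cleanup_keys` iterates with `apr_hash_first(ctx->pool, ctx->keys)`, allocating the iterator from the very pool whose cleanups are running; `apr_hash_first(NULL, ctx->keys)` makes APR use the table's internal iterator and avoids allocating from a pool in teardown. The helper also has no header; suggested text: `/* pool cleanup: release the cjose/OpenSSL key objects held in a kid -> oidc_jwk_t hash, which pool destruction alone would leak */`. Whether `oidc_jwk_destroy` wipes private key material before freeing is not visible here and is worth confirming for the private-key hash this is also registered on.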
@@ -642,15 +659,22 @@
fname = oidc_util_get_full_path(cmd->pool, fname);
- if (oidc_jwk_parse_rsa_public_key(cmd->pool, kid, fname, &jwk,
- &err) == FALSE) {
+ if (oidc_jwk_parse_rsa_public_key(cmd->pool, kid, fname, &jwk, &err)
+ == FALSE) {
return apr_psprintf(cmd->pool,
"oidc_jwk_parse_rsa_public_key failed for
(kid=%s) \"%s\": %s",
kid, fname, oidc_jose_e2s(cmd->pool, err));
}
- if (*public_keys == NULL)
+ if (*public_keys == NULL) {
*public_keys = apr_hash_make(cmd->pool);
+ oidc_cleanup_keys_ctx *ctx = apr_pcalloc(cmd->pool,
+ sizeof(oidc_cleanup_keys_ctx));
+ ctx->pool = cmd->pool;
+ ctx->keys = *public_keys;
+ apr_pool_cleanup_register(cmd->pool, ctx, oidc_cleanup_keys,
+ oidc_cleanup_keys);
+ }
apr_hash_set(*public_keys, jwk->kid, APR_HASH_KEY_STRING, jwk);
return NULL;
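Review bot: `apr_hash_set(*public_keys, jwk->kid, ...)` silently replaces an earlier entry when two `OIDCPublicKeyFiles` entries resolve to the same kid, explicit or fingerprint-derived, and the replaced `oidc_jwk_t` is no longer reachable from the hash, so the new cleanup never destroys it. Rejecting the duplicate at config time is clearer: `if (apr_hash_get(*public_keys, jwk->kid, APR_HASH_KEY_STRING) != NULL) return apr_psprintf(cmd->pool, "duplicate kid \"%s\" in OIDCPublicKeyFiles: %s", jwk->kid, fname);`. The registration also passes `oidc_cleanup_keys` as the child-cleanup argument, where `apr_pool_cleanup_null` is the conventional value, since a forked child about to exec has no reason to tear down key objects. The directive handler starts before this hunk.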
@@ -711,16 +735,25 @@
fname = oidc_util_get_full_path(cmd->pool, fname);
- if (oidc_jwk_parse_rsa_private_key(cmd->pool, kid, fname, &jwk,
- &err) == FALSE) {
+ if (oidc_jwk_parse_rsa_private_key(cmd->pool, kid, fname, &jwk, &err)
+ == FALSE) {
return apr_psprintf(cmd->pool,
"oidc_jwk_parse_rsa_private_key failed for
(kid=%s) \"%s\": %s",
kid, fname, oidc_jose_e2s(cmd->pool, err));
}
- if (cfg->private_keys == NULL)
+ if (cfg->private_keys == NULL) {
cfg->private_keys = apr_hash_make(cmd->pool);
+ oidc_cleanup_keys_ctx *ctx = apr_pcalloc(cmd->pool,
+ sizeof(oidc_cleanup_keys_ctx));
+ ctx->pool = cmd->pool;
+ ctx->keys = cfg->private_keys;
+ apr_pool_cleanup_register(cmd->pool, ctx, oidc_cleanup_keys,
+ oidc_cleanup_keys);
+ }
+
apr_hash_set(cfg->private_keys, jwk->kid, APR_HASH_KEY_STRING, jwk);
+
return NULL;
}
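Review bot: The cleanup-context setup here is a line-for-line copy of the block in the public-key handler above, and both pass `oidc_cleanup_keys` as the child-cleanup argument where `apr_pool_cleanup_null` is the usual choice. A small static helper, e.g. `static void oidc_cleanup_keys_register(apr_pool_t *pool, apr_hash_t *keys)` wrapping the `apr_pcalloc`/`apr_pool_cleanup_register` pair, would remove the duplication and keep the two registrations consistent. As with the public keys, a second file carrying the same kid replaces the earlier `oidc_jwk_t` in `cfg->private_keys` without destroying it, so that private key object is never released. The directive handler starts before this hunk.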
@@ -2326,11 +2359,29 @@
return oidc_config_check_merged_vhost_configs(pool, s);
}
+static const char *oidc_parse_config(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line) {
+ const char *expr_err = NULL;
+ ap_expr_info_t *expr;
+
+ expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+
+ if (expr_err)
+ return apr_pstrcat(cmd->temp_pool,
+ "Cannot parse expression in require line: ",
+ expr_err, NULL);
+
+ *parsed_require_line = expr;
+
+ return NULL;
+}
+
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static const authz_provider oidc_authz_claim_provider = {
&oidc_authz_checker_claim,
- NULL, };
-
+ &oidc_parse_config,
+};
#ifdef USE_LIBJQ
static const authz_provider oidc_authz_claims_expr_provider = {
&oidc_authz_checker_claims_expr,
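Review bot: `oidc_parse_config` runs every `Require claim` argument through `ap_expr_parse_cmd` with `AP_EXPR_FLAG_STRING_RESULT`, which changes the meaning of existing configurations: a value containing `%{` is now expanded at request time instead of matched literally, and an unparsable value now fails the config load. That is the intended feature (#469) but nothing in the code says so; add above the function `/* Require claim arguments are ap_expr strings: %{VAR} is expanded per request, so literal values containing %{ must follow the httpd expression quoting rules */`. The `claims_expr` provider declared at the end of this hunk has no parse callback visible here, so whether its checker receives a parsed expression or NULL cannot be confirmed from this diff.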
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/jose.c
new/mod_auth_openidc-2.4.2.1/src/jose.c
--- old/mod_auth_openidc-2.4.1/src/jose.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/jose.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -66,6 +66,62 @@
#define snprintf _snprintf
#endif
+/* to extract a b64 encoded certificate representation as a single string */
+static int oidc_jose_util_get_b64encoded_certificate_data(apr_pool_t *p,
+ X509 *x509_cert, unsigned char** b64_encoded_certificate,
+ oidc_jose_error_t *err) {
+ int rc = 0;
+ char *name = NULL, *header = NULL;
+ long len = 0, b64_len = 0;
+ BIO *bio = NULL;
+ unsigned char* data = NULL;
+
+ if ((bio = BIO_new(BIO_s_mem())) == NULL) {
+ oidc_jose_error_openssl(err, "BIO_new");
+ goto end;
+ }
+
+ if (!PEM_write_bio_X509(bio, x509_cert)) {
+ oidc_jose_error_openssl(err, "PEM_write_bio_X509");
+ goto end;
+ }
+ if (!PEM_read_bio(bio, &name, &header, &data, &len)) {
+ oidc_jose_error_openssl(err, "PEM_read_bio");
+ goto end;
+ }
+
+ /* "For every 3 bytes of input provided 4 bytes of output data will be
produced." */
+ b64_len = (((len + 2) / 3) * 4) + 1;
+
+ *b64_encoded_certificate = (unsigned char *) apr_pcalloc(p, b64_len);
+ if (!*b64_encoded_certificate) {
+ oidc_jose_error_openssl(err, "apr_pcalloc");
+ goto end;
+ };
+
+ rc = EVP_EncodeBlock(*b64_encoded_certificate, data, len);
+
+end:
+ if (bio) {
+ BIO_free(bio);
+ }
+ if (name != NULL) {
+ OPENSSL_free(name);
+ }
+ if (data != NULL) {
+ OPENSSL_free(data);
+ }
+ if (header != NULL) {
+ OPENSSL_free(header);
+ }
+
+ return rc;
+}
+
+/* definition follows */
+static char *internal_cjose_jwk_to_json(apr_pool_t *pool, oidc_jwk_t *oidc_jwk,
+ oidc_jose_error_t *oidc_err);
+
/*
* assemble an error report
*/
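Review bot: The new helper signals failure only through its return value (0 from the early `goto end` paths, otherwise the `EVP_EncodeBlock` length) and leaves `*b64_encoded_certificate` untouched on failure, yet nothing says so and the callers in this patch test the output pointer rather than the length; a header should pin the contract: `/* returns the base64 length (> 0) on success, 0 on failure; *b64_encoded_certificate is written only on success */`. The PEM-write-then-PEM-read round trip exists only to recover the DER bytes, which `i2d_X509(x509_cert, &der)` yields directly and would remove the `name`/`header` handling. `oidc_jose_error_openssl(err, "apr_pcalloc")` is misleading, as `apr_pcalloc` is not an OpenSSL call and the OpenSSL error queue it reports is unrelated to that failure.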
@@ -354,11 +410,9 @@
*/
apr_byte_t oidc_jwk_to_json(apr_pool_t *pool, oidc_jwk_t *jwk, char **s_json,
oidc_jose_error_t *err) {
- cjose_err cjose_err;
- char *s = cjose_jwk_to_json(jwk->cjose_jwk, TRUE, &cjose_err);
+ char *s = internal_cjose_jwk_to_json(pool, jwk, err);
if (s == NULL) {
- oidc_jose_error(err, "cjose_jwk_to_json failed: %s",
- oidc_cjose_e2s(pool, cjose_err));
+ oidc_jose_error(err, "internal_cjose_jwk_to_json failed");
return FALSE;
}
*s_json = apr_pstrdup(pool, s);
@@ -1080,15 +1134,19 @@
* by "input" to a JSON Web Key object
*/
apr_byte_t oidc_jwk_rsa_bio_to_jwk(apr_pool_t *pool, BIO *input,
- const char *kid, cjose_jwk_t **jwk, int is_private_key,
+ const char *kid, oidc_jwk_t **oidc_jwk, int is_private_key,
oidc_jose_error_t *err) {
+ cjose_err cjose_err;
X509 *x509 = NULL;
- EVP_PKEY *pkey = NULL;
+ EVP_PKEY *pkey = NULL;
apr_byte_t rv = FALSE;
-
+ unsigned char *x509_pem_encoded_certificate = NULL, *x509_bytes = NULL;
+ int b64_len, x509_cert_length;
cjose_jwk_rsa_keyspec key_spec;
+
memset(&key_spec, 0, sizeof(cjose_jwk_rsa_keyspec));
+ *oidc_jwk = oidc_jwk_new(pool);
if (is_private_key) {
/* get the private key struct from the BIO */
@@ -1111,6 +1169,78 @@
oidc_jose_error_openssl(err, "X509_get_pubkey");
goto end;
}
+ /* certificate is present, fill the jwkset with
certificate entries */
+ /* populate first x5c certificate */
+ if (((*oidc_jwk)->x5c = (unsigned char**)
apr_pcalloc(pool,
+ sizeof(unsigned char*))) == NULL) {
+ oidc_jose_error_openssl(err, "malloc");
+ goto end;
+ }
+ b64_len =
oidc_jose_util_get_b64encoded_certificate_data(pool, x509,
+ &x509_pem_encoded_certificate, err);
+ if (x509_pem_encoded_certificate == NULL) {
+ oidc_jose_error_openssl(err,
+
"oidc_jose_util_get_b64encoded_certificate");
+ goto end;
+ }
+ (*oidc_jwk)->x5c[0] = (unsigned char *)
apr_pmemdup(pool,
+ x509_pem_encoded_certificate, b64_len +
1);
+ (*oidc_jwk)->x5c_count = 1;
+ /* populate thumbprints entries */
+#if OPENSSL_VERSION_NUMBER < 0x000907000L
+ // openssl below 0.9.7 does not allocate memory for you
:o
+ x509_cert_length = i2d_X509(x509, NULL);
+ if (x509_cert_length <= 0){
+ oidc_jose_error_openssl(err, "i2d_X509");
+ goto end;
+ }
+ x509_bytes = (unsigned char *)malloc(pool,
x509_cert_length + 1);
+#endif
+ x509_cert_length = i2d_X509(x509, &x509_bytes);
+ if (x509_cert_length < 0) {
+ oidc_jose_error_openssl(err, "i2d_X509");
+ goto end;
+ }
+ /* populate x5t */
+ if (oidc_jose_hash_and_base64url_encode(pool,
OIDC_JOSE_ALG_SHA1,
+ (const char *) x509_bytes,
x509_cert_length,
+ &(*oidc_jwk)->x5t) == FALSE) {
+ oidc_jose_error(err,
+
"oidc_jose_hash_and_base64urlencode failed");
+ }
+ /* populate x5t_S256 */
+ if (oidc_jose_hash_and_base64url_encode(pool,
OIDC_JOSE_ALG_SHA256,
+ (const char *) x509_bytes,
x509_cert_length,
+ &(*oidc_jwk)->x5t_S256) == FALSE) {
+ oidc_jose_error(err,
+
"oidc_jose_hash_and_base64urlencode failed");
+ }
+
+ X509_free(x509);
+ /* populate the x5c chain if any*/
+ while (!((x509 = PEM_read_bio_X509_AUX(input, NULL,
NULL, NULL))
+ == NULL)) {
+ b64_len =
oidc_jose_util_get_b64encoded_certificate_data(pool,
+ x509,
&x509_pem_encoded_certificate, err);
+ if (((*oidc_jwk)->x5c = (unsigned char**)
realloc(
+ (*oidc_jwk)->x5c,
+ sizeof(unsigned char*) *
((*oidc_jwk)->x5c_count + 1)))
+ == NULL) {
+ oidc_jose_error_openssl(err, "realloc");
+ goto end;
+ }
+ if (x509_pem_encoded_certificate == NULL) {
+ oidc_jose_error_openssl(err,
+
"oidc_jose_util_get_b64encoded_certificate %s",
+ (*oidc_jwk)->x5c_count);
+ goto end;
+ }
+ (*oidc_jwk)->x5c[(*oidc_jwk)->x5c_count] =
+ (unsigned char *)
apr_pmemdup(pool,
+
x509_pem_encoded_certificate, b64_len + 1);
+ (*oidc_jwk)->x5c_count += 1;
+ X509_free(x509);
+ }
}
}
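Review bot: The chain loop grows `(*oidc_jwk)->x5c` with `realloc()`, but that array was allocated with `apr_pcalloc(pool, ...)` a few lines earlier, so the first intermediate certificate in a PEM file hands a pool-owned pointer to the C heap allocator: undefined behaviour that will corrupt the heap or abort. The loop also cannot detect an encoding failure for later certificates, because `x509_pem_encoded_certificate` still holds the previous iteration's pointer, so the `== NULL` test passes and a zero `b64_len` produces a one-byte `apr_pmemdup`. Grow the array from the pool and test the returned length instead, as below. The `OPENSSL_VERSION_NUMBER < 0x000907000L` branch calls `malloc(pool, ...)`, which is not a valid call; it is dead for any supported OpenSSL and could be dropped. The enclosing `oidc_jwk_rsa_bio_to_jwk` starts and ends outside this hunk.
```c
			X509_free(x509);
			/* populate the x5c chain, if any; x5c is pool memory, so grow it with the pool, never realloc() */
			while ((x509 = PEM_read_bio_X509_AUX(input, NULL, NULL, NULL)) != NULL) {
				unsigned char **grown = NULL;
				x509_pem_encoded_certificate = NULL;
				b64_len = oidc_jose_util_get_b64encoded_certificate_data(pool,
						x509, &x509_pem_encoded_certificate, err);
				if ((b64_len <= 0) || (x509_pem_encoded_certificate == NULL)) {
					oidc_jose_error(err,
							"oidc_jose_util_get_b64encoded_certificate_data failed for chain element %d",
							(*oidc_jwk)->x5c_count);
					goto end;
				}
				grown = apr_pcalloc(pool,
						sizeof(unsigned char*) * ((*oidc_jwk)->x5c_count + 1));
				memcpy(grown, (*oidc_jwk)->x5c,
						sizeof(unsigned char*) * (*oidc_jwk)->x5c_count);
				(*oidc_jwk)->x5c = grown;
				(*oidc_jwk)->x5c[(*oidc_jwk)->x5c_count] = (unsigned char *) apr_pmemdup(
						pool, x509_pem_encoded_certificate, b64_len + 1);
				(*oidc_jwk)->x5c_count += 1;
				X509_free(x509);
			}
```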
@@ -1149,9 +1279,8 @@
BN_bn2bin(rsa_d, key_spec.d);
}
- cjose_err cjose_err;
- *jwk = cjose_jwk_create_RSA_spec(&key_spec, &cjose_err);
- if (*jwk == NULL) {
+ (*oidc_jwk)->cjose_jwk = cjose_jwk_create_RSA_spec(&key_spec,
&cjose_err);
+ if ((*oidc_jwk)->cjose_jwk == NULL) {
oidc_jose_error(err, "cjose_jwk_create_RSA_spec failed: %s",
oidc_cjose_e2s(pool, cjose_err));
goto end;
@@ -1161,14 +1290,19 @@
memcpy(fingerprint, key_spec.n, key_spec.nlen);
memcpy(fingerprint + key_spec.nlen, key_spec.e, key_spec.elen);
- if (oidc_jwk_set_or_generate_kid(pool, *jwk, kid, fingerprint,
- key_spec.nlen + key_spec.elen, err) == FALSE) {
+ if (oidc_jwk_set_or_generate_kid(pool, (*oidc_jwk)->cjose_jwk, kid,
+ fingerprint, key_spec.nlen + key_spec.elen, err) ==
FALSE) {
goto end;
}
- rv = TRUE;
+ (*oidc_jwk)->kid = apr_pstrdup(pool,
+ cjose_jwk_get_kid((*oidc_jwk)->cjose_jwk, &cjose_err));
+ (*oidc_jwk)->kty = cjose_jwk_get_kty((*oidc_jwk)->cjose_jwk,
&cjose_err);
+ rv = TRUE;
end:
+ if (x509_bytes)
+ free(x509_bytes);
if (pkey)
EVP_PKEY_free(pkey);
if (x509)
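Review bot: `free(x509_bytes)` at the `end:` label releases a buffer that `i2d_X509(x509, &x509_bytes)` allocated through OpenSSL's allocator, so it should be `OPENSSL_free(x509_bytes);` — the same thing in a default build, but wrong once `CRYPTO_set_mem_functions` is in use, and inconsistent with the `OPENSSL_free` calls this patch adds to the PEM helper. The `if (x509_bytes)` guard is redundant either way, since both deallocators accept NULL. `x509_bytes` and the thumbprints derive from the operator's configured certificate rather than request input, so this is robustness rather than exposure. The function starts before this hunk.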
@@ -1196,13 +1330,10 @@
goto end;
}
- cjose_jwk_t *cjose_jwk = NULL;
- if (oidc_jwk_rsa_bio_to_jwk(pool, input, kid, &cjose_jwk,
is_private_key,
+ if (oidc_jwk_rsa_bio_to_jwk(pool, input, kid, jwk, is_private_key,
err) == FALSE)
goto end;
- *jwk = oidc_jwk_from_cjose(pool, cjose_jwk);
-
rv = TRUE;
end:
@@ -1223,6 +1354,7 @@
apr_byte_t rv = FALSE;
const char *kid = NULL;
+ oidc_jwk_t *oidc_jwk = NULL;
/* get the "x5c" array element from the JSON object */
json_t *v = json_object_get(json, OIDC_JOSE_HDR_X5C);
@@ -1282,7 +1414,9 @@
}
/* do the actual parsing */
- rv = oidc_jwk_rsa_bio_to_jwk(pool, input, kid, jwk, FALSE, err);
+
+ rv = oidc_jwk_rsa_bio_to_jwk(pool, input, kid, &oidc_jwk, FALSE, err);
+ *jwk = oidc_jwk->cjose_jwk;
BIO_free(input);
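Review bot: `*jwk = oidc_jwk->cjose_jwk;` runs regardless of `rv`, so when `oidc_jwk_rsa_bio_to_jwk` fails part-way the caller receives whatever `cjose_jwk` holds at that point (NULL before `cjose_jwk_create_RSA_spec`, or a key whose kid was never set if `oidc_jwk_set_or_generate_kid` failed) next to `rv == FALSE`. Guarding the assignment keeps the output meaningful only on success: `*jwk = (rv == TRUE) ? oidc_jwk->cjose_jwk : NULL;`. This path parses `x5c` out of a JSON JWK, which is typically remote-sourced, so unambiguous failure states matter more here than in the file-based path. The function starts before this hunk.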
@@ -1304,3 +1438,79 @@
const char *filename, oidc_jwk_t **jwk, oidc_jose_error_t *err)
{
return oidc_jwk_parse_rsa_key(pool, FALSE, kid, filename, jwk, err);
}
+
+/*
+ * produce the string jwk representation from an oidc_jwk_t structure
+ */
+static char *internal_cjose_jwk_to_json(apr_pool_t *pool, oidc_jwk_t *oidc_jwk,
+ oidc_jose_error_t *oidc_err) {
+ char *result = NULL, *cjose_jwk_json;
+ cjose_err err;
+ json_t *json = NULL, *tempArray = NULL;
+ json_error_t json_error;
+
+ if (!oidc_jwk) {
+ oidc_jose_error(oidc_err,
+ "internal_cjose_jwk_to_json failed: NULL
oidc_jwk");
+ return NULL;
+ }
+
+ // get current
+ cjose_jwk_json = cjose_jwk_to_json(oidc_jwk->cjose_jwk, TRUE, &err);
+
+ if (cjose_jwk_json == NULL) {
+ oidc_jose_error(oidc_err, "cjose_jwk_to_json failed: %s",
+ oidc_cjose_e2s(pool, err));
+ goto to_json_cleanup;
+ }
+
+ json = json_loads(cjose_jwk_json, 0, &json_error);
+ if (!json) {
+ oidc_jose_error(oidc_err, "json_loads failed");
+ goto to_json_cleanup;
+ }
+
+ // set x5c
+ if (oidc_jwk->x5c_count != 0) {
+ tempArray = json_array();
+ if (tempArray == NULL) {
+ oidc_jose_error(oidc_err, "json_array failed");
+ goto to_json_cleanup;
+ }
+ for (int i = 0; i < oidc_jwk->x5c_count; i++) {
+ if (json_array_append_new(tempArray,
+ json_string((char *) oidc_jwk->x5c[i]))
== -1) {
+ oidc_jose_error(oidc_err, "json_array_append
failed");
+ goto to_json_cleanup;
+ }
+ }
+ json_object_set_new(json, OIDC_JOSE_JWK_X5C_STR, tempArray);
+ }
+
+ // set x5t#256
+ if (oidc_jwk->x5t_S256 != NULL)
+ json_object_set_new(json, OIDC_JOSE_JWK_X5T256_STR,
+ json_string(oidc_jwk->x5t_S256));
+
+ // set x5t
+ if (oidc_jwk->x5t != NULL)
+ json_object_set_new(json, OIDC_JOSE_JWK_X5T_STR,
+ json_string(oidc_jwk->x5t));
+
+ // generate the string ...
+ result = json_dumps(json,
+ JSON_ENCODE_ANY | JSON_COMPACT | JSON_PRESERVE_ORDER);
+ if (!result) {
+ oidc_jose_error(oidc_err, "json_dumps failed");
+ goto to_json_cleanup;
+ }
+
+to_json_cleanup:
+
+ if (cjose_jwk_json)
+ free(cjose_jwk_json);
+ if (json)
+ json_decref(json);
+
+ return result;
+}
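Review bot: In `internal_cjose_jwk_to_json`, the `goto to_json_cleanup` taken when `json_array_append_new` fails leaks `tempArray`: ownership only passes to `json` at the later `json_object_set_new`, and the cleanup label decrefs `json` and frees `cjose_jwk_json` but never the array. Add `json_decref(tempArray);` before that `goto`, or have the label decref a still-owned `tempArray`. `json_string()` returns NULL for non-UTF-8 input, which `json_array_append_new` reports as -1 and the code handles, but the two `json_object_set_new` calls for `x5t` and `x5t#S256` ignore their result. `free(cjose_jwk_json)` also assumes cjose used the default allocator; cjose exposes the matching deallocator via `cjose_get_dealloc()`.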
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/jose.h
new/mod_auth_openidc-2.4.2.1/src/jose.h
--- old/mod_auth_openidc-2.4.1/src/jose.h 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/jose.h 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -64,6 +64,7 @@
#include "cjose/cjose.h"
+#define OIDC_JOSE_ALG_SHA1 "sha1"
#define OIDC_JOSE_ALG_SHA256 "sha256"
/* indicate support for OpenSSL version dependent features */
@@ -75,6 +76,14 @@
#define OIDC_JOSE_ERROR_SOURCE_LENGTH 80
#define OIDC_JOSE_ERROR_FUNCTION_LENGTH 80
+/* the OIDC jwk fileds as references in RFC 5741 */
+#define OIDC_JOSE_JWK_KID_STR "kid" //Key ID
+#define OIDC_JOSE_JWK_KTY_STR "kty" //Key type
+#define OIDC_JOSE_JWK_USE_STR "use" //Key usage (enc|sig)
+#define OIDC_JOSE_JWK_X5C_STR "x5c" //X509 certificate chain
+#define OIDC_JOSE_JWK_X5T_STR "x5t" //X509 SHA-1 thumbprint
+#define OIDC_JOSE_JWK_X5T256_STR "x5t#S256" //X509 SHA-256 thumbprint
+
/* struct for returning errors to the caller */
typedef struct {
char source[OIDC_JOSE_ERROR_SOURCE_LENGTH];
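Review bot: The comment introducing the new JWK parameter names cites RFC 5741, which is not the JWK specification; `kid`, `kty`, `use`, `x5c`, `x5t` and `x5t#S256` are defined in section 4 of RFC 7517 (JSON Web Key), and the comment also misspells "fields". Suggested replacement: `/* the JWK parameters as defined in RFC 7517 (JSON Web Key), section 4 */`. The trailing comments on `x5t` and `x5t#S256` would be more useful if they said the value is the base64url-encoded thumbprint of the DER certificate, since that is what the generator in jose.c has to produce and what a consumer compares against.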
@@ -144,6 +153,14 @@
int kty;
/* key identifier */
char *kid;
+ /* X.509 Certificate Chain */;
+ unsigned char **x5c;
+ /* the size of the certificate chain */
+ int x5c_count;
+ /* X.509 Certificate SHA-1 Thumbprint */
+ char *x5t;
+ /* X.509 Certificate SHA-256 Thumbprint */
+ char *x5t_S256;
/* cjose JWK structure */
cjose_jwk_t *cjose_jwk;
} oidc_jwk_t;
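Review bot: The new `/* X.509 Certificate Chain */;` line carries a stray semicolon after the comment, which leaves an empty declaration inside the struct; compilers accept it as an extension but `-Wpedantic` reports "extra semicolon in struct or union specified". Drop the `;` so the line reads `/* X.509 Certificate Chain */`. While here, the comment on `x5c_count` would be clearer as `/* number of entries in x5c (0 when no certificate was loaded) */`, since the jose.c code above branches on it being zero.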
@@ -250,7 +267,7 @@
unsigned int oidc_alg2keysize(const char *alg);
apr_byte_t oidc_jwk_rsa_bio_to_jwk(apr_pool_t *pool, BIO *input,
- const char *kid, cjose_jwk_t **jwk, int is_private_key,
+ const char *kid, oidc_jwk_t **jwk, int is_private_key,
oidc_jose_error_t *err);
#endif /* MOD_AUTH_OPENIDC_JOSE_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/metadata.c
new/mod_auth_openidc-2.4.2.1/src/metadata.c
--- old/mod_auth_openidc-2.4.1/src/metadata.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/metadata.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/mod_auth_openidc.c
new/mod_auth_openidc-2.4.2.1/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.4.1/src/mod_auth_openidc.c 2020-01-30
07:54:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.2.1/src/mod_auth_openidc.c 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -2046,8 +2046,8 @@
/* match the returned state parameter against the state stored in the
browser */
if (oidc_authorization_response_match_state(r, c,
- apr_table_get(params, OIDC_PROTO_STATE), &provider,
- &proto_state) == FALSE) {
+ apr_table_get(params, OIDC_PROTO_STATE), &provider,
&proto_state)
+ == FALSE) {
if (c->default_sso_url != NULL) {
oidc_warn(r,
"invalid authorization response state;
a default SSO URL is set, sending the user there: %s",
@@ -2057,7 +2057,10 @@
}
oidc_error(r,
"invalid authorization response state and no
default SSO URL is set, sending an error...");
- return HTTP_INTERNAL_SERVER_ERROR;
+ // if content was already returned via html/http send then
don't return 500
+ // but send 200 to avoid extraneous internal error document
text to be sent
+ return ((r->user) && (strncmp(r->user, "", 1) == 0)) ?
+ OK : HTTP_INTERNAL_SERVER_ERROR;
}
/* see if the response is an error response */
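Review bot: The new return path uses an empty `r->user` as a sentinel meaning "a response body was already sent", and `strncmp(r->user, "", 1) == 0` is an obscure way to test for that; `r->user[0] == '\0'` says the same thing directly. Returning `OK` from this hook on an invalid-state response also lets the request proceed as authenticated with an empty user, so if any other path can leave `r->user` empty here a 200 would be returned without a body having been sent — worth confirming that only the html/http send helpers set the empty user. Suggested: `return (r->user != NULL && r->user[0] == '\0') ? OK : HTTP_INTERNAL_SERVER_ERROR;` with the comment above it naming the functions that set that sentinel. The enclosing function continues outside the hunk.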
@@ -4040,7 +4043,7 @@
/* dispatch to the >=2.4 specific authz routine */
authz_status rc = oidc_authz_worker24(r, claims ? claims : id_token,
- require_args, match_claim_fn);
+ require_args, parsed_require_args, match_claim_fn);
/* cleanup */
if (claims)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/mod_auth_openidc.h
new/mod_auth_openidc-2.4.2.1/src/mod_auth_openidc.h
--- old/mod_auth_openidc-2.4.1/src/mod_auth_openidc.h 2020-01-30
07:54:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.2.1/src/mod_auth_openidc.h 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -667,7 +667,7 @@
#if MODULE_MAGIC_NUMBER_MAJOR < 20100714
int oidc_authz_worker22(request_rec *r, const json_t *const claims, const
require_line *const reqs, int nelts);
#else
-authz_status oidc_authz_worker24(request_rec *r, const json_t * const claims,
const char *require_args, oidc_authz_match_claim_fn_type match_claim_fn);
+authz_status oidc_authz_worker24(request_rec *r, const json_t * const claims,
const char *require_args, const void *parsed_require_args,
oidc_authz_match_claim_fn_type match_claim_fn);
#endif
int oidc_oauth_return_www_authenticate(request_rec *r, const char *error,
const char *error_description);
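Review bot: The new `parsed_require_args` parameter of `oidc_authz_worker24` is declared `const void *`, although the prototype sits in the `#else` branch that already assumes the 2.4 API, where `const ap_expr_info_t *` would presumably be available and would let the compiler check callers; the test in test/test.c does pass an `ap_expr_info_t *` there. If the opaque type is deliberate (to keep the header free of the expression API), a comment on the declaration such as `/* parsed_require_args: the ap_expr_info_t parsed from require_args, or NULL */` would make the contract visible to implementers.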
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/oauth.c
new/mod_auth_openidc-2.4.2.1/src/oauth.c
--- old/mod_auth_openidc-2.4.1/src/oauth.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/oauth.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -652,9 +652,11 @@
oidc_debug(r, "successfully verified JWT access token: %s",
jwt->payload.value.str);
- *token = jwt->payload.value.json;
+ *token = json_deep_copy(jwt->payload.value.json);
*response = jwt->payload.value.str;
+ oidc_jwt_destroy(jwt);
+
return TRUE;
}
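Review bot: `json_deep_copy` can return NULL on allocation failure, and the new code then returns TRUE with `*token == NULL`, which callers will treat as a successfully verified token with no claims. Check it before destroying the JWT, e.g. `if (*token == NULL) { oidc_jwt_destroy(jwt); return FALSE; }`. Separately, `*response` still aliases `jwt->payload.value.str` after `oidc_jwt_destroy(jwt)`; that is only safe if the string is pool-allocated rather than released by the destroy — please confirm, since the deep copy was added precisely so `*token` survives it. The function's start is outside the hunk.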
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/parse.c
new/mod_auth_openidc-2.4.2.1/src/parse.c
--- old/mod_auth_openidc-2.4.1/src/parse.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/parse.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/parse.h
new/mod_auth_openidc-2.4.2.1/src/parse.h
--- old/mod_auth_openidc-2.4.1/src/parse.h 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/parse.h 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/proto.c
new/mod_auth_openidc-2.4.2.1/src/proto.c
--- old/mod_auth_openidc-2.4.1/src/proto.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/proto.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -1556,7 +1556,7 @@
oidc_debug(r,
"\"jwks_uri\" is set, but the JWT has a symmetric signature so we
won't pull/use keys from there");
} */else {
- apr_byte_t force_refresh = FALSE;
+ apr_byte_t force_refresh = jwt->header.kid == NULL ? TRUE :
FALSE;
/* get the key from the JWKs that corresponds with the key
specified in the header */
if (oidc_proto_get_keys_from_jwks_uri(r, cfg, jwt, jwks_uri,
dynamic_keys, &force_refresh) == FALSE) {
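Review bot: Setting `force_refresh` whenever the JWT header carries no `kid` means every token presented without a key id triggers a fetch of `jwks_uri`, and the token has not been verified at that point, so an unauthenticated client can drive outbound requests to the provider at request rate unless `oidc_proto_get_keys_from_jwks_uri` (not visible here) throttles refreshes. Worth confirming that a refresh interval applies on that path, and stating the intent on the changed line: `/* no kid: the signing key may have rotated, so force a jwks_uri refresh (subject to the refresh interval) */`. The enclosing function continues outside the hunk.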
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/session.c
new/mod_auth_openidc-2.4.2.1/src/session.c
--- old/mod_auth_openidc-2.4.1/src/session.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/session.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -275,7 +275,7 @@
(first_time ?
OIDC_COOKIE_EXT_SAME_SITE_LAX :
OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
- NULL);
+
OIDC_COOKIE_EXT_SAME_SITE_NONE);
return TRUE;
}
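Review bot: `SameSite=None` is only honored by current browsers when the cookie also carries the `Secure` attribute; this hunk does not show whether the by-value session cookie is flagged secure, and if it is issued over plain HTTP the browser rejects the cookie rather than falling back. Please confirm the secure flag is set on the same cookie, and record the coupling next to the new argument: `/* SameSite=None requires the Secure attribute, otherwise browsers drop the cookie */`. The enclosing function starts outside the hunk.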
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/src/util.c
new/mod_auth_openidc-2.4.2.1/src/util.c
--- old/mod_auth_openidc-2.4.1/src/util.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/src/util.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/test/stub.c
new/mod_auth_openidc-2.4.2.1/test/stub.c
--- old/mod_auth_openidc-2.4.1/test/stub.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/test/stub.c 2020-03-25 13:09:26.000000000
+0100
@@ -167,6 +167,18 @@
return 0;
}
+AP_DECLARE(ap_expr_info_t *) ap_expr_parse_cmd_mi(const cmd_parms *cmd, const
char *expr,
+ unsigned int flags, const char **err, ap_expr_lookup_fn_t
*lookup_fn,
+ int module_index) {
+ return NULL;
+}
+
+AP_DECLARE(const char *) ap_expr_str_exec(request_rec *r, const ap_expr_info_t
*expr,
+ const char **err) {
+ err = NULL;
+ return expr->filename;
+}
+
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
AP_DECLARE(void) ap_log_error_(const char *file, int line, int module_index,
int level, apr_status_t status, const server_rec *s, const char
*fmt,
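Review bot: In the `ap_expr_str_exec` stub, `err = NULL;` assigns the local parameter and never writes through the pointer, so a caller that inspects `*err` after the call reads whatever it held before; it should be `if (err) *err = NULL;`. The stub also dereferences `expr` without a NULL check while the `ap_expr_parse_cmd_mi` stub directly above returns NULL, so any test that feeds the parse result into exec would crash — acceptable for a stub only if stated, e.g. `/* stub: tests store the expression string in expr->filename and read it back here */`.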
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/test/test-cmd.c
new/mod_auth_openidc-2.4.2.1/test/test-cmd.c
--- old/mod_auth_openidc-2.4.1/test/test-cmd.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/test/test-cmd.c 2020-03-25
13:09:26.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.1/test/test.c
new/mod_auth_openidc-2.4.2.1/test/test.c
--- old/mod_auth_openidc-2.4.1/test/test.c 2020-01-30 07:54:42.000000000
+0100
+++ new/mod_auth_openidc-2.4.2.1/test/test.c 2020-03-25 13:09:26.000000000
+0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2017-2019 ZmartZone IAM
+ * Copyright (C) 2017-2020 ZmartZone IAM
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
@@ -128,9 +128,11 @@
static char *test_public_key_parse(apr_pool_t *pool) {
oidc_jose_error_t err;
- cjose_jwk_t *jwk, *jwkCert = NULL;
+ oidc_jwk_t *jwk, *jwkCert = NULL;
BIO *input, *inputCert = NULL;
+ char* json = NULL;
+
int isPrivateKey = 0;
int result;
@@ -138,20 +140,40 @@
const char certificateFile[] = "./test/certificate.pem";
input = BIO_new(BIO_s_file());
- TST_ASSERT_ERR("test_public_key_parse_BIO_new_public_key", input !=
NULL, pool, err);
+ TST_ASSERT_ERR("test_public_key_parse_BIO_new_public_key", input !=
NULL,
+ pool, err);
- TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_public_key",
result = BIO_read_filename(input, publicKeyFile), pool, err);
+ TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_public_key",
+ result = BIO_read_filename(input, publicKeyFile), pool,
err);
- TST_ASSERT_ERR("oidc_jwk_rsa_bio_to_jwk", oidc_jwk_rsa_bio_to_jwk(pool,
input, NULL, &jwk, isPrivateKey, &err),
+ TST_ASSERT_ERR("oidc_jwk_rsa_bio_to_jwk",
+ oidc_jwk_rsa_bio_to_jwk(pool, input, NULL, &jwk,
isPrivateKey, &err),
pool, err);
-
+ BIO_free(input);
+
inputCert = BIO_new(BIO_s_file());
- TST_ASSERT_ERR("test_public_key_parse_BIO_new_certificate", inputCert
!= NULL, pool, err);
+ TST_ASSERT_ERR("test_public_key_parse_BIO_new_certificate",
+ inputCert != NULL, pool, err);
- TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_certificate",
BIO_read_filename(inputCert, certificateFile), pool, err);
+ TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_certificate",
+ BIO_read_filename(inputCert, certificateFile), pool,
err);
- TST_ASSERT_ERR("oidc_jwk_rsa_bio_to_jwk", oidc_jwk_rsa_bio_to_jwk(pool,
inputCert, NULL, &jwkCert, isPrivateKey, &err),
+ TST_ASSERT_ERR("oidc_jwk_rsa_bio_to_jwk",
+ oidc_jwk_rsa_bio_to_jwk(pool, inputCert, NULL,
&jwkCert, isPrivateKey, &err),
pool, err);
+ BIO_free(inputCert);
+
+ TST_ASSERT_ERR("oidc_jwk_to_json with public key",
+ oidc_jwk_to_json(pool, jwk, &json, &err), pool, err);
+ TST_ASSERT_STR("oidc_jwk_to_json with public key output test", json,
+
"{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-51dgD4cQNzieLEEkJw\"}");
+ oidc_jwk_destroy(jwk);
+
+ TST_ASSERT_ERR("oidc_jwk_to_json with certificate",
+ oidc_jwk_to_json(pool, jwkCert, &json, &err), pool,
err);
+ TST_ASSERT_STR("oidc_jwk_to_json with certificate output test", json,
+
"{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-51dgD4cQNzieLEEkJw\",\"x5c\":[\"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\"],\"x5t#S256\":\"hMVJ55Mqi4uAQIztPKUmL2MSfy6iN1Lr3J1CNGAIBms\",\"x5t\":\"0oN6Bx-eh6VAmNw1I7o3Dd9JPwE\"}");
+ oidc_jwk_destroy(jwkCert);
return 0;
}
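Review bot: `json` is overwritten by the second `oidc_jwk_to_json` call without releasing the first result and is never freed at the end of the test; the jose.c hunk earlier in this patch produces the serialized JWK with `json_dumps`, which returns heap memory, so unless `oidc_jwk_to_json` copies it into `pool` both strings leak. If it is heap memory, add `free(json); json = NULL;` after each `TST_ASSERT_STR` on it. A short comment above the first assertion saying the expected string is the RSA public JWK for test/certificate.pem would also help whoever has to regenerate the fixture.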
@@ -1349,6 +1371,8 @@
static char * test_authz_worker(request_rec *r) {
authz_status rc;
char *require_args = NULL;
+ ap_expr_info_t *parsed_require_args = (ap_expr_info_t *)
apr_pcalloc(r->pool,
+ sizeof(ap_expr_info_t));;
json_error_t err;
json_t *json = NULL;
char *claims = NULL;
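Review bot: The `parsed_require_args` initializer ends with a doubled semicolon (`;;`) and casts the result of `apr_pcalloc`, which returns `void *` and needs no cast in C; `ap_expr_info_t *parsed_require_args = apr_pcalloc(r->pool, sizeof(*parsed_require_args));` is the idiomatic form. A one-line comment saying why a zeroed `ap_expr_info_t` stands in for a parsed expression in this test would help readers who do not know the stub.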
@@ -1401,47 +1425,58 @@
json != NULL);
require_args = "Require claim sub:hans";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (1: simple sub claim)", rc == AUTHZ_DENIED);
require_args = "Require claim sub:stef";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (2: simple sub claim)", rc == AUTHZ_GRANTED);
require_args = "Require claim nested.level1.level2:hans";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (3: nested claim)", rc == AUTHZ_GRANTED);
require_args = "Require claim nested.nestedarray:a";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (4: nested array)", rc == AUTHZ_DENIED);
require_args = "Require claim nested.nestedarray:c";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (5: nested array)", rc == AUTHZ_GRANTED);
require_args = "Require claim nested.level1:a";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (6: nested non-string)", rc == AUTHZ_DENIED);
require_args = "Require claim somebool:a";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (7: non-array)", rc == AUTHZ_DENIED);
require_args = "Require claim somebool.level1:a";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (8: nested non-array)", rc == AUTHZ_DENIED);
require_args = "Require claim realm_access.roles:someRole1";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (9: keycloak sample 1)", rc == AUTHZ_GRANTED);
require_args = "Require claim
resource_access.someClient.roles:someRole4";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (10: keycloak sample 2)", rc == AUTHZ_GRANTED);
require_args = "Require claim https://test.com/pay:alot";
- rc = oidc_authz_worker24(r, json, require_args, oidc_authz_match_claim);
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (11: namespaced key)", rc == AUTHZ_GRANTED);
json_decref(json);
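Review bot: Each case now stores the Require string in `parsed_require_args->filename`, which repurposes an unrelated `ap_expr_info_t` field and only works because the `ap_expr_str_exec` stub in test/stub.c returns `expr->filename`; that coupling is invisible here and should be stated once at the first assignment, e.g. `/* the stubbed ap_expr_str_exec() returns expr->filename, so the raw Require string is passed through it */`. The eleven identical three-line blocks could also be folded into a small static helper taking the Require string and the expected status, which would keep the stub dependency in one place.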