Re: svn commit: r1909411 - in /httpd/httpd/trunk: ./ docs/manual/mod/ modules/aaa/

2023-05-05 Thread Ruediger Pluem



On 4/25/23 7:52 PM, minf...@apache.org wrote:
> Author: minfrin
> Date: Tue Apr 25 17:52:18 2023
> New Revision: 1909411
> 
> URL: http://svn.apache.org/viewvc?rev=1909411&view=rev
> Log:
>   *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within
>  bearer tokens, both as part of the aaa framework, and as a way to
>  generate tokens and pass them to backend servers and services.
> 
>   *) mod_auth_bearer: New module to handle RFC 6750 Bearer tokens, using
>  the token_checker hook.
> 
>   *) mod_autht_core: New module to handle provider aliases for token
>  authentication.
> 
> 
> Added:
> httpd/httpd/trunk/docs/manual/mod/mod_auth_bearer.xml
> httpd/httpd/trunk/docs/manual/mod/mod_autht_core.xml
> httpd/httpd/trunk/docs/manual/mod/mod_autht_jwt.xml
> httpd/httpd/trunk/modules/aaa/mod_auth_bearer.c
> httpd/httpd/trunk/modules/aaa/mod_autht_core.c
> httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/aaa/config.m4
> 

> Added: httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c?rev=1909411&view=auto
> ==
> --- httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c (added)
> +++ httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c Tue Apr 25 17:52:18 2023
> @@ -0,0 +1,1089 @@
> +/* Licensed to the Apache Software Foundation (ASF) under one or more
> + * contributor license agreements.  See the NOTICE file distributed with
> + * this work for additional information regarding copyright ownership.
> + * The ASF licenses this file to You under the Apache License, Version 2.0
> + * (the "License"); you may not use this file except in compliance with
> + * the License.  You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +
> +/**
> + * This module adds support for https://tools.ietf.org/html/rfc7519 JWT 
> tokens
> + * as https://tools.ietf.org/html/rfc6750 Bearer tokens, both as a generator
> + * of JWT bearer tokens, and as an acceptor of JWT Bearer tokens for 
> authentication.
> + */
> +
> +#include "apr_strings.h"
> +#include "apr_hash.h"
> +#include "apr_crypto.h"
> +#include "apr_jose.h"
> +#include "apr_lib.h"/* for apr_isspace */
> +#include "apr_base64.h" /* for apr_base64_decode et al */
> +#define APR_WANT_STRFUNC/* for strcasecmp */
> +#include "apr_want.h"
> +
> +#include "ap_config.h"
> +#include "httpd.h"
> +#include "http_config.h"
> +#include "http_core.h"
> +#include "http_log.h"
> +#include "http_protocol.h"
> +#include "http_request.h"
> +#include "util_md5.h"
> +#include "ap_provider.h"
> +#include "ap_expr.h"
> +
> +#include "mod_auth.h"
> +
> +#define CRYPTO_KEY "auth_bearer_context"
> +
> +module AP_MODULE_DECLARE_DATA autht_jwt_module;
> +
> +typedef enum jws_alg_type_e {
> +/** No specific type. */
> +JWS_ALG_TYPE_NONE = 0,
> +/** HMAC SHA256 */
> +JWS_ALG_TYPE_HS256 = 1,
> +} jws_alg_type_e;
> +
> +typedef struct {
> +unsigned char *secret;
> +apr_size_t secret_len;
> +jws_alg_type_e jws_alg;
> +} auth_bearer_signature_rec;
> +
> +typedef struct {
> +apr_hash_t *claims;
> +apr_array_header_t *signs;
> +apr_array_header_t *verifies;
> +int signs_set:1;
> +int verifies_set:1;
> +int fake_set:1;
> +} auth_bearer_config_rec;
> +
> +typedef struct {
> +const char *library;
> +const char *params;
> +apr_crypto_t **crypto;
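Review bot: the flags `int signs_set:1;`, `int verifies_set:1;` and `int fake_set:1;` in auth_bearer_config_rec are plain-int one-bit bit-fields, which on compilers that treat plain int bit-fields as signed (GCC and Clang) can only hold 0 and -1, so `signs_set = 1` stores -1 and any `== 1` test fails; declare them `unsigned int signs_set:1;` (and consider the same treatment for `library_set` in auth_bearer_conf so the three structs are consistent). The identifiers in this file (`auth_bearer_signature_rec`, `auth_bearer_config_rec`, `auth_bearer_conf`, `CRYPTO_KEY "auth_bearer_context"`) also read as if they belonged to the separate mod_auth_bearer.c added in the same commit; an `autht_jwt_` prefix would keep the two modules apart in logs and in a debugger. Finally, the comment on `JWS_ALG_TYPE_NONE` ("No specific type") should say explicitly that it means "no algorithm configured" and is not the RFC 7518 `"none"` algorithm, since a verifier must never treat the two alike.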


Why not apr_crypto_t *crypto instead and use &(var->crypto) where apr_crypto_t ** is needed below?

> +int library_set;
> +} auth_bearer_conf;
> +
> +static int auth_bearer_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t 
> *ptemp,
> +server_rec *s) {
> +const apr_crypto_driver_t *driver = NULL;
> +
> +/* auth_bearer_init() will be called twice. Don't bother
> + * going through all of the initialization on the first call
> + * because it will just be thrown away.*/
> +if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
> +return OK;
> +}
> +
> +while (s) {
> +
> +auth_bearer_conf *conf = ap_get_module_config(s->module_config,
> +_jwt_module);
> +
> +if (conf->library_set && !*conf->crypto) {
> +
> +const apu_err_t *err = NULL;
> +apr_status_t rv;
> +
> +rv = apr_crypto_init(p);
> +if (APR_SUCCESS != rv) {
> +ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
> +
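As an added illustration of what the commit log calls the "acceptor" and "generator" roles for RFC 7519 JWTs carried as RFC 6750 bearer tokens, here is a minimal HS256 implementation in Python; it is not code from httpd or from mod_autht_jwt, and the secret, claims and timestamps are constructed test values. It shows the checks an acceptor has to perform before trusting the claims: the `alg` header is pinned to the configured algorithm rather than dispatched on, the MAC is compared in constant time, and `exp`/`nbf` are enforced.

```python
import base64, hashlib, hmac, json, time

class TokenError(Exception): pass  # any reason the bearer token must be refused

def b64url_decode(s):
    # JWS uses unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def extract_bearer(authorization):
    # RFC 6750 2.1: scheme "Bearer" (case-insensitive), whitespace, the b64token
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise TokenError("not a Bearer credential")
    return parts[1].strip()

def verify_hs256(token, secret, now=None):
    """Return the claims of a compact JWS signed with HS256, else raise TokenError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError as e:  # wrong part count, bad base64url or bad JSON
        raise TokenError("malformed token") from e
    # Pin the algorithm to the one this acceptor is configured for: "none" and
    # every other alg value are refused up front instead of being dispatched on.
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg or malformed token")
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise TokenError("bad signature")
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenError("token not yet valid")
    return claims

def authenticate(authorization, secret, now=None):
    # Acceptor entry point: (True, claims) on success, (False, reason) on refusal
    try:
        return True, verify_hs256(extract_bearer(authorization), secret, now)
    except TokenError as e:
        return False, str(e)

def mint_hs256(claims, secret):
    # Generator side: build the compact JWS that authenticate() accepts
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, (head + "." + body).encode("ascii"), hashlib.sha256).digest()
    return head + "." + body + "." + b64url_encode(sig)
```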

Re: [VOTE] Switch read/write repository from Subversion to Git

2023-05-05 Thread Jim Jagielski



> On May 4, 2023, at 4:34 AM, Ruediger Pluem  wrote:
> 
> This is a formal vote on whether we should move our read/write repository 
> from Subversion to Git.
> This means that our latest read/write repository will be no longer available 
> via svn.apache.org. It
> will be available via Git at 
> https://gitbox.apache.org/repos/asf/httpd-site.git and 
> https://github.com/apache/httpd.git.
> Github also offers the possibility to use a Subversion client:
> https://docs.github.com/en/get-started/working-with-subversion-on-github/support-for-subversion-clients
> 
> 
> [X]: Move the read/write repository from Subversion to Git and leverage the 
> features of Github (for now Actions and PR).
> [ ]: Move the read/write repository from Subversion to Git, but I don't want 
> to work with Github and I will only work with
> what gitbox.apache.org offers.
> [ ]: Leave everything as is.
> 

+1 for the move. "binding" if we are specifically noting votes from PMC members.



Re: build trunk in windows

2023-05-05 Thread jean-frederic clere

On 5/4/23 11:31, Yann Ylavic wrote:

On Wed, May 3, 2023 at 2:54 PM jean-frederic clere  wrote:


On 4/24/23 18:25, Steffen wrote:

There is a howto Building Apache and dependencies using CMake at

https://www.apachelounge.com/viewtopic.php?t=8609
I ended fixing include/http_protocol.h see patch, did I miss something?


Looks like ap_h1_response_out_filter() is declared in
"include/mod_core.h" already, but without AP_CORE_DECLARE_NONSTD().
Not sure if we should remove the AP_CORE_DECLARE_NONSTD() in
"modules/http/http_filters.c" (where it's implemented) or add it in
the declaration. For instance ap_http_outerror_filter() has no
AP_CORE_DECLARE_NONSTD() anywhere..


so removing AP_CORE_DECLARE_NONSTD() in ./modules/http/http_filters.c is 
probably the smallest fix.


Putting AP_CORE_DECLARE_NONSTD() "everywhere" sounds weird to me ;-)

I will do that later this week-end, is that OK ;-)


Regards;
Yann.


--
Cheers

Jean-Frederic



Re: [VOTE] Switch read/write repository from Subversion to Git

2023-05-05 Thread Greg Stein
On Fri, May 5, 2023 at 3:19 AM Dennis Clarke  wrote:

>
> > Everybody says git is decentralized, so why are you even asking this
> > question? Can't you just use any git repository, anywhere? ;-)
>
> Github is microsoft and you can bet they will break things. It is only a
> matter of time with them.
>

That is a fine opinion to hold. Many people (including myself) would
disagree with your opinion.

The voting so far appears to show that people are not concerned with the
hypothetical "they will break things". I would suggest there are no
comparative historical precedents, so the votes are not reflective of that
... opinion.

Cheers,
-g


Re: svn commit: r1909409 - in /httpd/httpd/trunk: CHANGES docs/manual/developer/new_api_2_6.xml include/ap_mmn.h include/http_request.h include/mod_auth.h server/request.c

2023-05-05 Thread Ruediger Pluem



On 4/25/23 7:35 PM, minf...@apache.org wrote:
> Author: minfrin
> Date: Tue Apr 25 17:35:08 2023
> New Revision: 1909409
> 
> URL: http://svn.apache.org/viewvc?rev=1909409&view=rev
> Log:
> core: Add the token_checker hook, that allows authentication to take
> place using mechanisms other than username/password, such as bearer
> tokens.
> 
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml
> httpd/httpd/trunk/include/ap_mmn.h
> httpd/httpd/trunk/include/http_request.h
> httpd/httpd/trunk/include/mod_auth.h
> httpd/httpd/trunk/server/request.c
> 

> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_request.h?rev=1909409&r1=1909408&r2=1909409&view=diff
> ==
> --- httpd/httpd/trunk/include/http_request.h (original)
> +++ httpd/httpd/trunk/include/http_request.h Tue Apr 25 17:35:08 2023

> @@ -516,6 +529,24 @@ AP_DECLARE(void) ap_hook_check_access_ex
>   const char * const *aszSucc,
>   int nOrder, int type);
>  
> +/**
> + * Register a hook function that will analyze the request headers, extract
> + * any tokens, and apply and metadata contained in the tokens or keyed 
> against
> + * the tokens to the request record.
> + * @param pf A token_checker hook function
> + * @param aszPre A NULL-terminated array of strings that name modules whose
> + *   hooks should precede this one
> + * @param aszSucc A NULL-terminated array of strings that name modules whose
> + *hooks should succeed this one
> + * @param nOrder An integer determining order before honouring aszPre and
> + *   aszSucc (for example, HOOK_MIDDLE)
> + * @param type Internal request processing mode, either
> + * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
> + */> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,

Isn't the above a copy and paste error and should be ap_HOOK_token_checker_t instead?

> + const char * const *aszPre,
> + const char * const *aszSucc,
> + int nOrder, int type);
>  
>  /**
>   * Register a hook function that will analyze the request headers,
> 
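Review bot: the Doxygen comment on ap_hook_check_autht reads "apply and metadata contained in the tokens or keyed against the tokens", which should be "apply any metadata"; while touching it, the `@param type` text ("Internal request processing mode") would be more useful if it stated the consequence of choosing AP_AUTH_INTERNAL_PER_CONF, namely that the hook is counted in auth_internal_per_conf_hooks as the request.c hunk does, so module authors know what the flag changes.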

> Modified: httpd/httpd/trunk/server/request.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1909409&r1=1909408&r2=1909409&view=diff
> ==
> --- httpd/httpd/trunk/server/request.c (original)
> +++ httpd/httpd/trunk/server/request.c Tue Apr 25 17:35:08 2023

> @@ -2217,6 +2234,18 @@ AP_DECLARE(void) ap_hook_check_access_ex
>  ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder);
>  }
>  
> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,

Isn't the above a copy and paste error and should be ap_HOOK_token_checker_t instead?


> + const char * const *aszPre,
> + const char * const *aszSucc,
> + int nOrder, int type)
> +{
> +if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) {
> +++auth_internal_per_conf_hooks;
> +}
> +
> +ap_hook_token_checker(pf, aszPre, aszSucc, nOrder);
> +}
> +
>  AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
>   const char * const *aszPre,
>   const char * const *aszSucc,
> 
> 
> 

Regards

Rüdiger





Re: [VOTE] Switch read/write repository from Subversion to Git

2023-05-05 Thread Dennis Clarke




Everybody says git is decentralized, so why are you even asking this
question? Can't you just use any git repository, anywhere? ;-)


Github is microsoft and you can bet they will break things. It is only a
matter of time with them.

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
Four decades in production systems.



Re: [VOTE] Switch read/write repository from Subversion to Git

2023-05-05 Thread Greg Stein
On Fri, May 5, 2023 at 2:12 AM Dennis Clarke  wrote:
>...

>  Why the assumption of Microsoft github?  There is no reason to
> migrate to a git service such as Microsoft github when sourcehut works
> just fine as does a private git repo provided by Apache FSF itself.
>

Because the Apache Infrastructure Team has constructed a lot of tooling around
GitHub, to support git-based development at the Foundation. We
maintain/synchronize our own copy of the git repository, mailing lists and
commit emails are provided, LDAP authz groups are mapped to GitHub teams,
we have GitHub Actions available, and more. GitHub is fully-supported and
backed by Microsoft (and we have direct contact with them); compare with
sourcehut, quote: "Notice: sr.ht is currently in alpha, and the quality of
the service may reflect that."

Everybody says git is decentralized, so why are you even asking this
question? Can't you just use any git repository, anywhere? ;-)

Cheers,
-g


Re: [VOTE] Switch read/write repository from Subversion to Git

2023-05-05 Thread Dennis Clarke

On 5/5/23 02:15, Ruediger Pluem wrote:



On 5/4/23 10:34 AM, Ruediger Pluem wrote:

This is a formal vote on whether we should move our read/write repository from 
Subversion to Git.
This means that our latest read/write repository will be no longer available 
via svn.apache.org. It
will be available via Git at https://gitbox.apache.org/repos/asf/httpd-site.git 
and https://github.com/apache/httpd.git.
Github also offers the possibility to use a Subversion client:
https://docs.github.com/en/get-started/working-with-subversion-on-github/support-for-subversion-clients


[ ]: Move the read/write repository from Subversion to Git and leverage the 
features of Github (for now Actions and PR).
[ ]: Move the read/write repository from Subversion to Git, but I don't want to 
work with Github and I will only work with
  what gitbox.apache.org offers.
[ ]: Leave everything as is.
After thinking a lot I have come to the conclusion that it is now time to do this.

[X]: Move the read/write repository from Subversion to Git and leverage the 
features of Github (for now Actions and PR).

Regards

Rüdiger



Why the assumption of Microsoft github?  There is no reason to
migrate to a git service such as Microsoft github when sourcehut works
just fine as does a private git repo provided by Apache FSF itself.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
Four decades in production systems.



Re: [VOTE] Switch read/write repository from Subversion to Git

2023-05-05 Thread Ruediger Pluem



On 5/4/23 10:34 AM, Ruediger Pluem wrote:
> This is a formal vote on whether we should move our read/write repository 
> from Subversion to Git.
> This means that our latest read/write repository will be no longer available 
> via svn.apache.org. It
> will be available via Git at 
> https://gitbox.apache.org/repos/asf/httpd-site.git and 
> https://github.com/apache/httpd.git.
> Github also offers the possibility to use a Subversion client:
> https://docs.github.com/en/get-started/working-with-subversion-on-github/support-for-subversion-clients
> 
> 
> [ ]: Move the read/write repository from Subversion to Git and leverage the 
> features of Github (for now Actions and PR).
> [ ]: Move the read/write repository from Subversion to Git, but I don't want 
> to work with Github and I will only work with
>  what gitbox.apache.org offers.
> [ ]: Leave everything as is.
> 
> 

After thinking a lot I have come to the conclusion that it is now time to do this.

[X]: Move the read/write repository from Subversion to Git and leverage the 
features of Github (for now Actions and PR).

Regards

Rüdiger


Re: ci vs PR approvals? (was: [apache/httpd] Fix a possible NULL pointer dereference in hook_uri2file (PR #355))

2023-05-05 Thread Ruediger Pluem



On 5/5/23 2:37 AM, Greg Stein wrote:

> Down-thread, Giovanni asks about security patch handling. We can continue to 
> use repos/private/pmc/httpd/ for that. That area will
> not go away. If people want to go "all git", then Infra can provide projects 
> with a single, private repository that would function
> similarly.

Thanks for pointing this out. I think the repos/private/pmc/httpd should still stick in Subversion as it is now.
And it brings up another point: we need to adjust our release scripts once we have made the switch.

> 
> IMO, I definitely think svn is a superior version control system to git. It 
> is much more approachable and easy to use, compared to
> git. I helped to build svn, yet I use git daily; this isn't knee-jerk svn 
> partisanship; svn is simply better/easier. But *GitHub*

And I still use it in other areas at $work that are not that much development 
driven but need to version control mostly
text files and where the GitHub features are not needed / useful. For these 
cases svn is clearly much better suited than git.

Regards

Rüdiger