Re: svn commit: r1910327 - /httpd/httpd/branches/2.4.x/STATUS

2023-06-09 Thread Ruediger Pluem



On 6/9/23 6:28 PM, jean-frederic clere wrote:
> On 6/9/23 14:58, rpl...@apache.org wrote:
>> Author: rpluem
>> Date: Fri Jun  9 12:58:55 2023
>> New Revision: 1910327
>>
>> URL: http://svn.apache.org/viewvc?rev=1910327=rev
>> Log:
>> * Vote and comment [skip ci]
>>
>> Modified:
>>  httpd/httpd/branches/2.4.x/STATUS
>>
>> Modified: httpd/httpd/branches/2.4.x/STATUS
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1910327=1910326=1910327=diff
>> ==
>> --- httpd/httpd/branches/2.4.x/STATUS (original)
>> +++ httpd/httpd/branches/2.4.x/STATUS Fri Jun  9 12:58:55 2023
>> @@ -213,6 +213,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>>    Backport version for 2.4.x of patch:
>>     
>> https://raw.githubusercontent.com/jfclere/patch/main/mod_deflate.patch
>>    +1: jfclere,
>> + rpluem says: Does anyone know why we don't merge the server config?
> 
> We have:
> +++
>     create_deflate_dirconf,   /* dir config creater */
>     NULL, /* dir merger --- default is to override */
>     create_deflate_server_config, /* server config */
>     NULL, /* merge server config */
> +++
> 
> Are you asking why? ;-)

Exactly. I know that your patch only follows the existing pattern, but it came to my attention when reviewing it and I asked myself why we don't merge here. Hence the question is not really specifically to you but to everyone. Having a brief look into the version history reveals that it has been like that since the module has existed. Hence I am not sure if anyone can provide a historical reasoning here. But we should probably think together about whether this is the behavior we want to keep for some reason or if we should change it.

Regards

Rüdiger
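To make the question in this thread concrete, here is a small stand-alone C model of how httpd treats a module's per-server config with and without a merge function. This is example code added for this page, not httpd's or mod_deflate's own code: the `deflate_server_conf` fields, the `UNSET` marker and `effective_server_conf()` are simplified stand-ins, and the behaviour modelled (a vhost's own record is kept untouched when the merge slot is NULL) is taken from the "default is to override" comment in the quoted module table rather than from the httpd source itself.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a per-server module config (example only; the
 * real mod_deflate record has more fields). UNSET marks "no directive seen
 * in this server scope". */
#define UNSET (-1)

typedef struct {
    int compression_level;   /* stand-in for a DeflateCompressionLevel-style value */
    int buffer_size;         /* stand-in for a DeflateBufferSize-style value */
} deflate_server_conf;

typedef deflate_server_conf *(*merge_fn)(const deflate_server_conf *base,
                                         const deflate_server_conf *virt);

/* Counterpart of the create_server_config slot: httpd calls this once for the
 * main server and once per virtual host, so every vhost starts from UNSET. */
static deflate_server_conf *create_deflate_server_config(void)
{
    deflate_server_conf *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->compression_level = UNSET;
    c->buffer_size = UNSET;
    return c;
}

/* Candidate for the "merge server config" slot that is NULL in the quoted
 * module table: anything the vhost left UNSET is taken from the base server. */
static deflate_server_conf *merge_deflate_server_config(const deflate_server_conf *base,
                                                        const deflate_server_conf *virt)
{
    deflate_server_conf *c = create_deflate_server_config();
    c->compression_level = (virt->compression_level != UNSET)
                           ? virt->compression_level : base->compression_level;
    c->buffer_size = (virt->buffer_size != UNSET)
                     ? virt->buffer_size : base->buffer_size;
    return c;
}

/* Models the per-server merge step for one module (assumed behaviour, derived
 * from the "default is to override" comment): a vhost that has its own record
 * keeps it as-is when the module supplies no merger; only with a merger are
 * base-server values folded in. */
static deflate_server_conf *effective_server_conf(const deflate_server_conf *base,
                                                  deflate_server_conf *virt,
                                                  merge_fn merger)
{
    if (virt == NULL)        /* module never created a record for this vhost */
        return (deflate_server_conf *)base;
    if (merger == NULL)      /* NULL merge slot: vhost record overrides wholesale */
        return virt;
    return merger(base, virt);
}

/* Scenario: the main server sets a compression level, a vhost sets only a
 * buffer size. Returns the compression level the vhost ends up with
 * (UNSET, i.e. -1, means the main-server setting was silently dropped). */
int vhost_level_seen(int main_level, int vhost_buffer, int with_merger)
{
    deflate_server_conf *base = create_deflate_server_config();
    deflate_server_conf *virt = create_deflate_server_config();
    deflate_server_conf *eff;
    int level;

    base->compression_level = main_level;
    virt->buffer_size = vhost_buffer;

    eff = effective_server_conf(base, virt,
                                with_merger ? merge_deflate_server_config : NULL);
    level = eff->compression_level;

    if (eff != virt && eff != base)
        free(eff);
    free(virt);
    free(base);
    return level;
}

int main(void)
{
    printf("no merger:   vhost compression level = %d\n", vhost_level_seen(9, 8096, 0));
    printf("with merger: vhost compression level = %d\n", vhost_level_seen(9, 8096, 1));
    return 0;
}
```

Without a merger the vhost sees `-1` (its own fresh record, with the main server's level gone); with the merger it sees `9`. That is the operational consequence behind the question: with a NULL merge slot, a per-server directive set once in the main server does not apply to virtual hosts unless each vhost repeats it.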



Re: svn commit: r1910327 - /httpd/httpd/branches/2.4.x/STATUS

2023-06-09 Thread jean-frederic clere

On 6/9/23 14:58, rpl...@apache.org wrote:

Author: rpluem
Date: Fri Jun  9 12:58:55 2023
New Revision: 1910327

URL: http://svn.apache.org/viewvc?rev=1910327=rev
Log:
* Vote and comment [skip ci]

Modified:
 httpd/httpd/branches/2.4.x/STATUS

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1910327=1910326=1910327=diff
==
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Fri Jun  9 12:58:55 2023
@@ -213,6 +213,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   Backport version for 2.4.x of patch:
https://raw.githubusercontent.com/jfclere/patch/main/mod_deflate.patch
   +1: jfclere,
+ rpluem says: Does anyone know why we don't merge the server config?


We have:
+++
    create_deflate_dirconf,   /* dir config creater */
    NULL, /* dir merger --- default is to override */
    create_deflate_server_config, /* server config */
    NULL, /* merge server config */
+++

Are you asking why? ;-)

  
*) mod_http2:

   - new directive 'H2MaxDataFrameLen n'
@@ -264,14 +265,14 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
https://svn.apache.org/r1908657
https://svn.apache.org/r1908150
   2.4.x patch: svn merge -c 1877350,1894021,1906379,1908657,1908150 
^/httpd/httpd/trunk .
- +1: jailletc36,
+ +1: jailletc36, rpluem
  
*) core: Optimize send_brigade_nonblocking()

   trunk patch:
  https://svn.apache.org/r1892450
  https://svn.apache.org/r1909966
   2.4.x patch: svn merge -c 1892450,1909966 ^/httpd/httpd/trunk .
- +1: jailletc36,
+ +1: jailletc36, rpluem
  
*) mod_proxy: If we fail to connect to all looked up IP's from the worker

   lookup cache it might be caused by a change on DNS side. Try another




--
Cheers

Jean-Frederic



Re: svn commit: r1909411 - in /httpd/httpd/trunk: ./ docs/manual/mod/ modules/aaa/

2023-06-09 Thread Ruediger Pluem
Any feedback on my comments below?

Regards

Rüdiger

On 5/5/23 7:37 PM, Ruediger Pluem wrote:
> 
> 
> On 4/25/23 7:52 PM, minf...@apache.org wrote:
>> Author: minfrin
>> Date: Tue Apr 25 17:52:18 2023
>> New Revision: 1909411
>>
>> URL: http://svn.apache.org/viewvc?rev=1909411=rev
>> Log:
>>   *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within
>>  bearer tokens, both as part of the aaa framework, and as a way to
>>  generate tokens and pass them to backend servers and services.
>>
>>   *) mod_auth_bearer: New module to handle RFC 6750 Bearer tokens, using
>>  the token_checker hook.
>>
>>   *) mod_autht_core: New module to handle provider aliases for token
>>  authentication.
>>
>>
>> Added:
>> httpd/httpd/trunk/docs/manual/mod/mod_auth_bearer.xml
>> httpd/httpd/trunk/docs/manual/mod/mod_autht_core.xml
>> httpd/httpd/trunk/docs/manual/mod/mod_autht_jwt.xml
>> httpd/httpd/trunk/modules/aaa/mod_auth_bearer.c
>> httpd/httpd/trunk/modules/aaa/mod_autht_core.c
>> httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/modules/aaa/config.m4
>>
> 
>> Added: httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c?rev=1909411=auto
>> ==
>> --- httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c (added)
>> +++ httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c Tue Apr 25 17:52:18 2023
>> @@ -0,0 +1,1089 @@
>> +/* Licensed to the Apache Software Foundation (ASF) under one or more
>> + * contributor license agreements.  See the NOTICE file distributed with
>> + * this work for additional information regarding copyright ownership.
>> + * The ASF licenses this file to You under the Apache License, Version 2.0
>> + * (the "License"); you may not use this file except in compliance with
>> + * the License.  You may obtain a copy of the License at
>> + *
>> + * http://www.apache.org/licenses/LICENSE-2.0
>> + *
>> + * Unless required by applicable law or agreed to in writing, software
>> + * distributed under the License is distributed on an "AS IS" BASIS,
>> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>> + * See the License for the specific language governing permissions and
>> + * limitations under the License.
>> + */
>> +
>> +/**
>> + * This module adds support for https://tools.ietf.org/html/rfc7519 JWT 
>> tokens
>> + * as https://tools.ietf.org/html/rfc6750 Bearer tokens, both as a generator
>> + * of JWT bearer tokens, and as an acceptor of JWT Bearer tokens for 
>> authentication.
>> + */
>> +
>> +#include "apr_strings.h"
>> +#include "apr_hash.h"
>> +#include "apr_crypto.h"
>> +#include "apr_jose.h"
>> +#include "apr_lib.h"/* for apr_isspace */
>> +#include "apr_base64.h" /* for apr_base64_decode et al */
>> +#define APR_WANT_STRFUNC/* for strcasecmp */
>> +#include "apr_want.h"
>> +
>> +#include "ap_config.h"
>> +#include "httpd.h"
>> +#include "http_config.h"
>> +#include "http_core.h"
>> +#include "http_log.h"
>> +#include "http_protocol.h"
>> +#include "http_request.h"
>> +#include "util_md5.h"
>> +#include "ap_provider.h"
>> +#include "ap_expr.h"
>> +
>> +#include "mod_auth.h"
>> +
>> +#define CRYPTO_KEY "auth_bearer_context"
>> +
>> +module AP_MODULE_DECLARE_DATA autht_jwt_module;
>> +
>> +typedef enum jws_alg_type_e {
>> +/** No specific type. */
>> +JWS_ALG_TYPE_NONE = 0,
>> +/** HMAC SHA256 */
>> +JWS_ALG_TYPE_HS256 = 1,
>> +} jws_alg_type_e;
>> +
>> +typedef struct {
>> +unsigned char *secret;
>> +apr_size_t secret_len;
>> +jws_alg_type_e jws_alg;
>> +} auth_bearer_signature_rec;
>> +
>> +typedef struct {
>> +apr_hash_t *claims;
>> +apr_array_header_t *signs;
>> +apr_array_header_t *verifies;
>> +int signs_set:1;
>> +int verifies_set:1;
>> +int fake_set:1;
>> +} auth_bearer_config_rec;
>> +
>> +typedef struct {
>> +const char *library;
>> +const char *params;
>> +apr_crypto_t **crypto;
> 
> 
> Why not apr_crypto_t *crypto instead and using &(var->crypto) where 
> apr_crypto_t ** is needed below?
> 
>> +int library_set;
>> +} auth_bearer_conf;
>> +
>> +static int auth_bearer_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t 
>> *ptemp,
>> +server_rec *s) {
>> +const apr_crypto_driver_t *driver = NULL;
>> +
>> +/* auth_bearer_init() will be called twice. Don't bother
>> + * going through all of the initialization on the first call
>> + * because it will just be thrown away.*/
>> +if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
>> +return OK;
>> +}
>> +
>> +while (s) {
>> +
>> +auth_bearer_conf *conf = ap_get_module_config(s->module_config,
>> +_jwt_module);
>> +
>> +if (conf->library_set && !*conf->crypto) {
>> +
>> +  
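Review bot: the three flags `int signs_set:1; int verifies_set:1; int fake_set:1;` in auth_bearer_config_rec are plain `int` bit-fields of width 1, whose signedness is implementation-defined and which are signed on common compilers, so they can only hold 0 and -1; assigning 1 and later testing for `== 1` then silently fails. Declaring them `unsigned int signs_set:1;` (and likewise for the other two) avoids that. Related to the `apr_crypto_t **crypto` question above: `if (conf->library_set && !*conf->crypto)` in auth_bearer_init() dereferences `conf->crypto` unconditionally, so it depends on the server config creator (not in the quoted part) having allocated that slot for every server_rec the loop visits, including virtual hosts; with a plain `apr_crypto_t *crypto` the test becomes `!conf->crypto` and that dependency disappears.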

Re: svn commit: r1909409 - in /httpd/httpd/trunk: CHANGES docs/manual/developer/new_api_2_6.xml include/ap_mmn.h include/http_request.h include/mod_auth.h server/request.c

2023-06-09 Thread Ruediger Pluem



On 5/5/23 12:28 PM, Ruediger Pluem wrote:
> 
> 
> On 4/25/23 7:35 PM, minf...@apache.org wrote:
>> Author: minfrin
>> Date: Tue Apr 25 17:35:08 2023
>> New Revision: 1909409
>>
>> URL: http://svn.apache.org/viewvc?rev=1909409=rev
>> Log:
>> core: Add the token_checker hook, that allows authentication to take
>> place using mechanisms other than username/password, such as bearer
>> tokens.
>>
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml
>> httpd/httpd/trunk/include/ap_mmn.h
>> httpd/httpd/trunk/include/http_request.h
>> httpd/httpd/trunk/include/mod_auth.h
>> httpd/httpd/trunk/server/request.c
>>
> 
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_request.h?rev=1909409=1909408=1909409=diff
>> ==
>> --- httpd/httpd/trunk/include/http_request.h (original)
>> +++ httpd/httpd/trunk/include/http_request.h Tue Apr 25 17:35:08 2023
> 
>> @@ -516,6 +529,24 @@ AP_DECLARE(void) ap_hook_check_access_ex
>>   const char * const *aszSucc,
>>   int nOrder, int type);
>>  
>> +/**
>> + * Register a hook function that will analyze the request headers, extract
>> + * any tokens, and apply and metadata contained in the tokens or keyed 
>> against
>> + * the tokens to the request record.
>> + * @param pf A token_checker hook function
>> + * @param aszPre A NULL-terminated array of strings that name modules whose
>> + *   hooks should precede this one
>> + * @param aszSucc A NULL-terminated array of strings that name modules whose
>> + *hooks should succeed this one
>> + * @param nOrder An integer determining order before honouring aszPre and
>> + *   aszSucc (for example, HOOK_MIDDLE)
>> + * @param type Internal request processing mode, either
>> + * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
>> + */> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
> 
> Isn't the above a copy and paste error and should be ap_HOOK_token_checker_t instead?
> 
>> + const char * const *aszPre,
>> + const char * const *aszSucc,
>> + int nOrder, int type);
>>  
>>  /**
>>   * Register a hook function that will analyze the request headers,
>>
> 
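Review bot: two points on the new doxygen block for ap_hook_check_autht(): "apply and metadata contained in the tokens" should read "apply any metadata contained in the tokens", and the description should name the hook phase being registered (token_checker), because its opening sentence "Register a hook function that will analyze the request headers" is repeated verbatim by the very next block in the same header, so a reader scanning the file cannot tell the two entries apart without reading the prototypes.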
>> Modified: httpd/httpd/trunk/server/request.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1909409=1909408=1909409=diff
>> ==
>> --- httpd/httpd/trunk/server/request.c (original)
>> +++ httpd/httpd/trunk/server/request.c Tue Apr 25 17:35:08 2023
> 
>> @@ -2217,6 +2234,18 @@ AP_DECLARE(void) ap_hook_check_access_ex
>>  ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder);
>>  }
>>  
>> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
> 
> Isn't the above a copy and paste error and should be ap_HOOK_token_checker_t instead?
> 
> 
>> + const char * const *aszPre,
>> + const char * const *aszSucc,
>> + int nOrder, int type)
>> +{
>> +if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) {
>> +++auth_internal_per_conf_hooks;
>> +}
>> +
>> +ap_hook_token_checker(pf, aszPre, aszSucc, nOrder);
>> +}
>> +
>>  AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
>>   const char * const *aszPre,
>>   const char * const *aszSucc,
>>
>>
>>
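Review bot: `ap_hook_token_checker(pf, aszPre, aszSucc, nOrder);` receives a `pf` that this function declares as `ap_HOOK_check_user_id_t *`. If the two hook typedefs differ, the compiler will flag an incompatible pointer type here; if they happen to share the same underlying signature, the wrong declaration compiles silently and only the public prototype misleads callers. Either way the parameter should be declared with the token_checker hook's own type, as noted above (recorded in this thread as fixed in r1910324).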

Fixed in r1910324.

Regards

Rüdiger