Re: svn commit: r1910327 - /httpd/httpd/branches/2.4.x/STATUS
On 6/9/23 6:28 PM, jean-frederic clere wrote:
> On 6/9/23 14:58, rpl...@apache.org wrote:
>> Author: rpluem
>> Date: Fri Jun 9 12:58:55 2023
>> New Revision: 1910327
>>
>> URL: http://svn.apache.org/viewvc?rev=1910327=rev
>> Log:
>> * Vote and comment [skip ci]
>>
>> Modified:
>> httpd/httpd/branches/2.4.x/STATUS
>>
>> Modified: httpd/httpd/branches/2.4.x/STATUS
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1910327=1910326=1910327=diff
>> ==
>> --- httpd/httpd/branches/2.4.x/STATUS (original)
>> +++ httpd/httpd/branches/2.4.x/STATUS Fri Jun 9 12:58:55 2023
>> @@ -213,6 +213,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: >> Backport version for 2.4.x of patch: >> >> https://raw.githubusercontent.com/jfclere/patch/main/mod_deflate.patch >> +1: jfclere, >> + rpluem says: Does anyone know why we don't merge the server config?
>
> We have:
> +++
> create_deflate_dirconf, /* dir config creater */
> NULL, /* dir merger --- default is to override */
> create_deflate_server_config, /* server config */
> NULL, /* merge server config */
> +++
>
> Are you asking why? ;-)

Exactly. I know that your patch only follows the existing pattern, but it came to my attention when reviewing it and I asked myself why we don't merge here. Hence the question is not really specifically to you but to everyone. Having a brief look into the version history reveals that it has been like that since the module has existed. Hence I am not sure if anyone can provide a historical reasoning here. But probably we should think together about whether this is the behavior we want to keep for some reason or whether we should change it.

Regards

Rüdiger
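Review bot: with `NULL, /* merge server config */` in the module record, every virtual host keeps the record that `create_deflate_server_config` built for it, untouched by the main server's; a server-scoped setting placed in the main server block therefore has no effect inside a <VirtualHost> and must be repeated there. Before this backport is voted through, either document that scope explicitly or add a merger in which unset vhost fields fall back to the main server's values, so that administrators do not end up with a global setting they believe applies everywhere but which silently does not.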
Re: svn commit: r1910327 - /httpd/httpd/branches/2.4.x/STATUS
On 6/9/23 14:58, rpl...@apache.org wrote:
> Author: rpluem
> Date: Fri Jun 9 12:58:55 2023
> New Revision: 1910327
>
> URL: http://svn.apache.org/viewvc?rev=1910327=rev
> Log:
> * Vote and comment [skip ci]
>
> Modified:
> httpd/httpd/branches/2.4.x/STATUS
>
> Modified: httpd/httpd/branches/2.4.x/STATUS
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1910327=1910326=1910327=diff
> ==
> --- httpd/httpd/branches/2.4.x/STATUS (original)
> +++ httpd/httpd/branches/2.4.x/STATUS Fri Jun 9 12:58:55 2023
> @@ -213,6 +213,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: Backport version for 2.4.x of patch: https://raw.githubusercontent.com/jfclere/patch/main/mod_deflate.patch +1: jfclere, + rpluem says: Does anyone know why we don't merge the server config?

We have:
+++
create_deflate_dirconf, /* dir config creater */
NULL, /* dir merger --- default is to override */
create_deflate_server_config, /* server config */
NULL, /* merge server config */
+++

Are you asking why? ;-)

> *) mod_http2: - new directive 'H2MaxDataFrameLen n' @@ -264,14 +265,14 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: https://svn.apache.org/r1908657 https://svn.apache.org/r1908150 2.4.x patch: svn merge -c 1877350,1894021,1906379,1908657,1908150 ^/httpd/httpd/trunk . - +1: jailletc36, + +1: jailletc36, rpluem *) core: Optimize send_brigade_nonblocking() trunk patch: https://svn.apache.org/r1892450 https://svn.apache.org/r1909966 2.4.x patch: svn merge -c 1892450,1909966 ^/httpd/httpd/trunk . - +1: jailletc36, + +1: jailletc36, rpluem *) mod_proxy: If we fail to connect to all looked up IP's from the worker lookup cache it might be caused by a change on DNS side. Try another

--
Cheers

Jean-Frederic
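What the `NULL, /* merge server config */` slot in the table above means in practice, shown as an added example that is not code from the thread, from mod_deflate or from httpd itself: a toy module table with a constructed config struct is run through the same rule httpd's server/config.c applies to each module when fixing up a virtual host (no merger: the vhost keeps the config its create function made; merger present: that config is merged with the main server's). The names (`toy_*`, `buffer_size`, `note`) and the values 8192 and 4096 are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy per-server config for a hypothetical module. Constructed for this
 * example; not mod_deflate's real structure. -1 / NULL mean "not set in
 * this server block". */
typedef struct {
    int buffer_size;
    const char *note;
} toy_server_conf;

typedef void *(*toy_create_fn)(void);
typedef void *(*toy_merge_fn)(void *base, void *virt);

/* The two table slots under discussion, in module-record order:
 * create_server_config, then merge_server_config (which may be NULL). */
typedef struct {
    toy_create_fn create_server_config;
    toy_merge_fn  merge_server_config;
} toy_module;

static void *toy_create_server_config(void)
{
    toy_server_conf *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->buffer_size = -1;   /* unset */
    c->note = NULL;        /* unset */
    return c;
}

/* A merger of the usual httpd shape: a value set in the vhost wins,
 * anything the vhost left unset falls back to the main server's value. */
static void *toy_merge_server_config(void *basev, void *virtv)
{
    const toy_server_conf *base = basev, *virt = virtv;
    toy_server_conf *m = calloc(1, sizeof(*m));
    if (!m) abort();
    m->buffer_size = (virt->buffer_size != -1) ? virt->buffer_size
                                               : base->buffer_size;
    m->note = virt->note ? virt->note : base->note;
    return m;
}

/* The per-module rule applied when a virtual host is fixed up: keep the
 * vhost's own config when the module has no merger, otherwise replace it
 * with merger(main_server_conf, vhost_conf). */
static void *toy_fixup_vhost(const toy_module *mod, void *base, void *virt)
{
    if (!virt)
        return base;
    if (mod->merge_server_config)
        return mod->merge_server_config(base, virt);
    return virt;
}

/* Scenario: the main server block sets buffer_size = 8192; the vhost sets
 * vhost_value (-1 = leaves it unset). Returns the value the vhost actually
 * runs with, for a module table with (1) or without (0) a merger. */
int effective_buffer_size(int with_merger, int vhost_value)
{
    toy_module mod = { toy_create_server_config,
                       with_merger ? toy_merge_server_config : NULL };
    toy_server_conf *base = mod.create_server_config();
    toy_server_conf *virt = mod.create_server_config();
    toy_server_conf *eff;
    int result;

    base->buffer_size = 8192;          /* "set in the main server block" */
    virt->buffer_size = vhost_value;   /* what the <VirtualHost> block set */

    eff = toy_fixup_vhost(&mod, base, virt);
    result = eff->buffer_size;

    if (eff != base && eff != virt)
        free(eff);                     /* merger allocated a fresh record */
    free(base);
    free(virt);
    return result;
}

int main(void)
{
    printf("merger NULL, vhost unset : %d\n", effective_buffer_size(0, -1));
    printf("merger set,  vhost unset : %d\n", effective_buffer_size(1, -1));
    printf("merger NULL, vhost 4096  : %d\n", effective_buffer_size(0, 4096));
    printf("merger set,  vhost 4096  : %d\n", effective_buffer_size(1, 4096));
    return 0;
}
```

With the merger slot NULL the vhost reports -1: the value set in the main server block is invisible to it and has to be repeated in every vhost. With a merger, an unset vhost inherits 8192 while an explicit vhost value still wins. That inheritance difference is what the question in the STATUS entry is about.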
Re: svn commit: r1909411 - in /httpd/httpd/trunk: ./ docs/manual/mod/ modules/aaa/
Any feedback on my comments below?

Regards

Rüdiger

On 5/5/23 7:37 PM, Ruediger Pluem wrote:
>
>
> On 4/25/23 7:52 PM, minf...@apache.org wrote:
>> Author: minfrin
>> Date: Tue Apr 25 17:52:18 2023
>> New Revision: 1909411
>>
>> URL: http://svn.apache.org/viewvc?rev=1909411=rev
>> Log:
>> *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within
>> bearer tokens, both as part of the aaa framework, and as a way to
>> generate tokens and pass them to backend servers and services.
>>
>> *) mod_auth_bearer: New module to handle RFC 6750 Bearer tokens, using
>> the token_checker hook.
>>
>> *) mod_autht_core: New module to handle provider aliases for token
>> authentication.
>>
>>
>> Added:
>> httpd/httpd/trunk/docs/manual/mod/mod_auth_bearer.xml
>> httpd/httpd/trunk/docs/manual/mod/mod_autht_core.xml
>> httpd/httpd/trunk/docs/manual/mod/mod_autht_jwt.xml
>> httpd/httpd/trunk/modules/aaa/mod_auth_bearer.c
>> httpd/httpd/trunk/modules/aaa/mod_autht_core.c
>> httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/modules/aaa/config.m4
>>
>
>> Added: httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c?rev=1909411=auto
>> ==
>> --- httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c (added)
>> +++ httpd/httpd/trunk/modules/aaa/mod_autht_jwt.c Tue Apr 25 17:52:18 2023
>> @@ -0,0 +1,1089 @@ >> +/* Licensed to the Apache Software Foundation (ASF) under one or more >> + * contributor license agreements. See the NOTICE file distributed with >> + * this work for additional information regarding copyright ownership. >> + * The ASF licenses this file to You under the Apache License, Version 2.0 >> + * (the "License"); you may not use this file except in compliance with >> + * the License. You may obtain a copy of the License at >> + * >> + * http://www.apache.org/licenses/LICENSE-2.0 >> + * >> + * Unless required by applicable law or agreed to in writing, software >> + * distributed under the License is distributed on an "AS IS" BASIS, >> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. >> + * See the License for the specific language governing permissions and >> + * limitations under the License. >> + */ >> + >> +/** >> + * This module adds support for https://tools.ietf.org/html/rfc7519 JWT >> tokens >> + * as https://tools.ietf.org/html/rfc6750 Bearer tokens, both as a generator >> + * of JWT bearer tokens, and as an acceptor of JWT Bearer tokens for >> authentication. >> + */ >> + >> +#include "apr_strings.h" >> +#include "apr_hash.h" >> +#include "apr_crypto.h" >> +#include "apr_jose.h" >> +#include "apr_lib.h"/* for apr_isspace */ >> +#include "apr_base64.h" /* for apr_base64_decode et al */ >> +#define APR_WANT_STRFUNC/* for strcasecmp */ >> +#include "apr_want.h" >> + >> +#include "ap_config.h" >> +#include "httpd.h" >> +#include "http_config.h" >> +#include "http_core.h" >> +#include "http_log.h" >> +#include "http_protocol.h" >> +#include "http_request.h" >> +#include "util_md5.h" >> +#include "ap_provider.h" >> +#include "ap_expr.h" >> + >> +#include "mod_auth.h" >> + >> +#define CRYPTO_KEY "auth_bearer_context" >> + >> +module AP_MODULE_DECLARE_DATA autht_jwt_module; >> + >> +typedef enum jws_alg_type_e { >> +/** No specific type. 
*/ >> +JWS_ALG_TYPE_NONE = 0, >> +/** HMAC SHA256 */ >> +JWS_ALG_TYPE_HS256 = 1, >> +} jws_alg_type_e; >> + >> +typedef struct { >> +unsigned char *secret; >> +apr_size_t secret_len; >> +jws_alg_type_e jws_alg; >> +} auth_bearer_signature_rec; >> + >> +typedef struct { >> +apr_hash_t *claims; >> +apr_array_header_t *signs; >> +apr_array_header_t *verifies; >> +int signs_set:1; >> +int verifies_set:1; >> +int fake_set:1; >> +} auth_bearer_config_rec; >> + >> +typedef struct { >> +const char *library; >> +const char *params; >> +apr_crypto_t **crypto; > > > Why not apr_crypto_t *crypto instead and using &(var->crypto) where > apr_crypto_t ** is needed below? > >> +int library_set; >> +} auth_bearer_conf; >> + >> +static int auth_bearer_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t >> *ptemp, >> +server_rec *s) { >> +const apr_crypto_driver_t *driver = NULL; >> + >> +/* auth_bearer_init() will be called twice. Don't bother >> + * going through all of the initialization on the first call >> + * because it will just be thrown away.*/ >> +if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) { >> +return OK; >> +} >> + >> +while (s) { >> + >> +auth_bearer_conf *conf = ap_get_module_config(s->module_config, >> +_jwt_module); >> + >> +if (conf->library_set && !*conf->crypto) { >> + >> +
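Review bot: `int signs_set:1;`, `int verifies_set:1;` and `int fake_set:1;` in auth_bearer_config_rec are signed one-bit fields; on gcc and clang such a field holds only 0 and -1, so storing 1 yields -1 and any `== 1` comparison fails silently. Declare them `unsigned int ...:1`. Two smaller points on the same lines: `JWS_ALG_TYPE_NONE = 0` is also what a zero-initialised auth_bearer_signature_rec carries, so the verify path must treat it as "nothing configured" and refuse the token rather than let an unsigned token through; and the file is mod_autht_jwt.c while every type name and the CRYPTO_KEY string still say auth_bearer, which will mislead anyone grepping for this module's config later.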
Re: svn commit: r1909409 - in /httpd/httpd/trunk: CHANGES docs/manual/developer/new_api_2_6.xml include/ap_mmn.h include/http_request.h include/mod_auth.h server/request.c
On 5/5/23 12:28 PM, Ruediger Pluem wrote:
>
>
> On 4/25/23 7:35 PM, minf...@apache.org wrote:
>> Author: minfrin
>> Date: Tue Apr 25 17:35:08 2023
>> New Revision: 1909409
>>
>> URL: http://svn.apache.org/viewvc?rev=1909409=rev
>> Log:
>> core: Add the token_checker hook, that allows authentication to take
>> place using mechanisms other than username/password, such as bearer
>> tokens.
>>
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/docs/manual/developer/new_api_2_6.xml
>> httpd/httpd/trunk/include/ap_mmn.h
>> httpd/httpd/trunk/include/http_request.h
>> httpd/httpd/trunk/include/mod_auth.h
>> httpd/httpd/trunk/server/request.c
>>
>
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_request.h?rev=1909409=1909408=1909409=diff
>> ==
>> --- httpd/httpd/trunk/include/http_request.h (original)
>> +++ httpd/httpd/trunk/include/http_request.h Tue Apr 25 17:35:08 2023
> >> @@ -516,6 +529,24 @@ AP_DECLARE(void) ap_hook_check_access_ex >> const char * const *aszSucc, >> int nOrder, int type); >> >> +/** >> + * Register a hook function that will analyze the request headers, extract >> + * any tokens, and apply and metadata contained in the tokens or keyed >> against >> + * the tokens to the request record. >> + * @param pf A token_checker hook function >> + * @param aszPre A NULL-terminated array of strings that name modules whose >> + * hooks should precede this one >> + * @param aszSucc A NULL-terminated array of strings that name modules whose >> + *hooks should succeed this one >> + * @param nOrder An integer determining order before honouring aszPre and >> + * aszSucc (for example, HOOK_MIDDLE) >> + * @param type Internal request processing mode, either >> + * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF >> + */> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf, > > Isn't the above a copy and paste error and should be ap_HOOK_token_checker_t > instead? > >> + const char * const *aszPre, >> + const char * const *aszSucc, >> + int nOrder, int type); >> >> /** >> * Register a hook function that will analyze the request headers, >> >
>> Modified: httpd/httpd/trunk/server/request.c
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1909409=1909408=1909409=diff
>> ==
>> --- httpd/httpd/trunk/server/request.c (original)
>> +++ httpd/httpd/trunk/server/request.c Tue Apr 25 17:35:08 2023
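Review bot: the doxygen block reads "apply and metadata contained in the tokens"; it should say "apply any metadata". The declaration beneath it takes `ap_HOOK_check_user_id_t *pf` although `@param pf` describes a token_checker hook function; the parameter type should be `ap_HOOK_token_checker_t` so that a module registering a token checker gets a compiler error, not a silent cast, when it passes a function of the wrong shape.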
> >> @@ -2217,6 +2234,18 @@ AP_DECLARE(void) ap_hook_check_access_ex >> ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder); >> } >> >> +AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf, > > Isn't the above a copy and paste error and should be ap_HOOK_token_checker_t > instead? > > >> + const char * const *aszPre, >> + const char * const *aszSucc, >> + int nOrder, int type) >> +{ >> +if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) { >> +++auth_internal_per_conf_hooks; >> +} >> + >> +ap_hook_token_checker(pf, aszPre, aszSucc, nOrder); >> +} >> + >> AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf, >> const char * const *aszPre, >> const char * const *aszSucc, >> >> >>

Fixed in r1910324.

Regards

Rüdiger
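Review bot: besides the `pf` type, which has to be `ap_HOOK_token_checker_t` to match `ap_hook_token_checker(pf, aszPre, aszSucc, nOrder)` (raised above and reported fixed in r1910324), `ap_hook_check_autht` increments the same `auth_internal_per_conf_hooks` counter that `ap_hook_check_authn` does; please confirm that the code consuming that counter also runs registered token_checker hooks under the per-conf rule, otherwise a module registered with AP_AUTH_INTERNAL_PER_CONF is counted but not invoked in that mode.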