Google Git
Sign in
apache / httpd / refs/heads/trunk / . / modules / aaa / mod_auth_bearer.c
blob: d127e1d7c3572ced2979c5b05038774520de3c68 [file] [log] [blame]
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* This module adds support for https://tools.ietf.org/html/rfc6750 Bearer
* tokens, both as a generator of bearer tokens, and as an acceptor of
* Bearer tokens for authentication.
*/
#include "apr_strings.h"
#include "apr_hash.h"
#include "apr_lib.h" /* for apr_isspace */
#define APR_WANT_STRFUNC /* for strcasecmp */
#include "apr_want.h"
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "ap_provider.h"
#include "ap_expr.h"
#include "mod_auth.h"
module AP_MODULE_DECLARE_DATA auth_bearer_module;
typedef struct {
autht_provider_list *providers;
int authoritative;
ap_expr_info_t *proxy;
unsigned int authoritative_set:1;
unsigned int proxy_set:1;
} auth_bearer_config_rec;
static void *create_auth_bearer_dir_config(apr_pool_t *p, char *d)
{
auth_bearer_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
/* Any failures are fatal. */
conf->authoritative = 1;
return conf;
}
static void *merge_auth_bearer_dir_config(apr_pool_t *p, void *basev, void *overridesv)
{
auth_bearer_config_rec *newconf = apr_pcalloc(p, sizeof(*newconf));
auth_bearer_config_rec *base = basev;
auth_bearer_config_rec *overrides = overridesv;
newconf->authoritative =
overrides->authoritative_set ? overrides->authoritative :
base->authoritative;
newconf->authoritative_set = overrides->authoritative_set
|| base->authoritative_set;
newconf->providers = overrides->providers ? overrides->providers : base->providers;
newconf->proxy =
overrides->proxy_set ? overrides->proxy : base->proxy;
newconf->proxy_set = overrides->proxy_set || base->proxy_set;
return newconf;
}
static const char *add_autht_provider(cmd_parms *cmd, void *config,
const char *arg)
{
auth_bearer_config_rec *conf = (auth_bearer_config_rec*)config;
autht_provider_list *newp;
newp = apr_pcalloc(cmd->pool, sizeof(autht_provider_list));
newp->provider_name = arg;
/* lookup and cache the actual provider now */
newp->provider = ap_lookup_provider(AUTHT_PROVIDER_GROUP,
newp->provider_name,
AUTHT_PROVIDER_VERSION);
if (newp->provider == NULL) {
/* by the time they use it, the provider should be loaded and
registered with us. */
return apr_psprintf(cmd->pool,
"Unknown Autht provider: %s",
newp->provider_name);
}
if (!newp->provider->check_token) {
/* if it doesn't provide the appropriate function, reject it */
return apr_psprintf(cmd->pool,
"The '%s' Autht provider doesn't support "
"Bearer Authentication", newp->provider_name);
}
/* Add it to the list now. */
if (!conf->providers) {
conf->providers = newp;
}
else {
autht_provider_list *last = conf->providers;
while (last->next) {
last = last->next;
}
last->next = newp;
}
return NULL;
}
static const char *set_authoritative(cmd_parms * cmd, void *config, int flag)
{
auth_bearer_config_rec *conf = (auth_bearer_config_rec *) config;
conf->authoritative = flag;
conf->authoritative_set = 1;
return NULL;
}
static const char *set_bearer_proxy(cmd_parms * cmd, void *config,
const char *user)
{
auth_bearer_config_rec *conf = (auth_bearer_config_rec *) config;
const char *err;
if (!strcasecmp(user, "off")) {
conf->proxy = NULL;
conf->proxy_set = 1;
}
else {
conf->proxy =
ap_expr_parse_cmd(cmd, user, AP_EXPR_FLAG_STRING_RESULT,
&err, NULL);
if (err) {
return apr_psprintf(cmd->pool,
"Could not parse proxy expression '%s': %s", user,
err);
}
conf->proxy_set = 1;
}
return NULL;
}
static const command_rec auth_bearer_cmds[] =
{
AP_INIT_ITERATE("AuthBearerProvider", add_autht_provider, NULL, OR_AUTHCFG,
"specify the auth providers for a directory or location"),
AP_INIT_FLAG("AuthBearerAuthoritative", set_authoritative, NULL, OR_AUTHCFG,
"Set to 'Off' to allow access control to be passed along to "
"lower modules if the token is not known to this module"),
AP_INIT_TAKE1("AuthBearerProxy", set_bearer_proxy, NULL, OR_AUTHCFG,
"Pass a bearer authentication token over a proxy connection "
"generated using the given expression, 'off' to disable."),
{NULL}
};
/* These functions return 0 if client is OK, and proper error status
* if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or
* HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we
* couldn't figure out how to tell if the client is authorized or not.
*
* If they return DECLINED, and all other modules also decline, that's
* treated by the server core as a configuration error, logged and
* reported as such.
*/
static void note_bearer_auth_failure(request_rec *r)
{
apr_table_setn(r->err_headers_out,
(PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate"
: "WWW-Authenticate",
apr_pstrcat(r->pool, "Bearer realm=\"", ap_auth_name(r),
"\"", NULL));
}
static int hook_note_bearer_auth_failure(request_rec *r, const char *auth_type)
{
if (strcasecmp(auth_type, "Bearer"))
return DECLINED;
note_bearer_auth_failure(r);
return OK;
}
static int get_bearer_auth(request_rec *r, const char **token)
{
const char *auth_line;
/* Get the appropriate header */
auth_line = apr_table_get(r->headers_in, (PROXYREQ_PROXY == r->proxyreq)
? "Proxy-Authorization"
: "Authorization");
if (!auth_line) {
note_bearer_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Bearer")) {
/* Client tried to authenticate using wrong auth scheme */
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10448)
"client used wrong authentication scheme: %s", r->uri);
note_bearer_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
/* Skip leading spaces. */
while (apr_isspace(*auth_line)) {
auth_line++;
}
*token = auth_line;
return OK;
}
/* Determine the token, and check if we can process the token, for HTTP
* bearer authentication...
*/
static int authenticate_bearer_token(request_rec *r)
{
auth_bearer_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_bearer_module);
const char *sent_token, *current_auth;
int res;
autht_status auth_result;
autht_provider_list *current_provider;
/* Are we configured to be Bearer auth? */
current_auth = ap_auth_type(r);
if (!current_auth || strcasecmp(current_auth, "Bearer")) {
return DECLINED;
}
/* We need an authentication realm. */
if (!ap_auth_name(r)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10449)
"need AuthName: %s", r->uri);
return HTTP_INTERNAL_SERVER_ERROR;
}
r->ap_auth_type = (char*)current_auth;
res = get_bearer_auth(r, &sent_token);
if (res) {
return res;
}
current_provider = conf->providers;
do {
const autht_provider *provider;
/* For now, if a provider isn't set, we'll be nice and use the jwt
* provider.
*/
if (!current_provider) {
provider = ap_lookup_provider(AUTHT_PROVIDER_GROUP,
AUTHT_DEFAULT_PROVIDER,
AUTHT_PROVIDER_VERSION);
if (!provider || !provider->check_token) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10424)
"No Autht provider configured");
auth_result = AUTHT_GENERAL_ERROR;
break;
}
apr_table_setn(r->notes, AUTHT_PROVIDER_NAME_NOTE, AUTHT_DEFAULT_PROVIDER);
}
else {
provider = current_provider->provider;
apr_table_setn(r->notes, AUTHT_PROVIDER_NAME_NOTE, current_provider->provider_name);
}
auth_result = provider->check_token(r, "bearer", sent_token);
apr_table_unset(r->notes, AUTHT_PROVIDER_NAME_NOTE);
/* Something occurred. Stop checking. */
if (auth_result != AUTHT_MISMATCH) {
break;
}
/* If we're not really configured for providers, stop now. */
if (!conf->providers) {
break;
}
current_provider = current_provider->next;
} while (current_provider);
if (auth_result != AUTHT_GRANTED) {
int return_code;
/* If we're not authoritative, then any error is ignored. */
if (!(conf->authoritative) && auth_result != AUTHT_DENIED) {
return DECLINED;
}
switch (auth_result) {
case AUTHT_DENIED:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10425)
"bearer token %s: authentication failure for \"%s\": "
"Token Rejected",
sent_token, r->uri);
return_code = HTTP_UNAUTHORIZED;
break;
case AUTHT_EXPIRED:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10426)
"bearer token %s: authentication failure for \"%s\": "
"Token has expired",
sent_token, r->uri);
return_code = HTTP_UNAUTHORIZED;
break;
case AUTHT_INVALID:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10427)
"bearer token %s: authentication failure for \"%s\": "
"Token is not yet valid",
sent_token, r->uri);
return_code = HTTP_UNAUTHORIZED;
break;
case AUTHT_MISMATCH:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10428)
"bearer token %s: did not match '%s': %s", sent_token,
ap_auth_name(r), r->uri);
return_code = HTTP_UNAUTHORIZED;
break;
case AUTH_GENERAL_ERROR:
default:
/* We'll assume that the module has already said what its error
* was in the logs.
*/
return_code = HTTP_INTERNAL_SERVER_ERROR;
break;
}
/* If we're returning 401, tell them to try again. */
if (return_code == HTTP_UNAUTHORIZED) {
note_bearer_auth_failure(r);
}
return return_code;
}
return OK;
}
/* If we have set claims to be made, create a bearer authentication header
* for the benefit of a proxy or application running behind this server.
*/
static int authenticate_bearer_fixup(request_rec *r)
{
const char *auth_line, *token, *err;
auth_bearer_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_bearer_module);
if (!conf->proxy) {
return DECLINED;
}
token = ap_expr_str_exec(r, conf->proxy, &err);
if (err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10429)
"AuthBearerProxy: could not evaluate token expression for URI '%s': %s", r->uri, err);
return HTTP_INTERNAL_SERVER_ERROR;
}
if (!token || !*token) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(10430)
"AuthBearerProxy: empty token expression for URI '%s', ignoring", r->uri);
apr_table_unset(r->headers_in, "Authorization");
return DECLINED;
}
auth_line = apr_pstrcat(r->pool, "Bearer ", token,
NULL);
apr_table_setn(r->headers_in, "Authorization", auth_line);
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(10431)
"AuthBearerProxy: \"Authorization: %s\"",
auth_line);
return OK;
}
static void register_hooks(apr_pool_t *p)
{
ap_hook_check_autht(authenticate_bearer_token, NULL, NULL, APR_HOOK_MIDDLE,
AP_AUTH_INTERNAL_PER_CONF);
ap_hook_fixups(authenticate_bearer_fixup, NULL, NULL, APR_HOOK_LAST);
ap_hook_note_auth_failure(hook_note_bearer_auth_failure, NULL, NULL,
APR_HOOK_MIDDLE);
}
AP_DECLARE_MODULE(auth_bearer) =
{
STANDARD20_MODULE_STUFF,
create_auth_bearer_dir_config, /* dir config creater */
merge_auth_bearer_dir_config, /* dir merger --- default is to override */
NULL, /* server config */
NULL, /* merge server config */
auth_bearer_cmds, /* command apr_table_t */
register_hooks /* register hooks */
};