Commit 31d78a71 authored by Moritz Schlarb's avatar Moritz Schlarb

New upstream version 2.3.1

parent c699a271
<!--
NOTE WELL
A new issue should be about a bug or a feature!
A question should go to the mailinglist at:
mod_auth_openidc@googlegroups.com
The corresponding forum/archive is at:
https://groups.google.com/forum/#!forum/mod_auth_openidc
-->
### Expected behaviour
### Actual behaviour
### Minimized example that reproduces the behaviour
/aclocal.m4
/.cproject
/.project
/config.log
/config.status
/configure
/Makefile
/discover
/metadata
/.settings
language: c
dist: trusty
addons:
apt:
packages:
- libssl-dev
- libcurl4-openssl-dev
- libjansson-dev
- libhiredis-dev
- libpcre3-dev
- apache2-dev
- check
install:
- wget https://github.com/cisco/cjose/archive/0.4.1.tar.gz
- tar zxvf 0.4.1.tar.gz
- cd cjose-0.4.1
- ./configure --prefix=/usr
- make test
- sudo make install
- cd -
script:
- ./autogen.sh && ./configure --with-apxs2=/usr/bin/apxs2 CFLAGS=-Werror && make && make test
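Review bot: The cjose tarball fetched in the install: block (`wget https://github.com/cisco/cjose/archive/0.4.1.tar.gz`) is extracted, built and installed with `sudo make install` without any integrity check, so every CI run trusts whatever that URL serves that day. Pin the artifact by verifying a digest right after the download, e.g. `- echo "<SHA256_OF_CJOSE_0.4.1_TARBALL_PLACEHOLDER>  0.4.1.tar.gz" | sha256sum -c -`, or clone the repository at a fixed tag instead of downloading an archive. The ChangeLog in this same commit mentions JWT verification against multiple keys "with cjose 0.5.0", so it is also worth confirming that 0.4.1 is really the version the new code is meant to be tested against.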
......@@ -5,6 +5,7 @@ The primary author of mod_auth_openidc is:
Thanks to the following people for contributing to mod_auth_openidc by
reporting bugs, providing fixes, suggesting useful features or other:
Dániel SÜTTŐ <https://github.com/suttod>
Roland Hedberg <https://github.com/rohe>
Bill Simon <https://github.com/billsimon>
Jim Fox <https://github.com/jimfox>
......
07/19/2017
- handle multiple values in X-Forwarded-* headers as to better support chains of reverse proxies in front of mod_auth_openidc
- log request headers in oidc_util_hdr_in_get
- release 2.3.1
07/13/2017
- remove A128GCM/A192GCM from the supported algorithms in docs/auth_openidc.conf
because cjose doesn't support A128GCM and A192GCM (yet)
- bump to 2.3.1rc5
07/09/2017
- refactor oidc_get_current_url_port so that it assumes the default port when
X-Forwarded-Proto has been set; closes #282 and may address #278
- bump to 2.3.1rc4
07/07/2017
- use the defined name (`Provided-Token-Binding-ID`) for the provided token binding ID HTTP header
see: https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00#section-2.1
depends on mod_token_binding >= 0.3.0 now
- bump to 2.3.1rc3
06/29/2017
- support sending the authentication request via HTTP POST through HTML/Javascript autosubmit
- bump to 2.3.1rc2
06/28/2017
- support private_key_jwt and client_secret_jwt as client authentication methods for token introspection
- bump to 2.3.1rc1
06/22/2017
- fix bug where token_endpoint_auth set to private_key_jwt would fail to provide the credential if client_secret wasn't set
- bump to 2.3.1rc0
06/13/2017
- release 2.3.0
06/07/2017
- fix file cache backend: allow caching of non-filename friendly keys such as configuration URLs and JWKs URIs
- enable JQ-based claims expression matching when compiled from source with --with-jq=<dir>, e.g.:
Require claims_expr '.aud == "ac_oic_client" and (.scope | index("profile") != null)'
- normalize cache backend logging
- bump to 2.3.0rc3
06/06/2017
- avoid cleaning our own state cookie twice when it is expired
- bump to 2.3.0rc2
06/02/2017
- refactor remote user handling so it allows for postfixing with the issuer value after applying the regex
- bump to 2.3.0rc1
05/31/2017
- add support for custom actions to take after authorization fails with OIDCUnAutzAction
this enables stepup authentication scenarios when combined with the following:
- add OIDCPathAuthRequestParams that is configurable on a per-path basis and use OIDCAuthRequestParams for the static per-provider value
- add OIDCPathScope that is configurable on a per-path basis and concatenate with OIDCScope as static per-provider value
- support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured
- add support for an empty OIDCClaimPrefix; can be used with OIDCWhiteListedClaims to protect selected headers
- bump to 2.3.0rc0
05/30/2017
- support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
- support nested claim matching in Require directives; thanks @suttod
- support explicitly setting the "kid" of the private key in OIDCPrivateKeyFiles; thanks @suttod
05/25/2017
- fix cache fallback so it happens (when enabled) only after failure
05/19/2017
- make OIDCStripCookies work on AuthType oauth20 paths; closes #273; thanks Michele Danieli
- bump to 2.2.1rc6
05/18/2017
- fix parse function of OIDCRequestObject configuration option; thanks @suttod
05/17/2017
- avoid crash when the X-Forwarded-Proto header is not correctly set by a reverse proxy in front of mod_auth_openidc
05/14/2017
- support JWT verification against multiple keys with no provided kid by looping over the provided keys with cjose 0.5.0
- remove OIDC RP certification files; moved to separate repository
05/04/2017
- improve documentation for OIDCCryptoPassphrase; closes #268
04/30/2017
- fix wrong return value for cache_file_set in the file cache backend (OIDCCacheType file); thanks Ernani Joppert Pontes Martins
- bump to 2.2.1rc5
04/29/2017
- correctly log success/failure in cache_file_set
- avoid decoding a JSON object and logging an error when the input is NULL
e.g. when claims have not been resolved because userinfo endpoint is not set
04/20/2017
- support relative RedirectURIs; closes #200; thanks @moschlar
- don't assume that having OIDCCryptPassphrase set means we should validate the config for
openid-connect since it can now also be used to encrypt (auth20) cache entries
- bump to 2.2.1rc4
04/08/2017
......
AC_INIT([mod_auth_openidc],[2.2.1rc4],[hans.zandbelt@zmartzone.eu])
AC_INIT([mod_auth_openidc],[2.3.1],[hans.zandbelt@zmartzone.eu])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
......@@ -89,25 +89,23 @@ AC_SUBST(HIREDIS_LIBS)
# JQ
HAVE_LIBJQ=0
#AC_ARG_WITH(jq,
# [ --with-jq=PATH location of your libjq installation])
AC_ARG_WITH(jq,
[ --with-jq=PATH location of your libjq installation])
#if test -n "$with_jq"
#then
# JQ_CFLAGS="-I$with_jq/include"
# JQ_LIBS="-L$with_jq/lib -ljq"
#else
# JQ_LIBS="-ljq"
#fi
#CPPFLAGS="$JQ_CFLAGS $CPPFLAGS"
#AC_CHECK_HEADERS([jq.h], , [HAVE_LIBJQ=0])
#LDFLAGS="$JQ_LIBS $LDFLAGS"
#AC_CHECK_LIB([jq], [jq_init], , [HAVE_LIBJQ=0])
#if test "x$have_jq" = "x0" ; then
# AC_MSG_WARN("cannot find library for -ljq.")
#fi
if test -n "$with_jq"
then
JQ_CFLAGS="-I$with_jq/include"
JQ_LIBS="-L$with_jq/lib -ljq"
CPPFLAGS="$JQ_CFLAGS $CPPFLAGS"
AC_CHECK_HEADERS([jq.h], , [HAVE_LIBJQ=0])
LDFLAGS="$JQ_LIBS $LDFLAGS"
AC_CHECK_LIB([jq], [jq_init], [HAVE_LIBJQ=1], [HAVE_LIBJQ=0])
if test "x$have_jq" = "x0" ; then
AC_MSG_WARN("cannot find library for -ljq.")
fi
fi
AC_SUBST(HAVE_LIBJQ)
AC_SUBST(JQ_CFLAGS)
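Review bot: `if test "x$have_jq" = "x0" ; then` in the new --with-jq block tests a shell variable that nothing assigns; the probe result lives in `HAVE_LIBJQ`, so the "cannot find library for -ljq." warning can never fire and a wrong --with-jq path is accepted silently with HAVE_LIBJQ left at 0. Change it to `if test "x$HAVE_LIBJQ" = "x0" ; then`, and since the user explicitly requested jq an AC_MSG_ERROR would arguably be more appropriate than a warning. Note also that a failed `AC_CHECK_HEADERS([jq.h], , [HAVE_LIBJQ=0])` is overridden when the later `AC_CHECK_LIB([jq], [jq_init], [HAVE_LIBJQ=1], ...)` succeeds, so a machine with the library but no header ends up with HAVE_LIBJQ=1 and a compile failure later; only set 1 when both checks pass.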
......
/*.lo
/*.o
/*.slo
/*.la
/.libs
......@@ -213,7 +213,7 @@ apr_byte_t oidc_authz_match_claim(request_rec *r,
}
/* The match is a success if we walked the whole claim name and the attr_spec is at a colon. */
if (!(*attr_c) && (*spec_c) == ':') {
if (!(*attr_c) && (*spec_c) == OIDC_CHAR_COLON) {
/* skip the colon */
spec_c++;
......@@ -222,13 +222,28 @@ apr_byte_t oidc_authz_match_claim(request_rec *r,
return TRUE;
/* a tilde denotes a string PCRE match */
} else if (!(*attr_c) && (*spec_c) == '~') {
} else if (!(*attr_c) && (*spec_c) == OIDC_CHAR_TILDE) {
/* skip the tilde */
spec_c++;
if (oidc_authz_match_expression(r, spec_c, val) == TRUE)
return TRUE;
/* dot means child nodes must be evaluated */
} else if (!(*attr_c) && (*spec_c) == OIDC_CHAR_DOT) {
/* skip the dot */
spec_c++;
if (!json_is_object(val)) {
oidc_warn(r, "\"%s\" matched, and child nodes should be evaluated, but value is not an object.", key);
return FALSE;
}
oidc_debug(r, "Attribute chunk matched. Evaluating children of key: \"%s\".", key);
return oidc_authz_match_claim(r, spec_c, json_object_get(claims, key));
}
iter = json_object_iter_next((json_t *) claims, iter);
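Review bot: The new OIDC_CHAR_DOT branch returns FALSE from inside the iteration over `claims` — both when `val` is not an object and when the recursive `oidc_authz_match_claim` call fails — whereas the colon and tilde branches only return on success and otherwise let the loop reach `iter = json_object_iter_next(...)`. The search therefore stops at the first key whose name is a prefix of the spec, so a claim set holding both a scalar `foo` and a key literally named `foo.bar` (if such keys occur) can no longer match `foo.bar:x` depending on iteration order. Restructuring the branch so that only a successful child match returns, as below, keeps it consistent with its siblings; the recursion argument `json_object_get(claims, key)` also looks like the same object as `val` and could be passed directly, though the hunk does not show where `val` comes from. oidc_authz_match_claim starts and ends outside the hunk.
```c
		/* dot means child nodes must be evaluated */
	} else if (!(*attr_c) && (*spec_c) == OIDC_CHAR_DOT) {
		/* skip the dot */
		spec_c++;
		if (json_is_object(val)) {
			oidc_debug(r, "Attribute chunk matched. Evaluating children of key: \"%s\".", key);
			/* only a successful child match ends the search; otherwise keep iterating */
			if (oidc_authz_match_claim(r, spec_c, json_object_get(claims, key)) == TRUE)
				return TRUE;
		} else {
			oidc_warn(r, "\"%s\" matched, and child nodes should be evaluated, but value is not an object.", key);
		}
	}
	/* … unchanged: advance to the next claim … */
```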
......
/*.lo
/*.o
/*.slo
/.libs
......@@ -66,6 +66,7 @@ typedef apr_byte_t (*oidc_cache_set_function)(request_rec *r,
typedef int (*oidc_cache_destroy_function)(server_rec *s);
typedef struct oidc_cache_t {
const char *name;
int encrypt_by_default;
oidc_cache_post_config_function post_config;
oidc_cache_child_init_function child_init;
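Review bot: The new `encrypt_by_default` member of `oidc_cache_t` is added without a comment, and because the backend tables in this commit use positional initializers (`"file", 1, oidc_cache_file_post_config, ...`) a reader has to find those tables to learn what the value means. Suggest `/* 1 if values stored by this backend are encrypted unless configured otherwise (file, memcache, redis); 0 for shm */`, hedged to however oidc_cfg_cache_encrypt() actually consumes it, which this hunk does not show. Inserting a field in the middle of the struct also means every positional table must be updated in lock-step; designated initializers (`.encrypt_by_default = 1`) would make a missed backend a compile error rather than a shifted function-pointer list.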
......
......@@ -401,7 +401,7 @@ static int oidc_cache_crypto_encrypt(request_rec *r, const char *plaintext,
encoded_len + 1 + OIDC_CACHE_TAG_LEN + 1);
memcpy(encoded, p, encoded_len);
p = encoded + encoded_len;
*p = '.';
*p = OIDC_CHAR_DOT;
p++;
/* base64url encode the tag and append it in the buffer */
......@@ -479,7 +479,7 @@ static unsigned char *oidc_cache_hash_passphrase(request_rec *r,
unsigned int key_len = 0;
oidc_jose_error_t err;
if (oidc_jose_hash_bytes(r->pool, "sha256",
if (oidc_jose_hash_bytes(r->pool, OIDC_JOSE_ALG_SHA256,
(const unsigned char *) passphrase, strlen(passphrase), &key,
&key_len, &err) == FALSE) {
oidc_error(r, "oidc_jose_hash_bytes returned an error: %s", err.text);
......@@ -496,7 +496,7 @@ static char *oidc_cache_get_hashed_key(request_rec *r, const char *passphrase,
const char *key) {
char *input = apr_psprintf(r->pool, "%s:%s", passphrase, key);
char *output = NULL;
if (oidc_util_hash_string_and_base64url_encode(r, "sha256", input,
if (oidc_util_hash_string_and_base64url_encode(r, OIDC_JOSE_ALG_SHA256, input,
&output) == FALSE) {
oidc_error(r,
"oidc_util_hash_string_and_base64url_encode returned an error");
......@@ -514,8 +514,11 @@ apr_byte_t oidc_cache_get(request_rec *r, const char *section, const char *key,
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
int encrypted = oidc_cfg_cache_encrypt(r);
apr_byte_t rc = TRUE;
char *msg = NULL;
oidc_debug(r, "enter: %s (decrypt=%d)", key, encrypted);
oidc_debug(r, "enter: %s (section=%s, decrypt=%d, type=%s)", key, section,
encrypted, cfg->cache->name);
/* see if encryption is turned on */
if (encrypted == 1)
......@@ -523,22 +526,39 @@ apr_byte_t oidc_cache_get(request_rec *r, const char *section, const char *key,
/* get the value from the cache */
const char *cache_value = NULL;
if (cfg->cache->get(r, section, key, &cache_value) == FALSE)
return FALSE;
if (cfg->cache->get(r, section, key, &cache_value) == FALSE) {
rc = FALSE;
goto out;
}
/* see if it is any good */
if (cache_value == NULL)
return TRUE;
goto out;
/* see if encryption is turned on */
if (encrypted == 0) {
*value = apr_pstrdup(r->pool, cache_value);
return TRUE;
goto out;
}
return (oidc_cache_crypto_decrypt(r, cache_value,
rc = (oidc_cache_crypto_decrypt(r, cache_value,
oidc_cache_hash_passphrase(r, cfg->crypto_passphrase),
(unsigned char **) value) > 0);
out:
/* log the result */
msg = apr_psprintf(r->pool, "from %s cache backend for %skey %s",
cfg->cache->name, encrypted ? "encrypted " : "", key);
if (rc == TRUE)
if (*value != NULL)
oidc_debug(r, "cache hit: return %d bytes %s",
*value ? (int )strlen(*value) : 0, msg);
else
oidc_debug(r, "cache miss %s", msg);
else
oidc_warn(r, "error retrieving value %s", msg);
return rc;
}
/*
......@@ -551,20 +571,42 @@ apr_byte_t oidc_cache_set(request_rec *r, const char *section, const char *key,
&auth_openidc_module);
int encrypted = oidc_cfg_cache_encrypt(r);
char *encoded = NULL;
apr_byte_t rc = FALSE;
char *msg = NULL;
oidc_debug(r, "enter: %s=len(%d) (encrypt=%d)", key,
value ? (int )strlen(value) : 0, encrypted);
oidc_debug(r,
"enter: %s (section=%s, len=%d, encrypt=%d, ttl(s)=%" APR_TIME_T_FMT ", type=%s)",
key, section, value ? (int )strlen(value) : 0, encrypted,
apr_time_sec(expiry - apr_time_now()), cfg->cache->name);
/* see if we need to encrypt */
if (encrypted == 1) {
key = oidc_cache_get_hashed_key(r, cfg->crypto_passphrase, key);
if ((value != NULL)
&& (oidc_cache_crypto_encrypt(r, value,
oidc_cache_hash_passphrase(r, cfg->crypto_passphrase),
&encoded) > 0))
if (key == NULL)
goto out;
if (value != NULL) {
if (oidc_cache_crypto_encrypt(r, value,
oidc_cache_hash_passphrase(r, cfg->crypto_passphrase),
&encoded) <= 0)
goto out;
value = encoded;
}
}
/* store the resulting value in the cache */
return cfg->cache->set(r, section, key, value, expiry);
rc = cfg->cache->set(r, section, key, value, expiry);
out:
/* log the result */
msg = apr_psprintf(r->pool, "%d bytes in %s cache backend for %skey %s",
value ? (int) strlen(value) : 0, cfg->cache->name,
encrypted ? "encrypted " : "", key);
if (rc == TRUE)
oidc_debug(r, "successfully stored %s", msg);
else
oidc_warn(r, "could NOT store %s", msg);
return rc;
}
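Review bot: The result logging added at `out:` in oidc_cache_get dereferences `*value` on every path, including the `goto out` taken on a backend failure and on a miss, where this function never writes `*value`; unless every caller initialises its pointer to NULL before the call, the hit/miss decision and the `strlen(*value)` operate on an indeterminate pointer. Either set `*value = NULL;` at the start of the function (the start is outside the hunk) or decide hit versus miss from `cache_value`, which the function owns. The unbraced `if (rc == TRUE) if (*value != NULL) ... else ... else oidc_warn(...)` parses as intended but is the dangling-else shape that is easy to break on the next edit; bracing both levels costs four characters. The same two-level structure in the oidc_cache_set hunk is fine as written.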
......@@ -75,7 +75,7 @@ typedef struct {
/*
* prefix that distinguishes mod_auth_openidc cache files from other files in the same directory (/tmp)
*/
#define OIDC_CACHE_FILE_PREFIX "mod-auth-connect-"
#define OIDC_CACHE_FILE_PREFIX "mod-auth-openidc-"
/* post config routine */
int oidc_cache_file_post_config(server_rec *s) {
......@@ -95,7 +95,7 @@ int oidc_cache_file_post_config(server_rec *s) {
static const char *oidc_cache_file_name(request_rec *r, const char *section,
const char *key) {
return apr_psprintf(r->pool, "%s%s-%s", OIDC_CACHE_FILE_PREFIX, section,
key);
oidc_util_escape_string(r, key));
}
/*
......@@ -239,11 +239,6 @@ static apr_byte_t oidc_cache_file_get(request_rec *r, const char *section,
apr_file_unlock(fd);
apr_file_close(fd);
/* log a successful cache hit */
oidc_debug(r,
"cache hit for key \"%s\" (%" APR_SIZE_T_FMT " bytes, expiring in: %" APR_TIME_T_FMT ")",
key, info.len, apr_time_sec(info.expire - apr_time_now()));
return TRUE;
error_close:
......@@ -295,6 +290,8 @@ static apr_status_t oidc_cache_file_clean(request_rec *r) {
/* time to clean, reset the modification time of the metadata file to reflect the timestamp of this cleaning cycle */
apr_file_mtime_set(metadata_path, apr_time_now(), r->pool);
oidc_debug(r, "start cleaning cycle");
} else {
/* no metadata file exists yet, create one (and open it) */
......@@ -329,7 +326,7 @@ static apr_status_t oidc_cache_file_clean(request_rec *r) {
if (i == APR_SUCCESS) {
/* skip non-cache entries, cq. the ".", ".." and the metadata file */
if ((fi.name[0] == '.')
if ((fi.name[0] == OIDC_CHAR_DOT)
|| (strstr(fi.name, OIDC_CACHE_FILE_PREFIX) != fi.name)
|| ((apr_strnatcmp(fi.name,
oidc_cache_file_name(r, "cache-file",
......@@ -444,14 +441,15 @@ static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
/* log our success/failure */
oidc_debug(r,
"%s stored entry for key \"%s\" (%" APR_SIZE_T_FMT " bytes, expires in: %" APR_TIME_T_FMT ")",
rc ? "successfully" : "could not", key, info.len,
apr_time_sec(expiry - apr_time_now()));
"%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes",
(rc == APR_SUCCESS) ? "successfully stored" : "could not store",
key, info.len);
return rc;
return (rc == APR_SUCCESS);
}
oidc_cache_t oidc_cache_file = {
"file",
1,
oidc_cache_file_post_config,
NULL,
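Review bot: Building the cache file name from `oidc_util_escape_string(r, key)` is the right direction, since per this commit's ChangeLog keys can be configuration URLs and JWKs URIs obtained from remote metadata, but the hunk does not show what that helper escapes; confirm it rewrites `/`, `..` and NUL-adjacent sequences and not only characters that are merely unfriendly to filenames, otherwise a key can still steer the path outside the cache directory. A comment at the call site, `/* key may carry URL characters; escaping keeps it to a single path component */`, records that expectation; `section` is still inserted raw, which is acceptable only while callers pass literal section names. Separately, `OIDC_CACHE_FILE_PREFIX` changed from `mod-auth-connect-` to `mod-auth-openidc-` and the clean-up loop only removes entries matching the new prefix, so files left by an earlier release are never reclaimed — worth a release note or a one-off cleanup.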
......
......@@ -97,16 +97,16 @@ static int oidc_cache_memcache_post_config(server_rec *s) {
if (cfg->cache_memcache_servers == NULL) {
oidc_serror(s,
"cache type is set to \"memcache\", but no valid OIDCMemCacheServers setting was found");
"cache type is set to \"memcache\", but no valid " OIDCMemCacheServers " setting was found");
return HTTP_INTERNAL_SERVER_ERROR;
}
/* loop over the provided memcache servers to find out the number of servers configured */
char *cache_config = apr_pstrdup(p, cfg->cache_memcache_servers);
split = apr_strtok(cache_config, " ", &tok);
split = apr_strtok(cache_config, OIDC_STR_SPACE, &tok);
while (split) {
nservers++;
split = apr_strtok(NULL, " ", &tok);
split = apr_strtok(NULL, OIDC_STR_SPACE, &tok);
}
/* allocated space for the number of servers */
......@@ -119,7 +119,7 @@ static int oidc_cache_memcache_post_config(server_rec *s) {
/* loop again over the provided servers */
cache_config = apr_pstrdup(p, cfg->cache_memcache_servers);
split = apr_strtok(cache_config, " ", &tok);
split = apr_strtok(cache_config, OIDC_STR_SPACE, &tok);
while (split) {
apr_memcache_server_t* st;
char* host_str;
......@@ -160,7 +160,7 @@ static int oidc_cache_memcache_post_config(server_rec *s) {
}
/* go to the next entry */
split = apr_strtok(NULL, " ", &tok);
split = apr_strtok(NULL, OIDC_STR_SPACE, &tok);
}
return OK;
......@@ -191,11 +191,14 @@ static char *oidc_cache_memcache_get_key(apr_pool_t *pool, const char *section,
/*
* check dead/alive status for all servers
*/
static apr_byte_t oidc_cache_memcache_status(request_rec *r, oidc_cache_cfg_memcache_t *context) {
static apr_byte_t oidc_cache_memcache_status(request_rec *r,
oidc_cache_cfg_memcache_t *context) {
int rc = TRUE;
int i;
for (i = 0; rc && i < context->cache_memcache->ntotal; i++)
rc = rc && (context->cache_memcache->live_servers[0]->status != APR_MC_SERVER_DEAD);
rc = rc
&& (context->cache_memcache->live_servers[0]->status
!= APR_MC_SERVER_DEAD);
return rc;
}
......@@ -205,8 +208,6 @@ static apr_byte_t oidc_cache_memcache_status(request_rec *r, oidc_cache_cfg_memc
static apr_byte_t oidc_cache_memcache_get(request_rec *r, const char *section,
const char *key, const char **value) {
oidc_debug(r, "enter, section=\"%s\", key=\"%s\"", section, key);
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
oidc_cache_cfg_memcache_t *context =
......@@ -260,8 +261,6 @@ static apr_byte_t oidc_cache_memcache_get(request_rec *r, const char *section,
static apr_byte_t oidc_cache_memcache_set(request_rec *r, const char *section,
const char *key, const char *value, apr_time_t expiry) {
oidc_debug(r, "enter, section=\"%s\", key=\"%s\"", section, key);
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
oidc_cache_cfg_memcache_t *context =
......@@ -302,6 +301,7 @@ static apr_byte_t oidc_cache_memcache_set(request_rec *r, const char *section,
}
oidc_cache_t oidc_cache_memcache = {
"memcache",
1,
oidc_cache_memcache_post_config,
NULL,
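Review bot: `oidc_cache_memcache_status` loops `i` over `context->cache_memcache->ntotal` but the re-wrapped body still reads `live_servers[0]` on every iteration, so only the first server's status is ever examined and the loop index is unused; the commit reformats exactly that line without fixing it. It should be `&& (context->cache_memcache->live_servers[i]->status != APR_MC_SERVER_DEAD);`, and `rc = rc && ...` can become a plain assignment since the loop condition already stops on `!rc`. The `request_rec *r` parameter of that function is unused in the visible body as well.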
......
......@@ -100,7 +100,7 @@ static int oidc_cache_redis_post_config(server_rec *s) {
/* parse the host:post tuple from the configuration */
if (cfg->cache_redis_server == NULL) {
oidc_serror(s,
"cache type is set to \"redis\", but no valid OIDCRedisCacheServer setting was found");
"cache type is set to \"redis\", but no valid " OIDCRedisCacheServer " setting was found");
return HTTP_INTERNAL_SERVER_ERROR;
}
......@@ -189,12 +189,13 @@ static oidc_cache_redis_ctx_t * oidc_cache_redis_connect(request_rec *r,
r->server->process->pool);
if (rctx == NULL) {
rctx = apr_pcalloc(r->server->process->pool, sizeof(oidc_cache_redis_ctx_t));
rctx = apr_pcalloc(r->server->process->pool,
sizeof(oidc_cache_redis_ctx_t));
rctx->ctx = NULL;
/* store the connection in the process context */
apr_pool_userdata_set(rctx, OIDC_CACHE_REDIS_CONTEXT, oidc_cache_redis_free,
r->server->process->pool);
apr_pool_userdata_set(rctx, OIDC_CACHE_REDIS_CONTEXT,
oidc_cache_redis_free, r->server->process->pool);
}
if (rctx->ctx == NULL) {
......@@ -205,7 +206,8 @@ static oidc_cache_redis_ctx_t * oidc_cache_redis_connect(request_rec *r,
/* check for errors */
if ((rctx->ctx == NULL) || (rctx->ctx->err != 0)) {
oidc_error(r, "failed to connect to Redis server (%s:%d): '%s'",
context->host_str, context->port, rctx->ctx != NULL ? rctx->ctx->errstr : "");
context->host_str, context->port,
rctx->ctx != NULL ? rctx->ctx->errstr : "");
oidc_cache_redis_free(rctx);
} else {
/* log the connection */
......@@ -292,8 +294,6 @@ static redisReply* oidc_cache_redis_command(request_rec *r,
static apr_byte_t oidc_cache_redis_get(request_rec *r, const char *section,
const char *key, const char **value) {
oidc_debug(r, "enter, section=\"%s\", key=\"%s\"", section, key);
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
oidc_cache_cfg_redis_t *context = (oidc_cache_cfg_redis_t *) cfg->cache_cfg;
......@@ -344,8 +344,6 @@ static apr_byte_t oidc_cache_redis_get(request_rec *r, const char *section,
static apr_byte_t oidc_cache_redis_set(request_rec *r, const char *section,
const char *key, const char *value, apr_time_t expiry) {
oidc_debug(r, "enter, section=\"%s\", key=\"%s\"", section, key);
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
oidc_cache_cfg_redis_t *context = (oidc_cache_cfg_redis_t *) cfg->cache_cfg;
......@@ -403,6 +401,7 @@ static int oidc_cache_redis_destroy(server_rec *s) {
}
oidc_cache_t oidc_cache_redis = {
"redis",
1,
oidc_cache_redis_post_config,
oidc_cache_redis_child_init,
......
......@@ -158,8 +158,6 @@ static char *oidc_cache_shm_get_key(apr_pool_t *pool, const char *section,
static apr_byte_t oidc_cache_shm_get(request_rec *r, const char *section,
const char *key, const char **value) {
oidc_debug(r, "enter, section=\"%s\", key=\"%s\"", section, key);
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *) cfg->cache_cfg;
......@@ -206,7 +204,7 @@ static apr_byte_t oidc_cache_shm_get(request_rec *r, const char *section,
/* release the global lock */
oidc_cache_mutex_unlock(r, context->mutex);
return (*value == NULL) ? FALSE : TRUE;
return TRUE;
}
/*
......@@ -215,9 +213,6 @@ static apr_byte_t oidc_cache_shm_get(request_rec *r, const char *section,
static apr_byte_t oidc_cache_shm_set(request_rec *r, const char *section,
const char *key, const char *value, apr_time_t expiry) {
oidc_debug(r, "enter, section=\"%s\", key=\"%s\", value size=%llu", section,
key, value ? (unsigned long long )strlen(value) : 0);
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *) cfg->cache_cfg;
......@@ -243,7 +238,7 @@ static apr_byte_t oidc_cache_shm_set(request_rec *r, const char *section,
> (cfg->cache_shm_entry_size_max
- sizeof(oidc_cache_shm_entry_t)))) {
oidc_error(r,
"could not store value since value size is too large (%llu > %lu); consider increasing OIDCCacheShmEntrySizeMax",
"could not store value since value size is too large (%llu > %lu); consider increasing " OIDCCacheShmEntrySizeMax "",
(unsigned long long )strlen(value),
(unsigned long )(cfg->cache_shm_entry_size_max
- sizeof(oidc_cache_shm_entry_t)));
......@@ -299,7 +294,7 @@ static apr_byte_t oidc_cache_shm_set(request_rec *r, const char *section,
age = (current_time - lru->access) / 1000000;
if (age < 3600) {
oidc_warn(r,
"dropping LRU entry with age = %" APR_TIME_T_FMT "s, which is less than one hour; consider increasing the shared memory caching space (which is %d now) with the (global) OIDCCacheShmMax setting.",
"dropping LRU entry with age = %" APR_TIME_T_FMT "s, which is less than one hour; consider increasing the shared memory caching space (which is %d now) with the (global) " OIDCCacheShmMax " setting.",
age, cfg->cache_shm_size_max);
}
}
......@@ -347,6 +342,7 @@ static int oidc_cache_shm_destroy(server_rec *s) {
}
oidc_cache_t oidc_cache_shm = {
"shm",
0,
oidc_cache_shm_post_config,
oidc_cache_shm_child_init,
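Review bot: oidc_cache_shm_get now ends with `return TRUE;` instead of `return (*value == NULL) ? FALSE : TRUE;`, which matches the contract the new oidc_cache_get logging assumes (FALSE means backend error and is logged with oidc_warn, a miss is TRUE with `*value == NULL`). That makes it essential that `*value` is set to NULL before the lookup in the part of the function outside this hunk; confirm it, since a TRUE return with an untouched pointer would be reported as a hit. In the entry-size error message the trailing `""` after the `OIDCCacheShmEntrySizeMax` token is an empty literal and can be dropped.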
......
......@@ -63,6 +63,8 @@
#include "cjose/cjose.h"
#define OIDC_JOSE_ALG_SHA256 "sha256"
/* indicate support for OpenSSL version dependent features */
#define OIDC_JOSE_EC_SUPPORT OPENSSL_VERSION_NUMBER >= 0x1000100f
#define OIDC_JOSE_GCM_SUPPORT OPENSSL_VERSION_NUMBER >= 0x1000100f
......@@ -168,7 +170,7 @@ oidc_jwk_t *oidc_jwk_create_symmetric_key(apr_pool_t *pool, const char *kid,
apr_byte_t oidc_jwk_parse_rsa_public_key(apr_pool_t *pool, const char *kid,
const char *filename, oidc_jwk_t **jwk, oidc_jose_error_t *err);
/* parse an X.509 PEM formatted RSA private key file to a JWK */
apr_byte_t oidc_jwk_parse_rsa_private_key(apr_pool_t *pool,
apr_byte_t oidc_jwk_parse_rsa_private_key(apr_pool_t *pool, const char *kid,
const char *filename, oidc_jwk_t **jwk, oidc_jose_error_t *err);
/*
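Review bot: `oidc_jwk_parse_rsa_private_key` gains a `kid` parameter but the comment above the prototype still reads only "parse an X.509 PEM formatted RSA private key file to a JWK"; extend it to say what `kid` is and whether NULL is accepted, e.g. `/* parse a PEM formatted RSA private key file to a JWK; kid is the key ID to assign to it (presumably from OIDCPrivateKeyFiles, per the ChangeLog) and may be NULL if that is the case */`, mirroring the already-updated public-key prototype. The new `OIDC_JOSE_ALG_SHA256` define also deserves a one-liner, e.g. `/* digest name as passed to oidc_jose_hash_bytes() and friends */`, which is how cache.c uses it in this commit.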
......
......@@ -64,6 +64,8 @@
static apr_byte_t oidc_oauth_validate_access_token(request_rec *r, oidc_cfg *c,
const char *token, char **response) {
char *basic_auth = NULL;
/* assemble parameters to call the token endpoint for validation */
apr_table_t *params = apr_table_make(r->pool, 4);
......@@ -74,20 +76,12 @@ static apr_byte_t oidc_oauth_validate_access_token(request_rec *r, oidc_cfg *c,
/* add the access_token itself */
apr_table_addn(params, c->oauth.introspection_token_param_name, token);
/* see if we want to do basic auth or post-param-based auth */
const char *basic_auth = NULL;
if ((c->oauth.client_id != NULL) && (c->oauth.client_secret != NULL)) {
if ((c->oauth.introspection_endpoint_auth != NULL)
&& (apr_strnatcmp(c->oauth.introspection_endpoint_auth,
OIDC_PROTO_CLIENT_SECRET_POST) == 0)) {
apr_table_addn(params, OIDC_PROTO_CLIENT_ID, c->oauth.client_id);
apr_table_addn(params, OIDC_PROTO_CLIENT_SECRET,
c->oauth.client_secret);
} else {
basic_auth = apr_psprintf(r->pool, "%s:%s", c->oauth.client_id,
c->oauth.client_secret);
}
}
/* add the token endpoint authentication credentials */
if (oidc_proto_token_endpoint_auth(r, c,
c->oauth.introspection_endpoint_auth, c->oauth.client_id,
c->oauth.client_secret, c->oauth.introspection_endpoint_url, params,
&basic_auth) == FALSE)
return FALSE;
/* call the endpoint with the constructed parameter set and return the resulting response */
return apr_strnatcmp(c->oauth.introspection_endpoint_method,
......@@ -130,8 +124,9 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r,
oidc_debug(r, "authorization header found");
/* look for the Bearer keyword */
if (apr_strnatcasecmp(ap_getword(r->pool, &auth_line, ' '),
"Bearer") == 0) {
if (apr_strnatcasecmp(
ap_getword(r->pool, &auth_line, OIDC_CHAR_SPACE),
OIDC_PROTO_BEARER) == 0) {
/* skip any spaces after the Bearer keyword */
while (apr_isspace(*auth_line)) {
......@@ -464,44 +459,6 @@ static apr_byte_t oidc_oauth_resolve_access_token(request_rec *r, oidc_cfg *c,