Commit dab598a2 authored by Moritz Schlarb

New upstream version 2.3.8

parent 6a5c35b8
......@@ -46,3 +46,5 @@ reporting bugs, providing fixes, suggesting useful features or other:
timpuri <https://github.com/timpuri>
Eldar Zaitov <https://github.com/kyprizel>
Gergan Penkov <https://github.com/gergan>
Florian Weimer <https://github.com/fweimer>
Aaron Donovan <https://github.com/amdonov>
09/12/2018
- fix return result FALSE when JWT payload parsing fails; see #389; thanks @amdonov
- release 2.3.8
08/30/2018
- add LGTM code quality badges, see #385; thanks @xcorail
- fix 3 LGTM alerts
08/23/2018
- improve auto-detection of XMLHttpRequests via Accept header; see #331
- bump to 2.3.8rc5
08/15/2018
- initialize test_proto_authorization_request properly; see #382; thanks @jdennis
- add sanity check on provider->auth_request_method; closes #382; thanks @jdennis
- bump to 2.3.8rc4
08/14/2018
- allow usage with LibreSSL; closes #380; thanks @hihellobolke
- bump to 2.3.8rc3
08/04/2018
- don't return content with 503 since it will turn the HTTP status code into a 200; see #331
- bump to 2.3.8rc2
08/03/2018
- add option to set an upper limit to the number of concurrent state cookies via OIDCStateMaxNumberOfCookies; see #331
- make the default maximum number of parallel state cookies 7 instead of unlimited; see #331
- bump to 2.3.8rc1
07/30/2018
- fix using access token as endpoint auth method in introspection calls; closes #377; thanks @skauffmann
07/25/2018
- fix reading access_token form POST parameters when combined with `AuthType auth-openidc`; see #376; thanks Nicolas Salerno
- bump to 2.3.8rc0
07/06/2018
- abort when string length for remote user name substitution is larger than 255 characters
- release 2.3.7
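Review bot: the 09/12 entry ("fix return result FALSE when JWT payload parsing fails") undersells the jose.c change it refers to: before this commit the failure branch in oidc_jwt_parse destroyed the JWT and set *j_jwt to NULL but then fell through to return TRUE, so any caller that trusted the return value went on to use a NULL token. Packagers reading this file will want that consequence spelled out. Likewise the 08/03 entries give the new OIDCStateMaxNumberOfCookies default (7) but not the accepted range; parse.c rejects anything outside 0..255 and 0 means unlimited, which belongs here next to the default.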
......
[![Build Status](https://travis-ci.org/zmartzone/mod_auth_openidc.svg?branch=master)](https://travis-ci.org/zmartzone/mod_auth_openidc)
[<img width="184" height="96" align="right" src="http://openid.net/wordpress-content/uploads/2016/04/oid-l-certification-mark-l-rgb-150dpi-90mm@2x.png" alt="OpenID Certification">](https://openid.net/certification)
[![Code Quality: Cpp](https://img.shields.io/lgtm/grade/cpp/g/zmartzone/mod_auth_openidc.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/zmartzone/mod_auth_openidc/context:cpp)
[![Total Alerts](https://img.shields.io/lgtm/alerts/g/zmartzone/mod_auth_openidc.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/zmartzone/mod_auth_openidc/alerts)
mod_auth_openidc
================
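Review bot: the OpenID certification mark is loaded from `http://openid.net/...` while every other badge on these lines is https; anything that renders this README over TLS gets a mixed-content image. Switch the `src` to https.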
......@@ -55,6 +57,22 @@ works in the same way as described for OpenID Connect above. See the [Wiki](http
For an exhaustive description of all configuration options, see the file `auth_openidc.conf`
in this directory. This file can also serve as an include file for `httpd.conf`.
Support
-------
#### Community Support
For generic questions, see the Wiki pages with Frequently Asked Questions at:
[https://github.com/zmartzone/mod_auth_openidc/wiki](https://github.com/zmartzone/mod_auth_openidc/wiki)
There is a Google Group/mailing list at:
[mod_auth_openidc@googlegroups.com](mailto:mod_auth_openidc@googlegroups.com)
The corresponding forum/archive is at:
[https://groups.google.com/forum/#!forum/mod_auth_openidc](https://groups.google.com/forum/#!forum/mod_auth_openidc)
Any questions/issues should go to the mailing list. The Github issues tracker should be used only for bugs reports and feature requests.
#### Commercial Services
For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:
[sales@zmartzone.eu](mailto:sales@zmartzone.eu)
How to Use It
-------------
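Review bot: "bugs reports" in the sentence beginning "Any questions/issues should go to the mailing list" should be "bug reports"; the same sentence is deleted further down and re-added here, so the typo survives the move. With the section now split into Community Support and Commercial Services, it would also be worth one sentence saying where security-sensitive reports should go if the project has a private channel, since as written the only options offered are a public list and a public tracker.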
......@@ -70,6 +88,7 @@ OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configura
OIDCClientID <your-client-id-administered-through-the-google-api-console>
OIDCClientSecret <your-client-secret-administered-through-the-google-api-console>
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://www.example.com/example/redirect_uri
OIDCCryptoPassphrase <password>
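Review bot: the new OIDCRedirectURI comment is pasted verbatim into all three configuration examples without saying why the constraint exists. State the reason once in the prose that introduces auth_openidc.conf (the path has to fall inside a Location this module protects so that the module, not a content handler, receives the authorization response) and keep the per-example comment to a short pointer; "must NOT point to any content" on its own reads as arbitrary.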
......@@ -98,6 +117,7 @@ See also the [Wiki page on Keycloak](https://github.com/zmartzone/mod_auth_openi
```apache
OIDCProviderMetadataURL https://keycloak.example.net/auth/realms/master/.well-known/openid-configuration
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://www.example.net/oauth2callback
OIDCCryptoPassphrase random1234
OIDCClientID <your-client-id-registered-in-keycloak>
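Review bot: `OIDCCryptoPassphrase random1234` in the Keycloak example is a literal value where the Google and generic examples use the `<password>` placeholder. This passphrase is the module's own encryption secret, and a literal in the README is exactly what ends up in copy-pasted deployments; use `<password>` here as well.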
......@@ -128,6 +148,7 @@ OIDCProviderMetadataURL <issuer>/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://<hostname>/secure/redirect_uri
OIDCCryptoPassphrase <password>
......@@ -156,22 +177,8 @@ OIDCOAuthVerifySharedKeys plain##<shared-secret-to-validate-symmetric-jwt-signat
</Location>
```
Support
-------
See the Wiki pages with Frequently Asked Questions at:
https://github.com/zmartzone/mod_auth_openidc/wiki
There is a Google Group/mailing list at:
[mod_auth_openidc@googlegroups.com](mailto:mod_auth_openidc@googlegroups.com)
The corresponding forum/archive is at:
https://groups.google.com/forum/#!forum/mod_auth_openidc
For commercial support and consultancy you can contact:
[info@zmartzone.eu](mailto:info@zmartzone.eu)
Any questions/issues should go to the mailing list. The Github issues tracker should be used only for bugs reports and feature requests.
Disclaimer
----------
*This software is open sourced by ZmartZone IAM. For commercial support
you can contact [ZmartZone IAM](https://www.zmartzone.eu) as described above.*
*This software is open sourced by ZmartZone IAM. For commercial services
you can contact [ZmartZone IAM](https://www.zmartzone.eu) as described above in the [Support](#support) section.*
......@@ -136,14 +136,14 @@
# "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET
# "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST
# When not defined the default is "authz_header".
# NB: this can be overrridden on a per-OP basis in the .conf file using the key: userinfo_token_method
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_token_method
#OIDCUserInfoTokenMethod [authz_header|post_param]
# Defines the HTTP method used to pass the parameters in the Authentication Request to the Authorization Endpoint.
# "GET" means that the parameters will be passed as query parameters in an HTTP GET
# "POST" means that the parameters will be passed as form-post parameters in an HTTP POST
# When not defined the default is "GET".
# NB: this can be overrridden on a per-OP basis in the .conf file using the key: auth_request_method
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method
# OIDCProviderAuthRequestMethod [ GET | POST ]
########################################################################################
......@@ -208,6 +208,7 @@
# "optional": referred token binding will be requested, the "cnf["tbh"]" claim is optional on return
# "required": referred token binding will be requested, the "cnf["tbh"]" claim must be present when the Client supports Token Binding
# "enforced": referred token binding will be requested, the "cnf["tbh"]" claim must be present and the User Agent must support Token Binding
# When not defined the default is "optional".
#OIDCTokenBindingPolicy [disabled|optional|required|enforced]
# (used only in dynamic client registration)
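Review bot: the auth_openidc.conf hunks in this commit are typo fixes and the OIDCTokenBindingPolicy default; nothing shown documents the new OIDCStateMaxNumberOfCookies directive. If it is not already described elsewhere in the file, add an entry next to OIDCStateTimeout giving the default (7), the range (0..255) and the meaning of 0 (unlimited), since that file is the reference the README points operators to.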
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.3.7.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.3.8.
#
# Report bugs to <hans.zandbelt@zmartzone.eu>.
#
......@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
PACKAGE_VERSION='2.3.7'
PACKAGE_STRING='mod_auth_openidc 2.3.7'
PACKAGE_VERSION='2.3.8'
PACKAGE_STRING='mod_auth_openidc 2.3.8'
PACKAGE_BUGREPORT='hans.zandbelt@zmartzone.eu'
PACKAGE_URL=''
......@@ -1269,7 +1269,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures mod_auth_openidc 2.3.7 to adapt to many kinds of systems.
\`configure' configures mod_auth_openidc 2.3.8 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1331,7 +1331,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of mod_auth_openidc 2.3.7:";;
short | recursive ) echo "Configuration of mod_auth_openidc 2.3.8:";;
esac
cat <<\_ACEOF
......@@ -1445,7 +1445,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
mod_auth_openidc configure 2.3.7
mod_auth_openidc configure 2.3.8
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1747,7 +1747,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by mod_auth_openidc $as_me 2.3.7, which was
It was created by mod_auth_openidc $as_me 2.3.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -2096,7 +2096,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
NAMEVER=mod_auth_openidc-2.3.7
NAMEVER=mod_auth_openidc-2.3.8
# This section defines the --with-apxs2 option.
......@@ -4886,7 +4886,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by mod_auth_openidc $as_me 2.3.7, which was
This file was extended by mod_auth_openidc $as_me 2.3.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -4939,7 +4939,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
mod_auth_openidc config.status 2.3.7
mod_auth_openidc config.status 2.3.8
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......
AC_INIT([mod_auth_openidc],[2.3.7],[hans.zandbelt@zmartzone.eu])
AC_INIT([mod_auth_openidc],[2.3.8],[hans.zandbelt@zmartzone.eu])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
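Review bot: every version hunk in the generated configure script above is a mechanical consequence of this AC_INIT change. If configure has to stay checked in, a note in the release procedure (regenerate with autoreconf before tagging) would keep it from drifting from configure.ac; the two were in step at 2.3.7 and remain so here, which is good.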
......
......@@ -107,7 +107,8 @@ int oidc_cache_shm_post_config(server_rec *s) {
/* create the shared memory segment */
apr_status_t rv = apr_shm_create(&context->shm,
cfg->cache_shm_entry_size_max * cfg->cache_shm_size_max,
(apr_size_t) cfg->cache_shm_entry_size_max
* cfg->cache_shm_size_max,
NULL, s->process->pool);
if (rv != APR_SUCCESS) {
oidc_serror(s, "apr_shm_create failed to create shared memory segment");
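Review bot: the cast on the size argument applies only to the left operand, and that is what makes it work: cfg->cache_shm_entry_size_max is converted to apr_size_t before the multiply, so the product is computed in apr_size_t rather than int and no longer overflows for entry_size * size combinations above INT_MAX. Because it looks like an accidental one-sided cast, add a comment saying the widening is intentional, or compute the product into an apr_size_t local first. It still relies on both config values being non-negative: a negative int converted to apr_size_t becomes a huge segment size, so whatever range checks those two directives get at parse time are what stands between a config typo and apr_shm_create being asked for terabytes.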
......
......@@ -104,6 +104,8 @@
#define OIDC_DEFAULT_SESSION_CLIENT_COOKIE_CHUNK_SIZE 4000
/* timeout in seconds after which state expires */
#define OIDC_DEFAULT_STATE_TIMEOUT 300
/* maximum number of parallel state cookies; 0 means unlimited, until the browser or server gives up */
#define OIDC_DEFAULT_MAX_NUMBER_OF_STATE_COOKIES 7
/* default session inactivity timeout */
#define OIDC_DEFAULT_SESSION_INACTIVITY_TIMEOUT 300
/* default session max duration */
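Review bot: the comment on OIDC_DEFAULT_MAX_NUMBER_OF_STATE_COOKIES says what 0 means but not why 7 was chosen. Since this is the knob added for #331, with one state cookie per outstanding authorization request and each living OIDCStateTimeout (300 s by default), a one-line rationale here, that it bounds how many cookies an unauthenticated client can cause the module to set before, in the comment's own words, the browser or server gives up, would save the next reader a trip to the issue tracker.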
......@@ -227,6 +229,7 @@
#define OIDCHTTPTimeoutLong "OIDCHTTPTimeoutLong"
#define OIDCHTTPTimeoutShort "OIDCHTTPTimeoutShort"
#define OIDCStateTimeout "OIDCStateTimeout"
#define OIDCStateMaxNumberOfCookies "OIDCStateMaxNumberOfCookies"
#define OIDCSessionInactivityTimeout "OIDCSessionInactivityTimeout"
#define OIDCMetadataDir "OIDCMetadataDir"
#define OIDCSessionCacheFallbackToCookie "OIDCSessionCacheFallbackToCookie"
......@@ -994,6 +997,27 @@ static const char *oidc_set_client_auth_bearer_token(cmd_parms *cmd,
return NULL;
}
/*
* set the maximun number of parallel state cookies
*/
static const char *oidc_set_max_number_of_state_cookies(cmd_parms *cmd,
void *struct_ptr, const char *arg) {
oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(
cmd->server->module_config, &auth_openidc_module);
const char *rv = oidc_parse_max_number_of_state_cookies(cmd->pool, arg,
&cfg->max_number_of_state_cookies);
return OIDC_CONFIG_DIR_RV(cmd, rv);
}
/*
* return the maximun number of parallel state cookies
*/
int oidc_cfg_max_number_of_state_cookies(oidc_cfg *cfg) {
if (cfg->max_number_of_state_cookies == OIDC_CONFIG_POS_INT_UNSET)
return OIDC_DEFAULT_MAX_NUMBER_OF_STATE_COOKIES;
return cfg->max_number_of_state_cookies;
}
/*
* create a new server config record with defaults
*/
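Review bot: "maximun" in both new comments (and again in the directive help text further down) should be "maximum". Functionally the pair is right: the setter stores into the server config and the getter resolves OIDC_CONFIG_POS_INT_UNSET to the default, so callers never see the sentinel. One nit: the setter reads the server config via ap_get_module_config and never looks at cmd->info, so the APR_OFFSETOF(oidc_cfg, max_number_of_state_cookies) passed in the command table below is dead data; that matches the neighbouring entries, but it is worth either dropping the offset or using it.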
......@@ -1102,6 +1126,7 @@ void *oidc_create_server_config(apr_pool_t *pool, server_rec *svr) {
c->http_timeout_long = OIDC_DEFAULT_HTTP_TIMEOUT_LONG;
c->http_timeout_short = OIDC_DEFAULT_HTTP_TIMEOUT_SHORT;
c->state_timeout = OIDC_DEFAULT_STATE_TIMEOUT;
c->max_number_of_state_cookies = OIDC_CONFIG_POS_INT_UNSET;
c->session_inactivity_timeout = OIDC_DEFAULT_SESSION_INACTIVITY_TIMEOUT;
c->cookie_domain = NULL;
......@@ -1416,6 +1441,10 @@ void *oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) {
c->state_timeout =
add->state_timeout != OIDC_DEFAULT_STATE_TIMEOUT ?
add->state_timeout : base->state_timeout;
c->max_number_of_state_cookies =
add->max_number_of_state_cookies != OIDC_CONFIG_POS_INT_UNSET ?
add->max_number_of_state_cookies :
base->max_number_of_state_cookies;
c->session_inactivity_timeout =
add->session_inactivity_timeout
!= OIDC_DEFAULT_SESSION_INACTIVITY_TIMEOUT ?
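Review bot: the merge logic for the new field is the right pattern and better than its neighbours: by initialising to OIDC_CONFIG_POS_INT_UNSET and testing for the sentinel, an explicit `OIDCStateMaxNumberOfCookies 7` in a virtual host is honoured even though 7 is the default. The adjacent state_timeout and session_inactivity_timeout merges compare against their default values instead, so an explicit `OIDCStateTimeout 300` in a vhost is indistinguishable from "not set" and silently inherits the base server's value; converting those to the same sentinel scheme would be a good follow-up.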
......@@ -2627,6 +2656,11 @@ const command_rec oidc_config_cmds[] = {
(void*)APR_OFFSETOF(oidc_cfg, state_timeout),
RSRC_CONF,
"Time to live in seconds for state parameter (cq. interval in which the authorization request and the corresponding response need to be completed)."),
AP_INIT_TAKE1(OIDCStateMaxNumberOfCookies,
oidc_set_max_number_of_state_cookies,
(void*)APR_OFFSETOF(oidc_cfg, max_number_of_state_cookies),
RSRC_CONF,
"Maximun number of parallel state cookies i.e. outstanding authorization requests."),
AP_INIT_TAKE1(OIDCSessionInactivityTimeout,
oidc_set_session_inactivity_timeout,
(void*)APR_OFFSETOF(oidc_cfg, session_inactivity_timeout),
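Review bot: "Maximun" in the help string is user-visible (`httpd -L` prints it); fix to "Maximum". The text should also state the accepted range and the meaning of 0, since parse.c rejects values outside 0..255 and the header comment defines 0 as unlimited, and neither is discoverable from `httpd -L` as written.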
......
......@@ -142,7 +142,7 @@ char *oidc_jwt_serialize(apr_pool_t *pool, oidc_jwt_t *jwt,
size_t out_len;
if (cjose_base64url_encode((const uint8_t *) s_payload,
strlen(s_payload), &out, &out_len, &cjose_err) == FALSE)
return FALSE;
return NULL;
cser = apr_pstrmemdup(pool, out, out_len);
cjose_get_dealloc()(out);
......@@ -435,14 +435,14 @@ oidc_jwk_t *oidc_jwk_create_symmetric_key(apr_pool_t *pool, const char *skid,
if (cjose_jwk == NULL) {
oidc_jose_error(err, "cjose_jwk_create_oct_spec failed: %s",
oidc_cjose_e2s(pool, cjose_err));
return FALSE;
return NULL;
}
if (set_kid == TRUE) {
if (oidc_jwk_set_or_generate_kid(pool, cjose_jwk, skid,
(const char *) key, key_len, err) == FALSE) {
cjose_jwk_release(cjose_jwk);
return FALSE;
return NULL;
}
}
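Review bot: the three FALSE-to-NULL changes in this hunk and the one above are type fixes only: both functions return pointers and FALSE is 0, so behaviour is unchanged. Fine to land; they just should not be described as bug fixes in the changelog.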
......@@ -779,6 +779,7 @@ apr_byte_t oidc_jwt_parse(apr_pool_t *pool, const char *input_json,
&jwt->payload, err) == FALSE) {
oidc_jwt_destroy(jwt);
*j_jwt = NULL;
return FALSE;
}
return TRUE;
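Review bot: this one-line addition is the fix for #389 and deserves more than "fix return result" in the changelog. Without the return, the failure branch destroys the JWT and sets *j_jwt to NULL but then falls through to `return TRUE;`, so every caller that checks only the return value continues with a NULL jwt when a token's payload does not parse. Add a regression test that feeds oidc_jwt_parse a JWT with a non-JSON payload and asserts both FALSE and *j_jwt == NULL, so the fall-through cannot come back.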
......@@ -839,7 +840,7 @@ apr_byte_t oidc_jwt_sign(apr_pool_t *pool, oidc_jwt_t *jwt, oidc_jwk_t *jwk,
return TRUE;
}
#if (OPENSSL_VERSION_NUMBER < 0x10100000)
#if (OPENSSL_VERSION_NUMBER < 0x10100000) || defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX * EVP_MD_CTX_new() {
return malloc(sizeof(EVP_MD_CTX));
}
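Review bot: the guard now compiles the EVP_MD_CTX_new shim for every LibreSSL version. LibreSSL added its own EVP_MD_CTX_new and EVP_MD_CTX_free in 2.7.0, so on those releases this is a duplicate definition; use `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)` instead. Separately, `return malloc(sizeof(EVP_MD_CTX));` hands back uninitialised memory where OpenSSL's real EVP_MD_CTX_new returns a zeroed context; unless every caller follows it with EVP_MD_CTX_init, calloc is the safer allocation.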
......
......@@ -379,6 +379,7 @@ typedef struct oidc_cfg {
int http_timeout_long;
int http_timeout_short;
int state_timeout;
int max_number_of_state_cookies;
int session_inactivity_timeout;
int session_cache_fallback_to_cookie;
......@@ -431,7 +432,7 @@ apr_byte_t oidc_get_remote_user(request_rec *r, const char *claim_name, const ch
#define OIDC_REDIRECT_URI_REQUEST_REQUEST_URI "request_uri"
// oidc_oauth
int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c);
int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c, const char *access_token);
apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token);
// oidc_proto.c
......@@ -536,7 +537,9 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
#define OIDC_CONTENT_TYPE_JWT "application/jwt"
#define OIDC_CONTENT_TYPE_FORM_ENCODED "application/x-www-form-urlencoded"
#define OIDC_CONTENT_TYPE_IMAGE_PNG "image/png"
#define OIDC_CONTENT_TYPE_HTML "text/html"
#define OIDC_CONTENT_TYPE_TEXT_HTML "text/html"
#define OIDC_CONTENT_TYPE_APP_XHTML_XML "application/xhtml+xml"
#define OIDC_CONTENT_TYPE_ANY "*/*"
#define OIDC_STR_SPACE " "
#define OIDC_STR_EQUAL "="
......@@ -559,6 +562,7 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
#define OIDC_CHAR_FORWARD_SLASH '/'
#define OIDC_CHAR_PIPE '|'
#define OIDC_CHAR_AMP '&'
#define OIDC_CHAR_SEMI_COLON ';'
#define OIDC_APP_INFO_REFRESH_TOKEN "refresh_token"
#define OIDC_APP_INFO_ACCESS_TOKEN "access_token"
......@@ -686,6 +690,7 @@ int oidc_cfg_cache_encrypt(request_rec *r);
int oidc_cfg_session_cache_fallback_to_cookie(request_rec *r);
const char *oidc_parse_pkce_type(apr_pool_t *pool, const char *arg, oidc_proto_pkce_t **type);
const char *oidc_cfg_claim_prefix(request_rec *r);
int oidc_cfg_max_number_of_state_cookies(oidc_cfg *cfg);
// oidc_util.c
int oidc_strnenvcmp(const char *a, const char *b, int len);
......@@ -785,6 +790,7 @@ const char *oidc_util_hdr_in_host_get(const request_rec *r);
void oidc_util_hdr_out_location_set(const request_rec *r, const char *value);
const char *oidc_util_hdr_out_location_get(const request_rec *r);
void oidc_util_hdr_err_out_add(const request_rec *r, const char *name, const char *value);
apr_byte_t oidc_util_hdr_in_accept_contains(const request_rec *r, const char *needle);
// oidc_metadata.c
apr_byte_t oidc_metadata_provider_retrieve(request_rec *r, oidc_cfg *cfg, const char *issuer, const char *url, json_t **j_metadata, char **response);
......
......@@ -163,8 +163,7 @@ static apr_byte_t oidc_oauth_validate_access_token(request_rec *r, oidc_cfg *c,
((c->oauth.introspection_client_auth_bearer_token != NULL)
&& strcmp(c->oauth.introspection_client_auth_bearer_token,
"") == 0) ?
apr_table_get(params, token) :
c->oauth.introspection_client_auth_bearer_token;
token : c->oauth.introspection_client_auth_bearer_token;
/* add the token endpoint authentication credentials */
if (oidc_proto_token_endpoint_auth(r, c,
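Review bot: the old expression `apr_table_get(params, token)` used the access token's value as a key into the params table, which is why the introspection call never carried the token as its bearer credential (#377); passing `token` directly is the right fix. The surrounding convention, that an empty-string introspection_client_auth_bearer_token means "authenticate to the introspection endpoint with the access token being introspected", is load-bearing and not obvious from the code; a comment here, and a line in auth_openidc.conf, would stop the next reader from simplifying the strcmp away.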
......@@ -706,7 +705,7 @@ static apr_byte_t oidc_oauth_set_request_user(request_rec *r, oidc_cfg *c,
/*
* main routine: handle OAuth 2.0 authentication/authorization
*/
int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c) {
int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c, const char *access_token) {
/* check if this is a sub-request or an initial request */
if (!ap_is_initial_req(r)) {
......@@ -747,14 +746,15 @@ int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c) {
oidc_oauth_provider_config(r, c);
/* get the bearer access token from the Authorization header */
const char *access_token = NULL;
if (oidc_oauth_get_bearer_token(r, &access_token) == FALSE) {
if (r->method_number == M_OPTIONS) {
r->user = "";
return OK;
if (access_token == NULL) {
if (oidc_oauth_get_bearer_token(r, &access_token) == FALSE) {
if (r->method_number == M_OPTIONS) {
r->user = "";
return OK;
}
return oidc_oauth_return_www_authenticate(r,
OIDC_PROTO_ERR_INVALID_REQUEST, "No bearer token found in the request");
}
return oidc_oauth_return_www_authenticate(r,
OIDC_PROTO_ERR_INVALID_REQUEST, "No bearer token found in the request");
}
/* validate the obtained access token against the OAuth AS validation endpoint */
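Review bot: the new access_token parameter lets a caller hand in a token it already extracted (the changelog ties this to reading access_token from POST parameters under `AuthType auth-openidc`, #376). Two things to make explicit in a comment: when access_token is non-NULL the M_OPTIONS short-circuit that sets r->user to "" and returns OK is skipped, which is the intended behaviour since a preflight carries no token; and the caller now owns the decision of where a token may come from, so the call site should say that it only passes tokens from form-encoded bodies and not from the query string, because a token in a URL ends up in access logs and Referer headers.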
......
......@@ -530,6 +530,28 @@ const char *oidc_valid_session_max_duration(apr_pool_t *pool, int v) {
return NULL;
}
#define OIDC_MAX_NUMBER_OF_STATE_COOKIES_MIN 0
#define OIDC_MAX_NUMBER_OF_STATE_COOKIES_MAX 255
/*
* check the maximum number of parallel state cookies
*/
const char *oidc_valid_max_number_of_state_cookies(apr_pool_t *pool, int v) {
if (v == 0) {
return NULL;
}
if (v < OIDC_MAX_NUMBER_OF_STATE_COOKIES_MIN) {
return apr_psprintf(pool, "maximum must not be less than %d",
OIDC_MAX_NUMBER_OF_STATE_COOKIES_MIN);
}
if (v > OIDC_MAX_NUMBER_OF_STATE_COOKIES_MAX) {
return apr_psprintf(pool, "maximum must not be greater than %d",
OIDC_MAX_NUMBER_OF_STATE_COOKIES_MAX);
}
return NULL;
}
/*
* parse a session max duration value from the provided string
*/
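Review bot: the `if (v == 0) return NULL;` special case is redundant: with OIDC_MAX_NUMBER_OF_STATE_COOKIES_MIN defined as 0, zero already passes both range checks, so the early return only hides that 0 is an ordinary in-range value whose "unlimited" meaning is assigned elsewhere (the OIDC_DEFAULT_MAX_NUMBER_OF_STATE_COOKIES comment in config.c). Either drop it or keep it with a comment saying 0 means unlimited, so the intent is visible at the point of validation. The upper bound of 255 also wants a comment: it is a sanity cap, not a browser limit, and someone will otherwise read it as one.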
......@@ -1218,3 +1240,12 @@ const char *oidc_parse_auth_request_method(apr_pool_t *pool, const char *arg,
return NULL;
}
/*
* parse the maximum number of parallel state cookies
*/
const char *oidc_parse_max_number_of_state_cookies(apr_pool_t *pool,
const char *arg, int *int_value) {
return oidc_parse_int_valid(pool, arg, int_value,
oidc_valid_max_number_of_state_cookies);
}
......@@ -90,6 +90,7 @@ const char *oidc_valid_userinfo_refresh_interval(apr_pool_t *pool, int v);
const char *oidc_valid_userinfo_token_method(apr_pool_t *pool, const char *arg);
const char *oidc_valid_token_binding_policy(apr_pool_t *pool, const char *arg);
const char *oidc_valid_auth_request_method(apr_pool_t *pool, const char *arg);
const char *oidc_valid_max_number_of_state_cookies(apr_pool_t *pool, int v);
const char *oidc_parse_int(apr_pool_t *pool, const char *arg, int *int_value);
const char *oidc_parse_boolean(apr_pool_t *pool, const char *arg, int *bool_value);
......@@ -116,6 +117,7 @@ const char *oidc_parse_info_hook_data(apr_pool_t *pool, const char *arg, apr_has
const char *oidc_parse_token_binding_policy(apr_pool_t *pool, const char *arg, int *int_value);
const char *oidc_token_binding_policy2str(apr_pool_t *pool, int v);
const char *oidc_parse_auth_request_method(apr_pool_t *pool, const char *arg, int *method);
const char *oidc_parse_max_number_of_state_cookies(apr_pool_t *pool, const char *arg, int *int_value);
typedef const char *(*oidc_valid_int_function_t)(apr_pool_t *, int);
typedef const char *(*oidc_valid_function_t)(apr_pool_t *, const char *);
......
......@@ -32,6 +32,11 @@ restrictions:
supersede any condition above with which it is incompatible.
*/
#ifndef MOD_AUTH_OPENIDC_PCRE_SUBST_H_
#define MOD_AUTH_OPENIDC_PCRE_SUBST_H_
#define OIDC_PCRE_MAXCAPTURE 255
char *pcre_subst(const pcre *, const pcre_extra *, const char *, int, int, int, const char *);
#endif /* MOD_AUTH_OPENIDC_PCRE_SUBST_H_ */
......@@ -154,7 +154,7 @@ static int oidc_proto_delete_from_request(void* rec, const char* name,
const char* value) {
oidc_proto_copy_req_ctx_t *ctx = (oidc_proto_copy_req_ctx_t *) rec;
oidc_debug(ctx->r, "deleting from query paramters: name: %s, value: %s",
oidc_debug(ctx->r, "deleting from query parameters: name: %s, value: %s",
name, value);
if (oidc_proto_param_needs_action(ctx->request_object_config, name,
......@@ -649,7 +649,7 @@ int oidc_proto_authorization_request(request_rec *r,
rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
params);
} else {
} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
/* construct the full authorization request URL */
authorization_request = oidc_util_http_query_encoded_url(r,
......@@ -666,6 +666,10 @@ int oidc_proto_authorization_request(request_rec *r,
/* and tell Apache to return an HTTP Redirect (302) message */
rv = HTTP_MOVED_TEMPORARILY;
}
} else {
oidc_error(r, "provider->auth_request_method set to wrong value: %d",
provider->auth_request_method);
return HTTP_INTERNAL_SERVER_ERROR;
}
/* add a referred token binding request for the provider if enabled */
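Review bot: turning the unconditional else into `else if (... == OIDC_AUTH_REQUEST_METHOD_GET)` with a logged error and HTTP_INTERNAL_SERVER_ERROR for anything else is the right failure mode: the old code silently sent a GET for any value other than POST, including a provider struct that was never initialised, which is what #382 hit. Because the directive value is already validated by oidc_valid_auth_request_method at parse time, the only way to reach the new branch is a provider record that was not set up; the message could say "not set" rather than "wrong value" to point the operator at the metadata or dynamic-registration path instead of the config file.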
......
......@@ -97,7 +97,7 @@ int oidc_base64url_encode(request_rec *r, char **dst, const char *src,
enc_len--;
if ((enc_len > 0) && (enc[enc_len - 1] == ','))
enc_len--;
if ((enc_len > 0) &&(enc[enc_len - 1] == ','))
if ((enc_len > 0) && (enc[enc_len - 1] == ','))
enc_len--;
enc[enc_len] = '\0';
}
......@@ -320,9 +320,9 @@ char *oidc_util_unescape_string(const request_rec *r, const char *str) {
return NULL;
}
int counter = 0;
char *replaced = (char *)str;
while(str[counter] != '\0') {
if(str[counter] == '+') {
char *replaced = (char *) str;
while (str[counter] != '\0') {
if (str[counter] == '+') {
replaced[counter] = ' ';
}
counter++;
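Review bot: the reformat keeps a real problem in oidc_util_unescape_string: `char *replaced = (char *) str;` casts away const and the loop then writes ' ' over every '+' in the caller's buffer, so a function declared as taking `const char *str` mutates its argument in place. If str ever points at a string literal or at pool memory another reference still reads (the raw query string, for instance), that is a crash or a silent corruption of data used elsewhere. Copy first (`char *replaced = apr_pstrdup(r->pool, str);`) and operate on the copy; the extra allocation is negligible.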
......@@ -353,7 +353,7 @@ char *oidc_util_html_escape(apr_pool_t *pool, const char *s) {
for (i = 0; i < strlen(s); i++) {
for (n = 0; n < len; n++) {
if (s[i] == chars[n]) {
m = (unsigned int)strlen(replace[n]);
m = (unsigned int) strlen(replace[n]);
for (k = 0; k < m; k++)
r[j + k] = replace[n][k];
j += m;
......@@ -530,12 +530,13 @@ const char *oidc_get_redirect_uri_iss(request_rec *r, oidc_cfg *cfg,
const char *redirect_uri = oidc_get_redirect_uri(r, cfg);
if (provider->issuer_specific_redirect_uri != 0) {
redirect_uri = apr_psprintf(r->pool, "%s%s%s=%s", redirect_uri,
strchr(redirect_uri ? redirect_uri : "", OIDC_CHAR_QUERY) != NULL ?
OIDC_STR_AMP :
OIDC_STR_QUERY,
OIDC_PROTO_ISS, oidc_util_escape_string(r, provider->issuer));
// OIDC_PROTO_CLIENT_ID,
// oidc_util_escape_string(r, provider->client_id));
strchr(redirect_uri ? redirect_uri : "",
OIDC_CHAR_QUERY) != NULL ?
OIDC_STR_AMP :
OIDC_STR_QUERY,
OIDC_PROTO_ISS, oidc_util_escape_string(r, provider->issuer));
// OIDC_PROTO_CLIENT_ID,
// oidc_util_escape_string(r, provider->client_id));
oidc_debug(r, "determined issuer specific redirect uri: %s",
redirect_uri);
}
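Review bot: the two commented-out lines carrying OIDC_PROTO_CLIENT_ID are dead code that this reformat merely re-indents. Either delete them or replace them with a one-line comment explaining why client_id is deliberately not appended to the issuer-specific redirect URI, so nobody re-enables them without knowing the consequence.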
......@@ -1346,8 +1347,8 @@ int oidc_util_html_send(request_rec *r, const char *title,
on_load ? apr_psprintf(r->pool, " onload=\"%s()\"", on_load) : "",
html_body ? html_body : "<p></p>");
return oidc_util_http_send(r, html, strlen(html), OIDC_CONTENT_TYPE_HTML,
status_code);
return oidc_util_http_send(r, html, strlen(html),
OIDC_CONTENT_TYPE_TEXT_HTML, status_code);
}
static char *html_error_template_contents = NULL;
......@@ -1357,7 +1358,8 @@ static char *html_error_template_contents = NULL;
* that is relative to the Apache root directory
*/
char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename) {
return (abs_or_rel_filename) ? ap_server_root_relative(pool, abs_or_rel_filename) : NULL;
return (abs_or_rel_filename) ?
ap_server_root_relative(pool, abs_or_rel_filename) : NULL;
}
/*
......@@ -1389,7 +1391,7 @@ int oidc_util_html_send_error(request_rec *r, const char *html_template,
description ? description : ""));
return oidc_util_http_send(r, html, strlen(html),
OIDC_CONTENT_TYPE_HTML, status_code);
OIDC_CONTENT_TYPE_TEXT_HTML, status_code);
}
}
......@@ -1980,8 +1982,8 @@ void oidc_util_table_add_query_encoded_params(apr_pool_t *pool,
* create a symmetric key from a client_secret
*/
apr_byte_t oidc_util_create_symmetric_key(request_rec *r,
const char *client_secret, unsigned int r_key_len, const char *hash_algo,
apr_byte_t set_kid, oidc_jwk_t **jwk) {
const char *client_secret, unsigned int r_key_len,
const char *hash_algo, apr_byte_t set_kid, oidc_jwk_t **jwk) {
oidc_jose_error_t err;
unsigned char *key = NULL;
unsigned int key_len;
......@@ -2216,7 +2218,8 @@ static const char *oidc_util_hdr_in_get(const request_rec *r, const char *name)
return value;
}
static const char *oidc_util_hdr_in_get_left_most_only(const request_rec *r, const char *name, const char *separator) {
static const char *oidc_util_hdr_in_get_left_most_only(const request_rec *r,
const char *name, const char *separator) {
char *last = NULL;
const char *value = oidc_util_hdr_in_get(r, name);
if (value)
......@@ -2224,6 +2227,29 @@ static const char *oidc_util_hdr_in_get_left_most_only(const request_rec *r, con
return NULL;
}
static apr_byte_t oidc_util_hdr_in_contains(const request_rec *r,
const char *name, const char *separator, const char postfix_separator,
const char *needle) {
char *ctx = NULL, *elem = NULL;
const char *value = oidc_util_hdr_in_get(r, name);
apr_byte_t rc = FALSE;
if (value) {
elem = apr_strtok(apr_pstrdup(r->pool, value), separator, &ctx);
while (elem != NULL) {
while (*elem == OIDC_CHAR_SPACE)
elem++;
if ((strncmp(elem, needle, strlen(needle)) == 0)
&& ((elem[strlen(needle)] == '\0')
|| (elem[strlen(needle)] == postfix_separator))) {
rc = TRUE;
break;
}
elem = apr_strtok(NULL, separator, &ctx);
}
}
return rc;
}
static void oidc_util_hdr_table_set(const request_rec *r, apr_table_t *table,
const char *name, const char *value) {
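Review bot: oidc_util_hdr_in_contains is what the new Accept-header XHR auto-detection (#331) hangs off, so its matching rules should be written down. As coded it strips leading spaces from each comma-separated element but requires the media type to be followed immediately by '\0' or ';', so `text/html ;q=0.9` (whitespace before the parameter separator is permitted by RFC 7231) is not matched; it is also case-sensitive while media types are case-insensitive, so `Text/HTML` is missed too. Compute strlen(needle) once outside the loop, skip trailing whitespace before testing the postfix separator, and compare with strncasecmp. Since Accept is wholly client-controlled, it is fine for this to drive only the shape of the error response (503 versus redirect, per the changelog), never an authorization outcome; a comment saying so would prevent later misuse.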
......@@ -2288,7 +2314,8 @@ const char *oidc_util_hdr_in_user_agent_get(const request_rec *r) {
}
const char *oidc_util_hdr_in_x_forwarded_for_get(const request_rec *r) {
return oidc_util_hdr_in_get_left_most_only(r, OIDC_HTTP_HDR_X_FORWARDED_FOR, OIDC_STR_COMMA);
return oidc_util_hdr_in_get_left_most_only(r, OIDC_HTTP_HDR_X_FORWARDED_FOR,
OIDC_STR_COMMA);
}
const char *oidc_util_hdr_in_content_type_get(const request_rec *r) {
......@@ -2303,20 +2330,29 @@ const char *oidc_util_hdr_in_accept_get(const request_rec *r) {
return oidc_util_hdr_in_get(r, OIDC_HTTP_HDR_ACCEPT);
}
apr_byte_t oidc_util_hdr_in_accept_contains(const request_rec *r,
const char *needle) {
return oidc_util_hdr_in_contains(r, OIDC_HTTP_HDR_ACCEPT, OIDC_STR_COMMA,
OIDC_CHAR_SEMI_COLON, needle);
}
const char *oidc_util_hdr_in_authorization_get(const request_rec *r) {
return oidc_util_hdr_in_get(r, OIDC_HTTP_HDR_AUTHORIZATION);
}
const char *oidc_util_hdr_in_x_forwarded_proto_get(const request_rec *r) {
return oidc_util_hdr_in_get_left_most_only(r, OIDC_HTTP_HDR_X_FORWARDED_PROTO, OIDC_STR_COMMA);
return oidc_util_hdr_in_get_left_most_only(r,
OIDC_HTTP_HDR_X_FORWARDED_PROTO, OIDC_STR_COMMA);
}
const char *oidc_util_hdr_in_x_forwarded_port_get(const request_rec *r) {
return oidc_util_hdr_in_get_left_most_only(r, OIDC_HTTP_HDR_X_FORWARDED_PORT, OIDC_STR_COMMA);
return oidc_util_hdr_in_get_left_most_only(r,
OIDC_HTTP_HDR_X_FORWARDED_PORT, OIDC_STR_COMMA);
}
const char *oidc_util_hdr_in_x_forwarded_host_get(const request_rec *r) {
return oidc_util_hdr_in_get_left_most_only(r, OIDC_HTTP_HDR_X_FORWARDED_HOST, OIDC_STR_COMMA);
return oidc_util_hdr_in_get_left_most_only(r,
OIDC_HTTP_HDR_X_FORWARDED_HOST, OIDC_STR_COMMA);
}
const char *oidc_util_hdr_in_host_get(const request_rec *r) {
......