Commit fd7f1d47 authored by Christoph Martin

Imported Upstream version 2.1.2

parent c420c2f3
......@@ -26,3 +26,8 @@ reporting bugs, providing fixes, suggesting useful features or other:
Ryan Kelly <https://github.com/rfk>
John R. Dennis <https://github.com/jdennis>
steve-dave <https://github.com/steve-dave>
glatzert <https://github.com/glatzert>
Amit Joshi <amitsharadjoshi@gmail.com>
Andy Curtis <https://github.com/asc1>
solsson <https://github.com/solsson>
drdivano <https://github.com/drdivano>
7/11/2016
11/19/2016
- release 2.1.2
11/18/2016
- fix crash when searching for keys with a kid, there's no initial match and x5t values exist for the non-matching keys; closes #196
11/9/2016
- remove stale claims from session when refreshing them from the userinfo endpoint fails; addresses #194
- release 2.1.1
11/8/2016
- log readable error messages when memcache operations fail
11/6/2016
- fix memory leak when skipping jwks_uri keys with a non-matching "use" value
11/4/2016
- always restore id_token/claims on sub-requests so e.g. listing claims-protected subdirectories will work
- remove obsolete functions for storing the session in the request state
- bump to 2.1.1rc0
11/3/2016
- remove obsolete sessions from session cache; thanks @stevedave
11/1/2016
- release version 2.1.0
10/28/2016
- don't include encryption keys from the jwks_uri when verifying a JWT and no kid has been specified
- fix memory leaks in composite claim handling
10/27/2016
- handle aggregated and distributed claims from the userinfo endpoint
- only pick private_key_jwt token endpoint authentication if a private key is configured; closes #189
- bump to 2.0.1rc7
10/24/2016
- add OpenID Connect RP certification test script
- handle non-integer exp/iat timestamps; closes #187; thanks @drdivano
10/21/2016
- bugfix: first truncate files before writing them
- support refreshing provider metadata based on timestamp and OIDCProviderMetadataRefreshInterval
10/20/2016
- bugfix: correctly truncate encryption keys derived from client secret for algorithms that require a key size < 256 bits
- add test/test-cmd tool
- bugfix: return error on session cache failures; closes #185; thanks @solsson
- bump to 2.0.1rc6
10/18/2016
- bugfix: JWTs with a header that doesn't specify a `kid` that would not validate when used with more than 1 key; closes #184; thanks @solsson
- bump to 2.0.1rc5
10/13/2016
- urlencode provider URL cache key to fix file cache backend issue; closes #179, thanks @djahandarie
10/9/2016
- fix null pointer segfault in debug printout in oidc_util_read_form_encoded_params
- fix OIDCOAuthAcceptTokenAs parsing flaw introduced in 2.0.0rc5
- bump to 2.0.1rc4
10/2/2016
- support presenting the access token to the userinfo endpoint in a POST parameter
- bump to 2.0.1rc3
9/30/2016
- support WebFinger Discovery with URL-style user identifiers
9/28/2016
- fix memory leak in oidc_jwk_to_json
- add "remove_at_cache" hook; addresses #177
- bump to 2.0.1rc2
9/27/2016
- add support for Request URI with signed and/or encrypted Request Objects
- bump to 2.0.1rc1
9/22/2016
- refuse webfinger responses with an href value that is not on secure https
- add userinfo JWT response verification and decryption
9/20/2016
- log the JWT header before optional decryption is applied
9/19/2016
- check that a sub claim returned from the userinfo endpoint matches the one in the id_token
- fix issue in oidc_metadata_parse_url so that static default would not be honored
- this only affected server-wide OIDCClientJwksUri usage in dynamic client registration
- non-functional changes for OIDC RP certification:
- explicitly log the client authentication method when calling the token endpoint
- log the keys that are included for token verification
- bump to 2.0.1rc0
9/9/2016
- fix overriding provider token endpoint auth with static config when not set in .conf file
- don't add our own cookies to the incoming headers
- allow stripping cookies from the Cookie header sent to the application/backend with OIDCStripCookies
- release 2.0.0
9/5/2016
- encapsulate (sub-)directory config handling and fix merging so values can be set back to default values in subdirs
- bump to 2.0.0rc5
9/2/2016
- fix JWK creation when no client secret is set e.g. in Implicit flows; closes #168; thanks @asc1
- bump to 2.0.0rc4
9/1/2016
- fix HTML decoding of OIDCPreservePost data; closes #165
- limit max POST data size to 1Mb
- allow chunked data in POST handling; revise handler
- change preserve POST JSON data format to urlencoded for performance reasons
8/31/2016
- allow setting the token endpoint authentication method in the .conf file (for dynamic client registration that sets the .client)
8/30/2016
- pass refresh token in header/environment variable with OIDCPassRefreshToken; thanks Amit Joshi
- fix front-channel img-style logout with newer versions of PingFederate that don't send an Accept: image/png header
8/29/2016
- preserve POST data across authentication requests and discovery with OIDCPreservePost
- bump to 2.0.0rc3
8/24/2016
- fix parsing of OIDCOAuthAcceptTokenAs to accept options following ":"
- bump to 2.0.0rc2
8/5/2016
- delete the debian directory
- rename OIDCOAuthTokenEndpointCert/Key to OIDCOAuthIntrospectionEndpointCert/Key
- pre-release 2.0.0rc1
7/30/2016
- encrypt state/session JWT cookies and session JWT cache values for non-shm storages
7/29/2016
- use cjose - https://github.com/cisco/cjose (master) - for JOSE functions
- use stricter input parsing functions for configuration values
- bump to 2.0.0rc0
7/21/2016
- support TLS client authentication to token and introspection endpoints
- bump to 1.9.0rc3
7/19/2016
- add support for chunked session cookies; closes #153; thanks @glatzert
- bump to 1.9.0rc2
7/9/2016
- fix Elliptic Curve signature verification for corrupted input
- release 1.8.10.1
- support OpenSSL 1.1.x
- bump to 1.9.0rc1
7/5/2016
- use AUTHZ_DENIED instead of HTTP_UNAUTHORIZED in oidc_authz_checker; closes #151; thanks @gwollman
- use signed JWTs for state/session cookies
- achieve smaller client-cookie sizes for regular cases; no id_token is stored in the session:
- (optional) id_token_hint no longer available in session management calls (logout/prompt=none) with "OIDCSessionType client-cookie"
- "OIDCPassIDTokenAs serialized" is not available with "OIDCSessionType client-cookie"
- bump to 1.9.0rc0
6/27/2016
- use EVP_CIPHER_CTX_new to avoid compilation errors with OpenSSL 1.1.0
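Review bot: the 9/1/2016 entry "limit max POST data size to 1Mb" uses a bit unit where a byte limit is almost certainly meant; write "1MB" (or the exact byte count) so the documented cap matches the one enforced in the POST preservation handler.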
......
If your looking for binary packages, please see:
https://github.com/pingidentity/mod_auth_openidc/wiki#8-where-can-i-get-binary-packages
Preferably you should use one of the pre-compiled binary packages, available for
various platforms, see:
https://github.com/pingidentity/mod_auth_openidc/wiki#11-where-can-i-get-binary-packages
and proceed with the Configuration section below.
If your platform is not supported or you want to run the latest code,
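Review bot: the retained opening line "If your looking for binary packages" keeps the typo "your" for "you're"; since this hunk already rewrites the paragraph (the wiki anchor moves from #8 to #11), fix the contraction in the same change: "If you're looking for binary packages, please see:".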
......@@ -11,6 +12,7 @@ Installation from source
You will require development headers and tools for the following
dependencies:
Apache (>=2.0)
cjose (>=0.4.1)
OpenSSL (>=0.9.8) (>=1.0.1 for Elliptic Curve support)
Curl (>=?)
Jansson (>=2.0) (JSON parser for C)
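Review bot: "Curl (>=?)" still ships a placeholder for the minimum version while the new "cjose (>=0.4.1)" line pins one; either fill in the lowest libcurl version the code is actually built and tested against, or drop the parenthetical, so the dependency list does not contain a question mark.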
......
JWT_SRC = \
src/jose/apr_jwt.c \
src/jose/apr_jwk.c \
src/jose/apr_jws.c \
src/jose/apr_jwe.c
JWT_HDRS = \
src/jose/apr_jose.h
# Source files. mod_auth_openidc.c must be the first file.
SRC=src/mod_auth_openidc.c \
src/cache/file.c \
......@@ -16,13 +6,13 @@ SRC=src/mod_auth_openidc.c \
src/cache/lock.c \
src/oauth.c \
src/proto.c \
src/crypto.c \
src/config.c \
src/util.c \
src/authz.c \
src/session.c \
src/metadata.c \
$(JWT_SRC)
src/jose.c \
src/parse.c
ifeq (@HAVE_LIBHIREDIS@, 1)
SRC += \
......@@ -34,12 +24,15 @@ endif
HDRS = \
$(JWT_HDRS) \
src/mod_auth_openidc.h \
src/jose.h \
src/parse.h \
src/cache/cache.h
# Files to include when making a .tar.gz-file for distribution
DISTFILES=$(SRC) \
$(HDRS) \
test/test.c \
test/test-cmd.c \
test/stub.c \
configure \
configure.ac \
......@@ -55,8 +48,8 @@ DISTFILES=$(SRC) \
all: src/mod_auth_openidc.la
CFLAGS=@OPENSSL_CFLAGS@ @CURL_CFLAGS@ @JANSSON_CFLAGS@ @PCRE_CFLAGS@ $(REDIS_CFLAGS)
LIBS=@OPENSSL_LIBS@ @CURL_LIBS@ @JANSSON_LIBS@ @PCRE_LIBS@ $(REDIS_LIBS)
CFLAGS=@OPENSSL_CFLAGS@ @CURL_CFLAGS@ @JANSSON_CFLAGS@ @CJOSE_CFLAGS@ @PCRE_CFLAGS@ $(REDIS_CFLAGS)
LIBS=@OPENSSL_LIBS@ @CURL_LIBS@ @JANSSON_LIBS@ @CJOSE_LIBS@ @PCRE_LIBS@ $(REDIS_LIBS)
src/mod_auth_openidc.la: $(SRC) $(HDRS)
@APXS2@ @APXS2_OPTS@ -Wc,"-DNAMEVER=\"@NAMEVER@\" $(CFLAGS)" -Wl,"$(LIBS)" -Wc,-Wall -Wc,-g -c $(SRC)
......@@ -67,10 +60,10 @@ configure: configure.ac
@NAMEVER@.tar.gz: $(DISTFILES)
tar -c --transform="s#^#@NAMEVER@/#" -vzf $@ $(DISTFILES)
test/test: test/*.c src/mod_auth_openidc.la
@APXS2@ @APXS2_OPTS@ $(CFLAGS) -Wl,"$(LIBS)" -Isrc -Wc,-Wall -Wc,-g -c -o $@ test/*.c $(SRC:.c=.lo) @APR_LIBS@
test/test test/test-cmd: test/test.c test/stub.c src/mod_auth_openidc.la
@APXS2@ @APXS2_OPTS@ $(CFLAGS) -Wl,"$(LIBS)" -Isrc -Wc,-Wall -Wc,-g -c -o $@ $@.c test/stub.c $(SRC:.c=.lo) @APR_LIBS@
test-compile: test/test
test-compile: test/test test/test-cmd
test: test-compile
test/test
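Review bot: the prerequisite list of the new rule "test/test test/test-cmd: test/test.c test/stub.c src/mod_auth_openidc.la" does not mention test/test-cmd.c even though the recipe compiles "$@.c", so editing test-cmd.c will not trigger a rebuild of test/test-cmd, and test/test is rebuilt whenever test.c changes even when only test-cmd is wanted. A static pattern rule gives each binary its own source as a dependency, e.g. "test/test test/test-cmd: %: %.c test/stub.c src/mod_auth_openidc.la"; the Makefile already relies on GNU make (ifeq), so this is available.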
......@@ -85,11 +78,11 @@ distfile: @NAMEVER@.tar.gz
.PHONY: clean
clean:
rm -f src/mod_auth_openidc.la
rm -f src/*.o src/cache/*.o src/jose/*.o test/*.o
rm -f src/*.lo src/cache/*.lo src/jose/*.lo test/*.lo
rm -f src/*.slo src/cache/*.slo src/jose/*.slo test/*.slo
rm -rf src/.libs/ src/cache/.libs/ src/jose/.libs/ test/.libs
rm -rf test/test
rm -f src/*.o src/cache/*.o test/*.o
rm -f src/*.lo src/cache/*.lo test/*.lo
rm -f src/*.slo src/cache/*.slo test/*.slo
rm -rf src/.libs/ src/cache/.libs/ test/.libs
rm -rf test/test test/test-cmd
.PHONY: distclean
distclean: clean
......
[![Build Status](https://travis-ci.org/pingidentity/mod_auth_openidc.svg?branch=master)](https://travis-ci.org/pingidentity/mod_auth_openidc)
mod_auth_openidc
================
......@@ -171,8 +173,11 @@ Entries that can be included in the .conf file are:
"userinfo_encrypted_response_enc" overrides OIDCUserInfoEncryptedResponseEnc
"auth_request_params" overrides OIDCAuthRequestParams
"token_endpoint_params" overrides OIDCProviderTokenEndpointParams
"token_endpoint_auth" overrides OIDCProviderTokenEndpointAuth
"registration_endpoint_json" overrides OIDCProviderRegistrationEndpointJson
"userinfo_refresh_interval" overrides OIDCUserInfoRefreshInterval
"userinfo_token_method" overrides OIDCUserInfoTokenMethod
"request_object" overrides OIDCRequestObject
"registration_token" an access_token that will be used on client registration calls for the associated OP
Sample client metadata for issuer `https://localhost:9031`, so the **mod_auth_openidc**
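Review bot: the new "registration_token" entry puts a bearer access_token for the OP's registration endpoint into the provider .conf file, but the surrounding text only describes the other entries as overrides. Add a sentence saying that this value is a credential and that the .conf file therefore needs the same file-permission care as the client secret, so operators do not leave it world-readable.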
......@@ -199,12 +204,10 @@ OIDCCryptoPassphrase <password>
If you do not want to use the internal discovery page (you really shouldn't...), you
can have the user being redirected to an external discovery page by setting
`OIDCDiscoverURL`. That URL will be accessed with 2 parameters, `oidc_callback` and
`target_link_uri` (both URLs). The `target_link_uri` parameter value needs to be returned to the
`oidc_callback` URL (again in the `target_link_uri parameter`) together with an
`iss` parameter that contains the URL-encoded issuer value of the
selected Provider, or a URL-encoded account name for OpenID Connect Discovery
purposes (aka. e-mail style identifier), or a domain name.
`OIDCDiscoverURL`. That URL will be accessed with a number parameters: `oidc_callback`, `target_link_uri`,
`method` and `x_csrf`. All parameters (except `oidc_callback`) need to be returned to the `oidc_callback` URL
together with an `iss` parameter that contains the URL-encoded issuer value of the selected Provider, or a
URL-encoded account name for OpenID Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
Sample callback:
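Review bot: "accessed with a number parameters" is missing "of" ("a number of parameters"). More importantly, the new "x_csrf" parameter is listed but never explained: the text says all parameters except "oidc_callback" must be returned, but not what "x_csrf" is for (from its name, a CSRF token binding the discovery round trip to the session that started it) or what the module does when the callback omits or alters it. Spell that out here, otherwise integrators of an external discovery page will treat it as optional.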
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 1.8.10.1.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.2.
#
# Report bugs to <hzandbelt@pingidentity.com>.
#
......@@ -579,8 +579,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
PACKAGE_VERSION='1.8.10.1'
PACKAGE_STRING='mod_auth_openidc 1.8.10.1'
PACKAGE_VERSION='2.1.2'
PACKAGE_STRING='mod_auth_openidc 2.1.2'
PACKAGE_BUGREPORT='hzandbelt@pingidentity.com'
PACKAGE_URL=''
......@@ -591,6 +591,8 @@ HIREDIS_LIBS
HIREDIS_CFLAGS
PCRE_LIBS
PCRE_CFLAGS
CJOSE_LIBS
CJOSE_CFLAGS
JANSSON_LIBS
JANSSON_CFLAGS
APR_LIBS
......@@ -624,6 +626,7 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
......@@ -664,6 +667,8 @@ APR_CFLAGS
APR_LIBS
JANSSON_CFLAGS
JANSSON_LIBS
CJOSE_CFLAGS
CJOSE_LIBS
PCRE_CFLAGS
PCRE_LIBS
HIREDIS_CFLAGS
......@@ -706,6 +711,7 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
......@@ -958,6 +964,15 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
......@@ -1095,7 +1110,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir
libdir localedir mandir runstatedir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
......@@ -1208,7 +1223,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures mod_auth_openidc 1.8.10.1 to adapt to many kinds of systems.
\`configure' configures mod_auth_openidc 2.1.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1248,6 +1263,7 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
......@@ -1270,7 +1286,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of mod_auth_openidc 1.8.10.1:";;
short | recursive ) echo "Configuration of mod_auth_openidc 2.1.2:";;
esac
cat <<\_ACEOF
......@@ -1299,6 +1315,9 @@ Some influential environment variables:
C compiler flags for JANSSON, overriding pkg-config
JANSSON_LIBS
linker flags for JANSSON, overriding pkg-config
CJOSE_CFLAGS
C compiler flags for CJOSE, overriding pkg-config
CJOSE_LIBS linker flags for CJOSE, overriding pkg-config
PCRE_CFLAGS C compiler flags for PCRE, overriding pkg-config
PCRE_LIBS linker flags for PCRE, overriding pkg-config
HIREDIS_CFLAGS
......@@ -1372,7 +1391,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
mod_auth_openidc configure 1.8.10.1
mod_auth_openidc configure 2.1.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1389,7 +1408,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by mod_auth_openidc $as_me 1.8.10.1, which was
It was created by mod_auth_openidc $as_me 2.1.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -1738,7 +1757,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
NAMEVER=mod_auth_openidc-1.8.10.1
NAMEVER=mod_auth_openidc-2.1.2
# This section defines the --with-apxs2 option.
......@@ -2361,6 +2380,101 @@ fi
# cjose
pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CJOSE" >&5
$as_echo_n "checking for CJOSE... " >&6; }
if test -n "$CJOSE_CFLAGS"; then
pkg_cv_CJOSE_CFLAGS="$CJOSE_CFLAGS"
elif test -n "$PKG_CONFIG"; then
if test -n "$PKG_CONFIG" && \
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cjose\""; } >&5
($PKG_CONFIG --exists --print-errors "cjose") 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_CJOSE_CFLAGS=`$PKG_CONFIG --cflags "cjose" 2>/dev/null`
test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
else
pkg_failed=untried
fi
if test -n "$CJOSE_LIBS"; then
pkg_cv_CJOSE_LIBS="$CJOSE_LIBS"
elif test -n "$PKG_CONFIG"; then
if test -n "$PKG_CONFIG" && \
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cjose\""; } >&5
($PKG_CONFIG --exists --print-errors "cjose") 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_CJOSE_LIBS=`$PKG_CONFIG --libs "cjose" 2>/dev/null`
test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
else
pkg_failed=untried
fi
if test $pkg_failed = yes; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
_pkg_short_errors_supported=yes
else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
CJOSE_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "cjose" 2>&1`
else
CJOSE_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "cjose" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$CJOSE_PKG_ERRORS" >&5
as_fn_error $? "Package requirements (cjose) were not met:
$CJOSE_PKG_ERRORS
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables CJOSE_CFLAGS
and CJOSE_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details." "$LINENO" 5
elif test $pkg_failed = untried; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.
Alternatively, you may set the environment variables CJOSE_CFLAGS
and CJOSE_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
See \`config.log' for more details" "$LINENO" 5; }
else
CJOSE_CFLAGS=$pkg_cv_CJOSE_CFLAGS
CJOSE_LIBS=$pkg_cv_CJOSE_LIBS
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
fi
# PCRE
pkg_failed=no
......@@ -3162,7 +3276,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by mod_auth_openidc $as_me 1.8.10.1, which was
This file was extended by mod_auth_openidc $as_me 2.1.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -3215,7 +3329,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
mod_auth_openidc config.status 1.8.10.1
mod_auth_openidc config.status 2.1.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......
AC_INIT([mod_auth_openidc],[1.8.10.1],[hzandbelt@pingidentity.com])
AC_INIT([mod_auth_openidc],[2.1.2],[hzandbelt@pingidentity.com])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
......@@ -62,6 +62,11 @@ PKG_CHECK_MODULES(JANSSON, jansson)
AC_SUBST(JANSSON_CFLAGS)
AC_SUBST(JANSSON_LIBS)
# cjose
PKG_CHECK_MODULES(CJOSE, cjose)
AC_SUBST(CJOSE_CFLAGS)
AC_SUBST(CJOSE_LIBS)
# PCRE
PKG_CHECK_MODULES(PCRE, libpcre)
AC_SUBST(PCRE_CFLAGS)
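Review bot: "PKG_CHECK_MODULES(CJOSE, cjose)" accepts any installed cjose, but INSTALL in this same commit documents cjose (>=0.4.1); pass the constraint to pkg-config, "PKG_CHECK_MODULES(CJOSE, cjose >= 0.4.1)", and regenerate configure, so the build fails early with a clear message on an older library instead of failing at compile or link time.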
......
......@@ -53,6 +53,8 @@
#ifndef _MOD_AUTH_OPENIDC_CACHE_H_
#define _MOD_AUTH_OPENIDC_CACHE_H_
#include "apr_global_mutex.h"
typedef void * (*oidc_cache_cfg_create)(apr_pool_t *pool);
typedef int (*oidc_cache_post_config_function)(server_rec *s);
typedef int (*oidc_cache_child_init_function)(apr_pool_t *p, server_rec *s);
......@@ -64,6 +66,7 @@ typedef apr_byte_t (*oidc_cache_set_function)(request_rec *r,
typedef int (*oidc_cache_destroy_function)(server_rec *s);
typedef struct oidc_cache_t {
apr_byte_t secure;
oidc_cache_cfg_create create_config;
oidc_cache_post_config_function post_config;
oidc_cache_child_init_function child_init;
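Review bot: inserting "create_config" as the second member of oidc_cache_t shifts every later function pointer for the positional initializers used by the backends (file.c passes NULL in this slot, memcache/redis/shm pass their cfg_create functions). All in-tree backends are updated in this commit, but any out-of-tree backend compiled against the new header would silently have its post_config assigned to create_config and its child_init to post_config. Switching the backend definitions to designated initializers (".create_config = ..., .post_config = ...") makes this and future layout changes safe.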
......
......@@ -412,8 +412,8 @@ static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
}
/* try to open the cache file for writing, creating it if it does not exist */
if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE),
APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_TRUNCATE),
APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
oidc_error(r, "cache file \"%s\" could not be opened (%s)", path,
apr_strerror(rc, s_err, sizeof(s_err)));
return FALSE;
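Review bot: adding APR_FOPEN_TRUNCATE is the right fix; without it, writing a value shorter than the previous entry left the tail of the old content at the end of the cache file, which is exactly the "first truncate files before writing them" bug from the ChangeLog. The comment above the call, "try to open the cache file for writing, creating it if it does not exist", should now also mention that the file is truncated, since the non-truncating behaviour was the defect.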
......@@ -452,6 +452,7 @@ static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
}
oidc_cache_t oidc_cache_file = {
1,
NULL,
oidc_cache_file_post_config,
NULL,
......
......@@ -61,8 +61,6 @@
#include "../mod_auth_openidc.h"
// TODO: proper memcache error reporting (server unreachable etc.)
extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
typedef struct oidc_cache_cfg_memcache_t {
......@@ -168,6 +166,20 @@ static int oidc_cache_memcache_post_config(server_rec *s) {
return OK;
}
#define OIDC_CACHE_MEMCACHE_STATUS_ERR_SIZE 64
/*
* printout readable error messages about memcache failures
*/
static void oidc_cache_memcache_log_status_error(request_rec *r, const char *s,
apr_status_t rv) {
char s_err[OIDC_CACHE_MEMCACHE_STATUS_ERR_SIZE];
apr_strerror(rv, s_err, OIDC_CACHE_MEMCACHE_STATUS_ERR_SIZE);
oidc_error(r,
"%s returned an error: [%s]; check your that your memcache server is available/accessible.",
s, s_err);
}
/*
* assemble single key name based on section/key input
*/
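Review bot: the message in oidc_cache_memcache_log_status_error reads "check your that your memcache server is available/accessible."; drop the stray "your" ("check that your memcache server is available/accessible."). Also, the buffer size is repeated as the literal OIDC_CACHE_MEMCACHE_STATUS_ERR_SIZE in both the array declaration and the apr_strerror call; passing sizeof(s_err) keeps the two in sync, as file.c already does with "apr_strerror(rc, s_err, sizeof(s_err))".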
......@@ -201,8 +213,7 @@ static apr_byte_t oidc_cache_memcache_get(request_rec *r, const char *section,
oidc_cache_memcache_get_key(r->pool, section, key));
return FALSE;
} else if (rv != APR_SUCCESS) {
// TODO: error strings ?
oidc_error(r, "apr_memcache_getp returned an error; perhaps your memcache server is not available?");
oidc_cache_memcache_log_status_error(r, "apr_memcache_getp", rv);
return FALSE;
}
......@@ -242,9 +253,7 @@ static apr_byte_t oidc_cache_memcache_set(request_rec *r, const char *section,
oidc_debug(r, "apr_memcache_delete: key %s not found in cache",
oidc_cache_memcache_get_key(r->pool, section, key));
} else if (rv != APR_SUCCESS) {
// TODO: error strings ?
oidc_error(r,
"apr_memcache_delete returned an error; perhaps your memcache server is not available?");
oidc_cache_memcache_log_status_error(r, "apr_memcache_delete", rv);
}
} else {
......@@ -257,9 +266,8 @@ static apr_byte_t oidc_cache_memcache_set(request_rec *r, const char *section,
oidc_cache_memcache_get_key(r->pool, section, key),
(char *) value, strlen(value), timeout, 0);
// TODO: error strings ?
if (rv != APR_SUCCESS) {
oidc_error(r, "apr_memcache_set returned an error; perhaps your memcache server is not available?");
oidc_cache_memcache_log_status_error(r, "apr_memcache_set", rv);
}
}
......@@ -267,6 +275,7 @@ static apr_byte_t oidc_cache_memcache_set(request_rec *r, const char *section,
}
oidc_cache_t oidc_cache_memcache = {
1,
oidc_cache_memcache_cfg_create,
oidc_cache_memcache_post_config,
NULL,
......
......@@ -374,6 +374,7 @@ static int oidc_cache_redis_destroy(server_rec *s) {
}
oidc_cache_t oidc_cache_redis = {
1,
oidc_cache_redis_cfg_create,
oidc_cache_redis_post_config,
oidc_cache_redis_child_init,
......
......@@ -55,6 +55,8 @@
#include <http_config.h>
#include <http_log.h>
#include "apr_shm.h"
#include "../mod_auth_openidc.h"
extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
......@@ -334,6 +336,7 @@ static int oidc_cache_shm_destroy(server_rec *s) {
}
oidc_cache_t oidc_cache_shm = {
0,
oidc_cache_shm_cfg_create,
oidc_cache_shm_post_config,
oidc_cache_shm_child_init,
......
......@@ -84,6 +84,14 @@ AP_DECLARE(void) ap_log_error_(const char *file, int line, int module_index, int
AP_DECLARE(void) ap_log_error(const char *file, int line, int level,
apr_status_t status, const server_rec *s, const char *fmt, ...) {
#endif
if (level < APLOG_DEBUG) {
fprintf(stderr, "%s:%d [%d] [%d] ", file, line, level, status);
va_list ap;
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
fprintf(stderr, "\n");
}
}
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
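Review bot: the stub prints "status" as a bare integer ("[%d]"), which is hard to interpret in test output; since this same commit introduces apr_strerror-based messages in memcache.c, do the same here and print apr_strerror(status, buf, sizeof(buf)) when status != APR_SUCCESS. A one-line comment saying that "level < APLOG_DEBUG" intentionally drops debug-level messages from the test output would also help the next person who wonders why debug logging is silent under test.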
......