[Pkg-securepass-commits] [SCM] mod-authz-securepass/master: Imported Upstream version 0~20150105.gitda462d3
alessio at users.alioth.debian.org
alessio at users.alioth.debian.org
Fri Jun 5 16:12:55 UTC 2015
The following commit has been merged in the master branch:
commit 2bd8b864fbfc03aed5829a3a0c4ab296ac6f0eb1
Author: Alessio Treglia <alessio.treglia at smartodds.co.uk>
Date: Fri Jun 5 17:10:36 2015 +0100
Imported Upstream version 0~20150105.gitda462d3
diff --git a/INSTALL b/INSTALL
index dc3e080..02e5b35 100755
--- a/INSTALL
+++ b/INSTALL
@@ -18,21 +18,21 @@ For RedHat distro install apxs with
3)
Download the source from git from the stable branch:
- git clone https://github.com/gplll/mod_authz_securepass.git -b master
+ git clone https://github.com/garlsecurity/mod_authz_securepass.git -b master
cd mod_authz_securepass
4)
Compile the module and install it:
-debian distro:
- make install_debian
- a2enmod securepass
-
-redhat distro:
- make install_redhat
+make install
5)
-configure mod_auth_securepass using the following directives:
+In your Apache configuration, place the following line to load this module:
+
+LoadModule authz_securepass_module /path/to/mod_authz_securepass.so
+
+6)
+configure mod_authz_securepass using the following directives:
Valid Server/VirtualHost Directives
-----------------------------------
diff --git a/LICENSE b/LICENSE
index 5fff9ae..7eba5d8 100755
--- a/LICENSE
+++ b/LICENSE
@@ -1,3 +1,29 @@
+Files jsmn.c, jsmn.h are licensed under the MIT License
+
+The remaining files are licensed under the GNU GENERAL PUBLIC LICENSE
+
+==========================================================================
+MIT LICENSE
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+==========================================================================
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
diff --git a/Makefile b/Makefile
old mode 100755
new mode 100644
index 1ddb5d5..ee3e7b6
--- a/Makefile
+++ b/Makefile
@@ -3,24 +3,36 @@
##
+ifneq ($(shell which apxs2 2>/dev/null),)
+APXS_PATH = apxs2
+else
+APXS_PATH = apxs
+endif
+# Note that gcc flags are passed through apxs, so preface with -Wc
+MY_LDFLAGS=-lcurl
+MY_CFLAGS=-Wc,-I. -Wc,-Wall
+SRCS=mod_authz_securepass.c jsmn.c
+HDRS=jsmn.h
+BUILDDIR := build
+.SUFFIXES: .c .o .la
-install_debian: mod_authz_securepass.c jsmn.c
- apxs2 -c -l curl mod_authz_securepass.c jsmn.c
- #apxs2 -i -a mod_authz_securepass.la
- install -m 644 .libs/mod_authz_securepass.so /usr/lib/apache2/modules/
- install -m 644 securepass.load /etc/apache2/mods-available
+all: build/.libs/mod_authz_securepass.so
+.PHONY: builddir
+builddir: build
-install_redhat: mod_authz_securepass.c
- apxs -c -l curl mod_authz_securepass.c jsmn.c
- apxs -i -a mod_authz_securepass.la
- #echo "LoadModule authz_securepass_module /etc/httpd/modules/mod_authz_securepass.so" > /etc/httpd/conf.d/mod_authz_securepass.conf
+$(BUILDDIR):
+ @mkdir -p $@
+
+$(BUILDDIR)/.libs/mod_authz_securepass.so: $(SRCS) $(HDRS) | $(BUILDDIR)
+ @cd $(BUILDDIR) && for file in $(SRCS) $(HDRS) ; do ln -sf ../$$file . ; done
+ @cd $(BUILDDIR) && $(APXS_PATH) $(MY_LDFLAGS) $(MY_CFLAGS) -c $(subst src/,,$(SRCS))
+
+install: all
+ $(APXS_PATH) -i $(BUILDDIR)/mod_authz_securepass.la
-
clean:
- rm -rf .libs
- rm -rf mod_authz_securepass.lo mod_authz_securepass.la mod_authz_securepass.slo mod_authz_securepass.o
- rm -rf jsmn.lo jsmn.la jsmn.slo jsmn.o
+ -rm -rf $(BUILDDIR)
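Review bot: `all` and `builddir` name the literal `build` directory while every other rule uses `$(BUILDDIR)`, so overriding `BUILDDIR` leaves `all` with no matching rule; write `all: $(BUILDDIR)/.libs/mod_authz_securepass.so` and `builddir: $(BUILDDIR)`. Only `builddir` is declared phony, so a stray file named `all`, `install` or `clean` in the source tree would silently disable that target; `.PHONY: all install clean builddir` covers them. The symlink loop assumes `$(BUILDDIR)` sits exactly one level below the sources (`../$$file`) and, because its commands are joined with `;`, only the last `ln` failure stops the build. Since `install` depends on `all`, running `make install` as root on a clean tree presumably compiles as root as well, which the INSTALL text could warn about.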
diff --git a/README.md b/README.md
index 7323e8c..dcf5fd3 100755
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
Apache authorization module for SecurePass
==========================================
-This is an Apache (2.2) module for authorizing SecurePass users.
+This is an Apache (2.2 and 2.4) module for authorizing SecurePass users.
SecurePass provides web single sign-on through the CAS protocol.
This module enhances the Apache authorization features by introducing two rules to restrict access
@@ -30,4 +30,4 @@ bitbucket.org/zserge/jsmn under the MIT license.
Author
===========================================
-gplll1818 at gmail.com, Jun 2014
+gplll1818 at gmail.com, Jun 2014 - Jan 2015
diff --git a/securepass.load b/authz_securepass.load
similarity index 100%
rename from securepass.load
rename to authz_securepass.load
diff --git a/jsmn.c b/jsmn.c
index 5638139..491de5e 100644
--- a/jsmn.c
+++ b/jsmn.c
@@ -1,3 +1,25 @@
+/*
+* Copyright (c) 2010 Serge A. Zaitsev
+*
+* Permission is hereby granted, free of charge, to any person obtaining a copy
+* of this software and associated documentation files (the "Software"), to deal
+* in the Software without restriction, including without limitation the rights
+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+* copies of the Software, and to permit persons to whom the Software is
+* furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in
+* all copies or substantial portions of the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+* THE SOFTWARE.
+*/
+
#include <stdlib.h>
#include "jsmn.h"
diff --git a/jsmn.h b/jsmn.h
index c8f388c..15222f2 100644
--- a/jsmn.h
+++ b/jsmn.h
@@ -1,3 +1,25 @@
+/*
+* Copyright (c) 2010 Serge A. Zaitsev
+*
+* Permission is hereby granted, free of charge, to any person obtaining a copy
+* of this software and associated documentation files (the "Software"), to deal
+* in the Software without restriction, including without limitation the rights
+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+* copies of the Software, and to permit persons to whom the Software is
+* furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in
+* all copies or substantial portions of the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+* THE SOFTWARE.
+*/
+
#ifndef __JSMN_H_
#define __JSMN_H_
diff --git a/mod_authz_securepass.c b/mod_authz_securepass.c
index b8b4f21..3bfa10e 100755
--- a/mod_authz_securepass.c
+++ b/mod_authz_securepass.c
@@ -26,8 +26,6 @@
#include "curl/curl.h"
#include "jsmn.h"
-#define AUTHZ_GRANTED 1
-#define AUTHZ_DENIED 0
#define DEFAULT_GROUP_TMO 600
#define DEFAULT_CACHE_CLEAN_ITV 1800
#define ERR_LINE_LEN 80
@@ -569,9 +567,9 @@ static void *create_authz_securepass_server_config (apr_pool_t *pool, server_rec
static void *merge_authz_securepass_server_config (apr_pool_t *pool, void *BASE, void *ADD)
{
- sp_cfg *c = apr_pcalloc(pool, sizeof(sp_cfg));
- sp_cfg *base = BASE;
- sp_cfg *add = ADD;
+ sp_cfg *c = apr_pcalloc(pool, sizeof(sp_cfg));
+ sp_cfg *base = BASE;
+ sp_cfg *add = ADD;
c->check_group =(add->check_group != TRUE ? add->check_group : base->check_group);
c->debug =(add->debug != FALSE ? add->debug : base->debug);
@@ -761,6 +759,122 @@ static const command_rec authz_securepass_cmds[] =
{ NULL }
};
+#if (AP_SERVER_MINORVERSION_NUMBER == 4)
+static const char *sp_parse_config(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line) {
+ const char *expr_err = NULL;
+ ap_expr_info_t *expr;
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+ "SecurePass: entering sp_parse_config(), require_line=%s", require_line);
+ expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, &expr_err, NULL);
+ if (expr_err)
+ return (apr_pstrcat(cmd->temp_pool, "Cannot parse expression in require line: ", expr_err, NULL));
+ *parsed_require_line = expr;
+ return NULL;
+}
+
+static authz_status sprealm_check_authorization(request_rec *r,
+ const char *require_args,
+ const void *parsed_require_args) {
+
+ authz_securepass_dir_config_rec *dir= (authz_securepass_dir_config_rec *)
+ ap_get_module_config(r->per_dir_config, &authz_securepass_module);
+ sp_cfg *c = (sp_cfg *) ap_get_module_config(r->server->module_config, &authz_securepass_module);
+
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
+ const char *require;
+
+
+ if (c->debug) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SecurePass checking user %s, required_sprealms=%s",
+ r->user, require_args);
+ dump_config (r, dir, c);
+ }
+#if MYDEBUG
+ /* this is only used during module development to simulate CAS user */
+ if (dir->forced_user) {
+ if (!r->user) {
+ /* CAS has not been invoked yet */
+ return AUTHZ_DENIED_NO_USER;
+ }
+ else {
+ /* CAS has been invoked - substitute the user with MY user */
+ r->user = apr_pcalloc(r->pool, 100);
+ strcpy (r->user, dir->forced_user);
+ }
+ }
+#endif
+ if (!r->user) {
+ return AUTHZ_DENIED_NO_USER;
+ }
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "SecurePass: Can't evaluate expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+ if (c->debug) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SecurePass: require=%s", require);
+ }
+ if (check_securepass_realm (r, require)) {
+ /* a Realm has been found */
+ return AUTHZ_GRANTED;
+ } else {
+ return AUTHZ_DENIED;
+ }
+}
+
+static authz_status spgroup_check_authorization(request_rec *r,
+ const char *require_args,
+ const void *parsed_require_args) {
+
+ authz_securepass_dir_config_rec *dir= (authz_securepass_dir_config_rec *)
+ ap_get_module_config(r->per_dir_config, &authz_securepass_module);
+ sp_cfg *c = (sp_cfg *) ap_get_module_config(r->server->module_config, &authz_securepass_module);
+
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
+ const char *require;
+
+ if (c->debug) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SecurePass checking user %s, required_spgroups=%s",
+ r->user, require_args);
+ }
+#if MYDEBUG
+ /* this is only used during module development to simulate CAS user */
+ if (dir->forced_user) {
+ if (!r->user) {
+ /* CAS has not been invoked yet */
+ return AUTHZ_DENIED_NO_USER;
+ }
+ else {
+ /* CAS has been invoked - substitute the user with MY user */
+ r->user = apr_pcalloc(r->pool, 100);
+ strcpy (r->user, dir->forced_user);
+ }
+ }
+#endif
+ if (!r->user) {
+ return AUTHZ_DENIED_NO_USER;
+ }
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "SecurePass: Can't evaluate expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+ if (c->debug) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SecurePass: require=%s", require);
+ }
+ if (check_sp_group (r, require)) {
+ return AUTHZ_GRANTED;
+ } else {
+ return AUTHZ_DENIED;
+ }
+
+}
+
+#else // (AP_SERVER_MINORVERSION_NUMBER == 4)
static int authz_securepass_check_user_access(request_rec *r)
{
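Review bot: Both `#if MYDEBUG` blocks, in `sprealm_check_authorization` and `spgroup_check_authorization`, copy `dir->forced_user` with `strcpy` into a fixed 100-byte `apr_pcalloc` buffer, so a longer configured value overruns the pool allocation; `r->user = apr_pstrdup(r->pool, dir->forced_user);` sizes the copy to the string. Because that block replaces the authenticated user inside the authorization check, its comment should also state that MYDEBUG must never be defined in a packaged build. The guard `#if (AP_SERVER_MINORVERSION_NUMBER == 4)` used here, and again in the two later hunks of this file, matches only minor version 4 and ignores the major version, so any other release would compile the `#else` (2.2) branch; `#if AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER >= 4` is the wider test. The two check functions differ only in the helper they call (`check_securepass_realm` or `check_sp_group`) and in the `dump_config` call, so a shared static helper would keep future fixes in one place. `authz_securepass_check_user_access` at the end of the hunk continues outside it.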
@@ -846,6 +960,7 @@ static int authz_securepass_check_user_access(request_rec *r)
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
+#endif
static int authz_sp_post_config(apr_pool_t *pool, apr_pool_t *p1, apr_pool_t *p2, server_rec *s)
{
@@ -884,11 +999,37 @@ static int authz_sp_post_config(apr_pool_t *pool, apr_pool_t *p1, apr_pool_t *p2
return status;
}
+#if (AP_SERVER_MINORVERSION_NUMBER == 4)
+static const authz_provider authz_sprealm_provider =
+{
+ &sprealm_check_authorization,
+ &sp_parse_config,
+};
+
+static const authz_provider authz_spgroup_provider =
+{
+ &spgroup_check_authorization,
+ &sp_parse_config,
+};
+#endif
+
static void authz_securepass_register_hooks(apr_pool_t *p)
{
ap_hook_post_config(authz_sp_post_config, NULL, NULL, APR_HOOK_LAST);
+#if (AP_SERVER_MINORVERSION_NUMBER == 4)
+ /* Register authz providers */
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "sprealm",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_sprealm_provider,
+ AP_AUTH_INTERNAL_PER_CONF);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "spgroup",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_spgroup_provider,
+ AP_AUTH_INTERNAL_PER_CONF);
+#else
ap_hook_auth_checker(authz_securepass_check_user_access, NULL, NULL,
APR_HOOK_MIDDLE);
+#endif
}
module AP_MODULE_DECLARE_DATA authz_securepass_module = {
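Review bot: The `/* Register authz providers */` comment in `authz_securepass_register_hooks` does not say what the two names mean for an administrator; something like `/* 2.4: access is decided by "Require sprealm ..." and "Require spgroup ..."; the auth_checker hook in the #else branch is 2.2 only */` would document it. As visible here the 2.4 build installs no `ap_hook_auth_checker`, so a site carrying over a 2.2 configuration presumably has to switch to these `Require` forms, which is worth confirming and noting in INSTALL. The hunk starts inside `authz_sp_post_config` and ends on the module declaration, both of which continue outside it.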
diff --git a/mod_authz_securepass.conf b/mod_authz_securepass.conf
new file mode 100644
index 0000000..dbfdd4e
--- /dev/null
+++ b/mod_authz_securepass.conf
@@ -0,0 +1 @@
+LoadModule authz_securepass_module modules/mod_authz_securepass.so
diff --git a/mod_authz_securepass.spec b/mod_authz_securepass.spec
new file mode 100644
index 0000000..7e83e81
--- /dev/null
+++ b/mod_authz_securepass.spec
@@ -0,0 +1,57 @@
+%global commit 515f59a2731c0b9350a96f2fe4703e5d9e2c8903
+%global shortcommit %(c=%{commit}; echo ${c:0:7})
+
+Name: mod_authz_securepass
+Summary: Apache 2.0/2.2/2.4 compliant module that supports authorization via SecurePass
+
+Version: 1.1
+Release: 1
+
+Source0: https://github.com/garlsecurity/%{name}/archive/%{version}/%{name}-v%{version}.tar.gz
+URL: https://github.com/garlsecurity/mod_authz_securepass
+
+Group: System Environment/Daemons
+License: GPLv2+
+
+BuildRoot: %{_tmppath}/%{name}-root
+BuildRequires: libcurl-devel
+BuildRequires: httpd-devel
+
+Requires: libcurl
+
+%description
+mod_authz_securepass is an Apache module that supports authorization via SecurePass.
+
+SecurePass provides identity management and web single sign-on through the CAS protocol.
+
+%prep
+%setup -qn %{name}-%{version}
+
+%build
+make
+
+%install
+[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/httpd/modules/
+mkdir -p $RPM_BUILD_ROOT/etc/httpd/conf.d/
+
+install -m 755 build/.libs/mod_authz_securepass.so $RPM_BUILD_ROOT/%{_libdir}/httpd/modules/
+
+install mod_authz_securepass.conf $RPM_BUILD_ROOT/etc/httpd/conf.d/
+
+%clean
+[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
+
+
+%files
+%defattr(-,root,root,-)
+%doc LICENSE INSTALL README.md
+%{_libdir}/httpd/modules/*.so
+%config(noreplace) /etc/httpd/conf.d/*.conf
+
+%changelog
+* Tue Jan 5 2015 Giuseppe Paterno' (gpaterno at garl.ch)
+- Ported module to Apache 2.4
+
+* Fri Nov 7 2014 Giuseppe Paterno' (gpaterno at garl.ch)
+- First RPM of the SecurePass Apache authrization module
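Review bot: `install mod_authz_securepass.conf $RPM_BUILD_ROOT/etc/httpd/conf.d/` in `%install` passes no mode, so the configuration file gets install's default of 0755; `install -m 644 mod_authz_securepass.conf $RPM_BUILD_ROOT/etc/httpd/conf.d/` gives it the mode a config file needs. The `rm -rf $RPM_BUILD_ROOT` lines in `%install` and `%clean` leave the variable unquoted and guard only against `/`; `[ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"` is the safer form. `%global commit` and `shortcommit` are defined but `Source0` is built from `%{version}` alone, so the visible lines do not pin the build to that commit; a comment saying which one is authoritative would help anyone verifying the source archive.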
--
mod-authz-securepass packaging