const char *readparamsvr(cmd_parms *cmd, void *cfg, const char *value) {
	mod_server_cfg *c = (mod_server_cfg*)cfg;
	int i;

	if(0 == apr_strnatcmp(cmd->directive->directive, STS_TIMEOUT)) {
		i = atoi(value);
		if(i >= 0) {
			c->stsTimeout = (unsigned int)i;
		}
		else {
			return apr_psprintf(cmd->pool, "MOD_SECURE_HEADERS: Invalid %s (%s) specified -- Must be 0 or greater", STS_TIMEOUT, value);
		}
	}
	else if(0 == apr_strnatcmp(cmd->directive->directive, STS_SUBDOMAINS)) {
		if(0 == apr_strnatcasecmp(value, "On")) {
			c->includeSubDomains = TRUE;
		}
		else if(0 == apr_strnatcasecmp(value, "Off")) {
			c->includeSubDomains = FALSE;
		}
		else {
			return apr_psprintf(cmd->pool, "MOD_SECURE_HEADERS: Invalid argument to %s - must be 'On' or 'Off'", STS_SUBDOMAINS);
		}
	}
	else {
		return apr_psprintf(cmd->pool, "MOD_SECURE_HEADERS: Invalid server directive '%s'", cmd->directive->directive);
	}

	return NULL;
}
示例#2
0
/*
 * parse the cache backend type
 */
const char *oidc_parse_cache_type(apr_pool_t *pool, const char *arg,
		oidc_cache_t **type) {
	static char *options[] = {
			OIDC_CACHE_TYPE_SHM,
			OIDC_CACHE_TYPE_MEMCACHE,
#ifdef USE_LIBHIREDIS
			OIDC_CACHE_TYPE_REDIS,
#endif
			OIDC_CACHE_TYPE_FILE,
			NULL };
	const char *rv = oidc_valid_string_option(pool, arg, options);
	if (rv != NULL)
		return rv;

	if (apr_strnatcmp(arg, OIDC_CACHE_TYPE_SHM) == 0) {
		*type = &oidc_cache_shm;
	} else if (apr_strnatcmp(arg, OIDC_CACHE_TYPE_MEMCACHE) == 0) {
		*type = &oidc_cache_memcache;
	} else if (apr_strnatcmp(arg, OIDC_CACHE_TYPE_FILE) == 0) {
		*type = &oidc_cache_file;
#ifdef USE_LIBHIREDIS
	} else if (apr_strnatcmp(arg, OIDC_CACHE_TYPE_REDIS) == 0) {
		*type = &oidc_cache_redis;
#endif
	}

	return NULL;
}
示例#3
0
/*
 * parse a URL according to one of two schemes (NULL for any)
 */
static const char * oidc_valid_url_scheme(apr_pool_t *pool, const char *arg,
		const char *scheme1, const char *scheme2) {

	apr_uri_t uri;

	if (apr_uri_parse(pool, arg, &uri) != APR_SUCCESS) {
		return apr_psprintf(pool, "'%s' cannot be parsed as a URL", arg);
	}

	if (uri.scheme == NULL) {
		return apr_psprintf(pool,
				"'%s' cannot be parsed as a URL (no scheme set)", arg);
	}

	if ((scheme1 != NULL) && (apr_strnatcmp(uri.scheme, scheme1) != 0)) {
		if ((scheme2 != NULL) && (apr_strnatcmp(uri.scheme, scheme2) != 0)) {
			return apr_psprintf(pool,
					"'%s' cannot be parsed as a \"%s\" or \"%s\" URL (scheme == %s)!",
					arg, scheme1, scheme2, uri.scheme);
		} else if (scheme2 == NULL) {
			return apr_psprintf(pool,
					"'%s' cannot be parsed as a \"%s\" URL (scheme == %s)!",
					arg, scheme1, uri.scheme);
		}
	}

	if (uri.hostname == NULL) {
		return apr_psprintf(pool,
				"'%s' cannot be parsed as a valid URL (no hostname set, check your slashes)",
				arg);
	}

	return NULL;
}
示例#4
0
/*
 * parse the session mechanism type and the cookie persistency property
 */
const char *oidc_parse_session_type(apr_pool_t *pool, const char *arg,
		int *type, int *persistent) {
	static char *options[] = {
			OIDC_SESSION_TYPE_SERVER_CACHE_STR,
			OIDC_SESSION_TYPE_SERVER_CACHE_STR OIDC_SESSION_TYPE_SEPARATOR OIDC_SESSION_TYPE_PERSISTENT,
			OIDC_SESSION_TYPE_CLIENT_COOKIE_STR,
			OIDC_SESSION_TYPE_CLIENT_COOKIE_STR OIDC_SESSION_TYPE_SEPARATOR OIDC_SESSION_TYPE_PERSISTENT,
			NULL };
	const char *rv = oidc_valid_string_option(pool, arg, options);
	if (rv != NULL)
		return rv;

	char *s = apr_pstrdup(pool, arg);
	char *p = strstr(s, OIDC_SESSION_TYPE_SEPARATOR);

	if (p) {
		*persistent = 1;
		*p = '\0';
	}

	if (apr_strnatcmp(s, OIDC_SESSION_TYPE_SERVER_CACHE_STR) == 0) {
		*type = OIDC_SESSION_TYPE_SERVER_CACHE;
	} else if (apr_strnatcmp(s, OIDC_SESSION_TYPE_CLIENT_COOKIE_STR) == 0) {
		*type = OIDC_SESSION_TYPE_CLIENT_COOKIE;
	}
	return NULL;
}
/*
 * Builds the session cookie from the given session ID and configuration.
 */
char *
build_cookie(request_rec *r, mod_but_server_t *config, char *sid)
{
	char *cookie = NULL;
	const char *cookiename = config->cookie_name;
	const char *domain = "";
	const char *path = "";
	const char *secure = "";
	const char *httponly = "";
	const char *expiration = "";

	if (apr_strnatcmp(config->cookie_domain, "")) {
		domain = apr_psprintf(r->pool, "domain=%s; ", config->cookie_domain);
	}

	if (apr_strnatcmp(config->cookie_path, "")) {
		path = apr_psprintf(r->pool, "path=%s; ", config->cookie_path);
	}

	if (config->cookie_secure == 1) {
		secure = "secure; ";
	}

	if (config->cookie_httponly == 1) {
		httponly = "HttpOnly";
	}

	if (apr_strnatcmp(config->cookie_expiration, "")) {
		expiration = apr_psprintf(r->pool, "expires=%s; ", config->cookie_expiration);
	}

	cookie = apr_psprintf(r->pool, "%s=%s; %s%s%s%s%s", cookiename, sid, domain, path, expiration, secure, httponly);
	ERRLOG_INFO("Built cookie string [%s]", cookie);
	return cookie;
}
示例#6
0
/*
 * parse a "set claims as" value from the provided string
 */
const char *oidc_parse_set_claims_as(apr_pool_t *pool, const char *arg,
		int *in_headers, int *in_env_vars) {
	static char *options[] = {
			OIDC_PASS_CLAIMS_AS_BOTH,
			OIDC_PASS_CLAIMS_AS_HEADERS,
			OIDC_PASS_CLAIMS_AS_ENV,
			OIDC_PASS_CLAIMS_AS_NONE,
			NULL };
	const char *rv = oidc_valid_string_option(pool, arg, options);
	if (rv != NULL)
		return rv;

	if (apr_strnatcmp(arg, OIDC_PASS_CLAIMS_AS_BOTH) == 0) {
		*in_headers = 1;
		*in_env_vars = 1;
	} else if (apr_strnatcmp(arg, OIDC_PASS_CLAIMS_AS_HEADERS) == 0) {
		*in_headers = 1;
		*in_env_vars = 0;
	} else if (apr_strnatcmp(arg, OIDC_PASS_CLAIMS_AS_ENV) == 0) {
		*in_headers = 0;
		*in_env_vars = 1;
	} else if (apr_strnatcmp(arg, OIDC_PASS_CLAIMS_AS_NONE) == 0) {
		*in_headers = 0;
		*in_env_vars = 0;
	}

	return NULL;
}
示例#7
0
/*
 * return OpenSSL cipher for JWE encryption algorithm
 */
static const EVP_CIPHER *apr_jwe_enc_to_openssl_cipher(const char *enc) {
	if (apr_strnatcmp(enc, "A128CBC-HS256") == 0) {
		return EVP_aes_128_cbc();
	}
	if (apr_strnatcmp(enc, "A256CBC-HS512") == 0) {
		return EVP_aes_256_cbc();
	}
	return NULL;
}
示例#8
0
/*
 * return OpenSSL hash for JWE encryption algorithm
 */
static const EVP_MD *apr_jwe_enc_to_openssl_hash(const char *enc) {
	if (apr_strnatcmp(enc, "A128CBC-HS256") == 0) {
		return EVP_sha256();
	}
	if (apr_strnatcmp(enc, "A256CBC-HS512") == 0) {
		return EVP_sha512();
	}
	return NULL;
}
示例#9
0
/*
 * convert a "pass id token as" value to an integer
 */
static int oidc_parse_pass_idtoken_as_str2int(const char *v) {
	if (apr_strnatcmp(v, OIDC_PASS_ID_TOKEN_AS_CLAIMS_STR) == 0)
		return OIDC_PASS_IDTOKEN_AS_CLAIMS;
	if (apr_strnatcmp(v, OIDC_PASS_IDTOKEN_AS_PAYLOAD_STR) == 0)
		return OIDC_PASS_IDTOKEN_AS_PAYLOAD;
	if (apr_strnatcmp(v, OIDC_PASS_IDTOKEN_AS_SERIALIZED_STR) == 0)
		return OIDC_PASS_IDTOKEN_AS_SERIALIZED;
	return -1;
}
示例#10
0
/*
 * convert an "accept OAuth 2.0 token in" value to an integer
 */
static apr_byte_t oidc_parse_oauth_accept_token_in_str2byte(const char *v) {
	if (apr_strnatcmp(v, OIDC_OAUTH_ACCEPT_TOKEN_IN_HEADER_STR) == 0)
		return OIDC_OAUTH_ACCEPT_TOKEN_IN_HEADER;
	if (apr_strnatcmp(v, OIDC_OAUTH_ACCEPT_TOKEN_IN_POST_STR) == 0)
		return OIDC_OAUTH_ACCEPT_TOKEN_IN_POST;
	if (apr_strnatcmp(v, OIDC_OAUTH_ACCEPT_TOKEN_IN_QUERY_STR) == 0)
		return OIDC_OAUTH_ACCEPT_TOKEN_IN_QUERY;
	if (strstr(v, OIDC_OAUTH_ACCEPT_TOKEN_IN_COOKIE_STR) == v)
		return OIDC_OAUTH_ACCEPT_TOKEN_IN_COOKIE;
	return OIDC_OAUTH_ACCEPT_TOKEN_IN_DEFAULT;
}
示例#11
0
/*
 * parse the JSON client metadata in to a oidc_provider_t struct
 */
apr_byte_t oidc_metadata_client_parse(request_rec *r, oidc_cfg *cfg,
		json_t *j_client, oidc_provider_t *provider) {

	/* get a handle to the client_id we need to use for this provider */
	oidc_json_object_get_string(r->pool, j_client, "client_id",
			&provider->client_id, NULL);

	/* get a handle to the client_secret we need to use for this provider */
	oidc_json_object_get_string(r->pool, j_client, "client_secret",
			&provider->client_secret, NULL);

	/* see if the token endpoint auth method defined in the client metadata overrides the provider one */
	char *token_endpoint_auth = NULL;
	oidc_json_object_get_string(r->pool, j_client, "token_endpoint_auth_method",
			&token_endpoint_auth, NULL);

	if (token_endpoint_auth != NULL) {
		if ((apr_strnatcmp(token_endpoint_auth, "client_secret_post") == 0)
				|| (apr_strnatcmp(token_endpoint_auth, "client_secret_basic")
						== 0)) {
			provider->token_endpoint_auth = apr_pstrdup(r->pool,
					token_endpoint_auth);
		} else {
			oidc_warn(r,
					"unsupported client auth method \"%s\" in client metadata for entry \"token_endpoint_auth_method\"",
					token_endpoint_auth);
		}
	}

	/* determine the response type if not set by .conf */
	if (provider->response_type == NULL) {

		provider->response_type = cfg->provider.response_type;

		/* "response_types" is an array in the client metadata as by spec */
		json_t *j_response_types = json_object_get(j_client, "response_types");
		if ((j_response_types != NULL) && (json_is_array(j_response_types))) {
			/* if there's an array we'll prefer the configured response_type if supported */
			if (oidc_util_json_array_has_value(r, j_response_types,
					provider->response_type) == FALSE) {
				/* if the configured response_type is not supported, we'll fallback to the first one that is listed */
				json_t *j_response_type = json_array_get(j_response_types, 0);
				if (json_is_string(j_response_type)) {
					provider->response_type = apr_pstrdup(r->pool,
							json_string_value(j_response_type));
				}
			}
		}
	}

	return TRUE;
}
示例#12
0
/*
 * parse a userinfo token method string value to an integer
 */
const char *oidc_parse_userinfo_token_method(apr_pool_t *pool, const char *arg,
		int *int_value) {
	const char *rv = oidc_valid_userinfo_token_method(pool, arg);
	if (rv != NULL)
		return rv;

	if (apr_strnatcmp(arg, OIDC_USER_INFO_TOKEN_METHOD_HEADER_STR) == 0)
		*int_value = OIDC_USER_INFO_TOKEN_METHOD_HEADER;
	if (apr_strnatcmp(arg, OIDC_USER_INFO_TOKEN_METHOD_POST_STR) == 0)
		*int_value = OIDC_USER_INFO_TOKEN_METHOD_POST;

	return NULL;
}
示例#13
0
static const char * ftpd_dbm_cmd_dbmtype(cmd_parms *cmd, void *config,
									 const char *arg)
{
	ftpd_dbm_server_conf *conf = ap_get_module_config(cmd->server->module_config,
									&ftpd_dbm_module);
	conf->dbtype = apr_pstrdup(cmd->pool, arg);
	if (apr_strnatcmp(conf->dbtype, "default") &&
			apr_strnatcmp(conf->dbtype, "DB") &&
			apr_strnatcmp(conf->dbtype, "GDBM") &&
			apr_strnatcmp(conf->dbtype, "SDBM") &&
			apr_strnatcmp(conf->dbtype, "NDBM")) {
		return apr_pstrcat(cmd->pool, "Invalid FTPChrootDBMType: ", arg, NULL);
	}
	return NULL;
}
示例#14
0
/*
 * check a provided hash value (at_hash|c_hash) against a corresponding hash calculated for a specified value and algorithm
 */
static apr_byte_t oidc_proto_validate_hash(request_rec *r, const char *alg,
		const char *hash, const char *value, const char *type) {

	/* hash the provided access_token */
	char *calc = NULL;
	unsigned int hash_len = 0;
	apr_jws_hash_string(r->pool, alg, value, &calc, &hash_len);

	/* calculate the base64url-encoded value of the hash */
	char *encoded = NULL;
	oidc_base64url_encode(r, &encoded, calc, apr_jws_hash_length(alg) / 2, 1);

	/* compare the calculated hash against the provided hash */
	if ((apr_strnatcmp(encoded, hash) != 0)) {
		oidc_error(r,
				"provided \"%s\" hash value (%s) does not match the calculated value (%s)",
				type, hash, encoded);
		return FALSE;
	}

	oidc_debug(r,
			"successfully validated the provided \"%s\" hash value (%s) against the calculated value (%s)",
			type, hash, encoded);

	return TRUE;
}
示例#15
0
dav_error *dbms_get_redirect_props(const dav_repos_db *d,
                                   dav_repos_resource *r)
{
    dav_repos_query *q = NULL;
    dav_error *err = NULL;

    TRACE();

    /* do nothing if we have already fetched redirect props */
    if (r->redirect_lifetime && r->reftarget) {
        return NULL;
    }

    q = dbms_prepare(r->p, d->db, "SELECT lifetime, reftarget "
                     "FROM redirectrefs WHERE resource_id = ?");
    dbms_set_int(q, 1, r->serialno);

    if (dbms_execute(q) || (dbms_next(q) <=0)) {
        err = dav_new_error(r->p, HTTP_INTERNAL_SERVER_ERROR, 0,
                            "DBMS error in reftargets lookup.");
        goto error;
    }

    if (0 == apr_strnatcmp(dbms_get_string(q, 1), "p")) 
        r->redirect_lifetime = DAV_REDIRECTREF_PERMANENT;
    else
        r->redirect_lifetime = DAV_REDIRECTREF_TEMPORARY;

    r->reftarget = dbms_get_string(q, 2);

    error:
        dbms_query_destroy(q);
        return err;
}
示例#16
0
void
cleaning_shm_from_expired_session(request_rec *r)
{
	mod_but_server_t *config = ap_get_module_config(r->server->module_config, &but_module);

	int y;
	for (y = 0; y < MOD_BUT_SESSION_COUNT; y++) {
		mod_but_cookie *c = apr_rmm_addr_get(cs_rmm, off[y]);

		apr_time_t curtime = apr_time_now();
		int tnow = (int)apr_time_sec(curtime);
		int tcreate = c->session_create_time;
		int tlastaccess = c->session_last_access_time;

		if (!apr_strnatcmp(c->session_name, config->cookie_name)) {
			if ((tnow - tcreate) > config->session_timeout) {
				ERRLOG_INFO("(SHM) Cleanup Task A: Delta between tnow and tcreate %d at shmoffset %d", tnow-tcreate, y);
				mod_but_delete_session(y, r);
			} else {
				if ((tnow - tlastaccess) > config->session_inactivity_timeout) {
					ERRLOG_INFO("(SHM) Cleanup Task B: Delta between tnow and tlastaccess %d at shmoffset %d", tnow-tlastaccess, y);
					mod_but_delete_session(y, r);
				}
			}
		}
	}
}
示例#17
0
static bool has_valid_session(request_rec *r, modauthopenid_config *s_cfg) {
  // test for valid session - if so, return DECLINED
  std::string session_id = "";
  modauthopenid::get_session_id(r, std::string(s_cfg->cookie_name), session_id);
  if(session_id != "" && s_cfg->use_cookie) {
    modauthopenid::debug("found session_id in cookie: " + session_id);
    modauthopenid::session_t session;
    modauthopenid::SessionManager sm(std::string(s_cfg->db_location));
    sm.get_session(session_id, session);
    sm.close();

    // if session found 
    if(std::string(session.identity) != "") {
      std::string uri_path;
      modauthopenid::base_dir(std::string(r->uri), uri_path);
      std::string valid_path(session.path);
      // if found session has a valid path
      if(valid_path == uri_path.substr(0, valid_path.size()) && apr_strnatcmp(session.hostname.c_str(), r->hostname)==0) {
	const char* idchar = std::string(session.identity).c_str();
	APDEBUG(r, "setting REMOTE_USER to \"%s\"", idchar);
	r->user = apr_pstrdup(r->pool, idchar);
	return true;
      } else {
	APDEBUG(r, "session found for different path or hostname (cooke was for %s)", session.hostname.c_str());
      }
    }
  }
  return false;
};
示例#18
0
/*
 * validate an access token against the validation endpoint of the Authorization server and gets a response back
 */
static int oidc_oauth_validate_access_token(request_rec *r, oidc_cfg *c,
		const char *token, const char **response) {

	/* get a handle to the directory config */
	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
			&auth_openidc_module);

	/* assemble parameters to call the token endpoint for validation */
	apr_table_t *params = apr_table_make(r->pool, 4);

	/* add any configured extra static parameters to the introspection endpoint */
	oidc_util_table_add_query_encoded_params(r->pool, params,
			c->oauth.introspection_endpoint_params);

	/* add the access_token itself */
	apr_table_addn(params, "token", token);

	/* see if we want to do basic auth or post-param-based auth */
	const char *basic_auth = NULL;
	if ((c->oauth.introspection_endpoint_auth != NULL)
			&& (apr_strnatcmp(c->oauth.introspection_endpoint_auth,
					"client_secret_post") == 0)) {
		apr_table_addn(params, "client_id", c->oauth.client_id);
		apr_table_addn(params, "client_secret", c->oauth.client_secret);
	} else {
		basic_auth = apr_psprintf(r->pool, "%s:%s", c->oauth.client_id,
				c->oauth.client_secret);
	}

	/* call the endpoint with the constructed parameter set and return the resulting response */
	return oidc_util_http_post_form(r, c->oauth.introspection_endpoint_url,
			params, basic_auth, NULL, c->oauth.ssl_validate_server, response,
			c->http_timeout_long, c->outgoing_proxy, dir_cfg->pass_cookies);
}
示例#19
0
/*
 * Create the required structures in the shared memory segment.
 * The following stuff goes to the shared memory:
 *   a) Cookie Name
 *   b) Cookie Value
 *   c) First URL (which is later used for redirection)
 *
 * Note that it is important to save the unparsed URI here, so that URL encoding is preserved.
 * If we used the parsed URI here, we'd open up ourselves to a HTTP Response Splitting attack
 * through CR/LF injection.
 *
 * Function "searches" for free space within the shm section, and creates a new shm structure,
 * containing all relevant information a mod_but session requires.
 *
 * Writes SHM offset of newly generated session to shmoffset.
 *
 * Returns:
 *	STATUS_OK	and SHM offset in shmoffset
 *	STATUS_ESHM	if out of SHM space
 *	STATUS_EHACKING	if hacking is detected
 *	STATUS_ERROR	for all other internal errors
 */
apr_status_t
create_new_shm_session(request_rec *r, char *sid, int *shmoffset)
{
	mod_but_server_t *config = ap_get_module_config(r->server->module_config, &but_module);

	int i;
	for (i = 0; i < MOD_BUT_SESSION_COUNT; i++) {
		mod_but_cookie *c = apr_rmm_addr_get(cs_rmm, off[i]);
		ERRLOG_INFO("Existing session name [%s] and value [%s]", c->session_name, c->session_value);

		if (!apr_strnatcmp(c->session_name, "empty")) {
			ERRLOG_INFO("Setting-up new SHM session at offset [%d]", i);
			apr_cpystrn(c->session_name, config->cookie_name, sizeof(c->session_name));
			apr_cpystrn(c->session_value, sid, sizeof(c->session_value));
			/* Store r->unparsed_uri to prevent HTTP Response Splitting attacks */
			apr_cpystrn(c->session_firsturl, r->unparsed_uri, sizeof(c->session_firsturl));
			c->session_create_time = (int)apr_time_sec(apr_time_now());
			c->session_last_access_time = c->session_create_time;
			c->link_to_cookiestore=-1;
			c->logon_state = 0;
			c->auth_strength = 0;
			apr_cpystrn(c->service_list, config->service_list_cookie_value, sizeof(c->service_list));

			ERRLOG_CRIT("Session original URL is [%s]", c->session_firsturl);
			ERRLOG_INFO("Session name [%s] value [%s] ctime [%ds]", c->session_name, c->session_value, c->session_create_time);

			*shmoffset = i;
			return STATUS_OK;
		}
	}

	ERRLOG_INFO("No empty session slot found; all SHM used up");
	return STATUS_ESHM;
}
示例#20
0
/*
 * check if a string is an element of an array of strings
 */
apr_byte_t apr_jwt_array_has_string(apr_array_header_t *haystack,
		const char *needle) {
	int i;
	for (i = 0; i < haystack->nelts; i++) {
		if (apr_strnatcmp(((const char**) haystack->elts)[i], needle) == 0)
			return TRUE;
	}
	return FALSE;
}
示例#21
0
文件: yamlfile.c 项目: craig5/range
static range* _expand_cluster(range_request* rr,
                              const char* cluster, const char* section)
{
    struct stat st;
    const char* res;
    libcrange* lr = range_request_lr(rr);
    set* cache = libcrange_get_cache(lr, "nodescf:cluster_keys");
    apr_pool_t* req_pool = range_request_pool(rr);
    apr_pool_t* lr_pool = range_request_lr_pool(rr);

    const char* cluster_file;
    cache_entry* e;

    cluster_file = apr_psprintf(req_pool, "%s/%s.yaml", yaml_path, cluster);
    if (!cache) {
        cache = set_new(lr_pool, 0);
        libcrange_set_cache(lr, "nodescf:cluster_keys", cache);
    }

    if (stat(cluster_file, &st) == -1) {
        range_request_warn_type(rr, "NOCLUSTERDEF", cluster);
        return range_new(rr);
    }
    
    e = set_get_data(cache, cluster_file);
    if (!e) {
        e = apr_palloc(lr_pool, sizeof(struct cache_entry));
        apr_pool_create(&e->pool, lr_pool);
        e->sections = _cluster_keys(rr, e->pool, cluster, cluster_file);
        e->mtime = st.st_mtime;
        set_add(cache, cluster_file, e);
    }
    else {
        time_t cached_mtime = e->mtime;
        if (cached_mtime != st.st_mtime) {
            apr_pool_clear(e->pool);
            e->sections = _cluster_keys(rr, e->pool, cluster, cluster_file);
            e->mtime = st.st_mtime;
        } 
    }

    res = set_get_data(e->sections, section);

    if (!res) {
        if(!apr_strnatcmp(section, "CLUSTER")) {
            res = "";
        } else {
            char* cluster_section = apr_psprintf(req_pool,
                                                 "%s:%s", cluster, section);
            range_request_warn_type(rr, "NOCLUSTER", cluster_section);
            return range_new(rr);
        }
    }

    return do_range_expand(rr, res);
}
示例#22
0
/*
 * parse JSON JWK
 */
apr_byte_t apr_jwk_parse_json(apr_pool_t *pool, json_t *json, apr_jwk_t **j_jwk,
		apr_jwt_error_t *err) {

	/* check that we've actually got a JSON value back */
	if (json == NULL) {
		apr_jwt_error(err, "JWK JSON is NULL");
		return FALSE;
	}

	/* check that the value is a JSON object */
	if (!json_is_object(json)) {
		apr_jwt_error(err, "JWK JSON is not a JSON object");
		return FALSE;
	}

	/* allocate memory for the JWK */
	*j_jwk = apr_pcalloc(pool, sizeof(apr_jwk_t));
	apr_jwk_t *jwk = *j_jwk;

	/* get the mandatory key type */
	char *kty = NULL;
	if (apr_jwt_get_string(pool, json, "kty", TRUE, &kty, err) == FALSE)
		return FALSE;

	/* get the optional kid */
	apr_jwt_get_string(pool, json, "kid", FALSE, &jwk->kid, NULL);

	/* parse the key */
	if (apr_strnatcmp(kty, "RSA") == 0)
		return apr_jwk_parse_rsa(pool, json, jwk, err);

	if (apr_strnatcmp(kty, "EC") == 0)
		return apr_jwk_parse_ec(pool, json, jwk, err);

	if (apr_strnatcmp(kty, "oct") == 0)
		return apr_jwk_parse_oct(pool, json, jwk, err);

	apr_jwt_error(err,
			"wrong or unsupported JWK key representation \"%s\" (\"RSA\", \"EC\" and \"oct\" are supported key types)",
			kty);

	return FALSE;
}
示例#23
0
/*
 * load a session from the cache/cookie
 */
apr_byte_t oidc_session_load(request_rec *r, oidc_session_t **zz) {
	oidc_cfg *c = ap_get_module_config(r->server->module_config,
			&auth_openidc_module);

	apr_byte_t rc = FALSE;
	const char *ses_p_tb_id = NULL, *env_p_tb_id = NULL;

	/* allocate space for the session object and fill it */
	oidc_session_t *z = (*zz = apr_pcalloc(r->pool, sizeof(oidc_session_t)));
	oidc_session_clear(r, z);

	if (c->session_type == OIDC_SESSION_TYPE_SERVER_CACHE)
		/* load the session from the cache */
		rc = oidc_session_load_cache(r, z);

	/* if we get here we configured client-cookie or retrieving from the cache failed */
	if ((c->session_type == OIDC_SESSION_TYPE_CLIENT_COOKIE)
			|| ((rc == FALSE) && oidc_cfg_session_cache_fallback_to_cookie(r)))
		/* load the session from a self-contained cookie */
		rc = oidc_session_load_cookie(r, c, z);

	if ((rc == TRUE) && (z->state != NULL)) {

		json_t *j_expires = json_object_get(z->state, OIDC_SESSION_EXPIRY_KEY);
		if (j_expires)
			z->expiry = apr_time_from_sec(json_integer_value(j_expires));

		/* check whether it has expired */
		if (apr_time_now() > z->expiry) {

			oidc_warn(r, "session restored from cache has expired");
			oidc_session_clear(r, z);

		} else {

			oidc_session_get(r, z, OIDC_SESSION_PROVIDED_TOKEN_BINDING_KEY,
					&ses_p_tb_id);

			if (ses_p_tb_id != NULL) {
				env_p_tb_id = oidc_util_get_provided_token_binding_id(r);
				if ((env_p_tb_id == NULL)
						|| (apr_strnatcmp(env_p_tb_id, ses_p_tb_id) != 0)) {
					oidc_error(r,
							"the Provided Token Binding ID stored in the session doesn't match the one presented by the user agent");
					oidc_session_clear(r, z);
				}
			}

			oidc_session_get(r, z, OIDC_SESSION_REMOTE_USER_KEY,
					&z->remote_user);
		}
	}

	return rc;
}
static int find_cookie(request_rec *r,char **user,uint8_t *secret,int secretLen) {
	char *cookie=0l;
	char *cookie_expire=0l;
	char *cookie_valid=0l;
	ap_regmatch_t regmatch[AP_MAX_REG_MATCH];
	authn_google_config_rec *conf = ap_get_module_config(r->per_dir_config, &authn_google_module);
	cookie = (char *) apr_table_get(r->headers_in, "Cookie");
	if (cookie) {
	if (conf->debugLevel) 
					ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
												"Found cookie \"%s\"",cookie);
		if (!ap_regexec(cookie_regexp, cookie, AP_MAX_REG_MATCH, regmatch, 0)) {
			if (user) *user  = ap_pregsub(r->pool, "$2", cookie,AP_MAX_REG_MATCH,regmatch);
			cookie_expire = ap_pregsub(r->pool, "$3", cookie,AP_MAX_REG_MATCH,regmatch);
			cookie_valid = ap_pregsub(r->pool, "$4", cookie,AP_MAX_REG_MATCH,regmatch);
				
if (conf->debugLevel) 
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "Found cookie Expires \"%s\" Valid \"%s\"",cookie_expire,cookie_valid);

				if (cookie_expire && cookie_valid && *user) {
					long unsigned int exp = apr_atoi64(cookie_expire);
					long unsigned int now = apr_time_now()/1000000;
					if (exp < now) {

if (conf->debugLevel) 
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
           "Expired. Now=%lu Expire=%lu\n",now,exp);

						return 0;	/* Expired */
					}
					if (!secret) {
						secret = getUserSecret(r,*user,&secretLen,0L);
					}
					char *h = hash_cookie(r->pool,secret,secretLen,exp);

if (conf->debugLevel) 
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "Match cookie \"%s\" vs  \"%s\"",h,cookie_valid);

					if (apr_strnatcmp(h,cookie_valid)==0)
						return 1; /* Valid Cookie */
					else {

if (conf->debugLevel) 
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "MISMATCHED  cookie \"%s\" vs  \"%s\"",h,cookie_valid);

						return 0; /* Mismatched */
					}
				}
		}
	}
	return 0;	/* Not found */
}
示例#25
0
/*
 * parse a "claim required" value from the provided string
 */
const char *oidc_parse_claim_required(apr_pool_t *pool, const char *arg,
		int *is_required) {
	static char *options[] = {
			OIDC_CLAIM_REQUIRED_MANDATORY,
			OIDC_CLAIM_REQUIRED_OPTIONAL,
			NULL };
	const char *rv = oidc_valid_string_option(pool, arg, options);
	if (rv != NULL)
		return rv;
	*is_required = apr_strnatcmp(arg, OIDC_CLAIM_REQUIRED_MANDATORY);
	return NULL;
}
示例#26
0
static int twms_handler(request_rec *r)

{
  twms_dir_conf *dcfg;
  const char *data;
  const char *val;
  apr_table_t *tab;
  apr_file_t *fh;
  apr_size_t nsend;
  apr_finfo_t info;


  if ((r->method_number != M_GET )||(r->args==0)) return DECLINED;
  data=r->args;
  // scfg=ap_get_module_config(r->server->module_config,&twms_module);
  dcfg=ap_get_module_config(r->per_dir_config,&twms_module);
  if (!dcfg) return DECLINED; // Does this ever happen?

  if (!ap_strstr(data,"GetTileService")) return DECLINED;
  // Do we have a config for this directory

//  ap_log_error(APLOG_MARK,APLOG_ERR,0,r->server,"TWMS_handler: args %s, path %s scfg %x dcfg %x dir %s conf %s",
//    data,r->parsed_uri.path,scfg,dcfg,dcfg->path,dcfg->Config);
  if (!dcfg->Config) return DECLINED;


  // This is overkill here, but it works
  tab=apr_table_make(r->pool,0);

  while (*data && (val=ap_getword(r->pool, &data, '&'))) {
    char *key=apr_pstrdup(r->pool,ap_getword(r->pool, &val, '='));
    char *ival=apr_pstrdup(r->pool,val);
    ap_unescape_url(key);ap_unescape_url(ival);
    apr_table_merge(tab,key,ival);
  }

  if (!(val=apr_table_get(tab,"request"))) return DECLINED;
  if (apr_strnatcmp(val,"GetTileService")) return DECLINED;

  if (APR_SUCCESS!=apr_file_open(&fh,apr_pstrcat(r->pool,dcfg->path,dcfg->Config,0),
      APR_READ,APR_OS_DEFAULT,r->pool)) {
    ap_log_error(APLOG_MARK,APLOG_ERR,0,r->server,"TWMS file can't be read");
    return HTTP_CONFLICT;
  }
  ap_log_error(APLOG_MARK,APLOG_ERR,0,r->server,"TWMS Sending GTS file");
  apr_file_info_get(&info,APR_FINFO_SIZE,fh);

  ap_set_content_type(r,"text/xml");
  ap_send_fd(fh,r,0,info.size,&nsend);

  apr_file_close(fh);
  return OK;
}
示例#27
0
/*
 * get a value from the shared memory cache
 */
static apr_byte_t oidc_cache_shm_get(request_rec *r, const char *section,
		const char *key, const char **value) {

	oidc_debug(r, "enter, section=\"%s\", key=\"%s\"", section, key);

	oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
			&auth_openidc_module);
	oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *) cfg->cache_cfg;

	int i;
	const char *section_key = oidc_cache_shm_get_key(r->pool, section, key);

	*value = NULL;

	/* grab the global lock */
	if (oidc_cache_mutex_lock(r, context->mutex) == FALSE)
		return FALSE;

	/* get the pointer to the start of the shared memory block */
	oidc_cache_shm_entry_t *t = apr_shm_baseaddr_get(context->shm);

	/* loop over the block, looking for the key */
	for (i = 0; i < cfg->cache_shm_size_max; i++, OIDC_CACHE_SHM_ADD_OFFSET(t, cfg->cache_shm_entry_size_max)) {
		const char *tablekey = t->section_key;

		if ( (tablekey != NULL) && (apr_strnatcmp(tablekey, section_key) == 0) ) {

			/* found a match, check if it has expired */
			if (t->expires > apr_time_now()) {

				/* update access timestamp */
				t->access = apr_time_now();
				*value = t->value;

			} else {

				/* clear the expired entry */
				t->section_key[0] = '\0';
				t->access = 0;

			}

			/* we safely can break now since we would not have found an expired match twice */
			break;
		}
	}

	/* release the global lock */
	oidc_cache_mutex_unlock(r, context->mutex);

	return (*value == NULL) ? FALSE : TRUE;
}
示例#28
0
/*
 * parse a key value based on the provided encoding: b64|b64url|hex|plain
 */
static const char *oidc_parse_key_value(apr_pool_t *pool, const char *enc,
		const char *input, char **key, int *key_len) {
	static char *options[] = {
			OIDC_KEY_ENCODING_BASE64,
			OIDC_KEY_ENCODING_BASE64_URL,
			OIDC_KEY_ENCODING_HEX,
			OIDC_KEY_ENCODING_PLAIN,
			NULL };
	const char *rv = oidc_valid_string_option(pool, enc, options);
	if (rv != NULL)
		return rv;
	if (apr_strnatcmp(enc, OIDC_KEY_ENCODING_BASE64) == 0)
		return oidc_parse_base64(pool, input, key, key_len);
	if (apr_strnatcmp(enc, OIDC_KEY_ENCODING_BASE64_URL) == 0)
		return oidc_parse_base64url(pool, input, key, key_len);
	if (apr_strnatcmp(enc, OIDC_KEY_ENCODING_HEX) == 0)
		return oidc_parse_hex(pool, input, key, key_len);
	if (apr_strnatcmp(enc, OIDC_KEY_ENCODING_PLAIN) == 0) {
		*key = apr_pstrdup(pool, input);
		*key_len = strlen(*key);
	}
	return NULL;
}
示例#29
0
/*
 * parse an "unauthenticated action" value from the provided string
 */
const char *oidc_parse_unauth_action(apr_pool_t *pool, const char *arg,
		int *action) {
	static char *options[] = {
			OIDC_UNAUTH_ACTION_AUTH_STR,
			OIDC_UNAUTH_ACTION_PASS_STR,
			OIDC_UNAUTH_ACTION_401_STR,
			OIDC_UNAUTH_ACTION_410_STR,
			NULL };
	const char *rv = oidc_valid_string_option(pool, arg, options);
	if (rv != NULL)
		return rv;

	if (apr_strnatcmp(arg, OIDC_UNAUTH_ACTION_AUTH_STR) == 0)
		*action = OIDC_UNAUTH_AUTHENTICATE;
	else if (apr_strnatcmp(arg, OIDC_UNAUTH_ACTION_PASS_STR) == 0)
		*action = OIDC_UNAUTH_PASS;
	else if (apr_strnatcmp(arg, OIDC_UNAUTH_ACTION_401_STR) == 0)
		*action = OIDC_UNAUTH_RETURN401;
	else if (apr_strnatcmp(arg, OIDC_UNAUTH_ACTION_410_STR) == 0)
		*action = OIDC_UNAUTH_RETURN410;

	return NULL;
}
示例#30
0
/*
 * parse JSON JWK
 */
apr_byte_t apr_jwk_parse_json(apr_pool_t *pool, json_t *j_json,
		const char *s_json, apr_jwk_t **j_jwk) {

	/* check that we've actually got a JSON value back */
	if (j_json == NULL)
		return FALSE;

	/* check that the value is a JSON object */
	if (!json_is_object(j_json))
		return FALSE;

	/* allocate memory for the JWK */
	*j_jwk = apr_pcalloc(pool, sizeof(apr_jwk_t));
	apr_jwk_t *jwk = *j_jwk;

	/* set the raw JSON/string representations */
	jwk->value.json = j_json;
	jwk->value.str = apr_pstrdup(pool, s_json);

	/* get the key type */
	char *kty = NULL;
	if (apr_jwt_get_string(pool, &jwk->value, "kty", &kty) == FALSE)
		return FALSE;

	/* kty is mandatory */
	if (kty == NULL)
		return FALSE;

	/* parse the key */
	if (apr_strnatcmp(kty, "RSA") == 0)
		return apr_jwk_parse_rsa(pool, jwk);

	if (apr_strnatcmp(kty, "EC") == 0)
		return apr_jwk_parse_ec(pool, jwk);

	return FALSE;
}