Blame SOURCES/httpd-2.4.6-r1555539.patch

008793
diff --git a/docs/manual/expr.html.en b/docs/manual/expr.html.en
008793
index 5c3ae45..8bd941a 100644
008793
--- a/docs/manual/expr.html.en
008793
+++ b/docs/manual/expr.html.en
008793
@@ -46,7 +46,7 @@
008793
 
  • Other
  • 008793
     
  • Comparison with SSLRequire
  • 008793
     
  • Version History
  • 008793
    -

    See also

    008793
    +

    See also

    008793
     
    top
    008793
     
    008793
     

    Grammar in Backus-Naur Form notation

    008793
    diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en
    008793
    index 7199052..c86dc8a 100644
    008793
    --- a/docs/manual/mod/mod_authnz_ldap.html.en
    008793
    +++ b/docs/manual/mod/mod_authnz_ldap.html.en
    008793
    @@ -350,6 +350,9 @@ for HTTP Basic authentication.
    008793
         ldap-filter.  Other authorization types may also be
    008793
         used but may require that additional authorization modules be loaded.

    008793
     
    008793
    +    

    Since v2.5.0, expressions are supported

    008793
    +    within the LDAP require directives.

    008793
    +
    008793
     

    Require ldap-user

    008793
     
    008793
         

    The Require ldap-user directive specifies what

    008793
    @@ -576,6 +579,16 @@ Require ldap-group cn=Administrators, o=Example
    008793
           
    008793
     
    008793
           
  • 008793
    +        Grant access to anybody in the group whose name matches the
    008793
    +        hostname of the virtual host. In this example an
    008793
    +        expression is used to build the filter.
    008793
    +<highlight language="config">
    008793
    +AuthLDAPURL ldap://ldap.example.com/o=Example?uid
    008793
    +Require ldap-group cn=%{SERVER_NAME}, o=Example
    008793
    +</highlight>
    008793
    +      
    008793
    +
    008793
    +      
  • 008793
             The next example assumes that everyone at Example who
    008793
             carries an alphanumeric pager will have an LDAP attribute
    008793
             of qpagePagerID. The example will grant access
    008793
    diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
    008793
    index 2c25dbc..063debe 100644
    008793
    --- a/modules/aaa/mod_authnz_ldap.c
    008793
    +++ b/modules/aaa/mod_authnz_ldap.c
    008793
    @@ -607,6 +607,10 @@ static authz_status ldapuser_check_authorization(request_rec *r,
    008793
     
    008793
         util_ldap_connection_t *ldc = NULL;
    008793
     
    008793
    +    const char *err = NULL;
    008793
    +    const ap_expr_info_t *expr = parsed_require_args;
    008793
    +    const char *require;
    008793
    +
    008793
         const char *t;
    008793
         char *w;
    008793
     
    008793
    @@ -680,11 +684,19 @@ static authz_status ldapuser_check_authorization(request_rec *r,
    008793
             return AUTHZ_DENIED;
    008793
         }
    008793
     
    008793
    +    require = ap_expr_str_exec(r, expr, &err;;
    008793
    +    if (err) {
    008793
    +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585)
    008793
    +                      "auth_ldap authorize: require user: Can't evaluate expression: %s",
    008793
    +                      err);
    008793
    +        return AUTHZ_DENIED;
    008793
    +    }
    008793
    +
    008793
         /*
    008793
          * First do a whole-line compare, in case it's something like
    008793
          *   require user Babs Jensen
    008793
          */
    008793
    -    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args);
    008793
    +    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require);
    008793
         switch(result) {
    008793
             case LDAP_COMPARE_TRUE: {
    008793
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703)
    008793
    @@ -704,7 +716,7 @@ static authz_status ldapuser_check_authorization(request_rec *r,
    008793
         /*
    008793
          * Now break apart the line and compare each word on it
    008793
          */
    008793
    -    t = require_args;
    008793
    +    t = require;
    008793
         while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
    008793
             result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
    008793
             switch(result) {
    008793
    @@ -744,6 +756,10 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
    008793
     
    008793
         util_ldap_connection_t *ldc = NULL;
    008793
     
    008793
    +    const char *err = NULL;
    008793
    +    const ap_expr_info_t *expr = parsed_require_args;
    008793
    +    const char *require;
    008793
    +
    008793
         const char *t;
    008793
     
    008793
         char filtbuf[FILTER_LENGTH];
    008793
    @@ -863,7 +879,15 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
    008793
             }
    008793
         }
    008793
     
    008793
    -    t = require_args;
    008793
    +    require = ap_expr_str_exec(r, expr, &err;;
    008793
    +    if (err) {
    008793
    +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586)
    008793
    +                      "auth_ldap authorize: require group: Can't evaluate expression: %s",
    008793
    +                      err);
    008793
    +        return AUTHZ_DENIED;
    008793
    +    }
    008793
    +
    008793
    +    t = require;
    008793
     
    008793
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713)
    008793
                       "auth_ldap authorize: require group: testing for group "
    008793
    @@ -959,6 +983,10 @@ static authz_status ldapdn_check_authorization(request_rec *r,
    008793
     
    008793
         util_ldap_connection_t *ldc = NULL;
    008793
     
    008793
    +    const char *err = NULL;
    008793
    +    const ap_expr_info_t *expr = parsed_require_args;
    008793
    +    const char *require;
    008793
    +
    008793
         const char *t;
    008793
     
    008793
         char filtbuf[FILTER_LENGTH];
    008793
    @@ -1021,7 +1049,15 @@ static authz_status ldapdn_check_authorization(request_rec *r,
    008793
             req->user = r->user;
    008793
         }
    008793
     
    008793
    -    t = require_args;
    008793
    +    require = ap_expr_str_exec(r, expr, &err;;
    008793
    +    if (err) {
    008793
    +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587)
    008793
    +                      "auth_ldap authorize: require dn: Can't evaluate expression: %s",
    008793
    +                      err);
    008793
    +        return AUTHZ_DENIED;
    008793
    +    }
    008793
    +
    008793
    +    t = require;
    008793
     
    008793
         if (req->dn == NULL || strlen(req->dn) == 0) {
    008793
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725)
    008793
    @@ -1068,6 +1104,10 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
    008793
     
    008793
         util_ldap_connection_t *ldc = NULL;
    008793
     
    008793
    +    const char *err = NULL;
    008793
    +    const ap_expr_info_t *expr = parsed_require_args;
    008793
    +    const char *require;
    008793
    +
    008793
         const char *t;
    008793
         char *w, *value;
    008793
     
    008793
    @@ -1138,7 +1178,16 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
    008793
             return AUTHZ_DENIED;
    008793
         }
    008793
     
    008793
    -    t = require_args;
    008793
    +    require = ap_expr_str_exec(r, expr, &err;;
    008793
    +    if (err) {
    008793
    +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588)
    008793
    +                      "auth_ldap authorize: require ldap-attribute: Can't "
    008793
    +                      "evaluate expression: %s", err);
    008793
    +        return AUTHZ_DENIED;
    008793
    +    }
    008793
    +
    008793
    +    t = require;
    008793
    +
    008793
         while (t[0]) {
    008793
             w = ap_getword(r->pool, &t, '=');
    008793
             value = ap_getword_conf(r->pool, &t);
    008793
    @@ -1183,6 +1232,11 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
    008793
             (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
    008793
     
    008793
         util_ldap_connection_t *ldc = NULL;
    008793
    +
    008793
    +    const char *err = NULL;
    008793
    +    const ap_expr_info_t *expr = parsed_require_args;
    008793
    +    const char *require;
    008793
    +
    008793
         const char *t;
    008793
     
    008793
         char filtbuf[FILTER_LENGTH];
    008793
    @@ -1252,7 +1306,15 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
    008793
             return AUTHZ_DENIED;
    008793
         }
    008793
     
    008793
    -    t = require_args;
    008793
    +    require = ap_expr_str_exec(r, expr, &err;;
    008793
    +    if (err) {
    008793
    +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589)
    008793
    +                      "auth_ldap authorize: require ldap-filter: Can't "
    008793
    +                      "evaluate require expression: %s", err);
    008793
    +        return AUTHZ_DENIED;
    008793
    +    }
    008793
    +
    008793
    +    t = require;
    008793
     
    008793
         if (t[0]) {
    008793
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743)
    008793
    @@ -1311,6 +1373,25 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
    008793
         return AUTHZ_DENIED;
    008793
     }
    008793
     
    008793
    +static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line,
    008793
    +                                     const void **parsed_require_line)
    008793
    +{
    008793
    +    const char *expr_err = NULL;
    008793
    +    ap_expr_info_t *expr;
    008793
    +
    008793
    +    expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
    008793
    +            &expr_err, NULL);
    008793
    +
    008793
    +    if (expr_err)
    008793
    +        return apr_pstrcat(cmd->temp_pool,
    008793
    +                           "Cannot parse expression in require line: ",
    008793
    +                           expr_err, NULL);
    008793
    +
    008793
    +    *parsed_require_line = expr;
    008793
    +
    008793
    +    return NULL;
    008793
    +}
    008793
    +
    008793
     
    008793
     /*
    008793
      * Use the ldap url parsing routines to break up the ldap url into
    008793
    @@ -1769,30 +1850,30 @@ static const authn_provider authn_ldap_provider =
    008793
     static const authz_provider authz_ldapuser_provider =
    008793
     {
    008793
         &ldapuser_check_authorization,
    008793
    -    NULL,
    008793
    +    &ldap_parse_config,
    008793
     };
    008793
     static const authz_provider authz_ldapgroup_provider =
    008793
     {
    008793
         &ldapgroup_check_authorization,
    008793
    -    NULL,
    008793
    +    &ldap_parse_config,
    008793
     };
    008793
     
    008793
     static const authz_provider authz_ldapdn_provider =
    008793
     {
    008793
         &ldapdn_check_authorization,
    008793
    -    NULL,
    008793
    +    &ldap_parse_config,
    008793
     };
    008793
     
    008793
     static const authz_provider authz_ldapattribute_provider =
    008793
     {
    008793
         &ldapattribute_check_authorization,
    008793
    -    NULL,
    008793
    +    &ldap_parse_config,
    008793
     };
    008793
     
    008793
     static const authz_provider authz_ldapfilter_provider =
    008793
     {
    008793
         &ldapfilter_check_authorization,
    008793
    -    NULL,
    008793
    +    &ldap_parse_config,
    008793
     };
    008793
     
    008793
     static void ImportULDAPOptFn(void)