« back to all changes in this revision
Viewing changes to src/authz.c
- browse files at revision 5
- compare with another revision
- download diff
- download tarball
- view history from revision 5
- Committer: Package Import Robot
- Author(s): Hans Zandbelt
- Date: 2014-10-13 12:23:35 UTC
- mfrom: (1.1.3)
- Revision ID: package-import@ubuntu.com-20141013122335-31wgnq50ascmubib
Tags: 1.6.0-1
new upstream release; add libssl-dev dependency
- files modified:
- AUTHORS
added
removed
src/authz.c
70
70
return FALSE;
71
71
72
72
/* loop over all of the user claims */
73
void *iter = json_object_iter((json_t*)claims);
73
void *iter = json_object_iter((json_t*) claims);
74
74
while (iter) {
75
75
76
key = json_object_iter_key(iter);
77
val = json_object_iter_value(iter);
76
key = json_object_iter_key(iter);
77
val = json_object_iter_value(iter);
78
78
79
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
80
"oidc_authz_match_claim: evaluating key \"%s\"", (const char *) key);
79
oidc_debug(r, "evaluating key \"%s\"", (const char * ) key);
81
80
82
81
const char *attr_c = (const char *) key;
83
82
const char *spec_c = attr_spec;
101
100
return TRUE;
102
101
}
103
102
104
/* see if it is a integer and it equals the Require'd value */
103
/* see if it is a integer and it equals the Require'd value */
105
104
} else if (json_is_integer(val)) {
106
105
107
106
if (json_integer_value(val) == atoi(spec_c)) {
108
107
return TRUE;
109
108
}
110
109
111
/* see if it is a boolean and it (case-insensitively) matches the Require'd value */
110
/* see if it is a boolean and it (case-insensitively) matches the Require'd value */
112
111
} else if (json_is_boolean(val)) {
113
112
114
113
if (apr_strnatcmp(json_is_true(val) ? "true" : "false", spec_c)
116
115
return TRUE;
117
116
}
118
117
119
/* if it is an array, we'll walk it */
118
/* if it is an array, we'll walk it */
120
119
} else if (json_is_array(val)) {
121
120
122
121
/* compare the claim values */
131
130
* whitespace). At this point, spec_c points to the
132
131
* NULL-terminated value pattern.
133
132
*/
134
if (apr_strnatcmp(json_string_value(elem), spec_c) == 0) {
133
if (apr_strnatcmp(json_string_value(elem), spec_c)
134
== 0) {
135
135
return TRUE;
136
136
}
137
137
151
151
152
152
} else {
153
153
154
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
155
"oidc_authz_match_claim: unhandled in-array JSON object type [%d] for key \"%s\"",
156
elem->type, (const char *) key);
154
oidc_warn(r,
155
"unhandled in-array JSON object type [%d] for key \"%s\"",
156
elem->type, (const char * ) key);
157
157
}
158
158
}
159
159
160
160
} else {
161
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
162
"oidc_authz_match_claim: unhandled JSON object type [%d] for key \"%s\"",
163
val->type, (const char *) key);
161
oidc_warn(r, "unhandled JSON object type [%d] for key \"%s\"",
162
val->type, (const char * ) key);
164
163
}
165
164
166
165
}
167
166
168
167
/* TODO: a tilde (denotes a PCRE match). */
169
168
//else if (!(*attr_c) && (*spec_c) == '~') {
170
171
iter = json_object_iter_next((json_t *)claims, iter);
169
iter = json_object_iter_next((json_t *) claims, iter);
172
170
}
173
171
return FALSE;
174
172
}
222
220
token = ap_getword_conf(r->pool, &requirement);
223
221
count_oauth_claims++;
224
222
225
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
226
"oidc_authz_worker: evaluating claim specification: %s",
227
token);
223
oidc_debug(r, "evaluating claim specification: %s", token);
228
224
229
225
if (oidc_authz_match_claim(r, token, claims) == TRUE) {
230
226
231
227
/* if *any* claim matches, then authorization has succeeded and all of the others are ignored */
232
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
233
"oidc_authz_worker: require claim "
234
"'%s' matched", token);
228
oidc_debug(r, "require claim '%s' matched", token);
235
229
return OK;
236
230
}
237
231
}
239
233
240
234
/* if there weren't any "Require claim" directives, we're irrelevant */
241
235
if (!have_oauthattr) {
242
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
243
"oidc_authz_worker: no claim statements found, not performing authz");
236
oidc_debug(r, "no claim statements found, not performing authz");
244
237
return DECLINED;
245
238
}
246
239
/* if there was a "Require claim", but no actual claims, that's cause to warn the admin of an iffy configuration */
247
240
if (count_oauth_claims == 0) {
248
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
249
"oidc_authz_worker: 'require claim' missing specification(s) in configuration, declining");
241
oidc_warn(r,
242
"'require claim' missing specification(s) in configuration, declining");
250
243
return DECLINED;
251
244
}
252
245
253
246
/* log the event, also in Apache speak */
254
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
255
"oidc_authz_worker: authorization denied for client session");
247
oidc_debug(r, "authorization denied for client session");
256
248
ap_note_auth_failure(r);
257
249
258
250
return HTTP_UNAUTHORIZED;
279
271
280
272
count_oauth_claims++;
281
273
282
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
283
"oidc_authz_worker24: evaluating claim specification: %s",
284
w);
274
oidc_debug(r, "evaluating claim specification: %s", w);
285
275
286
276
/* see if we can match any of out input claims against this Require'd value */
287
277
if (oidc_authz_match_claim(r, w, claims) == TRUE) {
288
278
289
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
290
"oidc_authz_worker24: require claim "
291
"'%s' matched", w);
279
oidc_debug(r, "require claim '%s' matched", w);
292
280
return AUTHZ_GRANTED;
293
281
}
294
282
}
295
283
296
284
/* if there wasn't anything after the Require claims directive... */
297
285
if (count_oauth_claims == 0) {
298
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
299
"oidc_authz_worker24: 'require claim' missing specification(s) in configuration, denying");
286
oidc_warn(r,
287
"'require claim' missing specification(s) in configuration, denying");
300
288
}
301
289
302
290
return AUTHZ_DENIED;
Loggerhead is a web-based interface for Breezy
Version: 2.0.1