add Apache Require claim authorization functions

bump to 3.0.1

Signed-off-by: Hans Zandbelt <[email protected]>

ChangeLog

@@ -1,2 +1,6 @@
+05/20/2019
+- add Apache Require claim authorization functions
+- bump to 3.0.1
+
 03/22/2019
 - initial import of version 3.0.0

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_oauth2],[3.0.0],[[email protected]])
+AC_INIT([mod_oauth2],[3.0.1],[[email protected]])
 AC_CONFIG_HEADERS([src/config.h])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
@@ -33,11 +33,11 @@ PKG_CHECK_MODULES(APR, [apr-1, apr-util-1])
 AC_SUBST(APR_CFLAGS)
 AC_SUBST(APR_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.0.0])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.0.1])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.0.0])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.0.1])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
 

src/mod_oauth2.c

@@ -92,6 +92,8 @@ static void *oauth2_cfg_dir_merge(apr_pool_t *pool, void *b, void *a)
 	return cfg;
 }
 
+#define OAUTH2_REQUEST_STATE_KEY_CLAIMS "C"
+
 static int oauth2_request_handler(oauth2_cfg_source_token_t *cfg,
 				  oauth2_cfg_token_verify_t *verify,
 				  oauth2_cfg_target_pass_t *target_pass,
@@ -135,6 +137,8 @@ static int oauth2_request_handler(oauth2_cfg_source_token_t *cfg,
 		goto end;
 	}
 
+	oauth2_apache_request_state_set_json(
+	    ctx, OAUTH2_REQUEST_STATE_KEY_CLAIMS, json_token);
 	oauth2_apache_target_pass(ctx, target_pass, source_token, json_token);
 
 	rv = OK;
@@ -280,24 +284,66 @@ static const command_rec OAUTH2_APACHE_COMMANDS(oauth2)[] = {
 	{ NULL }
 };
 
+
+static authz_status oauth2_authz_checker(request_rec *r,
+		const char *require_args, const void *parsed_require_args,
+		oauth2_apache_authz_match_claim_fn_type match_claim_fn) {
+	json_t *claims = NULL;
+	oauth2_cfg_dir_t *cfg = NULL;
+	oauth2_apache_request_ctx_t *ctx = NULL;
+	authz_status rc = AUTHZ_DENIED_NO_USER;
+
+	cfg = ap_get_module_config(r->per_dir_config, &oauth2_module);
+	ctx = OAUTH2_APACHE_REQUEST_CTX(r, oauth2);
+
+	oauth2_debug(ctx->log, "enter");
+
+	if (r->user != NULL && strlen(r->user) == 0)
+		r->user = NULL;
+
+	oauth2_apache_request_state_get_json(ctx, OAUTH2_REQUEST_STATE_KEY_CLAIMS, &claims);
+
+	rc = oauth2_apache_authorize(ctx, claims, require_args, match_claim_fn);
+	if (claims)
+		json_decref(claims);
+
+	if ((rc == AUTHZ_DENIED) && ap_auth_type(r))
+		oauth2_apache_return_www_authenticate(cfg->source_token, ctx,
+				HTTP_UNAUTHORIZED, "insufficient_scope", // TODO: OAUTH2_ERROR_INSUFFICIENT_SCOPE,
+				"Different scope(s) or other claims required.");
+
+	oauth2_debug(ctx->log, "leave");
+
+	return rc;
+}
+
+static authz_status oauth2_authz_checker_claim(request_rec *r,
+		const char *require_args, const void *parsed_require_args) {
+	return oauth2_authz_checker(r, require_args, parsed_require_args,
+			oauth2_apache_authz_match_claim);
+}
+
+static const authz_provider oauth2_authz_claim_provider = {
+		&oauth2_authz_checker_claim,
+		NULL };
+
+#define OAUTH2_REQUIRE_CLAIM "claim"
+
 static void oauth2_register_hooks(apr_pool_t *p)
 {
 	ap_hook_post_config(OAUTH2_APACHE_POST_CONFIG(oauth2), NULL, NULL,
 			    APR_HOOK_MIDDLE);
-#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
 	ap_hook_check_authn(oauth2_check_user_id_handler, NULL, NULL,
 			    APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
-#else
-	ap_hook_check_user_id(oauth2_check_user_id_handler, NULL, NULL,
-			      APR_HOOK_MIDDLE);
-#endif
-
+	ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP,
+			OAUTH2_REQUIRE_CLAIM, "0", &oauth2_authz_claim_provider,
+			AP_AUTH_INTERNAL_PER_CONF);
 	// TODO: register content handler for "special" stuff like returning the
 	// JWKs that
 	//       the peer may use to encrypt the token and the private key
 	//       material that we use to sign e.g. client authentication
 	//       assertions
-	// ap_hook_handler(oidc_content_handler, NULL, NULL, APR_HOOK_MIDDLE);
+	// ap_hook_handler(oauth2_content_handler, NULL, NULL, APR_HOOK_MIDDLE);
 }
 
 OAUTH2_APACHE_MODULE_DECLARE_EX(