A bunch of fixes that make OpenID authentication work for the first time.

1 files changed, 78 insertions, 15 deletions

diff --git a/module/mod_auth_singleid.c b/module/mod_auth_singleid.c
index 3b6304a..9c38434 100644
--- a/module/mod_auth_singleid.c
+++ b/module/mod_auth_singleid.c
@@ -92,8 +92,8 @@ static int
 shared_initialize (apr_pool_t *p, server_rec *s)
 {
 	apr_file_t *file = NULL;
+	char *lock_name = NULL;
 	const char *tmpdir;
-	char *lock_name;
 	int rc;
 
 	/* This may be called more than once */
@@ -324,7 +324,7 @@ session_cookie_value (request_rec *r, const char *name)
 		return NULL;
 
 	while (*cookies) {
-		pair = ap_get_token (r->pool, &cookies, 0);
+		pair = ap_get_token (r->pool, &cookies, 1);
 		if (!pair)
 			break;
 		if (pair[0] == '$')
@@ -338,6 +338,7 @@ session_cookie_value (request_rec *r, const char *name)
 
 		if (*value != '=')
 			continue;
+		++value;
 		while (isspace (*value))
 			++value;
 
@@ -380,22 +381,22 @@ session_load_info (request_rec *r)
 	char *token, *sig, *end;
 	char *identifier;
 	long expiry;
+	size_t len;
 
 	value = session_cookie_value (r, "mod-auth-single-id");
 	if (!value)
 		return NULL;
 
-	sig = ap_get_token (r->pool, &value, 1);
+	sig = ap_get_token (r->pool, &value, 0);
+	if (!session_validate_sig (r->pool, sig, value))
+		return NULL;
 
 	/* The version of the session info, only 1 supported for now */
-	token = ap_get_token (r->pool, &value, 1);
+	token = ap_get_token (r->pool, &value, 0);
 	if (strcmp (token, "1") != 0)
 		return NULL;
 
-	if (!session_validate_sig (r->pool, sig, value))
-		return NULL;
-
-	token = ap_get_token (r->pool, &value, 1);
+	token = ap_get_token (r->pool, &value, 0);
 	expiry = strtol (token, &end, 10);
 	if (*end != '\0')
 		return NULL;
@@ -405,7 +406,13 @@ session_load_info (request_rec *r)
 		return NULL;
 
 	/* The identifier */
-	identifier = ap_get_token (r->pool, &value, 1);
+	identifier = ap_get_token (r->pool, &value, 0);
+	len = strlen (identifier);
+	if (identifier[0] == '"' && identifier[len - 1] == '"') {
+		identifier[len - 1] = 0;
+		++identifier;
+	}
+
 	if (!ap_is_url (identifier))
 		return NULL;
 
@@ -466,7 +473,7 @@ sid_request_qs (sid_request_t *req)
 }
 
 const char*
-sid_request_url (sid_request_t *req)
+sid_request_url (sid_request_t *req, int with_path)
 {
 	/* function to determine if a connection is using https */
 	static APR_OPTIONAL_FN_TYPE(ssl_is_https) *using_https = NULL;
@@ -487,7 +494,7 @@ sid_request_url (sid_request_t *req)
 	host = req->rec->hostname ? req->rec->hostname : ap_get_server_name (req->rec);
 	scheme = is_ssl ? "https" : "http";
 	port = ap_get_server_port (req->rec);
-	uri = req->rec->uri ? req->rec->uri : "";
+	uri = with_path && req->rec->uri ? req->rec->uri : "";
 
 	/* Default ports? */
 	if ((port == 80 && !is_ssl) || (port == 443 && is_ssl))
@@ -573,8 +580,8 @@ hook_authenticate (request_rec* r)
 	if (!(authtype = ap_auth_type (r)) || strcasecmp (SID_AUTHTYPE, authtype) != 0)
 		return DECLINED;
 
-	ctx = (sid_context_t*)ap_get_module_config(r->per_dir_config, &auth_singleid_module);
-	if(ctx->identifier == NULL)
+	ctx = (sid_context_t*)ap_get_module_config (r->per_dir_config, &auth_singleid_module);
+	if (ctx->identifier == NULL)
 		return DECLINED;
 
 	mainreq = r;
@@ -611,14 +618,70 @@ hook_authenticate (request_rec* r)
 	return req.result;
 }
 
+static int
+hook_access(request_rec *r)
+{
+	sid_context_t* ctx;
+	const char* authtype;
+	char *user = r->user;
+	int m = r->method_number;
+	int method_restricted = 0;
+	register int x;
+	const char *t, *w;
+	const apr_array_header_t *reqs_arr;
+	require_line *reqs;
+
+	/* Make sure it's for us */
+	if (!(authtype = ap_auth_type (r)) || strcasecmp (SID_AUTHTYPE, authtype) != 0)
+		return DECLINED;
+
+	ctx = (sid_context_t*)ap_get_module_config (r->per_dir_config, &auth_singleid_module);
+
+	reqs_arr = ap_requires (r);
+	if (!reqs_arr)
+		return OK;
+
+	reqs = (require_line *)reqs_arr->elts;
+	for (x = 0; x < reqs_arr->nelts; x++) {
+		if (!(reqs[x].method_mask & (AP_METHOD_BIT << m)))
+			continue;
+
+		method_restricted = 1;
+
+		t = reqs[x].requirement;
+		w = ap_getword_white (r->pool, &t);
+		if (!strcmp (w, "valid-user")) {
+			return OK;
+		} else if (!strcmp (w, "user")) {
+			while (t[0]) {
+				w = ap_getword_conf (r->pool, &t);
+				if (!strcmp (user, w)) {
+					return OK;
+				}
+			}
+		} else {
+			ap_log_rerror (APLOG_MARK, APLOG_ERR, 0, r,
+			               "access to %s failed, reason: unknown require "
+			               "directive:\"%s\"", r->uri, reqs[x].requirement);
+		}
+	}
+
+	if (!method_restricted)
+		return OK;
+
+	ap_log_rerror (APLOG_MARK, APLOG_ERR, 0, r,
+	               "access to %s failed, reason: user %s not allowed access",
+	               r->uri, user);
+	return HTTP_UNAUTHORIZED;
+}
+
 static void
 register_hooks(apr_pool_t *p)
 {
-	ap_log_perror (APLOG_MARK, APLOG_ERR, 0, p, "mod_auth_singleid registering hooks");
-
 	ap_hook_post_config (hook_initialize, NULL, NULL, APR_HOOK_MIDDLE);
 	ap_hook_child_init (hook_child, NULL, NULL, APR_HOOK_MIDDLE);
 	ap_hook_check_user_id (hook_authenticate, NULL, NULL, APR_HOOK_MIDDLE);
+	ap_hook_auth_checker (hook_access, NULL, NULL, APR_HOOK_MIDDLE);
 }
 
 module AP_MODULE_DECLARE_DATA auth_singleid_module = {