// RM Configuration
char* szAuthGrpFile; // Auth GroupFile name
- int bRequireAll; // all require directives must match, otherwise OR logic
+ int bRequireAll; // all "known" require directives must match, otherwise OR logic
+ int bAuthoritative; // allow htaccess plugin to DECLINE when authz fails
// Content Configuration
char* szApplicationId; // Shib applicationId value
dc->tSettings = NULL;
dc->szAuthGrpFile = NULL;
dc->bRequireAll = -1;
+ dc->bAuthoritative = -1;
dc->szApplicationId = NULL;
dc->szRequireWith = NULL;
dc->szRedirectToSSL = NULL;
dc->bRequireSession=((child->bRequireSession==-1) ? parent->bRequireSession : child->bRequireSession);
dc->bExportAssertion=((child->bExportAssertion==-1) ? parent->bExportAssertion : child->bExportAssertion);
dc->bRequireAll=((child->bRequireAll==-1) ? parent->bRequireAll : child->bRequireAll);
+ dc->bAuthoritative=((child->bAuthoritative==-1) ? parent->bAuthoritative : child->bAuthoritative);
dc->bUseEnvVars=((child->bUseEnvVars==-1) ? parent->bUseEnvVars : child->bUseEnvVars);
dc->bUseHeaders=((child->bUseHeaders==-1) ? parent->bUseHeaders : child->bUseHeaders);
return dc;
pair<bool,long> res = sta.getServiceProvider().doAuthorization(sta);
if (res.first) return res.second;
- // We're all okay.
- return OK;
+ // The SP method should always return true, so if we get this far, something unusual happened.
+ // Just let Apache (or some other module) decide what to do.
+ return DECLINED;
}
catch (exception& e) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an exception: %s", e.what());
~htAccessControl() {}
Lockable* lock() {return this;}
void unlock() {}
- bool authorized(const SPRequest& request, const Session* session) const;
+ aclresult_t authorized(const SPRequest& request, const Session* session) const;
private:
bool checkAttribute(const SPRequest& request, const Attribute* attr, const char* toMatch, RegularExpression* re) const;
};
return false;
}
-bool htAccessControl::authorized(const SPRequest& request, const Session* session) const
+AccessControl::aclresult_t htAccessControl::authorized(const SPRequest& request, const Session* session) const
{
// Make sure the object is our type.
const ShibTargetApache* sta=dynamic_cast<const ShibTargetApache*>(&request);
const array_header* reqs_arr=ap_requires(sta->m_req);
if (!reqs_arr)
- return true;
+ return shib_acl_indeterminate; // should never happen
require_line* reqs=(require_line*)reqs_arr->elts;
#define SHIB_AP_CHECK_IS_OK { \
if (sta->m_dc->bRequireAll < 1) \
- return true; \
+ return shib_acl_true; \
auth_OK[x] = true; \
continue; \
}
request.log(SPRequest::SPDebug,"htAccessControl plugin accepting valid-user based on active session");
SHIB_AP_CHECK_IS_OK;
}
- else
+ else {
request.log(SPRequest::SPError,"htAccessControl plugin rejecting access for valid-user rule, no session is active");
+ }
}
else if (!strcmp(w,"user") && !remote_user.empty()) {
bool regexp=false;
}
}
- // check if all require directives are true
+ // If we get here, we either "failed" or we're in require all mode.
bool auth_all_OK = true;
for (int i= 0; i<reqs_arr->nelts; i++) {
auth_all_OK &= auth_OK[i];
}
if (auth_all_OK || !method_restricted)
- return true;
+ return shib_acl_true;
- return false;
+ return (sta->m_dc->bAuthoritative != 0) ? shib_acl_false : shib_acl_indeterminate;
}
SPConfig::Caching |
SPConfig::RequestMapping |
SPConfig::InProcess |
- SPConfig::Logging
+ SPConfig::Logging |
+ SPConfig::Handlers
);
if (!g_Config->init(g_szSchemaDir)) {
ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to initialize libraries");
{"ShibRequireAll", (config_fn_t)ap_set_flag_slot,
(void *) XtOffsetOf (shib_dir_config, bRequireAll),
OR_AUTHCFG, FLAG, "All require directives must match"},
+ {"AuthzShibAuthoritative", (config_fn_t)ap_set_flag_slot,
+ (void *) XtOffsetOf (shib_dir_config, bAuthoritative),
+ OR_AUTHCFG, FLAG, "Allow failed mod_shib htaccess authorization to fall through to other modules"},
{"ShibUseEnvironment", (config_fn_t)ap_set_flag_slot,
(void *) XtOffsetOf (shib_dir_config, bUseEnvVars),
OR_AUTHCFG, FLAG, "Export attributes using environment variables (default)"},
AP_INIT_FLAG("ShibRequireAll", (config_fn_t)ap_set_flag_slot,
(void *) offsetof (shib_dir_config, bRequireAll),
OR_AUTHCFG, "All require directives must match"),
+ AP_INIT_FLAG("AuthzShibAuthoritative", (config_fn_t)ap_set_flag_slot,
+ (void *) offsetof (shib_dir_config, bAuthoritative),
+ OR_AUTHCFG, "Allow failed mod_shib htaccess authorization to fall through to other modules"),
AP_INIT_FLAG("ShibUseEnvironment", (config_fn_t)ap_set_flag_slot,
(void *) offsetof (shib_dir_config, bUseEnvVars),
OR_AUTHCFG, "Export attributes using environment variables (default)"),
virtual ~AccessControl() {}
/**
+ * Possible results from an access control decision.
+ */
+ enum aclresult_t {
+ shib_acl_true,
+ shib_acl_false,
+ shib_acl_indeterminate
+ };
+
+ /**
* Perform an authorization check.
*
* @param request SP request information
* @param session active user session, if any
* @return true iff access should be granted
*/
- virtual bool authorized(const SPRequest& request, const Session* session) const=0;
+ virtual aclresult_t authorized(const SPRequest& request, const Session* session) const=0;
};
/**
}
Locker acllock(settings.second);
- if (settings.second->authorized(request,session)) {
- // Let the caller decide how to proceed.
- request.log(SPRequest::SPDebug, "access control provider granted access");
- return make_pair(false,0);
- }
- else {
- request.log(SPRequest::SPWarn, "access control provider denied access");
- TemplateParameters tp;
- tp.m_map["requestURL"] = targetURL;
- return make_pair(true,sendError(request, app, "access", tp));
+ switch (settings.second->authorized(request,session)) {
+ case AccessControl::shib_acl_true:
+ request.log(SPRequest::SPDebug, "access control provider granted access");
+ return make_pair(true,request.returnOK());
+
+ case AccessControl::shib_acl_false:
+ {
+ request.log(SPRequest::SPWarn, "access control provider denied access");
+ TemplateParameters tp;
+ tp.m_map["requestURL"] = targetURL;
+ return make_pair(true,sendError(request, app, "access", tp));
+ }
+
+ default:
+ // Use the "DECLINE" interface to signal we don't know what to do.
+ return make_pair(true,request.returnDecline());
}
- return make_pair(false,0);
}
- else
+ else {
return make_pair(true,request.returnDecline());
+ }
}
catch (exception& e) {
TemplateParameters tp(&e);
Lockable* lock() {return this;}\r
void unlock() {}\r
\r
- bool authorized(const SPRequest& request, const Session* session) const;\r
+ aclresult_t authorized(const SPRequest& request, const Session* session) const;\r
\r
private:\r
string m_alias;\r
Lockable* lock() {return this;}\r
void unlock() {}\r
\r
- bool authorized(const SPRequest& request, const Session* session) const;\r
+ aclresult_t authorized(const SPRequest& request, const Session* session) const;\r
\r
private:\r
enum operator_t { OP_NOT, OP_AND, OP_OR } m_op;\r
delete m_rootAuthz;\r
}\r
\r
- bool authorized(const SPRequest& request, const Session* session) const;\r
+ aclresult_t authorized(const SPRequest& request, const Session* session) const;\r
\r
protected:\r
pair<bool,DOMElement*> load();\r
}\r
}\r
\r
-bool Rule::authorized(const SPRequest& request, const Session* session) const\r
+AccessControl::aclresult_t Rule::authorized(const SPRequest& request, const Session* session) const\r
{\r
// We can make this more complex later using pluggable comparison functions,\r
// but for now, just a straight port to the new Attribute API.\r
// Map alias in rule to the attribute.\r
if (!session) {\r
request.log(SPRequest::SPWarn, "AccessControl plugin not given a valid session to evaluate, are you using lazy sessions?");\r
- return false;\r
+ return shib_acl_false;\r
}\r
\r
// Find the attribute(s) matching the require rule.\r
session->getIndexedAttributes().equal_range(m_alias);\r
if (attrs.first == attrs.second) {\r
request.log(SPRequest::SPWarn, string("rule requires attribute (") + m_alias + "), not found in session");\r
- return false;\r
+ return shib_acl_false;\r
}\r
\r
for (; attrs.first != attrs.second; ++attrs.first) {\r
for (vector<string>::const_iterator j=vals.begin(); j!=vals.end(); ++j) {\r
if ((caseSensitive && *i == *j) || (!caseSensitive && !strcasecmp(i->c_str(),j->c_str()))) {\r
request.log(SPRequest::SPDebug, string("AccessControl plugin expecting ") + *j + ", authz granted");\r
- return true;\r
+ return shib_acl_true;\r
}\r
}\r
}\r
}\r
\r
- return false;\r
+ return shib_acl_false;\r
}\r
\r
Operator::Operator(const DOMElement* e)\r
for_each(m_operands.begin(),m_operands.end(),xmltooling::cleanup<AccessControl>());\r
}\r
\r
-bool Operator::authorized(const SPRequest& request, const Session* session) const\r
+AccessControl::aclresult_t Operator::authorized(const SPRequest& request, const Session* session) const\r
{\r
switch (m_op) {\r
case OP_NOT:\r
- return !m_operands[0]->authorized(request,session);\r
+ switch (m_operands[0]->authorized(request,session)) {\r
+ case shib_acl_true:\r
+ return shib_acl_false;\r
+ case shib_acl_false:\r
+ return shib_acl_true;\r
+ default:\r
+ return shib_acl_indeterminate;\r
+ }\r
\r
case OP_AND:\r
{\r
for (vector<AccessControl*>::const_iterator i=m_operands.begin(); i!=m_operands.end(); i++) {\r
if (!(*i)->authorized(request,session))\r
- return false;\r
+ return shib_acl_false;\r
}\r
- return true;\r
+ return shib_acl_true;\r
}\r
\r
case OP_OR:\r
{\r
for (vector<AccessControl*>::const_iterator i=m_operands.begin(); i!=m_operands.end(); i++) {\r
if ((*i)->authorized(request,session))\r
- return true;\r
+ return shib_acl_true;\r
}\r
- return false;\r
+ return shib_acl_false;\r
}\r
}\r
request.log(SPRequest::SPWarn,"unknown operation in access control policy, denying access");\r
- return false;\r
+ return shib_acl_false;\r
}\r
\r
pair<bool,DOMElement*> XMLAccessControl::load()\r
return make_pair(false,(DOMElement*)NULL);\r
}\r
\r
-bool XMLAccessControl::authorized(const SPRequest& request, const Session* session) const\r
+AccessControl::aclresult_t XMLAccessControl::authorized(const SPRequest& request, const Session* session) const\r
{\r
- return m_rootAuthz ? m_rootAuthz->authorized(request,session) : false;\r
+ return m_rootAuthz ? m_rootAuthz->authorized(request,session) : shib_acl_false;\r
}\r
\r
void unlock() {}\r
\r
- bool authorized(const SPRequest& request, const Session* session) const {\r
- return false;\r
+ aclresult_t authorized(const SPRequest& request, const Session* session) const {\r
+ return shib_acl_false;\r
}\r
};\r
\r