From 90bedfd5b7642c05d23d3e7b67e1b055b5baae3b Mon Sep 17 00:00:00 2001 From: David Hawes Date: Mon, 4 Apr 2022 08:43:13 -0400 Subject: [PATCH] Remove Apache 2.2 support --- README | 12 +-- src/mod_auth_cas.c | 205 --------------------------------------------- src/mod_auth_cas.h | 6 -- 3 files changed, 1 insertion(+), 222 deletions(-) diff --git a/README b/README index 1eb755c..d84de62 100644 --- a/README +++ b/README @@ -295,15 +295,6 @@ Description: Set the optional 'Secure' attribute for cookies issued by mod_auth_ the connection (the 'Auto' option). The options 'On' and 'Off' can be used to override the automatic behaviour. -Directive: CASAuthoritative -Default: Off -Description: This directive determines whether an optional authorization directive - (see 'Require cas-attribute') is authoritative and thus binding or - if other authorization modules will also be applied. - 'On' means authoritative, 'Off' means not authoritative. - NOTE: This directive is unavailable with Apache 2.4. See the RequireAny, - RequireNone, and RequireAll directives instead. - Directive: CASValidateSAML Default: Off Description: If enabled, the response from the CAS Server will be parsed for SAML @@ -412,7 +403,6 @@ Description: Use this directive to authorize based on CAS or SAML attributes returned via the session validation call. Multiple directives are OR-ed. If directive is present with no attributes defined, the request is declined. If value has spaces, wrap the pair in quotes. - See also CASAuthoritative. Directive: Require cas-attribute ~ Default: NULL @@ -421,7 +411,7 @@ Description: Use this form of the directive to authorize based on CAS or SAML directives are OR-ed. If directive is present with no attributes defined, the request is declined. The value is interpreted as a Perl-Compatible Regular Expression (PCRE) using case-sensitive - matching. See also CASAuthoritative. + matching. ======================================================================== CONTACT INFORMATION AND WEBSITE diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c index c91a55f..1715931 100644 --- a/src/mod_auth_cas.c +++ b/src/mod_auth_cas.c @@ -124,9 +124,6 @@ void *cas_create_server_config(apr_pool_t *pool, server_rec *svr) c->CASValidateSAML = CAS_DEFAULT_VALIDATE_SAML; c->CASAttributeDelimiter = CAS_DEFAULT_ATTRIBUTE_DELIMITER; c->CASAttributePrefix = CAS_DEFAULT_ATTRIBUTE_PREFIX; -#if MODULE_MAGIC_NUMBER_MAJOR < 20120211 - c->CASAuthoritative = CAS_DEFAULT_AUTHORITATIVE; -#endif c->CASPreserveTicket = CAS_DEFAULT_PRESERVE_TICKET; cas_setURL(pool, &(c->CASLoginURL), CAS_DEFAULT_LOGIN_URL); cas_setURL(pool, &(c->CASValidateURL), CAS_DEFAULT_VALIDATE_URL); @@ -161,9 +158,6 @@ void *cas_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) c->CASCookieSecure = (add->CASCookieSecure != CAS_DEFAULT_COOKIE_SECURE ? add->CASCookieSecure : base->CASCookieSecure); c->CASSSOEnabled = (add->CASSSOEnabled != CAS_DEFAULT_SSO_ENABLED ? add->CASSSOEnabled : base->CASSSOEnabled); c->CASValidateSAML = (add->CASValidateSAML != CAS_DEFAULT_VALIDATE_SAML ? add->CASValidateSAML : base->CASValidateSAML); -#if MODULE_MAGIC_NUMBER_MAJOR < 20120211 - c->CASAuthoritative = (add->CASAuthoritative != CAS_DEFAULT_AUTHORITATIVE ? add->CASAuthoritative : base->CASAuthoritative); -#endif c->CASPreserveTicket = (add->CASPreserveTicket != CAS_DEFAULT_PRESERVE_TICKET ? add->CASPreserveTicket : base->CASPreserveTicket); c->CASAttributeDelimiter = (apr_strnatcasecmp(add->CASAttributeDelimiter, CAS_DEFAULT_ATTRIBUTE_DELIMITER) != 0 ? add->CASAttributeDelimiter : base->CASAttributeDelimiter); c->CASAttributePrefix = (apr_strnatcasecmp(add->CASAttributePrefix, CAS_DEFAULT_ATTRIBUTE_PREFIX) != 0 ? add->CASAttributePrefix : base->CASAttributePrefix); @@ -423,16 +417,6 @@ const char *cfg_readCASParameter(cmd_parms *cmd, void *cfg, const char *value) else return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Invalid argument to CASSSOEnabled - must be 'On' or 'Off'")); break; -#if MODULE_MAGIC_NUMBER_MAJOR < 20120211 - case cmd_authoritative: - if(apr_strnatcasecmp(value, "On") == 0) - c->CASAuthoritative = TRUE; - else if(apr_strnatcasecmp(value, "Off") == 0) - c->CASAuthoritative = FALSE; - else - return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Invalid argument to CASAuthoritative - must be 'On' or 'Off'")); - break; -#endif case cmd_preserve_ticket: if(apr_strnatcasecmp(value, "On") == 0) c->CASPreserveTicket = TRUE; @@ -473,11 +457,7 @@ apr_byte_t cas_setURL(apr_pool_t *pool, apr_uri_t *uri, const char *url) apr_byte_t isSSL(const request_rec *r) { -#ifdef APACHE2_0 - if(apr_strnatcasecmp("https", ap_http_method(r)) == 0) -#else if(apr_strnatcasecmp("https", ap_http_scheme(r)) == 0) -#endif return TRUE; return FALSE; @@ -602,11 +582,7 @@ char *getCASService(const request_rec *r, const cas_cfg *c) char *scheme, *port_str = "", *service; apr_byte_t print_port = TRUE; -#ifdef APACHE2_0 - scheme = (char *) ap_http_method(r); -#else scheme = (char *) ap_http_scheme(r); -#endif if (root_proxy->is_initialized) { service = apr_psprintf(r->pool, "%s%s%s%s", @@ -2238,17 +2214,10 @@ int cas_authenticate(request_rec *r) if(c->CASRootProxiedAs.is_initialized) { newLocation = apr_psprintf(r->pool, "%s%s%s%s", apr_uri_unparse(r->pool, &c->CASRootProxiedAs, 0), r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); } else { -#ifdef APACHE2_0 - if(printPort == TRUE) - newLocation = apr_psprintf(r->pool, "%s://%s:%u%s%s%s", ap_http_method(r), r->server->server_hostname, r->connection->local_addr->port, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); - else - newLocation = apr_psprintf(r->pool, "%s://%s%s%s%s", ap_http_method(r), r->server->server_hostname, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); -#else if(printPort == TRUE) newLocation = apr_psprintf(r->pool, "%s://%s:%u%s%s%s", ap_http_scheme(r), r->server->server_hostname, r->connection->local_addr->port, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); else newLocation = apr_psprintf(r->pool, "%s://%s%s%s%s", ap_http_scheme(r), r->server->server_hostname, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); -#endif } apr_table_add(r->headers_out, "Location", newLocation); return HTTP_MOVED_TEMPORARILY; @@ -2431,7 +2400,6 @@ int cas_match_attribute(const char *const attr_spec, const cas_saml_attr *const } return CAS_ATTR_NO_MATCH; } -#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211 authz_status cas_check_authorization(request_rec *r, const char *require_line, @@ -2478,157 +2446,6 @@ static const authz_provider authz_cas_provider = NULL, }; -#else - -/* CAS authorization module, code adopted from Nick Kew's Apache Modules Book, 2007, p. 190f */ -int cas_authorize(request_rec *r) -{ - const cas_saml_attr *const attrs = cas_get_attributes(r); - - const apr_array_header_t *const reqs_arr = ap_requires(r); - const require_line *const reqs = - reqs_arr ? (require_line *) reqs_arr->elts : NULL; - const cas_cfg *const c = - ap_get_module_config(r->server->module_config, - &auth_cas_module); - - if(c->CASDebug) - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Entering cas_authorize."); - - if (!reqs_arr) { - if(c->CASDebug) - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "No require statements found, " - "so declining to perform authorization."); - return DECLINED; - } - - return (cas_authorize_worker(r, attrs, reqs, reqs_arr->nelts, c)); -} - -/* Pulled out from cas_authorize to enable unit-testing */ - -int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const require_line *const reqs, int nelts, const cas_cfg *const c) -{ - const int m = r->method_number; - const char *token; - const char *requirement; - int i; - int have_casattr = 0; - int count_casattr = 0; - - // Q: why don't we use ap_some_auth_required here?? performance? - - /* Go through applicable Require directives */ - for (i = 0; i < nelts; ++i) { - /* Ignore this Require if it's in a section - * that exclude this method - */ - - if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) { - continue; - } - - /* ignore if it's not a "Require cas-attribute ..." */ - requirement = reqs[i].requirement; - - token = ap_getword_white(r->pool, &requirement); - - if (apr_strnatcasecmp(token, "cas-attribute") != 0) { - continue; - } - - /* OK, we have a "Require cas-attribute" to satisfy */ - have_casattr = 1; - - /* If we have an applicable cas-attribute, but no - * attributes were sent in the request, then we can - * just stop looking here, because it's not - * satisfiable. The code after this loop will give the - * appropriate response. */ - if (!attrs) { - break; - } - - /* Iterate over the attribute specification strings in this - * require directive searching for a specification that - * matches one of the attributes. */ - while (*requirement) { - token = ap_getword_conf(r->pool, &requirement); - count_casattr++; - - if(c->CASDebug) - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Evaluating attribute specification: %s", - token); - - if (cas_match_attribute(token, attrs, r) == - CAS_ATTR_MATCH) { - - /* If *any* attribute matches, then - * authorization has succeeded and all - * of the others are ignored. */ - if(c->CASDebug) - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Require cas-attribute " - "'%s' matched", token); - return OK; - } - } - } - - /* If there weren't any "Require cas-attribute" directives, - * we're irrelevant. - */ - if (!have_casattr) { - if(c->CASDebug) - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "No cas-attribute statements found. " - "Not performing authZ."); - return DECLINED; - } - - /* If we have no attributes to evaluate, it's worth reporting (may be attribute release upstream has yet to be approved) - */ - if (have_casattr && !attrs) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, - "'Require cas-attribute' cannot be satisfied; no attributes were available for authorization."); - return DECLINED; - } - - /* If there was a "Require cas-attribute", but no actual attributes, - * that's cause to warn the admin of an iffy configuration. - */ - if (count_casattr == 0) { - if(c->CASDebug) - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, - "'Require cas-attribute' missing specification(s) in configuration. Declining."); - return DECLINED; - } - - /* If we're not authoritative, hand over to other authz modules */ - if (!c->CASAuthoritative) { - if(c->CASDebug) - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Authorization failed, but we are not " - "authoritative, thus handing over to other " - "module(s)."); - return DECLINED; - } - - /* OK, our decision is final and binding */ - if(c->CASDebug) - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Authorization denied for client session"); - - ap_note_auth_failure(r); - - return HTTP_UNAUTHORIZED; -} - -#endif - #if OPENSSL_VERSION_NUMBER < 0x10100000L && defined(OPENSSL_THREADS) && APR_HAS_THREADS /* shamelessly based on code from mod_ssl */ @@ -2849,34 +2666,15 @@ apr_status_t cas_in_filter(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode void cas_register_hooks(apr_pool_t *p) { -#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "cas-attribute", AUTHZ_PROVIDER_VERSION, &authz_cas_provider, AP_AUTH_INTERNAL_PER_CONF); -#else - /* make sure we run before mod_authz_user so that a "require valid-user" - * directive doesn't just automatically pass us. */ - static const char *const authzSucc[] = { "mod_authz_user.c", NULL }; - ap_hook_auth_checker(cas_authorize, NULL, authzSucc, APR_HOOK_MIDDLE); -#endif - -#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211 ap_hook_check_authn( cas_authenticate, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_URI); -#elif MODULE_MAGIC_NUMBER_MAJOR >= 20100714 - ap_hook_check_access_ex( - cas_authenticate, - NULL, - NULL, - APR_HOOK_MIDDLE, - AP_AUTH_INTERNAL_PER_URI); -#else - ap_hook_check_user_id(cas_authenticate, NULL, NULL, APR_HOOK_MIDDLE); -#endif ap_hook_post_config(cas_post_config, NULL, NULL, APR_HOOK_LAST); ap_register_input_filter("CAS", cas_in_filter, NULL, AP_FTYPE_RESOURCE); } @@ -2921,9 +2719,6 @@ const command_rec cas_cmds [] = { AP_INIT_TAKE1("CASRootProxiedAs", cfg_readCASParameter, (void *) cmd_root_proxied_as, RSRC_CONF, "URL used to access the root of the virtual server (only needed when the server is proxied)"), AP_INIT_TAKE1("CASScrubRequestHeaders", ap_set_string_slot, (void *) APR_OFFSETOF(cas_dir_cfg, CASScrubRequestHeaders), ACCESS_CONF, "Scrub CAS user name and SAML attribute headers from the user's request."), /* authorization options */ -#if MODULE_MAGIC_NUMBER_MAJOR < 20120211 - AP_INIT_TAKE1("CASAuthoritative", cfg_readCASParameter, (void *) cmd_authoritative, RSRC_CONF, "Set 'On' to reject if access isn't allowed based on our rules; 'Off' (default) to allow checking against other modules too."), -#endif AP_INIT_TAKE1("CASPreserveTicket", cfg_readCASParameter, (void *) cmd_preserve_ticket, RSRC_CONF, "Leave CAS ticket parameters intact when a valid session cookie exists. This helps prevent infinite redirect loops when CAS protection is being used at multiple levels."), AP_INIT_TAKE1(0, 0, 0, 0, 0) }; diff --git a/src/mod_auth_cas.h b/src/mod_auth_cas.h index b446ee7..96499ac 100644 --- a/src/mod_auth_cas.h +++ b/src/mod_auth_cas.h @@ -104,7 +104,6 @@ #define CAS_DEFAULT_AUTHN_HEADER NULL #define CAS_DEFAULT_SCRUB_REQUEST_HEADERS NULL #define CAS_DEFAULT_SSO_ENABLED FALSE -#define CAS_DEFAULT_AUTHORITATIVE FALSE #define CAS_DEFAULT_PRESERVE_TICKET FALSE #define CAS_MAX_RESPONSE_SIZE 2147483648 @@ -252,12 +251,7 @@ const cas_saml_attr *cas_get_attributes(request_rec *r); int cas_match_attribute(const char *const attr_spec, const cas_saml_attr *const attributes, struct request_rec *r); /* Authorization check */ -#if MODULE_MAGIC_NUMBER_MAJOR < 20120211 -int cas_authorize(request_rec *r); -int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const require_line *const reqs, int nelts, const cas_cfg *const c); -#else authz_status cas_check_authorization(request_rec *r, const char *require_line, const void *parsed_require_line); -#endif /* Fancy wrapper around flock() */ int cas_flock(apr_file_t *fileHandle, int lockOperation, request_rec *r);