Skip to content

Commit

Permalink
Remove Apache 2.2 support
Browse files Browse the repository at this point in the history
  • Loading branch information
dhawes committed Apr 4, 2022
1 parent c642248 commit 90bedfd
Show file tree
Hide file tree
Showing 3 changed files with 1 addition and 222 deletions.
12 changes: 1 addition & 11 deletions README
Original file line number Diff line number Diff line change
Expand Up @@ -295,15 +295,6 @@ Description: Set the optional 'Secure' attribute for cookies issued by mod_auth_
the connection (the 'Auto' option). The options 'On' and 'Off' can be used to override
the automatic behaviour.

Directive: CASAuthoritative
Default: Off
Description: This directive determines whether an optional authorization directive
(see 'Require cas-attribute') is authoritative and thus binding or
if other authorization modules will also be applied.
'On' means authoritative, 'Off' means not authoritative.
NOTE: This directive is unavailable with Apache 2.4. See the RequireAny,
RequireNone, and RequireAll directives instead.

Directive: CASValidateSAML
Default: Off
Description: If enabled, the response from the CAS Server will be parsed for SAML
Expand Down Expand Up @@ -412,7 +403,6 @@ Description: Use this directive to authorize based on CAS or SAML attributes
returned via the session validation call. Multiple directives
are OR-ed. If directive is present with no attributes defined,
the request is declined. If value has spaces, wrap the pair in quotes.
See also CASAuthoritative.

Directive: Require cas-attribute <attribute>~<value>
Default: NULL
Expand All @@ -421,7 +411,7 @@ Description: Use this form of the directive to authorize based on CAS or SAML
directives are OR-ed. If directive is present with no attributes
defined, the request is declined. The value is interpreted as a
Perl-Compatible Regular Expression (PCRE) using case-sensitive
matching. See also CASAuthoritative.
matching.

========================================================================
CONTACT INFORMATION AND WEBSITE
Expand Down
205 changes: 0 additions & 205 deletions src/mod_auth_cas.c
Original file line number Diff line number Diff line change
Expand Up @@ -124,9 +124,6 @@ void *cas_create_server_config(apr_pool_t *pool, server_rec *svr)
c->CASValidateSAML = CAS_DEFAULT_VALIDATE_SAML;
c->CASAttributeDelimiter = CAS_DEFAULT_ATTRIBUTE_DELIMITER;
c->CASAttributePrefix = CAS_DEFAULT_ATTRIBUTE_PREFIX;
#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
c->CASAuthoritative = CAS_DEFAULT_AUTHORITATIVE;
#endif
c->CASPreserveTicket = CAS_DEFAULT_PRESERVE_TICKET;
cas_setURL(pool, &(c->CASLoginURL), CAS_DEFAULT_LOGIN_URL);
cas_setURL(pool, &(c->CASValidateURL), CAS_DEFAULT_VALIDATE_URL);
Expand Down Expand Up @@ -161,9 +158,6 @@ void *cas_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD)
c->CASCookieSecure = (add->CASCookieSecure != CAS_DEFAULT_COOKIE_SECURE ? add->CASCookieSecure : base->CASCookieSecure);
c->CASSSOEnabled = (add->CASSSOEnabled != CAS_DEFAULT_SSO_ENABLED ? add->CASSSOEnabled : base->CASSSOEnabled);
c->CASValidateSAML = (add->CASValidateSAML != CAS_DEFAULT_VALIDATE_SAML ? add->CASValidateSAML : base->CASValidateSAML);
#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
c->CASAuthoritative = (add->CASAuthoritative != CAS_DEFAULT_AUTHORITATIVE ? add->CASAuthoritative : base->CASAuthoritative);
#endif
c->CASPreserveTicket = (add->CASPreserveTicket != CAS_DEFAULT_PRESERVE_TICKET ? add->CASPreserveTicket : base->CASPreserveTicket);
c->CASAttributeDelimiter = (apr_strnatcasecmp(add->CASAttributeDelimiter, CAS_DEFAULT_ATTRIBUTE_DELIMITER) != 0 ? add->CASAttributeDelimiter : base->CASAttributeDelimiter);
c->CASAttributePrefix = (apr_strnatcasecmp(add->CASAttributePrefix, CAS_DEFAULT_ATTRIBUTE_PREFIX) != 0 ? add->CASAttributePrefix : base->CASAttributePrefix);
Expand Down Expand Up @@ -423,16 +417,6 @@ const char *cfg_readCASParameter(cmd_parms *cmd, void *cfg, const char *value)
else
return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Invalid argument to CASSSOEnabled - must be 'On' or 'Off'"));
break;
#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
case cmd_authoritative:
if(apr_strnatcasecmp(value, "On") == 0)
c->CASAuthoritative = TRUE;
else if(apr_strnatcasecmp(value, "Off") == 0)
c->CASAuthoritative = FALSE;
else
return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Invalid argument to CASAuthoritative - must be 'On' or 'Off'"));
break;
#endif
case cmd_preserve_ticket:
if(apr_strnatcasecmp(value, "On") == 0)
c->CASPreserveTicket = TRUE;
Expand Down Expand Up @@ -473,11 +457,7 @@ apr_byte_t cas_setURL(apr_pool_t *pool, apr_uri_t *uri, const char *url)
apr_byte_t isSSL(const request_rec *r)
{

#ifdef APACHE2_0
if(apr_strnatcasecmp("https", ap_http_method(r)) == 0)
#else
if(apr_strnatcasecmp("https", ap_http_scheme(r)) == 0)
#endif
return TRUE;

return FALSE;
Expand Down Expand Up @@ -602,11 +582,7 @@ char *getCASService(const request_rec *r, const cas_cfg *c)
char *scheme, *port_str = "", *service;
apr_byte_t print_port = TRUE;

#ifdef APACHE2_0
scheme = (char *) ap_http_method(r);
#else
scheme = (char *) ap_http_scheme(r);
#endif

if (root_proxy->is_initialized) {
service = apr_psprintf(r->pool, "%s%s%s%s",
Expand Down Expand Up @@ -2238,17 +2214,10 @@ int cas_authenticate(request_rec *r)
if(c->CASRootProxiedAs.is_initialized) {
newLocation = apr_psprintf(r->pool, "%s%s%s%s", apr_uri_unparse(r->pool, &c->CASRootProxiedAs, 0), r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : ""));
} else {
#ifdef APACHE2_0
if(printPort == TRUE)
newLocation = apr_psprintf(r->pool, "%s://%s:%u%s%s%s", ap_http_method(r), r->server->server_hostname, r->connection->local_addr->port, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : ""));
else
newLocation = apr_psprintf(r->pool, "%s://%s%s%s%s", ap_http_method(r), r->server->server_hostname, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : ""));
#else
if(printPort == TRUE)
newLocation = apr_psprintf(r->pool, "%s://%s:%u%s%s%s", ap_http_scheme(r), r->server->server_hostname, r->connection->local_addr->port, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : ""));
else
newLocation = apr_psprintf(r->pool, "%s://%s%s%s%s", ap_http_scheme(r), r->server->server_hostname, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : ""));
#endif
}
apr_table_add(r->headers_out, "Location", newLocation);
return HTTP_MOVED_TEMPORARILY;
Expand Down Expand Up @@ -2431,7 +2400,6 @@ int cas_match_attribute(const char *const attr_spec, const cas_saml_attr *const
}
return CAS_ATTR_NO_MATCH;
}
#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211

authz_status cas_check_authorization(request_rec *r,
const char *require_line,
Expand Down Expand Up @@ -2478,157 +2446,6 @@ static const authz_provider authz_cas_provider =
NULL,
};

#else

/* CAS authorization module, code adopted from Nick Kew's Apache Modules Book, 2007, p. 190f */
int cas_authorize(request_rec *r)
{
const cas_saml_attr *const attrs = cas_get_attributes(r);

const apr_array_header_t *const reqs_arr = ap_requires(r);
const require_line *const reqs =
reqs_arr ? (require_line *) reqs_arr->elts : NULL;
const cas_cfg *const c =
ap_get_module_config(r->server->module_config,
&auth_cas_module);

if(c->CASDebug)
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Entering cas_authorize.");

if (!reqs_arr) {
if(c->CASDebug)
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"No require statements found, "
"so declining to perform authorization.");
return DECLINED;
}

return (cas_authorize_worker(r, attrs, reqs, reqs_arr->nelts, c));
}

/* Pulled out from cas_authorize to enable unit-testing */

int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const require_line *const reqs, int nelts, const cas_cfg *const c)
{
const int m = r->method_number;
const char *token;
const char *requirement;
int i;
int have_casattr = 0;
int count_casattr = 0;

// Q: why don't we use ap_some_auth_required here?? performance?

/* Go through applicable Require directives */
for (i = 0; i < nelts; ++i) {
/* Ignore this Require if it's in a <Limit> section
* that exclude this method
*/

if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) {
continue;
}

/* ignore if it's not a "Require cas-attribute ..." */
requirement = reqs[i].requirement;

token = ap_getword_white(r->pool, &requirement);

if (apr_strnatcasecmp(token, "cas-attribute") != 0) {
continue;
}

/* OK, we have a "Require cas-attribute" to satisfy */
have_casattr = 1;

/* If we have an applicable cas-attribute, but no
* attributes were sent in the request, then we can
* just stop looking here, because it's not
* satisfiable. The code after this loop will give the
* appropriate response. */
if (!attrs) {
break;
}

/* Iterate over the attribute specification strings in this
* require directive searching for a specification that
* matches one of the attributes. */
while (*requirement) {
token = ap_getword_conf(r->pool, &requirement);
count_casattr++;

if(c->CASDebug)
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Evaluating attribute specification: %s",
token);

if (cas_match_attribute(token, attrs, r) ==
CAS_ATTR_MATCH) {

/* If *any* attribute matches, then
* authorization has succeeded and all
* of the others are ignored. */
if(c->CASDebug)
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Require cas-attribute "
"'%s' matched", token);
return OK;
}
}
}

/* If there weren't any "Require cas-attribute" directives,
* we're irrelevant.
*/
if (!have_casattr) {
if(c->CASDebug)
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"No cas-attribute statements found. "
"Not performing authZ.");
return DECLINED;
}

/* If we have no attributes to evaluate, it's worth reporting (may be attribute release upstream has yet to be approved)
*/
if (have_casattr && !attrs) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"'Require cas-attribute' cannot be satisfied; no attributes were available for authorization.");
return DECLINED;
}

/* If there was a "Require cas-attribute", but no actual attributes,
* that's cause to warn the admin of an iffy configuration.
*/
if (count_casattr == 0) {
if(c->CASDebug)
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"'Require cas-attribute' missing specification(s) in configuration. Declining.");
return DECLINED;
}

/* If we're not authoritative, hand over to other authz modules */
if (!c->CASAuthoritative) {
if(c->CASDebug)
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Authorization failed, but we are not "
"authoritative, thus handing over to other "
"module(s).");
return DECLINED;
}

/* OK, our decision is final and binding */
if(c->CASDebug)
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Authorization denied for client session");

ap_note_auth_failure(r);

return HTTP_UNAUTHORIZED;
}

#endif

#if OPENSSL_VERSION_NUMBER < 0x10100000L && defined(OPENSSL_THREADS) && APR_HAS_THREADS

/* shamelessly based on code from mod_ssl */
Expand Down Expand Up @@ -2849,34 +2666,15 @@ apr_status_t cas_in_filter(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode

void cas_register_hooks(apr_pool_t *p)
{
#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "cas-attribute",
AUTHZ_PROVIDER_VERSION,
&authz_cas_provider, AP_AUTH_INTERNAL_PER_CONF);
#else
/* make sure we run before mod_authz_user so that a "require valid-user"
* directive doesn't just automatically pass us. */
static const char *const authzSucc[] = { "mod_authz_user.c", NULL };
ap_hook_auth_checker(cas_authorize, NULL, authzSucc, APR_HOOK_MIDDLE);
#endif

#if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
ap_hook_check_authn(
cas_authenticate,
NULL,
NULL,
APR_HOOK_MIDDLE,
AP_AUTH_INTERNAL_PER_URI);
#elif MODULE_MAGIC_NUMBER_MAJOR >= 20100714
ap_hook_check_access_ex(
cas_authenticate,
NULL,
NULL,
APR_HOOK_MIDDLE,
AP_AUTH_INTERNAL_PER_URI);
#else
ap_hook_check_user_id(cas_authenticate, NULL, NULL, APR_HOOK_MIDDLE);
#endif
ap_hook_post_config(cas_post_config, NULL, NULL, APR_HOOK_LAST);
ap_register_input_filter("CAS", cas_in_filter, NULL, AP_FTYPE_RESOURCE);
}
Expand Down Expand Up @@ -2921,9 +2719,6 @@ const command_rec cas_cmds [] = {
AP_INIT_TAKE1("CASRootProxiedAs", cfg_readCASParameter, (void *) cmd_root_proxied_as, RSRC_CONF, "URL used to access the root of the virtual server (only needed when the server is proxied)"),
AP_INIT_TAKE1("CASScrubRequestHeaders", ap_set_string_slot, (void *) APR_OFFSETOF(cas_dir_cfg, CASScrubRequestHeaders), ACCESS_CONF, "Scrub CAS user name and SAML attribute headers from the user's request."),
/* authorization options */
#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
AP_INIT_TAKE1("CASAuthoritative", cfg_readCASParameter, (void *) cmd_authoritative, RSRC_CONF, "Set 'On' to reject if access isn't allowed based on our rules; 'Off' (default) to allow checking against other modules too."),
#endif
AP_INIT_TAKE1("CASPreserveTicket", cfg_readCASParameter, (void *) cmd_preserve_ticket, RSRC_CONF, "Leave CAS ticket parameters intact when a valid session cookie exists. This helps prevent infinite redirect loops when CAS protection is being used at multiple levels."),
AP_INIT_TAKE1(0, 0, 0, 0, 0)
};
Expand Down
6 changes: 0 additions & 6 deletions src/mod_auth_cas.h
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,6 @@
#define CAS_DEFAULT_AUTHN_HEADER NULL
#define CAS_DEFAULT_SCRUB_REQUEST_HEADERS NULL
#define CAS_DEFAULT_SSO_ENABLED FALSE
#define CAS_DEFAULT_AUTHORITATIVE FALSE
#define CAS_DEFAULT_PRESERVE_TICKET FALSE

#define CAS_MAX_RESPONSE_SIZE 2147483648
Expand Down Expand Up @@ -252,12 +251,7 @@ const cas_saml_attr *cas_get_attributes(request_rec *r);
int cas_match_attribute(const char *const attr_spec, const cas_saml_attr *const attributes, struct request_rec *r);

/* Authorization check */
#if MODULE_MAGIC_NUMBER_MAJOR < 20120211
int cas_authorize(request_rec *r);
int cas_authorize_worker(request_rec *r, const cas_saml_attr *const attrs, const require_line *const reqs, int nelts, const cas_cfg *const c);
#else
authz_status cas_check_authorization(request_rec *r, const char *require_line, const void *parsed_require_line);
#endif

/* Fancy wrapper around flock() */
int cas_flock(apr_file_t *fileHandle, int lockOperation, request_rec *r);
Expand Down

0 comments on commit 90bedfd

Please sign in to comment.