core: Add the token_checker hook, that allows authentication to take

place using mechanisms other than username/password, such as bearer
tokens.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909409 13f79535-47bb-0310-9956-ffa450edef68

3 files changed, 71 insertions, 1 deletions

diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 613ebfe10f..7b6e524aae 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -715,6 +715,8 @@
  * 20211221.10 (2.5.1-dev) Add ap_proxy_canonenc_ex
  * 20211221.11 (2.5.1-dev) Add AP_CTIME_OPTION_GMTOFF to util_time.h
  * 20211221.12 (2.5.1-dev) Add cmd_parms->regex
+ * 20211221.13 (2.5.1-dev) Add hook token_checker to check for authorization other
+ *                         than username / password. Add autht_provider structure.
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
@@ -722,7 +724,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20211221
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 12             /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 13             /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/include/http_request.h b/include/http_request.h
index 93defac285..6823aea4ff 100644
--- a/include/http_request.h
+++ b/include/http_request.h
@@ -481,6 +481,19 @@ AP_DECLARE_HOOK(int,access_checker_ex,(request_rec *r))
 AP_DECLARE_HOOK(int,auth_checker,(request_rec *r))
 
 /**
+ * This hook is used to parse any tokens in the request that might key
+ * or contain metadata such as users or IP addresses that may be
+ * relevant to the request. It runs before the access checker. This
+ * hook should be registered with ap_hook_check_autht().
+ *
+ * @param r the current request
+ * @return OK, DECLINED, or HTTP_...
+ * @ingroup hooks
+ * @see ap_hook_check_authz
+ */
+AP_DECLARE_HOOK(int,token_checker,(request_rec *r))
+
+/**
  * Register a hook function that will apply additional access control to
  * the current request.
  * @param pf An access_checker hook function
@@ -516,6 +529,24 @@ AP_DECLARE(void) ap_hook_check_access_ex(ap_HOOK_access_checker_ex_t *pf,
                                          const char * const *aszSucc,
                                          int nOrder, int type);
 
+/**
+ * Register a hook function that will analyze the request headers, extract
+ * any tokens, and apply and metadata contained in the tokens or keyed against
+ * the tokens to the request record.
+ * @param pf A token_checker hook function
+ * @param aszPre A NULL-terminated array of strings that name modules whose
+ *               hooks should precede this one
+ * @param aszSucc A NULL-terminated array of strings that name modules whose
+ *                hooks should succeed this one
+ * @param nOrder An integer determining order before honouring aszPre and
+ *               aszSucc (for example, HOOK_MIDDLE)
+ * @param type Internal request processing mode, either
+ *             AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
+ */
+AP_DECLARE(void) ap_hook_check_autht(ap_HOOK_check_user_id_t *pf,
+                                     const char * const *aszPre,
+                                     const char * const *aszSucc,
+                                     int nOrder, int type);
 
 /**
  * Register a hook function that will analyze the request headers,
diff --git a/include/mod_auth.h b/include/mod_auth.h
index 858e02bdec..e2b0f77461 100644
--- a/include/mod_auth.h
+++ b/include/mod_auth.h
@@ -36,15 +36,20 @@
 extern "C" {
 #endif
 
+#define AUTHT_PROVIDER_GROUP "autht"
 #define AUTHN_PROVIDER_GROUP "authn"
 #define AUTHZ_PROVIDER_GROUP "authz"
+#define AUTHT_PROVIDER_VERSION "0"
 #define AUTHN_PROVIDER_VERSION "0"
 #define AUTHZ_PROVIDER_VERSION "0"
+#define AUTHT_DEFAULT_PROVIDER "jwt"
 #define AUTHN_DEFAULT_PROVIDER "file"
 
+#define AUTHT_PROVIDER_NAME_NOTE "autht_provider_name"
 #define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
 #define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
 
+#define AUTHT_PREFIX "TOKEN_"
 #define AUTHN_PREFIX "AUTHENTICATE_"
 #define AUTHZ_PREFIX "AUTHORIZE_"
 
@@ -71,6 +76,15 @@ typedef enum {
 } authn_status;
 
 typedef enum {
+    AUTHT_DENIED = AUTH_DENIED,
+    AUTHT_GRANTED = AUTH_GRANTED,
+    AUTHT_GENERAL_ERROR = AUTH_GENERAL_ERROR,
+    AUTHT_MISMATCH,
+    AUTHT_EXPIRED,
+    AUTHT_INVALID
+} autht_status;
+
+typedef enum {
     AUTHZ_DENIED,
     AUTHZ_GRANTED,
     AUTHZ_NEUTRAL,
@@ -81,15 +95,20 @@ typedef enum {
 typedef struct {
     /* Given a username and password, expected to return AUTH_GRANTED
      * if we can validate this user/password combination.
+     *
+     * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
      */
     authn_status (*check_password)(request_rec *r, const char *user,
                                    const char *password);
 
     /* Given a user and realm, expected to return AUTH_USER_FOUND if we
      * can find a md5 hash of 'user:realm:password'
+     *
+     * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
      */
     authn_status (*get_realm_hash)(request_rec *r, const char *user,
                                    const char *realm, char **rethash);
+
 } authn_provider;
 
 /* A linked-list of authn providers. */
@@ -102,6 +121,24 @@ struct authn_provider_list {
 };
 
 typedef struct {
+    /* Given a token of a given type, expected to return AUTH_GRANTED
+     * if the token could be successfully authenticated.
+     */
+    autht_status (*check_token)(request_rec *r, const char *type,
+                                const char *token);
+
+} autht_provider;
+
+/* A linked-list of authn providers. */
+typedef struct autht_provider_list autht_provider_list;
+
+struct autht_provider_list {
+    const char *provider_name;
+    const autht_provider *provider;
+    autht_provider_list *next;
+};
+
+typedef struct {
     /* Given a request_rec, expected to return AUTHZ_GRANTED
      * if we can authorize user access.
      * @param r the request record