From 5a1d28e8a3708668c808bac2f19f259e9860b60c Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Mon, 20 May 2019 22:31:38 +0200
Subject: [PATCH] add Apache Require claim authorization functions bump to 3.0.1
Signed-off-by: Hans Zandbelt
---
 ChangeLog | 4 ++++
 configure.ac | 6 ++---
 src/mod_oauth2.c | 60 ++++++++++++++++++++++++++++++++++++++++++------
 3 files changed, 60 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3d4e023..f2e999d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,2 +1,6 @@
+05/20/2019
+- add Apache Require claim authorization functions
+- bump to 3.0.1
+
 03/22/2019
 - initial import of version 3.0.0
diff --git a/configure.ac b/configure.ac
index e4a4b0d..24f34ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_oauth2],[3.0.0],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_oauth2],[3.0.1],[hans.zandbelt@zmartzone.eu])
 AC_CONFIG_HEADERS([src/config.h])
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
@@ -33,11 +33,11 @@ PKG_CHECK_MODULES(APR, [apr-1, apr-util-1])
 AC_SUBST(APR_CFLAGS)
 AC_SUBST(APR_LIBS)
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.0.0])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.0.1])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.0.0])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.0.1])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
diff --git a/src/mod_oauth2.c b/src/mod_oauth2.c
index 576111b..b11cb74 100644
--- a/src/mod_oauth2.c
+++ b/src/mod_oauth2.c
@@ -92,6 +92,8 @@ static void *oauth2_cfg_dir_merge(apr_pool_t *pool, void *b, void *a)
 return cfg;
 }
+#define OAUTH2_REQUEST_STATE_KEY_CLAIMS "C"
+
 static int oauth2_request_handler(oauth2_cfg_source_token_t *cfg,
 oauth2_cfg_token_verify_t *verify,
 oauth2_cfg_target_pass_t *target_pass,
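Review bot: The new `OAUTH2_REQUEST_STATE_KEY_CLAIMS` define carries no comment saying what is stored under it or which code consumes it; suggest `/* request-state key under which the verified token's claims (json_t) are kept for the Require claim authz provider */` above it. Its value is the single character "C", which is fine if the request-state store is private to this module, but the hunk does not show whether that store is shared with other modules; if it is, a module-prefixed key would avoid collisions.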
@@ -135,6 +137,8 @@ static int oauth2_request_handler(oauth2_cfg_source_token_t *cfg,
 goto end;
 }
+ oauth2_apache_request_state_set_json(
+ ctx, OAUTH2_REQUEST_STATE_KEY_CLAIMS, json_token);
 oauth2_apache_target_pass(ctx, target_pass, source_token, json_token);
 rv = OK;
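Review bot: `oauth2_apache_request_state_set_json` receives `json_token`, which the next line still hands to `oauth2_apache_target_pass`, and nothing in the hunk states whether the store takes its own reference or merely keeps the pointer; the ownership should be recorded at the call, e.g. `/* keep the verified claims in request state for the Require claim authz provider; NOTE(review): confirm set_json takes a reference, because the authz checker decrefs whatever get_json returns */`. If the store only borrows the pointer, each `Require claim` evaluation later in the same request would release an object it does not own, so the liboauth2_apache reference convention for set_json/get_json should be checked before this ships. oauth2_request_handler starts and ends outside the hunk.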
@@ -280,24 +284,66 @@ static const command_rec OAUTH2_APACHE_COMMANDS(oauth2)[] = { { NULL } };
+
+static authz_status oauth2_authz_checker(request_rec *r,
+ const char *require_args, const void *parsed_require_args,
+ oauth2_apache_authz_match_claim_fn_type match_claim_fn) {
+ json_t *claims = NULL;
+ oauth2_cfg_dir_t *cfg = NULL;
+ oauth2_apache_request_ctx_t *ctx = NULL;
+ authz_status rc = AUTHZ_DENIED_NO_USER;
+
+ cfg = ap_get_module_config(r->per_dir_config, &oauth2_module);
+ ctx = OAUTH2_APACHE_REQUEST_CTX(r, oauth2);
+
+ oauth2_debug(ctx->log, "enter");
+
+ if (r->user != NULL && strlen(r->user) == 0)
+ r->user = NULL;
+
+ oauth2_apache_request_state_get_json(ctx, OAUTH2_REQUEST_STATE_KEY_CLAIMS, &claims);
+
+ rc = oauth2_apache_authorize(ctx, claims, require_args, match_claim_fn);
+ if (claims)
+ json_decref(claims);
+
+ if ((rc == AUTHZ_DENIED) && ap_auth_type(r))
+ oauth2_apache_return_www_authenticate(cfg->source_token, ctx,
+ HTTP_UNAUTHORIZED, "insufficient_scope", // TODO: OAUTH2_ERROR_INSUFFICIENT_SCOPE,
+ "Different scope(s) or other claims required.");
+
+ oauth2_debug(ctx->log, "leave");
+
+ return rc;
+}
+
+static authz_status oauth2_authz_checker_claim(request_rec *r,
+ const char *require_args, const void *parsed_require_args) {
+ return oauth2_authz_checker(r, require_args, parsed_require_args,
+ oauth2_apache_authz_match_claim);
+}
+
+static const authz_provider oauth2_authz_claim_provider = {
+ &oauth2_authz_checker_claim,
+ NULL };
+
+#define OAUTH2_REQUIRE_CLAIM "claim"
+
 static void oauth2_register_hooks(apr_pool_t *p) {
 ap_hook_post_config(OAUTH2_APACHE_POST_CONFIG(oauth2), NULL, NULL,
 APR_HOOK_MIDDLE);
-#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
 ap_hook_check_authn(oauth2_check_user_id_handler, NULL, NULL,
 APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
-#else
- ap_hook_check_user_id(oauth2_check_user_id_handler, NULL, NULL,
- APR_HOOK_MIDDLE);
-#endif
-
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP,
+ OAUTH2_REQUIRE_CLAIM, "0",
&oauth2_authz_claim_provider,
+ AP_AUTH_INTERNAL_PER_CONF);
 // TODO: register content handler for "special" stuff like returning the
 // JWKs that
 // the peer may use to encrypt the token and the private key
 // material that we use to sign e.g. client authentication
 // assertions
- // ap_hook_handler(oidc_content_handler, NULL, NULL, APR_HOOK_MIDDLE);
+ // ap_hook_handler(oauth2_content_handler, NULL, NULL, APR_HOOK_MIDDLE);
 }
 OAUTH2_APACHE_MODULE_DECLARE_EX(
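Review bot: The challenge sent from `oauth2_authz_checker` pairs the `insufficient_scope` error with `HTTP_UNAUTHORIZED`, whereas RFC 6750 §3.1 specifies 403 Forbidden for insufficient_scope (401 is reserved for a missing or invalid token), so the call should read `HTTP_FORBIDDEN, "insufficient_scope", // TODO: OAUTH2_ERROR_INSUFFICIENT_SCOPE,` unless oauth2_apache_return_www_authenticate overrides the status itself. When no verified token was stored for this request, `claims` stays NULL and is passed straight to `oauth2_apache_authorize`; the fail-closed outcome then depends on that library call, which the hunk does not show, and an explicit guard such as `rc = claims ? oauth2_apache_authorize(ctx, claims, require_args, match_claim_fn) : AUTHZ_DENIED_NO_USER;` would make the no-token path unambiguous. The `AUTHZ_DENIED_NO_USER` initializer of `rc` is dead because `rc` is assigned unconditionally, and `parsed_require_args` is unused in both checkers (the provider registers no parse function, so it is always NULL); a `(void)parsed_require_args;` would document that. The `r->user` normalization deserves a why-comment, e.g. `/* an empty user set by the authn handler counts as no user for Apache's authz framework */`, since it silently mutates the request.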