make OIDCUnautzAction 302|auth work with RequireAny

zandbelt · zandbelt · commit 0d51b38a5d73 · 2023-05-24T17:46:38.000+02:00
handle 302/auth in the fixup handler so step up authentication works
with multiple/complex Require expressions e.g. RequireAny and Require
not; bump to 2.4.14.1rc2

Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 05/24/2023
 - fix RequireAny behaviour on 401/403/302: revert 9d6192b2ab0716d8f7d2a29754a80b6ab1e804eb for non-stepup authentication cases
-- bump to 2.4.14.1rc1
+- make OIDCUnautzAction 302|auth (i.e. step up authentication) work with multiple/complex Require expressions e.g. RequireAny
+- bump to 2.4.14.1rc2
 
 05/17/2023
 - fix refreshing claims from the userinfo endpoint when no id_token claims are stored in the session
diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.14.1rc1],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.14.1rc2],[hans.zandbelt@openidc.com])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 
diff --git a/src/config.c b/src/config.c
@@ -3042,6 +3042,7 @@ void oidc_register_hooks(apr_pool_t *pool) {
 	ap_hook_check_user_id(oidc_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
 	ap_hook_auth_checker(oidc_auth_checker, NULL, authzSucc, APR_HOOK_MIDDLE);
 #endif
+	ap_hook_fixups(oidc_fixup_handler, NULL, NULL, APR_HOOK_MIDDLE);
 }
 
 /*
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -4388,21 +4388,16 @@ static authz_status oidc_handle_unauthorized_user24(request_rec *r) {
 	switch (oidc_dir_cfg_unautz_action(r)) {
 	case OIDC_UNAUTZ_RETURN403:
 	case OIDC_UNAUTZ_RETURN401:
-		oidc_util_html_send_error(r, c->error_template, "Authorization Error",
-				oidc_dir_cfg_unauthz_arg(r),
-				HTTP_UNAUTHORIZED);
-		if (c->error_template)
-			r->header_only = 1;
+		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_MSG,
+				oidc_dir_cfg_unauthz_arg(r) ? oidc_dir_cfg_unauthz_arg(r) : "");
+		oidc_debug(r,
+				"defer authorization error handling to the fixup handler");
 		return AUTHZ_DENIED;
 	case OIDC_UNAUTZ_RETURN302:
-		html_head = apr_psprintf(r->pool,
-				"<meta http-equiv=\"refresh\" content=\"0; url=%s\">",
-				oidc_dir_cfg_unauthz_arg(r));
-		oidc_util_html_send(r, "Authorization Error Redirect", html_head, NULL,
-				NULL,
-				HTTP_UNAUTHORIZED);
-		if (c->error_template)
-			r->header_only = 1;
+		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_REDIRECT,
+				oidc_dir_cfg_unauthz_arg(r) ? oidc_dir_cfg_unauthz_arg(r) : "");
+		oidc_debug(r,
+				"defer authorization error redirect to the fixup handler");
 		return AUTHZ_DENIED;
 	case OIDC_UNAUTZ_AUTHENTICATE:
 		/*
@@ -4429,8 +4424,8 @@ static authz_status oidc_handle_unauthorized_user24(request_rec *r) {
 	if (location != NULL) {
 		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_REDIRECT,
 				location);
-		oidc_debug(r, "defer step up authentication to the content handler");
-		return AUTHZ_GRANTED;
+		oidc_debug(r, "defer step up authentication to the fixup handler");
+		return AUTHZ_DENIED;
 	}
 
 	return AUTHZ_DENIED;
@@ -4612,6 +4607,7 @@ apr_byte_t oidc_enabled(request_rec *r) {
 
 	return FALSE;
 }
+
 /*
  * handle content generating requests
  */
@@ -4663,18 +4659,56 @@ int oidc_content_handler(request_rec *r) {
 
 		/* sending POST preserve */
 		rc = OK;
+	}
 
-	} else if (oidc_request_state_get(r,
-			OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_REDIRECT) != NULL) {
+	return rc;
+}
+
+int oidc_fixup_handler(request_rec *r) {
+	oidc_cfg *c = ap_get_module_config(r->server->module_config,
+			&auth_openidc_module);
+	int rc = DECLINED;
+	const char *location = NULL;
+	const char *msg = NULL;
 
-		/* there was an authorization error, redirect for stepup authentication  */
-		oidc_util_hdr_out_location_set(r, oidc_request_state_get(r,
-				OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_REDIRECT));
+	oidc_debug(r, "enter: status=%d (%s)", r->status,
+			r->status_line ? r->status_line : "");
 
-		rc = HTTP_MOVED_TEMPORARILY;
+	/* this handler is (only) used to deal with the overall authorization result of RequireAll/RequireAny etc. */
+	if ((r->status != 401) && (r->status != 403))
+		goto end;
 
+	msg = oidc_request_state_get(r,
+			OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_MSG);
+	if (msg) {
+		oidc_util_html_send_error(r, c->error_template, "Authorization Error",
+				msg, HTTP_UNAUTHORIZED);
+		r->status =
+				(oidc_dir_cfg_unautz_action(r) == OIDC_UNAUTZ_RETURN403) ?
+						HTTP_FORBIDDEN : HTTP_UNAUTHORIZED;
+		;
+		if (c->error_template) {
+			rc = r->status;
+		} else {
+			/* need OK as we are processing internal 401 and a document that is already written */
+			rc = OK;
+		}
+		goto end;
 	}
 
+	location = oidc_request_state_get(r,
+			OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_REDIRECT);
+	if (location != NULL) {
+		/* there was an authorization error, redirect for an external error page or step up authentication  */
+		apr_table_set(r->headers_out, OIDC_HTTP_HDR_LOCATION, location);
+		r->status = HTTP_MOVED_TEMPORARILY;
+		/* need OK as we are processing internal 401 and a document that is already written */
+		rc = OK;
+		goto end;
+	}
+
+end:
+
 	return rc;
 }
 
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -112,12 +112,13 @@ APLOG_USE_MODULE(auth_openidc);
 #endif
 
 /* keys for storing info in the request state */
-#define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
-#define OIDC_REQUEST_STATE_KEY_CLAIMS  "c"
-#define OIDC_REQUEST_STATE_KEY_DISCOVERY  "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN  "a"
-#define OIDC_REQUEST_STATE_KEY_SAVE "s"
-#define OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_REDIRECT  "ar"
+#define OIDC_REQUEST_STATE_KEY_IDTOKEN            "i"
+#define OIDC_REQUEST_STATE_KEY_CLAIMS             "c"
+#define OIDC_REQUEST_STATE_KEY_DISCOVERY          "d"
+#define OIDC_REQUEST_STATE_KEY_AUTHN              "a"
+#define OIDC_REQUEST_STATE_KEY_SAVE               "s"
+#define OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_MSG      "am"
+#define OIDC_REQUEST_STATE_KEY_AUTHZ_ERR_REDIRECT "ar"
 
 /* parameter name of the callback URL in the discovery response */
 #define OIDC_DISC_CB_PARAM "oidc_callback"
@@ -507,6 +508,7 @@ apr_byte_t oidc_post_preserve_javascript(request_rec *r, const char *location, c
 void oidc_scrub_headers(request_rec *r);
 void oidc_strip_cookies(request_rec *r);
 int oidc_content_handler(request_rec *r);
+int oidc_fixup_handler(request_rec *r);
 apr_byte_t oidc_get_remote_user(request_rec *r, const char *claim_name, const char *replace, const char *reg_exp,
                                 json_t *json, char **request_user);
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-AC_INIT([mod_auth_openidc],[2.4.14.1rc1],[hans.zandbelt@openidc.com])`
	`1`	`+AC_INIT([mod_auth_openidc],[2.4.14.1rc2],[hans.zandbelt@openidc.com])`
`2`	`2`
`3`	`3`	`AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -3042,6 +3042,7 @@ void oidc_register_hooks(apr_pool_t *pool) {`
`3042`	`3042`	`ap_hook_check_user_id(oidc_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);`
`3043`	`3043`	`ap_hook_auth_checker(oidc_auth_checker, NULL, authzSucc, APR_HOOK_MIDDLE);`
`3044`	`3044`	`#endif`
	`3045`	`+ ap_hook_fixups(oidc_fixup_handler, NULL, NULL, APR_HOOK_MIDDLE);`
`3045`	`3046`	`}`
`3046`	`3047`
`3047`	`3048`	`/*`