code: introduce oidc_util_url_matches_redirect_uri

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

src/handle/content.c

@@ -59,12 +59,12 @@ int oidc_content_handler(request_rec *r) {
 		if (_oidc_strcmp(r->parsed_uri.path, oidc_cfg_metrics_path_get(c)) == 0)
 			return oidc_metrics_handle_request(r);
 
-	if (oidc_enabled(r) == FALSE) {
+	if (oidc_enabled(r, c) == FALSE) {
 		OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_DECLINED);
 		return DECLINED;
 	}
 
-	if (oidc_util_url_cur_matches(r, oidc_util_url_redirect_uri(r, c)) == TRUE) {
+	if (oidc_util_url_matches_redirect_uri(r, c) == TRUE) {
 
 		/* requests to the redirect URI are handled and finished here */
 		rc = OK;

src/mod_auth_openidc.c

@@ -310,7 +310,7 @@ const char *oidc_original_request_method(request_rec *r, oidc_cfg_t *cfg, apr_by
 	const char *method = OIDC_METHOD_GET;
 
 	char *m = NULL;
-	if ((handle_discovery_response == TRUE) && (oidc_util_url_cur_matches(r, oidc_util_url_redirect_uri(r, cfg))) &&
+	if ((handle_discovery_response == TRUE) && (oidc_util_url_matches_redirect_uri(r, cfg)) &&
 	    (oidc_is_discovery_response(r, cfg))) {
 		oidc_util_url_parameter_get(r, OIDC_DISC_RM_PARAM, &m);
 		if (m != NULL)
@@ -1249,7 +1249,7 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg_t *c) {
 	oidc_session_load(r, &session);
 
 	/* see if the initial request is to the redirect URI; this handles potential logout too */
-	if (oidc_util_url_cur_matches(r, oidc_util_url_redirect_uri(r, c))) {
+	if (oidc_util_url_matches_redirect_uri(r, c) == TRUE) {
 
 		/* handle request to the redirect_uri */
 		rc = oidc_handle_redirect_uri_request(r, c, session);
@@ -1330,7 +1330,7 @@ static int oidc_check_mixed_userid_oauth(request_rec *r, oidc_cfg_t *c) {
 
 int oidc_fixups(request_rec *r) {
 	oidc_cfg_t *c = ap_get_module_config(r->server->module_config, &auth_openidc_module);
-	if (oidc_enabled(r) == TRUE) {
+	if (oidc_enabled(r, c) == TRUE) {
 		OIDC_METRICS_TIMING_REQUEST_ADD(r, c, OM_MOD_AUTH_OPENIDC);
 		return OK;
 	}
@@ -1351,7 +1351,7 @@ int oidc_check_user_id(request_rec *r) {
 	oidc_debug(r, "incoming request: \"%s?%s\", ap_is_initial_req(r)=%d", r->parsed_uri.path, r->args,
 		   ap_is_initial_req(r));
 
-	if (oidc_enabled(r) == FALSE) {
+	if (oidc_enabled(r, c) == FALSE) {
 		OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHTYPE_DECLINED);
 		return DECLINED;
 	}
@@ -1387,7 +1387,11 @@ int oidc_check_user_id(request_rec *r) {
 /*
  * check of mod_auth_openidc needs to handle this request
  */
-apr_byte_t oidc_enabled(request_rec *r) {
+apr_byte_t oidc_enabled(request_rec *r, oidc_cfg_t *c) {
+
+	//	if (oidc_util_url_matches_redirect_uri(r, c) == TRUE)
+	//		return TRUE;
+
 	if (ap_auth_type(r) == NULL)
 		return FALSE;
 
@@ -1821,7 +1825,9 @@ static const char oidcFilterName[] = "oidc_filter_in_filter";
  */
 static void oidc_filter_in_insert_filter(request_rec *r) {
 
-	if (oidc_enabled(r) == FALSE)
+	oidc_cfg_t *c = ap_get_module_config(r->server->module_config, &auth_openidc_module);
+
+	if (oidc_enabled(r, c) == FALSE)
 		return;
 
 	if (ap_is_initial_req(r) == 0)

src/mod_auth_openidc.h

@@ -140,7 +140,7 @@
 
 int oidc_check_user_id(request_rec *r);
 int oidc_fixups(request_rec *r);
-apr_byte_t oidc_enabled(request_rec *r);
+apr_byte_t oidc_enabled(request_rec *r, oidc_cfg_t *c);
 void oidc_request_state_set(request_rec *r, const char *key, const char *value);
 const char *oidc_request_state_get(request_rec *r, const char *key);
 void oidc_scrub_headers(request_rec *r);

src/oauth.c

@@ -669,7 +669,7 @@ int oidc_oauth_check_userid(request_rec *r, oidc_cfg_t *c, const char *access_to
 		}
 
 		/* check if this is a request to the "special" handler (Redirect URI) */
-	} else if (oidc_util_url_cur_matches(r, oidc_util_url_redirect_uri(r, c))) {
+	} else if (oidc_util_url_matches_redirect_uri(r, c) == TRUE) {
 
 		/* check if this is a request for the public (encryption) keys */
 		if (oidc_util_url_has_parameter(r, OIDC_REDIRECT_URI_REQUEST_JWKS)) {

src/util/url.c

@@ -290,6 +290,13 @@ apr_byte_t oidc_util_url_cur_matches(request_rec *r, const char *url) {
 	return (_oidc_strcmp(r->parsed_uri.path, uri.path) == 0);
 }
 
+/*
+ * see if the currently accessed path matches the Redirect URI
+ */
+apr_byte_t oidc_util_url_matches_redirect_uri(request_rec *r, oidc_cfg_t *cfg) {
+	return oidc_util_url_cur_matches(r, oidc_util_url_redirect_uri(r, cfg));
+}
+
 /*
  * see if the currently accessed path has a certain query parameter
  */

src/util/util.h

@@ -126,6 +126,7 @@ apr_byte_t oidc_util_url_cur_is_secure(request_rec *r, oidc_cfg_t *c);
 apr_byte_t oidc_util_url_cur_matches(request_rec *r, const char *url);
 const char *oidc_util_url_abs(request_rec *r, oidc_cfg_t *cfg, const char *url);
 const char *oidc_util_url_redirect_uri(request_rec *r, oidc_cfg_t *c);
+apr_byte_t oidc_util_url_matches_redirect_uri(request_rec *r, oidc_cfg_t *cfg);
 apr_byte_t oidc_util_url_has_parameter(request_rec *r, const char *param);
 apr_byte_t oidc_util_url_parameter_get(request_rec *r, char *name, char **value);
 

test/test_util.c

@@ -744,12 +744,17 @@ END_TEST
 
 START_TEST(test_util_url_matches) {
 	request_rec *r = oidc_test_request_get();
+	oidc_cfg_t *c = oidc_test_cfg_get();
+
 	ck_assert_msg(oidc_util_url_cur_matches(r, NULL) == FALSE, "match");
 	ck_assert_msg(oidc_util_url_cur_matches(r, "sss//www.example.com/bla") == FALSE, "match");
 	ck_assert_msg(oidc_util_url_cur_matches(r, "https://www.example.com/bla") == TRUE, "no match");
 	ck_assert_msg(oidc_util_url_cur_matches(r, "https://www.example.com/bla2") == FALSE, "match");
 	r->parsed_uri.path = NULL;
 	ck_assert_msg(oidc_util_url_cur_matches(r, "https://www.example.com/bla2") == FALSE, "match");
+	ck_assert_msg(oidc_util_url_matches_redirect_uri(r, c) == FALSE, "match");
+	apr_uri_parse(r->pool, "https://www.example.com/protected/", &r->parsed_uri);
+	ck_assert_msg(oidc_util_url_matches_redirect_uri(r, c) == TRUE, "no match");
 }
 END_TEST