Refactor auth configuration to allow HTTP and HTTPS virtual hosts to use different auth mechanisms, and refactor log configuration to make it easier to use.

git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1291133 13f79535-47bb-0310-9956-ffa450edef68

sca-cpp/trunk/modules/http/basic-auth-conf

@@ -25,15 +25,22 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
+
 # Disallow public access to server resources
-cat >$root/conf/noauth.conf <<EOF
+cat >$root/conf/noauth$sslsuffix.conf <<EOF
 # Generated by: basic-auth-conf $*
 # Disallow public access to server resources
 
 EOF
 
 # Generate basic authentication configuration
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/locauth$sslsuffix.conf <<EOF
 # Generated by: basic-auth-conf $*
 # Require clients to present a userid + password for HTTP
 # basic authentication

sca-cpp/trunk/modules/http/cert-auth-conf

@@ -25,15 +25,22 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
+
 # Disallow public access to server resources
-cat >$root/conf/noauth.conf <<EOF
+cat >$root/conf/noauth$sslsuffix.conf <<EOF
 # Generated by: cert-auth-conf $*
 # Disallow public access to server resources
 
 EOF
 
 # Generate authentication configuration
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/locauth$sslsuffix.conf <<EOF
 # Generated by: cert-auth-conf $*
 # Require clients to present a valid client certificate
 SSLVerifyClient require

sca-cpp/trunk/modules/http/form-auth-conf

@@ -27,15 +27,22 @@ host=`echo $conf | awk '{ print $6 }'`
 
 pw=`cat $root/cert/ca.key | head -2 | tail -1`
 
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
+
 # Disallow public access to server resources
-cat >$root/conf/noauth.conf <<EOF
+cat >$root/conf/noauth$sslsuffix.conf <<EOF
 # Generated by: form-auth-conf $*
 # Disallow public access to server resources
 
 EOF
 
 # Generate form authentication configuration
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/locauth$sslsuffix.conf <<EOF
 # Generated by: form-auth-conf $*
 # Require clients to present a userid + password through form-based
 # authentication

sca-cpp/trunk/modules/http/group-auth-conf

@@ -23,8 +23,15 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 user=$2
 group="members"
 
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
+
 # Disallow public access to server resources
-cat >$root/conf/noauth.conf <<EOF
+cat >$root/conf/noauth$sslsuffix.conf <<EOF
 # Generated by: group-auth-conf $*
 # Disallow public access to server resources
 
@@ -36,9 +43,9 @@ cp $root/conf/.httpd.groups.tmp $root/conf/httpd.groups
 rm $root/conf/.httpd.groups.tmp
 
 # Generate HTTPD group authorization configuration
-conf=`cat $root/conf/auth.conf | grep "Generated by: group-auth-conf"`
+conf=`cat $root/conf/locauth$sslsuffix.conf | grep "Generated by: group-auth-conf"`
 if [ "$conf" = "" ]; then
-    cat >>$root/conf/auth.conf <<EOF
+    cat >>$root/conf/locauth$sslsuffix.conf <<EOF
 # Generated by: group-auth-conf $1
 # Allow group member access to root location
 <Location />

sca-cpp/trunk/modules/http/htdocs/login/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign in</title>
 </head>
 <body>

sca-cpp/trunk/modules/http/htdocs/logout/index.html

@@ -24,6 +24,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign out</title>
 </head>
 <h1>Sign out</h1>

sca-cpp/trunk/modules/http/httpd-conf

@@ -101,6 +101,9 @@ Header onsuccess set Cache-Control "max-age=604800" env=!must-revalidate
 Header set Cache-Control "must-revalidate, max-age=0" env=must-revalidate
 Header set Expires "Tue, 01 Jan 1980 00:00:00 GMT" env=must-revalidate
 
+# Configuration auth modules
+Include conf/auth.conf
+
 # Set default document root
 DocumentRoot $htdocs
 DirectoryIndex index-min.html index.html
@@ -112,11 +115,6 @@ AllowOverride None
 Require all denied
 </Directory>
 
-# Configure authentication
-Include conf/noauth.conf
-Include conf/auth.conf
-Include conf/pubauth.conf
-
 # Configure output filters to enable compression and rate limiting
 <Location />
 SetOutputFilter RATE_LIMIT;DEFLATE
@@ -144,6 +142,12 @@ RewriteRule .* http://$host$pportsuffix%{REQUEST_URI} [R]
 </Location>
 
 Include conf/svhost.conf
+
+# Configure authentication
+Include conf/noauth.conf
+Include conf/locauth.conf
+Include conf/pubauth.conf
+
 </VirtualHost>
 
 EOF
@@ -151,7 +155,6 @@ EOF
 # Configure logging
 cat >$root/conf/log.conf <<EOF
 # Generated by: httpd-conf $*
-LogLevel notice
 ErrorLog $root/logs/error_log
 CustomLog $root/logs/access_log combined
 
@@ -227,6 +230,11 @@ EOF
 # Generate auth configuration
 cat >$root/conf/auth.conf <<EOF
 # Generated by: httpd-conf $*
+
+EOF
+
+cat >$root/conf/locauth.conf <<EOF
+# Generated by: httpd-conf $*
 # Authentication and authorization configuration
 
 # Allow authorized access to document root

sca-cpp/trunk/modules/http/httpd-loglevel-conf

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Configure HTTPD log level
+here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
+mkdir -p $1
+root=`echo "import os; print os.path.realpath('$1')" | python`
+level=$2
+
+# Configure log level
+cat >>$root/conf/log.conf <<EOF
+# Generated by: httpd-loglevel-conf $*
+LogLevel $level
+
+EOF
+

sca-cpp/trunk/modules/http/httpd-ssl-conf

@@ -72,10 +72,39 @@ RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
 </Location>
 
 Include conf/svhost-ssl.conf
+
+# Configure authentication
+Include conf/noauth-ssl.conf
+Include conf/locauth-ssl.conf
+Include conf/pubauth-ssl.conf
+
 </VirtualHost>
 
 EOF
 
+# Generate auth configuration
+cat >$root/conf/locauth-ssl.conf <<EOF
+# Generated by: httpd-ssl-conf $*
+# Authentication and authorization configuration
+Include conf/locauth.conf
+
+EOF
+
+cat >$root/conf/pubauth-ssl.conf <<EOF
+# Generated by: httpd-ssl-conf $*
+# Allow everyone to access public locations
+Include conf/pubauth.conf
+
+EOF
+
+# Allow public access to server resources
+cat >$root/conf/noauth-ssl.conf <<EOF
+# Generated by: httpd-conf $*
+# Allow public access to server resources
+Include conf/noauth.conf
+
+EOF
+
 # Generate HTTP vhost configuration
 cat >>$root/conf/svhost.conf <<EOF
 # Generated by: httpd-ssl-conf $*
@@ -89,6 +118,7 @@ RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
 
 EOF
 
+# Redirect HTTP traffic to HTTPS in HTTP vhost
 cat >>$root/conf/dvhost.conf <<EOF
 # Generated by: httpd-ssl-conf $*
 # Redirect HTTP traffic to HTTPS

sca-cpp/trunk/modules/http/open-auth-conf

@@ -25,17 +25,24 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
+
 pw=`cat $root/cert/ca.key | head -2 | tail -1`
 
 # Disallow public access to server resources
-cat >$root/conf/noauth.conf <<EOF
+cat >$root/conf/noauth$sslsuffix.conf <<EOF
 # Generated by: open-auth-conf $*
 # Disallow public access to server resources
 
 EOF
 
 # Generate form authentication configuration
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/locauth$sslsuffix.conf <<EOF
 # Generated by: open-auth-conf $*
 # Enable Tuscany open authentication
 <Location />

sca-cpp/trunk/modules/http/vhost-conf

@@ -44,9 +44,17 @@ NameVirtualHost $vhost
 <VirtualHost $vhost>
 ServerName http://vhost.$host:$pport
 ServerAlias *.$host
-VirtualDocumentRoot $vroot/%1/$vhtdocs/
+
+# Map /v/<app-name>/<path> to vroot/<app-name>/vhtdocs/<path>
+AliasMatch /v/([^/]+)(.*)$ $vroot/\$1/$vhtdocs/\$2
 
 Include conf/dvhost.conf
+
+# Configure authentication
+Include conf/noauth.conf
+Include conf/auth.conf
+Include conf/pubauth.conf
+
 </VirtualHost>
 
 EOF

sca-cpp/trunk/modules/http/vhost-ssl-conf

@@ -49,8 +49,16 @@ NameVirtualHost $sslvhost
 <VirtualHost $sslvhost>
 ServerName https://vhost.$host:$sslpport
 ServerAlias *.$host
-VirtualDocumentRoot $vroot/%1/$vhtdocs/
+
+# Map /v/<app-name>/<path> to vroot/<app-name>/vhtdocs/<path>
+AliasMatch /v/([^/]+)(.*)$ $vroot/\$1/$vhtdocs/\$2
 
 Include conf/dvhost-ssl.conf
+
+# Configure authentication
+Include conf/noauth-ssl.conf
+Include conf/auth-ssl.conf
+Include conf/pubauth-ssl.conf
+
 </VirtualHost>
 

sca-cpp/trunk/modules/oauth/oauth-conf

@@ -32,6 +32,13 @@ fi
 conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
+
 # Configure HTTPD mod_tuscany_oauth module
 cat >>$root/conf/modules.conf <<EOF
 # Generated by: oauth-conf $*
@@ -42,14 +49,14 @@ LoadModule mod_tuscany_oauth2 $here/libmod_tuscany_oauth2$libsuffix
 EOF
 
 # Disallow public access to server resources
-cat >$root/conf/noauth.conf <<EOF
+cat >$root/conf/noauth$sslsuffix.conf <<EOF
 # Generated by: oauth-auth-conf $*
 # Disallow public access to server resources
 
 EOF
 
 # Configure OAuth authentication
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/locauth$sslsuffix.conf <<EOF
 # Generated by: oauth-conf $*
 # Enable OAuth authentication
 <Location />
@@ -74,6 +81,9 @@ AddAuthOAuth1ScopeAttr FIRSTNAME first-name
 AddAuthOAuth1ScopeAttr LASTNAME last-name
 </Location>
 
+EOF
+
+cat >>$root/conf/auth.conf <<EOF
 # Configure OAuth App keys
 Include $root/cert/oauth-keys.conf
 

sca-cpp/trunk/modules/oauth/oauth-memcached-conf

@@ -23,6 +23,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 host=$2
 port=$3
 
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
+
 # Configure HTTPD mod_tuscany_oauth module cache
 cat >>$root/conf/auth.conf <<EOF
 # Generated by: oauth-memcached-conf $*

sca-cpp/trunk/modules/openid/openid-conf

@@ -26,14 +26,14 @@ conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 openid_prefix=`cat $here/openid.prefix`
 
-# Disallow public access to server resources
-cat >$root/conf/noauth.conf <<EOF
-# Generated by: openid-auth-conf $*
-# Disallow public access to server resources
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
 
-EOF
-
-# Configure OpenID authentication
+# Configure HTTPD mod_auth_openid module
 cat >>$root/conf/modules.conf <<EOF
 # Generated by: openid-conf $*
 # Load support for OpenID authentication
@@ -41,7 +41,15 @@ LoadModule authopenid_module  $openid_prefix/modules/mod_auth_openid.so
 
 EOF
 
-cat >>$root/conf/auth.conf <<EOF
+# Disallow public access to server resources
+cat >$root/conf/noauth$sslsuffix.conf <<EOF
+# Generated by: openid-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
+# Configure OpenID authentication
+cat >>$root/conf/locauth$sslsuffix.conf <<EOF
 # Generated by: openid-conf $*
 # Enable OpenID authentication
 <Location />
@@ -62,7 +70,7 @@ AuthOpenIDAXAdd LASTNAME http://axschema.org/namePerson/last
 
 EOF
 
-cat >>$root/conf/pubauth.conf <<EOF
+cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
 # Generated by: openid-conf $*
 # Allow public access to /openid location
 <Location /openid>

sca-cpp/trunk/modules/openid/openid-step2-conf

@@ -25,8 +25,15 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 
+sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
+if [ "$sslconf" = "" ]; then
+    sslsuffix=""
+else
+    sslsuffix="-ssl"
+fi
+
 # Configure HTTPD to serve OpenID XRDS and LRDD documents
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/locauth$sslsuffix.conf <<EOF
 # Generated by: openid-step2-conf $*
 # Serve OpenID XRDS document
 Alias /openid $root/conf/openid.xrds
@@ -42,7 +49,7 @@ ForceType text/plain
 
 EOF
 
-cat >>$root/conf/pubauth.conf <<EOF
+cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
 # Generated by: openid-step2-conf $*
 # Allow access to /.well-known/host-meta location
 <Location /.well-known/host-meta>

sca-cpp/trunk/patches/modsecurity-crs_2.2.2.patch

@@ -6,3 +6,9 @@
 ---
 > #SecRule ARGS "(?:ft|htt)ps?.*\?+$" \
 > #        "phase:2,rev:'2.2.2',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,status:501,msg:'Remote File Inclusion Attack',id:'950119',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.rfi_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
+--- base_rules/modsecurity_crs_50_outbound.conf
++++ base_rules/modsecurity_crs_50_outbound.conf
+39c39
+< SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2.2.2',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
+---
+> #SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2.2.2',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"

sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/login/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign in</title>
 </head>
 <body>

sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/logout/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign out</title>
 </head>
 <body>

sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/login/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign in</title>
 </head>
 <body>

sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/logout/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign out</title>
 </head>
 <body>

sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign in</title>
 </head>
 <body>

sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign out</title>
 </head>
 <body>

sca-cpp/trunk/samples/store-python/htdocs/login/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign in</title>
 </head>
 <body>

sca-cpp/trunk/samples/store-python/htdocs/logout/index.html

@@ -23,6 +23,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes"/>
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
 <link rel="stylesheet" type="text/css" href="/ui.css"/>
+<script type="text/javascript" src="/util.js"></script>
 <title>Sign out</title>
 </head>
 <body>