From cd4438a812041664a7d3f11993a902d98e8f8acf Mon Sep 17 00:00:00 2001
From: Galen Charlton <gmc@esilibrary.com>
Date: Thu, 30 Apr 2015 11:07:14 -0700
Subject: [PATCH] LP#1449283: fix auth when running under Apache 2.4

When running under Apache 2.4 using the stock configuration
derived from apache_24/eg_vhost.conf.in, protected
URLs such as https://eghost/reporter/ that are meant to
require valid EG staff credentials were not in fact
requiring authentication.

This patch does the following to fix this:

[1] Removes several uses of "Require all granted" that
    was causing authentication to be ignored.
[2] Changes OpenILS::WWW::Proxy::Authen so that it always
    sets the username in the Apache request object if
    authentication was successful; it appears that starting
    with Apache 2.4, authentication handlers must ensure
    that a user name is set for a "Require valid-user"
    directive to work.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Jason Stephenson <jstephenson@mvlc.org>
Signed-off-by: Bill Erickson <berickxx@gmail.com>
---
 Open-ILS/examples/apache_24/eg_vhost.conf.in  | 26 +++++++------------
 .../perlmods/lib/OpenILS/WWW/Proxy/Authen.pm  |  4 +++
 2 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/Open-ILS/examples/apache_24/eg_vhost.conf.in b/Open-ILS/examples/apache_24/eg_vhost.conf.in
index 3d60fda7a5..d4bbd785cd 100644
--- a/Open-ILS/examples/apache_24/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache_24/eg_vhost.conf.in
@@ -441,11 +441,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlHandler OpenILS::WWW::Exporter
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 <Location /opac/extras/merge_template>
@@ -455,11 +454,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlHandler OpenILS::WWW::TemplateBatchBibUpdate
     PerlSendHeader On
     Options +ExecCGI
-    Require all granted 
 </Location>
 
 <Location /opac/extras/circ>
@@ -468,10 +466,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 <Location /collections>
@@ -481,10 +478,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "money.collections_tracker.create"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -496,7 +492,7 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlSendHeader On
     allow from all
     SSLRequireSSL
@@ -511,10 +507,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "VIEW_REPORT_OUTPUT"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -526,10 +521,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </LocationMatch>
 
 
@@ -600,10 +594,9 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -613,14 +606,13 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
     SetHandler perl-script
     AuthType Basic
     AuthName "PhoneList Login"
-    require valid-user
+    Require valid-user
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlHandler OpenILS::WWW::PhoneList
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
     Options +ExecCGI
     PerlSendHeader On
-    allow from all
     <IfModule mod_headers.c>
         Header onsuccess set Cache-Control no-cache
     </IfModule>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
index 2e33aa159e..5b1c64b77d 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
@@ -102,6 +102,10 @@ sub handler {
                         -expires=>'-1h'
                 );
             } else {
+                # it appears that as of Apache 2.4, authentication
+                # handlers are expected to ensure that the request
+                # object has ->user set.
+                $apache->user($user->usrname);
                 $bad_auth = 0;
             }
         }
-- 
2.43.2