*/
AP_DECLARE(const char *) ap_auth_name(request_rec *r);
-/**
- * How the requires lines must be met.
- * @param r The current request
- * @return How the requirements must be met. One of:
- * <pre>
- * SATISFY_ANY -- any of the requirements must be met.
- * SATISFY_ALL -- all of the requirements must be met.
- * SATISFY_NOSPEC -- There are no applicable satisfy lines
- * </pre>
- *
-AP_DE CLARE(int) ap_satisfies(request_rec *r);
-*/
-
-/**
- * Retrieve information about all of the requires directives for this request
- * @param r The current request
- * @return An array of all requires directives for this request
- *
-AP_DE CLARE(const apr_array_header_t *) ap_requires(request_rec *r);
-*/
-
#ifdef CORE_PRIVATE
/**
char *ap_default_type;
-// /* Authentication stuff. Groan... */
-//
-// int *satisfy; /* for every method one */
-// char *ap_auth_type; /* Deprecated see mod_authn */
-// char *ap_auth_name; /* Deprecated see mod_authn */
-// apr_array_header_t *ap_requires; /* Deprecated see mod_authz */
-
/* Custom response config. These can contain text or a URL to redirect to.
* if response_code_strings is NULL then there are none in the config,
* if it's not null then it's allocated to sizeof(char*)*RESPONSE_CODES.
* authorization values with mod_authz_host
*/
-/*APR_DECLARE_OPTIONAL_FN(const apr_array_header_t *, authz_ap_requires,
- (request_rec *r));
-*/
APR_DECLARE_OPTIONAL_FN(int, authz_some_auth_required, (request_rec *r));
APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_type, (request_rec *r));
APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_name, (request_rec *r));
return HTTP_INTERNAL_SERVER_ERROR;
}
- /*XXX Need to figure out how to remove ap_auth_type from
- the request_rec yet still make the data available
- on a per-request basis.
- */
r->ap_auth_type = (char*)current_auth;
res = get_basic_auth(r, &sent_user, &sent_pw);
return AUTH_GRANTED;
}
-#if 0
-/*
- * Authorisation Phase
- * -------------------
- *
- * After checking whether the username and password are correct, we need
- * to check whether that user is authorised to view this resource. The
- * require directive is used to do this:
- *
- * require valid-user Any authenticated is allowed in.
- * require user <username> This particular user is allowed in.
- * require group <groupname> The user must be a member of this group
- * in order to be allowed in.
- * require dn <dn> The user must have the following DN in the
- * LDAP tree to be let in.
- *
- */
-static int authz_ldap_check_user_access(request_rec *r)
-{
- int result = 0;
- authn_ldap_request_t *req =
- (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
- authn_ldap_config_t *sec =
- (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
-
- util_ldap_connection_t *ldc = NULL;
- int m = r->method_number;
-
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
-
- register int x;
- const char *t;
- char *w, *value;
- int method_restricted = 0;
-
- char filtbuf[FILTER_LENGTH];
- const char *dn = NULL;
- const char **vals = NULL;
-
-/*
- if (!sec->enabled) {
- return DECLINED;
- }
-*/
-
- if (!sec->have_ldap_url) {
- return DECLINED;
- }
-
- if (sec->host) {
- ldc = util_ldap_connection_find(r, sec->host, sec->port,
- sec->binddn, sec->bindpw, sec->deref,
- sec->secure);
- apr_pool_cleanup_register(r->pool, ldc,
- authnz_ldap_cleanup_connection_close,
- apr_pool_cleanup_null);
- }
- else {
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: no sec->host - weird...?", getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
- /*
- * If there are no elements in the group attribute array, the default should be
- * member and uniquemember; populate the array now.
- */
- if (sec->groupattr->nelts == 0) {
- struct mod_auth_ldap_groupattr_entry_t *grp;
-#if APR_HAS_THREADS
- apr_thread_mutex_lock(sec->lock);
-#endif
- grp = apr_array_push(sec->groupattr);
- grp->name = "member";
- grp = apr_array_push(sec->groupattr);
- grp->name = "uniquemember";
-#if APR_HAS_THREADS
- apr_thread_mutex_unlock(sec->lock);
-#endif
- }
-
- if (!reqs_arr) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
- /*
- * If we have been authenticated by some other module than mod_auth_ldap,
- * the req structure needed for authorization needs to be created
- * and populated with the userid and DN of the account in LDAP
- */
-
- /* Check that we have a userid to start with */
- if ((!r->user) || (strlen(r->user) == 0)) {
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
- "ldap authorize: Userid is blank, AuthType=%s",
- r->ap_auth_type);
- }
-
- if(!req) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "ldap authorize: Creating LDAP req structure");
-
- /* Build the username filter */
- authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
-
- /* Search for the user DN */
- result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
- sec->scope, sec->attributes, filtbuf, &dn, &vals);
-
- /* Search failed, log error and return failure */
- if(result != LDAP_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "auth_ldap authorise: User DN not found, %s", ldc->reason);
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
- req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
- sizeof(authn_ldap_request_t));
- ap_set_module_config(r->request_config, &authnz_ldap_module, req);
- req->dn = apr_pstrdup(r->pool, dn);
- req->user = r->user;
- }
-
- /* Loop through the requirements array until there's no elements
- * left, or something causes a return from inside the loop */
- for(x=0; x < reqs_arr->nelts; x++) {
- if (! (reqs[x].method_mask & (1 << m))) {
- continue;
- }
- method_restricted = 1;
-
- t = reqs[x].requirement;
- w = ap_getword_white(r->pool, &t);
-
- if (strcmp(w, "ldap-user") == 0) {
- if (req->dn == NULL || strlen(req->dn) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require user: user's DN has not been defined; failing authorisation",
- getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
- /*
- * First do a whole-line compare, in case it's something like
- * require user Babs Jensen
- */
- result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, t);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require user: authorisation successful", getpid());
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: require user: "
- "authorisation failed [%s][%s]", getpid(),
- ldc->reason, ldap_err2string(result));
- }
- }
- /*
- * Now break apart the line and compare each word on it
- */
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require user: authorisation successful", getpid());
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require user: authorisation failed [%s][%s]",
- getpid(), ldc->reason, ldap_err2string(result));
- }
- }
- }
- }
- else if (strcmp(w, "ldap-dn") == 0) {
- if (req->dn == NULL || strlen(req->dn) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require dn: user's DN has not been defined; failing authorisation",
- getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
- result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require dn: authorisation successful", getpid());
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require dn \"%s\": LDAP error [%s][%s]",
- getpid(), t, ldc->reason, ldap_err2string(result));
- }
- }
- }
- else if (strcmp(w, "ldap-group") == 0) {
- struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
- int i;
-
- if (sec->group_attrib_is_dn) {
- if (req->dn == NULL || strlen(req->dn) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
- "user's DN has not been defined; failing authorisation",
- getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
- }
- else {
- if (req->user == NULL || strlen(req->user) == 0) {
- /* We weren't called in the authentication phase, so we didn't have a
- * chance to set the user field. Do so now. */
- req->user = r->user;
- }
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
- "testing for group membership in \"%s\"",
- getpid(), t);
-
- for (i = 0; i < sec->groupattr->nelts; i++) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
- "testing for %s: %s (%s)", getpid(),
- ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
-
- result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
- sec->group_attrib_is_dn ? req->dn : req->user);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
- "authorisation successful (attribute %s) [%s][%s]",
- getpid(), ent[i].name, ldc->reason, ldap_err2string(result));
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: require group \"%s\": "
- "authorisation failed [%s][%s]",
- getpid(), t, ldc->reason, ldap_err2string(result));
- }
- }
- }
- }
- else if (strcmp(w, "ldap-attribute") == 0) {
- if (req->dn == NULL || strlen(req->dn) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require ldap-attribute: user's DN has not been defined; failing authorisation",
- getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
- while (t[0]) {
- w = ap_getword(r->pool, &t, '=');
- value = ap_getword_conf(r->pool, &t);
-
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: checking attribute"
- " %s has value %s", getpid(), w, value);
- result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
- w, value);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
- 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require attribute: authorisation "
- "successful", getpid());
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
- 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require attribute: authorisation "
- "failed [%s][%s]", getpid(),
- ldc->reason, ldap_err2string(result));
- }
- }
- }
- }
- else if (strcmp(w, "ldap-filter") == 0) {
- if (req->dn == NULL || strlen(req->dn) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require ldap-filter: user's DN has not been defined; failing authorisation",
- getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
- if (t[0]) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: checking filter %s",
- getpid(), t);
-
- /* Build the username filter */
- authn_ldap_build_filter(filtbuf, r, req->user, t, sec);
-
- /* Search for the user DN */
- result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
- sec->scope, sec->attributes, filtbuf, &dn, &vals);
-
- /* Make sure that the filtered search returned the correct user dn */
- if (result == LDAP_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: checking dn match %s",
- getpid(), dn);
- result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
- sec->compare_dn_on_server);
- }
-
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
- 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require ldap-filter: authorisation "
- "successful", getpid());
- return OK;
- }
- case LDAP_FILTER_ERROR: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
- 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require ldap-filter: %s authorisation "
- "failed [%s][%s]", getpid(),
- filtbuf, ldc->reason, ldap_err2string(result));
- break;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
- 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
- "require ldap-filter: authorisation "
- "failed [%s][%s]", getpid(),
- ldc->reason, ldap_err2string(result));
- }
- }
- }
- }
- }
-
- if (!method_restricted) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: agreeing because non-restricted",
- getpid());
- return OK;
- }
-
- if (!sec->auth_authoritative) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid());
- return DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid());
- ap_note_basic_auth_failure (r);
-
- return HTTP_UNAUTHORIZED;
-}
-#endif
-
static authz_status ldapuser_check_authorization(request_rec *r,
const char *require_args)
{
return OK;
}
-#if 0
-static int authz_dbd_check(request_rec *r)
-{
- int i, x, rv;
- const char *w;
- int m = r->method_number;
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
- apr_array_header_t *groups = NULL;
- const char *t;
- authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
- &authz_dbd_module);
-
- if (!reqs_arr) {
- return DECLINED;
- }
-
- for (x = 0; x < reqs_arr->nelts; x++) {
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
- continue;
- }
-
- t = reqs[x].requirement;
- w = ap_getword_white(r->pool, &t);
- if (!strcasecmp(w, "dbd-group")) {
- if (groups == NULL) {
- groups = apr_array_make(r->pool, 4, sizeof(const char*));
- rv = authz_dbd_group_query(r, cfg, groups);
- if (rv != OK) {
- return rv;
- }
- }
- while (t[0]) {
- w = ap_getword_white(r->pool, &t);
- for (i=0; i < groups->nelts; ++i) {
- if (!strcmp(w, ((const char**)groups->elts)[i])) {
- return OK;
- }
- }
- }
- }
- else if (!strcasecmp(w, "dbd-login")) {
- return authz_dbd_login(r, cfg, "login");
- }
- else if (!strcasecmp(w, "dbd-logout")) {
- return authz_dbd_login(r, cfg, "logout");
- }
- }
-
- if ((groups != NULL) && cfg->authoritative) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "authz_dbd: user %s denied access to %s",
- r->user, r->uri);
- ap_note_auth_failure(r);
- return HTTP_UNAUTHORIZED;
- }
- return DECLINED;
-}
-#endif
-
static authz_status dbdgroup_check_authorization(request_rec *r,
const char *require_args)
{
return retval;
}
-#if 0
-/* Checking ID */
-static int dbm_check_auth(request_rec *r)
-{
- authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
- &authz_dbm_module);
- char *user = r->user;
- int m = r->method_number;
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
- register int x;
- const char *t;
- char *w;
- int required_group = 0;
- const char *filegroup = NULL;
- const char *orig_groups = NULL;
- char *reason = NULL;
-
- if (!conf->grpfile) {
- return DECLINED;
- }
-
- if (!reqs_arr) {
- return DECLINED;
- }
-
- for (x = 0; x < reqs_arr->nelts; x++) {
-
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
- continue;
- }
-
- t = reqs[x].requirement;
- w = ap_getword_white(r->pool, &t);
-
- if (!strcasecmp(w, "file-group")) {
- filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
-
- if (!filegroup) {
- /* mod_authz_owner is not present or not
- * authoritative. We are just a helper module for testing
- * group membership, so we don't care and decline.
- */
- continue;
- }
- }
-
- if (!strcasecmp(w, "group") || filegroup) {
- const char *realm = ap_auth_name(r);
- const char *groups;
- char *v;
-
- /* remember that actually a group is required */
- required_group = 1;
-
- /* fetch group data from dbm file only once. */
- if (!orig_groups) {
- apr_status_t status;
-
- status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm,
- NULL),
- user,
- conf->grpfile, conf->dbmtype, &groups);
-
- if (status != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
- "could not open dbm (type %s) group access "
- "file: %s", conf->dbmtype, conf->grpfile);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- if (groups == NULL) {
- /* no groups available, so exit immediately */
- reason = apr_psprintf(r->pool,
- "user doesn't appear in DBM group "
- "file (%s).", conf->grpfile);
- break;
- }
-
- orig_groups = groups;
- }
-
- if (filegroup) {
- groups = orig_groups;
- while (groups[0]) {
- v = ap_getword(r->pool, &groups, ',');
- if (!strcmp(v, filegroup)) {
- return OK;
- }
- }
-
- if (conf->authoritative) {
- reason = apr_psprintf(r->pool,
- "file group '%s' does not match.",
- filegroup);
- break;
- }
-
- /* now forget the filegroup, thus alternatively require'd
- groups get a real chance */
- filegroup = NULL;
- }
- else {
- while (t[0]) {
- w = ap_getword_white(r->pool, &t);
- groups = orig_groups;
- while (groups[0]) {
- v = ap_getword(r->pool, &groups, ',');
- if (!strcmp(v, w)) {
- return OK;
- }
- }
- }
- }
- }
- }
-
- /* No applicable "require group" for this method seen */
- if (!required_group || !conf->authoritative) {
- return DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Authorization of user %s to access %s failed, reason: %s",
- r->user, r->uri,
- reason ? reason : "user is not part of the "
- "'require'ed group(s).");
-
- ap_note_auth_failure(r);
- return HTTP_UNAUTHORIZED;
-}
-#endif
-
static authz_status dbmgroup_check_authorization(request_rec *r,
const char *require_args)
{
return APR_SUCCESS;
}
-#if 0
-/* Checking ID */
-
-static int check_user_access(request_rec *r)
-{
- authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
- &authz_groupfile_module);
- char *user = r->user;
- int m = r->method_number;
- int required_group = 0;
- register int x;
- const char *t, *w;
- apr_table_t *grpstatus = NULL;
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs;
- const char *filegroup = NULL;
- char *reason = NULL;
-
- /* If there is no group file - then we are not
- * configured. So decline.
- */
- if (!(conf->groupfile)) {
- return DECLINED;
- }
-
- if (!reqs_arr) {
- return DECLINED; /* XXX change from legacy */
- }
-
- reqs = (require_line *)reqs_arr->elts;
-
- for (x = 0; x < reqs_arr->nelts; x++) {
-
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
- continue;
- }
-
- t = reqs[x].requirement;
- w = ap_getword_white(r->pool, &t);
-
- /* needs mod_authz_owner to be present */
- if (!strcasecmp(w, "file-group")) {
- filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
-
- if (!filegroup) {
- /* mod_authz_owner is not present or not
- * authoritative. We are just a helper module for testing
- * group membership, so we don't care and decline.
- */
- continue;
- }
- }
-
- if (!strcasecmp(w, "group") || filegroup) {
- required_group = 1; /* remember the requirement */
-
- /* create group table only if actually needed. */
- if (!grpstatus) {
- apr_status_t status;
-
- status = groups_for_user(r->pool, user, conf->groupfile,
- &grpstatus);
-
- if (status != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
- "Could not open group file: %s",
- conf->groupfile);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- if (apr_table_elts(grpstatus)->nelts == 0) {
- /* no groups available, so exit immediately */
- reason = apr_psprintf(r->pool,
- "user doesn't appear in group file "
- "(%s).", conf->groupfile);
- break;
- }
- }
-
- if (filegroup) {
- if (apr_table_get(grpstatus, filegroup)) {
- return OK;
- }
-
- if (conf->authoritative) {
- reason = apr_psprintf(r->pool,
- "file group '%s' does not match.",
- filegroup);
- break;
- }
-
- /* now forget the filegroup, thus alternatively require'd
- groups get a real chance */
- filegroup = NULL;
- }
- else {
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- if (apr_table_get(grpstatus, w)) {
- return OK;
- }
- }
- }
- }
- }
-
- /* No applicable "require group" for this method seen */
- if (!required_group || !conf->authoritative) {
- return DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Authorization of user %s to access %s failed, reason: %s",
- r->user, r->uri,
- reason ? reason : "user is not part of the "
- "'require'ed group(s).");
-
- ap_note_auth_failure(r);
- return HTTP_UNAUTHORIZED;
-}
-#endif
-
static authz_status group_check_authorization(request_rec *r,
const char *require_args)
{
#include <netinet/in.h>
#endif
-/*
-enum allowdeny_type {
- T_ENV,
- T_ALL,
- T_IP,
- T_HOST,
- T_FAIL
-};
-
-typedef struct {
- apr_int64_t limited;
- union {
- char *from;
- apr_ipsubnet_t *ip;
- } x;
- enum allowdeny_type type;
-} allowdeny;
-*/
-
-/* things in the 'order' array */
-/*
-#define DENY_THEN_ALLOW 0
-#define ALLOW_THEN_DENY 1
-#define MUTUAL_FAILURE 2
-*/
-
typedef struct {
-/* int order[METHODS];
- apr_array_header_t *allows;
- apr_array_header_t *denys; */
int dummy; /* just here to stop compiler warnings for now. */
} authz_host_dir_conf;
static void *create_authz_host_dir_config(apr_pool_t *p, char *dummy)
{
-/* int i;*/
authz_host_dir_conf *conf =
(authz_host_dir_conf *)apr_pcalloc(p, sizeof(authz_host_dir_conf));
-/*
- for (i = 0; i < METHODS; ++i) {
- conf->order[i] = DENY_THEN_ALLOW;
- }
- conf->allows = apr_array_make(p, 1, sizeof(allowdeny));
- conf->denys = apr_array_make(p, 1, sizeof(allowdeny));
-*/
-
return (void *)conf;
}
-/*
-static const char *order(cmd_parms *cmd, void *dv, const char *arg)
-{
- authz_host_dir_conf *d = (authz_host_dir_conf *) dv;
- int i, o;
-
- if (!strcasecmp(arg, "allow,deny"))
- o = ALLOW_THEN_DENY;
- else if (!strcasecmp(arg, "deny,allow"))
- o = DENY_THEN_ALLOW;
- else if (!strcasecmp(arg, "mutual-failure"))
- o = MUTUAL_FAILURE;
- else
- return "unknown order";
-
- for (i = 0; i < METHODS; ++i)
- if (cmd->limited & (AP_METHOD_BIT << i))
- d->order[i] = o;
-
- return NULL;
-}
-*/
-
-/*
-static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
- const char *where_c)
-{
- authz_host_dir_conf *d = (authz_host_dir_conf *) dv;
- allowdeny *a;
- char *where = apr_pstrdup(cmd->pool, where_c);
- char *s;
- char msgbuf[120];
- apr_status_t rv;
-
- if (strcasecmp(from, "from"))
- return "allow and deny must be followed by 'from'";
-
- a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);
- a->x.from = where;
- a->limited = cmd->limited;
-
- if (!strncasecmp(where, "env=", 4)) {
- a->type = T_ENV;
- a->x.from += 4;
-
- }
- else if (!strcasecmp(where, "all")) {
- a->type = T_ALL;
- }
- else if ((s = ap_strchr(where, '/'))) {
- *s++ = '\0';
- rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool);
- if(APR_STATUS_IS_EINVAL(rv)) {
- /* looked nothing like an IP address *
- return "An IP address was expected";
- }
- else if (rv != APR_SUCCESS) {
- apr_strerror(rv, msgbuf, sizeof msgbuf);
- return apr_pstrdup(cmd->pool, msgbuf);
- }
- a->type = T_IP;
- }
- else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where,
- NULL, cmd->pool))) {
- if (rv != APR_SUCCESS) {
- apr_strerror(rv, msgbuf, sizeof msgbuf);
- return apr_pstrdup(cmd->pool, msgbuf);
- }
- a->type = T_IP;
- }
- else { /* no slash, didn't look like an IP address => must be a host *
- a->type = T_HOST;
- }
-
- return NULL;
-}
-*/
-
-/*static char its_an_allow;*/
-
static const command_rec authz_host_cmds[] =
{
-/*
- AP_INIT_TAKE1("order", order, NULL, OR_LIMIT,
- "'allow,deny', 'deny,allow', or 'mutual-failure'"),
- AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT,
- "'from' followed by hostnames or IP-address wildcards"),
- AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,
- "'from' followed by hostnames or IP-address wildcards"),
-*/
{NULL}
};
}
}
-/*
-static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
-{
-
- allowdeny *ap = (allowdeny *) a->elts;
- apr_int64_t mmask = (AP_METHOD_BIT << method);
- int i;
- int gothost = 0;
- const char *remotehost = NULL;
-
- for (i = 0; i < a->nelts; ++i) {
- if (!(mmask & ap[i].limited)) {
- continue;
- }
-
- switch (ap[i].type) {
- case T_ENV:
- if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
- return 1;
- }
- break;
-
- case T_ALL:
- return 1;
-
- case T_IP:
- if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) {
- return 1;
- }
- break;
-
- case T_HOST:
- if (!gothost) {
- int remotehost_is_ip;
-
- remotehost = ap_get_remote_host(r->connection,
- r->per_dir_config,
- REMOTE_DOUBLE_REV,
- &remotehost_is_ip);
-
- if ((remotehost == NULL) || remotehost_is_ip) {
- gothost = 1;
- }
- else {
- gothost = 2;
- }
- }
-
- if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) {
- return 1;
- }
- break;
-
- case T_FAIL:
- /* do nothing? *
- break;
- }
- }
-
- return 0;
-}
-
-static int check_dir_access(request_rec *r)
-{
- int method = r->method_number;
- int ret = OK;
- authz_host_dir_conf *a = (authz_host_dir_conf *)
- ap_get_module_config(r->per_dir_config, &authz_host_module);
-
- if (a->order[method] == ALLOW_THEN_DENY) {
- ret = HTTP_FORBIDDEN;
- if (find_allowdeny(r, a->allows, method)) {
- ret = OK;
- }
- if (find_allowdeny(r, a->denys, method)) {
- ret = HTTP_FORBIDDEN;
- }
- }
- else if (a->order[method] == DENY_THEN_ALLOW) {
- if (find_allowdeny(r, a->denys, method)) {
- ret = HTTP_FORBIDDEN;
- }
- if (find_allowdeny(r, a->allows, method)) {
- ret = OK;
- }
- }
- else {
- if (find_allowdeny(r, a->allows, method)
- && !find_allowdeny(r, a->denys, method)) {
- ret = OK;
- }
- else {
- ret = HTTP_FORBIDDEN;
- }
- }
-
- if (ret == HTTP_FORBIDDEN
- && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "client denied by server configuration: %s",
- r->filename);
- }
-
- return ret;
-}
-*/
-
static authz_status env_check_authorization(request_rec *r, const char *require_line)
{
const char *t, *w;
&authz_host_provider);
ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "all", "0",
&authz_all_provider);
-
- /* This can be access checker since we don't require r->user to be set. */
-/* ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE); */
}
module AP_MODULE_DECLARE_DATA authz_host_module =
module AP_MODULE_DECLARE_DATA authz_owner_module;
-#if 0
-static int check_file_owner(request_rec *r)
-{
- authz_owner_config_rec *conf = ap_get_module_config(r->per_dir_config,
- &authz_owner_module);
- int m = r->method_number;
- register int x;
- const char *t, *w;
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs;
- int required_owner = 0;
- apr_status_t status = 0;
- char *reason = NULL;
-
- if (!reqs_arr) {
- return DECLINED;
- }
-
- reqs = (require_line *)reqs_arr->elts;
- for (x = 0; x < reqs_arr->nelts; x++) {
-
- /* if authoritative = On then break if a require already failed. */
- if (reason && conf->authoritative) {
- break;
- }
-
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
- continue;
- }
-
- t = reqs[x].requirement;
- w = ap_getword_white(r->pool, &t);
-
- if (!strcmp(w, "file-owner")) {
-#if !APR_HAS_USER
- if ((required_owner & ~1) && conf->authoritative) {
- break;
- }
-
- required_owner |= 1; /* remember the requirement */
- reason = "'Require file-owner' is not supported on this platform.";
- continue;
-#else /* APR_HAS_USER */
- char *owner = NULL;
- apr_finfo_t finfo;
-
- if ((required_owner & ~1) && conf->authoritative) {
- break;
- }
-
- required_owner |= 1; /* remember the requirement */
-
- if (!r->filename) {
- reason = "no filename available";
- continue;
- }
-
- status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool);
- if (status != APR_SUCCESS) {
- reason = apr_pstrcat(r->pool, "could not stat file ",
- r->filename, NULL);
- continue;
- }
-
- if (!(finfo.valid & APR_FINFO_USER)) {
- reason = "no file owner information available";
- continue;
- }
-
- status = apr_uid_name_get(&owner, finfo.user, r->pool);
- if (status != APR_SUCCESS || !owner) {
- reason = "could not get name of file owner";
- continue;
- }
-
- if (strcmp(owner, r->user)) {
- reason = apr_psprintf(r->pool, "file owner %s does not match.",
- owner);
- continue;
- }
-
- /* this user is authorized */
- return OK;
-#endif /* APR_HAS_USER */
- }
-
- /* file-group only figures out the file's group and lets
- * other modules do the actual authorization (against a group file/db).
- * Thus, these modules have to hook themselves after
- * mod_authz_owner and of course recognize 'file-group', too.
- */
- if (!strcmp(w, "file-group")) {
-#if !APR_HAS_USER
- if ((required_owner & ~6) && conf->authoritative) {
- break;
- }
-
- required_owner |= 2; /* remember the requirement */
- reason = "'Require file-group' is not supported on this platform.";
- continue;
-#else /* APR_HAS_USER */
- char *group = NULL;
- apr_finfo_t finfo;
-
- if ((required_owner & ~6) && conf->authoritative) {
- break;
- }
-
- required_owner |= 2; /* remember the requirement */
-
- if (!r->filename) {
- reason = "no filename available";
- continue;
- }
-
- status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
- if (status != APR_SUCCESS) {
- reason = apr_pstrcat(r->pool, "could not stat file ",
- r->filename, NULL);
- continue;
- }
-
- if (!(finfo.valid & APR_FINFO_GROUP)) {
- reason = "no file group information available";
- continue;
- }
-
- status = apr_gid_name_get(&group, finfo.group, r->pool);
- if (status != APR_SUCCESS || !group) {
- reason = "could not get name of file group";
- continue;
- }
-
- /* store group name in a note and let others decide... */
- apr_table_setn(r->notes, AUTHZ_GROUP_NOTE, group);
- required_owner |= 4;
- continue;
-#endif /* APR_HAS_USER */
- }
- }
-
- if (!required_owner || !conf->authoritative) {
- return DECLINED;
- }
-
- /* allow file-group passed to group db modules either if this is the
- * only applicable requirement here or if a file-owner failed but we're
- * not authoritative.
- * This allows configurations like:
- *
- * AuthzOwnerAuthoritative Off
- * require file-owner
- * require file-group
- *
- * with the semantical meaning of "either owner or group must match"
- * (inclusive or)
- *
- * [ 6 == 2 | 4; 7 == 1 | 2 | 4 ] should I use #defines instead?
- */
- if (required_owner == 6 || (required_owner == 7 && !conf->authoritative)) {
- return DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
- "Authorization of user %s to access %s failed, reason: %s",
- r->user, r->uri, reason ? reason : "unknown");
-
- ap_note_auth_failure(r);
- return HTTP_UNAUTHORIZED;
-}
-#endif
-
static authz_status fileowner_check_authorization(request_rec *r,
const char *require_args)
{
module AP_MODULE_DECLARE_DATA authz_user_module;
-#if 0
-static int check_user_access(request_rec *r)
-{
- authz_user_config_rec *conf = ap_get_module_config(r->per_dir_config,
- &authz_user_module);
- char *user = r->user;
- int m = r->method_number;
- int required_user = 0;
- register int x;
- const char *t, *w;
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs;
-
- /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
- * then any user will do.
- */
- if (!reqs_arr) {
- return DECLINED;
- }
- reqs = (require_line *)reqs_arr->elts;
-
- for (x = 0; x < reqs_arr->nelts; x++) {
-
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
- continue;
- }
-
- t = reqs[x].requirement;
- w = ap_getword_white(r->pool, &t);
- if (!strcasecmp(w, "valid-user")) {
- return OK;
- }
- if (!strcasecmp(w, "user")) {
- /* And note that there are applicable requirements
- * which we consider ourselves the owner of.
- */
- required_user = 1;
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- if (!strcmp(user, w)) {
- return OK;
- }
- }
- }
- }
-
- if (!required_user) {
- /* no applicable requirements */
- return DECLINED;
- }
-
- if (!conf->authoritative) {
- return DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user '%s' does not meet "
- "'require'ments for user/valid-user to be allowed access",
- r->uri, user);
-
- ap_note_auth_failure(r);
- return HTTP_UNAUTHORIZED;
-}
-#endif
-
static authz_status user_check_authorization(request_rec *r,
const char *require_args)
{
static void *create_core_dir_config(apr_pool_t *a, char *dir)
{
core_dir_config *conf;
-/* int i;*/
conf = (core_dir_config *)apr_pcalloc(a, sizeof(core_dir_config));
conf->use_canonical_phys_port = USE_CANONICAL_PHYS_PORT_UNSET;
conf->hostname_lookups = HOSTNAME_LOOKUP_UNSET;
-/*
- conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
- for (i = 0; i < METHODS; ++i) {
- conf->satisfy[i] = SATISFY_NOSPEC;
- }
-*/
#ifdef RLIMIT_CPU
conf->limit_cpu = NULL;
/* Otherwise we simply use the base->sec_file array
*/
- /* use a separate ->satisfy[] array either way */
-/* conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
- for (i = 0; i < METHODS; ++i) {
- if (new->satisfy[i] != SATISFY_NOSPEC) {
- conf->satisfy[i] = new->satisfy[i];
- } else {
- conf->satisfy[i] = base->satisfy[i];
- }
- }
-*/
-
if (new->server_signature != srv_sig_unset) {
conf->server_signature = new->server_signature;
}
return conf->override;
}
-/*
-AP_DECLARE(const char *) ap_auth_type(request_rec *r)
-{
- core_dir_config *conf;
-
- conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
- &core_module);
-
- return conf->ap_auth_type;
-}
-*/
-
/*
* Optional function coming from mod_ident, used for looking up ident user
*/
return NULL;
}
-/*
-AP_DECLARE(const char *) ap_auth_name(request_rec *r)
-{
- core_dir_config *conf;
-
- conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
- &core_module);
-
- return conf->ap_auth_name;
-}
-*/
-
/*
* Optional function coming from mod_ident, used for looking up ident user
*/
return conf->ap_document_root;
}
-/*
- * Optional function coming from mod_ident, used for looking up ident user
- *
-static APR_OPTIONAL_FN_TYPE(authz_ap_requires) *authz_ap_requires;
-
-AP_DECLARE(const apr_array_header_t *) ap_requires(request_rec *r)
-{
- if (authz_ap_requires) {
- return authz_ap_requires(r);
- }
- return NULL;
-}
-*/
-
-/*
-AP_DECLARE(int) ap_satisfies(request_rec *r)
-{
- core_dir_config *conf;
-
- conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
- &core_module);
-
- return conf->satisfy[r->method_number];
-}
-*/
-
/* Should probably just get rid of this... the only code that cares is
* part of the core anyway (and in fact, it isn't publicised to other
* modules).
return NULL;
}
-/*
-static const char *satisfy(cmd_parms *cmd, void *c_, const char *arg)
-{
- core_dir_config *c = c_;
- int satisfy = SATISFY_NOSPEC;
- int i;
-
- if (!strcasecmp(arg, "all")) {
- satisfy = SATISFY_ALL;
- }
- else if (!strcasecmp(arg, "any")) {
- satisfy = SATISFY_ANY;
- }
- else {
- return "Satisfy either 'any' or 'all'.";
- }
-
- for (i = 0; i < METHODS; ++i) {
- if (cmd->limited & (AP_METHOD_BIT << i)) {
- c->satisfy[i] = satisfy;
- }
- }
-
- return NULL;
-}
-*/
/*
* Report a missing-'>' syntax error.
"specified URL paths"),
AP_INIT_RAW_ARGS("<FilesMatch", filesection, (void*)1, OR_ALL,
"Container for directives affecting files matching specified patterns"),
-/*
-AP_INIT_TAKE1("Satisfy", satisfy, NULL, OR_AUTHCFG,
- "access policy if both allow and require used ('all' or 'any')"),
-*/
#ifdef GPROF
AP_INIT_TAKE1("GprofDir", set_gprof_dir, NULL, RSRC_CONF,
"Directory to plop gmon.out files"),
{
logio_add_bytes_out = APR_RETRIEVE_OPTIONAL_FN(ap_logio_add_bytes_out);
ident_lookup = APR_RETRIEVE_OPTIONAL_FN(ap_ident_lookup);
-/* authz_ap_requires = APR_RETRIEVE_OPTIONAL_FN(authz_ap_requires); */
authz_ap_some_auth_required = APR_RETRIEVE_OPTIONAL_FN(authz_some_auth_required);
authn_ap_auth_type = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_type);
authn_ap_auth_name = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_name);
return decl_die(access_status, "check authorization", r);
}
-/*
- switch (ap_satisfies(r)) {
- case SATISFY_ALL:
- case SATISFY_NOSPEC:
- if ((access_status = ap_run_access_checker(r)) != 0) {
- return decl_die(access_status, "check access", r);
- }
-
- if (((access_status = ap_run_check_user_id(r)) != 0)
- || !ap_auth_type(r)) {
- return decl_die(access_status, ap_auth_type(r)
- ? "check user. No user file?"
- : "perform authentication. AuthType not set!",
- r);
- }
-
- if (((access_status = ap_run_auth_checker(r)) != 0)
- || !ap_auth_type(r)) {
- return decl_die(access_status, ap_auth_type(r)
- ? "check access. No groups file?"
- : "perform authentication. AuthType not set!",
- r);
- }
- break;
-
- case SATISFY_ANY:
- if (((access_status = ap_run_access_checker(r)) != 0)) {
-
- if (((access_status = ap_run_check_user_id(r)) != 0)
- || !ap_auth_type(r)) {
- return decl_die(access_status, ap_auth_type(r)
- ? "check user. No user file?"
- : "perform authentication. AuthType not set!",
- r);
- }
-
- if (((access_status = ap_run_auth_checker(r)) != 0)
- || !ap_auth_type(r)) {
- return decl_die(access_status, ap_auth_type(r)
- ? "check access. No groups file?"
- : "perform authentication. AuthType not set!",
- r);
- }
- }
- break;
- }
-*/
}
/* XXX Must make certain the ap_run_type_checker short circuits mime
* in mod-proxy for r->proxyreq && r->parsed_uri.scheme
projects / thirdparty / apache / httpd.git / commitdiff
