From: Bradley Nicholes Date: Wed, 7 Dec 2005 05:19:21 +0000 (+0000) Subject: Split the authz type from the arguments when the X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98a7c5388258492799318a208a1a53bb5acc0f0a;p=thirdparty%2Fapache%2Fhttpd.git Split the authz type from the arguments when the authz provider is registered and store the type in ->provider_name and the arguments in ->requirement Move the check for METHOD_MASK out of the authz providers and into the provider vector Change the status code to AUTHZ_DENIED, AUTHZ_GRANTED and AUTHZ_GENERAL_ERROR git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/authz-dev@354716 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/aaa/mod_auth.h b/modules/aaa/mod_auth.h
index d0c54b084f3..7569fd402b8 100644
--- a/modules/aaa/mod_auth.h
+++ b/modules/aaa/mod_auth.h
@@ -53,7 +53,6 @@ typedef enum {
 typedef enum {
 AUTHZ_DENIED,
- AUTHZ_DECLINED,
 AUTHZ_GRANTED,
 AUTHZ_GENERAL_ERROR
 } authz_status;
@@ -86,7 +85,6 @@ typedef struct {
 * if we can authorize user access.
 */
 authz_status (*check_authorization)(request_rec *r,
- apr_int64_t method_mask,
 const char *require_line);
 } authz_provider;
diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c
index f5f7a0f5678..2973875a6f9 100644
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
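Review bot: In mod_auth.h, deleting `AUTHZ_DECLINED` from the middle of `authz_status` renumbers the remaining enumerators, so the value a provider built against the old header returns for "declined" (1) is now read as `AUTHZ_GRANTED`. The next hunk drops `method_mask` from `check_authorization`, which breaks the same binary compatibility, and neither hunk changes anything that would stop a stale provider from being looked up. Consider giving the enumerators explicit values and bumping the provider version string used at registration (the literal `"0"` in mod_authz_user.c's `register_hooks`). Assuming the core looks providers up by that version, an out-of-date provider would then fail the lookup instead of silently granting access.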
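Review bot: The `check_authorization` member in mod_auth.h still names its second parameter `require_line`, although after this commit the core passes only the arguments that follow the authz type. Renaming it to `const char *require_args`, as mod_authz_user.c already does for `user_check_authorization`, and adding a line to the doc comment such as `@param require_args the Require arguments with the provider type already removed` would tell provider authors not to parse the type word a second time. The struct and its comment start outside the hunk.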
@@ -117,11 +117,18 @@ static const char *add_authz_provider(cmd_parms *cmd, void *config,
 {
 authz_core_dir_conf *conf = (authz_core_dir_conf*)config;
 authz_provider_list *newp;
+ const char *t, *w;
 newp = apr_pcalloc(cmd->pool, sizeof(authz_provider_list));
 /* XXX: Split this out to the name and then the rest of the directive. */
- newp->provider_name = apr_pstrdup(cmd->pool, arg);
- newp->requirement = apr_pstrdup(cmd->pool, arg);
+
+ t = arg;
+ w = ap_getword_white(cmd->pool, &t);
+
+ if (w)
+ newp->provider_name = apr_pstrdup(cmd->pool, w);
+ if (t)
+ newp->requirement = apr_pstrdup(cmd->pool, t);
 newp->method_mask = cmd->limited;
 /* lookup and cache the actual provider now */
@@ -202,9 +209,14 @@ static int authorize_user(request_rec *r)
 current_provider->provider_name);
 }
+ /* check to make sure that the request method requires
+ authorization before calling the provider */
+ if (!(current_provider->method_mask &
+ (AP_METHOD_BIT << r->method_number))) {
+ continue;
+ }
 auth_result = provider->check_authorization(r,
- current_provider->method_mask,
 current_provider->requirement);
 apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
@@ -247,8 +259,7 @@ static int authorize_user(request_rec *r)
 /* If we're returning 403, tell them to try again. */
 if (return_code == HTTP_UNAUTHORIZED) {
- /* XXX: Why is this a basic auth failure? */
- ap_note_basic_auth_failure (r);
+ ap_note_auth_failure (r);
 }
 return return_code;
 }
diff --git a/modules/aaa/mod_authz_user.c b/modules/aaa/mod_authz_user.c
index de8aada83df..9785582baf6 100644
--- a/modules/aaa/mod_authz_user.c
+++ b/modules/aaa/mod_authz_user.c
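Review bot: In add_authz_provider the new `if (w)` and `if (t)` tests look like they can never fail: `ap_getword_white` returns a pool-allocated string (empty when nothing is left) and leaves `t` pointing at the remainder, so a directive with no type stores an empty `provider_name` instead of being rejected. Testing the content, e.g. `if (!w[0]) return "authorization type missing";`, would report the mistake when the configuration is read; an empty `requirement` should stay legal for types that take no arguments. The provider lookup that follows is outside the hunk and may already refuse an empty name. The `apr_pstrdup` of `w` copies a string that is already in `cmd->pool`, and the `XXX: Split this out` comment above the new code is now stale.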
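Review bot: The new `continue` in authorize_user skips the `apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE)` that follows the provider call. The context line `current_provider->provider_name);` just above suggests the note is set before the method test, in which case a skipped provider leaves its name in `r->notes`; moving the method-mask test to the top of the loop body, before the note is set, avoids that. Also worth confirming outside the hunk: with `AUTHZ_DECLINED` gone, a request whose method matches no provider leaves the loop without any provider result, so the initial value of `auth_result` alone decides whether that request is allowed or refused. The loop begins and ends outside the hunk.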
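Review bot: In the last mod_authz_core.c hunk the surviving comment `/* If we're returning 403, tell them to try again. */` sits over a test for `HTTP_UNAUTHORIZED`, which is 401, and the commit removes the only other comment at this spot. Rewording it to `/* On 401, send the challenge for the configured AuthType. */` would state why `ap_note_auth_failure` is called here rather than the Basic-only variant it replaces.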
@@ -118,27 +118,14 @@ static int check_user_access(request_rec *r)
 #endif
 static authz_status user_check_authorization(request_rec *r,
- apr_int64_t method_mask,
- const char *require_line)
+ const char *require_args)
 {
- int m = r->method_number;
 const char *t, *w;
- if (!(method_mask & (AP_METHOD_BIT << m))) {
- return AUTHZ_DECLINED;
- }
-
- t = require_line;
- w = ap_getword_white(r->pool, &t);
- if (!strcasecmp(w, "user")) {
- /* And note that there are applicable requirements
- * which we consider ourselves the owner of.
- */
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- if (!strcmp(r->user, w)) {
- return AUTHZ_GRANTED;
- }
+ t = require_args;
+ while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+ if (!strcmp(r->user, w)) {
+ return AUTHZ_GRANTED;
 }
 }
@@ -151,13 +138,8 @@ static authz_status user_check_authorization(request_rec *r,
 return AUTHZ_DENIED;
 }
-static authz_status validuser_check_authorization(request_rec *r, apr_int64_t method_mask, const char *require_line)
+static authz_status validuser_check_authorization(request_rec *r, const char *require_line)
 {
- int m = r->method_number;
-
- if (!(method_mask & (AP_METHOD_BIT << m))) {
- return AUTHZ_DECLINED;
- }
 return AUTHZ_GRANTED;
 }
@@ -176,8 +158,6 @@ static void register_hooks(apr_pool_t *p)
 &authz_user_provider);
 ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "valid-user", "0",
 &authz_validuser_provider);
-
- /* ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);*/
 }
 module AP_MODULE_DECLARE_DATA authz_user_module =
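Review bot: `user_check_authorization` passes `r->user` to `strcmp` without checking it, and nothing in this hunk establishes that a user has been authenticated by the time the core calls the provider; a NULL `r->user` would crash the child process. Adding `if (!r->user) return AUTHZ_DENIED;` before the loop makes the provider fail closed. The same gap matters more in `validuser_check_authorization` in the next hunk, which now returns `AUTHZ_GRANTED` unconditionally, so `valid-user` would be satisfied with no authenticated user if the core ever reaches it in that state. The tail of `user_check_authorization` is outside the hunk.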