From: Bradley Nicholes Date: Sat, 31 Dec 2005 01:12:27 +0000 (+0000) Subject: Clean up and remove dead code X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf7ea61646cc2b07a65d5836a3ca0b2f31953823;p=thirdparty%2Fapache%2Fhttpd.git Clean up and remove dead code git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/authz-dev@360213 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/include/http_core.h b/include/http_core.h index b586ba5f90d..19bb1d218cd 100644 --- a/include/http_core.h +++ b/include/http_core.h @@ -294,27 +294,6 @@ AP_DECLARE(const char *) ap_auth_type(request_rec *r); */ AP_DECLARE(const char *) ap_auth_name(request_rec *r); -/** - * How the requires lines must be met. - * @param r The current request - * @return How the requirements must be met. One of: - *
- *      SATISFY_ANY    -- any of the requirements must be met.
- *      SATISFY_ALL    -- all of the requirements must be met.
- *      SATISFY_NOSPEC -- There are no applicable satisfy lines
- * 
- * -AP_DE CLARE(int) ap_satisfies(request_rec *r); -*/ - -/** - * Retrieve information about all of the requires directives for this request - * @param r The current request - * @return An array of all requires directives for this request - * -AP_DE CLARE(const apr_array_header_t *) ap_requires(request_rec *r); -*/ - #ifdef CORE_PRIVATE /** @@ -453,13 +432,6 @@ typedef struct { char *ap_default_type; -// /* Authentication stuff. Groan... */ -// -// int *satisfy; /* for every method one */ -// char *ap_auth_type; /* Deprecated see mod_authn */ -// char *ap_auth_name; /* Deprecated see mod_authn */ -// apr_array_header_t *ap_requires; /* Deprecated see mod_authz */ - /* Custom response config. These can contain text or a URL to redirect to. * if response_code_strings is NULL then there are none in the config, * if it's not null then it's allocated to sizeof(char*)*RESPONSE_CODES. @@ -687,9 +659,6 @@ APR_DECLARE_OPTIONAL_FN(const char *, ap_ident_lookup, * authorization values with mod_authz_host */ -/*APR_DECLARE_OPTIONAL_FN(const apr_array_header_t *, authz_ap_requires, - (request_rec *r)); -*/ APR_DECLARE_OPTIONAL_FN(int, authz_some_auth_required, (request_rec *r)); APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_type, (request_rec *r)); APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_name, (request_rec *r)); diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c index d93a69013b7..b82cee5cfb3 100644 --- a/modules/aaa/mod_auth_basic.c +++ b/modules/aaa/mod_auth_basic.c @@ -195,10 +195,6 @@ static int authenticate_basic_user(request_rec *r) return HTTP_INTERNAL_SERVER_ERROR; } - /*XXX Need to figure out how to remove ap_auth_type from - the request_rec yet still make the data available - on a per-request basis. - */ r->ap_auth_type = (char*)current_auth; res = get_basic_auth(r, &sent_user, &sent_pw); diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index dfd94e83ddf..ca21a618e97 100644 
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -440,381 +440,6 @@ start_over: return AUTH_GRANTED; } -#if 0 -/* - * Authorisation Phase - * ------------------- - * - * After checking whether the username and password are correct, we need - * to check whether that user is authorised to view this resource. The - * require directive is used to do this: - * - * require valid-user Any authenticated is allowed in. - * require user This particular user is allowed in. - * require group The user must be a member of this group - * in order to be allowed in. - * require dn The user must have the following DN in the - * LDAP tree to be let in. - * - */ -static int authz_ldap_check_user_access(request_rec *r) -{ - int result = 0; - authn_ldap_request_t *req = - (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); - authn_ldap_config_t *sec = - (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); - - util_ldap_connection_t *ldc = NULL; - int m = r->method_number; - - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL; - - register int x; - const char *t; - char *w, *value; - int method_restricted = 0; - - char filtbuf[FILTER_LENGTH]; - const char *dn = NULL; - const char **vals = NULL; - -/* - if (!sec->enabled) { - return DECLINED; - } -*/ - - if (!sec->have_ldap_url) { - return DECLINED; - } - - if (sec->host) { - ldc = util_ldap_connection_find(r, sec->host, sec->port, - sec->binddn, sec->bindpw, sec->deref, - sec->secure); - apr_pool_cleanup_register(r->pool, ldc, - authnz_ldap_cleanup_connection_close, - apr_pool_cleanup_null); - } - else { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: no sec->host - weird...?", getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; - } - - /* - * If there are no elements in the group attribute array, the default should be - * member and uniquemember; populate the array now. 
- */ - if (sec->groupattr->nelts == 0) { - struct mod_auth_ldap_groupattr_entry_t *grp; -#if APR_HAS_THREADS - apr_thread_mutex_lock(sec->lock); -#endif - grp = apr_array_push(sec->groupattr); - grp->name = "member"; - grp = apr_array_push(sec->groupattr); - grp->name = "uniquemember"; -#if APR_HAS_THREADS - apr_thread_mutex_unlock(sec->lock); -#endif - } - - if (!reqs_arr) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; - } - - /* - * If we have been authenticated by some other module than mod_auth_ldap, - * the req structure needed for authorization needs to be created - * and populated with the userid and DN of the account in LDAP - */ - - /* Check that we have a userid to start with */ - if ((!r->user) || (strlen(r->user) == 0)) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, - "ldap authorize: Userid is blank, AuthType=%s", - r->ap_auth_type); - } - - if(!req) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "ldap authorize: Creating LDAP req structure"); - - /* Build the username filter */ - authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); - - /* Search for the user DN */ - result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, - sec->scope, sec->attributes, filtbuf, &dn, &vals); - - /* Search failed, log error and return failure */ - if(result != LDAP_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "auth_ldap authorise: User DN not found, %s", ldc->reason); - return sec->auth_authoritative? 
HTTP_UNAUTHORIZED : DECLINED; - } - - req = (authn_ldap_request_t *)apr_pcalloc(r->pool, - sizeof(authn_ldap_request_t)); - ap_set_module_config(r->request_config, &authnz_ldap_module, req); - req->dn = apr_pstrdup(r->pool, dn); - req->user = r->user; - } - - /* Loop through the requirements array until there's no elements - * left, or something causes a return from inside the loop */ - for(x=0; x < reqs_arr->nelts; x++) { - if (! (reqs[x].method_mask & (1 << m))) { - continue; - } - method_restricted = 1; - - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); - - if (strcmp(w, "ldap-user") == 0) { - if (req->dn == NULL || strlen(req->dn) == 0) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require user: user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; - } - /* - * First do a whole-line compare, in case it's something like - * require user Babs Jensen - */ - result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, t); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require user: authorisation successful", getpid()); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require user: " - "authorisation failed [%s][%s]", getpid(), - ldc->reason, ldap_err2string(result)); - } - } - /* - * Now break apart the line and compare each word on it - */ - while (t[0]) { - w = ap_getword_conf(r->pool, &t); - result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require user: authorisation successful", getpid()); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, 
r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require user: authorisation failed [%s][%s]", - getpid(), ldc->reason, ldap_err2string(result)); - } - } - } - } - else if (strcmp(w, "ldap-dn") == 0) { - if (req->dn == NULL || strlen(req->dn) == 0) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require dn: user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; - } - - result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require dn: authorisation successful", getpid()); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require dn \"%s\": LDAP error [%s][%s]", - getpid(), t, ldc->reason, ldap_err2string(result)); - } - } - } - else if (strcmp(w, "ldap-group") == 0) { - struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts; - int i; - - if (sec->group_attrib_is_dn) { - if (req->dn == NULL || strlen(req->dn) == 0) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " - "user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; - } - } - else { - if (req->user == NULL || strlen(req->user) == 0) { - /* We weren't called in the authentication phase, so we didn't have a - * chance to set the user field. Do so now. 
*/ - req->user = r->user; - } - } - - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " - "testing for group membership in \"%s\"", - getpid(), t); - - for (i = 0; i < sec->groupattr->nelts; i++) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " - "testing for %s: %s (%s)", getpid(), - ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t); - - result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, - sec->group_attrib_is_dn ? req->dn : req->user); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " - "authorisation successful (attribute %s) [%s][%s]", - getpid(), ent[i].name, ldc->reason, ldap_err2string(result)); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group \"%s\": " - "authorisation failed [%s][%s]", - getpid(), t, ldc->reason, ldap_err2string(result)); - } - } - } - } - else if (strcmp(w, "ldap-attribute") == 0) { - if (req->dn == NULL || strlen(req->dn) == 0) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-attribute: user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? 
HTTP_UNAUTHORIZED : DECLINED; - } - while (t[0]) { - w = ap_getword(r->pool, &t, '='); - value = ap_getword_conf(r->pool, &t); - - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: checking attribute" - " %s has value %s", getpid(), w, value); - result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, - w, value); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require attribute: authorisation " - "successful", getpid()); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require attribute: authorisation " - "failed [%s][%s]", getpid(), - ldc->reason, ldap_err2string(result)); - } - } - } - } - else if (strcmp(w, "ldap-filter") == 0) { - if (req->dn == NULL || strlen(req->dn) == 0) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-filter: user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? 
HTTP_UNAUTHORIZED : DECLINED; - } - if (t[0]) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: checking filter %s", - getpid(), t); - - /* Build the username filter */ - authn_ldap_build_filter(filtbuf, r, req->user, t, sec); - - /* Search for the user DN */ - result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, - sec->scope, sec->attributes, filtbuf, &dn, &vals); - - /* Make sure that the filtered search returned the correct user dn */ - if (result == LDAP_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: checking dn match %s", - getpid(), dn); - result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn, - sec->compare_dn_on_server); - } - - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-filter: authorisation " - "successful", getpid()); - return OK; - } - case LDAP_FILTER_ERROR: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-filter: %s authorisation " - "failed [%s][%s]", getpid(), - filtbuf, ldc->reason, ldap_err2string(result)); - break; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-filter: authorisation " - "failed [%s][%s]", getpid(), - ldc->reason, ldap_err2string(result)); - } - } - } - } - } - - if (!method_restricted) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: agreeing because non-restricted", - getpid()); - return OK; - } - - if (!sec->auth_authoritative) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid()); - return DECLINED; - } - - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); - 
ap_note_basic_auth_failure (r); - - return HTTP_UNAUTHORIZED; -} -#endif - static authz_status ldapuser_check_authorization(request_rec *r, const char *require_args) { diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c index 7bdf07ad7c0..a9f8cc6445e 100644 --- a/modules/aaa/mod_authz_dbd.c +++ b/modules/aaa/mod_authz_dbd.c @@ -242,66 +242,6 @@ static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, return OK; } -#if 0 -static int authz_dbd_check(request_rec *r) -{ - int i, x, rv; - const char *w; - int m = r->method_number; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; - apr_array_header_t *groups = NULL; - const char *t; - authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, - &authz_dbd_module); - - if (!reqs_arr) { - return DECLINED; - } - - for (x = 0; x < reqs_arr->nelts; x++) { - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; - } - - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); - if (!strcasecmp(w, "dbd-group")) { - if (groups == NULL) { - groups = apr_array_make(r->pool, 4, sizeof(const char*)); - rv = authz_dbd_group_query(r, cfg, groups); - if (rv != OK) { - return rv; - } - } - while (t[0]) { - w = ap_getword_white(r->pool, &t); - for (i=0; i < groups->nelts; ++i) { - if (!strcmp(w, ((const char**)groups->elts)[i])) { - return OK; - } - } - } - } - else if (!strcasecmp(w, "dbd-login")) { - return authz_dbd_login(r, cfg, "login"); - } - else if (!strcasecmp(w, "dbd-logout")) { - return authz_dbd_login(r, cfg, "logout"); - } - } - - if ((groups != NULL) && cfg->authoritative) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "authz_dbd: user %s denied access to %s", - r->user, r->uri); - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; - } - return DECLINED; -} -#endif - static authz_status dbdgroup_check_authorization(request_rec *r, const char *require_args) { 
diff --git a/modules/aaa/mod_authz_dbm.c b/modules/aaa/mod_authz_dbm.c
index 6c067b75182..c3c0aca1379 100644
--- a/modules/aaa/mod_authz_dbm.c
+++ b/modules/aaa/mod_authz_dbm.c
@@ -130,139 +130,6 @@ static apr_status_t get_dbm_grp(request_rec *r, char *key1, char *key2, return retval; } -#if 0 -/* Checking ID */ -static int dbm_check_auth(request_rec *r) -{ - authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config, - &authz_dbm_module); - char *user = r->user; - int m = r->method_number; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; - register int x; - const char *t; - char *w; - int required_group = 0; - const char *filegroup = NULL; - const char *orig_groups = NULL; - char *reason = NULL; - - if (!conf->grpfile) { - return DECLINED; - } - - if (!reqs_arr) { - return DECLINED; - } - - for (x = 0; x < reqs_arr->nelts; x++) { - - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; - } - - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); - - if (!strcasecmp(w, "file-group")) { - filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE); - - if (!filegroup) { - /* mod_authz_owner is not present or not - * authoritative. We are just a helper module for testing - * group membership, so we don't care and decline. - */ - continue; - } - } - - if (!strcasecmp(w, "group") || filegroup) { - const char *realm = ap_auth_name(r); - const char *groups; - char *v; - - /* remember that actually a group is required */ - required_group = 1; - - /* fetch group data from dbm file only once. 
*/ - if (!orig_groups) { - apr_status_t status; - - status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm, - NULL), - user, - conf->grpfile, conf->dbmtype, &groups); - - if (status != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, - "could not open dbm (type %s) group access " - "file: %s", conf->dbmtype, conf->grpfile); - return HTTP_INTERNAL_SERVER_ERROR; - } - - if (groups == NULL) { - /* no groups available, so exit immediately */ - reason = apr_psprintf(r->pool, - "user doesn't appear in DBM group " - "file (%s).", conf->grpfile); - break; - } - - orig_groups = groups; - } - - if (filegroup) { - groups = orig_groups; - while (groups[0]) { - v = ap_getword(r->pool, &groups, ','); - if (!strcmp(v, filegroup)) { - return OK; - } - } - - if (conf->authoritative) { - reason = apr_psprintf(r->pool, - "file group '%s' does not match.", - filegroup); - break; - } - - /* now forget the filegroup, thus alternatively require'd - groups get a real chance */ - filegroup = NULL; - } - else { - while (t[0]) { - w = ap_getword_white(r->pool, &t); - groups = orig_groups; - while (groups[0]) { - v = ap_getword(r->pool, &groups, ','); - if (!strcmp(v, w)) { - return OK; - } - } - } - } - } - } - - /* No applicable "require group" for this method seen */ - if (!required_group || !conf->authoritative) { - return DECLINED; - } - - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Authorization of user %s to access %s failed, reason: %s", - r->user, r->uri, - reason ? reason : "user is not part of the " - "'require'ed group(s)."); - - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; -} -#endif - static authz_status dbmgroup_check_authorization(request_rec *r, const char *require_args) { diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c index 6b886b5a977..72d55efbb69 100644 --- a/modules/aaa/mod_authz_groupfile.c +++ b/modules/aaa/mod_authz_groupfile.c 
@@ -137,128 +137,6 @@ static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile, return APR_SUCCESS; } -#if 0 -/* Checking ID */ - -static int check_user_access(request_rec *r) -{ - authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, - &authz_groupfile_module); - char *user = r->user; - int m = r->method_number; - int required_group = 0; - register int x; - const char *t, *w; - apr_table_t *grpstatus = NULL; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs; - const char *filegroup = NULL; - char *reason = NULL; - - /* If there is no group file - then we are not - * configured. So decline. - */ - if (!(conf->groupfile)) { - return DECLINED; - } - - if (!reqs_arr) { - return DECLINED; /* XXX change from legacy */ - } - - reqs = (require_line *)reqs_arr->elts; - - for (x = 0; x < reqs_arr->nelts; x++) { - - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; - } - - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); - - /* needs mod_authz_owner to be present */ - if (!strcasecmp(w, "file-group")) { - filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE); - - if (!filegroup) { - /* mod_authz_owner is not present or not - * authoritative. We are just a helper module for testing - * group membership, so we don't care and decline. - */ - continue; - } - } - - if (!strcasecmp(w, "group") || filegroup) { - required_group = 1; /* remember the requirement */ - - /* create group table only if actually needed. 
*/ - if (!grpstatus) { - apr_status_t status; - - status = groups_for_user(r->pool, user, conf->groupfile, - &grpstatus); - - if (status != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, - "Could not open group file: %s", - conf->groupfile); - return HTTP_INTERNAL_SERVER_ERROR; - } - - if (apr_table_elts(grpstatus)->nelts == 0) { - /* no groups available, so exit immediately */ - reason = apr_psprintf(r->pool, - "user doesn't appear in group file " - "(%s).", conf->groupfile); - break; - } - } - - if (filegroup) { - if (apr_table_get(grpstatus, filegroup)) { - return OK; - } - - if (conf->authoritative) { - reason = apr_psprintf(r->pool, - "file group '%s' does not match.", - filegroup); - break; - } - - /* now forget the filegroup, thus alternatively require'd - groups get a real chance */ - filegroup = NULL; - } - else { - while (t[0]) { - w = ap_getword_conf(r->pool, &t); - if (apr_table_get(grpstatus, w)) { - return OK; - } - } - } - } - } - - /* No applicable "require group" for this method seen */ - if (!required_group || !conf->authoritative) { - return DECLINED; - } - - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Authorization of user %s to access %s failed, reason: %s", - r->user, r->uri, - reason ? reason : "user is not part of the " - "'require'ed group(s)."); - - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; -} -#endif - static authz_status group_check_authorization(request_rec *r, const char *require_args) { diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c index d428cc9dd5e..89ebc023b68 100644 --- a/modules/aaa/mod_authz_host.c +++ b/modules/aaa/mod_authz_host.c 
@@ -44,36 +44,7 @@ #include #endif -/* -enum allowdeny_type { - T_ENV, - T_ALL, - T_IP, - T_HOST, - T_FAIL -}; - -typedef struct { - apr_int64_t limited; - union { - char *from; - apr_ipsubnet_t *ip; - } x; - enum allowdeny_type type; -} allowdeny; -*/ - -/* things in the 'order' array */ -/* -#define DENY_THEN_ALLOW 0 -#define ALLOW_THEN_DENY 1 -#define MUTUAL_FAILURE 2 -*/ - typedef struct { -/* int order[METHODS]; - apr_array_header_t *allows; - apr_array_header_t *denys; */ int dummy; /* just here to stop compiler warnings for now. */ } authz_host_dir_conf; 
@@ -81,111 +52,14 @@ module AP_MODULE_DECLARE_DATA authz_host_module; static void *create_authz_host_dir_config(apr_pool_t *p, char *dummy) { -/* int i;*/ authz_host_dir_conf *conf = (authz_host_dir_conf *)apr_pcalloc(p, sizeof(authz_host_dir_conf)); -/* - for (i = 0; i < METHODS; ++i) { - conf->order[i] = DENY_THEN_ALLOW; - } - conf->allows = apr_array_make(p, 1, sizeof(allowdeny)); - conf->denys = apr_array_make(p, 1, sizeof(allowdeny)); -*/ - return (void *)conf; } -/* -static const char *order(cmd_parms *cmd, void *dv, const char *arg) -{ - authz_host_dir_conf *d = (authz_host_dir_conf *) dv; - int i, o; - - if (!strcasecmp(arg, "allow,deny")) - o = ALLOW_THEN_DENY; - else if (!strcasecmp(arg, "deny,allow")) - o = DENY_THEN_ALLOW; - else if (!strcasecmp(arg, "mutual-failure")) - o = MUTUAL_FAILURE; - else - return "unknown order"; - - for (i = 0; i < METHODS; ++i) - if (cmd->limited & (AP_METHOD_BIT << i)) - d->order[i] = o; - - return NULL; -} -*/ - -/* -static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from, - const char *where_c) -{ - authz_host_dir_conf *d = (authz_host_dir_conf *) dv; - allowdeny *a; - char *where = apr_pstrdup(cmd->pool, where_c); - char *s; - char msgbuf[120]; - apr_status_t rv; - - if (strcasecmp(from, "from")) - return "allow and deny must be followed by 'from'"; - - a = (allowdeny *) apr_array_push(cmd->info ? 
d->allows : d->denys); - a->x.from = where; - a->limited = cmd->limited; - - if (!strncasecmp(where, "env=", 4)) { - a->type = T_ENV; - a->x.from += 4; - - } - else if (!strcasecmp(where, "all")) { - a->type = T_ALL; - } - else if ((s = ap_strchr(where, '/'))) { - *s++ = '\0'; - rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool); - if(APR_STATUS_IS_EINVAL(rv)) { - /* looked nothing like an IP address * - return "An IP address was expected"; - } - else if (rv != APR_SUCCESS) { - apr_strerror(rv, msgbuf, sizeof msgbuf); - return apr_pstrdup(cmd->pool, msgbuf); - } - a->type = T_IP; - } - else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where, - NULL, cmd->pool))) { - if (rv != APR_SUCCESS) { - apr_strerror(rv, msgbuf, sizeof msgbuf); - return apr_pstrdup(cmd->pool, msgbuf); - } - a->type = T_IP; - } - else { /* no slash, didn't look like an IP address => must be a host * - a->type = T_HOST; - } - - return NULL; -} -*/ - -/*static char its_an_allow;*/ - static const command_rec authz_host_cmds[] = { -/* - AP_INIT_TAKE1("order", order, NULL, OR_LIMIT, - "'allow,deny', 'deny,allow', or 'mutual-failure'"), - AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT, - "'from' followed by hostnames or IP-address wildcards"), - AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT, - "'from' followed by hostnames or IP-address wildcards"), -*/ {NULL} }; 
@@ -216,113 +90,6 @@ static int in_domain(const char *domain, const char *what) } } -/* -static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method) -{ - - allowdeny *ap = (allowdeny *) a->elts; - apr_int64_t mmask = (AP_METHOD_BIT << method); - int i; - int gothost = 0; - const char *remotehost = NULL; - - for (i = 0; i < a->nelts; ++i) { - if (!(mmask & ap[i].limited)) { - continue; - } - - switch (ap[i].type) { - case T_ENV: - if (apr_table_get(r->subprocess_env, ap[i].x.from)) { - return 1; - } - break; - - case T_ALL: - return 1; - - case T_IP: - if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) { - return 1; - } - break; - - case T_HOST: - if (!gothost) { - int remotehost_is_ip; - - remotehost = ap_get_remote_host(r->connection, - r->per_dir_config, - REMOTE_DOUBLE_REV, - &remotehost_is_ip); - - if ((remotehost == NULL) || remotehost_is_ip) { - gothost = 1; - } - else { - gothost = 2; - } - } - - if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) { - return 1; - } - break; - - case T_FAIL: - /* do nothing? 
* - break; - } - } - - return 0; -} - -static int check_dir_access(request_rec *r) -{ - int method = r->method_number; - int ret = OK; - authz_host_dir_conf *a = (authz_host_dir_conf *) - ap_get_module_config(r->per_dir_config, &authz_host_module); - - if (a->order[method] == ALLOW_THEN_DENY) { - ret = HTTP_FORBIDDEN; - if (find_allowdeny(r, a->allows, method)) { - ret = OK; - } - if (find_allowdeny(r, a->denys, method)) { - ret = HTTP_FORBIDDEN; - } - } - else if (a->order[method] == DENY_THEN_ALLOW) { - if (find_allowdeny(r, a->denys, method)) { - ret = HTTP_FORBIDDEN; - } - if (find_allowdeny(r, a->allows, method)) { - ret = OK; - } - } - else { - if (find_allowdeny(r, a->allows, method) - && !find_allowdeny(r, a->denys, method)) { - ret = OK; - } - else { - ret = HTTP_FORBIDDEN; - } - } - - if (ret == HTTP_FORBIDDEN - && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "client denied by server configuration: %s", - r->filename); - } - - return ret; -} -*/ - static authz_status env_check_authorization(request_rec *r, const char *require_line) { const char *t, *w; @@ -485,9 +252,6 @@ static void register_hooks(apr_pool_t *p) &authz_host_provider); ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "all", "0", &authz_all_provider); - - /* This can be access checker since we don't require r->user to be set. */ -/* ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE); */ } module AP_MODULE_DECLARE_DATA authz_host_module = diff --git a/modules/aaa/mod_authz_owner.c b/modules/aaa/mod_authz_owner.c index 2163f351417..1f748003793 100644 --- a/modules/aaa/mod_authz_owner.c +++ b/modules/aaa/mod_authz_owner.c 
@@ -48,178 +48,6 @@ static const command_rec authz_owner_cmds[] = module AP_MODULE_DECLARE_DATA authz_owner_module; -#if 0 -static int check_file_owner(request_rec *r) -{ - authz_owner_config_rec *conf = ap_get_module_config(r->per_dir_config, - &authz_owner_module); - int m = r->method_number; - register int x; - const char *t, *w; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs; - int required_owner = 0; - apr_status_t status = 0; - char *reason = NULL; - - if (!reqs_arr) { - return DECLINED; - } - - reqs = (require_line *)reqs_arr->elts; - for (x = 0; x < reqs_arr->nelts; x++) { - - /* if authoritative = On then break if a require already failed. */ - if (reason && conf->authoritative) { - break; - } - - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; - } - - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); - - if (!strcmp(w, "file-owner")) { -#if !APR_HAS_USER - if ((required_owner & ~1) && conf->authoritative) { - break; - } - - required_owner |= 1; /* remember the requirement */ - reason = "'Require file-owner' is not supported on this platform."; - continue; -#else /* APR_HAS_USER */ - char *owner = NULL; - apr_finfo_t finfo; - - if ((required_owner & ~1) && conf->authoritative) { - break; - } - - required_owner |= 1; /* remember the requirement */ - - if (!r->filename) { - reason = "no filename available"; - continue; - } - - status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool); - if (status != APR_SUCCESS) { - reason = apr_pstrcat(r->pool, "could not stat file ", - r->filename, NULL); - continue; - } - - if (!(finfo.valid & APR_FINFO_USER)) { - reason = "no file owner information available"; - continue; - } - - status = apr_uid_name_get(&owner, finfo.user, r->pool); - if (status != APR_SUCCESS || !owner) { - reason = "could not get name of file owner"; - continue; - } - - if (strcmp(owner, r->user)) { - reason = apr_psprintf(r->pool, "file owner %s does not match.", - owner); - continue; 
- } - - /* this user is authorized */ - return OK; -#endif /* APR_HAS_USER */ - } - - /* file-group only figures out the file's group and lets - * other modules do the actual authorization (against a group file/db). - * Thus, these modules have to hook themselves after - * mod_authz_owner and of course recognize 'file-group', too. - */ - if (!strcmp(w, "file-group")) { -#if !APR_HAS_USER - if ((required_owner & ~6) && conf->authoritative) { - break; - } - - required_owner |= 2; /* remember the requirement */ - reason = "'Require file-group' is not supported on this platform."; - continue; -#else /* APR_HAS_USER */ - char *group = NULL; - apr_finfo_t finfo; - - if ((required_owner & ~6) && conf->authoritative) { - break; - } - - required_owner |= 2; /* remember the requirement */ - - if (!r->filename) { - reason = "no filename available"; - continue; - } - - status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool); - if (status != APR_SUCCESS) { - reason = apr_pstrcat(r->pool, "could not stat file ", - r->filename, NULL); - continue; - } - - if (!(finfo.valid & APR_FINFO_GROUP)) { - reason = "no file group information available"; - continue; - } - - status = apr_gid_name_get(&group, finfo.group, r->pool); - if (status != APR_SUCCESS || !group) { - reason = "could not get name of file group"; - continue; - } - - /* store group name in a note and let others decide... */ - apr_table_setn(r->notes, AUTHZ_GROUP_NOTE, group); - required_owner |= 4; - continue; -#endif /* APR_HAS_USER */ - } - } - - if (!required_owner || !conf->authoritative) { - return DECLINED; - } - - /* allow file-group passed to group db modules either if this is the - * only applicable requirement here or if a file-owner failed but we're - * not authoritative. 
- * This allows configurations like: - * - * AuthzOwnerAuthoritative Off - * require file-owner - * require file-group - * - * with the semantical meaning of "either owner or group must match" - * (inclusive or) - * - * [ 6 == 2 | 4; 7 == 1 | 2 | 4 ] should I use #defines instead? - */ - if (required_owner == 6 || (required_owner == 7 && !conf->authoritative)) { - return DECLINED; - } - - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, - "Authorization of user %s to access %s failed, reason: %s", - r->user, r->uri, reason ? reason : "unknown"); - - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; -} -#endif - static authz_status fileowner_check_authorization(request_rec *r, const char *require_args) { diff --git a/modules/aaa/mod_authz_user.c b/modules/aaa/mod_authz_user.c index 15a930543a3..0292f841bf7 100644 --- a/modules/aaa/mod_authz_user.c +++ b/modules/aaa/mod_authz_user.c 
@@ -45,71 +45,6 @@ static const command_rec authz_user_cmds[] =
 module AP_MODULE_DECLARE_DATA authz_user_module;
-#if 0
-static int check_user_access(request_rec *r)
-{
- authz_user_config_rec *conf = ap_get_module_config(r->per_dir_config,
- &authz_user_module);
- char *user = r->user;
- int m = r->method_number;
- int required_user = 0;
- register int x;
- const char *t, *w;
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs;
-
- /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
- * then any user will do.
- */
- if (!reqs_arr) {
- return DECLINED;
- }
- reqs = (require_line *)reqs_arr->elts;
-
- for (x = 0; x < reqs_arr->nelts; x++) {
-
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
- continue;
- }
-
- t = reqs[x].requirement;
- w = ap_getword_white(r->pool, &t);
- if (!strcasecmp(w, "valid-user")) {
- return OK;
- }
- if (!strcasecmp(w, "user")) {
- /* And note that there are applicable requirements
- * which we consider ourselves the owner of.
- */
- required_user = 1;
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- if (!strcmp(user, w)) {
- return OK;
- }
- }
- }
- }
-
- if (!required_user) {
- /* no applicable requirements */
- return DECLINED;
- }
-
- if (!conf->authoritative) {
- return DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user '%s' does not meet "
- "'require'ments for user/valid-user to be allowed access",
- r->uri, user);
-
- ap_note_auth_failure(r);
- return HTTP_UNAUTHORIZED;
-}
-#endif
-
 static authz_status user_check_authorization(request_rec *r,
 const char *require_args)
 {
diff --git a/server/core.c b/server/core.c
index 10395967a38..b3bd1b45b25 100644
--- a/server/core.c
+++ b/server/core.c
@@ -99,7 +99,6 @@ static char errordocument_default;
 static void *create_core_dir_config(apr_pool_t *a, char *dir)
 {
 core_dir_config *conf;
-/* int i;*/
 conf = (core_dir_config *)apr_pcalloc(a, sizeof(core_dir_config));
@@ -118,12 +117,6 @@ static void *create_core_dir_config(apr_pool_t *a, char *dir)
 conf->use_canonical_phys_port = USE_CANONICAL_PHYS_PORT_UNSET;
 conf->hostname_lookups = HOSTNAME_LOOKUP_UNSET;
-/*
- conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
- for (i = 0; i < METHODS; ++i) {
- conf->satisfy[i] = SATISFY_NOSPEC;
- }
-*/
 #ifdef RLIMIT_CPU
 conf->limit_cpu = NULL;
@@ -348,17 +341,6 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
 /* Otherwise we simply use the base->sec_file array */
- /* use a separate ->satisfy[] array either way */
-/* conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
- for (i = 0; i < METHODS; ++i) {
- if (new->satisfy[i] != SATISFY_NOSPEC) {
- conf->satisfy[i] = new->satisfy[i];
- } else {
- conf->satisfy[i] = base->satisfy[i];
- }
- }
-*/
-
 if (new->server_signature != srv_sig_unset) {
 conf->server_signature = new->server_signature;
 }
@@ -661,18 +643,6 @@ AP_DECLARE(int) ap_allow_overrides(request_rec *r)
 return conf->override;
 }
-/*
-AP_DECLARE(const char *) ap_auth_type(request_rec *r)
-{
- core_dir_config *conf;
-
- conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
- &core_module);
-
- return conf->ap_auth_type;
-}
-*/
-
 /*
 * Optional function coming from mod_ident, used for looking up ident user
 */
@@ -686,18 +656,6 @@ AP_DECLARE(const char *) ap_auth_type(request_rec *r)
 return NULL;
 }
-/*
-AP_DECLARE(const char *) ap_auth_name(request_rec *r)
-{
- core_dir_config *conf;
-
- conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
- &core_module);
-
- return conf->ap_auth_name;
-}
-*/
-
 /*
 * Optional function coming from mod_ident, used for looking up ident user
 */
@@ -733,32 +691,6 @@ AP_DECLARE(const char *) ap_document_root(request_rec *r) /* Don't use this! */
 return conf->ap_document_root;
 }
-/*
- * Optional function coming from mod_ident, used for looking up ident user
- *
-static APR_OPTIONAL_FN_TYPE(authz_ap_requires) *authz_ap_requires;
-
-AP_DECLARE(const apr_array_header_t *) ap_requires(request_rec *r)
-{
- if (authz_ap_requires) {
- return authz_ap_requires(r);
- }
- return NULL;
-}
-*/
-
-/*
-AP_DECLARE(int) ap_satisfies(request_rec *r)
-{
- core_dir_config *conf;
-
- conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
- &core_module);
-
- return conf->satisfy[r->method_number];
-}
-*/
-
 /* Should probably just get rid of this... the only code that cares is
 * part of the core anyway (and in fact, it isn't publicised to other
 * modules).
@@ -1686,32 +1618,6 @@ static const char *set_enable_sendfile(cmd_parms *cmd, void *d_,
 return NULL;
 }
-/*
-static const char *satisfy(cmd_parms *cmd, void *c_, const char *arg)
-{
- core_dir_config *c = c_;
- int satisfy = SATISFY_NOSPEC;
- int i;
-
- if (!strcasecmp(arg, "all")) {
- satisfy = SATISFY_ALL;
- }
- else if (!strcasecmp(arg, "any")) {
- satisfy = SATISFY_ANY;
- }
- else {
- return "Satisfy either 'any' or 'all'.";
- }
-
- for (i = 0; i < METHODS; ++i) {
- if (cmd->limited & (AP_METHOD_BIT << i)) {
- c->satisfy[i] = satisfy;
- }
- }
-
- return NULL;
-}
-*/
 /*
 * Report a missing-'>' syntax error.
@@ -3227,10 +3133,6 @@ AP_INIT_RAW_ARGS("proxyreq && r->parsed_uri.scheme