1 /* ====================================================================
2 * Copyright (c) 1995-2000 The Apache Software Foundation. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the Apache Software Foundation
19 * for use in the Apache HTTP server project (http://www.apache.org/)."
21 * 4. The names "Apache Server" and "Apache Software Foundation" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
26 * 5. Products derived from this software may not be called "Apache"
27 * nor may "Apache" appear in their names without prior written
28 * permission of the Apache Software Foundation.
30 * 6. Redistributions of any form whatsoever must retain the following
32 * "This product includes software developed by the Apache Software Foundation
33 * for use in the Apache HTTP server project (http://www.apache.org/)."
35 * THIS SOFTWARE IS PROVIDED BY THE Apache Software Foundation ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE Apache Software Foundation OR
39 * IT'S CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ====================================================================
49 * This software consists of voluntary contributions made by many
50 * individuals on behalf of the Apache Software Foundation and was originally based
51 * on public domain software written at the National Center for
52 * Supercomputing Applications, University of Illinois, Urbana-Champaign.
53 * For more information on the Apache Software Foundation and the Apache HTTP server
54 * project, please see <http://www.apache.org/>.
59 * mod_auth_db: authentication
61 * Original work by Rob McCool & Brian Behlendorf.
63 * Adapted to Apache by rst (mod_auth_dbm)
65 * Adapted for Berkeley DB by Andrew Cohen
67 * mod_auth_db was based on mod_auth_dbm.
69 * Warning, this is not a drop in replacement for mod_auth_dbm,
70 * for people wanting to switch from dbm to Berkeley DB.
71 * It requires the use of AuthDBUserFile and AuthDBGroupFile
72 * instead of AuthDBMUserFile AuthDBMGroupFile
74 * Also, in the configuration file you need to specify
75 * db_auth_module rather than dbm_auth_module
77 * On some BSD systems (e.g. FreeBSD and NetBSD) dbm is automatically
78 * mapped to Berkeley DB. You can use either mod_auth_dbm or
79 * mod_auth_db. The latter makes it more obvious that it's Berkeley.
80 * On other platforms where you want to use the DB library you
81 * usually have to install it first. See http://www.sleepycat.com/
82 * for the distribution. The interface this module uses is the
83 * one from DB version 1.85 and 1.86, but DB version 2.x
84 * can also be used when compatibility mode is enabled.
86 * dirkx - Added Authoritative control to allow passing on to lower
87 * modules if and only if the userid is not known to this
88 * module. A known user with a faulty or absent password still
89 * causes an AuthRequired. The default is 'Authoritative', i.e.
90 * no control is passed along.
93 #include "ap_config.h"
95 #include "http_config.h"
96 #include "http_core.h"
98 #include "http_protocol.h"
103 #if defined(DB_VERSION_MAJOR) && (DB_VERSION_MAJOR == 2)
110 char *auth_dbgrpfile;
111 int auth_dbauthoritative;
112 } db_auth_config_rec;
114 static void *create_db_auth_dir_config(ap_context_t *p, char *d)
116 db_auth_config_rec *sec
117 = (db_auth_config_rec *) ap_pcalloc(p, sizeof(db_auth_config_rec));
118 sec->auth_dbpwfile = NULL;
119 sec->auth_dbgrpfile = NULL;
120 sec->auth_dbauthoritative = 1; /* fortress is secure by default */
124 static const char *set_db_slot(cmd_parms *cmd, void *offset, char *f, char *t)
126 if (!t || strcmp(t, "db"))
129 return ap_set_file_slot(cmd, offset, f);
132 static const command_rec db_auth_cmds[] =
134 {"AuthDBUserFile", ap_set_file_slot,
135 (void *) XtOffsetOf(db_auth_config_rec, auth_dbpwfile),
136 OR_AUTHCFG, TAKE1, NULL},
137 {"AuthDBGroupFile", ap_set_file_slot,
138 (void *) XtOffsetOf(db_auth_config_rec, auth_dbgrpfile),
139 OR_AUTHCFG, TAKE1, NULL},
140 {"AuthUserFile", set_db_slot,
141 (void *) XtOffsetOf(db_auth_config_rec, auth_dbpwfile),
142 OR_AUTHCFG, TAKE12, NULL},
143 {"AuthGroupFile", set_db_slot,
144 (void *) XtOffsetOf(db_auth_config_rec, auth_dbgrpfile),
145 OR_AUTHCFG, TAKE12, NULL},
146 {"AuthDBAuthoritative", ap_set_flag_slot,
147 (void *) XtOffsetOf(db_auth_config_rec, auth_dbauthoritative),
149 "Set to 'no' to allow access control to be passed along to lower modules if the userID is not known to this module"},
153 module db_auth_module;
155 static char *get_db_pw(request_rec *r, char *user, const char *auth_dbpwfile)
161 memset(&d, 0, sizeof(d));
162 memset(&q, 0, sizeof(q));
165 q.size = strlen(q.data);
168 if (db_open(auth_dbpwfile, DB_HASH, DB_RDONLY, 0664, NULL, NULL, &f) != 0) {
170 if (!(f = dbopen(auth_dbpwfile, O_RDONLY, 0664, DB_HASH, NULL))) {
172 ap_log_rerror(APLOG_MARK, APLOG_ERR, errno, r,
173 "could not open db auth file: %s", auth_dbpwfile);
178 if (!((f->get) (f, NULL, &q, &d, 0))) {
180 if (!((f->get) (f, &q, &d, 0))) {
182 pw = ap_palloc(r->pool, d.size + 1);
183 strncpy(pw, d.data, d.size);
184 pw[d.size] = '\0'; /* Terminate the string */
195 /* We do something strange with the group file. If the group file
196 * contains any : we assume the format is
197 * key=username value=":"groupname [":"anything here is ignored]
198 * otherwise we now (0.8.14+) assume that the format is
199 * key=username value=groupname
200 * The first allows the password and group files to be the same
201 * physical DB file; key=username value=password":"groupname[":"anything]
203 * mark@telescope.org, 22Sep95
206 static char *get_db_grp(request_rec *r, char *user, const char *auth_dbgrpfile)
208 char *grp_data = get_db_pw(r, user, auth_dbgrpfile);
212 if (grp_data == NULL)
215 if ((grp_colon = strchr(grp_data, ':')) != NULL) {
216 grp_colon2 = strchr(++grp_colon, ':');
224 static int db_authenticate_basic_user(request_rec *r)
226 db_auth_config_rec *sec =
227 (db_auth_config_rec *) ap_get_module_config(r->per_dir_config,
230 char *real_pw, *colon_pw;
234 if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
237 if (!sec->auth_dbpwfile)
240 if (!(real_pw = get_db_pw(r, r->user, sec->auth_dbpwfile))) {
241 if (!(sec->auth_dbauthoritative))
243 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
244 "DB user %s not found: %s", r->user, r->filename);
245 ap_note_basic_auth_failure(r);
246 return AUTH_REQUIRED;
248 /* Password is up to first : if exists */
249 colon_pw = strchr(real_pw, ':');
253 invalid_pw = ap_validate_password(sent_pw, real_pw);
254 if (invalid_pw != NULL) {
255 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
256 "DB user %s: authentication failure for \"%s\": %s",
257 r->user, r->uri, invalid_pw);
258 ap_note_basic_auth_failure(r);
259 return AUTH_REQUIRED;
266 static int db_check_auth(request_rec *r)
268 db_auth_config_rec *sec =
269 (db_auth_config_rec *) ap_get_module_config(r->per_dir_config,
271 char *user = r->user;
272 int m = r->method_number;
274 const ap_array_header_t *reqs_arr = ap_requires(r);
275 require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
281 if (!sec->auth_dbgrpfile)
286 for (x = 0; x < reqs_arr->nelts; x++) {
288 if (!(reqs[x].method_mask & (1 << m)))
291 t = reqs[x].requirement;
292 w = ap_getword_white(r->pool, &t);
294 if (!strcmp(w, "group") && sec->auth_dbgrpfile) {
295 const char *orig_groups, *groups;
298 if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) {
299 if (!(sec->auth_dbauthoritative))
301 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
302 "user %s not in DB group file %s: %s",
303 user, sec->auth_dbgrpfile, r->filename);
304 ap_note_basic_auth_failure(r);
305 return AUTH_REQUIRED;
307 orig_groups = groups;
309 w = ap_getword_white(r->pool, &t);
310 groups = orig_groups;
312 v = ap_getword(r->pool, &groups, ',');
317 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
318 "user %s not in right group: %s", user, r->filename);
319 ap_note_basic_auth_failure(r);
320 return AUTH_REQUIRED;
328 module db_auth_module =
330 STANDARD_MODULE_STUFF,
331 NULL, /* initializer */
332 create_db_auth_dir_config, /* dir config creater */
333 NULL, /* dir merger --- default is to override */
334 NULL, /* server config */
335 NULL, /* merge server config */
336 db_auth_cmds, /* command ap_table_t */
338 NULL, /* filename translation */
339 db_authenticate_basic_user, /* check_user_id */
340 db_check_auth, /* check auth */
341 NULL, /* check access */
342 NULL, /* type_checker */
345 NULL, /* header parser */
346 NULL, /* child_init */
347 NULL, /* child_exit */
348 NULL /* post read-request */