1 /* ====================================================================
2 * The Apache Software License, Version 1.1
4 * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * 3. The end-user documentation included with the redistribution,
20 * if any, must include the following acknowledgment:
21 * "This product includes software developed by the
22 * Apache Software Foundation (http://www.apache.org/)."
23 * Alternately, this acknowledgment may appear in the software itself,
24 * if and wherever such third-party acknowledgments normally appear.
26 * 4. The names "Apache" and "Apache Software Foundation" must
27 * not be used to endorse or promote products derived from this
28 * software without prior written permission. For written
29 * permission, please contact apache@apache.org.
31 * 5. Products derived from this software may not be called "Apache",
32 * nor may "Apache" appear in their name, without prior written
33 * permission of the Apache Software Foundation.
35 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
36 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
37 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
38 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
41 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
42 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
43 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
44 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
45 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
47 * ====================================================================
49 * This software consists of voluntary contributions made by many
50 * individuals on behalf of the Apache Software Foundation. For more
51 * information on the Apache Software Foundation, please see
52 * <http://www.apache.org/>.
54 * Portions of this software are based upon public domain software
55 * originally written at the National Center for Supercomputing Applications,
56 * University of Illinois, Urbana-Champaign.
60 * http_auth: authentication
62 * Rob McCool & Brian Behlendorf.
64 * Adapted to Apache by rst.
66 * dirkx - Added Authoritative control to allow passing on to lower
67 * modules if and only if the userid is not known to this
68 * module. A known user with a faulty or absent password still
69 * causes an AuthRequired. The default is 'Authoritative', i.e.
70 * no control is passed along.
75 #define APR_WANT_STRFUNC
77 #include "apr_strings.h"
79 #if defined(AP_AUTH_DBM_USE_APR)
82 #define datum apr_datum_t
84 #define dbm_close apr_dbm_close
90 #include "http_config.h"
91 #include "http_core.h"
93 #include "http_protocol.h"
94 #include "http_request.h" /* for ap_hook_(check_user_id | auth_checker)*/
99 char *auth_dbmgrpfile;
101 int auth_dbmauthoritative;
102 } dbm_auth_config_rec;
104 static void *create_dbm_auth_dir_config(apr_pool_t *p, char *d)
106 dbm_auth_config_rec *conf = apr_palloc(p, sizeof(*conf));
108 conf->auth_dbmpwfile = NULL;
109 conf->auth_dbmgrpfile = NULL;
110 conf->auth_dbmtype = "default";
111 conf->auth_dbmauthoritative = 1; /* fortress is secure by default */
116 static const char *set_dbm_slot(cmd_parms *cmd, void *offset,
117 const char *f, const char *t)
119 if (!t || strcmp(t, "dbm"))
122 return ap_set_file_slot(cmd, offset, f);
125 static const char *set_dbm_type(cmd_parms *cmd,
129 dbm_auth_config_rec *conf = dir_config;
131 conf->auth_dbmtype = apr_pstrdup(cmd->pool, arg);
135 static const command_rec dbm_auth_cmds[] =
137 AP_INIT_TAKE1("AuthDBMUserFile", ap_set_file_slot,
138 (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmpwfile),
139 OR_AUTHCFG, "dbm database file containing user IDs and passwords"),
140 AP_INIT_TAKE1("AuthDBMGroupFile", ap_set_file_slot,
141 (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmgrpfile),
142 OR_AUTHCFG, "dbm database file containing group names and member user IDs"),
143 AP_INIT_TAKE12("AuthUserFile", set_dbm_slot,
144 (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmpwfile),
146 AP_INIT_TAKE12("AuthGroupFile", set_dbm_slot,
147 (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmgrpfile),
149 AP_INIT_TAKE1("AuthDBMType", set_dbm_type,
151 OR_AUTHCFG, "what type of DBM file the user file is"),
152 AP_INIT_FLAG("AuthDBMAuthoritative", ap_set_flag_slot,
153 (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmauthoritative),
154 OR_AUTHCFG, "Set to 'no' to allow access control to be passed along to lower modules, if the UserID is not known in this module"),
158 module AP_MODULE_DECLARE_DATA auth_dbm_module;
160 static char *get_dbm_pw(request_rec *r,
162 char *auth_dbmpwfile,
168 #ifdef AP_AUTH_DBM_USE_APR
172 #ifndef NETSCAPE_DBM_COMPAT
173 q.dsize = strlen(q.dptr);
175 q.dsize = strlen(q.dptr) + 1;
178 #ifdef AP_AUTH_DBM_USE_APR
179 retval = apr_dbm_open_ex(&f, dbtype, auth_dbmpwfile, APR_DBM_READONLY,
180 APR_OS_DEFAULT, r->pool);
181 if (retval != APR_SUCCESS) {
182 ap_log_rerror(APLOG_MARK, APLOG_ERR, retval, r,
183 "could not open dbm (type %s) auth file: %s", dbtype,
187 if (apr_dbm_fetch(f, q, &d) == APR_SUCCESS)
188 /* sorry for the obscurity ... falls through to the
189 * if (d.dptr) { block ...
193 if (!(f = dbm_open(auth_dbmpwfile, O_RDONLY, 0664))) {
194 ap_log_rerror(APLOG_MARK, APLOG_ERR, errno, r,
195 "could not open dbm auth file: %s", auth_dbmpwfile);
203 pw = apr_palloc(r->pool, d.dsize + 1);
204 strncpy(pw, d.dptr, d.dsize);
205 pw[d.dsize] = '\0'; /* Terminate the string */
212 /* We do something strange with the group file. If the group file
213 * contains any : we assume the format is
214 * key=username value=":"groupname [":"anything here is ignored]
215 * otherwise we now (0.8.14+) assume that the format is
216 * key=username value=groupname
217 * The first allows the password and group files to be the same
218 * physical DBM file; key=username value=password":"groupname[":"anything]
220 * mark@telescope.org, 22Sep95
223 static char *get_dbm_grp(request_rec *r, char *user, char *auth_dbmgrpfile,
226 char *grp_data = get_dbm_pw(r, user, auth_dbmgrpfile,dbtype);
230 if (grp_data == NULL)
233 if ((grp_colon = strchr(grp_data, ':')) != NULL) {
234 grp_colon2 = strchr(++grp_colon, ':');
242 static int dbm_authenticate_basic_user(request_rec *r)
244 dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
247 char *real_pw, *colon_pw;
248 apr_status_t invalid_pw;
251 if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
254 if (!conf->auth_dbmpwfile)
257 if (!(real_pw = get_dbm_pw(r, r->user, conf->auth_dbmpwfile,
258 conf->auth_dbmtype))) {
259 if (!(conf->auth_dbmauthoritative))
261 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
262 "DBM user %s not found: %s", r->user, r->filename);
263 ap_note_basic_auth_failure(r);
264 return HTTP_UNAUTHORIZED;
266 /* Password is up to first : if exists */
267 colon_pw = strchr(real_pw, ':');
271 invalid_pw = apr_password_validate(sent_pw, real_pw);
272 if (invalid_pw != APR_SUCCESS) {
273 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
274 "DBM user %s: authentication failure for \"%s\": "
277 ap_note_basic_auth_failure(r);
278 return HTTP_UNAUTHORIZED;
285 static int dbm_check_auth(request_rec *r)
287 dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
289 char *user = r->user;
290 int m = r->method_number;
292 const apr_array_header_t *reqs_arr = ap_requires(r);
293 require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
299 if (!conf->auth_dbmgrpfile)
304 for (x = 0; x < reqs_arr->nelts; x++) {
306 if (!(reqs[x].method_mask & (AP_METHOD_BIT << m)))
309 t = reqs[x].requirement;
310 w = ap_getword_white(r->pool, &t);
312 if (!strcmp(w, "group") && conf->auth_dbmgrpfile) {
313 const char *orig_groups, *groups;
316 if (!(groups = get_dbm_grp(r, user, conf->auth_dbmgrpfile,
317 conf->auth_dbmtype))) {
318 if (!(conf->auth_dbmauthoritative))
320 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
321 "user %s not in DBM group file %s: %s",
322 user, conf->auth_dbmgrpfile, r->filename);
323 ap_note_basic_auth_failure(r);
324 return HTTP_UNAUTHORIZED;
326 orig_groups = groups;
328 w = ap_getword_white(r->pool, &t);
329 groups = orig_groups;
331 v = ap_getword(r->pool, &groups, ',');
336 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
337 "user %s not in right group: %s",
339 ap_note_basic_auth_failure(r);
340 return HTTP_UNAUTHORIZED;
347 static void register_hooks(apr_pool_t *p)
349 ap_hook_check_user_id(dbm_authenticate_basic_user, NULL, NULL,
351 ap_hook_auth_checker(dbm_check_auth, NULL, NULL, APR_HOOK_MIDDLE);
354 module AP_MODULE_DECLARE_DATA auth_dbm_module =
356 STANDARD20_MODULE_STUFF,
357 create_dbm_auth_dir_config, /* dir config creater */
358 NULL, /* dir merger --- default is to override */
359 NULL, /* server config */
360 NULL, /* merge server config */
361 dbm_auth_cmds, /* command apr_table_t */
362 register_hooks /* register hooks */