1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * Security options etc.
20 * Module derived from code originally written by Rob McCool
24 #include "apr_strings.h"
25 #include "apr_network_io.h"
26 #define APR_WANT_STRFUNC
27 #define APR_WANT_BYTEFUNC
30 #include "ap_config.h"
32 #include "http_config.h"
33 #include "http_core.h"
35 #include "http_request.h"
36 #include "http_protocol.h"
38 #include "ap_provider.h"
42 #if APR_HAVE_NETINET_IN_H
43 #include <netinet/in.h>
48 - Track down all of the references to r->ap_auth_type
49 and change them to ap_auth_type()
50 - Remove ap_auth_type and ap_auth_name from the
56 ap_expr_info_t *ap_auth_type;
58 ap_expr_info_t *ap_auth_name;
59 } authn_core_dir_conf;
61 typedef struct provider_alias_rec {
64 ap_conf_vector_t *sec_auth;
65 const authn_provider *provider;
68 typedef struct authn_alias_srv_conf {
69 apr_hash_t *alias_rec;
70 } authn_alias_srv_conf;
73 module AP_MODULE_DECLARE_DATA authn_core_module;
75 static void *create_authn_core_dir_config(apr_pool_t *p, char *dummy)
77 authn_core_dir_conf *conf =
78 (authn_core_dir_conf *)apr_pcalloc(p, sizeof(authn_core_dir_conf));
83 static void *merge_authn_core_dir_config(apr_pool_t *a, void *basev, void *newv)
85 authn_core_dir_conf *base = (authn_core_dir_conf *)basev;
86 authn_core_dir_conf *new = (authn_core_dir_conf *)newv;
87 authn_core_dir_conf *conf =
88 (authn_core_dir_conf *)apr_pcalloc(a, sizeof(authn_core_dir_conf));
90 if (new->auth_type_set) {
91 conf->ap_auth_type = new->ap_auth_type;
92 conf->auth_type_set = 1;
95 conf->ap_auth_type = base->ap_auth_type;
96 conf->auth_type_set = base->auth_type_set;
99 if (new->ap_auth_name) {
100 conf->ap_auth_name = new->ap_auth_name;
102 conf->ap_auth_name = base->ap_auth_name;
108 static authn_status authn_alias_check_password(request_rec *r, const char *user,
109 const char *password)
111 /* Look up the provider alias in the alias list */
112 /* Get the dir_config and call ap_Merge_per_dir_configs() */
113 /* Call the real provider->check_password() function */
114 /* return the result of the above function call */
116 const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);
117 authn_status ret = AUTH_USER_NOT_FOUND;
118 authn_alias_srv_conf *authcfg =
119 (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
123 provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
124 provider_name, APR_HASH_KEY_STRING);
125 ap_conf_vector_t *orig_dir_config = r->per_dir_config;
127 /* If we found the alias provider in the list, then merge the directory
128 configurations and call the real provider */
130 r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config,
131 prvdraliasrec->sec_auth);
132 ret = prvdraliasrec->provider->check_password(r,user,password);
133 r->per_dir_config = orig_dir_config;
140 static authn_status authn_alias_get_realm_hash(request_rec *r, const char *user,
141 const char *realm, char **rethash)
143 /* Look up the provider alias in the alias list */
144 /* Get the dir_config and call ap_Merge_per_dir_configs() */
145 /* Call the real provider->get_realm_hash() function */
146 /* return the result of the above function call */
148 const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);
149 authn_status ret = AUTH_USER_NOT_FOUND;
150 authn_alias_srv_conf *authcfg =
151 (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
155 provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
156 provider_name, APR_HASH_KEY_STRING);
157 ap_conf_vector_t *orig_dir_config = r->per_dir_config;
159 /* If we found the alias provider in the list, then merge the directory
160 configurations and call the real provider */
162 r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config,
163 prvdraliasrec->sec_auth);
164 ret = prvdraliasrec->provider->get_realm_hash(r,user,realm,rethash);
165 r->per_dir_config = orig_dir_config;
172 static void *create_authn_alias_svr_config(apr_pool_t *p, server_rec *s)
175 authn_alias_srv_conf *authcfg;
177 authcfg = (authn_alias_srv_conf *) apr_pcalloc(p, sizeof(authn_alias_srv_conf));
178 authcfg->alias_rec = apr_hash_make(p);
180 return (void *) authcfg;
183 /* Only per-server directive we have is GLOBAL_ONLY */
184 static void *merge_authn_alias_svr_config(apr_pool_t *p, void *basev, void *overridesv)
189 static const authn_provider authn_alias_provider =
191 &authn_alias_check_password,
192 &authn_alias_get_realm_hash,
195 static const authn_provider authn_alias_provider_nodigest =
197 &authn_alias_check_password,
201 static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *arg)
203 const char *endp = ap_strrchr_c(arg, '>');
205 char *provider_alias;
207 int old_overrides = cmd->override;
209 const authn_provider *provider = NULL;
210 ap_conf_vector_t *new_auth_config = ap_create_per_dir_config(cmd->pool);
211 authn_alias_srv_conf *authcfg =
212 (authn_alias_srv_conf *)ap_get_module_config(cmd->server->module_config,
215 const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
221 return apr_pstrcat(cmd->pool, cmd->cmd->name,
222 "> directive missing closing '>'", NULL);
225 args = apr_pstrndup(cmd->temp_pool, arg, endp - arg);
228 return apr_pstrcat(cmd->pool, cmd->cmd->name,
229 "> directive requires additional arguments", NULL);
232 /* Pull the real provider name and the alias name from the block header */
233 provider_name = ap_getword_conf(cmd->pool, &args);
234 provider_alias = ap_getword_conf(cmd->pool, &args);
236 if (!provider_name[0] || !provider_alias[0]) {
237 return apr_pstrcat(cmd->pool, cmd->cmd->name,
238 "> directive requires additional arguments", NULL);
241 if (strcasecmp(provider_name, provider_alias) == 0) {
242 return apr_pstrcat(cmd->pool,
243 "The alias provider name must be different from the base provider name.", NULL);
246 /* Look up the alias provider to make sure that it hasn't already been registered. */
247 provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_alias,
248 AUTHN_PROVIDER_VERSION);
250 return apr_pstrcat(cmd->pool, "The alias provider ", provider_alias,
251 " has already be registered previously as either a base provider or an alias provider.",
255 /* walk the subsection configuration to get the per_dir config that we will
256 merge just before the real provider is called. */
257 cmd->override = OR_AUTHCFG | ACCESS_CONF;
258 errmsg = ap_walk_config(cmd->directive->first_child, cmd, new_auth_config);
259 cmd->override = old_overrides;
262 provider_alias_rec *prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(provider_alias_rec));
263 provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_name,
264 AUTHN_PROVIDER_VERSION);
267 /* by the time they use it, the provider should be loaded and
268 registered with us. */
269 return apr_psprintf(cmd->pool,
270 "Unknown Authn provider: %s",
274 /* Save off the new directory config along with the original provider name
275 and function pointer data */
276 prvdraliasrec->sec_auth = new_auth_config;
277 prvdraliasrec->provider_name = provider_name;
278 prvdraliasrec->provider_alias = provider_alias;
279 prvdraliasrec->provider = provider;
280 apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec);
282 /* Register the fake provider so that we get called first */
283 ap_register_auth_provider(cmd->pool, AUTHN_PROVIDER_GROUP,
284 provider_alias, AUTHN_PROVIDER_VERSION,
285 provider->get_realm_hash ?
286 &authn_alias_provider :
287 &authn_alias_provider_nodigest,
288 AP_AUTH_INTERNAL_PER_CONF);
295 * Load an authorisation realm into our location configuration, applying the
296 * usual rules that apply to realms.
298 static const char *set_authname(cmd_parms *cmd, void *mconfig,
301 authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
302 const char *expr_err = NULL;
304 aconfig->ap_auth_name = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT,
307 return apr_pstrcat(cmd->temp_pool,
308 "Cannot parse expression '", word1, "' in AuthName: ",
315 static const char *set_authtype(cmd_parms *cmd, void *mconfig,
318 authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
319 const char *expr_err = NULL;
321 aconfig->ap_auth_type = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT,
324 return apr_pstrcat(cmd->temp_pool,
325 "Cannot parse expression '", word1, "' in AuthType: ",
329 aconfig->auth_type_set = 1;
334 static const char *authn_ap_auth_type(request_rec *r)
336 authn_core_dir_conf *conf;
338 conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config,
341 if (conf->ap_auth_type) {
342 const char *err = NULL, *type;
343 type = ap_expr_str_exec(r, conf->ap_auth_type, &err);
346 APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(02834) "AuthType expression could not be evaluated: %s", err);
350 return ap_casecmpstr(type, "None") ? type : NULL;
356 static const char *authn_ap_auth_name(request_rec *r)
358 authn_core_dir_conf *conf;
359 const char *err = NULL, *name;
361 conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config,
364 if (conf->ap_auth_name) {
365 name = ap_expr_str_exec(r, conf->ap_auth_name, &err);
368 APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(02835) "AuthName expression could not be evaluated: %s", err);
372 return ap_escape_quotes(r->pool, name);
378 static const command_rec authn_cmds[] =
380 AP_INIT_TAKE1("AuthType", set_authtype, NULL, OR_AUTHCFG,
381 "an HTTP authorization type (e.g., \"Basic\")"),
382 AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG,
383 "the authentication realm (e.g. \"Members Only\")"),
384 AP_INIT_RAW_ARGS("<AuthnProviderAlias", authaliassection, NULL, RSRC_CONF,
385 "container for grouping an authentication provider's "
386 "directives under a provider alias"),
390 static int authenticate_no_user(request_rec *r)
392 /* if there isn't an AuthType, then assume that no authentication
393 is required so return OK */
394 if (!ap_auth_type(r)) {
398 /* there's an AuthType configured, but no authentication module
399 * loaded to support it
401 ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01796)
402 "AuthType %s configured without corresponding module",
405 return HTTP_INTERNAL_SERVER_ERROR;
408 static void register_hooks(apr_pool_t *p)
410 APR_REGISTER_OPTIONAL_FN(authn_ap_auth_type);
411 APR_REGISTER_OPTIONAL_FN(authn_ap_auth_name);
413 ap_hook_check_authn(authenticate_no_user, NULL, NULL, APR_HOOK_LAST,
414 AP_AUTH_INTERNAL_PER_CONF);
417 AP_DECLARE_MODULE(authn_core) =
419 STANDARD20_MODULE_STUFF,
420 create_authn_core_dir_config, /* dir config creater */
421 merge_authn_core_dir_config, /* dir merger --- default is to override */
422 create_authn_alias_svr_config, /* server config */
423 merge_authn_alias_svr_config, /* merge server config */
425 register_hooks /* register hooks */
projects / apache / blob