1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * Security options etc.
20 * Module derived from code originally written by Rob McCool
24 #include "apr_strings.h"
25 #include "apr_network_io.h"
28 #define APR_WANT_STRFUNC
29 #define APR_WANT_BYTEFUNC
32 #include "ap_config.h"
34 #include "http_config.h"
35 #include "http_core.h"
37 #include "http_request.h"
38 #include "http_protocol.h"
39 #include "ap_provider.h"
44 #if APR_HAVE_NETINET_IN_H
45 #include <netinet/in.h>
48 #undef AUTHZ_EXTRA_CONFIGS
50 typedef struct provider_alias_rec {
54 const void *provider_parsed_args;
55 ap_conf_vector_t *sec_auth;
56 const authz_provider *provider;
66 typedef struct authz_section_conf authz_section_conf;
68 struct authz_section_conf {
69 const char *provider_name;
70 const char *provider_args;
71 const void *provider_parsed_args;
72 const authz_provider *provider;
76 /** true if this is not a real container but produced by AuthMerging;
77 * only used for logging */
79 authz_section_conf *first;
80 authz_section_conf *next;
83 typedef struct authz_core_dir_conf authz_core_dir_conf;
85 struct authz_core_dir_conf {
86 authz_section_conf *section;
87 authz_core_dir_conf *next;
89 signed char authz_forbidden_on_fail;
94 typedef struct authz_core_srv_conf {
95 apr_hash_t *alias_rec;
96 } authz_core_srv_conf;
98 module AP_MODULE_DECLARE_DATA authz_core_module;
100 static authz_core_dir_conf *authz_core_first_dir_conf;
102 static void *create_authz_core_dir_config(apr_pool_t *p, char *dummy)
104 authz_core_dir_conf *conf = apr_pcalloc(p, sizeof(*conf));
106 conf->op = AUTHZ_LOGIC_UNSET;
107 conf->authz_forbidden_on_fail = UNSET;
109 conf->next = authz_core_first_dir_conf;
110 authz_core_first_dir_conf = conf;
115 static void *merge_authz_core_dir_config(apr_pool_t *p,
116 void *basev, void *newv)
118 authz_core_dir_conf *base = (authz_core_dir_conf *)basev;
119 authz_core_dir_conf *new = (authz_core_dir_conf *)newv;
120 authz_core_dir_conf *conf;
122 if (new->op == AUTHZ_LOGIC_UNSET && !new->section && base->section ) {
123 /* Only authz_forbidden_on_fail has been set in new. Don't treat
124 * it as a new auth config w.r.t. AuthMerging */
125 conf = apr_pmemdup(p, base, sizeof(*base));
127 else if (new->op == AUTHZ_LOGIC_OFF || new->op == AUTHZ_LOGIC_UNSET ||
128 !(base->section || new->section)) {
129 conf = apr_pmemdup(p, new, sizeof(*new));
132 authz_section_conf *section;
136 section = apr_pcalloc(p, sizeof(*section));
139 base->section->limited | new->section->limited;
141 section->op = new->op;
142 section->is_merged = 1;
144 section->first = apr_pmemdup(p, base->section,
145 sizeof(*base->section));
146 section->first->next = apr_pmemdup(p, new->section,
147 sizeof(*new->section));
149 section = apr_pmemdup(p, base->section,
150 sizeof(*base->section));
154 section = apr_pmemdup(p, new->section, sizeof(*new->section));
157 conf = apr_pcalloc(p, sizeof(*conf));
159 conf->section = section;
163 if (new->authz_forbidden_on_fail == UNSET)
164 conf->authz_forbidden_on_fail = base->authz_forbidden_on_fail;
166 conf->authz_forbidden_on_fail = new->authz_forbidden_on_fail;
171 static void *create_authz_core_svr_config(apr_pool_t *p, server_rec *s)
173 authz_core_srv_conf *authcfg;
175 authcfg = apr_pcalloc(p, sizeof(*authcfg));
176 authcfg->alias_rec = apr_hash_make(p);
178 return (void *)authcfg;
181 /* This is a fake authz provider that really merges various authz alias
182 * configurations and then invokes them.
184 static authz_status authz_alias_check_authorization(request_rec *r,
185 const char *require_args,
186 const void *parsed_require_args)
188 const char *provider_name;
189 authz_status ret = AUTHZ_DENIED;
191 /* Look up the provider alias in the alias list.
192 * Get the the dir_config and call ap_Merge_per_dir_configs()
193 * Call the real provider->check_authorization() function
194 * return the result of the above function call
197 provider_name = apr_table_get(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
200 authz_core_srv_conf *authcfg;
201 provider_alias_rec *prvdraliasrec;
203 authcfg = ap_get_module_config(r->server->module_config,
206 prvdraliasrec = apr_hash_get(authcfg->alias_rec, provider_name,
207 APR_HASH_KEY_STRING);
209 /* If we found the alias provider in the list, then merge the directory
210 configurations and call the real provider */
212 ap_conf_vector_t *orig_dir_config = r->per_dir_config;
215 ap_merge_per_dir_configs(r->pool, orig_dir_config,
216 prvdraliasrec->sec_auth);
218 ret = prvdraliasrec->provider->
219 check_authorization(r, prvdraliasrec->provider_args,
220 prvdraliasrec->provider_parsed_args);
222 r->per_dir_config = orig_dir_config;
225 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02305)
226 "no alias provider found for '%s' (BUG?)",
231 ap_assert(provider_name != NULL);
237 static const authz_provider authz_alias_provider =
239 &authz_alias_check_authorization,
243 static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
246 const char *endp = ap_strrchr_c(args, '>');
248 char *provider_alias;
250 ap_conf_vector_t *new_authz_config;
251 int old_overrides = cmd->override;
254 const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
260 return apr_pstrcat(cmd->pool, cmd->cmd->name,
261 "> directive missing closing '>'", NULL);
264 args = apr_pstrndup(cmd->temp_pool, args, endp - args);
267 return apr_pstrcat(cmd->pool, cmd->cmd->name,
268 "> directive requires additional arguments", NULL);
271 /* Pull the real provider name and the alias name from the block header */
272 provider_name = ap_getword_conf(cmd->pool, &args);
273 provider_alias = ap_getword_conf(cmd->pool, &args);
274 provider_args = ap_getword_conf(cmd->pool, &args);
276 if (!provider_name[0] || !provider_alias[0]) {
277 return apr_pstrcat(cmd->pool, cmd->cmd->name,
278 "> directive requires additional arguments", NULL);
281 new_authz_config = ap_create_per_dir_config(cmd->pool);
283 /* Walk the subsection configuration to get the per_dir config that we will
284 * merge just before the real provider is called.
286 cmd->override = OR_AUTHCFG | ACCESS_CONF;
287 errmsg = ap_walk_config(cmd->directive->first_child, cmd,
289 cmd->override = old_overrides;
292 provider_alias_rec *prvdraliasrec;
293 authz_core_srv_conf *authcfg;
295 prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(*prvdraliasrec));
297 /* Save off the new directory config along with the original
298 * provider name and function pointer data
300 prvdraliasrec->provider_name = provider_name;
301 prvdraliasrec->provider_alias = provider_alias;
302 prvdraliasrec->provider_args = provider_args;
303 prvdraliasrec->sec_auth = new_authz_config;
304 prvdraliasrec->provider =
305 ap_lookup_provider(AUTHZ_PROVIDER_GROUP, provider_name,
306 AUTHZ_PROVIDER_VERSION);
308 /* by the time the config file is used, the provider should be loaded
309 * and registered with us.
311 if (!prvdraliasrec->provider) {
312 return apr_psprintf(cmd->pool,
313 "Unknown Authz provider: %s",
316 if (prvdraliasrec->provider->parse_require_line) {
317 err = prvdraliasrec->provider->parse_require_line(cmd,
318 provider_args, &prvdraliasrec->provider_parsed_args);
320 return apr_psprintf(cmd->pool,
321 "Can't parse 'Require %s %s': %s",
322 provider_name, provider_args, err);
325 authcfg = ap_get_module_config(cmd->server->module_config,
328 apr_hash_set(authcfg->alias_rec, provider_alias,
329 APR_HASH_KEY_STRING, prvdraliasrec);
331 /* Register the fake provider so that we get called first */
332 ap_register_auth_provider(cmd->pool, AUTHZ_PROVIDER_GROUP,
333 provider_alias, AUTHZ_PROVIDER_VERSION,
334 &authz_alias_provider,
335 AP_AUTH_INTERNAL_PER_CONF);
341 static const char* format_authz_result(authz_status result)
343 return ((result == AUTHZ_DENIED)
345 : ((result == AUTHZ_GRANTED)
347 : ((result == AUTHZ_DENIED_NO_USER)
348 ? "denied (no authenticated user yet)"
352 static const char* format_authz_command(apr_pool_t *p,
353 authz_section_conf *section)
355 return (section->provider
356 ? apr_pstrcat(p, "Require ", (section->negate ? "not " : ""),
357 section->provider_name, " ",
358 section->provider_args, NULL)
359 : apr_pstrcat(p, section->is_merged ? "AuthMerging " : "<Require",
360 ((section->op == AUTHZ_LOGIC_AND)
361 ? (section->negate ? "NotAll" : "All")
362 : (section->negate ? "None" : "Any")),
363 section->is_merged ? "" : ">", NULL));
366 static authz_section_conf* create_default_section(apr_pool_t *p)
368 authz_section_conf *section = apr_pcalloc(p, sizeof(*section));
370 section->op = AUTHZ_LOGIC_OR;
375 static const char *add_authz_provider(cmd_parms *cmd, void *config,
378 authz_core_dir_conf *conf = (authz_core_dir_conf*)config;
379 authz_section_conf *section = apr_pcalloc(cmd->pool, sizeof(*section));
380 authz_section_conf *child;
382 section->provider_name = ap_getword_conf(cmd->pool, &args);
384 if (!strcasecmp(section->provider_name, "not")) {
385 section->provider_name = ap_getword_conf(cmd->pool, &args);
389 section->provider_args = args;
391 /* lookup and cache the actual provider now */
392 section->provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP,
393 section->provider_name,
394 AUTHZ_PROVIDER_VERSION);
396 /* by the time the config file is used, the provider should be loaded
397 * and registered with us.
399 if (!section->provider) {
400 return apr_psprintf(cmd->pool,
401 "Unknown Authz provider: %s",
402 section->provider_name);
405 /* if the provider doesn't provide the appropriate function, reject it */
406 if (!section->provider->check_authorization) {
407 return apr_psprintf(cmd->pool,
408 "The '%s' Authz provider is not supported by any "
409 "of the loaded authorization modules",
410 section->provider_name);
413 section->limited = cmd->limited;
415 if (section->provider->parse_require_line) {
417 apr_pool_userdata_setn(section->provider_name,
418 AUTHZ_PROVIDER_NAME_NOTE,
419 apr_pool_cleanup_null,
421 err = section->provider->parse_require_line(cmd, args,
422 §ion->provider_parsed_args);
428 if (!conf->section) {
429 conf->section = create_default_section(cmd->pool);
432 if (section->negate && conf->section->op == AUTHZ_LOGIC_OR) {
433 return apr_psprintf(cmd->pool, "negative %s directive has no effect "
436 format_authz_command(cmd->pool, conf->section));
439 conf->section->limited |= section->limited;
441 child = conf->section->first;
444 while (child->next) {
448 child->next = section;
451 conf->section->first = section;
457 static const char *add_authz_section(cmd_parms *cmd, void *mconfig,
460 authz_core_dir_conf *conf = mconfig;
461 const char *endp = ap_strrchr_c(args, '>');
462 authz_section_conf *old_section = conf->section;
463 authz_section_conf *section;
464 int old_overrides = cmd->override;
465 apr_int64_t old_limited = cmd->limited;
469 return apr_pstrcat(cmd->pool, cmd->cmd->name,
470 "> directive missing closing '>'", NULL);
473 args = apr_pstrndup(cmd->temp_pool, args, endp - args);
476 return apr_pstrcat(cmd->pool, cmd->cmd->name,
477 "> directive doesn't take additional arguments",
481 section = apr_pcalloc(cmd->pool, sizeof(*section));
483 if (!strcasecmp(cmd->cmd->name, "<RequireAll")) {
484 section->op = AUTHZ_LOGIC_AND;
486 else if (!strcasecmp(cmd->cmd->name, "<RequireAny")) {
487 section->op = AUTHZ_LOGIC_OR;
489 else if (!strcasecmp(cmd->cmd->name, "<RequireNotAll")) {
490 section->op = AUTHZ_LOGIC_AND;
494 section->op = AUTHZ_LOGIC_OR;
498 conf->section = section;
500 /* trigger NOT_IN_LIMIT errors as if this were a <Limit> directive */
501 cmd->limited &= ~(AP_METHOD_BIT << (METHODS - 1));
503 cmd->override = OR_AUTHCFG;
504 errmsg = ap_walk_config(cmd->directive->first_child, cmd, cmd->context);
505 cmd->override = old_overrides;
507 cmd->limited = old_limited;
509 conf->section = old_section;
515 if (section->first) {
516 authz_section_conf *child;
519 old_section = conf->section = create_default_section(cmd->pool);
522 if (section->negate && old_section->op == AUTHZ_LOGIC_OR) {
523 return apr_psprintf(cmd->pool, "%s directive has "
524 "no effect in %s directive",
525 format_authz_command(cmd->pool, section),
526 format_authz_command(cmd->pool, old_section));
529 old_section->limited |= section->limited;
531 if (!section->negate && section->op == old_section->op) {
533 section = section->first;
536 child = old_section->first;
539 while (child->next) {
543 child->next = section;
546 old_section->first = section;
550 return apr_pstrcat(cmd->pool,
551 format_authz_command(cmd->pool, section),
552 " directive contains no authorization directives",
559 static const char *authz_merge_sections(cmd_parms *cmd, void *mconfig,
562 authz_core_dir_conf *conf = mconfig;
564 if (!strcasecmp(arg, "Off")) {
565 conf->op = AUTHZ_LOGIC_OFF;
567 else if (!strcasecmp(arg, "And")) {
568 conf->op = AUTHZ_LOGIC_AND;
570 else if (!strcasecmp(arg, "Or")) {
571 conf->op = AUTHZ_LOGIC_OR;
574 return apr_pstrcat(cmd->pool, cmd->cmd->name, " must be one of: "
575 "Off | And | Or", NULL);
581 static int authz_core_check_section(apr_pool_t *p, server_rec *s,
582 authz_section_conf *section, int is_conf)
584 authz_section_conf *prev = NULL;
585 authz_section_conf *child = section->first;
590 if (authz_core_check_section(p, s, child, 0) != OK) {
594 if (child->negate && child->op != section->op) {
595 authz_section_conf *next = child->next;
597 /* avoid one level of recursion when De Morgan permits */
598 child = child->first;
604 section->first = child;
608 child->negate = !child->negate;
609 } while (child->next && (child = child->next));
619 child = section->first;
622 if (!child->negate) {
631 ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, APR_SUCCESS, s, APLOGNO(01624)
632 "%s directive contains only negative authorization directives",
633 is_conf ? "<Directory>, <Location>, or similar"
634 : format_authz_command(p, section));
640 static int authz_core_pre_config(apr_pool_t *p, apr_pool_t *plog,
643 authz_core_first_dir_conf = NULL;
648 static int authz_core_check_config(apr_pool_t *p, apr_pool_t *plog,
649 apr_pool_t *ptemp, server_rec *s)
651 authz_core_dir_conf *conf = authz_core_first_dir_conf;
655 if (authz_core_check_section(p, s, conf->section, 1) != OK) {
666 static const command_rec authz_cmds[] =
668 AP_INIT_RAW_ARGS("<AuthzProviderAlias", authz_require_alias_section,
670 "container for grouping an authorization provider's "
671 "directives under a provider alias"),
672 AP_INIT_RAW_ARGS("Require", add_authz_provider, NULL, OR_AUTHCFG,
673 "specifies authorization directives "
674 "which one must pass (or not) for a request to suceeed"),
675 AP_INIT_RAW_ARGS("<RequireAll", add_authz_section, NULL, OR_AUTHCFG,
676 "container for grouping authorization directives "
677 "of which none must fail and at least one must pass "
678 "for a request to succeed"),
679 AP_INIT_RAW_ARGS("<RequireAny", add_authz_section, NULL, OR_AUTHCFG,
680 "container for grouping authorization directives "
681 "of which one must pass "
682 "for a request to succeed"),
683 #ifdef AUTHZ_EXTRA_CONFIGS
684 AP_INIT_RAW_ARGS("<RequireNotAll", add_authz_section, NULL, OR_AUTHCFG,
685 "container for grouping authorization directives "
686 "of which some must fail or none must pass "
687 "for a request to succeed"),
689 AP_INIT_RAW_ARGS("<RequireNone", add_authz_section, NULL, OR_AUTHCFG,
690 "container for grouping authorization directives "
691 "of which none must pass "
692 "for a request to succeed"),
693 AP_INIT_TAKE1("AuthMerging", authz_merge_sections, NULL, OR_AUTHCFG,
694 "controls how a <Directory>, <Location>, or similar "
695 "directive's authorization directives are combined with "
696 "those of its predecessor"),
697 AP_INIT_FLAG("AuthzSendForbiddenOnFailure", ap_set_flag_slot_char,
698 (void *)APR_OFFSETOF(authz_core_dir_conf, authz_forbidden_on_fail),
700 "Controls if an authorization failure should result in a "
701 "'403 FORBIDDEN' response instead of the HTTP-conforming "
702 "'401 UNAUTHORIZED'"),
706 static authz_status apply_authz_sections(request_rec *r,
707 authz_section_conf *section,
708 authz_logic_op parent_op)
710 authz_status auth_result;
712 /* check to make sure that the request method requires authorization */
713 if (!(section->limited & (AP_METHOD_BIT << r->method_number))) {
715 (parent_op == AUTHZ_LOGIC_AND) ? AUTHZ_GRANTED : AUTHZ_NEUTRAL;
717 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO(01625)
718 "authorization result of %s: %s "
719 "(directive limited to other methods)",
720 format_authz_command(r->pool, section),
721 format_authz_result(auth_result));
726 if (section->provider) {
727 apr_table_setn(r->notes, AUTHZ_PROVIDER_NAME_NOTE,
728 section->provider_name);
731 section->provider->check_authorization(r, section->provider_args,
732 section->provider_parsed_args);
734 apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
737 authz_section_conf *child = section->first;
739 auth_result = AUTHZ_NEUTRAL;
742 authz_status child_result;
744 child_result = apply_authz_sections(r, child, section->op);
746 if (child_result == AUTHZ_GENERAL_ERROR) {
747 return AUTHZ_GENERAL_ERROR;
750 if (child_result != AUTHZ_NEUTRAL) {
752 * Handling of AUTHZ_DENIED/AUTHZ_DENIED_NO_USER: Return
753 * AUTHZ_DENIED_NO_USER if providing a user may change the
754 * result, AUTHZ_DENIED otherwise.
756 if (section->op == AUTHZ_LOGIC_AND) {
757 if (child_result == AUTHZ_DENIED) {
758 auth_result = child_result;
761 if ((child_result == AUTHZ_DENIED_NO_USER
762 && auth_result != AUTHZ_DENIED)
763 || (auth_result == AUTHZ_NEUTRAL)) {
764 auth_result = child_result;
769 if (child_result == AUTHZ_GRANTED) {
770 auth_result = child_result;
773 if ((child_result == AUTHZ_DENIED_NO_USER
774 && auth_result == AUTHZ_DENIED)
775 || (auth_result == AUTHZ_NEUTRAL)) {
776 auth_result = child_result;
785 if (section->negate) {
786 if (auth_result == AUTHZ_GRANTED) {
787 auth_result = AUTHZ_DENIED;
789 else if (auth_result == AUTHZ_DENIED ||
790 auth_result == AUTHZ_DENIED_NO_USER) {
791 /* For negated directives, if the original result was denied
792 * then the new result is neutral since we can not grant
793 * access simply because authorization was not rejected.
795 auth_result = AUTHZ_NEUTRAL;
799 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO(01626)
800 "authorization result of %s: %s",
801 format_authz_command(r->pool, section),
802 format_authz_result(auth_result));
807 static int authorize_user_core(request_rec *r, int after_authn)
809 authz_core_dir_conf *conf;
810 authz_status auth_result;
812 conf = ap_get_module_config(r->per_dir_config, &authz_core_module);
814 if (!conf->section) {
815 if (ap_auth_type(r)) {
816 /* there's an AuthType configured, but no authorization
817 * directives applied to support it
820 ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01627)
821 "AuthType configured with no corresponding "
822 "authorization directives");
824 return HTTP_INTERNAL_SERVER_ERROR;
827 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO(01628)
828 "authorization result: granted (no directives)");
833 auth_result = apply_authz_sections(r, conf->section, AUTHZ_LOGIC_AND);
835 if (auth_result == AUTHZ_GRANTED) {
838 else if (auth_result == AUTHZ_DENIED_NO_USER) {
840 ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01629)
841 "authorization failure (no authenticated user): %s",
844 * If we're returning 401 to an authenticated user, tell them to
845 * try again. If unauthenticated, note_auth_failure has already
846 * been called during auth.
849 ap_note_auth_failure(r);
851 return HTTP_UNAUTHORIZED;
855 * We need a user before we can decide what to do.
856 * Get out of the way and proceed with authentication.
861 else if (auth_result == AUTHZ_DENIED || auth_result == AUTHZ_NEUTRAL) {
862 if (!after_authn || ap_auth_type(r) == NULL) {
863 ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01630)
864 "client denied by server configuration: %s%s",
865 r->filename ? "" : "uri ",
866 r->filename ? r->filename : r->uri);
868 return HTTP_FORBIDDEN;
871 ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01631)
872 "user %s: authorization failure for \"%s\": ",
875 if (conf->authz_forbidden_on_fail > 0) {
876 return HTTP_FORBIDDEN;
880 * If we're returning 401 to an authenticated user, tell them to
881 * try again. If unauthenticated, note_auth_failure has already
882 * been called during auth.
885 ap_note_auth_failure(r);
886 return HTTP_UNAUTHORIZED;
891 /* We'll assume that the module has already said what its
892 * error was in the logs.
894 return HTTP_INTERNAL_SERVER_ERROR;
898 static int authorize_userless(request_rec *r)
900 return authorize_user_core(r, 0);
903 static int authorize_user(request_rec *r)
905 return authorize_user_core(r, 1);
908 static int authz_some_auth_required(request_rec *r)
910 authz_core_dir_conf *conf;
912 conf = ap_get_module_config(r->per_dir_config, &authz_core_module);
915 && (conf->section->limited & (AP_METHOD_BIT << r->method_number))) {
926 static authz_status env_check_authorization(request_rec *r,
927 const char *require_line,
928 const void *parsed_require_line)
932 /* The 'env' provider will allow the configuration to specify a list of
933 env variables to check rather than a single variable. This is different
934 from the previous host based syntax. */
936 while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
937 if (apr_table_get(r->subprocess_env, w)) {
938 return AUTHZ_GRANTED;
945 static const authz_provider authz_env_provider =
947 &env_check_authorization,
956 static authz_status all_check_authorization(request_rec *r,
957 const char *require_line,
958 const void *parsed_require_line)
960 if (parsed_require_line) {
961 return AUTHZ_GRANTED;
966 static const char *all_parse_config(cmd_parms *cmd, const char *require_line,
967 const void **parsed_require_line)
970 * If the argument to the 'all' provider is 'granted' then just let
971 * everybody in. This would be equivalent to the previous syntax of
972 * 'allow from all'. If the argument is 'denied' we reject everbody,
973 * which is equivalent to 'deny from all'.
975 if (strcasecmp(require_line, "granted") == 0) {
976 *parsed_require_line = (void *)1;
979 else if (strcasecmp(require_line, "denied") == 0) {
980 /* *parsed_require_line is already NULL */
984 return "Argument for 'Require all' must be 'granted' or 'denied'";
988 static const authz_provider authz_all_provider =
990 &all_check_authorization,
996 * method authz provider
999 static authz_status method_check_authorization(request_rec *r,
1000 const char *require_line,
1001 const void *parsed_require_line)
1003 const apr_int64_t *allowed = parsed_require_line;
1004 if (*allowed & (AP_METHOD_BIT << r->method_number))
1005 return AUTHZ_GRANTED;
1007 return AUTHZ_DENIED;
1010 static const char *method_parse_config(cmd_parms *cmd, const char *require_line,
1011 const void **parsed_require_line)
1014 apr_int64_t *allowed = apr_pcalloc(cmd->pool, sizeof(apr_int64_t));
1018 while ((w = ap_getword_conf(cmd->temp_pool, &t)) && w[0]) {
1019 int m = ap_method_number_of(w);
1020 if (m == M_INVALID) {
1021 return apr_pstrcat(cmd->pool, "Invalid Method '", w, "'", NULL);
1024 *allowed |= (AP_METHOD_BIT << m);
1027 *parsed_require_line = allowed;
1031 static const authz_provider authz_method_provider =
1033 &method_check_authorization,
1034 &method_parse_config,
1038 * expr authz provider
1041 #define REQUIRE_EXPR_NOTE "Require_expr_info"
1042 struct require_expr_info {
1043 ap_expr_info_t *expr;
1047 static int expr_lookup_fn(ap_expr_lookup_parms *parms)
1049 if (parms->type == AP_EXPR_FUNC_VAR
1050 && strcasecmp(parms->name, "REMOTE_USER") == 0) {
1051 struct require_expr_info *info;
1052 apr_pool_userdata_get((void**)&info, REQUIRE_EXPR_NOTE, parms->ptemp);
1053 AP_DEBUG_ASSERT(info != NULL);
1054 info->want_user = 1;
1056 return ap_expr_lookup_default(parms);
1059 static const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
1060 const void **parsed_require_line)
1062 const char *expr_err = NULL;
1063 struct require_expr_info *info = apr_pcalloc(cmd->pool, sizeof(*info));
1065 apr_pool_userdata_setn(info, REQUIRE_EXPR_NOTE, apr_pool_cleanup_null,
1067 info->expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
1071 return apr_pstrcat(cmd->temp_pool,
1072 "Cannot parse expression in require line: ",
1075 *parsed_require_line = info;
1080 static authz_status expr_check_authorization(request_rec *r,
1081 const char *require_line,
1082 const void *parsed_require_line)
1084 const char *err = NULL;
1085 const struct require_expr_info *info = parsed_require_line;
1086 int rc = ap_expr_exec(r, info->expr, &err);
1089 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02320)
1090 "Error evaluating expression in 'Require expr': %s",
1092 return AUTHZ_GENERAL_ERROR;
1095 if (info->want_user)
1096 return AUTHZ_DENIED_NO_USER;
1098 return AUTHZ_DENIED;
1101 return AUTHZ_GRANTED;
1105 static const authz_provider authz_expr_provider =
1107 &expr_check_authorization,
1112 static void register_hooks(apr_pool_t *p)
1114 APR_REGISTER_OPTIONAL_FN(authz_some_auth_required);
1116 ap_hook_pre_config(authz_core_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
1117 ap_hook_check_config(authz_core_check_config, NULL, NULL, APR_HOOK_MIDDLE);
1118 ap_hook_check_authz(authorize_user, NULL, NULL, APR_HOOK_LAST,
1119 AP_AUTH_INTERNAL_PER_CONF);
1120 ap_hook_check_access_ex(authorize_userless, NULL, NULL, APR_HOOK_LAST,
1121 AP_AUTH_INTERNAL_PER_CONF);
1123 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "env",
1124 AUTHZ_PROVIDER_VERSION,
1125 &authz_env_provider, AP_AUTH_INTERNAL_PER_CONF);
1126 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "all",
1127 AUTHZ_PROVIDER_VERSION,
1128 &authz_all_provider, AP_AUTH_INTERNAL_PER_CONF);
1129 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "method",
1130 AUTHZ_PROVIDER_VERSION,
1131 &authz_method_provider, AP_AUTH_INTERNAL_PER_CONF);
1132 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "expr",
1133 AUTHZ_PROVIDER_VERSION,
1134 &authz_expr_provider, AP_AUTH_INTERNAL_PER_CONF);
1137 AP_DECLARE_MODULE(authz_core) =
1139 STANDARD20_MODULE_STUFF,
1140 create_authz_core_dir_config, /* dir config creater */
1141 merge_authz_core_dir_config, /* dir merger */
1142 create_authz_core_svr_config, /* server config */
1143 NULL, /* merge server config */
1145 register_hooks /* register hooks */