1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
19 #include "http_config.h"
20 #include "ap_provider.h"
21 #include "http_request.h"
22 #include "http_protocol.h"
23 #include "http_core.h"
26 #include "apr_strings.h"
27 #include "mod_authz_dbd.h"
32 module AP_MODULE_DECLARE_DATA authz_dbd_module;
34 /* Export a hook for modules that manage clientside sessions
35 * (e.g. mod_auth_cookie)
36 * to deal with those when we successfully login/logout at the server
38 * XXX: WHY would this be specific to dbd_authz? Why wouldn't we track
39 * this across all authz user providers in a lower level mod, such as
40 * mod_auth_basic/digest?
42 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(authz_dbd, AUTHZ_DBD, int, client_login,
43 (request_rec *r, int code, const char *action),
44 (r, code, action), OK, DECLINED)
49 const char *redir_query;
53 static ap_dbd_t *(*dbd_handle)(request_rec*) = NULL;
54 static void (*dbd_prepare)(server_rec*, const char*, const char*) = NULL;
56 static const char *const noerror = "???";
58 static void *authz_dbd_cr_cfg(apr_pool_t *pool, char *dummy)
60 authz_dbd_cfg *ret = apr_pcalloc(pool, sizeof(authz_dbd_cfg));
65 static void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD)
67 authz_dbd_cfg *base = BASE;
68 authz_dbd_cfg *add = ADD;
69 authz_dbd_cfg *ret = apr_palloc(pool, sizeof(authz_dbd_cfg));
71 ret->query = (add->query == NULL) ? base->query : add->query;
72 ret->redir_query = (add->redir_query == NULL)
73 ? base->redir_query : add->redir_query;
74 ret->redirect = (add->redirect == -1) ? base->redirect : add->redirect;
78 static const char *authz_dbd_prepare(cmd_parms *cmd, void *cfg,
81 static unsigned int label_num = 0;
83 const char *err = ap_check_cmd_context(cmd, NOT_IN_HTACCESS);
87 if (dbd_prepare == NULL) {
88 dbd_prepare = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_prepare);
89 if (dbd_prepare == NULL) {
90 return "You must load mod_dbd to enable AuthzDBD functions";
92 dbd_handle = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_acquire);
94 label = apr_psprintf(cmd->pool, "authz_dbd_%d", ++label_num);
96 dbd_prepare(cmd->server, query, label);
98 /* save the label here for our own use */
99 return ap_set_string_slot(cmd, cfg, label);
102 static const command_rec authz_dbd_cmds[] = {
103 AP_INIT_FLAG("AuthzDBDLoginToReferer", ap_set_flag_slot,
104 (void*)APR_OFFSETOF(authz_dbd_cfg, redirect), ACCESS_CONF,
105 "Whether to redirect to referer on successful login"),
106 AP_INIT_TAKE1("AuthzDBDQuery", authz_dbd_prepare,
107 (void*)APR_OFFSETOF(authz_dbd_cfg, query), ACCESS_CONF,
108 "SQL query for DBD Authz or login"),
109 AP_INIT_TAKE1("AuthzDBDRedirectQuery", authz_dbd_prepare,
110 (void*)APR_OFFSETOF(authz_dbd_cfg, redir_query), ACCESS_CONF,
111 "SQL query to get per-user redirect URL after login"),
115 static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg,
119 const char *newuri = NULL;
122 ap_dbd_t *dbd = dbd_handle(r);
123 apr_dbd_prepared_t *query;
124 apr_dbd_results_t *res = NULL;
125 apr_dbd_row_t *row = NULL;
127 if (cfg->query == NULL) {
128 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01642)
129 "No query configured for %s!", action);
130 return HTTP_INTERNAL_SERVER_ERROR;
133 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02902)
134 "No db handle available for %s! "
135 "Check your database access",
137 return HTTP_INTERNAL_SERVER_ERROR;
139 query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING);
141 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01643)
142 "Error retrieving Query for %s!", action);
143 return HTTP_INTERNAL_SERVER_ERROR;
146 rv = apr_dbd_pvquery(dbd->driver, r->pool, dbd->handle, &nrows,
147 query, r->user, NULL);
150 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01644)
151 "authz_dbd: %s of user %s updated %d rows",
152 action, r->user, nrows);
156 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
157 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01645)
158 "authz_dbd: query for %s failed; user %s [%s]",
159 action, r->user, message?message:noerror);
160 return HTTP_INTERNAL_SERVER_ERROR;
163 if (cfg->redirect == 1) {
164 newuri = apr_table_get(r->headers_in, "Referer");
167 if (!newuri && cfg->redir_query) {
168 query = apr_hash_get(dbd->prepared, cfg->redir_query,
169 APR_HASH_KEY_STRING);
171 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01646)
172 "authz_dbd: no redirect query!");
173 /* OK, this is non-critical; we can just not-redirect */
175 else if ((rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle,
176 &res, query, 0, r->user, NULL)) == 0) {
177 for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
179 rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
181 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
182 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01647)
183 "authz_dbd in get_row; action=%s user=%s [%s]",
184 action, r->user, message?message:noerror);
186 else if (newuri == NULL) {
189 apr_dbd_get_entry(dbd->driver, row, 0));
191 /* we can't break out here or row won't get cleaned up */
195 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
196 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01648)
197 "authz_dbd/redirect for %s of %s [%s]",
198 action, r->user, message?message:noerror);
201 if (newuri != NULL) {
202 r->status = HTTP_MOVED_TEMPORARILY;
203 apr_table_set(r->err_headers_out, "Location", newuri);
205 authz_dbd_run_client_login(r, OK, action);
209 static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg,
210 apr_array_header_t *groups)
212 /* SELECT group FROM authz WHERE user = %s */
215 ap_dbd_t *dbd = dbd_handle(r);
216 apr_dbd_prepared_t *query;
217 apr_dbd_results_t *res = NULL;
218 apr_dbd_row_t *row = NULL;
220 if (cfg->query == NULL) {
221 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01649)
222 "No query configured for dbd-group!");
223 return HTTP_INTERNAL_SERVER_ERROR;
226 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02903)
227 "No db handle available for dbd-query! "
228 "Check your database access");
229 return HTTP_INTERNAL_SERVER_ERROR;
231 query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING);
233 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01650)
234 "Error retrieving query for dbd-group!");
235 return HTTP_INTERNAL_SERVER_ERROR;
237 rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
238 query, 0, r->user, NULL);
240 for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
242 rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
244 APR_ARRAY_PUSH(groups, const char *) =
246 apr_dbd_get_entry(dbd->driver, row, 0));
249 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
250 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01651)
251 "authz_dbd in get_row; group query for user=%s [%s]",
252 r->user, message?message:noerror);
253 return HTTP_INTERNAL_SERVER_ERROR;
258 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
259 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01652)
260 "authz_dbd, in groups query for %s [%s]",
261 r->user, message?message:noerror);
262 return HTTP_INTERNAL_SERVER_ERROR;
267 static authz_status dbdgroup_check_authorization(request_rec *r,
268 const char *require_args,
269 const void *parsed_require_args)
273 apr_array_header_t *groups;
275 const char *err = NULL;
276 const ap_expr_info_t *expr = parsed_require_args;
280 authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
284 return AUTHZ_DENIED_NO_USER;
287 groups = apr_array_make(r->pool, 4, sizeof(const char*));
288 rv = authz_dbd_group_query(r, cfg, groups);
290 return AUTHZ_GENERAL_ERROR;
293 require = ap_expr_str_exec(r, expr, &err);
295 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02590)
296 "authz_dbd authorize: require dbd-group: Can't "
297 "evaluate require expression: %s", err);
303 w = ap_getword_white(r->pool, &t);
304 if (ap_array_str_contains(groups, w)) {
305 return AUTHZ_GRANTED;
312 static authz_status dbdlogin_check_authorization(request_rec *r,
313 const char *require_args,
314 const void *parsed_require_args)
316 authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
320 return AUTHZ_DENIED_NO_USER;
323 return (authz_dbd_login(r, cfg, "login") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
326 static authz_status dbdlogout_check_authorization(request_rec *r,
327 const char *require_args,
328 const void *parsed_require_args)
330 authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
334 return AUTHZ_DENIED_NO_USER;
337 return (authz_dbd_login(r, cfg, "logout") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
340 static const char *dbd_parse_config(cmd_parms *cmd, const char *require_line,
341 const void **parsed_require_line)
343 const char *expr_err = NULL;
344 ap_expr_info_t *expr;
346 expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
350 return apr_pstrcat(cmd->temp_pool,
351 "Cannot parse expression in require line: ",
355 *parsed_require_line = expr;
360 static const authz_provider authz_dbdgroup_provider =
362 &dbdgroup_check_authorization,
366 static const authz_provider authz_dbdlogin_provider =
368 &dbdlogin_check_authorization,
372 static const authz_provider authz_dbdlogout_provider =
374 &dbdlogout_check_authorization,
378 static void authz_dbd_hooks(apr_pool_t *p)
380 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-group",
381 AUTHZ_PROVIDER_VERSION,
382 &authz_dbdgroup_provider,
383 AP_AUTH_INTERNAL_PER_CONF);
384 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-login",
385 AUTHZ_PROVIDER_VERSION,
386 &authz_dbdlogin_provider,
387 AP_AUTH_INTERNAL_PER_CONF);
388 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-logout",
389 AUTHZ_PROVIDER_VERSION,
390 &authz_dbdlogout_provider,
391 AP_AUTH_INTERNAL_PER_CONF);
394 AP_DECLARE_MODULE(authz_dbd) =
396 STANDARD20_MODULE_STUFF,