1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * Security options etc.
20 * Module derived from code originally written by Rob McCool
24 #include "apr_strings.h"
25 #include "apr_network_io.h"
28 #define APR_WANT_STRFUNC
29 #define APR_WANT_BYTEFUNC
32 #include "ap_config.h"
33 #include "ap_provider.h"
35 #include "http_core.h"
36 #include "http_config.h"
38 #include "http_protocol.h"
39 #include "http_request.h"
43 #if APR_HAVE_NETINET_IN_H
44 #include <netinet/in.h>
48 int dummy; /* just here to stop compiler warnings for now. */
49 } authz_host_dir_conf;
51 module AP_MODULE_DECLARE_DATA authz_host_module;
53 static void *create_authz_host_dir_config(apr_pool_t *p, char *dummy)
55 authz_host_dir_conf *conf =
56 (authz_host_dir_conf *)apr_pcalloc(p, sizeof(authz_host_dir_conf));
61 static const command_rec authz_host_cmds[] =
66 static int in_domain(const char *domain, const char *what)
68 int dl = strlen(domain);
69 int wl = strlen(what);
72 if (strcasecmp(domain, &what[wl - dl]) != 0) {
76 /* Make sure we matched an *entire* subdomain --- if the user
77 * said 'allow from good.com', we don't want people from nogood.com
78 * to be able to get in.
82 return 1; /* matched whole thing */
85 return (domain[0] == '.' || what[wl - dl - 1] == '.');
93 static authz_status ip_check_authorization(request_rec *r,
94 const char *require_line,
95 const void *parsed_require_line)
99 /* The 'ip' provider will allow the configuration to specify a list of
100 ip addresses to check rather than a single address. This is different
101 from the previous host based syntax. */
103 while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
104 char *where = apr_pstrdup(r->pool, w);
111 if ((s = ap_strchr(where, '/'))) {
113 rv = apr_ipsubnet_create(&ip, where, s, r->pool);
114 if(APR_STATUS_IS_EINVAL(rv)) {
115 /* looked nothing like an IP address */
116 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
117 "an ip address 'require' list appears to be invalid ");
119 else if (rv != APR_SUCCESS) {
120 apr_strerror(rv, msgbuf, sizeof msgbuf);
121 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
122 "an ip address 'require' list appears to be invalid; %s ",
128 else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&ip, where,
130 if (rv != APR_SUCCESS) {
131 apr_strerror(rv, msgbuf, sizeof msgbuf);
132 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
133 "an ip address 'require' list appears to be invalid; %s ",
140 if (got_ip && apr_ipsubnet_test(ip, r->connection->remote_addr)) {
141 return AUTHZ_GRANTED;
145 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
146 "access to %s failed, reason: ip address list does not meet "
147 "'require'ments for user '%s' to be allowed access",
153 static authz_status host_check_authorization(request_rec *r,
154 const char *require_line,
155 const void *parsed_require_line)
158 const char *remotehost = NULL;
159 int remotehost_is_ip;
161 remotehost = ap_get_remote_host(r->connection,
166 if ((remotehost == NULL) || remotehost_is_ip) {
167 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
168 "access to %s failed, reason: unable to get the "
169 "remote host name", r->uri);
172 /* The 'host' provider will allow the configuration to specify a list of
173 host names to check rather than a single name. This is different
174 from the previous host based syntax. */
176 while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
177 if (in_domain(w, remotehost)) {
178 return AUTHZ_GRANTED;
182 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
183 "access to %s failed, reason: host name list does not meet "
184 "'require'ments for user '%s' to be allowed access",
191 static const authz_provider authz_ip_provider =
193 &ip_check_authorization,
197 static const authz_provider authz_host_provider =
199 &host_check_authorization,
204 static void register_hooks(apr_pool_t *p)
206 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ip",
207 AUTHZ_PROVIDER_VERSION,
208 &authz_ip_provider, AP_AUTH_INTERNAL_PER_CONF);
209 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host",
210 AUTHZ_PROVIDER_VERSION,
211 &authz_host_provider, AP_AUTH_INTERNAL_PER_CONF);
214 AP_DECLARE_MODULE(authz_host) =
216 STANDARD20_MODULE_STUFF,
217 create_authz_host_dir_config, /* dir config creater */
218 NULL, /* dir merger --- default is to override */
219 NULL, /* server config */
220 NULL, /* merge server config */
222 register_hooks /* register hooks */