From: Stefan Fritsch Date: Sat, 25 Sep 2010 13:17:49 +0000 (+0000) Subject: Add 'local' authz provider that matches connections originating X-Git-Tag: 2.3.9~428 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2690fbd3251a4603b1a7f6c8375e8c59042382aa;p=apache Add 'local' authz provider that matches connections originating on the local host. PR 19938. Also remove some cruft from mod_authz_host (we don't need a per-dir config) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1001207 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 814d8b21d8..a892b05d4d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.3.9
+ *) mod_authz_host: Add 'local' provider that matches connections originating
+ on the local host. PR 19938. [Stefan Fritsch]
+
 *) Event MPM: Fix crash accessing pollset on worker thread when child process is exiting. [Jeff Trawick]
diff --git a/docs/manual/mod/mod_authz_host.html.en b/docs/manual/mod/mod_authz_host.html.en
index 42cc0877b2..053f12f2a2 100644
--- a/docs/manual/mod/mod_authz_host.html.en
+++ b/docs/manual/mod/mod_authz_host.html.en
@@ -159,6 +159,25 @@ address)
+

Require local

+

The local provider allows access to the server if any + of the following conditions is true:

+ + + +

This allows a convenient way to match connections that originate from + the local host:

+ +

+ Require local +

+ +
diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml
index 1126215c25..6c599aad93 100644
--- a/docs/manual/mod/mod_authz_host.xml
+++ b/docs/manual/mod/mod_authz_host.xml
@@ -150,7 +150,25 @@ address)
+
Require local +

The local provider allows access to the server if any + of the following conditions is true:

+ +
    +
  • the client address matches 127.0.0.0/8
  • +
  • the client address is ::1
  • +
  • both the client and the server address of the connection are + the same
  • +
+ +

This allows a convenient way to match connections that originate from + the local host:

+ + + Require local +
+
diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c
index 6d0be22315..5432282411 100644
--- a/modules/aaa/mod_authz_host.c
+++ b/modules/aaa/mod_authz_host.c
@@ -44,25 +44,6 @@ #include #endif
-typedef struct {
- int dummy; /* just here to stop compiler warnings for now. */
-} authz_host_dir_conf;
-
-module AP_MODULE_DECLARE_DATA authz_host_module;
-
-static void *create_authz_host_dir_config(apr_pool_t *p, char *dummy)
-{
- authz_host_dir_conf *conf =
- (authz_host_dir_conf *)apr_pcalloc(p, sizeof(authz_host_dir_conf));
-
- return (void *)conf;
-}
-
-static const command_rec authz_host_cmds[] =
-{
- {NULL}
-};
-
 static int in_domain(const char *domain, const char *what) { int dl = strlen(domain);
@@ -188,6 +169,29 @@ static authz_status host_check_authorization(request_rec *r, return AUTHZ_DENIED; }
+static apr_ipsubnet_t *localhost_v4;
+#if APR_HAVE_IPV6
+static apr_ipsubnet_t *localhost_v6;
+#endif
+
+static authz_status local_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
+{
+ if ( apr_sockaddr_equal(r->connection->local_addr,
+ r->connection->remote_addr)
+ || apr_ipsubnet_test(localhost_v4, r->connection->remote_addr)
+#if APR_HAVE_IPV6
+ || apr_ipsubnet_test(localhost_v6, r->connection->remote_addr)
+#endif
+ )
+ {
+ return AUTHZ_GRANTED;
+ }
+
+ return AUTHZ_DENIED;
+}
+
 static const authz_provider authz_ip_provider = { &ip_check_authorization,
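Review bot: `local_check_authorization` decides purely on `r->connection->remote_addr`, which as far as this hunk shows is the address of the connection's peer, and nothing in the new code records that. If httpd is fronted by a reverse proxy, tunnel or load balancer on the same machine, every relayed request arrives from 127.0.0.1 or ::1 and `Require local` grants it, whatever the real client was. I would add a comment above the function such as `/* Matches the connection's peer address only; requests relayed by a proxy on this host all count as local. */` and repeat that caveat in the `Require local` section of the module documentation. A short remark on why the `apr_sockaddr_equal` test is there (a client connecting to one of the host's own non-loopback addresses) would also help the next reader.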
@@ -200,24 +204,46 @@ static const authz_provider authz_host_provider = NULL, };
+static const authz_provider authz_local_provider =
+{
+ &local_check_authorization,
+ NULL,
+};
+
+
+static int authz_host_pre_config(apr_pool_t *p, apr_pool_t *plog,
+ apr_pool_t *ptemp)
+{
+ apr_ipsubnet_create(&localhost_v4, "127.0.0.0", "8", p);
+#if APR_HAVE_IPV6
+ apr_ipsubnet_create(&localhost_v6, "::1", "128", p);
+#endif
+
+ return OK;
+}
 static void register_hooks(apr_pool_t *p) {
+ ap_hook_pre_config(authz_host_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
+
 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ip", AUTHZ_PROVIDER_VERSION, &authz_ip_provider, AP_AUTH_INTERNAL_PER_CONF); ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host", AUTHZ_PROVIDER_VERSION, &authz_host_provider, AP_AUTH_INTERNAL_PER_CONF);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "local",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_local_provider, AP_AUTH_INTERNAL_PER_CONF);
 } AP_DECLARE_MODULE(authz_host) = { STANDARD20_MODULE_STUFF,
- create_authz_host_dir_config, /* dir config creater */
+ NULL, /* dir config creater */
 NULL, /* dir merger --- default is to override */ NULL, /* server config */ NULL, /* merge server config */
- authz_host_cmds,
+ NULL,
 register_hooks /* register hooks */ };
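Review bot: Both `apr_ipsubnet_create` calls in `authz_host_pre_config` discard their return status, so a failure would leave `localhost_v4` or `localhost_v6` NULL while the hook still returns OK. `local_check_authorization`, added in the previous hunk, passes those pointers straight to `apr_ipsubnet_test` on every `Require local` request, so a silent failure at startup would become a NULL subnet in the authorization path. With these constant literals a failure is unlikely, but the check is cheap: `if (apr_ipsubnet_create(&localhost_v4, "127.0.0.0", "8", p) != APR_SUCCESS) return HTTP_INTERNAL_SERVER_ERROR;`, and likewise for the `::1` call. A one-line comment that the subnets are allocated from the pool handed to pre_config, and so rebuilt each time the hook runs, would document the lifetime of the two file-scope pointers.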