From: Nick Kew Date: Fri, 18 Nov 2005 00:42:08 +0000 (+0000) Subject: mod_authz_dbd: SQL authz with Login/Session support X-Git-Tag: 2.3.0~2747 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5dbbe6d499157a6bad9eb805e2a9b0d26559da1e;p=apache mod_authz_dbd: SQL authz with Login/Session support git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@345389 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/aaa/config.m4 b/modules/aaa/config.m4 index e2c057d212..3140787362 100644 --- a/modules/aaa/config.m4 +++ b/modules/aaa/config.m4 @@ -31,6 +31,7 @@ APACHE_MODULE(authz_groupfile, 'require group' authorization control, , , yes) APACHE_MODULE(authz_user, 'require user' authorization control, , , yes) APACHE_MODULE(authz_dbm, DBM-based authorization control, , , most) APACHE_MODULE(authz_owner, 'require file-owner' authorization control, , , most) +APACHE_MODULE(authz_dbd, SQL based authorization and Login/Session support, , , most) dnl LDAP authentication module. This module has both the authn and authz dnl modules in one, so as to share the LDAP server config directives. diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c new file mode 100644 index 0000000000..3395b4b588 --- /dev/null +++ b/modules/aaa/mod_authz_dbd.c @@ -0,0 +1,316 @@ +/* Copyright 2005 The Apache Software Foundation or its licensors, as + * applicable. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "httpd.h" +#include "http_log.h" +#include "http_config.h" +#include "http_request.h" +#include "http_protocol.h" +#include "http_core.h" +#include "apr_dbd.h" +#include "mod_dbd.h" +#include "apr_strings.h" +#include "mod_authz_dbd.h" + +module AP_MODULE_DECLARE_DATA authz_dbd_module; + +/* Export a hook for modules that manage clientside sessions + * (e.g. mod_auth_cookie) + * to deal with those when we successfully login/logout at the server + */ +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(authz_dbd, AP, int, client_login, + (request_rec *r, int code, const char *action), + (r, code, action), OK, DECLINED) + + +typedef struct { + const char *query; + const char *redir_query; + int redirect; + int authoritative; +} authz_dbd_cfg ; + +static ap_dbd_t *(*dbd_handle)(request_rec*) = NULL; +static void (*dbd_prepare)(server_rec*, const char*, const char*) = NULL; + +static const char *const noerror = "???"; + +static void *authz_dbd_cr_cfg(apr_pool_t *pool, char *dummy) +{ + authz_dbd_cfg *ret = apr_pcalloc(pool, sizeof(authz_dbd_cfg)); + ret->redirect = ret->authoritative = -1; + return ret; +} +static void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD) +{ + authz_dbd_cfg *base = BASE; + authz_dbd_cfg *add = ADD; + authz_dbd_cfg *ret = apr_palloc(pool, sizeof(authz_dbd_cfg)); + + ret->query = (add->query == NULL) ? base->query : add->query; + ret->redir_query = (add->redir_query == NULL) + ? base->redir_query : add->redir_query; + ret->authoritative = (add->authoritative == -1) + ? base->authoritative : add->authoritative; + ret->redirect = (add->redirect == -1) ? base->redirect : add->redirect; + return ret; +} +static const char *authz_dbd_prepare(cmd_parms *cmd, void *cfg, + const char *query) +{ + static unsigned int label_num = 0; + char *label; + + if (dbd_prepare == NULL) { + dbd_prepare = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_prepare); + if (dbd_prepare == NULL) { + return "You must load mod_dbd to enable AuthzDBD functions"; + } + dbd_handle = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_acquire); + } + label = apr_psprintf(cmd->pool, "authz_dbd_%d", ++label_num); + + dbd_prepare(cmd->server, query, label); + + /* save the label here for our own use */ + return ap_set_string_slot(cmd, cfg, label); +} +static const command_rec authz_dbd_cmds[] = { + AP_INIT_FLAG("AuthzDBDAuthoritative", ap_set_flag_slot, + (void*)APR_OFFSETOF(authz_dbd_cfg, authoritative), ACCESS_CONF, + "Whether dbd-group is authoritative"), + AP_INIT_FLAG("AuthzDBDLoginToReferer", ap_set_flag_slot, + (void*)APR_OFFSETOF(authz_dbd_cfg, redirect), ACCESS_CONF, + "Whether to redirect to referer on successful login"), + AP_INIT_TAKE1("AuthzDBDQuery", authz_dbd_prepare, + (void*)APR_OFFSETOF(authz_dbd_cfg, query), ACCESS_CONF, + "SQL query for DBD Authz or login"), + AP_INIT_TAKE1("AuthzDBDRedirectQuery", authz_dbd_prepare, + (void*)APR_OFFSETOF(authz_dbd_cfg, redir_query), ACCESS_CONF, + "SQL query to get per-user redirect URL after login"), + {NULL} +}; + +static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg, + const char *action) +{ + int rv; + const char *newuri = NULL; + int nrows; + const char *message; + ap_dbd_t *dbd = dbd_handle(r); + apr_dbd_prepared_t *query; + apr_dbd_results_t *res = NULL; + apr_dbd_row_t *row = NULL; + + if (cfg->query == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "No query configured for %s!", action); + return HTTP_INTERNAL_SERVER_ERROR; + } + query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING); + if (query == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Error retrieving Query for %s!", action); + return HTTP_INTERNAL_SERVER_ERROR; + } + + rv = apr_dbd_pvquery(dbd->driver, r->pool, dbd->handle, &nrows, + query, r->user, NULL); + if (rv == 0) { + if (nrows != 1) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "authz_dbd: %s of user %s updated %d rows", + action, r->user, nrows); + } + } + else { + message = apr_dbd_error(dbd->driver, dbd->handle, rv); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "authz_dbd: query for %s failed; user %s [%s]", + action, r->user, message?message:noerror); + return HTTP_INTERNAL_SERVER_ERROR; + } + + if (cfg->redirect == 1) { + newuri = apr_table_get(r->headers_in, "Referer"); + } + + if (!newuri && cfg->redir_query) { + query = apr_hash_get(dbd->prepared, cfg->redir_query, + APR_HASH_KEY_STRING); + if (query == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "authz_dbd: no redirect query!"); + /* OK, this is non-critical; we can just not-redirect */ + } + else if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, + query, 0, r->user, NULL) == 0) { + for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1); + rv != -1; + rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) { + if (rv == 0) { + newuri = apr_dbd_get_entry(dbd->driver, row, 0); + } + else { + message = apr_dbd_error(dbd->driver, dbd->handle, rv); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "authz_dbd in get_row; action=%s user=%s [%s]", + action, r->user, message?message:noerror); + } + } + } + else { + message = apr_dbd_error(dbd->driver, dbd->handle, rv); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "authz_dbd/redirect for %s of %s [%s]", + action, r->user, message?message:noerror); + } + } + if (newuri != NULL) { + apr_table_set(r->err_headers_out, "Location", newuri); + rv = HTTP_MOVED_TEMPORARILY; + } + else { + rv = OK; + } + authz_dbd_run_client_login(r, rv, action); + return rv; +} + +static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, + apr_array_header_t *groups) +{ + /* SELECT group FROM authz WHERE user = %s */ + int rv; + const char *message; + ap_dbd_t *dbd = dbd_handle(r); + apr_dbd_prepared_t *query; + apr_dbd_results_t *res = NULL; + apr_dbd_row_t *row = NULL; + const char **group; + + if (cfg->query == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "No query configured for dbd-group!"); + return HTTP_INTERNAL_SERVER_ERROR; + } + query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING); + if (query == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Error retrieving query for dbd-group!"); + return HTTP_INTERNAL_SERVER_ERROR; + } + rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, + query, 0, r->user, NULL); + if (rv == 0) { + for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1); + rv != -1; + rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) { + if (rv == 0) { + group = apr_array_push(groups); + *group = apr_dbd_get_entry(dbd->driver, row, 0); + } + else { + message = apr_dbd_error(dbd->driver, dbd->handle, rv); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "authz_dbd in get_row; group query for user=%s [%s]", + r->user, message?message:noerror); + return HTTP_INTERNAL_SERVER_ERROR; + } + } + } + else { + message = apr_dbd_error(dbd->driver, dbd->handle, rv); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "authz_dbd, in groups query for %s [%s]", + r->user, message?message:noerror); + return HTTP_INTERNAL_SERVER_ERROR; + } + return OK; +} +static int authz_dbd_check(request_rec *r) +{ + int i, x, rv; + const char *w; + int m = r->method_number; + const apr_array_header_t *reqs_arr = ap_requires(r); + require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; + apr_array_header_t *groups = NULL; + const char *t; + authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, + &authz_dbd_module); + + if (!reqs_arr) { + return DECLINED; + } + + for (x = 0; x < reqs_arr->nelts; x++) { + if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { + continue; + } + + t = reqs[x].requirement; + w = ap_getword_white(r->pool, &t); + if (!strcasecmp(w, "dbd-group")) { + if (groups == NULL) { + groups = apr_array_make(r->pool, 4, sizeof(const char*)); + rv = authz_dbd_group_query(r, cfg, groups); + if (rv != OK) { + return rv; + } + } + while (t[0]) { + w = ap_getword_white(r->pool, &t); + for (i=0; i < groups->nelts; ++i) { + if (!strcmp(w, ((const char**)groups->elts)[i])) { + return OK; + } + } + } + } + else if (!strcasecmp(w, "dbd-login")) { + return authz_dbd_login(r, cfg, "login"); + } + else if (!strcasecmp(w, "dbd-logout")) { + return authz_dbd_login(r, cfg, "logout"); + } + } + + if ((groups != NULL) && cfg->authoritative) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "authz_dbd: user %s denied access to %s", + r->user, r->uri); + ap_note_auth_failure(r); + return HTTP_UNAUTHORIZED; + } + return DECLINED; +} +static void authz_dbd_hooks(apr_pool_t *p) +{ + ap_hook_auth_checker(authz_dbd_check, NULL, NULL, APR_HOOK_MIDDLE); +} +module AP_MODULE_DECLARE_DATA authz_dbd_module = +{ + STANDARD20_MODULE_STUFF, + authz_dbd_cr_cfg, + authz_dbd_merge_cfg, + NULL, + NULL, + authz_dbd_cmds, + authz_dbd_hooks +}; + diff --git a/modules/aaa/mod_authz_dbd.h b/modules/aaa/mod_authz_dbd.h new file mode 100644 index 0000000000..85cc5b4fe1 --- /dev/null +++ b/modules/aaa/mod_authz_dbd.h @@ -0,0 +1,23 @@ +/* Copyright 2000-2005 The Apache Software Foundation or its licensors, as + * applicable. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MOD_AUTHZ_DBD_H +#define MOD_AUTHZ_DBD_H +#include "httpd.h" + +APR_DECLARE_EXTERNAL_HOOK(authz_dbd, AP, int, client_login, + (request_rec *r, int code, const char *action)) +#endif