From: Bradley Nicholes Date: Wed, 11 Jan 2006 14:30:28 +0000 (+0000) Subject: Authz refactoring X-Git-Tag: 2.3.0~2622 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9fed4c73d7d572fa468b407c44a1923e520f98ae;p=apache Authz refactoring Merge from branches/authz-dev Basically here is a list of what has been done: - Convert all of the authz modules from hook based to provider based - Remove the ap_requires field from the core_dir_config structure - Remove the function ap_requires() since its functionality is no longer supported or necessary in the refactoring - Remove the calls to ap_some_auth_required() in the core request handling to allow the hooks to be called in all cases. - Add the new module mod_authz_core which will act as the authorization provider vector and contain common authz directives such as 'Require', 'Reject' and '' - Add the new module mod_authn_core which will contain common authentication directives such as 'AuthType', 'AuthName' and '' - Move the check for METHOD_MASK out of the authz providers and into the authz_core provider vector - Define the status codes that can be returned by the authz providers as AUTHZ_DENIED, AUTHZ_GRANTED and AUTHZ_GENERAL_ERROR - Remove the 'Satisfy' directive - Implement the '', '' block directives to handle the 'and' and 'or' logic for authorization. - Remove the 'AuthzXXXAuthoritative' directives from all of the authz providers - Implement the 'Reject' directive that will deny authorization if the argument is true - Fold the 'Reject' directive into the '', '' logic - Reimplement the host based authorization functionality provided by 'allow', 'deny' and 'order' as authz providers - Remove the 'allow', 'deny' and 'order' directives - Merge mod_authn_alias into mod_authn_core - Add '' functionality which is similar to '' but specific to authorization aliasing - Remove all of the references to the 'authzxxxAuthoritative' directives from the documentation - Remove the 'Satisfy' directive from the documentation - Remove 'Allow', 'Deny', 'Order' directives from the documentation - Document '', '', 'Reject' directives - Reimplement the APIs ap_auth_type(), ap_auth_name() as optional functions and move the actual implementation into mod_authn_core - Reimplement the API ap_some_auth_required() as an optional function and move the actual implementation into mod_authz_core Major Changes: - Added the directives , , , Reject - Expanded the functionality of the directive 'Require' to handle all authorization and access control - Added the new authz providers 'env', 'ip', 'host', 'all' to handle host-based access control - Removed the directives 'Allow', 'Deny', 'Order', 'Satisfy', 'AuthzXXXAuthoritative' - Removed the ap_require() API - Moved the directives 'AuthType', 'AuthName' out of mod_core and into mod_authn_core - Moved the directive 'Require' out of mod_core and into mod_authz_core - Merged mod_authn_alias into mod_authn_core - Renamed mod_authz_dbm authz providers from 'group' and 'file-group' to 'dbm-group' and 'dbm-file-group' Benefits: - All authorization and access control is now handle through two directives, 'Require' and 'Reject' - Authorization has been expanded to allow for complex 'AND/OR' control logic through the directives '' and '' - Configuration is now much simpler and consistent across the board - Other modules like mod_ssl and mod_proxy should be able to plug into and take advantage of the same provider based authorization mechanism by implementing their own providers Issues: - Backwards compatibility between 2.2 and 2.3 configurations will be broken in the area of authorization and access control due to the fact that the directives 'allow', 'deny', 'order' and 'satisfy' have been removed. When moving from 2.2 to 2.3 these directives will have to be changed to 'Require all granted', 'Require all denied' or some variation of the authz host-based providers. - Existing third party authorization modules will have to adapt to the new structure. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@368027 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/conf/extra/httpd-autoindex.conf.in b/docs/conf/extra/httpd-autoindex.conf.in index 13b400d1ad..91ddb534c5 100644 --- a/docs/conf/extra/httpd-autoindex.conf.in +++ b/docs/conf/extra/httpd-autoindex.conf.in @@ -22,8 +22,7 @@ Alias /icons/ "@exp_iconsdir@/" Options Indexes MultiViews AllowOverride None - Order allow,deny - Allow from all + Require all granted # diff --git a/docs/conf/extra/httpd-dav.conf.in b/docs/conf/extra/httpd-dav.conf.in index 56a1a819ab..ec8a5e59b6 100644 --- a/docs/conf/extra/httpd-dav.conf.in +++ b/docs/conf/extra/httpd-dav.conf.in @@ -24,6 +24,7 @@ Alias /uploads "@@ServerRoot@@/uploads" # You can use the htdigest program to create the password database: # htdigest -c "@@ServerRoot@@/user.passwd" DAV-upload admin AuthUserFile "@@ServerRoot@@/user.passwd" + AuthDigestProvider file # Allow universal read-access, but writes are restricted # to the admin user. diff --git a/docs/conf/extra/httpd-info.conf.in b/docs/conf/extra/httpd-info.conf.in index db316c032e..261f096d7e 100644 --- a/docs/conf/extra/httpd-info.conf.in +++ b/docs/conf/extra/httpd-info.conf.in @@ -12,9 +12,7 @@ SetHandler server-status - Order deny,allow - Deny from all - Allow from .example.com + Require host .example.com # @@ -31,7 +29,5 @@ # SetHandler server-info - Order deny,allow - Deny from all - Allow from .example.com + Require host .example.com diff --git a/docs/conf/extra/httpd-manual.conf.in b/docs/conf/extra/httpd-manual.conf.in index 874b0933ec..fc9e616944 100644 --- a/docs/conf/extra/httpd-manual.conf.in +++ b/docs/conf/extra/httpd-manual.conf.in @@ -12,8 +12,7 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru))?(/.*)?$ "@exp_manualdir@$ Options Indexes AllowOverride None - Order allow,deny - Allow from all + Require all granted SetHandler type-map diff --git a/docs/conf/extra/httpd-multilang-errordoc.conf.in b/docs/conf/extra/httpd-multilang-errordoc.conf.in index d3192508b5..617f5f607f 100644 --- a/docs/conf/extra/httpd-multilang-errordoc.conf.in +++ b/docs/conf/extra/httpd-multilang-errordoc.conf.in @@ -26,8 +26,7 @@ Alias /error/ "@exp_errordir@/" Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var - Order allow,deny - Allow from all + Require all granted LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr ForceLanguagePriority Prefer Fallback diff --git a/docs/conf/extra/httpd-userdir.conf.in b/docs/conf/extra/httpd-userdir.conf.in index f424dd437d..210fba0a71 100644 --- a/docs/conf/extra/httpd-userdir.conf.in +++ b/docs/conf/extra/httpd-userdir.conf.in @@ -17,12 +17,10 @@ UserDir public_html AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - Order allow,deny - Allow from all + Require all granted - Order deny,allow - Deny from all + Require all denied diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in index e493562a15..a165e57512 100644 --- a/docs/conf/httpd.conf.in +++ b/docs/conf/httpd.conf.in @@ -112,8 +112,7 @@ DocumentRoot "@exp_htdocsdir@" Options FollowSymLinks AllowOverride None - Order deny,allow - Deny from all + Require all denied # @@ -151,8 +150,7 @@ DocumentRoot "@exp_htdocsdir@" # # Controls who can get stuff from this server. # - Order allow,deny - Allow from all + Require all granted @@ -169,9 +167,7 @@ DocumentRoot "@exp_htdocsdir@" # viewed by Web clients. # - Order allow,deny - Deny from all - Satisfy All + Require all denied # @@ -265,8 +261,7 @@ LogLevel warn AllowOverride None Options None - Order allow,deny - Allow from all + Require all granted # diff --git a/docs/manual/developer/request.xml b/docs/manual/developer/request.xml index 72d5cf68b0..7bb7689274 100644 --- a/docs/manual/developer/request.xml +++ b/docs/manual/developer/request.xml @@ -149,56 +149,18 @@

Needs Documentation. Code is:

-switch (ap_satisfies(r)) {
-case SATISFY_ALL:
-case SATISFY_NOSPEC:
-    if ((access_status = ap_run_access_checker(r)) != 0) {
-        return decl_die(access_status, "check access", r);
-    }
-
-    if (ap_some_auth_required(r)) {
-        if (((access_status = ap_run_check_user_id(r)) != 0)
-            || !ap_auth_type(r)) {
-            return decl_die(access_status, ap_auth_type(r)
-                          ? "check user.  No user file?"
-                          : "perform authentication. AuthType not set!",
-                          r);
-        }
-
-        if (((access_status = ap_run_auth_checker(r)) != 0)
-            || !ap_auth_type(r)) {
-            return decl_die(access_status, ap_auth_type(r)
-                          ? "check access.  No groups file?"
-                          : "perform authentication. AuthType not set!",
-                          r);
-        }
-    }
-    break;
-
-case SATISFY_ANY:
-    if (((access_status = ap_run_access_checker(r)) != 0)) {
-        if (!ap_some_auth_required(r)) {
+        if ((access_status = ap_run_access_checker(r)) != 0) {
             return decl_die(access_status, "check access", r);
         }
 
-        if (((access_status = ap_run_check_user_id(r)) != 0)
-            || !ap_auth_type(r)) {
-            return decl_die(access_status, ap_auth_type(r)
-                          ? "check user.  No user file?"
-                          : "perform authentication. AuthType not set!",
-                          r);
+        if ((access_status = ap_run_check_user_id(r)) != 0) {
+            return decl_die(access_status, "check user", r);
         }
 
-        if (((access_status = ap_run_auth_checker(r)) != 0)
-            || !ap_auth_type(r)) {
-            return decl_die(access_status, ap_auth_type(r)
-                          ? "check access.  No groups file?"
-                          : "perform authentication. AuthType not set!",
-                          r);
+        if ((access_status = ap_run_auth_checker(r)) != 0) {
+            return decl_die(access_status, "check authorization", r);
         }
-    }
-    break;
-}
+ diff --git a/docs/manual/mod/allmodules.xml b/docs/manual/mod/allmodules.xml index 0bac66e23c..d76e4b8507 100644 --- a/docs/manual/mod/allmodules.xml +++ b/docs/manual/mod/allmodules.xml @@ -9,11 +9,13 @@ mod_auth_digest.xml mod_authn_alias.xml mod_authn_anon.xml + mod_authn_core.xml mod_authn_dbd.xml mod_authn_dbm.xml mod_authn_default.xml mod_authn_file.xml mod_authnz_ldap.xml + mod_authz_core.xml mod_authz_dbd.xml mod_authz_dbm.xml mod_authz_default.xml diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index 3d9447e70f..d5402df6c4 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -469,69 +469,6 @@ be passed through .htaccess Files - -AuthName -Authorization realm for use in HTTP -authentication -AuthName auth-domain -directory.htaccess - -AuthConfig - - -

This directive sets the name of the authorization realm for a - directory. This realm is given to the client so that the user - knows which username and password to send. - AuthName takes a single argument; if the - realm name contains spaces, it must be enclosed in quotation - marks. It must be accompanied by AuthType and Require directives, and directives such - as AuthUserFile and - AuthGroupFile to - work.

- -

For example:

- - - AuthName "Top Secret" - - -

The string provided for the AuthName is what will - appear in the password dialog provided by most browsers.

- -Authentication, Authorization, and - Access Control - - - -AuthType -Type of user authentication -AuthType Basic|Digest -directory.htaccess - -AuthConfig - - -

This directive selects the type of user authentication for a - directory. The authentication types available are - Basic (implemented by - mod_auth_basic) and Digest - (implemented by mod_auth_digest).

- -

To implement authentication, you must also use the AuthName and Require directives. In addition, the - server must have an authentication-provider module such as - mod_authn_file and an authorization module such - as mod_authz_user.

- - -Authentication, Authorization, - and Access Control - - CGIMapExtension Technique for locating the interpreter for CGI @@ -2391,101 +2328,6 @@ directory - -Require -Selects which authenticated users can access -a resource -Require entity-name [entity-name] ... -directory.htaccess - -AuthConfig - - -

This directive selects which authenticated users can access a - resource. The restrictions are processed by authorization - modules. Some of the allowed syntaxes provided by - mod_authz_user and - mod_authz_groupfile are:

- -
-
Require user userid [userid] - ...
-
Only the named users can access the resource.
- -
Require group group-name [group-name] - ...
-
Only users in the named groups can access the resource.
- -
Require valid-user
-
All valid users can access the resource.
-
- -

Other authorization modules that implement require options - include mod_authnz_ldap, - mod_authz_dbm, and - mod_authz_owner.

- -

Require must be accompanied by - AuthName and AuthType directives, and directives such - as AuthUserFile - and AuthGroupFile (to - define users and groups) in order to work correctly. Example:

- - - AuthType Basic
- AuthName "Restricted Resource"
- AuthUserFile /web/users
- AuthGroupFile /web/groups
- Require group admin - - -

Access controls which are applied in this way are effective for - all methods. This is what is normally - desired. If you wish to apply access controls only to - specific methods, while leaving other methods unprotected, then - place the Require statement into a - Limit - section.

- -

If Require is used together with - the Allow or - Deny directives, - then the interaction of these restrictions is controlled by - the Satisfy directive.

- - Removing controls in subdirectories -

The following example shows how to use the Satisfy directive to disable access - controls in a subdirectory of a protected directory. This - technique should be used with caution, because it will also - disable any access controls imposed by - mod_authz_host.

- - <Directory /path/to/protected/>
- - Require user david
- - </Directory>
- <Directory /path/to/protected/unprotected>
- - # All access controls and authentication are disabled
- # in this directory
- Satisfy Any
- Allow from all
- - </Directory>
- - - - - -Authentication, Authorization, - and Access Control -Satisfy -mod_authz_host - - RLimitCPU Limits the CPU consumption of processes launched @@ -2593,55 +2435,6 @@ processes launched by Apache children RLimitCPU - -Satisfy -Interaction between host-level access control and -user authentication -Satisfy Any|All -Satisfy All -directory.htaccess - -AuthConfig -Influenced by Limit and LimitExcept in version 2.0.51 and -later - - -

Access policy if both Allow and Require used. The parameter can be - either All or Any. This directive is only - useful if access to a particular area is being restricted by both - username/password and client host address. In this case - the default behavior (All) is to require that the client - passes the address access restriction and enters a valid - username and password. With the Any option the client will be - granted access if they either pass the host restriction or enter a - valid username and password. This can be used to password restrict - an area, but to let clients from particular addresses in without - prompting for a password.

- -

For example, if you wanted to let people on your network have - unrestricted access to a portion of your website, but require that - people outside of your network provide a password, you could use a - configuration similar to the following:

- - - Require valid-user
- Allow from 192.168.1
- Satisfy Any - - -

Since version 2.0.51 Satisfy directives can - be restricted to particular methods by Limit and LimitExcept sections.

- - Allow - Require - - ScriptInterpreterSource Technique for locating the interpreter for CGI diff --git a/docs/manual/mod/mod_auth_digest.xml b/docs/manual/mod/mod_auth_digest.xml index 283a4196fb..cf65d1a4e7 100644 --- a/docs/manual/mod/mod_auth_digest.xml +++ b/docs/manual/mod/mod_auth_digest.xml @@ -38,7 +38,6 @@ AuthName AuthType Require -Satisfy Authentication howto
Using Digest Authentication diff --git a/docs/manual/mod/mod_authn_alias.xml b/docs/manual/mod/mod_authn_alias.xml index 6ba51d0c1b..9bf23c09ca 100644 --- a/docs/manual/mod/mod_authn_alias.xml +++ b/docs/manual/mod/mod_authn_alias.xml @@ -76,7 +76,6 @@ AuthType Basic
AuthName LDAP_Protected_Place
- AuthzLDAPAuthoritative off
require valid-user
</Directory>
diff --git a/docs/manual/mod/mod_authn_core.xml b/docs/manual/mod/mod_authn_core.xml new file mode 100644 index 0000000000..4fcf0b243d --- /dev/null +++ b/docs/manual/mod/mod_authn_core.xml @@ -0,0 +1,103 @@ + + + + + + + + + +mod_authn_core +Core Authentication +Base +mod_authn_core.c +authn_core_module +Available in Apache 2.3 and later + + +

This module provides core authentication capabilities to + allow or deny access to portions of the web site. + mod_authn_core provides directives that are + common to all authentication providers.

+ + + +AuthName +Authorization realm for use in HTTP +authentication +AuthName auth-domain +directory.htaccess + +AuthConfig + + +

This directive sets the name of the authorization realm for a + directory. This realm is given to the client so that the user + knows which username and password to send. + AuthName takes a single argument; if the + realm name contains spaces, it must be enclosed in quotation + marks. It must be accompanied by AuthType and Require directives, and directives such + as AuthUserFile and + AuthGroupFile to + work.

+ +

For example:

+ + + AuthName "Top Secret" + + +

The string provided for the AuthName is what will + appear in the password dialog provided by most browsers.

+ +Authentication, Authorization, and + Access Control + + + +AuthType +Type of user authentication +AuthType Basic|Digest +directory.htaccess + +AuthConfig + + +

This directive selects the type of user authentication for a + directory. The authentication types available are + Basic (implemented by + mod_auth_basic) and Digest + (implemented by mod_auth_digest).

+ +

To implement authentication, you must also use the AuthName and Require directives. In addition, the + server must have an authentication-provider module such as + mod_authn_file and an authorization module such + as mod_authz_user.

+ + +Authentication, Authorization, + and Access Control + + + + diff --git a/docs/manual/mod/mod_authn_core.xml.meta b/docs/manual/mod/mod_authn_core.xml.meta new file mode 100644 index 0000000000..5161d87507 --- /dev/null +++ b/docs/manual/mod/mod_authn_core.xml.meta @@ -0,0 +1,11 @@ + + + + mod_authn_core + /mod/ + .. + + + en + + diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index 526de29f98..f9f25dd4bf 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -301,9 +301,7 @@ for HTTP Basic authentication.

If this directive exists, mod_authnz_ldap grants access to any user that has successfully authenticated during the search/bind phase. Requires that mod_authz_user be - loaded and that the - AuthzLDAPAuthoritative - directive be set to off.

+ loaded.

require ldap-user @@ -573,17 +571,10 @@ require valid-user that gets created in the web

 AuthLDAPURL            "the url"
-AuthzLDAPAuthoritative off
 AuthGroupFile mygroupfile
 require group mygroupfile
-

AuthzLDAPAuthoritative - must be off to allow mod_authnz_ldap to decline group - authentication so that Apache will fall back to file - authentication for checking group membership. This allows the - FrontPage-managed group file to be used.

-
How It Works

FrontPage restricts access to a web by adding the require @@ -643,25 +634,6 @@ require group mygroupfile

- -AuthzLDAPAuthoritative -Prevent other authentication modules from -authenticating the user if this one fails -AuthzLDAPAuthoritative on|off -AuthzLDAPAuthoritative on -directory.htaccess - -AuthConfig - - -

Set to off if this module should let other - authentication modules attempt to authenticate the user, should - authentication with this module fail. Control is only passed on - to lower modules if there is no DN or rule that matches the - supplied user name (as passed by the client).

- - - AuthLDAPBindDN Optional DN to use in binding to the LDAP server diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml new file mode 100644 index 0000000000..9faac243ee --- /dev/null +++ b/docs/manual/mod/mod_authz_core.xml @@ -0,0 +1,222 @@ + + + + + + + + + +mod_authz_core +Core Authorization +Base +mod_authz_core.c +authz_core_module +Available in Apache 2.3 and later + + +

This module provides core authorization capabilities so that + authenticated users can be allowed or denied access to portions + of the web site. mod_authz_core provides the + functionality to register various authorization providers. It is + usually used in conjunction with an authentication + provider module such as mod_authn_file and an + authorization module such as mod_authz_user. It + also allows for "AND" and "OR" logic to be applied to the + authorization processing.

+ + + +Require +Selects which authenticated users can access +a resource +Require entity-name [entity-name] ... +directory.htaccess + +AuthConfig + + +

This directive selects which authenticated users can access a + resource. The restrictions are processed by authorization + modules. Some of the allowed syntaxes provided by + mod_authz_user and + mod_authz_groupfile are:

+ +
+
Require user userid [userid] + ...
+
Only the named users can access the resource.
+ +
Require group group-name [group-name] + ...
+
Only users in the named groups can access the resource.
+ +
Require valid-user
+
All valid users can access the resource.
+
+ +

Other authorization modules that implement require options + include mod_authnz_ldap, + mod_authz_dbm, mod_authz_dbd, + mod_authz_host, and + mod_authz_owner.

+ +

For a complete authentication and authorization configuration, + Require must be accompanied by + AuthName, AuthType and + AuthBasicProvider + directives, and directives such as + AuthUserFile + and AuthGroupFile (to + define users and groups) in order to work correctly. Example:

+ + + AuthType Basic
+ AuthName "Restricted Resource"
+ AuthBasicProvider file
+ AuthUserFile /web/users
+ AuthGroupFile /web/groups
+ Require group admin + + +

Access controls which are applied in this way are effective for + all methods. This is what is normally + desired. If you wish to apply access controls only to + specific methods, while leaving other methods unprotected, then + place the Require statement into a + Limit + section.

+ + + +Authentication, Authorization, + and Access Control +mod_authz_host + + + +Reject +Rejects which authenticated users can access +a resource +Reject entity-name [entity-name] ... +directory.htaccess + +AuthConfig + + +

This directive is similar to the + Require directive however + it rejects which authenticated users can access a resource. The + restrictions are processed by authorization modules. See the + Require directive for details + about usage.

+ + +Authentication, Authorization, + and Access Control +mod_authz_host + + + +SatisfyAll +Enclose a group of authorization directives that must all +be satisfied in order to grant access to a resource. This block allows +for 'AND' logic to be applied to various authorization providers. +<SatisfyAll> +... </SatisfyAll> +directory.htaccess + +AuthConfig + + +

SatisfyAll and + </SatisfyAll> are used to enclose a group of + authorization directives that must all be satisfied in order to + grant access to a resource.

+ +

The + <SatisfyAll> block as well as the + <SatisfyOne> block + allow you to apply "AND" and "OR" logic to the authorization processing. + For example the following authorization block would apply the logic:

+ +

+ if ((user == "John") ||
+    ((Group == "admin") && (ldap-group <ldap-object> contains auth'ed_user) &&
+     ((ldap-attribute dept == "sales") || + (file-group contains contains auth'ed_user))))
+ then
+   auth_granted
+ else
+   auth_denied
+

+ + + <Directory /www/mydocs>
+   Authname ...
+   AuthBasicProvider ...
+   ...
+   Require user John
+   <SatisfyAll>
+    Require Group admins
+    Require ldap-group cn=mygroup,o=foo
+    <SatisfyOne>
+     Require ldap-attribute dept="sales"
+     Require file-group
+    </SatisfyOne>
+   </SatisfyAll>
+ </Directory>
+ + + + +Authentication, Authorization, + and Access Control + + + + +SatisfyOne +Enclose a group of authorization directives that must +satisfy at least one in order to grant access to a resource. This +block allows for 'OR' logic to be applied to various authorization +providers. +<SatisfyOne> +... </SatisfyOne> +directory.htaccess + +AuthConfig + + +

SatisfyOne and + </SatisfyOne> are used to enclose a group of + authorization directives that must satisfy at least one in order to + grant access to a resource.

+ +

See the + <SatisfyAll> directive for a usage example.

+ + + +Authentication, Authorization, + and Access Control + + + + diff --git a/docs/manual/mod/mod_authz_core.xml.meta b/docs/manual/mod/mod_authz_core.xml.meta new file mode 100644 index 0000000000..b2bef72f58 --- /dev/null +++ b/docs/manual/mod/mod_authz_core.xml.meta @@ -0,0 +1,11 @@ + + + + mod_authz_core + /mod/ + .. + + + en + + diff --git a/docs/manual/mod/mod_authz_dbd.xml b/docs/manual/mod/mod_authz_dbd.xml index 6002c86aee..03cf4ba910 100644 --- a/docs/manual/mod/mod_authz_dbd.xml +++ b/docs/manual/mod/mod_authz_dbd.xml @@ -38,7 +38,6 @@ Require -Satisfy DBDriver DBDParams @@ -182,40 +181,4 @@ header is present - -AuthzDBDAuthoritative -Sets whether authorization will be passed on to lower level -modules -AuthzDBDAuthoritative On|Off -AuthzDBDAuthoritative On -directory - - -

Setting the AuthzDBDAuthoritative - directive explicitly to Off allows group authorization - to be handled by another authz module if the userID is not - in any authorized dbd-group. If there are any groups - specified, the usual checks will be applied and a failure will - give an Authentication Required reply.

- -

So if a userID appears in the database of more than one module; - or if a valid Require - directive applies to more than one module; then the first module - will verify the credentials; and no access is passed on; - regardless of the AuthAuthoritative setting.

- -

A common use for this is in conjunction with one of the - auth providers; such or - mod_authn_file. Whereas this DBD module supplies - the bulk of the user credential checking; a few (administrator) related - accesses fall through to a lower level with a well protected - .htpasswd file.

- -

By default, control is not passed on and an unknown group - will result in an Authentication Required reply. Not - setting it thus keeps the system secure and forces an NCSA - compliant behaviour.

- - - diff --git a/docs/manual/mod/mod_authz_dbm.xml b/docs/manual/mod/mod_authz_dbm.xml index 6d6ca04ff3..f53029c623 100644 --- a/docs/manual/mod/mod_authz_dbm.xml +++ b/docs/manual/mod/mod_authz_dbm.xml @@ -37,7 +37,6 @@ Require -Satisfy AuthDBMGroupFile @@ -119,51 +118,4 @@ store list of user groups - -AuthzDBMAuthoritative -Sets whether authorization will be passed on to lower level -modules -AuthzDBMAuthoritative On|Off -AuthzDBMAuthoritative On -directory.htaccess - -AuthConfig - - -

Setting the AuthzDBMAuthoritative - directive explicitly to Off allows group authorization - to be passed on to lower level modules (as defined in the - modules.c file) if there is no group found - for the the supplied userID. If there are any groups - specified, the usual checks will be applied and a failure will - give an Authentication Required reply.

- -

So if a userID appears in the database of more than one module; - or if a valid Require - directive applies to more than one module; then the first module - will verify the credentials; and no access is passed on; - regardless of the AuthAuthoritative setting.

- -

A common use for this is in conjunction with one of the - auth providers; such as mod_authn_dbm or - mod_authn_file. Whereas this DBM module supplies - the bulk of the user credential checking; a few (administrator) related - accesses fall through to a lower level with a well protected - .htpasswd file.

- -

By default, control is not passed on and an unknown group - will result in an Authentication Required reply. Not - setting it thus keeps the system secure and forces an NCSA - compliant behaviour.

- - Security -

Do consider the implications of allowing a user to - allow fall-through in his .htaccess file; and verify that this - is really what you want; Generally it is easier to just secure - a single .htpasswd file, than it is to secure a - database which might have more access interfaces.

- - - - diff --git a/docs/manual/mod/mod_authz_groupfile.xml b/docs/manual/mod/mod_authz_groupfile.xml index d3aed88d66..b590113a62 100644 --- a/docs/manual/mod/mod_authz_groupfile.xml +++ b/docs/manual/mod/mod_authz_groupfile.xml @@ -37,7 +37,6 @@ Require -Satisfy AuthGroupFile @@ -75,36 +74,4 @@ of user groups for authorization - -AuthzGroupFileAuthoritative -Sets whether authorization will be passed on to lower level -modules -AuthzGroupFileAuthoritative On|Off -AuthzGroupFileAuthoritative On -directory.htaccess - -AuthConfig - - -

Setting the AuthzGroupFileAuthoritative - directive explicitly to Off allows for - group authorization to be passed on to lower level modules (as defined - in the modules.c files) if there is no - group matching the supplied userID.

- -

By default, control is not passed on and an unknown group - will result in an Authentication Required reply. Not - setting it thus keeps the system secure and forces an NCSA - compliant behaviour.

- - Security -

Do consider the implications of allowing a user to - allow fall-through in his .htaccess file; and verify - that this is really what you want; Generally it is easier to just - secure a single .htpasswd file, than it is to secure - a database which might have more access interfaces.

- - - - diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml index 915aaecc6a..89f332bfbc 100644 --- a/docs/manual/mod/mod_authz_host.xml +++ b/docs/manual/mod/mod_authz_host.xml @@ -28,31 +28,21 @@ address) Base mod_authz_host.c authz_host_module -Available in Apache 2.1 and later +Available in Apache 2.3 and later -

The directives provided by mod_authz_host are - used in Directory, - Files, and - Location sections +

The authorization providers implemented by mod_authz_host are + registered using the Require or + Reject directives. These + directives can be referenced within a + Directory, + Files, + or Location section as well as .htaccess files to control access to particular parts of the server. Access can be controlled based on the client hostname, IP address, or other characteristics of the client request, as captured in environment variables. The Allow and Deny directives are used to - specify which clients are or are not allowed access to the server, - while the Order - directive sets the default access state, and configures how the - Allow and Deny directives interact with each - other.

- -

Both host-based access restrictions and password-based - authentication may be implemented simultaneously. In that case, - the Satisfy directive is used - to determine how the two sets of restrictions interact.

+ href="../env.html">environment variables.

In general, access restriction directives apply to all access methods (GET, PUT, @@ -62,111 +52,33 @@ address) in a Limit section.

 -Satisfy -Require - - -Allow -Controls which hosts can access an area of the -server - Allow from all|host|env=env-variable -[host|env=env-variable] ... -directory.htaccess - -Limit - - -

The Allow directive affects which hosts can +Authentication, Authorization, + and Access Control +Require +Reject + +

The require Directives + +

Apache's Require and + Reject directives are + used during the authorization phase to ensure that a user is allowed or + denied access to a resource. mod_authz_host extends the + authorization types with env, ip, + host and all. Other authorization types may also be + used but may require that additional authorization modules be loaded.

+ +

These authorization providers affect which hosts can access an area of the server. Access can be controlled by hostname, IP Address, IP Address range, or by other characteristics of the client request captured in environment variables.

-

The first argument to this directive is always - from. The subsequent arguments can take three - different forms. If Allow from all is specified, then - all hosts are allowed access, subject to the configuration of the - Deny and Order directives as discussed - below. To allow only particular hosts or groups of hosts to access - the server, the host can be specified in any of the - following formats:

- -
-
A (partial) domain-name
- -
- Example: - Allow from apache.org
- Allow from .net example.edu - -

Hosts whose names match, or end in, this string are allowed - access. Only complete components are matched, so the above - example will match foo.apache.org but it will not - match fooapache.org. This configuration will cause - Apache to perform a double reverse DNS lookup on the client IP - address, regardless of the setting of the HostnameLookups directive. It will do - a reverse DNS lookup on the IP address to find the associated - hostname, and then do a forward lookup on the hostname to assure - that it matches the original IP address. Only if the forward - and reverse DNS are consistent and the hostname matches will - access be allowed.

- -
A full IP address
- -
- Example: - Allow from 10.1.2.3
- Allow from 192.168.1.104 192.168.1.205 - -

An IP address of a host allowed access

- -
A partial IP address
- -
- Example: - Allow from 10.1
- Allow from 10 172.20 192.168.2 - -

The first 1 to 3 bytes of an IP address, for subnet - restriction.

- -
A network/netmask pair
- -
- Example: - Allow from 10.1.0.0/255.255.0.0 - -

A network a.b.c.d, and a netmask w.x.y.z. For more - fine-grained subnet restriction.

- -
A network/nnn CIDR specification
- -
- Example: - Allow from 10.1.0.0/16 - -

Similar to the previous case, except the netmask consists of - nnn high-order 1 bits.

-
- -

Note that the last three examples above match exactly the - same set of hosts.

+
require env -

IPv6 addresses and IPv6 subnets can be specified as shown - below:

- - - Allow from 2001:db8::a00:20ff:fea7:ccea
- Allow from 2001:db8::a00:20ff:fea7:ccea/10 - - -

The third format of the arguments to the - Allow directive allows access to the server +

The env provider allows access to the server to be controlled based on the existence of an environment variable. When Allow from - env=env-variable is specified, then the request is + href="../env.html">environment variable. When Require + env env-variable is specified, then the request is allowed access if the environment variable env-variable exists. The server provides the ability to set environment variables in a flexible way based on characteristics of the client @@ -175,162 +87,126 @@ server used to allow access based on such factors as the clients User-Agent (browser type), Referer, or other HTTP request header fields.

- + Example: SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
<Directory /docroot>
- Order Deny,Allow
- Deny from all
- Allow from env=let_me_in
+ Require env let_me_in
 </Directory> - +

In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all others will be denied.

- - - - -Deny -Controls which hosts are denied access to the -server - Deny from all|host|env=env-variable -[host|env=env-variable] ... -directory.htaccess - -Limit - - -

This directive allows access to the server to be restricted - based on hostname, IP address, or environment variables. The - arguments for the Deny directive are - identical to the arguments for the Allow directive.

- - - - -Order -Controls the default access state and the order in which -Allow and Deny are -evaluated. - Order ordering -Order Deny,Allow -directory.htaccess - -Limit - - -

The Order directive controls the default - access state and the order in which Allow and Deny directives are evaluated. - Ordering is one of

- -
-
Deny,Allow
- -
The Deny directives - are evaluated before the Allow directives. Access is - allowed by default. Any client which does not match a - Deny directive or does - match an Allow - directive will be allowed access to the server.
- -
Allow,Deny
- -
The Allow - directives are evaluated before the Deny directives. Access is denied - by default. Any client which does not match an Allow directive or does match a - Deny directive will be - denied access to the server.
- -
Mutual-failure
- -
Only those hosts which appear on the Allow list and do not appear on - the Deny list are - granted access. This ordering has the same effect as Order - Allow,Deny and is deprecated in favor of that - configuration.
-
- -

Keywords may only be separated by a comma; no whitespace is - allowed between them. Note that in all cases every Allow and Deny statement is evaluated.

- -

In the following example, all hosts in the apache.org domain - are allowed access; all other hosts are denied access.

+
+ +
require ip + +

The ip provider allows access to the server + to be controlled based on the IP address of the remote client. + When Require ip ip-address is specified, + then the request is allowed access if the IP address matches.

+ +

A full IP address:

+ - Order Deny,Allow
- Deny from all
- Allow from apache.org + Require ip 10.1.2.3
+ Require ip 192.168.1.104 192.168.1.205 -

In the next example, all hosts in the apache.org domain are - allowed access, except for the hosts which are in the - foo.apache.org subdomain, who are denied access. All hosts not - in the apache.org domain are denied access because the default - state is to deny access to the server.

+

An IP address of a host allowed access

+ +

A partial IP address:

+ + + Require ip 10.1
+ Require ip 10 172.20 192.168.2 + +

The first 1 to 3 bytes of an IP address, for subnet + restriction.

+ +

A network/netmask pair:

+ + + Require ip 10.1.0.0/255.255.0.0 + +

A network a.b.c.d, and a netmask w.x.y.z. For more + fine-grained subnet restriction.

+ +

A network/nnn CIDR specification:

+ + + Require ip 10.1.0.0/16 + +

Similar to the previous case, except the netmask consists of + nnn high-order 1 bits.

+ +

Note that the last three examples above match exactly the + same set of hosts.

+ +

IPv6 addresses and IPv6 subnets can be specified as shown + below:

+ + + Require ip 2001:db8::a00:20ff:fea7:ccea
+ Require ip 2001:db8::a00:20ff:fea7:ccea/10 + + + +
+
require host + +

The host provider allows access to the server + to be controlled based on the host name of the remote client. + When Require host host-name is specified, + then the request is allowed access if the host name matches.

+ +

A (partial) domain-name

+ - Order Allow,Deny
- Allow from apache.org
- Deny from foo.apache.org + Require host apache.org
+ Require host .net example.edu + +

Hosts whose names match, or end in, this string are allowed + access. Only complete components are matched, so the above + example will match foo.apache.org but it will not + match fooapache.org. This configuration will cause + Apache to perform a double reverse DNS lookup on the client IP + address, regardless of the setting of the HostnameLookups directive. It will do + a reverse DNS lookup on the IP address to find the associated + hostname, and then do a forward lookup on the hostname to assure + that it matches the original IP address. Only if the forward + and reverse DNS are consistent and the hostname matches will + access be allowed.

+ +
+ +
require all + +

The all provider mimics the functionality the + was previously provided by the 'Allow from all' and 'Deny from all' + directives. This provider can take one of two arguments which are + 'granted' or 'denied'. The following examples will grant or deny + access to all requests.

-

On the other hand, if the Order in the last - example is changed to Deny,Allow, all hosts will - be allowed access. This happens because, regardless of the - actual ordering of the directives in the configuration file, - the Allow from apache.org will be evaluated last - and will override the Deny from foo.apache.org. - All hosts not in the apache.org domain will also - be allowed access because the default state will change to - allow.

- -

The presence of an Order directive can affect - access to a part of the server even in the absence of accompanying - Allow and Deny directives because of its effect - on the default access state. For example,

+ + Require all granted
+ - <Directory /www>
- - Order Allow,Deny
- - </Directory> + Require all denied
 -

will deny all access to the /www directory - because the default access state will be set to - deny.

- -

The Order directive controls the order of access - directive processing only within each phase of the server's - configuration processing. This implies, for example, that an - Allow or Deny directive occurring in a - Location section will - always be evaluated after an Allow or Deny directive occurring in a - Directory section or - .htaccess file, regardless of the setting of the - Order directive. For details on the merging - of configuration sections, see the documentation on How Directory, Location and Files sections - work.

- - +
+ + +
+ diff --git a/docs/manual/mod/mod_authz_owner.xml b/docs/manual/mod/mod_authz_owner.xml index 66e68954fe..bff20aff22 100644 --- a/docs/manual/mod/mod_authz_owner.xml +++ b/docs/manual/mod/mod_authz_owner.xml @@ -70,7 +70,6 @@ Require -Satisfy
Configuration Examples @@ -93,7 +92,6 @@ AuthName MyPrivateFiles
AuthBasicProvider dbm
AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
- Satisfy All
Require file-owner
</Directory> @@ -132,39 +130,4 @@
- -AuthzOwnerAuthoritative -Sets whether authorization will be passed on to lower level -modules -AuthzOwnerAuthoritative On|Off -AuthzOwnerAuthoritative On -directory.htaccess - -AuthConfig - - -

Setting the AuthzOwnerAuthoritative - directive explicitly to Off allows for - user authorization to be passed on to lower level modules (as defined - in the modules.c files) if:

- -
    -
  • in the case of file-owner the file-system owner does not - match the supplied web-username or could not be determined, or
    • - -
  • in the case of file-group the file-system group does not - contain the supplied web-username or could not be determined.
    • -
- -

Note that setting the value to Off also allows the - combination of file-owner and file-group, so - access will be allowed if either one or the other (or both) match.

- -

By default, control is not passed on and an authorization failure - will result in an "Authentication Required" reply. Not - setting it to Off thus keeps the system secure and forces - an NCSA compliant behaviour.

- - - diff --git a/docs/manual/mod/mod_authz_user.xml b/docs/manual/mod/mod_authz_user.xml index c9d006971b..35703b6f8b 100644 --- a/docs/manual/mod/mod_authz_user.xml +++ b/docs/manual/mod/mod_authz_user.xml @@ -38,30 +38,5 @@ grant access to all successfully authenticated users.

Require -Satisfy - - -AuthzUserAuthoritative -Sets whether authorization will be passed on to lower level -modules -AuthzUserAuthoritative On|Off -AuthzUserAuthoritative On -directory.htaccess - -AuthConfig - - -

Setting the AuthzUserAuthoritative - directive explicitly to Off allows for - user authorization to be passed on to lower level modules (as defined - in the modules.c files) if there is no - user matching the supplied userID.

- -

By default, control is not passed on and an unknown user - will result in an Authentication Required reply. Not - setting it to Off thus keeps the system secure and forces - an NCSA compliant behaviour.

- - diff --git a/docs/manual/mod/mod_ldap.xml b/docs/manual/mod/mod_ldap.xml index a432341de1..b22cadb228 100644 --- a/docs/manual/mod/mod_ldap.xml +++ b/docs/manual/mod/mod_ldap.xml @@ -81,7 +81,6 @@ by other LDAP modules Allow from yourdomain.example.com
AuthLDAPEnabled on
AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one
- AuthLDAPAuthoritative on
require valid-user
</Location> @@ -212,7 +211,6 @@ by other LDAP modules Allow from yourdomain.example.com
AuthLDAPEnabled on
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
- AuthLDAPAuthoritative on
require valid-user
</Location> @@ -234,7 +232,6 @@ by other LDAP modules AuthLDAPEnabled on
LDAPTrustedMode TLS AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one
- AuthLDAPAuthoritative on
require valid-user
</Location> @@ -287,7 +284,6 @@ by other LDAP modules AuthLDAPEnabled on
LDAPTrustedClientCert CERT_NICKNAME <nickname> [password]
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
- AuthLDAPAuthoritative on
require valid-user
</Location> @@ -355,7 +351,6 @@ by other LDAP modules LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem
LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
- AuthLDAPAuthoritative on
require valid-user
</Location> diff --git a/include/ap_mmn.h b/include/ap_mmn.h index 2c6bf7fa57..e6ca34309e 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -111,12 +111,15 @@ * 20051115.0 (2.3.0-dev) Added use_canonical_phys_port to core_dir_config * 20051231.0 (2.3.0-dev) Added num_blank_lines, pending_header_line, and * pending_header_size to request_rec + * 20060110.0 (2.3.0-dev) Conversion of Authz to be provider based + addition of + removal of Satisfy, Allow, Deny, Order */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ #ifndef MODULE_MAGIC_NUMBER_MAJOR -#define MODULE_MAGIC_NUMBER_MAJOR 20051231 +#define MODULE_MAGIC_NUMBER_MAJOR 20060110 #endif #define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */ diff --git a/include/http_core.h b/include/http_core.h index 62f9e95e40..44f2410a14 100644 --- a/include/http_core.h +++ b/include/http_core.h @@ -114,13 +114,6 @@ extern "C" { /** @} // get_remote_host */ -/** all of the requirements must be met */ -#define SATISFY_ALL 0 -/** any of the requirements must be met */ -#define SATISFY_ANY 1 -/** There are no applicable satisfy lines */ -#define SATISFY_NOSPEC 2 - /** Make sure we don't write less than 8000 bytes at any one time. */ #define AP_MIN_BYTES_TO_WRITE 8000 @@ -294,25 +287,6 @@ AP_DECLARE(const char *) ap_auth_type(request_rec *r); */ AP_DECLARE(const char *) ap_auth_name(request_rec *r); -/** - * How the requires lines must be met. - * @param r The current request - * @return How the requirements must be met. One of: - * 
- *      SATISFY_ANY    -- any of the requirements must be met.
- *      SATISFY_ALL    -- all of the requirements must be met.
- *      SATISFY_NOSPEC -- There are no applicable satisfy lines
- *
- */ -AP_DECLARE(int) ap_satisfies(request_rec *r); - -/** - * Retrieve information about all of the requires directives for this request - * @param r The current request - * @return An array of all requires directives for this request - */ -AP_DECLARE(const apr_array_header_t *) ap_requires(request_rec *r); - #ifdef CORE_PRIVATE /** @@ -451,13 +425,6 @@ typedef struct { char *ap_default_type; - /* Authentication stuff. Groan... */ - - int *satisfy; /* for every method one */ - char *ap_auth_type; - char *ap_auth_name; - apr_array_header_t *ap_requires; - /* Custom response config. These can contain text or a URL to redirect to. * if response_code_strings is NULL then there are none in the config, * if it's not null then it's allocated to sizeof(char*)*RESPONSE_CODES. @@ -680,6 +647,15 @@ APR_DECLARE_OPTIONAL_FN(void, ap_logio_add_bytes_out, APR_DECLARE_OPTIONAL_FN(const char *, ap_ident_lookup, (request_rec *r)); +/* ---------------------------------------------------------------------- + * + * authorization values with mod_authz_host + */ + +APR_DECLARE_OPTIONAL_FN(int, authz_some_auth_required, (request_rec *r)); +APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_type, (request_rec *r)); +APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_name, (request_rec *r)); + /* ---------------------------------------------------------------------- */ #ifdef __cplusplus diff --git a/modules/aaa/NWGNUauthncore b/modules/aaa/NWGNUauthncore new file mode 100644 index 0000000000..e86b694ab8 --- /dev/null +++ b/modules/aaa/NWGNUauthncore @@ -0,0 +1,250 @@ +# +# Make sure all needed macro's are defined +# + +# +# Get the 'head' of the build environment if necessary. This includes default +# targets and paths to tools +# + +ifndef EnvironmentDefined +include $(AP_WORK)\build\NWGNUhead.inc +endif + +# +# These directories will be at the beginning of the include list, followed by +# INCDIRS +# +XINCDIRS += \ + $(AP_WORK)/include \ + $(NWOS) \ + $(AP_WORK)/modules/arch/netware \ + $(APR)/include \ + $(APRUTIL)/include \ + $(APR) \ + $(EOLIST) + +# +# These flags will come after CFLAGS +# +XCFLAGS += \ + -prefix pre_nw.h \ + $(EOLIST) + +# +# These defines will come after DEFINES +# +XDEFINES += \ + $(EOLIST) + +# +# These flags will be added to the link.opt file +# +XLFLAGS += \ + $(EOLIST) + +# +# These values will be appended to the correct variables based on the value of +# RELEASE +# +ifeq "$(RELEASE)" "debug" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +ifeq "$(RELEASE)" "noopt" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +ifeq "$(RELEASE)" "release" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +# +# These are used by the link target if an NLM is being generated +# This is used by the link 'name' directive to name the nlm. If left blank +# TARGET_nlm (see below) will be used. +# +NLM_NAME = authncore + +# +# This is used by the link '-desc ' directive. +# If left blank, NLM_NAME will be used. +# +NLM_DESCRIPTION = Apache $(VERSION_STR) Authentication Core Module + +# +# This is used by the '-threadname' directive. If left blank, +# NLM_NAME Thread will be used. +# +NLM_THREAD_NAME = AuthnCore Module + +# +# If this is specified, it will override VERSION value in +# $(AP_WORK)\build\NWGNUenvironment.inc +# +NLM_VERSION = + +# +# If this is specified, it will override the default of 64K +# +NLM_STACK_SIZE = 8192 + + +# +# If this is specified it will be used by the link '-entry' directive +# +NLM_ENTRY_SYM = _LibCPrelude + +# +# If this is specified it will be used by the link '-exit' directive +# +NLM_EXIT_SYM = _LibCPostlude + +# +# If this is specified it will be used by the link '-check' directive +# +NLM_CHECK_SYM = + +# +# If these are specified it will be used by the link '-flags' directive +# +NLM_FLAGS = AUTOUNLOAD, PSEUDOPREEMPTION + +# +# If this is specified it will be linked in with the XDCData option in the def +# file instead of the default of $(NWOS)/apache.xdc. XDCData can be disabled +# by setting APACHE_UNIPROC in the environment +# +XDCDATA = + +# +# If there is an NLM target, put it here +# +TARGET_nlm = \ + $(OBJDIR)/authncore.nlm \ + $(EOLIST) + +# +# If there is an LIB target, put it here +# +TARGET_lib = \ + $(EOLIST) + +# +# These are the OBJ files needed to create the NLM target above. +# Paths must all use the '/' character +# +FILES_nlm_objs = \ + $(OBJDIR)/mod_authn_core.o \ + $(EOLIST) + +# +# These are the LIB files needed to create the NLM target above. +# These will be added as a library command in the link.opt file. +# +FILES_nlm_libs = \ + libcpre.o \ + $(EOLIST) + +# +# These are the modules that the above NLM target depends on to load. +# These will be added as a module command in the link.opt file. +# +FILES_nlm_modules = \ + aprlib \ + libc \ + $(EOLIST) + +# +# If the nlm has a msg file, put it's path here +# +FILE_nlm_msg = + +# +# If the nlm has a hlp file put it's path here +# +FILE_nlm_hlp = + +# +# If this is specified, it will override $(NWOS)\copyright.txt. +# +FILE_nlm_copyright = + +# +# Any additional imports go here +# +FILES_nlm_Ximports = \ + @$(APR)/aprlib.imp \ + @$(NWOS)/httpd.imp \ + @libc.imp \ + $(EOLIST) + +# +# Any symbols exported to here +# +FILES_nlm_exports = \ + authn_core_module \ + $(EOLIST) + +# +# These are the OBJ files needed to create the LIB target above. +# Paths must all use the '/' character +# +FILES_lib_objs = \ + $(EOLIST) + +# +# implement targets and dependancies (leave this section alone) +# + +libs :: $(OBJDIR) $(TARGET_lib) + +nlms :: libs $(TARGET_nlm) + +# +# Updated this target to create necessary directories and copy files to the +# correct place. (See $(AP_WORK)\build\NWGNUhead.inc for examples) +# +install :: nlms FORCE + +# +# Any specialized rules here +# + +# +# Include the 'tail' makefile that has targets that depend on variables defined +# in this makefile +# + +include $(AP_WORK)\build\NWGNUtail.inc + diff --git a/modules/aaa/NWGNUauthzcore b/modules/aaa/NWGNUauthzcore new file mode 100644 index 0000000000..01056f2aae --- /dev/null +++ b/modules/aaa/NWGNUauthzcore @@ -0,0 +1,250 @@ +# +# Make sure all needed macro's are defined +# + +# +# Get the 'head' of the build environment if necessary. This includes default +# targets and paths to tools +# + +ifndef EnvironmentDefined +include $(AP_WORK)\build\NWGNUhead.inc +endif + +# +# These directories will be at the beginning of the include list, followed by +# INCDIRS +# +XINCDIRS += \ + $(AP_WORK)/include \ + $(NWOS) \ + $(AP_WORK)/modules/arch/netware \ + $(APR)/include \ + $(APRUTIL)/include \ + $(APR) \ + $(EOLIST) + +# +# These flags will come after CFLAGS +# +XCFLAGS += \ + -prefix pre_nw.h \ + $(EOLIST) + +# +# These defines will come after DEFINES +# +XDEFINES += \ + $(EOLIST) + +# +# These flags will be added to the link.opt file +# +XLFLAGS += \ + $(EOLIST) + +# +# These values will be appended to the correct variables based on the value of +# RELEASE +# +ifeq "$(RELEASE)" "debug" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +ifeq "$(RELEASE)" "noopt" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +ifeq "$(RELEASE)" "release" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +# +# These are used by the link target if an NLM is being generated +# This is used by the link 'name' directive to name the nlm. If left blank +# TARGET_nlm (see below) will be used. +# +NLM_NAME = authzcore + +# +# This is used by the link '-desc ' directive. +# If left blank, NLM_NAME will be used. +# +NLM_DESCRIPTION = Apache $(VERSION_STR) Authorization Core Module + +# +# This is used by the '-threadname' directive. If left blank, +# NLM_NAME Thread will be used. +# +NLM_THREAD_NAME = AuthzCore Module + +# +# If this is specified, it will override VERSION value in +# $(AP_WORK)\build\NWGNUenvironment.inc +# +NLM_VERSION = + +# +# If this is specified, it will override the default of 64K +# +NLM_STACK_SIZE = 8192 + + +# +# If this is specified it will be used by the link '-entry' directive +# +NLM_ENTRY_SYM = _LibCPrelude + +# +# If this is specified it will be used by the link '-exit' directive +# +NLM_EXIT_SYM = _LibCPostlude + +# +# If this is specified it will be used by the link '-check' directive +# +NLM_CHECK_SYM = + +# +# If these are specified it will be used by the link '-flags' directive +# +NLM_FLAGS = AUTOUNLOAD, PSEUDOPREEMPTION + +# +# If this is specified it will be linked in with the XDCData option in the def +# file instead of the default of $(NWOS)/apache.xdc. XDCData can be disabled +# by setting APACHE_UNIPROC in the environment +# +XDCDATA = + +# +# If there is an NLM target, put it here +# +TARGET_nlm = \ + $(OBJDIR)/authzcore.nlm \ + $(EOLIST) + +# +# If there is an LIB target, put it here +# +TARGET_lib = \ + $(EOLIST) + +# +# These are the OBJ files needed to create the NLM target above. +# Paths must all use the '/' character +# +FILES_nlm_objs = \ + $(OBJDIR)/mod_authz_core.o \ + $(EOLIST) + +# +# These are the LIB files needed to create the NLM target above. +# These will be added as a library command in the link.opt file. +# +FILES_nlm_libs = \ + libcpre.o \ + $(EOLIST) + +# +# These are the modules that the above NLM target depends on to load. +# These will be added as a module command in the link.opt file. +# +FILES_nlm_modules = \ + aprlib \ + libc \ + $(EOLIST) + +# +# If the nlm has a msg file, put it's path here +# +FILE_nlm_msg = + +# +# If the nlm has a hlp file put it's path here +# +FILE_nlm_hlp = + +# +# If this is specified, it will override $(NWOS)\copyright.txt. +# +FILE_nlm_copyright = + +# +# Any additional imports go here +# +FILES_nlm_Ximports = \ + @$(APR)/aprlib.imp \ + @$(NWOS)/httpd.imp \ + @libc.imp \ + $(EOLIST) + +# +# Any symbols exported to here +# +FILES_nlm_exports = \ + authz_core_module \ + $(EOLIST) + +# +# These are the OBJ files needed to create the LIB target above. +# Paths must all use the '/' character +# +FILES_lib_objs = \ + $(EOLIST) + +# +# implement targets and dependancies (leave this section alone) +# + +libs :: $(OBJDIR) $(TARGET_lib) + +nlms :: libs $(TARGET_nlm) + +# +# Updated this target to create necessary directories and copy files to the +# correct place. (See $(AP_WORK)\build\NWGNUhead.inc for examples) +# +install :: nlms FORCE + +# +# Any specialized rules here +# + +# +# Include the 'tail' makefile that has targets that depend on variables defined +# in this makefile +# + +include $(AP_WORK)\build\NWGNUtail.inc + diff --git a/modules/aaa/NWGNUmakefile b/modules/aaa/NWGNUmakefile index 0809983d53..7756b0f114 100644 --- a/modules/aaa/NWGNUmakefile +++ b/modules/aaa/NWGNUmakefile @@ -156,10 +156,12 @@ TARGET_nlm = \ $(OBJDIR)/authdigt.nlm \ $(OBJDIR)/authnano.nlm \ $(OBJDIR)/authnalias.nlm \ + $(OBJDIR)/authncore.nlm \ $(OBJDIR)/authndbm.nlm \ $(OBJDIR)/authndef.nlm \ $(OBJDIR)/authnfil.nlm \ $(OBJDIR)/authndbd.nlm \ + $(OBJDIR)/authzcore.nlm \ $(OBJDIR)/authzdbm.nlm \ $(OBJDIR)/authzdef.nlm \ $(OBJDIR)/authzgrp.nlm \ diff --git a/modules/aaa/config.m4 b/modules/aaa/config.m4 index 3140787362..f7c01303a4 100644 --- a/modules/aaa/config.m4 +++ b/modules/aaa/config.m4 @@ -18,8 +18,10 @@ dnl - and just in case all of the above punt; a default handler to dnl keep the bad guys out. APACHE_MODULE(authn_default, authentication backstopper, , , yes) -dnl Provider alias module. -APACHE_MODULE(authn_alias, auth provider alias, , , no) +dnl General Authentication modules; module which implements the +dnl non-authn module specific directives. +dnl +APACHE_MODULE(authn_core, core authentication module, , , yes) dnl Authorization modules: modules which verify a certain property such as dnl membership of a group, value of the IP address against a list of pre @@ -33,6 +35,11 @@ APACHE_MODULE(authz_dbm, DBM-based authorization control, , , most) APACHE_MODULE(authz_owner, 'require file-owner' authorization control, , , most) APACHE_MODULE(authz_dbd, SQL based authorization and Login/Session support, , , most) +dnl General Authorization modules; provider module which implements the +dnl non-authz module specific directives. +dnl +APACHE_MODULE(authz_core, core authorization provider vector module, , , yes) + dnl LDAP authentication module. This module has both the authn and authz dnl modules in one, so as to share the LDAP server config directives. APACHE_MODULE(authnz_ldap, LDAP based authentication, , , no) diff --git a/modules/aaa/mod_auth.h b/modules/aaa/mod_auth.h index ac44a423a3..0a413946e2 100644 --- a/modules/aaa/mod_auth.h +++ b/modules/aaa/mod_auth.h @@ -16,7 +16,7 @@ /** * @file mod_auth.h - * @brief uthentication Extension Module for Apache + * @brief Authentication and Authorization Extension for Apache * * @defgroup MOD_AUTH mod_auth * @ingroup APACHE_MODS @@ -35,10 +35,13 @@ extern "C" { #endif #define AUTHN_PROVIDER_GROUP "authn" +#define AUTHZ_PROVIDER_GROUP "authz" #define AUTHN_DEFAULT_PROVIDER "file" - +#define AUTHZ_DEFAULT_PROVIDER "default" + #define AUTHZ_GROUP_NOTE "authz_group_note" #define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name" +#define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name" typedef enum { AUTH_DENIED, @@ -48,12 +51,23 @@ typedef enum { AUTH_GENERAL_ERROR } authn_status; +typedef enum { + AUTHZ_DENIED, + AUTHZ_GRANTED, + AUTHZ_GENERAL_ERROR +} authz_status; + +typedef enum { + AUTHZ_REQSTATE_ONE, + AUTHZ_REQSTATE_ALL +} authz_request_state; + typedef struct { /* Given a username and password, expected to return AUTH_GRANTED * if we can validate this user/password combination. */ authn_status (*check_password)(request_rec *r, const char *user, - const char *password); + const char *password); /* Given a user and realm, expected to return AUTH_USER_FOUND if we * can find a md5 hash of 'user:realm:password' @@ -72,10 +86,30 @@ struct authn_provider_list { }; typedef struct { - /* For a given user, return a hash of all groups the user belongs to. */ - apr_hash_t * (*get_user_groups)(request_rec *r, const char *user); + /* Given a request_rec, expected to return AUTH_GRANTED + * if we can authorize user access. + */ + authz_status (*check_authorization)(request_rec *r, + const char *require_line); } authz_provider; +/* A linked-list of authn providers. */ +typedef struct authz_provider_list authz_provider_list; + +struct authz_provider_list { + const char *provider_name; + const authz_provider *provider; + authz_provider_list *one_next; + authz_provider_list *all_next; + /** If a Limit method is in effect, this field will be set */ + apr_int64_t method_mask; + authz_request_state req_state; + int req_state_level; + /** String following 'require ' from config file */ + char *requirement; + int is_reject; +}; + #ifdef __cplusplus } #endif diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c index c009af2855..b82cee5cfb 100644 --- a/modules/aaa/mod_auth_basic.c +++ b/modules/aaa/mod_auth_basic.c @@ -195,7 +195,7 @@ static int authenticate_basic_user(request_rec *r) return HTTP_INTERNAL_SERVER_ERROR; } - r->ap_auth_type = "Basic"; + r->ap_auth_type = (char*)current_auth; res = get_basic_auth(r, &sent_user, &sent_pw); if (res) { diff --git a/modules/aaa/mod_authn_core.c b/modules/aaa/mod_authn_core.c new file mode 100644 index 0000000000..b8e189e1cd --- /dev/null +++ b/modules/aaa/mod_authn_core.c @@ -0,0 +1,314 @@ +/* Copyright 2002-2005 The Apache Software Foundation or its licensors, as + * applicable. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * Security options etc. + * + * Module derived from code originally written by Rob McCool + * + */ + +#include "apr_strings.h" +#include "apr_network_io.h" +#define APR_WANT_STRFUNC +#define APR_WANT_BYTEFUNC +#include "apr_want.h" + +#define CORE_PRIVATE +#include "ap_config.h" +#include "httpd.h" +#include "http_config.h" +#include "http_core.h" +#include "http_log.h" +#include "http_request.h" +#include "http_protocol.h" +#include "ap_provider.h" + +#include "mod_auth.h" + +#if APR_HAVE_NETINET_IN_H +#include +#endif + +/* TODO List + +- Track down all of the references to r->ap_auth_type + and change them to ap_auth_type() +- Remove ap_auth_type and ap_auth_name from the + request_rec + +*/ + +typedef struct { + char *ap_auth_type; + char *ap_auth_name; +} authn_core_dir_conf; + +typedef struct provider_alias_rec { + char *provider_name; + char *provider_alias; + ap_conf_vector_t *sec_auth; + const authn_provider *provider; +} provider_alias_rec; + +typedef struct authn_alias_srv_conf { + apr_hash_t *alias_rec; +} authn_alias_srv_conf; + + +module AP_MODULE_DECLARE_DATA authn_core_module; + +static void *create_authn_core_dir_config(apr_pool_t *p, char *dummy) +{ + authn_core_dir_conf *conf = + (authn_core_dir_conf *)apr_pcalloc(p, sizeof(authn_core_dir_conf)); + + return (void *)conf; +} + +static void *merge_authn_core_dir_config(apr_pool_t *a, void *basev, void *newv) +{ + authn_core_dir_conf *base = (authn_core_dir_conf *)basev; + authn_core_dir_conf *new = (authn_core_dir_conf *)newv; + authn_core_dir_conf *conf; + + /* Create this conf by duplicating the base, replacing elements + * (or creating copies for merging) where new-> values exist. + */ + conf = (authn_core_dir_conf *)apr_palloc(a, sizeof(authn_core_dir_conf)); + memcpy(conf, base, sizeof(authn_core_dir_conf)); + + if (new->ap_auth_type) { + conf->ap_auth_type = new->ap_auth_type; + } + + if (new->ap_auth_name) { + conf->ap_auth_name = new->ap_auth_name; + } + + return (void*)conf; +} + +static authn_status authn_alias_check_password(request_rec *r, const char *user, + const char *password) +{ + /* Look up the provider alias in the alias list */ + /* Get the the dir_config and call ap_Merge_per_dir_configs() */ + /* Call the real provider->check_password() function */ + /* return the result of the above function call */ + + const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE); + authn_status ret = AUTH_USER_NOT_FOUND; + authn_alias_srv_conf *authcfg = + (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config, + &authn_core_module); + + if (provider_name) { + provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec, + provider_name, APR_HASH_KEY_STRING); + ap_conf_vector_t *orig_dir_config = r->per_dir_config; + + /* If we found the alias provider in the list, then merge the directory + configurations and call the real provider */ + if (prvdraliasrec) { + r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config, + prvdraliasrec->sec_auth); + ret = prvdraliasrec->provider->check_password(r,user,password); + r->per_dir_config = orig_dir_config; + } + } + + return ret; +} + +static authn_status authn_alias_get_realm_hash(request_rec *r, const char *user, + const char *realm, char **rethash) +{ + /* Look up the provider alias in the alias list */ + /* Get the the dir_config and call ap_Merge_per_dir_configs() */ + /* Call the real provider->get_realm_hash() function */ + /* return the result of the above function call */ + + const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE); + authn_status ret = AUTH_USER_NOT_FOUND; + authn_alias_srv_conf *authcfg = + (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config, + &authn_core_module); + + if (provider_name) { + provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec, + provider_name, APR_HASH_KEY_STRING); + ap_conf_vector_t *orig_dir_config = r->per_dir_config; + + /* If we found the alias provider in the list, then merge the directory + configurations and call the real provider */ + if (prvdraliasrec) { + r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config, + prvdraliasrec->sec_auth); + ret = prvdraliasrec->provider->get_realm_hash(r,user,realm,rethash); + r->per_dir_config = orig_dir_config; + } + } + + return ret; +} + +static void *create_authn_alias_svr_config(apr_pool_t *p, server_rec *s) +{ + + authn_alias_srv_conf *authcfg; + + authcfg = (authn_alias_srv_conf *) apr_pcalloc(p, sizeof(authn_alias_srv_conf)); + authcfg->alias_rec = apr_hash_make(p); + + return (void *) authcfg; +} + +static const authn_provider authn_alias_provider = +{ + &authn_alias_check_password, + &authn_alias_get_realm_hash, +}; + +static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *arg) +{ + int old_overrides = cmd->override; + const char *endp = ap_strrchr_c(arg, '>'); + const char *args; + char *provider_alias; + char *provider_name; + const char *errmsg; + ap_conf_vector_t *new_auth_config = ap_create_per_dir_config(cmd->pool); + authn_alias_srv_conf *authcfg = + (authn_alias_srv_conf *)ap_get_module_config(cmd->server->module_config, + &authn_core_module); + + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + if (err != NULL) { + return err; + } + + if (endp == NULL) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + "> directive missing closing '>'", NULL); + } + + args = apr_pstrndup(cmd->pool, arg, endp - arg); + + if (!args[0]) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + "> directive requires additional arguments", NULL); + } + + /* Pull the real provider name and the alias name from the block header */ + provider_name = ap_getword_conf(cmd->pool, &args); + provider_alias = ap_getword_conf(cmd->pool, &args); + + if (!provider_name[0] || !provider_alias[0]) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + "> directive requires additional arguments", NULL); + } + + /* walk the subsection configuration to get the per_dir config that we will + merge just before the real provider is called. */ + cmd->override = OR_ALL|ACCESS_CONF; + errmsg = ap_walk_config(cmd->directive->first_child, cmd, new_auth_config); + + if (!errmsg) { + provider_alias_rec *prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(provider_alias_rec)); + const authn_provider *provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_name,"0"); + + /* Save off the new directory config along with the original provider name + and function pointer data */ + prvdraliasrec->sec_auth = new_auth_config; + prvdraliasrec->provider_name = provider_name; + prvdraliasrec->provider_alias = provider_alias; + prvdraliasrec->provider = provider; + apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec); + + /* Register the fake provider so that we get called first */ + ap_register_provider(cmd->pool, AUTHN_PROVIDER_GROUP, provider_alias, "0", + &authn_alias_provider); + } + + cmd->override = old_overrides; + + return errmsg; +} + +/* + * Load an authorisation realm into our location configuration, applying the + * usual rules that apply to realms. + */ +static const char *set_authname(cmd_parms *cmd, void *mconfig, + const char *word1) +{ + authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig; + + aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1); + return NULL; +} + + +static const char *authn_ap_auth_type(request_rec *r) +{ + authn_core_dir_conf *conf; + + conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config, + &authn_core_module); + + return apr_pstrdup(r->pool, conf->ap_auth_type); +} + +static const char *authn_ap_auth_name(request_rec *r) +{ + authn_core_dir_conf *conf; + + conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config, + &authn_core_module); + + return apr_pstrdup(r->pool, conf->ap_auth_name); +} + +static const command_rec authn_cmds[] = +{ + AP_INIT_TAKE1("AuthType", ap_set_string_slot, + (void*)APR_OFFSETOF(authn_core_dir_conf, ap_auth_type), OR_AUTHCFG, + "An HTTP authorization type (e.g., \"Basic\")"), + AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG, + "The authentication realm (e.g. \"Members Only\")"), + AP_INIT_RAW_ARGS("user field */ diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index edce66563c..ca21a618e9 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -17,6 +17,7 @@ #include "ap_provider.h" #include "httpd.h" #include "http_config.h" +#include "ap_provider.h" #include "http_core.h" #include "http_log.h" #include "http_protocol.h" @@ -45,9 +46,6 @@ typedef struct { #if APR_HAS_THREADS apr_thread_mutex_t *lock; /* Lock for this config */ #endif - int auth_authoritative; /* Is this auth method the one and only? */ -/* int authz_enabled; Is ldap authorization enabled in this directory? */ - /* These parameters are all derived from the AuthLDAPURL directive */ char *url; /* String representation of the URL */ @@ -294,12 +292,6 @@ static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d) sec->bindpw = NULL; sec->deref = always; sec->group_attrib_is_dn = 1; - sec->auth_authoritative = 1; - -/* - sec->frontpage_hack = 0; -*/ - sec->secure = -1; /*Initialize to unset*/ sec->user_is_dn = 0; @@ -448,23 +440,8 @@ start_over: return AUTH_GRANTED; } -/* - * Authorisation Phase - * ------------------- - * - * After checking whether the username and password are correct, we need - * to check whether that user is authorised to view this resource. The - * require directive is used to do this: - * - * require valid-user Any authenticated is allowed in. - * require user This particular user is allowed in. - * require group The user must be a member of this group - * in order to be allowed in. - * require dn The user must have the following DN in the - * LDAP tree to be let in. - * - */ -static int authz_ldap_check_user_access(request_rec *r) +static authz_status ldapuser_check_authorization(request_rec *r, + const char *require_args) { int result = 0; authn_ldap_request_t *req = @@ -473,28 +450,146 @@ static int authz_ldap_check_user_access(request_rec *r) (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; - int m = r->method_number; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL; - - register int x; const char *t; - char *w, *value; - int method_restricted = 0; + char *w; char filtbuf[FILTER_LENGTH]; const char *dn = NULL; const char **vals = NULL; -/* - if (!sec->enabled) { - return DECLINED; + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; } -*/ + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If we have been authenticated by some other module than mod_authnz_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return AUTHZ_DENIED; + } + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + } + + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require user: user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; + } + + /* + * First do a whole-line compare, in case it's something like + * require user Babs Jensen + */ + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require user: authorization successful", getpid()); + return AUTHZ_GRANTED; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require user: " + "authorization failed [%s][%s]", getpid(), + ldc->reason, ldap_err2string(result)); + } + } + + /* + * Now break apart the line and compare each word on it + */ + t = require_args; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require user: authorization successful", getpid()); + return AUTHZ_GRANTED; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require user: authorization failed [%s][%s]", + getpid(), ldc->reason, ldap_err2string(result)); + } + } + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: authorization denied", getpid()); + return AUTHZ_DENIED; +} + +static authz_status ldapgroup_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + + const char *t; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + struct mod_auth_ldap_groupattr_entry_t *ent; + int i; if (!sec->have_ldap_url) { - return DECLINED; + return AUTHZ_DENIED; } if (sec->host) { @@ -507,8 +602,8 @@ static int authz_ldap_check_user_access(request_rec *r) } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: no sec->host - weird...?", getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; } /* @@ -529,12 +624,6 @@ static int authz_ldap_check_user_access(request_rec *r) #endif } - if (!reqs_arr) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; - } - /* * If we have been authenticated by some other module than mod_auth_ldap, * the req structure needed for authorization needs to be created @@ -563,7 +652,7 @@ static int authz_ldap_check_user_access(request_rec *r) if(result != LDAP_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "auth_ldap authorise: User DN not found, %s", ldc->reason); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + return AUTHZ_DENIED; } req = (authn_ldap_request_t *)apr_pcalloc(r->pool, @@ -573,252 +662,416 @@ static int authz_ldap_check_user_access(request_rec *r) req->user = r->user; } - /* Loop through the requirements array until there's no elements - * left, or something causes a return from inside the loop */ - for(x=0; x < reqs_arr->nelts; x++) { - if (! (reqs[x].method_mask & (APR_INT64_C(1) << m))) { - continue; + ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts; + + if (sec->group_attrib_is_dn) { + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: " + "user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; } - method_restricted = 1; + } + else { + if (req->user == NULL || strlen(req->user) == 0) { + /* We weren't called in the authentication phase, so we didn't have a + * chance to set the user field. Do so now. */ + req->user = r->user; + } + } + + t = require_args; - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: " + "testing for group membership in \"%s\"", + getpid(), t); - if (strcmp(w, "ldap-user") == 0) { - if (req->dn == NULL || strlen(req->dn) == 0) { + for (i = 0; i < sec->groupattr->nelts; i++) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: " + "testing for %s: %s (%s)", getpid(), + ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t); + + result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, + sec->group_attrib_is_dn ? req->dn : req->user); + switch(result) { + case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require user: user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: " + "authorization successful (attribute %s) [%s][%s]", + getpid(), ent[i].name, ldc->reason, ldap_err2string(result)); + return AUTHZ_GRANTED; } - /* - * First do a whole-line compare, in case it's something like - * require user Babs Jensen - */ - result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, t); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require user: authorisation successful", getpid()); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require user: " - "authorisation failed [%s][%s]", getpid(), - ldc->reason, ldap_err2string(result)); - } - } - /* - * Now break apart the line and compare each word on it - */ - while (t[0]) { - w = ap_getword_conf(r->pool, &t); - result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require user: authorisation successful", getpid()); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require user: authorisation failed [%s][%s]", - getpid(), ldc->reason, ldap_err2string(result)); - } - } - } - } - else if (strcmp(w, "ldap-dn") == 0) { - if (req->dn == NULL || strlen(req->dn) == 0) { + default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require dn: user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group \"%s\": " + "authorization failed [%s][%s]", + getpid(), t, ldc->reason, ldap_err2string(result)); } + } + } - result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require dn: authorisation successful", getpid()); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require dn \"%s\": LDAP error [%s][%s]", - getpid(), t, ldc->reason, ldap_err2string(result)); - } - } + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: authorization denied", getpid()); + + return AUTHZ_DENIED; +} + +static authz_status ldapdn_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + + const char *t; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If we have been authenticated by some other module than mod_auth_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return AUTHZ_DENIED; } - else if (strcmp(w, "ldap-group") == 0) { - struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts; - int i; - - if (sec->group_attrib_is_dn) { - if (req->dn == NULL || strlen(req->dn) == 0) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " - "user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; - } - } - else { - if (req->user == NULL || strlen(req->user) == 0) { - /* We weren't called in the authentication phase, so we didn't have a - * chance to set the user field. Do so now. */ - req->user = r->user; - } - } + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + } + + t = require_args; + + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require dn: user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; + } + + result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); + switch(result) { + case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " - "testing for group membership in \"%s\"", - getpid(), t); + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require dn: authorization successful", getpid()); + return AUTHZ_GRANTED; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require dn \"%s\": LDAP error [%s][%s]", + getpid(), t, ldc->reason, ldap_err2string(result)); + } + } - for (i = 0; i < sec->groupattr->nelts; i++) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " - "testing for %s: %s (%s)", getpid(), - ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t); - - result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, - sec->group_attrib_is_dn ? req->dn : req->user); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " - "authorisation successful (attribute %s) [%s][%s]", - getpid(), ent[i].name, ldc->reason, ldap_err2string(result)); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: require group \"%s\": " - "authorisation failed [%s][%s]", - getpid(), t, ldc->reason, ldap_err2string(result)); - } - } - } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); + + return AUTHZ_DENIED; +} + +static authz_status ldapattribute_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + + const char *t; + char *w, *value; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If we have been authenticated by some other module than mod_auth_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return AUTHZ_DENIED; } - else if (strcmp(w, "ldap-attribute") == 0) { - if (req->dn == NULL || strlen(req->dn) == 0) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-attribute: user's DN has not been defined; failing authorisation", + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + } + + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-attribute: user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; + } + + t = require_args; + while (t[0]) { + w = ap_getword(r->pool, &t, '='); + value = ap_getword_conf(r->pool, &t); + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: checking attribute" + " %s has value %s", getpid(), w, value); + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require attribute: authorization successful", getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + return AUTHZ_GRANTED; } - while (t[0]) { - w = ap_getword(r->pool, &t, '='); - value = ap_getword_conf(r->pool, &t); - - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: checking attribute" - " %s has value %s", getpid(), w, value); - result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, - w, value); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require attribute: authorisation " - "successful", getpid()); - return OK; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require attribute: authorisation " - "failed [%s][%s]", getpid(), - ldc->reason, ldap_err2string(result)); - } - } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require attribute: authorization failed [%s][%s]", + getpid(), ldc->reason, ldap_err2string(result)); } } - else if (strcmp(w, "ldap-filter") == 0) { - if (req->dn == NULL || strlen(req->dn) == 0) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-filter: user's DN has not been defined; failing authorisation", - getpid()); - return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; - } - if (t[0]) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: checking filter %s", - getpid(), t); - - /* Build the username filter */ - authn_ldap_build_filter(filtbuf, r, req->user, t, sec); - - /* Search for the user DN */ - result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, - sec->scope, sec->attributes, filtbuf, &dn, &vals); - - /* Make sure that the filtered search returned the correct user dn */ - if (result == LDAP_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: checking dn match %s", - getpid(), dn); - result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn, - sec->compare_dn_on_server); - } + } - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-filter: authorisation " - "successful", getpid()); - return OK; - } - case LDAP_FILTER_ERROR: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-filter: %s authorisation " - "failed [%s][%s]", getpid(), - filtbuf, ldc->reason, ldap_err2string(result)); - break; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, - 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " - "require ldap-filter: authorisation " - "failed [%s][%s]", getpid(), - ldc->reason, ldap_err2string(result)); - } - } - } + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); + + return AUTHZ_DENIED; +} + +static authz_status ldapfilter_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + const char *t; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If we have been authenticated by some other module than mod_auth_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return AUTHZ_DENIED; } + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; } - if (!method_restricted) { + if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: agreeing because non-restricted", + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-filter: user's DN has not been defined; failing authorization", getpid()); - return OK; + return AUTHZ_DENIED; } - if (!sec->auth_authoritative) { + t = require_args; + + if (t[0]) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid()); - return DECLINED; + "[%" APR_PID_T_FMT "] auth_ldap authorize: checking filter %s", + getpid(), t); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, req->user, t, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Make sure that the filtered search returned the correct user dn */ + if (result == LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: checking dn match %s", + getpid(), dn); + result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn, + sec->compare_dn_on_server); + } + + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-filter: authorization " + "successful", getpid()); + return AUTHZ_GRANTED; + } + case LDAP_FILTER_ERROR: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-filter: %s authorization " + "failed [%s][%s]", getpid(), + filtbuf, ldc->reason, ldap_err2string(result)); + break; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-filter: authorization " + "failed [%s][%s]", getpid(), + ldc->reason, ldap_err2string(result)); + } + } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); - ap_note_basic_auth_failure (r); + "[%" APR_PID_T_FMT "] auth_ldap authorise: authorization denied", getpid()); - return HTTP_UNAUTHORIZED; + return AUTHZ_DENIED; } @@ -1032,11 +1285,6 @@ static const command_rec authnz_ldap_cmds[] = "DN of the remote user. By default, this is set to off, meaning that " "the REMOTE_USER variable will contain whatever value the remote user sent."), - AP_INIT_FLAG("AuthzLDAPAuthoritative", ap_set_flag_slot, - (void *)APR_OFFSETOF(authn_ldap_config_t, auth_authoritative), OR_AUTHCFG, - "Set to 'off' to allow access control to be passed along to lower modules if " - "the UserID and/or group is not known to this module"), - AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, (void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, "Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " @@ -1059,12 +1307,6 @@ static const command_rec authnz_ldap_cmds[] = "values \"never\", \"searching\", \"finding\", or \"always\". " "Defaults to always."), -/* - AP_INIT_FLAG("AuthLDAPAuthzEnabled", ap_set_flag_slot, - (void *)APR_OFFSETOF(authn_ldap_config_t, authz_enabled), OR_AUTHCFG, - "Set to off to disable the LDAP authorization handler, even if it's been enabled in a higher tree"), -*/ - AP_INIT_TAKE1("AuthLDAPCharsetConfig", set_charset_config, NULL, RSRC_CONF, "Character set conversion configuration file. If omitted, character set" "conversion is disabled."), @@ -1160,6 +1402,30 @@ static const authn_provider authn_ldap_provider = &authn_ldap_check_password, }; +static const authz_provider authz_ldapuser_provider = +{ + &ldapuser_check_authorization, +}; +static const authz_provider authz_ldapgroup_provider = +{ + &ldapgroup_check_authorization, +}; + +static const authz_provider authz_ldapdn_provider = +{ + &ldapdn_check_authorization, +}; + +static const authz_provider authz_ldapattribute_provider = +{ + &ldapattribute_check_authorization, +}; + +static const authz_provider authz_ldapfilter_provider = +{ + &ldapfilter_check_authorization, +}; + static void ImportULDAPOptFn(void) { util_ldap_connection_close = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_close); @@ -1173,12 +1439,23 @@ static void ImportULDAPOptFn(void) static void register_hooks(apr_pool_t *p) { - static const char * const aszPost[]={ "mod_authz_user.c", NULL }; - + /* Register authn provider */ ap_register_provider(p, AUTHN_PROVIDER_GROUP, "ldap", "0", &authn_ldap_provider); + + /* Register authz providers */ + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-user", "0", + &authz_ldapuser_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-group", "0", + &authz_ldapgroup_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-dn", "0", + &authz_ldapdn_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-attribute", "0", + &authz_ldapattribute_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-filter", "0", + &authz_ldapfilter_provider); + ap_hook_post_config(authnz_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE); - ap_hook_auth_checker(authz_ldap_check_user_access, NULL, aszPost, APR_HOOK_MIDDLE); ap_hook_optional_fn_retrieve(ImportULDAPOptFn,NULL,NULL,APR_HOOK_MIDDLE); } diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c new file mode 100644 index 0000000000..b3493ac4f7 --- /dev/null +++ b/modules/aaa/mod_authz_core.c @@ -0,0 +1,672 @@ +/* Copyright 2002-2005 The Apache Software Foundation or its licensors, as + * applicable. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * Security options etc. + * + * Module derived from code originally written by Rob McCool + * + */ + +#include "apr_strings.h" +#include "apr_network_io.h" +#include "apr_md5.h" + +#define APR_WANT_STRFUNC +#define APR_WANT_BYTEFUNC +#include "apr_want.h" + +#define CORE_PRIVATE +#include "ap_config.h" +#include "httpd.h" +#include "http_config.h" +#include "http_core.h" +#include "http_log.h" +#include "http_request.h" +#include "http_protocol.h" +#include "ap_provider.h" + +#include "mod_auth.h" + +#if APR_HAVE_NETINET_IN_H +#include +#endif + +/* TODO List + +X- Convert all of the authz modules to providers +X- Remove the ap_requires field from the core_dir_config structure +X- Remove the ap_requires field from authz_dir_conf +X- Remove the function ap_requires() and authz_ap_requires() + since their functionality is no longer supported + or necessary in the refactoring +X- Remove the calls to ap_some_auth_required() in the + core request handling to allow the hooks to be called + in all cases. Is this function even necessary + anymore? +- Determine of merge_authz_dir_config is even + necessary and remove if not +X- Split the authz type from the arguments when the + authz provider is registered and store the type + in ->provider_name and the arguments in ->requirement +X- Move the check for METHOD_MASK out of the authz + providers and into the provider vector +X- Change the status code to AUTHZ_DENIED, AUTHZ_GRANTED + and AUTHZ_GENERAL_ERROR +- Determine if setting the AUTHZ_PROVIDER_NAME_NOTE note + is even necessary. This was used in authn to support + authn_alias. Is there a need for an authz_alias? +X- Remove the Satisfy directive functionality and replace it with the + , directives +X- Remove the Satisfy directive +X- Implement the block directives + to handle the 'and' and 'or' logic for authorization. +X- Remove the AuthzXXXAuthoritative directives from all of + the authz providers +X- Implement the Reject directive that will deny authorization + if the argument is true +X- Fold the Reject directive into the + logic +X- Reimplement the host based authorization 'allow', 'deny' + and 'order' as authz providers +X- Remove the 'allow', 'deny' and 'order' directives +- Merge mod_authn_alias into mod_authn_core +X- Remove all of the references to the authzxxxAuthoritative + directives from the documentation +X- Remove the Satisfy directive from the documentation +*/ + +typedef struct provider_alias_rec { + char *provider_name; + char *provider_alias; + char *provider_args; + ap_conf_vector_t *sec_auth; + const authz_provider *provider; +} provider_alias_rec; + +typedef struct { + authz_provider_list *providers; + authz_request_state req_state; + int req_state_level; +} authz_core_dir_conf; + +typedef struct authz_core_srv_conf { + apr_hash_t *alias_rec; +} authz_core_srv_conf; + + +module AP_MODULE_DECLARE_DATA authz_core_module; + +static void *create_authz_core_dir_config(apr_pool_t *p, char *dummy) +{ + authz_core_dir_conf *conf = + (authz_core_dir_conf *)apr_pcalloc(p, sizeof(authz_core_dir_conf)); + + conf->req_state = AUTHZ_REQSTATE_ONE; + conf->req_state_level = 0; + return (void *)conf; +} + +#if 0 +static void *merge_authz_core_dir_config(apr_pool_t *a, void *basev, void *newv) +{ + authz_core_dir_conf *base = (authz_core_dir_conf *)basev; + authz_core_dir_conf *new = (authz_core_dir_conf *)newv; + authz_core_dir_conf *conf; + + /* Create this conf by duplicating the base, replacing elements + * (or creating copies for merging) where new-> values exist. + */ + conf = (authz_core_dir_conf *)apr_palloc(a, sizeof(authz_core_dir_conf)); + memcpy(conf, base, sizeof(authz_core_dir_conf)); + + return (void*)conf; +} +#endif + +static void *create_authz_core_svr_config(apr_pool_t *p, server_rec *s) +{ + + authz_core_srv_conf *authcfg; + + authcfg = (authz_core_srv_conf *) apr_pcalloc(p, sizeof(authz_core_srv_conf)); + authcfg->alias_rec = apr_hash_make(p); + + return (void *) authcfg; +} + +static const char *add_authz_provider(cmd_parms *cmd, void *config, + const char *arg) +{ + authz_core_dir_conf *conf = (authz_core_dir_conf*)config; + authz_provider_list *newp; + const char *t, *w; + + newp = apr_pcalloc(cmd->pool, sizeof(authz_provider_list)); + + t = arg; + w = ap_getword_white(cmd->pool, &t); + + if (w) + newp->provider_name = apr_pstrdup(cmd->pool, w); + if (t) + newp->requirement = apr_pstrdup(cmd->pool, t); + newp->method_mask = cmd->limited; + + /* lookup and cache the actual provider now */ + newp->provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP, + newp->provider_name, "0"); + newp->req_state = conf->req_state; + newp->req_state_level = conf->req_state_level; + newp->is_reject = (int)cmd->info; + + /* by the time the config file is used, the provider should be loaded + * and registered with us. + */ + if (newp->provider == NULL) { + return apr_psprintf(cmd->pool, + "Unknown Authz provider: %s", + newp->provider_name); + } + + /* if the provider doesn't provide the appropriate function, reject it */ + if (!newp->provider->check_authorization) { + return apr_psprintf(cmd->pool, + "The '%s' Authz provider is not supported by any " + "of the loaded authorization modules ", + newp->provider_name); + } + + /* Add it to the list now. */ + if (!conf->providers) { + conf->providers = newp; + } + else { + authz_provider_list *last = conf->providers; + int level = conf->req_state_level; + + /* if the level is 0 then take care of the implicit 'or' + operation at this level. */ + if (level == 0) { + /* Just run through the Require_one list and add the + node */ + while (last->one_next) { + last = last->one_next; + } + last->one_next = newp; + } + else { + /* Traverse the list to find the last entry.Each level + indicates a transition in the logic. */ + for (;level;level--) { + /* if we are in a Require_all block then run through + all of the Require_all nodes to the end of the list */ + if (last->req_state == AUTHZ_REQSTATE_ALL) { + while (last->all_next) { + last = last->all_next; + } + /* If the end of the list contains a node state + change then run through all of the Require_one + nodes to the end of that list */ + if (level >= last->req_state_level) { + while (last->one_next) { + last = last->one_next; + } + } + continue; + } + /* if we are in a Require_one block then run through + all of the Require_one nodes to the end of the list */ + if (last->req_state == AUTHZ_REQSTATE_ONE) { + while (last->one_next) { + last = last->one_next; + } + /* If the end of the list contains a node state + change then run through all of the Require_all + nodes to the end of that list */ + if (level >= last->req_state_level) { + while (last->all_next) { + last = last->all_next; + } + } + continue; + } + } + + /* The current state flag indicates which way the transition should + go. If ALL then take the all_next path, otherwise one_next */ + if (last->req_state == AUTHZ_REQSTATE_ALL) { + /* If we already have an all_next node, then + we must have dropped back a level so assign + the node to one_next */ + if (!last->all_next) { + last->all_next = newp; + } + else + last->one_next = newp; + } + else { + /* If we already have a one_next node, then + we must have dropped back a level so assign + the node to all_next */ + if (!last->one_next) { + last->one_next = newp; + } + else + last->all_next = newp; + } + } + } + + return NULL; +} + +/* This is a fake authz provider that really merges various authz alias + configurations and then envokes them. */ +static authz_status authz_alias_check_authorization(request_rec *r, + const char *require_args) +{ + /* Look up the provider alias in the alias list */ + /* Get the the dir_config and call ap_Merge_per_dir_configs() */ + /* Call the real provider->check_authorization() function */ + /* return the result of the above function call */ + + const char *provider_name = apr_table_get(r->notes, AUTHZ_PROVIDER_NAME_NOTE); + authz_status ret = AUTHZ_DENIED; + authz_core_srv_conf *authcfg = + (authz_core_srv_conf *)ap_get_module_config(r->server->module_config, + &authz_core_module); + + if (provider_name) { + provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec, + provider_name, APR_HASH_KEY_STRING); + ap_conf_vector_t *orig_dir_config = r->per_dir_config; + + /* If we found the alias provider in the list, then merge the directory + configurations and call the real provider */ + if (prvdraliasrec) { + r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config, + prvdraliasrec->sec_auth); + ret = prvdraliasrec->provider->check_authorization(r, prvdraliasrec->provider_args); + r->per_dir_config = orig_dir_config; + } + } + + return ret; +} + +static const authz_provider authz_alias_provider = +{ + &authz_alias_check_authorization, +}; + +static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig, const char *arg) +{ + int old_overrides = cmd->override; + const char *endp = ap_strrchr_c(arg, '>'); + const char *args; + char *provider_alias; + char *provider_name; + char *provider_args; + const char *errmsg; + ap_conf_vector_t *new_authz_config = ap_create_per_dir_config(cmd->pool); + authz_core_srv_conf *authcfg = + (authz_core_srv_conf *)ap_get_module_config(cmd->server->module_config, + &authz_core_module); + + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + if (err != NULL) { + return err; + } + + if (endp == NULL) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + "> directive missing closing '>'", NULL); + } + + args = apr_pstrndup(cmd->pool, arg, endp - arg); + + if (!args[0]) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + "> directive requires additional arguments", NULL); + } + + /* Pull the real provider name and the alias name from the block header */ + provider_name = ap_getword_conf(cmd->pool, &args); + provider_alias = ap_getword_conf(cmd->pool, &args); + provider_args = ap_getword_conf(cmd->pool, &args); + + if (!provider_name[0] || !provider_alias[0]) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + "> directive requires additional arguments", NULL); + } + + /* walk the subsection configuration to get the per_dir config that we will + merge just before the real provider is called. */ + cmd->override = OR_ALL|ACCESS_CONF; + errmsg = ap_walk_config(cmd->directive->first_child, cmd, new_authz_config); + + if (!errmsg) { + provider_alias_rec *prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(provider_alias_rec)); + const authz_provider *provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP, provider_name,"0"); + + /* Save off the new directory config along with the original provider name + and function pointer data */ + prvdraliasrec->sec_auth = new_authz_config; + prvdraliasrec->provider_name = provider_name; + prvdraliasrec->provider_alias = provider_alias; + prvdraliasrec->provider_args = provider_args; + prvdraliasrec->provider = provider; + + apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec); + + /* Register the fake provider so that we get called first */ + ap_register_provider(cmd->pool, AUTHZ_PROVIDER_GROUP, provider_alias, "0", + &authz_alias_provider); + } + + cmd->override = old_overrides; + + return errmsg; +} + +static const char *authz_require_section(cmd_parms *cmd, void *mconfig, const char *arg) +{ + int old_overrides = cmd->override; + const char *endp = ap_strrchr_c(arg, '>'); + const char *args; + const char *errmsg; + authz_request_state old_reqstate; + authz_core_dir_conf *conf = (authz_core_dir_conf*)mconfig; +// authz_core_srv_conf *authcfg = +// (authz_core_srv_conf *)ap_get_module_config(cmd->server->module_config, +// &authz_core_module); + + if (endp == NULL) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + "> directive missing closing '>'", NULL); + } + + args = apr_pstrndup(cmd->pool, arg, endp - arg); + + if (args[0]) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + "> directive doesn't take additional arguments", NULL); + } + + /* Save off the current request state so that we can go back to it after walking + the subsection. Indicate a transition in the logic incrementing the level. + After the subsection walk the level will be decremented to indicate the + path to follow. As the require directives are read by the configuration + the req_state and the level will allow it to traverse the list to find + the last element in the provider calling list. */ + old_reqstate = conf->req_state; + if (strcasecmp (cmd->directive->directive, "req_state = AUTHZ_REQSTATE_ALL; + } + else { + conf->req_state = AUTHZ_REQSTATE_ONE; + } + conf->req_state_level++; + cmd->override = OR_ALL|ACCESS_CONF; + + /* walk the subsection configuration to get the per_dir config that we will + merge just before the real provider is called. */ + errmsg = ap_walk_config(cmd->directive->first_child, cmd, cmd->context); + + conf->req_state_level--; + conf->req_state = old_reqstate; + cmd->override = old_overrides; + + return errmsg; +} + +static const command_rec authz_cmds[] = +{ + AP_INIT_RAW_ARGS("Require", add_authz_provider, NULL, OR_AUTHCFG, + "Selects which authenticated users or groups may access " + "a protected space"), + AP_INIT_RAW_ARGS("Reject", add_authz_provider, (void*)1, OR_AUTHCFG, + "Rejects the specified authenticated users or groups from accessing " + "a protected space"), + AP_INIT_RAW_ARGS("check_authorization) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "No default authz provider configured"); + auth_result = AUTHZ_GENERAL_ERROR; + return auth_result; + } + apr_table_setn(r->notes, AUTHZ_PROVIDER_NAME_NOTE, + AUTHZ_DEFAULT_PROVIDER); + } + else { + provider = current_provider->provider; + apr_table_setn(r->notes, AUTHZ_PROVIDER_NAME_NOTE, + current_provider->provider_name); + } + + /* check to make sure that the request method requires + authorization before calling the provider */ + if (!(current_provider->method_mask & + (AP_METHOD_BIT << r->method_number))) { + return AUTHZ_DENIED; + } + + auth_result = provider->check_authorization(r, + current_provider->requirement); + + if (auth_result == AUTHZ_GENERAL_ERROR) { + return auth_result; + } + + if (current_provider->is_reject) { + auth_result = auth_result == AUTHZ_DENIED ? AUTHZ_GRANTED : AUTHZ_DENIED; + } + + apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE); + + /* If the current node is a Require_One type */ + if (current_provider->req_state == AUTHZ_REQSTATE_ONE) { + /* if the auth_result of *this* node was GRANTED and we are embedded in a Require_all block + then look to see if there is another Require_all node that needs to be satisfied */ + if (auth_result == AUTHZ_GRANTED) { + if ((current_provider->all_next) && + (current_provider->all_next->req_state_level < current_provider->req_state_level)) { + auth_result = check_provider_list (r, current_provider->all_next, + current_provider->req_state_level); + } + return auth_result; + } + one_next: + + /* Traverse forward to the next Require_one node it one exists + otherwise just return the auth_result */ + if (current_provider->one_next) { + auth_result = check_provider_list (r, current_provider->one_next, + current_provider->req_state_level); + } + else + return auth_result; + + /* if the *last* auth_result was GRANTED and we are embedded in a Require_all block + then look to see if there is another Require_all node that needs to be satisfied */ + if ((auth_result == AUTHZ_GRANTED) && (current_provider->all_next) && + (current_provider->all_next->req_state_level < current_provider->req_state_level)) { + auth_result = check_provider_list (r, current_provider->all_next, + current_provider->req_state_level); + } + /* If the *last* auth_result was DENIED and we are inside of a Require_one block + then look to see if there is another Require_one node that can be satisfied */ + else if ((auth_result == AUTHZ_DENIED) && (current_provider->one_next) && + (current_provider->one_next->req_state_level < current_provider->req_state_level)) { + goto one_next; + } + + return auth_result; + } + + /* If the current node is a Require_All type */ + if (current_provider->req_state == AUTHZ_REQSTATE_ALL) { + /* if the auth_result of *this* node was DENIED and we are embedded in a Require_one block + then look to see if there is another Require_one node that can be satisfied */ + if (auth_result == AUTHZ_DENIED) { + if ((current_provider->one_next) && + (current_provider->one_next->req_state_level < current_provider->req_state_level)) { + auth_result = check_provider_list (r, current_provider->one_next, + current_provider->req_state_level); + } + return auth_result; + } + all_next: + + /* Traverse forward to the next Require_all node it one exists + otherwise just return the auth_result */ + if (current_provider->all_next) { + auth_result = check_provider_list (r, current_provider->all_next, + current_provider->req_state_level); + } + else + return auth_result; + + /* if the *last* auth_result was DENIED and we are embedded in a Require_one block + then look to see if there is another Require_one node that can be satisfied */ + if ((auth_result == AUTHZ_DENIED) && (current_provider->one_next) && + (current_provider->one_next->req_state_level < current_provider->req_state_level)) { + auth_result = check_provider_list (r, current_provider->one_next, + current_provider->req_state_level); + } + /* If the *last* auth_result was GRANTED and we are inside of a Require_all block + then look to see if there is another Require_all node that needs to be satisfied */ + else if ((auth_result == AUTHZ_GRANTED) && (current_provider->all_next) && + (current_provider->all_next->req_state_level < current_provider->req_state_level)) { + goto all_next; + } + } + + return auth_result; +} + +static int authorize_user(request_rec *r) +{ + authz_core_dir_conf *conf = ap_get_module_config(r->per_dir_config, + &authz_core_module); + authz_status auth_result; + authz_provider_list *current_provider; + + /* If we're not really configured for providers, stop now. */ + if (!conf->providers) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "no authorization providers configured"); + return DECLINED; + } + + current_provider = conf->providers; + + auth_result = check_provider_list (r, current_provider, 0); + + if (auth_result != AUTHZ_GRANTED) { + int return_code; + + switch (auth_result) { + case AUTHZ_DENIED: + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "user %s: authorization failure for \"%s\": ", + r->user, r->uri); + return_code = HTTP_UNAUTHORIZED; + break; + case AUTHZ_GENERAL_ERROR: + default: + /* We'll assume that the module has already said what its + * error was in the logs. + */ + return_code = HTTP_INTERNAL_SERVER_ERROR; + break; + } + + /* If we're returning 403, tell them to try again. */ + if (return_code == HTTP_UNAUTHORIZED) { + ap_note_auth_failure (r); + } + return return_code; + } + + return OK; +} + +static int authz_some_auth_required(request_rec *r) +{ + authz_core_dir_conf *conf = ap_get_module_config(r->per_dir_config, + &authz_core_module); + authz_provider_list *current_provider; + int req_authz = 0; + + current_provider = conf->providers; + while (current_provider) { + + /* Does this provider config apply for this method */ + if (current_provider->method_mask & + (AP_METHOD_BIT << r->method_number)) { + req_authz = 1; + break; + } + + current_provider = current_provider->one_next; + } + + return req_authz; +} + +static void register_hooks(apr_pool_t *p) +{ + APR_REGISTER_OPTIONAL_FN(authz_some_auth_required); + + ap_hook_auth_checker(authorize_user, NULL, NULL, APR_HOOK_MIDDLE); +} + +module AP_MODULE_DECLARE_DATA authz_core_module = +{ + STANDARD20_MODULE_STUFF, + create_authz_core_dir_config, /* dir config creater */ + NULL, /* dir merger --- default is to override */ + create_authz_core_svr_config, /* server config */ + NULL, /* merge server config */ + authz_cmds, + register_hooks /* register hooks */ +}; diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c index 3395b4b588..a9f8cc6445 100644 --- a/modules/aaa/mod_authz_dbd.c +++ b/modules/aaa/mod_authz_dbd.c @@ -17,6 +17,7 @@ #include "httpd.h" #include "http_log.h" #include "http_config.h" +#include "ap_provider.h" #include "http_request.h" #include "http_protocol.h" #include "http_core.h" @@ -25,6 +26,9 @@ #include "apr_strings.h" #include "mod_authz_dbd.h" +#include "mod_auth.h" + + module AP_MODULE_DECLARE_DATA authz_dbd_module; /* Export a hook for modules that manage clientside sessions @@ -40,7 +44,6 @@ typedef struct { const char *query; const char *redir_query; int redirect; - int authoritative; } authz_dbd_cfg ; static ap_dbd_t *(*dbd_handle)(request_rec*) = NULL; @@ -51,7 +54,7 @@ static const char *const noerror = "???"; static void *authz_dbd_cr_cfg(apr_pool_t *pool, char *dummy) { authz_dbd_cfg *ret = apr_pcalloc(pool, sizeof(authz_dbd_cfg)); - ret->redirect = ret->authoritative = -1; + ret->redirect = -1; return ret; } static void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD) @@ -63,8 +66,6 @@ static void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD) ret->query = (add->query == NULL) ? base->query : add->query; ret->redir_query = (add->redir_query == NULL) ? base->redir_query : add->redir_query; - ret->authoritative = (add->authoritative == -1) - ? base->authoritative : add->authoritative; ret->redirect = (add->redirect == -1) ? base->redirect : add->redirect; return ret; } @@ -89,9 +90,6 @@ static const char *authz_dbd_prepare(cmd_parms *cmd, void *cfg, return ap_set_string_slot(cmd, cfg, label); } static const command_rec authz_dbd_cmds[] = { - AP_INIT_FLAG("AuthzDBDAuthoritative", ap_set_flag_slot, - (void*)APR_OFFSETOF(authz_dbd_cfg, authoritative), ACCESS_CONF, - "Whether dbd-group is authoritative"), AP_INIT_FLAG("AuthzDBDLoginToReferer", ap_set_flag_slot, (void*)APR_OFFSETOF(authz_dbd_cfg, redirect), ACCESS_CONF, "Whether to redirect to referer on successful login"), @@ -181,6 +179,7 @@ static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg, } } if (newuri != NULL) { + r->status = HTTP_MOVED_TEMPORARILY; apr_table_set(r->err_headers_out, "Location", newuri); rv = HTTP_MOVED_TEMPORARILY; } @@ -242,67 +241,82 @@ static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, } return OK; } -static int authz_dbd_check(request_rec *r) + +static authz_status dbdgroup_check_authorization(request_rec *r, + const char *require_args) { - int i, x, rv; + int i, rv; const char *w; - int m = r->method_number; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; apr_array_header_t *groups = NULL; const char *t; authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, &authz_dbd_module); - if (!reqs_arr) { - return DECLINED; - } - - for (x = 0; x < reqs_arr->nelts; x++) { - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; + if (groups == NULL) { + groups = apr_array_make(r->pool, 4, sizeof(const char*)); + rv = authz_dbd_group_query(r, cfg, groups); + if (rv != OK) { + return AUTHZ_GENERAL_ERROR; } + } - t = reqs[x].requirement; + t = require_args; + while (t[0]) { w = ap_getword_white(r->pool, &t); - if (!strcasecmp(w, "dbd-group")) { - if (groups == NULL) { - groups = apr_array_make(r->pool, 4, sizeof(const char*)); - rv = authz_dbd_group_query(r, cfg, groups); - if (rv != OK) { - return rv; - } + for (i=0; i < groups->nelts; ++i) { + if (!strcmp(w, ((const char**)groups->elts)[i])) { + return AUTHZ_GRANTED; } - while (t[0]) { - w = ap_getword_white(r->pool, &t); - for (i=0; i < groups->nelts; ++i) { - if (!strcmp(w, ((const char**)groups->elts)[i])) { - return OK; - } - } - } - } - else if (!strcasecmp(w, "dbd-login")) { - return authz_dbd_login(r, cfg, "login"); - } - else if (!strcasecmp(w, "dbd-logout")) { - return authz_dbd_login(r, cfg, "logout"); } } - if ((groups != NULL) && cfg->authoritative) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "authz_dbd: user %s denied access to %s", - r->user, r->uri); - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; - } - return DECLINED; + return AUTHZ_DENIED; +} + +static authz_status dbdlogin_check_authorization(request_rec *r, + const char *require_args) +{ + authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, + &authz_dbd_module); + + return (authz_dbd_login(r, cfg, "login") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED); } + +static authz_status dbdlogout_check_authorization(request_rec *r, + const char *require_args) +{ + authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config, + &authz_dbd_module); + + return (authz_dbd_login(r, cfg, "logout") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED); +} + +static const authz_provider authz_dbdgroup_provider = +{ + &dbdgroup_check_authorization, +}; + +static const authz_provider authz_dbdlogin_provider = +{ + &dbdlogin_check_authorization, +}; + + +static const authz_provider authz_dbdlogout_provider = +{ + &dbdlogout_check_authorization, +}; + static void authz_dbd_hooks(apr_pool_t *p) { - ap_hook_auth_checker(authz_dbd_check, NULL, NULL, APR_HOOK_MIDDLE); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-group", "0", + &authz_dbdgroup_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-login", "0", + &authz_dbdlogin_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-logout", "0", + &authz_dbdlogout_provider); } + module AP_MODULE_DECLARE_DATA authz_dbd_module = { STANDARD20_MODULE_STUFF, diff --git a/modules/aaa/mod_authz_dbm.c b/modules/aaa/mod_authz_dbm.c index a69c747272..c3c0aca137 100644 --- a/modules/aaa/mod_authz_dbm.c +++ b/modules/aaa/mod_authz_dbm.c @@ -22,6 +22,7 @@ #include "httpd.h" #include "http_config.h" +#include "ap_provider.h" #include "http_core.h" #include "http_log.h" #include "http_protocol.h" @@ -32,9 +33,11 @@ typedef struct { char *grpfile; char *dbmtype; - int authoritative; } authz_dbm_config_rec; +APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r)); + + /* This should go into APR; perhaps with some nice * caching/locking/flocking of the open dbm file. */ @@ -62,7 +65,6 @@ static void *create_authz_dbm_dir_config(apr_pool_t *p, char *d) conf->grpfile = NULL; conf->dbmtype = "default"; - conf->authoritative = 1; /* fortress is secure by default */ return conf; } @@ -75,11 +77,6 @@ static const command_rec authz_dbm_cmds[] = AP_INIT_TAKE1("AuthzDBMType", ap_set_string_slot, (void *)APR_OFFSETOF(authz_dbm_config_rec, dbmtype), OR_AUTHCFG, "what type of DBM file the group file is"), - AP_INIT_FLAG("AuthzDBMAuthoritative", ap_set_flag_slot, - (void *)APR_OFFSETOF(authz_dbm_config_rec, authoritative), - OR_AUTHCFG, "Set to 'Off' to allow access control to be passed along to " - "lower modules, if the group required is not found or empty, or the user " - " is not in the required groups. (default is On.)"), {NULL} }; @@ -133,142 +130,152 @@ static apr_status_t get_dbm_grp(request_rec *r, char *key1, char *key2, return retval; } -/* Checking ID */ -static int dbm_check_auth(request_rec *r) +static authz_status dbmgroup_check_authorization(request_rec *r, + const char *require_args) { authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_dbm_module); char *user = r->user; - int m = r->method_number; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; - register int x; const char *t; char *w; - int required_group = 0; - const char *filegroup = NULL; const char *orig_groups = NULL; - char *reason = NULL; + const char *realm = ap_auth_name(r); + const char *groups; + char *v; if (!conf->grpfile) { - return DECLINED; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "No group file was specified in the configuration"); + return AUTHZ_DENIED; } - if (!reqs_arr) { - return DECLINED; - } + /* fetch group data from dbm file only once. */ + if (!orig_groups) { + apr_status_t status; - for (x = 0; x < reqs_arr->nelts; x++) { + status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm, NULL), + user, conf->grpfile, conf->dbmtype, &groups); - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; + if (status != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "could not open dbm (type %s) group access " + "file: %s", conf->dbmtype, conf->grpfile); + return AUTHZ_GENERAL_ERROR; } - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); + if (groups == NULL) { + /* no groups available, so exit immediately */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user doesn't appear in DBM group file (%s).", + r->user, r->uri, conf->grpfile); + return AUTHZ_DENIED; + } - if (!strcasecmp(w, "file-group")) { - filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE); + orig_groups = groups; + } - if (!filegroup) { - /* mod_authz_owner is not present or not - * authoritative. We are just a helper module for testing - * group membership, so we don't care and decline. - */ - continue; + t = require_args; + while ((w = ap_getword_white(r->pool, &t)) && w[0]) { + groups = orig_groups; + while (groups[0]) { + v = ap_getword(r->pool, &groups, ','); + if (!strcmp(v, w)) { + return AUTHZ_GRANTED; } } + } - if (!strcasecmp(w, "group") || filegroup) { - const char *realm = ap_auth_name(r); - const char *groups; - char *v; - - /* remember that actually a group is required */ - required_group = 1; - - /* fetch group data from dbm file only once. */ - if (!orig_groups) { - apr_status_t status; - - status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm, - NULL), - user, - conf->grpfile, conf->dbmtype, &groups); - - if (status != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, - "could not open dbm (type %s) group access " - "file: %s", conf->dbmtype, conf->grpfile); - return HTTP_INTERNAL_SERVER_ERROR; - } - - if (groups == NULL) { - /* no groups available, so exit immediately */ - reason = apr_psprintf(r->pool, - "user doesn't appear in DBM group " - "file (%s).", conf->grpfile); - break; - } - - orig_groups = groups; - } + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user is not part of the 'require'ed group(s).", + r->user, r->uri); - if (filegroup) { - groups = orig_groups; - while (groups[0]) { - v = ap_getword(r->pool, &groups, ','); - if (!strcmp(v, filegroup)) { - return OK; - } - } - - if (conf->authoritative) { - reason = apr_psprintf(r->pool, - "file group '%s' does not match.", - filegroup); - break; - } - - /* now forget the filegroup, thus alternatively require'd - groups get a real chance */ - filegroup = NULL; - } - else { - while (t[0]) { - w = ap_getword_white(r->pool, &t); - groups = orig_groups; - while (groups[0]) { - v = ap_getword(r->pool, &groups, ','); - if (!strcmp(v, w)) { - return OK; - } - } - } - } - } + return AUTHZ_DENIED; +} + +APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; + +static authz_status dbmfilegroup_check_authorization(request_rec *r, + const char *require_args) +{ + authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config, + &authz_dbm_module); + char *user = r->user; + const char *realm = ap_auth_name(r); + const char *filegroup = NULL; + const char *orig_groups = NULL; + apr_status_t status; + const char *groups; + char *v; + + if (!conf->grpfile) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "No group file was specified in the configuration"); + return AUTHZ_DENIED; + } + + /* fetch group data from dbm file. */ + status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm, NULL), + user, conf->grpfile, conf->dbmtype, &groups); + + if (status != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "could not open dbm (type %s) group access " + "file: %s", conf->dbmtype, conf->grpfile); + return AUTHZ_DENIED; } - /* No applicable "require group" for this method seen */ - if (!required_group || !conf->authoritative) { - return DECLINED; + if (groups == NULL) { + /* no groups available, so exit immediately */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user doesn't appear in DBM group file (%s).", + r->user, r->uri, conf->grpfile); + return AUTHZ_DENIED; + } + + orig_groups = groups; + + filegroup = authz_owner_get_file_group(r); + + if (filegroup) { + groups = orig_groups; + while (groups[0]) { + v = ap_getword(r->pool, &groups, ','); + if (!strcmp(v, filegroup)) { + return AUTHZ_GRANTED; + } + } } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Authorization of user %s to access %s failed, reason: %s", - r->user, r->uri, - reason ? reason : "user is not part of the " - "'require'ed group(s)."); + "Authorization of user %s to access %s failed, reason: " + "user is not part of the 'require'ed group(s).", + r->user, r->uri); - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; + return AUTHZ_DENIED; } +static const authz_provider authz_dbmgroup_provider = +{ + &dbmgroup_check_authorization, +}; + +static const authz_provider authz_dbmfilegroup_provider = +{ + &dbmfilegroup_check_authorization, +}; + + static void register_hooks(apr_pool_t *p) { - static const char * const aszPre[]={ "mod_authz_owner.c", NULL }; + authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group); - ap_hook_auth_checker(dbm_check_auth, aszPre, NULL, APR_HOOK_MIDDLE); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbm-group", "0", + &authz_dbmgroup_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbm-file-group", "0", + &authz_dbmfilegroup_provider); } module AP_MODULE_DECLARE_DATA authz_dbm_module = diff --git a/modules/aaa/mod_authz_default.c b/modules/aaa/mod_authz_default.c index 0576a0c24b..8a4712278b 100644 --- a/modules/aaa/mod_authz_default.c +++ b/modules/aaa/mod_authz_default.c @@ -53,31 +53,6 @@ static int check_user_access(request_rec *r) { authz_default_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_default_module); - int m = r->method_number; - int method_restricted = 0; - register int x; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs; - - /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive, - * then any user will do. - */ - if (!reqs_arr) { - return OK; - } - reqs = (require_line *)reqs_arr->elts; - - for (x = 0; x < reqs_arr->nelts; x++) { - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; - } - method_restricted = 1; - break; - } - - if (method_restricted == 0) { - return OK; - } if (!(conf->authoritative)) { return DECLINED; diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c index 77a63b9644..72d55efbb6 100644 --- a/modules/aaa/mod_authz_groupfile.c +++ b/modules/aaa/mod_authz_groupfile.c @@ -38,8 +38,6 @@ * * If there are any 'require group' blocks and we * are not in any group - we HTTP_UNAUTHORIZE - * unless we are non-authoritative; in which - * case we DECLINED. * */ @@ -47,6 +45,7 @@ #include "apr_lib.h" /* apr_isspace */ #include "ap_config.h" +#include "ap_provider.h" #include "httpd.h" #include "http_config.h" #include "http_core.h" @@ -58,15 +57,15 @@ typedef struct { char *groupfile; - int authoritative; } authz_groupfile_config_rec; +APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r)); + static void *create_authz_groupfile_dir_config(apr_pool_t *p, char *d) { authz_groupfile_config_rec *conf = apr_palloc(p, sizeof(*conf)); conf->groupfile = NULL; - conf->authoritative = 1; /* keep the fortress secure by default */ return conf; } @@ -86,13 +85,6 @@ static const command_rec authz_groupfile_cmds[] = (void *)APR_OFFSETOF(authz_groupfile_config_rec, groupfile), OR_AUTHCFG, "text file containing group names and member user IDs"), - AP_INIT_FLAG("AuthzGroupFileAuthoritative", ap_set_flag_slot, - (void *)APR_OFFSETOF(authz_groupfile_config_rec, - authoritative), - OR_AUTHCFG, - "Set to 'Off' to allow access control to be passed along to " - "lower modules if the 'require group' fails. (default is " - "On)."), {NULL} }; @@ -145,131 +137,139 @@ static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile, return APR_SUCCESS; } -/* Checking ID */ - -static int check_user_access(request_rec *r) +static authz_status group_check_authorization(request_rec *r, + const char *require_args) { authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, - &authz_groupfile_module); + &authz_groupfile_module); char *user = r->user; - int m = r->method_number; - int required_group = 0; - register int x; const char *t, *w; apr_table_t *grpstatus = NULL; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs; - const char *filegroup = NULL; - char *reason = NULL; + apr_status_t status; /* If there is no group file - then we are not * configured. So decline. */ if (!(conf->groupfile)) { - return DECLINED; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "No group file was specified in the configuration"); + return AUTHZ_DENIED; } - if (!reqs_arr) { - return DECLINED; /* XXX change from legacy */ - } + status = groups_for_user(r->pool, user, conf->groupfile, + &grpstatus); - reqs = (require_line *)reqs_arr->elts; + if (status != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Could not open group file: %s", + conf->groupfile); + return AUTHZ_DENIED; + } - for (x = 0; x < reqs_arr->nelts; x++) { + if (apr_table_elts(grpstatus)->nelts == 0) { + /* no groups available, so exit immediately */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user doesn't appear in group file (%s).", + r->user, r->uri, conf->groupfile); + return AUTHZ_DENIED; + } - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; + t = require_args; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + if (apr_table_get(grpstatus, w)) { + return AUTHZ_GRANTED; } + } - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user is not part of the 'require'ed group(s).", + r->user, r->uri); - /* needs mod_authz_owner to be present */ - if (!strcasecmp(w, "file-group")) { - filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE); + return AUTHZ_DENIED; +} - if (!filegroup) { - /* mod_authz_owner is not present or not - * authoritative. We are just a helper module for testing - * group membership, so we don't care and decline. - */ - continue; - } - } +APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; - if (!strcasecmp(w, "group") || filegroup) { - required_group = 1; /* remember the requirement */ - - /* create group table only if actually needed. */ - if (!grpstatus) { - apr_status_t status; - - status = groups_for_user(r->pool, user, conf->groupfile, - &grpstatus); - - if (status != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, - "Could not open group file: %s", - conf->groupfile); - return HTTP_INTERNAL_SERVER_ERROR; - } - - if (apr_table_elts(grpstatus)->nelts == 0) { - /* no groups available, so exit immediately */ - reason = apr_psprintf(r->pool, - "user doesn't appear in group file " - "(%s).", conf->groupfile); - break; - } - } +static authz_status filegroup_check_authorization(request_rec *r, + const char *require_args) +{ + authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, + &authz_groupfile_module); + char *user = r->user; + apr_table_t *grpstatus = NULL; + apr_status_t status; + const char *filegroup = NULL; - if (filegroup) { - if (apr_table_get(grpstatus, filegroup)) { - return OK; - } - - if (conf->authoritative) { - reason = apr_psprintf(r->pool, - "file group '%s' does not match.", - filegroup); - break; - } - - /* now forget the filegroup, thus alternatively require'd - groups get a real chance */ - filegroup = NULL; - } - else { - while (t[0]) { - w = ap_getword_conf(r->pool, &t); - if (apr_table_get(grpstatus, w)) { - return OK; - } - } - } - } + /* If there is no group file - then we are not + * configured. So decline. + */ + if (!(conf->groupfile)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "No group file was specified in the configuration"); + return AUTHZ_DENIED; + } + + status = groups_for_user(r->pool, user, conf->groupfile, + &grpstatus); + if (status != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Could not open group file: %s", + conf->groupfile); + return AUTHZ_DENIED; + } + + if (apr_table_elts(grpstatus)->nelts == 0) { + /* no groups available, so exit immediately */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user doesn't appear in group file (%s).", + r->user, r->uri, conf->groupfile); + return AUTHZ_DENIED; } - /* No applicable "require group" for this method seen */ - if (!required_group || !conf->authoritative) { - return DECLINED; + filegroup = authz_owner_get_file_group(r); + + if (filegroup) { + if (apr_table_get(grpstatus, filegroup)) { + return AUTHZ_GRANTED; + } + } + else { + /* No need to emit a error log entry because the call + to authz_owner_get_file_group already did it + for us. + */ + return AUTHZ_DENIED; } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Authorization of user %s to access %s failed, reason: %s", - r->user, r->uri, - reason ? reason : "user is not part of the " - "'require'ed group(s)."); + "Authorization of user %s to access %s failed, reason: " + "user is not part of the 'require'ed file group.", + r->user, r->uri); - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; + return AUTHZ_DENIED; } +static const authz_provider authz_group_provider = +{ + &group_check_authorization, +}; + +static const authz_provider authz_filegroup_provider = +{ + &filegroup_check_authorization, +}; + static void register_hooks(apr_pool_t *p) { - static const char * const aszPre[]={ "mod_authz_owner.c", NULL }; + authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group); - ap_hook_auth_checker(check_user_access, aszPre, NULL, APR_HOOK_MIDDLE); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "group", "0", + &authz_group_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "file-group", "0", + &authz_filegroup_provider); } module AP_MODULE_DECLARE_DATA authz_groupfile_module = diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c index 582f32c7ac..89ebc023b6 100644 --- a/modules/aaa/mod_authz_host.c +++ b/modules/aaa/mod_authz_host.c @@ -30,145 +30,36 @@ #include "apr_want.h" #include "ap_config.h" +#include "ap_provider.h" #include "httpd.h" #include "http_core.h" #include "http_config.h" #include "http_log.h" +#include "http_protocol.h" #include "http_request.h" +#include "mod_auth.h" + #if APR_HAVE_NETINET_IN_H #include #endif -enum allowdeny_type { - T_ENV, - T_ALL, - T_IP, - T_HOST, - T_FAIL -}; - typedef struct { - apr_int64_t limited; - union { - char *from; - apr_ipsubnet_t *ip; - } x; - enum allowdeny_type type; -} allowdeny; - -/* things in the 'order' array */ -#define DENY_THEN_ALLOW 0 -#define ALLOW_THEN_DENY 1 -#define MUTUAL_FAILURE 2 - -typedef struct { - int order[METHODS]; - apr_array_header_t *allows; - apr_array_header_t *denys; + int dummy; /* just here to stop compiler warnings for now. */ } authz_host_dir_conf; module AP_MODULE_DECLARE_DATA authz_host_module; static void *create_authz_host_dir_config(apr_pool_t *p, char *dummy) { - int i; authz_host_dir_conf *conf = (authz_host_dir_conf *)apr_pcalloc(p, sizeof(authz_host_dir_conf)); - for (i = 0; i < METHODS; ++i) { - conf->order[i] = DENY_THEN_ALLOW; - } - conf->allows = apr_array_make(p, 1, sizeof(allowdeny)); - conf->denys = apr_array_make(p, 1, sizeof(allowdeny)); - return (void *)conf; } -static const char *order(cmd_parms *cmd, void *dv, const char *arg) -{ - authz_host_dir_conf *d = (authz_host_dir_conf *) dv; - int i, o; - - if (!strcasecmp(arg, "allow,deny")) - o = ALLOW_THEN_DENY; - else if (!strcasecmp(arg, "deny,allow")) - o = DENY_THEN_ALLOW; - else if (!strcasecmp(arg, "mutual-failure")) - o = MUTUAL_FAILURE; - else - return "unknown order"; - - for (i = 0; i < METHODS; ++i) - if (cmd->limited & (AP_METHOD_BIT << i)) - d->order[i] = o; - - return NULL; -} - -static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from, - const char *where_c) -{ - authz_host_dir_conf *d = (authz_host_dir_conf *) dv; - allowdeny *a; - char *where = apr_pstrdup(cmd->pool, where_c); - char *s; - char msgbuf[120]; - apr_status_t rv; - - if (strcasecmp(from, "from")) - return "allow and deny must be followed by 'from'"; - - a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys); - a->x.from = where; - a->limited = cmd->limited; - - if (!strncasecmp(where, "env=", 4)) { - a->type = T_ENV; - a->x.from += 4; - - } - else if (!strcasecmp(where, "all")) { - a->type = T_ALL; - } - else if ((s = ap_strchr(where, '/'))) { - *s++ = '\0'; - rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool); - if(APR_STATUS_IS_EINVAL(rv)) { - /* looked nothing like an IP address */ - return "An IP address was expected"; - } - else if (rv != APR_SUCCESS) { - apr_strerror(rv, msgbuf, sizeof msgbuf); - return apr_pstrdup(cmd->pool, msgbuf); - } - a->type = T_IP; - } - else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where, - NULL, cmd->pool))) { - if (rv != APR_SUCCESS) { - apr_strerror(rv, msgbuf, sizeof msgbuf); - return apr_pstrdup(cmd->pool, msgbuf); - } - a->type = T_IP; - } - else { /* no slash, didn't look like an IP address => must be a host */ - a->type = T_HOST; - } - - return NULL; -} - -static char its_an_allow; - static const command_rec authz_host_cmds[] = { - AP_INIT_TAKE1("order", order, NULL, OR_LIMIT, - "'allow,deny', 'deny,allow', or 'mutual-failure'"), - AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT, - "'from' followed by hostnames or IP-address wildcards"), - AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT, - "'from' followed by hostnames or IP-address wildcards"), {NULL} }; @@ -199,115 +90,168 @@ static int in_domain(const char *domain, const char *what) } } -static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method) +static authz_status env_check_authorization(request_rec *r, const char *require_line) { - - allowdeny *ap = (allowdeny *) a->elts; - apr_int64_t mmask = (AP_METHOD_BIT << method); - int i; - int gothost = 0; - const char *remotehost = NULL; - - for (i = 0; i < a->nelts; ++i) { - if (!(mmask & ap[i].limited)) { - continue; + const char *t, *w; + + /* The 'env' provider will allow the configuration to specify a list of + env variables to check rather than a single variable. This is different + from the previous host based syntax. */ + t = require_line; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + if (apr_table_get(r->subprocess_env, w)) { + return AUTHZ_GRANTED; } + } - switch (ap[i].type) { - case T_ENV: - if (apr_table_get(r->subprocess_env, ap[i].x.from)) { - return 1; - } - break; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "access to %s failed, reason: env variable list does not meet " + "'require'ments for user '%s' to be allowed access", + r->uri, r->user); - case T_ALL: - return 1; + ap_note_auth_failure(r); + return AUTHZ_DENIED; +} - case T_IP: - if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) { - return 1; +static authz_status ip_check_authorization(request_rec *r, const char *require_line) +{ + const char *t, *w; + + /* The 'ip' provider will allow the configuration to specify a list of + ip addresses to check rather than a single address. This is different + from the previous host based syntax. */ + t = require_line; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + char *where = apr_pstrdup(r->pool, w); + char *s; + char msgbuf[120]; + apr_ipsubnet_t *ip; + apr_status_t rv; + int got_ip = 0; + + if ((s = ap_strchr(where, '/'))) { + *s++ = '\0'; + rv = apr_ipsubnet_create(&ip, where, s, r->pool); + if(APR_STATUS_IS_EINVAL(rv)) { + /* looked nothing like an IP address */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "an ip address 'require' list appears to be invalid "); } - break; - - case T_HOST: - if (!gothost) { - int remotehost_is_ip; - - remotehost = ap_get_remote_host(r->connection, - r->per_dir_config, - REMOTE_DOUBLE_REV, - &remotehost_is_ip); - - if ((remotehost == NULL) || remotehost_is_ip) { - gothost = 1; - } - else { - gothost = 2; - } + else if (rv != APR_SUCCESS) { + apr_strerror(rv, msgbuf, sizeof msgbuf); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "an ip address 'require' list appears to be invalid; %s ", + msgbuf); } - - if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) { - return 1; + else + got_ip = 1; + } + else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&ip, where, + NULL, r->pool))) { + if (rv != APR_SUCCESS) { + apr_strerror(rv, msgbuf, sizeof msgbuf); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "an ip address 'require' list appears to be invalid; %s ", + msgbuf); } - break; + else + got_ip = 1; + } - case T_FAIL: - /* do nothing? */ - break; + if (got_ip && apr_ipsubnet_test(ip, r->connection->remote_addr)) { + return AUTHZ_GRANTED; } } - return 0; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "access to %s failed, reason: ip address list does not meet " + "'require'ments for user '%s' to be allowed access", + r->uri, r->user); + + ap_note_auth_failure(r); + return AUTHZ_DENIED; } -static int check_dir_access(request_rec *r) +static authz_status host_check_authorization(request_rec *r, const char *require_line) { - int method = r->method_number; - int ret = OK; - authz_host_dir_conf *a = (authz_host_dir_conf *) - ap_get_module_config(r->per_dir_config, &authz_host_module); - - if (a->order[method] == ALLOW_THEN_DENY) { - ret = HTTP_FORBIDDEN; - if (find_allowdeny(r, a->allows, method)) { - ret = OK; - } - if (find_allowdeny(r, a->denys, method)) { - ret = HTTP_FORBIDDEN; - } - } - else if (a->order[method] == DENY_THEN_ALLOW) { - if (find_allowdeny(r, a->denys, method)) { - ret = HTTP_FORBIDDEN; - } - if (find_allowdeny(r, a->allows, method)) { - ret = OK; - } + const char *t, *w; + const char *remotehost = NULL; + int remotehost_is_ip; + + remotehost = ap_get_remote_host(r->connection, + r->per_dir_config, + REMOTE_DOUBLE_REV, + &remotehost_is_ip); + + if ((remotehost == NULL) || remotehost_is_ip) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "access to %s failed, reason: unable to get the " + "remote host name", r->uri); } else { - if (find_allowdeny(r, a->allows, method) - && !find_allowdeny(r, a->denys, method)) { - ret = OK; - } - else { - ret = HTTP_FORBIDDEN; + /* The 'host' provider will allow the configuration to specify a list of + host names to check rather than a single name. This is different + from the previous host based syntax. */ + t = require_line; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + if (in_domain(w, remotehost)) { + return AUTHZ_GRANTED; + } } - } - if (ret == HTTP_FORBIDDEN - && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "client denied by server configuration: %s", - r->filename); + "access to %s failed, reason: host name list does not meet " + "'require'ments for user '%s' to be allowed access", + r->uri, r->user); } - return ret; + ap_note_auth_failure(r); + return AUTHZ_DENIED; +} + +static authz_status all_check_authorization(request_rec *r, const char *require_line) +{ + /* If the argument to the 'all' provider is 'granted' then just let + everybody in. This would be equivalent to the previous syntax of + 'allow from all'. If the argument is anything else, this would + be equivalent to 'deny from all' Of course the opposite would be + true if the 'all' provider is invoked by the 'reject' directive */ + if (strcasecmp(require_line, "granted") == 0) { + return AUTHZ_GRANTED; + } + return AUTHZ_DENIED; } +static const authz_provider authz_env_provider = +{ + &env_check_authorization, +}; + +static const authz_provider authz_ip_provider = +{ + &ip_check_authorization, +}; + +static const authz_provider authz_host_provider = +{ + &host_check_authorization, +}; + +static const authz_provider authz_all_provider = +{ + &all_check_authorization, +}; + static void register_hooks(apr_pool_t *p) { - /* This can be access checker since we don't require r->user to be set. */ - ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "env", "0", + &authz_env_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ip", "0", + &authz_ip_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "host", "0", + &authz_host_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "all", "0", + &authz_all_provider); } module AP_MODULE_DECLARE_DATA authz_host_module = diff --git a/modules/aaa/mod_authz_owner.c b/modules/aaa/mod_authz_owner.c index 050860d896..1f74800379 100644 --- a/modules/aaa/mod_authz_owner.c +++ b/modules/aaa/mod_authz_owner.c @@ -19,6 +19,7 @@ #include "apr_user.h" #include "ap_config.h" +#include "ap_provider.h" #include "httpd.h" #include "http_config.h" #include "http_core.h" @@ -29,202 +30,155 @@ #include "mod_auth.h" /* for AUTHZ_GROUP_NOTE */ typedef struct { - int authoritative; } authz_owner_config_rec; +APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r)); + static void *create_authz_owner_dir_config(apr_pool_t *p, char *d) { authz_owner_config_rec *conf = apr_palloc(p, sizeof(*conf)); - conf->authoritative = 1; /* keep the fortress secure by default */ return conf; } static const command_rec authz_owner_cmds[] = { - AP_INIT_FLAG("AuthzOwnerAuthoritative", ap_set_flag_slot, - (void *)APR_OFFSETOF(authz_owner_config_rec, authoritative), - OR_AUTHCFG, - "Set to 'Off' to allow access control to be passed along to " - "lower modules. (default is On.)"), {NULL} }; module AP_MODULE_DECLARE_DATA authz_owner_module; -static int check_file_owner(request_rec *r) +static authz_status fileowner_check_authorization(request_rec *r, + const char *require_args) { - authz_owner_config_rec *conf = ap_get_module_config(r->per_dir_config, - &authz_owner_module); - int m = r->method_number; - register int x; - const char *t, *w; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs; - int required_owner = 0; - apr_status_t status = 0; char *reason = NULL; + apr_status_t status = 0; - if (!reqs_arr) { - return DECLINED; +#if !APR_HAS_USER + reason = "'Require file-owner' is not supported on this platform."; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return AUTHZ_DENIED; +#else /* APR_HAS_USER */ + char *owner = NULL; + apr_finfo_t finfo; + + if (!r->filename) { + reason = "no filename available"; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return AUTHZ_DENIED; } - reqs = (require_line *)reqs_arr->elts; - for (x = 0; x < reqs_arr->nelts; x++) { - - /* if authoritative = On then break if a require already failed. */ - if (reason && conf->authoritative) { - break; - } + status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool); + if (status != APR_SUCCESS) { + reason = apr_pstrcat(r->pool, "could not stat file ", + r->filename, NULL); + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return AUTHZ_DENIED; + } - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; - } + if (!(finfo.valid & APR_FINFO_USER)) { + reason = "no file owner information available"; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return AUTHZ_DENIED; + } - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); + status = apr_uid_name_get(&owner, finfo.user, r->pool); + if (status != APR_SUCCESS || !owner) { + reason = "could not get name of file owner"; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return AUTHZ_DENIED; + } - if (!strcmp(w, "file-owner")) { -#if !APR_HAS_USER - if ((required_owner & ~1) && conf->authoritative) { - break; - } + if (strcmp(owner, r->user)) { + reason = apr_psprintf(r->pool, "file owner %s does not match.", + owner); + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return AUTHZ_DENIED; + } - required_owner |= 1; /* remember the requirement */ - reason = "'Require file-owner' is not supported on this platform."; - continue; -#else /* APR_HAS_USER */ - char *owner = NULL; - apr_finfo_t finfo; - - if ((required_owner & ~1) && conf->authoritative) { - break; - } - - required_owner |= 1; /* remember the requirement */ - - if (!r->filename) { - reason = "no filename available"; - continue; - } - - status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool); - if (status != APR_SUCCESS) { - reason = apr_pstrcat(r->pool, "could not stat file ", - r->filename, NULL); - continue; - } - - if (!(finfo.valid & APR_FINFO_USER)) { - reason = "no file owner information available"; - continue; - } - - status = apr_uid_name_get(&owner, finfo.user, r->pool); - if (status != APR_SUCCESS || !owner) { - reason = "could not get name of file owner"; - continue; - } - - if (strcmp(owner, r->user)) { - reason = apr_psprintf(r->pool, "file owner %s does not match.", - owner); - continue; - } - - /* this user is authorized */ - return OK; + /* this user is authorized */ + return AUTHZ_GRANTED; #endif /* APR_HAS_USER */ - } - - /* file-group only figures out the file's group and lets - * other modules do the actual authorization (against a group file/db). - * Thus, these modules have to hook themselves after - * mod_authz_owner and of course recognize 'file-group', too. - */ - if (!strcmp(w, "file-group")) { -#if !APR_HAS_USER - if ((required_owner & ~6) && conf->authoritative) { - break; - } +} - required_owner |= 2; /* remember the requirement */ - reason = "'Require file-group' is not supported on this platform."; - continue; +static char *authz_owner_get_file_group(request_rec *r) +{ + char *reason = NULL; + + /* file-group only figures out the file's group and lets + * other modules do the actual authorization (against a group file/db). + * Thus, these modules have to hook themselves after + * mod_authz_owner and of course recognize 'file-group', too. + */ +#if !APR_HAS_USER + return NULL; #else /* APR_HAS_USER */ - char *group = NULL; - apr_finfo_t finfo; - - if ((required_owner & ~6) && conf->authoritative) { - break; - } - - required_owner |= 2; /* remember the requirement */ - - if (!r->filename) { - reason = "no filename available"; - continue; - } - - status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool); - if (status != APR_SUCCESS) { - reason = apr_pstrcat(r->pool, "could not stat file ", - r->filename, NULL); - continue; - } - - if (!(finfo.valid & APR_FINFO_GROUP)) { - reason = "no file group information available"; - continue; - } - - status = apr_gid_name_get(&group, finfo.group, r->pool); - if (status != APR_SUCCESS || !group) { - reason = "could not get name of file group"; - continue; - } - - /* store group name in a note and let others decide... */ - apr_table_setn(r->notes, AUTHZ_GROUP_NOTE, group); - required_owner |= 4; - continue; -#endif /* APR_HAS_USER */ - } + char *group = NULL; + apr_finfo_t finfo; + apr_status_t status = 0; + + if (!r->filename) { + reason = "no filename available"; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return NULL; } - if (!required_owner || !conf->authoritative) { - return DECLINED; + status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool); + if (status != APR_SUCCESS) { + reason = apr_pstrcat(r->pool, "could not stat file ", + r->filename, NULL); + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return NULL; } - /* allow file-group passed to group db modules either if this is the - * only applicable requirement here or if a file-owner failed but we're - * not authoritative. - * This allows configurations like: - * - * AuthzOwnerAuthoritative Off - * require file-owner - * require file-group - * - * with the semantical meaning of "either owner or group must match" - * (inclusive or) - * - * [ 6 == 2 | 4; 7 == 1 | 2 | 4 ] should I use #defines instead? - */ - if (required_owner == 6 || (required_owner == 7 && !conf->authoritative)) { - return DECLINED; + if (!(finfo.valid & APR_FINFO_GROUP)) { + reason = "no file group information available"; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return NULL; } - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, - "Authorization of user %s to access %s failed, reason: %s", - r->user, r->uri, reason ? reason : "unknown"); + status = apr_gid_name_get(&group, finfo.group, r->pool); + if (status != APR_SUCCESS || !group) { + reason = "could not get name of file group"; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Authorization of user %s to access %s failed, reason: %s", + r->user, r->uri, reason ? reason : "unknown"); + return NULL; + } - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; + return group; +#endif /* APR_HAS_USER */ } +static const authz_provider authz_fileowner_provider = +{ + &fileowner_check_authorization, +}; + static void register_hooks(apr_pool_t *p) { - ap_hook_auth_checker(check_file_owner, NULL, NULL, APR_HOOK_MIDDLE); + APR_REGISTER_OPTIONAL_FN(authz_owner_get_file_group); + + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "file-owner", "0", + &authz_fileowner_provider); } module AP_MODULE_DECLARE_DATA authz_owner_module = diff --git a/modules/aaa/mod_authz_user.c b/modules/aaa/mod_authz_user.c index cc6d808a3e..0292f841bf 100644 --- a/modules/aaa/mod_authz_user.c +++ b/modules/aaa/mod_authz_user.c @@ -17,6 +17,7 @@ #include "apr_strings.h" #include "ap_config.h" +#include "ap_provider.h" #include "httpd.h" #include "http_config.h" #include "http_core.h" @@ -24,97 +25,67 @@ #include "http_protocol.h" #include "http_request.h" +#include "mod_auth.h" + typedef struct { - int authoritative; + int dummy; /* just here to stop compiler warnings for now. */ } authz_user_config_rec; static void *create_authz_user_dir_config(apr_pool_t *p, char *d) { authz_user_config_rec *conf = apr_palloc(p, sizeof(*conf)); - conf->authoritative = 1; /* keep the fortress secure by default */ return conf; } static const command_rec authz_user_cmds[] = { - AP_INIT_FLAG("AuthzUserAuthoritative", ap_set_flag_slot, - (void *)APR_OFFSETOF(authz_user_config_rec, authoritative), - OR_AUTHCFG, - "Set to 'Off' to allow access control to be passed along to " - "lower modules if the 'require user' or 'require valid-user' " - "statement is not met. (default: On)."), {NULL} }; module AP_MODULE_DECLARE_DATA authz_user_module; -static int check_user_access(request_rec *r) +static authz_status user_check_authorization(request_rec *r, + const char *require_args) { - authz_user_config_rec *conf = ap_get_module_config(r->per_dir_config, - &authz_user_module); - char *user = r->user; - int m = r->method_number; - int required_user = 0; - register int x; const char *t, *w; - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs; - - /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive, - * then any user will do. - */ - if (!reqs_arr) { - return DECLINED; - } - reqs = (require_line *)reqs_arr->elts; - - for (x = 0; x < reqs_arr->nelts; x++) { - - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { - continue; - } - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); - if (!strcasecmp(w, "valid-user")) { - return OK; + t = require_args; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + if (!strcmp(r->user, w)) { + return AUTHZ_GRANTED; } - if (!strcasecmp(w, "user")) { - /* And note that there are applicable requirements - * which we consider ourselves the owner of. - */ - required_user = 1; - while (t[0]) { - w = ap_getword_conf(r->pool, &t); - if (!strcmp(user, w)) { - return OK; - } - } - } - } - - if (!required_user) { - /* no applicable requirements */ - return DECLINED; - } - - if (!conf->authoritative) { - return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: user '%s' does not meet " - "'require'ments for user/valid-user to be allowed access", - r->uri, user); + "'require'ments for user to be allowed access", + r->uri, r->user); ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; + return AUTHZ_DENIED; } +static authz_status validuser_check_authorization(request_rec *r, const char *require_line) +{ + return AUTHZ_GRANTED; +} + +static const authz_provider authz_user_provider = +{ + &user_check_authorization, +}; +static const authz_provider authz_validuser_provider = +{ + &validuser_check_authorization, +}; + static void register_hooks(apr_pool_t *p) { - ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "user", "0", + &authz_user_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "valid-user", "0", + &authz_validuser_provider); } module AP_MODULE_DECLARE_DATA authz_user_module = diff --git a/server/core.c b/server/core.c index cd71ce7991..b3bd1b45b2 100644 --- a/server/core.c +++ b/server/core.c @@ -99,7 +99,6 @@ static char errordocument_default; static void *create_core_dir_config(apr_pool_t *a, char *dir) { core_dir_config *conf; - int i; conf = (core_dir_config *)apr_pcalloc(a, sizeof(core_dir_config)); @@ -118,10 +117,6 @@ static void *create_core_dir_config(apr_pool_t *a, char *dir) conf->use_canonical_phys_port = USE_CANONICAL_PHYS_PORT_UNSET; conf->hostname_lookups = HOSTNAME_LOOKUP_UNSET; - conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS); - for (i = 0; i < METHODS; ++i) { - conf->satisfy[i] = SATISFY_NOSPEC; - } #ifdef RLIMIT_CPU conf->limit_cpu = NULL; @@ -268,18 +263,6 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv) conf->ap_default_type = new->ap_default_type; } - if (new->ap_auth_type) { - conf->ap_auth_type = new->ap_auth_type; - } - - if (new->ap_auth_name) { - conf->ap_auth_name = new->ap_auth_name; - } - - if (new->ap_requires) { - conf->ap_requires = new->ap_requires; - } - if (conf->response_code_strings == NULL) { conf->response_code_strings = new->response_code_strings; } @@ -358,16 +341,6 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv) /* Otherwise we simply use the base->sec_file array */ - /* use a separate ->satisfy[] array either way */ - conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS); - for (i = 0; i < METHODS; ++i) { - if (new->satisfy[i] != SATISFY_NOSPEC) { - conf->satisfy[i] = new->satisfy[i]; - } else { - conf->satisfy[i] = base->satisfy[i]; - } - } - if (new->server_signature != srv_sig_unset) { conf->server_signature = new->server_signature; } @@ -670,24 +643,30 @@ AP_DECLARE(int) ap_allow_overrides(request_rec *r) return conf->override; } +/* + * Optional function coming from mod_ident, used for looking up ident user + */ +static APR_OPTIONAL_FN_TYPE(authn_ap_auth_type) *authn_ap_auth_type; + AP_DECLARE(const char *) ap_auth_type(request_rec *r) { - core_dir_config *conf; - - conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, - &core_module); - - return conf->ap_auth_type; + if (authn_ap_auth_type) { + return authn_ap_auth_type(r); + } + return NULL; } +/* + * Optional function coming from mod_ident, used for looking up ident user + */ +static APR_OPTIONAL_FN_TYPE(authn_ap_auth_name) *authn_ap_auth_name; + AP_DECLARE(const char *) ap_auth_name(request_rec *r) { - core_dir_config *conf; - - conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, - &core_module); - - return conf->ap_auth_name; + if (authn_ap_auth_name) { + return authn_ap_auth_name(r); + } + return NULL; } AP_DECLARE(const char *) ap_default_type(request_rec *r) @@ -712,26 +691,6 @@ AP_DECLARE(const char *) ap_document_root(request_rec *r) /* Don't use this! */ return conf->ap_document_root; } -AP_DECLARE(const apr_array_header_t *) ap_requires(request_rec *r) -{ - core_dir_config *conf; - - conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, - &core_module); - - return conf->ap_requires; -} - -AP_DECLARE(int) ap_satisfies(request_rec *r) -{ - core_dir_config *conf; - - conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, - &core_module); - - return conf->satisfy[r->method_number]; -} - /* Should probably just get rid of this... the only code that cares is * part of the core anyway (and in fact, it isn't publicised to other * modules). @@ -1659,46 +1618,6 @@ static const char *set_enable_sendfile(cmd_parms *cmd, void *d_, return NULL; } -static const char *satisfy(cmd_parms *cmd, void *c_, const char *arg) -{ - core_dir_config *c = c_; - int satisfy = SATISFY_NOSPEC; - int i; - - if (!strcasecmp(arg, "all")) { - satisfy = SATISFY_ALL; - } - else if (!strcasecmp(arg, "any")) { - satisfy = SATISFY_ANY; - } - else { - return "Satisfy either 'any' or 'all'."; - } - - for (i = 0; i < METHODS; ++i) { - if (cmd->limited & (AP_METHOD_BIT << i)) { - c->satisfy[i] = satisfy; - } - } - - return NULL; -} - -static const char *require(cmd_parms *cmd, void *c_, const char *arg) -{ - require_line *r; - core_dir_config *c = c_; - - if (!c->ap_requires) { - c->ap_requires = apr_array_make(cmd->pool, 2, sizeof(require_line)); - } - - r = (require_line *)apr_array_push(c->ap_requires); - r->requirement = apr_pstrdup(cmd->pool, arg); - r->method_mask = cmd->limited; - - return NULL; -} /* * Report a missing-'>' syntax error. @@ -2658,19 +2577,6 @@ AP_DECLARE(const char *) ap_psignature(const char *prefix, request_rec *r) "\n", NULL); } -/* - * Load an authorisation realm into our location configuration, applying the - * usual rules that apply to realms. - */ -static const char *set_authname(cmd_parms *cmd, void *mconfig, - const char *word1) -{ - core_dir_config *aconfig = (core_dir_config *)mconfig; - - aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1); - return NULL; -} - /* * Handle a request to include the server's OS platform in the Server * response header field (the ServerTokens directive). Unfortunately @@ -3227,15 +3133,6 @@ AP_INIT_RAW_ARGS("ap_auth_type = r->prev->ap_auth_type; } else { - switch (ap_satisfies(r)) { - case SATISFY_ALL: - case SATISFY_NOSPEC: - if ((access_status = ap_run_access_checker(r)) != 0) { - return decl_die(access_status, "check access", r); - } - - if (ap_some_auth_required(r)) { - if (((access_status = ap_run_check_user_id(r)) != 0) - || !ap_auth_type(r)) { - return decl_die(access_status, ap_auth_type(r) - ? "check user. No user file?" - : "perform authentication. AuthType not set!", - r); - } - - if (((access_status = ap_run_auth_checker(r)) != 0) - || !ap_auth_type(r)) { - return decl_die(access_status, ap_auth_type(r) - ? "check access. No groups file?" - : "perform authentication. AuthType not set!", - r); - } - } - break; - - case SATISFY_ANY: - if (((access_status = ap_run_access_checker(r)) != 0)) { - if (!ap_some_auth_required(r)) { - return decl_die(access_status, "check access", r); - } + if ((access_status = ap_run_access_checker(r)) != 0) { + return decl_die(access_status, "check access", r); + } - if (((access_status = ap_run_check_user_id(r)) != 0) - || !ap_auth_type(r)) { - return decl_die(access_status, ap_auth_type(r) - ? "check user. No user file?" - : "perform authentication. AuthType not set!", - r); - } + if ((access_status = ap_run_check_user_id(r)) != 0) { + return decl_die(access_status, "check user", r); + } - if (((access_status = ap_run_auth_checker(r)) != 0) - || !ap_auth_type(r)) { - return decl_die(access_status, ap_auth_type(r) - ? "check access. No groups file?" - : "perform authentication. AuthType not set!", - r); - } - } - break; + if ((access_status = ap_run_auth_checker(r)) != 0) { + return decl_die(access_status, "check authorization", r); } + } /* XXX Must make certain the ap_run_type_checker short circuits mime * in mod-proxy for r->proxyreq && r->parsed_uri.scheme @@ -1555,28 +1517,16 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_sub_req_output_filter(ap_filter_t *f, return APR_SUCCESS; } +extern APR_OPTIONAL_FN_TYPE(authz_some_auth_required) *authz_ap_some_auth_required; AP_DECLARE(int) ap_some_auth_required(request_rec *r) { /* Is there a require line configured for the type of *this* req? */ - - const apr_array_header_t *reqs_arr = ap_requires(r); - require_line *reqs; - int i; - - if (!reqs_arr) { - return 0; + if (authz_ap_some_auth_required) { + return authz_ap_some_auth_required(r); } - - reqs = (require_line *) reqs_arr->elts; - - for (i = 0; i < reqs_arr->nelts; ++i) { - if (reqs[i].method_mask & (AP_METHOD_BIT << r->method_number)) { - return 1; - } - } - - return 0; + else + return 0; }