From 1b4236d695a48c36daa6e00e75e0606bda871ee4 Mon Sep 17 00:00:00 2001 From: Nick Kew Date: Fri, 14 Oct 2005 23:33:40 +0000 Subject: [PATCH] Add mod_authn_dbd git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@321247 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_authn_dbd.html | 3 + docs/manual/mod/mod_authn_dbd.html.en | 117 +++++++++++++ docs/manual/mod/mod_authn_dbd.xml | 104 +++++++++++ docs/manual/mod/mod_authn_dbd.xml.meta | 11 ++ modules/aaa/mod_authn_dbd.c | 230 +++++++++++++++++++++++++ 5 files changed, 465 insertions(+) create mode 100644 docs/manual/mod/mod_authn_dbd.html create mode 100644 docs/manual/mod/mod_authn_dbd.html.en create mode 100644 docs/manual/mod/mod_authn_dbd.xml create mode 100644 docs/manual/mod/mod_authn_dbd.xml.meta create mode 100644 modules/aaa/mod_authn_dbd.c diff --git a/docs/manual/mod/mod_authn_dbd.html b/docs/manual/mod/mod_authn_dbd.html new file mode 100644 index 0000000000..f86a5a6604 --- /dev/null +++ b/docs/manual/mod/mod_authn_dbd.html @@ -0,0 +1,3 @@ +URI: mod_authn_dbd.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 diff --git a/docs/manual/mod/mod_authn_dbd.html.en b/docs/manual/mod/mod_authn_dbd.html.en new file mode 100644 index 0000000000..e23cd17ea5 --- /dev/null +++ b/docs/manual/mod/mod_authn_dbd.html.en @@ -0,0 +1,117 @@ + + + +mod_authn_dbd - Apache HTTP Server + + + + + +
+

Modules | Directives | FAQ | Glossary | Sitemap

+

Apache HTTP Server Version 2.1

+
+
<-
+
+Apache > HTTP Server > Documentation > Version 2.1 > Modules
+
+

Apache Module mod_authn_dbd

+
+

Available Languages:  en 

+
+ + + + +
Description:User authentication using an SQL database
Status:Extension
Module Identifier:authn_dbd_module
Source File:mod_authn_dbd.c
Compatibility:Available in Apache 2.1 and later
+

Summary

+ +

This module provides authentication front-ends such as + mod_auth_digest and mod_auth_basic + to authenticate users by looking up users in SQL tables. + Similar functionality is provided by, for example, + mod_authn_file.

+

This module relies on mod_dbd to specify + the backend database driver and connection parameters, and + manage the database connections.

+ +

When using mod_auth_basic or + mod_auth_digest, this module is invoked via the + AuthBasicProvider or + AuthDigestProvider + with the dbd value.

+
+ + +
top
+

AuthDBDUserPWQuery Directive

+ + + + + + + +
Description:SQL query to look up a password for a user
Syntax:AuthDBDUserPWQuery query
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_dbd
+

The AuthDBDUserPWQuery specifies an + SQL query to look up a password for a specified user. + The query must take a single string (typically SQL varchar) + argument (username), and return a single value (encrypted password). +

+

+ AuthDBDUserPWQuery "SELECT password FROM authn WHERE username = %s" +

+ + +
+
top
+

AuthDBDUserRealmQuery Directive

+ + + + + + + +
Description:SQL query to look up a password hash for a user and realm. +
Syntax:AuthDBDUserRealmQuery query
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_dbd
+

The AuthDBDUserRealmPWQuery specifies an + SQL query to look up a password for a specified user and realm. + The query must take two string (typically SQL varchar) arguments + (username and realm), and return a single value (encrypted password). +

+

+ AuthDBDUserRealmPWQuery "SELECT password FROM authn + WHERE username = %s AND realm = %s" +

+ + +
+
+
+

Available Languages:  en 

+
+ diff --git a/docs/manual/mod/mod_authn_dbd.xml b/docs/manual/mod/mod_authn_dbd.xml new file mode 100644 index 0000000000..728d86b71d --- /dev/null +++ b/docs/manual/mod/mod_authn_dbd.xml @@ -0,0 +1,104 @@ + + + + + + + + + +mod_authn_dbd +User authentication using an SQL database +Extension +mod_authn_dbd.c +authn_dbd_module +Available in Apache 2.1 and later + + +

This module provides authentication front-ends such as + mod_auth_digest and mod_auth_basic + to authenticate users by looking up users in SQL tables. + Similar functionality is provided by, for example, + mod_authn_file.

+

This module relies on mod_dbd to specify + the backend database driver and connection parameters, and + manage the database connections.

+ +

When using mod_auth_basic or + mod_auth_digest, this module is invoked via the + AuthBasicProvider or + AuthDigestProvider + with the dbd value.

+ + +AuthName +AuthType + + AuthBasicProvider + + + AuthDigestProvider + +DBDriver +DBDParams + + +AuthDBDUserPWQuery +SQL query to look up a password for a user +AuthDBDUserPWQuery query +directory.htaccess + +AuthConfig + + +

The AuthDBDUserPWQuery specifies an + SQL query to look up a password for a specified user. + The query must take a single string (typically SQL varchar) + argument (username), and return a single value (encrypted password). +

+ + AuthDBDUserPWQuery "SELECT password FROM authn WHERE username = %s" + + + + + + +AuthDBDUserRealmQuery +SQL query to look up a password hash for a user and realm. + +AuthDBDUserRealmQuery query +directory.htaccess + +AuthConfig + + +

The AuthDBDUserRealmPWQuery specifies an + SQL query to look up a password for a specified user and realm. + The query must take two string (typically SQL varchar) arguments + (username and realm), and return a single value (encrypted password). +

+ + AuthDBDUserRealmPWQuery "SELECT password FROM authn + WHERE username = %s AND realm = %s" + + + + + + diff --git a/docs/manual/mod/mod_authn_dbd.xml.meta b/docs/manual/mod/mod_authn_dbd.xml.meta new file mode 100644 index 0000000000..f5d8c8ab93 --- /dev/null +++ b/docs/manual/mod/mod_authn_dbd.xml.meta @@ -0,0 +1,11 @@ + + + + mod_authn_dbd + /mod/ + .. + + + en + + diff --git a/modules/aaa/mod_authn_dbd.c b/modules/aaa/mod_authn_dbd.c new file mode 100644 index 0000000000..fc5c24152a --- /dev/null +++ b/modules/aaa/mod_authn_dbd.c @@ -0,0 +1,230 @@ +/* Copyright 2000-2005 The Apache Software Foundation or its licensors, as + * applicable. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "ap_provider.h" +#include "httpd.h" +#include "http_config.h" +#include "http_log.h" +#include "apr_dbd.h" +#include "mod_dbd.h" +#include "apr_strings.h" +#include "mod_auth.h" +#include "apr_md5.h" + +module AP_MODULE_DECLARE_DATA authn_dbd_module; + +typedef struct { + const char *user; + const char *realm; +} authn_dbd_conf; +typedef struct { + const char *label; + const char *query; +} authn_dbd_rec; + +/* optional function - look it up once in post_config */ +static ap_dbd_t *(*authn_dbd_acquire_fn)(request_rec*) = NULL; +static void (*authn_dbd_prepare_fn)(server_rec*, const char*, const char*) = NULL; + +static void *authn_dbd_cr_conf(apr_pool_t *pool, char *dummy) +{ + authn_dbd_conf *ret = apr_pcalloc(pool, sizeof(authn_dbd_conf)); + return ret; +} +static void *authn_dbd_merge_conf(apr_pool_t *pool, void *BASE, void *ADD) +{ + authn_dbd_conf *add = ADD; + authn_dbd_conf *base = BASE; + authn_dbd_conf *ret = apr_palloc(pool, sizeof(authn_dbd_conf)); + ret->user = (add->user == NULL) ? base->user : add->user; + ret->realm = (add->realm == NULL) ? base->realm : add->realm; + return ret; +} +static const char *authn_dbd_prepare(cmd_parms *cmd, void *cfg, const char *query) +{ + static unsigned int label_num = 0; + char *label; + + if (authn_dbd_prepare_fn == NULL) { + authn_dbd_prepare_fn = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_prepare); + if (authn_dbd_prepare_fn == NULL) { + return "You must load mod_dbd to enable AuthDBD functions"; + } + authn_dbd_acquire_fn = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_acquire); + } + label = apr_psprintf(cmd->pool, "authn_dbd_%d", ++label_num); + + authn_dbd_prepare_fn(cmd->server, query, label); + + /* save the label here for our own use */ + *(void**)cfg = label; + return NULL; +} +static const command_rec authn_dbd_cmds[] = +{ + AP_INIT_TAKE1("AuthDBDUserPWQuery", authn_dbd_prepare, + (void *)APR_OFFSETOF(authn_dbd_conf, user), OR_AUTHCFG, + "Query used to fetch password for user"), + AP_INIT_TAKE1("AuthDBDUserRealmPWQuery", authn_dbd_prepare, + (void *)APR_OFFSETOF(authn_dbd_conf, realm), OR_AUTHCFG, + "Query used to fetch password for user+realm"), + {NULL} +}; +static authn_status authn_dbd_password(request_rec *r, const char *user, + const char *password) +{ + apr_status_t rv; + const char *dbd_password = NULL; + char *colon_pw; + apr_dbd_prepared_t *statement; + apr_dbd_results_t *res = NULL; + apr_dbd_row_t *row = NULL; + + authn_dbd_conf *conf = ap_get_module_config(r->per_dir_config, + &authn_dbd_module); + ap_dbd_t *dbd = authn_dbd_acquire_fn(r); + if (dbd == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Error looking up %s in database", user); + return AUTH_GENERAL_ERROR; + } + + if (conf->user == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "No DBD Authn configured!"); + return AUTH_GENERAL_ERROR; + } + + statement = apr_hash_get(dbd->prepared, conf->user, APR_HASH_KEY_STRING); + if (statement == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "No DBD Authn configured!"); + return AUTH_GENERAL_ERROR; + } + if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, statement, + 0, user, NULL) != 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Error looking up %s in database", user); + return AUTH_GENERAL_ERROR; + } + for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1); + rv != -1; + rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) { + if (rv != 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "Error looking up %s in database", user); + return AUTH_GENERAL_ERROR; + } + if (dbd_password == NULL) { + dbd_password = apr_dbd_get_entry(dbd->driver, row, 0); + } + /* we can't break out here or row won't get cleaned up */ + } + + if (!dbd_password) { + return AUTH_USER_NOT_FOUND; + } + + colon_pw = ap_strchr(dbd_password, ':'); + if (colon_pw) { + *colon_pw = '\0'; + } + + rv = apr_password_validate(password, dbd_password); + + if (rv != APR_SUCCESS) { + return AUTH_DENIED; + } + + return AUTH_GRANTED; +} +static authn_status authn_dbd_realm(request_rec *r, const char *user, + const char *realm, char **rethash) +{ + apr_status_t rv; + const char *dbd_hash = NULL; + char *colon_hash; + apr_dbd_prepared_t *statement; + apr_dbd_results_t *res = NULL; + apr_dbd_row_t *row = NULL; + + authn_dbd_conf *conf = ap_get_module_config(r->per_dir_config, + &authn_dbd_module); + ap_dbd_t *dbd = authn_dbd_acquire_fn(r); + if (dbd == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Error looking up %s in database", user); + return AUTH_GENERAL_ERROR; + } + if (conf->realm == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "No DBD Authn configured!"); + return AUTH_GENERAL_ERROR; + } + statement = apr_hash_get(dbd->prepared, conf->realm, APR_HASH_KEY_STRING); + if (statement == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "No DBD Authn configured!"); + return AUTH_GENERAL_ERROR; + } + if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, statement, + 0, user, realm, NULL) != 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Error looking up %s:%s in database", user, realm); + return AUTH_GENERAL_ERROR; + } + for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1); + rv != -1; + rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) { + if (rv != 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "Error looking up %s in database", user); + return AUTH_GENERAL_ERROR; + } + if (dbd_hash == NULL) { + dbd_hash = apr_dbd_get_entry(dbd->driver, row, 0); + } + /* we can't break out here or row won't get cleaned up */ + } + + if (!dbd_hash) { + return AUTH_USER_NOT_FOUND; + } + + colon_hash = ap_strchr(dbd_hash, ':'); + if (colon_hash) { + *colon_hash = '\0'; + } + + *rethash = apr_pstrdup(r->pool, dbd_hash); + + return AUTH_USER_FOUND; +} +static void authn_dbd_hooks(apr_pool_t *p) +{ + static const authn_provider authn_dbd_provider = { + &authn_dbd_password, + &authn_dbd_realm + }; + + ap_register_provider(p, AUTHN_PROVIDER_GROUP, "dbd", "0", &authn_dbd_provider); +} +module AP_MODULE_DECLARE_DATA authn_dbd_module = +{ + STANDARD20_MODULE_STUFF, + authn_dbd_cr_conf, + authn_dbd_merge_conf, + NULL, + NULL, + authn_dbd_cmds, + authn_dbd_hooks +}; -- 2.40.0