Add the Apache module.
authorSteinar H. Gunderson <sesse@samfundet.no>
Tue, 14 May 2013 20:59:47 +0000 (22:59 +0200)
committerSteinar H. Gunderson <sesse@samfundet.no>
Tue, 14 May 2013 20:59:47 +0000 (22:59 +0200)
libapache2-mod-authz-itkacl-0.5/Makefile [new file with mode: 0644]
libapache2-mod-authz-itkacl-0.5/debian/authz_itkacl.load [new file with mode: 0644]
libapache2-mod-authz-itkacl-0.5/debian/changelog [new file with mode: 0644]
libapache2-mod-authz-itkacl-0.5/debian/compat [new file with mode: 0644]
libapache2-mod-authz-itkacl-0.5/debian/control [new file with mode: 0644]
libapache2-mod-authz-itkacl-0.5/debian/dirs [new file with mode: 0644]
libapache2-mod-authz-itkacl-0.5/debian/rules [new file with mode: 0755]
libapache2-mod-authz-itkacl-0.5/mod_authz_itkacl.c [new file with mode: 0644]

diff --git a/libapache2-mod-authz-itkacl-0.5/Makefile b/libapache2-mod-authz-itkacl-0.5/Makefile
new file mode 100644 (file)
index 0000000..72aedda
--- /dev/null
@@ -0,0 +1,9 @@
+mod_authz_itkacl.so:
+       apxs2 -c mod_authz_itkacl.c -litkacl
+
+clean:
+       $(RM) *.lo *.la *.slo *.sla *.loT
+       $(RM) -r .libs/
+
+.PHONY: clean
+
diff --git a/libapache2-mod-authz-itkacl-0.5/debian/authz_itkacl.load b/libapache2-mod-authz-itkacl-0.5/debian/authz_itkacl.load
new file mode 100644 (file)
index 0000000..4d9188f
--- /dev/null
@@ -0,0 +1 @@
+LoadModule authz_itkacl_module /usr/lib/apache2/modules/mod_authz_itkacl.so
diff --git a/libapache2-mod-authz-itkacl-0.5/debian/changelog b/libapache2-mod-authz-itkacl-0.5/debian/changelog
new file mode 100644 (file)
index 0000000..04033f1
--- /dev/null
@@ -0,0 +1,46 @@
+libapache2-mod-authz-itkacl (0.5) unstable; urgency=low
+
+  * Link against shared libitkacl.
+  * Do not link against anything libpq.
+  * Add ${misc:Depends}.
+  * Update Standards-Version.
+  * Make authz_itkacl.load non-executable.
+  * Make a native package for now, but move some logic into an "upstream"
+    Makefile.
+  * Remove some old cruft in the maintainer scripts.
+
+ -- Steinar H. Gunderson <sesse@samfundet.no>  Tue, 14 May 2013 22:50:47 +0200
+
+libapache2-mod-authz-itkacl (0.4-1) unstable; urgency=low
+
+  * Support "Require itkacl anyof /foo /bar".
+  * Internal refactoring.
+
+ -- Steinar H. Gunderson <sesse@samfundet.no>  Sat, 19 Nov 2011 22:24:10 +0100
+
+libapache2-mod-authz-itkacl (0.3-2) unstable; urgency=low
+
+  * Use bugfixed ITKACL client libraries.
+
+ -- Steinar H. Gunderson <sesse@debian.org>  Sun, 07 Jun 2009 20:19:36 +0200
+
+libapache2-mod-authz-itkacl (0.3-1) unstable; urgency=low
+
+  * Use ITKACL2 access libraries (DNS instead of Postgres).
+    * Adjust build-dependencies accordingly.
+
+ -- Steinar H. Gunderson <sesse@debian.org>  Wed, 25 Feb 2009 22:39:33 +0100
+
+libapache2-mod-authz-itkacl (0.2-1) unstable; urgency=low
+
+  * Port to Apache 2.2; drop the Kerberos stuff in order to make a pure
+    authz module.
+
+ -- Steinar H. Gunderson <sesse@debian.org>  Thu,  2 Nov 2006 23:21:42 +0100
+
+libapache-mod-auth-itkacl (0.1-1) unstable; urgency=low
+
+  * Initial release, based on libapache-mod-auth-kerb.
+
+ -- Steinar H. Gunderson <sesse@debian.org>  Sat, 12 Jun 2004 12:52:41 +0200
+
diff --git a/libapache2-mod-authz-itkacl-0.5/debian/compat b/libapache2-mod-authz-itkacl-0.5/debian/compat
new file mode 100644 (file)
index 0000000..7f8f011
--- /dev/null
@@ -0,0 +1 @@
+7
diff --git a/libapache2-mod-authz-itkacl-0.5/debian/control b/libapache2-mod-authz-itkacl-0.5/debian/control
new file mode 100644 (file)
index 0000000..e99127f
--- /dev/null
@@ -0,0 +1,15 @@
+Source: libapache2-mod-authz-itkacl
+Section: web
+Priority: optional
+Maintainer: Steinar H. Gunderson <sesse@samfundet.no>
+Build-Depends: debhelper (>= 7.0.0), apache2-prefork-dev, libitkacl-dev
+Standards-Version: 3.9.1
+
+Package: libapache2-mod-authz-itkacl
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, apache2.2-common
+Description: Apache module for ITKACL authorization
+ An Apache module for checking authorization against ITKACLs.
+ It does not do any kind of authentication; for that, something
+ like mod_auth_kerb is recommended.
+
diff --git a/libapache2-mod-authz-itkacl-0.5/debian/dirs b/libapache2-mod-authz-itkacl-0.5/debian/dirs
new file mode 100644 (file)
index 0000000..1204391
--- /dev/null
@@ -0,0 +1,2 @@
+/etc/apache2/mods-available
+/usr/lib/apache2/modules
diff --git a/libapache2-mod-authz-itkacl-0.5/debian/rules b/libapache2-mod-authz-itkacl-0.5/debian/rules
new file mode 100755 (executable)
index 0000000..160d4a6
--- /dev/null
@@ -0,0 +1,34 @@
+#! /usr/bin/make -f
+
+build:
+       dh_testdir
+       $(MAKE)
+       apxs2 -c mod_authz_itkacl.c -litkacl
+
+clean:
+       dh_testdir
+       dh_testroot
+       dh_clean 
+       $(MAKE) clean
+
+binary: binary-arch
+binary-indep:
+binary-arch: build
+       dh_testdir
+       dh_testroot
+       dh_installdirs
+       
+       install -m 0644 debian/authz_itkacl.load debian/libapache2-mod-authz-itkacl/etc/apache2/mods-available/
+       install .libs/mod_authz_itkacl.so debian/libapache2-mod-authz-itkacl/usr/lib/apache2/modules/
+       
+       dh_installchangelogs 
+       dh_strip
+       dh_compress
+       dh_fixperms
+       dh_installdeb
+       dh_shlibdeps
+       dh_gencontrol
+       dh_md5sums
+       dh_builddeb
+
+.PHONY: build clean binary-indep binary-arch binary
diff --git a/libapache2-mod-authz-itkacl-0.5/mod_authz_itkacl.c b/libapache2-mod-authz-itkacl-0.5/mod_authz_itkacl.c
new file mode 100644 (file)
index 0000000..d892e78
--- /dev/null
@@ -0,0 +1,187 @@
+/*
+ * ITKACL module, (C) 2004-2011 Steinar H. Gunderson
+ */
+
+#define MODAUTHITKACL_VERSION "0.4"
+
+#include "apr_strings.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_core.h"
+#include "http_log.h"
+#include "http_protocol.h"
+#include "http_request.h"
+
+module AP_MODULE_DECLARE_DATA authz_itkacl_module;
+
+extern int itkacl_check(const char * const realm, const char * const user,
+                       char *errmsg, size_t errmsg_size);
+
+typedef struct {
+       int authoritative;
+} authz_itkacl_config_rec;
+
+static void *authz_itkacl_dir_create_config(apr_pool_t *p, char *d)
+{
+       authz_itkacl_config_rec *conf = apr_palloc(p, sizeof(*conf));
+
+       conf->authoritative = 1; /* keep the fortress secure by default */
+       return conf;
+}
+
+static const command_rec authz_itkacl_cmds[] =
+{
+       AP_INIT_FLAG("AuthzITKACLAuthoritative", ap_set_flag_slot,
+               (void *)APR_OFFSETOF(authz_itkacl_config_rec, authoritative),
+               OR_AUTHCFG,
+               "Set to 'Off' to allow access control to be passed along to "
+               "lower modules if the 'require user' or 'require valid-user' "
+               "statement is not met. (default: On)."),
+       {NULL}
+};
+
+static int fail(request_rec *r, authz_itkacl_config_rec *conf)
+{
+       if (conf->authoritative) {
+               ap_note_auth_failure(r);
+               return HTTP_UNAUTHORIZED;
+       } else {
+               return DECLINED;
+       }
+}
+
+static int handle_require(request_rec *r, authz_itkacl_config_rec *conf, const char *username, const char *acl_path)
+{
+       char errmsg[1024];
+       int ret;
+
+       ret = itkacl_check(acl_path, username, errmsg, 1024);
+       if (ret == 0) {
+               return OK;
+       }
+
+       if (ret == -1) {
+               ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                       "error during itkacl check for %s on %s: %s",
+                       username, acl_path, errmsg);
+       }
+
+       return HTTP_UNAUTHORIZED;
+}
+
+static int authz_itkacl_authorize_user(request_rec *r)
+{
+       char *username, *ptr;
+       const apr_array_header_t *reqs_arr = ap_requires(r);
+       unsigned i;
+       require_line *reqs;
+       authz_itkacl_config_rec *conf = (authz_itkacl_config_rec *)
+               ap_get_module_config(r->per_dir_config, &authz_itkacl_module);
+
+       if (reqs_arr == NULL)
+               return DECLINED;
+       
+       /* strip the domain part (FIXME: use the alias module instead?) */
+       username = strdup(r->user);
+       ptr = strchr(username, '@');
+       if (ptr != NULL)
+               ptr[0] = 0;
+
+       reqs = (require_line *)reqs_arr->elts;
+       for (i = 0; i < reqs_arr->nelts; ++i) {
+               const char *t, *w;
+
+               if (!(reqs[i].method_mask & (AP_METHOD_BIT << (r->method_number))))
+                       continue;
+
+               t = reqs[i].requirement;
+               w = ap_getword_white(r->pool, &t);
+
+               if (strcasecmp(w, "valid-user") == 0) {
+                       free(username);
+                       return OK;
+               }
+
+               if (strcasecmp(w, "itkacl") == 0) {
+                       const char *acl_path;
+
+                       acl_path = ap_getword_conf(r->pool, &t);
+                       if (acl_path == NULL || strcmp(acl_path, "") == 0) {
+                               ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                               "'Require itkacl' needs an argument");
+                               return fail(r, conf);
+                       }
+
+                       if (strcasecmp(acl_path, "anyof") == 0) {
+                               int num_seen = 0, ret;
+                               while ((acl_path = ap_getword_conf(r->pool, &t)) != NULL) {
+                                       ret = handle_require(r, conf, username, acl_path);
+                                       if (ret == OK) {
+                                               free(username);
+                                               return ret;
+                                       }
+                                       ++num_seen;
+                               }
+                               if (num_seen == 0) {
+                                       ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                               "Missing arguments after 'Require itkacl anyof'");
+                               } else if (ret == HTTP_UNAUTHORIZED) {
+                                       ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                           "%s failed itkacl check for (multiple paths)",
+                                           username, acl_path);
+                                       ret = fail(r, conf);
+                               }
+                               free(username);
+                               return ret;
+                       } else {
+                               /* check that there are no more arguments */
+                               w = ap_getword_conf(r->pool, &t);
+                               if (w != NULL && strcmp(w, "") != 0) {
+                                       ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                               "Excess arguments ('%s') after Require itkacl %s; "
+                                               "did you mean 'Require itkacl anyof ...'?",
+                                               w, acl_path);
+                                       return fail(r, conf);
+                               }
+
+                               int ret = handle_require(r, conf, username, acl_path);
+                               if (ret == HTTP_UNAUTHORIZED) {
+                                       ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                           "%s failed itkacl check for %s",
+                                           username, acl_path);
+                                       ret = fail(r, conf);
+                               }
+                               free(username);
+                               return ret;
+                       }
+               }
+       }
+
+       free(username);
+       return DECLINED;
+}
+
+static int authz_itkacl_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
+{
+       ap_add_version_component(p, "mod_auth_itkacl/" MODAUTHITKACL_VERSION);
+       return OK;
+}
+
+void authz_itkacl_register_hooks(apr_pool_t *p)
+{
+       ap_hook_post_config(authz_itkacl_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
+       ap_hook_auth_checker(authz_itkacl_authorize_user, NULL, NULL, APR_HOOK_MIDDLE); 
+}
+
+module AP_MODULE_DECLARE_DATA authz_itkacl_module =
+{
+       STANDARD20_MODULE_STUFF,
+       authz_itkacl_dir_create_config,
+       NULL,
+       NULL,
+       NULL,
+       authz_itkacl_cmds,
+       authz_itkacl_register_hooks
+};