From: Steinar H. Gunderson Date: Wed, 29 Jul 2015 08:57:32 +0000 (+0200) Subject: Update mod_authz_itkacl for Apache 2.4. X-Git-Url: https://git.sesse.net/?p=itkacl;a=commitdiff_plain;h=dd2c1b4524d195a4d191d9cb7bbe6c3adb0aa2bb Update mod_authz_itkacl for Apache 2.4. --- diff --git a/libapache2-mod-authz-itkacl-0.5/mod_authz_itkacl.c b/libapache2-mod-authz-itkacl-0.5/mod_authz_itkacl.c deleted file mode 100644 index e554915..0000000 --- a/libapache2-mod-authz-itkacl-0.5/mod_authz_itkacl.c +++ /dev/null 
@@ -1,188 +0,0 @@ -/* - * ITKACL module, (C) 2004-2011 Steinar H. Gunderson - */ - -#define MODAUTHITKACL_VERSION "0.4" - -#include "apr_strings.h" - -#include "ap_config.h" -#include "httpd.h" -#include "http_config.h" -#include "http_core.h" -#include "http_log.h" -#include "http_protocol.h" -#include "http_request.h" - -module AP_MODULE_DECLARE_DATA authz_itkacl_module; - -extern int itkacl_check(const char * const realm, const char * const user, - char *errmsg, size_t errmsg_size); - -typedef struct { - int authoritative; -} authz_itkacl_config_rec; - -static void *authz_itkacl_dir_create_config(apr_pool_t *p, char *d) -{ - authz_itkacl_config_rec *conf = apr_palloc(p, sizeof(*conf)); - - conf->authoritative = 1; /* keep the fortress secure by default */ - return conf; -} - -static const command_rec authz_itkacl_cmds[] = -{ - AP_INIT_FLAG("AuthzITKACLAuthoritative", ap_set_flag_slot, - (void *)APR_OFFSETOF(authz_itkacl_config_rec, authoritative), - OR_AUTHCFG, - "Set to 'Off' to allow access control to be passed along to " - "lower modules if the 'require user' or 'require valid-user' " - "statement is not met. 
(default: On)."), - {NULL} -}; - -static int fail(request_rec *r, authz_itkacl_config_rec *conf) -{ - if (conf->authoritative) { - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; - } else { - return DECLINED; - } -} - -static int handle_require(request_rec *r, authz_itkacl_config_rec *conf, const char *username, const char *acl_path) -{ - char errmsg[1024]; - int ret; - - ret = itkacl_check(acl_path, username, errmsg, 1024); - if (ret == 0) { - return OK; - } - - if (ret == -1) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "error during itkacl check for %s on %s: %s", - username, acl_path, errmsg); - } - - return HTTP_UNAUTHORIZED; -} - -static int authz_itkacl_authorize_user(request_rec *r) -{ - char *username, *ptr; - const apr_array_header_t *reqs_arr = ap_requires(r); - unsigned i; - require_line *reqs; - authz_itkacl_config_rec *conf = (authz_itkacl_config_rec *) - ap_get_module_config(r->per_dir_config, &authz_itkacl_module); - - if (reqs_arr == NULL) - return DECLINED; - - /* strip the domain part (FIXME: use the alias module instead?) 
*/ - username = strdup(r->user); - ptr = strchr(username, '@'); - if (ptr != NULL) - ptr[0] = 0; - - reqs = (require_line *)reqs_arr->elts; - for (i = 0; i < reqs_arr->nelts; ++i) { - const char *t, *w; - - if (!(reqs[i].method_mask & (AP_METHOD_BIT << (r->method_number)))) - continue; - - t = reqs[i].requirement; - w = ap_getword_white(r->pool, &t); - - if (strcasecmp(w, "valid-user") == 0) { - free(username); - return OK; - } - - if (strcasecmp(w, "itkacl") == 0) { - const char *acl_path; - - acl_path = ap_getword_conf(r->pool, &t); - if (acl_path == NULL || strcmp(acl_path, "") == 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "'Require itkacl' needs an argument"); - return fail(r, conf); - } - - if (strcasecmp(acl_path, "anyof") == 0) { - int num_seen = 0, ret; - while ((acl_path = ap_getword_conf(r->pool, &t)) != NULL && - strcmp(acl_path, "") != 0) { - ret = handle_require(r, conf, username, acl_path); - if (ret == OK) { - free(username); - return ret; - } - ++num_seen; - } - if (num_seen == 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Missing arguments after 'Require itkacl anyof'"); - } else if (ret == HTTP_UNAUTHORIZED) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "%s failed itkacl check for (multiple paths)", - username, acl_path); - ret = fail(r, conf); - } - free(username); - return ret; - } else { - /* check that there are no more arguments */ - w = ap_getword_conf(r->pool, &t); - if (w != NULL && strcmp(w, "") != 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Excess arguments ('%s') after Require itkacl %s; " - "did you mean 'Require itkacl anyof ...'?", - w, acl_path); - return fail(r, conf); - } - - int ret = handle_require(r, conf, username, acl_path); - if (ret == HTTP_UNAUTHORIZED) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "%s failed itkacl check for %s", - username, acl_path); - ret = fail(r, conf); - } - free(username); - return ret; - } - } - } - - free(username); - return DECLINED; -} - -static int 
authz_itkacl_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) -{ - ap_add_version_component(p, "mod_auth_itkacl/" MODAUTHITKACL_VERSION); - return OK; -} - -void authz_itkacl_register_hooks(apr_pool_t *p) -{ - ap_hook_post_config(authz_itkacl_init_handler, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_auth_checker(authz_itkacl_authorize_user, NULL, NULL, APR_HOOK_MIDDLE); -} - -module AP_MODULE_DECLARE_DATA authz_itkacl_module = -{ - STANDARD20_MODULE_STUFF, - authz_itkacl_dir_create_config, - NULL, - NULL, - NULL, - authz_itkacl_cmds, - authz_itkacl_register_hooks -}; diff --git a/libapache2-mod-authz-itkacl-0.5/Makefile b/libapache2-mod-authz-itkacl-0.6/Makefile similarity index 100% rename from libapache2-mod-authz-itkacl-0.5/Makefile rename to libapache2-mod-authz-itkacl-0.6/Makefile diff --git a/libapache2-mod-authz-itkacl-0.5/debian/authz_itkacl.load b/libapache2-mod-authz-itkacl-0.6/debian/authz_itkacl.load similarity index 100% rename from libapache2-mod-authz-itkacl-0.5/debian/authz_itkacl.load rename to libapache2-mod-authz-itkacl-0.6/debian/authz_itkacl.load diff --git a/libapache2-mod-authz-itkacl-0.5/debian/changelog b/libapache2-mod-authz-itkacl-0.6/debian/changelog similarity index 90% rename from libapache2-mod-authz-itkacl-0.5/debian/changelog rename to libapache2-mod-authz-itkacl-0.6/debian/changelog index 04033f1..1a7b937 100644 --- a/libapache2-mod-authz-itkacl-0.5/debian/changelog +++ b/libapache2-mod-authz-itkacl-0.6/debian/changelog @@ -1,3 +1,9 @@ +libapache2-mod-authz-itkacl (0.6) unstable; urgency=medium + + * Update to Apache 2.4. + + -- Steinar H. Gunderson Sat, 18 Jul 2015 13:10:07 +0200 + libapache2-mod-authz-itkacl (0.5) unstable; urgency=low * Link against shared libitkacl. 
diff --git a/libapache2-mod-authz-itkacl-0.5/debian/compat b/libapache2-mod-authz-itkacl-0.6/debian/compat similarity index 100% rename from libapache2-mod-authz-itkacl-0.5/debian/compat rename to libapache2-mod-authz-itkacl-0.6/debian/compat diff --git a/libapache2-mod-authz-itkacl-0.5/debian/control b/libapache2-mod-authz-itkacl-0.6/debian/control similarity index 86% rename from libapache2-mod-authz-itkacl-0.5/debian/control rename to libapache2-mod-authz-itkacl-0.6/debian/control index e99127f..9a73611 100644 --- a/libapache2-mod-authz-itkacl-0.5/debian/control +++ b/libapache2-mod-authz-itkacl-0.6/debian/control @@ -2,12 +2,12 @@ Source: libapache2-mod-authz-itkacl Section: web Priority: optional Maintainer: Steinar H. Gunderson -Build-Depends: debhelper (>= 7.0.0), apache2-prefork-dev, libitkacl-dev +Build-Depends: debhelper (>= 7.0.0), apache2-prefork-dev, libitkacl-dev, dh-apache2 | apache2-dev Standards-Version: 3.9.1 Package: libapache2-mod-authz-itkacl Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, apache2.2-common +Depends: ${shlibs:Depends}, ${misc:Depends} Description: Apache module for ITKACL authorization An Apache module for checking authorization against ITKACLs. It does not do any kind of authentication; for that, something diff --git a/libapache2-mod-authz-itkacl-0.5/debian/dirs b/libapache2-mod-authz-itkacl-0.6/debian/dirs similarity index 100% rename from libapache2-mod-authz-itkacl-0.5/debian/dirs rename to libapache2-mod-authz-itkacl-0.6/debian/dirs diff --git a/libapache2-mod-authz-itkacl-0.5/debian/rules b/libapache2-mod-authz-itkacl-0.6/debian/rules similarity index 98% rename from libapache2-mod-authz-itkacl-0.5/debian/rules rename to libapache2-mod-authz-itkacl-0.6/debian/rules index 160d4a6..f1b2560 100755 --- a/libapache2-mod-authz-itkacl-0.5/debian/rules +++ b/libapache2-mod-authz-itkacl-0.6/debian/rules 
@@ -22,6 +22,7 @@ binary-arch: build install .libs/mod_authz_itkacl.so debian/libapache2-mod-authz-itkacl/usr/lib/apache2/modules/ dh_installchangelogs + dh_apache2 dh_strip dh_compress dh_fixperms diff --git a/libapache2-mod-authz-itkacl-0.6/mod_authz_itkacl.c b/libapache2-mod-authz-itkacl-0.6/mod_authz_itkacl.c new file mode 100644 index 0000000..51ec224 --- /dev/null +++ b/libapache2-mod-authz-itkacl-0.6/mod_authz_itkacl.c 
@@ -0,0 +1,134 @@
+/*
+ * ITKACL module, (C) 2004-2015 Steinar H. Gunderson
+ */
+
+#define MODAUTHITKACL_VERSION "0.6"
+
+#include "apr_strings.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_core.h"
+#include "http_log.h"
+#include "http_protocol.h"
+#include "http_request.h"
+#include "mod_auth.h"
+
+module AP_MODULE_DECLARE_DATA authz_itkacl_module;
+
+extern int itkacl_check(const char * const realm, const char * const user,
+ char *errmsg, size_t errmsg_size);
+
+static int handle_require(request_rec *r, const char *username, const char *acl_path)
+{
+ char errmsg[1024];
+ int ret;
+
+ ret = itkacl_check(acl_path, username, errmsg, 1024);
+ if (ret == 0) {
+ return AUTHZ_GRANTED;
+ }
+
+ if (ret == -1) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "error during itkacl check for %s on %s: %s",
+ username, acl_path, errmsg);
+ }
+
+ return AUTHZ_DENIED;
+}
+
+static authz_status authz_itkacl_authorize_user(request_rec *r, const char *require_line, const void *parsed_require_line)
+{
+ char *username, *ptr;
+ const char *t, *acl_path;
+
+ if (r->user == NULL) {
+ return AUTHZ_DENIED_NO_USER;
+ }
+
+ /* strip the domain part (FIXME: use the alias module instead?) */
+ username = apr_pstrdup(r->pool, r->user);
+ ptr = strchr(username, '@');
+ if (ptr != NULL)
+ ptr[0] = 0;
+
+ t = require_line;
+ acl_path = ap_getword_conf(r->pool, &t);
+ if (acl_path == NULL || strcmp(acl_path, "") == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "'require itkacl' requires an argument");
+ return AUTHZ_DENIED;
+ }
+
+ if (strcasecmp(acl_path, "anyof") == 0) {
+ int num_seen = 0, ret;
+ while ((acl_path = ap_getword_conf(r->pool, &t)) != NULL &&
+ strcmp(acl_path, "") != 0) {
+ ret = handle_require(r, username, acl_path);
+ if (ret == AUTHZ_GRANTED) {
+ return ret;
+ }
+ ++num_seen;
+ }
+ if (num_seen == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Missing arguments after 'Require itkacl anyof'");
+ return AUTHZ_DENIED;
+ } else if (ret == HTTP_UNAUTHORIZED) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "%s failed itkacl check for (multiple paths)",
+ username);
+ return AUTHZ_DENIED;
+ }
+ return ret;
+ } else {
+ /* check that there are no more arguments */
+ const char *w = ap_getword_conf(r->pool, &t);
+ if (w != NULL && strcmp(w, "") != 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Excess arguments ('%s') after Require itkacl %s; "
+ "did you mean 'Require itkacl anyof ...'?",
+ w, acl_path);
+ return AUTHZ_DENIED;
+ }
+
+ int ret = handle_require(r, username, acl_path);
+ if (ret == AUTHZ_DENIED) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "%s failed itkacl check for %s",
+ username, acl_path);
+ return AUTHZ_DENIED;
+ }
+ return ret;
+ }
+}
+
+static int authz_itkacl_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
+{
+ ap_add_version_component(p, "mod_auth_itkacl/" MODAUTHITKACL_VERSION);
+ return OK;
+}
+
+static const authz_provider authz_itkacl_provider =
+{
+ &authz_itkacl_authorize_user,
+ NULL,
+};
+
+void authz_itkacl_register_hooks(apr_pool_t *p)
+{
+ ap_hook_post_config(authz_itkacl_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "itkacl", AUTHZ_PROVIDER_VERSION, &authz_itkacl_provider, AP_AUTH_INTERNAL_PER_CONF);
+}
+
+module AP_MODULE_DECLARE_DATA authz_itkacl_module =
+{
+ STANDARD20_MODULE_STUFF,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ authz_itkacl_register_hooks
+};
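Review bot: In the `anyof` branch of authz_itkacl_authorize_user, `else if (ret == HTTP_UNAUTHORIZED)` can no longer be true, because handle_require now returns only AUTHZ_GRANTED or AUTHZ_DENIED, so the debug log for a failed multi-path check is never written. The request is still denied through the trailing `return ret;`, so this fails closed, but the denial leaves no log record; compare against `AUTHZ_DENIED` instead, and declare `ret` and handle_require's return type as `authz_status` so the compiler can help catch the mismatch. An itkacl_check error (`ret == -1`) is also folded into AUTHZ_DENIED; returning `AUTHZ_GENERAL_ERROR` there would let a backend failure be distinguished from a real denial while still refusing access. Separately, truncating `r->user` at the first `@` gives the ACL lookup the same name for a principal from any realm, so if the authentication layer can accept more than one realm, the realm should be checked before it is stripped (the existing FIXME points the same way). `itkacl_check(acl_path, username, errmsg, sizeof(errmsg))` would keep the size tied to the buffer declaration.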