+++ /dev/null
-/*
- * ITKACL module, (C) 2004-2011 Steinar H. Gunderson
- */
-
-#define MODAUTHITKACL_VERSION "0.4"
-
-#include "apr_strings.h"
-
-#include "ap_config.h"
-#include "httpd.h"
-#include "http_config.h"
-#include "http_core.h"
-#include "http_log.h"
-#include "http_protocol.h"
-#include "http_request.h"
-
-module AP_MODULE_DECLARE_DATA authz_itkacl_module;
-
-extern int itkacl_check(const char * const realm, const char * const user,
- char *errmsg, size_t errmsg_size);
-
-typedef struct {
- int authoritative;
-} authz_itkacl_config_rec;
-
-static void *authz_itkacl_dir_create_config(apr_pool_t *p, char *d)
-{
- authz_itkacl_config_rec *conf = apr_palloc(p, sizeof(*conf));
-
- conf->authoritative = 1; /* keep the fortress secure by default */
- return conf;
-}
-
-static const command_rec authz_itkacl_cmds[] =
-{
- AP_INIT_FLAG("AuthzITKACLAuthoritative", ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_itkacl_config_rec, authoritative),
- OR_AUTHCFG,
- "Set to 'Off' to allow access control to be passed along to "
- "lower modules if the 'require user' or 'require valid-user' "
- "statement is not met. (default: On)."),
- {NULL}
-};
-
-static int fail(request_rec *r, authz_itkacl_config_rec *conf)
-{
- if (conf->authoritative) {
- ap_note_auth_failure(r);
- return HTTP_UNAUTHORIZED;
- } else {
- return DECLINED;
- }
-}
-
-static int handle_require(request_rec *r, authz_itkacl_config_rec *conf, const char *username, const char *acl_path)
-{
- char errmsg[1024];
- int ret;
-
- ret = itkacl_check(acl_path, username, errmsg, 1024);
- if (ret == 0) {
- return OK;
- }
-
- if (ret == -1) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "error during itkacl check for %s on %s: %s",
- username, acl_path, errmsg);
- }
-
- return HTTP_UNAUTHORIZED;
-}
-
-static int authz_itkacl_authorize_user(request_rec *r)
-{
- char *username, *ptr;
- const apr_array_header_t *reqs_arr = ap_requires(r);
- unsigned i;
- require_line *reqs;
- authz_itkacl_config_rec *conf = (authz_itkacl_config_rec *)
- ap_get_module_config(r->per_dir_config, &authz_itkacl_module);
-
- if (reqs_arr == NULL)
- return DECLINED;
-
- /* strip the domain part (FIXME: use the alias module instead?) */
- username = strdup(r->user);
- ptr = strchr(username, '@');
- if (ptr != NULL)
- ptr[0] = 0;
-
- reqs = (require_line *)reqs_arr->elts;
- for (i = 0; i < reqs_arr->nelts; ++i) {
- const char *t, *w;
-
- if (!(reqs[i].method_mask & (AP_METHOD_BIT << (r->method_number))))
- continue;
-
- t = reqs[i].requirement;
- w = ap_getword_white(r->pool, &t);
-
- if (strcasecmp(w, "valid-user") == 0) {
- free(username);
- return OK;
- }
-
- if (strcasecmp(w, "itkacl") == 0) {
- const char *acl_path;
-
- acl_path = ap_getword_conf(r->pool, &t);
- if (acl_path == NULL || strcmp(acl_path, "") == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "'Require itkacl' needs an argument");
- return fail(r, conf);
- }
-
- if (strcasecmp(acl_path, "anyof") == 0) {
- int num_seen = 0, ret;
- while ((acl_path = ap_getword_conf(r->pool, &t)) != NULL &&
- strcmp(acl_path, "") != 0) {
- ret = handle_require(r, conf, username, acl_path);
- if (ret == OK) {
- free(username);
- return ret;
- }
- ++num_seen;
- }
- if (num_seen == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Missing arguments after 'Require itkacl anyof'");
- } else if (ret == HTTP_UNAUTHORIZED) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "%s failed itkacl check for (multiple paths)",
- username, acl_path);
- ret = fail(r, conf);
- }
- free(username);
- return ret;
- } else {
- /* check that there are no more arguments */
- w = ap_getword_conf(r->pool, &t);
- if (w != NULL && strcmp(w, "") != 0) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Excess arguments ('%s') after Require itkacl %s; "
- "did you mean 'Require itkacl anyof ...'?",
- w, acl_path);
- return fail(r, conf);
- }
-
- int ret = handle_require(r, conf, username, acl_path);
- if (ret == HTTP_UNAUTHORIZED) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "%s failed itkacl check for %s",
- username, acl_path);
- ret = fail(r, conf);
- }
- free(username);
- return ret;
- }
- }
- }
-
- free(username);
- return DECLINED;
-}
-
-static int authz_itkacl_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
-{
- ap_add_version_component(p, "mod_auth_itkacl/" MODAUTHITKACL_VERSION);
- return OK;
-}
-
-void authz_itkacl_register_hooks(apr_pool_t *p)
-{
- ap_hook_post_config(authz_itkacl_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_auth_checker(authz_itkacl_authorize_user, NULL, NULL, APR_HOOK_MIDDLE);
-}
-
-module AP_MODULE_DECLARE_DATA authz_itkacl_module =
-{
- STANDARD20_MODULE_STUFF,
- authz_itkacl_dir_create_config,
- NULL,
- NULL,
- NULL,
- authz_itkacl_cmds,
- authz_itkacl_register_hooks
-};
--- /dev/null
+/*
+ * ITKACL module, (C) 2004-2015 Steinar H. Gunderson
+ */
+
+#define MODAUTHITKACL_VERSION "0.6"
+
+#include "apr_strings.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_core.h"
+#include "http_log.h"
+#include "http_protocol.h"
+#include "http_request.h"
+#include "mod_auth.h"
+
+module AP_MODULE_DECLARE_DATA authz_itkacl_module;
+
+extern int itkacl_check(const char * const realm, const char * const user,
+ char *errmsg, size_t errmsg_size);
+
+static int handle_require(request_rec *r, const char *username, const char *acl_path)
+{
+ char errmsg[1024];
+ int ret;
+
+ ret = itkacl_check(acl_path, username, errmsg, 1024);
+ if (ret == 0) {
+ return AUTHZ_GRANTED;
+ }
+
+ if (ret == -1) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "error during itkacl check for %s on %s: %s",
+ username, acl_path, errmsg);
+ }
+
+ return AUTHZ_DENIED;
+}
+
+static authz_status authz_itkacl_authorize_user(request_rec *r, const char *require_line, const void *parsed_require_line)
+{
+ char *username, *ptr;
+ const char *t, *acl_path;
+
+ if (r->user == NULL) {
+ return AUTHZ_DENIED_NO_USER;
+ }
+
+ /* strip the domain part (FIXME: use the alias module instead?) */
+ username = apr_pstrdup(r->pool, r->user);
+ ptr = strchr(username, '@');
+ if (ptr != NULL)
+ ptr[0] = 0;
+
+ t = require_line;
+ acl_path = ap_getword_conf(r->pool, &t);
+ if (acl_path == NULL || strcmp(acl_path, "") == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "'require itkacl' requires an argument");
+ return AUTHZ_DENIED;
+ }
+
+ if (strcasecmp(acl_path, "anyof") == 0) {
+ int num_seen = 0, ret;
+ while ((acl_path = ap_getword_conf(r->pool, &t)) != NULL &&
+ strcmp(acl_path, "") != 0) {
+ ret = handle_require(r, username, acl_path);
+ if (ret == AUTHZ_GRANTED) {
+ return ret;
+ }
+ ++num_seen;
+ }
+ if (num_seen == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Missing arguments after 'Require itkacl anyof'");
+ return AUTHZ_DENIED;
+ } else if (ret == HTTP_UNAUTHORIZED) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "%s failed itkacl check for (multiple paths)",
+ username);
+ return AUTHZ_DENIED;
+ }
+ return ret;
+ } else {
+ /* check that there are no more arguments */
+ const char *w = ap_getword_conf(r->pool, &t);
+ if (w != NULL && strcmp(w, "") != 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Excess arguments ('%s') after Require itkacl %s; "
+ "did you mean 'Require itkacl anyof ...'?",
+ w, acl_path);
+ return AUTHZ_DENIED;
+ }
+
+ int ret = handle_require(r, username, acl_path);
+ if (ret == AUTHZ_DENIED) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "%s failed itkacl check for %s",
+ username, acl_path);
+ return AUTHZ_DENIED;
+ }
+ return ret;
+ }
+}
+
+static int authz_itkacl_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
+{
+ ap_add_version_component(p, "mod_auth_itkacl/" MODAUTHITKACL_VERSION);
+ return OK;
+}
+
+static const authz_provider authz_itkacl_provider =
+{
+ &authz_itkacl_authorize_user,
+ NULL,
+};
+
+void authz_itkacl_register_hooks(apr_pool_t *p)
+{
+ ap_hook_post_config(authz_itkacl_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "itkacl", AUTHZ_PROVIDER_VERSION, &authz_itkacl_provider, AP_AUTH_INTERNAL_PER_CONF);
+}
+
+module AP_MODULE_DECLARE_DATA authz_itkacl_module =
+{
+ STANDARD20_MODULE_STUFF,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ authz_itkacl_register_hooks
+};