#include "apr_strings.h"

#include "apr_network_io.h"

#include "apr_md5.h"

#define APR_WANT_STRFUNC

#define APR_WANT_BYTEFUNC

#include "apr_want.h"

#include "ap_config.h"

#include "httpd.h"

#include "http_core.h"

#include "http_config.h"

#include "http_log.h"

#include "http_protocol.h"

#include "http_request.h"

#include "mod_auth.h"

#if APR_HAVE_NETINET_IN_H

#include <netinet/in.h>

#endif

enum allowdeny_type {

T_ENV,

T_ALL,

T_IP,

T_HOST,

T_FAIL

};

typedef struct {

apr_int64_t limited;

union {

char *from;

apr_ipsubnet_t *ip;

} x;

enum allowdeny_type type;

} allowdeny;

#define DENY_THEN_ALLOW 0

#define ALLOW_THEN_DENY 1

#define MUTUAL_FAILURE 2

typedef struct {

int order[METHODS];

apr_array_header_t *allows;

apr_array_header_t *denys;

int *satisfy; /* for every method one */

} access_compat_dir_conf;

module AP_MODULE_DECLARE_DATA access_compat_module;

static void *create_access_compat_dir_config(apr_pool_t *p, char *dummy)

{

int i;

access_compat_dir_conf *conf =

(access_compat_dir_conf *)apr_pcalloc(p, sizeof(access_compat_dir_conf));

for (i = 0; i < METHODS; ++i) {

conf->order[i] = DENY_THEN_ALLOW;

}

conf->allows = apr_array_make(p, 1, sizeof(allowdeny));

conf->denys = apr_array_make(p, 1, sizeof(allowdeny));

conf->satisfy = apr_palloc(p, sizeof(*conf->satisfy) * METHODS);

for (i = 0; i < METHODS; ++i) {

conf->satisfy[i] = SATISFY_NOSPEC;

}

return (void *)conf;

}

static const char *order(cmd_parms *cmd, void *dv, const char *arg)

{

access_compat_dir_conf *d = (access_compat_dir_conf *) dv;

int i, o;

ap_log_error(APLOG_MARK, LOG_WARNING, 0, cmd->server,

"The 'Order' directive has been deprecated. "

"Consider using '<SatisfyAll><SatisfyOne>' directives.");

if (!strcasecmp(arg, "allow,deny"))

o = ALLOW_THEN_DENY;

else if (!strcasecmp(arg, "deny,allow"))

o = DENY_THEN_ALLOW;

else if (!strcasecmp(arg, "mutual-failure"))

o = MUTUAL_FAILURE;

else

return "unknown order";

for (i = 0; i < METHODS; ++i)

if (cmd->limited & (AP_METHOD_BIT << i))

d->order[i] = o;

return NULL;

}

static const char *satisfy(cmd_parms *cmd, void *dv, const char *arg)

{

access_compat_dir_conf *d = (access_compat_dir_conf *) dv;

int satisfy = SATISFY_NOSPEC;

int i;

ap_log_error(APLOG_MARK, LOG_WARNING, 0, cmd->server,

"The 'Satisfy' directive has been deprecated. "

"Consider using '<SatisfyAll><SatisfyOne>' directives.");

if (!strcasecmp(arg, "all")) {

satisfy = SATISFY_ALL;

}

else if (!strcasecmp(arg, "any")) {

satisfy = SATISFY_ANY;

}

else {

return "Satisfy either 'any' or 'all'.";

}

for (i = 0; i < METHODS; ++i) {

if (cmd->limited & (AP_METHOD_BIT << i)) {

d->satisfy[i] = satisfy;

}

}

return NULL;

}

static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,

const char *where_c)

{

access_compat_dir_conf *d = (access_compat_dir_conf *) dv;

allowdeny *a;

char *where = apr_pstrdup(cmd->pool, where_c);

char *s;

char msgbuf[120];

apr_status_t rv;

ap_log_error(APLOG_MARK, LOG_WARNING, 0, cmd->server,

"The 'Allow/Deny' directives have been deprecated. "

"Consider using one of the host providers in mod_authz_host.");

if (strcasecmp(from, "from"))

return "allow and deny must be followed by 'from'";

a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);

a->x.from = where;

a->limited = cmd->limited;

if (!strncasecmp(where, "env=", 4)) {

a->type = T_ENV;

a->x.from += 4;

}

else if (!strcasecmp(where, "all")) {

a->type = T_ALL;

}

else if ((s = ap_strchr(where, '/'))) {

*s++ = '\0';

rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool);

if(APR_STATUS_IS_EINVAL(rv)) {

/* looked nothing like an IP address */

return "An IP address was expected";

}

else if (rv != APR_SUCCESS) {

apr_strerror(rv, msgbuf, sizeof msgbuf);

return apr_pstrdup(cmd->pool, msgbuf);

}

a->type = T_IP;

}

else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where,

NULL, cmd->pool))) {

if (rv != APR_SUCCESS) {

apr_strerror(rv, msgbuf, sizeof msgbuf);

return apr_pstrdup(cmd->pool, msgbuf);

}

a->type = T_IP;

}

else { /* no slash, didn't look like an IP address => must be a host */

a->type = T_HOST;

}

return NULL;

}

static char its_an_allow;

static const command_rec access_compat_cmds[] =

{

AP_INIT_TAKE1("order", order, NULL, OR_LIMIT,

"'allow,deny', 'deny,allow', or 'mutual-failure'"),

AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT,

"'from' followed by hostnames or IP-address wildcards"),

AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,

"'from' followed by hostnames or IP-address wildcards"),

AP_INIT_TAKE1("Satisfy", satisfy, NULL, OR_AUTHCFG,

"access policy if both allow and require used ('all' or 'any')"),

{NULL}

};

static int in_domain(const char *domain, const char *what)

{

int dl = strlen(domain);

int wl = strlen(what);

if ((wl - dl) >= 0) {

if (strcasecmp(domain, &what[wl - dl]) != 0) {

return 0;

}

/* Make sure we matched an *entire* subdomain --- if the user

if (wl == dl) {

return 1; /* matched whole thing */

}

else {

return (domain[0] == '.' || what[wl - dl - 1] == '.');

}

}

else {

return 0;

}

}

static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)

{

allowdeny *ap = (allowdeny *) a->elts;

apr_int64_t mmask = (AP_METHOD_BIT << method);

int i;

int gothost = 0;

const char *remotehost = NULL;

for (i = 0; i < a->nelts; ++i) {

if (!(mmask & ap[i].limited)) {

continue;

}

switch (ap[i].type) {

case T_ENV:

if (apr_table_get(r->subprocess_env, ap[i].x.from)) {

return 1;

}

break;

case T_ALL:

return 1;

case T_IP:

if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) {

return 1;

}

break;

case T_HOST:

if (!gothost) {

int remotehost_is_ip;

remotehost = ap_get_remote_host(r->connection,

r->per_dir_config,

REMOTE_DOUBLE_REV,

&remotehost_is_ip);

if ((remotehost == NULL) || remotehost_is_ip) {

gothost = 1;

}

else {

gothost = 2;

}

}

if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) {

return 1;

}

break;

case T_FAIL:

/* do nothing? */

break;

}

}

return 0;

}

static int ap_satisfies(request_rec *r)

{

access_compat_dir_conf *conf = (access_compat_dir_conf *)

ap_get_module_config(r->per_dir_config, &access_compat_module);

return conf->satisfy[r->method_number];

}

static int check_dir_access(request_rec *r)

{

int method = r->method_number;

int ret = OK;

access_compat_dir_conf *a = (access_compat_dir_conf *)

ap_get_module_config(r->per_dir_config, &access_compat_module);

if (a->order[method] == ALLOW_THEN_DENY) {

ret = HTTP_FORBIDDEN;

if (find_allowdeny(r, a->allows, method)) {

ret = OK;

}

if (find_allowdeny(r, a->denys, method)) {

ret = HTTP_FORBIDDEN;

}

}

else if (a->order[method] == DENY_THEN_ALLOW) {

if (find_allowdeny(r, a->denys, method)) {

ret = HTTP_FORBIDDEN;

}

if (find_allowdeny(r, a->allows, method)) {

ret = OK;

}

}

else {

if (find_allowdeny(r, a->allows, method)

&& !find_allowdeny(r, a->denys, method)) {

ret = OK;

}

else {

ret = HTTP_FORBIDDEN;

}

}

if (ret == OK) {

apr_table_setn(r->notes, AUTHZ_ACCESS_PASSED_NOTE, "Y");

}

else {

apr_table_setn(r->notes, AUTHZ_ACCESS_PASSED_NOTE, "N");

/* If Satisfy is Any and authorization is required, then

if ((ap_satisfies(r) == SATISFY_ANY) && ap_some_auth_required(r)) {

ret = OK;

}

}

if (ret == HTTP_FORBIDDEN) {

ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,

"client denied by server configuration: %s",

r->filename);

}

return ret;

}

static void register_hooks(apr_pool_t *p)

{

APR_REGISTER_OPTIONAL_FN(ap_satisfies);

/* This can be access checker since we don't require r->user to be set. */

ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);

}

module AP_MODULE_DECLARE_DATA access_compat_module =

{

STANDARD20_MODULE_STUFF,

create_access_compat_dir_config, /* dir config creater */

NULL, /* dir merger --- default is to override */

NULL, /* server config */

NULL, /* merge server config */

access_compat_cmds,

register_hooks /* register hooks */

};