modules/aaa/mod_auth_basic.c

	mod_auth_basic.c revision 6f61c36ed87866636fbc8bae4da3842205d81e5b
28ec5e4f5c4a71428affc986304e894eda600925takashi/* Licensed to the Apache Software Foundation (ASF) under one or more
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * contributor license agreements.  See the NOTICE file distributed with
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * this work for additional information regarding copyright ownership.
5f5d1b4cc970b7f06ff8ef6526128e9a27303d88nd * The ASF licenses this file to You under the Apache License, Version 2.0
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * (the "License"); you may not use this file except in compliance with
acc36ab93565d2880447d535da6ca6e5feac7a70nd * the License.  You may obtain a copy of the License at
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding *
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding *     http://www.apache.org/licenses/LICENSE-2.0
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding *
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding * Unless required by applicable law or agreed to in writing, software
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding * distributed under the License is distributed on an "AS IS" BASIS,
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
acc36ab93565d2880447d535da6ca6e5feac7a70nd * See the License for the specific language governing permissions and
acc36ab93565d2880447d535da6ca6e5feac7a70nd * limitations under the License.
acc36ab93565d2880447d535da6ca6e5feac7a70nd */
acc36ab93565d2880447d535da6ca6e5feac7a70nd
acc36ab93565d2880447d535da6ca6e5feac7a70nd#include "apr_strings.h"
acc36ab93565d2880447d535da6ca6e5feac7a70nd#include "apr_lib.h"            /* for apr_isspace */
acc36ab93565d2880447d535da6ca6e5feac7a70nd#include "apr_base64.h"         /* for apr_base64_decode et al */
acc36ab93565d2880447d535da6ca6e5feac7a70nd#define APR_WANT_STRFUNC        /* for strcasecmp */
acc36ab93565d2880447d535da6ca6e5feac7a70nd#include "apr_want.h"
acc36ab93565d2880447d535da6ca6e5feac7a70nd
7db9f691a00ead175b03335457ca296a33ddf31bnd#include "ap_config.h"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive#include "httpd.h"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive#include "http_config.h"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive#include "http_core.h"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive#include "http_log.h"
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen#include "http_protocol.h"
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen#include "http_request.h"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive#include "util_md5.h"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive#include "ap_provider.h"
ce71a46e27f6e2ae210e1f925545aa6e4f74db74jsl#include "ap_expr.h"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive#include "mod_auth.h"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slivetypedef struct {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    authn_provider_list *providers;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    char *dir; /* unused variable */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    int authoritative;
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    ap_expr_info_t *fakeuser;
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    ap_expr_info_t *fakepass;
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    const char *use_digest_algorithm;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    unsigned int fake_set:1,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                 use_digest_algorithm_set:1,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                 authoritative_set:1;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive} auth_basic_config_rec;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
e41a440220bb41526fac54001a3ee94abb0d07a6rbowenstatic void *create_auth_basic_dir_config(apr_pool_t *p, char *d)
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
3114b83fa8f03492a3e36809e875dec55b68a79dpepper    /* Any failures are fatal. */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    conf->authoritative = 1;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    return conf;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive}
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slivestatic void *merge_auth_basic_dir_config(apr_pool_t *p, void *basev, void *overridesv)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *newconf = apr_pcalloc(p, sizeof(*newconf));
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *base = basev;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *overrides = overridesv;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newconf->authoritative =
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            overrides->authoritative_set ? overrides->authoritative :
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                    base->authoritative;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newconf->authoritative_set = overrides->authoritative_set
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            || base->authoritative_set;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newconf->fakeuser =
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            overrides->fake_set ? overrides->fakeuser : base->fakeuser;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newconf->fakepass =
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            overrides->fake_set ? overrides->fakepass : base->fakepass;
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen    newconf->fake_set = overrides->fake_set || base->fake_set;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newconf->use_digest_algorithm =
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen        overrides->use_digest_algorithm_set ? overrides->use_digest_algorithm
879db3a83a2a8da2eab7412c0118357acc50c1e0rbowen                                            : base->use_digest_algorithm;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newconf->use_digest_algorithm_set =
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        overrides->use_digest_algorithm_set || base->use_digest_algorithm_set;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newconf->providers = overrides->providers ? overrides->providers : base->providers;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    return newconf;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive}
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slivestatic const char *add_authn_provider(cmd_parms *cmd, void *config,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                      const char *arg)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *conf = (auth_basic_config_rec*)config;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    authn_provider_list *newp;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newp = apr_pcalloc(cmd->pool, sizeof(authn_provider_list));
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newp->provider_name = arg;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    /* lookup and cache the actual provider now */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    newp->provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                        newp->provider_name,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                        AUTHN_PROVIDER_VERSION);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    if (newp->provider == NULL) {
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen        /* by the time they use it, the provider should be loaded and
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive           registered with us. */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return apr_psprintf(cmd->pool,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                            "Unknown Authn provider: %s",
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen                            newp->provider_name);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    if (!newp->provider->check_password) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        /* if it doesn't provide the appropriate function, reject it */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return apr_psprintf(cmd->pool,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                            "The '%s' Authn provider doesn't support "
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                            "Basic Authentication", newp->provider_name);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    /* Add it to the list now. */
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    if (!conf->providers) {
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        conf->providers = newp;
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    }
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    else {
5f48875017569cc7610b17d852c44e02684d9d5aerikabele        authn_provider_list *last = conf->providers;
5f48875017569cc7610b17d852c44e02684d9d5aerikabele
5f48875017569cc7610b17d852c44e02684d9d5aerikabele        while (last->next) {
5f48875017569cc7610b17d852c44e02684d9d5aerikabele            last = last->next;
5f48875017569cc7610b17d852c44e02684d9d5aerikabele        }
5f48875017569cc7610b17d852c44e02684d9d5aerikabele        last->next = newp;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    return NULL;
181e56d8b348d301d615ccf5465ae600fee2867berikabele}
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slivestatic const char *set_authoritative(cmd_parms * cmd, void *config, int flag)
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *conf = (auth_basic_config_rec *) config;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen    conf->authoritative = flag;
181e56d8b348d301d615ccf5465ae600fee2867berikabele    conf->authoritative_set = 1;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    return NULL;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive}
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgunstatic const char *add_basic_fake(cmd_parms * cmd, void *config,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        const char *user, const char *pass)
181e56d8b348d301d615ccf5465ae600fee2867berikabele{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *conf = (auth_basic_config_rec *) config;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    const char *err;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
181e56d8b348d301d615ccf5465ae600fee2867berikabele    if (!strcasecmp(user, "off")) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        conf->fakeuser = NULL;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        conf->fakepass = NULL;
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele        conf->fake_set = 1;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    }
181e56d8b348d301d615ccf5465ae600fee2867berikabele    else {
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele        /* if password is unspecified, set it to the fixed string "password" to
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele         * be compatible with the behaviour of mod_ssl.
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele         */
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele        if (!pass) {
181e56d8b348d301d615ccf5465ae600fee2867berikabele            pass = "password";
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        conf->fakeuser =
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                ap_expr_parse_cmd(cmd, user, AP_EXPR_FLAG_STRING_RESULT,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                        &err, NULL);
181e56d8b348d301d615ccf5465ae600fee2867berikabele        if (err) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            return apr_psprintf(cmd->pool,
181e56d8b348d301d615ccf5465ae600fee2867berikabele                    "Could not parse fake username expression '%s': %s", user,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                    err);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        conf->fakepass =
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                ap_expr_parse_cmd(cmd, pass, AP_EXPR_FLAG_STRING_RESULT,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                        &err, NULL);
181e56d8b348d301d615ccf5465ae600fee2867berikabele        if (err) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            return apr_psprintf(cmd->pool,
181e56d8b348d301d615ccf5465ae600fee2867berikabele                    "Could not parse fake password expression '%s': %s", user,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                    err);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        conf->fake_set = 1;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
96aee4c18ac74113f91235b99233431769cd1e31jsl    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
181e56d8b348d301d615ccf5465ae600fee2867berikabele    return NULL;
ec5fd46fd2a4a263bb5cdf419e8d4106007a2ac8gryzor}
5f48875017569cc7610b17d852c44e02684d9d5aerikabele
181e56d8b348d301d615ccf5465ae600fee2867berikabelestatic const char *set_use_digest_algorithm(cmd_parms *cmd, void *config,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                            const char *alg)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *conf = (auth_basic_config_rec *)config;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    if (strcasecmp(alg, "Off") && strcasecmp(alg, "MD5")) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return apr_pstrcat(cmd->pool,
181e56d8b348d301d615ccf5465ae600fee2867berikabele                           "Invalid algorithm in "
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                           "AuthBasicUseDigestAlgorithm: ", alg, NULL);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    conf->use_digest_algorithm = apr_pstrdup(cmd->pool, alg);
181e56d8b348d301d615ccf5465ae600fee2867berikabele    conf->use_digest_algorithm_set = 1;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    return NULL;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive}
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgunstatic const command_rec auth_basic_cmds[] =
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive{
181e56d8b348d301d615ccf5465ae600fee2867berikabele    AP_INIT_ITERATE("AuthBasicProvider", add_authn_provider, NULL, OR_AUTHCFG,
5f48875017569cc7610b17d852c44e02684d9d5aerikabele                    "specify the auth providers for a directory or location"),
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    AP_INIT_FLAG("AuthBasicAuthoritative", set_authoritative, NULL, OR_AUTHCFG,
181e56d8b348d301d615ccf5465ae600fee2867berikabele                 "Set to 'Off' to allow access control to be passed along to "
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                 "lower modules if the UserID is not known to this module"),
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    AP_INIT_TAKE12("AuthBasicFake", add_basic_fake, NULL, OR_AUTHCFG,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                  "Fake basic authentication using the given expressions for "
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                  "username and password, 'off' to disable. Password defaults "
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                  "to 'password' if missing."),
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    AP_INIT_TAKE1("AuthBasicUseDigestAlgorithm", set_use_digest_algorithm,
181e56d8b348d301d615ccf5465ae600fee2867berikabele                  NULL, OR_AUTHCFG,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                  "Set to 'MD5' to use the auth provider's authentication "
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                  "check for digest auth, using a hash of 'user:realm:pass'"),
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    {NULL}
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive};
181e56d8b348d301d615ccf5465ae600fee2867berikabele
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slivemodule AP_MODULE_DECLARE_DATA auth_basic_module;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive/* These functions return 0 if client is OK, and proper error status
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun * HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * couldn't figure out how to tell if the client is authorized or not.
181e56d8b348d301d615ccf5465ae600fee2867berikabele *
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * If they return DECLINED, and all other modules also decline, that's
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * treated by the server core as a configuration error, logged and
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * reported as such.
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive */
181e56d8b348d301d615ccf5465ae600fee2867berikabele
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slivestatic void note_basic_auth_failure(request_rec *r)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    apr_table_setn(r->err_headers_out,
5f48875017569cc7610b17d852c44e02684d9d5aerikabele                   (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate"
5f48875017569cc7610b17d852c44e02684d9d5aerikabele                                                   : "WWW-Authenticate",
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                   apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r),
181e56d8b348d301d615ccf5465ae600fee2867berikabele                               "\"", NULL));
5f48875017569cc7610b17d852c44e02684d9d5aerikabele}
0e07836b674ca484eb457056c4a4ec5edc226139humbedooh
181e56d8b348d301d615ccf5465ae600fee2867berikabelestatic int hook_note_basic_auth_failure(request_rec *r, const char *auth_type)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    if (strcasecmp(auth_type, "Basic"))
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return DECLINED;
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    note_basic_auth_failure(r);
181e56d8b348d301d615ccf5465ae600fee2867berikabele    return OK;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive}
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgunstatic int get_basic_auth(request_rec *r, const char **user,
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                          const char **pw)
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele{
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele    const char *auth_line;
181e56d8b348d301d615ccf5465ae600fee2867berikabele    char *decoded_line;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    int length;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    /* Get the appropriate header */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_line = apr_table_get(r->headers_in, (PROXYREQ_PROXY == r->proxyreq)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                                              ? "Proxy-Authorization"
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                              : "Authorization");
181e56d8b348d301d615ccf5465ae600fee2867berikabele
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    if (!auth_line) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        note_basic_auth_failure(r);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return HTTP_UNAUTHORIZED;
181e56d8b348d301d615ccf5465ae600fee2867berikabele    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        /* Client tried to authenticate using wrong auth scheme */
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01614)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                      "client used wrong authentication scheme: %s", r->uri);
181e56d8b348d301d615ccf5465ae600fee2867berikabele        note_basic_auth_failure(r);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return HTTP_UNAUTHORIZED;
181e56d8b348d301d615ccf5465ae600fee2867berikabele    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    /* Skip leading spaces. */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    while (apr_isspace(*auth_line)) {
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele        auth_line++;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
181e56d8b348d301d615ccf5465ae600fee2867berikabele    decoded_line = apr_palloc(r->pool, apr_base64_decode_len(auth_line) + 1);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    length = apr_base64_decode(decoded_line, auth_line);
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele    /* Null-terminate the string. */
181e56d8b348d301d615ccf5465ae600fee2867berikabele    decoded_line[length] = '\0';
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    *user = ap_getword_nulls(r->pool, (const char**)&decoded_line, ':');
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    *pw = decoded_line;
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    /* set the user, even though the user is unauthenticated at this point */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    r->user = (char *) *user;
181e56d8b348d301d615ccf5465ae600fee2867berikabele
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    return OK;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive}
181e56d8b348d301d615ccf5465ae600fee2867berikabele
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive/* Determine user ID, and check if it really is that user, for HTTP
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive * basic authentication...
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slivestatic int authenticate_basic_user(request_rec *r)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *conf = ap_get_module_config(r->per_dir_config,
181e56d8b348d301d615ccf5465ae600fee2867berikabele                                                       &auth_basic_module);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    const char *sent_user, *sent_pw, *current_auth;
181e56d8b348d301d615ccf5465ae600fee2867berikabele    const char *realm = NULL;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    const char *digest = NULL;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    int res;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    authn_status auth_result;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    authn_provider_list *current_provider;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    /* Are we configured to be Basic auth? */
181e56d8b348d301d615ccf5465ae600fee2867berikabele    current_auth = ap_auth_type(r);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    if (!current_auth || strcasecmp(current_auth, "Basic")) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return DECLINED;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    /* We need an authentication realm. */
181e56d8b348d301d615ccf5465ae600fee2867berikabele    if (!ap_auth_name(r)) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01615)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                      "need AuthName: %s", r->uri);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return HTTP_INTERNAL_SERVER_ERROR;
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele    }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    r->ap_auth_type = (char*)current_auth;
181e56d8b348d301d615ccf5465ae600fee2867berikabele
41dd95074cc6924ee56c53ba11aa6faf59b2ee13erikabele    res = get_basic_auth(r, &sent_user, &sent_pw);
181e56d8b348d301d615ccf5465ae600fee2867berikabele    if (res) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        return res;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
3114b83fa8f03492a3e36809e875dec55b68a79dpepper    if (conf->use_digest_algorithm
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        && !strcasecmp(conf->use_digest_algorithm, "MD5")) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        realm = ap_auth_name(r);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        digest = ap_md5(r->pool,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                        (unsigned char *)apr_pstrcat(r->pool, sent_user, ":",
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                                     realm, ":",
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                                     sent_pw, NULL));
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    current_provider = conf->providers;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    do {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        const authn_provider *provider;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        /* For now, if a provider isn't set, we'll be nice and use the file
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive         * provider.
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive         */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        if (!current_provider) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                          AUTHN_DEFAULT_PROVIDER,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                                          AUTHN_PROVIDER_VERSION);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            if (!provider || !provider->check_password) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01616)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                              "No Authn provider configured");
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                auth_result = AUTH_GENERAL_ERROR;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                break;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, AUTHN_DEFAULT_PROVIDER);
5f48875017569cc7610b17d852c44e02684d9d5aerikabele        }
5f48875017569cc7610b17d852c44e02684d9d5aerikabele        else {
5f48875017569cc7610b17d852c44e02684d9d5aerikabele            provider = current_provider->provider;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, current_provider->provider_name);
645377709717e10daeb3b57531340ce14424c7c0jorton        }
645377709717e10daeb3b57531340ce14424c7c0jorton
645377709717e10daeb3b57531340ce14424c7c0jorton        if (digest) {
645377709717e10daeb3b57531340ce14424c7c0jorton            char *password;
645377709717e10daeb3b57531340ce14424c7c0jorton
645377709717e10daeb3b57531340ce14424c7c0jorton            if (!provider->get_realm_hash) {
645377709717e10daeb3b57531340ce14424c7c0jorton                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02493)
645377709717e10daeb3b57531340ce14424c7c0jorton                              "Authn provider does not support "
645377709717e10daeb3b57531340ce14424c7c0jorton                              "AuthBasicUseDigestAlgorithm");
645377709717e10daeb3b57531340ce14424c7c0jorton                auth_result = AUTH_GENERAL_ERROR;
645377709717e10daeb3b57531340ce14424c7c0jorton                break;
645377709717e10daeb3b57531340ce14424c7c0jorton            }
645377709717e10daeb3b57531340ce14424c7c0jorton            /* We expect the password to be hash of user:realm:password */
645377709717e10daeb3b57531340ce14424c7c0jorton            auth_result = provider->get_realm_hash(r, sent_user, realm,
645377709717e10daeb3b57531340ce14424c7c0jorton                                                   &password);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            if (auth_result == AUTH_USER_FOUND) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                auth_result = strcmp(digest, password) ? AUTH_DENIED
5f48875017569cc7610b17d852c44e02684d9d5aerikabele                                                       : AUTH_GRANTED;
5f48875017569cc7610b17d852c44e02684d9d5aerikabele            }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        else {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            auth_result = provider->check_password(r, sent_user, sent_pw);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE);
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen
c9cf90a8732db50bf51da5166f3c23f076d8174bpoirier        /* Something occured. Stop checking. */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        if (auth_result != AUTH_USER_NOT_FOUND) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            break;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        /* If we're not really configured for providers, stop now. */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        if (!conf->providers) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            break;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        current_provider = current_provider->next;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    } while (current_provider);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    if (auth_result != AUTH_GRANTED) {
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        int return_code;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        /* If we're not authoritative, then any error is ignored. */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        if (!(conf->authoritative) && auth_result != AUTH_DENIED) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            return DECLINED;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        switch (auth_result) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        case AUTH_DENIED:
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01617)
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen                      "user %s: authentication failure for \"%s\": "
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                      "Password Mismatch",
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                      sent_user, r->uri);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun            return_code = HTTP_UNAUTHORIZED;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun            break;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        case AUTH_USER_NOT_FOUND:
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01618)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                      "user %s not found: %s", sent_user, r->uri);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            return_code = HTTP_UNAUTHORIZED;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            break;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        case AUTH_HANDLED:
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            return_code = r->status;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            break;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        case AUTH_GENERAL_ERROR:
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        default:
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            /* We'll assume that the module has already said what its error
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive             * was in the logs.
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive             */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            return_code = HTTP_INTERNAL_SERVER_ERROR;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            break;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        /* If we're returning 403, tell them to try again. */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        if (return_code == HTTP_UNAUTHORIZED) {
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive            note_basic_auth_failure(r);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive        }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        return return_code;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    }
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
645377709717e10daeb3b57531340ce14424c7c0jorton    return OK;
645377709717e10daeb3b57531340ce14424c7c0jorton}
645377709717e10daeb3b57531340ce14424c7c0jorton
645377709717e10daeb3b57531340ce14424c7c0jorton/* If requested, create a fake basic authentication header for the benefit
645377709717e10daeb3b57531340ce14424c7c0jorton * of a proxy or application running behind this server.
645377709717e10daeb3b57531340ce14424c7c0jorton */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slivestatic int authenticate_basic_fake(request_rec *r)
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive{
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    const char *auth_line, *user, *pass, *err;
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_config_rec *conf = ap_get_module_config(r->per_dir_config,
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                                                       &auth_basic_module);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    if (!conf->fakeuser) {
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        return DECLINED;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    user = ap_expr_str_exec(r, conf->fakeuser, &err);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    if (err) {
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02455)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                      "AuthBasicFake: could not evaluate user expression for URI '%s': %s", r->uri, err);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        return HTTP_INTERNAL_SERVER_ERROR;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    if (!user || !*user) {
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02458)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                      "AuthBasicFake: empty username expression for URI '%s', ignoring", r->uri);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        apr_table_unset(r->headers_in, "Authorization");
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        return DECLINED;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    pass = ap_expr_str_exec(r, conf->fakepass, &err);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    if (err) {
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02456)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                      "AuthBasicFake: could not evaluate password expression for URI '%s': %s", r->uri, err);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        return HTTP_INTERNAL_SERVER_ERROR;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    if (!pass || !*pass) {
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02459)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                      "AuthBasicFake: empty password expression for URI '%s', ignoring", r->uri);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        apr_table_unset(r->headers_in, "Authorization");
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun        return DECLINED;
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen    }
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    auth_line = apr_pstrcat(r->pool, "Basic ",
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                            ap_pbase64encode(r->pool,
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                                             apr_pstrcat(r->pool, user,
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh                                                         ":", pass, NULL)),
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh                            NULL);
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh    apr_table_setn(r->headers_in, "Authorization", auth_line);
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02457)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                  "AuthBasicFake: \"Authorization: %s\"",
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                  auth_line);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    return OK;
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun}
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgunstatic void register_hooks(apr_pool_t *p)
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun{
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen    ap_hook_check_authn(authenticate_basic_user, NULL, NULL, APR_HOOK_MIDDLE,
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun                        AP_AUTH_INTERNAL_PER_CONF);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun    ap_hook_fixups(authenticate_basic_fake, NULL, NULL, APR_HOOK_LAST);
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    ap_hook_note_auth_failure(hook_note_basic_auth_failure, NULL, NULL,
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive                              APR_HOOK_MIDDLE);
60fdc5709bfeedd9539e279b5a5f46b3c610483bnilgun}
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383sliveAP_DECLARE_MODULE(auth_basic) =
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive{
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen    STANDARD20_MODULE_STUFF,
a1ef40892ffa2b44fc249423c5b6c42a74a84c68nd    create_auth_basic_dir_config,  /* dir config creater */
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    merge_auth_basic_dir_config,   /* dir merger --- default is to override */
e41a440220bb41526fac54001a3ee94abb0d07a6rbowen    NULL,                          /* server config */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    NULL,                          /* merge server config */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive    auth_basic_cmds,               /* command apr_table_t */
5f48875017569cc7610b17d852c44e02684d9d5aerikabele    register_hooks                 /* register hooks */
ca0e3098838c1f9aa77bcdfc3df99cf9aa0f9383slive};
a1ef40892ffa2b44fc249423c5b6c42a74a84c68nd