mod_auth_db.c revision 17db3022778ec47c890504b9378961c428bfddc8
ad099a822dc3de888a5294adf44b230bb9437f47rbowen/* ====================================================================
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * Copyright (c) 1995-1999 The Apache Group. All rights reserved.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
c27a94ad0c1ec49cc72ccdf9796b31ab56415604nd * Redistribution and use in source and binary forms, with or without
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * modification, are permitted provided that the following conditions
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * are met:
031b91a62d25106ae69d4693475c79618dd5e884fielding *
031b91a62d25106ae69d4693475c79618dd5e884fielding * 1. Redistributions of source code must retain the above copyright
031b91a62d25106ae69d4693475c79618dd5e884fielding * notice, this list of conditions and the following disclaimer.
031b91a62d25106ae69d4693475c79618dd5e884fielding *
031b91a62d25106ae69d4693475c79618dd5e884fielding * 2. Redistributions in binary form must reproduce the above copyright
031b91a62d25106ae69d4693475c79618dd5e884fielding * notice, this list of conditions and the following disclaimer in
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * the documentation and/or other materials provided with the
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * distribution.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * 3. All advertising materials mentioning features or use of this
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * software must display the following acknowledgment:
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * "This product includes software developed by the Apache Group
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * for use in the Apache HTTP server project (http://www.apache.org/)."
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * 4. The names "Apache Server" and "Apache Group" must not be used to
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * endorse or promote products derived from this software without
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * prior written permission. For written permission, please contact
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * apache@apache.org.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * 5. Products derived from this software may not be called "Apache"
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * nor may "Apache" appear in their names without prior written
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * permission of the Apache Group.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim * 6. Redistributions of any form whatsoever must retain the following
15533ba489eab4fd353719602c5eaa8219a58997jailletc * acknowledgment:
a99c5d4cc3cab6a62b04d52000dbc22ce1fa2d94coar * "This product includes software developed by the Apache Group
15533ba489eab4fd353719602c5eaa8219a58997jailletc * for use in the Apache HTTP server project (http://www.apache.org/)."
15533ba489eab4fd353719602c5eaa8219a58997jailletc *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * IT'S CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * OF THE POSSIBILITY OF SUCH DAMAGE.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * ====================================================================
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * This software consists of voluntary contributions made by many
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * individuals on behalf of the Apache Group and was originally based
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * on public domain software written at the National Center for
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * Supercomputing Applications, University of Illinois, Urbana-Champaign.
162731dcc08cbf08bad68aafe2fbd1c395bbf3c2nilgun * For more information on the Apache Group and the Apache HTTP server
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * project, please see <http://www.apache.org/>.
ceaaa460774099db5747f2d7f216295ea6d729ectakashi *
1cd8c9e1716ec7beeddcc151ef24e97860f6cb0cminfrin */
1cd8c9e1716ec7beeddcc151ef24e97860f6cb0cminfrin
1cd8c9e1716ec7beeddcc151ef24e97860f6cb0cminfrin/*
1cd8c9e1716ec7beeddcc151ef24e97860f6cb0cminfrin * mod_auth_db: authentication
1cd8c9e1716ec7beeddcc151ef24e97860f6cb0cminfrin *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * Original work by Rob McCool & Brian Behlendorf.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
162731dcc08cbf08bad68aafe2fbd1c395bbf3c2nilgun * Adapted to Apache by rst (mod_auth_dbm)
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
1cd8c9e1716ec7beeddcc151ef24e97860f6cb0cminfrin * Adapted for Berkeley DB by Andrew Cohen
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * mod_auth_db was based on mod_auth_dbm.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * Warning, this is not a drop in replacement for mod_auth_dbm,
162731dcc08cbf08bad68aafe2fbd1c395bbf3c2nilgun * for people wanting to switch from dbm to Berkeley DB.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * It requires the use of AuthDBUserFile and AuthDBGroupFile
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * instead of AuthDBMUserFile AuthDBMGroupFile
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * Also, in the configuration file you need to specify
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * db_auth_module rather than dbm_auth_module
ad099a822dc3de888a5294adf44b230bb9437f47rbowen *
7a3589941a1276dd8bf6d4e6d01720b9408ef00bpquerna * On some BSD systems (e.g. FreeBSD and NetBSD) dbm is automatically
7a3589941a1276dd8bf6d4e6d01720b9408ef00bpquerna * mapped to Berkeley DB. You can use either mod_auth_dbm or
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * mod_auth_db. The latter makes it more obvious that it's Berkeley.
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * On other platforms where you want to use the DB library you
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * usually have to install it first. See http://www.sleepycat.com/
ad099a822dc3de888a5294adf44b230bb9437f47rbowen * for the distribution. The interface this module uses is the
* one from DB version 1.85 and 1.86, but DB version 2.x
* can also be used when compatibility mode is enabled.
*
* dirkx - Added Authoritative control to allow passing on to lower
* modules if and only if the user-id is not known to this
* module. A known user with a faulty or absent password still
* causes an AuthRequired. The default is 'Authoritative', i.e.
* no control is passed along.
*/
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include <db.h>
#if defined(DB_VERSION_MAJOR) && (DB_VERSION_MAJOR == 2)
#define DB2
#endif
typedef struct {
char *auth_dbpwfile;
char *auth_dbgrpfile;
int auth_dbauthoritative;
} db_auth_config_rec;
static void *create_db_auth_dir_config(pool *p, char *d)
{
db_auth_config_rec *sec
= (db_auth_config_rec *) ap_pcalloc(p, sizeof(db_auth_config_rec));
sec->auth_dbpwfile = NULL;
sec->auth_dbgrpfile = NULL;
sec->auth_dbauthoritative = 1; /* fortress is secure by default */
return sec;
}
static const char *set_db_slot(cmd_parms *cmd, void *offset, char *f, char *t)
{
if (!t || strcmp(t, "db"))
return DECLINE_CMD;
return ap_set_file_slot(cmd, offset, f);
}
static const command_rec db_auth_cmds[] =
{
{"AuthDBUserFile", ap_set_file_slot,
(void *) XtOffsetOf(db_auth_config_rec, auth_dbpwfile),
OR_AUTHCFG, TAKE1, NULL},
{"AuthDBGroupFile", ap_set_file_slot,
(void *) XtOffsetOf(db_auth_config_rec, auth_dbgrpfile),
OR_AUTHCFG, TAKE1, NULL},
{"AuthUserFile", set_db_slot,
(void *) XtOffsetOf(db_auth_config_rec, auth_dbpwfile),
OR_AUTHCFG, TAKE12, NULL},
{"AuthGroupFile", set_db_slot,
(void *) XtOffsetOf(db_auth_config_rec, auth_dbgrpfile),
OR_AUTHCFG, TAKE12, NULL},
{"AuthDBAuthoritative", ap_set_flag_slot,
(void *) XtOffsetOf(db_auth_config_rec, auth_dbauthoritative),
OR_AUTHCFG, FLAG,
"Set to 'no' to allow access control to be passed along to lower modules if the userID is not known to this module"},
{NULL}
};
module db_auth_module;
static char *get_db_pw(request_rec *r, char *user, const char *auth_dbpwfile)
{
DB *f;
DBT d, q;
char *pw = NULL;
memset(&d, 0, sizeof(d));
memset(&q, 0, sizeof(q));
q.data = user;
q.size = strlen(q.data);
#ifdef DB2
if (db_open(auth_dbpwfile, DB_HASH, DB_RDONLY, 0664, NULL, NULL, &f) != 0) {
#else
if (!(f = dbopen(auth_dbpwfile, O_RDONLY, 0664, DB_HASH, NULL))) {
#endif
ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
"could not open db auth file: %s", auth_dbpwfile);
return NULL;
}
#ifdef DB2
if (!((f->get) (f, NULL, &q, &d, 0))) {
#else
if (!((f->get) (f, &q, &d, 0))) {
#endif
pw = ap_palloc(r->pool, d.size + 1);
strncpy(pw, d.data, d.size);
pw[d.size] = '\0'; /* Terminate the string */
}
#ifdef DB2
(f->close) (f, 0);
#else
(f->close) (f);
#endif
return pw;
}
/* We do something strange with the group file. If the group file
* contains any : we assume the format is
* key=username value=":"groupname [":"anything here is ignored]
* otherwise we now (0.8.14+) assume that the format is
* key=username value=groupname
* The first allows the password and group files to be the same
* physical DB file; key=username value=password":"groupname[":"anything]
*
* mark@telescope.org, 22Sep95
*/
static char *get_db_grp(request_rec *r, char *user, const char *auth_dbgrpfile)
{
char *grp_data = get_db_pw(r, user, auth_dbgrpfile);
char *grp_colon;
char *grp_colon2;
if (grp_data == NULL)
return NULL;
if ((grp_colon = strchr(grp_data, ':')) != NULL) {
grp_colon2 = strchr(++grp_colon, ':');
if (grp_colon2)
*grp_colon2 = '\0';
return grp_colon;
}
return grp_data;
}
static int db_authenticate_basic_user(request_rec *r)
{
db_auth_config_rec *sec =
(db_auth_config_rec *) ap_get_module_config(r->per_dir_config,
&db_auth_module);
const char *sent_pw;
char *real_pw, *colon_pw;
char *invalid_pw;
int res;
if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
return res;
if (!sec->auth_dbpwfile)
return DECLINED;
if (!(real_pw = get_db_pw(r, r->user, sec->auth_dbpwfile))) {
if (!(sec->auth_dbauthoritative))
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"DB user %s not found: %s", r->user, r->filename);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
/* Password is up to first : if exists */
colon_pw = strchr(real_pw, ':');
if (colon_pw) {
*colon_pw = '\0';
}
invalid_pw = ap_validate_password(sent_pw, real_pw);
if (invalid_pw != NULL) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"DB user %s: authentication failure for \"%s\": %s",
r->user, r->uri, invalid_pw);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
return OK;
}
/* Checking ID */
static int db_check_auth(request_rec *r)
{
db_auth_config_rec *sec =
(db_auth_config_rec *) ap_get_module_config(r->per_dir_config,
&db_auth_module);
char *user = r->user;
int m = r->method_number;
const array_header *reqs_arr = ap_requires(r);
require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
register int x;
const char *t;
char *w;
if (!sec->auth_dbgrpfile)
return DECLINED;
if (!reqs_arr)
return DECLINED;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (1 << m)))
continue;
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (!strcmp(w, "group") && sec->auth_dbgrpfile) {
const char *orig_groups, *groups;
char *v;
if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) {
if (!(sec->auth_dbauthoritative))
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"user %s not in DB group file %s: %s",
user, sec->auth_dbgrpfile, r->filename);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
orig_groups = groups;
while (t[0]) {
w = ap_getword_white(r->pool, &t);
groups = orig_groups;
while (groups[0]) {
v = ap_getword(r->pool, &groups, ',');
if (!strcmp(v, w))
return OK;
}
}
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"user %s not in right group: %s", user, r->filename);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
}
return DECLINED;
}
module db_auth_module =
{
STANDARD_MODULE_STUFF,
NULL, /* initializer */
create_db_auth_dir_config, /* dir config creater */
NULL, /* dir merger --- default is to override */
NULL, /* server config */
NULL, /* merge server config */
db_auth_cmds, /* command table */
NULL, /* handlers */
NULL, /* filename translation */
db_authenticate_basic_user, /* check_user_id */
db_check_auth, /* check auth */
NULL, /* check access */
NULL, /* type_checker */
NULL, /* fixups */
NULL, /* logger */
NULL, /* header parser */
NULL, /* child_init */
NULL, /* child_exit */
NULL /* post read-request */
};