mod_auth_db.c revision 1ccd992d37d62c8cb2056126f2234f64ec189bfd
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
*
* Portions of this software are based upon public domain software
* originally written at the National Center for Supercomputing Applications,
* University of Illinois, Urbana-Champaign.
*/
/*
* mod_auth_db: authentication
*
* Original work by Rob McCool & Brian Behlendorf.
*
* Adapted to Apache by rst (mod_auth_dbm)
*
* Adapted for Berkeley DB by Andrew Cohen
*
* apache 2 port by Brian Martin
*
* mod_auth_db was based on mod_auth_dbm.
*
* Warning, this is not a drop in replacement for mod_auth_dbm,
* for people wanting to switch from dbm to Berkeley DB.
* It requires the use of AuthDBUserFile and AuthDBGroupFile
* instead of AuthDBMUserFile AuthDBMGroupFile
*
* Also, in the configuration file you need to specify
* auth_db_module rather than auth_dbm_module
*
* On some BSD systems (e.g. FreeBSD and NetBSD) dbm is automatically
* mapped to Berkeley DB. You can use either mod_auth_dbm or
* mod_auth_db. The latter makes it more obvious that it's Berkeley.
* On other platforms where you want to use the DB library you
* usually have to install it first. See http://www.sleepycat.com/
* for the distribution. The interface this module uses is the
* one from DB version 1.85 and 1.86, but DB version 2.x
* can also be used when compatibility mode is enabled.
*
* dirkx - Added Authoritative control to allow passing on to lower
* modules if and only if the userid is not known to this
* module. A known user with a faulty or absent password still
* causes an AuthRequired. The default is 'Authoritative', i.e.
* no control is passed along.
*/
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h" /* for ap_hook_(check_user_id | auth_check) */
#ifdef HAVE_DB_H
#include <db.h>
#endif
#define DB_VER 3
#define DB_VER 2
#else
#define DB_VER 1
#endif
typedef struct {
char *auth_dbpwfile;
char *auth_dbgrpfile;
int auth_dbauthoritative;
static void *create_db_auth_dir_config(apr_pool_t *p, char *d)
{
return sec;
}
{
if (!t || strcmp(t, "db"))
return DECLINE_CMD;
}
static const command_rec db_auth_cmds[] =
{
{"AuthDBUserFile", ap_set_file_slot,
{"AuthDBGroupFile", ap_set_file_slot,
{"AuthUserFile", set_db_slot,
{"AuthGroupFile", set_db_slot,
{"AuthDBAuthoritative", ap_set_flag_slot,
"Set to 'no' to allow access control to be passed along to lower modules if the userID is not known to this module"},
{NULL}
};
{
DB *f;
DBT d, q;
int retval;
memset(&d, 0, sizeof(d));
memset(&q, 0, sizeof(q));
#if DB_VER == 3
char * reason;
switch(retval) {
case DB_OLD_VERSION:
reason = "Old database version. Upgrade to version 3";
break;
case EEXIST:
reason = "DB_CREATE and DB_EXCL were specified and the file exists";
break;
case EINVAL:
reason = "An invalid flag value or parameter was specified";
break;
case ENOENT:
reason = "A non-existent re_source file was specified";
break;
default:
reason = "And I don't know why";
break;
}
"could not open db auth file %s: %s",
return NULL;
}
char * reason;
switch(retval) {
case EEXIST:
reason = "DB_CREATE and DB_EXCL were specified and the file exists.";
break;
case EINVAL:
reason = "An invalid flag value or parameter was specified";
break;
case ENOENT:
reason = "A non-existent re_source file was specified";
break;
default:
reason = "And I don't know why";
break;
}
"could not open db auth file %s: %s",
return NULL;
}
#else
"could not open db auth file: %s", auth_dbpwfile);
return NULL;
}
#endif
#else
if (!((f->get) (f, &q, &d, 0))) {
#endif
}
(f->close) (f, 0);
#else
(f->close) (f);
#endif
return pw;
}
/* We do something strange with the group file. If the group file
* contains any : we assume the format is
* key=username value=":"groupname [":"anything here is ignored]
* otherwise we now (0.8.14+) assume that the format is
* key=username value=groupname
* The first allows the password and group files to be the same
* physical DB file; key=username value=password":"groupname[":"anything]
*
* mark@telescope.org, 22Sep95
*/
{
char *grp_colon;
char *grp_colon2;
return NULL;
if (grp_colon2)
*grp_colon2 = '\0';
return grp_colon;
}
return grp_data;
}
static int db_authenticate_basic_user(request_rec *r)
{
const char *sent_pw;
int res;
return res;
if (!sec->auth_dbpwfile) {
return DECLINED;
}
if (!(sec->auth_dbauthoritative))
return DECLINED;
return HTTP_UNAUTHORIZED;
}
/* Password is up to first : if exists */
if (colon_pw) {
*colon_pw = '\0';
}
if (invalid_pw != APR_SUCCESS) {
"DB user %s: authentication failure for \"%s\": "
"Password Mismatch",
return HTTP_UNAUTHORIZED;
}
return OK;
}
/* Checking ID */
static int db_check_auth(request_rec *r)
{
int m = r->method_number;
register int x;
const char *t;
char *w;
if (!sec->auth_dbgrpfile)
return DECLINED;
if (!reqs_arr)
return DECLINED;
continue;
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
const char *orig_groups, *groups;
char *v;
if (!(sec->auth_dbauthoritative))
return DECLINED;
"user %s not in DB group file %s: %s",
return HTTP_UNAUTHORIZED;
}
while (t[0]) {
w = ap_getword_white(r->pool, &t);
while (groups[0]) {
if (!strcmp(v, w))
return OK;
}
}
return HTTP_UNAUTHORIZED;
}
}
return DECLINED;
}
static void register_hooks(void)
{
}
{
create_db_auth_dir_config, /* dir config creater */
NULL, /* dir merger --- default is to override */
NULL, /* server config */
NULL, /* merge server config */
db_auth_cmds, /* command apr_table_t */
NULL, /* handlers */
register_hooks /* register hooks */
};