modules/aaa/mod_authn_core.c

	mod_authn_core.c revision d6e81217d873dc3b87fc4ffa5fbac2fad4191a15
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu/* Licensed to the Apache Software Foundation (ASF) under one or more
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * contributor license agreements.  See the NOTICE file distributed with
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * this work for additional information regarding copyright ownership.
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * The ASF licenses this file to You under the Apache License, Version 2.0
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * (the "License"); you may not use this file except in compliance with
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * the License.  You may obtain a copy of the License at
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu *
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu *     http://www.apache.org/licenses/LICENSE-2.0
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu *
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * Unless required by applicable law or agreed to in writing, software
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * distributed under the License is distributed on an "AS IS" BASIS,
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * See the License for the specific language governing permissions and
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * limitations under the License.
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu */
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
c208973c890b8f993297720fd0247bc7481d4304Christian Maeder/*
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * Security options etc.
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu *
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu * Module derived from code originally written by Rob McCool
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu *
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu */
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "apr_strings.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "apr_network_io.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#define APR_WANT_STRFUNC
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#define APR_WANT_BYTEFUNC
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "apr_want.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
a77aecc59cee605ea48e33b65a627e0aa0a245e0Mihai Codescu#include "ap_config.h"
a77aecc59cee605ea48e33b65a627e0aa0a245e0Mihai Codescu#include "httpd.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "http_config.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "http_core.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "http_log.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "http_request.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "http_protocol.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "ap_provider.h"
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include "mod_auth.h"
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#if APR_HAVE_NETINET_IN_H
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu#include <netinet/in.h>
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder#endif
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu/* TODO List
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu- Track down all of the references to r->ap_auth_type
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder   and change them to ap_auth_type()
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu- Remove ap_auth_type and ap_auth_name from the
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder   request_rec
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu*/
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maedertypedef struct {
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu    char *ap_auth_type;
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu    char *ap_auth_name;
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder} authn_core_dir_conf;
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescutypedef struct provider_alias_rec {
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu    char *provider_name;
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder    char *provider_alias;
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder    ap_conf_vector_t *sec_auth;
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder    const authn_provider *provider;
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu} provider_alias_rec;
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maedertypedef struct authn_alias_srv_conf {
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu    apr_hash_t *alias_rec;
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu} authn_alias_srv_conf;
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder
a77aecc59cee605ea48e33b65a627e0aa0a245e0Mihai Codescu
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescumodule AP_MODULE_DECLARE_DATA authn_core_module;
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maederstatic void *create_authn_core_dir_config(apr_pool_t *p, char *dummy)
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder{
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maeder    authn_core_dir_conf *conf =
a77aecc59cee605ea48e33b65a627e0aa0a245e0Mihai Codescu            (authn_core_dir_conf *)apr_pcalloc(p, sizeof(authn_core_dir_conf));
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu    return (void *)conf;
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu}
a77aecc59cee605ea48e33b65a627e0aa0a245e0Mihai Codescu
a9cc955b0a33e631b9ce3404e4e25b62cd067a77Christian Maederstatic void *merge_authn_core_dir_config(apr_pool_t *a, void *basev, void *newv)
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu{
2e0e43889f746e31eacf8eeccdeaa4032a65b07eMihai Codescu    authn_core_dir_conf *base = (authn_core_dir_conf *)basev;
    authn_core_dir_conf *new = (authn_core_dir_conf *)newv;
    authn_core_dir_conf *conf;

    /* Create this conf by duplicating the base, replacing elements
    * (or creating copies for merging) where new-> values exist.
    */
    conf = (authn_core_dir_conf *)apr_pmemdup(a, base, sizeof(authn_core_dir_conf));

    if (new->ap_auth_type) {
        conf->ap_auth_type = new->ap_auth_type;
    }

    if (new->ap_auth_name) {
        conf->ap_auth_name = new->ap_auth_name;
    }

    return (void*)conf;
}

static authn_status authn_alias_check_password(request_rec *r, const char *user,
                                              const char *password)
{
    /* Look up the provider alias in the alias list */
    /* Get the the dir_config and call ap_Merge_per_dir_configs() */
    /* Call the real provider->check_password() function */
    /* return the result of the above function call */

    const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);
    authn_status ret = AUTH_USER_NOT_FOUND;
    authn_alias_srv_conf *authcfg =
        (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
                                                     &authn_core_module);

    if (provider_name) {
        provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
                                                         provider_name, APR_HASH_KEY_STRING);
        ap_conf_vector_t *orig_dir_config = r->per_dir_config;

        /* If we found the alias provider in the list, then merge the directory
           configurations and call the real provider */
        if (prvdraliasrec) {
            r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config,
                                                         prvdraliasrec->sec_auth);
            ret = prvdraliasrec->provider->check_password(r,user,password);
            r->per_dir_config = orig_dir_config;
        }
    }

    return ret;
}

static authn_status authn_alias_get_realm_hash(request_rec *r, const char *user,
                                               const char *realm, char **rethash)
{
    /* Look up the provider alias in the alias list */
    /* Get the the dir_config and call ap_Merge_per_dir_configs() */
    /* Call the real provider->get_realm_hash() function */
    /* return the result of the above function call */

    const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);
    authn_status ret = AUTH_USER_NOT_FOUND;
    authn_alias_srv_conf *authcfg =
        (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
                                                     &authn_core_module);

    if (provider_name) {
        provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
                                                         provider_name, APR_HASH_KEY_STRING);
        ap_conf_vector_t *orig_dir_config = r->per_dir_config;

        /* If we found the alias provider in the list, then merge the directory
           configurations and call the real provider */
        if (prvdraliasrec) {
            r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config,
                                                         prvdraliasrec->sec_auth);
            ret = prvdraliasrec->provider->get_realm_hash(r,user,realm,rethash);
            r->per_dir_config = orig_dir_config;
        }
    }

    return ret;
}

static void *create_authn_alias_svr_config(apr_pool_t *p, server_rec *s)
{

    authn_alias_srv_conf *authcfg;

    authcfg = (authn_alias_srv_conf *) apr_pcalloc(p, sizeof(authn_alias_srv_conf));
    authcfg->alias_rec = apr_hash_make(p);

    return (void *) authcfg;
}

static const authn_provider authn_alias_provider =
{
    &authn_alias_check_password,
    &authn_alias_get_realm_hash,
};

static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *arg)
{
    int old_overrides = cmd->override;
    const char *endp = ap_strrchr_c(arg, '>');
    const char *args;
    char *provider_alias;
    char *provider_name;
    const char *errmsg;
    const authn_provider *provider = NULL;
    ap_conf_vector_t *new_auth_config = ap_create_per_dir_config(cmd->pool);
    authn_alias_srv_conf *authcfg =
        (authn_alias_srv_conf *)ap_get_module_config(cmd->server->module_config,
                                                     &authn_core_module);

    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
    if (err != NULL) {
        return err;
    }

    if (endp == NULL) {
        return apr_pstrcat(cmd->pool, cmd->cmd->name,
                           "> directive missing closing '>'", NULL);
    }

    args = apr_pstrndup(cmd->pool, arg, endp - arg);

    if (!args[0]) {
        return apr_pstrcat(cmd->pool, cmd->cmd->name,
                           "> directive requires additional arguments", NULL);
    }

    /* Pull the real provider name and the alias name from the block header */
    provider_name = ap_getword_conf(cmd->pool, &args);
    provider_alias = ap_getword_conf(cmd->pool, &args);

    if (!provider_name[0] || !provider_alias[0]) {
        return apr_pstrcat(cmd->pool, cmd->cmd->name,
                           "> directive requires additional arguments", NULL);
    }

    if (strcasecmp(provider_name, provider_alias) == 0) {
        return apr_pstrcat(cmd->pool,
                           "The alias provider name must be different from the base provider name.", NULL);
    }

    /* Look up the alias provider to make sure that it hasn't already been registered. */
    provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_alias, "0");
    if (provider) {
        return apr_pstrcat(cmd->pool, "The alias provider ", provider_alias,
                           " has already be registered previously as either a base provider or an alias provider.",
                           NULL);
    }

    /* walk the subsection configuration to get the per_dir config that we will
       merge just before the real provider is called. */
    cmd->override = OR_ALL|ACCESS_CONF;
    errmsg = ap_walk_config(cmd->directive->first_child, cmd, new_auth_config);

    if (!errmsg) {
        provider_alias_rec *prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(provider_alias_rec));
        provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_name, "0");

        /* Save off the new directory config along with the original provider name
           and function pointer data */
        prvdraliasrec->sec_auth = new_auth_config;
        prvdraliasrec->provider_name = provider_name;
        prvdraliasrec->provider_alias = provider_alias;
        prvdraliasrec->provider = provider;
        apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec);

        /* Register the fake provider so that we get called first */
        ap_register_auth_provider(cmd->pool, AUTHN_PROVIDER_GROUP,
                                  provider_alias, "0", &authn_alias_provider,
                                  AP_AUTH_INTERNAL_PER_CONF);
    }

    cmd->override = old_overrides;

    return errmsg;
}

/*
 * Load an authorisation realm into our location configuration, applying the
 * usual rules that apply to realms.
 */
static const char *set_authname(cmd_parms *cmd, void *mconfig,
                                const char *word1)
{
    authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;

    aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1);
    return NULL;
}


static const char *authn_ap_auth_type(request_rec *r)
{
    authn_core_dir_conf *conf;

    conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
        &authn_core_module);

    return apr_pstrdup(r->pool, conf->ap_auth_type);
}

static const char *authn_ap_auth_name(request_rec *r)
{
    authn_core_dir_conf *conf;

    conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
        &authn_core_module);

    return apr_pstrdup(r->pool, conf->ap_auth_name);
}

static apr_array_header_t *authn_ap_list_provider_names(apr_pool_t *ptemp)
{
    return ap_list_provider_names(ptemp, AUTHN_PROVIDER_GROUP, "0");
}

static const command_rec authn_cmds[] =
{
    AP_INIT_TAKE1("AuthType", ap_set_string_slot,
                  (void*)APR_OFFSETOF(authn_core_dir_conf, ap_auth_type), OR_AUTHCFG,
                  "An HTTP authorization type (e.g., \"Basic\")"),
    AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG,
                  "The authentication realm (e.g. \"Members Only\")"),
    AP_INIT_RAW_ARGS("<AuthnProviderAlias", authaliassection, NULL, RSRC_CONF,
                     "Container for authentication directives grouped under "
                     "a provider alias"),
    {NULL}
};

static void register_hooks(apr_pool_t *p)
{
    APR_REGISTER_OPTIONAL_FN(authn_ap_auth_type);
    APR_REGISTER_OPTIONAL_FN(authn_ap_auth_name);
    APR_REGISTER_OPTIONAL_FN(authn_ap_list_provider_names);
}

module AP_MODULE_DECLARE_DATA authn_core_module =
{
    STANDARD20_MODULE_STUFF,
    create_authn_core_dir_config,   /* dir config creater */
    merge_authn_core_dir_config,    /* dir merger --- default is to override */
    create_authn_alias_svr_config,  /* server config */
    NULL,                           /* merge server config */
    authn_cmds,
    register_hooks                  /* register hooks */
};