842ae4bd224140319ae7feec1872b93dfd491143fielding/* Licensed to the Apache Software Foundation (ASF) under one or more
842ae4bd224140319ae7feec1872b93dfd491143fielding * contributor license agreements. See the NOTICE file distributed with
842ae4bd224140319ae7feec1872b93dfd491143fielding * this work for additional information regarding copyright ownership.
842ae4bd224140319ae7feec1872b93dfd491143fielding * The ASF licenses this file to You under the Apache License, Version 2.0
842ae4bd224140319ae7feec1872b93dfd491143fielding * (the "License"); you may not use this file except in compliance with
842ae4bd224140319ae7feec1872b93dfd491143fielding * the License. You may obtain a copy of the License at
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes *
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes * http://www.apache.org/licenses/LICENSE-2.0
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes *
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes * Unless required by applicable law or agreed to in writing, software
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes * distributed under the License is distributed on an "AS IS" BASIS,
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes * See the License for the specific language governing permissions and
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes * limitations under the License.
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes */
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes/*
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes * Security options etc.
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes *
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes * Module derived from code originally written by Rob McCool
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes *
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes */
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "apr_strings.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "apr_network_io.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "apr_md5.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#define APR_WANT_STRFUNC
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#define APR_WANT_BYTEFUNC
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "apr_want.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "ap_config.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "httpd.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "http_config.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "http_core.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "http_log.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "http_request.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "http_protocol.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "ap_provider.h"
feaca656b298a47325760932c0fbc74600550bcdsf#include "ap_expr.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "mod_auth.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#if APR_HAVE_NETINET_IN_H
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include <netinet/in.h>
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#endif
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
5014faa85f522902d3326b3182d4b389cd520d9echrisd#undef AUTHZ_EXTRA_CONFIGS
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholestypedef struct provider_alias_rec {
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes char *provider_name;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes char *provider_alias;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes char *provider_args;
97cc46935ec496b83fef9d6feb094d706c895b3bsf const void *provider_parsed_args;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes ap_conf_vector_t *sec_auth;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes const authz_provider *provider;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes} provider_alias_rec;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdtypedef enum {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd AUTHZ_LOGIC_AND,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd AUTHZ_LOGIC_OR,
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf AUTHZ_LOGIC_OFF,
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf AUTHZ_LOGIC_UNSET
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd} authz_logic_op;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdtypedef struct authz_section_conf authz_section_conf;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstruct authz_section_conf {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd const char *provider_name;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd const char *provider_args;
97cc46935ec496b83fef9d6feb094d706c895b3bsf const void *provider_parsed_args;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd const authz_provider *provider;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd apr_int64_t limited;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_logic_op op;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd int negate;
4feb1b3dbcb682b0ea5d876f2894b675aed9ad35sf /** true if this is not a real container but produced by AuthMerging;
4feb1b3dbcb682b0ea5d876f2894b675aed9ad35sf * only used for logging */
4feb1b3dbcb682b0ea5d876f2894b675aed9ad35sf int is_merged;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *first;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *next;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd};
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdtypedef struct authz_core_dir_conf authz_core_dir_conf;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstruct authz_core_dir_conf {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *section;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_core_dir_conf *next;
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf authz_logic_op op;
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf signed char authz_forbidden_on_fail;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd};
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf#define UNSET -1
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholestypedef struct authz_core_srv_conf {
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes apr_hash_t *alias_rec;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes} authz_core_srv_conf;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholesmodule AP_MODULE_DECLARE_DATA authz_core_module;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstatic authz_core_dir_conf *authz_core_first_dir_conf;
353fc7ad88a4f946a2c11edfbb73a1044abc7207bnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholesstatic void *create_authz_core_dir_config(apr_pool_t *p, char *dummy)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd authz_core_dir_conf *conf = apr_pcalloc(p, sizeof(*conf));
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf conf->op = AUTHZ_LOGIC_UNSET;
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf conf->authz_forbidden_on_fail = UNSET;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->next = authz_core_first_dir_conf;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_core_first_dir_conf = conf;
f8ce85be85fcd02385a5a3cb469530f7474c0daechrisd
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes return (void *)conf;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisdstatic void *merge_authz_core_dir_config(apr_pool_t *p,
95b1a32e3398084889f7d948477e02d5a3b9f9cachrisd void *basev, void *newv)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes authz_core_dir_conf *base = (authz_core_dir_conf *)basev;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes authz_core_dir_conf *new = (authz_core_dir_conf *)newv;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes authz_core_dir_conf *conf;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf if (new->op == AUTHZ_LOGIC_UNSET && !new->section && base->section ) {
11e076839c8d5a82d55e710194d0daac51390dbdsf /* Only authz_forbidden_on_fail has been set in new. Don't treat
11e076839c8d5a82d55e710194d0daac51390dbdsf * it as a new auth config w.r.t. AuthMerging */
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf conf = apr_pmemdup(p, base, sizeof(*base));
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf }
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf else if (new->op == AUTHZ_LOGIC_OFF || new->op == AUTHZ_LOGIC_UNSET ||
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf !(base->section || new->section)) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf = apr_pmemdup(p, new, sizeof(*new));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *section;
482ac4a7875bf582690164f70e868508c17f6b87bnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (base->section) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (new->section) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section = apr_pcalloc(p, sizeof(*section));
7871f87cd19d007e2cc8efe7480171343efda61abnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->limited =
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd base->section->limited | new->section->limited;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->op = new->op;
4feb1b3dbcb682b0ea5d876f2894b675aed9ad35sf section->is_merged = 1;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->first = apr_pmemdup(p, base->section,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd sizeof(*base->section));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->first->next = apr_pmemdup(p, new->section,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd sizeof(*new->section));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd } else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section = apr_pmemdup(p, base->section,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd sizeof(*base->section));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section = apr_pmemdup(p, new->section, sizeof(*new->section));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
5a29df0ef666c55a49729d5e8ffb15c43039748frpluem conf = apr_pcalloc(p, sizeof(*conf));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->section = section;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->op = new->op;
7871f87cd19d007e2cc8efe7480171343efda61abnicholes }
7871f87cd19d007e2cc8efe7480171343efda61abnicholes
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf if (new->authz_forbidden_on_fail == UNSET)
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf conf->authz_forbidden_on_fail = base->authz_forbidden_on_fail;
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf else
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf conf->authz_forbidden_on_fail = new->authz_forbidden_on_fail;
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes return (void*)conf;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
b47fd7ec6545b9120660f1723f9d5c5624744f4ccovener/* Only per-server directive we have is GLOBAL_ONLY */
b47fd7ec6545b9120660f1723f9d5c5624744f4ccovenerstatic void *merge_authz_core_svr_config(apr_pool_t *p,
b47fd7ec6545b9120660f1723f9d5c5624744f4ccovener void *basev, void *newv)
b47fd7ec6545b9120660f1723f9d5c5624744f4ccovener{
b47fd7ec6545b9120660f1723f9d5c5624744f4ccovener return basev;
b47fd7ec6545b9120660f1723f9d5c5624744f4ccovener}
b47fd7ec6545b9120660f1723f9d5c5624744f4ccovener
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholesstatic void *create_authz_core_svr_config(apr_pool_t *p, server_rec *s)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes authz_core_srv_conf *authcfg;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd authcfg = apr_pcalloc(p, sizeof(*authcfg));
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes authcfg->alias_rec = apr_hash_make(p);
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
95b1a32e3398084889f7d948477e02d5a3b9f9cachrisd return (void *)authcfg;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd/* This is a fake authz provider that really merges various authz alias
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd * configurations and then invokes them.
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd */
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisdstatic authz_status authz_alias_check_authorization(request_rec *r,
97cc46935ec496b83fef9d6feb094d706c895b3bsf const char *require_args,
97cc46935ec496b83fef9d6feb094d706c895b3bsf const void *parsed_require_args)
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd{
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd const char *provider_name;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd authz_status ret = AUTHZ_DENIED;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd /* Look up the provider alias in the alias list.
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd * Get the the dir_config and call ap_Merge_per_dir_configs()
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd * Call the real provider->check_authorization() function
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd * return the result of the above function call
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd */
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd provider_name = apr_table_get(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd if (provider_name) {
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd authz_core_srv_conf *authcfg;
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd provider_alias_rec *prvdraliasrec;
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd authcfg = ap_get_module_config(r->server->module_config,
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd &authz_core_module);
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd prvdraliasrec = apr_hash_get(authcfg->alias_rec, provider_name,
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd APR_HASH_KEY_STRING);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd /* If we found the alias provider in the list, then merge the directory
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd configurations and call the real provider */
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd if (prvdraliasrec) {
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd ap_conf_vector_t *orig_dir_config = r->per_dir_config;
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd
5692bc05d2e606215730568e47bba1b9beabef99chrisd r->per_dir_config =
5692bc05d2e606215730568e47bba1b9beabef99chrisd ap_merge_per_dir_configs(r->pool, orig_dir_config,
5692bc05d2e606215730568e47bba1b9beabef99chrisd prvdraliasrec->sec_auth);
5692bc05d2e606215730568e47bba1b9beabef99chrisd
5692bc05d2e606215730568e47bba1b9beabef99chrisd ret = prvdraliasrec->provider->
97cc46935ec496b83fef9d6feb094d706c895b3bsf check_authorization(r, prvdraliasrec->provider_args,
97cc46935ec496b83fef9d6feb094d706c895b3bsf prvdraliasrec->provider_parsed_args);
5692bc05d2e606215730568e47bba1b9beabef99chrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd r->per_dir_config = orig_dir_config;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd }
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf else {
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02305)
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf "no alias provider found for '%s' (BUG?)",
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf provider_name);
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf }
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf }
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf else {
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf ap_assert(provider_name != NULL);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd }
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd return ret;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd}
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisdstatic const authz_provider authz_alias_provider =
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd{
97cc46935ec496b83fef9d6feb094d706c895b3bsf &authz_alias_check_authorization,
97cc46935ec496b83fef9d6feb094d706c895b3bsf NULL,
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd};
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisdstatic const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd const char *args)
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd{
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd const char *endp = ap_strrchr_c(args, '>');
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd char *provider_name;
5692bc05d2e606215730568e47bba1b9beabef99chrisd char *provider_alias;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd char *provider_args;
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd ap_conf_vector_t *new_authz_config;
5692bc05d2e606215730568e47bba1b9beabef99chrisd int old_overrides = cmd->override;
5692bc05d2e606215730568e47bba1b9beabef99chrisd const char *errmsg;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd if (err != NULL) {
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd return err;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd }
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd if (endp == NULL) {
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd return apr_pstrcat(cmd->pool, cmd->cmd->name,
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd "> directive missing closing '>'", NULL);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd }
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
05a5d2147e0dadae69d00691f814049dc9999efdsf args = apr_pstrndup(cmd->temp_pool, args, endp - args);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd if (!args[0]) {
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd return apr_pstrcat(cmd->pool, cmd->cmd->name,
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd "> directive requires additional arguments", NULL);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd }
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd /* Pull the real provider name and the alias name from the block header */
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd provider_name = ap_getword_conf(cmd->pool, &args);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd provider_alias = ap_getword_conf(cmd->pool, &args);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd provider_args = ap_getword_conf(cmd->pool, &args);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd if (!provider_name[0] || !provider_alias[0]) {
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd return apr_pstrcat(cmd->pool, cmd->cmd->name,
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd "> directive requires additional arguments", NULL);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd }
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd new_authz_config = ap_create_per_dir_config(cmd->pool);
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd /* Walk the subsection configuration to get the per_dir config that we will
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd * merge just before the real provider is called.
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd cmd->override = OR_AUTHCFG | ACCESS_CONF;
f8ce85be85fcd02385a5a3cb469530f7474c0daechrisd errmsg = ap_walk_config(cmd->directive->first_child, cmd,
f8ce85be85fcd02385a5a3cb469530f7474c0daechrisd new_authz_config);
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd cmd->override = old_overrides;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd if (!errmsg) {
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd provider_alias_rec *prvdraliasrec;
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd authz_core_srv_conf *authcfg;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(*prvdraliasrec));
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd /* Save off the new directory config along with the original
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd * provider name and function pointer data
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd */
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd prvdraliasrec->provider_name = provider_name;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd prvdraliasrec->provider_alias = provider_alias;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd prvdraliasrec->provider_args = provider_args;
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd prvdraliasrec->sec_auth = new_authz_config;
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd prvdraliasrec->provider =
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd ap_lookup_provider(AUTHZ_PROVIDER_GROUP, provider_name,
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd AUTHZ_PROVIDER_VERSION);
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd
9829e274c4f34e23acc7b1bbe1c563049bab5776chrisd /* by the time the config file is used, the provider should be loaded
9829e274c4f34e23acc7b1bbe1c563049bab5776chrisd * and registered with us.
9829e274c4f34e23acc7b1bbe1c563049bab5776chrisd */
9829e274c4f34e23acc7b1bbe1c563049bab5776chrisd if (!prvdraliasrec->provider) {
9829e274c4f34e23acc7b1bbe1c563049bab5776chrisd return apr_psprintf(cmd->pool,
9829e274c4f34e23acc7b1bbe1c563049bab5776chrisd "Unknown Authz provider: %s",
9829e274c4f34e23acc7b1bbe1c563049bab5776chrisd provider_name);
9829e274c4f34e23acc7b1bbe1c563049bab5776chrisd }
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf if (prvdraliasrec->provider->parse_require_line) {
4a470b153b1c251444249415190aabf912001e71sf err = prvdraliasrec->provider->parse_require_line(cmd,
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf provider_args, &prvdraliasrec->provider_parsed_args);
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf if (err)
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf return apr_psprintf(cmd->pool,
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf "Can't parse 'Require %s %s': %s",
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf provider_name, provider_args, err);
21da42a6b8f551ef603bd06356d3bf71d6d0c21dsf }
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd authcfg = ap_get_module_config(cmd->server->module_config,
36300c97db6e8e2b6ad38cead57f921ad9848106chrisd &authz_core_module);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd apr_hash_set(authcfg->alias_rec, provider_alias,
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd APR_HASH_KEY_STRING, prvdraliasrec);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd /* Register the fake provider so that we get called first */
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd ap_register_auth_provider(cmd->pool, AUTHZ_PROVIDER_GROUP,
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd provider_alias, AUTHZ_PROVIDER_VERSION,
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd &authz_alias_provider,
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd AP_AUTH_INTERNAL_PER_CONF);
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd }
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd return errmsg;
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd}
cb556b487ce3b50b3b69abadccd3b78b7a5507bdchrisd
5014faa85f522902d3326b3182d4b389cd520d9echrisdstatic const char* format_authz_result(authz_status result)
5014faa85f522902d3326b3182d4b389cd520d9echrisd{
5014faa85f522902d3326b3182d4b389cd520d9echrisd return ((result == AUTHZ_DENIED)
5014faa85f522902d3326b3182d4b389cd520d9echrisd ? "denied"
5014faa85f522902d3326b3182d4b389cd520d9echrisd : ((result == AUTHZ_GRANTED)
5014faa85f522902d3326b3182d4b389cd520d9echrisd ? "granted"
18b5268e013574026b2503b1641baf3299045f45sf : ((result == AUTHZ_DENIED_NO_USER)
4feb1b3dbcb682b0ea5d876f2894b675aed9ad35sf ? "denied (no authenticated user yet)"
18b5268e013574026b2503b1641baf3299045f45sf : "neutral")));
5014faa85f522902d3326b3182d4b389cd520d9echrisd}
5014faa85f522902d3326b3182d4b389cd520d9echrisd
5014faa85f522902d3326b3182d4b389cd520d9echrisdstatic const char* format_authz_command(apr_pool_t *p,
5014faa85f522902d3326b3182d4b389cd520d9echrisd authz_section_conf *section)
5014faa85f522902d3326b3182d4b389cd520d9echrisd{
5014faa85f522902d3326b3182d4b389cd520d9echrisd return (section->provider
5014faa85f522902d3326b3182d4b389cd520d9echrisd ? apr_pstrcat(p, "Require ", (section->negate ? "not " : ""),
5014faa85f522902d3326b3182d4b389cd520d9echrisd section->provider_name, " ",
5014faa85f522902d3326b3182d4b389cd520d9echrisd section->provider_args, NULL)
4feb1b3dbcb682b0ea5d876f2894b675aed9ad35sf : apr_pstrcat(p, section->is_merged ? "AuthMerging " : "<Require",
5014faa85f522902d3326b3182d4b389cd520d9echrisd ((section->op == AUTHZ_LOGIC_AND)
5014faa85f522902d3326b3182d4b389cd520d9echrisd ? (section->negate ? "NotAll" : "All")
5014faa85f522902d3326b3182d4b389cd520d9echrisd : (section->negate ? "None" : "Any")),
4feb1b3dbcb682b0ea5d876f2894b675aed9ad35sf section->is_merged ? "" : ">", NULL));
5014faa85f522902d3326b3182d4b389cd520d9echrisd}
5014faa85f522902d3326b3182d4b389cd520d9echrisd
5014faa85f522902d3326b3182d4b389cd520d9echrisdstatic authz_section_conf* create_default_section(apr_pool_t *p)
7871f87cd19d007e2cc8efe7480171343efda61abnicholes{
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *section = apr_pcalloc(p, sizeof(*section));
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
5014faa85f522902d3326b3182d4b389cd520d9echrisd section->op = AUTHZ_LOGIC_OR;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return section;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
7871f87cd19d007e2cc8efe7480171343efda61abnicholesstatic const char *add_authz_provider(cmd_parms *cmd, void *config,
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd const char *args)
7871f87cd19d007e2cc8efe7480171343efda61abnicholes{
7871f87cd19d007e2cc8efe7480171343efda61abnicholes authz_core_dir_conf *conf = (authz_core_dir_conf*)config;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *section = apr_pcalloc(cmd->pool, sizeof(*section));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *child;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->provider_name = ap_getword_conf(cmd->pool, &args);
7871f87cd19d007e2cc8efe7480171343efda61abnicholes
5014faa85f522902d3326b3182d4b389cd520d9echrisd if (!strcasecmp(section->provider_name, "not")) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->provider_name = ap_getword_conf(cmd->pool, &args);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->negate = 1;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->provider_args = args;
7871f87cd19d007e2cc8efe7480171343efda61abnicholes
7871f87cd19d007e2cc8efe7480171343efda61abnicholes /* lookup and cache the actual provider now */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->provider_name,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd AUTHZ_PROVIDER_VERSION);
7871f87cd19d007e2cc8efe7480171343efda61abnicholes
7871f87cd19d007e2cc8efe7480171343efda61abnicholes /* by the time the config file is used, the provider should be loaded
7871f87cd19d007e2cc8efe7480171343efda61abnicholes * and registered with us.
7871f87cd19d007e2cc8efe7480171343efda61abnicholes */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (!section->provider) {
7871f87cd19d007e2cc8efe7480171343efda61abnicholes return apr_psprintf(cmd->pool,
7871f87cd19d007e2cc8efe7480171343efda61abnicholes "Unknown Authz provider: %s",
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->provider_name);
7871f87cd19d007e2cc8efe7480171343efda61abnicholes }
7871f87cd19d007e2cc8efe7480171343efda61abnicholes
7871f87cd19d007e2cc8efe7480171343efda61abnicholes /* if the provider doesn't provide the appropriate function, reject it */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (!section->provider->check_authorization) {
7871f87cd19d007e2cc8efe7480171343efda61abnicholes return apr_psprintf(cmd->pool,
7871f87cd19d007e2cc8efe7480171343efda61abnicholes "The '%s' Authz provider is not supported by any "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "of the loaded authorization modules",
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->provider_name);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->limited = cmd->limited;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
97cc46935ec496b83fef9d6feb094d706c895b3bsf if (section->provider->parse_require_line) {
41070e1a54b4f6b5486011e5bcbaabec5bfbe728sf const char *err;
41070e1a54b4f6b5486011e5bcbaabec5bfbe728sf apr_pool_userdata_setn(section->provider_name,
41070e1a54b4f6b5486011e5bcbaabec5bfbe728sf AUTHZ_PROVIDER_NAME_NOTE,
41070e1a54b4f6b5486011e5bcbaabec5bfbe728sf apr_pool_cleanup_null,
41070e1a54b4f6b5486011e5bcbaabec5bfbe728sf cmd->temp_pool);
41070e1a54b4f6b5486011e5bcbaabec5bfbe728sf err = section->provider->parse_require_line(cmd, args,
41070e1a54b4f6b5486011e5bcbaabec5bfbe728sf &section->provider_parsed_args);
41070e1a54b4f6b5486011e5bcbaabec5bfbe728sf
97cc46935ec496b83fef9d6feb094d706c895b3bsf if (err)
97cc46935ec496b83fef9d6feb094d706c895b3bsf return err;
97cc46935ec496b83fef9d6feb094d706c895b3bsf }
97cc46935ec496b83fef9d6feb094d706c895b3bsf
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (!conf->section) {
5014faa85f522902d3326b3182d4b389cd520d9echrisd conf->section = create_default_section(cmd->pool);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (section->negate && conf->section->op == AUTHZ_LOGIC_OR) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return apr_psprintf(cmd->pool, "negative %s directive has no effect "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "in %s directive",
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd cmd->cmd->name,
5014faa85f522902d3326b3182d4b389cd520d9echrisd format_authz_command(cmd->pool, conf->section));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->section->limited |= section->limited;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child = conf->section->first;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (child) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd while (child->next) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child = child->next;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child->next = section;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->section->first = section;
7871f87cd19d007e2cc8efe7480171343efda61abnicholes }
7871f87cd19d007e2cc8efe7480171343efda61abnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return NULL;
7871f87cd19d007e2cc8efe7480171343efda61abnicholes}
7871f87cd19d007e2cc8efe7480171343efda61abnicholes
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisdstatic const char *add_authz_section(cmd_parms *cmd, void *mconfig,
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd const char *args)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd authz_core_dir_conf *conf = mconfig;
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd const char *endp = ap_strrchr_c(args, '>');
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *old_section = conf->section;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *section;
5692bc05d2e606215730568e47bba1b9beabef99chrisd int old_overrides = cmd->override;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd apr_int64_t old_limited = cmd->limited;
5692bc05d2e606215730568e47bba1b9beabef99chrisd const char *errmsg;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes if (endp == NULL) {
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes return apr_pstrcat(cmd->pool, cmd->cmd->name,
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes "> directive missing closing '>'", NULL);
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
05a5d2147e0dadae69d00691f814049dc9999efdsf args = apr_pstrndup(cmd->temp_pool, args, endp - args);
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes if (args[0]) {
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes return apr_pstrcat(cmd->pool, cmd->cmd->name,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "> directive doesn't take additional arguments",
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd NULL);
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section = apr_pcalloc(cmd->pool, sizeof(*section));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
5014faa85f522902d3326b3182d4b389cd520d9echrisd if (!strcasecmp(cmd->cmd->name, "<RequireAll")) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->op = AUTHZ_LOGIC_AND;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
5014faa85f522902d3326b3182d4b389cd520d9echrisd else if (!strcasecmp(cmd->cmd->name, "<RequireAny")) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->op = AUTHZ_LOGIC_OR;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
5014faa85f522902d3326b3182d4b389cd520d9echrisd else if (!strcasecmp(cmd->cmd->name, "<RequireNotAll")) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->op = AUTHZ_LOGIC_AND;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->negate = 1;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->op = AUTHZ_LOGIC_OR;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->negate = 1;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->section = section;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd /* trigger NOT_IN_LIMIT errors as if this were a <Limit> directive */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd cmd->limited &= ~(AP_METHOD_BIT << (METHODS - 1));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd cmd->override = OR_AUTHCFG;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd errmsg = ap_walk_config(cmd->directive->first_child, cmd, cmd->context);
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes cmd->override = old_overrides;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd cmd->limited = old_limited;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->section = old_section;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (errmsg) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return errmsg;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (section->first) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *child;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (!old_section) {
5014faa85f522902d3326b3182d4b389cd520d9echrisd old_section = conf->section = create_default_section(cmd->pool);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (section->negate && old_section->op == AUTHZ_LOGIC_OR) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return apr_psprintf(cmd->pool, "%s directive has "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "no effect in %s directive",
5014faa85f522902d3326b3182d4b389cd520d9echrisd format_authz_command(cmd->pool, section),
5014faa85f522902d3326b3182d4b389cd520d9echrisd format_authz_command(cmd->pool, old_section));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd old_section->limited |= section->limited;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (!section->negate && section->op == old_section->op) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd /* be associative */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section = section->first;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child = old_section->first;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (child) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd while (child->next) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child = child->next;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child->next = section;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd old_section->first = section;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return apr_pstrcat(cmd->pool,
5014faa85f522902d3326b3182d4b389cd520d9echrisd format_authz_command(cmd->pool, section),
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd " directive contains no authorization directives",
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd NULL);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return NULL;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstatic const char *authz_merge_sections(cmd_parms *cmd, void *mconfig,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd const char *arg)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_core_dir_conf *conf = mconfig;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (!strcasecmp(arg, "Off")) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->op = AUTHZ_LOGIC_OFF;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
5014faa85f522902d3326b3182d4b389cd520d9echrisd else if (!strcasecmp(arg, "And")) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->op = AUTHZ_LOGIC_AND;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
5014faa85f522902d3326b3182d4b389cd520d9echrisd else if (!strcasecmp(arg, "Or")) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf->op = AUTHZ_LOGIC_OR;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return apr_pstrcat(cmd->pool, cmd->cmd->name, " must be one of: "
5014faa85f522902d3326b3182d4b389cd520d9echrisd "Off | And | Or", NULL);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return NULL;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd}
fe5ff7f0ffa81497b5511eb87c24fff2923889d6bnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstatic int authz_core_check_section(apr_pool_t *p, server_rec *s,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *section, int is_conf)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *prev = NULL;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *child = section->first;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd int ret = !OK;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd while (child) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (child->first) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (authz_core_check_section(p, s, child, 0) != OK) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return !OK;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (child->negate && child->op != section->op) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *next = child->next;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd /* avoid one level of recursion when De Morgan permits */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child = child->first;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (prev) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd prev->next = child;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->first = child;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd do {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child->negate = !child->negate;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd } while (child->next && (child = child->next));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child->next = next;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd prev = child;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child = child->next;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
5014faa85f522902d3326b3182d4b389cd520d9echrisd child = section->first;
5014faa85f522902d3326b3182d4b389cd520d9echrisd
5014faa85f522902d3326b3182d4b389cd520d9echrisd while (child) {
5014faa85f522902d3326b3182d4b389cd520d9echrisd if (!child->negate) {
5014faa85f522902d3326b3182d4b389cd520d9echrisd ret = OK;
5014faa85f522902d3326b3182d4b389cd520d9echrisd break;
5014faa85f522902d3326b3182d4b389cd520d9echrisd }
5014faa85f522902d3326b3182d4b389cd520d9echrisd
5014faa85f522902d3326b3182d4b389cd520d9echrisd child = child->next;
5014faa85f522902d3326b3182d4b389cd520d9echrisd }
5014faa85f522902d3326b3182d4b389cd520d9echrisd
5014faa85f522902d3326b3182d4b389cd520d9echrisd if (ret != OK) {
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, APR_SUCCESS, s, APLOGNO(01624)
fc251eb7714d158c2952bc2ddbbcfb9169098212sf "%s directive contains only negative authorization directives",
fc251eb7714d158c2952bc2ddbbcfb9169098212sf is_conf ? "<Directory>, <Location>, or similar"
fc251eb7714d158c2952bc2ddbbcfb9169098212sf : format_authz_command(p, section));
5014faa85f522902d3326b3182d4b389cd520d9echrisd }
5014faa85f522902d3326b3182d4b389cd520d9echrisd
5014faa85f522902d3326b3182d4b389cd520d9echrisd return ret;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd}
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstatic int authz_core_pre_config(apr_pool_t *p, apr_pool_t *plog,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd apr_pool_t *ptemp)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd{
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_core_first_dir_conf = NULL;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return OK;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd}
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstatic int authz_core_check_config(apr_pool_t *p, apr_pool_t *plog,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd apr_pool_t *ptemp, server_rec *s)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd{
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_core_dir_conf *conf = authz_core_first_dir_conf;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd while (conf) {
5014faa85f522902d3326b3182d4b389cd520d9echrisd if (conf->section) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (authz_core_check_section(p, s, conf->section, 1) != OK) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return !OK;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd conf = conf->next;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return OK;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd}
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstatic const command_rec authz_cmds[] =
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd{
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd AP_INIT_RAW_ARGS("<AuthzProviderAlias", authz_require_alias_section,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd NULL, RSRC_CONF,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "container for grouping an authorization provider's "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "directives under a provider alias"),
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd AP_INIT_RAW_ARGS("Require", add_authz_provider, NULL, OR_AUTHCFG,
5014faa85f522902d3326b3182d4b389cd520d9echrisd "specifies authorization directives "
5014faa85f522902d3326b3182d4b389cd520d9echrisd "which one must pass (or not) for a request to suceeed"),
5014faa85f522902d3326b3182d4b389cd520d9echrisd AP_INIT_RAW_ARGS("<RequireAll", add_authz_section, NULL, OR_AUTHCFG,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "container for grouping authorization directives "
221ee9cbaffea40ec8219ee3194f2d711e589229chrisd "of which none must fail and at least one must pass "
221ee9cbaffea40ec8219ee3194f2d711e589229chrisd "for a request to succeed"),
5014faa85f522902d3326b3182d4b389cd520d9echrisd AP_INIT_RAW_ARGS("<RequireAny", add_authz_section, NULL, OR_AUTHCFG,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "container for grouping authorization directives "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "of which one must pass "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "for a request to succeed"),
5014faa85f522902d3326b3182d4b389cd520d9echrisd#ifdef AUTHZ_EXTRA_CONFIGS
5014faa85f522902d3326b3182d4b389cd520d9echrisd AP_INIT_RAW_ARGS("<RequireNotAll", add_authz_section, NULL, OR_AUTHCFG,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "container for grouping authorization directives "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "of which some must fail or none must pass "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "for a request to succeed"),
5014faa85f522902d3326b3182d4b389cd520d9echrisd#endif
5014faa85f522902d3326b3182d4b389cd520d9echrisd AP_INIT_RAW_ARGS("<RequireNone", add_authz_section, NULL, OR_AUTHCFG,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "container for grouping authorization directives "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "of which none must pass "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "for a request to succeed"),
5014faa85f522902d3326b3182d4b389cd520d9echrisd AP_INIT_TAKE1("AuthMerging", authz_merge_sections, NULL, OR_AUTHCFG,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "controls how a <Directory>, <Location>, or similar "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "directive's authorization directives are combined with "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "those of its predecessor"),
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf AP_INIT_FLAG("AuthzSendForbiddenOnFailure", ap_set_flag_slot_char,
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf (void *)APR_OFFSETOF(authz_core_dir_conf, authz_forbidden_on_fail),
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf OR_AUTHCFG,
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf "Controls if an authorization failure should result in a "
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf "'403 FORBIDDEN' response instead of the HTTP-conforming "
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf "'401 UNAUTHORIZED'"),
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd {NULL}
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd};
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisdstatic authz_status apply_authz_sections(request_rec *r,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *section,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_logic_op parent_op)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd{
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_status auth_result;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd /* check to make sure that the request method requires authorization */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (!(section->limited & (AP_METHOD_BIT << r->method_number))) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd auth_result =
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd (parent_op == AUTHZ_LOGIC_AND) ? AUTHZ_GRANTED : AUTHZ_NEUTRAL;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO(01625)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "authorization result of %s: %s "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "(directive limited to other methods)",
5014faa85f522902d3326b3182d4b389cd520d9echrisd format_authz_command(r->pool, section),
5014faa85f522902d3326b3182d4b389cd520d9echrisd format_authz_result(auth_result));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes return auth_result;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (section->provider) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd apr_table_setn(r->notes, AUTHZ_PROVIDER_NAME_NOTE,
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd section->provider_name);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd auth_result =
97cc46935ec496b83fef9d6feb094d706c895b3bsf section->provider->check_authorization(r, section->provider_args,
97cc46935ec496b83fef9d6feb094d706c895b3bsf section->provider_parsed_args);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_section_conf *child = section->first;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd auth_result = AUTHZ_NEUTRAL;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd while (child) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd authz_status child_result;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child_result = apply_authz_sections(r, child, section->op);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (child_result == AUTHZ_GENERAL_ERROR) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return AUTHZ_GENERAL_ERROR;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (child_result != AUTHZ_NEUTRAL) {
18b5268e013574026b2503b1641baf3299045f45sf /*
18b5268e013574026b2503b1641baf3299045f45sf * Handling of AUTHZ_DENIED/AUTHZ_DENIED_NO_USER: Return
18b5268e013574026b2503b1641baf3299045f45sf * AUTHZ_DENIED_NO_USER if providing a user may change the
18b5268e013574026b2503b1641baf3299045f45sf * result, AUTHZ_DENIED otherwise.
18b5268e013574026b2503b1641baf3299045f45sf */
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf if (section->op == AUTHZ_LOGIC_AND) {
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf if (child_result == AUTHZ_DENIED) {
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf auth_result = child_result;
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf break;
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf }
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf if ((child_result == AUTHZ_DENIED_NO_USER
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf && auth_result != AUTHZ_DENIED)
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf || (auth_result == AUTHZ_NEUTRAL)) {
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf auth_result = child_result;
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf }
18b5268e013574026b2503b1641baf3299045f45sf }
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf else {
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf /* AUTHZ_LOGIC_OR */
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf if (child_result == AUTHZ_GRANTED) {
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf auth_result = child_result;
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf break;
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf }
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf if ((child_result == AUTHZ_DENIED_NO_USER
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf && auth_result == AUTHZ_DENIED)
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf || (auth_result == AUTHZ_NEUTRAL)) {
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf auth_result = child_result;
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd child = child->next;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (section->negate) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (auth_result == AUTHZ_GRANTED) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd auth_result = AUTHZ_DENIED;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
18b5268e013574026b2503b1641baf3299045f45sf else if (auth_result == AUTHZ_DENIED ||
18b5268e013574026b2503b1641baf3299045f45sf auth_result == AUTHZ_DENIED_NO_USER) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd /* For negated directives, if the original result was denied
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd * then the new result is neutral since we can not grant
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd * access simply because authorization was not rejected.
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd auth_result = AUTHZ_NEUTRAL;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO(01626)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "authorization result of %s: %s",
5014faa85f522902d3326b3182d4b389cd520d9echrisd format_authz_command(r->pool, section),
5014faa85f522902d3326b3182d4b389cd520d9echrisd format_authz_result(auth_result));
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes return auth_result;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
18b5268e013574026b2503b1641baf3299045f45sfstatic int authorize_user_core(request_rec *r, int after_authn)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
5692bc05d2e606215730568e47bba1b9beabef99chrisd authz_core_dir_conf *conf;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes authz_status auth_result;
482ac4a7875bf582690164f70e868508c17f6b87bnicholes
5692bc05d2e606215730568e47bba1b9beabef99chrisd conf = ap_get_module_config(r->per_dir_config, &authz_core_module);
5692bc05d2e606215730568e47bba1b9beabef99chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (!conf->section) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (ap_auth_type(r)) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd /* there's an AuthType configured, but no authorization
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd * directives applied to support it
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01627)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "AuthType configured with no corresponding "
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "authorization directives");
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return HTTP_INTERNAL_SERVER_ERROR;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO(01628)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "authorization result: granted (no directives)");
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return OK;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd auth_result = apply_authz_sections(r, conf->section, AUTHZ_LOGIC_AND);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (auth_result == AUTHZ_GRANTED) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return OK;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
18b5268e013574026b2503b1641baf3299045f45sf else if (auth_result == AUTHZ_DENIED_NO_USER) {
18b5268e013574026b2503b1641baf3299045f45sf if (after_authn) {
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01629)
18b5268e013574026b2503b1641baf3299045f45sf "authorization failure (no authenticated user): %s",
18b5268e013574026b2503b1641baf3299045f45sf r->uri);
18b5268e013574026b2503b1641baf3299045f45sf /*
18b5268e013574026b2503b1641baf3299045f45sf * If we're returning 401 to an authenticated user, tell them to
18b5268e013574026b2503b1641baf3299045f45sf * try again. If unauthenticated, note_auth_failure has already
18b5268e013574026b2503b1641baf3299045f45sf * been called during auth.
18b5268e013574026b2503b1641baf3299045f45sf */
18b5268e013574026b2503b1641baf3299045f45sf if (r->user)
18b5268e013574026b2503b1641baf3299045f45sf ap_note_auth_failure(r);
18b5268e013574026b2503b1641baf3299045f45sf
18b5268e013574026b2503b1641baf3299045f45sf return HTTP_UNAUTHORIZED;
18b5268e013574026b2503b1641baf3299045f45sf }
18b5268e013574026b2503b1641baf3299045f45sf else {
18b5268e013574026b2503b1641baf3299045f45sf /*
18b5268e013574026b2503b1641baf3299045f45sf * We need a user before we can decide what to do.
18b5268e013574026b2503b1641baf3299045f45sf * Get out of the way and proceed with authentication.
18b5268e013574026b2503b1641baf3299045f45sf */
18b5268e013574026b2503b1641baf3299045f45sf return DECLINED;
18b5268e013574026b2503b1641baf3299045f45sf }
18b5268e013574026b2503b1641baf3299045f45sf }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else if (auth_result == AUTHZ_DENIED || auth_result == AUTHZ_NEUTRAL) {
18b5268e013574026b2503b1641baf3299045f45sf if (!after_authn || ap_auth_type(r) == NULL) {
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01630)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "client denied by server configuration: %s%s",
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd r->filename ? "" : "uri ",
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd r->filename ? r->filename : r->uri);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return HTTP_FORBIDDEN;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01631)
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd "user %s: authorization failure for \"%s\": ",
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd r->user, r->uri);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf if (conf->authz_forbidden_on_fail > 0) {
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf return HTTP_FORBIDDEN;
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf }
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf else {
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf /*
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf * If we're returning 401 to an authenticated user, tell them to
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf * try again. If unauthenticated, note_auth_failure has already
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf * been called during auth.
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf */
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf if (r->user)
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf ap_note_auth_failure(r);
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf return HTTP_UNAUTHORIZED;
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd else {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd /* We'll assume that the module has already said what its
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd * error was in the logs.
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd */
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return HTTP_INTERNAL_SERVER_ERROR;
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
18b5268e013574026b2503b1641baf3299045f45sfstatic int authorize_userless(request_rec *r)
18b5268e013574026b2503b1641baf3299045f45sf{
18b5268e013574026b2503b1641baf3299045f45sf return authorize_user_core(r, 0);
18b5268e013574026b2503b1641baf3299045f45sf}
18b5268e013574026b2503b1641baf3299045f45sf
18b5268e013574026b2503b1641baf3299045f45sfstatic int authorize_user(request_rec *r)
18b5268e013574026b2503b1641baf3299045f45sf{
18b5268e013574026b2503b1641baf3299045f45sf return authorize_user_core(r, 1);
18b5268e013574026b2503b1641baf3299045f45sf}
18b5268e013574026b2503b1641baf3299045f45sf
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholesstatic int authz_some_auth_required(request_rec *r)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
5692bc05d2e606215730568e47bba1b9beabef99chrisd authz_core_dir_conf *conf;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
5692bc05d2e606215730568e47bba1b9beabef99chrisd conf = ap_get_module_config(r->per_dir_config, &authz_core_module);
5692bc05d2e606215730568e47bba1b9beabef99chrisd
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd if (conf->section
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd && (conf->section->limited & (AP_METHOD_BIT << r->method_number))) {
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd return 1;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes }
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
d507f8c93e58b2c65925ef42b70eab268a1cbbfechrisd return 0;
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
05b30ac536cfc100ad693b417efc3da2bfae546csf/*
05b30ac536cfc100ad693b417efc3da2bfae546csf * env authz provider
05b30ac536cfc100ad693b417efc3da2bfae546csf */
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csfstatic authz_status env_check_authorization(request_rec *r,
05b30ac536cfc100ad693b417efc3da2bfae546csf const char *require_line,
05b30ac536cfc100ad693b417efc3da2bfae546csf const void *parsed_require_line)
05b30ac536cfc100ad693b417efc3da2bfae546csf{
05b30ac536cfc100ad693b417efc3da2bfae546csf const char *t, *w;
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf /* The 'env' provider will allow the configuration to specify a list of
05b30ac536cfc100ad693b417efc3da2bfae546csf env variables to check rather than a single variable. This is different
05b30ac536cfc100ad693b417efc3da2bfae546csf from the previous host based syntax. */
05b30ac536cfc100ad693b417efc3da2bfae546csf t = require_line;
05b30ac536cfc100ad693b417efc3da2bfae546csf while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
05b30ac536cfc100ad693b417efc3da2bfae546csf if (apr_table_get(r->subprocess_env, w)) {
05b30ac536cfc100ad693b417efc3da2bfae546csf return AUTHZ_GRANTED;
05b30ac536cfc100ad693b417efc3da2bfae546csf }
05b30ac536cfc100ad693b417efc3da2bfae546csf }
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf return AUTHZ_DENIED;
05b30ac536cfc100ad693b417efc3da2bfae546csf}
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csfstatic const authz_provider authz_env_provider =
05b30ac536cfc100ad693b417efc3da2bfae546csf{
05b30ac536cfc100ad693b417efc3da2bfae546csf &env_check_authorization,
05b30ac536cfc100ad693b417efc3da2bfae546csf NULL,
05b30ac536cfc100ad693b417efc3da2bfae546csf};
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf/*
05b30ac536cfc100ad693b417efc3da2bfae546csf * all authz provider
05b30ac536cfc100ad693b417efc3da2bfae546csf */
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csfstatic authz_status all_check_authorization(request_rec *r,
05b30ac536cfc100ad693b417efc3da2bfae546csf const char *require_line,
05b30ac536cfc100ad693b417efc3da2bfae546csf const void *parsed_require_line)
05b30ac536cfc100ad693b417efc3da2bfae546csf{
05b30ac536cfc100ad693b417efc3da2bfae546csf if (parsed_require_line) {
05b30ac536cfc100ad693b417efc3da2bfae546csf return AUTHZ_GRANTED;
05b30ac536cfc100ad693b417efc3da2bfae546csf }
05b30ac536cfc100ad693b417efc3da2bfae546csf return AUTHZ_DENIED;
05b30ac536cfc100ad693b417efc3da2bfae546csf}
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csfstatic const char *all_parse_config(cmd_parms *cmd, const char *require_line,
05b30ac536cfc100ad693b417efc3da2bfae546csf const void **parsed_require_line)
05b30ac536cfc100ad693b417efc3da2bfae546csf{
05b30ac536cfc100ad693b417efc3da2bfae546csf /*
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim * If the argument to the 'all' provider is 'granted' then just let
05b30ac536cfc100ad693b417efc3da2bfae546csf * everybody in. This would be equivalent to the previous syntax of
05b30ac536cfc100ad693b417efc3da2bfae546csf * 'allow from all'. If the argument is 'denied' we reject everbody,
05b30ac536cfc100ad693b417efc3da2bfae546csf * which is equivalent to 'deny from all'.
05b30ac536cfc100ad693b417efc3da2bfae546csf */
05b30ac536cfc100ad693b417efc3da2bfae546csf if (strcasecmp(require_line, "granted") == 0) {
05b30ac536cfc100ad693b417efc3da2bfae546csf *parsed_require_line = (void *)1;
05b30ac536cfc100ad693b417efc3da2bfae546csf return NULL;
05b30ac536cfc100ad693b417efc3da2bfae546csf }
05b30ac536cfc100ad693b417efc3da2bfae546csf else if (strcasecmp(require_line, "denied") == 0) {
05b30ac536cfc100ad693b417efc3da2bfae546csf /* *parsed_require_line is already NULL */
05b30ac536cfc100ad693b417efc3da2bfae546csf return NULL;
05b30ac536cfc100ad693b417efc3da2bfae546csf }
05b30ac536cfc100ad693b417efc3da2bfae546csf else {
05b30ac536cfc100ad693b417efc3da2bfae546csf return "Argument for 'Require all' must be 'granted' or 'denied'";
05b30ac536cfc100ad693b417efc3da2bfae546csf }
05b30ac536cfc100ad693b417efc3da2bfae546csf}
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csfstatic const authz_provider authz_all_provider =
05b30ac536cfc100ad693b417efc3da2bfae546csf{
05b30ac536cfc100ad693b417efc3da2bfae546csf &all_check_authorization,
05b30ac536cfc100ad693b417efc3da2bfae546csf &all_parse_config,
05b30ac536cfc100ad693b417efc3da2bfae546csf};
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf/*
05b30ac536cfc100ad693b417efc3da2bfae546csf * method authz provider
05b30ac536cfc100ad693b417efc3da2bfae546csf */
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csfstatic authz_status method_check_authorization(request_rec *r,
05b30ac536cfc100ad693b417efc3da2bfae546csf const char *require_line,
05b30ac536cfc100ad693b417efc3da2bfae546csf const void *parsed_require_line)
05b30ac536cfc100ad693b417efc3da2bfae546csf{
05b30ac536cfc100ad693b417efc3da2bfae546csf const apr_int64_t *allowed = parsed_require_line;
05b30ac536cfc100ad693b417efc3da2bfae546csf if (*allowed & (AP_METHOD_BIT << r->method_number))
05b30ac536cfc100ad693b417efc3da2bfae546csf return AUTHZ_GRANTED;
05b30ac536cfc100ad693b417efc3da2bfae546csf else
05b30ac536cfc100ad693b417efc3da2bfae546csf return AUTHZ_DENIED;
05b30ac536cfc100ad693b417efc3da2bfae546csf}
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csfstatic const char *method_parse_config(cmd_parms *cmd, const char *require_line,
05b30ac536cfc100ad693b417efc3da2bfae546csf const void **parsed_require_line)
05b30ac536cfc100ad693b417efc3da2bfae546csf{
05b30ac536cfc100ad693b417efc3da2bfae546csf const char *w, *t;
05b30ac536cfc100ad693b417efc3da2bfae546csf apr_int64_t *allowed = apr_pcalloc(cmd->pool, sizeof(apr_int64_t));
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf t = require_line;
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf while ((w = ap_getword_conf(cmd->temp_pool, &t)) && w[0]) {
05b30ac536cfc100ad693b417efc3da2bfae546csf int m = ap_method_number_of(w);
05b30ac536cfc100ad693b417efc3da2bfae546csf if (m == M_INVALID) {
05b30ac536cfc100ad693b417efc3da2bfae546csf return apr_pstrcat(cmd->pool, "Invalid Method '", w, "'", NULL);
05b30ac536cfc100ad693b417efc3da2bfae546csf }
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf *allowed |= (AP_METHOD_BIT << m);
05b30ac536cfc100ad693b417efc3da2bfae546csf }
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf *parsed_require_line = allowed;
05b30ac536cfc100ad693b417efc3da2bfae546csf return NULL;
05b30ac536cfc100ad693b417efc3da2bfae546csf}
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csfstatic const authz_provider authz_method_provider =
05b30ac536cfc100ad693b417efc3da2bfae546csf{
05b30ac536cfc100ad693b417efc3da2bfae546csf &method_check_authorization,
05b30ac536cfc100ad693b417efc3da2bfae546csf &method_parse_config,
05b30ac536cfc100ad693b417efc3da2bfae546csf};
05b30ac536cfc100ad693b417efc3da2bfae546csf
4c21a9f062e187b87c9cec726023f0fc086008f2sf/*
4c21a9f062e187b87c9cec726023f0fc086008f2sf * expr authz provider
4c21a9f062e187b87c9cec726023f0fc086008f2sf */
4c21a9f062e187b87c9cec726023f0fc086008f2sf
4c21a9f062e187b87c9cec726023f0fc086008f2sf#define REQUIRE_EXPR_NOTE "Require_expr_info"
4c21a9f062e187b87c9cec726023f0fc086008f2sfstruct require_expr_info {
4c21a9f062e187b87c9cec726023f0fc086008f2sf ap_expr_info_t *expr;
4c21a9f062e187b87c9cec726023f0fc086008f2sf int want_user;
4c21a9f062e187b87c9cec726023f0fc086008f2sf};
4c21a9f062e187b87c9cec726023f0fc086008f2sf
4c21a9f062e187b87c9cec726023f0fc086008f2sfstatic int expr_lookup_fn(ap_expr_lookup_parms *parms)
4c21a9f062e187b87c9cec726023f0fc086008f2sf{
4c21a9f062e187b87c9cec726023f0fc086008f2sf if (parms->type == AP_EXPR_FUNC_VAR
4c21a9f062e187b87c9cec726023f0fc086008f2sf && strcasecmp(parms->name, "REMOTE_USER") == 0) {
4c21a9f062e187b87c9cec726023f0fc086008f2sf struct require_expr_info *info;
4c21a9f062e187b87c9cec726023f0fc086008f2sf apr_pool_userdata_get((void**)&info, REQUIRE_EXPR_NOTE, parms->ptemp);
4c21a9f062e187b87c9cec726023f0fc086008f2sf AP_DEBUG_ASSERT(info != NULL);
4c21a9f062e187b87c9cec726023f0fc086008f2sf info->want_user = 1;
4c21a9f062e187b87c9cec726023f0fc086008f2sf }
4c21a9f062e187b87c9cec726023f0fc086008f2sf return ap_expr_lookup_default(parms);
4c21a9f062e187b87c9cec726023f0fc086008f2sf}
4c21a9f062e187b87c9cec726023f0fc086008f2sf
4c21a9f062e187b87c9cec726023f0fc086008f2sfstatic const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
4c21a9f062e187b87c9cec726023f0fc086008f2sf const void **parsed_require_line)
4c21a9f062e187b87c9cec726023f0fc086008f2sf{
4c21a9f062e187b87c9cec726023f0fc086008f2sf const char *expr_err = NULL;
4c21a9f062e187b87c9cec726023f0fc086008f2sf struct require_expr_info *info = apr_pcalloc(cmd->pool, sizeof(*info));
4c21a9f062e187b87c9cec726023f0fc086008f2sf
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser /* if the expression happens to be surrounded by quotes, skip them */
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser if (require_line[0] == '"') {
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser apr_size_t len = strlen(require_line);
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser if (require_line[len-1] == '"')
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser require_line = apr_pstrndup(cmd->temp_pool,
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser require_line + 1,
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser len - 2);
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser }
b9eb3442f3eef36ef7232fd107ba1890d94e3352breser
4c21a9f062e187b87c9cec726023f0fc086008f2sf apr_pool_userdata_setn(info, REQUIRE_EXPR_NOTE, apr_pool_cleanup_null,
4c21a9f062e187b87c9cec726023f0fc086008f2sf cmd->temp_pool);
4c21a9f062e187b87c9cec726023f0fc086008f2sf info->expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
4c21a9f062e187b87c9cec726023f0fc086008f2sf expr_lookup_fn);
4c21a9f062e187b87c9cec726023f0fc086008f2sf
4c21a9f062e187b87c9cec726023f0fc086008f2sf if (expr_err)
09833366b4d9b23dcd680676820c227a7cb470c9sf return apr_pstrcat(cmd->temp_pool,
09833366b4d9b23dcd680676820c227a7cb470c9sf "Cannot parse expression in require line: ",
09833366b4d9b23dcd680676820c227a7cb470c9sf expr_err, NULL);
4c21a9f062e187b87c9cec726023f0fc086008f2sf
4c21a9f062e187b87c9cec726023f0fc086008f2sf *parsed_require_line = info;
4c21a9f062e187b87c9cec726023f0fc086008f2sf
4c21a9f062e187b87c9cec726023f0fc086008f2sf return NULL;
4c21a9f062e187b87c9cec726023f0fc086008f2sf}
4c21a9f062e187b87c9cec726023f0fc086008f2sf
feaca656b298a47325760932c0fbc74600550bcdsfstatic authz_status expr_check_authorization(request_rec *r,
feaca656b298a47325760932c0fbc74600550bcdsf const char *require_line,
feaca656b298a47325760932c0fbc74600550bcdsf const void *parsed_require_line)
feaca656b298a47325760932c0fbc74600550bcdsf{
8fae12696bce44be9ce4c56888690cad8ac7b8f9sf const char *err = NULL;
4c21a9f062e187b87c9cec726023f0fc086008f2sf const struct require_expr_info *info = parsed_require_line;
4c21a9f062e187b87c9cec726023f0fc086008f2sf int rc = ap_expr_exec(r, info->expr, &err);
feaca656b298a47325760932c0fbc74600550bcdsf
81190529a026a31d7d7a707616f20620d3c3673bsf if (rc < 0) {
81190529a026a31d7d7a707616f20620d3c3673bsf ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02320)
81190529a026a31d7d7a707616f20620d3c3673bsf "Error evaluating expression in 'Require expr': %s",
81190529a026a31d7d7a707616f20620d3c3673bsf err);
81190529a026a31d7d7a707616f20620d3c3673bsf return AUTHZ_GENERAL_ERROR;
81190529a026a31d7d7a707616f20620d3c3673bsf }
81190529a026a31d7d7a707616f20620d3c3673bsf else if (rc == 0) {
4c21a9f062e187b87c9cec726023f0fc086008f2sf if (info->want_user)
4c21a9f062e187b87c9cec726023f0fc086008f2sf return AUTHZ_DENIED_NO_USER;
4c21a9f062e187b87c9cec726023f0fc086008f2sf else
4c21a9f062e187b87c9cec726023f0fc086008f2sf return AUTHZ_DENIED;
81190529a026a31d7d7a707616f20620d3c3673bsf }
81190529a026a31d7d7a707616f20620d3c3673bsf else {
8fae12696bce44be9ce4c56888690cad8ac7b8f9sf return AUTHZ_GRANTED;
81190529a026a31d7d7a707616f20620d3c3673bsf }
feaca656b298a47325760932c0fbc74600550bcdsf}
feaca656b298a47325760932c0fbc74600550bcdsf
feaca656b298a47325760932c0fbc74600550bcdsfstatic const authz_provider authz_expr_provider =
feaca656b298a47325760932c0fbc74600550bcdsf{
feaca656b298a47325760932c0fbc74600550bcdsf &expr_check_authorization,
feaca656b298a47325760932c0fbc74600550bcdsf &expr_parse_config,
feaca656b298a47325760932c0fbc74600550bcdsf};
feaca656b298a47325760932c0fbc74600550bcdsf
05b30ac536cfc100ad693b417efc3da2bfae546csf
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholesstatic void register_hooks(apr_pool_t *p)
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes APR_REGISTER_OPTIONAL_FN(authz_some_auth_required);
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd ap_hook_pre_config(authz_core_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd ap_hook_check_config(authz_core_check_config, NULL, NULL, APR_HOOK_MIDDLE);
809ec9d7cc8bc12d7dc6fafba24f3acad3e49d81chrisd ap_hook_check_authz(authorize_user, NULL, NULL, APR_HOOK_LAST,
a72211e92bab814bfa28ee086ca9b2a1a6095c92chrisd AP_AUTH_INTERNAL_PER_CONF);
18b5268e013574026b2503b1641baf3299045f45sf ap_hook_check_access_ex(authorize_userless, NULL, NULL, APR_HOOK_LAST,
18b5268e013574026b2503b1641baf3299045f45sf AP_AUTH_INTERNAL_PER_CONF);
05b30ac536cfc100ad693b417efc3da2bfae546csf
05b30ac536cfc100ad693b417efc3da2bfae546csf ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "env",
05b30ac536cfc100ad693b417efc3da2bfae546csf AUTHZ_PROVIDER_VERSION,
05b30ac536cfc100ad693b417efc3da2bfae546csf &authz_env_provider, AP_AUTH_INTERNAL_PER_CONF);
05b30ac536cfc100ad693b417efc3da2bfae546csf ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "all",
05b30ac536cfc100ad693b417efc3da2bfae546csf AUTHZ_PROVIDER_VERSION,
05b30ac536cfc100ad693b417efc3da2bfae546csf &authz_all_provider, AP_AUTH_INTERNAL_PER_CONF);
05b30ac536cfc100ad693b417efc3da2bfae546csf ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "method",
05b30ac536cfc100ad693b417efc3da2bfae546csf AUTHZ_PROVIDER_VERSION,
05b30ac536cfc100ad693b417efc3da2bfae546csf &authz_method_provider, AP_AUTH_INTERNAL_PER_CONF);
feaca656b298a47325760932c0fbc74600550bcdsf ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "expr",
feaca656b298a47325760932c0fbc74600550bcdsf AUTHZ_PROVIDER_VERSION,
feaca656b298a47325760932c0fbc74600550bcdsf &authz_expr_provider, AP_AUTH_INTERNAL_PER_CONF);
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
36ef8f77bffe75d1aa327882be1b5bdbe2ff567asfAP_DECLARE_MODULE(authz_core) =
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes{
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes STANDARD20_MODULE_STUFF,
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes create_authz_core_dir_config, /* dir config creater */
7871f87cd19d007e2cc8efe7480171343efda61abnicholes merge_authz_core_dir_config, /* dir merger */
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes create_authz_core_svr_config, /* server config */
b47fd7ec6545b9120660f1723f9d5c5624744f4ccovener merge_authz_core_svr_config , /* merge server config */
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes authz_cmds,
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes register_hooks /* register hooks */
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes};
95b1a32e3398084889f7d948477e02d5a3b9f9cachrisd