mod_authz_dbd.c revision 0cf25f370efc889c01f7028bdfc8204b17aa4ce4
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim/* Licensed to the Apache Software Foundation (ASF) under one or more
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * contributor license agreements. See the NOTICE file distributed with
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * this work for additional information regarding copyright ownership.
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * The ASF licenses this file to You under the Apache License, Version 2.0
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * (the "License"); you may not use this file except in compliance with
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * the License. You may obtain a copy of the License at
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * Unless required by applicable law or agreed to in writing, software
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * distributed under the License is distributed on an "AS IS" BASIS,
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * See the License for the specific language governing permissions and
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * limitations under the License.
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim/* Export a hook for modules that manage clientside sessions
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick * (e.g. mod_auth_cookie)
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim * to deal with those when we successfully login/logout at the server
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick * XXX: WHY would this be specific to dbd_authz? Why wouldn't we track
0c32a43de97332a10a45ca4213339132dd4a3844trawick * this across all authz user providers in a lower level mod, such as
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickAPR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(authz_dbd, AUTHZ_DBD, int, client_login,
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jimtypedef struct {
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim const char *query;
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim const char *redir_query;
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jimstatic void (*dbd_prepare)(server_rec*, const char*, const char*) = NULL;
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jimstatic void *authz_dbd_cr_cfg(apr_pool_t *pool, char *dummy)
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim authz_dbd_cfg *ret = apr_pcalloc(pool, sizeof(authz_dbd_cfg));
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD)
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim authz_dbd_cfg *ret = apr_palloc(pool, sizeof(authz_dbd_cfg));
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim ret->query = (add->query == NULL) ? base->query : add->query;
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim ret->redirect = (add->redirect == -1) ? base->redirect : add->redirect;
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jimstatic const char *authz_dbd_prepare(cmd_parms *cmd, void *cfg,
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim const char *query)
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim static unsigned int label_num = 0;
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim const char *err = ap_check_cmd_context(cmd, NOT_IN_HTACCESS);
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim return "You must load mod_dbd to enable AuthzDBD functions";
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim label = apr_psprintf(cmd->pool, "authz_dbd_%d", ++label_num);
f8aafb8bd93472f7da5a7c158958ee09e4176c8etrawick /* save the label here for our own use */
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim AP_INIT_FLAG("AuthzDBDLoginToReferer", ap_set_flag_slot,
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim (void*)APR_OFFSETOF(authz_dbd_cfg, redirect), ACCESS_CONF,
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim "Whether to redirect to referer on successful login"),
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim "SQL query for DBD Authz or login"),
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim AP_INIT_TAKE1("AuthzDBDRedirectQuery", authz_dbd_prepare,
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim (void*)APR_OFFSETOF(authz_dbd_cfg, redir_query), ACCESS_CONF,
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim "SQL query to get per-user redirect URL after login"),
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jimstatic int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg,
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim const char *action)
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim const char *message;
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01642)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01643)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick rv = apr_dbd_pvquery(dbd->driver, r->pool, dbd->handle, &nrows,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick if (rv == 0) {
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01644)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "authz_dbd: %s of user %s updated %d rows",
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick message = apr_dbd_error(dbd->driver, dbd->handle, rv);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01645)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "authz_dbd: query for %s failed; user %s [%s]",
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick query = apr_hash_get(dbd->prepared, cfg->redir_query,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01646)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "authz_dbd: no redirect query!");
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick /* OK, this is non-critical; we can just not-redirect */
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick else if ((rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick if (rv != 0) {
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick message = apr_dbd_error(dbd->driver, dbd->handle, rv);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01647)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "authz_dbd in get_row; action=%s user=%s [%s]",
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick /* we can't break out here or row won't get cleaned up */
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick message = apr_dbd_error(dbd->driver, dbd->handle, rv);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01648)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "authz_dbd/redirect for %s of %s [%s]",
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick apr_table_set(r->err_headers_out, "Location", newuri);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick /* SELECT group FROM authz WHERE user = %s */
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick const char *message;
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick const char **group;
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01649)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "No query configured for dbd-group!");
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01650)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "Error retrieving query for dbd-group!");
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick if (rv == 0) {
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick if (rv == 0) {
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick message = apr_dbd_error(dbd->driver, dbd->handle, rv);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01651)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "authz_dbd in get_row; group query for user=%s [%s]",
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick message = apr_dbd_error(dbd->driver, dbd->handle, rv);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01652)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "authz_dbd, in groups query for %s [%s]",
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic authz_status dbdgroup_check_authorization(request_rec *r,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick const char *w;
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick const char *require;
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick const char *t;
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick groups = apr_array_make(r->pool, 4, sizeof(const char*));
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02590)
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "authz_dbd authorize: require dbd-group: Can't "
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick while (t[0]) {
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic authz_status dbdlogin_check_authorization(request_rec *r,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick return (authz_dbd_login(r, cfg, "login") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic authz_status dbdlogout_check_authorization(request_rec *r,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick return (authz_dbd_login(r, cfg, "logout") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic const char *dbd_parse_config(cmd_parms *cmd, const char *require_line,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr));
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick "Cannot parse expression in require line: ",
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic const authz_provider authz_dbdgroup_provider =
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic const authz_provider authz_dbdlogin_provider =
11f2c481e1d57bedb3f758565307501e9a2730ddtrawickstatic const authz_provider authz_dbdlogout_provider =
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-group",
11f2c481e1d57bedb3f758565307501e9a2730ddtrawick ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-login",