mod_authz_dbm.c revision 769ee2c1f743a4a5106253c2841df8dfe3deeab9
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek/* ====================================================================
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * The Apache Software License, Version 1.1
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * Copyright (c) 2000-2002 The Apache Software Foundation. All rights
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * Redistribution and use in source and binary forms, with or without
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * modification, are permitted provided that the following conditions
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * 1. Redistributions of source code must retain the above copyright
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * notice, this list of conditions and the following disclaimer.
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * 2. Redistributions in binary form must reproduce the above copyright
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * notice, this list of conditions and the following disclaimer in
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * the documentation and/or other materials provided with the
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * 3. The end-user documentation included with the redistribution,
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * if any, must include the following acknowledgment:
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * "This product includes software developed by the
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * Apache Software Foundation (http://www.apache.org/)."
19887cd06a3af2f045e763986eda19e208bd3f85Zbigniew Jędrzejewski-Szmek * Alternately, this acknowledgment may appear in the software itself,
21ac6ff143cc8bebfbd1818af28e8c6f82cd5265Zbigniew Jędrzejewski-Szmek * if and wherever such third-party acknowledgments normally appear.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * 4. The names "Apache" and "Apache Software Foundation" must
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * not be used to endorse or promote products derived from this
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * software without prior written permission. For written
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * permission, please contact apache@apache.org.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * 5. Products derived from this software may not be called "Apache",
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * nor may "Apache" appear in their name, without prior written
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * permission of the Apache Software Foundation.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * ====================================================================
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * This software consists of voluntary contributions made by many
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * individuals on behalf of the Apache Software Foundation. For more
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * information on the Apache Software Foundation, please see
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * Portions of this software are based upon public domain software
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * originally written at the National Center for Supercomputing Applications,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * University of Illinois, Urbana-Champaign.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * http_auth: authentication
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * Rob McCool & Brian Behlendorf.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * Adapted to Apache by rst.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * dirkx - Added Authoritative control to allow passing on to lower
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * modules if and only if the userid is not known to this
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * module. A known user with a faulty or absent password still
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * causes an AuthRequired. The default is 'Authoritative', i.e.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * no control is passed along.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#include "http_request.h" /* for ap_hook_(check_user_id | auth_checker)*/
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* This should go into APR; perhaps with some nice
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * caching/locking/flocking of the open dbm file.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t get_dbm_entry_as_str(request_rec *r, char *user,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek char *auth_dbmfile, char *dbtype,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek retval = apr_dbm_open_ex(&f, dbtype, auth_dbmfile, APR_DBM_READONLY,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek if (apr_dbm_fetch(f, q, &d) == APR_SUCCESS && d.dptr) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek *str = apr_pstrmemdup(r->pool, d.dptr, d.dsize);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic void *create_authz_dbm_dir_config(apr_pool_t *p, char *d)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek authz_dbm_config_rec *conf = apr_palloc(p, sizeof(*conf));
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek conf->authoritative = 1; /* fortress is secure by default */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic const command_rec authz_dbm_cmds[] =
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek AP_INIT_TAKE1("AuthDBMGroupFile", ap_set_file_slot,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek (void *)APR_OFFSETOF(authz_dbm_config_rec, grpfile),
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek OR_AUTHCFG, "database file containing group names and member user IDs"),
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek AP_INIT_TAKE1("AuthzDBMType", ap_set_string_slot,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek (void *)APR_OFFSETOF(authz_dbm_config_rec, dbmtype),
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek OR_AUTHCFG, "what type of DBM file the group file is"),
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek AP_INIT_FLAG("AuthzDBMAuthoritative", ap_set_flag_slot,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek (void *)APR_OFFSETOF(authz_dbm_config_rec, authoritative),
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek OR_AUTHCFG, "Set to 'Off' to allow access control to be passed along to "
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "lower modules, if the group required is not found or empty, or the user "
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek " is not in the required groups. (default is On.)"),
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekmodule AP_MODULE_DECLARE_DATA authz_dbm_module;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* We do something strange with the group file. If the group file
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * contains any : we assume the format is
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * key=username value=":"groupname [":"anything here is ignored]
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * otherwise we now (0.8.14+) assume that the format is
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * key=username value=groupname
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * The first allows the password and group files to be the same
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * physical DBM file; key=username value=password":"groupname[":"anything]
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * mark@telescope.org, 22Sep95
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t get_dbm_grp(request_rec *r, char *user, char *dbmgrpfile,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek char *dbtype, const char ** out)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek apr_status_t status = get_dbm_entry_as_str(r, user, dbmgrpfile,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek if ((grp_colon = strchr(grp_data, ':')) != NULL) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek grp_colon2 = strchr(++grp_colon, ':');
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* Checking ID */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic int dbm_check_auth(request_rec *r)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek const apr_array_header_t *reqs_arr = ap_requires(r);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
6e9efa59209d48fc69a456fbadb2b5c113f503a6Lennart Poettering if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek w = ap_getword_white(r->pool, &t);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek const char *orig_groups, *groups;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek status = get_dbm_grp(r, user, conf->grpfile, conf->dbmtype,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "could not open dbm (type %s) group access file: %s",
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek return HTTP_INTERNAL_SERVER_ERROR;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "user %s not in DBM group file %s: %s",
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek user, conf->grpfile, r->filename);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek w = ap_getword_white(r->pool, &t);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek v = ap_getword(r->pool, &groups, ',');
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "user %s not in right group: %s",
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic void register_hooks(apr_pool_t *p)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_hook_auth_checker(dbm_check_auth, NULL, NULL, APR_HOOK_MIDDLE);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekmodule AP_MODULE_DECLARE_DATA authz_dbm_module =
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek create_authz_dbm_dir_config, /* dir config creater */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek NULL, /* dir merger --- default is to override */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek authz_dbm_cmds, /* command apr_table_t */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek register_hooks /* register hooks */