/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz#include "apr_strings.h"
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz#include "ap_config.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "ap_provider.h"
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz#include "httpd.h"
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz#include "http_config.h"
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz#include "http_core.h"
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz#include "http_log.h"
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz#include "http_protocol.h"
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz#include "http_request.h"
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes#include "mod_auth.h"
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
/*
 * Per-directory configuration record for this module.
 *
 * It carries no real settings: the only member is a placeholder so the
 * struct is not empty.
 */
typedef struct {
    int dummy;  /* placeholder only; keeps compilers from warning */
} authz_user_config_rec;
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz
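/**
 * Create the per-directory configuration record.
 *
 * @param p  pool the record is allocated from
 * @param d  unused by this function
 * @return   a zero-initialised authz_user_config_rec allocated from p
 *
 * The record is allocated with apr_pcalloc() rather than apr_palloc() so
 * that no member is ever handed out with an indeterminate value; reading
 * uninitialised pool memory would be undefined behaviour.
 */
static void *create_authz_user_dir_config(apr_pool_t *p, char *d)
{
    authz_user_config_rec *conf = apr_pcalloc(p, sizeof(*conf));

    return conf;
}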
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz
/* Directive table: only the terminating entry, so no directives are defined. */
static const command_rec authz_user_cmds[] = {
    { NULL }
};

/* Forward declaration of the module record. */
module AP_MODULE_DECLARE_DATA authz_user_module;
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz
/**
 * Authorization check behind the "user" provider: grant access when the
 * authenticated user name equals one of the names the Require expression
 * evaluates to.
 *
 * @param r                    current request; r->user is the name compared
 * @param require_args         raw Require arguments (not used here)
 * @param parsed_require_args  expression stored by user_parse_config()
 * @return AUTHZ_DENIED_NO_USER when r->user is not set, AUTHZ_GRANTED on a
 *         match, AUTHZ_DENIED when nothing matches or the expression cannot
 *         be evaluated
 *
 * Security notes:
 *  - The expression is evaluated on every request, so its result is the
 *    effective allow-list for that request.
 *    NOTE(review): if the configured expression draws on client-supplied
 *    request data, the client influences that list -- confirm the
 *    configurations in use only reference trusted values.
 *  - The match is an exact, case-sensitive strcmp(); names that differ only
 *    in case are treated as different users.
 *  - An evaluation error fails closed (AUTHZ_DENIED) and is logged at ERR.
 */
static authz_status user_check_authorization(request_rec *r,
                                             const char *require_args,
                                             const void *parsed_require_args)
{
    const ap_expr_info_t *parsed = parsed_require_args;
    const char *eval_err = NULL;
    const char *allowed;
    const char *cursor;
    const char *candidate;

    /* Without an authenticated user there is nothing to compare against. */
    if (r->user == NULL) {
        return AUTHZ_DENIED_NO_USER;
    }

    allowed = ap_expr_str_exec(r, parsed, &eval_err);
    if (eval_err != NULL) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02594)
                      "authz_user authorize: require user: Can't "
                      "evaluate require expression: %s", eval_err);
        return AUTHZ_DENIED;
    }

    /* Walk the evaluated string word by word until an empty word ends it. */
    cursor = allowed;
    for (;;) {
        candidate = ap_getword_conf(r->pool, &cursor);
        if (candidate == NULL || candidate[0] == '\0') {
            break;
        }
        if (strcmp(r->user, candidate) == 0) {
            return AUTHZ_GRANTED;
        }
    }

    /* No listed name matched; the denial is recorded at DEBUG level only. */
    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01663)
                  "access to %s failed, reason: user '%s' does not meet "
                  "'require'ments for user to be allowed access",
                  r->uri, r->user);

    return AUTHZ_DENIED;
}
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz
/**
 * Authorization check behind the "valid-user" provider: any request that
 * carries an authenticated user name is granted.
 *
 * @param r                    current request; only r->user is inspected
 * @param require_line         raw Require arguments (not used here)
 * @param parsed_require_line  parsed arguments (not used here)
 * @return AUTHZ_GRANTED when r->user is set, AUTHZ_DENIED_NO_USER otherwise
 *
 * The user name itself is never examined, so the strength of this check
 * rests entirely on whatever set r->user.
 */
static authz_status validuser_check_authorization(request_rec *r,
                                                  const char *require_line,
                                                  const void *parsed_require_line)
{
    return (r->user != NULL) ? AUTHZ_GRANTED : AUTHZ_DENIED_NO_USER;
}
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
/**
 * Parse the argument of a "Require user ..." line into a string-valued
 * expression, done once when the configuration is read.
 *
 * @param cmd                  directive context; cmd->temp_pool holds the
 *                             error message on failure
 * @param require_line         text of the Require arguments
 * @param parsed_require_line  out: receives the parsed expression on success
 * @return NULL on success, otherwise an error message describing why the
 *         expression could not be parsed
 *
 * On a parse error *parsed_require_line is left untouched.
 */
static const char *user_parse_config(cmd_parms *cmd, const char *require_line,
                                     const void **parsed_require_line)
{
    const char *parse_err = NULL;
    ap_expr_info_t *compiled;

    compiled = ap_expr_parse_cmd(cmd, require_line,
                                 AP_EXPR_FLAG_STRING_RESULT,
                                 &parse_err, NULL);

    if (parse_err == NULL) {
        *parsed_require_line = compiled;
        return NULL;
    }

    return apr_pstrcat(cmd->temp_pool,
                       "Cannot parse expression in require line: ",
                       parse_err, NULL);
}
194c1e226415b5f34251d249ffe2f8b96c835637minfrin
/*
 * Provider registered under the name "user": the check callback, followed
 * by the parser that turns the Require arguments into an expression.
 */
static const authz_provider authz_user_provider = {
    user_check_authorization,
    user_parse_config,
};

/*
 * Provider registered under the name "valid-user": its check ignores the
 * Require arguments, so no parser is supplied.
 */
static const authz_provider authz_validuser_provider = {
    validuser_check_authorization,
    NULL,
};
367d146f245f3b1c9f77c18e6ec591b52e0b344cbnicholes
/**
 * Register this module's two authorization providers, "user" and
 * "valid-user", in the authz provider group.
 *
 * @param p  pool handed to ap_register_auth_provider() for both registrations
 */
static void register_hooks(apr_pool_t *p)
{
    /* "Require user ..." */
    ap_register_auth_provider(p,
                              AUTHZ_PROVIDER_GROUP,
                              "user",
                              AUTHZ_PROVIDER_VERSION,
                              &authz_user_provider,
                              AP_AUTH_INTERNAL_PER_CONF);

    /* "Require valid-user" */
    ap_register_auth_provider(p,
                              AUTHZ_PROVIDER_GROUP,
                              "valid-user",
                              AUTHZ_PROVIDER_VERSION,
                              &authz_validuser_provider,
                              AP_AUTH_INTERNAL_PER_CONF);
}
b4a287513d176e4355dd56ea47b27228e0e5d75fjerenkrantz
/* Module record: a per-directory config creator, an empty directive table
 * and the hook registration routine; every other slot is left NULL. */
AP_DECLARE_MODULE(authz_user) = {
    STANDARD20_MODULE_STUFF,
    create_authz_user_dir_config,   /* per-directory config creator */
    NULL,                           /* dir merger --- default is to override */
    NULL,                           /* server config */
    NULL,                           /* merge server config */
    authz_user_cmds,                /* command apr_table_t */
    register_hooks                  /* register hooks */
};