1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /*
18 * Security options etc.
19 *
20 * Module derived from code originally written by Rob McCool
21 *
22 */
23
24 #include "apr_strings.h"
25 #include "apr_network_io.h"
26 #define APR_WANT_STRFUNC
27 #define APR_WANT_BYTEFUNC
28 #include "apr_want.h"
29
30 #include "ap_config.h"
31 #include "httpd.h"
32 #include "http_config.h"
33 #include "http_core.h"
34 #include "http_log.h"
35 #include "http_request.h"
36 #include "http_protocol.h"
37 #include "ap_provider.h"
38
39 #include "mod_auth.h"
40
41 #if APR_HAVE_NETINET_IN_H
42 #include <netinet/in.h>
43 #endif
44
45 /* TODO List
46
47 - Track down all of the references to r->ap_auth_type
48 and change them to ap_auth_type()
49 - Remove ap_auth_type and ap_auth_name from the
50 request_rec
51
52 */
53
54 typedef struct {
55 const char *ap_auth_type;
56 int auth_type_set;
57 const char *ap_auth_name;
58 } authn_core_dir_conf;
59
60 typedef struct provider_alias_rec {
61 char *provider_name;
62 char *provider_alias;
63 ap_conf_vector_t *sec_auth;
64 const authn_provider *provider;
65 } provider_alias_rec;
66
67 typedef struct authn_alias_srv_conf {
68 apr_hash_t *alias_rec;
69 } authn_alias_srv_conf;
70
71
72 module AP_MODULE_DECLARE_DATA authn_core_module;
73
create_authn_core_dir_config(apr_pool_t * p,char * dummy)74 static void *create_authn_core_dir_config(apr_pool_t *p, char *dummy)
75 {
76 authn_core_dir_conf *conf =
77 (authn_core_dir_conf *)apr_pcalloc(p, sizeof(authn_core_dir_conf));
78
79 return (void *)conf;
80 }
81
merge_authn_core_dir_config(apr_pool_t * a,void * basev,void * newv)82 static void *merge_authn_core_dir_config(apr_pool_t *a, void *basev, void *newv)
83 {
84 authn_core_dir_conf *base = (authn_core_dir_conf *)basev;
85 authn_core_dir_conf *new = (authn_core_dir_conf *)newv;
86 authn_core_dir_conf *conf =
87 (authn_core_dir_conf *)apr_pcalloc(a, sizeof(authn_core_dir_conf));
88
89 if (new->auth_type_set) {
90 conf->ap_auth_type = new->ap_auth_type;
91 conf->auth_type_set = 1;
92 }
93 else {
94 conf->ap_auth_type = base->ap_auth_type;
95 conf->auth_type_set = base->auth_type_set;
96 }
97
98 if (new->ap_auth_name) {
99 conf->ap_auth_name = new->ap_auth_name;
100 } else {
101 conf->ap_auth_name = base->ap_auth_name;
102 }
103
104 return (void*)conf;
105 }
106
authn_alias_check_password(request_rec * r,const char * user,const char * password)107 static authn_status authn_alias_check_password(request_rec *r, const char *user,
108 const char *password)
109 {
110 /* Look up the provider alias in the alias list */
111 /* Get the dir_config and call ap_Merge_per_dir_configs() */
112 /* Call the real provider->check_password() function */
113 /* return the result of the above function call */
114
115 const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);
116 authn_status ret = AUTH_USER_NOT_FOUND;
117 authn_alias_srv_conf *authcfg =
118 (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
119 &authn_core_module);
120
121 if (provider_name) {
122 provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
123 provider_name, APR_HASH_KEY_STRING);
124 ap_conf_vector_t *orig_dir_config = r->per_dir_config;
125
126 /* If we found the alias provider in the list, then merge the directory
127 configurations and call the real provider */
128 if (prvdraliasrec) {
129 r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config,
130 prvdraliasrec->sec_auth);
131 ret = prvdraliasrec->provider->check_password(r,user,password);
132 r->per_dir_config = orig_dir_config;
133 }
134 }
135
136 return ret;
137 }
138
authn_alias_get_realm_hash(request_rec * r,const char * user,const char * realm,char ** rethash)139 static authn_status authn_alias_get_realm_hash(request_rec *r, const char *user,
140 const char *realm, char **rethash)
141 {
142 /* Look up the provider alias in the alias list */
143 /* Get the dir_config and call ap_Merge_per_dir_configs() */
144 /* Call the real provider->get_realm_hash() function */
145 /* return the result of the above function call */
146
147 const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);
148 authn_status ret = AUTH_USER_NOT_FOUND;
149 authn_alias_srv_conf *authcfg =
150 (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
151 &authn_core_module);
152
153 if (provider_name) {
154 provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
155 provider_name, APR_HASH_KEY_STRING);
156 ap_conf_vector_t *orig_dir_config = r->per_dir_config;
157
158 /* If we found the alias provider in the list, then merge the directory
159 configurations and call the real provider */
160 if (prvdraliasrec) {
161 r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config,
162 prvdraliasrec->sec_auth);
163 ret = prvdraliasrec->provider->get_realm_hash(r,user,realm,rethash);
164 r->per_dir_config = orig_dir_config;
165 }
166 }
167
168 return ret;
169 }
170
create_authn_alias_svr_config(apr_pool_t * p,server_rec * s)171 static void *create_authn_alias_svr_config(apr_pool_t *p, server_rec *s)
172 {
173
174 authn_alias_srv_conf *authcfg;
175
176 authcfg = (authn_alias_srv_conf *) apr_pcalloc(p, sizeof(authn_alias_srv_conf));
177 authcfg->alias_rec = apr_hash_make(p);
178
179 return (void *) authcfg;
180 }
181
182 /* Only per-server directive we have is GLOBAL_ONLY */
merge_authn_alias_svr_config(apr_pool_t * p,void * basev,void * overridesv)183 static void *merge_authn_alias_svr_config(apr_pool_t *p, void *basev, void *overridesv)
184 {
185 return basev;
186 }
187
188 static const authn_provider authn_alias_provider =
189 {
190 &authn_alias_check_password,
191 &authn_alias_get_realm_hash,
192 };
193
194 static const authn_provider authn_alias_provider_nodigest =
195 {
196 &authn_alias_check_password,
197 NULL,
198 };
199
authaliassection(cmd_parms * cmd,void * mconfig,const char * arg)200 static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *arg)
201 {
202 const char *endp = ap_strrchr_c(arg, '>');
203 const char *args;
204 char *provider_alias;
205 char *provider_name;
206 int old_overrides = cmd->override;
207 const char *errmsg;
208 const authn_provider *provider = NULL;
209 ap_conf_vector_t *new_auth_config = ap_create_per_dir_config(cmd->pool);
210 authn_alias_srv_conf *authcfg =
211 (authn_alias_srv_conf *)ap_get_module_config(cmd->server->module_config,
212 &authn_core_module);
213
214 const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
215 if (err != NULL) {
216 return err;
217 }
218
219 if (endp == NULL) {
220 return apr_pstrcat(cmd->pool, cmd->cmd->name,
221 "> directive missing closing '>'", NULL);
222 }
223
224 args = apr_pstrndup(cmd->temp_pool, arg, endp - arg);
225
226 if (!args[0]) {
227 return apr_pstrcat(cmd->pool, cmd->cmd->name,
228 "> directive requires additional arguments", NULL);
229 }
230
231 /* Pull the real provider name and the alias name from the block header */
232 provider_name = ap_getword_conf(cmd->pool, &args);
233 provider_alias = ap_getword_conf(cmd->pool, &args);
234
235 if (!provider_name[0] || !provider_alias[0]) {
236 return apr_pstrcat(cmd->pool, cmd->cmd->name,
237 "> directive requires additional arguments", NULL);
238 }
239
240 if (strcasecmp(provider_name, provider_alias) == 0) {
241 return apr_pstrcat(cmd->pool,
242 "The alias provider name must be different from the base provider name.", NULL);
243 }
244
245 /* Look up the alias provider to make sure that it hasn't already been registered. */
246 provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_alias,
247 AUTHN_PROVIDER_VERSION);
248 if (provider) {
249 return apr_pstrcat(cmd->pool, "The alias provider ", provider_alias,
250 " has already be registered previously as either a base provider or an alias provider.",
251 NULL);
252 }
253
254 /* walk the subsection configuration to get the per_dir config that we will
255 merge just before the real provider is called. */
256 cmd->override = OR_AUTHCFG | ACCESS_CONF;
257 errmsg = ap_walk_config(cmd->directive->first_child, cmd, new_auth_config);
258 cmd->override = old_overrides;
259
260 if (!errmsg) {
261 provider_alias_rec *prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(provider_alias_rec));
262 provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_name,
263 AUTHN_PROVIDER_VERSION);
264
265 if (!provider) {
266 /* by the time they use it, the provider should be loaded and
267 registered with us. */
268 return apr_psprintf(cmd->pool,
269 "Unknown Authn provider: %s",
270 provider_name);
271 }
272
273 /* Save off the new directory config along with the original provider name
274 and function pointer data */
275 prvdraliasrec->sec_auth = new_auth_config;
276 prvdraliasrec->provider_name = provider_name;
277 prvdraliasrec->provider_alias = provider_alias;
278 prvdraliasrec->provider = provider;
279 apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec);
280
281 /* Register the fake provider so that we get called first */
282 ap_register_auth_provider(cmd->pool, AUTHN_PROVIDER_GROUP,
283 provider_alias, AUTHN_PROVIDER_VERSION,
284 provider->get_realm_hash ?
285 &authn_alias_provider :
286 &authn_alias_provider_nodigest,
287 AP_AUTH_INTERNAL_PER_CONF);
288 }
289
290 return errmsg;
291 }
292
293 /*
294 * Load an authorisation realm into our location configuration, applying the
295 * usual rules that apply to realms.
296 */
set_authname(cmd_parms * cmd,void * mconfig,const char * word1)297 static const char *set_authname(cmd_parms *cmd, void *mconfig,
298 const char *word1)
299 {
300 authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
301
302 aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1);
303 return NULL;
304 }
305
set_authtype(cmd_parms * cmd,void * mconfig,const char * word1)306 static const char *set_authtype(cmd_parms *cmd, void *mconfig,
307 const char *word1)
308 {
309 authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
310
311 aconfig->auth_type_set = 1;
312 aconfig->ap_auth_type = strcasecmp(word1, "None") ? word1 : NULL;
313
314 return NULL;
315 }
316
authn_ap_auth_type(request_rec * r)317 static const char *authn_ap_auth_type(request_rec *r)
318 {
319 authn_core_dir_conf *conf;
320
321 conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
322 &authn_core_module);
323
324 return conf->ap_auth_type;
325 }
326
authn_ap_auth_name(request_rec * r)327 static const char *authn_ap_auth_name(request_rec *r)
328 {
329 authn_core_dir_conf *conf;
330
331 conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
332 &authn_core_module);
333
334 return apr_pstrdup(r->pool, conf->ap_auth_name);
335 }
336
337 static const command_rec authn_cmds[] =
338 {
339 AP_INIT_TAKE1("AuthType", set_authtype, NULL, OR_AUTHCFG,
340 "an HTTP authorization type (e.g., \"Basic\")"),
341 AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG,
342 "the authentication realm (e.g. \"Members Only\")"),
343 AP_INIT_RAW_ARGS("<AuthnProviderAlias", authaliassection, NULL, RSRC_CONF,
344 "container for grouping an authentication provider's "
345 "directives under a provider alias"),
346 {NULL}
347 };
348
authenticate_no_user(request_rec * r)349 static int authenticate_no_user(request_rec *r)
350 {
351 /* if there isn't an AuthType, then assume that no authentication
352 is required so return OK */
353 if (!ap_auth_type(r)) {
354 return OK;
355 }
356
357 /* there's an AuthType configured, but no authentication module
358 * loaded to support it
359 */
360 ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(01796)
361 "AuthType %s configured without corresponding module",
362 ap_auth_type(r));
363
364 return HTTP_INTERNAL_SERVER_ERROR;
365 }
366
register_hooks(apr_pool_t * p)367 static void register_hooks(apr_pool_t *p)
368 {
369 APR_REGISTER_OPTIONAL_FN(authn_ap_auth_type);
370 APR_REGISTER_OPTIONAL_FN(authn_ap_auth_name);
371
372 ap_hook_check_authn(authenticate_no_user, NULL, NULL, APR_HOOK_LAST,
373 AP_AUTH_INTERNAL_PER_CONF);
374 }
375
376 AP_DECLARE_MODULE(authn_core) =
377 {
378 STANDARD20_MODULE_STUFF,
379 create_authn_core_dir_config, /* dir config creater */
380 merge_authn_core_dir_config, /* dir merger --- default is to override */
381 create_authn_alias_svr_config, /* server config */
382 merge_authn_alias_svr_config, /* merge server config */
383 authn_cmds,
384 register_hooks /* register hooks */
385 };
386
387