search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
enabled block processing properly.
[httpd-crcsyncproxy.git] / modules / aaa / mod_authz_dbd.c
blob42fdc0d4fcd1c939bc231310ebcfa45956add6dc
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "httpd.h"
18 #include "http_log.h"
19 #include "http_config.h"
20 #include "ap_provider.h"
21 #include "http_request.h"
22 #include "http_protocol.h"
23 #include "http_core.h"
24 #include "apr_dbd.h"
25 #include "mod_dbd.h"
26 #include "apr_strings.h"
27 #include "mod_authz_dbd.h"
28
29 #include "mod_auth.h"
30
31
32 module AP_MODULE_DECLARE_DATA authz_dbd_module;
33
34 /* Export a hook for modules that manage clientside sessions
35 * (e.g. mod_auth_cookie)
36 * to deal with those when we successfully login/logout at the server
37 *
38 * XXX: WHY would this be specific to dbd_authz? Why wouldn't we track
39 * this across all authz user providers in a lower level mod, such as
40 * mod_auth_basic/digest?
41 */
42 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(authz_dbd, AUTHZ_DBD, int, client_login,
43 (request_rec *r, int code, const char *action),
44 (r, code, action), OK, DECLINED)
45
46
47 typedef struct {
48 const char *query;
49 const char *redir_query;
50 int redirect;
51 } authz_dbd_cfg ;
52
53 static ap_dbd_t *(*dbd_handle)(request_rec*) = NULL;
54 static void (*dbd_prepare)(server_rec*, const char*, const char*) = NULL;
55
56 static const char *const noerror = "???";
57
58 static void *authz_dbd_cr_cfg(apr_pool_t *pool, char *dummy)
59 {
60 authz_dbd_cfg *ret = apr_pcalloc(pool, sizeof(authz_dbd_cfg));
61 ret->redirect = -1;
62 return ret;
63 }
64 static void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD)
65 {
66 authz_dbd_cfg *base = BASE;
67 authz_dbd_cfg *add = ADD;
68 authz_dbd_cfg *ret = apr_palloc(pool, sizeof(authz_dbd_cfg));
69
70 ret->query = (add->query == NULL) ? base->query : add->query;
71 ret->redir_query = (add->redir_query == NULL)
72 ? base->redir_query : add->redir_query;
73 ret->redirect = (add->redirect == -1) ? base->redirect : add->redirect;
74 return ret;
75 }
76 static const char *authz_dbd_prepare(cmd_parms *cmd, void *cfg,
77 const char *query)
78 {
79 static unsigned int label_num = 0;
80 char *label;
81
82 if (dbd_prepare == NULL) {
83 dbd_prepare = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_prepare);
84 if (dbd_prepare == NULL) {
85 return "You must load mod_dbd to enable AuthzDBD functions";
86 }
87 dbd_handle = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_acquire);
88 }
89 label = apr_psprintf(cmd->pool, "authz_dbd_%d", ++label_num);
90
91 dbd_prepare(cmd->server, query, label);
92
93 /* save the label here for our own use */
94 return ap_set_string_slot(cmd, cfg, label);
95 }
96 static const command_rec authz_dbd_cmds[] = {
97 AP_INIT_FLAG("AuthzDBDLoginToReferer", ap_set_flag_slot,
98 (void*)APR_OFFSETOF(authz_dbd_cfg, redirect), ACCESS_CONF,
99 "Whether to redirect to referer on successful login"),
100 AP_INIT_TAKE1("AuthzDBDQuery", authz_dbd_prepare,
101 (void*)APR_OFFSETOF(authz_dbd_cfg, query), ACCESS_CONF,
102 "SQL query for DBD Authz or login"),
103 AP_INIT_TAKE1("AuthzDBDRedirectQuery", authz_dbd_prepare,
104 (void*)APR_OFFSETOF(authz_dbd_cfg, redir_query), ACCESS_CONF,
105 "SQL query to get per-user redirect URL after login"),
106 {NULL}
107 };
108
109 static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg,
110 const char *action)
111 {
112 int rv;
113 const char *newuri = NULL;
114 int nrows;
115 const char *message;
116 ap_dbd_t *dbd = dbd_handle(r);
117 apr_dbd_prepared_t *query;
118 apr_dbd_results_t *res = NULL;
119 apr_dbd_row_t *row = NULL;
120
121 if (cfg->query == NULL) {
122 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
123 "No query configured for %s!", action);
124 return HTTP_INTERNAL_SERVER_ERROR;
125 }
126 query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING);
127 if (query == NULL) {
128 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
129 "Error retrieving Query for %s!", action);
130 return HTTP_INTERNAL_SERVER_ERROR;
131 }
132
133 rv = apr_dbd_pvquery(dbd->driver, r->pool, dbd->handle, &nrows,
134 query, r->user, NULL);
135 if (rv == 0) {
136 if (nrows != 1) {
137 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
138 "authz_dbd: %s of user %s updated %d rows",
139 action, r->user, nrows);
140 }
141 }
142 else {
143 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
144 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
145 "authz_dbd: query for %s failed; user %s [%s]",
146 action, r->user, message?message:noerror);
147 return HTTP_INTERNAL_SERVER_ERROR;
148 }
149
150 if (cfg->redirect == 1) {
151 newuri = apr_table_get(r->headers_in, "Referer");
152 }
153
154 if (!newuri && cfg->redir_query) {
155 query = apr_hash_get(dbd->prepared, cfg->redir_query,
156 APR_HASH_KEY_STRING);
157 if (query == NULL) {
158 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
159 "authz_dbd: no redirect query!");
160 /* OK, this is non-critical; we can just not-redirect */
161 }
162 else if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
163 query, 0, r->user, NULL) == 0) {
164 for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
165 rv != -1;
166 rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
167 if (rv != 0) {
168 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
169 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
170 "authz_dbd in get_row; action=%s user=%s [%s]",
171 action, r->user, message?message:noerror);
172 }
173 else if (newuri == NULL) {
174 newuri = apr_dbd_get_entry(dbd->driver, row, 0);
175 }
176 /* we can't break out here or row won't get cleaned up */
177 }
178 }
179 else {
180 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
181 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
182 "authz_dbd/redirect for %s of %s [%s]",
183 action, r->user, message?message:noerror);
184 }
185 }
186 if (newuri != NULL) {
187 r->status = HTTP_MOVED_TEMPORARILY;
188 apr_table_set(r->err_headers_out, "Location", newuri);
189 }
190 authz_dbd_run_client_login(r, OK, action);
191 return OK;
192 }
193
194 static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg,
195 apr_array_header_t *groups)
196 {
197 /* SELECT group FROM authz WHERE user = %s */
198 int rv;
199 const char *message;
200 ap_dbd_t *dbd = dbd_handle(r);
201 apr_dbd_prepared_t *query;
202 apr_dbd_results_t *res = NULL;
203 apr_dbd_row_t *row = NULL;
204 const char **group;
205
206 if (cfg->query == NULL) {
207 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
208 "No query configured for dbd-group!");
209 return HTTP_INTERNAL_SERVER_ERROR;
210 }
211 query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING);
212 if (query == NULL) {
213 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
214 "Error retrieving query for dbd-group!");
215 return HTTP_INTERNAL_SERVER_ERROR;
216 }
217 rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
218 query, 0, r->user, NULL);
219 if (rv == 0) {
220 for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
221 rv != -1;
222 rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
223 if (rv == 0) {
224 group = apr_array_push(groups);
225 *group = apr_dbd_get_entry(dbd->driver, row, 0);
226 }
227 else {
228 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
229 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
230 "authz_dbd in get_row; group query for user=%s [%s]",
231 r->user, message?message:noerror);
232 return HTTP_INTERNAL_SERVER_ERROR;
233 }
234 }
235 }
236 else {
237 message = apr_dbd_error(dbd->driver, dbd->handle, rv);
238 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
239 "authz_dbd, in groups query for %s [%s]",
240 r->user, message?message:noerror);
241 return HTTP_INTERNAL_SERVER_ERROR;
242 }
243 return OK;
244 }
245
246 static authz_status dbdgroup_check_authorization(request_rec *r,
247 const char *require_args)
248 {
249 int i, rv;
250 const char *w;
251 apr_array_header_t *groups = NULL;
252 const char *t;
253 authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
254 &authz_dbd_module);
255
256 if (!r->user) {
257 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
258 "access to %s failed, reason: no authenticated user", r->uri);
259 return AUTHZ_DENIED;
260 }
261
262 if (groups == NULL) {
263 groups = apr_array_make(r->pool, 4, sizeof(const char*));
264 rv = authz_dbd_group_query(r, cfg, groups);
265 if (rv != OK) {
266 return AUTHZ_GENERAL_ERROR;
267 }
268 }
269
270 t = require_args;
271 while (t[0]) {
272 w = ap_getword_white(r->pool, &t);
273 for (i=0; i < groups->nelts; ++i) {
274 if (!strcmp(w, ((const char**)groups->elts)[i])) {
275 return AUTHZ_GRANTED;
276 }
277 }
278 }
279
280 return AUTHZ_DENIED;
281 }
282
283 static authz_status dbdlogin_check_authorization(request_rec *r,
284 const char *require_args)
285 {
286 authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
287 &authz_dbd_module);
288
289 if (!r->user) {
290 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
291 "access to %s failed, reason: no authenticated user", r->uri);
292 return AUTHZ_DENIED;
293 }
294
295 return (authz_dbd_login(r, cfg, "login") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
296 }
297
298 static authz_status dbdlogout_check_authorization(request_rec *r,
299 const char *require_args)
300 {
301 authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
302 &authz_dbd_module);
303
304 if (!r->user) {
305 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
306 "access to %s failed, reason: no authenticated user", r->uri);
307 return AUTHZ_DENIED;
308 }
309
310 return (authz_dbd_login(r, cfg, "logout") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
311 }
312
313 static const authz_provider authz_dbdgroup_provider =
314 {
315 &dbdgroup_check_authorization,
316 };
317
318 static const authz_provider authz_dbdlogin_provider =
319 {
320 &dbdlogin_check_authorization,
321 };
322
323
324 static const authz_provider authz_dbdlogout_provider =
325 {
326 &dbdlogout_check_authorization,
327 };
328
329 static void authz_dbd_hooks(apr_pool_t *p)
330 {
331 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-group",
332 AUTHZ_PROVIDER_VERSION,
333 &authz_dbdgroup_provider,
334 AP_AUTH_INTERNAL_PER_CONF);
335 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-login",
336 AUTHZ_PROVIDER_VERSION,
337 &authz_dbdlogin_provider,
338 AP_AUTH_INTERNAL_PER_CONF);
339 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-logout",
340 AUTHZ_PROVIDER_VERSION,
341 &authz_dbdlogout_provider,
342 AP_AUTH_INTERNAL_PER_CONF);
343 }
344
345 module AP_MODULE_DECLARE_DATA authz_dbd_module =
346 {
347 STANDARD20_MODULE_STUFF,
348 authz_dbd_cr_cfg,
349 authz_dbd_merge_cfg,
350 NULL,
351 NULL,
352 authz_dbd_cmds,
353 authz_dbd_hooks
354 };
355
Apache HTTP proxy using crcsync