modules/aaa/mod_authz_groupfile.c

   1 /* Licensed to the Apache Software Foundation (ASF) under one or more
   2  * contributor license agreements.  See the NOTICE file distributed with
   3  * this work for additional information regarding copyright ownership.
   4  * The ASF licenses this file to You under the Apache License, Version 2.0
   5  * (the "License"); you may not use this file except in compliance with
   6  * the License.  You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /* This module is triggered by an
  18  *
  19  *          AuthGroupFile standard /path/to/file
  20  *
  21  * and the presense of a
  22  *
  23  *         require group <list-of-groups>
  24  *
  25  * In an applicable limit/directory block for that method.
  26  *
  27  * If there are no AuthGroupFile directives valid for
  28  * the request; we DECLINED.
  29  *
  30  * If the AuthGroupFile is defined; but somehow not
  31  * accessible: we SERVER_ERROR (was DECLINED).
  32  *
  33  * If there are no 'require ' directives defined for
  34  * this request then we DECLINED (was OK).
  35  *
  36  * If there are no 'require ' directives valid for
  37  * this request method then we DECLINED. (was OK)
  38  *
  39  * If there are any 'require group' blocks and we
  40  * are not in any group - we HTTP_UNAUTHORIZE
  41  *
  42  */
  43
  44 #include "apr_strings.h"
  45 #include "apr_lib.h" /* apr_isspace */
  46
  47 #include "ap_config.h"
  48 #include "ap_provider.h"
  49 #include "httpd.h"
  50 #include "http_config.h"
  51 #include "http_core.h"
  52 #include "http_log.h"
  53 #include "http_protocol.h"
  54 #include "http_request.h"
  55
  56 #include "mod_auth.h"
  57
  58 typedef struct {
  59     char *groupfile;
  60 } authz_groupfile_config_rec;
  61
  62 APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
  63
  64 static void *create_authz_groupfile_dir_config(apr_pool_t *p, char *d)
  65 {
  66     authz_groupfile_config_rec *conf = apr_palloc(p, sizeof(*conf));
  67
  68     conf->groupfile = NULL;
  69     return conf;
  70 }
  71
  72 static const char *set_authz_groupfile_slot(cmd_parms *cmd, void *offset, const char *f,
  73                                  const char *t)
  74 {
  75     if (t && strcmp(t, "standard")) {
  76         return apr_pstrcat(cmd->pool, "Invalid auth file type: ", t, NULL);
  77     }
  78
  79     return ap_set_file_slot(cmd, offset, f);
  80 }
  81
  82 static const command_rec authz_groupfile_cmds[] =
  83 {
  84     AP_INIT_TAKE12("AuthGroupFile", set_authz_groupfile_slot,
  85                    (void *)APR_OFFSETOF(authz_groupfile_config_rec, groupfile),
  86                    OR_AUTHCFG,
  87                    "text file containing group names and member user IDs"),
  88     {NULL}
  89 };
  90
  91 module AP_MODULE_DECLARE_DATA authz_groupfile_module;
  92
  93 static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile,
  94                                     apr_table_t ** out)
  95 {
  96     ap_configfile_t *f;
  97     apr_table_t *grps = apr_table_make(p, 15);
  98     apr_pool_t *sp;
  99     char l[MAX_STRING_LEN];
 100     const char *group_name, *ll, *w;
 101     apr_status_t status;
 102     apr_size_t group_len;
 103
 104     if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) {
 105         return status ;
 106     }
 107
 108     apr_pool_create(&sp, p);
 109
 110     while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
 111         if ((l[0] == '#') || (!l[0])) {
 112             continue;
 113         }
 114         ll = l;
 115         apr_pool_clear(sp);
 116
 117         group_name = ap_getword(sp, &ll, ':');
 118         group_len = strlen(group_name);
 119
 120         while (group_len && apr_isspace(*(group_name + group_len - 1))) {
 121             --group_len;
 122         }
 123
 124         while (ll[0]) {
 125             w = ap_getword_conf(sp, &ll);
 126             if (!strcmp(w, user)) {
 127                 apr_table_setn(grps, apr_pstrmemdup(p, group_name, group_len),
 128                                "in");
 129                 break;
 130             }
 131         }
 132     }
 133     ap_cfg_closefile(f);
 134     apr_pool_destroy(sp);
 135
 136     *out = grps;
 137     return APR_SUCCESS;
 138 }
 139
 140 static authz_status group_check_authorization(request_rec *r,
 141                                              const char *require_args)
 142 {
 143     authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
 144             &authz_groupfile_module);
 145     char *user = r->user;
 146     const char *t, *w;
 147     apr_table_t *grpstatus = NULL;
 148     apr_status_t status;
 149
 150     if (!user) {
 151         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 152             "access to %s failed, reason: no authenticated user", r->uri);
 153         return AUTHZ_DENIED;
 154     }
 155
 156     /* If there is no group file - then we are not
 157      * configured. So decline.
 158      */
 159     if (!(conf->groupfile)) {
 160         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 161                         "No group file was specified in the configuration");
 162         return AUTHZ_DENIED;
 163     }
 164
 165     status = groups_for_user(r->pool, user, conf->groupfile,
 166                                 &grpstatus);
 167
 168     if (status != APR_SUCCESS) {
 169         ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
 170                         "Could not open group file: %s",
 171                         conf->groupfile);
 172         return AUTHZ_DENIED;
 173     }
 174
 175     if (apr_table_elts(grpstatus)->nelts == 0) {
 176         /* no groups available, so exit immediately */
 177         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 178                       "Authorization of user %s to access %s failed, reason: "
 179                       "user doesn't appear in group file (%s).",
 180                       r->user, r->uri, conf->groupfile);
 181         return AUTHZ_DENIED;
 182     }
 183
 184     t = require_args;
 185     while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
 186         if (apr_table_get(grpstatus, w)) {
 187             return AUTHZ_GRANTED;
 188         }
 189     }
 190
 191     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 192                     "Authorization of user %s to access %s failed, reason: "
 193                     "user is not part of the 'require'ed group(s).",
 194                     r->user, r->uri);
 195
 196     return AUTHZ_DENIED;
 197 }
 198
 199 APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
 200
 201 static authz_status filegroup_check_authorization(request_rec *r,
 202                                               const char *require_args)
 203 {
 204     authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
 205             &authz_groupfile_module);
 206     char *user = r->user;
 207     apr_table_t *grpstatus = NULL;
 208     apr_status_t status;
 209     const char *filegroup = NULL;
 210
 211     if (!user) {
 212         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 213             "access to %s failed, reason: no authenticated user", r->uri);
 214         return AUTHZ_DENIED;
 215     }
 216
 217     /* If there is no group file - then we are not
 218      * configured. So decline.
 219      */
 220     if (!(conf->groupfile)) {
 221         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 222                         "No group file was specified in the configuration");
 223         return AUTHZ_DENIED;
 224     }
 225
 226     status = groups_for_user(r->pool, user, conf->groupfile,
 227                              &grpstatus);
 228     if (status != APR_SUCCESS) {
 229         ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
 230                       "Could not open group file: %s",
 231                       conf->groupfile);
 232         return AUTHZ_DENIED;
 233     }
 234
 235     if (apr_table_elts(grpstatus)->nelts == 0) {
 236         /* no groups available, so exit immediately */
 237         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 238                         "Authorization of user %s to access %s failed, reason: "
 239                         "user doesn't appear in group file (%s).",
 240                         r->user, r->uri, conf->groupfile);
 241         return AUTHZ_DENIED;
 242     }
 243
 244     filegroup = authz_owner_get_file_group(r);
 245
 246     if (filegroup) {
 247         if (apr_table_get(grpstatus, filegroup)) {
 248             return AUTHZ_GRANTED;
 249         }
 250     }
 251     else {
 252         /* No need to emit a error log entry because the call
 253         to authz_owner_get_file_group already did it
 254         for us.
 255         */
 256         return AUTHZ_DENIED;
 257     }
 258
 259     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 260                   "Authorization of user %s to access %s failed, reason: "
 261                   "user is not part of the 'require'ed file group.",
 262                   r->user, r->uri);
 263
 264     return AUTHZ_DENIED;
 265 }
 266
 267 static const authz_provider authz_group_provider =
 268 {
 269     &group_check_authorization,
 270 };
 271
 272 static const authz_provider authz_filegroup_provider =
 273 {
 274     &filegroup_check_authorization,
 275 };
 276
 277 static void register_hooks(apr_pool_t *p)
 278 {
 279     authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
 280
 281     ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "group",
 282                               AUTHZ_PROVIDER_VERSION,
 283                               &authz_group_provider,
 284                               AP_AUTH_INTERNAL_PER_CONF);
 285     ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "file-group",
 286                               AUTHZ_PROVIDER_VERSION,
 287                               &authz_filegroup_provider,
 288                               AP_AUTH_INTERNAL_PER_CONF);
 289 }
 290
 291 module AP_MODULE_DECLARE_DATA authz_groupfile_module =
 292 {
 293     STANDARD20_MODULE_STUFF,
 294     create_authz_groupfile_dir_config,/* dir config creater */
 295     NULL,                             /* dir merger -- default is to override */
 296     NULL,                             /* server config */
 297     NULL,                             /* merge server config */
 298     authz_groupfile_cmds,             /* command apr_table_t */
 299     register_hooks                    /* register hooks */
 300 };