/* Licensed to the Apache Software Foundation (ASF) under one or more

 * contributor license agreements.  See the NOTICE file distributed with

 * this work for additional information regarding copyright ownership.

 * The ASF licenses this file to You under the Apache License, Version 2.0

 * (the "License"); you may not use this file except in compliance with

 * the License.  You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

/**

 * @file  mod_auth.h

 * @brief Authentication and Authorization Extension for Apache

 *

 * @defgroup MOD_AUTH mod_auth

 * @ingroup  APACHE_MODS

 */

#ifndef APACHE_MOD_AUTH_H

#define APACHE_MOD_AUTH_H

#include "apr_pools.h"

#include "apr_hash.h"

#include "apr_optional.h"

#include "httpd.h"

#include "http_config.h"

#ifdef __cplusplus

extern "C" {

#endif

#define AUTHN_PROVIDER_GROUP "authn"

#define AUTHZ_PROVIDER_GROUP "authz"

#define AUTHN_PROVIDER_VERSION "0"

#define AUTHZ_PROVIDER_VERSION "0"

#define AUTHN_DEFAULT_PROVIDER "file"

#define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"

#define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"

#define AUTHN_PREFIX "AUTHENTICATE_"

#define AUTHZ_PREFIX "AUTHORIZE_"

/** all of the requirements must be met */

#ifndef SATISFY_ALL

#define SATISFY_ALL 0

#endif

/**  any of the requirements must be met */

#ifndef SATISFY_ANY

#define SATISFY_ANY 1

#endif

/** There are no applicable satisfy lines */

#ifndef SATISFY_NOSPEC

#define SATISFY_NOSPEC 2

#endif

typedef enum {

    AUTH_DENIED,

    AUTH_GRANTED,

    AUTH_USER_FOUND,

    AUTH_USER_NOT_FOUND,

    AUTH_GENERAL_ERROR

} authn_status;

typedef enum {

    AUTHZ_DENIED,

    AUTHZ_GRANTED,

    AUTHZ_NEUTRAL,

    AUTHZ_GENERAL_ERROR,

    AUTHZ_DENIED_NO_USER      /* denied because r->user == NULL */

} authz_status;

typedef struct {

    /* Given a username and password, expected to return AUTH_GRANTED

     * if we can validate this user/password combination.

     */

    authn_status (*check_password)(request_rec *r, const char *user,

                                   const char *password);

    /* Given a user and realm, expected to return AUTH_USER_FOUND if we

     * can find a md5 hash of 'user:realm:password'

     */

    authn_status (*get_realm_hash)(request_rec *r, const char *user,

                                   const char *realm, char **rethash);

} authn_provider;

/* A linked-list of authn providers. */

typedef struct authn_provider_list authn_provider_list;

struct authn_provider_list {

    const char *provider_name;

    const authn_provider *provider;

    authn_provider_list *next;

};

typedef struct {

    /* Given a request_rec, expected to return AUTHZ_GRANTED

     * if we can authorize user access.

     * @param r the request record

     * @param require_line the argument to the authz provider

     * @param parsed_require_line the value set by parse_require_line(), if any

     */

    authz_status (*check_authorization)(request_rec *r,

                                        const char *require_line,

                                        const void *parsed_require_line);

    /** Check the syntax of a require line and optionally cache the parsed

     * line. This function may be NULL.

     * @param cmd the config directive

     * @param require_line the argument to the authz provider

     * @param parsed_require_line place to store parsed require_line for use by provider

     * @return Error message or NULL on success

     */

    const char *(*parse_require_line)(cmd_parms *cmd, const char *require_line,

                                      const void **parsed_require_line);

} authz_provider;

/* ap_authn_cache_store: Optional function for authn providers

 * to enable cacheing their lookups with mod_authn_cache

 * @param r The request rec

 * @param module Module identifier

 * @param user User name to authenticate

 * @param realm Digest authn realm (NULL for basic authn)

 * @param data The value looked up by the authn provider, to cache

 */

APR_DECLARE_OPTIONAL_FN(void, ap_authn_cache_store,

                        (request_rec*, const char*, const char*,

                         const char*, const char*));

#ifdef __cplusplus

}

#endif

#endif