|
Packit |
90a5c9 |
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
Packit |
90a5c9 |
* contributor license agreements. See the NOTICE file distributed with
|
|
Packit |
90a5c9 |
* this work for additional information regarding copyright ownership.
|
|
Packit |
90a5c9 |
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
Packit |
90a5c9 |
* (the "License"); you may not use this file except in compliance with
|
|
Packit |
90a5c9 |
* the License. You may obtain a copy of the License at
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* Unless required by applicable law or agreed to in writing, software
|
|
Packit |
90a5c9 |
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
Packit |
90a5c9 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
Packit |
90a5c9 |
* See the License for the specific language governing permissions and
|
|
Packit |
90a5c9 |
* limitations under the License.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "apr_strings.h"
|
|
Packit |
90a5c9 |
#include "apr_lib.h" /* for apr_isspace */
|
|
Packit |
90a5c9 |
#include "apr_base64.h" /* for apr_base64_decode et al */
|
|
Packit |
90a5c9 |
#define APR_WANT_STRFUNC /* for strcasecmp */
|
|
Packit |
90a5c9 |
#include "apr_want.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "ap_config.h"
|
|
Packit |
90a5c9 |
#include "httpd.h"
|
|
Packit |
90a5c9 |
#include "http_config.h"
|
|
Packit |
90a5c9 |
#include "http_core.h"
|
|
Packit |
90a5c9 |
#include "http_log.h"
|
|
Packit |
90a5c9 |
#include "http_protocol.h"
|
|
Packit |
90a5c9 |
#include "http_request.h"
|
|
Packit |
90a5c9 |
#include "util_md5.h"
|
|
Packit |
90a5c9 |
#include "ap_provider.h"
|
|
Packit |
90a5c9 |
#include "ap_expr.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "mod_auth.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
typedef struct {
|
|
Packit |
90a5c9 |
authn_provider_list *providers;
|
|
Packit |
90a5c9 |
char *dir; /* unused variable */
|
|
Packit |
90a5c9 |
int authoritative;
|
|
Packit |
90a5c9 |
ap_expr_info_t *fakeuser;
|
|
Packit |
90a5c9 |
ap_expr_info_t *fakepass;
|
|
Packit |
90a5c9 |
const char *use_digest_algorithm;
|
|
Packit |
90a5c9 |
int fake_set:1;
|
|
Packit |
90a5c9 |
int use_digest_algorithm_set:1;
|
|
Packit |
90a5c9 |
int authoritative_set:1;
|
|
Packit |
90a5c9 |
} auth_basic_config_rec;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void *create_auth_basic_dir_config(apr_pool_t *p, char *d)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
auth_basic_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Any failures are fatal. */
|
|
Packit |
90a5c9 |
conf->authoritative = 1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return conf;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void *merge_auth_basic_dir_config(apr_pool_t *p, void *basev, void *overridesv)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
auth_basic_config_rec *newconf = apr_pcalloc(p, sizeof(*newconf));
|
|
Packit |
90a5c9 |
auth_basic_config_rec *base = basev;
|
|
Packit |
90a5c9 |
auth_basic_config_rec *overrides = overridesv;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
newconf->authoritative =
|
|
Packit |
90a5c9 |
overrides->authoritative_set ? overrides->authoritative :
|
|
Packit |
90a5c9 |
base->authoritative;
|
|
Packit |
90a5c9 |
newconf->authoritative_set = overrides->authoritative_set
|
|
Packit |
90a5c9 |
|| base->authoritative_set;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
newconf->fakeuser =
|
|
Packit |
90a5c9 |
overrides->fake_set ? overrides->fakeuser : base->fakeuser;
|
|
Packit |
90a5c9 |
newconf->fakepass =
|
|
Packit |
90a5c9 |
overrides->fake_set ? overrides->fakepass : base->fakepass;
|
|
Packit |
90a5c9 |
newconf->fake_set = overrides->fake_set || base->fake_set;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
newconf->use_digest_algorithm =
|
|
Packit |
90a5c9 |
overrides->use_digest_algorithm_set ? overrides->use_digest_algorithm
|
|
Packit |
90a5c9 |
: base->use_digest_algorithm;
|
|
Packit |
90a5c9 |
newconf->use_digest_algorithm_set =
|
|
Packit |
90a5c9 |
overrides->use_digest_algorithm_set || base->use_digest_algorithm_set;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
newconf->providers = overrides->providers ? overrides->providers : base->providers;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return newconf;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *add_authn_provider(cmd_parms *cmd, void *config,
|
|
Packit |
90a5c9 |
const char *arg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
auth_basic_config_rec *conf = (auth_basic_config_rec*)config;
|
|
Packit |
90a5c9 |
authn_provider_list *newp;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
newp = apr_pcalloc(cmd->pool, sizeof(authn_provider_list));
|
|
Packit |
90a5c9 |
newp->provider_name = arg;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* lookup and cache the actual provider now */
|
|
Packit |
90a5c9 |
newp->provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
|
|
Packit |
90a5c9 |
newp->provider_name,
|
|
Packit |
90a5c9 |
AUTHN_PROVIDER_VERSION);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (newp->provider == NULL) {
|
|
Packit |
90a5c9 |
/* by the time they use it, the provider should be loaded and
|
|
Packit |
90a5c9 |
registered with us. */
|
|
Packit |
90a5c9 |
return apr_psprintf(cmd->pool,
|
|
Packit |
90a5c9 |
"Unknown Authn provider: %s",
|
|
Packit |
90a5c9 |
newp->provider_name);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!newp->provider->check_password) {
|
|
Packit |
90a5c9 |
/* if it doesn't provide the appropriate function, reject it */
|
|
Packit |
90a5c9 |
return apr_psprintf(cmd->pool,
|
|
Packit |
90a5c9 |
"The '%s' Authn provider doesn't support "
|
|
Packit |
90a5c9 |
"Basic Authentication", newp->provider_name);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Add it to the list now. */
|
|
Packit |
90a5c9 |
if (!conf->providers) {
|
|
Packit |
90a5c9 |
conf->providers = newp;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
authn_provider_list *last = conf->providers;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
while (last->next) {
|
|
Packit |
90a5c9 |
last = last->next;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
last->next = newp;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *set_authoritative(cmd_parms * cmd, void *config, int flag)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
auth_basic_config_rec *conf = (auth_basic_config_rec *) config;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
conf->authoritative = flag;
|
|
Packit |
90a5c9 |
conf->authoritative_set = 1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *add_basic_fake(cmd_parms * cmd, void *config,
|
|
Packit |
90a5c9 |
const char *user, const char *pass)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
auth_basic_config_rec *conf = (auth_basic_config_rec *) config;
|
|
Packit |
90a5c9 |
const char *err;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!strcasecmp(user, "off")) {
|
|
Packit |
90a5c9 |
conf->fakeuser = NULL;
|
|
Packit |
90a5c9 |
conf->fakepass = NULL;
|
|
Packit |
90a5c9 |
conf->fake_set = 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
/* if password is unspecified, set it to the fixed string "password" to
|
|
Packit |
90a5c9 |
* be compatible with the behaviour of mod_ssl.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (!pass) {
|
|
Packit |
90a5c9 |
pass = "password";
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
conf->fakeuser =
|
|
Packit |
90a5c9 |
ap_expr_parse_cmd(cmd, user, AP_EXPR_FLAG_STRING_RESULT,
|
|
Packit |
90a5c9 |
&err, NULL);
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
return apr_psprintf(cmd->pool,
|
|
Packit |
90a5c9 |
"Could not parse fake username expression '%s': %s", user,
|
|
Packit |
90a5c9 |
err);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
conf->fakepass =
|
|
Packit |
90a5c9 |
ap_expr_parse_cmd(cmd, pass, AP_EXPR_FLAG_STRING_RESULT,
|
|
Packit |
90a5c9 |
&err, NULL);
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
return apr_psprintf(cmd->pool,
|
|
Packit |
90a5c9 |
"Could not parse fake password expression associated to user '%s': %s",
|
|
Packit |
90a5c9 |
user, err);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
conf->fake_set = 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *set_use_digest_algorithm(cmd_parms *cmd, void *config,
|
|
Packit |
90a5c9 |
const char *alg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
auth_basic_config_rec *conf = (auth_basic_config_rec *)config;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (strcasecmp(alg, "Off") && strcasecmp(alg, "MD5")) {
|
|
Packit |
90a5c9 |
return apr_pstrcat(cmd->pool,
|
|
Packit |
90a5c9 |
"Invalid algorithm in "
|
|
Packit |
90a5c9 |
"AuthBasicUseDigestAlgorithm: ", alg, NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
conf->use_digest_algorithm = alg;
|
|
Packit |
90a5c9 |
conf->use_digest_algorithm_set = 1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const command_rec auth_basic_cmds[] =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
AP_INIT_ITERATE("AuthBasicProvider", add_authn_provider, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"specify the auth providers for a directory or location"),
|
|
Packit |
90a5c9 |
AP_INIT_FLAG("AuthBasicAuthoritative", set_authoritative, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Set to 'Off' to allow access control to be passed along to "
|
|
Packit |
90a5c9 |
"lower modules if the UserID is not known to this module"),
|
|
Packit |
90a5c9 |
AP_INIT_TAKE12("AuthBasicFake", add_basic_fake, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Fake basic authentication using the given expressions for "
|
|
Packit |
90a5c9 |
"username and password, 'off' to disable. Password defaults "
|
|
Packit |
90a5c9 |
"to 'password' if missing."),
|
|
Packit |
90a5c9 |
AP_INIT_TAKE1("AuthBasicUseDigestAlgorithm", set_use_digest_algorithm,
|
|
Packit |
90a5c9 |
NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Set to 'MD5' to use the auth provider's authentication "
|
|
Packit |
90a5c9 |
"check for digest auth, using a hash of 'user:realm:pass'"),
|
|
Packit |
90a5c9 |
{NULL}
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
module AP_MODULE_DECLARE_DATA auth_basic_module;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* These functions return 0 if client is OK, and proper error status
|
|
Packit |
90a5c9 |
* if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or
|
|
Packit |
90a5c9 |
* HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we
|
|
Packit |
90a5c9 |
* couldn't figure out how to tell if the client is authorized or not.
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* If they return DECLINED, and all other modules also decline, that's
|
|
Packit |
90a5c9 |
* treated by the server core as a configuration error, logged and
|
|
Packit |
90a5c9 |
* reported as such.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void note_basic_auth_failure(request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
apr_table_setn(r->err_headers_out,
|
|
Packit |
90a5c9 |
(PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate"
|
|
Packit |
90a5c9 |
: "WWW-Authenticate",
|
|
Packit |
90a5c9 |
apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r),
|
|
Packit |
90a5c9 |
"\"", NULL));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int hook_note_basic_auth_failure(request_rec *r, const char *auth_type)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
if (strcasecmp(auth_type, "Basic"))
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
note_basic_auth_failure(r);
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int get_basic_auth(request_rec *r, const char **user,
|
|
Packit |
90a5c9 |
const char **pw)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
const char *auth_line;
|
|
Packit |
90a5c9 |
char *decoded_line;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Get the appropriate header */
|
|
Packit |
90a5c9 |
auth_line = apr_table_get(r->headers_in, (PROXYREQ_PROXY == r->proxyreq)
|
|
Packit |
90a5c9 |
? "Proxy-Authorization"
|
|
Packit |
90a5c9 |
: "Authorization");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!auth_line) {
|
|
Packit |
90a5c9 |
note_basic_auth_failure(r);
|
|
Packit |
90a5c9 |
return HTTP_UNAUTHORIZED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
|
|
Packit |
90a5c9 |
/* Client tried to authenticate using wrong auth scheme */
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01614)
|
|
Packit |
90a5c9 |
"client used wrong authentication scheme: %s", r->uri);
|
|
Packit |
90a5c9 |
note_basic_auth_failure(r);
|
|
Packit |
90a5c9 |
return HTTP_UNAUTHORIZED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Skip leading spaces. */
|
|
Packit |
90a5c9 |
while (*auth_line == ' ' || *auth_line == '\t') {
|
|
Packit |
90a5c9 |
auth_line++;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
decoded_line = ap_pbase64decode(r->pool, auth_line);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
*user = ap_getword_nulls(r->pool, (const char**)&decoded_line, ':');
|
|
Packit |
90a5c9 |
*pw = decoded_line;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* set the user, even though the user is unauthenticated at this point */
|
|
Packit |
90a5c9 |
r->user = (char *) *user;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Determine user ID, and check if it really is that user, for HTTP
|
|
Packit |
90a5c9 |
* basic authentication...
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static int authenticate_basic_user(request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
auth_basic_config_rec *conf = ap_get_module_config(r->per_dir_config,
|
|
Packit |
90a5c9 |
&auth_basic_module);
|
|
Packit |
90a5c9 |
const char *sent_user, *sent_pw, *current_auth;
|
|
Packit |
90a5c9 |
const char *realm = NULL;
|
|
Packit |
90a5c9 |
const char *digest = NULL;
|
|
Packit |
90a5c9 |
int res;
|
|
Packit |
90a5c9 |
authn_status auth_result;
|
|
Packit |
90a5c9 |
authn_provider_list *current_provider;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Are we configured to be Basic auth? */
|
|
Packit |
90a5c9 |
current_auth = ap_auth_type(r);
|
|
Packit |
90a5c9 |
if (!current_auth || strcasecmp(current_auth, "Basic")) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* We need an authentication realm. */
|
|
Packit |
90a5c9 |
if (!ap_auth_name(r)) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01615)
|
|
Packit |
90a5c9 |
"need AuthName: %s", r->uri);
|
|
Packit |
90a5c9 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
r->ap_auth_type = (char*)current_auth;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
res = get_basic_auth(r, &sent_user, &sent_pw);
|
|
Packit |
90a5c9 |
if (res) {
|
|
Packit |
90a5c9 |
return res;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (conf->use_digest_algorithm
|
|
Packit |
90a5c9 |
&& !strcasecmp(conf->use_digest_algorithm, "MD5")) {
|
|
Packit |
90a5c9 |
realm = ap_auth_name(r);
|
|
Packit |
90a5c9 |
digest = ap_md5(r->pool,
|
|
Packit |
90a5c9 |
(unsigned char *)apr_pstrcat(r->pool, sent_user, ":",
|
|
Packit |
90a5c9 |
realm, ":",
|
|
Packit |
90a5c9 |
sent_pw, NULL));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
current_provider = conf->providers;
|
|
Packit |
90a5c9 |
do {
|
|
Packit |
90a5c9 |
const authn_provider *provider;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* For now, if a provider isn't set, we'll be nice and use the file
|
|
Packit |
90a5c9 |
* provider.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (!current_provider) {
|
|
Packit |
90a5c9 |
provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
|
|
Packit |
90a5c9 |
AUTHN_DEFAULT_PROVIDER,
|
|
Packit |
90a5c9 |
AUTHN_PROVIDER_VERSION);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!provider || !provider->check_password) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01616)
|
|
Packit |
90a5c9 |
"No Authn provider configured");
|
|
Packit |
90a5c9 |
auth_result = AUTH_GENERAL_ERROR;
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, AUTHN_DEFAULT_PROVIDER);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
provider = current_provider->provider;
|
|
Packit |
90a5c9 |
apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, current_provider->provider_name);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (digest) {
|
|
Packit |
90a5c9 |
char *password;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!provider->get_realm_hash) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02493)
|
|
Packit |
90a5c9 |
"Authn provider does not support "
|
|
Packit |
90a5c9 |
"AuthBasicUseDigestAlgorithm");
|
|
Packit |
90a5c9 |
auth_result = AUTH_GENERAL_ERROR;
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
/* We expect the password to be hash of user:realm:password */
|
|
Packit |
90a5c9 |
auth_result = provider->get_realm_hash(r, sent_user, realm,
|
|
Packit |
90a5c9 |
&password);
|
|
Packit |
90a5c9 |
if (auth_result == AUTH_USER_FOUND) {
|
|
Packit |
90a5c9 |
auth_result = strcmp(digest, password) ? AUTH_DENIED
|
|
Packit |
90a5c9 |
: AUTH_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
auth_result = provider->check_password(r, sent_user, sent_pw);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Something occurred. Stop checking. */
|
|
Packit |
90a5c9 |
if (auth_result != AUTH_USER_NOT_FOUND) {
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* If we're not really configured for providers, stop now. */
|
|
Packit |
90a5c9 |
if (!conf->providers) {
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
current_provider = current_provider->next;
|
|
Packit |
90a5c9 |
} while (current_provider);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (auth_result != AUTH_GRANTED) {
|
|
Packit |
90a5c9 |
int return_code;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* If we're not authoritative, then any error is ignored. */
|
|
Packit |
90a5c9 |
if (!(conf->authoritative) && auth_result != AUTH_DENIED) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
switch (auth_result) {
|
|
Packit |
90a5c9 |
case AUTH_DENIED:
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01617)
|
|
Packit |
90a5c9 |
"user %s: authentication failure for \"%s\": "
|
|
Packit |
90a5c9 |
"Password Mismatch",
|
|
Packit |
90a5c9 |
sent_user, r->uri);
|
|
Packit |
90a5c9 |
return_code = HTTP_UNAUTHORIZED;
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
case AUTH_USER_NOT_FOUND:
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01618)
|
|
Packit |
90a5c9 |
"user %s not found: %s", sent_user, r->uri);
|
|
Packit |
90a5c9 |
return_code = HTTP_UNAUTHORIZED;
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
case AUTH_GENERAL_ERROR:
|
|
Packit |
90a5c9 |
default:
|
|
Packit |
90a5c9 |
/* We'll assume that the module has already said what its error
|
|
Packit |
90a5c9 |
* was in the logs.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
return_code = HTTP_INTERNAL_SERVER_ERROR;
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* If we're returning 401, tell them to try again. */
|
|
Packit |
90a5c9 |
if (return_code == HTTP_UNAUTHORIZED) {
|
|
Packit |
90a5c9 |
note_basic_auth_failure(r);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return return_code;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* If requested, create a fake basic authentication header for the benefit
|
|
Packit |
90a5c9 |
* of a proxy or application running behind this server.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static int authenticate_basic_fake(request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
const char *auth_line, *user, *pass, *err;
|
|
Packit |
90a5c9 |
auth_basic_config_rec *conf = ap_get_module_config(r->per_dir_config,
|
|
Packit |
90a5c9 |
&auth_basic_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!conf->fakeuser) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
user = ap_expr_str_exec(r, conf->fakeuser, &err;;
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02455)
|
|
Packit |
90a5c9 |
"AuthBasicFake: could not evaluate user expression for URI '%s': %s", r->uri, err);
|
|
Packit |
90a5c9 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (!user || !*user) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02458)
|
|
Packit |
90a5c9 |
"AuthBasicFake: empty username expression for URI '%s', ignoring", r->uri);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_table_unset(r->headers_in, "Authorization");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
pass = ap_expr_str_exec(r, conf->fakepass, &err;;
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02456)
|
|
Packit |
90a5c9 |
"AuthBasicFake: could not evaluate password expression for URI '%s': %s", r->uri, err);
|
|
Packit |
90a5c9 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (!pass || !*pass) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02459)
|
|
Packit |
90a5c9 |
"AuthBasicFake: empty password expression for URI '%s', ignoring", r->uri);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_table_unset(r->headers_in, "Authorization");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
auth_line = apr_pstrcat(r->pool, "Basic ",
|
|
Packit |
90a5c9 |
ap_pbase64encode(r->pool,
|
|
Packit |
90a5c9 |
apr_pstrcat(r->pool, user,
|
|
Packit |
90a5c9 |
":", pass, NULL)),
|
|
Packit |
90a5c9 |
NULL);
|
|
Packit |
90a5c9 |
apr_table_setn(r->headers_in, "Authorization", auth_line);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02457)
|
|
Packit |
90a5c9 |
"AuthBasicFake: \"Authorization: %s\"",
|
|
Packit |
90a5c9 |
auth_line);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void register_hooks(apr_pool_t *p)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
ap_hook_check_authn(authenticate_basic_user, NULL, NULL, APR_HOOK_MIDDLE,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
ap_hook_fixups(authenticate_basic_fake, NULL, NULL, APR_HOOK_LAST);
|
|
Packit |
90a5c9 |
ap_hook_note_auth_failure(hook_note_basic_auth_failure, NULL, NULL,
|
|
Packit |
90a5c9 |
APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_DECLARE_MODULE(auth_basic) =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
STANDARD20_MODULE_STUFF,
|
|
Packit |
90a5c9 |
create_auth_basic_dir_config, /* dir config creater */
|
|
Packit |
90a5c9 |
merge_auth_basic_dir_config, /* dir merger --- default is to override */
|
|
Packit |
90a5c9 |
NULL, /* server config */
|
|
Packit |
90a5c9 |
NULL, /* merge server config */
|
|
Packit |
90a5c9 |
auth_basic_cmds, /* command apr_table_t */
|
|
Packit |
90a5c9 |
register_hooks /* register hooks */
|
|
Packit |
90a5c9 |
};
|