Tree - source-git/httpd - CentOS Git server

source-git / httpd

Blame modules/aaa/mod_authnz_fcgi.c

Blob History Raw

Packit	90a5c9	`/* Licensed to the Apache Software Foundation (ASF) under one or more`
Packit	90a5c9	`* contributor license agreements. See the NOTICE file distributed with`
Packit	90a5c9	`* this work for additional information regarding copyright ownership.`
Packit	90a5c9	`* The ASF licenses this file to You under the Apache License, Version 2.0`
Packit	90a5c9	`* (the "License"); you may not use this file except in compliance with`
Packit	90a5c9	`* the License. You may obtain a copy of the License at`
Packit	90a5c9	`*`
Packit	90a5c9	`* http://www.apache.org/licenses/LICENSE-2.0`
Packit	90a5c9	`*`
Packit	90a5c9	`* Unless required by applicable law or agreed to in writing, software`
Packit	90a5c9	`* distributed under the License is distributed on an "AS IS" BASIS,`
Packit	90a5c9	`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
Packit	90a5c9	`* See the License for the specific language governing permissions and`
Packit	90a5c9	`* limitations under the License.`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`#include "apr_hash.h"`
Packit	90a5c9	`#include "apr_lib.h"`
Packit	90a5c9	`#include "apr_strings.h"`
Packit	90a5c9
Packit	90a5c9	`#include "ap_provider.h"`
Packit	90a5c9	`#include "httpd.h"`
Packit	90a5c9	`#include "http_config.h"`
Packit	90a5c9	`#include "http_core.h"`
Packit	90a5c9	`#include "http_protocol.h"`
Packit	90a5c9	`#include "http_request.h"`
Packit	90a5c9	`#include "http_log.h"`
Packit	90a5c9	`#include "util_script.h"`
Packit	90a5c9	`#include "ap_provider.h"`
Packit	90a5c9	`#include "mod_auth.h"`
Packit	90a5c9	`#include "util_fcgi.h"`
Packit	90a5c9	`#include "ap_mmn.h"`
Packit	90a5c9
Packit	90a5c9	`module AP_MODULE_DECLARE_DATA authnz_fcgi_module;`
Packit	90a5c9
Packit	90a5c9	`typedef struct {`
Packit	90a5c9	`const char name; / provider name */`
Packit	90a5c9	`const char backend; / backend address, as configured */`
Packit	90a5c9	`const char *host;`
Packit	90a5c9	`apr_port_t port;`
Packit	90a5c9	`apr_sockaddr_t *backend_addrs;`
Packit	90a5c9	`int is_authn;`
Packit	90a5c9	`int is_authz;`
Packit	90a5c9	`} fcgi_provider_conf;`
Packit	90a5c9
Packit	90a5c9	`typedef struct {`
Packit	90a5c9	`const char name; / provider name */`
Packit	90a5c9	`const char default_user; / this is user if authorizer returns`
Packit	90a5c9	`* success and a user expression yields`
Packit	90a5c9	`* empty string`
Packit	90a5c9	`*/`
Packit	90a5c9	`ap_expr_info_t user_expr; / expr to evaluate to set r->user */`
Packit	90a5c9	`char authoritative; /* fail request if user is rejected? */`
Packit	90a5c9	`char require_basic_auth; /* fail if client didn't send credentials? */`
Packit	90a5c9	`} fcgi_dir_conf;`
Packit	90a5c9
Packit	90a5c9	`typedef struct {`
Packit	90a5c9	`/* If an "authnz" provider successfully authenticates, record`
Packit	90a5c9	`* the provider name here for checking during authz.`
Packit	90a5c9	`*/`
Packit	90a5c9	`const char *successful_authnz_provider;`
Packit	90a5c9	`} fcgi_request_notes;`
Packit	90a5c9
Packit	90a5c9	`static apr_hash_t fcgi_authn_providers, fcgi_authz_providers;`
Packit	90a5c9
Packit	90a5c9	`#define FCGI_IO_TIMEOUT apr_time_from_sec(30)`
Packit	90a5c9
Packit	90a5c9	`#ifndef NON200_RESPONSE_BUF_LEN`
Packit	90a5c9	`#define NON200_RESPONSE_BUF_LEN 8192`
Packit	90a5c9	`#endif`
Packit	90a5c9
Packit	90a5c9	`/* fcgi://{hostname\|IPv4\|IPv6}:port[/] */`
Packit	90a5c9	`#define FCGI_BACKEND_REGEX_STR "m%^fcgi://(.*):(\\d{1,5})/?$%"`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* utility function to connect to a peer; generally useful, but`
Packit	90a5c9	`* wait for AF_UNIX support in this mod before thinking about how`
Packit	90a5c9	`* to make it available to other modules`
Packit	90a5c9	`*/`
Packit	90a5c9	`static apr_status_t connect_to_peer(apr_socket_t **newsock,`
Packit	90a5c9	`request_rec *r,`
Packit	90a5c9	`apr_sockaddr_t *backend_addrs,`
Packit	90a5c9	`const char *backend_name,`
Packit	90a5c9	`apr_interval_time_t timeout)`
Packit	90a5c9	`{`
Packit	90a5c9	`apr_status_t rv = APR_EINVAL; /* returned if no backend addr was provided`
Packit	90a5c9	`*/`
Packit	90a5c9	`int connected = 0;`
Packit	90a5c9	`apr_sockaddr_t *addr = backend_addrs;`
Packit	90a5c9
Packit	90a5c9	`while (addr && !connected) {`
Packit	90a5c9	`int loglevel = addr->next ? APLOG_DEBUG : APLOG_ERR;`
Packit	90a5c9	`rv = apr_socket_create(newsock, addr->family,`
Packit	90a5c9	`SOCK_STREAM, 0, r->pool);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, loglevel, rv, r,`
Packit	90a5c9	`APLOGNO(02494) "error creating family %d socket "`
Packit	90a5c9	`"for target %s",`
Packit	90a5c9	`addr->family, backend_name);`
Packit	90a5c9	`addr = addr->next;`
Packit	90a5c9	`continue;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`apr_socket_opt_set(*newsock, APR_TCP_NODELAY, 1);`
Packit	90a5c9	`apr_socket_timeout_set(*newsock,`
Packit	90a5c9	`timeout ? timeout : r->server->timeout);`
Packit	90a5c9
Packit	90a5c9	`rv = apr_socket_connect(*newsock, addr);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`apr_socket_close(*newsock);`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, loglevel, rv, r,`
Packit	90a5c9	`APLOGNO(02495) "attempt to connect to %pI (%s) "`
Packit	90a5c9	`"failed", addr, backend_name);`
Packit	90a5c9	`addr = addr->next;`
Packit	90a5c9	`continue;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`connected = 1;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return rv;`
Packit	90a5c9	`#undef FN_LOG_MARK`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static void log_provider_info(const fcgi_provider_conf conf, request_rec r)`
Packit	90a5c9	`{`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02496) "name %s, backend %s, host %s, port %d, "`
Packit	90a5c9	`"first address %pI, %c%c",`
Packit	90a5c9	`conf->name,`
Packit	90a5c9	`conf->backend,`
Packit	90a5c9	`conf->host,`
Packit	90a5c9	`(int)conf->port,`
Packit	90a5c9	`conf->backend_addrs,`
Packit	90a5c9	`conf->is_authn ? 'N' : '_',`
Packit	90a5c9	`conf->is_authz ? 'Z' : '_');`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static void setupenv(request_rec r, const char password, const char *apache_role)`
Packit	90a5c9	`{`
Packit	90a5c9	`ap_add_common_vars(r);`
Packit	90a5c9	`ap_add_cgi_vars(r);`
Packit	90a5c9	`apr_table_setn(r->subprocess_env, "FCGI_ROLE", AP_FCGI_AUTHORIZER_STR);`
Packit	90a5c9	`if (apache_role) {`
Packit	90a5c9	`apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", apache_role);`
Packit	90a5c9	`}`
Packit	90a5c9	`if (password) {`
Packit	90a5c9	`apr_table_setn(r->subprocess_env, "REMOTE_PASSWD", password);`
Packit	90a5c9	`}`
Packit	90a5c9	`/* Drop the variables CONTENT_LENGTH, PATH_INFO, PATH_TRANSLATED,`
Packit	90a5c9	`* SCRIPT_NAME and most Hop-By-Hop headers - EXCEPT we will pass`
Packit	90a5c9	`* PROXY_AUTH to allow CGI to perform proxy auth for httpd`
Packit	90a5c9	`*/`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "CONTENT_LENGTH");`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "PATH_INFO");`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "PATH_TRANSLATED");`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "SCRIPT_NAME");`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "HTTP_KEEP_ALIVE");`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "HTTP_TE");`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "HTTP_TRAILER");`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "HTTP_TRANSFER_ENCODING");`
Packit	90a5c9	`apr_table_unset(r->subprocess_env, "HTTP_UPGRADE");`
Packit	90a5c9
Packit	90a5c9	`/* Connection hop-by-hop header to prevent the CGI from hanging */`
Packit	90a5c9	`apr_table_setn(r->subprocess_env, "HTTP_CONNECTION", "close");`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static apr_status_t recv_data(const fcgi_provider_conf *conf,`
Packit	90a5c9	`request_rec *r,`
Packit	90a5c9	`apr_socket_t *s,`
Packit	90a5c9	`char *buf,`
Packit	90a5c9	`apr_size_t *buflen)`
Packit	90a5c9	`{`
Packit	90a5c9	`apr_status_t rv;`
Packit	90a5c9
Packit	90a5c9	`rv = apr_socket_recv(s, buf, buflen);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`
Packit	90a5c9	`APLOGNO(02497) "Couldn't read from backend %s",`
Packit	90a5c9	`conf->backend);`
Packit	90a5c9	`return rv;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`#if AP_MODULE_MAGIC_AT_LEAST(20130702,2)`
Packit	90a5c9	`ap_log_rdata(APLOG_MARK, APLOG_TRACE5, r, "FastCGI data received",`
Packit	90a5c9	`buf, *buflen, AP_LOG_DATA_SHOW_OFFSET);`
Packit	90a5c9	`#endif`
Packit	90a5c9	`return APR_SUCCESS;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static apr_status_t recv_data_full(const fcgi_provider_conf *conf,`
Packit	90a5c9	`request_rec *r,`
Packit	90a5c9	`apr_socket_t *s,`
Packit	90a5c9	`char *buf,`
Packit	90a5c9	`apr_size_t buflen)`
Packit	90a5c9	`{`
Packit	90a5c9	`apr_size_t readlen;`
Packit	90a5c9	`apr_size_t cumulative_len = 0;`
Packit	90a5c9	`apr_status_t rv;`
Packit	90a5c9
Packit	90a5c9	`do {`
Packit	90a5c9	`readlen = buflen - cumulative_len;`
Packit	90a5c9	`rv = recv_data(conf, r, s, buf + cumulative_len, &readlen);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`return rv;`
Packit	90a5c9	`}`
Packit	90a5c9	`cumulative_len += readlen;`
Packit	90a5c9	`} while (cumulative_len < buflen);`
Packit	90a5c9
Packit	90a5c9	`return APR_SUCCESS;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static apr_status_t sendv_data(const fcgi_provider_conf *conf,`
Packit	90a5c9	`request_rec *r,`
Packit	90a5c9	`apr_socket_t *s,`
Packit	90a5c9	`struct iovec *vec,`
Packit	90a5c9	`int nvec,`
Packit	90a5c9	`apr_size_t *len)`
Packit	90a5c9	`{`
Packit	90a5c9	`apr_size_t to_write = 0, written = 0;`
Packit	90a5c9	`apr_status_t rv = APR_SUCCESS;`
Packit	90a5c9	`int i, offset;`
Packit	90a5c9
Packit	90a5c9	`for (i = 0; i < nvec; i++) {`
Packit	90a5c9	`to_write += vec[i].iov_len;`
Packit	90a5c9	`#if AP_MODULE_MAGIC_AT_LEAST(20130702,2)`
Packit	90a5c9	`ap_log_rdata(APLOG_MARK, APLOG_TRACE5, r, "FastCGI data sent",`
Packit	90a5c9	`vec[i].iov_base, vec[i].iov_len, AP_LOG_DATA_SHOW_OFFSET);`
Packit	90a5c9	`#endif`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`offset = 0;`
Packit	90a5c9	`while (to_write) {`
Packit	90a5c9	`apr_size_t n = 0;`
Packit	90a5c9	`rv = apr_socket_sendv(s, vec + offset, nvec - offset, &n);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,`
Packit	90a5c9	`APLOGNO(02498) "Sending data to %s failed",`
Packit	90a5c9	`conf->backend);`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`if (n > 0) {`
Packit	90a5c9	`written += n;`
Packit	90a5c9	`if (written >= to_write)`
Packit	90a5c9	`break; /* short circuit out */`
Packit	90a5c9	`for (i = offset; i < nvec; ) {`
Packit	90a5c9	`if (n >= vec[i].iov_len) {`
Packit	90a5c9	`offset++;`
Packit	90a5c9	`n -= vec[i++].iov_len;`
Packit	90a5c9	`} else {`
Packit	90a5c9	`vec[i].iov_len -= n;`
Packit	90a5c9	`vec[i].iov_base = (char *) vec[i].iov_base + n;`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`*len = written;`
Packit	90a5c9
Packit	90a5c9	`return rv;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static apr_status_t send_begin_request(request_rec *r,`
Packit	90a5c9	`const fcgi_provider_conf *conf,`
Packit	90a5c9	`apr_socket_t *s, int role,`
Packit	90a5c9	`apr_uint16_t request_id)`
Packit	90a5c9	`{`
Packit	90a5c9	`struct iovec vec[2];`
Packit	90a5c9	`ap_fcgi_header header;`
Packit	90a5c9	`unsigned char farray[AP_FCGI_HEADER_LEN];`
Packit	90a5c9	`ap_fcgi_begin_request_body brb;`
Packit	90a5c9	`unsigned char abrb[AP_FCGI_HEADER_LEN];`
Packit	90a5c9	`apr_size_t len;`
Packit	90a5c9
Packit	90a5c9	`ap_fcgi_fill_in_header(&header, AP_FCGI_BEGIN_REQUEST, request_id,`
Packit	90a5c9	`sizeof(abrb), 0);`
Packit	90a5c9	`ap_fcgi_fill_in_request_body(&brb, role, 0 /* NOT AP_FCGI_KEEP_CONN */);`
Packit	90a5c9
Packit	90a5c9	`ap_fcgi_header_to_array(&header, farray);`
Packit	90a5c9	`ap_fcgi_begin_request_body_to_array(&brb, abrb);`
Packit	90a5c9
Packit	90a5c9	`vec[0].iov_base = (void *)farray;`
Packit	90a5c9	`vec[0].iov_len = sizeof(farray);`
Packit	90a5c9	`vec[1].iov_base = (void *)abrb;`
Packit	90a5c9	`vec[1].iov_len = sizeof(abrb);`
Packit	90a5c9
Packit	90a5c9	`return sendv_data(conf, r, s, vec, 2, &len;;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static apr_status_t send_environment(apr_socket_t *s,`
Packit	90a5c9	`const fcgi_provider_conf *conf,`
Packit	90a5c9	`request_rec *r, apr_uint16_t request_id,`
Packit	90a5c9	`apr_pool_t *temp_pool)`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *fn = "send_environment";`
Packit	90a5c9	`const apr_array_header_t *envarr;`
Packit	90a5c9	`const apr_table_entry_t *elts;`
Packit	90a5c9	`struct iovec vec[2];`
Packit	90a5c9	`ap_fcgi_header header;`
Packit	90a5c9	`unsigned char farray[AP_FCGI_HEADER_LEN];`
Packit	90a5c9	`char *body;`
Packit	90a5c9	`apr_status_t rv;`
Packit	90a5c9	`apr_size_t avail_len, len, required_len;`
Packit	90a5c9	`int i, next_elem, starting_elem;`
Packit	90a5c9
Packit	90a5c9	`envarr = apr_table_elts(r->subprocess_env);`
Packit	90a5c9	`elts = (const apr_table_entry_t *) envarr->elts;`
Packit	90a5c9
Packit	90a5c9	`if (APLOG_R_IS_LEVEL(r, APLOG_TRACE2)) {`
Packit	90a5c9
Packit	90a5c9	`for (i = 0; i < envarr->nelts; ++i) {`
Packit	90a5c9	`if (!elts[i].key) {`
Packit	90a5c9	`continue;`
Packit	90a5c9	`}`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,`
Packit	90a5c9	`"%s: '%s': '%s'",`
Packit	90a5c9	`fn, elts[i].key,`
Packit	90a5c9	`!strcmp(elts[i].key, "REMOTE_PASSWD") ?`
Packit	90a5c9	`"XXXXXXXX" : elts[i].val);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* Send envvars over in as many FastCGI records as it takes, */`
Packit	90a5c9	`next_elem = 0; /* starting with the first one */`
Packit	90a5c9
Packit	90a5c9	`avail_len = 16 * 1024; /* our limit per record, which could have been up`
Packit	90a5c9	`* to AP_FCGI_MAX_CONTENT_LEN`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`while (next_elem < envarr->nelts) {`
Packit	90a5c9	`starting_elem = next_elem;`
Packit	90a5c9	`required_len = ap_fcgi_encoded_env_len(r->subprocess_env,`
Packit	90a5c9	`avail_len,`
Packit	90a5c9	`&next_elem);`
Packit	90a5c9
Packit	90a5c9	`if (!required_len) {`
Packit	90a5c9	`if (next_elem < envarr->nelts) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,`
Packit	90a5c9	`APLOGNO(02499) "couldn't encode envvar '%s' in %"`
Packit	90a5c9	`APR_SIZE_T_FMT " bytes",`
Packit	90a5c9	`elts[next_elem].key, avail_len);`
Packit	90a5c9	`/* skip this envvar and continue */`
Packit	90a5c9	`++next_elem;`
Packit	90a5c9	`continue;`
Packit	90a5c9	`}`
Packit	90a5c9	`/* only an unused element at the end of the array */`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02500) "required len for encoding envvars: %"`
Packit	90a5c9	`APR_SIZE_T_FMT ", %d/%d elems processed so far",`
Packit	90a5c9	`required_len, next_elem, envarr->nelts);`
Packit	90a5c9
Packit	90a5c9	`body = apr_palloc(temp_pool, required_len);`
Packit	90a5c9	`rv = ap_fcgi_encode_env(r, r->subprocess_env, body, required_len,`
Packit	90a5c9	`&starting_elem);`
Packit	90a5c9	`/* we pre-compute, so we can't run out of space */`
Packit	90a5c9	`ap_assert(rv == APR_SUCCESS);`
Packit	90a5c9	`/* compute and encode must be in sync */`
Packit	90a5c9	`ap_assert(starting_elem == next_elem);`
Packit	90a5c9
Packit	90a5c9	`ap_fcgi_fill_in_header(&header, AP_FCGI_PARAMS, request_id,`
Packit	90a5c9	`(apr_uint16_t)required_len, 0);`
Packit	90a5c9	`ap_fcgi_header_to_array(&header, farray);`
Packit	90a5c9
Packit	90a5c9	`vec[0].iov_base = (void *)farray;`
Packit	90a5c9	`vec[0].iov_len = sizeof(farray);`
Packit	90a5c9	`vec[1].iov_base = body;`
Packit	90a5c9	`vec[1].iov_len = required_len;`
Packit	90a5c9
Packit	90a5c9	`rv = sendv_data(conf, r, s, vec, 2, &len;;`
Packit	90a5c9	`apr_pool_clear(temp_pool);`
Packit	90a5c9
Packit	90a5c9	`if (rv) {`
Packit	90a5c9	`return rv;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* Envvars sent, so say we're done */`
Packit	90a5c9	`ap_fcgi_fill_in_header(&header, AP_FCGI_PARAMS, request_id, 0, 0);`
Packit	90a5c9	`ap_fcgi_header_to_array(&header, farray);`
Packit	90a5c9
Packit	90a5c9	`vec[0].iov_base = (void *)farray;`
Packit	90a5c9	`vec[0].iov_len = sizeof(farray);`
Packit	90a5c9
Packit	90a5c9	`return sendv_data(conf, r, s, vec, 1, &len;;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* This header-state logic is from mod_proxy_fcgi.`
Packit	90a5c9	`*/`
Packit	90a5c9	`enum {`
Packit	90a5c9	`HDR_STATE_READING_HEADERS,`
Packit	90a5c9	`HDR_STATE_GOT_CR,`
Packit	90a5c9	`HDR_STATE_GOT_CRLF,`
Packit	90a5c9	`HDR_STATE_GOT_CRLFCR,`
Packit	90a5c9	`HDR_STATE_GOT_LF,`
Packit	90a5c9	`HDR_STATE_DONE_WITH_HEADERS`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`/* Try to find the end of the script headers in the response from the back`
Packit	90a5c9	`* end fastcgi server. STATE holds the current header parsing state for this`
Packit	90a5c9	`* request.`
Packit	90a5c9	`*`
Packit	90a5c9	`* Returns 0 if it can't find the end of the headers, and 1 if it found the`
Packit	90a5c9	`* end of the headers. */`
Packit	90a5c9	`static int handle_headers(request_rec r, int state,`
Packit	90a5c9	`const char *readbuf, apr_size_t readlen)`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *itr = readbuf;`
Packit	90a5c9
Packit	90a5c9	`while (readlen--) {`
Packit	90a5c9	`if (*itr == '\r') {`
Packit	90a5c9	`switch (*state) {`
Packit	90a5c9	`case HDR_STATE_GOT_CRLF:`
Packit	90a5c9	`*state = HDR_STATE_GOT_CRLFCR;`
Packit	90a5c9	`break;`
Packit	90a5c9
Packit	90a5c9	`default:`
Packit	90a5c9	`*state = HDR_STATE_GOT_CR;`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (*itr == '\n') {`
Packit	90a5c9	`switch (*state) {`
Packit	90a5c9	`case HDR_STATE_GOT_LF:`
Packit	90a5c9	`*state = HDR_STATE_DONE_WITH_HEADERS;`
Packit	90a5c9	`break;`
Packit	90a5c9
Packit	90a5c9	`case HDR_STATE_GOT_CR:`
Packit	90a5c9	`*state = HDR_STATE_GOT_CRLF;`
Packit	90a5c9	`break;`
Packit	90a5c9
Packit	90a5c9	`case HDR_STATE_GOT_CRLFCR:`
Packit	90a5c9	`*state = HDR_STATE_DONE_WITH_HEADERS;`
Packit	90a5c9	`break;`
Packit	90a5c9
Packit	90a5c9	`default:`
Packit	90a5c9	`*state = HDR_STATE_GOT_LF;`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`*state = HDR_STATE_READING_HEADERS;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (*state == HDR_STATE_DONE_WITH_HEADERS)`
Packit	90a5c9	`break;`
Packit	90a5c9
Packit	90a5c9	`++itr;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (*state == HDR_STATE_DONE_WITH_HEADERS) {`
Packit	90a5c9	`return 1;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return 0;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* handle_response() is based on mod_proxy_fcgi's dispatch()`
Packit	90a5c9	`*/`
Packit	90a5c9	`static apr_status_t handle_response(const fcgi_provider_conf *conf,`
Packit	90a5c9	`request_rec r, apr_socket_t s,`
Packit	90a5c9	`apr_pool_t *temp_pool,`
Packit	90a5c9	`apr_uint16_t request_id,`
Packit	90a5c9	`char *rspbuf,`
Packit	90a5c9	`apr_size_t *rspbuflen)`
Packit	90a5c9	`{`
Packit	90a5c9	`apr_bucket *b;`
Packit	90a5c9	`apr_bucket_brigade *ob;`
Packit	90a5c9	`apr_size_t orspbuflen = 0;`
Packit	90a5c9	`apr_status_t rv = APR_SUCCESS;`
Packit	90a5c9	`const char *fn = "handle_response";`
Packit	90a5c9	`int header_state = HDR_STATE_READING_HEADERS;`
Packit	90a5c9	`int seen_end_of_headers = 0, done = 0;`
Packit	90a5c9
Packit	90a5c9	`if (rspbuflen) {`
Packit	90a5c9	`orspbuflen = *rspbuflen;`
Packit	90a5c9	`rspbuflen = 0; / unless we actually read something */`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ob = apr_brigade_create(r->pool, r->connection->bucket_alloc);`
Packit	90a5c9
Packit	90a5c9	`while (!done && rv == APR_SUCCESS) { /* Keep reading FastCGI records until`
Packit	90a5c9	`* we get AP_FCGI_END_REQUEST (done)`
Packit	90a5c9	`* or an error occurs.`
Packit	90a5c9	`*/`
Packit	90a5c9	`apr_size_t readbuflen;`
Packit	90a5c9	`apr_uint16_t clen;`
Packit	90a5c9	`apr_uint16_t rid;`
Packit	90a5c9	`char readbuf[AP_IOBUFSIZE + 1];`
Packit	90a5c9	`unsigned char farray[AP_FCGI_HEADER_LEN];`
Packit	90a5c9	`unsigned char plen;`
Packit	90a5c9	`unsigned char type;`
Packit	90a5c9	`unsigned char version;`
Packit	90a5c9
Packit	90a5c9	`rv = recv_data_full(conf, r, s, (char *)farray, AP_FCGI_HEADER_LEN);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,`
Packit	90a5c9	`APLOGNO(02501) "%s: Error occurred before reading "`
Packit	90a5c9	`"entire header", fn);`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_fcgi_header_fields_from_array(&version, &type, &rid, &clen, &plen,`
Packit	90a5c9	`farray);`
Packit	90a5c9
Packit	90a5c9	`if (version != AP_FCGI_VERSION_1) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`
Packit	90a5c9	`APLOGNO(02502) "%s: Got bogus FastCGI header "`
Packit	90a5c9	`"version %d", fn, (int)version);`
Packit	90a5c9	`rv = APR_EINVAL;`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (rid != request_id) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`
Packit	90a5c9	`APLOGNO(02503) "%s: Got bogus FastCGI header "`
Packit	90a5c9	`"request id %d, expected %d",`
Packit	90a5c9	`fn, rid, request_id);`
Packit	90a5c9	`rv = APR_EINVAL;`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`recv_again: /* if we need to keep reading more of a record's content */`
Packit	90a5c9
Packit	90a5c9	`if (clen > sizeof(readbuf) - 1) {`
Packit	90a5c9	`readbuflen = sizeof(readbuf) - 1;`
Packit	90a5c9	`} else {`
Packit	90a5c9	`readbuflen = clen;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Now get the actual content of the record.`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (readbuflen != 0) {`
Packit	90a5c9	`rv = recv_data(conf, r, s, readbuf, &readbuflen);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`readbuf[readbuflen] = '\0';`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`switch (type) {`
Packit	90a5c9	`case AP_FCGI_STDOUT: /* Response headers and optional body */`
Packit	90a5c9	`if (clen != 0) {`
Packit	90a5c9	`b = apr_bucket_transient_create(readbuf,`
Packit	90a5c9	`readbuflen,`
Packit	90a5c9	`r->connection->bucket_alloc);`
Packit	90a5c9
Packit	90a5c9	`APR_BRIGADE_INSERT_TAIL(ob, b);`
Packit	90a5c9
Packit	90a5c9	`if (!seen_end_of_headers) {`
Packit	90a5c9	`int st = handle_headers(r, &header_state,`
Packit	90a5c9	`readbuf, readbuflen);`
Packit	90a5c9
Packit	90a5c9	`if (st == 1) {`
Packit	90a5c9	`int status;`
Packit	90a5c9
Packit	90a5c9	`seen_end_of_headers = 1;`
Packit	90a5c9
Packit	90a5c9	`status =`
Packit	90a5c9	`ap_scan_script_header_err_brigade_ex(r, ob,`
Packit	90a5c9	`NULL,`
Packit	90a5c9	`APLOG_MODULE_INDEX);`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02504) "%s: script header "`
Packit	90a5c9	`"parsing -> %d/%d",`
Packit	90a5c9	`fn, status, r->status);`
Packit	90a5c9
Packit	90a5c9	`if (rspbuf) { /* caller wants to see response body,`
Packit	90a5c9	`* if any`
Packit	90a5c9	`*/`
Packit	90a5c9	`apr_status_t tmprv;`
Packit	90a5c9
Packit	90a5c9	`if (rspbuflen) {`
Packit	90a5c9	`*rspbuflen = orspbuflen;`
Packit	90a5c9	`}`
Packit	90a5c9	`tmprv = apr_brigade_flatten(ob, rspbuf, rspbuflen);`
Packit	90a5c9	`if (tmprv != APR_SUCCESS) {`
Packit	90a5c9	`/* should not occur for these bucket types;`
Packit	90a5c9	`* does not indicate overflow`
Packit	90a5c9	`*/`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, tmprv, r,`
Packit	90a5c9	`APLOGNO(02505) "%s: error "`
Packit	90a5c9	`"flattening response body",`
Packit	90a5c9	`fn);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (status != OK) {`
Packit	90a5c9	`r->status = status;`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`
Packit	90a5c9	`APLOGNO(02506) "%s: Error parsing "`
Packit	90a5c9	`"script headers from %s",`
Packit	90a5c9	`fn, conf->backend);`
Packit	90a5c9	`rv = APR_EINVAL;`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`apr_pool_clear(temp_pool);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`/* We're still looking for the end of the`
Packit	90a5c9	`* headers, so this part of the data will need`
Packit	90a5c9	`* to persist. */`
Packit	90a5c9	`apr_bucket_setaside(b, temp_pool);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* If we didn't read all the data go back and get the`
Packit	90a5c9	`* rest of it. */`
Packit	90a5c9	`if (clen > readbuflen) {`
Packit	90a5c9	`clen -= readbuflen;`
Packit	90a5c9	`goto recv_again;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`break;`
Packit	90a5c9
Packit	90a5c9	`case AP_FCGI_STDERR: /* Text to log */`
Packit	90a5c9	`if (clen) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,`
Packit	90a5c9	`APLOGNO(02507) "%s: Logged from %s: '%s'",`
Packit	90a5c9	`fn, conf->backend, readbuf);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (clen > readbuflen) {`
Packit	90a5c9	`clen -= readbuflen;`
Packit	90a5c9	`goto recv_again; /* continue reading this record */`
Packit	90a5c9	`}`
Packit	90a5c9	`break;`
Packit	90a5c9
Packit	90a5c9	`case AP_FCGI_END_REQUEST:`
Packit	90a5c9	`done = 1;`
Packit	90a5c9	`break;`
Packit	90a5c9
Packit	90a5c9	`default:`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`
Packit	90a5c9	`APLOGNO(02508) "%s: Got bogus FastCGI record type "`
Packit	90a5c9	`"%d", fn, type);`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`/* Leave on above switch's inner error. */`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Read/discard any trailing padding.`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (plen) {`
Packit	90a5c9	`rv = recv_data_full(conf, r, s, readbuf, plen);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,`
Packit	90a5c9	`APLOGNO(02509) "%s: Error occurred reading "`
Packit	90a5c9	`"padding",`
Packit	90a5c9	`fn);`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`apr_brigade_cleanup(ob);`
Packit	90a5c9
Packit	90a5c9	`if (rv == APR_SUCCESS && !seen_end_of_headers) {`
Packit	90a5c9	`rv = APR_EINVAL;`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`
Packit	90a5c9	`APLOGNO(02510) "%s: Never reached end of script headers",`
Packit	90a5c9	`fn);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return rv;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* almost from mod_fcgid */`
Packit	90a5c9	`static int mod_fcgid_modify_auth_header(void *vars,`
Packit	90a5c9	`const char key, const char val)`
Packit	90a5c9	`{`
Packit	90a5c9	`/* When the application gives a 200 response, the server ignores response`
Packit	90a5c9	`headers whose names aren't prefixed with Variable- prefix, and ignores`
Packit	90a5c9	`any response content */`
Packit	90a5c9	`if (strncasecmp(key, "Variable-", 9) == 0)`
Packit	90a5c9	`apr_table_setn(vars, key, val);`
Packit	90a5c9	`return 1;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static int fix_auth_header(void vr, const char key, const char *val)`
Packit	90a5c9	`{`
Packit	90a5c9	`request_rec *r = vr;`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "moving %s->%s", key, val);`
Packit	90a5c9	`apr_table_unset(r->err_headers_out, key);`
Packit	90a5c9	`apr_table_setn(r->subprocess_env, key + 9, val);`
Packit	90a5c9	`return 1;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static void req_rsp(request_rec r, const fcgi_provider_conf conf,`
Packit	90a5c9	`const char password, const char apache_role,`
Packit	90a5c9	`char rspbuf, apr_size_t rspbuflen)`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *fn = "req_rsp";`
Packit	90a5c9	`apr_pool_t *temp_pool;`
Packit	90a5c9	`apr_size_t orspbuflen = 0;`
Packit	90a5c9	`apr_socket_t *s;`
Packit	90a5c9	`apr_status_t rv;`
Packit	90a5c9	`apr_table_t *saved_subprocess_env =`
Packit	90a5c9	`apr_table_copy(r->pool, r->subprocess_env);`
Packit	90a5c9
Packit	90a5c9	`if (rspbuflen) {`
Packit	90a5c9	`orspbuflen = *rspbuflen;`
Packit	90a5c9	`rspbuflen = 0; / unless we actually read something */`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`apr_pool_create(&temp_pool, r->pool);`
Packit	90a5c9
Packit	90a5c9	`setupenv(r, password, apache_role);`
Packit	90a5c9
Packit	90a5c9	`rv = connect_to_peer(&s, r, conf->backend_addrs,`
Packit	90a5c9	`conf->backend, FCGI_IO_TIMEOUT);`
Packit	90a5c9	`if (rv == APR_SUCCESS) {`
Packit	90a5c9	`apr_uint16_t request_id = 1;`
Packit	90a5c9
Packit	90a5c9	`rv = send_begin_request(r, conf, s, AP_FCGI_AUTHORIZER, request_id);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,`
Packit	90a5c9	`APLOGNO(02511) "%s: Failed writing request to %s",`
Packit	90a5c9	`fn, conf->backend);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (rv == APR_SUCCESS) {`
Packit	90a5c9	`rv = send_environment(s, conf, r, request_id, temp_pool);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,`
Packit	90a5c9	`APLOGNO(02512) "%s: Failed writing environment "`
Packit	90a5c9	`"to %s", fn, conf->backend);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* The responder owns the request body, not the authorizer.`
Packit	90a5c9	`* Don't even send an empty AP_FCGI_STDIN block. libfcgi doesn't care,`
Packit	90a5c9	`* but it wasn't sent to authorizers by mod_fastcgi or mod_fcgi and`
Packit	90a5c9	`* may be unhandled by the app. Additionally, the FastCGI spec does`
Packit	90a5c9	`* not mention FCGI_STDIN in the Authorizer description, though it`
Packit	90a5c9	`* does describe FCGI_STDIN elsewhere in more general terms than`
Packit	90a5c9	`* simply a wrapper for the client's request body.`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`if (rv == APR_SUCCESS) {`
Packit	90a5c9	`if (rspbuflen) {`
Packit	90a5c9	`*rspbuflen = orspbuflen;`
Packit	90a5c9	`}`
Packit	90a5c9	`rv = handle_response(conf, r, s, temp_pool, request_id, rspbuf,`
Packit	90a5c9	`rspbuflen);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,`
Packit	90a5c9	`APLOGNO(02514) "%s: Failed handling response "`
Packit	90a5c9	`"from %s", fn, conf->backend);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`apr_socket_close(s);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`/* some sort of mechanical problem */`
Packit	90a5c9	`r->status = HTTP_INTERNAL_SERVER_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02515) "%s: Received HTTP status %d",`
Packit	90a5c9	`fn, r->status);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`r->subprocess_env = saved_subprocess_env;`
Packit	90a5c9
Packit	90a5c9	`if (r->status == HTTP_OK) {`
Packit	90a5c9	`/* An Authorizer application's 200 response may include headers`
Packit	90a5c9	`* whose names are prefixed with Variable-, and they should be`
Packit	90a5c9	`* available to subsequent phases via subprocess_env (and yanked`
Packit	90a5c9	`* from the client response).`
Packit	90a5c9	`*/`
Packit	90a5c9	`apr_table_t vars = apr_table_make(temp_pool, / not used to allocate`
Packit	90a5c9	`* any values that end up`
Packit	90a5c9	`* in r->(anything)`
Packit	90a5c9	`*/`
Packit	90a5c9	`10);`
Packit	90a5c9	`apr_table_do(mod_fcgid_modify_auth_header, vars,`
Packit	90a5c9	`r->err_headers_out, NULL);`
Packit	90a5c9	`apr_table_do(fix_auth_header, r, vars, NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`apr_pool_destroy(temp_pool);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static int fcgi_check_authn(request_rec *r)`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *fn = "fcgi_check_authn";`
Packit	90a5c9	`fcgi_dir_conf *dconf = ap_get_module_config(r->per_dir_config,`
Packit	90a5c9	`&authnz_fcgi_module);`
Packit	90a5c9	`const char *password = NULL;`
Packit	90a5c9	`const fcgi_provider_conf *conf;`
Packit	90a5c9	`const char *prov;`
Packit	90a5c9	`const char *auth_type;`
Packit	90a5c9	`char rspbuf[NON200_RESPONSE_BUF_LEN + 1]; /* extra byte for '\0' */`
Packit	90a5c9	`apr_size_t rspbuflen = sizeof rspbuf - 1;`
Packit	90a5c9	`int res;`
Packit	90a5c9
Packit	90a5c9	`prov = dconf && dconf->name ? dconf->name : NULL;`
Packit	90a5c9
Packit	90a5c9	`if (!prov \|\| !strcasecmp(prov, "None")) {`
Packit	90a5c9	`return DECLINED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`auth_type = ap_auth_type(r);`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02516) "%s, prov %s, authoritative %s, "`
Packit	90a5c9	`"require-basic %s, user expr? %s type %s",`
Packit	90a5c9	`fn, prov,`
Packit	90a5c9	`dconf->authoritative ? "yes" : "no",`
Packit	90a5c9	`dconf->require_basic_auth ? "yes" : "no",`
Packit	90a5c9	`dconf->user_expr ? "yes" : "no",`
Packit	90a5c9	`auth_type);`
Packit	90a5c9
Packit	90a5c9	`if (auth_type && !strcasecmp(auth_type, "Basic")) {`
Packit	90a5c9	`if ((res = ap_get_basic_auth_pw(r, &password))) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02517) "%s: couldn't retrieve basic auth "`
Packit	90a5c9	`"password", fn);`
Packit	90a5c9	`if (dconf->require_basic_auth) {`
Packit	90a5c9	`return res;`
Packit	90a5c9	`}`
Packit	90a5c9	`password = NULL;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`conf = apr_hash_get(fcgi_authn_providers, prov, APR_HASH_KEY_STRING);`
Packit	90a5c9	`if (!conf) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,`
Packit	90a5c9	`APLOGNO(02518) "%s: can't find config for provider %s",`
Packit	90a5c9	`fn, prov);`
Packit	90a5c9	`return HTTP_INTERNAL_SERVER_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (APLOGrdebug(r)) {`
Packit	90a5c9	`log_provider_info(conf, r);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`req_rsp(r, conf, password, AP_FCGI_APACHE_ROLE_AUTHENTICATOR_STR,`
Packit	90a5c9	`rspbuf, &rspbuflen);`
Packit	90a5c9
Packit	90a5c9	`if (r->status == HTTP_OK) {`
Packit	90a5c9	`if (dconf->user_expr) {`
Packit	90a5c9	`const char *err;`
Packit	90a5c9	`const char *user = ap_expr_str_exec(r, dconf->user_expr,`
Packit	90a5c9	`&err;;`
Packit	90a5c9	`if (user && strlen(user)) {`
Packit	90a5c9	`r->user = apr_pstrdup(r->pool, user);`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02519) "%s: Setting user to '%s'",`
Packit	90a5c9	`fn, r->user);`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (user && dconf->default_user) {`
Packit	90a5c9	`r->user = apr_pstrdup(r->pool, dconf->default_user);`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (user) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`
Packit	90a5c9	`APLOGNO(02520) "%s: Failure extracting user "`
Packit	90a5c9	`"after calling authorizer: user expression "`
Packit	90a5c9	`"yielded empty string (variable not set?)",`
Packit	90a5c9	`fn);`
Packit	90a5c9	`r->status = HTTP_INTERNAL_SERVER_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`/* unexpected error, not even an empty string was returned */`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`
Packit	90a5c9	`APLOGNO(02521) "%s: Failure extracting user "`
Packit	90a5c9	`"after calling authorizer: %s",`
Packit	90a5c9	`fn, err);`
Packit	90a5c9	`r->status = HTTP_INTERNAL_SERVER_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`if (conf->is_authz) {`
Packit	90a5c9	`/* combined authn/authz phase, so app won't be invoked for authz`
Packit	90a5c9	`*`
Packit	90a5c9	`* Remember that the request was successfully authorized by this`
Packit	90a5c9	`* provider.`
Packit	90a5c9	`*/`
Packit	90a5c9	`fcgi_request_notes rnotes = apr_palloc(r->pool, sizeof(rnotes));`
Packit	90a5c9	`rnotes->successful_authnz_provider = conf->name;`
Packit	90a5c9	`ap_set_module_config(r->request_config, &authnz_fcgi_module,`
Packit	90a5c9	`rnotes);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`/* From the spec:`
Packit	90a5c9	`* For Authorizer response status values other than "200" (OK), the`
Packit	90a5c9	`* Web server denies access and sends the response status, headers,`
Packit	90a5c9	`* and content back to the HTTP client.`
Packit	90a5c9	`* But:`
Packit	90a5c9	`* This only makes sense if this authorizer is authoritative.`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (rspbuflen > 0 && !dconf->authoritative) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,`
Packit	90a5c9	`APLOGNO(02522) "%s: Ignoring response body from non-"`
Packit	90a5c9	`"authoritative authorizer", fn);`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (rspbuflen > 0) {`
Packit	90a5c9	`if (rspbuflen == sizeof rspbuf - 1) {`
Packit	90a5c9	`/* apr_brigade_flatten() interface :( */`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,`
Packit	90a5c9	`APLOGNO(02523) "%s: possible overflow handling "`
Packit	90a5c9	`"response body", fn);`
Packit	90a5c9	`}`
Packit	90a5c9	`rspbuf[rspbuflen] = '\0'; /* we reserved an extra byte for '\0' */`
Packit	90a5c9	`ap_custom_response(r, r->status, rspbuf); /* API makes a copy */`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return r->status == HTTP_OK ?`
Packit	90a5c9	`OK : dconf->authoritative ? r->status : DECLINED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static authn_status fcgi_check_password(request_rec r, const char user,`
Packit	90a5c9	`const char *password)`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *fn = "fcgi_check_password";`
Packit	90a5c9	`const char *prov = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);`
Packit	90a5c9	`const fcgi_provider_conf *conf;`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02524) "%s(%s, XXX): provider %s",`
Packit	90a5c9	`fn, user, prov);`
Packit	90a5c9
Packit	90a5c9	`if (!prov) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,`
Packit	90a5c9	`APLOGNO(02525) "%s: provider note isn't set", fn);`
Packit	90a5c9	`return AUTH_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`conf = apr_hash_get(fcgi_authn_providers, prov, APR_HASH_KEY_STRING);`
Packit	90a5c9	`if (!conf) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,`
Packit	90a5c9	`APLOGNO(02526) "%s: can't find config for provider %s",`
Packit	90a5c9	`fn, prov);`
Packit	90a5c9	`return AUTH_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (APLOGrdebug(r)) {`
Packit	90a5c9	`log_provider_info(conf, r);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`req_rsp(r, conf, password,`
Packit	90a5c9	`/* combined authn and authz: FCGI_APACHE_ROLE not set */`
Packit	90a5c9	`conf->is_authz ? NULL : AP_FCGI_APACHE_ROLE_AUTHENTICATOR_STR,`
Packit	90a5c9	`NULL, NULL);`
Packit	90a5c9
Packit	90a5c9	`if (r->status == HTTP_OK) {`
Packit	90a5c9	`if (conf->is_authz) {`
Packit	90a5c9	`/* combined authn/authz phase, so app won't be invoked for authz`
Packit	90a5c9	`*`
Packit	90a5c9	`* Remember that the request was successfully authorized by this`
Packit	90a5c9	`* provider.`
Packit	90a5c9	`*/`
Packit	90a5c9	`fcgi_request_notes rnotes = apr_palloc(r->pool, sizeof(rnotes));`
Packit	90a5c9	`rnotes->successful_authnz_provider = conf->name;`
Packit	90a5c9	`ap_set_module_config(r->request_config, &authnz_fcgi_module,`
Packit	90a5c9	`rnotes);`
Packit	90a5c9	`}`
Packit	90a5c9	`return AUTH_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (r->status == HTTP_INTERNAL_SERVER_ERROR) {`
Packit	90a5c9	`return AUTH_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`return AUTH_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const authn_provider fcgi_authn_provider = {`
Packit	90a5c9	`&fcgi_check_password,`
Packit	90a5c9	`NULL /* get-realm-hash not supported */`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static authz_status fcgi_authz_check(request_rec *r,`
Packit	90a5c9	`const char *require_line,`
Packit	90a5c9	`const void *parsed_require_line)`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *fn = "fcgi_authz_check";`
Packit	90a5c9	`const char *prov = apr_table_get(r->notes, AUTHZ_PROVIDER_NAME_NOTE);`
Packit	90a5c9	`const fcgi_provider_conf *conf;`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,`
Packit	90a5c9	`APLOGNO(02527) "%s(%s)", fn, require_line);`
Packit	90a5c9
Packit	90a5c9	`if (!prov) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,`
Packit	90a5c9	`APLOGNO(02528) "%s: provider note isn't set", fn);`
Packit	90a5c9	`return AUTHZ_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`conf = apr_hash_get(fcgi_authz_providers, prov, APR_HASH_KEY_STRING);`
Packit	90a5c9	`if (!conf) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,`
Packit	90a5c9	`APLOGNO(02529) "%s: can't find config for provider %s",`
Packit	90a5c9	`fn, prov);`
Packit	90a5c9	`return AUTHZ_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (APLOGrdebug(r)) {`
Packit	90a5c9	`log_provider_info(conf, r);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (!r->user) {`
Packit	90a5c9	`return AUTHZ_DENIED_NO_USER;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (conf->is_authn) {`
Packit	90a5c9	`/* combined authn/authz phase, so app won't be invoked for authz`
Packit	90a5c9	`*`
Packit	90a5c9	`* If the provider already successfully authorized this request,`
Packit	90a5c9	`* success.`
Packit	90a5c9	`*/`
Packit	90a5c9	`fcgi_request_notes *rnotes = ap_get_module_config(r->request_config,`
Packit	90a5c9	`&authnz_fcgi_module);`
Packit	90a5c9	`if (rnotes`
Packit	90a5c9	`&& rnotes->successful_authnz_provider`
Packit	90a5c9	`&& !strcmp(rnotes->successful_authnz_provider, conf->name)) {`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`req_rsp(r, conf, NULL, AP_FCGI_APACHE_ROLE_AUTHORIZER_STR, NULL, NULL);`
Packit	90a5c9
Packit	90a5c9	`if (r->status == HTTP_OK) {`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (r->status == HTTP_INTERNAL_SERVER_ERROR) {`
Packit	90a5c9	`return AUTHZ_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char fcgi_authz_parse(cmd_parms cmd, const char *require_line,`
Packit	90a5c9	`const void **parsed_require_line)`
Packit	90a5c9	`{`
Packit	90a5c9	`/* Allowed form: Require [not] registered-provider-name<EOS>`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (strcmp(require_line, "")) {`
Packit	90a5c9	`return "mod_authnz_fcgi doesn't support restrictions on providers "`
Packit	90a5c9	`"(i.e., multiple require args)";`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const authz_provider fcgi_authz_provider = {`
Packit	90a5c9	`&fcgi_authz_check,`
Packit	90a5c9	`&fcgi_authz_parse,`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static const char fcgi_check_authn_provider(cmd_parms cmd,`
Packit	90a5c9	`void *d,`
Packit	90a5c9	`int argc,`
Packit	90a5c9	`char *const argv[])`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *dname = "AuthnzFcgiCheckAuthnProvider";`
Packit	90a5c9	`fcgi_dir_conf *dc = d;`
Packit	90a5c9	`int ca = 0;`
Packit	90a5c9
Packit	90a5c9	`if (ca >= argc) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool, dname, ": No provider given", NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`dc->name = argv[ca];`
Packit	90a5c9	`ca++;`
Packit	90a5c9
Packit	90a5c9	`if (!strcasecmp(dc->name, "None")) {`
Packit	90a5c9	`if (ca < argc) {`
Packit	90a5c9	`return "Options aren't supported with \"None\"";`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`while (ca < argc) {`
Packit	90a5c9	`const char var = argv[ca], val;`
Packit	90a5c9	`int badarg = 0;`
Packit	90a5c9
Packit	90a5c9	`ca++;`
Packit	90a5c9
Packit	90a5c9	`/* at present, everything needs an argument */`
Packit	90a5c9	`if (ca >= argc) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool, dname, ": ", var,`
Packit	90a5c9	`"needs an argument", NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`val = argv[ca];`
Packit	90a5c9	`ca++;`
Packit	90a5c9
Packit	90a5c9	`if (!strcasecmp(var, "Authoritative")) {`
Packit	90a5c9	`if (!strcasecmp(val, "On")) {`
Packit	90a5c9	`dc->authoritative = 1;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (!strcasecmp(val, "Off")) {`
Packit	90a5c9	`dc->authoritative = 0;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`badarg = 1;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (!strcasecmp(var, "DefaultUser")) {`
Packit	90a5c9	`dc->default_user = val;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (!strcasecmp(var, "RequireBasicAuth")) {`
Packit	90a5c9	`if (!strcasecmp(val, "On")) {`
Packit	90a5c9	`dc->require_basic_auth = 1;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (!strcasecmp(val, "Off")) {`
Packit	90a5c9	`dc->require_basic_auth = 0;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`badarg = 1;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (!strcasecmp(var, "UserExpr")) {`
Packit	90a5c9	`const char *err;`
Packit	90a5c9	`int flags = AP_EXPR_FLAG_DONT_VARY \| AP_EXPR_FLAG_RESTRICTED`
Packit	90a5c9	`\| AP_EXPR_FLAG_STRING_RESULT;`
Packit	90a5c9
Packit	90a5c9	`dc->user_expr = ap_expr_parse_cmd(cmd, val,`
Packit	90a5c9	`flags, &err, NULL);`
Packit	90a5c9	`if (err) {`
Packit	90a5c9	`return apr_psprintf(cmd->pool, "%s: Error parsing '%s': '%s'",`
Packit	90a5c9	`dname, val, err);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool, dname, ": Unexpected option '",`
Packit	90a5c9	`var, "'", NULL);`
Packit	90a5c9	`}`
Packit	90a5c9	`if (badarg) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool, dname, ": Bad argument '",`
Packit	90a5c9	`val, "' to option '", var, "'", NULL);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* AuthnzFcgiAuthDefineProvider {authn\|authz\|authnz} provider-name \`
Packit	90a5c9	`* fcgi://backendhost:backendport/`
Packit	90a5c9	`*/`
Packit	90a5c9	`static const char fcgi_define_provider(cmd_parms cmd,`
Packit	90a5c9	`void *d,`
Packit	90a5c9	`int argc,`
Packit	90a5c9	`char *const argv[])`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *dname = "AuthnzFcgiDefineProvider";`
Packit	90a5c9	`ap_rxplus_t *fcgi_backend_regex;`
Packit	90a5c9	`apr_status_t rv;`
Packit	90a5c9	`char *host;`
Packit	90a5c9	`const char err, stype;`
Packit	90a5c9	`fcgi_provider_conf conf = apr_pcalloc(cmd->pool, sizeof(conf));`
Packit	90a5c9	`int ca = 0, rc, port;`
Packit	90a5c9
Packit	90a5c9	`fcgi_backend_regex = ap_rxplus_compile(cmd->pool, FCGI_BACKEND_REGEX_STR);`
Packit	90a5c9	`if (!fcgi_backend_regex) {`
Packit	90a5c9	`return apr_psprintf(cmd->pool,`
Packit	90a5c9	`"%s: failed to compile regexec '%s'",`
Packit	90a5c9	`dname, FCGI_BACKEND_REGEX_STR);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`err = ap_check_cmd_context(cmd, GLOBAL_ONLY);`
Packit	90a5c9	`if (err)`
Packit	90a5c9	`return err;`
Packit	90a5c9
Packit	90a5c9	`if (ca >= argc) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool, dname, ": No type given", NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`stype = argv[ca];`
Packit	90a5c9	`ca++;`
Packit	90a5c9
Packit	90a5c9	`if (!strcasecmp(stype, "authn")) {`
Packit	90a5c9	`conf->is_authn = 1;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (!strcasecmp(stype, "authz")) {`
Packit	90a5c9	`conf->is_authz = 1;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (!strcasecmp(stype, "authnz")) {`
Packit	90a5c9	`conf->is_authn = conf->is_authz = 1;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool,`
Packit	90a5c9	`dname,`
Packit	90a5c9	`": Invalid provider type ",`
Packit	90a5c9	`stype,`
Packit	90a5c9	`NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (ca >= argc) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool, dname, ": No provider name given", NULL);`
Packit	90a5c9	`}`
Packit	90a5c9	`conf->name = argv[ca];`
Packit	90a5c9	`ca++;`
Packit	90a5c9
Packit	90a5c9	`if (ca >= argc) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool, dname, ": No backend-address given",`
Packit	90a5c9	`NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`rc = ap_rxplus_exec(cmd->pool, fcgi_backend_regex, argv[ca], NULL);`
Packit	90a5c9	`if (!rc \|\| ap_rxplus_nmatch(fcgi_backend_regex) != 3) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool,`
Packit	90a5c9	`dname, ": backend-address '",`
Packit	90a5c9	`argv[ca],`
Packit	90a5c9	`"' has invalid form",`
Packit	90a5c9	`NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`host = ap_rxplus_pmatch(cmd->pool, fcgi_backend_regex, 1);`
Packit	90a5c9	`if (host[0] == '[' && host[strlen(host) - 1] == ']') {`
Packit	90a5c9	`host += 1;`
Packit	90a5c9	`host[strlen(host) - 1] = '\0';`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`port = atoi(ap_rxplus_pmatch(cmd->pool, fcgi_backend_regex, 2));`
Packit	90a5c9	`if (port > 65535) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool,`
Packit	90a5c9	`dname, ": backend-address '",`
Packit	90a5c9	`argv[ca],`
Packit	90a5c9	`"' has invalid port",`
Packit	90a5c9	`NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`conf->backend = argv[ca];`
Packit	90a5c9	`conf->host = host;`
Packit	90a5c9	`conf->port = port;`
Packit	90a5c9	`ca++;`
Packit	90a5c9
Packit	90a5c9	`rv = apr_sockaddr_info_get(&conf->backend_addrs, conf->host,`
Packit	90a5c9	`APR_UNSPEC, conf->port, 0, cmd->pool);`
Packit	90a5c9	`if (rv != APR_SUCCESS) {`
Packit	90a5c9	`ap_log_error(APLOG_MARK, APLOG_STARTUP\|APLOG_CRIT, rv, NULL,`
Packit	90a5c9	`APLOGNO(02530) "Address %s could not be resolved",`
Packit	90a5c9	`conf->backend);`
Packit	90a5c9	`return apr_pstrcat(cmd->pool,`
Packit	90a5c9	`dname,`
Packit	90a5c9	`": Error resolving backend address",`
Packit	90a5c9	`NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (ca != argc) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool,`
Packit	90a5c9	`dname,`
Packit	90a5c9	`": Unexpected parameter ",`
Packit	90a5c9	`argv[ca],`
Packit	90a5c9	`NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (conf->is_authn) {`
Packit	90a5c9	`apr_hash_set(fcgi_authn_providers, conf->name, APR_HASH_KEY_STRING,`
Packit	90a5c9	`conf);`
Packit	90a5c9	`ap_register_auth_provider(cmd->pool, AUTHN_PROVIDER_GROUP,`
Packit	90a5c9	`conf->name,`
Packit	90a5c9	`AUTHN_PROVIDER_VERSION,`
Packit	90a5c9	`&fcgi_authn_provider,`
Packit	90a5c9	`AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (conf->is_authz) {`
Packit	90a5c9	`apr_hash_set(fcgi_authz_providers, conf->name, APR_HASH_KEY_STRING,`
Packit	90a5c9	`conf);`
Packit	90a5c9	`ap_register_auth_provider(cmd->pool, AUTHZ_PROVIDER_GROUP,`
Packit	90a5c9	`conf->name,`
Packit	90a5c9	`AUTHZ_PROVIDER_VERSION,`
Packit	90a5c9	`&fcgi_authz_provider,`
Packit	90a5c9	`AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const command_rec fcgi_cmds[] = {`
Packit	90a5c9	`AP_INIT_TAKE_ARGV("AuthnzFcgiDefineProvider",`
Packit	90a5c9	`fcgi_define_provider,`
Packit	90a5c9	`NULL,`
Packit	90a5c9	`RSRC_CONF,`
Packit	90a5c9	`"Define a FastCGI authn and/or authz provider"),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE_ARGV("AuthnzFcgiCheckAuthnProvider",`
Packit	90a5c9	`fcgi_check_authn_provider,`
Packit	90a5c9	`NULL,`
Packit	90a5c9	`OR_FILEINFO,`
Packit	90a5c9	`"Enable/disable a FastCGI authorizer to handle "`
Packit	90a5c9	`"check_authn phase"),`
Packit	90a5c9
Packit	90a5c9	`{NULL}`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static int fcgi_pre_config(apr_pool_t pconf, apr_pool_t plog,`
Packit	90a5c9	`apr_pool_t *ptemp)`
Packit	90a5c9	`{`
Packit	90a5c9	`fcgi_authn_providers = apr_hash_make(pconf);`
Packit	90a5c9	`fcgi_authz_providers = apr_hash_make(pconf);`
Packit	90a5c9
Packit	90a5c9	`return OK;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static void fcgi_register_hooks(apr_pool_t *p)`
Packit	90a5c9	`{`
Packit	90a5c9	`static const char * const auth_basic_runs_after_me[] =`
Packit	90a5c9	`{"mod_auth_basic.c", NULL}; /* to allow for custom response */`
Packit	90a5c9
Packit	90a5c9	`ap_hook_pre_config(fcgi_pre_config, NULL, NULL, APR_HOOK_MIDDLE);`
Packit	90a5c9	`ap_hook_check_authn(fcgi_check_authn, NULL, auth_basic_runs_after_me,`
Packit	90a5c9	`APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static void create_dir_conf(apr_pool_t p, char *dummy)`
Packit	90a5c9	`{`
Packit	90a5c9	`fcgi_dir_conf *dconf = apr_pcalloc(p, sizeof(fcgi_dir_conf));`
Packit	90a5c9
Packit	90a5c9	`dconf->authoritative = 1;`
Packit	90a5c9	`return dconf;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static void merge_dir_conf(apr_pool_t p, void basev, void overridesv)`
Packit	90a5c9	`{`
Packit	90a5c9	`fcgi_dir_conf a = (fcgi_dir_conf )apr_pcalloc(p, sizeof(*a));`
Packit	90a5c9	`fcgi_dir_conf base = (fcgi_dir_conf )basev,`
Packit	90a5c9	`over = (fcgi_dir_conf )overridesv;`
Packit	90a5c9
Packit	90a5c9	`/* currently we just have a single directive applicable to a`
Packit	90a5c9	`* directory, so if it is set then grab all fields from fcgi_dir_conf`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (over->name) {`
Packit	90a5c9	`memcpy(a, over, sizeof(*a));`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`memcpy(a, base, sizeof(*a));`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return a;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`AP_DECLARE_MODULE(authnz_fcgi) =`
Packit	90a5c9	`{`
Packit	90a5c9	`STANDARD20_MODULE_STUFF,`
Packit	90a5c9	`create_dir_conf, /* dir config creater */`
Packit	90a5c9	`merge_dir_conf, /* dir merger */`
Packit	90a5c9	`NULL, /* server config */`
Packit	90a5c9	`NULL, /* merge server config */`
Packit	90a5c9	`fcgi_cmds, /* command apr_table_t */`
Packit	90a5c9	`fcgi_register_hooks /* register hooks */`
Packit	90a5c9	`};`

source-git / httpd

Source Code

Blame modules/aaa/mod_authnz_fcgi.c