author | Bradley Nicholes <bnicholes@apache.org> | 2005-12-08 05:36:14 +0000 |
---|---|---|
committer | Bradley Nicholes <bnicholes@apache.org> | 2005-12-08 05:36:14 +0000 |
commit | 584fb10cdb5fa46c597165bb7159cababa8f436a (patch) | |
tree | 12af0e82fe5c546f8372cb0e81bde2f2365f108c | |
parent | 909cc96e2fec751fcc05c5ef350e954dc10e7e6e (diff) | |
download | httpd-584fb10cdb5fa46c597165bb7159cababa8f436a.tar.gz |
Initial conversion of mod_authz_groupfile to be provider based
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/authz-dev@354998 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | modules/aaa/mod_authz_groupfile.c | 122 |
1 files changed, 120 insertions, 2 deletions
diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c index 77a63b9644..a1fd210f10 100644 --- a/modules/aaa/mod_authz_groupfile.c +++ b/modules/aaa/mod_authz_groupfile.c @@ -47,6 +47,7 @@ #include "apr_lib.h" /* apr_isspace */ #include "ap_config.h" +#include "ap_provider.h" #include "httpd.h" #include "http_config.h" #include "http_core.h" @@ -61,6 +62,8 @@ typedef struct { int authoritative; } authz_groupfile_config_rec; +APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r)); + static void *create_authz_groupfile_dir_config(apr_pool_t *p, char *d) { authz_groupfile_config_rec *conf = apr_palloc(p, sizeof(*conf)); @@ -145,6 +148,7 @@ static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile, return APR_SUCCESS; } +#if 0 /* Checking ID */ static int check_user_access(request_rec *r) 
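Review bot: The `#if 0` added at the end of the third hunk disables check_user_access instead of deleting it, and since the matching ap_hook_auth_checker registration is removed further down in this commit nothing references that function any more, so it becomes a second, unmaintained copy of the group-lookup logic sitting next to the new providers. The body of check_user_access and the closing `#endif` lie outside this hunk. Dead code guarded by `#if 0` is the kind of thing that silently drifts from the live implementation; remove it, or if it is being kept on purpose as a reference during the conversion, say so on the directive: `#if 0 /* legacy auth_checker path, superseded by the authz providers below; remove before merge */`.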
@@ -264,12 +268,126 @@ static int check_user_access(request_rec *r) ap_note_auth_failure(r); return HTTP_UNAUTHORIZED; } +#endif + +static authz_status group_check_authorization(request_rec *r, + const char *require_args) +{ + authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, + &authz_groupfile_module); + char *user = r->user; + const char *t, *w; + apr_table_t *grpstatus = NULL; + apr_status_t status; + + status = groups_for_user(r->pool, user, conf->groupfile, + &grpstatus); + + if (status != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Could not open group file: %s", + conf->groupfile); + return AUTHZ_DENIED; + } + + if (apr_table_elts(grpstatus)->nelts == 0) { + /* no groups available, so exit immediately */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user doesn't appear in group file (%s).", + r->user, r->uri, conf->groupfile); + return AUTHZ_DENIED; + } + + t = require_args; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + if (apr_table_get(grpstatus, w)) { + return AUTHZ_GRANTED; + } + } + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user is not part of the 'require'ed group(s).", + r->user, r->uri); + + return AUTHZ_DENIED; +} + +APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; + +static authz_status filegroup_check_authorization(request_rec *r, + const char *require_args) +{ + const char *filegroup = NULL; + + + authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config, + &authz_groupfile_module); + char *user = r->user; + apr_table_t *grpstatus = NULL; + apr_status_t status; + + status = groups_for_user(r->pool, user, conf->groupfile, + &grpstatus); + + if (status != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, + "Could not open group file: %s", + conf->groupfile); + return AUTHZ_DENIED; + } + + if 
(apr_table_elts(grpstatus)->nelts == 0) { + /* no groups available, so exit immediately */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user doesn't appear in group file (%s).", + r->user, r->uri, conf->groupfile); + return AUTHZ_DENIED; + } + + filegroup = authz_owner_get_file_group(r); + + if (filegroup) { + if (apr_table_get(grpstatus, filegroup)) { + return AUTHZ_GRANTED; + } + } + else { + /* No need to emit a error log entry because the call + to authz_owner_get_file_group already did it + for us. + */ + return AUTHZ_DENIED; + } + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed, reason: " + "user is not part of the 'require'ed file group.", + r->user, r->uri); + + return AUTHZ_DENIED; +} + +static const authz_provider authz_group_provider = +{ + &group_check_authorization, +}; + +static const authz_provider authz_filegroup_provider = +{ + &filegroup_check_authorization, +}; static void register_hooks(apr_pool_t *p) { - static const char * const aszPre[]={ "mod_authz_owner.c", NULL }; + authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group); - ap_hook_auth_checker(check_user_access, aszPre, NULL, APR_HOOK_MIDDLE); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "group", "0", + &authz_group_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "file-group", "0", + &authz_filegroup_provider); } module AP_MODULE_DECLARE_DATA authz_groupfile_module = |
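Review bot: filegroup_check_authorization calls `authz_owner_get_file_group(r)` without checking that the pointer was ever resolved, yet it is filled by APR_RETRIEVE_OPTIONAL_FN inside register_hooks, which yields NULL when mod_authz_owner is not loaded or simply has not run its own register_hooks yet (the removed `aszPre` ordering hint no longer forces mod_authz_owner to go first), so a request hitting `Require file-group` would jump through a NULL function pointer. Resolve the optional function from an ap_hook_optional_fn_retrieve callback, which runs after every module has registered, and have the provider deny with a log entry when it is still NULL, as sketched below. Both providers also hand `r->user` straight to groups_for_user; if a provider can be invoked for a request that carries no authenticated user that is a NULL user pointer, so a `if (!user) { return AUTHZ_DENIED; }` guard before the lookup seems prudent, though whether groups_for_user tolerates NULL is not visible from this hunk. The file-scope `authz_owner_get_file_group` pointer can also be `static`, since nothing outside this file needs it.
```c
static APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;

static authz_status filegroup_check_authorization(request_rec *r,
                                                  const char *require_args)
{
    const char *filegroup = NULL;
    /* … unchanged: conf lookup, groups_for_user call, empty-group check … */

    if (!authz_owner_get_file_group) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "'Require file-group' needs mod_authz_owner, "
                      "which is not loaded");
        return AUTHZ_DENIED;
    }

    filegroup = authz_owner_get_file_group(r);
    /* … unchanged: file-group membership check and denial … */
}

/* Runs after every module's register_hooks, so the optional function is
 * found regardless of LoadModule order. */
static void authz_groupfile_getfns(void)
{
    authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_optional_fn_retrieve(authz_groupfile_getfns, NULL, NULL, APR_HOOK_MIDDLE);
    /* … unchanged: ap_register_provider calls for "group" and "file-group" … */
}
```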