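/**
	parse_cstring
	Provided a place to put the cookie list, a maximum number of cookies to
	extract, and a string with the values in it, parse_cstring() looks for
	each "Set-Cookie: " header in the string and hands the text that follows
	it to extract_cookie(), filling at most cmax slots of the array.

	clist    array that receives the parsed cookies
	cmax     number of slots available in clist
	cstring  NUL-terminated text to scan; it is only read here

	Returns the cookie counter n as it stands when the scan stops, or 0 when
	clist or cstring is NULL.

	Only v1 of the cookie standard is handled.
*/
int parse_cstring(cookie clist[], int cmax,  char * const cstring)
{
	/* sizeof counts the terminating NUL, so the prefix length is one less. */
	static const char prefix[] = "Set-Cookie: ";
	const size_t prefix_len = sizeof prefix - 1;
	int	n;
	char	*current = cstring;

	/* strstr() on a NULL pointer is undefined behaviour; treat it as "no cookies". */
	if (clist == NULL || cstring == NULL)
		return 0;

	for (n = 0; n < cmax; n++) {
		current = strstr(current, prefix);
		if (current == NULL)
			break;
		/*
		 * Step over exactly the matched prefix (12 bytes).  The former
		 * hard-coded 13 skipped the first byte of the cookie text and, when
		 * the input ended right after the prefix, moved the pointer past the
		 * terminating NUL so the next read was out of bounds.
		 */
		current += prefix_len;
		/*
		 * NOTE(review): n is advanced here by extract_cookie()'s return
		 * value and again by the loop's n++.  Whether that is right depends
		 * on what extract_cookie() returns, which is not visible here; if it
		 * returns 1 per parsed cookie, every second slot of clist is skipped
		 * and the returned count is doubled.  Confirm against its definition.
		 */
		n += extract_cookie(&clist[n], current);
	}

	return n;
}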
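/**************************************************
 * authentication phase:
 * verify that the session cookie is set and that it is known to the
 * memcache server
 *
 * r: the request being checked.
 *
 * Returns DECLINED when the module is not authoritative for this location,
 * HTTP_UNAUTHORIZED when the configuration is incomplete, no session is
 * found for the cookie or the IP check fails, and OK once the session
 * values have been exported to the request.
 **************************************************/
static int Auth_memCookie_check_cookie(request_rec *r)
{
    strAuth_memCookie_config_rec *conf = NULL;
    char *szCookieValue = NULL;
    apr_table_t *pAuthSession = NULL;
    char *szRemoteIP = NULL;
    const char *szAuthType = NULL;
    const char *szSessionIP = NULL;

    ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG  "ap_hook_check_user_id in");

    /* get apache config */
    conf = ap_get_module_config(r->per_dir_config, &mod_auth_memcookie_module);

    ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG  "check MatchIP_Mode:%d",conf->nAuth_memCookie_MatchIP_Mode);

    /*
     * Pick the value the session's RemoteIP is compared with, depending on
     * conf->nAuth_memCookie_MatchIP_Mode: 2 -> "Via" header, 1 ->
     * "X-Forwarded-For" header, otherwise (or header absent) the address of
     * the connection.
     * Via and X-Forwarded-For are request headers: unless a trusted front-end
     * proxy overwrites them, the client chooses their value, so in modes 1
     * and 2 the IP match below is only as strong as that proxy setup.  The
     * whole header value is used as is, not a parsed address.
     */
    if (conf->nAuth_memCookie_MatchIP_Mode == 2 && apr_table_get(r->headers_in, "Via") != NULL)
        szRemoteIP = apr_pstrdup(r->pool, apr_table_get(r->headers_in, "Via"));
    else if (conf->nAuth_memCookie_MatchIP_Mode == 1 && apr_table_get(r->headers_in, "X-Forwarded-For") != NULL)
        szRemoteIP = apr_pstrdup(r->pool, apr_table_get(r->headers_in, "X-Forwarded-For"));
    else
        szRemoteIP = apr_pstrdup(r->pool, r->connection->client_ip);

    if (!conf->nAuth_memCookie_Authoritative)
        return DECLINED;

    szAuthType = ap_auth_type(r);
    ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG  "AuthType is '%s'", szAuthType);

    /*
     * A location without an AuthType yields NULL here; reject it instead of
     * handing NULL to strncmp().  Only the first 6 characters are compared,
     * so any AuthType that starts with "Cookie" is accepted.
     */
    if (szAuthType == NULL || strncmp("Cookie", szAuthType, 6) != 0) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ERRTAG "Auth type not specified as 'Cookie'");
        return HTTP_UNAUTHORIZED;
    }

    if (!conf->szAuth_memCookie_CookieName) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ERRTAG "No Auth_memCookie_CookieName specified");
        return HTTP_UNAUTHORIZED;
    }

    if (!conf->szAuth_memCookie_memCached_addr) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ERRTAG "No Auth_memCookie_Memcached_AddrPort specified");
        return HTTP_UNAUTHORIZED;
    }
    ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG  "Memcached server(s) adresse(s) are %s",conf->szAuth_memCookie_memCached_addr);

    /* extract session cookie from headers */
    szCookieValue = extract_cookie(r, conf->szAuth_memCookie_CookieName);

    /* if we have a cookie, get session from memcache */
    if (szCookieValue) {
        /*
         * NOTE(review): the two messages below write the session cookie
         * value to the error log.  Anyone who can read the log at these
         * levels sees the session identifier; consider logging a shortened
         * or hashed form instead.
         */
        ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG  "got cookie; value is %s", szCookieValue);
        if((pAuthSession = Auth_memCookie_get_session(r, conf, szCookieValue)) == NULL) {
            ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, ERRTAG "AuthSession %s not found: %s", szCookieValue, r->filename);
        }
    } else {
        ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, ERRTAG "cookie not found! not authorized! RemoteIP:%s", szRemoteIP);
    }

    /*
     * unset headers sent by the client that are supposed to be set by us;
     * this runs before any return below so that a client-supplied copy is
     * removed whether or not a session was found
     */
    if (conf->szAuth_memCookie_SessionHeaders) {
        /* strtok_r() writes into its input, so tokenize a pool copy */
        char *headers = apr_pstrdup(r->pool, conf->szAuth_memCookie_SessionHeaders);
        char *key, *keypos = 0;
        for(key = strtok_r(headers, ", ", &keypos); key; key = strtok_r(NULL, ", ", &keypos))
            apr_table_unset(r->headers_in, key);
    }

    /* still no session? goodbye */
    if (!pAuthSession)
        return HTTP_UNAUTHORIZED;

    /* check remote ip if option is enabled */
    szSessionIP = apr_table_get(pAuthSession,"RemoteIP");
    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, ERRTAG "check ip: remote_ip=%s cookie_ip=%s", szRemoteIP ,szSessionIP);
    if (conf->nAuth_memCookie_MatchIP_Mode != 0) {
        /*
         * Fail closed: a session that carries no RemoteIP entry cannot pass
         * the IP check, and NULL must never reach strcmp().
         */
        if (szSessionIP == NULL || strcmp(szRemoteIP, szSessionIP) != 0) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ERRTAG "unauthorized, by ip. user:%s remote_ip:%s != cookie_ip:%s", apr_table_get(pAuthSession,"UserName"),szRemoteIP ,szSessionIP);
            return HTTP_UNAUTHORIZED;
        }
    }

    /* set env var X_ to the information session value */
    apr_table_do(Auth_memCookie_DoSetEnv, r, pAuthSession, NULL);

    /* set REMOTE_USER var for scripts language */
    apr_table_setn(r->subprocess_env, "REMOTE_USER", apr_table_get(pAuthSession,"UserName"));

    /* set in http header the session value */
    if (conf->nAuth_memCookie_SetSessionHTTPHeader)
        apr_table_do(Auth_memCookie_DoSetHeader, r, pAuthSession, NULL);

    /* log authorisation ok */
    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, ERRTAG "authentication ok");

    /*
     * fix http header for php
     * NOTE(review): this hands the session's "Password" entry to
     * fix_headers_in(), whose body is not visible here; confirm what it
     * forwards to the backend and that a missing entry (NULL) is handled.
     */
    if (conf->nAuth_memCookie_authbasicfix)
        fix_headers_in(r, apr_table_get(pAuthSession, "Password"));

    /* do we add the X-Remote-User header? */
    if (conf->nAuth_memCookie_Add_Remote_User_Header) {
        /*
         * Drop whatever the client sent first, then set our own value, so a
         * request-supplied X-Remote-User never survives when r->user is
         * unset.
         * NOTE(review): r->user is not assigned anywhere in this function;
         * confirm that one of the helpers called above sets it.  When this
         * option is off, a client-supplied X-Remote-User is removed only if
         * it is listed in the SessionHeaders setting.
         */
        apr_table_unset(r->headers_in, "X-Remote-User");
        if (r->user != NULL)
            apr_table_set(r->headers_in, "X-Remote-User", r->user);
    }

    /* if all is ok return auth ok */
    return OK;
}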