static int authenticate_basic_user(request_rec *r)
{
auth_config_rec *sec =
(auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_module);
conn_rec *c = r->connection;
const char *sent_pw;
char *real_pw;
char *invalid_pw;
int res;
if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
return res;
if (!sec->auth_pwfile)
return DECLINED;
if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) {
if (!(sec->auth_authoritative))
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"user %s not found: %s", c->user, r->uri);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
invalid_pw = ap_validate_password(sent_pw, real_pw);
if (invalid_pw != NULL) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"user %s: authentication failure for \"%s\": %s",
c->user, r->uri, invalid_pw);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
return OK;
}
static int anon_authenticate_basic_user(request_rec *r)
{
anon_auth_config_rec *sec =
(anon_auth_config_rec *) ap_get_module_config(r->per_dir_config,
&anon_auth_module);
conn_rec *c = r->connection;
const char *sent_pw;
int res = DECLINED;
if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
return res;
/* Ignore if we are not configured */
if (!sec->auth_anon_passwords)
return DECLINED;
/* Do we allow an empty userID and/or is it the magic one
*/
if ((!(c->user[0])) && (sec->auth_anon_nouserid)) {
res = OK;
}
else {
auth_anon *p = sec->auth_anon_passwords;
res = DECLINED;
while ((res == DECLINED) && (p != NULL)) {
if (!(strcasecmp(c->user, p->password)))
res = OK;
p = p->next;
}
}
if (
/* username is OK */
(res == OK)
/* password been filled out ? */
&& ((!sec->auth_anon_mustemail) || strlen(sent_pw))
/* does the password look like an email address ? */
&& ((!sec->auth_anon_verifyemail)
|| ((strpbrk("@", sent_pw) != NULL)
&& (strpbrk(".", sent_pw) != NULL)))) {
if (sec->auth_anon_logemail && ap_is_initial_req(r)) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
"Anonymous: Passwd <%s> Accepted",
sent_pw ? sent_pw : "\'none\'");
}
return OK;
}
else {
if (sec->auth_anon_authoritative) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"Anonymous: Authoritative, Passwd <%s> not accepted",
sent_pw ? sent_pw : "\'none\'");
return AUTH_REQUIRED;
}
/* Drop out the bottom to return DECLINED */
}
return DECLINED;
}
static PyObject * req_get_basic_auth_pw(requestobject *self, PyObject *args)
{
const char *pw;
request_rec *req;
req = self->request_rec;
if (! ap_get_basic_auth_pw(req, &pw))
return PyString_FromString(pw);
else {
Py_INCREF(Py_None);
return Py_None;
}
}
CAMLprim value
netcgi2_apache_request_get_basic_auth_pw (value rv)
{
CAMLparam1 (rv);
CAMLlocal1 (c);
request_rec *r = Request_rec_val (rv);
const char *pw = 0;
int i = ap_get_basic_auth_pw (r, &pw); /* no need to free(pw) */
/* Return [i] as the first component of a couple so we can deal with
* the possible errors on the Caml side. */
if (i == DECLINED) pw = NULL; /* FIXME */
c = alloc_tuple (2);
Store_field(c, 0, Val_int(i));
Store_field(c, 1, Val_optstring(pw));
CAMLreturn (c);
}
static int dbm_authenticate_basic_user(request_rec *r)
{
dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_dbm_module);
const char *sent_pw;
char *real_pw, *colon_pw;
apr_status_t invalid_pw;
int res;
if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
return res;
if (!conf->auth_dbmpwfile)
return DECLINED;
if (!(real_pw = get_dbm_pw(r, r->user, conf->auth_dbmpwfile,
conf->auth_dbmtype))) {
if (!(conf->auth_dbmauthoritative))
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"DBM user %s not found: %s", r->user, r->filename);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
/* Password is up to first : if exists */
colon_pw = strchr(real_pw, ':');
if (colon_pw) {
*colon_pw = '\0';
}
invalid_pw = apr_password_validate(sent_pw, real_pw);
if (invalid_pw != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"DBM user %s: authentication failure for \"%s\": "
"Password Mismatch",
r->user, r->uri);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
return OK;
}
static int authenticate_basic_user(request_rec *r)
{
auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_module);
const char *sent_pw;
char *real_pw;
apr_status_t invalid_pw;
int res;
if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
return res;
}
if (!conf->auth_pwfile) {
return DECLINED;
}
if (!(real_pw = get_pw(r, r->user, conf->auth_pwfile))) {
if (!(conf->auth_authoritative)) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"user %s not found: %s", r->user, r->uri);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
invalid_pw = apr_password_validate(sent_pw, real_pw);
if (invalid_pw != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"user %s: authentication failure for \"%s\": "
"Password Mismatch",
r->user, r->uri);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
return OK;
}
static int dbm_authenticate_basic_user(request_rec *r)
{
dbm_auth_config_rec *sec =
(dbm_auth_config_rec *) ap_get_module_config(r->per_dir_config,
&dbm_auth_module);
conn_rec *c = r->connection;
char *sent_pw, *real_pw, *colon_pw;
int res;
if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
return res;
if (!sec->auth_dbmpwfile)
return DECLINED;
if (!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) {
if (!(sec->auth_dbmauthoritative))
return DECLINED;
ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
"DBM user %s not found: %s", c->user, r->filename);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
/* Password is up to first : if exists */
colon_pw = strchr(real_pw, ':');
if (colon_pw)
*colon_pw = '\0';
/* anyone know where the prototype for crypt is? */
if (strcmp(real_pw, (char *) crypt(sent_pw, real_pw))) {
ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
"user %s: password mismatch: %s", c->user, r->uri);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
return OK;
}
/* Process authentication request from Apache*/
static int pg_authenticate_basic_user(request_rec * r)
{
pg_auth_config_rec *sec =
(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
&auth_pgsql_module);
char *val = NULL;
char *sent_pw, *real_pw;
int res;
char *user;
if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw)))
return res;
user = r->user;
#ifdef DEBUG_AUTH_PGSQL
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"[mod_auth_pgsql.c] - pg_authenticate_basic_user - going to auth user \"%s\" pass \"%s\" uri \"%s\"",
user, sent_pw, r->unparsed_uri);
#endif /* DEBUG_AUTH_PGSQL */
/* if *password* checking is configured in any way, i.e. then
* handle it, if not decline and leave it to the next in line..
* We do not check on dbase, group, userid or host name, as it is
* perfectly possible to only do group control and leave
* user control to the next guy in line.
*/
if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"[mod_auth_pgsql.c] - missing configuration parameters");
return DECLINED;
}
pg_errstr[0] = '\0';
if (sec->auth_pg_cache_passwords
&& (!apr_is_empty_table(sec->cache_pass_table))) {
val = (char *) apr_table_get(sec->cache_pass_table, user);
if (val)
real_pw = val;
else
real_pw = get_pg_pw(r, user, sec);
} else
real_pw = get_pg_pw(r, user, sec);
if (!real_pw) {
if (pg_errstr[0]) {
res = HTTP_INTERNAL_SERVER_ERROR;
} else {
if (sec->auth_pg_authoritative) {
/* force error and access denied */
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"mod_auth_pgsql: Password for user %s not found (PG-Authoritative)",
user);
ap_note_basic_auth_failure(r);
res = HTTP_UNAUTHORIZED;
} else {
/* allow fall through to another module */
return DECLINED;
}
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
return res;
}
/* allow no password, if the flag is set and the password
* is empty. But be sure to log this.
*/
if ((sec->auth_pg_nopasswd) && (!strlen(real_pw))) {
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"[mod_auth_pgsql.c] - Empty password accepted for user \"%s\"",
user);
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
pg_log_auth_user(r, sec, user, sent_pw);
return OK;
};
/* if the flag is off however, keep that kind of stuff at
* an arms length.
*/
if ((!strlen(real_pw)) || (!strlen(sent_pw))) {
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"",
user);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
};
if (sec->auth_pg_encrypted)
switch (sec->auth_pg_hash_type) {
case AUTH_PG_HASH_TYPE_MD5:
sent_pw = auth_pg_md5(sent_pw);
break;
case AUTH_PG_HASH_TYPE_CRYPT:
sent_pw = (char *) crypt(sent_pw, real_pw);
break;
case AUTH_PG_HASH_TYPE_BASE64:
sent_pw = auth_pg_base64(sent_pw);
break;
}
if (sec->auth_pg_hash_type == AUTH_PG_HASH_TYPE_NETEPI) {
char *netepi_pw;
if (netepi_pw = netepi_pwd_check(sec, r, real_pw, sent_pw))
goto netepi_ok;
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"PG user %s: password mismatch", user);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
netepi_ok:
sent_pw = netepi_pw;
} else if ((sec->auth_pg_hash_type == AUTH_PG_HASH_TYPE_MD5
|| sec->auth_pg_hash_type == AUTH_PG_HASH_TYPE_BASE64
|| sec->auth_pg_pwdignorecase)
? strcasecmp(real_pw, sent_pw) : strcmp(real_pw, sent_pw)) {
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"PG user %s: password mismatch", user);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
/* store password in the cache */
if (sec->auth_pg_cache_passwords && !val && sec->cache_pass_table) {
if ((apr_table_elts(sec->cache_pass_table))->nelts >=
MAX_TABLE_LEN) {
apr_table_clear(sec->cache_pass_table);
}
apr_table_set(sec->cache_pass_table, user, real_pw);
}
pg_log_auth_user(r, sec, user, sent_pw);
return OK;
}
static int psx_user(request_rec *r)
{
qEnvApache *renv = NULL;
try {
qEnvApacheServer *senv = get_psx_srv_env(r);
if (!senv)
return DECLINED;
const char *macro = senv->GetUserMacro();
if (!macro || !*macro)
return DECLINED;
renv = get_psx_req_env(r);
if (!renv)
return DECLINED;
if (renv->IsAuth == 1) {
if (r->main)
renv->Free();
return OK;
} else if (renv->IsAuth == -1) {
return psx_auth_fail(r, renv);
}
qCtxTmp tmpCtx(renv->GetCtx());
char *user = NULL;
const char *pw = NULL;
int res=ap_get_basic_auth_pw(r,&pw);
if (!res) {
#ifdef APACHE2
user = r->user;
#else
user = r->connection->user;
#endif
}
if (!user) user = "";
tmpCtx.MapObj(user, "username");
if (!pw) pw = "";
tmpCtx.MapObj(pw, "password");
CStr out = tmpCtx.ParseStr(macro);
out.Trim();
// ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, AP2STATUS r, "macro: %s, username: %s, password: %s, macro output: %s, macro length: %d, macro char: %x", (const char *) macro, (const char *)user, (const char *)pw, (const char *)out, out.Length(), (unsigned int)*(const char *)out);
if (out.IsEmpty()) {
renv->IsAuth = -1;
return psx_auth_fail(r, renv);
} else {
if (r->main)
renv->Free();
renv->IsAuth = 1;
return OK;
}
} catch (...) {
// login code redirected things
if (r->status == HTTP_MOVED_TEMPORARILY) {
return OK;
}
if (renv)
renv->Free();
smx_log_str(SMXLOGLEVEL_ERROR, "unhandled exception during authentication");
return DECLINED;
}
}
