static const char *add_index(cmd_parms *cmd, void *dummy, const char *arg)
{
dir_config_rec *d = dummy;
const char *t, *w;
int count = 0;
if (!d->index_names) {
d->index_names = apr_array_make(cmd->pool, 2, sizeof(char *));
}
t = arg;
while ((w = ap_getword_conf(cmd->pool, &t)) && w[0]) {
if (count == 0 && !strcasecmp(w, "disabled")) {
/* peek to see if "disabled" is first in a series of arguments */
const char *tt = t;
const char *ww = ap_getword_conf(cmd->temp_pool, &tt);
if (ww == NULL || !ww[0]) {
/* "disabled" is first, and alone */
apr_array_clear(d->index_names);
break;
}
}
*(const char **)apr_array_push(d->index_names) = w;
count++;
}
return NULL;
}
// reads through all the lines in custom container and builds a string of css rules
static char* get_container_properties(cmd_parms *cmd, void *config, char **curr_css,
char *container) {
moon_svr_cfg *cfg = config;
char * line = cfg->buf;
while (!ap_cfg_getline(line, MAX_STRING_LEN, cmd->config_file)) {
if (!strcasecmp(line, container)) {
break;
}
const char * pos = line;
char * new_property = NULL;
char * new_value = NULL;
char * temp = NULL;
if(!(*pos) || !(new_property = ap_getword_conf(cmd->pool, &pos))) {
return "Syntax error: could not read property\n";
}
if(!(*pos) || !(new_value = ap_getword_conf(cmd->pool, &pos))) {
return "Syntax error: could not read value\n";
}
temp = apr_palloc(cmd->pool,strlen(*curr_css)+strlen(new_property)+strlen(new_value)+3);
strcpy(temp, *curr_css);
strcat(temp, new_property);
strcat(temp, ":");
strcat(temp, new_value);
strcat(temp, ";");
*curr_css = temp;
}
return NULL;
}
static const char * set_serverremap(cmd_parms *cmd, void *CFG, const char *args)
{
cdn_conf *cfg = (cdn_conf *)CFG;
server_remap_t *remap;
unsigned int regflags = 0;
const char *pattern, *flags;
const char *usage = "Usage: CDNHTMLRemapURLServer pattern [flags]";
pattern = ap_getword_conf(cmd->pool, &args);
if(!pattern)
return usage;
flags = ap_getword_conf(cmd->pool, &args);
if(flags && !*flags)
flags = NULL;
if(cfg->map == NULL)
cfg->map = apr_array_make(cmd->pool, 4, sizeof(server_remap_t));
remap = apr_array_push(cfg->map);
regflags = AP_REG_NOSUB | FLAG(AP_REG_EXTENDED, flags, 'x') |
FLAG(AP_REG_ICASE, flags, 'i');
if(ap_regcomp(&(remap->regex), pattern, regflags) != 0)
return "CDNHTMLRemapURLServer: error compiling regex";
remap->flags |= FLAG(REMAP_FLAG_AUTH, flags, 'a') |
FLAG(REMAP_FLAG_QSTRING_IGNORE, flags, 'q');
return NULL;
}
AP_DECLARE(void) unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit,
const char *arg, const char * arg2, int type)
{
#if (defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)) && APR_HAVE_STRUCT_RLIMIT && APR_HAVE_GETRLIMIT
char *str;
struct rlimit *limit;
/* If your platform doesn't define rlim_t then typedef it in ap_config.h */
rlim_t cur = 0;
rlim_t max = 0;
*plimit = (struct rlimit *)apr_pcalloc(cmd->pool, sizeof(**plimit));
limit = *plimit;
if ((getrlimit(type, limit)) != 0) {
*plimit = NULL;
ap_log_error(APLOG_MARK, APLOG_ERR, errno, cmd->server,
"%s: getrlimit failed", cmd->cmd->name);
return;
}
if ((str = ap_getword_conf(cmd->pool, &arg))) {
if (!strcasecmp(str, "max")) {
cur = limit->rlim_max;
}
else {
cur = atol(str);
}
}
else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
"Invalid parameters for %s", cmd->cmd->name);
return;
}
if (arg2 && (str = ap_getword_conf(cmd->pool, &arg2))) {
max = atol(str);
}
/* if we aren't running as root, cannot increase max */
if (geteuid()) {
limit->rlim_cur = cur;
if (max) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
"Must be uid 0 to raise maximum %s", cmd->cmd->name);
}
}
else {
if (cur) {
limit->rlim_cur = cur;
}
if (max) {
limit->rlim_max = max;
}
}
#else
ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
"Platform does not support rlimit for %s", cmd->cmd->name);
#endif
}
static const char *ip_parse_config(cmd_parms *cmd,
const char *require_line,
const void **parsed_require_line)
{
const char *t, *w;
int count = 0;
apr_ipsubnet_t **ip;
apr_pool_t *ptemp = cmd->temp_pool;
apr_pool_t *p = cmd->pool;
/* The 'ip' provider will allow the configuration to specify a list of
ip addresses to check rather than a single address. This is different
from the previous host based syntax. */
t = require_line;
while ((w = ap_getword_conf(ptemp, &t)) && w[0])
count++;
if (count == 0)
return "'require ip' requires an argument";
ip = apr_pcalloc(p, sizeof(apr_ipsubnet_t *) * (count + 1));
*parsed_require_line = ip;
t = require_line;
while ((w = ap_getword_conf(ptemp, &t)) && w[0]) {
char *addr = apr_pstrdup(ptemp, w);
char *mask;
apr_status_t rv;
if (parsed_subnets &&
(*ip = apr_hash_get(parsed_subnets, w, APR_HASH_KEY_STRING)) != NULL)
{
/* we already have parsed this subnet */
ip++;
continue;
}
if ((mask = ap_strchr(addr, '/')))
*mask++ = '\0';
rv = apr_ipsubnet_create(ip, addr, mask, p);
if(APR_STATUS_IS_EINVAL(rv)) {
/* looked nothing like an IP address */
return apr_psprintf(p, "ip address '%s' appears to be invalid", w);
}
else if (rv != APR_SUCCESS) {
return apr_psprintf(p, "ip address '%s' appears to be invalid: %pm",
w, &rv);
}
if (parsed_subnets)
apr_hash_set(parsed_subnets, w, APR_HASH_KEY_STRING, *ip);
ip++;
}
return NULL;
}
static const char *set_user_dir(cmd_parms *cmd, void *dummy, const char *arg)
{
userdir_config *s_cfg = ap_get_module_config(cmd->server->module_config,
&userdir_module);
char *username;
const char *usernames = arg;
char *kw = ap_getword_conf(cmd->pool, &usernames);
apr_table_t *usertable;
/* Since we are a raw argument, it is possible for us to be called with
* zero arguments. So that we aren't ambiguous, flat out reject this.
*/
if (*kw == '\0') {
return "UserDir requires an argument.";
}
/*
* Let's do the comparisons once.
*/
if ((!strcasecmp(kw, "disable")) || (!strcasecmp(kw, "disabled"))) {
/*
* If there are no usernames specified, this is a global disable - we
* need do no more at this point than record the fact.
*/
if (!*usernames) {
s_cfg->globally_disabled = O_DISABLE;
return NULL;
}
usertable = s_cfg->disabled_users;
}
else if ((!strcasecmp(kw, "enable")) || (!strcasecmp(kw, "enabled"))) {
if (!*usernames) {
s_cfg->globally_disabled = O_ENABLE;
return NULL;
}
usertable = s_cfg->enabled_users;
}
else {
/*
* If the first (only?) value isn't one of our keywords, just copy
* the string to the userdir string.
*/
s_cfg->userdir = apr_pstrdup(cmd->pool, arg);
return NULL;
}
/*
* Now we just take each word in turn from the command line and add it to
* the appropriate table.
*/
while (*usernames) {
username = ap_getword_conf(cmd->pool, &usernames);
apr_table_setn(usertable, username, kw);
}
return NULL;
}
static const char* cwx_balance_command(cmd_parms *cmd, void *pconfig, char* arg){
const char* line;
char* value= NULL;
CWX_SVR_MSG_KEY* svr_msg=NULL;
CWX_KEY_VALUE* key_value=NULL;
CWX_CONFIG *config = cwx_get_server_config(cmd->server);
if (!config) return 0;
if (NULL == arg) return "must set cwinux-balance's arg: svr_name msg_type [-] key...";
svr_msg = (CWX_SVR_MSG_KEY *) apr_pcalloc(config->m_pool, sizeof(CWX_SVR_MSG_KEY));
line = arg;
//get svr_name
value = ap_getword_conf(config->m_pool, &line);
if (!value || !strlen(value)){
return "must set balance's svr_name by format: svr_name msg_type [-] key...";
}
svr_msg->m_svr_name = value;
//get msg_type
value = ap_getword_conf(config->m_pool, &line);
if (!value || !strlen(value)){
return "must set balance's msg_type by format: svr_name msg_type [-] key...";
}
svr_msg->m_msg_type = value;
//get [-]
value = ap_getword_conf(config->m_pool, &line);
if (!value || !strlen(value)){
return "must set balance's [-] or key by format: svr_name msg_type [-] key...";
}
if ('-' == value[0]){
svr_msg->m_exclude = true;
value = ap_getword_conf(config->m_pool, &line);
if (!value || !strlen(value)){
return "must set balance's key by format: svr_name msg_type [-] key...";
}
}else{
svr_msg->m_exclude = false;
}
svr_msg->m_key_value = NULL;
while(value && strlen(value)){
key_value = (CWX_KEY_VALUE*) apr_pcalloc(config->m_pool, sizeof(CWX_KEY_VALUE));
key_value->m_key = value;
cwx_tolower(key_value->m_key);
key_value->m_lowerkey = key_value->m_key;
key_value->m_value = NULL;
key_value->m_next = svr_msg->m_key_value;
svr_msg->m_key_value = key_value;
value = ap_getword_conf(config->m_pool, &line);
}
svr_msg->m_next = config->m_balance;
config->m_balance = svr_msg;
return 0;
}
static const char *
config_tls(cmd_parms *cmd, void *d, const char *v)
{
struct srv *s = ap_srv_config_get_cmd(cmd);
const char *arg;
const char *word = ap_getword_conf(cmd->pool, &arg);
if (!strncasecmp(word, "plus", 1)) {
word = ap_getword_conf(cmd->pool, &arg);
};
return ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
}
static const char* cwx_header_command(cmd_parms *cmd, void *pconfig, char* arg){
char szMsg[512];
const char* line;
char* value= NULL;
CWX_SVR_MSG_KEY* svr_msg=NULL;
CWX_KEY_VALUE* key_value=NULL;
CWX_CONFIG *config = cwx_get_server_config(cmd->server);
char * head_data = NULL;
if (!config) return 0;
if (NULL == arg) return "must set cwinux-header's arg: svr_name msg_type header:value header:value ...";
svr_msg = (CWX_SVR_MSG_KEY *) apr_pcalloc(config->m_pool, sizeof(CWX_SVR_MSG_KEY));
line = arg;
//get svr_name
value = ap_getword_conf(config->m_pool, &line);
if (!value || !strlen(value)){
return "must set cwinux-header's svr_name: svr_name msg_type header:value header:value ...";
}
svr_msg->m_svr_name = value;
//get msg_type
value = ap_getword_conf(config->m_pool, &line);
if (!value || !strlen(value)){
return "must set cwinux-header's msg_type: svr_name msg_type header:value header:value ...";
}
svr_msg->m_msg_type = value;
value = ap_getword_conf(config->m_pool, &line);
if (!value || !strlen(value)){
return "must set cwinux-header's header:value: svr_name msg_type header:value header:value ...";
}
svr_msg->m_key_value = NULL;
while(value && strlen(value)){
head_data = (char*)strchr(value, ':');
if (!head_data || (head_data==value)){
snprintf(szMsg, 511, "Invalid cwinux-header's header:data's format:%s", value);
return apr_pstrdup(config->m_pool, szMsg);
}
head_data[0] = 0x00;
head_data++;
key_value = (CWX_KEY_VALUE*) apr_pcalloc(config->m_pool, sizeof(CWX_KEY_VALUE));
key_value->m_key = value;
key_value->m_value = head_data;
key_value->m_next = svr_msg->m_key_value;
svr_msg->m_key_value = key_value;
value = ap_getword_conf(config->m_pool, &line);
}
svr_msg->m_next = config->m_header;
config->m_header = svr_msg;
return 0;
}
/**
* This hook is used to check to see if the resource being requested
* is available for the authenticated user (r->user and r->ap_auth_type).
* It runs after the access_checker and check_user_id hooks. Note that
* it will *only* be called if Apache determines that access control has
* been applied to this resource (through a 'Require' directive).
*
* @param r the current request
* @return OK, DECLINED, or HTTP_...
*/
static int auth_checker(request_rec *r) {
authnz_crowd_dir_config *config = get_config(r);
if (config == NULL) {
return HTTP_INTERNAL_SERVER_ERROR;
}
if (r->user == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "Authorisation requested, but no user provided.");
return HTTP_INTERNAL_SERVER_ERROR;
}
/* Iterate over requirements */
const apr_array_header_t *requires = ap_requires(r);
apr_array_header_t *user_groups = NULL;
int x;
for (x = 0; x < requires->nelts; x++) {
require_line require = APR_ARRAY_IDX(requires, x, require_line);
/* Ignore this requirement if it does not apply to the HTTP method used in the request. */
if (!(require.method_mask & (AP_METHOD_BIT << r->method_number))) {
continue;
}
const char *next_word = require.requirement;
/* Only process group requirements */
if (strcasecmp(ap_getword_white(r->pool, &next_word), "group") == 0) {
/* Fetch groups only if actually needed. */
if (user_groups == NULL) {
user_groups = crowd_user_groups(r->user, r, config->crowd_config);
if (user_groups == NULL) {
return HTTP_INTERNAL_SERVER_ERROR;
}
}
/* Iterate over the groups mentioned in the requirement. */
while (*next_word != '\0') {
const char *required_group = ap_getword_conf(r->pool, &next_word);
/* Iterate over the user's groups. */
int y;
for (y = 0; y < user_groups->nelts; y++) {
const char *user_group = APR_ARRAY_IDX(user_groups, y, const char *);
if (strcasecmp(user_group, required_group) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"Granted authorisation to '%s' on the basis of membership of '%s'.", r->user, user_group);
return OK;
}
}
}
}
}
ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, "Denied authorisation to '%s'.", r->user);
return config->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}
/*
* Apache >=2.4 authorization routine: match the claims from the authenticated user against the Require primitive
*/
authz_status oidc_authz_worker24(request_rec *r, const json_t * const claims, const char *require_args) {
int count_oauth_claims = 0;
const char *t, *w;
/* needed for anonymous authentication */
if (r->user == NULL) return AUTHZ_DENIED_NO_USER;
/* if no claims, impossible to satisfy */
if (!claims) return AUTHZ_DENIED;
/* loop over the Required specifications */
t = require_args;
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
count_oauth_claims++;
oidc_debug(r, "evaluating claim specification: %s", w);
/* see if we can match any of out input claims against this Require'd value */
if (oidc_authz_match_claim(r, w, claims) == TRUE) {
oidc_debug(r, "require claim '%s' matched", w);
return AUTHZ_GRANTED;
}
}
/* if there wasn't anything after the Require claims directive... */
if (count_oauth_claims == 0) {
oidc_warn(r,
"'require claim' missing specification(s) in configuration, denying");
}
return AUTHZ_DENIED;
}
/*******************************************************************************
* Get the next configuration directive argument, & return an u_short.
* The pool arg should be temporary storage.
*/
static const char *get_u_short(pool *p, const char **arg,
u_short *num, u_short min)
{
char *ptr;
long tmp;
const char *txt = ap_getword_conf(p, arg);
if (*txt == '\0') {
return "\"\"";
}
tmp = strtol(txt, &ptr, 10);
if (*ptr != '\0') {
return ap_pstrcat(p, "\"", txt, "\" must be a positive integer", NULL);
}
if (tmp < min || tmp > USHRT_MAX) {
return ap_psprintf(p, "\"%u\" must be >= %u and < %u", *num, min, USHRT_MAX);
}
*num = (u_short) tmp;
return NULL;
}
/*******************************************************************************
* Get the next configuration directive argument, & return an in_addr and port.
* The arg must be in the form "host:port" where host can be an IP or hostname.
* The pool arg should be persistant storage.
*/
static const char *get_host_n_port(pool *p, const char **arg,
const char **host, u_short *port)
{
char *cvptr, *portStr;
long tmp;
*host = ap_getword_conf(p, arg);
if (**host == '\0')
return "\"\"";
portStr = strchr(*host, ':');
if (portStr == NULL)
return "missing port specification";
/* Split the host and port portions */
*portStr++ = '\0';
/* Convert port number */
tmp = (u_short) strtol(portStr, &cvptr, 10);
if (*cvptr != '\0' || tmp < 1 || tmp > USHRT_MAX)
return ap_pstrcat(p, "bad port number \"", portStr, "\"", NULL);
*port = (unsigned short) tmp;
return NULL;
}
/* parse the <VirtualHost> addresses */
const char *ap_parse_vhost_addrs(apr_pool_t *p,
const char *hostname,
server_rec *s)
{
server_addr_rec **addrs;
const char *err;
/* start the list of addreses */
addrs = &s->addrs;
while (hostname[0]) {
err = get_addresses(p, ap_getword_conf(p, &hostname), &addrs, s->port);
if (err) {
*addrs = NULL;
return err;
}
}
/* terminate the list */
*addrs = NULL;
if (s->addrs) {
if (s->addrs->host_port) {
/* override the default port which is inherited from main_server */
s->port = s->addrs->host_port;
}
}
return NULL;
}
static int check_user_access(request_rec * r) {
int m = r->method_number;
const apr_array_header_t * reqs_arr = ap_requires(r);
if (! reqs_arr) {
return DECLINED;
}
require_line * reqs = (require_line *)reqs_arr->elts;
int x;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
continue;
}
const char * t = reqs[x].requirement;
const char * w = ap_getword_white(r->pool, &t);
if (!strcasecmp(w, "pam-account")) {
const char * pam_service = ap_getword_conf(r->pool, &t);
if (pam_service && strlen(pam_service)) {
authn_status ret = pam_authenticate_with_login_password(r, pam_service, r->user, NULL, _PAM_STEP_ACCOUNT);
if (ret == AUTH_GRANTED) {
return OK;
}
}
}
}
return DECLINED;
}
static authz_status group_check_authorization(request_rec *r,
const char *require_args,
const void *parsed_require_args)
{
authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_groupfile_module);
char *user = r->user;
const char *t, *w;
apr_table_t *grpstatus = NULL;
apr_status_t status;
if (!user) {
return AUTHZ_DENIED_NO_USER;
}
/* If there is no group file - then we are not
* configured. So decline.
*/
if (!(conf->groupfile)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01664)
"No group file was specified in the configuration");
return AUTHZ_DENIED;
}
status = groups_for_user(r->pool, user, conf->groupfile,
&grpstatus);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01665)
"Could not open group file: %s",
conf->groupfile);
return AUTHZ_DENIED;
}
if (apr_is_empty_table(grpstatus)) {
/* no groups available, so exit immediately */
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01666)
"Authorization of user %s to access %s failed, reason: "
"user doesn't appear in group file (%s).",
r->user, r->uri, conf->groupfile);
return AUTHZ_DENIED;
}
t = require_args;
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
if (apr_table_get(grpstatus, w)) {
return AUTHZ_GRANTED;
}
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01667)
"Authorization of user %s to access %s failed, reason: "
"user is not part of the 'require'ed group(s).",
r->user, r->uri);
return AUTHZ_DENIED;
}
static const char * set_act_as_origin(cmd_parms *cmd, void *CFG, const char *args)
{
cdn_conf *cfg = (cdn_conf *)CFG;
act_as_origin_t *orig;
unsigned int regflags = 0;
const char *pattern, *flags, *exptime;
const char *usage = "Usage: CDNActAsOrigin pattern [flags] [exptime]";
pattern = ap_getword_conf(cmd->pool, &args);
if(!pattern)
return usage;
flags = ap_getword_conf(cmd->pool, &args);
if(flags && !*flags)
flags = NULL;
exptime = ap_getword_conf(cmd->pool, &args);
if(exptime && !*exptime)
exptime = NULL;
if(cfg->originify == NULL)
cfg->originify = apr_array_make(cmd->pool, 4, sizeof(act_as_origin_t));
orig = apr_array_push(cfg->originify);
regflags = AP_REG_NOSUB | FLAG(AP_REG_EXTENDED, flags, 'x') |
FLAG(AP_REG_ICASE, flags, 'i');
if(ap_regcomp(&(orig->regex), pattern, regflags) != 0)
return "CDNActAsOrigin: error compiling regex";
orig->flags |= FLAG(ORIGINIFY_FLAG_EXPIRE, flags, 'e') |
FLAG(ORIGINIFY_FLAG_AUTH, flags, 'a');
if(orig->flags & ORIGINIFY_FLAG_EXPIRE) {
if(exptime) {
errno = 0;
orig->exptime = strtol(exptime, NULL, 10);
if(errno)
return "CDNActAsOrigin: error setting expiration time";
} else if(cfg->default_exptime) {
orig->exptime = cfg->default_exptime;
} else
return "CDNActAsOrigin: expiration flag set but no expiration time given";
}
return NULL;
}
/*******************************************************************************
* Get the next configuration directive argument, & add it to an env array.
* The pool arg should be permanent storage.
*/
static const char *get_env_var(pool *p, const char **arg, char **envp, unsigned int *envc)
{
char * const val = ap_getword_conf(p, arg);
if (*val == '\0') {
return "\"\"";
}
return fcgi_config_set_env_var(p, envp, envc, val);
}
/* Handle a group check triggered by a 'Require external-group foo bar baz'
* directive. */
static authz_status externalgroup_check_authorization(request_rec *r,
const char *require_args, const void *parsed_require_args)
{
authnz_external_dir_config_rec *dir= (authnz_external_dir_config_rec *)
ap_get_module_config(r->per_dir_config, &authnz_external_module);
authnz_external_svr_config_rec *svr= (authnz_external_svr_config_rec *)
ap_get_module_config(r->server->module_config, &authnz_external_module);
char *user= r->user;
char *extname= dir->group_name;
const char *extpath, *extmethod;
const char *t, *w;
int code;
/* If no authenticated user, pass */
if ( !user ) return AUTHZ_DENIED_NO_USER;
/* If no external authenticator has been configured, pass */
if ( !extname ) return AUTHZ_DENIED;
/* Get the path and method associated with that external */
if (!(extpath= apr_table_get(svr->group_path, extname)) ||
!(extmethod= apr_table_get(svr->group_method,extname)))
{
errno= 0;
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"invalid GroupExternal keyword (%s)", extname);
return AUTHZ_DENIED;
}
if (dir->groupsatonce)
{
/* Pass rest of require line to authenticator */
code= exec_external(extpath, extmethod, r, ENV_GROUP, require_args);
if (code == 0) return AUTHZ_GRANTED;
}
else
{
/* Call authenticator once for each group name on line */
t= require_args;
while ((w= ap_getword_conf(r->pool, &t)) && w[0])
{
code= exec_external(extpath, extmethod, r, ENV_GROUP, w);
if (code == 0) return AUTHZ_GRANTED;
}
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Authorization of user %s to access %s failed. "
"User not in Required group.",
r->user, r->uri);
return AUTHZ_DENIED;
}
static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
const char *arg,
ssl_proto_t *options)
{
ssl_proto_t thisopt;
*options = SSL_PROTOCOL_NONE;
while (*arg) {
char *w = ap_getword_conf(parms->temp_pool, &arg);
char action = '\0';
if ((*w == '+') || (*w == '-')) {
action = *(w++);
}
if (strcEQ(w, "SSLv2")) {
#ifdef OPENSSL_NO_SSL2
if (action != '-') {
return "SSLv2 not supported by this version of OpenSSL";
}
#endif
thisopt = SSL_PROTOCOL_SSLV2;
}
else if (strcEQ(w, "SSLv3")) {
thisopt = SSL_PROTOCOL_SSLV3;
}
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;
}
else if (strcEQ(w, "all")) {
thisopt = SSL_PROTOCOL_ALL;
}
else {
return apr_pstrcat(parms->temp_pool,
parms->cmd->name,
": Illegal protocol '",
w, "'", NULL);
}
if (action == '-') {
*options &= ~thisopt;
}
else if (action == '+') {
*options |= thisopt;
}
else {
*options = thisopt;
}
}
return NULL;
}
static void add_service(struct runtime_data *r, const char *host_name, uint16_t port, const char *location, const char *name, const char *types, int append_host_name, const char *txt_record) {
struct service_data *d;
char *w;
ap_assert(r);
/* ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->main_server, "add_service: %s %s %s %s", host_name, location, name, txt_record); */
d = apr_palloc(r->pool, sizeof(struct service_data));
ap_assert(d);
d->pool = NULL;
d->runtime = r;
d->host_name = apr_pstrdup(r->pool, host_name);
d->port = port;
d->location = apr_pstrdup(r->pool, location);
d->name = apr_pstrdup(r->pool, name);
d->append_host_name = append_host_name;
d->chosen_name = NULL;
d->types = apr_array_make(r->pool, 4, sizeof(char*));
if (types)
while (*(w = ap_getword_conf(r->pool, &types)) != 0)
*(char**) apr_array_push(d->types) = w;
d->txt_record = apr_array_make(r->pool, 4, sizeof(char*));
if (txt_record)
while (*(w = ap_getword_conf(r->pool, &txt_record)) != 0)
*(char**) apr_array_push(d->txt_record) = w;
d->group = NULL;
d->next = r->services;
r->services = d;
/* ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->main_server, "done"); */
}
///cwinux-service svr_name [show:true/false] [delay:true/false] [persistent:true/false] [query:timeout] [connect:timeout] [reply:timeout] [restore:timeout] [min-idle:value] [max-idle:value]
static const char* cwx_svr_command(cmd_parms *cmd, void *pconfig, char* arg){
char szBuf[512];
const char* line = arg;
char* value = NULL;
CWX_SERVICE* svr = NULL;
CWX_CONFIG *config = cwx_get_server_config(cmd->server);
if (!config) return 0;
if (NULL == arg) return "must set cwinux-service's arg: service-name";
//get svr_name
value = ap_getword_conf(config->m_pool, &line);
if (!value || !strlen(value)){
return "Must set service's name by format: svr_name";
}
if (apr_hash_get(config->m_svr_hash, value, APR_HASH_KEY_STRING)){//exist
snprintf(szBuf, 511, "svr name[%s] is duplicationg.", value);
return apr_pstrdup(config->m_pool, szBuf);
}
svr = (CWX_SERVICE *) apr_pcalloc(config->m_pool, sizeof(CWX_SERVICE));
svr->m_svr_name = value;
svr->m_config = config;
svr->m_hosts = NULL;
svr->m_host_num = 0;
svr->m_key_item.m_bkey_hash = NULL;
svr->m_key_item.m_ex_bkey_hash = NULL;
svr->m_key_item.m_header = NULL;
svr->m_uri_key_hash = NULL;
cwx_reset_user_config(&svr->m_user_config);
value = ap_getword_conf(config->m_pool, &line);
while(value && strlen(value)){
if (!cwx_set_user_config(&svr->m_user_config, value)){
snprintf(szBuf, 511, "Invalid cwinux-service arg:%s", value);
return apr_pstrdup(config->m_pool, szBuf);
}
value = ap_getword_conf(config->m_pool, &line);
}
apr_hash_set(config->m_svr_hash, svr->m_svr_name, APR_HASH_KEY_STRING, svr);
config->m_svr_num++;
return 0;
}
static const char *get_pass_header(pool *p, const char **arg, array_header **array)
{
const char **header;
if (!*array) {
*array = ap_make_array(p, 10, sizeof(char*));
}
header = (const char **)ap_push_array(*array);
*header = ap_getword_conf(p, arg);
return header ? NULL : "\"\"";
}
static int digest_check_auth(request_rec *r)
{
char *user = r->connection->user;
int m = r->method_number;
int method_restricted = 0;
register int x;
const char *t;
char *w;
array_header *reqs_arr;
require_line *reqs;
if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest"))
return DECLINED;
reqs_arr = ap_requires(r);
/* If there is no "requires" directive,
* then any user will do.
*/
if (!reqs_arr)
return OK;
reqs = (require_line *) reqs_arr->elts;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (1 << m)))
continue;
method_restricted = 1;
t = reqs[x].requirement;
w = ap_getword(r->pool, &t, ' ');
if (!strcmp(w, "valid-user"))
return OK;
else if (!strcmp(w, "user")) {
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (!strcmp(user, w))
return OK;
}
}
else
return DECLINED;
}
if (!method_restricted)
return OK;
ap_note_digest_auth_failure(r);
return AUTH_REQUIRED;
}
static authz_status check_user_access(request_rec * r, const char * require_args, const void * parsed_require_args) {
if (!r->user) {
return AUTHZ_DENIED_NO_USER;
}
const char * pam_service = ap_getword_conf(r->pool, &require_args);
if (pam_service && pam_service[0]) {
authn_status ret = pam_authenticate_with_login_password(r, pam_service, r->user, NULL, _PAM_STEP_ACCOUNT);
if (ret == AUTH_GRANTED) {
return AUTHZ_GRANTED;
}
}
return AUTHZ_DENIED;
}
/**************************************************
* Authorization phase (Apache 2.2)
*
* Requires authentication phase to run first.
*
* Handles Require persona-idp directives.
**************************************************/
static int Auth_persona_check_auth(request_rec *r)
{
const apr_array_header_t *reqs_arr=NULL;
require_line *reqs=NULL;
register int x;
const char *szRequireLine;
char *szRequire_cmd;
if (!persona_authn_active(r)) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ERRTAG "Auth_persona_check_auth");
/* get require line */
reqs_arr = ap_requires(r);
reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
/* decline if no require line found */
if (!reqs_arr) return DECLINED;
/* walk through the array to check each require command */
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << r->method_number)))
continue;
/* get require line */
szRequireLine = reqs[x].requirement;
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG "Require Line is '%s'", szRequireLine);
/* get the first word in require line */
szRequire_cmd = ap_getword_white(r->pool, &szRequireLine);
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG "Require Cmd is '%s'", szRequire_cmd);
// persona-idp: check host part of user name
if (!strcmp("persona-idp", szRequire_cmd)) {
char *reqIdp = ap_getword_conf(r->pool, &szRequireLine);
const char *issuer = apr_table_get(r->notes, PERSONA_ISSUER_NOTE);
if (!issuer || strcmp(issuer, reqIdp)) {
return HTTP_FORBIDDEN;
}
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
ERRTAG "user '%s' is authorized", r->user);
return OK;
}
}
return DECLINED;
}
static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile,
apr_table_t ** out)
{
ap_configfile_t *f;
apr_table_t *grps = apr_table_make(p, 15);
apr_pool_t *sp;
struct ap_varbuf vb;
const char *group_name, *ll, *w;
apr_status_t status;
apr_size_t group_len;
if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) {
return status ;
}
apr_pool_create(&sp, p);
ap_varbuf_init(p, &vb, VARBUF_INIT_LEN);
while (!(ap_varbuf_cfg_getline(&vb, f, VARBUF_MAX_LEN))) {
if ((vb.buf[0] == '#') || (!vb.buf[0])) {
continue;
}
ll = vb.buf;
apr_pool_clear(sp);
group_name = ap_getword(sp, &ll, ':');
group_len = strlen(group_name);
while (group_len && apr_isspace(*(group_name + group_len - 1))) {
--group_len;
}
while (ll[0]) {
w = ap_getword_conf(sp, &ll);
if (!strcmp(w, user)) {
apr_table_setn(grps, apr_pstrmemdup(p, group_name, group_len),
"in");
break;
}
}
}
ap_cfg_closefile(f);
apr_pool_destroy(sp);
ap_varbuf_free(&vb);
*out = grps;
return APR_SUCCESS;
}
/*******************************************************************************
* Get the next configuration directive argument, & return a float.
* The pool arg should be temporary storage.
*/
static const char *get_float(pool *p, const char **arg,
float *num, float min, float max)
{
char *ptr;
const char *val = ap_getword_conf(p, arg);
if (*val == '\0')
return "\"\"";
*num = (float) strtod(val, &ptr);
if (*ptr != '\0')
return ap_pstrcat(p, "\"", val, "\" is not a floating point number", NULL);
if (*num < min || *num > max)
return ap_psprintf(p, "\"%f\" is not between %f and %f", *num, min, max);
return NULL;
}
/*******************************************************************************
* Get the next configuration directive argument, & return an u_int.
* The pool arg should be temporary storage.
*/
static const char *get_u_int(pool *p, const char **arg,
u_int *num, u_int min)
{
char *ptr;
const char *val = ap_getword_conf(p, arg);
if (*val == '\0')
return "\"\"";
*num = (u_int)strtol(val, &ptr, 10);
if (*ptr != '\0')
return ap_pstrcat(p, "\"", val, "\" must be a positive integer", NULL);
else if (*num < min)
return ap_psprintf(p, "\"%u\" must be >= %u", *num, min);
return NULL;
}
static authz_status host_check_authorization(request_rec *r,
const char *require_line,
const void *parsed_require_line)
{
const char *t, *w;
const char *remotehost = NULL;
int remotehost_is_ip;
remotehost = ap_get_useragent_host(r, REMOTE_DOUBLE_REV, &remotehost_is_ip);
if ((remotehost == NULL) || remotehost_is_ip) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01753)
"access check of '%s' to %s failed, reason: unable to get the "
"remote host name", require_line, r->uri);
}
else {
const char *err = NULL;
const ap_expr_info_t *expr = parsed_require_line;
const char *require;
require = ap_expr_str_exec(r, expr, &err);
if (err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02593)
"authz_host authorize: require host: Can't "
"evaluate require expression: %s", err);
return AUTHZ_DENIED;
}
/* The 'host' provider will allow the configuration to specify a list of
host names to check rather than a single name. This is different
from the previous host based syntax. */
t = require;
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
if (in_domain(w, remotehost)) {
return AUTHZ_GRANTED;
}
}
}
/* authz_core will log the require line and the result at DEBUG */
return AUTHZ_DENIED;
}
