/*
 * Getter for the remote-user request variable.
 *
 * Runs ngx_http_auth_basic_user() on the request and then exposes
 * r->headers_in.user through v by reference (no copy is made).  No
 * credential verification is visible in this function, so callers should
 * not treat the value as proof of authentication unless an auth handler
 * has already accepted the request.  `data` is unused.
 *
 * Returns NGX_OK (with v->not_found set when the helper declines) or
 * NGX_ERROR when the helper fails.
 */
static ngx_int_t
ngx_http_variable_remote_user(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    ngx_int_t  status = ngx_http_auth_basic_user(r);

    /* Hard failure in the helper: propagate it unchanged. */
    if (status == NGX_ERROR) {
        return NGX_ERROR;
    }

    /* The helper declined: report the variable as absent. */
    if (status == NGX_DECLINED) {
        v->not_found = 1;
        return NGX_OK;
    }

    /* Point the variable at the user string kept on the request. */
    v->data = r->headers_in.user.data;
    v->len = r->headers_in.user.len;

    v->not_found = 0;
    v->no_cacheable = 0;
    v->valid = 1;

    return NGX_OK;
}
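/*
 * Request handler for MySQL-backed HTTP Basic authentication.
 *
 * Returns NGX_DECLINED when no realm is configured for the location,
 * the result of ngx_http_auth_mysql_set_realm() when the request carries no
 * usable Basic credentials, NGX_HTTP_INTERNAL_SERVER_ERROR when decoding
 * fails, and otherwise whatever ngx_http_auth_mysql_authenticate() returns.
 */
static ngx_int_t
ngx_http_auth_mysql_handler(ngx_http_request_t *r)
{
    ngx_int_t                        rc;
    ngx_http_auth_mysql_ctx_t       *ctx;
    ngx_http_auth_mysql_loc_conf_t  *alcf;

    alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_mysql_module);

    /* An empty realm means the module is not enabled here. */
    if (alcf->realm.len == 0) {
        return NGX_DECLINED;
    }

    ctx = ngx_http_get_module_ctx(r, ngx_http_auth_mysql_module);

    /* A stored context carries its own password field; use it directly. */
    if (ctx) {
        return ngx_http_auth_mysql_authenticate(r, ctx, &ctx->passwd, alcf);
    }

    /* Decode http auth user and passwd, leaving values on the request */
    rc = ngx_http_auth_basic_user(r);

    if (rc == NGX_DECLINED) {
        return ngx_http_auth_mysql_set_realm(r, &alcf->realm);
    }

    if (rc == NGX_ERROR) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * Check user & password using MySQL.
     *
     * ctx is always NULL on this path (the non-NULL case returned above),
     * so the former `&ctx->passwd` was member access through a null
     * pointer, which is undefined behaviour.  Pass NULL explicitly instead.
     * NOTE(review): this assumes ngx_http_auth_mysql_authenticate() reads
     * the credentials from the request rather than from these two
     * arguments when they are NULL - confirm against its definition.
     */
    return ngx_http_auth_mysql_authenticate(r, NULL, NULL, alcf);
}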
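/*
 * Request handler for LDAP-backed HTTP Basic authentication.
 *
 * Returns NGX_DECLINED when no realm is configured for the location,
 * the result of ngx_http_auth_ldap_set_realm() when the request carries no
 * usable Basic credentials, NGX_HTTP_INTERNAL_SERVER_ERROR when decoding
 * fails, and otherwise whatever ngx_http_auth_ldap_authenticate() returns.
 */
static ngx_int_t
ngx_http_auth_ldap_handler(ngx_http_request_t *r)
{
    /* ngx_int_t (not int) so the helper's return value is not narrowed. */
    ngx_int_t                       rc;
    ngx_http_auth_ldap_ctx_t       *ctx;
    ngx_http_auth_ldap_loc_conf_t  *alcf;

    alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_ldap_module);

    /* An empty realm means the module is not enabled here. */
    if (alcf->realm.len == 0) {
        return NGX_DECLINED;
    }

    ctx = ngx_http_get_module_ctx(r, ngx_http_auth_ldap_module);

    /* A stored context carries its own password field; use it directly. */
    if (ctx) {
        return ngx_http_auth_ldap_authenticate(r, ctx, &ctx->passwd, alcf);
    }

    /* Decode the Basic credentials from the request. */
    rc = ngx_http_auth_basic_user(r);

    if (rc == NGX_DECLINED) {
        return ngx_http_auth_ldap_set_realm(r, &alcf->realm);
    }

    if (rc == NGX_ERROR) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * ctx is always NULL on this path (the non-NULL case returned above),
     * so the former `&ctx->passwd` was member access through a null
     * pointer, which is undefined behaviour.  Pass NULL explicitly instead.
     * NOTE(review): this assumes ngx_http_auth_ldap_authenticate() reads
     * the credentials from the request rather than from these two
     * arguments when they are NULL - confirm against its definition.
     */
    return ngx_http_auth_ldap_authenticate(r, NULL, NULL, alcf);
}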
/*
 * Request handler for file-backed HTTP Basic authentication.
 *
 * Looks the request's user name up in the configured user file and hands
 * the stored password field to ngx_http_auth_basic_crypt_handler().
 *
 * Returns:
 *   NGX_DECLINED  - realm or user file not configured, or realm is "off";
 *   NGX_ERROR     - a complex value (realm / user file name) failed to
 *                   evaluate;
 *   NGX_HTTP_FORBIDDEN - the user file does not exist;
 *   NGX_HTTP_INTERNAL_SERVER_ERROR - credential decoding, file open/read
 *                   or pool allocation failed;
 *   otherwise the result of ngx_http_auth_basic_set_realm() (no credentials
 *   or user not found) or of ngx_http_auth_basic_crypt_handler().
 *
 * NOTE(review): buf lives on the stack and holds raw user-file contents,
 * including stored password fields; nothing here clears it before
 * returning.  Consider wiping it on every exit path.
 */
static ngx_int_t
ngx_http_auth_basic_handler(ngx_http_request_t *r)
{
    off_t                            offset;
    ssize_t                          n;
    ngx_fd_t                         fd;
    ngx_int_t                        rc;
    ngx_err_t                        err;
    ngx_str_t                        pwd, realm, user_file;
    ngx_uint_t                       i, level, login, left, passwd;
    ngx_file_t                       file;
    ngx_http_auth_basic_ctx_t       *ctx;
    ngx_http_auth_basic_loc_conf_t  *alcf;
    u_char                           buf[NGX_HTTP_AUTH_BUF_SIZE];
    /* Parser states: matching the login, reading the password, skipping. */
    enum {
        sw_login,
        sw_passwd,
        sw_skip
    } state;

    alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module);

    /* Not configured for this location: let other handlers decide. */
    if (alcf->realm == NULL || alcf->user_file.value.data == NULL) {
        return NGX_DECLINED;
    }

    if (ngx_http_complex_value(r, alcf->realm, &realm) != NGX_OK) {
        return NGX_ERROR;
    }

    /* A realm that evaluates to exactly "off" disables the check. */
    if (realm.len == 3 && ngx_strncmp(realm.data, "off", 3) == 0) {
        return NGX_DECLINED;
    }

    ctx = ngx_http_get_module_ctx(r, ngx_http_auth_basic_module);

    /* A stored context already carries the password field to check. */
    if (ctx) {
        return ngx_http_auth_basic_crypt_handler(r, ctx, &ctx->passwd,
                                                 &realm);
    }

    rc = ngx_http_auth_basic_user(r);

    if (rc == NGX_DECLINED) {

        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "no user/password was provided for basic authentication");

        return ngx_http_auth_basic_set_realm(r, &realm);
    }

    if (rc == NGX_ERROR) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    if (ngx_http_complex_value(r, &alcf->user_file, &user_file) != NGX_OK) {
        return NGX_ERROR;
    }

    fd = ngx_open_file(user_file.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);

    if (fd == NGX_INVALID_FILE) {
        err = ngx_errno;

        /* A missing file is a 403 logged at ERR; anything else is a 500. */
        if (err == NGX_ENOENT) {
            level = NGX_LOG_ERR;
            rc = NGX_HTTP_FORBIDDEN;

        } else {
            level = NGX_LOG_CRIT;
            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        ngx_log_error(level, r->connection->log, err,
                      ngx_open_file_n " \"%s\" failed", user_file.data);

        return rc;
    }

    ngx_memzero(&file, sizeof(ngx_file_t));

    file.fd = fd;
    file.name = user_file;
    file.log = r->connection->log;

    state = sw_login;
    passwd = 0;
    login = 0;
    left = 0;
    offset = 0;

    /*
     * Read the file in chunks.  `left` bytes of an unfinished password
     * field are kept at the start of buf between reads.
     * NOTE(review): if that carried-over field fills the whole buffer the
     * next read is asked for 0 bytes; presumably it returns 0 and the loop
     * ends as if at EOF with a truncated field - confirm.
     */
    for ( ;; ) {
        i = left;

        n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left,
                          offset);

        if (n == NGX_ERROR) {
            ngx_http_auth_basic_close(&file);
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        if (n == 0) {
            break;
        }

        for (i = left; i < left + n; i++) {
            switch (state) {

            case sw_login:
                /* At the start of a line: skip comments and blank lines. */
                if (login == 0) {

                    if (buf[i] == '#' || buf[i] == CR) {
                        state = sw_skip;
                        break;
                    }

                    if (buf[i] == LF) {
                        break;
                    }
                }

                /*
                 * Byte-by-byte comparison against the request's user name.
                 * The index runs up to and including user.len, i.e. one
                 * element past the name itself; presumably
                 * ngx_http_auth_basic_user() leaves ':' there so that it
                 * matches the file's name/password separator - confirm.
                 */
                if (buf[i] != r->headers_in.user.data[login]) {
                    state = sw_skip;
                    break;
                }

                /* Whole name plus separator matched: password starts next. */
                if (login == r->headers_in.user.len) {
                    state = sw_passwd;
                    passwd = i + 1;
                }

                login++;

                break;

            case sw_passwd:
                /* The password field ends at end of line or the next ':'. */
                if (buf[i] == LF || buf[i] == CR || buf[i] == ':') {
                    buf[i] = '\0';

                    ngx_http_auth_basic_close(&file);

                    /* pwd points into buf; it is not copied on this path. */
                    pwd.len = i - passwd;
                    pwd.data = &buf[passwd];

                    return ngx_http_auth_basic_crypt_handler(r, NULL, &pwd,
                                                             &realm);
                }

                break;

            case sw_skip:
                /* Ignore the rest of the line, then restart matching. */
                if (buf[i] == LF) {
                    state = sw_login;
                    login = 0;
                }

                break;
            }
        }

        /* Keep a partially read password field for the next chunk. */
        if (state == sw_passwd) {
            left = left + n - passwd;
            ngx_memmove(buf, &buf[passwd], left);
            passwd = 0;

        } else {
            left = 0;
        }

        offset += n;
    }

    ngx_http_auth_basic_close(&file);

    /*
     * EOF reached inside a password field (last line has no terminator):
     * copy it into pool memory with a trailing NUL before checking it.
     */
    if (state == sw_passwd) {
        pwd.len = i - passwd;
        pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
        if (pwd.data == NULL) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);

        return ngx_http_auth_basic_crypt_handler(r, NULL, &pwd, &realm);
    }

    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                  "user \"%V\" was not found in \"%V\"",
                  &r->headers_in.user, &user_file);

    return ngx_http_auth_basic_set_realm(r, &realm);
}
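/*
 * Request handler for RADIUS-backed HTTP Basic authentication.
 *
 * First pass (no module context yet): creates the context, computes the
 * request digest and starts a cache-lookup subrequest, then returns
 * NGX_AGAIN.  Later passes return NGX_AGAIN until ctx->done is set, a
 * 401 challenge when the request was rejected (or carried no credentials),
 * and NGX_OK when it was accepted.
 *
 * Allocation failures and a failed subrequest start now fail closed with an
 * error status instead of dereferencing NULL or waiting forever.
 */
static ngx_int_t
ngx_http_auth_radius_handler( ngx_http_request_t *r )
{
    ngx_http_auth_radius_ctx_t* ctx;
    ctx = ngx_http_get_module_ctx( r, ngx_http_auth_radius_module );

    ngx_http_auth_radius_main_conf_t* conf =
        ngx_http_get_module_loc_conf( r, ngx_http_auth_radius_module );

    /*
     * No realm configured: the module does nothing for this location.
     * NOTE(review): confirm that NGX_OK (rather than NGX_DECLINED) is the
     * intended result for an unconfigured location.
     */
    if ( conf->realm.data == NULL || conf->realm.len == 0 )
        return NGX_OK;

    ngx_int_t rc = ngx_http_auth_basic_user( r );

    if ( rc == NGX_ERROR )
        return NGX_HTTP_INTERNAL_SERVER_ERROR;

    /* No credentials, or the finished check rejected them: send a challenge. */
    if ( rc == NGX_DECLINED || ( ctx && ctx->done && ctx->accepted == 0 ) ) {

        /* sizeof includes the NUL, so the header text is realm_len - 1 long. */
        ngx_int_t realm_len = sizeof( "Basic realm=\"\"" ) + conf->realm.len;

        /*
         * Allocate the value before pushing the header so that a failed
         * allocation cannot leave a half-initialised header in the list.
         */
        ngx_buf_t* b = ngx_create_temp_buf( r->pool, realm_len );
        if ( b == NULL ) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        r->headers_out.www_authenticate = ngx_list_push( &r->headers_out.headers );
        if ( r->headers_out.www_authenticate == NULL ) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        r->headers_out.www_authenticate->hash = 1;
        r->headers_out.www_authenticate->key.len = sizeof( "WWW-Authenticate" ) - 1;
        r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate";

        ngx_snprintf( b->pos, realm_len, "Basic realm=\"%V\"", &conf->realm );

        r->headers_out.www_authenticate->value.data = b->pos;
        r->headers_out.www_authenticate->value.len = realm_len - 1;

        return NGX_HTTP_UNAUTHORIZED;
    }

    if ( ctx == NULL ) {
        ctx = ngx_pcalloc( r->pool, sizeof( *ctx ) );
        if ( ctx == NULL ) {
            // TODO log
            return NGX_ERROR;
        }

        ctx->attempts = conf->radius_attempts;
        ctx->done = 0;
        ctx->accepted = 0;
        ngx_http_set_ctx( r, ctx, ngx_http_auth_radius_module );

        r->read_event_handler = http_req_read_handler;

        ngx_str_t args;
        ngx_str_t key;

        calc_req_digest( r, &conf->secret, ctx->digest );
        key.data = ctx->digest;
        key.len = sizeof( ctx->digest );

        /*
         * NOTE(review): the digest bytes are placed into the query string
         * as-is; if ctx->digest is raw binary rather than text it would
         * need encoding - confirm (the original carried a TODO here).
         */
        args.len = sizeof( "o=get&k=" ) - 1 + key.len; // TODO
        args.data = ngx_palloc( r->pool, args.len );
        if ( args.data == NULL ) {
            /* Previously unchecked: ngx_snprintf would write through NULL. */
            return NGX_ERROR;
        }

        u_char* e = ngx_snprintf( args.data, args.len, "o=get&k=%V", &key );
        args.len = e - args.data;

        rc = ngx_http_auth_radius_init_subrequest( r, &conf->radius_cache, &args,
                 ngx_http_auth_radius_subrequest_mcget_done );

        /*
         * The result used to be discarded.  If the subrequest could not be
         * started nothing will ever set ctx->done, so fail the request
         * instead of parking it on NGX_AGAIN.
         */
        if ( rc == NGX_ERROR ) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        return NGX_AGAIN;
    }

    /* The asynchronous check has not finished yet. */
    if ( ctx->done == 0 ) {
        return NGX_AGAIN;
    }

    /*
     * NOTE(review): a successful grant is logged at NGX_LOG_ERR and the
     * request pointer is passed for a long-typed conversion; consider a
     * lower log level and a pointer format.
     */
    ngx_log_error( NGX_LOG_ERR, r->connection->log, 0, "GRANTED 0x%xl", r );

    return NGX_OK;
}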
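/*
 * Module handler
 *
 * Runs PAM authentication and/or account checks for the request.
 *
 * Returns NGX_DECLINED when the module is inactive or there is no user and
 * Basic auth is disabled, NGX_ERROR on a missing PAM service name or failed
 * allocation, NGX_HTTP_INTERNAL_SERVER_ERROR when credential decoding
 * fails, the result of ngx_http_authnz_pam_return_www_auth() when no
 * credentials were sent, and otherwise the result of
 * ngx_http_pam_authenticate().  On any non-NGX_OK result from PAM the
 * request's user name is cleared.
 */
static ngx_int_t
ngx_http_authnz_pam_handler(ngx_http_request_t *r)
{
    ngx_int_t steps = 0;
    ngx_int_t rc;
    ngx_uint_t user_preset = 0;
    ngx_http_authnz_pam_loc_conf_t *loc_conf;
    u_char *name_buf, *pass_buf, *pass_src, *p;
    size_t name_len, pass_len;

    loc_conf = ngx_http_get_module_loc_conf(r, ngx_http_authnz_pam_module);

    if (loc_conf->active == 0) {
        return NGX_DECLINED;
    }

    if (loc_conf->pam_service_name.len == 0) {
        pam_authnz_log_error("pam_authnz: Empty PAM service name");
        return NGX_ERROR;
    }

    pam_authnz_debug1("pam_authnz: PAM service name is set to: %s",
                      loc_conf->pam_service_name.data);

    if (r->headers_in.user.len == 0) {
        if (loc_conf->basic_auth == 1) {
            pam_authnz_debug0("pam_authnz: Basic auth");
            rc = ngx_http_auth_basic_user(r);

            if (rc == NGX_DECLINED) {
                return ngx_http_authnz_pam_return_www_auth(r, &loc_conf->name);
            }

            if (rc == NGX_ERROR) {
                return NGX_HTTP_INTERNAL_SERVER_ERROR;
            }

            steps = _PAM_STEP_AUTH;
        } else {
            pam_authnz_debug0("pam_authnz: Nothing to do. Everything is lost.");
            return NGX_DECLINED;
        }
    } else {
        /*
         * NOTE(review): a user name that is already present skips
         * _PAM_STEP_AUTH, so only the account step runs.  That is safe only
         * if whatever populated headers_in.user verified the credentials;
         * ngx_http_auth_basic_user() appears to only decode them - confirm
         * nothing fills this field before the handler runs without
         * checking the password.
         */
        user_preset = 1;
    }

    /* The user name is everything up to the first ':' (bounded by len). */
    for (name_len = 0; name_len < r->headers_in.user.len; name_len++) {
        if (r->headers_in.user.data[name_len] == ':') {
            break;
        }
    }

    /*
     * The password is what follows the ':' up to the terminating NUL.  The
     * original counted the ':' itself in pass_len and then copied that many
     * bytes starting after the ':', reading one byte past the terminator.
     * Start the scan after the separator so the length is exact.
     * This still relies, as before, on user.data being NUL-terminated
     * beyond user.len - confirm for any non-Basic source of the field.
     */
    pass_src = &r->headers_in.user.data[name_len];
    if (*pass_src == ':') {
        pass_src++;
    }

    for (pass_len = 0; pass_src[pass_len] != '\0'; pass_len++) {
        /* length scan only */
    }

    name_buf = ngx_palloc(r->pool, name_len + 1);
    if (name_buf == NULL) {
        return NGX_ERROR;
    }

    p = ngx_cpymem(name_buf, r->headers_in.user.data, name_len);
    *p = '\0';

    /*
     * Log the isolated name only.  The original logged user.data directly,
     * which per the parsing above can also carry ":password".
     */
    if (user_preset) {
        pam_authnz_debug1("pam_authnz: User set to: %s", name_buf);
    }

    pass_buf = ngx_palloc(r->pool, pass_len + 1);
    if (pass_buf == NULL) {
        return NGX_ERROR;
    }

    p = ngx_cpymem(pass_buf, pass_src, pass_len);
    *p = '\0';

    /* The account step always runs, with or without the auth step. */
    steps = steps + _PAM_STEP_ACCOUNT;

    rc = ngx_http_pam_authenticate(r, steps, loc_conf,
                                   (const char *) name_buf,
                                   (const char *) pass_buf);

    /* Authentication or authorization failed - clear remote_user */
    if (rc != NGX_OK) {
        r->headers_in.user.data = (u_char *) "";
        r->headers_in.user.len = 0;
    }

    return rc;
}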