static int check_user_access(request_rec * r) { int m = r->method_number; const apr_array_header_t * reqs_arr = ap_requires(r); if (! reqs_arr) { return DECLINED; } require_line * reqs = (require_line *)reqs_arr->elts; int x; for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { continue; } const char * t = reqs[x].requirement; const char * w = ap_getword_white(r->pool, &t); if (!strcasecmp(w, "pam-account")) { const char * pam_service = ap_getword_conf(r->pool, &t); if (pam_service && strlen(pam_service)) { authn_status ret = pam_authenticate_with_login_password(r, pam_service, r->user, NULL, _PAM_STEP_ACCOUNT); if (ret == AUTH_GRANTED) { return OK; } } } } return DECLINED; }
/** * This hook is used to check to see if the resource being requested * is available for the authenticated user (r->user and r->ap_auth_type). * It runs after the access_checker and check_user_id hooks. Note that * it will *only* be called if Apache determines that access control has * been applied to this resource (through a 'Require' directive). * * @param r the current request * @return OK, DECLINED, or HTTP_... */ static int auth_checker(request_rec *r) { authnz_crowd_dir_config *config = get_config(r); if (config == NULL) { return HTTP_INTERNAL_SERVER_ERROR; } if (r->user == NULL) { ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "Authorisation requested, but no user provided."); return HTTP_INTERNAL_SERVER_ERROR; } /* Iterate over requirements */ const apr_array_header_t *requires = ap_requires(r); apr_array_header_t *user_groups = NULL; int x; for (x = 0; x < requires->nelts; x++) { require_line require = APR_ARRAY_IDX(requires, x, require_line); /* Ignore this requirement if it does not apply to the HTTP method used in the request. */ if (!(require.method_mask & (AP_METHOD_BIT << r->method_number))) { continue; } const char *next_word = require.requirement; /* Only process group requirements */ if (strcasecmp(ap_getword_white(r->pool, &next_word), "group") == 0) { /* Fetch groups only if actually needed. */ if (user_groups == NULL) { user_groups = crowd_user_groups(r->user, r, config->crowd_config); if (user_groups == NULL) { return HTTP_INTERNAL_SERVER_ERROR; } } /* Iterate over the groups mentioned in the requirement. */ while (*next_word != '\0') { const char *required_group = ap_getword_conf(r->pool, &next_word); /* Iterate over the user's groups. */ int y; for (y = 0; y < user_groups->nelts; y++) { const char *user_group = APR_ARRAY_IDX(user_groups, y, const char *); if (strcasecmp(user_group, required_group) == 0) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Granted authorisation to '%s' on the basis of membership of '%s'.", r->user, user_group); return OK; } } } } } ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, "Denied authorisation to '%s'.", r->user); return config->authoritative ? HTTP_UNAUTHORIZED : DECLINED; }
static int digest_check_auth(request_rec *r) { char *user = r->connection->user; int m = r->method_number; int method_restricted = 0; register int x; const char *t; char *w; array_header *reqs_arr; require_line *reqs; if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest")) return DECLINED; reqs_arr = ap_requires(r); /* If there is no "requires" directive, * then any user will do. */ if (!reqs_arr) return OK; reqs = (require_line *) reqs_arr->elts; for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (1 << m))) continue; method_restricted = 1; t = reqs[x].requirement; w = ap_getword(r->pool, &t, ' '); if (!strcmp(w, "valid-user")) return OK; else if (!strcmp(w, "user")) { while (t[0]) { w = ap_getword_conf(r->pool, &t); if (!strcmp(user, w)) return OK; } } else return DECLINED; } if (!method_restricted) return OK; ap_note_digest_auth_failure(r); return AUTH_REQUIRED; }
/************************************************** * Authorization phase (Apache 2.2) * * Requires authentication phase to run first. * * Handles Require persona-idp directives. **************************************************/ static int Auth_persona_check_auth(request_rec *r) { const apr_array_header_t *reqs_arr=NULL; require_line *reqs=NULL; register int x; const char *szRequireLine; char *szRequire_cmd; if (!persona_authn_active(r)) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ERRTAG "Auth_persona_check_auth"); /* get require line */ reqs_arr = ap_requires(r); reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; /* decline if no require line found */ if (!reqs_arr) return DECLINED; /* walk through the array to check each require command */ for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << r->method_number))) continue; /* get require line */ szRequireLine = reqs[x].requirement; ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG "Require Line is '%s'", szRequireLine); /* get the first word in require line */ szRequire_cmd = ap_getword_white(r->pool, &szRequireLine); ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG "Require Cmd is '%s'", szRequire_cmd); // persona-idp: check host part of user name if (!strcmp("persona-idp", szRequire_cmd)) { char *reqIdp = ap_getword_conf(r->pool, &szRequireLine); const char *issuer = apr_table_get(r->notes, PERSONA_ISSUER_NOTE); if (!issuer || strcmp(issuer, reqIdp)) { return HTTP_FORBIDDEN; } ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, ERRTAG "user '%s' is authorized", r->user); return OK; } } return DECLINED; }
// Check authentication type. static int is_auth_httprequest_required(request_rec* rec) { const apr_array_header_t* requires = ap_requires(rec); struct require_line* rl = (struct require_line*)requires->elts; int it; AP_LOG_DEBUG(rec, " Core::AuthType=%s", ap_auth_type(rec)); AP_LOG_DEBUG(rec, " Core::AuthName=%s", ap_auth_name(rec)); if(strcasecmp(ap_auth_type(rec), HR_AUTH)!=0) return FALSE; // Type is not match. for(it=0; it<requires->nelts; it++) { AP_LOG_DEBUG(rec, " Core::Requires[%d]=%s", it, rl[it].requirement); if(strcasecmp(rl[it].requirement, "valid-request")==0) return TRUE; // Found. } return FALSE; }
// redirect here // assertions here static int authz_guanxi_check_user_id(request_rec *r) { fprintf(stderr, "authz_guanxi_check_user_id\n"); fflush(stderr); r->ap_auth_type = "guanxi"; r->user = "******"; apr_table_set(r->headers_in, "REMOTE_USER", "testuser"); const apr_array_header_t *reqs_arr = ap_requires(r); require_line* reqs = (require_line*)reqs_arr->elts; for (int x=0; x<reqs_arr->nelts; x++) { fprintf(stderr, "req, %s\n", reqs[x].requirement); fflush(stderr); } return OK; }
static int mod_authopenid_check_user_access(request_rec *r) { modauthopenid_config *s_cfg; s_cfg = (modauthopenid_config *) ap_get_module_config(r->per_dir_config, &authopenid_module); char *user = r->user; int m = r->method_number; int required_user = 0; register int x; const char *t, *w; const apr_array_header_t *reqs_arr = ap_requires(r); require_line *reqs; if (!reqs_arr) return DECLINED; reqs = (require_line *)reqs_arr->elts; for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue; t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (!strcasecmp(w, "valid-user")) return OK; if (!strcasecmp(w, "user")) { required_user = 1; while (t[0]) { w = ap_getword_conf(r->pool, &t); if (!strcmp(user, w)) return OK; } } } if (!required_user) return DECLINED; APERR(r, "Access to %s failed: user '%s' invalid", r->uri, user); ap_note_auth_failure(r); return HTTP_UNAUTHORIZED; }
static int authz_unixgroup_check_user_access(request_rec *r) { authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *) ap_get_module_config(r->per_dir_config, &authz_unixgroup_module); int m= r->method_number; int required_group= 0; register int x; const char *t, *w; const apr_array_header_t *reqs_arr= ap_requires(r); const char *filegroup= NULL; require_line *reqs; /* If not enabled, pass */ if ( !dir->enabled ) return DECLINED; /* If there are no Require arguments, pass */ if (!reqs_arr) return DECLINED; reqs= (require_line *)reqs_arr->elts; /* Loop through the "Require" argument list */ for(x= 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue; t= reqs[x].requirement; w= ap_getword_white(r->pool, &t); /* The 'file-group' directive causes mod_authz_owner to store the * group name of the file we are trying to access in a note attached * to the request. It's our job to decide if the user actually is * in that group. If the note is missing, we just ignore it. * Probably mod_authz_owner is not installed. */ if ( !strcasecmp(w, "file-group")) { filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE); if (filegroup == NULL) continue; } if ( !strcmp(w,"group") || filegroup != NULL) { required_group= 1; if (filegroup) { /* Check if user is in the group that owns the file */ if (check_unix_group(r,filegroup)) return OK; } else if (t[0]) { /* Pass rest of require line to authenticator */ if (check_unix_group(r,t)) return OK; } } } /* If we didn't see a 'require group' or aren't authoritive, decline */ if (!required_group || !dir->authoritative) return DECLINED; /* Authentication failed and we are authoritive, declare unauthorized */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: user %s not allowed access", r->uri, r->user); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; }
static int dbm_check_auth(request_rec *r) { dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config, &auth_dbm_module); char *user = r->user; int m = r->method_number; const apr_array_header_t *reqs_arr = ap_requires(r); require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; register int x; const char *t; char *w; if (!conf->auth_dbmgrpfile) return DECLINED; if (!reqs_arr) return DECLINED; for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue; t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (!strcmp(w, "group") && conf->auth_dbmgrpfile) { const char *orig_groups, *groups; char *v; if (!(groups = get_dbm_grp(r, user, conf->auth_dbmgrpfile, conf->auth_dbmtype))) { if (!(conf->auth_dbmauthoritative)) return DECLINED; ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "user %s not in DBM group file %s: %s", user, conf->auth_dbmgrpfile, r->filename); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } orig_groups = groups; while (t[0]) { w = ap_getword_white(r->pool, &t); groups = orig_groups; while (groups[0]) { v = ap_getword(r->pool, &groups, ','); if (!strcmp(v, w)) return OK; } } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "user %s not in right group: %s", user, r->filename); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } } return DECLINED; }
static int pg_check_auth(request_rec * r) { pg_auth_config_rec *sec = (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_pgsql_module); char *user = r->user; int m = r->method_number; int group_result = DECLINED; apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r); require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; register int x, res; const char *t; char *w; pg_errstr[0] = '\0'; #ifdef DEBUG_AUTH_PGSQL ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ", user); #endif /* DEBUG_AUTH_PGSQL */ /* if we cannot do it; leave it to some other guy */ if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field) && (!sec->auth_pg_grp_user_field)) return DECLINED; if (!reqs_arr) { if (sec->auth_pg_authoritative) { /* force error and access denied */ apr_snprintf(pg_errstr, MAX_STRING_LEN, "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); res = HTTP_UNAUTHORIZED; } else { return DECLINED; } } for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (1 << m))) continue; t = reqs[x].requirement; w = ap_getword(r->pool, &t, ' '); if (!strcmp(w, "valid-user")) return OK; if (!strcmp(w, "user")) { while (t[0]) { w = ap_getword_conf(r->pool, &t); if (!strcmp(user, w)) return OK; } if (sec->auth_pg_authoritative) { /* force error and access denied */ apr_snprintf(pg_errstr, MAX_STRING_LEN, "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } } else if (!strcmp(w, "group")) { /* look up the membership for each of the groups in the table */ pg_errstr[0] = '\0'; while (t[0]) { if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) { group_result = OK; }; }; if (pg_errstr[0]) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); return HTTP_INTERNAL_SERVER_ERROR; } if (group_result == OK) return OK; if (sec->auth_pg_authoritative) { apr_snprintf(pg_errstr, MAX_STRING_LEN, "[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; }; } } return DECLINED; }
static int dbm_check_auth(request_rec *r) { dbm_auth_config_rec *sec = (dbm_auth_config_rec *) ap_get_module_config(r->per_dir_config, &dbm_auth_module); char *user = r->connection->user; int m = r->method_number; array_header *reqs_arr = ap_requires(r); require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; register int x; const char *t; char *w; if (!sec->auth_dbmgrpfile) return DECLINED; if (!reqs_arr) return DECLINED; for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (1 << m))) continue; t = reqs[x].requirement; w = ap_getword(r->pool, &t, ' '); if (!strcmp(w, "group") && sec->auth_dbmgrpfile) { const char *orig_groups, *groups; char *v; if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) { if (!(sec->auth_dbmauthoritative)) return DECLINED; ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, "user %s not in DBM group file %s: %s", user, sec->auth_dbmgrpfile, r->filename); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; } orig_groups = groups; while (t[0]) { w = ap_getword(r->pool, &t, ' '); groups = orig_groups; while (groups[0]) { v = ap_getword(r->pool, &groups, ','); if (!strcmp(v, w)) return OK; } } ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, "user %s not in right group: %s", user, r->filename); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; } } return DECLINED; }
static int check_file_owner(request_rec *r) { authz_owner_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_owner_module); int m = r->method_number; register int x; const char *t, *w; const apr_array_header_t *reqs_arr = ap_requires(r); require_line *reqs; int required_owner = 0; apr_status_t status = 0; char *reason = NULL; if (!reqs_arr) { return DECLINED; } reqs = (require_line *)reqs_arr->elts; for (x = 0; x < reqs_arr->nelts; x++) { /* if authoritative = On then break if a require already failed. */ if (reason && conf->authoritative) { break; } if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { continue; } t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (!strcmp(w, "file-owner")) { #if !APR_HAS_USER if ((required_owner & ~1) && conf->authoritative) { break; } required_owner |= 1; /* remember the requirement */ reason = "'Require file-owner' is not supported on this platform."; continue; #else /* APR_HAS_USER */ char *owner = NULL; apr_finfo_t finfo; if ((required_owner & ~1) && conf->authoritative) { break; } required_owner |= 1; /* remember the requirement */ if (!r->filename) { reason = "no filename available"; continue; } status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool); if (status != APR_SUCCESS) { reason = apr_pstrcat(r->pool, "could not stat file ", r->filename, NULL); continue; } if (!(finfo.valid & APR_FINFO_USER)) { reason = "no file owner information available"; continue; } status = apr_uid_name_get(&owner, finfo.user, r->pool); if (status != APR_SUCCESS || !owner) { reason = "could not get name of file owner"; continue; } if (strcmp(owner, r->user)) { reason = apr_psprintf(r->pool, "file owner %s does not match.", owner); continue; } /* this user is authorized */ return OK; #endif /* APR_HAS_USER */ } /* file-group only figures out the file's group and lets * other modules do the actual authorization (against a group file/db). * Thus, these modules have to hook themselves after * mod_authz_owner and of course recognize 'file-group', too. */ if (!strcmp(w, "file-group")) { #if !APR_HAS_USER if ((required_owner & ~6) && conf->authoritative) { break; } required_owner |= 2; /* remember the requirement */ reason = "'Require file-group' is not supported on this platform."; continue; #else /* APR_HAS_USER */ char *group = NULL; apr_finfo_t finfo; if ((required_owner & ~6) && conf->authoritative) { break; } required_owner |= 2; /* remember the requirement */ if (!r->filename) { reason = "no filename available"; continue; } status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool); if (status != APR_SUCCESS) { reason = apr_pstrcat(r->pool, "could not stat file ", r->filename, NULL); continue; } if (!(finfo.valid & APR_FINFO_GROUP)) { reason = "no file group information available"; continue; } status = apr_gid_name_get(&group, finfo.group, r->pool); if (status != APR_SUCCESS || !group) { reason = "could not get name of file group"; continue; } /* store group name in a note and let others decide... */ apr_table_setn(r->notes, AUTHZ_GROUP_NOTE, group); required_owner |= 4; continue; #endif /* APR_HAS_USER */ } } if (!required_owner || !conf->authoritative) { return DECLINED; } /* allow file-group passed to group db modules either if this is the * only applicable requirement here or if a file-owner failed but we're * not authoritative. * This allows configurations like: * * AuthzOwnerAuthoritative Off * require file-owner * require file-group * * with the semantical meaning of "either owner or group must match" * (inclusive or) * * [ 6 == 2 | 4; 7 == 1 | 2 | 4 ] should I use #defines instead? */ if (required_owner == 6 || (required_owner == 7 && !conf->authoritative)) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, "Authorization of user %s to access %s failed, reason: %s", r->user, r->uri, reason ? reason : "unknown"); ap_note_auth_failure(r); return HTTP_UNAUTHORIZED; }
static int check_user_access(request_rec *r) { auth_config_rec *sec = (auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_module); char *user = r->connection->user; int m = r->method_number; int method_restricted = 0; register int x; const char *t, *w; table *grpstatus; const array_header *reqs_arr = ap_requires(r); require_line *reqs; /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive, * then any user will do. */ if (reqs_arr == NULL) { return (OK); } reqs = (require_line *) reqs_arr->elts; if (sec->auth_grpfile) { grpstatus = groups_for_user(r->pool, user, sec->auth_grpfile); } else { grpstatus = NULL; } for (x = 0; x < reqs_arr->nelts; x++) { if (! (reqs[x].method_mask & (1 << m))) { continue; } method_restricted = 1; t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (strcmp(w, "valid-user") == 0) { return OK; } /* * If requested, allow access if the user is valid and the * owner of the document. */ if (strcmp(w, "file-owner") == 0) { #if defined(WIN32) || defined(NETWARE) || defined(OS2) ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r, "'Require file-owner' not supported " "on this platform, ignored"); continue; #else struct passwd *pwent; ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "checking for 'owner' access for file '%s'", r->filename); if (r->finfo.st_ino == 0) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "no stat info for '%s'", r->filename); continue; } pwent = getpwuid(r->finfo.st_uid); if (pwent == NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "no username for UID %d (owner of '%s')", r->finfo.st_uid, r->filename); } else { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "checking authenticated user '%s' " "against owner '%s' of '%s'", user, pwent->pw_name, r->filename); if (strcmp(user, pwent->pw_name) == 0) { return OK; } else { continue; } } #endif } if (strcmp(w, "file-group") == 0) { #if defined(WIN32) || defined(NETWARE) || defined(OS2) ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r, "'Require file-group' not supported " "on this platform, ignored"); continue; #else struct group *grent; if (sec->auth_grpfile == NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r, "no AuthGroupFile, so 'file-group' " "requirement cannot succeed for file '%s'", r->filename); continue; } if (grpstatus == NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r, "authenticated user '%s' not a member of " "any groups, so 'file-group' requirement " "cannot succeed for file '%s'", user, r->filename); continue; } ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "checking for 'group' access for file '%s'", r->filename); if (r->finfo.st_ino == 0) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "no stat info for '%s'", r->filename); continue; } grent = getgrgid(r->finfo.st_gid); if (grent == NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "no group name for GID %d (owner of '%s')", r->finfo.st_gid, r->filename); } else { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "checking groups of authenticated user '%s' " "against owner group '%s' of '%s'", user, grent->gr_name, r->filename); if (ap_table_get(grpstatus, grent->gr_name) != NULL) { return OK; } else { continue; } } #endif } if (strcmp(w, "user") == 0) { while (t[0] != '\0') { w = ap_getword_conf(r->pool, &t); if (strcmp(user, w) == 0) { return OK; } } } else if (strcmp(w, "group") == 0) { if (grpstatus == NULL) { return DECLINED; /* DBM group? Something else? */ } while (t[0]) { w = ap_getword_conf(r->pool, &t); if (ap_table_get(grpstatus, w)) { return OK; } } } else if (sec->auth_authoritative) { /* if we aren't authoritative, any require directive could be * valid even if we don't grok it. However, if we are * authoritative, we can warn the user they did something wrong. * That something could be a missing "AuthAuthoritative off", but * more likely is a typo in the require directive. */ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "access to %s failed, " "reason: unknown require directive:" "\"%s\"", r->uri, reqs[x].requirement); } } if (! method_restricted) { return OK; } if (! sec->auth_authoritative) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "access to %s failed, reason: user %s not allowed access", r->uri, user); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; }
static int check_user_access(request_rec *r) { auth_config_rec *conf = ap_get_module_config(r->per_dir_config, &auth_module); char *user = r->user; int m = r->method_number; int method_restricted = 0; register int x; const char *t, *w; apr_table_t *grpstatus; const apr_array_header_t *reqs_arr = ap_requires(r); require_line *reqs; /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive, * then any user will do. */ if (!reqs_arr) { return OK; } reqs = (require_line *)reqs_arr->elts; if (conf->auth_grpfile) { grpstatus = groups_for_user(r, user, conf->auth_grpfile); } else { grpstatus = NULL; } for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { continue; } method_restricted = 1; t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (!strcmp(w, "valid-user")) { return OK; } if (!strcmp(w, "user")) { while (t[0]) { w = ap_getword_conf(r->pool, &t); if (!strcmp(user, w)) { return OK; } } } else if (!strcmp(w, "group")) { if (!grpstatus) { return DECLINED; /* DBM group? Something else? */ } while (t[0]) { w = ap_getword_conf(r->pool, &t); if (apr_table_get(grpstatus, w)) { return OK; } } } else if (conf->auth_authoritative) { /* if we aren't authoritative, any require directive could be * valid even if we don't grok it. However, if we are * authoritative, we can warn the user they did something wrong. * That something could be a missing "AuthAuthoritative off", but * more likely is a typo in the require directive. */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: unknown require " "directive:\"%s\"", r->uri, reqs[x].requirement); } } if (!method_restricted) { return OK; } if (!(conf->auth_authoritative)) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: user %s not allowed access", r->uri, user); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; }