static int check_user_access(request_rec * r) {
int m = r->method_number;
const apr_array_header_t * reqs_arr = ap_requires(r);
if (! reqs_arr) {
return DECLINED;
}
require_line * reqs = (require_line *)reqs_arr->elts;
int x;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
continue;
}
const char * t = reqs[x].requirement;
const char * w = ap_getword_white(r->pool, &t);
if (!strcasecmp(w, "pam-account")) {
const char * pam_service = ap_getword_conf(r->pool, &t);
if (pam_service && strlen(pam_service)) {
authn_status ret = pam_authenticate_with_login_password(r, pam_service, r->user, NULL, _PAM_STEP_ACCOUNT);
if (ret == AUTH_GRANTED) {
return OK;
}
}
}
}
return DECLINED;
}
/**
* This hook is used to check to see if the resource being requested
* is available for the authenticated user (r->user and r->ap_auth_type).
* It runs after the access_checker and check_user_id hooks. Note that
* it will *only* be called if Apache determines that access control has
* been applied to this resource (through a 'Require' directive).
*
* @param r the current request
* @return OK, DECLINED, or HTTP_...
*/
static int auth_checker(request_rec *r) {
authnz_crowd_dir_config *config = get_config(r);
if (config == NULL) {
return HTTP_INTERNAL_SERVER_ERROR;
}
if (r->user == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "Authorisation requested, but no user provided.");
return HTTP_INTERNAL_SERVER_ERROR;
}
/* Iterate over requirements */
const apr_array_header_t *requires = ap_requires(r);
apr_array_header_t *user_groups = NULL;
int x;
for (x = 0; x < requires->nelts; x++) {
require_line require = APR_ARRAY_IDX(requires, x, require_line);
/* Ignore this requirement if it does not apply to the HTTP method used in the request. */
if (!(require.method_mask & (AP_METHOD_BIT << r->method_number))) {
continue;
}
const char *next_word = require.requirement;
/* Only process group requirements */
if (strcasecmp(ap_getword_white(r->pool, &next_word), "group") == 0) {
/* Fetch groups only if actually needed. */
if (user_groups == NULL) {
user_groups = crowd_user_groups(r->user, r, config->crowd_config);
if (user_groups == NULL) {
return HTTP_INTERNAL_SERVER_ERROR;
}
}
/* Iterate over the groups mentioned in the requirement. */
while (*next_word != '\0') {
const char *required_group = ap_getword_conf(r->pool, &next_word);
/* Iterate over the user's groups. */
int y;
for (y = 0; y < user_groups->nelts; y++) {
const char *user_group = APR_ARRAY_IDX(user_groups, y, const char *);
if (strcasecmp(user_group, required_group) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"Granted authorisation to '%s' on the basis of membership of '%s'.", r->user, user_group);
return OK;
}
}
}
}
}
ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, "Denied authorisation to '%s'.", r->user);
return config->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}
static int digest_check_auth(request_rec *r)
{
char *user = r->connection->user;
int m = r->method_number;
int method_restricted = 0;
register int x;
const char *t;
char *w;
array_header *reqs_arr;
require_line *reqs;
if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest"))
return DECLINED;
reqs_arr = ap_requires(r);
/* If there is no "requires" directive,
* then any user will do.
*/
if (!reqs_arr)
return OK;
reqs = (require_line *) reqs_arr->elts;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (1 << m)))
continue;
method_restricted = 1;
t = reqs[x].requirement;
w = ap_getword(r->pool, &t, ' ');
if (!strcmp(w, "valid-user"))
return OK;
else if (!strcmp(w, "user")) {
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (!strcmp(user, w))
return OK;
}
}
else
return DECLINED;
}
if (!method_restricted)
return OK;
ap_note_digest_auth_failure(r);
return AUTH_REQUIRED;
}
/**************************************************
* Authorization phase (Apache 2.2)
*
* Requires authentication phase to run first.
*
* Handles Require persona-idp directives.
**************************************************/
static int Auth_persona_check_auth(request_rec *r)
{
const apr_array_header_t *reqs_arr=NULL;
require_line *reqs=NULL;
register int x;
const char *szRequireLine;
char *szRequire_cmd;
if (!persona_authn_active(r)) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ERRTAG "Auth_persona_check_auth");
/* get require line */
reqs_arr = ap_requires(r);
reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
/* decline if no require line found */
if (!reqs_arr) return DECLINED;
/* walk through the array to check each require command */
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << r->method_number)))
continue;
/* get require line */
szRequireLine = reqs[x].requirement;
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG "Require Line is '%s'", szRequireLine);
/* get the first word in require line */
szRequire_cmd = ap_getword_white(r->pool, &szRequireLine);
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO, 0,r,ERRTAG "Require Cmd is '%s'", szRequire_cmd);
// persona-idp: check host part of user name
if (!strcmp("persona-idp", szRequire_cmd)) {
char *reqIdp = ap_getword_conf(r->pool, &szRequireLine);
const char *issuer = apr_table_get(r->notes, PERSONA_ISSUER_NOTE);
if (!issuer || strcmp(issuer, reqIdp)) {
return HTTP_FORBIDDEN;
}
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
ERRTAG "user '%s' is authorized", r->user);
return OK;
}
}
return DECLINED;
}
// Check authentication type.
static int is_auth_httprequest_required(request_rec* rec)
{
const apr_array_header_t* requires = ap_requires(rec);
struct require_line* rl = (struct require_line*)requires->elts;
int it;
AP_LOG_DEBUG(rec, " Core::AuthType=%s", ap_auth_type(rec));
AP_LOG_DEBUG(rec, " Core::AuthName=%s", ap_auth_name(rec));
if(strcasecmp(ap_auth_type(rec), HR_AUTH)!=0) return FALSE; // Type is not match.
for(it=0; it<requires->nelts; it++) {
AP_LOG_DEBUG(rec, " Core::Requires[%d]=%s", it, rl[it].requirement);
if(strcasecmp(rl[it].requirement, "valid-request")==0) return TRUE; // Found.
}
return FALSE;
}
// redirect here
// assertions here
static int authz_guanxi_check_user_id(request_rec *r) {
fprintf(stderr, "authz_guanxi_check_user_id\n");
fflush(stderr);
r->ap_auth_type = "guanxi";
r->user = "******";
apr_table_set(r->headers_in, "REMOTE_USER", "testuser");
const apr_array_header_t *reqs_arr = ap_requires(r);
require_line* reqs = (require_line*)reqs_arr->elts;
for (int x=0; x<reqs_arr->nelts; x++) {
fprintf(stderr, "req, %s\n", reqs[x].requirement);
fflush(stderr);
}
return OK;
}
static int mod_authopenid_check_user_access(request_rec *r) {
modauthopenid_config *s_cfg;
s_cfg = (modauthopenid_config *) ap_get_module_config(r->per_dir_config, &authopenid_module);
char *user = r->user;
int m = r->method_number;
int required_user = 0;
register int x;
const char *t, *w;
const apr_array_header_t *reqs_arr = ap_requires(r);
require_line *reqs;
if (!reqs_arr)
return DECLINED;
reqs = (require_line *)reqs_arr->elts;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m)))
continue;
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (!strcasecmp(w, "valid-user"))
return OK;
if (!strcasecmp(w, "user")) {
required_user = 1;
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (!strcmp(user, w))
return OK;
}
}
}
if (!required_user)
return DECLINED;
APERR(r, "Access to %s failed: user '%s' invalid", r->uri, user);
ap_note_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
static int authz_unixgroup_check_user_access(request_rec *r)
{
authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
ap_get_module_config(r->per_dir_config, &authz_unixgroup_module);
int m= r->method_number;
int required_group= 0;
register int x;
const char *t, *w;
const apr_array_header_t *reqs_arr= ap_requires(r);
const char *filegroup= NULL;
require_line *reqs;
/* If not enabled, pass */
if ( !dir->enabled ) return DECLINED;
/* If there are no Require arguments, pass */
if (!reqs_arr) return DECLINED;
reqs= (require_line *)reqs_arr->elts;
/* Loop through the "Require" argument list */
for(x= 0; x < reqs_arr->nelts; x++)
{
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue;
t= reqs[x].requirement;
w= ap_getword_white(r->pool, &t);
/* The 'file-group' directive causes mod_authz_owner to store the
* group name of the file we are trying to access in a note attached
* to the request. It's our job to decide if the user actually is
* in that group. If the note is missing, we just ignore it.
* Probably mod_authz_owner is not installed.
*/
if ( !strcasecmp(w, "file-group"))
{
filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
if (filegroup == NULL) continue;
}
if ( !strcmp(w,"group") || filegroup != NULL)
{
required_group= 1;
if (filegroup)
{
/* Check if user is in the group that owns the file */
if (check_unix_group(r,filegroup))
return OK;
}
else if (t[0])
{
/* Pass rest of require line to authenticator */
if (check_unix_group(r,t))
return OK;
}
}
}
/* If we didn't see a 'require group' or aren't authoritive, decline */
if (!required_group || !dir->authoritative)
return DECLINED;
/* Authentication failed and we are authoritive, declare unauthorized */
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"access to %s failed, reason: user %s not allowed access",
r->uri, r->user);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
static int dbm_check_auth(request_rec *r)
{
dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_dbm_module);
char *user = r->user;
int m = r->method_number;
const apr_array_header_t *reqs_arr = ap_requires(r);
require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
register int x;
const char *t;
char *w;
if (!conf->auth_dbmgrpfile)
return DECLINED;
if (!reqs_arr)
return DECLINED;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m)))
continue;
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (!strcmp(w, "group") && conf->auth_dbmgrpfile) {
const char *orig_groups, *groups;
char *v;
if (!(groups = get_dbm_grp(r, user, conf->auth_dbmgrpfile,
conf->auth_dbmtype))) {
if (!(conf->auth_dbmauthoritative))
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"user %s not in DBM group file %s: %s",
user, conf->auth_dbmgrpfile, r->filename);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
orig_groups = groups;
while (t[0]) {
w = ap_getword_white(r->pool, &t);
groups = orig_groups;
while (groups[0]) {
v = ap_getword(r->pool, &groups, ',');
if (!strcmp(v, w))
return OK;
}
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"user %s not in right group: %s",
user, r->filename);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
}
return DECLINED;
}
static int pg_check_auth(request_rec * r)
{
pg_auth_config_rec *sec =
(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
&auth_pgsql_module);
char *user = r->user;
int m = r->method_number;
int group_result = DECLINED;
apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r);
require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
register int x, res;
const char *t;
char *w;
pg_errstr[0] = '\0';
#ifdef DEBUG_AUTH_PGSQL
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ",
user);
#endif /* DEBUG_AUTH_PGSQL */
/* if we cannot do it; leave it to some other guy
*/
if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field)
&& (!sec->auth_pg_grp_user_field))
return DECLINED;
if (!reqs_arr) {
if (sec->auth_pg_authoritative) {
/* force error and access denied */
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
user);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
ap_note_basic_auth_failure(r);
res = HTTP_UNAUTHORIZED;
} else {
return DECLINED;
}
}
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (1 << m)))
continue;
t = reqs[x].requirement;
w = ap_getword(r->pool, &t, ' ');
if (!strcmp(w, "valid-user"))
return OK;
if (!strcmp(w, "user")) {
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (!strcmp(user, w))
return OK;
}
if (sec->auth_pg_authoritative) {
/* force error and access denied */
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
user);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
} else if (!strcmp(w, "group")) {
/* look up the membership for each of the groups in the table */
pg_errstr[0] = '\0';
while (t[0]) {
if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) {
group_result = OK;
};
};
if (pg_errstr[0]) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
return HTTP_INTERNAL_SERVER_ERROR;
}
if (group_result == OK)
return OK;
if (sec->auth_pg_authoritative) {
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)",
user);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
};
}
}
return DECLINED;
}
static int dbm_check_auth(request_rec *r)
{
dbm_auth_config_rec *sec =
(dbm_auth_config_rec *) ap_get_module_config(r->per_dir_config,
&dbm_auth_module);
char *user = r->connection->user;
int m = r->method_number;
array_header *reqs_arr = ap_requires(r);
require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
register int x;
const char *t;
char *w;
if (!sec->auth_dbmgrpfile)
return DECLINED;
if (!reqs_arr)
return DECLINED;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (1 << m)))
continue;
t = reqs[x].requirement;
w = ap_getword(r->pool, &t, ' ');
if (!strcmp(w, "group") && sec->auth_dbmgrpfile) {
const char *orig_groups, *groups;
char *v;
if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) {
if (!(sec->auth_dbmauthoritative))
return DECLINED;
ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
"user %s not in DBM group file %s: %s",
user, sec->auth_dbmgrpfile, r->filename);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
orig_groups = groups;
while (t[0]) {
w = ap_getword(r->pool, &t, ' ');
groups = orig_groups;
while (groups[0]) {
v = ap_getword(r->pool, &groups, ',');
if (!strcmp(v, w))
return OK;
}
}
ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
"user %s not in right group: %s",
user, r->filename);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
}
return DECLINED;
}
static int check_file_owner(request_rec *r)
{
authz_owner_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_owner_module);
int m = r->method_number;
register int x;
const char *t, *w;
const apr_array_header_t *reqs_arr = ap_requires(r);
require_line *reqs;
int required_owner = 0;
apr_status_t status = 0;
char *reason = NULL;
if (!reqs_arr) {
return DECLINED;
}
reqs = (require_line *)reqs_arr->elts;
for (x = 0; x < reqs_arr->nelts; x++) {
/* if authoritative = On then break if a require already failed. */
if (reason && conf->authoritative) {
break;
}
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
continue;
}
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (!strcmp(w, "file-owner")) {
#if !APR_HAS_USER
if ((required_owner & ~1) && conf->authoritative) {
break;
}
required_owner |= 1; /* remember the requirement */
reason = "'Require file-owner' is not supported on this platform.";
continue;
#else /* APR_HAS_USER */
char *owner = NULL;
apr_finfo_t finfo;
if ((required_owner & ~1) && conf->authoritative) {
break;
}
required_owner |= 1; /* remember the requirement */
if (!r->filename) {
reason = "no filename available";
continue;
}
status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool);
if (status != APR_SUCCESS) {
reason = apr_pstrcat(r->pool, "could not stat file ",
r->filename, NULL);
continue;
}
if (!(finfo.valid & APR_FINFO_USER)) {
reason = "no file owner information available";
continue;
}
status = apr_uid_name_get(&owner, finfo.user, r->pool);
if (status != APR_SUCCESS || !owner) {
reason = "could not get name of file owner";
continue;
}
if (strcmp(owner, r->user)) {
reason = apr_psprintf(r->pool, "file owner %s does not match.",
owner);
continue;
}
/* this user is authorized */
return OK;
#endif /* APR_HAS_USER */
}
/* file-group only figures out the file's group and lets
* other modules do the actual authorization (against a group file/db).
* Thus, these modules have to hook themselves after
* mod_authz_owner and of course recognize 'file-group', too.
*/
if (!strcmp(w, "file-group")) {
#if !APR_HAS_USER
if ((required_owner & ~6) && conf->authoritative) {
break;
}
required_owner |= 2; /* remember the requirement */
reason = "'Require file-group' is not supported on this platform.";
continue;
#else /* APR_HAS_USER */
char *group = NULL;
apr_finfo_t finfo;
if ((required_owner & ~6) && conf->authoritative) {
break;
}
required_owner |= 2; /* remember the requirement */
if (!r->filename) {
reason = "no filename available";
continue;
}
status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
if (status != APR_SUCCESS) {
reason = apr_pstrcat(r->pool, "could not stat file ",
r->filename, NULL);
continue;
}
if (!(finfo.valid & APR_FINFO_GROUP)) {
reason = "no file group information available";
continue;
}
status = apr_gid_name_get(&group, finfo.group, r->pool);
if (status != APR_SUCCESS || !group) {
reason = "could not get name of file group";
continue;
}
/* store group name in a note and let others decide... */
apr_table_setn(r->notes, AUTHZ_GROUP_NOTE, group);
required_owner |= 4;
continue;
#endif /* APR_HAS_USER */
}
}
if (!required_owner || !conf->authoritative) {
return DECLINED;
}
/* allow file-group passed to group db modules either if this is the
* only applicable requirement here or if a file-owner failed but we're
* not authoritative.
* This allows configurations like:
*
* AuthzOwnerAuthoritative Off
* require file-owner
* require file-group
*
* with the semantical meaning of "either owner or group must match"
* (inclusive or)
*
* [ 6 == 2 | 4; 7 == 1 | 2 | 4 ] should I use #defines instead?
*/
if (required_owner == 6 || (required_owner == 7 && !conf->authoritative)) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"Authorization of user %s to access %s failed, reason: %s",
r->user, r->uri, reason ? reason : "unknown");
ap_note_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
static int check_user_access(request_rec *r)
{
auth_config_rec *sec =
(auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_module);
char *user = r->connection->user;
int m = r->method_number;
int method_restricted = 0;
register int x;
const char *t, *w;
table *grpstatus;
const array_header *reqs_arr = ap_requires(r);
require_line *reqs;
/* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
* then any user will do.
*/
if (reqs_arr == NULL) {
return (OK);
}
reqs = (require_line *) reqs_arr->elts;
if (sec->auth_grpfile) {
grpstatus = groups_for_user(r->pool, user, sec->auth_grpfile);
}
else {
grpstatus = NULL;
}
for (x = 0; x < reqs_arr->nelts; x++) {
if (! (reqs[x].method_mask & (1 << m))) {
continue;
}
method_restricted = 1;
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (strcmp(w, "valid-user") == 0) {
return OK;
}
/*
* If requested, allow access if the user is valid and the
* owner of the document.
*/
if (strcmp(w, "file-owner") == 0) {
#if defined(WIN32) || defined(NETWARE) || defined(OS2)
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
"'Require file-owner' not supported "
"on this platform, ignored");
continue;
#else
struct passwd *pwent;
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
"checking for 'owner' access for file '%s'",
r->filename);
if (r->finfo.st_ino == 0) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
"no stat info for '%s'", r->filename);
continue;
}
pwent = getpwuid(r->finfo.st_uid);
if (pwent == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
"no username for UID %d (owner of '%s')",
r->finfo.st_uid, r->filename);
}
else {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
"checking authenticated user '%s' "
"against owner '%s' of '%s'",
user, pwent->pw_name, r->filename);
if (strcmp(user, pwent->pw_name) == 0) {
return OK;
}
else {
continue;
}
}
#endif
}
if (strcmp(w, "file-group") == 0) {
#if defined(WIN32) || defined(NETWARE) || defined(OS2)
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
"'Require file-group' not supported "
"on this platform, ignored");
continue;
#else
struct group *grent;
if (sec->auth_grpfile == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
"no AuthGroupFile, so 'file-group' "
"requirement cannot succeed for file '%s'",
r->filename);
continue;
}
if (grpstatus == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r,
"authenticated user '%s' not a member of "
"any groups, so 'file-group' requirement "
"cannot succeed for file '%s'",
user, r->filename);
continue;
}
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
"checking for 'group' access for file '%s'",
r->filename);
if (r->finfo.st_ino == 0) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
"no stat info for '%s'", r->filename);
continue;
}
grent = getgrgid(r->finfo.st_gid);
if (grent == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
"no group name for GID %d (owner of '%s')",
r->finfo.st_gid, r->filename);
}
else {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
"checking groups of authenticated user '%s' "
"against owner group '%s' of '%s'",
user, grent->gr_name, r->filename);
if (ap_table_get(grpstatus, grent->gr_name) != NULL) {
return OK;
}
else {
continue;
}
}
#endif
}
if (strcmp(w, "user") == 0) {
while (t[0] != '\0') {
w = ap_getword_conf(r->pool, &t);
if (strcmp(user, w) == 0) {
return OK;
}
}
}
else if (strcmp(w, "group") == 0) {
if (grpstatus == NULL) {
return DECLINED; /* DBM group? Something else? */
}
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (ap_table_get(grpstatus, w)) {
return OK;
}
}
}
else if (sec->auth_authoritative) {
/* if we aren't authoritative, any require directive could be
* valid even if we don't grok it. However, if we are
* authoritative, we can warn the user they did something wrong.
* That something could be a missing "AuthAuthoritative off", but
* more likely is a typo in the require directive.
*/
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"access to %s failed, "
"reason: unknown require directive:"
"\"%s\"", r->uri, reqs[x].requirement);
}
}
if (! method_restricted) {
return OK;
}
if (! sec->auth_authoritative) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"access to %s failed, reason: user %s not allowed access",
r->uri, user);
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
static int check_user_access(request_rec *r)
{
auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_module);
char *user = r->user;
int m = r->method_number;
int method_restricted = 0;
register int x;
const char *t, *w;
apr_table_t *grpstatus;
const apr_array_header_t *reqs_arr = ap_requires(r);
require_line *reqs;
/* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
* then any user will do.
*/
if (!reqs_arr) {
return OK;
}
reqs = (require_line *)reqs_arr->elts;
if (conf->auth_grpfile) {
grpstatus = groups_for_user(r, user, conf->auth_grpfile);
}
else {
grpstatus = NULL;
}
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
continue;
}
method_restricted = 1;
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (!strcmp(w, "valid-user")) {
return OK;
}
if (!strcmp(w, "user")) {
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (!strcmp(user, w)) {
return OK;
}
}
}
else if (!strcmp(w, "group")) {
if (!grpstatus) {
return DECLINED; /* DBM group? Something else? */
}
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (apr_table_get(grpstatus, w)) {
return OK;
}
}
}
else if (conf->auth_authoritative) {
/* if we aren't authoritative, any require directive could be
* valid even if we don't grok it. However, if we are
* authoritative, we can warn the user they did something wrong.
* That something could be a missing "AuthAuthoritative off", but
* more likely is a typo in the require directive.
*/
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"access to %s failed, reason: unknown require "
"directive:\"%s\"", r->uri, reqs[x].requirement);
}
}
if (!method_restricted) {
return OK;
}
if (!(conf->auth_authoritative)) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"access to %s failed, reason: user %s not allowed access",
r->uri, user);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
