
(-)a/mod_auth_pgsql.c (-155 / +41 lines)
Lines 109-114 Link Here
109
#include "http_request.h"
109
#include "http_request.h"
110
#include "util_script.h"
110
#include "util_script.h"
111
111
112
#include "mod_auth.h"
113
112
#ifdef WIN32
114
#ifdef WIN32
113
#define crypt apr_password_validate
115
#define crypt apr_password_validate
114
#else
116
#else
Lines 191-197 module AP_MODULE_DECLARE_DATA auth_pgsql_module; Link Here
191
193
192
194
193
static int pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, 
195
static int pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, 
194
		char *user, char *sent_pw);
196
		const char *user, const char *sent_pw);
195
static char *do_pg_query(request_rec * r, char *query, 
197
static char *do_pg_query(request_rec * r, char *query, 
196
		pg_auth_config_rec * sec);
198
		pg_auth_config_rec * sec);
197
199
Lines 442-450 static char pg_errstr[MAX_STRING_LEN]; Link Here
442
		  * failures separately
444
		  * failures separately
443
		  */
445
		  */
444
446
445
static char *auth_pg_md5(char *pw)
447
static char *auth_pg_md5(const char *pw)
446
{
448
{
447
	apr_md5_ctx_t ctx;
448
	unsigned char digest[APR_MD5_DIGESTSIZE];
449
	unsigned char digest[APR_MD5_DIGESTSIZE];
449
	static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1];
450
	static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1];
450
	int i;
451
	int i;
Lines 459-472 static char *auth_pg_md5(char *pw) Link Here
459
}
460
}
460
461
461
462
462
static char *auth_pg_base64(char *pw)
463
static char *auth_pg_base64(const char *pw)
463
{
464
{
464
	if (auth_pgsql_pool_base64 == NULL)
465
	if (auth_pgsql_pool_base64 == NULL)
465
		apr_pool_create_ex(&auth_pgsql_pool_base64, NULL, NULL, NULL);
466
		apr_pool_create_ex(&auth_pgsql_pool_base64, NULL, NULL, NULL);
466
	if (auth_pgsql_pool == NULL)
467
	if (auth_pgsql_pool == NULL)
467
		return NULL;
468
		return NULL;
468
469
469
	return ap_pbase64encode(auth_pgsql_pool, pw);
470
	/* NOTE: ap_pbase64encode is no change arg2. so removable const. */
471
	return ap_pbase64encode(auth_pgsql_pool, (char *)pw);
470
}
472
}
471
473
472
474
Lines 557-563 char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec) Link Here
557
559
558
		if (!check || strcmp(sec->auth_pg_charset, check)) {
560
		if (!check || strcmp(sec->auth_pg_charset, check)) {
559
			apr_snprintf(pg_errstr, MAX_STRING_LEN,
561
			apr_snprintf(pg_errstr, MAX_STRING_LEN,
560
						 "mod_auth_pgsql database character set encoding %s");
562
						 "mod_auth_pgsql database character set encoding %s",
563
						 check);
561
			PQfinish(pg_conn);
564
			PQfinish(pg_conn);
562
			return NULL;
565
			return NULL;
563
		}
566
		}
Lines 614-620 char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec) Link Here
614
	return result;
617
	return result;
615
}
618
}
616
619
617
char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec)
620
char *get_pg_pw(request_rec * r, const char *user, pg_auth_config_rec * sec)
618
{
621
{
619
	char query[MAX_STRING_LEN];
622
	char query[MAX_STRING_LEN];
620
	char *safe_user;
623
	char *safe_user;
Lines 755-773 static char *get_pg_grp(request_rec * r, char *group, char *user, Link Here
755
}
758
}
756
759
757
/* Process authentication request from Apache*/
760
/* Process authentication request from Apache*/
758
static int pg_authenticate_basic_user(request_rec * r)
761
static authn_status check_password(request_rec *r, const char *user,
762
                                   const char *password)
759
{
763
{
764
	
760
	pg_auth_config_rec *sec =
765
	pg_auth_config_rec *sec =
761
		(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
766
		(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
762
													&auth_pgsql_module);
767
													&auth_pgsql_module);
763
	char *val = NULL;
768
	const char *val = NULL;
764
	char *sent_pw, *real_pw;
769
	const char *sent_pw;
765
	int res;
770
	const char *real_pw;
766
	char *user;
771
	authn_status auth_res;
772
	
773
	sent_pw = password;
767
774
768
	if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw)))
769
		return res;
770
	user = r->user;
771
775
772
#ifdef DEBUG_AUTH_PGSQL
776
#ifdef DEBUG_AUTH_PGSQL
773
	ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
777
	ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
Lines 784-790 static int pg_authenticate_basic_user(request_rec * r) Link Here
784
	if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) {
788
	if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) {
785
		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
789
		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
786
					  "[mod_auth_pgsql.c] - missing configuration parameters");
790
					  "[mod_auth_pgsql.c] - missing configuration parameters");
787
		return DECLINED;
791
		return AUTH_GENERAL_ERROR;
788
	}
792
	}
789
	pg_errstr[0] = '\0';
793
	pg_errstr[0] = '\0';
790
794
Lines 809-830 static int pg_authenticate_basic_user(request_rec * r) Link Here
809
813
810
	if (!real_pw) {
814
	if (!real_pw) {
811
		if (pg_errstr[0]) {
815
		if (pg_errstr[0]) {
812
			res = HTTP_INTERNAL_SERVER_ERROR;
816
			auth_res = AUTH_GENERAL_ERROR;
813
		} else {
817
		} else {
814
			if (sec->auth_pg_authoritative) {
815
				/* force error and access denied */
818
				/* force error and access denied */
816
				apr_snprintf(pg_errstr, MAX_STRING_LEN,
819
				apr_snprintf(pg_errstr, MAX_STRING_LEN,
817
							 "mod_auth_pgsql: Password for user %s not found (PG-Authoritative)",
820
							 "mod_auth_pgsql: Password for user %s not found (PG-Authoritative)",
818
							 user);
821
							 user);
819
				ap_note_basic_auth_failure(r);
822
			auth_res = AUTH_USER_NOT_FOUND;
820
				res = HTTP_UNAUTHORIZED;
821
			} else {
822
				/* allow fall through to another module */
823
				return DECLINED;
824
			}
825
		}
823
		}
826
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
824
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
827
		return res;
825
		return auth_res;
828
	}
826
	}
829
827
830
	/* allow no password, if the flag is set and the password
828
	/* allow no password, if the flag is set and the password
Lines 836-842 static int pg_authenticate_basic_user(request_rec * r) Link Here
836
					 user);
834
					 user);
837
		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
835
		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
838
		pg_log_auth_user(r, sec, user, sent_pw);
836
		pg_log_auth_user(r, sec, user, sent_pw);
839
		return OK;
837
		return AUTH_GRANTED;
840
	};
838
	};
841
839
842
	/* if the flag is off however, keep that kind of stuff at
840
	/* if the flag is off however, keep that kind of stuff at
Lines 847-854 static int pg_authenticate_basic_user(request_rec * r) Link Here
847
					 "[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"",
845
					 "[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"",
848
					 user);
846
					 user);
849
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
847
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
850
		ap_note_basic_auth_failure(r);
848
		return AUTH_DENIED;
851
		return HTTP_UNAUTHORIZED;
852
	};
849
	};
853
850
854
	if (sec->auth_pg_encrypted)
851
	if (sec->auth_pg_encrypted)
Lines 877-884 static int pg_authenticate_basic_user(request_rec * r) Link Here
877
			apr_snprintf(pg_errstr, MAX_STRING_LEN,
874
			apr_snprintf(pg_errstr, MAX_STRING_LEN,
878
						 "PG user %s: password mismatch", user);
875
						 "PG user %s: password mismatch", user);
879
			ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
876
			ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
880
			ap_note_basic_auth_failure(r);
877
			return AUTH_DENIED;
881
			return HTTP_UNAUTHORIZED;
882
		}
878
		}
883
879
884
	/*  store password in the cache */
880
	/*  store password in the cache */
Lines 891-1020 static int pg_authenticate_basic_user(request_rec * r) Link Here
891
	}
887
	}
892
888
893
	pg_log_auth_user(r, sec, user, sent_pw);
889
	pg_log_auth_user(r, sec, user, sent_pw);
894
	return OK;
890
	return AUTH_GRANTED;
895
}
896
897
/* Checking ID */
898
899
static int pg_check_auth(request_rec * r)
900
{
901
	pg_auth_config_rec *sec =
902
		(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
903
													&auth_pgsql_module);
904
	char *user = r->user;
905
	int m = r->method_number;
906
	int group_result = DECLINED;
907
908
909
910
	apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r);
911
	require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
912
913
	register int x, res;
914
	const char *t;
915
	char *w;
916
917
	pg_errstr[0] = '\0';
918
919
#ifdef DEBUG_AUTH_PGSQL
920
	ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
921
				  "[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ",
922
				  user);
923
#endif							/* DEBUG_AUTH_PGSQL */
924
925
926
	if (!pg_conn) {
927
		if (!(pg_conn = pg_connect(sec))) {
928
			ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
929
			ap_note_basic_auth_failure(r);
930
			return HTTP_UNAUTHORIZED;
931
		}
932
	}
933
934
	/* if we cannot do it; leave it to some other guy 
935
	 */
936
	if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field)
937
		&& (!sec->auth_pg_grp_user_field))
938
		return DECLINED;
939
940
	if (!reqs_arr) {
941
		if (sec->auth_pg_authoritative) {
942
			/* force error and access denied */
943
			apr_snprintf(pg_errstr, MAX_STRING_LEN,
944
						 "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
945
						 user);
946
			ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
947
			ap_note_basic_auth_failure(r);
948
			res = HTTP_UNAUTHORIZED;
949
		} else {
950
			return DECLINED;
951
		}
952
	}
953
954
	for (x = 0; x < reqs_arr->nelts; x++) {
955
956
		if (!(reqs[x].method_mask & (1 << m)))
957
			continue;
958
959
		t = reqs[x].requirement;
960
		w = ap_getword(r->pool, &t, ' ');
961
962
		if (!strcmp(w, "valid-user"))
963
			return OK;
964
965
		if (!strcmp(w, "user")) {
966
			while (t[0]) {
967
				w = ap_getword_conf(r->pool, &t);
968
				if (!strcmp(user, w))
969
					return OK;
970
			}
971
			if (sec->auth_pg_authoritative) {
972
				/* force error and access denied */
973
				apr_snprintf(pg_errstr, MAX_STRING_LEN,
974
							 "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
975
							 user);
976
				ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
977
				ap_note_basic_auth_failure(r);
978
				return HTTP_UNAUTHORIZED;
979
			}
980
981
		} else if (!strcmp(w, "group")) {
982
			/* look up the membership for each of the groups in the table */
983
			pg_errstr[0] = '\0';
984
985
			while (t[0]) {
986
				if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) {
987
					group_result = OK;
988
				};
989
			};
990
991
			if (pg_errstr[0]) {
992
				ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
993
				return HTTP_INTERNAL_SERVER_ERROR;
994
			}
995
996
			if (group_result == OK)
997
				return OK;
998
999
			if (sec->auth_pg_authoritative) {
1000
				apr_snprintf(pg_errstr, MAX_STRING_LEN,
1001
							 "[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)",
1002
							 user);
1003
				ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
1004
				ap_note_basic_auth_failure(r);
1005
				return HTTP_UNAUTHORIZED;
1006
			};
1007
		}
1008
	}
1009
1010
	return DECLINED;
1011
}
891
}
1012
892
1013
1014
/* Send the authentication to the log table */
893
/* Send the authentication to the log table */
1015
int
894
int
1016
pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user,
895
pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, const char *user,
1017
				 char *sent_pw)
896
				 const char *sent_pw)
1018
{
897
{
1019
	char sql[MAX_STRING_LEN];
898
	char sql[MAX_STRING_LEN];
1020
	char *s;
899
	char *s;
Lines 1087-1093 pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user, Link Here
1087
					 sec->auth_pg_log_addrs_field);
966
					 sec->auth_pg_log_addrs_field);
1088
		strncat(fields, sql, MAX_STRING_LEN - strlen(fields) - 1);
967
		strncat(fields, sql, MAX_STRING_LEN - strlen(fields) - 1);
1089
		apr_snprintf(sql, MAX_STRING_LEN, ", '%s'",
968
		apr_snprintf(sql, MAX_STRING_LEN, ", '%s'",
1090
					 r->connection->remote_ip);
969
					 r->connection->client_ip);
1091
		strncat(values, sql, MAX_STRING_LEN - strlen(values) - 1);
970
		strncat(values, sql, MAX_STRING_LEN - strlen(values) - 1);
1092
	}
971
	}
1093
	if (sec->auth_pg_log_pwd_field) {	/* Password field , clear WARNING */
972
	if (sec->auth_pg_log_pwd_field) {	/* Password field , clear WARNING */
Lines 1140-1154 static void *pg_auth_server_config(apr_pool_t * p, server_rec * s) Link Here
1140
}
1019
}
1141
1020
1142
1021
1022
static const authn_provider authn_pgsql_provider =
1023
{
1024
    &check_password,
1025
    NULL,
1026
};
1027
1143
static void register_hooks(apr_pool_t * p)
1028
static void register_hooks(apr_pool_t * p)
1144
{
1029
{
1145
	ap_hook_post_config(pg_auth_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
1030
	ap_hook_post_config(pg_auth_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
1146
	ap_hook_auth_checker(pg_check_auth, NULL, NULL, APR_HOOK_MIDDLE);
1031
1147
	ap_hook_check_user_id(pg_authenticate_basic_user, NULL, NULL,
1032
	ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "pgsql",
1148
						  APR_HOOK_MIDDLE);
1033
								AUTHN_PROVIDER_VERSION,
1034
								&authn_pgsql_provider, AP_AUTH_INTERNAL_PER_CONF);
1149
};
1035
};
1150
1036
1151
module AP_MODULE_DECLARE_DATA auth_pgsql_module = {
1037
AP_DECLARE_MODULE(auth_pgsql) = {
1152
	STANDARD20_MODULE_STUFF,
1038
	STANDARD20_MODULE_STUFF,
1153
	create_pg_auth_dir_config,	/* dir config creater */
1039
	create_pg_auth_dir_config,	/* dir config creater */
1154
	NULL,						/* dir merger --- default is to override */
1040
	NULL,						/* dir merger --- default is to override */
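Review bot: Authorization against the pgsql group table is dropped without a replacement: the hunk at old lines 891-1020 deletes pg_check_auth and the register_hooks hunk (old 1143-1149) no longer installs it as an auth_checker, yet no authz provider is registered, so `Require user`/`Require group` lookups via get_pg_grp are no longer evaluated while the auth_pg_grp_* directives presumably still parse (the directive table is outside this diff). In httpd 2.4 that logic belongs in an `authz_provider` registered next to the authn one, e.g. `ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "pgsql-group" /* constructed name */, AUTHZ_PROVIDER_VERSION, &authz_pgsql_group_provider, AP_AUTH_INTERNAL_PER_CONF);` with a `check_authorization` callback wrapping get_pg_grp; if the removal is deliberate, the commit message and the directive handlers should say so rather than letting existing configurations change behaviour silently. A smaller point in check_password's `if (!real_pw)` branch (new lines 813-826): the `sec->auth_pg_authoritative` test is gone, but the message still reads "(PG-Authoritative)" and is logged at APLOG_ERR for what is now a routine AUTH_USER_NOT_FOUND handoff to the next provider; `"mod_auth_pgsql: Password for user %s not found"` at APLOG_INFO would describe it accurately. check_password begins in an earlier hunk and its body is split across several hunks here.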
