Lines 109-114
109 |
#include "http_request.h" |
109 |
#include "http_request.h" |
110 |
#include "util_script.h" |
110 |
#include "util_script.h" |
111 |
|
111 |
|
|
|
112 |
#include "mod_auth.h" |
113 |
|
112 |
#ifdef WIN32 |
114 |
#ifdef WIN32 |
113 |
#define crypt apr_password_validate |
115 |
#define crypt apr_password_validate |
114 |
#else |
116 |
#else |
Lines 191-197
module AP_MODULE_DECLARE_DATA auth_pgsql_module;
191 |
|
193 |
|
192 |
|
194 |
|
193 |
static int pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, |
195 |
static int pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, |
194 |
char *user, char *sent_pw); |
196 |
const char *user, const char *sent_pw); |
195 |
static char *do_pg_query(request_rec * r, char *query, |
197 |
static char *do_pg_query(request_rec * r, char *query, |
196 |
pg_auth_config_rec * sec); |
198 |
pg_auth_config_rec * sec); |
197 |
|
199 |
|
Lines 442-450
static char pg_errstr[MAX_STRING_LEN];
442 |
* failures separately |
444 |
* failures separately |
443 |
*/ |
445 |
*/ |
444 |
|
446 |
|
445 |
static char *auth_pg_md5(char *pw) |
447 |
static char *auth_pg_md5(const char *pw) |
446 |
{ |
448 |
{ |
447 |
apr_md5_ctx_t ctx; |
|
|
448 |
unsigned char digest[APR_MD5_DIGESTSIZE]; |
449 |
unsigned char digest[APR_MD5_DIGESTSIZE]; |
449 |
static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1]; |
450 |
static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1]; |
450 |
int i; |
451 |
int i; |
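Review bot: `auth_pg_md5` still returns its result through the file-static `md5hash` buffer (new line 450) while this commit ports the module to the 2.4 provider API, where threaded MPMs are the default; two requests hashing passwords at the same time can overwrite each other's hex string between the hash and the caller's comparison, which can turn a mismatch into a match. Unless something outside this hunk serialises callers, allocate the result per request instead, e.g. `char *md5hash = apr_palloc(r->pool, APR_MD5_DIGESTSIZE * 2 + 1);`, which needs a `request_rec *r` parameter added to the signature and its one prototype. The same consideration applies to the file-static `pg_errstr` shown in the hunk header. The function body continues past the hunk.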
Lines 459-472
static char *auth_pg_md5(char *pw)
459 |
} |
460 |
} |
460 |
|
461 |
|
461 |
|
462 |
|
462 |
static char *auth_pg_base64(char *pw) |
463 |
static char *auth_pg_base64(const char *pw) |
463 |
{ |
464 |
{ |
464 |
if (auth_pgsql_pool_base64 == NULL) |
465 |
if (auth_pgsql_pool_base64 == NULL) |
465 |
apr_pool_create_ex(&auth_pgsql_pool_base64, NULL, NULL, NULL); |
466 |
apr_pool_create_ex(&auth_pgsql_pool_base64, NULL, NULL, NULL); |
466 |
if (auth_pgsql_pool == NULL) |
467 |
if (auth_pgsql_pool == NULL) |
467 |
return NULL; |
468 |
return NULL; |
468 |
|
469 |
|
469 |
return ap_pbase64encode(auth_pgsql_pool, pw); |
470 |
/* NOTE: ap_pbase64encode is no change arg2. so removable const. */ |
|
|
471 |
return ap_pbase64encode(auth_pgsql_pool, (char *)pw); |
470 |
} |
472 |
} |
471 |
|
473 |
|
472 |
|
474 |
|
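Review bot: The comment added on new line 470 should state plainly why the cast on line 471 is safe, e.g. `/* ap_pbase64encode takes a non-const char * but does not modify it, so casting away const is safe. */`. Separately, the function creates `auth_pgsql_pool_base64` on line 465 but then tests and encodes from `auth_pgsql_pool` on lines 466–471; if that is not intentional the freshly created pool is never used, and the return value of `apr_pool_create_ex` is not checked either way. The commit only touches the signature, so this looks pre-existing, but it is worth confirming which pool the encoded string is meant to live in.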
Lines 557-563
char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
557 |
|
559 |
|
558 |
if (!check || strcmp(sec->auth_pg_charset, check)) { |
560 |
if (!check || strcmp(sec->auth_pg_charset, check)) { |
559 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
561 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
560 |
"mod_auth_pgsql database character set encoding %s"); |
562 |
"mod_auth_pgsql database character set encoding %s", |
|
|
563 |
check); |
561 |
PQfinish(pg_conn); |
564 |
PQfinish(pg_conn); |
562 |
return NULL; |
565 |
return NULL; |
563 |
} |
566 |
} |
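Review bot: The missing-argument fix on new lines 562–563 is correct, but the error path on lines 564–565 calls `PQfinish(pg_conn)` and returns without clearing the global; elsewhere the module only reconnects when `pg_conn` is NULL (see the removed `if (!pg_conn)` check in the old pg_check_auth), so a later query could reuse a finished connection. Add `pg_conn = NULL;` directly after `PQfinish(pg_conn);` unless a caller outside this hunk already resets it. do_pg_query starts and ends outside the hunk.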
Lines 614-620
char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
614 |
return result; |
617 |
return result; |
615 |
} |
618 |
} |
616 |
|
619 |
|
617 |
char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec) |
620 |
char *get_pg_pw(request_rec * r, const char *user, pg_auth_config_rec * sec) |
618 |
{ |
621 |
{ |
619 |
char query[MAX_STRING_LEN]; |
622 |
char query[MAX_STRING_LEN]; |
620 |
char *safe_user; |
623 |
char *safe_user; |
Lines 755-773
static char *get_pg_grp(request_rec * r, char *group, char *user,
755 |
} |
758 |
} |
756 |
|
759 |
|
757 |
/* Process authentication request from Apache*/ |
760 |
/* Process authentication request from Apache*/ |
758 |
static int pg_authenticate_basic_user(request_rec * r) |
761 |
static authn_status check_password(request_rec *r, const char *user, |
|
|
762 |
const char *password) |
759 |
{ |
763 |
{ |
|
|
764 |
|
760 |
pg_auth_config_rec *sec = |
765 |
pg_auth_config_rec *sec = |
761 |
(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, |
766 |
(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, |
762 |
&auth_pgsql_module); |
767 |
&auth_pgsql_module); |
763 |
char *val = NULL; |
768 |
const char *val = NULL; |
764 |
char *sent_pw, *real_pw; |
769 |
const char *sent_pw; |
765 |
int res; |
770 |
const char *real_pw; |
766 |
char *user; |
771 |
authn_status auth_res; |
|
|
772 |
|
773 |
sent_pw = password; |
767 |
|
774 |
|
768 |
if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw))) |
|
|
769 |
return res; |
770 |
user = r->user; |
771 |
|
775 |
|
772 |
#ifdef DEBUG_AUTH_PGSQL |
776 |
#ifdef DEBUG_AUTH_PGSQL |
773 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
777 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
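Review bot: `sent_pw` on new lines 769 and 773 is only an alias for the `password` parameter; under the provider API the caller already supplies the password, so the variable and the assignment `sent_pw = password;` are dead weight. Either use `password` directly in the later comparison and `pg_log_auth_user` calls, or name the parameter `sent_pw` to match the rest of the function. check_password's body continues past the hunk.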
Lines 784-790
static int pg_authenticate_basic_user(request_rec * r)
784 |
if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) { |
788 |
if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) { |
785 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
789 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
786 |
"[mod_auth_pgsql.c] - missing configuration parameters"); |
790 |
"[mod_auth_pgsql.c] - missing configuration parameters"); |
787 |
return DECLINED; |
791 |
return AUTH_GENERAL_ERROR; |
788 |
} |
792 |
} |
789 |
pg_errstr[0] = '\0'; |
793 |
pg_errstr[0] = '\0'; |
790 |
|
794 |
|
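Review bot: The change from `DECLINED` to `AUTH_GENERAL_ERROR` on new line 791 turns a missing table/field configuration from "let another module try" into a failure of the request (mod_auth_basic reports a general error as a server error, as far as I recall), and nothing in the hunk says why. A short comment above the return would keep the next reader from reverting it, e.g. `/* Provider API has no DECLINED: a provider named in AuthBasicProvider but lacking its table/field config is a configuration error. */`.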
Lines 809-830
static int pg_authenticate_basic_user(request_rec * r)
809 |
|
813 |
|
810 |
if (!real_pw) { |
814 |
if (!real_pw) { |
811 |
if (pg_errstr[0]) { |
815 |
if (pg_errstr[0]) { |
812 |
res = HTTP_INTERNAL_SERVER_ERROR; |
816 |
auth_res = AUTH_GENERAL_ERROR; |
813 |
} else { |
817 |
} else { |
814 |
if (sec->auth_pg_authoritative) { |
|
|
815 |
/* force error and access denied */ |
818 |
/* force error and access denied */ |
816 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
819 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
817 |
"mod_auth_pgsql: Password for user %s not found (PG-Authoritative)", |
820 |
"mod_auth_pgsql: Password for user %s not found (PG-Authoritative)", |
818 |
user); |
821 |
user); |
819 |
ap_note_basic_auth_failure(r); |
822 |
auth_res = AUTH_USER_NOT_FOUND; |
820 |
res = HTTP_UNAUTHORIZED; |
|
|
821 |
} else { |
822 |
/* allow fall through to another module */ |
823 |
return DECLINED; |
824 |
} |
825 |
} |
823 |
} |
826 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
824 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
827 |
return res; |
825 |
return auth_res; |
828 |
} |
826 |
} |
829 |
|
827 |
|
830 |
/* allow no password, if the flag is set and the password |
828 |
/* allow no password, if the flag is set and the password |
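Review bot: With the `auth_pg_authoritative` branch removed (old lines 814 and 821–824), new lines 819–822 log every unknown user at APLOG_ERR with a message that still says "(PG-Authoritative)", although the directive is no longer consulted here and `AUTH_USER_NOT_FOUND` already lets mod_auth_basic move on to the next provider. Drop the suffix and lower the level, e.g. `"mod_auth_pgsql: Password for user %s not found"` logged at `APLOG_INFO` (keeping `APLOG_ERR` only when `sec->auth_pg_authoritative` is set), so that a burst of bad usernames does not flood the error log and operators are not told a flag applies that no longer does. If `auth_pg_authoritative` stays as a directive, its reduced meaning needs documenting. check_password starts and ends outside the hunk.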
Lines 836-842
static int pg_authenticate_basic_user(request_rec * r)
836 |
user); |
834 |
user); |
837 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
835 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
838 |
pg_log_auth_user(r, sec, user, sent_pw); |
836 |
pg_log_auth_user(r, sec, user, sent_pw); |
839 |
return OK; |
837 |
return AUTH_GRANTED; |
840 |
}; |
838 |
}; |
841 |
|
839 |
|
842 |
/* if the flag is off however, keep that kind of stuff at |
840 |
/* if the flag is off however, keep that kind of stuff at |
Lines 847-854
static int pg_authenticate_basic_user(request_rec * r)
847 |
"[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"", |
845 |
"[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"", |
848 |
user); |
846 |
user); |
849 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
847 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
850 |
ap_note_basic_auth_failure(r); |
848 |
return AUTH_DENIED; |
851 |
return HTTP_UNAUTHORIZED; |
|
|
852 |
}; |
849 |
}; |
853 |
|
850 |
|
854 |
if (sec->auth_pg_encrypted) |
851 |
if (sec->auth_pg_encrypted) |
Lines 877-884
static int pg_authenticate_basic_user(request_rec * r)
877 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
874 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
878 |
"PG user %s: password mismatch", user); |
875 |
"PG user %s: password mismatch", user); |
879 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
876 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
880 |
ap_note_basic_auth_failure(r); |
877 |
return AUTH_DENIED; |
881 |
return HTTP_UNAUTHORIZED; |
|
|
882 |
} |
878 |
} |
883 |
|
879 |
|
884 |
/* store password in the cache */ |
880 |
/* store password in the cache */ |
Lines 891-1020
static int pg_authenticate_basic_user(request_rec * r)
891 |
} |
887 |
} |
892 |
|
888 |
|
893 |
pg_log_auth_user(r, sec, user, sent_pw); |
889 |
pg_log_auth_user(r, sec, user, sent_pw); |
894 |
return OK; |
890 |
return AUTH_GRANTED; |
895 |
} |
|
|
896 |
|
897 |
/* Checking ID */ |
898 |
|
899 |
static int pg_check_auth(request_rec * r) |
900 |
{ |
901 |
pg_auth_config_rec *sec = |
902 |
(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, |
903 |
&auth_pgsql_module); |
904 |
char *user = r->user; |
905 |
int m = r->method_number; |
906 |
int group_result = DECLINED; |
907 |
|
908 |
|
909 |
|
910 |
apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r); |
911 |
require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; |
912 |
|
913 |
register int x, res; |
914 |
const char *t; |
915 |
char *w; |
916 |
|
917 |
pg_errstr[0] = '\0'; |
918 |
|
919 |
#ifdef DEBUG_AUTH_PGSQL |
920 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
921 |
"[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ", |
922 |
user); |
923 |
#endif /* DEBUG_AUTH_PGSQL */ |
924 |
|
925 |
|
926 |
if (!pg_conn) { |
927 |
if (!(pg_conn = pg_connect(sec))) { |
928 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database"); |
929 |
ap_note_basic_auth_failure(r); |
930 |
return HTTP_UNAUTHORIZED; |
931 |
} |
932 |
} |
933 |
|
934 |
/* if we cannot do it; leave it to some other guy |
935 |
*/ |
936 |
if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field) |
937 |
&& (!sec->auth_pg_grp_user_field)) |
938 |
return DECLINED; |
939 |
|
940 |
if (!reqs_arr) { |
941 |
if (sec->auth_pg_authoritative) { |
942 |
/* force error and access denied */ |
943 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
944 |
"mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", |
945 |
user); |
946 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
947 |
ap_note_basic_auth_failure(r); |
948 |
res = HTTP_UNAUTHORIZED; |
949 |
} else { |
950 |
return DECLINED; |
951 |
} |
952 |
} |
953 |
|
954 |
for (x = 0; x < reqs_arr->nelts; x++) { |
955 |
|
956 |
if (!(reqs[x].method_mask & (1 << m))) |
957 |
continue; |
958 |
|
959 |
t = reqs[x].requirement; |
960 |
w = ap_getword(r->pool, &t, ' '); |
961 |
|
962 |
if (!strcmp(w, "valid-user")) |
963 |
return OK; |
964 |
|
965 |
if (!strcmp(w, "user")) { |
966 |
while (t[0]) { |
967 |
w = ap_getword_conf(r->pool, &t); |
968 |
if (!strcmp(user, w)) |
969 |
return OK; |
970 |
} |
971 |
if (sec->auth_pg_authoritative) { |
972 |
/* force error and access denied */ |
973 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
974 |
"mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", |
975 |
user); |
976 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
977 |
ap_note_basic_auth_failure(r); |
978 |
return HTTP_UNAUTHORIZED; |
979 |
} |
980 |
|
981 |
} else if (!strcmp(w, "group")) { |
982 |
/* look up the membership for each of the groups in the table */ |
983 |
pg_errstr[0] = '\0'; |
984 |
|
985 |
while (t[0]) { |
986 |
if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) { |
987 |
group_result = OK; |
988 |
}; |
989 |
}; |
990 |
|
991 |
if (pg_errstr[0]) { |
992 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
993 |
return HTTP_INTERNAL_SERVER_ERROR; |
994 |
} |
995 |
|
996 |
if (group_result == OK) |
997 |
return OK; |
998 |
|
999 |
if (sec->auth_pg_authoritative) { |
1000 |
apr_snprintf(pg_errstr, MAX_STRING_LEN, |
1001 |
"[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)", |
1002 |
user); |
1003 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); |
1004 |
ap_note_basic_auth_failure(r); |
1005 |
return HTTP_UNAUTHORIZED; |
1006 |
}; |
1007 |
} |
1008 |
} |
1009 |
|
1010 |
return DECLINED; |
1011 |
} |
891 |
} |
1012 |
|
892 |
|
1013 |
|
|
|
1014 |
/* Send the authentication to the log table */ |
893 |
/* Send the authentication to the log table */ |
1015 |
int |
894 |
int |
1016 |
pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user, |
895 |
pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, const char *user, |
1017 |
char *sent_pw) |
896 |
const char *sent_pw) |
1018 |
{ |
897 |
{ |
1019 |
char sql[MAX_STRING_LEN]; |
898 |
char sql[MAX_STRING_LEN]; |
1020 |
char *s; |
899 |
char *s; |
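Review bot: Deleting `pg_check_auth` (old lines 897–1011) removes the `Require user` / `Require group` evaluation backed by the `auth_pg_grp_*` table, and the hunk at Lines 1140-1154 registers only an `AUTHN_PROVIDER_GROUP` provider, so nothing replaces that authorization check. A site that relies on PostgreSQL group membership silently loses it after the port: requests either fall through to whatever other "group" provider is loaded or fail configuration, depending on the server. In 2.4 this belongs in an `authz_provider` registered under `AUTHZ_PROVIDER_GROUP` (for example as "pgsql-group") whose callback performs the `get_pg_grp` lookup, or else the removal and the now-dead `auth_pg_grp_*` directives must be documented and the config parser should reject them. The authoritative-denial behaviour that lived in that function also disappears without a note.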
Lines 1087-1093
pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user,
1087 |
sec->auth_pg_log_addrs_field); |
966 |
sec->auth_pg_log_addrs_field); |
1088 |
strncat(fields, sql, MAX_STRING_LEN - strlen(fields) - 1); |
967 |
strncat(fields, sql, MAX_STRING_LEN - strlen(fields) - 1); |
1089 |
apr_snprintf(sql, MAX_STRING_LEN, ", '%s'", |
968 |
apr_snprintf(sql, MAX_STRING_LEN, ", '%s'", |
1090 |
r->connection->remote_ip); |
969 |
r->connection->client_ip); |
1091 |
strncat(values, sql, MAX_STRING_LEN - strlen(values) - 1); |
970 |
strncat(values, sql, MAX_STRING_LEN - strlen(values) - 1); |
1092 |
} |
971 |
} |
1093 |
if (sec->auth_pg_log_pwd_field) { /* Password field , clear WARNING */ |
972 |
if (sec->auth_pg_log_pwd_field) { /* Password field , clear WARNING */ |
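Review bot: `r->connection->client_ip` on new line 969 is the 2.4 replacement for `remote_ip`, but it is the TCP peer address; behind a proxy with mod_remoteip the original client address is in `r->useragent_ip` on releases that have it, and an authentication log table usually wants that one. Decide deliberately and record it, e.g. `/* peer address of the connection, not the mod_remoteip-adjusted client address */`. Note that the value is interpolated into the SQL with `", '%s'"` via the surrounding strncat chain: `client_ip` is server-generated, but `useragent_ip` is derived from a request header, so if you switch it must go through whatever escaping the user field receives. pg_log_auth_user starts and ends outside the hunk.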
Lines 1140-1154
static void *pg_auth_server_config(apr_pool_t * p, server_rec * s)
1140 |
} |
1019 |
} |
1141 |
|
1020 |
|
1142 |
|
1021 |
|
|
|
1022 |
static const authn_provider authn_pgsql_provider = |
1023 |
{ |
1024 |
&check_password, |
1025 |
NULL, |
1026 |
}; |
1027 |
|
1143 |
static void register_hooks(apr_pool_t * p) |
1028 |
static void register_hooks(apr_pool_t * p) |
1144 |
{ |
1029 |
{ |
1145 |
ap_hook_post_config(pg_auth_init_handler, NULL, NULL, APR_HOOK_MIDDLE); |
1030 |
ap_hook_post_config(pg_auth_init_handler, NULL, NULL, APR_HOOK_MIDDLE); |
1146 |
ap_hook_auth_checker(pg_check_auth, NULL, NULL, APR_HOOK_MIDDLE); |
1031 |
|
1147 |
ap_hook_check_user_id(pg_authenticate_basic_user, NULL, NULL, |
1032 |
ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "pgsql", |
1148 |
APR_HOOK_MIDDLE); |
1033 |
AUTHN_PROVIDER_VERSION, |
|
|
1034 |
&authn_pgsql_provider, AP_AUTH_INTERNAL_PER_CONF); |
1149 |
}; |
1035 |
}; |
1150 |
|
1036 |
|
1151 |
module AP_MODULE_DECLARE_DATA auth_pgsql_module = { |
1037 |
AP_DECLARE_MODULE(auth_pgsql) = { |
1152 |
STANDARD20_MODULE_STUFF, |
1038 |
STANDARD20_MODULE_STUFF, |
1153 |
create_pg_auth_dir_config, /* dir config creater */ |
1039 |
create_pg_auth_dir_config, /* dir config creater */ |
1154 |
NULL, /* dir merger --- default is to override */ |
1040 |
NULL, /* dir merger --- default is to override */ |
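Review bot: The second member of `authn_pgsql_provider` on new line 1025 is a bare `NULL`; that slot is `get_realm_hash`, and leaving it NULL means the provider cannot serve mod_auth_digest, which deserves a word so nobody wires the provider into a Digest location and wonders why it fails, e.g. `NULL, /* get_realm_hash: digest auth not supported */`. The removal of `ap_hook_auth_checker` on old line 1146 without an authz replacement is raised on the hunk at Lines 891-1020.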