httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From n..@apache.org
Subject svn commit: r345389 - in /httpd/httpd/trunk/modules/aaa: config.m4 mod_authz_dbd.c mod_authz_dbd.h
Date Fri, 18 Nov 2005 00:42:13 GMT
Author: niq
Date: Thu Nov 17 16:42:08 2005
New Revision: 345389

URL: http://svn.apache.org/viewcvs?rev=345389&view=rev
Log:
mod_authz_dbd: SQL authz with Login/Session support

Added:
    httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
    httpd/httpd/trunk/modules/aaa/mod_authz_dbd.h
Modified:
    httpd/httpd/trunk/modules/aaa/config.m4

Modified: httpd/httpd/trunk/modules/aaa/config.m4
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/config.m4?rev=345389&r1=345388&r2=345389&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/config.m4 (original)
+++ httpd/httpd/trunk/modules/aaa/config.m4 Thu Nov 17 16:42:08 2005
@@ -31,6 +31,7 @@
 APACHE_MODULE(authz_user, 'require user' authorization control, , , yes)
 APACHE_MODULE(authz_dbm, DBM-based authorization control, , , most)
 APACHE_MODULE(authz_owner, 'require file-owner' authorization control, , , most)
+APACHE_MODULE(authz_dbd, SQL based authorization and Login/Session support, , , most)
 
 dnl LDAP authentication module. This module has both the authn and authz
 dnl modules in one, so as to share the LDAP server config directives.

Added: httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c?rev=345389&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c (added)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c Thu Nov 17 16:42:08 2005
@@ -0,0 +1,316 @@
+/* Copyright 2005 The Apache Software Foundation or its licensors, as
+ * applicable.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "httpd.h"
+#include "http_log.h"
+#include "http_config.h"
+#include "http_request.h"
+#include "http_protocol.h"
+#include "http_core.h"
+#include "apr_dbd.h"
+#include "mod_dbd.h"
+#include "apr_strings.h"
+#include "mod_authz_dbd.h"
+
+module AP_MODULE_DECLARE_DATA authz_dbd_module;
+
+/* Export a hook for modules that manage clientside sessions
+ * (e.g. mod_auth_cookie)
+ * to deal with those when we successfully login/logout at the server
+ */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(authz_dbd, AP, int, client_login,
+                            (request_rec *r, int code, const char *action),
+                            (r, code, action), OK, DECLINED)
+
+
+typedef struct {
+    const char *query;
+    const char *redir_query;
+    int redirect;
+    int authoritative;
+} authz_dbd_cfg ;
+
+static ap_dbd_t *(*dbd_handle)(request_rec*) = NULL;
+static void (*dbd_prepare)(server_rec*, const char*, const char*) = NULL;
+
+static const char *const noerror = "???";
+
+static void *authz_dbd_cr_cfg(apr_pool_t *pool, char *dummy)
+{
+    authz_dbd_cfg *ret = apr_pcalloc(pool, sizeof(authz_dbd_cfg));
+    ret->redirect = ret->authoritative = -1;
+    return ret;
+}
+static void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD)
+{
+    authz_dbd_cfg *base = BASE;
+    authz_dbd_cfg *add = ADD;
+    authz_dbd_cfg *ret = apr_palloc(pool, sizeof(authz_dbd_cfg));
+
+    ret->query = (add->query == NULL) ? base->query : add->query;
+    ret->redir_query = (add->redir_query == NULL)
+                            ? base->redir_query : add->redir_query;
+    ret->authoritative = (add->authoritative == -1)
+                            ? base->authoritative : add->authoritative;
+    ret->redirect = (add->redirect == -1) ? base->redirect : add->redirect;
+    return ret;
+}
+static const char *authz_dbd_prepare(cmd_parms *cmd, void *cfg,
+                                     const char *query)
+{
+    static unsigned int label_num = 0;
+    char *label;
+
+    if (dbd_prepare == NULL) {
+        dbd_prepare = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_prepare);
+        if (dbd_prepare == NULL) {
+            return "You must load mod_dbd to enable AuthzDBD functions";
+        }
+        dbd_handle = APR_RETRIEVE_OPTIONAL_FN(ap_dbd_acquire);
+    }
+    label = apr_psprintf(cmd->pool, "authz_dbd_%d", ++label_num);
+
+    dbd_prepare(cmd->server, query, label);
+
+    /* save the label here for our own use */
+    return ap_set_string_slot(cmd, cfg, label);
+}
+static const command_rec authz_dbd_cmds[] = {
+    AP_INIT_FLAG("AuthzDBDAuthoritative", ap_set_flag_slot,
+                 (void*)APR_OFFSETOF(authz_dbd_cfg, authoritative), ACCESS_CONF,
+                 "Whether dbd-group is authoritative"),
+    AP_INIT_FLAG("AuthzDBDLoginToReferer", ap_set_flag_slot,
+                 (void*)APR_OFFSETOF(authz_dbd_cfg, redirect), ACCESS_CONF,
+                 "Whether to redirect to referer on successful login"),
+    AP_INIT_TAKE1("AuthzDBDQuery", authz_dbd_prepare,
+                  (void*)APR_OFFSETOF(authz_dbd_cfg, query), ACCESS_CONF,
+                  "SQL query for DBD Authz or login"),
+    AP_INIT_TAKE1("AuthzDBDRedirectQuery", authz_dbd_prepare,
+                  (void*)APR_OFFSETOF(authz_dbd_cfg, redir_query), ACCESS_CONF,
+                  "SQL query to get per-user redirect URL after login"),
+    {NULL}
+};
+
+static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg,
+                           const char *action)
+{
+    int rv;
+    const char *newuri = NULL;
+    int nrows;
+    const char *message;
+    ap_dbd_t *dbd = dbd_handle(r);
+    apr_dbd_prepared_t *query;
+    apr_dbd_results_t *res = NULL;
+    apr_dbd_row_t *row = NULL;
+
+    if (cfg->query == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "No query configured for %s!", action);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+    query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING);
+    if (query == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "Error retrieving Query for %s!", action);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+
+    rv = apr_dbd_pvquery(dbd->driver, r->pool, dbd->handle, &nrows,
+                         query, r->user, NULL);
+    if (rv == 0) {
+        if (nrows != 1) {
+            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                          "authz_dbd: %s of user %s updated %d rows",
+                          action, r->user, nrows);
+        }
+    }
+    else {
+        message = apr_dbd_error(dbd->driver, dbd->handle, rv);
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "authz_dbd: query for %s failed; user %s [%s]",
+                      action, r->user, message?message:noerror);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+
+    if (cfg->redirect == 1) {
+        newuri = apr_table_get(r->headers_in, "Referer");
+    }
+
+    if (!newuri && cfg->redir_query) {
+        query = apr_hash_get(dbd->prepared, cfg->redir_query,
+                             APR_HASH_KEY_STRING);
+        if (query == NULL) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "authz_dbd: no redirect query!");
+            /* OK, this is non-critical; we can just not-redirect */
+        }
+        else if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
+                                  query, 0, r->user, NULL) == 0) {
+            for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
+                 rv != -1;
+                 rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
+                if (rv == 0) {
+                    newuri = apr_dbd_get_entry(dbd->driver, row, 0);
+                }
+                else {
+                    message = apr_dbd_error(dbd->driver, dbd->handle, rv);
+                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "authz_dbd in get_row; action=%s user=%s [%s]",
+                          action, r->user, message?message:noerror);
+                }
+            }
+        }
+        else {
+            message = apr_dbd_error(dbd->driver, dbd->handle, rv);
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "authz_dbd/redirect for %s of %s [%s]",
+                          action, r->user, message?message:noerror);
+        }
+    }
+    if (newuri != NULL) {
+        apr_table_set(r->err_headers_out, "Location", newuri);
+        rv = HTTP_MOVED_TEMPORARILY;
+    }
+    else {
+        rv = OK;
+    }
+    authz_dbd_run_client_login(r, rv, action);
+    return rv;
+}
+
+static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg,
+                                 apr_array_header_t *groups)
+{
+    /* SELECT group FROM authz WHERE user = %s */
+    int rv;
+    const char *message;
+    ap_dbd_t *dbd = dbd_handle(r);
+    apr_dbd_prepared_t *query;
+    apr_dbd_results_t *res = NULL;
+    apr_dbd_row_t *row = NULL;
+    const char **group;
+
+    if (cfg->query == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "No query configured for dbd-group!");
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+    query = apr_hash_get(dbd->prepared, cfg->query, APR_HASH_KEY_STRING);
+    if (query == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "Error retrieving query for dbd-group!");
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+    rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
+                          query, 0, r->user, NULL);
+    if (rv == 0) {
+        for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
+             rv != -1;
+             rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
+            if (rv == 0) {
+                group = apr_array_push(groups);
+                *group = apr_dbd_get_entry(dbd->driver, row, 0);
+            }
+            else {
+                message = apr_dbd_error(dbd->driver, dbd->handle, rv);
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                        "authz_dbd in get_row; group query for user=%s [%s]",
+                        r->user, message?message:noerror);
+                return HTTP_INTERNAL_SERVER_ERROR;
+            }
+        }
+    }
+    else {
+        message = apr_dbd_error(dbd->driver, dbd->handle, rv);
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "authz_dbd, in groups query for %s [%s]",
+                      r->user, message?message:noerror);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+    return OK;
+}
+static int authz_dbd_check(request_rec *r)
+{
+    int i, x, rv;
+    const char *w;
+    int m = r->method_number;
+    const apr_array_header_t *reqs_arr = ap_requires(r);
+    require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
+    apr_array_header_t *groups = NULL;
+    const char *t;
+    authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
+                                              &authz_dbd_module);
+
+    if (!reqs_arr) {
+        return DECLINED;
+    }
+
+    for (x = 0; x < reqs_arr->nelts; x++) {
+        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
+            continue;
+        }
+
+        t = reqs[x].requirement;
+        w = ap_getword_white(r->pool, &t);
+        if (!strcasecmp(w, "dbd-group")) {
+            if (groups == NULL) {
+                groups = apr_array_make(r->pool, 4, sizeof(const char*));
+                rv = authz_dbd_group_query(r, cfg, groups);
+                if (rv != OK) {
+                    return rv;
+                }
+            }
+            while (t[0]) {
+                w = ap_getword_white(r->pool, &t);
+                for (i=0; i < groups->nelts; ++i) {
+                    if (!strcmp(w, ((const char**)groups->elts)[i])) {
+                        return OK;
+                    }
+                }
+            }
+        }
+        else if (!strcasecmp(w, "dbd-login")) {
+            return authz_dbd_login(r, cfg, "login");
+        }
+        else if (!strcasecmp(w, "dbd-logout")) {
+            return authz_dbd_login(r, cfg, "logout");
+        }
+    }
+
+    if ((groups != NULL) && cfg->authoritative) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                   "authz_dbd: user %s denied access to %s",
+                   r->user, r->uri);
+        ap_note_auth_failure(r);
+        return HTTP_UNAUTHORIZED;
+    }
+    return DECLINED;
+}
+static void authz_dbd_hooks(apr_pool_t *p)
+{
+    ap_hook_auth_checker(authz_dbd_check, NULL, NULL, APR_HOOK_MIDDLE);
+}
+module AP_MODULE_DECLARE_DATA authz_dbd_module =
+{
+    STANDARD20_MODULE_STUFF,
+    authz_dbd_cr_cfg,
+    authz_dbd_merge_cfg,
+    NULL,
+    NULL,
+    authz_dbd_cmds,
+    authz_dbd_hooks
+};
+

Added: httpd/httpd/trunk/modules/aaa/mod_authz_dbd.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_dbd.h?rev=345389&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbd.h (added)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbd.h Thu Nov 17 16:42:08 2005
@@ -0,0 +1,23 @@
+/* Copyright 2000-2005 The Apache Software Foundation or its licensors, as
+ * applicable.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MOD_AUTHZ_DBD_H
+#define MOD_AUTHZ_DBD_H
+#include "httpd.h"
+
+APR_DECLARE_EXTERNAL_HOOK(authz_dbd, AP, int, client_login,
+                          (request_rec *r, int code, const char *action))
+#endif



Mime
View raw message