httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bnicho...@apache.org
Subject svn commit: r354979 - in /httpd/httpd/branches/authz-dev/modules/aaa: mod_authz_core.c mod_authz_owner.c
Date Thu, 08 Dec 2005 04:50:58 GMT
Author: bnicholes
Date: Wed Dec  7 20:50:45 2005
New Revision: 354979

URL: http://svn.apache.org/viewcvs?rev=354979&view=rev
Log:
Finish initial conversion of mod_authz_owner

Modified:
    httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c
    httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_owner.c

Modified: httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c?rev=354979&r1=354978&r2=354979&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c Wed Dec  7 20:50:45 2005
@@ -58,12 +58,12 @@
    anymore?
 - Determine of merge_authz_dir_config is even 
    necessary and remove if not
-- Split the authz type from the arguments when the
+X- Split the authz type from the arguments when the
    authz provider is registered and store the type
    in ->provider_name and the arguments in ->requirement
-- Move the check for METHOD_MASK out of the authz 
+X- Move the check for METHOD_MASK out of the authz 
    providers and into the provider vector
-- Change the status code to AUTHZ_DENIED, AUTHZ_GRANTED
+X- Change the status code to AUTHZ_DENIED, AUTHZ_GRANTED
    and AUTHZ_GENERAL_ERROR   
 - Determine if setting the AUTHZ_PROVIDER_NAME_NOTE note
    is even necessary.  This was used in authn to support

Modified: httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_owner.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_owner.c?rev=354979&r1=354978&r2=354979&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_owner.c (original)
+++ httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_owner.c Wed Dec  7 20:50:45 2005
@@ -33,6 +33,8 @@
     int authoritative;
 } authz_owner_config_rec;
 
+APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
+
 static void *create_authz_owner_dir_config(apr_pool_t *p, char *d)
 {
     authz_owner_config_rec *conf = apr_palloc(p, sizeof(*conf));
@@ -224,60 +226,125 @@
     return HTTP_UNAUTHORIZED;
 }
 #endif
+
 static authz_status fileowner_check_authorization(request_rec *r,
                                              const char *require_args)
 {
-#if !APR_HAS_USER
-    if ((required_owner & ~1) && conf->authoritative) {
-        break;
-    }
+    char *reason = NULL;
+    apr_status_t status = 0;
 
-    required_owner |= 1; /* remember the requirement */
+#if !APR_HAS_USER
     reason = "'Require file-owner' is not supported on this platform.";
-    continue;
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                  "Authorization of user %s to access %s failed, reason: %s",
+                  r->user, r->uri, reason ? reason : "unknown");
+    return AUTHZ_DENIED;
 #else  /* APR_HAS_USER */
     char *owner = NULL;
     apr_finfo_t finfo;
 
-    if ((required_owner & ~1) && conf->authoritative) {
-        break;
-    }
-
-    required_owner |= 1; /* remember the requirement */
-
     if (!r->filename) {
         reason = "no filename available";
-        continue;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return AUTHZ_DENIED;
     }
 
     status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool);
     if (status != APR_SUCCESS) {
         reason = apr_pstrcat(r->pool, "could not stat file ",
                                 r->filename, NULL);
-        continue;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return AUTHZ_DENIED;
     }
 
     if (!(finfo.valid & APR_FINFO_USER)) {
         reason = "no file owner information available";
-        continue;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return AUTHZ_DENIED;
     }
 
     status = apr_uid_name_get(&owner, finfo.user, r->pool);
     if (status != APR_SUCCESS || !owner) {
         reason = "could not get name of file owner";
-        continue;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return AUTHZ_DENIED;
     }
 
     if (strcmp(owner, r->user)) {
         reason = apr_psprintf(r->pool, "file owner %s does not match.",
                                 owner);
-        continue;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return AUTHZ_DENIED;
     }
 
     /* this user is authorized */
-    return OK;
+    return AUTHZ_GRANTED;
 #endif /* APR_HAS_USER */
+}
+
+static char *authz_owner_get_file_group(request_rec *r)
+{
+    char *reason = NULL;
+
+    /* file-group only figures out the file's group and lets
+    * other modules do the actual authorization (against a group file/db).
+    * Thus, these modules have to hook themselves after
+    * mod_authz_owner and of course recognize 'file-group', too.
+    */
+#if !APR_HAS_USER
+    return NULL;
+#else  /* APR_HAS_USER */
+    char *group = NULL;
+    apr_finfo_t finfo;
+    apr_status_t status = 0;
+
+    if (!r->filename) {
+        reason = "no filename available";
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return NULL;
     }
+
+    status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
+    if (status != APR_SUCCESS) {
+        reason = apr_pstrcat(r->pool, "could not stat file ",
+                                r->filename, NULL);
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return NULL;
+    }
+
+    if (!(finfo.valid & APR_FINFO_GROUP)) {
+        reason = "no file group information available";
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return NULL;
+    }
+
+    status = apr_gid_name_get(&group, finfo.group, r->pool);
+    if (status != APR_SUCCESS || !group) {
+        reason = "could not get name of file group";
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Authorization of user %s to access %s failed, reason: %s",
+                      r->user, r->uri, reason ? reason : "unknown");
+        return NULL;
+    }
+
+    return group;
+#endif /* APR_HAS_USER */
 }
 
 static const authz_provider authz_fileowner_provider =
@@ -287,10 +354,10 @@
 
 static void register_hooks(apr_pool_t *p)
 {
+    APR_REGISTER_OPTIONAL_FN(authz_owner_get_file_group);
+
     ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "file-owner", "0",
                          &authz_fileowner_provider);
-
-    ap_hook_auth_checker(check_file_owner, NULL, NULL, APR_HOOK_MIDDLE);
 }
 
 module AP_MODULE_DECLARE_DATA authz_owner_module =



Mime
View raw message