httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bnicho...@apache.org
Subject svn commit: r368027 [2/3] - in /httpd/httpd/trunk: docs/conf/ docs/conf/extra/ docs/manual/developer/ docs/manual/mod/ include/ modules/aaa/ server/
Date Wed, 11 Jan 2006 14:31:02 GMT
Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Wed Jan 11 06:30:28 2006
@@ -17,6 +17,7 @@
 #include "ap_provider.h"
 #include "httpd.h"
 #include "http_config.h"
+#include "ap_provider.h"
 #include "http_core.h"
 #include "http_log.h"
 #include "http_protocol.h"
@@ -45,9 +46,6 @@
 #if APR_HAS_THREADS
     apr_thread_mutex_t *lock;       /* Lock for this config */
 #endif
-    int auth_authoritative;         /* Is this auth method the one and only? */
-/*    int authz_enabled;              Is ldap authorization enabled in this directory? */
-
 
     /* These parameters are all derived from the AuthLDAPURL directive */
     char *url;                      /* String representation of the URL */
@@ -294,12 +292,6 @@
     sec->bindpw = NULL;
     sec->deref = always;
     sec->group_attrib_is_dn = 1;
-    sec->auth_authoritative = 1;
-
-/*
-    sec->frontpage_hack = 0;
-*/
-
     sec->secure = -1;   /*Initialize to unset*/
 
     sec->user_is_dn = 0;
@@ -448,23 +440,8 @@
     return AUTH_GRANTED;
 }
 
-/*
- * Authorisation Phase
- * -------------------
- *
- * After checking whether the username and password are correct, we need
- * to check whether that user is authorised to view this resource. The
- * require directive is used to do this:
- *
- *  require valid-user          Any authenticated is allowed in.
- *  require user <username>     This particular user is allowed in.
- *  require group <groupname>   The user must be a member of this group
- *                              in order to be allowed in.
- *  require dn <dn>             The user must have the following DN in the
- *                              LDAP tree to be let in.
- *
- */
-static int authz_ldap_check_user_access(request_rec *r)
+static authz_status ldapuser_check_authorization(request_rec *r,
+                                             const char *require_args)
 {
     int result = 0;
     authn_ldap_request_t *req =
@@ -473,28 +450,146 @@
         (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
 
     util_ldap_connection_t *ldc = NULL;
-    int m = r->method_number;
 
-    const apr_array_header_t *reqs_arr = ap_requires(r);
-    require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
-
-    register int x;
     const char *t;
-    char *w, *value;
-    int method_restricted = 0;
+    char *w;
 
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
     const char **vals = NULL;
 
-/*
-    if (!sec->enabled) {
-        return DECLINED;
+    if (!sec->have_ldap_url) {
+        return AUTHZ_DENIED;
     }
-*/
+
+    if (sec->host) {
+        ldc = util_ldap_connection_find(r, sec->host, sec->port,
+                                       sec->binddn, sec->bindpw, sec->deref,
+                                       sec->secure);
+        apr_pool_cleanup_register(r->pool, ldc,
+                                  authnz_ldap_cleanup_connection_close,
+                                  apr_pool_cleanup_null);
+    }
+    else {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+        return AUTHZ_DENIED;
+    }
+
+    /*
+     * If we have been authenticated by some other module than mod_authnz_ldap,
+     * the req structure needed for authorization needs to be created
+     * and populated with the userid and DN of the account in LDAP
+     */
+
+    /* Check that we have a userid to start with */
+    if ((!r->user) || (strlen(r->user) == 0)) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+            "ldap authorize: Userid is blank, AuthType=%s",
+            r->ap_auth_type);
+    }
+
+    if(!req) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+            "ldap authorize: Creating LDAP req structure");
+
+        /* Build the username filter */
+        authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+        /* Search for the user DN */
+        result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+             sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+        /* Search failed, log error and return failure */
+        if(result != LDAP_SUCCESS) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                "auth_ldap authorise: User DN not found, %s", ldc->reason);
+            return AUTHZ_DENIED;
+        }
+
+        req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+            sizeof(authn_ldap_request_t));
+        ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+        req->dn = apr_pstrdup(r->pool, dn);
+        req->user = r->user;
+    }
+
+    if (req->dn == NULL || strlen(req->dn) == 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                      "require user: user's DN has not been defined; failing authorization",
+                      getpid());
+        return AUTHZ_DENIED;
+    }
+
+    /*
+     * First do a whole-line compare, in case it's something like
+     *   require user Babs Jensen
+     */
+    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args);
+    switch(result) {
+        case LDAP_COMPARE_TRUE: {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                          "require user: authorization successful", getpid());
+            return AUTHZ_GRANTED;
+        }
+        default: {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "[%" APR_PID_T_FMT "] auth_ldap authorize: require user: "
+                          "authorization failed [%s][%s]", getpid(),
+                          ldc->reason, ldap_err2string(result));
+        }
+    }
+
+    /*
+     * Now break apart the line and compare each word on it
+     */
+    t = require_args;
+    while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+        result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
+        switch(result) {
+            case LDAP_COMPARE_TRUE: {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                              "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                              "require user: authorization successful", getpid());
+                return AUTHZ_GRANTED;
+            }
+            default: {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                              "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                              "require user: authorization failed [%s][%s]",
+                              getpid(), ldc->reason, ldap_err2string(result));
+            }
+        }
+    }
+
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                  "[%" APR_PID_T_FMT "] auth_ldap authorize: authorization denied", getpid());
+    return AUTHZ_DENIED;
+}
+
+static authz_status ldapgroup_check_authorization(request_rec *r,
+                                             const char *require_args)
+{
+    int result = 0;
+    authn_ldap_request_t *req =
+        (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+    authn_ldap_config_t *sec =
+        (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+    util_ldap_connection_t *ldc = NULL;
+
+    const char *t;
+
+    char filtbuf[FILTER_LENGTH];
+    const char *dn = NULL;
+    const char **vals = NULL;
+    struct mod_auth_ldap_groupattr_entry_t *ent;
+    int i;
 
     if (!sec->have_ldap_url) {
-        return DECLINED;
+        return AUTHZ_DENIED;
     }
 
     if (sec->host) {
@@ -507,8 +602,8 @@
     }
     else {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-                      "[%" APR_PID_T_FMT "] auth_ldap authorise: no sec->host - weird...?", getpid());
-        return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+        return AUTHZ_DENIED;
     }
 
     /*
@@ -529,12 +624,6 @@
 #endif
     }
 
-    if (!reqs_arr) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid());
-        return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
-    }
-
     /*
      * If we have been authenticated by some other module than mod_auth_ldap,
      * the req structure needed for authorization needs to be created
@@ -563,7 +652,7 @@
         if(result != LDAP_SUCCESS) {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                 "auth_ldap authorise: User DN not found, %s", ldc->reason);
-            return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+            return AUTHZ_DENIED;
         }
 
         req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
@@ -573,252 +662,416 @@
         req->user = r->user;
     }
 
-    /* Loop through the requirements array until there's no elements
-     * left, or something causes a return from inside the loop */
-    for(x=0; x < reqs_arr->nelts; x++) {
-        if (! (reqs[x].method_mask & (APR_INT64_C(1) << m))) {
-            continue;
+    ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
+
+    if (sec->group_attrib_is_dn) {
+        if (req->dn == NULL || strlen(req->dn) == 0) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
+                          "user's DN has not been defined; failing authorization",
+                          getpid());
+            return AUTHZ_DENIED;
         }
-        method_restricted = 1;
+    }
+    else {
+        if (req->user == NULL || strlen(req->user) == 0) {
+            /* We weren't called in the authentication phase, so we didn't have a
+             * chance to set the user field. Do so now. */
+            req->user = r->user;
+        }
+    }
+
+    t = require_args;
 
-        t = reqs[x].requirement;
-        w = ap_getword_white(r->pool, &t);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                  "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
+                  "testing for group membership in \"%s\"",
+                  getpid(), t);
 
-        if (strcmp(w, "ldap-user") == 0) {
-            if (req->dn == NULL || strlen(req->dn) == 0) {
+    for (i = 0; i < sec->groupattr->nelts; i++) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
+                      "testing for %s: %s (%s)", getpid(),
+                      ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
+
+        result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
+                             sec->group_attrib_is_dn ? req->dn : req->user);
+        switch(result) {
+            case LDAP_COMPARE_TRUE: {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                              "require user: user's DN has not been defined; failing authorisation",
-                              getpid());
-                return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+                              "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
+                              "authorization successful (attribute %s) [%s][%s]",
+                              getpid(), ent[i].name, ldc->reason, ldap_err2string(result));
+                return AUTHZ_GRANTED;
             }
-            /*
-             * First do a whole-line compare, in case it's something like
-             *   require user Babs Jensen
-             */
-            result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, t);
-            switch(result) {
-                case LDAP_COMPARE_TRUE: {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                  "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                  "require user: authorisation successful", getpid());
-                    return OK;
-                }
-                default: {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                  "[%" APR_PID_T_FMT "] auth_ldap authorise: require user: "
-                                  "authorisation failed [%s][%s]", getpid(),
-                                  ldc->reason, ldap_err2string(result));
-                }
-            }
-            /*
-             * Now break apart the line and compare each word on it
-             */
-            while (t[0]) {
-                w = ap_getword_conf(r->pool, &t);
-                result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
-                switch(result) {
-                    case LDAP_COMPARE_TRUE: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                      "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                      "require user: authorisation successful", getpid());
-                        return OK;
-                    }
-                    default: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                      "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                      "require user: authorisation failed [%s][%s]",
-                                      getpid(), ldc->reason, ldap_err2string(result));
-                    }
-                }
-            }
-        }
-        else if (strcmp(w, "ldap-dn") == 0) {
-            if (req->dn == NULL || strlen(req->dn) == 0) {
+            default: {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                              "require dn: user's DN has not been defined; failing authorisation",
-                              getpid());
-                return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+                              "[%" APR_PID_T_FMT "] auth_ldap authorize: require group \"%s\": "
+                              "authorization failed [%s][%s]",
+                              getpid(), t, ldc->reason, ldap_err2string(result));
             }
+        }
+    }
 
-            result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server);
-            switch(result) {
-                case LDAP_COMPARE_TRUE: {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                  "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                  "require dn: authorisation successful", getpid());
-                    return OK;
-                }
-                default: {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                  "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                  "require dn \"%s\": LDAP error [%s][%s]",
-                                  getpid(), t, ldc->reason, ldap_err2string(result));
-                }
-            }
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                  "[%" APR_PID_T_FMT "] auth_ldap authorize: authorization denied", getpid());
+
+    return AUTHZ_DENIED;
+}
+
+static authz_status ldapdn_check_authorization(request_rec *r,
+                                             const char *require_args)
+{
+    int result = 0;
+    authn_ldap_request_t *req =
+        (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+    authn_ldap_config_t *sec =
+        (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+    util_ldap_connection_t *ldc = NULL;
+
+    const char *t;
+
+    char filtbuf[FILTER_LENGTH];
+    const char *dn = NULL;
+    const char **vals = NULL;
+
+    if (!sec->have_ldap_url) {
+        return AUTHZ_DENIED;
+    }
+
+    if (sec->host) {
+        ldc = util_ldap_connection_find(r, sec->host, sec->port,
+                                       sec->binddn, sec->bindpw, sec->deref,
+                                       sec->secure);
+        apr_pool_cleanup_register(r->pool, ldc,
+                                  authnz_ldap_cleanup_connection_close,
+                                  apr_pool_cleanup_null);
+    }
+    else {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+        return AUTHZ_DENIED;
+    }
+
+    /*
+     * If we have been authenticated by some other module than mod_auth_ldap,
+     * the req structure needed for authorization needs to be created
+     * and populated with the userid and DN of the account in LDAP
+     */
+
+    /* Check that we have a userid to start with */
+    if ((!r->user) || (strlen(r->user) == 0)) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+            "ldap authorize: Userid is blank, AuthType=%s",
+            r->ap_auth_type);
+    }
+
+    if(!req) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+            "ldap authorize: Creating LDAP req structure");
+
+        /* Build the username filter */
+        authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+        /* Search for the user DN */
+        result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+             sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+        /* Search failed, log error and return failure */
+        if(result != LDAP_SUCCESS) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                "auth_ldap authorise: User DN not found, %s", ldc->reason);
+            return AUTHZ_DENIED;
         }
-        else if (strcmp(w, "ldap-group") == 0) {
-            struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
-            int i;
-
-            if (sec->group_attrib_is_dn) {
-                if (req->dn == NULL || strlen(req->dn) == 0) {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                  "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
-                                  "user's DN has not been defined; failing authorisation",
-                                  getpid());
-                    return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
-                }
-            }
-            else {
-                if (req->user == NULL || strlen(req->user) == 0) {
-                    /* We weren't called in the authentication phase, so we didn't have a
-                     * chance to set the user field. Do so now. */
-                    req->user = r->user;
-                }
-            }
 
+        req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+            sizeof(authn_ldap_request_t));
+        ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+        req->dn = apr_pstrdup(r->pool, dn);
+        req->user = r->user;
+    }
+
+    t = require_args;
+
+    if (req->dn == NULL || strlen(req->dn) == 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                      "require dn: user's DN has not been defined; failing authorization",
+                      getpid());
+        return AUTHZ_DENIED;
+    }
+
+    result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server);
+    switch(result) {
+        case LDAP_COMPARE_TRUE: {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                          "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
-                          "testing for group membership in \"%s\"",
-                          getpid(), t);
+                          "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                          "require dn: authorization successful", getpid());
+            return AUTHZ_GRANTED;
+        }
+        default: {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                          "require dn \"%s\": LDAP error [%s][%s]",
+                          getpid(), t, ldc->reason, ldap_err2string(result));
+        }
+    }
 
-            for (i = 0; i < sec->groupattr->nelts; i++) {
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
-                              "testing for %s: %s (%s)", getpid(),
-                              ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
-
-                result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
-                                     sec->group_attrib_is_dn ? req->dn : req->user);
-                switch(result) {
-                    case LDAP_COMPARE_TRUE: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                      "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
-                                      "authorisation successful (attribute %s) [%s][%s]",
-                                      getpid(), ent[i].name, ldc->reason, ldap_err2string(result));
-                        return OK;
-                    }
-                    default: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                      "[%" APR_PID_T_FMT "] auth_ldap authorise: require group \"%s\": "
-                                      "authorisation failed [%s][%s]",
-                                      getpid(), t, ldc->reason, ldap_err2string(result));
-                    }
-                }
-            }
+
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                  "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid());
+
+    return AUTHZ_DENIED;
+}
+
+static authz_status ldapattribute_check_authorization(request_rec *r,
+                                             const char *require_args)
+{
+    int result = 0;
+    authn_ldap_request_t *req =
+        (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+    authn_ldap_config_t *sec =
+        (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+    util_ldap_connection_t *ldc = NULL;
+
+    const char *t;
+    char *w, *value;
+
+    char filtbuf[FILTER_LENGTH];
+    const char *dn = NULL;
+    const char **vals = NULL;
+
+    if (!sec->have_ldap_url) {
+        return AUTHZ_DENIED;
+    }
+
+    if (sec->host) {
+        ldc = util_ldap_connection_find(r, sec->host, sec->port,
+                                       sec->binddn, sec->bindpw, sec->deref,
+                                       sec->secure);
+        apr_pool_cleanup_register(r->pool, ldc,
+                                  authnz_ldap_cleanup_connection_close,
+                                  apr_pool_cleanup_null);
+    }
+    else {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+        return AUTHZ_DENIED;
+    }
+
+    /*
+     * If we have been authenticated by some other module than mod_auth_ldap,
+     * the req structure needed for authorization needs to be created
+     * and populated with the userid and DN of the account in LDAP
+     */
+
+    /* Check that we have a userid to start with */
+    if ((!r->user) || (strlen(r->user) == 0)) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+            "ldap authorize: Userid is blank, AuthType=%s",
+            r->ap_auth_type);
+    }
+
+    if(!req) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+            "ldap authorize: Creating LDAP req structure");
+
+        /* Build the username filter */
+        authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+        /* Search for the user DN */
+        result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+             sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+        /* Search failed, log error and return failure */
+        if(result != LDAP_SUCCESS) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                "auth_ldap authorise: User DN not found, %s", ldc->reason);
+            return AUTHZ_DENIED;
         }
-        else if (strcmp(w, "ldap-attribute") == 0) {
-            if (req->dn == NULL || strlen(req->dn) == 0) {
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                              "require ldap-attribute: user's DN has not been defined; failing authorisation",
+
+        req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+            sizeof(authn_ldap_request_t));
+        ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+        req->dn = apr_pstrdup(r->pool, dn);
+        req->user = r->user;
+    }
+
+    if (req->dn == NULL || strlen(req->dn) == 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                      "require ldap-attribute: user's DN has not been defined; failing authorization",
+                      getpid());
+        return AUTHZ_DENIED;
+    }
+
+    t = require_args;
+    while (t[0]) {
+        w = ap_getword(r->pool, &t, '=');
+        value = ap_getword_conf(r->pool, &t);
+
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: checking attribute"
+                      " %s has value %s", getpid(), w, value);
+        result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value);
+        switch(result) {
+            case LDAP_COMPARE_TRUE: {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+                              0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                              "require attribute: authorization successful", 
                               getpid());
-                return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+                return AUTHZ_GRANTED;
             }
-            while (t[0]) {
-                w = ap_getword(r->pool, &t, '=');
-                value = ap_getword_conf(r->pool, &t);
-
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: checking attribute"
-                              " %s has value %s", getpid(), w, value);
-                result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
-                                                 w, value);
-                switch(result) {
-                    case LDAP_COMPARE_TRUE: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
-                                      0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                      "require attribute: authorisation "
-                                      "successful", getpid());
-                        return OK;
-                    }
-                    default: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
-                                      0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                      "require attribute: authorisation "
-                                      "failed [%s][%s]", getpid(),
-                                      ldc->reason, ldap_err2string(result));
-                    }
-                }
+            default: {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+                              0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                              "require attribute: authorization failed [%s][%s]", 
+                              getpid(), ldc->reason, ldap_err2string(result));
             }
         }
-        else if (strcmp(w, "ldap-filter") == 0) {
-            if (req->dn == NULL || strlen(req->dn) == 0) {
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                              "require ldap-filter: user's DN has not been defined; failing authorisation",
-                              getpid());
-                return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
-            }
-            if (t[0]) {
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: checking filter %s",
-                              getpid(), t);
+    }
 
-                /* Build the username filter */
-                authn_ldap_build_filter(filtbuf, r, req->user, t, sec);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                  "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid());
 
-                /* Search for the user DN */
-                result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
-                     sec->scope, sec->attributes, filtbuf, &dn, &vals);
-
-                /* Make sure that the filtered search returned the correct user dn */
-                if (result == LDAP_SUCCESS) {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                                  "[%" APR_PID_T_FMT "] auth_ldap authorise: checking dn match %s",
-                                  getpid(), dn);
-                    result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
-                         sec->compare_dn_on_server);
-                }
+    return AUTHZ_DENIED;
+}
 
-                switch(result) {
-                    case LDAP_COMPARE_TRUE: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
-                                      0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                      "require ldap-filter: authorisation "
-                                      "successful", getpid());
-                        return OK;
-                    }
-                    case LDAP_FILTER_ERROR: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
-                                      0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                      "require ldap-filter: %s authorisation "
-                                      "failed [%s][%s]", getpid(),
-                                      filtbuf, ldc->reason, ldap_err2string(result));
-                        break;
-                    }
-                    default: {
-                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
-                                      0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: "
-                                      "require ldap-filter: authorisation "
-                                      "failed [%s][%s]", getpid(),
-                                      ldc->reason, ldap_err2string(result));
-                    }
-                }
-            }
+static authz_status ldapfilter_check_authorization(request_rec *r,
+                                             const char *require_args)
+{
+    int result = 0;
+    authn_ldap_request_t *req =
+        (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+    authn_ldap_config_t *sec =
+        (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+    util_ldap_connection_t *ldc = NULL;
+    const char *t;
+
+    char filtbuf[FILTER_LENGTH];
+    const char *dn = NULL;
+    const char **vals = NULL;
+
+    if (!sec->have_ldap_url) {
+        return AUTHZ_DENIED;
+    }
+
+    if (sec->host) {
+        ldc = util_ldap_connection_find(r, sec->host, sec->port,
+                                       sec->binddn, sec->bindpw, sec->deref,
+                                       sec->secure);
+        apr_pool_cleanup_register(r->pool, ldc,
+                                  authnz_ldap_cleanup_connection_close,
+                                  apr_pool_cleanup_null);
+    }
+    else {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+        return AUTHZ_DENIED;
+    }
+
+    /*
+     * If we have been authenticated by some other module than mod_auth_ldap,
+     * the req structure needed for authorization needs to be created
+     * and populated with the userid and DN of the account in LDAP
+     */
+
+    /* Check that we have a userid to start with */
+    if ((!r->user) || (strlen(r->user) == 0)) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+            "ldap authorize: Userid is blank, AuthType=%s",
+            r->ap_auth_type);
+    }
+
+    if(!req) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+            "ldap authorize: Creating LDAP req structure");
+
+        /* Build the username filter */
+        authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+        /* Search for the user DN */
+        result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+             sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+        /* Search failed, log error and return failure */
+        if(result != LDAP_SUCCESS) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                "auth_ldap authorise: User DN not found, %s", ldc->reason);
+            return AUTHZ_DENIED;
         }
+
+        req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+            sizeof(authn_ldap_request_t));
+        ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+        req->dn = apr_pstrdup(r->pool, dn);
+        req->user = r->user;
     }
 
-    if (!method_restricted) {
+    if (req->dn == NULL || strlen(req->dn) == 0) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "[%" APR_PID_T_FMT "] auth_ldap authorise: agreeing because non-restricted",
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                      "require ldap-filter: user's DN has not been defined; failing authorization",
                       getpid());
-        return OK;
+        return AUTHZ_DENIED;
     }
 
-    if (!sec->auth_authoritative) {
+    t = require_args;
+
+    if (t[0]) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid());
-        return DECLINED;
+                      "[%" APR_PID_T_FMT "] auth_ldap authorize: checking filter %s",
+                      getpid(), t);
+
+        /* Build the username filter */
+        authn_ldap_build_filter(filtbuf, r, req->user, t, sec);
+
+        /* Search for the user DN */
+        result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+             sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+        /* Make sure that the filtered search returned the correct user dn */
+        if (result == LDAP_SUCCESS) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "[%" APR_PID_T_FMT "] auth_ldap authorize: checking dn match %s",
+                          getpid(), dn);
+            result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
+                 sec->compare_dn_on_server);
+        }
+
+        switch(result) {
+            case LDAP_COMPARE_TRUE: {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+                              0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                              "require ldap-filter: authorization "
+                              "successful", getpid());
+                return AUTHZ_GRANTED;
+            }
+            case LDAP_FILTER_ERROR: {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+                              0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                              "require ldap-filter: %s authorization "
+                              "failed [%s][%s]", getpid(),
+                              filtbuf, ldc->reason, ldap_err2string(result));
+                break;
+            }
+            default: {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+                              0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+                              "require ldap-filter: authorization "
+                              "failed [%s][%s]", getpid(),
+                              ldc->reason, ldap_err2string(result));
+            }
+        }
     }
 
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                  "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid());
-    ap_note_basic_auth_failure (r);
+                  "[%" APR_PID_T_FMT "] auth_ldap authorise: authorization denied", getpid());
 
-    return HTTP_UNAUTHORIZED;
+    return AUTHZ_DENIED;
 }
 
 
@@ -1032,11 +1285,6 @@
                  "DN of the remote user. By default, this is set to off, meaning that "
                  "the REMOTE_USER variable will contain whatever value the remote user sent."),
 
-    AP_INIT_FLAG("AuthzLDAPAuthoritative", ap_set_flag_slot,
-                 (void *)APR_OFFSETOF(authn_ldap_config_t, auth_authoritative), OR_AUTHCFG,
-                 "Set to 'off' to allow access control to be passed along to lower modules if "
-                 "the UserID and/or group is not known to this module"),
-
     AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,
                  (void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,
                  "Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "
@@ -1059,12 +1307,6 @@
                   "values \"never\", \"searching\", \"finding\", or \"always\". "
                   "Defaults to always."),
 
-/*
-    AP_INIT_FLAG("AuthLDAPAuthzEnabled", ap_set_flag_slot,
-                 (void *)APR_OFFSETOF(authn_ldap_config_t, authz_enabled), OR_AUTHCFG,
-                 "Set to off to disable the LDAP authorization handler, even if it's been enabled in a higher tree"),
-*/
-
     AP_INIT_TAKE1("AuthLDAPCharsetConfig", set_charset_config, NULL, RSRC_CONF,
                   "Character set conversion configuration file. If omitted, character set"
                   "conversion is disabled."),
@@ -1160,6 +1402,30 @@
     &authn_ldap_check_password,
 };
 
+static const authz_provider authz_ldapuser_provider =
+{
+    &ldapuser_check_authorization,
+};
+static const authz_provider authz_ldapgroup_provider =
+{
+    &ldapgroup_check_authorization,
+};
+
+static const authz_provider authz_ldapdn_provider =
+{
+    &ldapdn_check_authorization,
+};
+
+static const authz_provider authz_ldapattribute_provider =
+{
+    &ldapattribute_check_authorization,
+};
+
+static const authz_provider authz_ldapfilter_provider =
+{
+    &ldapfilter_check_authorization,
+};
+
 static void ImportULDAPOptFn(void)
 {
     util_ldap_connection_close  = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_close);
@@ -1173,12 +1439,23 @@
 
 static void register_hooks(apr_pool_t *p)
 {
-    static const char * const aszPost[]={ "mod_authz_user.c", NULL };
-
+    /* Register authn provider */
     ap_register_provider(p, AUTHN_PROVIDER_GROUP, "ldap", "0",
                          &authn_ldap_provider);
+
+    /* Register authz providers */
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-user", "0",
+                         &authz_ldapuser_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-group", "0",
+                         &authz_ldapgroup_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-dn", "0",
+                         &authz_ldapdn_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-attribute", "0",
+                         &authz_ldapattribute_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-filter", "0",
+                         &authz_ldapfilter_provider);
+
     ap_hook_post_config(authnz_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE);
-    ap_hook_auth_checker(authz_ldap_check_user_access, NULL, aszPost, APR_HOOK_MIDDLE);
 
     ap_hook_optional_fn_retrieve(ImportULDAPOptFn,NULL,NULL,APR_HOOK_MIDDLE);
 }

Copied: httpd/httpd/trunk/modules/aaa/mod_authz_core.c (from r360213, httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c)
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?p2=httpd/httpd/trunk/modules/aaa/mod_authz_core.c&p1=httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c&r1=360213&r2=368027&rev=368027&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Wed Jan 11 06:30:28 2006
@@ -70,23 +70,23 @@
    is even necessary.  This was used in authn to support
    authn_alias.  Is there a need for an authz_alias?
 X- Remove the Satisfy directive functionality and replace it with the
-   <RequireAll>, <RequireOne> directives
+   <SatisfyAll>, <SatisfyOne> directives
 X- Remove the Satisfy directive 
-X- Implement the <RequireAll> <RequireOne> block directives
+X- Implement the <SatisfyAll> <SatisfyOne> block directives
    to handle the 'and' and 'or' logic for authorization.
 X- Remove the AuthzXXXAuthoritative directives from all of
    the authz providers
 X- Implement the Reject directive that will deny authorization
    if the argument is true
-X- Fold the Reject directive into the <RequireAll> <RequireOne>
+X- Fold the Reject directive into the <SatisfyAll> <SatisfyOne>
    logic
 X- Reimplement the host based authorization 'allow', 'deny'
    and 'order' as authz providers   
 X- Remove the 'allow', 'deny' and 'order' directives      
 - Merge mod_authn_alias into mod_authn_core
-- Remove all of the references to the authzxxxAuthoritative
+X- Remove all of the references to the authzxxxAuthoritative
    directives from the documentation
-- Remove the Satisfy directive from the documentation
+X- Remove the Satisfy directive from the documentation
 */
 
 typedef struct provider_alias_rec {
@@ -414,7 +414,7 @@
        the req_state and the level will allow it to traverse the list to find
        the last element in the provider calling list. */
     old_reqstate = conf->req_state;
-    if (strcasecmp (cmd->directive->directive, "<RequireAll") == 0) {
+    if (strcasecmp (cmd->directive->directive, "<SatisfyAll") == 0) {
         conf->req_state = AUTHZ_REQSTATE_ALL;
     }
     else {
@@ -445,10 +445,10 @@
     AP_INIT_RAW_ARGS("<RequireAlias", authz_require_alias_section, NULL, RSRC_CONF,
                      "Container for authorization directives grouped under "
                      "an authz provider alias"),
-    AP_INIT_RAW_ARGS("<RequireAll", authz_require_section, NULL, OR_AUTHCFG,
+    AP_INIT_RAW_ARGS("<SatisfyAll", authz_require_section, NULL, OR_AUTHCFG,
                      "Container for grouping require statements that must all " 
                      "succeed for authorization to be granted"),
-    AP_INIT_RAW_ARGS("<RequireOne", authz_require_section, NULL, OR_AUTHCFG,
+    AP_INIT_RAW_ARGS("<SatisfyOne", authz_require_section, NULL, OR_AUTHCFG,
                      "Container for grouping require statements of which one " 
                      "must succeed for authorization to be granted"),
     {NULL}

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c Wed Jan 11 06:30:28 2006
@@ -17,6 +17,7 @@
 #include "httpd.h"
 #include "http_log.h"
 #include "http_config.h"
+#include "ap_provider.h"
 #include "http_request.h"
 #include "http_protocol.h"
 #include "http_core.h"
@@ -25,6 +26,9 @@
 #include "apr_strings.h"
 #include "mod_authz_dbd.h"
 
+#include "mod_auth.h"
+
+
 module AP_MODULE_DECLARE_DATA authz_dbd_module;
 
 /* Export a hook for modules that manage clientside sessions
@@ -40,7 +44,6 @@
     const char *query;
     const char *redir_query;
     int redirect;
-    int authoritative;
 } authz_dbd_cfg ;
 
 static ap_dbd_t *(*dbd_handle)(request_rec*) = NULL;
@@ -51,7 +54,7 @@
 static void *authz_dbd_cr_cfg(apr_pool_t *pool, char *dummy)
 {
     authz_dbd_cfg *ret = apr_pcalloc(pool, sizeof(authz_dbd_cfg));
-    ret->redirect = ret->authoritative = -1;
+    ret->redirect = -1;
     return ret;
 }
 static void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD)
@@ -63,8 +66,6 @@
     ret->query = (add->query == NULL) ? base->query : add->query;
     ret->redir_query = (add->redir_query == NULL)
                             ? base->redir_query : add->redir_query;
-    ret->authoritative = (add->authoritative == -1)
-                            ? base->authoritative : add->authoritative;
     ret->redirect = (add->redirect == -1) ? base->redirect : add->redirect;
     return ret;
 }
@@ -89,9 +90,6 @@
     return ap_set_string_slot(cmd, cfg, label);
 }
 static const command_rec authz_dbd_cmds[] = {
-    AP_INIT_FLAG("AuthzDBDAuthoritative", ap_set_flag_slot,
-                 (void*)APR_OFFSETOF(authz_dbd_cfg, authoritative), ACCESS_CONF,
-                 "Whether dbd-group is authoritative"),
     AP_INIT_FLAG("AuthzDBDLoginToReferer", ap_set_flag_slot,
                  (void*)APR_OFFSETOF(authz_dbd_cfg, redirect), ACCESS_CONF,
                  "Whether to redirect to referer on successful login"),
@@ -181,6 +179,7 @@
         }
     }
     if (newuri != NULL) {
+        r->status = HTTP_MOVED_TEMPORARILY;
         apr_table_set(r->err_headers_out, "Location", newuri);
         rv = HTTP_MOVED_TEMPORARILY;
     }
@@ -242,67 +241,82 @@
     }
     return OK;
 }
-static int authz_dbd_check(request_rec *r)
+
+static authz_status dbdgroup_check_authorization(request_rec *r,
+                                              const char *require_args)
 {
-    int i, x, rv;
+    int i, rv;
     const char *w;
-    int m = r->method_number;
-    const apr_array_header_t *reqs_arr = ap_requires(r);
-    require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
     apr_array_header_t *groups = NULL;
     const char *t;
     authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
                                               &authz_dbd_module);
 
-    if (!reqs_arr) {
-        return DECLINED;
-    }
-
-    for (x = 0; x < reqs_arr->nelts; x++) {
-        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
-            continue;
+    if (groups == NULL) {
+        groups = apr_array_make(r->pool, 4, sizeof(const char*));
+        rv = authz_dbd_group_query(r, cfg, groups);
+        if (rv != OK) {
+            return AUTHZ_GENERAL_ERROR;
         }
+    }
 
-        t = reqs[x].requirement;
+    t = require_args;
+    while (t[0]) {
         w = ap_getword_white(r->pool, &t);
-        if (!strcasecmp(w, "dbd-group")) {
-            if (groups == NULL) {
-                groups = apr_array_make(r->pool, 4, sizeof(const char*));
-                rv = authz_dbd_group_query(r, cfg, groups);
-                if (rv != OK) {
-                    return rv;
-                }
+        for (i=0; i < groups->nelts; ++i) {
+            if (!strcmp(w, ((const char**)groups->elts)[i])) {
+                return AUTHZ_GRANTED;
             }
-            while (t[0]) {
-                w = ap_getword_white(r->pool, &t);
-                for (i=0; i < groups->nelts; ++i) {
-                    if (!strcmp(w, ((const char**)groups->elts)[i])) {
-                        return OK;
-                    }
-                }
-            }
-        }
-        else if (!strcasecmp(w, "dbd-login")) {
-            return authz_dbd_login(r, cfg, "login");
-        }
-        else if (!strcasecmp(w, "dbd-logout")) {
-            return authz_dbd_login(r, cfg, "logout");
         }
     }
 
-    if ((groups != NULL) && cfg->authoritative) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                   "authz_dbd: user %s denied access to %s",
-                   r->user, r->uri);
-        ap_note_auth_failure(r);
-        return HTTP_UNAUTHORIZED;
-    }
-    return DECLINED;
+    return AUTHZ_DENIED;
+}
+
+static authz_status dbdlogin_check_authorization(request_rec *r,
+                                              const char *require_args)
+{
+    authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
+                                              &authz_dbd_module);
+
+    return (authz_dbd_login(r, cfg, "login") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
 }
+
+static authz_status dbdlogout_check_authorization(request_rec *r,
+                                              const char *require_args)
+{
+    authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
+                                              &authz_dbd_module);
+
+    return (authz_dbd_login(r, cfg, "logout") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
+}
+
+static const authz_provider authz_dbdgroup_provider =
+{
+    &dbdgroup_check_authorization,
+};
+
+static const authz_provider authz_dbdlogin_provider =
+{
+    &dbdlogin_check_authorization,
+};
+
+
+static const authz_provider authz_dbdlogout_provider =
+{
+    &dbdlogout_check_authorization,
+};
+
 static void authz_dbd_hooks(apr_pool_t *p)
 {
-    ap_hook_auth_checker(authz_dbd_check, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-group", "0",
+                         &authz_dbdgroup_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-login", "0",
+                         &authz_dbdlogin_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbd-logout", "0",
+                         &authz_dbdlogout_provider);
 }
+
 module AP_MODULE_DECLARE_DATA authz_dbd_module =
 {
     STANDARD20_MODULE_STUFF,

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c Wed Jan 11 06:30:28 2006
@@ -22,6 +22,7 @@
 
 #include "httpd.h"
 #include "http_config.h"
+#include "ap_provider.h"
 #include "http_core.h"
 #include "http_log.h"
 #include "http_protocol.h"
@@ -32,9 +33,11 @@
 typedef struct {
     char *grpfile;
     char *dbmtype;
-    int authoritative;
 } authz_dbm_config_rec;
 
+APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
+
+
 /* This should go into APR; perhaps with some nice
  * caching/locking/flocking of the open dbm file.
  */
@@ -62,7 +65,6 @@
 
     conf->grpfile = NULL;
     conf->dbmtype = "default";
-    conf->authoritative = 1;  /* fortress is secure by default */
 
     return conf;
 }
@@ -75,11 +77,6 @@
     AP_INIT_TAKE1("AuthzDBMType", ap_set_string_slot,
      (void *)APR_OFFSETOF(authz_dbm_config_rec, dbmtype),
      OR_AUTHCFG, "what type of DBM file the group file is"),
-    AP_INIT_FLAG("AuthzDBMAuthoritative", ap_set_flag_slot,
-     (void *)APR_OFFSETOF(authz_dbm_config_rec, authoritative),
-     OR_AUTHCFG, "Set to 'Off' to allow access control to be passed along to "
-     "lower modules, if the group required is not found or empty, or the user "
-     " is not in the required groups. (default is On.)"),
     {NULL}
 };
 
@@ -133,142 +130,152 @@
     return retval;
 }
 
-/* Checking ID */
-static int dbm_check_auth(request_rec *r)
+static authz_status dbmgroup_check_authorization(request_rec *r,
+                                             const char *require_args)
 {
     authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                       &authz_dbm_module);
     char *user = r->user;
-    int m = r->method_number;
-    const apr_array_header_t *reqs_arr = ap_requires(r);
-    require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
-    register int x;
     const char *t;
     char *w;
-    int required_group = 0;
-    const char *filegroup = NULL;
     const char *orig_groups = NULL;
-    char *reason = NULL;
+    const char *realm = ap_auth_name(r);
+    const char *groups;
+    char *v;
 
     if (!conf->grpfile) {
-        return DECLINED;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                        "No group file was specified in the configuration");
+        return AUTHZ_DENIED;
+    }
+
+    /* fetch group data from dbm file only once. */
+    if (!orig_groups) {
+        apr_status_t status;
+
+        status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm, NULL),
+                             user, conf->grpfile, conf->dbmtype, &groups);
+
+        if (status != APR_SUCCESS) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                          "could not open dbm (type %s) group access "
+                          "file: %s", conf->dbmtype, conf->grpfile);
+            return AUTHZ_GENERAL_ERROR;
+        }
+
+        if (groups == NULL) {
+            /* no groups available, so exit immediately */
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "Authorization of user %s to access %s failed, reason: "
+                          "user doesn't appear in DBM group file (%s).", 
+                          r->user, r->uri, conf->grpfile);
+            return AUTHZ_DENIED;
+        }
+
+        orig_groups = groups;
     }
 
-    if (!reqs_arr) {
-        return DECLINED;
+    t = require_args;
+    while ((w = ap_getword_white(r->pool, &t)) && w[0]) {
+        groups = orig_groups;
+        while (groups[0]) {
+            v = ap_getword(r->pool, &groups, ',');
+            if (!strcmp(v, w)) {
+                return AUTHZ_GRANTED;
+            }
+        }
     }
 
-    for (x = 0; x < reqs_arr->nelts; x++) {
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                  "Authorization of user %s to access %s failed, reason: "
+                  "user is not part of the 'require'ed group(s).",
+                  r->user, r->uri);
 
-        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
-            continue;
-        }
+    return AUTHZ_DENIED;
+}
 
-        t = reqs[x].requirement;
-        w = ap_getword_white(r->pool, &t);
+APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
 
-        if (!strcasecmp(w, "file-group")) {
-            filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
+static authz_status dbmfilegroup_check_authorization(request_rec *r,
+                                              const char *require_args)
+{
+    authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
+                                                      &authz_dbm_module);
+    char *user = r->user;
+    const char *realm = ap_auth_name(r);
+    const char *filegroup = NULL;
+    const char *orig_groups = NULL;
+    apr_status_t status;
+    const char *groups;
+    char *v;
 
-            if (!filegroup) {
-                /* mod_authz_owner is not present or not
-                 * authoritative. We are just a helper module for testing
-                 * group membership, so we don't care and decline.
-                 */
-                continue;
-            }
-        }
+    if (!conf->grpfile) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                        "No group file was specified in the configuration");
+        return AUTHZ_DENIED;
+    }
 
-        if (!strcasecmp(w, "group") || filegroup) {
-            const char *realm = ap_auth_name(r);
-            const char *groups;
-            char *v;
-
-            /* remember that actually a group is required */
-            required_group = 1;
-
-            /* fetch group data from dbm file only once. */
-            if (!orig_groups) {
-                apr_status_t status;
-
-                status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm,
-                                                    NULL),
-                                     user,
-                                     conf->grpfile, conf->dbmtype, &groups);
-
-                if (status != APR_SUCCESS) {
-                    ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
-                                  "could not open dbm (type %s) group access "
-                                  "file: %s", conf->dbmtype, conf->grpfile);
-                    return HTTP_INTERNAL_SERVER_ERROR;
-                }
-
-                if (groups == NULL) {
-                    /* no groups available, so exit immediately */
-                    reason = apr_psprintf(r->pool,
-                                          "user doesn't appear in DBM group "
-                                          "file (%s).", conf->grpfile);
-                    break;
-                }
+    /* fetch group data from dbm file. */
+    status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm, NULL),
+                         user, conf->grpfile, conf->dbmtype, &groups);
 
-                orig_groups = groups;
-            }
+    if (status != APR_SUCCESS) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "could not open dbm (type %s) group access "
+                      "file: %s", conf->dbmtype, conf->grpfile);
+        return AUTHZ_DENIED;
+    }
 
-            if (filegroup) {
-                groups = orig_groups;
-                while (groups[0]) {
-                    v = ap_getword(r->pool, &groups, ',');
-                    if (!strcmp(v, filegroup)) {
-                        return OK;
-                    }
-                }
-
-                if (conf->authoritative) {
-                    reason = apr_psprintf(r->pool,
-                                          "file group '%s' does not match.",
-                                          filegroup);
-                    break;
-                }
-
-                /* now forget the filegroup, thus alternatively require'd
-                   groups get a real chance */
-                filegroup = NULL;
-            }
-            else {
-                while (t[0]) {
-                    w = ap_getword_white(r->pool, &t);
-                    groups = orig_groups;
-                    while (groups[0]) {
-                        v = ap_getword(r->pool, &groups, ',');
-                        if (!strcmp(v, w)) {
-                            return OK;
-                        }
-                    }
-                }
-            }
-        }
+    if (groups == NULL) {
+        /* no groups available, so exit immediately */
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "Authorization of user %s to access %s failed, reason: "
+                      "user doesn't appear in DBM group file (%s).", 
+                      r->user, r->uri, conf->grpfile);
+        return AUTHZ_DENIED;
     }
 
-    /* No applicable "require group" for this method seen */
-    if (!required_group || !conf->authoritative) {
-        return DECLINED;
+    orig_groups = groups;
+
+    filegroup = authz_owner_get_file_group(r);
+
+    if (filegroup) {
+        groups = orig_groups;
+        while (groups[0]) {
+            v = ap_getword(r->pool, &groups, ',');
+            if (!strcmp(v, filegroup)) {
+                return AUTHZ_GRANTED;
+            }
+        }
     }
 
     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                  "Authorization of user %s to access %s failed, reason: %s",
-                  r->user, r->uri,
-                  reason ? reason : "user is not part of the "
-                                    "'require'ed group(s).");
+                  "Authorization of user %s to access %s failed, reason: "
+                  "user is not part of the 'require'ed group(s).",
+                  r->user, r->uri);
 
-    ap_note_auth_failure(r);
-    return HTTP_UNAUTHORIZED;
+    return AUTHZ_DENIED;
 }
 
+static const authz_provider authz_dbmgroup_provider =
+{
+    &dbmgroup_check_authorization,
+};
+
+static const authz_provider authz_dbmfilegroup_provider =
+{
+    &dbmfilegroup_check_authorization,
+};
+
+
 static void register_hooks(apr_pool_t *p)
 {
-    static const char * const aszPre[]={ "mod_authz_owner.c", NULL };
+    authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
 
-    ap_hook_auth_checker(dbm_check_auth, aszPre, NULL, APR_HOOK_MIDDLE);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbm-group", "0",
+                         &authz_dbmgroup_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "dbm-file-group", "0",
+                         &authz_dbmfilegroup_provider);
 }
 
 module AP_MODULE_DECLARE_DATA authz_dbm_module =

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_default.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_default.c?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_default.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_default.c Wed Jan 11 06:30:28 2006
@@ -53,31 +53,6 @@
 {
     authz_default_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                  &authz_default_module);
-    int m = r->method_number;
-    int method_restricted = 0;
-    register int x;
-    const apr_array_header_t *reqs_arr = ap_requires(r);
-    require_line *reqs;
-
-    /* BUG FIX: tadc, 11-Nov-1995.  If there is no "requires" directive,
-     * then any user will do.
-     */
-    if (!reqs_arr) {
-        return OK;
-    }
-    reqs = (require_line *)reqs_arr->elts;
-
-    for (x = 0; x < reqs_arr->nelts; x++) {
-        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
-            continue;
-        }
-        method_restricted = 1;
-        break;
-    }
-
-    if (method_restricted == 0) {
-        return OK;
-    }
 
     if (!(conf->authoritative)) {
         return DECLINED;

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c Wed Jan 11 06:30:28 2006
@@ -38,8 +38,6 @@
  *
  * If there are any 'require group' blocks and we
  * are not in any group - we HTTP_UNAUTHORIZE
- * unless we are non-authoritative; in which
- * case we DECLINED.
  *
  */
 
@@ -47,6 +45,7 @@
 #include "apr_lib.h" /* apr_isspace */
 
 #include "ap_config.h"
+#include "ap_provider.h"
 #include "httpd.h"
 #include "http_config.h"
 #include "http_core.h"
@@ -58,15 +57,15 @@
 
 typedef struct {
     char *groupfile;
-    int authoritative;
 } authz_groupfile_config_rec;
 
+APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
+
 static void *create_authz_groupfile_dir_config(apr_pool_t *p, char *d)
 {
     authz_groupfile_config_rec *conf = apr_palloc(p, sizeof(*conf));
 
     conf->groupfile = NULL;
-    conf->authoritative = 1; /* keep the fortress secure by default */
     return conf;
 }
 
@@ -86,13 +85,6 @@
                    (void *)APR_OFFSETOF(authz_groupfile_config_rec, groupfile),
                    OR_AUTHCFG,
                    "text file containing group names and member user IDs"),
-    AP_INIT_FLAG("AuthzGroupFileAuthoritative", ap_set_flag_slot,
-                 (void *)APR_OFFSETOF(authz_groupfile_config_rec,
-                                      authoritative),
-                 OR_AUTHCFG,
-                 "Set to 'Off' to allow access control to be passed along to "
-                 "lower modules if the 'require group' fails. (default is "
-                 "On)."),
     {NULL}
 };
 
@@ -145,131 +137,139 @@
     return APR_SUCCESS;
 }
 
-/* Checking ID */
-
-static int check_user_access(request_rec *r)
+static authz_status group_check_authorization(request_rec *r,
+                                             const char *require_args)
 {
     authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
-                                                      &authz_groupfile_module);
+            &authz_groupfile_module);
     char *user = r->user;
-    int m = r->method_number;
-    int required_group = 0;
-    register int x;
     const char *t, *w;
     apr_table_t *grpstatus = NULL;
-    const apr_array_header_t *reqs_arr = ap_requires(r);
-    require_line *reqs;
-    const char *filegroup = NULL;
-    char *reason = NULL;
+    apr_status_t status;
 
     /* If there is no group file - then we are not
      * configured. So decline.
      */
     if (!(conf->groupfile)) {
-        return DECLINED;
-    }
-
-    if (!reqs_arr) {
-        return DECLINED; /* XXX change from legacy */
-    }
-
-    reqs = (require_line *)reqs_arr->elts;
-
-    for (x = 0; x < reqs_arr->nelts; x++) {
-
-        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
-            continue;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                        "No group file was specified in the configuration");
+        return AUTHZ_DENIED;
+    }
+
+    status = groups_for_user(r->pool, user, conf->groupfile,
+                                &grpstatus);
+
+    if (status != APR_SUCCESS) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                        "Could not open group file: %s",
+                        conf->groupfile);
+        return AUTHZ_DENIED;
+    }
+
+    if (apr_table_elts(grpstatus)->nelts == 0) {
+        /* no groups available, so exit immediately */
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "Authorization of user %s to access %s failed, reason: "
+                      "user doesn't appear in group file (%s).",
+                      r->user, r->uri, conf->groupfile);
+        return AUTHZ_DENIED;
+    }
+
+    t = require_args;
+    while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+        if (apr_table_get(grpstatus, w)) {
+            return AUTHZ_GRANTED;
         }
+    }
 
-        t = reqs[x].requirement;
-        w = ap_getword_white(r->pool, &t);
-
-        /* needs mod_authz_owner to be present */
-        if (!strcasecmp(w, "file-group")) {
-            filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
-
-            if (!filegroup) {
-                /* mod_authz_owner is not present or not
-                 * authoritative. We are just a helper module for testing
-                 * group membership, so we don't care and decline.
-                 */
-                continue;
-            }
-        }
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                    "Authorization of user %s to access %s failed, reason: "
+                    "user is not part of the 'require'ed group(s).",
+                    r->user, r->uri);
 
-        if (!strcasecmp(w, "group") || filegroup) {
-            required_group = 1; /* remember the requirement */
+    return AUTHZ_DENIED;
+}
 
-            /* create group table only if actually needed. */
-            if (!grpstatus) {
-                apr_status_t status;
-
-                status = groups_for_user(r->pool, user, conf->groupfile,
-                                         &grpstatus);
-
-                if (status != APR_SUCCESS) {
-                    ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
-                                  "Could not open group file: %s",
-                                  conf->groupfile);
-                    return HTTP_INTERNAL_SERVER_ERROR;
-                }
-
-                if (apr_table_elts(grpstatus)->nelts == 0) {
-                    /* no groups available, so exit immediately */
-                    reason = apr_psprintf(r->pool,
-                                          "user doesn't appear in group file "
-                                          "(%s).", conf->groupfile);
-                    break;
-                }
-            }
+APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
 
-            if (filegroup) {
-                if (apr_table_get(grpstatus, filegroup)) {
-                    return OK;
-                }
-
-                if (conf->authoritative) {
-                    reason = apr_psprintf(r->pool,
-                                          "file group '%s' does not match.",
-                                          filegroup);
-                    break;
-                }
-
-                /* now forget the filegroup, thus alternatively require'd
-                   groups get a real chance */
-                filegroup = NULL;
-            }
-            else {
-                while (t[0]) {
-                    w = ap_getword_conf(r->pool, &t);
-                    if (apr_table_get(grpstatus, w)) {
-                        return OK;
-                    }
-                }
-            }
-        }
-    }
+static authz_status filegroup_check_authorization(request_rec *r,
+                                              const char *require_args)
+{
+    authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
+            &authz_groupfile_module);
+    char *user = r->user;
+    apr_table_t *grpstatus = NULL;
+    apr_status_t status;
+    const char *filegroup = NULL;
 
-    /* No applicable "require group" for this method seen */
-    if (!required_group || !conf->authoritative) {
-        return DECLINED;
+    /* If there is no group file - then we are not
+     * configured. So decline.
+     */
+    if (!(conf->groupfile)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                        "No group file was specified in the configuration");
+        return AUTHZ_DENIED;
+    }
+
+    status = groups_for_user(r->pool, user, conf->groupfile,
+                             &grpstatus);
+    if (status != APR_SUCCESS) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                      "Could not open group file: %s",
+                      conf->groupfile);
+        return AUTHZ_DENIED;
+    }
+
+    if (apr_table_elts(grpstatus)->nelts == 0) {
+        /* no groups available, so exit immediately */
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                        "Authorization of user %s to access %s failed, reason: "
+                        "user doesn't appear in group file (%s).",
+                        r->user, r->uri, conf->groupfile);
+        return AUTHZ_DENIED;
+    }
+
+    filegroup = authz_owner_get_file_group(r);
+
+    if (filegroup) {
+        if (apr_table_get(grpstatus, filegroup)) {
+            return AUTHZ_GRANTED;
+        }
+    }
+    else {
+        /* No need to emit a error log entry because the call
+        to authz_owner_get_file_group already did it
+        for us.
+        */
+        return AUTHZ_DENIED;
     }
 
     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                  "Authorization of user %s to access %s failed, reason: %s",
-                  r->user, r->uri,
-                  reason ? reason : "user is not part of the "
-                                    "'require'ed group(s).");
+                  "Authorization of user %s to access %s failed, reason: "
+                  "user is not part of the 'require'ed file group.",
+                  r->user, r->uri);
 
-    ap_note_auth_failure(r);
-    return HTTP_UNAUTHORIZED;
+    return AUTHZ_DENIED;
 }
 
+static const authz_provider authz_group_provider =
+{
+    &group_check_authorization,
+};
+
+static const authz_provider authz_filegroup_provider =
+{
+    &filegroup_check_authorization,
+};
+
 static void register_hooks(apr_pool_t *p)
 {
-    static const char * const aszPre[]={ "mod_authz_owner.c", NULL };
+    authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
 
-    ap_hook_auth_checker(check_user_access, aszPre, NULL, APR_HOOK_MIDDLE);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "group", "0",
+                         &authz_group_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "file-group", "0",
+                         &authz_filegroup_provider);
 }
 
 module AP_MODULE_DECLARE_DATA authz_groupfile_module =

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_host.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authz_host.c?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_host.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_host.c Wed Jan 11 06:30:28 2006
@@ -30,145 +30,36 @@
 #include "apr_want.h"
 
 #include "ap_config.h"
+#include "ap_provider.h"
 #include "httpd.h"
 #include "http_core.h"
 #include "http_config.h"
 #include "http_log.h"
+#include "http_protocol.h"
 #include "http_request.h"
 
+#include "mod_auth.h"
+
 #if APR_HAVE_NETINET_IN_H
 #include <netinet/in.h>
 #endif
 
-enum allowdeny_type {
-    T_ENV,
-    T_ALL,
-    T_IP,
-    T_HOST,
-    T_FAIL
-};
-
 typedef struct {
-    apr_int64_t limited;
-    union {
-        char *from;
-        apr_ipsubnet_t *ip;
-    } x;
-    enum allowdeny_type type;
-} allowdeny;
-
-/* things in the 'order' array */
-#define DENY_THEN_ALLOW 0
-#define ALLOW_THEN_DENY 1
-#define MUTUAL_FAILURE 2
-
-typedef struct {
-    int order[METHODS];
-    apr_array_header_t *allows;
-    apr_array_header_t *denys;
+	int dummy;  /* just here to stop compiler warnings for now. */
 } authz_host_dir_conf;
 
 module AP_MODULE_DECLARE_DATA authz_host_module;
 
 static void *create_authz_host_dir_config(apr_pool_t *p, char *dummy)
 {
-    int i;
     authz_host_dir_conf *conf =
         (authz_host_dir_conf *)apr_pcalloc(p, sizeof(authz_host_dir_conf));
 
-    for (i = 0; i < METHODS; ++i) {
-        conf->order[i] = DENY_THEN_ALLOW;
-    }
-    conf->allows = apr_array_make(p, 1, sizeof(allowdeny));
-    conf->denys = apr_array_make(p, 1, sizeof(allowdeny));
-
     return (void *)conf;
 }
 
-static const char *order(cmd_parms *cmd, void *dv, const char *arg)
-{
-    authz_host_dir_conf *d = (authz_host_dir_conf *) dv;
-    int i, o;
-
-    if (!strcasecmp(arg, "allow,deny"))
-        o = ALLOW_THEN_DENY;
-    else if (!strcasecmp(arg, "deny,allow"))
-        o = DENY_THEN_ALLOW;
-    else if (!strcasecmp(arg, "mutual-failure"))
-        o = MUTUAL_FAILURE;
-    else
-        return "unknown order";
-
-    for (i = 0; i < METHODS; ++i)
-        if (cmd->limited & (AP_METHOD_BIT << i))
-            d->order[i] = o;
-
-    return NULL;
-}
-
-static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
-                             const char *where_c)
-{
-    authz_host_dir_conf *d = (authz_host_dir_conf *) dv;
-    allowdeny *a;
-    char *where = apr_pstrdup(cmd->pool, where_c);
-    char *s;
-    char msgbuf[120];
-    apr_status_t rv;
-
-    if (strcasecmp(from, "from"))
-        return "allow and deny must be followed by 'from'";
-
-    a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);
-    a->x.from = where;
-    a->limited = cmd->limited;
-
-    if (!strncasecmp(where, "env=", 4)) {
-        a->type = T_ENV;
-        a->x.from += 4;
-
-    }
-    else if (!strcasecmp(where, "all")) {
-        a->type = T_ALL;
-    }
-    else if ((s = ap_strchr(where, '/'))) {
-        *s++ = '\0';
-        rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool);
-        if(APR_STATUS_IS_EINVAL(rv)) {
-            /* looked nothing like an IP address */
-            return "An IP address was expected";
-        }
-        else if (rv != APR_SUCCESS) {
-            apr_strerror(rv, msgbuf, sizeof msgbuf);
-            return apr_pstrdup(cmd->pool, msgbuf);
-        }
-        a->type = T_IP;
-    }
-    else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where,
-                                                            NULL, cmd->pool))) {
-        if (rv != APR_SUCCESS) {
-            apr_strerror(rv, msgbuf, sizeof msgbuf);
-            return apr_pstrdup(cmd->pool, msgbuf);
-        }
-        a->type = T_IP;
-    }
-    else { /* no slash, didn't look like an IP address => must be a host */
-        a->type = T_HOST;
-    }
-
-    return NULL;
-}
-
-static char its_an_allow;
-
 static const command_rec authz_host_cmds[] =
 {
-    AP_INIT_TAKE1("order", order, NULL, OR_LIMIT,
-                  "'allow,deny', 'deny,allow', or 'mutual-failure'"),
-    AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT,
-                     "'from' followed by hostnames or IP-address wildcards"),
-    AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,
-                     "'from' followed by hostnames or IP-address wildcards"),
     {NULL}
 };
 
@@ -199,115 +90,168 @@
     }
 }
 
-static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
+static authz_status env_check_authorization(request_rec *r, const char *require_line)
 {
+    const char *t, *w;
 
-    allowdeny *ap = (allowdeny *) a->elts;
-    apr_int64_t mmask = (AP_METHOD_BIT << method);
-    int i;
-    int gothost = 0;
-    const char *remotehost = NULL;
-
-    for (i = 0; i < a->nelts; ++i) {
-        if (!(mmask & ap[i].limited)) {
-            continue;
+    /* The 'env' provider will allow the configuration to specify a list of
+        env variables to check rather than a single variable.  This is different
+        from the previous host based syntax. */
+    t = require_line;
+    while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+        if (apr_table_get(r->subprocess_env, w)) {
+            return AUTHZ_GRANTED;
         }
+    }
 
-        switch (ap[i].type) {
-        case T_ENV:
-            if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
-                return 1;
-            }
-            break;
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                  "access to %s failed, reason: env variable list does not meet "
+                  "'require'ments for user '%s' to be allowed access",
+                  r->uri, r->user);
 
-        case T_ALL:
-            return 1;
+    ap_note_auth_failure(r);
+    return AUTHZ_DENIED;
+}
 
-        case T_IP:
-            if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) {
-                return 1;
-            }
-            break;
+static authz_status ip_check_authorization(request_rec *r, const char *require_line)
+{
+    const char *t, *w;
 
-        case T_HOST:
-            if (!gothost) {
-                int remotehost_is_ip;
-
-                remotehost = ap_get_remote_host(r->connection,
-                                                r->per_dir_config,
-                                                REMOTE_DOUBLE_REV,
-                                                &remotehost_is_ip);
-
-                if ((remotehost == NULL) || remotehost_is_ip) {
-                    gothost = 1;
-                }
-                else {
-                    gothost = 2;
-                }
-            }
+    /* The 'ip' provider will allow the configuration to specify a list of
+        ip addresses to check rather than a single address.  This is different
+        from the previous host based syntax. */
+    t = require_line;
+    while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+        char *where = apr_pstrdup(r->pool, w);
+        char *s;
+        char msgbuf[120];
+        apr_ipsubnet_t *ip;
+        apr_status_t rv;
+        int got_ip = 0;
 
-            if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) {
-                return 1;
+        if ((s = ap_strchr(where, '/'))) {
+            *s++ = '\0';
+            rv = apr_ipsubnet_create(&ip, where, s, r->pool);
+            if(APR_STATUS_IS_EINVAL(rv)) {
+                /* looked nothing like an IP address */
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "an ip address 'require' list appears to be invalid ");
+            }
+            else if (rv != APR_SUCCESS) {
+                apr_strerror(rv, msgbuf, sizeof msgbuf);
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "an ip address 'require' list appears to be invalid; %s ",
+                              msgbuf);
             }
-            break;
+            else
+                got_ip = 1;
+        }
+        else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&ip, where,
+                                                                NULL, r->pool))) {
+            if (rv != APR_SUCCESS) {
+                apr_strerror(rv, msgbuf, sizeof msgbuf);
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "an ip address 'require' list appears to be invalid; %s ",
+                              msgbuf);
+            }
+            else 
+                got_ip = 1;
+        }
 
-        case T_FAIL:
-            /* do nothing? */
-            break;
+        if (got_ip && apr_ipsubnet_test(ip, r->connection->remote_addr)) {
+            return AUTHZ_GRANTED;
         }
     }
 
-    return 0;
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                  "access to %s failed, reason: ip address list does not meet "
+                  "'require'ments for user '%s' to be allowed access",
+                  r->uri, r->user);
+
+    ap_note_auth_failure(r);
+    return AUTHZ_DENIED;
 }
 
-static int check_dir_access(request_rec *r)
+static authz_status host_check_authorization(request_rec *r, const char *require_line)
 {
-    int method = r->method_number;
-    int ret = OK;
-    authz_host_dir_conf *a = (authz_host_dir_conf *)
-        ap_get_module_config(r->per_dir_config, &authz_host_module);
-
-    if (a->order[method] == ALLOW_THEN_DENY) {
-        ret = HTTP_FORBIDDEN;
-        if (find_allowdeny(r, a->allows, method)) {
-            ret = OK;
-        }
-        if (find_allowdeny(r, a->denys, method)) {
-            ret = HTTP_FORBIDDEN;
-        }
-    }
-    else if (a->order[method] == DENY_THEN_ALLOW) {
-        if (find_allowdeny(r, a->denys, method)) {
-            ret = HTTP_FORBIDDEN;
-        }
-        if (find_allowdeny(r, a->allows, method)) {
-            ret = OK;
-        }
+    const char *t, *w;
+    const char *remotehost = NULL;
+    int remotehost_is_ip;
+
+    remotehost = ap_get_remote_host(r->connection,
+                                    r->per_dir_config,
+                                    REMOTE_DOUBLE_REV,
+                                    &remotehost_is_ip);
+
+    if ((remotehost == NULL) || remotehost_is_ip) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "access to %s failed, reason: unable to get the "
+                      "remote host name", r->uri);
     }
     else {
-        if (find_allowdeny(r, a->allows, method)
-            && !find_allowdeny(r, a->denys, method)) {
-            ret = OK;
-        }
-        else {
-            ret = HTTP_FORBIDDEN;
+        /* The 'host' provider will allow the configuration to specify a list of
+            host names to check rather than a single name.  This is different
+            from the previous host based syntax. */
+        t = require_line;
+        while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+            if (in_domain(w, remotehost)) {
+                return AUTHZ_GRANTED;
+            }
         }
-    }
 
-    if (ret == HTTP_FORBIDDEN
-        && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "client denied by server configuration: %s",
-            r->filename);
+                      "access to %s failed, reason: host name list does not meet "
+                      "'require'ments for user '%s' to be allowed access",
+                      r->uri, r->user);
     }
 
-    return ret;
+    ap_note_auth_failure(r);
+    return AUTHZ_DENIED;
+}
+
+static authz_status all_check_authorization(request_rec *r, const char *require_line)
+{
+    /* If the argument to the 'all' provider is 'granted' then just let 
+        everybody in. This would be equivalent to the previous syntax of
+        'allow from all'. If the argument is anything else, this would
+        be equivalent to 'deny from all' Of course the opposite would be 
+        true if the 'all' provider is invoked by the 'reject' directive */
+    if (strcasecmp(require_line, "granted") == 0) {
+        return AUTHZ_GRANTED;
+    }
+    return AUTHZ_DENIED;
 }
 
+static const authz_provider authz_env_provider =
+{
+    &env_check_authorization,
+};
+
+static const authz_provider authz_ip_provider =
+{
+    &ip_check_authorization,
+};
+
+static const authz_provider authz_host_provider =
+{
+    &host_check_authorization,
+};
+
+static const authz_provider authz_all_provider =
+{
+    &all_check_authorization,
+};
+
 static void register_hooks(apr_pool_t *p)
 {
-    /* This can be access checker since we don't require r->user to be set. */
-    ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "env", "0",
+                         &authz_env_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ip", "0",
+                         &authz_ip_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "host", "0",
+                         &authz_host_provider);
+    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "all", "0",
+                         &authz_all_provider);
 }
 
 module AP_MODULE_DECLARE_DATA authz_host_module =



Mime
View raw message