Apache HTTPD
mod_authz_groupfile.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* This module is triggered by an
18 *
19 * AuthGroupFile standard /path/to/file
20 *
21 * and the presence of a
22 *
23 * require group <list-of-groups>
24 *
25 * In an applicable limit/directory block for that method.
26 *
27 * If there are no AuthGroupFile directives valid for
28 * the request; we DECLINED.
29 *
30 * If the AuthGroupFile is defined; but somehow not
31 * accessible: we SERVER_ERROR (was DECLINED).
32 *
33 * If there are no 'require ' directives defined for
34 * this request then we DECLINED (was OK).
35 *
36 * If there are no 'require ' directives valid for
37 * this request method then we DECLINED. (was OK)
38 *
39 * If there are any 'require group' blocks and we
40 * are not in any group - we HTTP_UNAUTHORIZE
41 *
42 */
43
44#include "apr_strings.h"
45#include "apr_lib.h" /* apr_isspace */
46
47#include "ap_config.h"
48#include "ap_provider.h"
49#include "httpd.h"
50#include "http_config.h"
51#include "http_core.h"
52#include "http_log.h"
53#include "http_protocol.h"
54#include "http_request.h"
55#include "util_varbuf.h"
56
57#include "mod_auth.h"
58#include "mod_authz_owner.h"
59
60typedef struct {
61 char *groupfile;
62} authz_groupfile_config_rec;
63
64static void *create_authz_groupfile_dir_config(apr_pool_t *p, char *d)
65{
66 authz_groupfile_config_rec *conf = apr_palloc(p, sizeof(*conf));
67
68 conf->groupfile = NULL;
69 return conf;
70}
71
72static const command_rec authz_groupfile_cmds[] =
73{
74 AP_INIT_TAKE1("AuthGroupFile", ap_set_file_slot,
75 (void *)APR_OFFSETOF(authz_groupfile_config_rec, groupfile),
76 OR_AUTHCFG,
77 "text file containing group names and member user IDs"),
78 {NULL}
79};
80
81module AP_MODULE_DECLARE_DATA authz_groupfile_module;
82
83#define VARBUF_INIT_LEN 512
84#define VARBUF_MAX_LEN (16*1024*1024)
85static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile,
86 apr_table_t ** out)
87{
88 ap_configfile_t *f;
89 apr_table_t *grps = apr_table_make(p, 15);
90 apr_pool_t *sp;
91 struct ap_varbuf vb;
92 const char *group_name, *ll, *w;
93 apr_status_t status;
94 apr_size_t group_len;
95
96 if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) {
97 return status ;
98 }
99
100 apr_pool_create(&sp, p);
101 apr_pool_tag(sp, "authz_groupfile (groups_for_user)");
102
103 ap_varbuf_init(p, &vb, VARBUF_INIT_LEN);
104
105 while (!(ap_varbuf_cfg_getline(&vb, f, VARBUF_MAX_LEN))) {
106 if ((vb.buf[0] == '#') || (!vb.buf[0])) {
107 continue;
108 }
109 ll = vb.buf;
110 apr_pool_clear(sp);
111
112 group_name = ap_getword(sp, &ll, ':');
113 group_len = strlen(group_name);
114
115 while (group_len && apr_isspace(*(group_name + group_len - 1))) {
116 --group_len;
117 }
118
119 while (ll[0]) {
120 w = ap_getword_conf(sp, &ll);
121 if (!strcmp(w, user)) {
122 apr_table_setn(grps, apr_pstrmemdup(p, group_name, group_len),
123 "in");
124 break;
125 }
126 }
127 }
128 ap_cfg_closefile(f);
129 apr_pool_destroy(sp);
130 ap_varbuf_free(&vb);
131
132 *out = grps;
133 return APR_SUCCESS;
134}
135
136static authz_status group_check_authorization(request_rec *r,
137 const char *require_args,
138 const void *parsed_require_args)
139{
140 authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
141 &authz_groupfile_module);
142 char *user = r->user;
143
144 const char *err = NULL;
145 const ap_expr_info_t *expr = parsed_require_args;
146 const char *require;
147
148 const char *t, *w;
149 apr_table_t *grpstatus = NULL;
150 apr_status_t status;
151
152 if (!user) {
153 return AUTHZ_DENIED_NO_USER;
154 }
155
156 /* If there is no group file - then we are not
157 * configured. So decline.
158 */
159 if (!(conf->groupfile)) {
160 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01664)
161 "No group file was specified in the configuration");
162 return AUTHZ_DENIED;
163 }
164
165 status = groups_for_user(r->pool, user, conf->groupfile,
166 &grpstatus);
167
168 if (status != APR_SUCCESS) {
169 ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01665)
170 "Could not open group file: %s",
171 conf->groupfile);
172 return AUTHZ_DENIED;
173 }
174
175 if (apr_is_empty_table(grpstatus)) {
176 /* no groups available, so exit immediately */
177 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01666)
178 "Authorization of user %s to access %s failed, reason: "
179 "user doesn't appear in group file (%s).",
180 r->user, r->uri, conf->groupfile);
181 return AUTHZ_DENIED;
182 }
183
184 require = ap_expr_str_exec(r, expr, &err);
185 if (err) {
186 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02592)
187 "authz_groupfile authorize: require group: Can't "
188 "evaluate require expression: %s", err);
189 return AUTHZ_DENIED;
190 }
191
192 t = require;
193 while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
194 if (apr_table_get(grpstatus, w)) {
195 return AUTHZ_GRANTED;
196 }
197 }
198
199 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01667)
200 "Authorization of user %s to access %s failed, reason: "
201 "user is not part of the 'require'ed group(s).",
202 r->user, r->uri);
203
204 return AUTHZ_DENIED;
205}
206
207static APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
208
209static authz_status filegroup_check_authorization(request_rec *r,
210 const char *require_args,
211 const void *parsed_require_args)
212{
213 authz_groupfile_config_rec *conf = ap_get_module_config(r->per_dir_config,
214 &authz_groupfile_module);
215 char *user = r->user;
216 apr_table_t *grpstatus = NULL;
217 apr_status_t status;
218 const char *filegroup = NULL;
219
220 if (!user) {
221 return AUTHZ_DENIED_NO_USER;
222 }
223
224 /* If there is no group file - then we are not
225 * configured. So decline.
226 */
227 if (!(conf->groupfile)) {
228 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01668)
229 "No group file was specified in the configuration");
230 return AUTHZ_DENIED;
231 }
232
233 status = groups_for_user(r->pool, user, conf->groupfile,
234 &grpstatus);
235 if (status != APR_SUCCESS) {
236 ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01669)
237 "Could not open group file: %s",
238 conf->groupfile);
239 return AUTHZ_DENIED;
240 }
241
242 if (apr_is_empty_table(grpstatus)) {
243 /* no groups available, so exit immediately */
244 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01670)
245 "Authorization of user %s to access %s failed, reason: "
246 "user doesn't appear in group file (%s).",
247 r->user, r->uri, conf->groupfile);
248 return AUTHZ_DENIED;
249 }
250
251 filegroup = authz_owner_get_file_group(r);
252
253 if (filegroup) {
254 if (apr_table_get(grpstatus, filegroup)) {
255 return AUTHZ_GRANTED;
256 }
257 }
258 else {
259 /* No need to emit a error log entry because the call
260 to authz_owner_get_file_group already did it
261 for us.
262 */
263 return AUTHZ_DENIED;
264 }
265
266 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01671)
267 "Authorization of user %s to access %s failed, reason: "
268 "user is not part of the 'require'ed file group.",
269 r->user, r->uri);
270
271 return AUTHZ_DENIED;
272}
273
274static const char *groupfile_parse_config(cmd_parms *cmd, const char *require_line,
275 const void **parsed_require_line)
276{
277 const char *expr_err = NULL;
278 ap_expr_info_t *expr;
279
280 expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
281 &expr_err, NULL);
282
283 if (expr_err)
284 return apr_pstrcat(cmd->temp_pool,
285 "Cannot parse expression in require line: ",
286 expr_err, NULL);
287
288 *parsed_require_line = expr;
289
290 return NULL;
291}
292
298
304
305
310
323
324AP_DECLARE_MODULE(authz_groupfile) =
325{
326 STANDARD20_MODULE_STUFF,
327 create_authz_groupfile_dir_config,/* dir config creater */
328 NULL, /* dir merger -- default is to override */
329 NULL, /* server config */
330 NULL, /* merge server config */
331 authz_groupfile_cmds, /* command apr_table_t */
332 register_hooks /* register hooks */
333};
ap_config.h
Symbol export macros and hook functions.
ap_provider.h
Apache Provider API.
apr_lib.h
APR general purpose library routines.
d
apr_size_t const unsigned char unsigned int unsigned int d
Definition apr_siphash.h:72
apr_strings.h
APR Strings library.
AP_INIT_TAKE1
#define AP_INIT_TAKE1(directive, func, mconfig, where, help)
Definition http_config.h:176
ap_get_module_config
#define ap_get_module_config(v, m)
Definition http_config.h:550
ap_cfg_closefile
int ap_cfg_closefile(ap_configfile_t *cfp)
Definition util.c:931
ap_pcfg_openfile
apr_status_t ap_pcfg_openfile(ap_configfile_t **ret_cfg, apr_pool_t *p, const char *name)
Definition util.c:957
AP_DECLARE_MODULE
#define AP_DECLARE_MODULE(foo)
Definition http_config.h:464
r
request_rec * r
Definition http_config.h:1168
ap_hook_optional_fn_retrieve
void ap_hook_optional_fn_retrieve(ap_HOOK_optional_fn_retrieve_t *pf, const char *const *aszPre, const char *const *aszSucc, int nOrder)
Definition config.c:195
ap_set_file_slot
const char * ap_set_file_slot(cmd_parms *cmd, void *struct_ptr, const char *arg)
Definition config.c:1535
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
APLOG_INFO
#define APLOG_INFO
Definition http_log.h:70
ap_log_rerror
#define ap_log_rerror
Definition http_log.h:454
APLOG_ERR
#define APLOG_ERR
Definition http_log.h:67
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
APLOG_DEBUG
#define APLOG_DEBUG
Definition http_log.h:71
ap_register_auth_provider
apr_status_t ap_register_auth_provider(apr_pool_t *pool, const char *provider_group, const char *provider_name, const char *provider_version, const void *provider, int type)
Definition request.c:2179
AP_AUTH_INTERNAL_PER_CONF
#define AP_AUTH_INTERNAL_PER_CONF
Definition http_request.h:204
ap_varbuf_cfg_getline
apr_status_t ap_varbuf_cfg_getline(struct ap_varbuf *vb, ap_configfile_t *cfp, apr_size_t max_len)
Definition util.c:1207
ap_varbuf_free
void ap_varbuf_free(struct ap_varbuf *vb)
Definition util.c:3081
ap_varbuf_init
void ap_varbuf_init(apr_pool_t *pool, struct ap_varbuf *vb, apr_size_t init_size)
Definition util.c:2959
f
apr_file_t * f
Definition apr_buckets.h:927
APR_HOOK_MIDDLE
#define APR_HOOK_MIDDLE
Definition apr_hooks.h:303
APR_RETRIEVE_OPTIONAL_FN
#define APR_RETRIEVE_OPTIONAL_FN(name)
Definition apr_optional.h:84
APR_OPTIONAL_FN_TYPE
#define APR_OPTIONAL_FN_TYPE(name)
Definition apr_optional.h:42
AP_EXPR_FLAG_STRING_RESULT
#define AP_EXPR_FLAG_STRING_RESULT
Definition ap_expr.h:68
ap_expr_parse_cmd
#define ap_expr_parse_cmd(cmd, expr, flags, err, lookup_fn)
Definition ap_expr.h:340
ap_expr_str_exec
const char * ap_expr_str_exec(request_rec *r, const ap_expr_info_t *expr, const char **err)
Definition util_expr_eval.c:963
OR_AUTHCFG
#define OR_AUTHCFG
Definition http_config.h:235
STANDARD20_MODULE_STUFF
#define STANDARD20_MODULE_STUFF
Definition http_config.h:486
ap_getword
char * ap_getword(apr_pool_t *p, const char **line, char stop)
Definition util.c:723
ap_getword_conf
char * ap_getword_conf(apr_pool_t *p, const char **line)
Definition util.c:833
size
apr_size_t size
Definition apr_allocator.h:115
apr_isspace
#define apr_isspace(c)
Definition apr_lib.h:225
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
t
apr_interval_time_t t
Definition apr_network_io.h:710
apr_pool_create
#define apr_pool_create(newpool, parent)
Definition apr_pools.h:322
err
apr_int32_t apr_int32_t apr_int32_t err
Definition apr_thread_proc.h:418
cmd
apr_cmdtype_e cmd
Definition apr_thread_proc.h:495
status
int int status
Definition apr_thread_proc.h:760
http_config.h
Apache Configuration.
http_core.h
CORE HTTP Daemon.
http_log.h
Apache Logging library.
http_protocol.h
HTTP protocol handling.
http_request.h
Apache Request library.
httpd.h
HTTP Daemon routines.
p
apr_pool_t * p
Definition md_event.c:32
mod_auth.h
Authentication and Authorization Extension for Apache.
authz_status
authz_status
Definition mod_auth.h:72
AUTHZ_DENIED
@ AUTHZ_DENIED
Definition mod_auth.h:73
AUTHZ_DENIED_NO_USER
@ AUTHZ_DENIED_NO_USER
Definition mod_auth.h:77
AUTHZ_GRANTED
@ AUTHZ_GRANTED
Definition mod_auth.h:74
AUTHZ_PROVIDER_VERSION
#define AUTHZ_PROVIDER_VERSION
Definition mod_auth.h:42
AUTHZ_PROVIDER_GROUP
#define AUTHZ_PROVIDER_GROUP
Definition mod_auth.h:40
groups_for_user
static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile, apr_table_t **out)
Definition mod_authz_groupfile.c:85
authz_owner_get_file_group
static apr_OFN_authz_owner_get_file_group_t * authz_owner_get_file_group
Definition mod_authz_groupfile.c:207
authz_groupfile_cmds
static const command_rec authz_groupfile_cmds[]
Definition mod_authz_groupfile.c:72
VARBUF_INIT_LEN
#define VARBUF_INIT_LEN
Definition mod_authz_groupfile.c:83
VARBUF_MAX_LEN
#define VARBUF_MAX_LEN
Definition mod_authz_groupfile.c:84
authz_groupfile_getfns
static void authz_groupfile_getfns(void)
Definition mod_authz_groupfile.c:306
register_hooks
static void register_hooks(apr_pool_t *p)
Definition mod_authz_groupfile.c:311
create_authz_groupfile_dir_config
static void * create_authz_groupfile_dir_config(apr_pool_t *p, char *d)
Definition mod_authz_groupfile.c:64
authz_group_provider
static const authz_provider authz_group_provider
Definition mod_authz_groupfile.c:293
group_check_authorization
static authz_status group_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args)
Definition mod_authz_groupfile.c:136
authz_filegroup_provider
static const authz_provider authz_filegroup_provider
Definition mod_authz_groupfile.c:299
filegroup_check_authorization
static authz_status filegroup_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args)
Definition mod_authz_groupfile.c:209
groupfile_parse_config
static const char * groupfile_parse_config(cmd_parms *cmd, const char *require_line, const void **parsed_require_line)
Definition mod_authz_groupfile.c:274
mod_authz_owner.h
out
static apr_file_t * out
Definition mod_info.c:85
NULL
return NULL
Definition mod_so.c:359
ap_configfile_t
Definition http_config.h:268
ap_expr_info_t
Definition ap_expr.h:41
ap_varbuf
Definition util_varbuf.h:47
ap_varbuf::strlen
apr_size_t strlen
Definition util_varbuf.h:59
ap_varbuf::buf
char * buf
Definition util_varbuf.h:50
apr_pool_t
Definition apr_pools.c:562
apr_table_t
Definition apr_tables.c:332
authz_groupfile_config_rec
Definition mod_authz_groupfile.c:60
authz_groupfile_config_rec::groupfile
char * groupfile
Definition mod_authz_groupfile.c:61
authz_provider
Definition mod_auth.h:103
cmd_parms_struct
Definition http_config.h:288
command_struct
Definition http_config.h:204
request_rec
A structure that represents the current request.
Definition httpd.h:845
request_rec::user
char * user
Definition httpd.h:1005
request_rec::uri
char * uri
Definition httpd.h:1016
request_rec::pool
apr_pool_t * pool
Definition httpd.h:847
request_rec::per_dir_config
struct ap_conf_vector_t * per_dir_config
Definition httpd.h:1047
require_line
A structure to keep track of authorization requirements.
Definition http_core.h:316
util_varbuf.h
Apache resizable variable length buffer library.
Generated by doxygen 1.9.8