--- mod_auth_pgsql-2.0.3/mod_auth_pgsql.c Fri Jun 29 21:02:34 2012 UTC +++ mod_auth_pgsql-2.0.3/mod_auth_pgsql.c Fri Jun 29 21:08:15 2012 UTC @@ -84,7 +84,7 @@ */ -#define AUTH_PGSQL_VERSION "2.0.3" +#define AUTH_PGSQL_VERSION "2.0.3_SKPatch" #include "apr_hooks.h" #include "apr.h" @@ -109,6 +109,8 @@ #include "http_request.h" #include "util_script.h" +#include "mod_auth.h" + #ifdef WIN32 #define crypt apr_password_validate #else @@ -188,7 +190,7 @@ static int pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, - char *user, char *sent_pw); + const char *user, const char *sent_pw); static char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec); @@ -434,9 +436,8 @@ * failures separately */ -static char *auth_pg_md5(char *pw) +static char *auth_pg_md5(const char *pw) { - apr_md5_ctx_t ctx; unsigned char digest[APR_MD5_DIGESTSIZE]; static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1]; int i; @@ -451,14 +452,15 @@ } -static char *auth_pg_base64(char *pw) +static char *auth_pg_base64(const char *pw) { if (auth_pgsql_pool_base64 == NULL) apr_pool_create_ex(&auth_pgsql_pool_base64, NULL, NULL, NULL); if (auth_pgsql_pool == NULL) return NULL; - return ap_pbase64encode(auth_pgsql_pool, pw); + /* NOTE: ap_pbase64encode is no change arg2. so removable const. */ + return ap_pbase64encode(auth_pgsql_pool, (char *)pw); } @@ -603,7 +605,7 @@ return result; } -char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec) +char *get_pg_pw(request_rec * r, const char *user, pg_auth_config_rec * sec) { char query[MAX_STRING_LEN]; char *safe_user; 
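Review bot: `auth_pg_md5` still builds its result in the function-local `static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1]`, so under a threaded MPM two concurrent authentications can overwrite each other's hex digest before it is compared. As the signature is being changed here anyway, the hex string would be safer in per-request storage, for example by having the caller copy the result with `apr_pstrdup(r->pool, ...)` immediately. The rest of the body, including the return statement, is outside the hunk, so this assumes the static buffer is what gets returned.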
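Review bot: In `auth_pg_base64` the changed call `ap_pbase64encode(auth_pgsql_pool, (char *)pw)` still allocates from `auth_pgsql_pool`, while the lines just above it create `auth_pgsql_pool_base64` and then never use it. If the dedicated pool is the intended one, the check and the call should read `if (auth_pgsql_pool_base64 == NULL) return NULL;` and `return ap_pbase64encode(auth_pgsql_pool_base64, (char *)pw);`. Either way, every encoded password lands in a pool that nothing in this hunk clears, which is worth confirming against the pool's lifetime. The new comment would read more clearly as `/* ap_pbase64encode() does not modify its string argument; the cast only drops const. */`.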
@@ -744,19 +746,20 @@ } /* Process authentication request from Apache*/ -static int pg_authenticate_basic_user(request_rec * r) +static authn_status check_password(request_rec *r, const char *user, + const char *password) { + pg_auth_config_rec *sec = (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_pgsql_module); - char *val = NULL; - char *sent_pw, *real_pw; - int res; - char *user; + const char *val = NULL; + const char *sent_pw; + const char *real_pw; + authn_status auth_res; + + sent_pw = password; - if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw))) - return res; - user = r->user; #ifdef DEBUG_AUTH_PGSQL ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, @@ -773,7 +776,7 @@ if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[mod_auth_pgsql.c] - missing configuration parameters"); - return DECLINED; + return AUTH_GENERAL_ERROR; } pg_errstr[0] = '\0'; @@ -790,22 +793,16 @@ if (!real_pw) { if (pg_errstr[0]) { - res = HTTP_INTERNAL_SERVER_ERROR; + auth_res = AUTH_GENERAL_ERROR; } else { - if (sec->auth_pg_authoritative) { /* force error and access denied */ apr_snprintf(pg_errstr, MAX_STRING_LEN, "mod_auth_pgsql: Password for user %s not found (PG-Authoritative)", user); - ap_note_basic_auth_failure(r); - res = HTTP_UNAUTHORIZED; - } else { - /* allow fall through to another module */ - return DECLINED; - } + auth_res = AUTH_USER_NOT_FOUND; } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - return res; + return auth_res; } /* allow no password, if the flag is set and the password @@ -817,7 +814,7 @@ user); ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); pg_log_auth_user(r, sec, user, sent_pw); - return OK; + return AUTH_GRANTED; }; /* if the flag is off however, keep that kind of stuff at 
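Review bot: In the hunk at -773, the missing-configuration branch now returns `AUTH_GENERAL_ERROR` but still logs at `APLOG_DEBUG`. An administrator will therefore see requests fail with nothing in the error log at the usual level, so `APLOG_ERR` fits the new return value better. The guard also joins the two tests with `&&`, so a configuration that sets only one of `auth_pg_pwd_table` and `auth_pg_pwd_field` passes it. Unless `get_pg_pw` (not visible here) rejects that case, `||` looks like the intended operator.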
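Review bot: In the hunk at -790, the not-found branch no longer consults `sec->auth_pg_authoritative`, yet it keeps the `/* force error and access denied */` comment and the "(PG-Authoritative)" log text. Both are now wrong: `AUTH_USER_NOT_FOUND` lets the next configured provider try the user rather than forcing a denial. The message should become `"mod_auth_pgsql: Password for user %s not found"` and the stale comment should go. The directive's documentation should also state that fall-through is now decided by the provider framework and not by this flag, so nobody relies on it to stop the chain.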
@@ -828,8 +825,7 @@ "[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; + return AUTH_DENIED; }; if (sec->auth_pg_encrypted) @@ -858,8 +854,7 @@ apr_snprintf(pg_errstr, MAX_STRING_LEN, "PG user %s: password mismatch", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; + return AUTH_DENIED; } /* store password in the cache */ 
@@ -872,123 +867,14 @@ } pg_log_auth_user(r, sec, user, sent_pw); - return OK; -} - -/* Checking ID */ - -static int pg_check_auth(request_rec * r) -{ - pg_auth_config_rec *sec = - (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, - &auth_pgsql_module); - char *user = r->user; - int m = r->method_number; - int group_result = DECLINED; - - - - apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r); - require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; - - register int x, res; - const char *t; - char *w; - - pg_errstr[0] = '\0'; - -#ifdef DEBUG_AUTH_PGSQL - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, - "[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ", - user); -#endif /* DEBUG_AUTH_PGSQL */ - - - - /* if we cannot do it; leave it to some other guy - */ - if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field) - && (!sec->auth_pg_grp_user_field)) - return DECLINED; - - if (!reqs_arr) { - if (sec->auth_pg_authoritative) { - /* force error and access denied */ - apr_snprintf(pg_errstr, MAX_STRING_LEN, - "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", - user); - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - res = HTTP_UNAUTHORIZED; - } else { - return DECLINED; - } - } - - for (x = 0; x < reqs_arr->nelts; x++) { - - if (!(reqs[x].method_mask & (1 << m))) - continue; - - t = reqs[x].requirement; - w = ap_getword(r->pool, &t, ' '); - - if (!strcmp(w, "valid-user")) - return OK; - - if (!strcmp(w, "user")) { - while (t[0]) { - w = ap_getword_conf(r->pool, &t); - if (!strcmp(user, w)) - return OK; - } - if (sec->auth_pg_authoritative) { - /* force error and access denied */ - apr_snprintf(pg_errstr, MAX_STRING_LEN, - "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", - user); - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - 
%s", pg_errstr); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; - } - - } else if (!strcmp(w, "group")) { - /* look up the membership for each of the groups in the table */ - pg_errstr[0] = '\0'; - - while (t[0]) { - if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) { - group_result = OK; - }; - }; - - if (pg_errstr[0]) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - return HTTP_INTERNAL_SERVER_ERROR; - } - - if (group_result == OK) - return OK; - - if (sec->auth_pg_authoritative) { - apr_snprintf(pg_errstr, MAX_STRING_LEN, - "[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)", - user); - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; - }; - } - } - - return DECLINED; + return AUTH_GRANTED; } /* Send the authentication to the log table */ int -pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user, - char *sent_pw) +pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, const char *user, + const char *sent_pw) { char sql[MAX_STRING_LEN]; char *s; @@ -1061,7 +947,7 @@ sec->auth_pg_log_addrs_field); strncat(fields, sql, MAX_STRING_LEN - strlen(fields) - 1); apr_snprintf(sql, MAX_STRING_LEN, ", '%s'", - r->connection->remote_ip); + r->connection->client_ip); strncat(values, sql, MAX_STRING_LEN - strlen(values) - 1); } if (sec->auth_pg_log_pwd_field) { /* Password field , clear WARNING */ 
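Review bot: `r->connection->client_ip` is the address of the TCP peer, which behind a reverse proxy or with mod_remoteip is the proxy and not the user agent. For a table that audits logins, `r->useragent_ip` is probably the value wanted on 2.4. The field also does not exist in 2.2 and the hunk adds no version guard, so the patched module builds only against 2.4. If that is intended, a comment near `AUTH_PGSQL_VERSION` should say so. The enclosing function starts and ends outside the hunk.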
@@ -1114,15 +1000,22 @@ } +static const authn_provider authn_pgsql_provider = +{ + &check_password, + NULL, +}; + static void register_hooks(apr_pool_t * p) { ap_hook_post_config(pg_auth_init_handler, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_auth_checker(pg_check_auth, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_check_user_id(pg_authenticate_basic_user, NULL, NULL, - APR_HOOK_MIDDLE); + + ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "pgsql", + AUTHN_PROVIDER_VERSION, + &authn_pgsql_provider, AP_AUTH_INTERNAL_PER_CONF); }; -module AP_MODULE_DECLARE_DATA auth_pgsql_module = { +AP_DECLARE_MODULE(auth_pgsql) = { STANDARD20_MODULE_STUFF, create_pg_auth_dir_config, /* dir config creater */ NULL, /* dir merger --- default is to override */
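Review bot: `register_hooks` now registers only the `pgsql` authentication provider, and nothing replaces the removed `pg_check_auth` hook, so this module no longer evaluates `Require group` against the PostgreSQL group table. Sites that restrict access with the group directives would have those rules handled by whatever authorization provider owns `group`, or rejected at startup. That should be stated where the change is made, for example `/* NOTE: group membership (the auth_pg_grp_* settings) is no longer checked by this module; "Require group" must be served by another authz provider. */` above `register_hooks`. Restoring the feature would mean registering an `authz_provider` under `AUTHZ_PROVIDER_GROUP` that wraps `get_pg_grp`. If the group directives are still accepted by the command table (not visible here), they should at least log a warning that they have no effect.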