authorStef Walter <stef@memberwebs.com>2009-06-18 19:13:56 +0000
committerStef Walter <stef@memberwebs.com>2009-06-18 19:13:56 +0000
commit8d5aadc77ea8b00558101f0258d7494ebe65c292 (patch)
treecfc58dc3715540e713ee562f1adc5ef91af25c98 /module/mod_auth_singleid.c
parent543b45ab3ed3f4d1a9852ead27becf0f2dee8f6d (diff)
A bunch of fixes that make OpenID authentication work for the first time.
Diffstat (limited to 'module/mod_auth_singleid.c')
-rw-r--r--module/mod_auth_singleid.c93
1 files changed, 78 insertions, 15 deletions
diff --git a/module/mod_auth_singleid.c b/module/mod_auth_singleid.c
index 3b6304a..9c38434 100644
--- a/module/mod_auth_singleid.c
+++ b/module/mod_auth_singleid.c
@@ -92,8 +92,8 @@ static int
shared_initialize (apr_pool_t *p, server_rec *s)
{
apr_file_t *file = NULL;
+ char *lock_name = NULL;
const char *tmpdir;
- char *lock_name;
int rc;
/* This may be called more than once */
@@ -324,7 +324,7 @@ session_cookie_value (request_rec *r, const char *name)
return NULL;
while (*cookies) {
- pair = ap_get_token (r->pool, &cookies, 0);
+ pair = ap_get_token (r->pool, &cookies, 1);
if (!pair)
break;
if (pair[0] == '$')
@@ -338,6 +338,7 @@ session_cookie_value (request_rec *r, const char *name)
if (*value != '=')
continue;
+ ++value;
while (isspace (*value))
++value;
@@ -380,22 +381,22 @@ session_load_info (request_rec *r)
char *token, *sig, *end;
char *identifier;
long expiry;
+ size_t len;
value = session_cookie_value (r, "mod-auth-single-id");
if (!value)
return NULL;
- sig = ap_get_token (r->pool, &value, 1);
+ sig = ap_get_token (r->pool, &value, 0);
+ if (!session_validate_sig (r->pool, sig, value))
+ return NULL;
/* The version of the session info, only 1 supported for now */
- token = ap_get_token (r->pool, &value, 1);
+ token = ap_get_token (r->pool, &value, 0);
if (strcmp (token, "1") != 0)
return NULL;
- if (!session_validate_sig (r->pool, sig, value))
- return NULL;
-
- token = ap_get_token (r->pool, &value, 1);
+ token = ap_get_token (r->pool, &value, 0);
expiry = strtol (token, &end, 10);
if (*end != '\0')
return NULL;
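Review bot: The expiry parse at `expiry = strtol (token, &end, 10);` still accepts an empty token and out-of-range values, because `*end != '\0'` is the only rejection: `strtol ("")` returns 0 with `end == token`, and on ERANGE `end` also lands on the terminator while expiry is clamped to LONG_MAX. Since the cookie is client-supplied, parse it strictly: `errno = 0;` before the call and `if (end == token || *end != '\0' || errno == ERANGE) return NULL;` after it (needs `<errno.h>`). The later `return NULL` paths presumably compare expiry against the current time and may catch the zero case, but they are outside this hunk, as is the rest of session_load_info.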
@@ -405,7 +406,13 @@ session_load_info (request_rec *r)
return NULL;
/* The identifier */
- identifier = ap_get_token (r->pool, &value, 1);
+ identifier = ap_get_token (r->pool, &value, 0);
+ len = strlen (identifier);
+ if (identifier[0] == '"' && identifier[len - 1] == '"') {
+ identifier[len - 1] = 0;
+ ++identifier;
+ }
+
if (!ap_is_url (identifier))
return NULL;
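Review bot: The quote-stripping test `identifier[0] == '"' && identifier[len - 1] == '"'` also matches a token that is a single `"` character (len == 1), where both subscripts name the same byte; the quote is then overwritten and `identifier` is advanced to the terminator, leaving an empty string for `ap_is_url` to reject. Guard on length so the test only fires for a real quoted token: `if (len >= 2 && identifier[0] == '"' && identifier[len - 1] == '"') {`. The `if (!pair)` check in session_cookie_value suggests the author treats `ap_get_token` as possibly returning NULL; if that can happen here, `strlen (identifier)` needs the same guard. session_load_info continues outside the hunk.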
@@ -466,7 +473,7 @@ sid_request_qs (sid_request_t *req)
}
const char*
-sid_request_url (sid_request_t *req)
+sid_request_url (sid_request_t *req, int with_path)
{
/* function to determine if a connection is using https */
static APR_OPTIONAL_FN_TYPE(ssl_is_https) *using_https = NULL;
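Review bot: The new `with_path` parameter is undocumented at the definition, and what it controls (judging from the next hunk, only whether `req->rec->uri` is appended) is not obvious from the name. Add a comment above `sid_request_url (sid_request_t *req, int with_path)` such as `/* Build the request's absolute URL; with_path nonzero appends r->uri, zero yields scheme://host[:port] only. */`. The function body continues outside the hunk.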
@@ -487,7 +494,7 @@ sid_request_url (sid_request_t *req)
host = req->rec->hostname ? req->rec->hostname : ap_get_server_name (req->rec);
scheme = is_ssl ? "https" : "http";
port = ap_get_server_port (req->rec);
- uri = req->rec->uri ? req->rec->uri : "";
+ uri = with_path && req->rec->uri ? req->rec->uri : "";
/* Default ports? */
if ((port == 80 && !is_ssl) || (port == 443 && is_ssl))
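Review bot: `uri = with_path && req->rec->uri ? req->rec->uri : "";` relies on `&&` binding tighter than `?:`, which is correct but reads as if `with_path && (...)`; parenthesize the condition, `uri = (with_path && req->rec->uri) ? req->rec->uri : "";`, matching the parenthesized port test two lines below. sid_request_url starts and ends outside the hunk.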
@@ -573,8 +580,8 @@ hook_authenticate (request_rec* r)
if (!(authtype = ap_auth_type (r)) || strcasecmp (SID_AUTHTYPE, authtype) != 0)
return DECLINED;
- ctx = (sid_context_t*)ap_get_module_config(r->per_dir_config, &auth_singleid_module);
- if(ctx->identifier == NULL)
+ ctx = (sid_context_t*)ap_get_module_config (r->per_dir_config, &auth_singleid_module);
+ if (ctx->identifier == NULL)
return DECLINED;
mainreq = r;
@@ -611,14 +618,70 @@ hook_authenticate (request_rec* r)
return req.result;
}
+static int
+hook_access(request_rec *r)
+{
+ sid_context_t* ctx;
+ const char* authtype;
+ char *user = r->user;
+ int m = r->method_number;
+ int method_restricted = 0;
+ register int x;
+ const char *t, *w;
+ const apr_array_header_t *reqs_arr;
+ require_line *reqs;
+
+ /* Make sure it's for us */
+ if (!(authtype = ap_auth_type (r)) || strcasecmp (SID_AUTHTYPE, authtype) != 0)
+ return DECLINED;
+
+ ctx = (sid_context_t*)ap_get_module_config (r->per_dir_config, &auth_singleid_module);
+
+ reqs_arr = ap_requires (r);
+ if (!reqs_arr)
+ return OK;
+
+ reqs = (require_line *)reqs_arr->elts;
+ for (x = 0; x < reqs_arr->nelts; x++) {
+ if (!(reqs[x].method_mask & (AP_METHOD_BIT << m)))
+ continue;
+
+ method_restricted = 1;
+
+ t = reqs[x].requirement;
+ w = ap_getword_white (r->pool, &t);
+ if (!strcmp (w, "valid-user")) {
+ return OK;
+ } else if (!strcmp (w, "user")) {
+ while (t[0]) {
+ w = ap_getword_conf (r->pool, &t);
+ if (!strcmp (user, w)) {
+ return OK;
+ }
+ }
+ } else {
+ ap_log_rerror (APLOG_MARK, APLOG_ERR, 0, r,
+ "access to %s failed, reason: unknown require "
+ "directive:\"%s\"", r->uri, reqs[x].requirement);
+ }
+ }
+
+ if (!method_restricted)
+ return OK;
+
+ ap_log_rerror (APLOG_MARK, APLOG_ERR, 0, r,
+ "access to %s failed, reason: user %s not allowed access",
+ r->uri, user);
+ return HTTP_UNAUTHORIZED;
+}
+
static void
register_hooks(apr_pool_t *p)
{
- ap_log_perror (APLOG_MARK, APLOG_ERR, 0, p, "mod_auth_singleid registering hooks");
-
ap_hook_post_config (hook_initialize, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (hook_child, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id (hook_authenticate, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_auth_checker (hook_access, NULL, NULL, APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA auth_singleid_module = {
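Review bot: In hook_access, `user = r->user` is passed straight to `strcmp (user, w)` in the `"user"` branch with no NULL check; the auth_checker hook only runs after check_user_id returns OK, so this is safe only if hook_authenticate always sets `r->user` before returning OK, which this hunk does not show. A guard after the authtype test, `if (!user) return HTTP_UNAUTHORIZED;`, makes the function fail closed regardless. `ctx` is assigned from `ap_get_module_config` and never read (unused-variable warning), and `register int x` is an archaic spelling of `int x`. The closing `return HTTP_UNAUTHORIZED;` is sent without any `WWW-Authenticate` challenge; whether that is intended for this auth type is not visible here.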