diff options
Diffstat (limited to 'module/mod_auth_singleid.c')
-rw-r--r-- | module/mod_auth_singleid.c | 93 |
1 files changed, 78 insertions, 15 deletions
diff --git a/module/mod_auth_singleid.c b/module/mod_auth_singleid.c index 3b6304a..9c38434 100644 --- a/module/mod_auth_singleid.c +++ b/module/mod_auth_singleid.c @@ -92,8 +92,8 @@ static int shared_initialize (apr_pool_t *p, server_rec *s) { apr_file_t *file = NULL; + char *lock_name = NULL; const char *tmpdir; - char *lock_name; int rc; /* This may be called more than once */ @@ -324,7 +324,7 @@ session_cookie_value (request_rec *r, const char *name) return NULL; while (*cookies) { - pair = ap_get_token (r->pool, &cookies, 0); + pair = ap_get_token (r->pool, &cookies, 1); if (!pair) break; if (pair[0] == '$') @@ -338,6 +338,7 @@ session_cookie_value (request_rec *r, const char *name) if (*value != '=') continue; + ++value; while (isspace (*value)) ++value; @@ -380,22 +381,22 @@ session_load_info (request_rec *r) char *token, *sig, *end; char *identifier; long expiry; + size_t len; value = session_cookie_value (r, "mod-auth-single-id"); if (!value) return NULL; - sig = ap_get_token (r->pool, &value, 1); + sig = ap_get_token (r->pool, &value, 0); + if (!session_validate_sig (r->pool, sig, value)) + return NULL; /* The version of the session info, only 1 supported for now */ - token = ap_get_token (r->pool, &value, 1); + token = ap_get_token (r->pool, &value, 0); if (strcmp (token, "1") != 0) return NULL; - if (!session_validate_sig (r->pool, sig, value)) - return NULL; - - token = ap_get_token (r->pool, &value, 1); + token = ap_get_token (r->pool, &value, 0); expiry = strtol (token, &end, 10); if (*end != '\0') return NULL; @@ -405,7 +406,13 @@ session_load_info (request_rec *r) return NULL; /* The identifier */ - identifier = ap_get_token (r->pool, &value, 1); + identifier = ap_get_token (r->pool, &value, 0); + len = strlen (identifier); + if (identifier[0] == '"' && identifier[len - 1] == '"') { + identifier[len - 1] = 0; + ++identifier; + } + if (!ap_is_url (identifier)) return NULL; @@ -466,7 +473,7 @@ sid_request_qs (sid_request_t *req) } const char* -sid_request_url (sid_request_t *req) +sid_request_url (sid_request_t *req, int with_path) { /* function to determine if a connection is using https */ static APR_OPTIONAL_FN_TYPE(ssl_is_https) *using_https = NULL; @@ -487,7 +494,7 @@ sid_request_url (sid_request_t *req) host = req->rec->hostname ? req->rec->hostname : ap_get_server_name (req->rec); scheme = is_ssl ? "https" : "http"; port = ap_get_server_port (req->rec); - uri = req->rec->uri ? req->rec->uri : ""; + uri = with_path && req->rec->uri ? req->rec->uri : ""; /* Default ports? */ if ((port == 80 && !is_ssl) || (port == 443 && is_ssl)) @@ -573,8 +580,8 @@ hook_authenticate (request_rec* r) if (!(authtype = ap_auth_type (r)) || strcasecmp (SID_AUTHTYPE, authtype) != 0) return DECLINED; - ctx = (sid_context_t*)ap_get_module_config(r->per_dir_config, &auth_singleid_module); - if(ctx->identifier == NULL) + ctx = (sid_context_t*)ap_get_module_config (r->per_dir_config, &auth_singleid_module); + if (ctx->identifier == NULL) return DECLINED; mainreq = r; @@ -611,14 +618,70 @@ hook_authenticate (request_rec* r) return req.result; } +static int +hook_access(request_rec *r) +{ + sid_context_t* ctx; + const char* authtype; + char *user = r->user; + int m = r->method_number; + int method_restricted = 0; + register int x; + const char *t, *w; + const apr_array_header_t *reqs_arr; + require_line *reqs; + + /* Make sure it's for us */ + if (!(authtype = ap_auth_type (r)) || strcasecmp (SID_AUTHTYPE, authtype) != 0) + return DECLINED; + + ctx = (sid_context_t*)ap_get_module_config (r->per_dir_config, &auth_singleid_module); + + reqs_arr = ap_requires (r); + if (!reqs_arr) + return OK; + + reqs = (require_line *)reqs_arr->elts; + for (x = 0; x < reqs_arr->nelts; x++) { + if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) + continue; + + method_restricted = 1; + + t = reqs[x].requirement; + w = ap_getword_white (r->pool, &t); + if (!strcmp (w, "valid-user")) { + return OK; + } else if (!strcmp (w, "user")) { + while (t[0]) { + w = ap_getword_conf (r->pool, &t); + if (!strcmp (user, w)) { + return OK; + } + } + } else { + ap_log_rerror (APLOG_MARK, APLOG_ERR, 0, r, + "access to %s failed, reason: unknown require " + "directive:\"%s\"", r->uri, reqs[x].requirement); + } + } + + if (!method_restricted) + return OK; + + ap_log_rerror (APLOG_MARK, APLOG_ERR, 0, r, + "access to %s failed, reason: user %s not allowed access", + r->uri, user); + return HTTP_UNAUTHORIZED; +} + static void register_hooks(apr_pool_t *p) { - ap_log_perror (APLOG_MARK, APLOG_ERR, 0, p, "mod_auth_singleid registering hooks"); - ap_hook_post_config (hook_initialize, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_child_init (hook_child, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_user_id (hook_authenticate, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_auth_checker (hook_access, NULL, NULL, APR_HOOK_MIDDLE); } module AP_MODULE_DECLARE_DATA auth_singleid_module = { |