diff options
Diffstat (limited to 'mod_auth_fixup.c')
-rw-r--r-- | mod_auth_fixup.c | 163 |
1 files changed, 163 insertions, 0 deletions
diff --git a/mod_auth_fixup.c b/mod_auth_fixup.c new file mode 100644 index 0000000..e752459 --- /dev/null +++ b/mod_auth_fixup.c @@ -0,0 +1,163 @@ + +/* + * Copyright 2015 Jan Pazdziora + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "httpd.h" +#include "http_core.h" +#include "http_config.h" +#include "http_log.h" +#include "http_request.h" + +#include "ap_regex.h" +#include "apr_strings.h" + +typedef struct { + const char * regexp_str; + ap_regex_t * regexp; + const char * substitution_str; +} auth_fixup_config_rec; + +static void * create_dir_conf(apr_pool_t * pool, char * dir) { + auth_fixup_config_rec * cfg + = apr_pcalloc(pool, sizeof(auth_fixup_config_rec)); + return cfg; +} + +static const char * set_regexp(cmd_parms * cmd, void * struct_ptr, + const char * arg, const char * arg2) { + auth_fixup_config_rec * cfg = (auth_fixup_config_rec *) struct_ptr; + if (cfg) { + cfg->regexp = ap_pregcomp(cmd->pool, arg, AP_REG_EXTENDED); + if (cfg->regexp == NULL) { + return "Regular expression could not be compiled."; + } + cfg->regexp_str = apr_pstrdup(cmd->pool, arg); + if (arg2) { + cfg->substitution_str = apr_pstrdup(cmd->pool, arg2); + } + } + return NULL; +} + +static const command_rec auth_fixup_cmds[] = { + AP_INIT_TAKE12("AuthFixupRegexp", set_regexp, NULL, OR_AUTHCFG, + "Regular expression to match against r->user, " + "and optional substitution string with backreferences"), + {NULL} +}; + +static int pretend_auth_type(request_rec *r) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "pretend_auth_type: called with r->user [%s]", r->user); + const char *auth_type = ap_auth_type(r); + if (! auth_type || strcasecmp(auth_type, "Fixup")) { + return DECLINED; + } + if (r->user) { + return OK; + } + return DECLINED; +} + +module AP_MODULE_DECLARE_DATA auth_fixup_module; +static int fixup_user(request_rec *r) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: called with r->user [%s]", r->user); + if (apr_table_get(r->notes, "fixup-user-already-run")) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: already run in this request, declining"); + return DECLINED; + } + + auth_fixup_config_rec *conf + = ap_get_module_config(r->per_dir_config, &auth_fixup_module); + if (pretend_auth_type(r) == OK) { + if (!r->user) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "fixup_user: AuthType Fixup configured and no r->user found, forbidden" + ); + return HTTP_FORBIDDEN; + } + } + if (!r->user) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: declining, no r->user"); + return DECLINED; + } + apr_table_setn(r->notes, "fixup-user-already-run", r->user); + if (!conf->regexp) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: declining, no conf->regexp"); + return DECLINED; + } + + unsigned int nmatch = AP_MAX_REG_MATCH; + ap_regmatch_t pmatch[AP_MAX_REG_MATCH]; + if (ap_regexec(conf->regexp, r->user, nmatch, pmatch, 0)) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "fixup_user: matching [%s] =~ m/%s/ failed, forbidden", + r->user, conf->regexp_str); + return HTTP_FORBIDDEN; + } + + char * new_user = ap_pregsub(r->pool, + ( conf->substitution_str ? conf->substitution_str : "$0" ), + r->user, nmatch, pmatch); + if (! new_user) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "fixup_user: substitution [%s] =~ /%s/ -> [%s] failed, internal server error", + r->user, conf->regexp_str, conf->substitution_str); + return HTTP_INTERNAL_SERVER_ERROR; + } + if (! *new_user) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "fixup_user: substitution [%s] =~ /%s/ -> [%s] resulted in " + "empty string, forbidden", + r->user, conf->regexp_str, conf->substitution_str); + return HTTP_FORBIDDEN; + } + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "fixup_user: resetting user [%s] to [%s]", r->user, new_user); + r->user = new_user; + return DECLINED; +} + + +static void register_hooks(apr_pool_t * p) { +#if AP_MODULE_MAGIC_AT_LEAST(20111025,3) + static const char * const aszSucc[] = {"mod_authz_core.c", + "mod_lookup_identity.c", NULL}; + static const char * const aszPred[] = {"mod_ssl.c", NULL}; + ap_hook_check_access(fixup_user, aszPred, aszSucc, APR_HOOK_MIDDLE, + AP_AUTH_INTERNAL_PER_CONF); + ap_hook_check_authz(fixup_user, NULL, NULL, APR_HOOK_REALLY_FIRST, + AP_AUTH_INTERNAL_PER_CONF); + ap_hook_check_user_id(pretend_auth_type, NULL, NULL, + APR_HOOK_REALLY_FIRST); + +#else + static const char * const aszSucc[] = {"mod_authn_default.c", NULL}; + ap_hook_check_user_id(pretend_auth_type, NULL, aszSucc, APR_HOOK_LAST); + ap_hook_auth_checker(fixup_user, NULL, NULL, APR_HOOK_REALLY_FIRST); +#endif +} + +module AP_MODULE_DECLARE_DATA auth_fixup_module = { + STANDARD20_MODULE_STUFF, + create_dir_conf, /* Per-directory configuration handler */ + NULL, /* Merge handler for per-directory configurations */ + NULL, /* Per-server configuration handler */ + NULL, /* Merge handler for per-server configurations */ + auth_fixup_cmds, /* Any directives we may have for httpd */ + register_hooks /* Our hook registering function */ +}; + |