1 files changed, 163 insertions, 0 deletions
diff --git a/mod_auth_fixup.c b/mod_auth_fixup.c
new file mode 100644
index 0000000..e752459
--- /dev/null
+++ b/mod_auth_fixup.c
@@ -0,0 +1,163 @@
+
+/*
+ * Copyright 2015 Jan Pazdziora
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "httpd.h"
+#include "http_core.h"
+#include "http_config.h"
+#include "http_log.h"
+#include "http_request.h"
+
+#include "ap_regex.h"
+#include "apr_strings.h"
+
+typedef struct {
+	const char * regexp_str;
+	ap_regex_t * regexp;
+	const char * substitution_str;
+} auth_fixup_config_rec;
+
+static void * create_dir_conf(apr_pool_t * pool, char * dir) {
+	auth_fixup_config_rec * cfg
+			= apr_pcalloc(pool, sizeof(auth_fixup_config_rec));
+	return cfg;
+}
+
+static const char * set_regexp(cmd_parms * cmd, void * struct_ptr,
+	const char * arg, const char * arg2) {
+        auth_fixup_config_rec * cfg = (auth_fixup_config_rec *) struct_ptr;
+        if (cfg) {
+		cfg->regexp = ap_pregcomp(cmd->pool, arg, AP_REG_EXTENDED);
+		if (cfg->regexp == NULL) {
+			return "Regular expression could not be compiled.";
+		}
+		cfg->regexp_str = apr_pstrdup(cmd->pool, arg);
+		if (arg2) {
+			cfg->substitution_str = apr_pstrdup(cmd->pool, arg2);
+		}
+        }
+        return NULL;
+}
+
+static const command_rec auth_fixup_cmds[] = {
+	AP_INIT_TAKE12("AuthFixupRegexp", set_regexp, NULL, OR_AUTHCFG,
+		"Regular expression to match against r->user, "
+		"and optional substitution string with backreferences"),
+	{NULL}
+};
+
+static int pretend_auth_type(request_rec *r) {
+	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "pretend_auth_type: called with r->user [%s]", r->user);
+	const char *auth_type = ap_auth_type(r);
+	if (! auth_type || strcasecmp(auth_type, "Fixup")) {
+		return DECLINED;
+	}
+	if (r->user) {
+		return OK;
+	}
+	return DECLINED;
+}
+
+module AP_MODULE_DECLARE_DATA auth_fixup_module;
+static int fixup_user(request_rec *r) {
+	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: called with r->user [%s]", r->user);
+	if (apr_table_get(r->notes, "fixup-user-already-run")) {
+		ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: already run in this request, declining");
+		return DECLINED;
+	}
+
+	auth_fixup_config_rec *conf
+		= ap_get_module_config(r->per_dir_config, &auth_fixup_module);
+	if (pretend_auth_type(r) == OK) {
+		if (!r->user) {
+			ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+				"fixup_user: AuthType Fixup configured and no r->user found, forbidden"
+				);
+			return HTTP_FORBIDDEN;
+		}
+	}
+	if (!r->user) {
+		ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: declining, no r->user");
+		return DECLINED;
+	}
+	apr_table_setn(r->notes, "fixup-user-already-run", r->user);
+	if (!conf->regexp) {
+		ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "fixup_user: declining, no conf->regexp");
+		return DECLINED;
+	}
+
+	unsigned int nmatch = AP_MAX_REG_MATCH;
+	ap_regmatch_t pmatch[AP_MAX_REG_MATCH];
+	if (ap_regexec(conf->regexp, r->user, nmatch, pmatch, 0)) {
+		ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+			"fixup_user: matching [%s] =~ m/%s/ failed, forbidden",
+			r->user, conf->regexp_str);
+		return HTTP_FORBIDDEN;
+	}
+
+	char * new_user = ap_pregsub(r->pool,
+		( conf->substitution_str ? conf->substitution_str : "$0" ),
+		r->user, nmatch, pmatch);
+	if (! new_user) {
+		ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+			"fixup_user: substitution [%s] =~ /%s/ -> [%s] failed, internal server error",
+			r->user, conf->regexp_str, conf->substitution_str);
+		return HTTP_INTERNAL_SERVER_ERROR;
+	}
+	if (! *new_user) {
+		ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+			"fixup_user: substitution [%s] =~ /%s/ -> [%s] resulted in "
+			"empty string, forbidden",
+			r->user, conf->regexp_str, conf->substitution_str);
+		return HTTP_FORBIDDEN;
+	}
+
+	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+		"fixup_user: resetting user [%s] to [%s]", r->user, new_user);
+	r->user = new_user;
+	return DECLINED;
+}
+
+
+static void register_hooks(apr_pool_t * p) {
+#if AP_MODULE_MAGIC_AT_LEAST(20111025,3)
+	static const char * const aszSucc[] = {"mod_authz_core.c",
+						"mod_lookup_identity.c", NULL};
+	static const char * const aszPred[] = {"mod_ssl.c", NULL};
+	ap_hook_check_access(fixup_user, aszPred, aszSucc, APR_HOOK_MIDDLE,
+					AP_AUTH_INTERNAL_PER_CONF);
+	ap_hook_check_authz(fixup_user, NULL, NULL, APR_HOOK_REALLY_FIRST,
+					AP_AUTH_INTERNAL_PER_CONF);
+	ap_hook_check_user_id(pretend_auth_type, NULL, NULL,
+							APR_HOOK_REALLY_FIRST);
+
+#else
+	static const char * const aszSucc[] = {"mod_authn_default.c", NULL};
+	ap_hook_check_user_id(pretend_auth_type, NULL, aszSucc, APR_HOOK_LAST);
+	ap_hook_auth_checker(fixup_user, NULL, NULL, APR_HOOK_REALLY_FIRST);
+#endif
+}
+
+module AP_MODULE_DECLARE_DATA auth_fixup_module = {
+	STANDARD20_MODULE_STUFF,
+	create_dir_conf,	/* Per-directory configuration handler */
+	NULL,			/* Merge handler for per-directory configurations */
+	NULL,			/* Per-server configuration handler */
+	NULL,			/* Merge handler for per-server configurations */
+	auth_fixup_cmds,	/* Any directives we may have for httpd */
+	register_hooks		/* Our hook registering function */
+};
+