Apache module mod_lookup_identity.

3 files changed, 481 insertions, 0 deletions

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..37ec93a
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,191 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object code,
+generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made
+available under the License, as indicated by a copyright notice that is included
+in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative Works
+thereof, that is intentionally submitted to Licensor for inclusion in the Work
+by the copyright owner or by an individual or Legal Entity authorized to submit
+on behalf of the copyright owner. For the purposes of this definition,
+"submitted" means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems, and
+issue tracking systems that are managed by, or on behalf of, the Licensor for
+the purpose of discussing and improving the Work, but excluding communication
+that is conspicuously marked or otherwise designated in writing by the copyright
+owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the Work and such
+Derivative Works in Source or Object form.
+
+3. Grant of Patent License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable (except as stated in this section) patent license to make, have
+made, use, offer to sell, sell, import, and otherwise transfer the Work, where
+such license applies only to those patent claims licensable by such Contributor
+that are necessarily infringed by their Contribution(s) alone or by combination
+of their Contribution(s) with the Work to which such Contribution(s) was
+submitted. If You institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work or a
+Contribution incorporated within the Work constitutes direct or contributory
+patent infringement, then any patent licenses granted to You under this License
+for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution.
+
+You may reproduce and distribute copies of the Work or Derivative Works thereof
+in any medium, with or without modifications, and in Source or Object form,
+provided that You meet the following conditions:
+
+You must give any other recipients of the Work or Derivative Works a copy of
+this License; and
+You must cause any modified files to carry prominent notices stating that You
+changed the files; and
+You must retain, in the Source form of any Derivative Works that You distribute,
+all copyright, patent, trademark, and attribution notices from the Source form
+of the Work, excluding those notices that do not pertain to any part of the
+Derivative Works; and
+If the Work includes a "NOTICE" text file as part of its distribution, then any
+Derivative Works that You distribute must include a readable copy of the
+attribution notices contained within such NOTICE file, excluding those notices
+that do not pertain to any part of the Derivative Works, in at least one of the
+following places: within a NOTICE text file distributed as part of the
+Derivative Works; within the Source form or documentation, if provided along
+with the Derivative Works; or, within a display generated by the Derivative
+Works, if and wherever such third-party notices normally appear. The contents of
+the NOTICE file are for informational purposes only and do not modify the
+License. You may add Your own attribution notices within Derivative Works that
+You distribute, alongside or as an addendum to the NOTICE text from the Work,
+provided that such additional attribution notices cannot be construed as
+modifying the License.
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction, or
+distribution of Your modifications, or for any such Derivative Works as a whole,
+provided Your use, reproduction, and distribution of the Work otherwise complies
+with the conditions stated in this License.
+
+5. Submission of Contributions.
+
+Unless You explicitly state otherwise, any Contribution intentionally submitted
+for inclusion in the Work by You to the Licensor shall be under the terms and
+conditions of this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify the terms of
+any separate license agreement you may have executed with Licensor regarding
+such Contributions.
+
+6. Trademarks.
+
+This License does not grant permission to use the trade names, trademarks,
+service marks, or product names of the Licensor, except as required for
+reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty.
+
+Unless required by applicable law or agreed to in writing, Licensor provides the
+Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
+including, without limitation, any warranties or conditions of TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
+solely responsible for determining the appropriateness of using or
+redistributing the Work and assume any risks associated with Your exercise of
+permissions under this License.
+
+8. Limitation of Liability.
+
+In no event and under no legal theory, whether in tort (including negligence),
+contract, or otherwise, unless required by applicable law (such as deliberate
+and grossly negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special, incidental,
+or consequential damages of any character arising as a result of this License or
+out of the use or inability to use the Work (including but not limited to
+damages for loss of goodwill, work stoppage, computer failure or malfunction, or
+any and all other commercial damages or losses), even if such Contributor has
+been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability.
+
+While redistributing the Work or Derivative Works thereof, You may choose to
+offer, and charge a fee for, acceptance of support, warranty, indemnity, or
+other liability obligations and/or rights consistent with this License. However,
+in accepting such obligations, You may act only on Your own behalf and on Your
+sole responsibility, not on behalf of any other Contributor, and only if You
+agree to indemnify, defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason of your
+accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work
+
+To apply the Apache License to your work, attach the following boilerplate
+notice, with the fields enclosed by brackets "[]" replaced with your own
+identifying information. (Don't include the brackets!) The text should be
+enclosed in the appropriate comment syntax for the file format. We also
+recommend that a file or class name and description of purpose be included on
+the same "printed page" as the copyright notice for easier identification within
+third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/README b/README
new file mode 100644
index 0000000..f6fb2be
--- /dev/null
+++ b/README
@@ -0,0 +1,55 @@
+
+Apache module mod_lookup_identity
+=================================
+
+Apache module to retrieve additional information about the
+authenticated user.
+
+It retrieves the GECOS information using the getpwnam call and store
+it in a note/environment variable (by default REMOTE_USER_GECOS).
+It gets list of group names the user belongs using getgrouplist and
+getgrgid calls and stores it in a note/environment variable (by
+default REMOTE_USER_GROUPS, space separated).
+
+The module needs to be loaded into Apache's configuration file like
+/etc/httpd/conf/httpd.conf with directive like
+
+    LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
+The default behaviour can be changed with the following directives:
+
+    LookupOutput where_to_store_results
+	
+	Specifies if the lookups will be done at all and where the results
+	of the lookup will be stored. Possible values are:
+
+	    None: Disable the lookup altogether
+	    Notes: Sets the Apache notes table only
+	    Env: Sets environment variables only
+	    All: Sets both (the default) 
+
+    LookupOutputGECOS name_of_the_note/environment_variable_for_the_GECOS_result
+
+	Default is REMOTE_USER_GECOS
+
+    LookupOutputGroups name_of_the_note/environment_variable_for_the_group_list
+
+	Default is REMOTE_USER_GROUPS
+
+    LookupOutputGroupsSeparator the_separator
+
+	Default is single space
+
+Of course, if sssd is configured on the machine, it will do the
+lookup for us but the standard Unix calls are the interface for us at
+this point.
+
+Building from sources
+---------------------
+
+When building from sources, command
+
+    apxs -i -a -c mod_lookup_identity.c
+
+should build and install the module.
+
diff --git a/mod_lookup_identity.c b/mod_lookup_identity.c
new file mode 100644
index 0000000..69bdafd
--- /dev/null
+++ b/mod_lookup_identity.c
@@ -0,0 +1,235 @@
+
+#include <stdio.h>
+#include "apr_hash.h"
+#include "ap_config.h"
+#include "ap_provider.h"
+#include "apr_strings.h"
+#include "httpd.h"
+#include "http_core.h"
+#include "http_config.h"
+#include "http_log.h"
+#include "http_protocol.h"
+#include "http_request.h"
+#include <pwd.h>
+#include <grp.h>
+
+static const int LOOKUP_IDENTITY_OUTPUT_NONE = 0;
+static const int LOOKUP_IDENTITY_OUTPUT_NOTES = 1;
+static const int LOOKUP_IDENTITY_OUTPUT_ENV = 2;
+static const int LOOKUP_IDENTITY_OUTPUT_ALL = 3;
+static const int LOOKUP_IDENTITY_OUTPUT_DEFAULT = 4;
+
+static char * LOOKUP_IDENTITY_OUTPUT_GECOS = "REMOTE_USER_GECOS";
+static char * LOOKUP_IDENTITY_OUTPUT_GROUPS = "REMOTE_USER_GROUPS";
+static char * LOOKUP_IDENTITY_OUTPUT_GROUPS_SEP = " ";
+
+typedef struct lookup_identity_config {
+	char * context;
+	int output;
+	char * output_gecos;
+	char * output_groups;
+	char * output_groups_sep;
+} lookup_identity_config;
+
+module AP_MODULE_DECLARE_DATA lookup_identity_module;
+
+static int lookup_identity_hook(request_rec * r) {
+	lookup_identity_config * cfg = (lookup_identity_config *) ap_get_module_config(r->per_dir_config, &lookup_identity_module);
+	lookup_identity_config * srv_cfg = (lookup_identity_config *) ap_get_module_config(r->server->module_config, &lookup_identity_module);
+	if (! r->user) {
+		return DECLINED;
+	}
+	if (!(cfg || srv_cfg)) {
+		return DECLINED;
+	}
+	lookup_identity_config the_config;
+	the_config.output = cfg && cfg->output != LOOKUP_IDENTITY_OUTPUT_DEFAULT
+		? cfg->output
+		: srv_cfg && srv_cfg->output != LOOKUP_IDENTITY_OUTPUT_DEFAULT
+			? srv_cfg->output
+			: LOOKUP_IDENTITY_OUTPUT_ALL;
+	if (!(the_config.output & LOOKUP_IDENTITY_OUTPUT_ALL)) {
+		return DECLINED;
+	}
+
+	the_config.output_gecos = cfg && cfg->output_gecos ? cfg->output_gecos
+		: srv_cfg && srv_cfg->output_gecos ? srv_cfg->output_gecos : LOOKUP_IDENTITY_OUTPUT_GECOS;
+	the_config.output_groups = cfg && cfg->output_groups ? cfg->output_groups
+		: srv_cfg && srv_cfg->output_groups ? srv_cfg->output_groups : LOOKUP_IDENTITY_OUTPUT_GROUPS;
+	the_config.output_groups_sep = cfg && cfg->output_groups_sep ? cfg->output_groups_sep
+		: srv_cfg && srv_cfg->output_groups_sep ? srv_cfg->output_groups_sep : LOOKUP_IDENTITY_OUTPUT_GROUPS_SEP;
+	
+	struct passwd * pwd = getpwnam(r->user);
+	if (! pwd) {
+		return DECLINED;
+	}
+	int ngroups = 3;
+	gid_t * groups;
+	groups = malloc(sizeof(gid_t) * ngroups);
+	if (! groups) {
+		return DECLINED;
+	}
+	while (getgrouplist(r->user, pwd->pw_gid, groups, &ngroups) == -1) {
+		free(groups);
+		groups = malloc(sizeof(gid_t) * ngroups);
+		if (! groups) {
+			return DECLINED;
+		}
+	}
+	int i, len;
+	len = 0;
+	struct group * gr;
+	for (i = 0; i < ngroups; i++) {
+		if (len)
+			len += strlen(the_config.output_groups_sep);
+		gr = getgrgid(groups[i]);
+		if (gr)
+			len += strlen(gr->gr_name);
+	}
+	if (len) {
+		char * buffer = apr_palloc(r->pool, len + 1);
+		len = 0;
+		for (i = 0; i < ngroups; i++) {
+			gr = getgrgid(groups[i]);
+			if (gr) {
+				if (len) {
+					strcpy(buffer + len, the_config.output_groups_sep);
+					len += strlen(the_config.output_groups_sep);
+				}
+				strcpy(buffer + len, gr->gr_name);
+				len += strlen(gr->gr_name);
+			}
+		}
+		buffer[len] = '\0';
+		if (the_config.output & LOOKUP_IDENTITY_OUTPUT_NOTES) {
+			apr_table_setn(r->notes, the_config.output_groups, buffer);
+		}
+		if (the_config.output & LOOKUP_IDENTITY_OUTPUT_ENV) {
+			apr_table_setn(r->subprocess_env, the_config.output_groups, buffer);
+		}
+	}
+	free(groups);
+
+	if (the_config.output & LOOKUP_IDENTITY_OUTPUT_NOTES) {
+		apr_table_set(r->notes, the_config.output_gecos, pwd->pw_gecos);
+	}
+	if (the_config.output & LOOKUP_IDENTITY_OUTPUT_ENV) {
+		apr_table_set(r->subprocess_env, the_config.output_gecos, pwd->pw_gecos);
+	}
+
+	return OK;
+}
+
+const char * set_output(cmd_parms * cmd, void * conf_void, const char * arg) {
+	lookup_identity_config * cfg = (lookup_identity_config *) conf_void;
+	if (cfg) {
+		if (!strcasecmp(arg, "none")) {
+			cfg->output = LOOKUP_IDENTITY_OUTPUT_NONE;
+		} else if (!strcasecmp(arg, "all")) {
+			cfg->output = LOOKUP_IDENTITY_OUTPUT_ALL;
+		} else if (!strcasecmp(arg, "env")) {
+			cfg->output = LOOKUP_IDENTITY_OUTPUT_ENV;
+		} else if (!strcasecmp(arg, "notes")) {
+			cfg->output = LOOKUP_IDENTITY_OUTPUT_NOTES;
+		}
+	}
+	return NULL;
+}
+
+const char * set_output_gecos(cmd_parms * cmd, void * conf_void, const char * arg) {
+	lookup_identity_config * cfg = (lookup_identity_config *) conf_void;
+	if (cfg) {
+		if (!strcmp(arg, "default")) {
+			cfg->output_gecos = LOOKUP_IDENTITY_OUTPUT_GECOS;
+		} else {
+			cfg->output_gecos = apr_palloc(cmd->pool, strlen(arg) + 1);
+			strcpy(cfg->output_gecos, arg);
+		}
+	}
+	return NULL;
+}
+
+const char * set_output_groups(cmd_parms * cmd, void * conf_void, const char * arg) {
+	lookup_identity_config * cfg = (lookup_identity_config *) conf_void;
+	if (cfg) {
+		if (!strcmp(arg, "default")) {
+			cfg->output_groups = LOOKUP_IDENTITY_OUTPUT_GROUPS;
+		} else {
+			cfg->output_groups = apr_palloc(cmd->pool, strlen(arg) + 1);
+			strcpy(cfg->output_groups, arg);
+		}
+	}
+	return NULL;
+}
+
+const char * set_output_groups_separator(cmd_parms * cmd, void * conf_void, const char * arg) {
+	lookup_identity_config * cfg = (lookup_identity_config *) conf_void;
+	if (cfg) {
+		if (!strcmp(arg, "default")) {
+			cfg->output_groups_sep = LOOKUP_IDENTITY_OUTPUT_GROUPS_SEP;
+		} else {
+			cfg->output_groups_sep = apr_palloc(cmd->pool, strlen(arg) + 1);
+			strcpy(cfg->output_groups_sep, arg);
+		}
+	}
+	return NULL;
+}
+
+lookup_identity_config * create_common_conf(apr_pool_t * pool) {
+	lookup_identity_config * cfg = apr_pcalloc(pool, sizeof(lookup_identity_config));
+	if (cfg) {
+		cfg->output = LOOKUP_IDENTITY_OUTPUT_DEFAULT;
+	}
+	return cfg;
+}
+
+void * create_server_conf(apr_pool_t * pool, server_rec * s) {
+	lookup_identity_config * cfg = create_common_conf(pool);
+	if (cfg)
+		cfg->context = apr_psprintf(pool, "(server %s)", s->server_hostname);
+	return cfg;
+}
+
+void * create_dir_conf(apr_pool_t * pool, char * context) {
+	lookup_identity_config * cfg = create_common_conf(pool);
+	if (cfg) {
+		context = context ? context : "(no directory context)";
+		cfg->context = apr_palloc(pool, strlen(context) + 1);
+		strcpy(cfg->context, context);
+	}
+	return cfg;
+}
+
+void * merge_dir_conf(apr_pool_t * pool, void * base_void, void * add_void) {
+	lookup_identity_config * base = (lookup_identity_config *) base_void;
+	lookup_identity_config * add = (lookup_identity_config *) add_void;
+	lookup_identity_config * cfg = (lookup_identity_config *) create_dir_conf(pool, add->context);
+	cfg->output = (add->output == LOOKUP_IDENTITY_OUTPUT_DEFAULT) ? base->output : add->output;
+	cfg->output_gecos = add->output_gecos ? add->output_gecos : base->output_gecos;
+	cfg->output_groups = add->output_groups ? add->output_groups : base->output_groups;
+	cfg->output_groups_sep = add->output_groups_sep ? add->output_groups_sep : base->output_groups_sep;
+	return cfg;
+}
+
+static const command_rec directives[] = {
+	AP_INIT_TAKE1("LookupOutput", set_output, NULL, RSRC_CONF | ACCESS_CONF, "Specify where the lookup results should be stored"),
+	AP_INIT_TAKE1("LookupOutputGECOS", set_output_gecos, NULL, RSRC_CONF | ACCESS_CONF, "Name of the note/variable for the GECOS information"),
+	AP_INIT_TAKE1("LookupOutputGroups", set_output_groups, NULL, RSRC_CONF | ACCESS_CONF, "Name of the note/variable for the group information"),
+	AP_INIT_TAKE1("LookupOutputGroupsSeparator", set_output_groups_separator, NULL, RSRC_CONF | ACCESS_CONF, "Group information separator"),
+	{ NULL }
+};
+
+static void register_hooks(apr_pool_t * pool) {
+	ap_hook_fixups(lookup_identity_hook, NULL, NULL, APR_HOOK_LAST);
+}
+
+module AP_MODULE_DECLARE_DATA lookup_identity_module = {
+	STANDARD20_MODULE_STUFF,
+	create_dir_conf,		/* Per-directory configuration handler */
+	merge_dir_conf,			/* Merge handler for per-directory configurations */
+	create_server_conf,		/* Per-server configuration handler */
+	merge_dir_conf,			/* Merge handler for per-server configurations */
+	directives,			/* Any directives we may have for httpd */
+	register_hooks			/* Our hook registering function */
+};
+