diff options
author | Jan Pazdziora <jpazdziora@redhat.com> | 2013-07-24 07:56:52 -0700 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2013-07-24 17:12:45 +0200 |
commit | 2d140997600ab3df9634e97b58597e4e5ae74d87 (patch) | |
tree | e54c5da25bbb8455b3f3340d4ff13c7803ca1888 | |
download | mod_lookup_identity-2d140997600ab3df9634e97b58597e4e5ae74d87.tar.gz mod_lookup_identity-2d140997600ab3df9634e97b58597e4e5ae74d87.tar.xz mod_lookup_identity-2d140997600ab3df9634e97b58597e4e5ae74d87.zip |
Apache module mod_lookup_identity.
-rw-r--r-- | LICENSE | 191 | ||||
-rw-r--r-- | README | 55 | ||||
-rw-r--r-- | mod_lookup_identity.c | 235 |
3 files changed, 481 insertions, 0 deletions
@@ -0,0 +1,191 @@ +Apache License +Version 2.0, January 2004 +http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + +"License" shall mean the terms and conditions for use, reproduction, and +distribution as defined by Sections 1 through 9 of this document. + +"Licensor" shall mean the copyright owner or entity authorized by the copyright +owner that is granting the License. + +"Legal Entity" shall mean the union of the acting entity and all other entities +that control, are controlled by, or are under common control with that entity. +For the purposes of this definition, "control" means (i) the power, direct or +indirect, to cause the direction or management of such entity, whether by +contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the +outstanding shares, or (iii) beneficial ownership of such entity. + +"You" (or "Your") shall mean an individual or Legal Entity exercising +permissions granted by this License. + +"Source" form shall mean the preferred form for making modifications, including +but not limited to software source code, documentation source, and configuration +files. + +"Object" form shall mean any form resulting from mechanical transformation or +translation of a Source form, including but not limited to compiled object code, +generated documentation, and conversions to other media types. + +"Work" shall mean the work of authorship, whether in Source or Object form, made +available under the License, as indicated by a copyright notice that is included +in or attached to the work (an example is provided in the Appendix below). + +"Derivative Works" shall mean any work, whether in Source or Object form, that +is based on (or derived from) the Work and for which the editorial revisions, +annotations, elaborations, or other modifications represent, as a whole, an +original work of authorship. For the purposes of this License, Derivative Works +shall not include works that remain separable from, or merely link (or bind by +name) to the interfaces of, the Work and Derivative Works thereof. + +"Contribution" shall mean any work of authorship, including the original version +of the Work and any modifications or additions to that Work or Derivative Works +thereof, that is intentionally submitted to Licensor for inclusion in the Work +by the copyright owner or by an individual or Legal Entity authorized to submit +on behalf of the copyright owner. For the purposes of this definition, +"submitted" means any form of electronic, verbal, or written communication sent +to the Licensor or its representatives, including but not limited to +communication on electronic mailing lists, source code control systems, and +issue tracking systems that are managed by, or on behalf of, the Licensor for +the purpose of discussing and improving the Work, but excluding communication +that is conspicuously marked or otherwise designated in writing by the copyright +owner as "Not a Contribution." + +"Contributor" shall mean Licensor and any individual or Legal Entity on behalf +of whom a Contribution has been received by Licensor and subsequently +incorporated within the Work. + +2. Grant of Copyright License. + +Subject to the terms and conditions of this License, each Contributor hereby +grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, +irrevocable copyright license to reproduce, prepare Derivative Works of, +publicly display, publicly perform, sublicense, and distribute the Work and such +Derivative Works in Source or Object form. + +3. Grant of Patent License. + +Subject to the terms and conditions of this License, each Contributor hereby +grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, +irrevocable (except as stated in this section) patent license to make, have +made, use, offer to sell, sell, import, and otherwise transfer the Work, where +such license applies only to those patent claims licensable by such Contributor +that are necessarily infringed by their Contribution(s) alone or by combination +of their Contribution(s) with the Work to which such Contribution(s) was +submitted. If You institute patent litigation against any entity (including a +cross-claim or counterclaim in a lawsuit) alleging that the Work or a +Contribution incorporated within the Work constitutes direct or contributory +patent infringement, then any patent licenses granted to You under this License +for that Work shall terminate as of the date such litigation is filed. + +4. Redistribution. + +You may reproduce and distribute copies of the Work or Derivative Works thereof +in any medium, with or without modifications, and in Source or Object form, +provided that You meet the following conditions: + +You must give any other recipients of the Work or Derivative Works a copy of +this License; and +You must cause any modified files to carry prominent notices stating that You +changed the files; and +You must retain, in the Source form of any Derivative Works that You distribute, +all copyright, patent, trademark, and attribution notices from the Source form +of the Work, excluding those notices that do not pertain to any part of the +Derivative Works; and +If the Work includes a "NOTICE" text file as part of its distribution, then any +Derivative Works that You distribute must include a readable copy of the +attribution notices contained within such NOTICE file, excluding those notices +that do not pertain to any part of the Derivative Works, in at least one of the +following places: within a NOTICE text file distributed as part of the +Derivative Works; within the Source form or documentation, if provided along +with the Derivative Works; or, within a display generated by the Derivative +Works, if and wherever such third-party notices normally appear. The contents of +the NOTICE file are for informational purposes only and do not modify the +License. You may add Your own attribution notices within Derivative Works that +You distribute, alongside or as an addendum to the NOTICE text from the Work, +provided that such additional attribution notices cannot be construed as +modifying the License. +You may add Your own copyright statement to Your modifications and may provide +additional or different license terms and conditions for use, reproduction, or +distribution of Your modifications, or for any such Derivative Works as a whole, +provided Your use, reproduction, and distribution of the Work otherwise complies +with the conditions stated in this License. + +5. Submission of Contributions. + +Unless You explicitly state otherwise, any Contribution intentionally submitted +for inclusion in the Work by You to the Licensor shall be under the terms and +conditions of this License, without any additional terms or conditions. +Notwithstanding the above, nothing herein shall supersede or modify the terms of +any separate license agreement you may have executed with Licensor regarding +such Contributions. + +6. Trademarks. + +This License does not grant permission to use the trade names, trademarks, +service marks, or product names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. + +Unless required by applicable law or agreed to in writing, Licensor provides the +Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, +including, without limitation, any warranties or conditions of TITLE, +NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are +solely responsible for determining the appropriateness of using or +redistributing the Work and assume any risks associated with Your exercise of +permissions under this License. + +8. Limitation of Liability. + +In no event and under no legal theory, whether in tort (including negligence), +contract, or otherwise, unless required by applicable law (such as deliberate +and grossly negligent acts) or agreed to in writing, shall any Contributor be +liable to You for damages, including any direct, indirect, special, incidental, +or consequential damages of any character arising as a result of this License or +out of the use or inability to use the Work (including but not limited to +damages for loss of goodwill, work stoppage, computer failure or malfunction, or +any and all other commercial damages or losses), even if such Contributor has +been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. + +While redistributing the Work or Derivative Works thereof, You may choose to +offer, and charge a fee for, acceptance of support, warranty, indemnity, or +other liability obligations and/or rights consistent with this License. However, +in accepting such obligations, You may act only on Your own behalf and on Your +sole responsibility, not on behalf of any other Contributor, and only if You +agree to indemnify, defend, and hold each Contributor harmless for any liability +incurred by, or claims asserted against, such Contributor by reason of your +accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work + +To apply the Apache License to your work, attach the following boilerplate +notice, with the fields enclosed by brackets "[]" replaced with your own +identifying information. (Don't include the brackets!) The text should be +enclosed in the appropriate comment syntax for the file format. We also +recommend that a file or class name and description of purpose be included on +the same "printed page" as the copyright notice for easier identification within +third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. @@ -0,0 +1,55 @@ + +Apache module mod_lookup_identity +================================= + +Apache module to retrieve additional information about the +authenticated user. + +It retrieves the GECOS information using the getpwnam call and store +it in a note/environment variable (by default REMOTE_USER_GECOS). +It gets list of group names the user belongs using getgrouplist and +getgrgid calls and stores it in a note/environment variable (by +default REMOTE_USER_GROUPS, space separated). + +The module needs to be loaded into Apache's configuration file like +/etc/httpd/conf/httpd.conf with directive like + + LoadModule lookup_identity_module modules/mod_lookup_identity.so + +The default behaviour can be changed with the following directives: + + LookupOutput where_to_store_results + + Specifies if the lookups will be done at all and where the results + of the lookup will be stored. Possible values are: + + None: Disable the lookup altogether + Notes: Sets the Apache notes table only + Env: Sets environment variables only + All: Sets both (the default) + + LookupOutputGECOS name_of_the_note/environment_variable_for_the_GECOS_result + + Default is REMOTE_USER_GECOS + + LookupOutputGroups name_of_the_note/environment_variable_for_the_group_list + + Default is REMOTE_USER_GROUPS + + LookupOutputGroupsSeparator the_separator + + Default is single space + +Of course, if sssd is configured on the machine, it will do the +lookup for us but the standard Unix calls are the interface for us at +this point. + +Building from sources +--------------------- + +When building from sources, command + + apxs -i -a -c mod_lookup_identity.c + +should build and install the module. + diff --git a/mod_lookup_identity.c b/mod_lookup_identity.c new file mode 100644 index 0000000..69bdafd --- /dev/null +++ b/mod_lookup_identity.c @@ -0,0 +1,235 @@ + +#include <stdio.h> +#include "apr_hash.h" +#include "ap_config.h" +#include "ap_provider.h" +#include "apr_strings.h" +#include "httpd.h" +#include "http_core.h" +#include "http_config.h" +#include "http_log.h" +#include "http_protocol.h" +#include "http_request.h" +#include <pwd.h> +#include <grp.h> + +static const int LOOKUP_IDENTITY_OUTPUT_NONE = 0; +static const int LOOKUP_IDENTITY_OUTPUT_NOTES = 1; +static const int LOOKUP_IDENTITY_OUTPUT_ENV = 2; +static const int LOOKUP_IDENTITY_OUTPUT_ALL = 3; +static const int LOOKUP_IDENTITY_OUTPUT_DEFAULT = 4; + +static char * LOOKUP_IDENTITY_OUTPUT_GECOS = "REMOTE_USER_GECOS"; +static char * LOOKUP_IDENTITY_OUTPUT_GROUPS = "REMOTE_USER_GROUPS"; +static char * LOOKUP_IDENTITY_OUTPUT_GROUPS_SEP = " "; + +typedef struct lookup_identity_config { + char * context; + int output; + char * output_gecos; + char * output_groups; + char * output_groups_sep; +} lookup_identity_config; + +module AP_MODULE_DECLARE_DATA lookup_identity_module; + +static int lookup_identity_hook(request_rec * r) { + lookup_identity_config * cfg = (lookup_identity_config *) ap_get_module_config(r->per_dir_config, &lookup_identity_module); + lookup_identity_config * srv_cfg = (lookup_identity_config *) ap_get_module_config(r->server->module_config, &lookup_identity_module); + if (! r->user) { + return DECLINED; + } + if (!(cfg || srv_cfg)) { + return DECLINED; + } + lookup_identity_config the_config; + the_config.output = cfg && cfg->output != LOOKUP_IDENTITY_OUTPUT_DEFAULT + ? cfg->output + : srv_cfg && srv_cfg->output != LOOKUP_IDENTITY_OUTPUT_DEFAULT + ? srv_cfg->output + : LOOKUP_IDENTITY_OUTPUT_ALL; + if (!(the_config.output & LOOKUP_IDENTITY_OUTPUT_ALL)) { + return DECLINED; + } + + the_config.output_gecos = cfg && cfg->output_gecos ? cfg->output_gecos + : srv_cfg && srv_cfg->output_gecos ? srv_cfg->output_gecos : LOOKUP_IDENTITY_OUTPUT_GECOS; + the_config.output_groups = cfg && cfg->output_groups ? cfg->output_groups + : srv_cfg && srv_cfg->output_groups ? srv_cfg->output_groups : LOOKUP_IDENTITY_OUTPUT_GROUPS; + the_config.output_groups_sep = cfg && cfg->output_groups_sep ? cfg->output_groups_sep + : srv_cfg && srv_cfg->output_groups_sep ? srv_cfg->output_groups_sep : LOOKUP_IDENTITY_OUTPUT_GROUPS_SEP; + + struct passwd * pwd = getpwnam(r->user); + if (! pwd) { + return DECLINED; + } + int ngroups = 3; + gid_t * groups; + groups = malloc(sizeof(gid_t) * ngroups); + if (! groups) { + return DECLINED; + } + while (getgrouplist(r->user, pwd->pw_gid, groups, &ngroups) == -1) { + free(groups); + groups = malloc(sizeof(gid_t) * ngroups); + if (! groups) { + return DECLINED; + } + } + int i, len; + len = 0; + struct group * gr; + for (i = 0; i < ngroups; i++) { + if (len) + len += strlen(the_config.output_groups_sep); + gr = getgrgid(groups[i]); + if (gr) + len += strlen(gr->gr_name); + } + if (len) { + char * buffer = apr_palloc(r->pool, len + 1); + len = 0; + for (i = 0; i < ngroups; i++) { + gr = getgrgid(groups[i]); + if (gr) { + if (len) { + strcpy(buffer + len, the_config.output_groups_sep); + len += strlen(the_config.output_groups_sep); + } + strcpy(buffer + len, gr->gr_name); + len += strlen(gr->gr_name); + } + } + buffer[len] = '\0'; + if (the_config.output & LOOKUP_IDENTITY_OUTPUT_NOTES) { + apr_table_setn(r->notes, the_config.output_groups, buffer); + } + if (the_config.output & LOOKUP_IDENTITY_OUTPUT_ENV) { + apr_table_setn(r->subprocess_env, the_config.output_groups, buffer); + } + } + free(groups); + + if (the_config.output & LOOKUP_IDENTITY_OUTPUT_NOTES) { + apr_table_set(r->notes, the_config.output_gecos, pwd->pw_gecos); + } + if (the_config.output & LOOKUP_IDENTITY_OUTPUT_ENV) { + apr_table_set(r->subprocess_env, the_config.output_gecos, pwd->pw_gecos); + } + + return OK; +} + +const char * set_output(cmd_parms * cmd, void * conf_void, const char * arg) { + lookup_identity_config * cfg = (lookup_identity_config *) conf_void; + if (cfg) { + if (!strcasecmp(arg, "none")) { + cfg->output = LOOKUP_IDENTITY_OUTPUT_NONE; + } else if (!strcasecmp(arg, "all")) { + cfg->output = LOOKUP_IDENTITY_OUTPUT_ALL; + } else if (!strcasecmp(arg, "env")) { + cfg->output = LOOKUP_IDENTITY_OUTPUT_ENV; + } else if (!strcasecmp(arg, "notes")) { + cfg->output = LOOKUP_IDENTITY_OUTPUT_NOTES; + } + } + return NULL; +} + +const char * set_output_gecos(cmd_parms * cmd, void * conf_void, const char * arg) { + lookup_identity_config * cfg = (lookup_identity_config *) conf_void; + if (cfg) { + if (!strcmp(arg, "default")) { + cfg->output_gecos = LOOKUP_IDENTITY_OUTPUT_GECOS; + } else { + cfg->output_gecos = apr_palloc(cmd->pool, strlen(arg) + 1); + strcpy(cfg->output_gecos, arg); + } + } + return NULL; +} + +const char * set_output_groups(cmd_parms * cmd, void * conf_void, const char * arg) { + lookup_identity_config * cfg = (lookup_identity_config *) conf_void; + if (cfg) { + if (!strcmp(arg, "default")) { + cfg->output_groups = LOOKUP_IDENTITY_OUTPUT_GROUPS; + } else { + cfg->output_groups = apr_palloc(cmd->pool, strlen(arg) + 1); + strcpy(cfg->output_groups, arg); + } + } + return NULL; +} + +const char * set_output_groups_separator(cmd_parms * cmd, void * conf_void, const char * arg) { + lookup_identity_config * cfg = (lookup_identity_config *) conf_void; + if (cfg) { + if (!strcmp(arg, "default")) { + cfg->output_groups_sep = LOOKUP_IDENTITY_OUTPUT_GROUPS_SEP; + } else { + cfg->output_groups_sep = apr_palloc(cmd->pool, strlen(arg) + 1); + strcpy(cfg->output_groups_sep, arg); + } + } + return NULL; +} + +lookup_identity_config * create_common_conf(apr_pool_t * pool) { + lookup_identity_config * cfg = apr_pcalloc(pool, sizeof(lookup_identity_config)); + if (cfg) { + cfg->output = LOOKUP_IDENTITY_OUTPUT_DEFAULT; + } + return cfg; +} + +void * create_server_conf(apr_pool_t * pool, server_rec * s) { + lookup_identity_config * cfg = create_common_conf(pool); + if (cfg) + cfg->context = apr_psprintf(pool, "(server %s)", s->server_hostname); + return cfg; +} + +void * create_dir_conf(apr_pool_t * pool, char * context) { + lookup_identity_config * cfg = create_common_conf(pool); + if (cfg) { + context = context ? context : "(no directory context)"; + cfg->context = apr_palloc(pool, strlen(context) + 1); + strcpy(cfg->context, context); + } + return cfg; +} + +void * merge_dir_conf(apr_pool_t * pool, void * base_void, void * add_void) { + lookup_identity_config * base = (lookup_identity_config *) base_void; + lookup_identity_config * add = (lookup_identity_config *) add_void; + lookup_identity_config * cfg = (lookup_identity_config *) create_dir_conf(pool, add->context); + cfg->output = (add->output == LOOKUP_IDENTITY_OUTPUT_DEFAULT) ? base->output : add->output; + cfg->output_gecos = add->output_gecos ? add->output_gecos : base->output_gecos; + cfg->output_groups = add->output_groups ? add->output_groups : base->output_groups; + cfg->output_groups_sep = add->output_groups_sep ? add->output_groups_sep : base->output_groups_sep; + return cfg; +} + +static const command_rec directives[] = { + AP_INIT_TAKE1("LookupOutput", set_output, NULL, RSRC_CONF | ACCESS_CONF, "Specify where the lookup results should be stored"), + AP_INIT_TAKE1("LookupOutputGECOS", set_output_gecos, NULL, RSRC_CONF | ACCESS_CONF, "Name of the note/variable for the GECOS information"), + AP_INIT_TAKE1("LookupOutputGroups", set_output_groups, NULL, RSRC_CONF | ACCESS_CONF, "Name of the note/variable for the group information"), + AP_INIT_TAKE1("LookupOutputGroupsSeparator", set_output_groups_separator, NULL, RSRC_CONF | ACCESS_CONF, "Group information separator"), + { NULL } +}; + +static void register_hooks(apr_pool_t * pool) { + ap_hook_fixups(lookup_identity_hook, NULL, NULL, APR_HOOK_LAST); +} + +module AP_MODULE_DECLARE_DATA lookup_identity_module = { + STANDARD20_MODULE_STUFF, + create_dir_conf, /* Per-directory configuration handler */ + merge_dir_conf, /* Merge handler for per-directory configurations */ + create_server_conf, /* Per-server configuration handler */ + merge_dir_conf, /* Merge handler for per-server configurations */ + directives, /* Any directives we may have for httpd */ + register_hooks /* Our hook registering function */ +}; + |