| /* Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include "apr_strings.h" |
| |
| #include "ap_config.h" |
| #include "ap_provider.h" |
| #include "httpd.h" |
| #include "http_config.h" |
| #include "http_core.h" |
| #include "http_log.h" |
| #include "http_protocol.h" |
| #include "http_request.h" |
| |
| #include "mod_auth.h" |
| |
| #include "ap_socache.h" |
| #include "util_mutex.h" |
| #include "apr_optional.h" |
| |
| module AP_MODULE_DECLARE_DATA authn_socache_module; |
| |
| typedef struct authn_cache_dircfg { |
| apr_interval_time_t timeout; |
| apr_array_header_t *providers; |
| const char *context; |
| } authn_cache_dircfg; |
| |
| /* FIXME: |
| * I think the cache and mutex should be global |
| */ |
| static apr_global_mutex_t *authn_cache_mutex = NULL; |
| static ap_socache_provider_t *socache_provider = NULL; |
| static ap_socache_instance_t *socache_instance = NULL; |
| static const char *const authn_cache_id = "authn-socache"; |
| static int configured; |
| |
| static apr_status_t remove_lock(void *data) |
| { |
| if (authn_cache_mutex) { |
| apr_global_mutex_destroy(authn_cache_mutex); |
| authn_cache_mutex = NULL; |
| } |
| return APR_SUCCESS; |
| } |
| |
| static apr_status_t destroy_cache(void *data) |
| { |
| if (socache_instance) { |
| socache_provider->destroy(socache_instance, (server_rec*)data); |
| socache_instance = NULL; |
| } |
| return APR_SUCCESS; |
| } |
| |
| static int authn_cache_precfg(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptmp) |
| { |
| apr_status_t rv = ap_mutex_register(pconf, authn_cache_id, |
| NULL, APR_LOCK_DEFAULT, 0); |
| if (rv != APR_SUCCESS) { |
| ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, plog, APLOGNO(01673) |
| "failed to register %s mutex", authn_cache_id); |
| return 500; /* An HTTP status would be a misnomer! */ |
| } |
| socache_provider = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP, |
| AP_SOCACHE_DEFAULT_PROVIDER, |
| AP_SOCACHE_PROVIDER_VERSION); |
| configured = 0; |
| return OK; |
| } |
| |
| static int authn_cache_post_config(apr_pool_t *pconf, apr_pool_t *plog, |
| apr_pool_t *ptmp, server_rec *s) |
| { |
| apr_status_t rv; |
| static struct ap_socache_hints authn_cache_hints = {64, 32, 60000000}; |
| const char *errmsg; |
| |
| if (!configured) { |
| return OK; /* don't waste the overhead of creating mutex & cache */ |
| } |
| if (socache_provider == NULL) { |
| ap_log_perror(APLOG_MARK, APLOG_CRIT, 0, plog, APLOGNO(01674) |
| "Please select a socache provider with AuthnCacheSOCache " |
| "(no default found on this platform). Maybe you need to " |
| "load mod_socache_shmcb or another socache module first"); |
| return 500; /* An HTTP status would be a misnomer! */ |
| } |
| |
| /* We have socache_provider, but do not have socache_instance. This should |
| * happen only when using "default" socache_provider, so create default |
| * socache_instance in this case. */ |
| if (socache_instance == NULL) { |
| errmsg = socache_provider->create(&socache_instance, NULL, |
| ptmp, pconf); |
| if (errmsg) { |
| ap_log_perror(APLOG_MARK, APLOG_CRIT, 0, plog, APLOGNO(02612) |
| "failed to create mod_socache_shmcb socache " |
| "instance: %s", errmsg); |
| return 500; |
| } |
| } |
| |
| rv = ap_global_mutex_create(&authn_cache_mutex, NULL, |
| authn_cache_id, NULL, s, pconf, 0); |
| if (rv != APR_SUCCESS) { |
| ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, plog, APLOGNO(01675) |
| "failed to create %s mutex", authn_cache_id); |
| return 500; /* An HTTP status would be a misnomer! */ |
| } |
| apr_pool_cleanup_register(pconf, NULL, remove_lock, apr_pool_cleanup_null); |
| |
| rv = socache_provider->init(socache_instance, authn_cache_id, |
| &authn_cache_hints, s, pconf); |
| if (rv != APR_SUCCESS) { |
| ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, plog, APLOGNO(01677) |
| "failed to initialise %s cache", authn_cache_id); |
| return 500; /* An HTTP status would be a misnomer! */ |
| } |
| apr_pool_cleanup_register(pconf, (void*)s, destroy_cache, apr_pool_cleanup_null); |
| return OK; |
| } |
| |
| static void authn_cache_child_init(apr_pool_t *p, server_rec *s) |
| { |
| const char *lock; |
| apr_status_t rv; |
| if (!configured) { |
| return; /* don't waste the overhead of creating mutex & cache */ |
| } |
| lock = apr_global_mutex_lockfile(authn_cache_mutex); |
| rv = apr_global_mutex_child_init(&authn_cache_mutex, lock, p); |
| if (rv != APR_SUCCESS) { |
| ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, APLOGNO(01678) |
| "failed to initialise mutex in child_init"); |
| } |
| } |
| |
| static const char *authn_cache_socache(cmd_parms *cmd, void *CFG, |
| const char *arg) |
| { |
| const char *errmsg = ap_check_cmd_context(cmd, GLOBAL_ONLY); |
| const char *sep, *name; |
| |
| if (errmsg) |
| return errmsg; |
| |
| /* Argument is of form 'name:args' or just 'name'. */ |
| sep = ap_strchr_c(arg, ':'); |
| if (sep) { |
| name = apr_pstrmemdup(cmd->pool, arg, sep - arg); |
| sep++; |
| } |
| else { |
| name = arg; |
| } |
| |
| socache_provider = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP, name, |
| AP_SOCACHE_PROVIDER_VERSION); |
| if (socache_provider == NULL) { |
| errmsg = apr_psprintf(cmd->pool, |
| "Unknown socache provider '%s'. Maybe you need " |
| "to load the appropriate socache module " |
| "(mod_socache_%s?)", arg, arg); |
| } |
| else { |
| errmsg = socache_provider->create(&socache_instance, sep, |
| cmd->temp_pool, cmd->pool); |
| } |
| |
| if (errmsg) { |
| errmsg = apr_psprintf(cmd->pool, "AuthnCacheSOCache: %s", errmsg); |
| } |
| return errmsg; |
| } |
| |
| static const char *authn_cache_enable(cmd_parms *cmd, void *CFG) |
| { |
| const char *errmsg = ap_check_cmd_context(cmd, GLOBAL_ONLY); |
| configured = 1; |
| return errmsg; |
| } |
| |
| static const char *const directory = "directory"; |
| static void* authn_cache_dircfg_create(apr_pool_t *pool, char *s) |
| { |
| authn_cache_dircfg *ret = apr_palloc(pool, sizeof(authn_cache_dircfg)); |
| ret->timeout = apr_time_from_sec(300); |
| ret->providers = NULL; |
| ret->context = directory; |
| return ret; |
| } |
| |
| /* not sure we want this. Might be safer to document use-all-or-none */ |
| static void* authn_cache_dircfg_merge(apr_pool_t *pool, void *BASE, void *ADD) |
| { |
| authn_cache_dircfg *base = BASE; |
| authn_cache_dircfg *add = ADD; |
| authn_cache_dircfg *ret = apr_pmemdup(pool, add, sizeof(authn_cache_dircfg)); |
| /* preserve context and timeout if not defaults */ |
| if (add->context == directory) { |
| ret->context = base->context; |
| } |
| if (add->timeout == apr_time_from_sec(300)) { |
| ret->timeout = base->timeout; |
| } |
| if (add->providers == NULL) { |
| ret->providers = base->providers; |
| } |
| return ret; |
| } |
| |
| static const char *authn_cache_setprovider(cmd_parms *cmd, void *CFG, |
| const char *arg) |
| { |
| authn_cache_dircfg *cfg = CFG; |
| if (cfg->providers == NULL) { |
| cfg->providers = apr_array_make(cmd->pool, 4, sizeof(const char*)); |
| } |
| APR_ARRAY_PUSH(cfg->providers, const char*) = arg; |
| configured = 1; |
| return NULL; |
| } |
| |
| static const char *authn_cache_timeout(cmd_parms *cmd, void *CFG, |
| const char *arg) |
| { |
| authn_cache_dircfg *cfg = CFG; |
| int secs = atoi(arg); |
| cfg->timeout = apr_time_from_sec(secs); |
| return NULL; |
| } |
| |
| static const command_rec authn_cache_cmds[] = |
| { |
| /* global stuff: cache and mutex */ |
| AP_INIT_TAKE1("AuthnCacheSOCache", authn_cache_socache, NULL, RSRC_CONF, |
| "socache provider for authn cache"), |
| AP_INIT_NO_ARGS("AuthnCacheEnable", authn_cache_enable, NULL, RSRC_CONF, |
| "enable socache configuration in htaccess even if not enabled anywhere else"), |
| /* per-dir stuff */ |
| AP_INIT_ITERATE("AuthnCacheProvideFor", authn_cache_setprovider, NULL, |
| OR_AUTHCFG, "Determine what authn providers to cache for"), |
| AP_INIT_TAKE1("AuthnCacheTimeout", authn_cache_timeout, NULL, |
| OR_AUTHCFG, "Timeout (secs) for cached credentials"), |
| AP_INIT_TAKE1("AuthnCacheContext", ap_set_string_slot, |
| (void*)APR_OFFSETOF(authn_cache_dircfg, context), |
| ACCESS_CONF, "Context for authn cache"), |
| {NULL} |
| }; |
| |
| static const char *construct_key(request_rec *r, const char *context, |
| const char *user, const char *realm) |
| { |
| /* handle "special" context values */ |
| if (!strcmp(context, directory)) { |
| /* FIXME: are we at risk of this blowing up? */ |
| char *new_context; |
| char *slash = strrchr(r->uri, '/'); |
| new_context = apr_palloc(r->pool, slash - r->uri + |
| strlen(r->server->server_hostname) + 1); |
| strcpy(new_context, r->server->server_hostname); |
| strncat(new_context, r->uri, slash - r->uri); |
| context = new_context; |
| } |
| else if (!strcmp(context, "server")) { |
| context = r->server->server_hostname; |
| } |
| /* any other context value is literal */ |
| |
| if (realm == NULL) { /* basic auth */ |
| return apr_pstrcat(r->pool, context, ":", user, NULL); |
| } |
| else { /* digest auth */ |
| return apr_pstrcat(r->pool, context, ":", user, ":", realm, NULL); |
| } |
| } |
| |
| static void ap_authn_cache_store(request_rec *r, const char *module, |
| const char *user, const char *realm, |
| const char* data) |
| { |
| apr_status_t rv; |
| authn_cache_dircfg *dcfg; |
| const char *key; |
| apr_time_t expiry; |
| |
| /* first check whether we're cacheing for this module */ |
| dcfg = ap_get_module_config(r->per_dir_config, &authn_socache_module); |
| if (!configured || !dcfg->providers) { |
| return; |
| } |
| if (!ap_array_str_contains(dcfg->providers, module)) { |
| return; |
| } |
| |
| /* OK, we're on. Grab mutex to do our business */ |
| rv = apr_global_mutex_trylock(authn_cache_mutex); |
| if (APR_STATUS_IS_EBUSY(rv)) { |
| /* don't wait around; just abandon it */ |
| ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, APLOGNO(01679) |
| "authn credentials for %s not cached (mutex busy)", user); |
| return; |
| } |
| else if (rv != APR_SUCCESS) { |
| ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01680) |
| "Failed to cache authn credentials for %s in %s", |
| module, dcfg->context); |
| return; |
| } |
| |
| /* We have the mutex, so go ahead */ |
| /* first build our key and determine expiry time */ |
| key = construct_key(r, dcfg->context, user, realm); |
| expiry = apr_time_now() + dcfg->timeout; |
| |
| /* store it */ |
| rv = socache_provider->store(socache_instance, r->server, |
| (unsigned char*)key, strlen(key), expiry, |
| (unsigned char*)data, strlen(data), r->pool); |
| if (rv == APR_SUCCESS) { |
| ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01681) |
| "Cached authn credentials for %s in %s", |
| user, dcfg->context); |
| } |
| else { |
| ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01682) |
| "Failed to cache authn credentials for %s in %s", |
| module, dcfg->context); |
| } |
| |
| /* We're done with the mutex */ |
| rv = apr_global_mutex_unlock(authn_cache_mutex); |
| if (rv != APR_SUCCESS) { |
| ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01683) "Failed to release mutex!"); |
| } |
| } |
| |
| #define MAX_VAL_LEN 100 |
| static authn_status check_password(request_rec *r, const char *user, |
| const char *password) |
| { |
| /* construct key |
| * look it up |
| * if found, test password |
| * |
| * mutexing here would be a big performance drag. |
| * It's definitely unnecessary with some backends (like ndbm or gdbm) |
| * Is there a risk in the general case? I guess the only risk we |
| * care about is a race condition that gets us a dangling pointer |
| * to no-longer-defined memory. Hmmm ... |
| */ |
| apr_status_t rv; |
| const char *key; |
| authn_cache_dircfg *dcfg; |
| unsigned char val[MAX_VAL_LEN]; |
| unsigned int vallen = MAX_VAL_LEN - 1; |
| dcfg = ap_get_module_config(r->per_dir_config, &authn_socache_module); |
| if (!configured || !dcfg->providers) { |
| return AUTH_USER_NOT_FOUND; |
| } |
| key = construct_key(r, dcfg->context, user, NULL); |
| rv = socache_provider->retrieve(socache_instance, r->server, |
| (unsigned char*)key, strlen(key), |
| val, &vallen, r->pool); |
| |
| if (APR_STATUS_IS_NOTFOUND(rv)) { |
| /* not found - just return */ |
| ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01684) |
| "Authn cache: no credentials found for %s", user); |
| return AUTH_USER_NOT_FOUND; |
| } |
| else if (rv == APR_SUCCESS) { |
| /* OK, we got a value */ |
| ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01685) |
| "Authn cache: found credentials for %s", user); |
| val[vallen] = 0; |
| } |
| else { |
| /* error: give up and pass the buck */ |
| /* FIXME: getting this for NOTFOUND - prolly a bug in mod_socache */ |
| ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01686) |
| "Error accessing authentication cache"); |
| return AUTH_USER_NOT_FOUND; |
| } |
| |
| rv = ap_password_validate(r, user, password, (char*) val); |
| if (rv != APR_SUCCESS) { |
| return AUTH_DENIED; |
| } |
| |
| return AUTH_GRANTED; |
| } |
| |
| static authn_status get_realm_hash(request_rec *r, const char *user, |
| const char *realm, char **rethash) |
| { |
| apr_status_t rv; |
| const char *key; |
| authn_cache_dircfg *dcfg; |
| unsigned char val[MAX_VAL_LEN]; |
| unsigned int vallen = MAX_VAL_LEN - 1; |
| dcfg = ap_get_module_config(r->per_dir_config, &authn_socache_module); |
| if (!configured || !dcfg->providers) { |
| return AUTH_USER_NOT_FOUND; |
| } |
| key = construct_key(r, dcfg->context, user, realm); |
| rv = socache_provider->retrieve(socache_instance, r->server, |
| (unsigned char*)key, strlen(key), |
| val, &vallen, r->pool); |
| |
| if (APR_STATUS_IS_NOTFOUND(rv)) { |
| /* not found - just return */ |
| ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01687) |
| "Authn cache: no credentials found for %s", user); |
| return AUTH_USER_NOT_FOUND; |
| } |
| else if (rv == APR_SUCCESS) { |
| /* OK, we got a value */ |
| ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01688) |
| "Authn cache: found credentials for %s", user); |
| } |
| else { |
| /* error: give up and pass the buck */ |
| /* FIXME: getting this for NOTFOUND - prolly a bug in mod_socache */ |
| ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01689) |
| "Error accessing authentication cache"); |
| return AUTH_USER_NOT_FOUND; |
| } |
| *rethash = apr_pstrmemdup(r->pool, (char *)val, vallen); |
| |
| return AUTH_USER_FOUND; |
| } |
| |
| static const authn_provider authn_cache_provider = |
| { |
| &check_password, |
| &get_realm_hash, |
| }; |
| |
| static void register_hooks(apr_pool_t *p) |
| { |
| ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "socache", |
| AUTHN_PROVIDER_VERSION, |
| &authn_cache_provider, AP_AUTH_INTERNAL_PER_CONF); |
| APR_REGISTER_OPTIONAL_FN(ap_authn_cache_store); |
| ap_hook_pre_config(authn_cache_precfg, NULL, NULL, APR_HOOK_MIDDLE); |
| ap_hook_post_config(authn_cache_post_config, NULL, NULL, APR_HOOK_MIDDLE); |
| ap_hook_child_init(authn_cache_child_init, NULL, NULL, APR_HOOK_MIDDLE); |
| } |
| |
| AP_DECLARE_MODULE(authn_socache) = |
| { |
| STANDARD20_MODULE_STUFF, |
| authn_cache_dircfg_create, |
| authn_cache_dircfg_merge, |
| NULL, |
| NULL, |
| authn_cache_cmds, |
| register_hooks |
| }; |