OpenVMS Source Code Demos
mod_auth_openvms
/* ====================================================================
* Copyright (c) 1995 The Apache Group. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* 4. The names "Apache Server" and "Apache Group" must not be used to
* endorse or promote products derived from this software without
* prior written permission.
*
* 5. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
* IT'S CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Group and was originally based
* on public domain software written at the National Center for
* Supercomputing Applications, University of Illinois, Urbana-Champaign.
* For more information on the Apache Group and the Apache HTTP server
* project, please see <http://www.apache.org/>.
*
*/
/*
** FACILITY:
** Compaq Secure Web Server for OpenVMS Alpha
**
** ABSTRACT:
** This module provides a basic routine for authenticating a user based
** on a username and password contained in the SYSUAF records.
**
** NOTE: This module is based on MOD_AUTH_NIS.C. Credit goes to
** [email protected], the author of that module.
**
** RESTRICTION:
** There is no support for secondary passwords or external authentication
** at this time. (The MOD_AUTH_xxx services only provide one password.)
**
** CREATION DATE: November 29, 2000
**
** AUTHORS:
** Kevin D. O'Kelley
**
** MODIFICATION HISTORY:
**
** 000 KDO/29-Nov-2000
** Created.
**
** 001 RJB/02-Feb-2001
** vms_auth_princ_sysuaf syntax has changed to require
** the caller to supply the client's host-name string.
**
** 002 KDO/02-Nov-2001
** Add authoritative/non-authoritative support. Add support
** for case-insensitive username comparison. Add support for
** the "require group" directive.
**
** 003 MPD/15-Jan-2003
** Added Apache 2.0 API changes
**
*/
/*
** Include files
*/
#include <ctype.h>
#include <types.h>
#include <limits.h>
#include <string.h>
#include <ssdef.h>
#include <kgbdef.h>
#include <lgidef.h>
#include <stsdef.h>
#include <descrip.h>
#include <starlet.h>
#include <builtins.h>
#ifdef SHADOW
#undef SHADOW
#endif
#ifdef MULTITHREADING
#undef MULTITHREADING
#endif
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "apr_strings.h"
#include "protshr.h"
/*
** Conditional asssembly macros
*/
#ifndef __VMS_AUTH_SYSUAF_DEBUG
#define __VMS_AUTH_SYSUAF_DEBUG 0 /* 1= debugging */
#endif
#if __VMS_AUTH_SYSUAF_DEBUG
#define DEBUG_PRINTF(ARGS) printf ARGS
#define DEBUG_OFF (0)
#define DEBUG_ON (1)
#include <stdio.h>
#else
#define DEBUG_PRINTF(ARGS)
#define DEBUG_OFF (1)
#define DEBUG_ON (0)
#endif
/*
** Definitions
*/
#ifndef INTERNAL
#define INTERNAL static
#endif
#ifndef NULL
#define NULL (void *) 0
#endif
#ifndef alloca
#define alloca __ALLOCA
#endif
#define BAD_STATUS(I) (((I) & STS$M_SUCCESS) == 0)
#define GOOD_STATUS(I) (((I) & STS$M_SUCCESS) == 1)
/*
** Data structures
*/
typedef unsigned int VMS_STATUS;
typedef struct dsc$descriptor_s DSC_S;
typedef struct /* context block */
{
int fUserEnable; /* 0= false (this module abstains) */
int fGroupEnable; /* 0= false (no group processing) */
int fAuthoritative; /* 0= false (DECLINE, not REJECT) */
}
CTXBLK;
typedef struct /* temp structure for identifiers */
{
int iUsed; /* number of identifiers */
int iAllocated; /* number of slots allocated */
int aiIds[10]; /* initial allocation of space */
}
IDENT_LIST;
/*
** Function prototypes
*/
INTERNAL int save_identifier(const char *pcszName, IDENT_LIST **ppident);
extern module AP_MODULE_DECLARE_DATA auth_openvms_module;
void *create_auth_openvms_context (apr_pool_t *p, char *d)
{
CTXBLK *sec = (CTXBLK *) apr_pcalloc (p, sizeof(CTXBLK));
sec->fUserEnable = sec->fGroupEnable = -1;
return (void *) sec;
}
/*
** Directives handled by this module
**
** NOTE: "AuthUserOpenVMS" is the old syntax. We keep it for backwards
** compatability. However, by default, this module is enabled, although
** not authoritative.
*/
command_rec auth_openvms_cmds[] =
{
{ "AuthOpenVMSAuthoritative", ap_set_flag_slot,
(void *) APR_XtOffsetOf(CTXBLK,fAuthoritative), OR_AUTHCFG, FLAG,
"Set to 'no' to allow access control to be passed along "
"to lower modules if the userID is not known to this module" },
{ "AuthOpenVMSGroup", ap_set_flag_slot,
(void *) APR_XtOffsetOf(CTXBLK,fGroupEnable), OR_AUTHCFG, FLAG,
"OpenVMS authorization on or off" },
{ "AuthOpenVMSUser", ap_set_flag_slot,
(void *) APR_XtOffsetOf(CTXBLK,fUserEnable), OR_AUTHCFG, FLAG,
"OpenVMS authentication/authorization on or off" },
{ "AuthUserOpenVMS", ap_set_flag_slot,
(void *) APR_XtOffsetOf(CTXBLK,fUserEnable), OR_AUTHCFG, FLAG,
"OBSOLETE: Please switch to AuthOpenVMSUser" },
{ NULL }
};
/*
** These functions return 0 if client is OK, and proper error status
** if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or
** SERVER_ERROR, if things are so totally confused that we couldn't
** figure out how to tell if the client is authorized or not.
**
** If they return DECLINED, and all other modules also decline, that's
** treated by the server core as a configuration error, logged and
** reported as such.
*/
/*
** a u t h e n t i c a t e _ o p e n v m s
**
** Basic HTTP authentication.
** Return with OK for success, DECLINED for an unknown user with the
** AuthOpenVMSAuthoritative directive disabled and HTTP_UNAUTHORIZED for a
** failure.
*/
INTERNAL int authenticate_openvms (request_rec *r)
{
unsigned int st;
CTXBLK *sec = (CTXBLK *)
ap_get_module_config (r->per_dir_config, &auth_openvms_module);
conn_rec *c = r->connection;
const char *pcszPassword;
const char *pcszHostName;
char errstr[MAX_STRING_LEN];
int res;
if ((res = ap_get_basic_auth_pw (r, &pcszPassword)))
return res;
if (!sec->fUserEnable)
return DECLINED;
pcszHostName = ap_get_remote_host ( r->connection, r->per_dir_config,
REMOTE_NOLOOKUP, 0 );
st = apache$$auth_princ_sysuaf (
(const char *) r->user, strlen(r->user),
pcszPassword, strlen(pcszPassword),
pcszHostName, strlen(pcszHostName) );
if (st == LGI$_NOSUCHUSER)
{
if (!sec->fAuthoritative)
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"OpenVMS user %s not found", r->user);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
if (BAD_STATUS(st))
{
apr_snprintf(errstr, sizeof(errstr),
"OpenVMS authorization failure %s status=0x%08x",
r->user, st);
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"access to %s failed for %s, reason: %s",
r->uri,
ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, 0),
errstr);
ap_note_basic_auth_failure (r);
return HTTP_UNAUTHORIZED;
}
return OK;
}
/*
** c h e c k _ o p e n v m s _ a c c e s s
**
** Parse the "require user" and "require group" directives to determine
** whether or not the user is allowed access.
** Return with OK for success, DECLINED for an unknown user with the
** AuthOpenVMSAuthoritative directive disabled and HTTP_UNAUTHORIZED for a
** failure.
*/
INTERNAL int check_openvms_access (request_rec *r)
{
unsigned int st;
int fAuthorized = 0;
int iRequireGroup = 0;
CTXBLK *sec = (CTXBLK *)
ap_get_module_config (r->per_dir_config, &auth_openvms_module);
conn_rec *c = r->connection;
int m = r->method_number;
register int x;
const char *t, *w;
const apr_array_header_t *reqs_arr = ap_requires(r);
require_line *reqs;
IDENT_LIST *pident = NULL;
/*
** If we're not enabled then decline.
*/
if ((!sec->fGroupEnable) || (!sec->fUserEnable))
return DECLINED;
/*
** If there are no require directives then any user will do: decline,
** same as MOD_AUTH_DB does.
*/
if (!reqs_arr)
{
DEBUG_PRINTF(("(check_openvms_access) No require directives\n"));
return DECLINED;
}
reqs = (require_line *) reqs_arr->elts;
/*
** Parse each require directive.
**
** NOTE: We intentionally parse and handle the "require user" directive
** to make the string comparison case-insensitive.
*/
for (x = 0; x < reqs_arr->nelts; x++)
{
if (!(reqs[x].method_mask & (1 << m)))
continue;
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (!strcasecmp(w, "valid-user"))
{
DEBUG_PRINTF(("(check_openvms_access) valid-user\n"));
fAuthorized++;
break;
}
if (!strcasecmp(w, "user"))
{
while (t[0])
{
w = ap_getword_conf(r->pool, &t);
DEBUG_PRINTF(("(check_openvms_access) user \"%s\"\n", w));
if (!strcasecmp(r->user, w))
{
fAuthorized++;
break;
}
}
if (fAuthorized > 0)
break;
}
else if (!strcasecmp(w, "group"))
{
while (t[0])
{
w = ap_getword_conf(r->pool, &t);
DEBUG_PRINTF(("(check_openvms_access) group \"%s\"\n", w));
if (save_identifier(w, &pident))
{
if (pident != NULL)
free(pident);
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"internal error: cannot save groups, "
"errno=%d (user %s)", errno, r->user);
return DECLINED;
}
iRequireGroup++;
}
}
else if (sec->fAuthoritative)
{
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"access to %s failed, reason: unknown require directive:"
"\"%s\"", r->uri, reqs[x].requirement);
}
}
/*
** All of the require directives have been parsed. If we didn't find
** a "require valid-user" or a matching "require user" directive but we
** did find one or more "require group" directives, then see if the
** user is a member of the specified group UICs or it the account has
** any of the specified identifiers granted to it. The tests for the
** validity of the account will be done at the same time.
**
** Otherwise, we still need to test the validity of the account, whether
** the access is allowed or not.
*/
if ((fAuthorized == 0) && (pident != NULL))
{
st = apache$$check_rights_list((const char *) r->user, strlen(r->user),
(const unsigned int *) &pident->aiIds[0], pident->iUsed);
if (GOOD_STATUS(st))
{
DEBUG_PRINTF(("(check_openvms_access) "
"apache$$check_rights_list(%s,%d) OK\n",
r->user, pident->iUsed));
free(pident);
return OK;
}
DEBUG_PRINTF(("(check_openvms_access) "
"apache$$check_rights_list(%s,%d) status=0x%x\n",
r->user, pident->iUsed, st));
free(pident);
}
else
{
if (pident != NULL)
free(pident);
st = apache$$check_rights_list((const char *) r->user, strlen(r->user),
(const unsigned int *) NULL, 0);
if (GOOD_STATUS(st))
{
DEBUG_PRINTF(("(check_openvms_access) "
"apache$$check_rights_list(%s) OK\n",
r->user, ((fAuthorized > 0) ? "" : " (not authorized)")));
if (fAuthorized > 0)
return OK;
if (iRequireGroup == 0)
return DECLINED; /* no require group directives */
st = SS$_NOCALLPRIV; /* some found but none were valid */
}
else
DEBUG_PRINTF(("(check_openvms_access) "
"apache$$check_rights_list(%s) status=0x%x\n", r->user, st));
}
/*
** All is lost: this user is not allowed access.
*/
if (st == LGI$_NOSUCHUSER)
{
DEBUG_PRINTF(("(check_openvms_access) user %s not found\n", r->user));
if (!sec->fAuthoritative)
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"access to %s failed, reason: OpenVMS user %s not found",
r->uri, r->user);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
if (SS$_NOCALLPRIV)
{
DEBUG_PRINTF(("(check_openvms_access) user %s not allowed\n", r->user));
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"access to %s failed, reason: user %s is not allowed",
r->uri, r->user);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
DEBUG_PRINTF(("(check_openvms_access) unexpected error 0x%x (user %s)\n",
st, r->user));
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"access to %s failed, reason: unexpected error 0x%x (user %s)",
r->uri, st, r->user);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
/*
** s a v e _ i d e n t i f i e r
**
** Add an identifier to the internal list. If necesssary, expand the list.
** Return with zero for success or minus one for failure. However, if the
** "require group" value is not an identifier, ignore it (not an error).
**
** NOTE: For simplicity, we use the realloc() function to expand an existing
** array. However, this function is not available to the low level pool
** allocation routines. Therefore, we must ensure that the structure is
** deallocated in all cases.
*/
INTERNAL int save_identifier(const char *pcszName, IDENT_LIST **ppident)
{
int i;
VMS_STATUS st;
unsigned int uiId;
unsigned int uiAttrib;
IDENT_LIST *pidentNew;
DSC_S dscsName;
/*
** Convert the name to an identifier.
*/
dscsName.dsc$b_dtype = DSC$K_DTYPE_T;
dscsName.dsc$b_class = DSC$K_CLASS_S;
dscsName.dsc$a_pointer = (char *) pcszName;
dscsName.dsc$w_length = strlen(dscsName.dsc$a_pointer);
if (dscsName.dsc$w_length == 0)
return(0);
if (dscsName.dsc$w_length > CHAR_MAX)
{
errno = EINVAL;
return(-1);
}
st = sys$asctoid(&dscsName, &uiId, &uiAttrib);
if (BAD_STATUS(st))
{
DEBUG_PRINTF(("(save_identifier) sys$asctoid(\"%.*s\") status=0x%x\n",
dscsName.dsc$w_length, dscsName.dsc$a_pointer, st));
return(0);
}
/*
** Only keep plain identifiers (i.e. no attributes), resource identifiers,
** and group ids. User names are also accepted here, but they are not
** relevant: user names are immediately handled by a string comparison.
*/
if (uiAttrib != (uiAttrib & (KGB$M_RESOURCE | KGB$M_DYNAMIC)))
return(0);
DEBUG_PRINTF(("(save_identifier) \"%.*s\" = 0x%08x (attrib=0x%08x)\n",
dscsName.dsc$w_length, dscsName.dsc$a_pointer, uiId, uiAttrib));
/*
** Save the value in the IDENT_LIST structure.
*/
if ((*ppident) == NULL)
{
(*ppident) = malloc(sizeof(**ppident));
if ((*ppident) == NULL)
return(-1);
(*ppident)->iUsed = 0;
(*ppident)->iAllocated = sizeof((*ppident)->aiIds) /
sizeof((*ppident)->aiIds[0]);
}
else
{
if ((*ppident)->iUsed >= (*ppident)->iAllocated)
{
pidentNew = (IDENT_LIST *) realloc((*ppident), sizeof(**ppident) +
((*ppident)->iAllocated * sizeof((*ppident)->aiIds[0])));
if (pidentNew == NULL)
return(-1);
(*ppident) = pidentNew;
(*ppident)->iAllocated += sizeof((*ppident)->aiIds) /
sizeof((*ppident)->aiIds[0]);
}
}
(*ppident)->aiIds[(*ppident)->iUsed++] = uiId;
return(0);
}
static void register_hooks(apr_pool_t *p)
{
ap_hook_check_user_id(authenticate_openvms,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_auth_checker(check_openvms_access,NULL,NULL,APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA auth_openvms_module =
{
STANDARD20_MODULE_STUFF,
create_auth_openvms_context,/* dir config creater */
NULL, /* dir merger --- default is to override */
NULL, /* server config */
NULL, /* merge server config */
auth_openvms_cmds, /* command apr_table_t */
register_hooks /* register hooks */
};