brian 96/11/18 11:40:53
Modified: src http_core.h http_core.c http_request.h
http_request.c mod_access.c
Log:
Reviewed by: Brian Behlendorf, Roy Fielding, Jim Jagielski
Submitted by: Lou Langholtz
Added NCSA-compliant "Satisfy" directive for use with access control.
Revision Changes Path
1.16 +5 -0 apache/src/http_core.h
Index: http_core.h
===================================================================
RCS file: /export/home/cvs/apache/src/http_core.h,v
retrieving revision 1.15
retrieving revision 1.16
diff -C3 -r1.15 -r1.16
*** http_core.h 1996/11/04 09:43:07 1.15
--- http_core.h 1996/11/18 19:40:45 1.16
***************
*** 78,83 ****
--- 78,86 ----
#define REMOTE_NAME (1)
#define REMOTE_NOLOOKUP (2)
+ #define SATISFY_ALL 0
+ #define SATISFY_ANY 1
+
int allow_options (request_rec *);
int allow_overrides (request_rec *);
char *default_type (request_rec *);
***************
*** 103,108 ****
--- 106,112 ----
char *auth_type (request_rec *);
char *auth_name (request_rec *);
+ int satisfies (request_rec *r);
array_header *requires (request_rec *);
#ifdef CORE_PRIVATE
***************
*** 138,143 ****
--- 142,148 ----
/* Authentication stuff. Groan... */
+ int satisfy;
char *auth_type;
char *auth_name;
array_header *requires;
1.49 +23 -1 apache/src/http_core.c
Index: http_core.c
===================================================================
RCS file: /export/home/cvs/apache/src/http_core.c,v
retrieving revision 1.48
retrieving revision 1.49
diff -C3 -r1.48 -r1.49
*** http_core.c 1996/11/18 03:38:04 1.48
--- http_core.c 1996/11/18 19:40:46 1.49
***************
*** 92,97 ****
--- 92,98 ----
conf->hostname_lookups = 2;/* binary, but will use 2 as an "unset = on"
*/
conf->do_rfc1413 = DEFAULT_RFC1413 | 2; /* set bit 1 to indicate
default */
+ conf->satisfy = SATISFY_ALL;
#ifdef RLIMIT_CPU
conf->limit_cpu = NULL;
***************
*** 152,157 ****
--- 153,159 ----
conf->sec = append_arrays (a, base->sec, new->sec);
+ conf->satisfy = new->satisfy;
return (void*)conf;
}
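Review bot: `conf->satisfy = new->satisfy;` copies the inner section's value unconditionally, and the first hunk of this file initialises every config to `SATISFY_ALL`, so a section with no Satisfy line looks the same as one that says `Satisfy all`. Assuming `new` was built by that initialiser, a `Satisfy any` set on a parent directory is silently reset to "all" in any nested section or per-directory file that gets merged over it. The reset is toward the stricter policy, but it breaks the inheritance the other per-directory settings follow. An explicit "unset" value kept inside the config and normalised in the accessor would fix it; the merge function starts outside this hunk, and the constant name below is a suggestion.

```c
/* http_core.h, next to SATISFY_ALL / SATISFY_ANY */
#define SATISFY_NOSPEC 2    /* no Satisfy line in this section */

/* … unchanged: per-directory config initialisation … */
    conf->satisfy = SATISFY_NOSPEC;

/* … unchanged: merge, after the append_arrays call … */
    conf->satisfy = (new->satisfy != SATISFY_NOSPEC) ? new->satisfy : base->satisfy;

/* in satisfies(): unset falls back to the strict policy */
    return conf->satisfy == SATISFY_ANY ? SATISFY_ANY : SATISFY_ALL;
```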
***************
*** 279,284 ****
--- 281,293 ----
return conf->requires;
}
+ int satisfies (request_rec *r)
+ {
+ core_dir_config *conf =
+ (core_dir_config *)get_module_config(r->per_dir_config, &core_module);
+
+ return conf->satisfy;
+ }
/* Should probably just get rid of this... the only code that cares is
* part of the core anyway (and in fact, it isn't publicised to other
***************
*** 520,525 ****
--- 529,545 ----
return NULL;
}
+ const char *satisfy (cmd_parms *cmd, core_dir_config *c, char *arg)
+ {
+ if(!strcasecmp(arg,"all"))
+ c->satisfy = SATISFY_ALL;
+ else if(!strcasecmp(arg,"any"))
+ c->satisfy = SATISFY_ANY;
+ else
+ return "Satisfy either 'any' or 'all'.";
+ return NULL;
+ }
+
const char *require (cmd_parms *cmd, core_dir_config *c, char *arg)
{
require_line *r;
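Review bot: The new handler `satisfy` has the same name as the field it assigns (`c->satisfy`) and differs by one letter from the accessor `satisfies` added earlier in this file, which makes call sites and grep results easy to misread. Naming it in the style of `set_access_name` from the command table, for example `set_satisfy`, would keep the three apart; the table entry would change with it. The function also has no header comment; something like `/* Satisfy all|any: whether host rules and Require must both pass or either one suffices */` would help. `require` begins in this hunk and continues outside it.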
***************
*** 1088,1094 ****
{ "AuthName", set_string_slot, (void*)XtOffsetOf(core_dir_config,
auth_name),
OR_AUTHCFG, RAW_ARGS, "The authentication realm (e.g. \"Members
Only\")" },
{ "Require", require, NULL, OR_AUTHCFG, RAW_ARGS, "Selects which
authenticated users or groups may access a protected space" },
!
/* Old resource config file commands */
{ "AccessFileName", set_access_name, NULL, RSRC_CONF, TAKE1, "Name of
per-directory config files (default: .htaccess)" },
--- 1108,1116 ----
{ "AuthName", set_string_slot, (void*)XtOffsetOf(core_dir_config,
auth_name),
OR_AUTHCFG, RAW_ARGS, "The authentication realm (e.g. \"Members
Only\")" },
{ "Require", require, NULL, OR_AUTHCFG, RAW_ARGS, "Selects which
authenticated users or groups may access a protected space" },
! { "Satisfy", satisfy, NULL, OR_AUTHCFG, TAKE1,
! "access policy if both allow and require used ('all' or 'any')" },
!
/* Old resource config file commands */
{ "AccessFileName", set_access_name, NULL, RSRC_CONF, TAKE1, "Name of
per-directory config files (default: .htaccess)" },
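Review bot: Registering `Satisfy` under `OR_AUTHCFG` lets a per-directory file that is allowed only authentication overrides switch the policy to 'any'. Together with its own `Require` setup, that relaxes host-based restrictions configured elsewhere, which are presumably governed by a different override class (mod_access's table is not visible here). If that is intended, a comment above the entry should say so, e.g. `/* Satisfy can relax allow/deny rules; it is deliberately grouped with the AuthConfig overrides */`, and the directive's documentation should mention it. The command table starts and ends outside the hunk.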
1.8 +1 -0 apache/src/http_request.h
Index: http_request.h
===================================================================
RCS file: /export/home/cvs/apache/src/http_request.h,v
retrieving revision 1.7
retrieving revision 1.8
diff -C3 -r1.7 -r1.8
*** http_request.h 1996/11/03 21:25:08 1.7
--- http_request.h 1996/11/18 19:40:48 1.8
***************
*** 83,88 ****
--- 83,89 ----
void internal_redirect (const char *new_uri, request_rec *);
void internal_redirect_handler (const char *new_uri, request_rec *);
+ int some_auth_required (request_rec *r);
#ifdef CORE_PRIVATE
/* Function called by main.c to handle first-level request */
1.28 +47 -21 apache/src/http_request.c
Index: http_request.c
===================================================================
RCS file: /export/home/cvs/apache/src/http_request.c,v
retrieving revision 1.27
retrieving revision 1.28
diff -C3 -r1.27 -r1.28
*** http_request.c 1996/11/03 20:52:11 1.27
--- http_request.c 1996/11/18 19:40:48 1.28
***************
*** 552,559 ****
}
- static int some_auth_required (request_rec *r);
-
request_rec *sub_req_lookup_uri (const char *new_file, const request_rec *r)
{
request_rec *rnew;
--- 552,557 ----
***************
*** 610,618 ****
if ((res = directory_walk (rnew))
|| (res = file_walk (rnew))
|| (res = location_walk (rnew))
! || (!some_auth_required (rnew) ? 0 :
! ((res = check_user_id (rnew)) || (res = check_auth (rnew))))
! || (res = check_access (rnew))
|| (res = find_types (rnew))
|| (res = run_fixups (rnew))
)
--- 608,621 ----
if ((res = directory_walk (rnew))
|| (res = file_walk (rnew))
|| (res = location_walk (rnew))
! || (satisfies(rnew) == SATISFY_ALL?
! ((res = check_access (rnew))
! || (some_auth_required (rnew) &&
! ((res = check_user_id (rnew)) || (res = check_auth (rnew))))):
! ((res = check_access (rnew))
! && (!some_auth_required (rnew) ||
! ((res = check_user_id (rnew)) || (res = check_auth (rnew)))))
! )
|| (res = find_types (rnew))
|| (res = run_fixups (rnew))
)
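Review bot: The Satisfy policy is now written out three times: this nested ternary, an identical copy in the hunk at 656-669, and the switch in the hunk at 858-896. They disagree on any value other than the two defined ones: here everything that is not `SATISFY_ALL` takes the permissive "any" path, the switch runs no check at all, and mod_access treats it as "not any". One static helper that returns the status and defaults to the strict path would make both sub-request lookups a single readable line. The switch keeps per-phase messages, so it would need its own treatment. The enclosing function starts and ends outside the hunk.

```c
/* Runs the host and user checks under the directory's Satisfy policy;
 * returns 0 or the status of the check that failed. */
static int check_access_and_auth (request_rec *r)
{
    int res = check_access (r);

    if (satisfies (r) == SATISFY_ANY) {
	/* host allowed, or host denied with nothing else to satisfy */
	if (res == 0 || !some_auth_required (r))
	    return res;
    }
    else {
	/* strict policy, also for any value other than SATISFY_ANY */
	if (res != 0 || !some_auth_required (r))
	    return res;
    }
    if ((res = check_user_id (r)) != 0)
	return res;
    return check_auth (r);
}

/* … unchanged: directory_walk / file_walk / location_walk … */
       || (res = check_access_and_auth (rnew))
/* … unchanged: find_types / run_fixups … */
```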
***************
*** 653,661 ****
if ((res = directory_walk (rnew))
|| (res = file_walk (rnew))
! || (res = check_access (rnew))
! || (!some_auth_required (rnew) ? 0 :
! ((res = check_user_id (rnew)) && (res = check_auth (rnew))))
|| (res = find_types (rnew))
|| (res = run_fixups (rnew))
)
--- 656,669 ----
if ((res = directory_walk (rnew))
|| (res = file_walk (rnew))
! || (satisfies(rnew) == SATISFY_ALL?
! ((res = check_access (rnew))
! || (some_auth_required (rnew) &&
! ((res = check_user_id (rnew)) || (res = check_auth (rnew))))):
! ((res = check_access (rnew))
! && (!some_auth_required (rnew) ||
! ((res = check_user_id (rnew)) || (res = check_auth (rnew)))))
! )
|| (res = find_types (rnew))
|| (res = run_fixups (rnew))
)
***************
*** 760,766 ****
else die (status, r);
}
! static int some_auth_required (request_rec *r)
{
/* Is there a require line configured for the type of *this* req? */
--- 768,774 ----
else die (status, r);
}
! int some_auth_required (request_rec *r)
{
/* Is there a require line configured for the type of *this* req? */
***************
*** 850,870 ****
return;
}
! if ((access_status = check_access (r)) != 0) {
! decl_die (access_status, "check access", r);
! return;
! }
!
! if (some_auth_required (r)) {
! if ((access_status = check_user_id (r)) != 0) {
! decl_die (access_status, "check user. No user file?", r);
return;
}
!
! if ((access_status = check_auth (r)) != 0) {
! decl_die (access_status, "check access. No groups file?", r);
! return;
}
}
if ((access_status = find_types (r)) != 0) {
--- 858,896 ----
return;
}
! switch (satisfies(r)) {
! case SATISFY_ALL:
! if ((access_status = check_access (r)) != 0) {
! decl_die (access_status, "check access", r);
return;
}
! if (some_auth_required (r)) {
! if ((access_status = check_user_id (r)) != 0) {
! decl_die (access_status, "check user. No user file?", r);
! return;
! }
! if ((access_status = check_auth (r)) != 0) {
! decl_die (access_status, "check access. No groups file?", r);
! return;
! }
! }
! break;
! case SATISFY_ANY:
! if ((access_status = check_access (r)) != 0) {
! if (!some_auth_required (r)) {
! decl_die (access_status, "check access", r);
! return;
! }
! if ((access_status = check_user_id (r)) != 0) {
! decl_die (access_status, "check user. No user file?", r);
! return;
! }
! if ((access_status = check_auth (r)) != 0) {
! decl_die (access_status, "check access. No groups file?", r);
! return;
! }
}
+ break;
}
if ((access_status = find_types (r)) != 0) {
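Review bot: The `switch (satisfies(r))` has no `default:` arm, so any value other than `SATISFY_ALL` or `SATISFY_ANY` falls through to `find_types` with neither `check_access` nor the user checks having run. Only the two defined values are assigned in the code visible here, so this is not reachable today, but an access-control switch should fail closed. Suggest adding `default: decl_die (FORBIDDEN, "check access", r); return;`, or whichever status this file uses for a configuration error. The enclosing function starts and ends outside the hunk.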
1.10 +5 -1 apache/src/mod_access.c
Index: mod_access.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_access.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -C3 -r1.9 -r1.10
*** mod_access.c 1996/11/18 03:38:05 1.9
--- mod_access.c 1996/11/18 19:40:49 1.10
***************
*** 61,66 ****
--- 61,67 ----
#include "http_core.h"
#include "http_config.h"
#include "http_log.h"
+ #include "http_request.h"
typedef struct {
char *from;
***************
*** 234,241 ****
ret = FORBIDDEN;
}
! if (ret == FORBIDDEN)
log_reason ("Client denied by server configuration", r->filename, r);
return ret;
}
--- 235,245 ----
ret = FORBIDDEN;
}
! if (ret == FORBIDDEN && (
! satisfies(r) != SATISFY_ANY || !some_auth_required(r)
! )) {
log_reason ("Client denied by server configuration", r->filename, r);
+ }
return ret;
}
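Review bot: The new condition around `log_reason` carries no comment explaining why a `FORBIDDEN` result is sometimes not logged. Suggest adding above it: `/* Under Satisfy any with a Require in force the host denial is not final; the user check decides, so do not log it here */`. With this change, if the later user check also fails, the error log presumably shows only that failure and not the host denial; that is worth confirming if operators rely on this message to spot blocked hosts. The function starts outside the hunk.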