comparison src/http/modules/ngx_http_auth_basic_module.c @ 503:b1648294f693 release-0.1.26
nginx-0.1.26-RELEASE import
*) Change: the invalid client header lines are now ignored and logged
at the info level.
*) Change: the server name is also logged in error log.
*) Feature: the ngx_http_auth_basic_module module and the auth_basic
and auth_basic_user_file directives.
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Tue, 22 Mar 2005 16:02:46 +0000 |
parents | |
children | 9b8c906f6e63 |
502:2017b79d7db5 | 503:b1648294f693 |
---|---|
1 | |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 */ | |
5 | |
6 | |
7 #include <ngx_config.h> | |
8 #include <ngx_core.h> | |
9 #include <ngx_http.h> | |
10 | |
11 | |
12 #define NGX_HTTP_AUTH_BUF_SIZE 2048 | |
13 | |
14 | |
15 typedef struct { | |
16 ngx_str_t passwd; | |
17 } ngx_http_auth_basic_ctx_t; | |
18 | |
19 | |
20 typedef struct { | |
21 ngx_str_t realm; | |
22 ngx_str_t user_file; | |
23 } ngx_http_auth_basic_loc_conf_t; | |
24 | |
25 | |
26 static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r); | |
27 static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, | |
28 ngx_http_auth_basic_ctx_t *ctx, ngx_str_t *passwd, ngx_str_t *realm); | |
29 static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r, | |
30 ngx_str_t *realm); | |
31 static void ngx_http_auth_basic_close(ngx_file_t *file); | |
32 static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf); | |
33 static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, | |
34 void *parent, void *child); | |
35 static ngx_int_t ngx_http_auth_basic_init(ngx_cycle_t *cycle); | |
36 static char *ngx_http_auth_basic(ngx_conf_t *cf, void *post, void *data); | |
37 | |
38 | |
39 static ngx_conf_post_handler_pt ngx_http_auth_basic_p = ngx_http_auth_basic; | |
40 | |
41 static ngx_command_t ngx_http_auth_basic_commands[] = { | |
42 | |
43 { ngx_string("auth_basic"), | |
44 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, | |
45 ngx_conf_set_str_slot, | |
46 NGX_HTTP_LOC_CONF_OFFSET, | |
47 offsetof(ngx_http_auth_basic_loc_conf_t, realm), | |
48 &ngx_http_auth_basic_p }, | |
49 | |
50 { ngx_string("auth_basic_user_file"), | |
51 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, | |
52 ngx_conf_set_str_slot, | |
53 NGX_HTTP_LOC_CONF_OFFSET, | |
54 offsetof(ngx_http_auth_basic_loc_conf_t, user_file), | |
55 NULL }, | |
56 | |
57 ngx_null_command | |
58 }; | |
59 | |
60 | |
61 | |
62 ngx_http_module_t ngx_http_auth_basic_module_ctx = { | |
63 NULL, /* pre conf */ | |
64 | |
65 NULL, /* create main configuration */ | |
66 NULL, /* init main configuration */ | |
67 | |
68 NULL, /* create server configuration */ | |
69 NULL, /* merge server configuration */ | |
70 | |
71 ngx_http_auth_basic_create_loc_conf, /* create location configuration */ | |
72 ngx_http_auth_basic_merge_loc_conf /* merge location configuration */ | |
73 }; | |
74 | |
75 | |
76 ngx_module_t ngx_http_auth_basic_module = { | |
77 NGX_MODULE, | |
78 &ngx_http_auth_basic_module_ctx, /* module context */ | |
79 ngx_http_auth_basic_commands, /* module directives */ | |
80 NGX_HTTP_MODULE, /* module type */ | |
81 ngx_http_auth_basic_init, /* init module */ | |
82 NULL /* init process */ | |
83 }; | |
84 | |
85 | |
86 static ngx_int_t | |
87 ngx_http_auth_basic_handler(ngx_http_request_t *r) | |
88 { | |
89 off_t offset; | |
90 ssize_t n; | |
91 ngx_fd_t fd; | |
92 ngx_str_t auth, encoded, pwd; | |
93 ngx_uint_t i, login, len, left, passwd; | |
94 ngx_file_t file; | |
95 ngx_http_auth_basic_ctx_t *ctx; | |
96 ngx_http_auth_basic_loc_conf_t *alcf; | |
97 u_char buf[NGX_HTTP_AUTH_BUF_SIZE]; | |
98 enum { | |
99 sw_login, | |
100 sw_passwd, | |
101 sw_skip | |
102 } state; | |
103 | |
104 alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module); | |
105 | |
106 if (alcf->realm.len == 0 || alcf->user_file.len == 0) { | |
107 return NGX_OK; | |
108 } | |
109 | |
110 ctx = ngx_http_get_module_ctx(r, ngx_http_auth_basic_module); | |
111 | |
112 if (ctx) { | |
113 return ngx_http_auth_basic_crypt_handler(r, ctx, &ctx->passwd, | |
114 &alcf->realm); | |
115 } | |
116 | |
117 if (r->headers_in.authorization == NULL) { | |
118 return ngx_http_auth_basic_set_realm(r, &alcf->realm); | |
119 } | |
120 | |
121 encoded = r->headers_in.authorization->value; | |
122 | |
123 if (encoded.len < sizeof("Basic ") - 1 | |
124 || ngx_strncasecmp(encoded.data, "Basic ", sizeof("Basic ") - 1) != 0) | |
125 { | |
126 return ngx_http_auth_basic_set_realm(r, &alcf->realm); | |
127 } | |
128 | |
129 encoded.len -= sizeof("Basic ") - 1; | |
130 encoded.data += sizeof("Basic ") - 1; | |
131 | |
132 while (encoded.len && encoded.data[0] == ' ') { | |
133 encoded.len--; | |
134 encoded.data++; | |
135 } | |
136 | |
137 if (encoded.len == 0) { | |
138 return ngx_http_auth_basic_set_realm(r, &alcf->realm); | |
139 } | |
140 | |
141 auth.len = ngx_base64_decoded_length(encoded.len); | |
142 auth.data = ngx_palloc(r->pool, auth.len + 1); | |
143 if (auth.data == NULL) { | |
144 return NGX_HTTP_INTERNAL_SERVER_ERROR; | |
145 } | |
146 | |
147 if (ngx_decode_base64(&auth, &encoded) != NGX_OK) { | |
148 return ngx_http_auth_basic_set_realm(r, &alcf->realm); | |
149 } | |
150 | |
151 auth.data[auth.len] = '\0'; | |
152 | |
153 for (len = 0; len < auth.len; len++) { | |
154 if (auth.data[len] == ':') { | |
155 break; | |
156 } | |
157 } | |
158 | |
159 if (len == auth.len) { | |
160 return ngx_http_auth_basic_set_realm(r, &alcf->realm); | |
161 } | |
162 | |
163 r->headers_in.user.len = len; | |
164 r->headers_in.user.data = auth.data; | |
165 r->headers_in.passwd.len = auth.len - len - 1; | |
166 r->headers_in.passwd.data = &auth.data[len + 1]; | |
167 | |
168 fd = ngx_open_file(alcf->user_file.data, NGX_FILE_RDONLY, NGX_FILE_OPEN); | |
169 | |
170 if (fd == NGX_INVALID_FILE) { | |
171 ngx_log_error(NGX_LOG_ERR, r->connection->log, ngx_errno, | |
172 ngx_open_file_n " \"%s\" failed", alcf->user_file.data); | |
173 return NGX_HTTP_INTERNAL_SERVER_ERROR; | |
174 } | |
175 | |
176 ngx_memzero(&file, sizeof(ngx_file_t)); | |
177 | |
178 file.fd = fd; | |
179 file.name = alcf->user_file; | |
180 file.log = r->connection->log; | |
181 | |
182 state = sw_login; | |
183 passwd = 0; | |
184 login = 0; | |
185 left = 0; | |
186 offset = 0; | |
187 | |
188 for ( ;; ) { | |
189 n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left, | |
190 offset); | |
191 | |
192 if (n == NGX_ERROR) { | |
193 ngx_http_auth_basic_close(&file); | |
194 return NGX_HTTP_INTERNAL_SERVER_ERROR; | |
195 } | |
196 | |
197 if (n == 0) { | |
198 break; | |
199 } | |
200 | |
201 for (i = left; i < left + n; i++) { | |
202 switch (state) { | |
203 | |
204 case sw_login: | |
205 if (login == 0 && buf[i] == '#') { | |
206 state = sw_skip; | |
207 break; | |
208 } | |
209 | |
210 if (buf[i] != auth.data[login]) { | |
211 state = sw_skip; | |
212 break; | |
213 } | |
214 | |
215 if (login == len) { | |
216 state = sw_passwd; | |
217 passwd = i + 1; | |
218 } | |
219 | |
220 login++; | |
221 | |
222 break; | |
223 | |
224 case sw_passwd: | |
225 if (buf[i] == LF || buf[i] == CR || buf[i] == ':') { | |
226 buf[i] = '\0'; | |
227 | |
228 ngx_http_auth_basic_close(&file); | |
229 | |
230 pwd.len = i - passwd; | |
231 pwd.data = &buf[passwd]; | |
232 | |
233 return ngx_http_auth_basic_crypt_handler(r, NULL, &pwd, | |
234 &alcf->realm); | |
235 } | |
236 | |
237 break; | |
238 | |
239 case sw_skip: | |
240 if (buf[i] == LF) { | |
241 state = sw_login; | |
242 login = 0; | |
243 } | |
244 | |
245 break; | |
246 } | |
247 } | |
248 | |
249 if (state == sw_passwd) { | |
250 left = left + n - passwd; | |
251 ngx_memcpy(buf, &buf[passwd], left); | |
252 passwd = 0; | |
253 | |
254 } else { | |
255 left = 0; | |
256 } | |
257 | |
258 offset += n; | |
259 } | |
260 | |
261 ngx_http_auth_basic_close(&file); | |
262 | |
263 return ngx_http_auth_basic_set_realm(r, &alcf->realm); | |
264 } | |
265 | |
266 | |
267 static ngx_int_t | |
268 ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, | |
269 ngx_http_auth_basic_ctx_t *ctx, ngx_str_t *passwd, ngx_str_t *realm) | |
270 { | |
271 ngx_int_t rc; | |
272 u_char *encrypted; | |
273 | |
274 rc = ngx_crypt(r->pool, r->headers_in.passwd.data, passwd->data, | |
275 &encrypted); | |
276 | |
277 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, | |
278 "rc: %d user: \"%V\" salt: \"%s\"", | |
279 rc, &r->headers_in.user, passwd->data); | |
280 | |
281 if (rc == NGX_OK) { | |
282 if (ngx_strcmp(encrypted, passwd->data) == 0) { | |
283 return NGX_OK; | |
284 } | |
285 | |
286 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, | |
287 "encrypted: \"%s\"", encrypted); | |
288 | |
289 return ngx_http_auth_basic_set_realm(r, realm); | |
290 } | |
291 | |
292 if (rc == NGX_ERROR) { | |
293 return NGX_HTTP_INTERNAL_SERVER_ERROR; | |
294 } | |
295 | |
296 /* rc == NGX_AGAIN */ | |
297 | |
298 if (ctx == NULL) { | |
299 ctx = ngx_palloc(r->pool, sizeof(ngx_http_auth_basic_ctx_t)); | |
300 if (ctx == NULL) { | |
301 return NGX_HTTP_INTERNAL_SERVER_ERROR; | |
302 } | |
303 | |
304 ngx_http_set_ctx(r, ctx, ngx_http_auth_basic_module); | |
305 | |
306 ctx->passwd.len = passwd->len; | |
307 passwd->len++; | |
308 | |
309 ctx->passwd.data = ngx_pstrdup(r->pool, passwd); | |
310 if (ctx->passwd.data == NULL) { | |
311 return NGX_HTTP_INTERNAL_SERVER_ERROR; | |
312 } | |
313 | |
314 } | |
315 | |
316 /* TODO: add mutex event */ | |
317 | |
318 return rc; | |
319 } | |
320 | |
321 | |
322 static ngx_int_t | |
323 ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm) | |
324 { | |
325 r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); | |
326 if (r->headers_out.www_authenticate == NULL) { | |
327 return NGX_HTTP_INTERNAL_SERVER_ERROR; | |
328 } | |
329 | |
330 r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1; | |
331 r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate"; | |
332 r->headers_out.www_authenticate->value = *realm; | |
333 | |
334 return NGX_HTTP_UNAUTHORIZED; | |
335 } | |
336 | |
337 static void | |
338 ngx_http_auth_basic_close(ngx_file_t *file) | |
339 { | |
340 if (ngx_close_file(file->fd) == NGX_FILE_ERROR) { | |
341 ngx_log_error(NGX_LOG_ALERT, file->log, ngx_errno, | |
342 ngx_close_file_n " \"%s\" failed", file->name.data); | |
343 } | |
344 } | |
345 | |
346 | |
347 static void * | |
348 ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf) | |
349 { | |
350 ngx_http_auth_basic_loc_conf_t *conf; | |
351 | |
352 conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_basic_loc_conf_t)); | |
353 if (conf == NULL) { | |
354 return NGX_CONF_ERROR; | |
355 } | |
356 | |
357 return conf; | |
358 } | |
359 | |
360 | |
361 static char * | |
362 ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) | |
363 { | |
364 ngx_http_auth_basic_loc_conf_t *prev = parent; | |
365 ngx_http_auth_basic_loc_conf_t *conf = child; | |
366 | |
367 size_t len; | |
368 u_char *realm, *p; | |
369 | |
370 if (conf->realm.data) { | |
371 if (conf->realm.len) { | |
372 len = sizeof("Basic realm=\"") - 1 + conf->realm.len + 1; | |
373 | |
374 realm = ngx_palloc(cf->pool, len); | |
375 if (realm == NULL) { | |
376 return NGX_CONF_ERROR; | |
377 } | |
378 | |
379 p = ngx_cpymem(realm, "Basic realm=\"", | |
380 sizeof("Basic realm=\"") - 1); | |
381 p = ngx_cpymem(p, conf->realm.data, conf->realm.len); | |
382 *p = '"'; | |
383 | |
384 conf->realm.len = len; | |
385 conf->realm.data = realm; | |
386 } | |
387 | |
388 } else { | |
389 conf->realm = prev->realm; | |
390 } | |
391 | |
392 | |
393 if (conf->user_file.data) { | |
394 if (ngx_conf_full_name(cf->cycle, &conf->user_file) != NGX_OK) { | |
395 return NGX_CONF_ERROR; | |
396 } | |
397 | |
398 } else { | |
399 conf->user_file = prev->user_file; | |
400 } | |
401 | |
402 return NGX_CONF_OK; | |
403 } | |
404 | |
405 | |
406 static ngx_int_t | |
407 ngx_http_auth_basic_init(ngx_cycle_t *cycle) | |
408 { | |
409 ngx_http_handler_pt *h; | |
410 ngx_http_core_main_conf_t *cmcf; | |
411 | |
412 cmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_core_module); | |
413 | |
414 h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers); | |
415 if (h == NULL) { | |
416 return NGX_ERROR; | |
417 } | |
418 | |
419 *h = ngx_http_auth_basic_handler; | |
420 | |
421 return NGX_OK; | |
422 } | |
423 | |
424 | |
425 static char * | |
426 ngx_http_auth_basic(ngx_conf_t *cf, void *post, void *data) | |
427 { | |
428 ngx_str_t *realm = data; | |
429 | |
430 if (ngx_strcmp(realm->data, "off") == 0) { | |
431 realm->len = 0; | |
432 realm->data = (u_char *) ""; | |
433 } | |
434 | |
435 return NGX_CONF_OK; | |
436 } |
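Review bot: In the sw_login case of ngx_http_auth_basic_handler, a byte that mismatches the supplied login moves the scanner to sw_skip even when that byte is the LF that ends the current line, so sw_skip then swallows the entire following line; a blank line in the user file (login == 0, buf[i] == LF) is enough to trigger this, and the credential on the line after it is never examined, which is a false-denial defect rather than a bypass. The mismatch branch should restart on LF instead of skipping: `state = (buf[i] == LF) ? sw_login : sw_skip;` followed by `login = 0;`. Separately, the tail compaction `ngx_memcpy(buf, &buf[passwd], left);` after the inner loop copies between overlapping regions of buf whenever passwd < left, which is undefined for memcpy; `ngx_memmove(buf, &buf[passwd], left);` is the correct form. It would also help to comment that a password entry longer than NGX_HTTP_AUTH_BUF_SIZE without a line terminator ends in a zero-length read and is treated as no match.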