debian/source/format
3.0 (quilt)

debian/control
Source: libapache2-mod-auth-pgsql
Maintainer: Marco Nenciarini
Section: httpd
Priority: extra
Standards-Version: 3.9.4
Build-Depends: debhelper (>= 7.0.50~), apache2-dev (>= 2.4), libpq-dev
Vcs-Git: git://anonscm.debian.org/collab-maint/libapache2-mod-auth-pgsql.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/libapache2-mod-auth-pgsql.git
Homepage: http://www.giuseppetanzilli.it/mod_auth_pgsql2

Package: libapache2-mod-auth-pgsql
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Module for Apache2 which provides PostgreSQL authentication
 mod_auth_pgsql implements authentication and logging routines using
 PostgreSQL tables for Apache's authentication protocol.

debian/rules
#!/usr/bin/make -f
# -*- makefile -*-

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

%:
	dh $@ --with apache2

override_dh_auto_install:
	install .libs/mod_auth_pgsql.so debian/libapache2-mod-auth-pgsql/usr/lib/apache2/modules

debian/changelog
libapache2-mod-auth-pgsql (2.0.3-6) unstable; urgency=low

  [ Peter Pentchev ]
  * Convert to the 3.0 (quilt) source format.
  * Use "PostgreSQL" instead of "pgsql" and "postgresql" in the package
    synopsis and long description.
  * Add a Homepage control field.
  * Add a blank line to the end of debian/NEWS to satisfy Lintian.
  * Add a doc-base file describing the HTML manual.
  * Add the 03-encoding.patch to allow a configurable connection encoding
    and to properly escape client-supplied values. (Closes: #512672)

  [ Marco Nenciarini ]
  * Minimize the rules file using debhelper 7 with apache2 sequencer.
  * Bump Standards-Version to 3.9.4:
    - change the section to "httpd" from "web"
  * Mention the logging ability in long description.
  * Add the 04-apache-2.4.patch to make the package work with Apache 2.4.
    Patch from http://www.sky-air.net/wordpress/mod_auth_pgsql-at-apache2-4-2
    (Closes: #666814)
  * Drop postinst/prerm logic to migrate the load file name to 000_ prefix,
    as even the oldstable distribution has the 2.0.3-5 version.
  * Add VCS-* field URIs in debian/control

 -- Marco Nenciarini  Sat, 10 Aug 2013 19:12:42 +0200

libapache2-mod-auth-pgsql (2.0.3-5) unstable; urgency=low

  [ Micha Lenk ]
  * Rename the config snippet in /etc/apache2/mods-available/ and the
    corresponding symlink in /etc/apache2/mods-enabled/ now having prefix
    000_ in order to load the module auth_pgsql prior to other
    authentication modules (Closes: #399562).
  * On upgrade let the postinst script try to fix this bug too.

  [ Marco Nenciarini ]
  * debian/rules: removed dash from make clean invocation;
    fixes lintian debian-rules-ignores-make-clean-error

 -- Marco Nenciarini  Tue, 16 Oct 2007 10:21:49 +0200

libapache2-mod-auth-pgsql (2.0.3-4) unstable; urgency=low

  * Bump debhelper compat level to 5.
  * Update Debian policy to version 3.7.2.2. No changes required.
  * Build with apache 2.2 (Closes: #391756)

 -- Marco Nenciarini  Sun, 8 Oct 2006 16:17:31 +0200

libapache2-mod-auth-pgsql (2.0.3-3) unstable; urgency=high

  * Force reloading of apache2 when mod-auth-pgsql is upgraded.
    (Closes: #356426)
  * urgency=high due to recent security issue. (Apache servers can often
    run for many months without needing to be restarted, so they would be
    still vulnerable.)

 -- Marco Nenciarini  Tue, 14 Mar 2006 09:10:35 +0100

libapache2-mod-auth-pgsql (2.0.3-2) unstable; urgency=low

  * debian/prerm: Fixed bashism (test with -[ao]).

 -- Marco Nenciarini  Mon, 16 Jan 2006 10:57:34 +0100

libapache2-mod-auth-pgsql (2.0.3-1) unstable; urgency=low

  * New upstream release

 -- Marco Nenciarini  Sun, 15 Jan 2006 16:19:22 +0100

libapache2-mod-auth-pgsql (2.0.2b1-7) unstable; urgency=high

  * SECURITY UPDATE: Arbitrary remote code execution with www-data
    privileges. CVE-2005-3656
    Fix several format string vulnerabilities in ap_log_[rp]error() calls
    (patch stolen from Ubuntu)
  * debian/control: Bump Standards-Version to 3.6.2.0; no changes required

 -- Marco Nenciarini  Wed, 11 Jan 2006 15:06:50 +0100

libapache2-mod-auth-pgsql (2.0.2b1-6) unstable; urgency=low

  * Transition to new PostgreSQL architecture.
  * debian/control: Changed build dependency postgresql-dev to libpq-dev.
  * Makefile: Use pg_config to determine include directory.

 -- Marco Nenciarini  Fri, 17 Jun 2005 17:57:30 +0200

libapache2-mod-auth-pgsql (2.0.2b1-5) unstable; urgency=low

  * Added proper debian/watch file.
  * Modified debian/copyright to report the right download url.

 -- Marco Nenciarini  Mon, 23 Aug 2004 15:16:41 +0200

libapache2-mod-auth-pgsql (2.0.2b1-4) unstable; urgency=high

  * Back out the ill-fated apache2 LFS transition. (Closes: #267352)
  * Bump the apache2-threaded-dev build-dep to (>= 2.0.50-10)

 -- Marco Nenciarini  Sun, 22 Aug 2004 17:14:47 +0200

libapache2-mod-auth-pgsql (2.0.2b1-3) unstable; urgency=medium

  * Corrected some errors in documentation (Closes: #264465)
  * Recompiled for apache2 LFS transition (Closes: #266178)
  * Bump the apache2-threaded-dev build-dep to (>= 2.0.50-9)

 -- Marco Nenciarini  Tue, 17 Aug 2004 10:07:25 +0200

libapache2-mod-auth-pgsql (2.0.2b1-2) unstable; urgency=low

  * Added a prerm script to allow apache2 to work correctly after module
    removal.

 -- Marco Nenciarini  Mon, 19 Apr 2004 16:02:05 +0200

libapache2-mod-auth-pgsql (2.0.2b1-1) unstable; urgency=low

  * Initial Release. (Closes: #242198)

 -- Marco Nenciarini  Fri, 2 Apr 2004 19:33:23 +0200

debian/gbp.conf
[DEFAULT]
cleaner = /bin/true
pristine-tar = True
sign-tags = True

[git-buildpackage]
export-dir = ../build-area/
tarball-dir = ../tarballs/

[git-dch]
meta = True
id-length = 7

[gbp-pq]
patch-numbers = False

debian/watch
# Site Directory Pattern Version Script
version=2
http://www.giuseppetanzilli.it/mod_auth_pgsql2/dist/ (?:.*/)?mod_auth_pgsql-?_?([\w+\d+\.]+|\d+)(\.tar|\.tgz)(\.gz|\.bz2|) debian uupdate

debian/docs
README
TODO
mod_auth_pgsql.html

debian/NEWS
libapache2-mod-auth-pgsql (2.0.3-5) unstable; urgency=low

  The auth_pgsql module needs to be loaded before any other authentication
  modules. So we renamed its configuration file to 000_auth_pgsql.load to
  make it load first.

 -- Marco Nenciarini  Tue, 16 Oct 2007 10:44:11 +0200

debian/000_auth_pgsql.load
LoadModule auth_pgsql_module /usr/lib/apache2/modules/mod_auth_pgsql.so

debian/doc-base
Document: libapache2-mod-auth-pgsql
Title: Module mod_auth_pgsql PostgreSQL authentication module for Apache web server
Author: Giuseppe Tanzilli
Abstract: This module allows user authentication (and can log
 authentication requests) against information stored in a PostgreSQL
 database.
Section: System/Security

Format: HTML
Index: /usr/share/doc/libapache2-mod-auth-pgsql/mod_auth_pgsql.html
Files: /usr/share/doc/libapache2-mod-auth-pgsql/mod_auth_pgsql.html

debian/apache2
mod debian/000_auth_pgsql.load

debian/patches/debian-dirs.patch
From: Marco Nenciarini Date: Sat, 10 Aug 2013 16:26:41 +0200 Subject: debian dirs --- Makefile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 0ab38a4..eccaea6 100644 --- a/Makefile +++ b/Makefile @@ -1,12 +1,12 @@ -APACHE2_HOME=/usr/local/apache2 -PGSQL_LIB=/usr/local/pgsql/lib -PGSQL_INCLUDE=/usr/local/pgsql/include +APACHE2_HOME=/usr +PGSQL_LIB=/usr/lib +PGSQL_INCLUDE=$(shell pg_config --includedir) shared: - ${APACHE2_HOME}/bin/apxs -i -a -c -I ${PGSQL_INCLUDE} -L ${PGSQL_LIB} -lpq mod_auth_pgsql.c + ${APACHE2_HOME}/bin/apxs2 -a -c -I ${PGSQL_INCLUDE} -L ${PGSQL_LIB} -lpq mod_auth_pgsql.c indent: indent -kr -ts4 mod_auth_pgsql.c clean: - rm -rf .libs/ *.la *.o *.lo *.slo *~ \ No newline at end of file + rm -rf .libs/ *.la *.o *.lo *.slo *~

debian/patches/documentation.patch
From: Marco Nenciarini Date: Sat, 10 Aug 2013 16:26:41 +0200 Subject: documentation --- mod_auth_pgsql.html | 47 ++++++++++++++++++++++++++++------------------- 1 file changed, 28 insertions(+), 19 deletions(-) diff --git a/mod_auth_pgsql.html b/mod_auth_pgsql.html index 3269fe0..d35768b 100644 --- a/mod_auth_pgsql.html +++ b/mod_auth_pgsql.html @@ -48,18 +48,19 @@ Notes | Changelog

  • Auth_PG_host
  • Auth_PG_port
  • Auth_PG_options
  • -
  • Auth_PG_database
  • -
  • Auth_PG_user
  • -
  • Auth_PG_pwd
  • -
  • Auth_PG_pwd_table
  • -
  • Auth_PG_grp_table
  • +
  • Auth_PG_database
  • +
  • Auth_PG_user
  • +
  • Auth_PG_pwd
  • +
  • Auth_PG_pwd_table
  • +
  • Auth_PG_grp_table
  • Auth_PG_uid_field
  • Auth_PG_pwd_field
  • -
  • Auth_PG_gid_field
  • +
  • Auth_PG_grp_group_field
  • +
  • Auth_PG_grp_user_field
  • Auth_PG_nopasswd
  • Auth_PG_authoritative
  • -
  • Auth_PG_lowercase_uid
  • -
  • Auth_PG_uppercase_uid
  • +
  • Auth_PG_lowercase_uid
  • +
  • Auth_PG_uppercase_uid
  • Auth_PG_pwd_ignore_case
  • Auth_PG_encrypted
  • @@ -112,7 +113,7 @@ available options.

    information.

    -

    Auth_PG_user
    +

    Auth_PG_user

    Syntax: Auth_PG_user username
    Context: directory, .htaccess
    @@ -125,7 +126,7 @@ access on all the log tables (if used).
    Needed if the user who make the quey is differrent from the user runnig apache, or if the posmater is on a different server and you must autheticate with password
    -

    Auth_PG_pwd

    +

    Auth_PG_pwd

    Syntax: Auth_PG_pwd password
    Context: directory, .htaccess
    Override: AuthConfig
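Review bot: the unchanged context of this hunk still reads "Needed if the user who make the quey is differrent from the user runnig apache, or if the posmater is on a different server and you must autheticate with password"; since this patch exists to correct the HTML manual, it should fix those typos while it is here (quey → query, differrent → different, runnig → running, posmater → postmaster, autheticate → authenticate) and the agreement error ("the user who makes the query"), so the shipped mod_auth_pgsql.html does not carry them.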
    @@ -169,17 +170,25 @@ in the Auth_PG_pwd_table relation.

    Override: AuthConfig
    Status: Extension

    Specifies the attribute name of the field containing the encrypted -(see Auth_PG_encrypted) password in the Auth_PGpwd_table relation.
    +(see Auth_PG_encrypted) password in the Auth_PG_pwd_table relation.
    Please remember to use field of type varchar, not char for the password.

    -

    Auth_PG_gid_field

    -Syntax: Auth_PG_gid_field attribute name
    +

    Auth_PG_grp_group_field

    +Syntax: Auth_PG_grp_group_field attribute name
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Extension

    Specifies the attribute name of the field containing the group name in the Auth_PG_grp_table relation. This directive is only necessary if you want to authenticate by user groups.

    +

    Auth_PG_grp_user_field

    +Syntax: Auth_PG_grp_user_field attribute name
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Extension +

    Specifies the attribute name of the field containing the user name +in the Auth_PG_grp_table relation. This directive is only necessary if +you want to authenticate by user groups.

    Auth_PG_nopasswd

    Syntax: Auth_PG_nopasswd on or off
    Context: directory, .htaccess
    @@ -202,7 +211,7 @@ the PostgreSQL scheme, the parent directory scheme will be given the chance to try and authenticate the user. Exercise caution when turning this option off. It can be a security risk. Can be used to use two authentication schemes for the same dir.

    -

    Auth_PG_lowercase_uid

    +

    Auth_PG_lowercase_uid

    Syntax: Auth_PG_lowercase_uid on or off
    Context: directory, .htaccess
    Override: AuthConfig
    @@ -211,7 +220,7 @@ used to use two authentication schemes for the same dir.

    user UIDs to lowercase before looking them up. When turned on this does not affect the case of the original user ID should this module decline to authenticate and a lower level is called.

    -

    Auth_PG_uppercase_uid

    +

    Auth_PG_uppercase_uid

    Syntax: Auth_PG_uppercase_uid on or off
    Context: directory, .htaccess
    Override: AuthConfig
    @@ -277,14 +286,14 @@ initial space .

    This option allows you to exercise greater control over the SQL code used to retrieve the group name and corresponding user from the database. You can use this to search for the group name -using more attributes in the table than the gid_field.

    +using more attributes in the table than the grp_group_field.

    The basic SQL statement used to retrieve a group name and user name for checking looks like this:

      -select <uid_field> from <grp_table> where -<gid_field> ='<required group> ' +select <grp_user_field> from <grp_table> where +<grp_group_field> ='<required group> '
    -The gid_whereclause will be added to the end of this statement +The grp_whereclause will be added to the end of this statement and must fit logically. The where clause must be double quoted.

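Review bot: in debian-dirs.patch above, the rewritten `shared:` rule runs `${APACHE2_HOME}/bin/apxs2 -a -c ...`; `-a` asks apxs to activate the module by editing the live server configuration, which a package build must never do (it touches /etc/apache2 on the build host and fails in a clean chroot), and the LoadModule line is already shipped through debian/000_auth_pgsql.load and the apache2 debhelper sequencer, so drop `-a` and keep `-c` only. `PGSQL_LIB=/usr/lib` is also hard-coded while the include directory is derived from `pg_config --includedir`; use `$(shell pg_config --libdir)` for the same reason, which additionally copes with multiarch library paths.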
debian/patches/apache-2.4.patch
From: Marco Nenciarini Date: Sat, 20 Jul 2013 18:47:04 +0200 Subject: apache 2.4 --- mod_auth_pgsql.c | 196 ++++++++++++------------------------------------------- 1 file changed, 41 insertions(+), 155 deletions(-) diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c index 639537d..26d7f90 100644 --- a/mod_auth_pgsql.c +++ b/mod_auth_pgsql.c @@ -109,6 +109,8 @@ #include "http_request.h" #include "util_script.h" +#include "mod_auth.h" + #ifdef WIN32 #define crypt apr_password_validate #else @@ -191,7 +193,7 @@ module AP_MODULE_DECLARE_DATA auth_pgsql_module; static int pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, - char *user, char *sent_pw); + const char *user, const char *sent_pw); static char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec); @@ -442,9 +444,8 @@ static char pg_errstr[MAX_STRING_LEN]; * failures separately */ -static char *auth_pg_md5(char *pw) +static char *auth_pg_md5(const char *pw) { - apr_md5_ctx_t ctx; unsigned char digest[APR_MD5_DIGESTSIZE]; static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1]; int i; @@ -459,14 +460,15 @@ static char *auth_pg_md5(char *pw) } -static char *auth_pg_base64(char *pw) +static char *auth_pg_base64(const char *pw) { if (auth_pgsql_pool_base64 == NULL) apr_pool_create_ex(&auth_pgsql_pool_base64, NULL, NULL, NULL); if (auth_pgsql_pool == NULL) return NULL; - return ap_pbase64encode(auth_pgsql_pool, pw); + /* NOTE: ap_pbase64encode is no change arg2. so removable const. */ + return ap_pbase64encode(auth_pgsql_pool, (char *)pw); } @@ -557,7 +559,8 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec) if (!check || strcmp(sec->auth_pg_charset, check)) { apr_snprintf(pg_errstr, MAX_STRING_LEN, - "mod_auth_pgsql database character set encoding %s"); + "mod_auth_pgsql database character set encoding %s", + check); PQfinish(pg_conn); return NULL; } 
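Review bot: the last hunk here (do_pg_query, "character set encoding %s") supplies the `check` argument that the format string introduced by encoding.patch lacks; that is a correctness fix for a bug encoding.patch itself adds (apr_snprintf consumes a vararg that was never passed on every charset mismatch, which is undefined behaviour), so it belongs in encoding.patch rather than in the Apache 2.4 port, otherwise the series does not build and run correctly at every step. In the auth_pg_base64 hunk the surrounding context lines `if (auth_pgsql_pool == NULL) return NULL;` and `return ap_pbase64encode(auth_pgsql_pool, (char *)pw);` test and use the wrong pool right after `auth_pgsql_pool_base64` has been created, so the dedicated base64 pool is never used; since the hunk already rewrites that return statement for constness, change both references to auth_pgsql_pool_base64 at the same time.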
@@ -614,7 +617,7 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec) return result; } -char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec) +char *get_pg_pw(request_rec * r, const char *user, pg_auth_config_rec * sec) { char query[MAX_STRING_LEN]; char *safe_user; @@ -755,19 +758,20 @@ static char *get_pg_grp(request_rec * r, char *group, char *user, } /* Process authentication request from Apache*/ -static int pg_authenticate_basic_user(request_rec * r) +static authn_status check_password(request_rec *r, const char *user, + const char *password) { + pg_auth_config_rec *sec = (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_pgsql_module); - char *val = NULL; - char *sent_pw, *real_pw; - int res; - char *user; + const char *val = NULL; + const char *sent_pw; + const char *real_pw; + authn_status auth_res; + + sent_pw = password; - if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw))) - return res; - user = r->user; #ifdef DEBUG_AUTH_PGSQL ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, @@ -784,7 +788,7 @@ static int pg_authenticate_basic_user(request_rec * r) if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - missing configuration parameters"); - return DECLINED; + return AUTH_GENERAL_ERROR; } pg_errstr[0] = '\0'; 
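Review bot: in the "missing configuration parameters" hunk the return value changes from DECLINED to AUTH_GENERAL_ERROR, which mod_auth_basic turns into a 500 response; under 2.2 the module stepped aside and let another authentication module handle the request. A site that lists pgsql in AuthBasicProvider without Auth_PG_pwd_table/Auth_PG_pwd_field set for that directory therefore fails hard instead of falling through. If that is the intended 2.4 behaviour it should be stated in debian/NEWS; otherwise return AUTH_USER_NOT_FOUND so the next provider is consulted.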
@@ -809,22 +813,16 @@ static int pg_authenticate_basic_user(request_rec * r) if (!real_pw) { if (pg_errstr[0]) { - res = HTTP_INTERNAL_SERVER_ERROR; + auth_res = AUTH_GENERAL_ERROR; } else { - if (sec->auth_pg_authoritative) { /* force error and access denied */ apr_snprintf(pg_errstr, MAX_STRING_LEN, "mod_auth_pgsql: Password for user %s not found (PG-Authoritative)", user); - ap_note_basic_auth_failure(r); - res = HTTP_UNAUTHORIZED; - } else { - /* allow fall through to another module */ - return DECLINED; - } + auth_res = AUTH_USER_NOT_FOUND; } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - return res; + return auth_res; } /* allow no password, if the flag is set and the password @@ -836,7 +834,7 @@ static int pg_authenticate_basic_user(request_rec * r) user); ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); pg_log_auth_user(r, sec, user, sent_pw); - return OK; + return AUTH_GRANTED; }; /* if the flag is off however, keep that kind of stuff at @@ -847,8 +845,7 @@ static int pg_authenticate_basic_user(request_rec * r) "[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; + return AUTH_DENIED; }; if (sec->auth_pg_encrypted) @@ -877,8 +874,7 @@ static int pg_authenticate_basic_user(request_rec * r) apr_snprintf(pg_errstr, MAX_STRING_LEN, "PG user %s: password mismatch", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; + return AUTH_DENIED; } /* store password in the cache */ 
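Review bot: in the `if (!real_pw)` hunk the non-authoritative branch that used to `return DECLINED` is folded into the authoritative one, so the message "Password for user %s not found (PG-Authoritative)" is now written at APLOG_ERR for every unknown user even when Auth_PG_authoritative is off and another provider is expected to know the user. Drop the "(PG-Authoritative)" suffix, which is now misleading, and lower the level (APLOG_INFO or APLOG_DEBUG) for the non-authoritative case, since under 2.4 the decision to continue to the next provider is made by mod_auth_basic on AUTH_USER_NOT_FOUND, not by this module; a noisy error log for a routine condition makes real database failures harder to spot.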
@@ -891,130 +887,13 @@ static int pg_authenticate_basic_user(request_rec * r) } pg_log_auth_user(r, sec, user, sent_pw); - return OK; -} - -/* Checking ID */ - -static int pg_check_auth(request_rec * r) -{ - pg_auth_config_rec *sec = - (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, - &auth_pgsql_module); - char *user = r->user; - int m = r->method_number; - int group_result = DECLINED; - - - - apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r); - require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; - - register int x, res; - const char *t; - char *w; - - pg_errstr[0] = '\0'; - -#ifdef DEBUG_AUTH_PGSQL - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, - "[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ", - user); -#endif /* DEBUG_AUTH_PGSQL */ - - - if (!pg_conn) { - if (!(pg_conn = pg_connect(sec))) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database"); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; - } - } - - /* if we cannot do it; leave it to some other guy - */ - if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field) - && (!sec->auth_pg_grp_user_field)) - return DECLINED; - - if (!reqs_arr) { - if (sec->auth_pg_authoritative) { - /* force error and access denied */ - apr_snprintf(pg_errstr, MAX_STRING_LEN, - "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", - user); - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - res = HTTP_UNAUTHORIZED; - } else { - return DECLINED; - } - } - - for (x = 0; x < reqs_arr->nelts; x++) { - - if (!(reqs[x].method_mask & (1 << m))) - continue; - - t = reqs[x].requirement; - w = ap_getword(r->pool, &t, ' '); - - if (!strcmp(w, "valid-user")) - return OK; - - if (!strcmp(w, "user")) { - while (t[0]) { - w = ap_getword_conf(r->pool, &t); - if (!strcmp(user, w)) - return OK; - } - if 
(sec->auth_pg_authoritative) { - /* force error and access denied */ - apr_snprintf(pg_errstr, MAX_STRING_LEN, - "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", - user); - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; - } - - } else if (!strcmp(w, "group")) { - /* look up the membership for each of the groups in the table */ - pg_errstr[0] = '\0'; - - while (t[0]) { - if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) { - group_result = OK; - }; - }; - - if (pg_errstr[0]) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - return HTTP_INTERNAL_SERVER_ERROR; - } - - if (group_result == OK) - return OK; - - if (sec->auth_pg_authoritative) { - apr_snprintf(pg_errstr, MAX_STRING_LEN, - "[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)", - user); - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); - ap_note_basic_auth_failure(r); - return HTTP_UNAUTHORIZED; - }; - } - } - - return DECLINED; + return AUTH_GRANTED; } - /* Send the authentication to the log table */ int -pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user, - char *sent_pw) +pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, const char *user, + const char *sent_pw) { char sql[MAX_STRING_LEN]; char *s; @@ -1087,7 +966,7 @@ pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user, sec->auth_pg_log_addrs_field); strncat(fields, sql, MAX_STRING_LEN - strlen(fields) - 1); apr_snprintf(sql, MAX_STRING_LEN, ", '%s'", - r->connection->remote_ip); + r->connection->client_ip); strncat(values, sql, MAX_STRING_LEN - strlen(values) - 1); } if (sec->auth_pg_log_pwd_field) { /* Password field , clear WARNING */ 
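Review bot: this hunk deletes pg_check_auth and with it every `Require user`, `Require group` and `valid-user` evaluation against Auth_PG_grp_table, but nothing is registered in its place, so group-based access control silently stops working on 2.4: the Auth_PG_grp_table, Auth_PG_grp_group_field, Auth_PG_grp_user_field and Auth_PG_grp_whereclause directives are still accepted and still documented by documentation.patch, yet have no effect, and get_pg_grp (left in place, as the hunk context shows) becomes an unused static function. Either port the group lookup to an authz_provider registered with AUTHZ_PROVIDER_GROUP so it can be used from a Require line, or at minimum record the regression in debian/NEWS and the changelog, which currently only says the package was made to work with Apache 2.4. The same goes for the provider registration in the following hunk: the configuration now needs `AuthBasicProvider pgsql`, and neither the HTML manual nor NEWS tells the administrator so.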
@@ -1140,15 +1019,22 @@ static void *pg_auth_server_config(apr_pool_t * p, server_rec * s) } +static const authn_provider authn_pgsql_provider = +{ + &check_password, + NULL, +}; + static void register_hooks(apr_pool_t * p) { ap_hook_post_config(pg_auth_init_handler, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_auth_checker(pg_check_auth, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_check_user_id(pg_authenticate_basic_user, NULL, NULL, - APR_HOOK_MIDDLE); + + ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "pgsql", + AUTHN_PROVIDER_VERSION, + &authn_pgsql_provider, AP_AUTH_INTERNAL_PER_CONF); }; -module AP_MODULE_DECLARE_DATA auth_pgsql_module = { +AP_DECLARE_MODULE(auth_pgsql) = { STANDARD20_MODULE_STUFF, create_pg_auth_dir_config, /* dir config creater */ NULL, /* dir merger --- default is to override */

debian/patches/encoding.patch
From: Marco Nenciarini Date: Sat, 10 Aug 2013 16:26:41 +0200 Subject: encoding --- mod_auth_pgsql.c | 144 +++++++++++++++++++++++++++++++--------------------- mod_auth_pgsql.html | 9 ++++ 2 files changed, 94 insertions(+), 59 deletions(-) diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c index f13c166..639537d 100644 --- a/mod_auth_pgsql.c +++ b/mod_auth_pgsql.c @@ -151,6 +151,7 @@ typedef struct { const char *auth_pg_port; const char *auth_pg_options; const char *auth_pg_user; + const char *auth_pg_charset; const char *auth_pg_pwd; const char *auth_pg_pwd_table; const char *auth_pg_uname_field; @@ -181,6 +182,8 @@ typedef struct { } pg_auth_config_rec; +static PGconn *pg_conn; + static apr_pool_t *auth_pgsql_pool = NULL; static apr_pool_t *auth_pgsql_pool_base64 = NULL; @@ -220,6 +223,7 @@ static void *create_pg_auth_dir_config(apr_pool_t * p, char *d) new_rec->auth_pg_port = NULL; new_rec->auth_pg_options = NULL; new_rec->auth_pg_user = NULL; + new_rec->auth_pg_charset = NULL; new_rec->auth_pg_pwd = NULL; new_rec->auth_pg_pwd_table = NULL; new_rec->auth_pg_uname_field = NULL; 
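Review bot: `+static PGconn *pg_conn;` in encoding.patch replaces the per-query connection with one process-wide libpq connection shared by every request. A PGconn must not be used by two threads at the same time, so under a threaded MPM (worker or event) two concurrent authentications will interleave PQexec calls on the same socket and return each other's results or crash; keep one connection per thread (an apr_threadkey, or a reslist) or serialise access to pg_conn with a mutex. Note also that the connection is now keyed on nothing: the first directory whose config opens it wins, and a second directory with a different Auth_PG_database, Auth_PG_user or Auth_PG_pwd will silently run its queries against the first one's database. Nothing in this series registers a pool cleanup either, so the server-side session is never closed with PQfinish when a child exits.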
@@ -324,6 +328,10 @@ static const command_rec pg_auth_cmds[] = { (void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_user), OR_AUTHCFG, "user name connect as"), + AP_INIT_TAKE1("Auth_PG_charset", ap_set_string_slot, + (void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_charset), + OR_AUTHCFG, + "charset to use for connection"), AP_INIT_TAKE1("Auth_PG_pwd", ap_set_string_slot, (void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_pwd), OR_AUTHCFG, 
@@ -462,53 +470,51 @@ static char *auth_pg_base64(char *pw) } +PGconn *pg_connect(pg_auth_config_rec *sec) +{ + PGconn *conn; -/* Got from POstgreSQL 7.2 */ -/* --------------- - * Escaping arbitrary strings to get valid SQL strings/identifiers. - * - * Replaces "\\" with "\\\\" and "'" with "''". - * length is the length of the buffer pointed to by - * from. The buffer at to must be at least 2*length + 1 characters - * long. A terminating NUL character is written. - * --------------- - */ + conn = PQsetdbLogin(sec->auth_pg_host, sec->auth_pg_port, + sec->auth_pg_options, NULL, sec->auth_pg_database, + sec->auth_pg_user, sec->auth_pg_pwd); + if (PQstatus(conn) != CONNECTION_OK) { + PQreset(conn); + apr_snprintf(pg_errstr, MAX_STRING_LEN, + "mod_auth_pgsql database connection error resetting %s", + PQerrorMessage(conn)); + if (PQstatus(conn) != CONNECTION_OK) { + apr_snprintf(pg_errstr, MAX_STRING_LEN, + "mod_auth_pgsql database connection error reset failed %s", + PQerrorMessage(conn)); + PQfinish(conn); + return NULL; + } + } + return conn; +} -static size_t pg_check_string(char *to, const char *from, size_t length) -{ - const char *source = from; - char *target = to; - unsigned int remaining = length; - - while (remaining > 0) { - switch (*source) { - case '\\': - *target = '\\'; - target++; - *target = '\\'; - /* target and remaining are updated below. */ - break; - case '\'': - *target = '\''; - target++; - *target = '\''; - /* target and remaining are updated below. */ - break; +static size_t pg_check_string(char *to, const char *from, size_t length, request_rec * r, pg_auth_config_rec *sec) +{ + int error; - default: - *target = *source; - /* target and remaining are updated below. 
*/ + if (!pg_conn) { + if (!(pg_conn = pg_connect(sec))) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database"); + ap_note_basic_auth_failure(r); + return -1; } - source++; - target++; - remaining--; } - /* Write the terminating NUL character. */ - *target = '\0'; + PQescapeStringConn(pg_conn, to, from, length, &error); + + if (error) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot escape string"); + ap_note_basic_auth_failure(r); + return -1; + } - return target - to; + return 0; } @@ -518,7 +524,6 @@ static size_t pg_check_string(char *to, const char *from, size_t length) char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec) { PGresult *pg_result; - PGconn *pg_conn; char *val; char *result = NULL; @@ -530,19 +535,10 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec) sec->auth_pg_database); #endif /* DEBUG_AUTH_PGSQL */ - pg_conn = PQsetdbLogin(sec->auth_pg_host, sec->auth_pg_port, - sec->auth_pg_options, NULL, sec->auth_pg_database, - sec->auth_pg_user, sec->auth_pg_pwd); - if (PQstatus(pg_conn) != CONNECTION_OK) { - PQreset(pg_conn); - apr_snprintf(pg_errstr, MAX_STRING_LEN, - "mod_auth_pgsql database connection error resetting %s", - PQerrorMessage(pg_conn)); - if (PQstatus(pg_conn) != CONNECTION_OK) { - apr_snprintf(pg_errstr, MAX_STRING_LEN, - "mod_auth_pgsql database connection error reset failed %s", - PQerrorMessage(pg_conn)); - PQfinish(pg_conn); + if (!pg_conn) { + if (!(pg_conn = pg_connect(sec))) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database"); + ap_note_basic_auth_failure(r); return NULL; } } 
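Review bot: pg_check_string now returns `(size_t) -1` on failure, but every caller in the following hunks (get_pg_pw, get_pg_grp, pg_log_auth_user) still ignores the return value and goes on to build the SQL statement from `safe_user`, `safe_group`, `safe_pw` and `safe_req`; when the connection attempt inside the helper fails those buffers are never written at all, and when PQescapeStringConn reports an error its output is only what the server will reject as malformed. Since this patch exists to escape client-supplied values correctly (Closes: #512672), make the failure visible: return int, and have each caller abandon the query (NULL from get_pg_pw/get_pg_grp, skip the log insert) when escaping fails. The helper also calls ap_note_basic_auth_failure on a connection error, a request-level side effect that belongs in the handler rather than in a string-escaping routine, and that is wrong for pg_log_auth_user, which runs after a successful authentication.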
@@ -552,6 +548,21 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec) query); #endif /* DEBUG_AUTH_PGSQL */ + if (sec->auth_pg_charset) { + const char *check; + + PQsetClientEncoding(pg_conn, sec->auth_pg_charset); + + check = pg_encoding_to_char(PQclientEncoding(pg_conn)); + + if (!check || strcmp(sec->auth_pg_charset, check)) { + apr_snprintf(pg_errstr, MAX_STRING_LEN, + "mod_auth_pgsql database character set encoding %s"); + PQfinish(pg_conn); + return NULL; + } + } + pg_result = PQexec(pg_conn, query); if (pg_result == NULL) { @@ -610,7 +621,7 @@ char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec) int n; safe_user = apr_palloc(r->pool, 1 + 2 * strlen(user)); - pg_check_string(safe_user, user, strlen(user)); + pg_check_string(safe_user, user, strlen(user), r, sec); #ifdef DEBUG_AUTH_PGSQL ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, @@ -685,8 +696,8 @@ static char *get_pg_grp(request_rec * r, char *group, char *user, #endif /* DEBUG_AUTH_PGSQL */ query[0] = '\0'; - pg_check_string(safe_user, user, strlen(user)); - pg_check_string(safe_group, group, strlen(group)); + pg_check_string(safe_user, user, strlen(user), r, sec); + pg_check_string(safe_group, group, strlen(group), r, sec); if ((!sec->auth_pg_grp_table) || (!sec->auth_pg_grp_group_field) || (!sec->auth_pg_grp_user_field)) @@ -777,6 +788,14 @@ static int pg_authenticate_basic_user(request_rec * r) } pg_errstr[0] = '\0'; + if (!pg_conn) { + if (!(pg_conn = pg_connect(sec))) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database"); + ap_note_basic_auth_failure(r); + return HTTP_UNAUTHORIZED; + } + } + if (sec->auth_pg_cache_passwords && (!apr_is_empty_table(sec->cache_pass_table))) { val = (char *) apr_table_get(sec->cache_pass_table, user); 
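Review bot: in the Auth_PG_charset hunk `apr_snprintf(pg_errstr, MAX_STRING_LEN, "mod_auth_pgsql database character set encoding %s");` passes `%s` with no corresponding argument, so every charset mismatch formats an argument that was never passed into the error string (undefined behaviour; the missing `check` is only added in apache-2.4.patch and should be folded in here). In the same branch `PQfinish(pg_conn);` frees the connection but leaves the static `pg_conn` pointing at it, so the next request hands freed memory to PQexec; set `pg_conn = NULL` after PQfinish, and do the same wherever the connection is torn down. Finally, the match is `strcmp(sec->auth_pg_charset, check)` against pg_encoding_to_char(), so `Auth_PG_charset utf8` never equals the canonical `UTF8` and every query on that directory fails; test the return value of PQsetClientEncoding (non-zero on failure) instead of comparing spellings, and do it once after pg_connect rather than on every query.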
@@ -904,6 +923,13 @@ static int pg_check_auth(request_rec * r) #endif /* DEBUG_AUTH_PGSQL */ + if (!pg_conn) { + if (!(pg_conn = pg_connect(sec))) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database"); + ap_note_basic_auth_failure(r); + return HTTP_UNAUTHORIZED; + } + } /* if we cannot do it; leave it to some other guy */ @@ -1015,9 +1041,9 @@ pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user, } /* AUD: MAX_STRING_LEN probably isn't always correct */ - pg_check_string(safe_user, user, strlen(user)); - pg_check_string(safe_pw, sent_pw, strlen(sent_pw)); - pg_check_string(safe_req, r->the_request, strlen(r->the_request)); + pg_check_string(safe_user, user, strlen(user), r, sec); + pg_check_string(safe_pw, sent_pw, strlen(sent_pw), r, sec); + pg_check_string(safe_req, r->the_request, strlen(r->the_request), r, sec); if (sec->auth_pg_lowercaseuid) { diff --git a/mod_auth_pgsql.html b/mod_auth_pgsql.html index d35768b..5474314 100644 --- a/mod_auth_pgsql.html +++ b/mod_auth_pgsql.html @@ -48,6 +48,7 @@ Notes | Changelog

  • Auth_PG_host
  • Auth_PG_port
  • Auth_PG_options
  • +
  • Auth_PG_charset
  • Auth_PG_database
  • Auth_PG_user
  • Auth_PG_pwd
  • @@ -104,6 +105,14 @@ be found.

    Specifies an option string to be passed to the postgreSQL backend process. Refer to the PostgreSQL user manual for a description of the available options.

    +

    Auth_PG_charset

    +Syntax: Auth_PG_options option string
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Extension +

    Specifies the name of an encoding to be set for the PostgreSQL +backend process. Refer to the PostgreSQL user manual for a description +of the available options.

    Auth_PG_database

    Syntax: Auth_PG_database database name
    Context: directory, .htaccess
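Review bot: the new Auth_PG_charset section copies its `Syntax:` line from Auth_PG_options unchanged ("Syntax: Auth_PG_options option string"); it should read `Syntax: Auth_PG_charset encoding name`. The description should also say which values are accepted (PostgreSQL client encoding names, spelled exactly as the server reports them, because the code in this patch compares the configured name with strcmp) instead of pointing at "the available options", wording that was written for the option string and does not apply to an encoding.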
debian/patches/series
debian-dirs.patch
documentation.patch
encoding.patch
apache-2.4.patch

debian/copyright
This package was debianized by Marco Nenciarini on
Fri, 2 Apr 2004 19:33:23 +0200.

It was downloaded from http://www.giuseppetanzilli.it/mod_auth_pgsql2/dist/

Upstream Maintainer: Giuseppe Tanzilli

Original source Authors:
  Adam Sussman Feb, 1996
  Matthias Eckermann

Copyright:

=====================================================================
Copyright (c) 1996 Vidya Media Ventures, Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

1. Redistributions of this source code or a derived source code must
   retain the above copyright notice, this list of conditions and the
   following disclaimer.

2. Redistributions of this module or a derived module in binary form
   must reproduce the above copyright notice, this list of conditions
   and the following disclaimer in the documentation and/or other
   materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY VIDYA MEDIA VENTURES, INC. ``AS IS'' AND
ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL VIDYA MEDIA VENTURES, INC. OR
ITS EMPLOYEES BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
====================================================================

This software is a contribution to and makes use of the Apache HTTP
server, which is written, maintained and copyrighted by the Apache
Group. See http://www.apache.org/ for more information.

This software makes use of libpq, which is an interface to the
PostgreSQL database. PostgreSQL is copyright (c) 1994 by the Regents of
the University of California. As of this writing, more information on
PostgreSQL can be found at http://www.postgresSQL.org/

debian/dirs
/etc/apache2/mods-available
/usr/lib/apache2/modules

debian/compat
7