debian/source/format
3.0 (quilt)
debian/control
Source: libapache2-mod-auth-pgsql
Maintainer: Marco Nenciarini
Section: httpd
Priority: extra
Standards-Version: 3.9.4
Build-Depends: debhelper (>= 7.0.50~), apache2-dev (>= 2.4), libpq-dev
Vcs-Git: git://anonscm.debian.org/collab-maint/libapache2-mod-auth-pgsql.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/libapache2-mod-auth-pgsql.git
Homepage: http://www.giuseppetanzilli.it/mod_auth_pgsql2
Package: libapache2-mod-auth-pgsql
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Module for Apache2 which provides PostgreSQL authentication
 mod_auth_pgsql implements authentication and logging routines using PostgreSQL
 tables for Apache's authentication protocol.
debian/rules
#!/usr/bin/make -f
# -*- makefile -*-
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
%:
	dh $@ --with apache2
override_dh_auto_install:
	install .libs/mod_auth_pgsql.so debian/libapache2-mod-auth-pgsql/usr/lib/apache2/modules
debian/changelog
libapache2-mod-auth-pgsql (2.0.3-6) unstable; urgency=low
[ Peter Pentchev ]
* Convert to the 3.0 (quilt) source format.
* Use "PostgreSQL" instead of "pgsql" and "postgresql" in the package
synopsis and long description.
* Add a Homepage control field.
* Add a blank line to the end of debian/NEWS to satisfy Lintian.
* Add a doc-base file describing the HTML manual.
* Add the 03-encoding.patch to allow a configurable connection encoding
and to properly escape client-supplied values. (Closes: #512672)
[ Marco Nenciarini ]
* Minimize the rules file using debhelper 7 with apache2 sequencer.
* Bump Standards-Version to 3.9.4:
- change the section to "httpd" from "web"
* Mention the logging ability in long description.
* Add the 04-apache-2.4.patch to make the package working with
Apache 2.4. Patch from
http://www.sky-air.net/wordpress/mod_auth_pgsql-at-apache2-4-2
(Closes: #666814)
* Drop postinst/prerm logic to migrate the load file name to 000_
prefix, as even the oldstable distribution has the 2.0.3-5 version.
* Add VCS-* field URI in debian/control
-- Marco Nenciarini Sat, 10 Aug 2013 19:12:42 +0200
libapache2-mod-auth-pgsql (2.0.3-5) unstable; urgency=low
[ Micha Lenk ]
* Rename the config snippet in /etc/apache2/mods-available/ and the
corresponding symlink in /etc/apache2/mods-enabled/ now having prefix 000_
in order to load the module auth_pgsql prior to other authentication
modules (Closes: #399562).
* On upgrade let the postinst script try to fix this bug too.
[ Marco Nenciarini ]
* debian/rules: removed dash from make clean invocation fixes lintian
debian-rules-ignores-make-clean-error
-- Marco Nenciarini Tue, 16 Oct 2007 10:21:49 +0200
libapache2-mod-auth-pgsql (2.0.3-4) unstable; urgency=low
* Bump debhelper compat level to 5.
* Update Debian policy to version 3.7.2.2. No changes required.
* Build with apache 2.2 (Closes: #391756)
-- Marco Nenciarini Sun, 8 Oct 2006 16:17:31 +0200
libapache2-mod-auth-pgsql (2.0.3-3) unstable; urgency=high
* Force reloading of apache2 when mod-auth-pgsql is
upgraded. (Closes: #356426)
* urgency=high due to recent security issue. (Apache servers can often run
for many months without needing to be restarted, so they would be still
vulnerable.)
-- Marco Nenciarini Tue, 14 Mar 2006 09:10:35 +0100
libapache2-mod-auth-pgsql (2.0.3-2) unstable; urgency=low
* debian/prerm: Fixed bashism (test with -[ao]).
-- Marco Nenciarini Mon, 16 Jan 2006 10:57:34 +0100
libapache2-mod-auth-pgsql (2.0.3-1) unstable; urgency=low
* New upstream release
-- Marco Nenciarini Sun, 15 Jan 2006 16:19:22 +0100
libapache2-mod-auth-pgsql (2.0.2b1-7) unstable; urgency=high
* SECURITY UPDATE: Arbitrary remote code execution with www-data privileges.
CVE-2005-3656
Fix several format string vulnerabilities in ap_log_[rp]error() calls
(patch stolen from Ubuntu)
* debian/control: Bump Standards-Version to 3.6.2.0; no changes required
-- Marco Nenciarini Wed, 11 Jan 2006 15:06:50 +0100
libapache2-mod-auth-pgsql (2.0.2b1-6) unstable; urgency=low
* Transition to new PostgreSQL architecture.
* debian/control: Changed build dependency postgresql-dev to
libpq-dev.
* Makefile: Use pg_config to determine include directory.
-- Marco Nenciarini Fri, 17 Jun 2005 17:57:30 +0200
libapache2-mod-auth-pgsql (2.0.2b1-5) unstable; urgency=low
* Added proper debian/watch file.
* Modified debian/copyright to report the right download url.
-- Marco Nenciarini Mon, 23 Aug 2004 15:16:41 +0200
libapache2-mod-auth-pgsql (2.0.2b1-4) unstable; urgency=high
* Back out the ill-fated apache2 LFS transition. (Closes: #267352)
* Bump the apache2-threaded-dev build-dep to (>= 2.0.50-10)
-- Marco Nenciarini Sun, 22 Aug 2004 17:14:47 +0200
libapache2-mod-auth-pgsql (2.0.2b1-3) unstable; urgency=medium
* Corrected some errors in documentation (Closes: #264465)
* Recompiled for apache2 LFS transition (Closes: #266178)
* Bump the apache2-threaded-dev build-dep to (>= 2.0.50-9)
-- Marco Nenciarini Tue, 17 Aug 2004 10:07:25 +0200
libapache2-mod-auth-pgsql (2.0.2b1-2) unstable; urgency=low
* Added a prerm script to allow apache2 to work correctly after module
remotion.
-- Marco Nenciarini Mon, 19 Apr 2004 16:02:05 +0200
libapache2-mod-auth-pgsql (2.0.2b1-1) unstable; urgency=low
* Initial Release. (Closes: #242198)
-- Marco Nenciarini Fri, 2 Apr 2004 19:33:23 +0200
debian/gbp.conf
[DEFAULT]
cleaner = /bin/true
pristine-tar = True
sign-tags = True
[git-buildpackage]
export-dir = ../build-area/
tarball-dir = ../tarballs/
[git-dch]
meta = True
id-length = 7
[gbp-pq]
patch-numbers = False
debian/watch
# Site Directory Pattern Version Script
version=2
http://www.giuseppetanzilli.it/mod_auth_pgsql2/dist/ (?:.*/)?mod_auth_pgsql-?_?([\w+\d+\.]+|\d+)(\.tar|\.tgz)(\.gz|\.bz2|) debian uupdate
debian/docs
README
TODO
mod_auth_pgsql.html
debian/NEWS
libapache2-mod-auth-pgsql (2.0.3-5) unstable; urgency=low
The auth_pgsql module needs to be loaded before any other
authentication modules. So we renamed its configuration file to
000_auth_pgsql.load to make it load first.
-- Marco Nenciarini Tue, 16 Oct 2007 10:44:11 +0200
debian/000_auth_pgsql.load
LoadModule auth_pgsql_module /usr/lib/apache2/modules/mod_auth_pgsql.so
debian/doc-base
Document: libapache2-mod-auth-pgsql
Title: Module mod_auth_pgsql PostgreSQL authentication module for
Apache web server
Author: Giuseppe Tanzilli
Abstract: This module allows user authentication (and can log
authentication requests) against information stored in a PostgreSQL
database.
Section: System/Security
Format: HTML
Index: /usr/share/doc/libapache2-mod-auth-pgsql/mod_auth_pgsql.html
Files: /usr/share/doc/libapache2-mod-auth-pgsql/mod_auth_pgsql.html
debian/apache2
mod debian/000_auth_pgsql.load
debian/patches/debian-dirs.patch
From: Marco Nenciarini
Date: Sat, 10 Aug 2013 16:26:41 +0200
Subject: debian dirs
---
Makefile | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 0ab38a4..eccaea6 100644
--- a/Makefile
+++ b/Makefile
@@ -1,12 +1,12 @@
-APACHE2_HOME=/usr/local/apache2
-PGSQL_LIB=/usr/local/pgsql/lib
-PGSQL_INCLUDE=/usr/local/pgsql/include
+APACHE2_HOME=/usr
+PGSQL_LIB=/usr/lib
+PGSQL_INCLUDE=$(shell pg_config --includedir)
shared:
- ${APACHE2_HOME}/bin/apxs -i -a -c -I ${PGSQL_INCLUDE} -L ${PGSQL_LIB} -lpq mod_auth_pgsql.c
+ ${APACHE2_HOME}/bin/apxs2 -a -c -I ${PGSQL_INCLUDE} -L ${PGSQL_LIB} -lpq mod_auth_pgsql.c
indent:
indent -kr -ts4 mod_auth_pgsql.c
clean:
- rm -rf .libs/ *.la *.o *.lo *.slo *~
\ No newline at end of file
+ rm -rf .libs/ *.la *.o *.lo *.slo *~
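Review bot: PGSQL_LIB is hard-coded to /usr/lib while PGSQL_INCLUDE on the next line is resolved through pg_config. Ask pg_config for the library directory as well, for example `PGSQL_LIB=$(shell pg_config --libdir)`, so the link step does not depend on where libpq happens to be installed on the build host.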
debian/patches/documentation.patch
From: Marco Nenciarini
Date: Sat, 10 Aug 2013 16:26:41 +0200
Subject: documentation
---
mod_auth_pgsql.html | 47 ++++++++++++++++++++++++++++-------------------
1 file changed, 28 insertions(+), 19 deletions(-)
diff --git a/mod_auth_pgsql.html b/mod_auth_pgsql.html
index 3269fe0..d35768b 100644
--- a/mod_auth_pgsql.html
+++ b/mod_auth_pgsql.html
@@ -48,18 +48,19 @@ Notes | Changelog
Auth_PG_host
Auth_PG_port
Auth_PG_options
- Auth_PG_database
- Auth_PG_user
- Auth_PG_pwd
- Auth_PG_pwd_table
- Auth_PG_grp_table
+ Auth_PG_database
+ Auth_PG_user
+ Auth_PG_pwd
+ Auth_PG_pwd_table
+ Auth_PG_grp_table
Auth_PG_uid_field
Auth_PG_pwd_field
- Auth_PG_gid_field
+ Auth_PG_grp_group_field
+ Auth_PG_grp_user_field
Auth_PG_nopasswd
Auth_PG_authoritative
- Auth_PG_lowercase_uid
- Auth_PG_uppercase_uid
+ Auth_PG_lowercase_uid
+ Auth_PG_uppercase_uid
Auth_PG_pwd_ignore_case
Auth_PG_encrypted
@@ -112,7 +113,7 @@ available options.
information.
- Auth_PG_user
+ Auth_PG_user
Syntax: Auth_PG_user username
Context: directory, .htaccess
@@ -125,7 +126,7 @@ access on all the log tables (if used).
Needed if the user who make the quey is differrent from the
user runnig apache, or if the posmater is on a different server and you
must autheticate with password
- Auth_PG_pwd
+ Auth_PG_pwd
Syntax: Auth_PG_pwd password
Context: directory, .htaccess
Override: AuthConfig
@@ -169,17 +170,25 @@ in the Auth_PG_pwd_table relation.
Override: AuthConfig
Status: Extension
Specifies the attribute name of the field containing the encrypted
-(see Auth_PG_encrypted) password in the Auth_PGpwd_table relation.
+(see Auth_PG_encrypted) password in the Auth_PG_pwd_table relation.
Please remember to use field of type varchar, not char for the password.
- Auth_PG_gid_field
-Syntax: Auth_PG_gid_field attribute name
+ Auth_PG_grp_group_field
+Syntax: Auth_PG_grp_group_field attribute name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Specifies the attribute name of the field containing the group name
in the Auth_PG_grp_table relation. This directive is only necessary if
you want to authenticate by user groups.
+ Auth_PG_grp_user_field
+Syntax: Auth_PG_grp_user_field attribute name
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Extension
+Specifies the attribute name of the field containing the user name
+in the Auth_PG_grp_table relation. This directive is only necessary if
+you want to authenticate by user groups.
Auth_PG_nopasswd
Syntax: Auth_PG_nopasswd on or off
Context: directory, .htaccess
@@ -202,7 +211,7 @@ the PostgreSQL scheme, the parent directory scheme will be given
the chance to try and authenticate the user. Exercise caution
when turning this option off. It can be a security risk. Can be
used to use two authentication schemes for the same dir.
- Auth_PG_lowercase_uid
+ Auth_PG_lowercase_uid
Syntax: Auth_PG_lowercase_uid on or off
Context: directory, .htaccess
Override: AuthConfig
@@ -211,7 +220,7 @@ used to use two authentication schemes for the same dir.
user UIDs to lowercase before looking them up. When turned on this does
not affect the case of the original user ID should this module decline
to authenticate and a lower level is called.
- Auth_PG_uppercase_uid
+ Auth_PG_uppercase_uid
Syntax: Auth_PG_uppercase_uid on or off
Context: directory, .htaccess
Override: AuthConfig
@@ -277,14 +286,14 @@ initial space .
This option allows you to exercise greater control over the SQL code
used to retrieve the group name and corresponding user from the
database. You can use this to search for the group name
-using more attributes in the table than the gid_field.
+using more attributes in the table than the grp_group_field.
The basic SQL statement used to retrieve a group name and user name
for checking looks like this:
-select <uid_field> from <grp_table> where
-<gid_field> ='<required group> '
+select <grp_user_field> from <grp_table> where
+<grp_group_field> ='<required group> '
-The gid_whereclause will be added to the end of this statement
+The grp_whereclause will be added to the end of this statement
and must fit logically. The where clause must be double
quoted.
debian/patches/apache-2.4.patch
From: Marco Nenciarini
Date: Sat, 20 Jul 2013 18:47:04 +0200
Subject: apache 2.4
---
mod_auth_pgsql.c | 196 ++++++++++++-------------------------------------------
1 file changed, 41 insertions(+), 155 deletions(-)
diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c
index 639537d..26d7f90 100644
--- a/mod_auth_pgsql.c
+++ b/mod_auth_pgsql.c
@@ -109,6 +109,8 @@
#include "http_request.h"
#include "util_script.h"
+#include "mod_auth.h"
+
#ifdef WIN32
#define crypt apr_password_validate
#else
@@ -191,7 +193,7 @@ module AP_MODULE_DECLARE_DATA auth_pgsql_module;
static int pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec,
- char *user, char *sent_pw);
+ const char *user, const char *sent_pw);
static char *do_pg_query(request_rec * r, char *query,
pg_auth_config_rec * sec);
@@ -442,9 +444,8 @@ static char pg_errstr[MAX_STRING_LEN];
* failures separately
*/
-static char *auth_pg_md5(char *pw)
+static char *auth_pg_md5(const char *pw)
{
- apr_md5_ctx_t ctx;
unsigned char digest[APR_MD5_DIGESTSIZE];
static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1];
int i;
@@ -459,14 +460,15 @@ static char *auth_pg_md5(char *pw)
}
-static char *auth_pg_base64(char *pw)
+static char *auth_pg_base64(const char *pw)
{
if (auth_pgsql_pool_base64 == NULL)
apr_pool_create_ex(&auth_pgsql_pool_base64, NULL, NULL, NULL);
if (auth_pgsql_pool == NULL)
return NULL;
- return ap_pbase64encode(auth_pgsql_pool, pw);
+ /* NOTE: ap_pbase64encode is no change arg2. so removable const. */
+ return ap_pbase64encode(auth_pgsql_pool, (char *)pw);
}
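Review bot: In auth_pg_base64 the pool that gets created is auth_pgsql_pool_base64, but the NULL check and the allocation on the changed return line both use auth_pgsql_pool. Since this hunk touches the return statement anyway, make all three refer to the same pool; as written the function returns NULL whenever auth_pgsql_pool has not been created elsewhere, and the pool it prepares is never used. The added comment would read better as "ap_pbase64encode does not modify its second argument, so casting away const is safe".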
@@ -557,7 +559,8 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
if (!check || strcmp(sec->auth_pg_charset, check)) {
apr_snprintf(pg_errstr, MAX_STRING_LEN,
- "mod_auth_pgsql database character set encoding %s");
+ "mod_auth_pgsql database character set encoding %s",
+ check);
PQfinish(pg_conn);
return NULL;
}
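Review bot: `check` can be NULL on this path because the guard is `!check || strcmp(...)`, so the newly added argument may carry no encoding name at all; log the requested sec->auth_pg_charset alongside it and say in the message that the encoding could not be set. The context line `PQfinish(pg_conn);` also needs a follow-up: pg_conn is a file-scope static after encoding.patch, so it must be set to NULL after PQfinish, otherwise the `if (!pg_conn)` checks on the next request will reuse a closed connection.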
@@ -614,7 +617,7 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
return result;
}
-char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec)
+char *get_pg_pw(request_rec * r, const char *user, pg_auth_config_rec * sec)
{
char query[MAX_STRING_LEN];
char *safe_user;
@@ -755,19 +758,20 @@ static char *get_pg_grp(request_rec * r, char *group, char *user,
}
/* Process authentication request from Apache*/
-static int pg_authenticate_basic_user(request_rec * r)
+static authn_status check_password(request_rec *r, const char *user,
+ const char *password)
{
+
pg_auth_config_rec *sec =
(pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
&auth_pgsql_module);
- char *val = NULL;
- char *sent_pw, *real_pw;
- int res;
- char *user;
+ const char *val = NULL;
+ const char *sent_pw;
+ const char *real_pw;
+ authn_status auth_res;
+
+ sent_pw = password;
- if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw)))
- return res;
- user = r->user;
#ifdef DEBUG_AUTH_PGSQL
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
@@ -784,7 +788,7 @@ static int pg_authenticate_basic_user(request_rec * r)
if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"[mod_auth_pgsql.c] - missing configuration parameters");
- return DECLINED;
+ return AUTH_GENERAL_ERROR;
}
pg_errstr[0] = '\0';
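Review bot: The guard above the changed return, `(!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)`, only fires when both settings are missing. Now that the result is AUTH_GENERAL_ERROR rather than DECLINED, use `||` so that a configuration missing either the table or the field is rejected here instead of reaching the query builder, and raise the log level from APLOG_WARNING to APLOG_ERR to match the new outcome.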
@@ -809,22 +813,16 @@ static int pg_authenticate_basic_user(request_rec * r)
if (!real_pw) {
if (pg_errstr[0]) {
- res = HTTP_INTERNAL_SERVER_ERROR;
+ auth_res = AUTH_GENERAL_ERROR;
} else {
- if (sec->auth_pg_authoritative) {
/* force error and access denied */
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"mod_auth_pgsql: Password for user %s not found (PG-Authoritative)",
user);
- ap_note_basic_auth_failure(r);
- res = HTTP_UNAUTHORIZED;
- } else {
- /* allow fall through to another module */
- return DECLINED;
- }
+ auth_res = AUTH_USER_NOT_FOUND;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
- return res;
+ return auth_res;
}
/* allow no password, if the flag is set and the password
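Review bot: With the `sec->auth_pg_authoritative` branch removed, the not-found path always returns AUTH_USER_NOT_FOUND, yet the message still ends in "(PG-Authoritative)"; drop the suffix so the log does not imply a setting that is no longer consulted here. The Auth_PG_authoritative entry in mod_auth_pgsql.html still describes fall-through to another scheme, so it should be updated in the same series. The remaining lines in the else block keep their old indentation and should be re-indented one level.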
@@ -836,7 +834,7 @@ static int pg_authenticate_basic_user(request_rec * r)
user);
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
pg_log_auth_user(r, sec, user, sent_pw);
- return OK;
+ return AUTH_GRANTED;
};
/* if the flag is off however, keep that kind of stuff at
@@ -847,8 +845,7 @@ static int pg_authenticate_basic_user(request_rec * r)
"[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"",
user);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
- ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
+ return AUTH_DENIED;
};
if (sec->auth_pg_encrypted)
@@ -877,8 +874,7 @@ static int pg_authenticate_basic_user(request_rec * r)
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"PG user %s: password mismatch", user);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
- ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
+ return AUTH_DENIED;
}
/* store password in the cache */
@@ -891,130 +887,13 @@ static int pg_authenticate_basic_user(request_rec * r)
}
pg_log_auth_user(r, sec, user, sent_pw);
- return OK;
-}
-
-/* Checking ID */
-
-static int pg_check_auth(request_rec * r)
-{
- pg_auth_config_rec *sec =
- (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
- &auth_pgsql_module);
- char *user = r->user;
- int m = r->method_number;
- int group_result = DECLINED;
-
-
-
- apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r);
- require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
-
- register int x, res;
- const char *t;
- char *w;
-
- pg_errstr[0] = '\0';
-
-#ifdef DEBUG_AUTH_PGSQL
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
- "[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ",
- user);
-#endif /* DEBUG_AUTH_PGSQL */
-
-
- if (!pg_conn) {
- if (!(pg_conn = pg_connect(sec))) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
- ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
- }
- }
-
- /* if we cannot do it; leave it to some other guy
- */
- if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field)
- && (!sec->auth_pg_grp_user_field))
- return DECLINED;
-
- if (!reqs_arr) {
- if (sec->auth_pg_authoritative) {
- /* force error and access denied */
- apr_snprintf(pg_errstr, MAX_STRING_LEN,
- "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
- user);
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
- ap_note_basic_auth_failure(r);
- res = HTTP_UNAUTHORIZED;
- } else {
- return DECLINED;
- }
- }
-
- for (x = 0; x < reqs_arr->nelts; x++) {
-
- if (!(reqs[x].method_mask & (1 << m)))
- continue;
-
- t = reqs[x].requirement;
- w = ap_getword(r->pool, &t, ' ');
-
- if (!strcmp(w, "valid-user"))
- return OK;
-
- if (!strcmp(w, "user")) {
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- if (!strcmp(user, w))
- return OK;
- }
- if (sec->auth_pg_authoritative) {
- /* force error and access denied */
- apr_snprintf(pg_errstr, MAX_STRING_LEN,
- "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
- user);
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
- ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
- }
-
- } else if (!strcmp(w, "group")) {
- /* look up the membership for each of the groups in the table */
- pg_errstr[0] = '\0';
-
- while (t[0]) {
- if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) {
- group_result = OK;
- };
- };
-
- if (pg_errstr[0]) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- if (group_result == OK)
- return OK;
-
- if (sec->auth_pg_authoritative) {
- apr_snprintf(pg_errstr, MAX_STRING_LEN,
- "[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)",
- user);
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
- ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
- };
- }
- }
-
- return DECLINED;
+ return AUTH_GRANTED;
}
-
/* Send the authentication to the log table */
int
-pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user,
- char *sent_pw)
+pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, const char *user,
+ const char *sent_pw)
{
char sql[MAX_STRING_LEN];
char *s;
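Review bot: Removing pg_check_auth takes out the code that called get_pg_grp for "group" requirements, and register_hooks later in this patch adds only an authentication provider, so nothing in the patch consults Auth_PG_grp_table, Auth_PG_grp_group_field or Auth_PG_grp_user_field any more. Either add an authorization provider that wraps get_pg_grp, or remove the group directives and their documentation; in both cases add a debian/NEWS entry, because a site that relies on group checks changes behaviour on upgrade.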
@@ -1087,7 +966,7 @@ pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user,
sec->auth_pg_log_addrs_field);
strncat(fields, sql, MAX_STRING_LEN - strlen(fields) - 1);
apr_snprintf(sql, MAX_STRING_LEN, ", '%s'",
- r->connection->remote_ip);
+ r->connection->client_ip);
strncat(values, sql, MAX_STRING_LEN - strlen(values) - 1);
}
if (sec->auth_pg_log_pwd_field) { /* Password field , clear WARNING */
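Review bot: `r->connection->client_ip` is the address of the TCP peer; Apache 2.4 also provides `r->useragent_ip`, which reflects the client address after modules such as mod_remoteip have processed the request, and that is usually the value an authentication log should record. The address is also placed into the SQL text through `'%s'` without passing through pg_check_string as the user and password do; that is harmless for a server-generated address, but escaping it would keep the statement construction uniform.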
@@ -1140,15 +1019,22 @@ static void *pg_auth_server_config(apr_pool_t * p, server_rec * s)
}
+static const authn_provider authn_pgsql_provider =
+{
+ &check_password,
+ NULL,
+};
+
static void register_hooks(apr_pool_t * p)
{
ap_hook_post_config(pg_auth_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_auth_checker(pg_check_auth, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_check_user_id(pg_authenticate_basic_user, NULL, NULL,
- APR_HOOK_MIDDLE);
+
+ ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "pgsql",
+ AUTHN_PROVIDER_VERSION,
+ &authn_pgsql_provider, AP_AUTH_INTERNAL_PER_CONF);
};
-module AP_MODULE_DECLARE_DATA auth_pgsql_module = {
+AP_DECLARE_MODULE(auth_pgsql) = {
STANDARD20_MODULE_STUFF,
create_pg_auth_dir_config, /* dir config creater */
NULL, /* dir merger --- default is to override */
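Review bot: Registering the module as an authn provider named "pgsql" means it only runs when a configuration selects that provider (for example through AuthBasicProvider), whereas the removed ap_hook_check_user_id hook ran without any such selection. Existing configurations will stop authenticating against PostgreSQL until they are updated, so document the required directive in mod_auth_pgsql.html and add a debian/NEWS entry. The second slot of authn_pgsql_provider is NULL, so only password checking is offered; say so in the documentation as well.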
debian/patches/encoding.patch
From: Marco Nenciarini
Date: Sat, 10 Aug 2013 16:26:41 +0200
Subject: encoding
---
mod_auth_pgsql.c | 144 +++++++++++++++++++++++++++++++---------------------
mod_auth_pgsql.html | 9 ++++
2 files changed, 94 insertions(+), 59 deletions(-)
diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c
index f13c166..639537d 100644
--- a/mod_auth_pgsql.c
+++ b/mod_auth_pgsql.c
@@ -151,6 +151,7 @@ typedef struct {
const char *auth_pg_port;
const char *auth_pg_options;
const char *auth_pg_user;
+ const char *auth_pg_charset;
const char *auth_pg_pwd;
const char *auth_pg_pwd_table;
const char *auth_pg_uname_field;
@@ -181,6 +182,8 @@ typedef struct {
} pg_auth_config_rec;
+static PGconn *pg_conn;
+
static apr_pool_t *auth_pgsql_pool = NULL;
static apr_pool_t *auth_pgsql_pool_base64 = NULL;
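Review bot: A single file-scope `pg_conn` is shared by every per-directory configuration, but the rest of this patch only calls pg_connect(sec) when it is NULL, so whichever location is requested first fixes the host, database and credentials for the life of the process. A second location with a different Auth_PG_database or Auth_PG_user would then be checked against the wrong database. Keep the connection in the per-directory record or key the cached handle on the connection parameters, and note that a bare static is also shared between threads under a threaded MPM.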
@@ -220,6 +223,7 @@ static void *create_pg_auth_dir_config(apr_pool_t * p, char *d)
new_rec->auth_pg_port = NULL;
new_rec->auth_pg_options = NULL;
new_rec->auth_pg_user = NULL;
+ new_rec->auth_pg_charset = NULL;
new_rec->auth_pg_pwd = NULL;
new_rec->auth_pg_pwd_table = NULL;
new_rec->auth_pg_uname_field = NULL;
@@ -324,6 +328,10 @@ static const command_rec pg_auth_cmds[] = {
(void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_user),
OR_AUTHCFG,
"user name connect as"),
+ AP_INIT_TAKE1("Auth_PG_charset", ap_set_string_slot,
+ (void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_charset),
+ OR_AUTHCFG,
+ "charset to use for connection"),
AP_INIT_TAKE1("Auth_PG_pwd", ap_set_string_slot,
(void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_pwd),
OR_AUTHCFG,
@@ -462,53 +470,51 @@ static char *auth_pg_base64(char *pw)
}
+PGconn *pg_connect(pg_auth_config_rec *sec)
+{
+ PGconn *conn;
-/* Got from POstgreSQL 7.2 */
-/* ---------------
- * Escaping arbitrary strings to get valid SQL strings/identifiers.
- *
- * Replaces "\\" with "\\\\" and "'" with "''".
- * length is the length of the buffer pointed to by
- * from. The buffer at to must be at least 2*length + 1 characters
- * long. A terminating NUL character is written.
- * ---------------
- */
+ conn = PQsetdbLogin(sec->auth_pg_host, sec->auth_pg_port,
+ sec->auth_pg_options, NULL, sec->auth_pg_database,
+ sec->auth_pg_user, sec->auth_pg_pwd);
+ if (PQstatus(conn) != CONNECTION_OK) {
+ PQreset(conn);
+ apr_snprintf(pg_errstr, MAX_STRING_LEN,
+ "mod_auth_pgsql database connection error resetting %s",
+ PQerrorMessage(conn));
+ if (PQstatus(conn) != CONNECTION_OK) {
+ apr_snprintf(pg_errstr, MAX_STRING_LEN,
+ "mod_auth_pgsql database connection error reset failed %s",
+ PQerrorMessage(conn));
+ PQfinish(conn);
+ return NULL;
+ }
+ }
+ return conn;
+}
-static size_t pg_check_string(char *to, const char *from, size_t length)
-{
- const char *source = from;
- char *target = to;
- unsigned int remaining = length;
-
- while (remaining > 0) {
- switch (*source) {
- case '\\':
- *target = '\\';
- target++;
- *target = '\\';
- /* target and remaining are updated below. */
- break;
- case '\'':
- *target = '\'';
- target++;
- *target = '\'';
- /* target and remaining are updated below. */
- break;
+static size_t pg_check_string(char *to, const char *from, size_t length, request_rec * r, pg_auth_config_rec *sec)
+{
+ int error;
- default:
- *target = *source;
- /* target and remaining are updated below. */
+ if (!pg_conn) {
+ if (!(pg_conn = pg_connect(sec))) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
+ ap_note_basic_auth_failure(r);
+ return -1;
}
- source++;
- target++;
- remaining--;
}
- /* Write the terminating NUL character. */
- *target = '\0';
+ PQescapeStringConn(pg_conn, to, from, length, &error);
+
+ if (error) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot escape string");
+ ap_note_basic_auth_failure(r);
+ return -1;
+ }
- return target - to;
+ return 0;
}
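Review bot: pg_check_string is declared to return size_t but now returns -1 on failure, which converts to a very large positive value, and none of the call sites updated later in this patch look at the result. When the connection attempt or PQescapeStringConn fails, `to` is left unwritten and the caller still builds its query from it. Change the return type to int and have get_pg_pw, get_pg_grp and pg_log_auth_user check it and stop. In pg_connect, pg_errstr is filled with the "error resetting" text even when PQreset succeeds; clear it again in that case so later `pg_errstr[0]` checks do not see a stale error.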
@@ -518,7 +524,6 @@ static size_t pg_check_string(char *to, const char *from, size_t length)
char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
{
PGresult *pg_result;
- PGconn *pg_conn;
char *val;
char *result = NULL;
@@ -530,19 +535,10 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
sec->auth_pg_database);
#endif /* DEBUG_AUTH_PGSQL */
- pg_conn = PQsetdbLogin(sec->auth_pg_host, sec->auth_pg_port,
- sec->auth_pg_options, NULL, sec->auth_pg_database,
- sec->auth_pg_user, sec->auth_pg_pwd);
- if (PQstatus(pg_conn) != CONNECTION_OK) {
- PQreset(pg_conn);
- apr_snprintf(pg_errstr, MAX_STRING_LEN,
- "mod_auth_pgsql database connection error resetting %s",
- PQerrorMessage(pg_conn));
- if (PQstatus(pg_conn) != CONNECTION_OK) {
- apr_snprintf(pg_errstr, MAX_STRING_LEN,
- "mod_auth_pgsql database connection error reset failed %s",
- PQerrorMessage(pg_conn));
- PQfinish(pg_conn);
+ if (!pg_conn) {
+ if (!(pg_conn = pg_connect(sec))) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
+ ap_note_basic_auth_failure(r);
return NULL;
}
}
@@ -552,6 +548,21 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
query);
#endif /* DEBUG_AUTH_PGSQL */
+ if (sec->auth_pg_charset) {
+ const char *check;
+
+ PQsetClientEncoding(pg_conn, sec->auth_pg_charset);
+
+ check = pg_encoding_to_char(PQclientEncoding(pg_conn));
+
+ if (!check || strcmp(sec->auth_pg_charset, check)) {
+ apr_snprintf(pg_errstr, MAX_STRING_LEN,
+ "mod_auth_pgsql database character set encoding %s");
+ PQfinish(pg_conn);
+ return NULL;
+ }
+ }
+
pg_result = PQexec(pg_conn, query);
if (pg_result == NULL) {
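Review bot: The apr_snprintf format ends in `%s` but no argument is passed, so the formatter reads a value that was never supplied. This package has already had a format-string security fix (the 2.0.2b1-7 changelog entry), and the correction currently sits in apache-2.4.patch; it belongs here. The return value of PQsetClientEncoding is ignored and should be checked before comparing names. The exact strcmp against pg_encoding_to_char means the configured name has to match the spelling libpq reports back; either document that or compare case-insensitively. PQfinish(pg_conn) should be followed by `pg_conn = NULL` because pg_conn is now static.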
@@ -610,7 +621,7 @@ char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec)
int n;
safe_user = apr_palloc(r->pool, 1 + 2 * strlen(user));
- pg_check_string(safe_user, user, strlen(user));
+ pg_check_string(safe_user, user, strlen(user), r, sec);
#ifdef DEBUG_AUTH_PGSQL
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
@@ -685,8 +696,8 @@ static char *get_pg_grp(request_rec * r, char *group, char *user,
#endif /* DEBUG_AUTH_PGSQL */
query[0] = '\0';
- pg_check_string(safe_user, user, strlen(user));
- pg_check_string(safe_group, group, strlen(group));
+ pg_check_string(safe_user, user, strlen(user), r, sec);
+ pg_check_string(safe_group, group, strlen(group), r, sec);
if ((!sec->auth_pg_grp_table) ||
(!sec->auth_pg_grp_group_field) || (!sec->auth_pg_grp_user_field))
@@ -777,6 +788,14 @@ static int pg_authenticate_basic_user(request_rec * r)
}
pg_errstr[0] = '\0';
+ if (!pg_conn) {
+ if (!(pg_conn = pg_connect(sec))) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
+ ap_note_basic_auth_failure(r);
+ return HTTP_UNAUTHORIZED;
+ }
+ }
+
if (sec->auth_pg_cache_passwords
&& (!apr_is_empty_table(sec->cache_pass_table))) {
val = (char *) apr_table_get(sec->cache_pass_table, user);
@@ -904,6 +923,13 @@ static int pg_check_auth(request_rec * r)
#endif /* DEBUG_AUTH_PGSQL */
+ if (!pg_conn) {
+ if (!(pg_conn = pg_connect(sec))) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
+ ap_note_basic_auth_failure(r);
+ return HTTP_UNAUTHORIZED;
+ }
+ }
/* if we cannot do it; leave it to some other guy
*/
@@ -1015,9 +1041,9 @@ pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user,
}
/* AUD: MAX_STRING_LEN probably isn't always correct */
- pg_check_string(safe_user, user, strlen(user));
- pg_check_string(safe_pw, sent_pw, strlen(sent_pw));
- pg_check_string(safe_req, r->the_request, strlen(r->the_request));
+ pg_check_string(safe_user, user, strlen(user), r, sec);
+ pg_check_string(safe_pw, sent_pw, strlen(sent_pw), r, sec);
+ pg_check_string(safe_req, r->the_request, strlen(r->the_request), r, sec);
if (sec->auth_pg_lowercaseuid) {
diff --git a/mod_auth_pgsql.html b/mod_auth_pgsql.html
index d35768b..5474314 100644
--- a/mod_auth_pgsql.html
+++ b/mod_auth_pgsql.html
@@ -48,6 +48,7 @@ Notes | Changelog
Auth_PG_host
Auth_PG_port
Auth_PG_options
+ Auth_PG_charset
Auth_PG_database
Auth_PG_user
Auth_PG_pwd
@@ -104,6 +105,14 @@ be found.
Specifies an option string to be passed to the postgreSQL backend
process. Refer to the PostgreSQL user manual for a description of the
available options.
+ Auth_PG_charset
+Syntax: Auth_PG_options option string
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Extension
+Specifies the name of an encoding to be set for the PostgreSQL
+backend process. Refer to the PostgreSQL user manual for a description
+of the available options.
Auth_PG_database
Syntax: Auth_PG_database database name
Context: directory, .htaccess
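Review bot: The Syntax line for the new directive reads `Syntax: Auth_PG_options option string`, copied from the entry above it; it should name the directive being documented, for example `Syntax: Auth_PG_charset encoding name`. The description says the encoding is set "for the PostgreSQL backend process", while the code in this patch calls PQsetClientEncoding, so describe it as the client encoding of the connection.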
debian/patches/series
debian-dirs.patch
documentation.patch
encoding.patch
apache-2.4.patch
debian/copyright
This package was debianized by Marco Nenciarini on
Fri, 2 Apr 2004 19:33:23 +0200.
It was downloaded from http://www.giuseppetanzilli.it/mod_auth_pgsql2/dist/
Upstream Maintainer:
Giuseppe Tanzilli
Original source Authors:
Adam Sussman Feb, 1996
Matthias Eckermann
Copyright:
=====================================================================
Copyright (c) 1996 Vidya Media Ventures, Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of this source code or a derived source code must
retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions of this module or a derived module in binary form
must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other
materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY VIDYA MEDIA VENTURES, INC. ``AS IS'' AND
ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL VIDYA MEDIA VENTURES, INC.
OR ITS EMPLOYEES BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
====================================================================
This software is a contribution to and makes use of the Apache HTTP
server which is written, maintained and copywritten by the Apache Group.
See http://www.apache.org/ for more information.
This software makes use of libpq which is an interface to the PostgreSQL
database. PostgreSQL is copyright (c) 1994 by the Regents of the
University of California. As of this writing, more information on
PostgreSQL can be found at http://www.postgresSQL.org/
debian/dirs
/etc/apache2/mods-available
/usr/lib/apache2/modules
debian/compat
7