Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Mario Brandt
+1

On 6 March 2016 at 14:12, Fabien  wrote:
>
>> Attached is a patch against the sources, including a documentation, which
>> use the syntax "Require forward-dns foo.apache.org".
>
>
> Here is a v2 which adds a missing "/" in the XML documentation.
>
> --
> Fabien.


Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Fabien


Attached is a patch against the sources, including documentation, which uses
the syntax "Require forward-dns foo.apache.org".


Here is a v2 which adds a missing "/" in the XML documentation.

--
Fabien.
Index: docs/log-message-tags/next-number
===
--- docs/log-message-tags/next-number	(revision 1733791)
+++ docs/log-message-tags/next-number	(working copy)
@@ -1 +1 @@
-3354
+3357
Index: docs/manual/mod/mod_authz_host.xml
===
--- docs/manual/mod/mod_authz_host.xml	(revision 1733791)
+++ docs/manual/mod/mod_authz_host.xml	(working copy)
@@ -58,7 +58,8 @@
 Apache's Require
 directive is used during the authorization phase to ensure that a user is allowed or
 denied access to a resource.  mod_authz_host extends the
-authorization types with ip, host and local.
+authorization types with ip, host,
+forward-dns and local.
 Other authorization types may also be
 used but may require that additional authorization modules be loaded.
 
@@ -157,6 +158,29 @@
 
 
 
+Require forward-dns
+
+The forward-dns provider allows access to the server
+to be controlled based on simple host names.  When
+Require forward-dns host-name is specified,
+all IP addresses corresponding to host-name
+are allowed access.
+
+In contrast to the host provider, this provider does not
+rely on reverse DNS lookups: it simply queries the DNS for the host name
+and allows a client if its IP matches.  As a consequence, it will only
+work with host names, not domain names.  However, as the reverse DNS is
+not used, it will work with clients which use a dynamic DNS service.
+
+
+Require forward-dns bla.example.org
+
+
+A client the IP of which is resolved from the name
+bla.example.org will be granted access.
+
+
+
 Require local
 
 The local provider allows access to the server if any
Index: modules/aaa/mod_authz_host.c
===
--- modules/aaa/mod_authz_host.c	(revision 1733791)
+++ modules/aaa/mod_authz_host.c	(working copy)
@@ -216,6 +216,71 @@
 return AUTHZ_DENIED;
 }
 
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+const char *require_line,
+const void *parsed_require_line)
+{
+const char *err = NULL;
+const ap_expr_info_t *expr = parsed_require_line;
+const char *require, *t;
+char *w;
+
+/* the require line is an expression, which is evaluated now. */
+require = ap_expr_str_exec(r, expr, );
+if (err) {
+  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+"Can't evaluate require expression: %s", err);
+  return AUTHZ_DENIED;
+}
+
+/* tokenize expected list of names */
+t = require;
+while ((w = ap_getword_conf(r->pool, )) && w[0]) {
+
+apr_sockaddr_t *sa;
+apr_status_t rv;
+char *hash_ptr;
+
+/* stop on apache configuration file comments */
+if ((hash_ptr = ap_strchr(w, '#'))) {
+if (hash_ptr == w) {
+break;
+}
+*hash_ptr = '\0';
+}
+
+/* does the client ip match one of the names? */
+rv = apr_sockaddr_info_get(, w, APR_UNSPEC, 0, 0, r->pool);
+if (rv == APR_SUCCESS) {
+
+while (sa) {
+int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+  "access check for %s as '%s': %s",
+  r->useragent_ip, w, match? "yes": "no");
+if (match) {
+return AUTHZ_GRANTED;
+}
+
+sa = sa->next;
+}
+}
+else {
+ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+  "No sockaddr info for \"%s\"", w);
+}
+
+/* stop processing, we are in a comment */
+if (hash_ptr) {
+break;
+}
+}
+
+return AUTHZ_DENIED;
+}
+
 static authz_status local_check_authorization(request_rec *r,
   const char *require_line,
   const void *parsed_require_line)
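Review bot: The apr_sockaddr_info_get() call in forward_dns_check_authorization grants access on whatever addresses the resolver returns for the name, with no reverse/forward cross-check of the kind the `host` provider performs, so a spoofed or poisoned answer that carries the client's address is enough to pass; the code and the manual text should state that the check is exactly as trustworthy as the resolver's answer for that name. I would add above the call `/* The resolver's answer is trusted verbatim: access is only as strong as the DNS path to the name's zone (use a validating resolver). */`. The failure branch also logs a status of `0` rather than `rv`, so the reason a name did not resolve never reaches the error log; `ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, APLOGNO(03356)` fixes that, and note that this WARNING is then emitted on every request for as long as the name is unresolvable. The hunk's trailing context is the signature of local_check_authorization, whose body continues outside the hunk.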
@@ -265,6 +330,12 @@
 _parse_config,
 };
 
+static const authz_provider authz_forward_dns_provider =
+{
+_dns_check_authorization,
+_parse_config,
+};
+
 static const authz_provider authz_local_provider =
 {
 _check_authorization,
@@ -309,6 +380,10 @@
 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host",
   AUTHZ_PROVIDER_VERSION,
   _host_provider, AP_AUTH_INTERNAL_PER_CONF);
+ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "forward-dns",
+

Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Yann Ylavic
On Sun, Mar 6, 2016 at 8:13 AM, Fabien  wrote:
>
> I'm proposing to commit the patch if I'm given a go.
>
> Vote?

LGTM, +1

Regards,
Yann.


Re: access control for dynamic hosts (vote?)

2016-03-05 Thread Fabien


Hello Apache developers,


Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused.  Like "forward-dns"


Attached is a patch against the sources, including documentation,
which uses the syntax "Require forward-dns foo.apache.org".


The second file is the same extension packaged as an external module, for easy
testing. The only differences from the integrated version are the error
message texts, which carry the function name instead of an APLOGNO tag, and
the absence of documentation.


I'm proposing to commit the patch if I'm given a go.

Vote?

--
Fabien.
Index: docs/log-message-tags/next-number
===
--- docs/log-message-tags/next-number	(revision 1733559)
+++ docs/log-message-tags/next-number	(working copy)
@@ -1 +1 @@
-3354
+3357
Index: docs/manual/mod/mod_authz_host.xml
===
--- docs/manual/mod/mod_authz_host.xml	(revision 1733559)
+++ docs/manual/mod/mod_authz_host.xml	(working copy)
@@ -58,7 +58,8 @@
 Apache's Require
 directive is used during the authorization phase to ensure that a user is allowed or
 denied access to a resource.  mod_authz_host extends the
-authorization types with ip, host and local.
+authorization types with ip, host,
+forward-dns and local.
 Other authorization types may also be
 used but may require that additional authorization modules be loaded.
 
@@ -157,6 +158,29 @@
 
 
 
+Require forward-dns
+
+The forward-dns provider allows access to the server
+to be controlled based on simple host names.  When
+Require forward-dns host-name is specified,
+all IP addresses corresponding to host-name
+are allowed access.
+
+In contrast to the host provider, this provider does not
+rely on reverse DNS lookups: it simply queries the DNS for the host name
+and allows a client if its IP matches.  As a consequence, it will only
+work with host names, not domain names.  However, as the reverse DNS is
+not used, it will work with clients which use a dynamic DNS service.
+
+
+Require forward-dns bla.example.org
+
+
+A client the IP of which is resolved from the name
+bla.example.org will be granted access.
+
+
+
 Require local
 
 The local provider allows access to the server if any
Index: modules/aaa/mod_authz_host.c
===
--- modules/aaa/mod_authz_host.c	(revision 1733559)
+++ modules/aaa/mod_authz_host.c	(working copy)
@@ -216,6 +216,71 @@
 return AUTHZ_DENIED;
 }
 
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+const char *require_line,
+const void *parsed_require_line)
+{
+const char *err = NULL;
+const ap_expr_info_t *expr = parsed_require_line;
+const char *require, *t;
+char *w;
+
+/* the require line is an expression, which is evaluated now. */
+require = ap_expr_str_exec(r, expr, );
+if (err) {
+  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+"Can't evaluate require expression: %s", err);
+  return AUTHZ_DENIED;
+}
+
+/* tokenize expected list of names */
+t = require;
+while ((w = ap_getword_conf(r->pool, )) && w[0]) {
+
+apr_sockaddr_t *sa;
+apr_status_t rv;
+char *hash_ptr;
+
+/* stop on apache configuration file comments */
+if ((hash_ptr = ap_strchr(w, '#'))) {
+if (hash_ptr == w) {
+break;
+}
+*hash_ptr = '\0';
+}
+
+/* does the client ip match one of the names? */
+rv = apr_sockaddr_info_get(, w, APR_UNSPEC, 0, 0, r->pool);
+if (rv == APR_SUCCESS) {
+
+while (sa) {
+int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+  "access check for %s as '%s': %s",
+  r->useragent_ip, w, match? "yes": "no");
+if (match) {
+return AUTHZ_GRANTED;
+}
+
+sa = sa->next;
+}
+}
+else {
+ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+  "No sockaddr info for \"%s\"", w);
+}
+
+/* stop processing, we are in a comment */
+if (hash_ptr) {
+break;
+}
+}
+
+return AUTHZ_DENIED;
+}
+
 static authz_status local_check_authorization(request_rec *r,
   const char *require_line,
   const void *parsed_require_line)
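Review bot: Every request to a resource guarded by this provider performs a synchronous DNS lookup in apr_sockaddr_info_get() for each listed name until one matches, so a slow or unreachable resolver stalls the serving thread for the resolver's timeout and any client can trigger that cost on every request; neither the function's comments nor the manual text in this patch mention it. I would note it at the top of forward_dns_check_authorization: `/* Blocking forward lookup per name on every request, no caching here (left to the resolver): keep the list short and place cheaper Require providers first. */`. Leaving caching to the resolver is reasonable for short dynamic-DNS TTLs, but a resolver outage can then turn into a worker-pool exhaustion problem, which operators should know when they choose this provider. The hunk ends on the signature of local_check_authorization, whose body is outside the hunk.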
@@ -265,6 +330,12 @@
 _parse_config,
 };
 
+static const authz_provider authz_forward_dns_provider =
+{
+_dns_check_authorization,
+

RE: access control for dynamic hosts

2016-03-01 Thread fabien


Hello Rick,

Forward doesn’t mean dynamic, however, and using one particular solution 
like that is misleading, IMO.  Using “forward-dns” makes more sense to 
me.


Yep, with such a name what it does is pretty clear.

That said, how would you intend to handle multiple A records for the 
same name: look them all up and store in a table, or support only one A 
record per name?  At a minimum, I think that needs to be clearly 
documented.


Sure. The "poc" implementation posted up-thread walks over all the records 
until a match is found; if none matches, access is denied.


There is no attempt at caching anything, as the actual use case is dynamic 
DNS hosts, which have pretty short TTLs. Caching is left to the DNS 
resolver.


--
Fabien.

RE: access control for dynamic hosts

2016-03-01 Thread Houser, Rick
Forward doesn’t mean dynamic, however, and using one particular solution like 
that is misleading, IMO.  Using “forward-dns” makes more sense to me.

That said, how would you intend to handle multiple A records for the same name: 
look them all up and store in a table, or support only one A record per name?  
At a minimum, I think that needs to be clearly documented.


Rick Houser

From: Yehuda Katz [mailto:yeh...@ymkatz.net]
Sent: Tuesday, March 01, 2016 10:09 AM
To: dev@httpd.apache.org
Subject: Re: access control for dynamic hosts

dyndns is a company name, but it seems to be synonymous for a lot of systems 
with dynamic-dns.
That would make a recognizable option for a lot of people.

- Y

On Tue, Mar 1, 2016 at 10:00 AM, Eric Covener 
<cove...@gmail.com<mailto:cove...@gmail.com>> wrote:
On Tue, Mar 1, 2016 at 9:53 AM,  <fab...@apache.org<mailto:fab...@apache.org>> 
wrote:
> Maybe "Require ip" could be extended instead of using a new name:
>
>   "Require ip myserver.apache.org<http://myserver.apache.org>"


Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused.  Like "forward-dns"

--
Eric Covener
cove...@gmail.com<mailto:cove...@gmail.com>



Re: access control for dynamic hosts

2016-03-01 Thread Yehuda Katz
dyndns is a company name, but it seems to be synonymous for a lot of
systems with dynamic-dns.
That would make a recognizable option for a lot of people.

- Y

On Tue, Mar 1, 2016 at 10:00 AM, Eric Covener  wrote:

> On Tue, Mar 1, 2016 at 9:53 AM,   wrote:
> > Maybe "Require ip" could be extended instead of using a new name:
> >
> >   "Require ip myserver.apache.org"
>
>
> Unfortunately I think you need to pick an awkward name here so it
> cannot be confused/misused.  Like "forward-dns"
>
> --
> Eric Covener
> cove...@gmail.com
>


Re: access control for dynamic hosts

2016-03-01 Thread Yann Ylavic
On Tue, Mar 1, 2016 at 3:31 PM, Eric Covener  wrote:
> On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic  wrote:
>> How about "Require dns" (and mod_authz_dns) for the name?
>
> I think it is  reasonable to extend authz_host to disable the reverse
> check when requested (via some new first arg to require)

Good idea.


Re: access control for dynamic hosts

2016-03-01 Thread Yann Ylavic
On Tue, Mar 1, 2016 at 4:01 PM, Yann Ylavic  wrote:
> On Tue, Mar 1, 2016 at 3:31 PM, Eric Covener  wrote:
>> On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic  wrote:
>>> How about "Require dns" (and mod_authz_dns) for the name?
>>
>> I think it is  reasonable to extend authz_host to disable the reverse
>> check when requested (via some new first arg to require)
>
> Good idea.

Oups, it seems this has been abandoned already :p


Re: access control for dynamic hosts

2016-03-01 Thread fabien


Hello Yann,


[...]

Looks good to me.

It would have to be documented though, especially the difference with
"Require host" and maybe their complementarity (wrt security).


Sure, it needs a documentation, obviously. I will not commit anything 
without a doc.



How about "Require dns" (and mod_authz_dns) for the name?


Hmm. Note that "Require host" also uses the DNS, doubly so. I'm worried 
that naming only one of them "dns" would suggest that the others do not 
use it.


I think that "Require host" should really be named "Require domain", because 
that is what it does; then "Require host" would be available... but it is 
too late for that :-)


Maybe "Require ip" could be extended instead of using a new name:

  "Require ip myserver.apache.org"

Would query the DNS to get the IP when checking for the authorization.
Not sure that it is a good idea, though.

--
Fabien.


Re: access control for dynamic hosts

2016-03-01 Thread Eric Covener
On Tue, Mar 1, 2016 at 9:53 AM,   wrote:
> Maybe "Require ip" could be extended instead of using a new name:
>
>   "Require ip myserver.apache.org"


Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused.  Like "forward-dns"

-- 
Eric Covener
cove...@gmail.com


Re: access control for dynamic hosts

2016-03-01 Thread fabien



How about "Require dns" (and mod_authz_dns) for the name?


I think it is  reasonable to extend authz_host to disable the reverse
check when requested (via some new first arg to require)


Note that the inner working logic is different, but this is an 
implementation detail.


What syntax would be appropriate?

  Require forward host foo.apache.org
  Require host forward-only foo.apache.org

Or maybe just a tag in front of the names?

  Require host mydomain.org !mydynahost.domain.org
  Require host mydomain.org *mydynahost.domain.org
  Require host mydomain.org ?mydynahost.domain.org

???

--
Fabien.


Re: access control for dynamic hosts

2016-03-01 Thread Eric Covener
On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic  wrote:
> How about "Require dns" (and mod_authz_dns) for the name?

I think it is  reasonable to extend authz_host to disable the reverse
check when requested (via some new first arg to require)


Re: access control for dynamic hosts

2016-03-01 Thread Jacob Perkins
This would be a godsend. I personally use a lot of dynamic hosts from my ISP, 
in that I'm unable to control the rDNS records of the IPs I'm assigned. Having 
an option for checks going 'forward' only would be terrific.

—
Jacob Perkins
Product Owner
cPanel Inc.

jacob.perk...@cpanel.net 
Office:  713-529-0800 x 4046
Cell:  713-560-8655

> On Mar 1, 2016, at 6:44 AM, fab...@apache.org wrote:
> 
>  Require xxx foo.apache.org 
>  # allows ip of "foo.apache.org ", just be resolving 
> the name
> 
> For use with dyndns services.
> 



signature.asc
Description: Message signed with OpenPGP using GPGMail


Re: access control for dynamic hosts

2016-03-01 Thread Yann Ylavic
Hi Fabien,

On Thu, Jan 14, 2016 at 9:38 AM, Fabien  wrote:
>
> Would anyone have an opinion, please?
>
> Although I can just commit the proposed changes, a formal go would be nice.

Looks good to me.

It would have to be documented though, especially the difference with
"Require host" and maybe their complementarity (wrt security).

How about "Require dns" (and mod_authz_dns) for the name?

Regards,
Yann.


Re: access control for dynamic hosts

2016-03-01 Thread fabien



This feature makes sense because it allows to allow a full domain, say
"apache.org", any host of which the inverse dns resolves to the domain
can then be allowed.

But this also means that if the reverse dns is not controlled, say with
the dynamic dns and a moving ip, ip control does not work, hence my
proposal for a lesser version which just checks that a client ip is
allowed just by resolving a name.


that is unsafe


it takes me exactly 5 seconds to add a PTR "myserver.apache.org" to one of 
our public ip-addresses if i would like to and nobody can do anything against 
it except check if the A record matchs because that can only be controlled by 
the domain owner


Indeed, but then "host" also checks that forward resolution works, that is 
"myserver.apache.org" must *also* point back to the same IP.


the same for anybody else who has a /24 or bigger network and the reverse dns 
delegated to his own namservers - i would not do such things, others would 
and so it's nothing to hand authentication on it


Sure, the second (forward) lookup checks that all is well.


The feature I'm proposing is not related to that. I'm suggesting to have a 
way to specify host names *only* which are checked forward *only*.


  Require xxx foo.apache.org
  # allows ip of "foo.apache.org", just be resolving the name

For use with dyndns services.

--
Fabien.


Re: access control for dynamic hosts

2016-02-29 Thread Reindl Harald



Am 29.02.2016 um 07:16 schrieb fab...@apache.org:

Maybe the reverse dns is working on your test address?


I checked it and yes it does work that way. I never knew it did.


Indeed.

This feature makes sense because it allows to allow a full domain, say
"apache.org", any host of which the inverse dns resolves to the domain
can then be allowed.

But this also means that if the reverse dns is not controlled, say with
the dynamic dns and a moving ip, ip control does not work, hence my
proposal for a lesser version which just checks that a client ip is
allowed just by resolving a name.


that is unsafe

It takes me exactly 5 seconds to add a PTR "myserver.apache.org" to one 
of our public IP addresses if I want to, and nobody can do anything 
about it except check whether the A record matches, because only the 
domain owner controls that.


The same goes for anybody else who has a /24 or bigger network with the 
reverse DNS delegated to their own nameservers. I would not do such 
things, but others would, so it is nothing to base authentication on.





signature.asc
Description: OpenPGP digital signature


Re: access control for dynamic hosts

2016-02-28 Thread fabien


Hello,


Maybe the reverse dns is working on your test address?


I checked it and yes it does work that way. I never knew it did.


Indeed.

This feature makes sense because it allows a whole domain, say 
"apache.org", to be allowed: any host whose reverse DNS resolves into 
that domain is then accepted.


But this also means that if the reverse DNS is not under your control, as 
with dynamic DNS and a moving IP, this kind of access control does not 
work; hence my proposal for a lesser version which just resolves a name 
and checks that the client IP is one of its addresses.


--
Fabien.


Re: access control for dynamic hosts

2016-02-28 Thread Mario Brandt
Hi,

On 14 January 2016 at 22:36, Fabien  wrote:
>

> Maybe the reverse dns is working on your test address?

I checked it and yes it does work that way. I never knew it did.

Cheers
Mario


Re: access control for dynamic hosts

2016-01-14 Thread Fabien


Hello Apache devs,

Would anyone have an opinion, please?

Although I can just commit the proposed changes, a formal go would be 
nice.


On Sun, 20 Dec 2015, Fabien wrote:


Date: Sun, 20 Dec 2015 09:44:55 +0100 (CET)
From: Fabien 
Reply-To: dev@httpd.apache.org
To: APACHE development mailing list 
Subject: access control for dynamic hosts


Hello folks,

I have a simple access control use case for which I have not found a clean 
solution.


I want to control access to a service based on the name of the client, 
however the client is a dynamic host, which implies that:


(1) I do not have any control about the reverse DNS
=> this rules out "Require host"

(2) the IP may change arbitrarily
=> this rules out "Require ip"

By browsing around it seems that I'm not alone having this issue, and I have 
not found any solution for that with apache configuration, nor a matching 
module in "modules.apache.org" listing.


The current workaround is to update the IP manually when it fails. Although I 
could automate (say query the ip periodically and update & reload the conf if 
there is a change), ISTM that it really belongs to apache configuration.


I would like something like "Require XXX foo.dynamic-dns.somewhere" (where 
XXX could be "name", "hostname", "dynamic", ...) which would query the NS 
when the HTTP request is received and check that the corresponding ip is the 
client IP.


I'm planning to develop a small module for that, and as it is quite a 
basic service it could be a candidate for being added to 
"modules/aaa/mod_authz_host.c".


Another approach could be to extend apache expressions with a function
to query the DNS, but that seems a little overkill.

Any thoughts?




--
Fabien.


Re: access control for dynamic hosts

2016-01-14 Thread Mario Brandt
Hi Fabien,

doesn't it work using Require host with a dyndns name? At least my
test was successful.

Cheers
Mario

On 20 December 2015 at 09:44, Fabien  wrote:
>
> Hello folks,
>
> I have a simple access control use case for which I have not found a clean
> solution.
>
> I want to control access to a service based on the name of the client,
> however the client is a dynamic host, which implies that:
>
>  (1) I do not have any control about the reverse DNS
>  => this rules out "Require host"
>
>  (2) the IP may change arbitrarily
>  => this rules out "Require ip"
>
> By browsing around it seems that I'm not alone having this issue, and I have
> not found any solution for that with apache configuration, nor a matching
> module in "modules.apache.org" listing.
>
> The current workaround is to update the IP manually when it fails. Although
> I could automate (say query the ip periodically and update & reload the conf
> if there is a change), ISTM that it really belongs to apache configuration.
>
> I would like something like "Require XXX foo.dynamic-dns.somewhere" (where
> XXX could be "name", "hostname", "dynamic", ...) which would query the NS
> when the HTTP request is received and check that the corresponding ip is the
> client IP.
>
> I'm planing to develop a small module for that, and as it is somehow quite a
> basic service it could be a candidate for being added to
> "modules/aaa/mod_authz_host.c".
>
> Another approach could be to extend apache expressions with a function
> to query the DNS, but that seems a little overkill.
>
> Any thoughts?
>
> --
> Fabien.


Re: access control for dynamic hosts

2016-01-14 Thread Fabien


Hello Mario,


doesn't it work using Require host with a dyndns name?



From the documentation about "Require host ...":


"It will do a reverse DNS lookup on the IP address to find the associated 
hostname, and then do a forward lookup on the hostname to assure that it 
matches the original IP address. Only if the forward and reverse DNS are 
consistent and the hostname matches will access be allowed."


So the reverse DNS must work. A benefit is that it allows checking for a 
whole domain.


Note that the source code seems to say the same, although in C:-)


At least my test was successful.


I'm surprised.

I just tested it again from my home (which uses a dynamic DNS), and it did 
not work with "Require host" in a proxy context, with "Require host 
NNN":


 sh> netcat  3128
 GET http://www.google.fr/ HTTP/1.0

 HTTP/1.1 403 Forbidden
 ...

So the client was not authorized, but after a reload with a "Require name 
NNN" from the submitted module:


 sh> netcat  3128
 GET http://www.google.fr/ HTTP/1.0

 HTTP/1.1 200 OK
 Date: Thu, 14 Jan 2016 21:30:40 GMT
 Server: gws
 ...

Maybe the reverse dns is working on your test address?

--
Fabien.


Re: access control for dynamic hosts

2015-12-21 Thread Fabien


Hello folks,

I would like something like "Require XXX foo.dynamic-dns.somewhere" 
(where XXX could be "name", "hostname", "dynamic", ...) which would 
query the NS when the HTTP request is received and check that the 
corresponding ip is the client IP.


I'm planning to develop a small module for that, and as it is quite a 
basic service it could be a candidate for being added to 
"modules/aaa/mod_authz_host.c".


Attached is a working version with the syntax "Require name 
foo.somewhere".


Not sure whether "name" is the best... name for the authorization 
provider, though.


I could append this to mod_authz_host.c & update the documentation if I'm 
given a go.


--
Fabien

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * Security options etc.
 *
 * Module derived from code originally written by Rob McCool
 *
 */

#include "apr_strings.h"
#include "apr_network_io.h"
#include "apr_md5.h"
#include "apr_hash.h"

#define APR_WANT_STRFUNC
#define APR_WANT_BYTEFUNC
#include "apr_want.h"

#include "ap_config.h"
#include "ap_provider.h"
#include "httpd.h"
#include "http_core.h"
#include "http_config.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"

#include "mod_auth.h"

#if APR_HAVE_NETINET_IN_H
#include 
#endif

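/*
 * Authorization check for "Require name host-name ...".
 *
 * The require line is an expression (compiled by name_parse_config()); it
 * is evaluated per request and split into words.  Each word is resolved
 * with a forward DNS lookup and every address returned is compared against
 * the client address (r->useragent_addr).  The first match grants access;
 * anything else, including an expression error or a name that does not
 * resolve, denies.
 *
 * Security notes:
 *  - Only the forward lookup is done; there is no reverse/forward
 *    cross-check as in the "host" provider of mod_authz_host.  Access is
 *    therefore exactly as trustworthy as the resolver's answer for the
 *    name: a spoofed or poisoned answer is accepted as-is, so a validating
 *    resolver is advisable.
 *  - The lookup is synchronous and repeated on every request, for every
 *    listed name until one matches; a slow resolver stalls the thread.
 *  - '#' starts a configuration comment: a word beginning with '#' ends
 *    processing, a '#' inside a word truncates that word and ends
 *    processing after it has been checked.
 *
 * Returns AUTHZ_GRANTED on a match, AUTHZ_DENIED otherwise.
 */
static authz_status name_check_authorization(request_rec *r,
                                             const char *require_line,
                                             const void *parsed_require_line)
{
    const char *err = NULL;
    const ap_expr_info_t *expr = parsed_require_line;
    const char *require, *t;
    char *w;

    /* the require line is an expression, which is evaluated now. */
    require = ap_expr_str_exec(r, expr, &err);
    if (err) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, /* APLOGNO(FIXME) */
                      "name_check_authorization: "
                      "Can't evaluate require expression: %s", err);
        return AUTHZ_DENIED;
    }

    /* tokenize expected list of names */
    t = require;
    while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
        apr_sockaddr_t *sa;
        apr_status_t rv;
        char *hash_ptr;

        /* stop on apache configuration file comments */
        if ((hash_ptr = ap_strchr(w, '#'))) {
            if (hash_ptr == w) {
                break;
            }
            *hash_ptr = '\0';
        }

        /* does the client ip match one of the addresses of the name?
         * The resolver's answer is trusted verbatim (see header comment). */
        rv = apr_sockaddr_info_get(&sa, w, APR_UNSPEC, 0, 0, r->pool);
        if (rv == APR_SUCCESS) {
            for (; sa; sa = sa->next) {
                int match = apr_sockaddr_equal(sa, r->useragent_addr);

                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, /* APLOGNO(FIXME) */
                              "name_check_authorization: %s for %s: %s",
                              w, r->useragent_ip, match ? "yes" : "no");
                if (match) {
                    return AUTHZ_GRANTED;
                }
            }
        }
        else {
            /* pass the APR status so the resolver failure reason is logged */
            ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, /* APLOGNO(FIXME) */
                          "name_check_authorization: no sockaddr info for \"%s\"", w);
        }

        /* stop processing, we are in a comment */
        if (hash_ptr) {
            break;
        }
    }

    return AUTHZ_DENIED;
}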

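/*
 * Parse the argument of "Require name ..." at configuration time.
 *
 * Copy of host_parse_config from mod_authz_host: the require line is
 * compiled as an ap_expr string expression and the compiled form is stored
 * in *parsed_require_line for name_check_authorization() to evaluate on
 * each request.
 *
 * Returns NULL on success, or an error message (allocated from
 * cmd->temp_pool) describing why the expression did not parse.
 */
static const char *name_parse_config(cmd_parms *cmd, const char *require_line,
                                     const void **parsed_require_line)
{
    const char *expr_err = NULL;
    ap_expr_info_t *expr;

    expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
                             &expr_err, NULL);
    if (expr_err) {
        return apr_pstrcat(cmd->temp_pool,
                           "Cannot parse expression in require line: ",
                           expr_err, NULL);
    }

    *parsed_require_line = expr;
    return NULL;
}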

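/* Provider table for the "name" authorization type: the Require argument is
 * compiled at startup by name_parse_config and checked per request by
 * name_check_authorization. */
static const authz_provider authz_name_provider =
{
    &name_check_authorization,
    &name_parse_config,
};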

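/*
 * Register the "name" authorization provider with the core so that
 * "Require name ..." is dispatched to this module.  Registered with
 * AP_AUTH_INTERNAL_PER_CONF, the same way mod_authz_host registers its
 * own providers.
 */
static void register_hooks(apr_pool_t *p)
{
    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "name",
                              AUTHZ_PROVIDER_VERSION,
                              &authz_name_provider,
                              AP_AUTH_INTERNAL_PER_CONF);
}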