X-Git-Url: http://andersk.mit.edu/gitweb/mod-vhost-ldap.git/blobdiff_plain/8503d00beb04137ab5900adcdfa495fde7ec37ca..refs/heads/scripts-rebased:/mod_vhost_ldap.c
diff --git a/mod_vhost_ldap.c b/mod_vhost_ldap.c
index f3b729a..6bc67fc 100644
--- a/mod_vhost_ldap.c
+++ b/mod_vhost_ldap.c
@@ -31,9 +31,11 @@
 #include "http_request.h"
 #include "apr_version.h"
 #include "apr_ldap.h"
-#include "apr_strings.h"
 #include "apr_reslist.h"
+#include "apr_strings.h"
+#include "apr_tables.h"
 #include "util_ldap.h"
+#include "util_script.h"
 #if !defined(APU_HAS_LDAP) && !defined(APR_HAS_LDAP)
 #error mod_vhost_ldap requires APR-util to have LDAP support built in
@@ -49,6 +51,9 @@
 #define MIN_UID 100
 #define MIN_GID 100
+const char USERDIR[] = "web_scripts";
+
+#define MAX_FAILURES 5
 module AP_MODULE_DECLARE_DATA vhost_ldap_module;
@@ -94,6 +99,8 @@ typedef struct mod_vhost_ldap_request_t {
 char *attributes[] =
   { "apacheServerName", "apacheDocumentRoot", "apacheScriptAlias", "apacheSuexecUid", "apacheSuexecGid", "apacheServerAdmin", 0 };
+static int total_modules;
+
 #if (APR_MAJOR_VERSION >= 1)
 static APR_OPTIONAL_FN_TYPE(uldap_connection_close) *util_ldap_connection_close;
 static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find;
@@ -117,6 +124,13 @@ static void ImportULDAPOptFn(void)
 static int mod_vhost_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
 {
+    module **m;
+
+    /* Stolen from modules/generators/mod_cgid.c */
+    total_modules = 0;
+    for (m = ap_preloaded_modules; *m != NULL; m++)
+        total_modules++;
+
     /* make sure that mod_ldap (util_ldap) is loaded */
     if (ap_find_linked_module("util_ldap.c") == NULL) {
         ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
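Review bot: `const char USERDIR[] = "web_scripts";` in the @@ -49 hunk is defined with external linkage inside a loadable module, so the symbol `USERDIR` is exported from the shared object and can collide with a same-named symbol elsewhere in the server process; nothing in this diff refers to it from another translation unit, so `static const char USERDIR[] = "web_scripts";` is the safer form. The same hunk introduces `MAX_FAILURES` while the retry comment further down the file still reads "retry it up to 5 times"; a one-line comment such as `/* upper bound on LDAP lookup retries in translate_name's back-off loop */` ties the constant to its only use and keeps the two from drifting apart.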
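Review bot: `total_modules` is counted in mod_vhost_ldap_post_config (@@ -117) but no line in this diff reads it, and the `/* Stolen from modules/generators/mod_cgid.c */` comment says where the loop came from rather than what the count is for; if a consumer exists outside this diff, name it, e.g. `/* number of statically linked modules; used to size per-request module config vectors (pattern from mod_cgid) */`, and if nothing uses it the loop and the `static int total_modules;` added in the @@ -94 hunk can both go. ap_preloaded_modules presumably lists only modules compiled into the server, so if the count is meant to cover DSO-loaded modules as well it would be short; confirm against the consumer. mod_vhost_ldap_post_config continues past the end of the hunk.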
@@ -385,6 +399,16 @@ static const char *mod_vhost_ldap_set_fallback(cmd_parms *cmd, void *dummy, cons
     return NULL;
 }
+static int reconfigure_directive(apr_pool_t *p,
+                                 server_rec *s,
+                                 const char *dir,
+                                 const char *args)
+{
+    ap_directive_t dir_s = { .directive = dir, .args = args, .next = NULL,
+                             .line_num = 0, .filename = "VhostLDAPConf" };
+    return ap_process_config_tree(s, &dir_s, p, p);
+}
+
 command_rec mod_vhost_ldap_cmds[] = {
     AP_INIT_TAKE1("VhostLDAPURL", mod_vhost_ldap_parse_url, NULL, RSRC_CONF,
                   "URL to define LDAP connection. This should be an RFC 2255 compliant\n"
@@ -421,22 +445,31 @@ command_rec mod_vhost_ldap_cmds[] = {
 #define FILTER_LENGTH MAX_STRING_LEN
 static int mod_vhost_ldap_translate_name(request_rec *r)
 {
-    request_rec *top = (r->main)?r->main:r;
+    server_rec *server;
+    const char *error;
+    int code;
     mod_vhost_ldap_request_t *reqc;
-    apr_table_t *e;
     int failures = 0;
     const char **vals = NULL;
     char filtbuf[FILTER_LENGTH];
     mod_vhost_ldap_config_t *conf =
         (mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config, &vhost_ldap_module);
-    core_server_config * core =
-        (core_server_config *) ap_get_module_config(r->server->module_config, &core_module);
     util_ldap_connection_t *ldc = NULL;
     int result = 0;
     const char *dn = NULL;
-    char *cgi;
     const char *hostname = NULL;
     int is_fallback = 0;
+    int sleep0 = 0;
+    int sleep1 = 1;
+    int sleep;
+    struct berval hostnamebv, shostnamebv;
+
+    if ((error = ap_init_virtual_host(r->pool, "", r->server, &server)) != NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
+                      "[mod_vhost_ldap.c]: Could not initialize a new VirtualHost: %s",
+                      error);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
     reqc = (mod_vhost_ldap_request_t *)apr_pcalloc(r->pool, sizeof(mod_vhost_ldap_request_t));
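Review bot: reconfigure_directive has no header comment even though it is the path by which every LDAP attribute value in this change becomes live server configuration; the comment should state that `args` is handed to the directive's handler exactly as a line from httpd.conf would be, so a value containing whitespace or quotes is tokenised by the handler rather than treated as one argument, that `p` is passed as both the configuration pool and the temporary pool so anything the directive allocates lives exactly as long as `p`, and that the return value is whatever ap_process_config_tree returns, which the callers in this diff hand straight back as the HTTP status of the request. A parse failure is presumably logged by ap_process_config_tree under `.filename = "VhostLDAPConf"`, line 0, so a sentence naming that pseudo-filename would let an operator trace such log entries back here.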
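Review bot: The new local `int sleep;` shadows the sleep(3) function wherever `<unistd.h>` is reachable through the httpd headers, which `-Wshadow` flags and which would make any later `sleep(...)` call in this function resolve to the integer; a name after its role, `int backoff;` with `backoff0`/`backoff1`, avoids that. It is also declared without an initialiser, which is safe only while the assignment in the retry branch remains the sole writer before every read; `int sleep = 0;` costs nothing and removes the maybe-uninitialised warning. mod_vhost_ldap_translate_name continues beyond the end of this hunk.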
@@ -459,17 +492,24 @@ start_over:
     else {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
                       "[mod_vhost_ldap.c] translate: no conf->host - weird...?");
-        return DECLINED;
+        return HTTP_INTERNAL_SERVER_ERROR;
     }
     hostname = r->hostname;
+    if (hostname == NULL || hostname[0] == '\0')
+        goto null;
 fallback:
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                  "[mod_vhost_ldap.c]: translating %s", r->uri);
+                  "[mod_vhost_ldap.c]: translating hostname [%s], uri [%s]",
+                  hostname, r->uri);
-    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", conf->filter, hostname, hostname);
+    ber_str2bv(hostname, 0, 0, &hostnamebv);
+    if (ldap_bv2escaped_filter_value(&hostnamebv, &shostnamebv) != 0)
+        goto null;
+    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", conf->filter, shostnamebv.bv_val, shostnamebv.bv_val);
+    ber_memfree(shostnamebv.bv_val);
     result = util_ldap_cache_getuserdn(r, ldc, conf->url, conf->basedn, conf->scope, attributes, filtbuf, &dn, &vals);
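Review bot: The escaped filter is written into `filtbuf` with apr_snprintf but the return value is discarded, so a Host header whose escaped form (up to three bytes per input byte) no longer fits in FILTER_LENGTH is silently truncated into an unbalanced filter that only fails later inside util_ldap_cache_getuserdn with a generic error; apr_snprintf reports truncation by returning `len - 1`, so `if (apr_snprintf(filtbuf, FILTER_LENGTH, ...) >= FILTER_LENGTH - 1) { ber_memfree(shostnamebv.bv_val); return HTTP_BAD_REQUEST; }` keeps that case explicit and cheap. Escaping the hostname before splicing it into the filter is the right fix for the previous unescaped interpolation and deserves a one-line comment on the `ber_str2bv` line saying that `hostname` is client-controlled and must never reach the filter raw, so nobody reverts to the simpler original. The empty-hostname guard above `fallback:` is what keeps the escaped value from being empty here, since the `goto fallback` in the wildcard path always supplies a string starting with `*`. The enclosing function continues on both sides of the hunk.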
@@ -477,13 +517,38 @@ fallback:
     util_ldap_connection_close(ldc);
     /* sanity check - if server is down, retry it up to 5 times */
-    if (result == LDAP_SERVER_DOWN) {
-        if (failures++ <= 5) {
+    if (AP_LDAP_IS_SERVER_DOWN(result) ||
+        (result == LDAP_TIMEOUT) ||
+        (result == LDAP_CONNECT_ERROR)) {
+        sleep = sleep0 + sleep1;
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
+                      "[mod_vhost_ldap.c]: lookup failure, retry number #[%d], sleeping for [%d] seconds",
+                      failures, sleep);
+        if (failures++ < MAX_FAILURES) {
+            /* Back-off exponentially */
+            apr_sleep(apr_time_from_sec(sleep));
+            sleep0 = sleep1;
+            sleep1 = sleep;
             goto start_over;
-        }
+        } else {
+            return HTTP_GATEWAY_TIME_OUT;
+        }
     }
-    if ((result == LDAP_NO_SUCH_OBJECT)) {
+    if (result == LDAP_NO_SUCH_OBJECT) {
+        if (strcmp(hostname, "*") != 0) {
+            if (strncmp(hostname, "*.", 2) == 0)
+                hostname += 2;
+            hostname += strcspn(hostname, ".");
+            hostname = apr_pstrcat(r->pool, "*", hostname, (const char *)NULL);
+            ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r,
+                          "[mod_vhost_ldap.c] translate: "
+                          "virtual host not found, trying wildcard %s",
+                          hostname);
+            goto fallback;
+        }
+
+null:
         if (conf->fallback && (is_fallback++ <= 0)) {
             ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r,
                           "[mod_vhost_ldap.c] translate: "
@@ -498,7 +563,7 @@ fallback:
                           "virtual host %s not found",
                           hostname);
-            return DECLINED;
+            return HTTP_BAD_REQUEST;
         }
     /* handle bind failure */
@@ -507,7 +572,7 @@ fallback:
                       "[mod_vhost_ldap.c] translate: "
                       "translate failed; virtual host %s; URI %s [%s]",
                       hostname, r->uri, ldap_err2string(result));
-        return DECLINED;
+        return HTTP_INTERNAL_SERVER_ERROR;
     }
     /* mark the user and DN */
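Review bot: The retry branch sleeps in the request worker, and with `sleep0 = 0`, `sleep1 = 1` and `failures++ < MAX_FAILURES` the waits are 1, 2, 3, 5 and 8 seconds before HTTP_GATEWAY_TIME_OUT, about 19 seconds per request during which that worker serves nothing; while the directory is unreachable every request takes this path, so the whole worker pool can end up asleep and an LDAP outage becomes an HTTP outage, and a slow or timing-out lookup is an inexpensive way to occupy workers. Bounding the total wait, or making MAX_FAILURES and the back-off base configurable, is worth considering, as is logging at WARNING only on the final failure rather than on each of the five attempts. The `failures` printed in `retry number #[%d]` is the pre-increment value, so the first message reports retry 0; `failures + 1` reads correctly. The context line `/* sanity check - if server is down, retry it up to 5 times */` should now name MAX_FAILURES and the added timeout/connect-error conditions. The `start_over:` label and the rest of the enclosing function lie outside this hunk.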
@@ -515,28 +580,57 @@ fallback:
     /* Optimize */
     if (vals) {
-        int i = 0;
-        while (attributes[i]) {
+        int i;
+        for (i = 0; attributes[i]; i++) {
+
+            const char *directive;
+            char *val = apr_pstrdup (r->pool, vals[i]);
+            /* These do not correspond to any real directives */
+            if (strcasecmp (attributes[i], "apacheSuexecUid") == 0) {
+                reqc->uid = val;
+                continue;
+            }
+            else if (strcasecmp (attributes[i], "apacheSuexecGid") == 0) {
+                reqc->gid = val;
+                continue;
+            }
             if (strcasecmp (attributes[i], "apacheServerName") == 0) {
-                reqc->name = apr_pstrdup (r->pool, vals[i]);
+                reqc->name = val;
+                directive = "ServerName";
             }
             else if (strcasecmp (attributes[i], "apacheServerAdmin") == 0) {
-                reqc->admin = apr_pstrdup (r->pool, vals[i]);
+                reqc->admin = val;
+                directive = "ServerAdmin";
             }
             else if (strcasecmp (attributes[i], "apacheDocumentRoot") == 0) {
-                reqc->docroot = apr_pstrdup (r->pool, vals[i]);
+                reqc->docroot = val;
+                directive = "DocumentRoot";
             }
             else if (strcasecmp (attributes[i], "apacheScriptAlias") == 0) {
-                reqc->cgiroot = apr_pstrdup (r->pool, vals[i]);
-            }
-            else if (strcasecmp (attributes[i], "apacheSuexecUid") == 0) {
-                reqc->uid = apr_pstrdup(r->pool, vals[i]);
-            }
-            else if (strcasecmp (attributes[i], "apacheSuexecGid") == 0) {
-                reqc->gid = apr_pstrdup(r->pool, vals[i]);
+                if (val != NULL) {
+                    /* Hack to deal with current apacheScriptAlias lagout */
+                    if (strlen(val) > 0 && val[strlen(val) - 1] == '/')
+                        val = apr_pstrcat(r->pool, "/cgi-bin/ ", val, (const char *)NULL);
+                    else
+                        val = apr_pstrcat(r->pool, "/cgi-bin/ ", val, "/", (const char *)NULL);
+                    directive = "ScriptAlias";
+                }
+                reqc->cgiroot = val;
             }
-            i++;
+            else {
+                /* This should not actually be reachable, but it's
+                   good to cover all all possible cases */
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                              "Unexpected attribute %s encountered", attributes[i]);
+                continue;
+            }
+
+            if (val == NULL)
+                continue;
+
+            if ((code = reconfigure_directive(r->pool, server, directive, val)) != 0)
+                return code;
         }
     }
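Review bot: `const char *directive;` is declared without an initialiser and assigned only on the ServerName/ServerAdmin/DocumentRoot branches and on the ScriptAlias branch when `val != NULL`; the `if (val == NULL) continue;` guard is what keeps the reconfigure_directive call from reading it uninitialised, but that invariant lives several branches away and compilers warn about it, so `const char *directive = NULL;` with the comment `/* set by every branch that reaches reconfigure_directive below */` makes the contract explicit. The loop also deserves a comment stating that each LDAP value becomes the argument string of a real directive applied to the per-request server_rec and is tokenised by that directive's handler, so a value with embedded whitespace is split into several arguments; for ScriptAlias this matters most, because `val` is appended after `"/cgi-bin/ "` and a path containing a space yields a third argument and a configuration error for the request. `/* Hack to deal with current apacheScriptAlias lagout */` presumably means "layout" and should say which stored form (with or without the trailing slash) is the intended one so the hack can be removed once the directory is cleaned up. mod_vhost_ldap_translate_name continues beyond the end of this hunk.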
@@ -554,43 +648,38 @@ fallback:
         ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
                       "[mod_vhost_ldap.c] translate: "
                       "translate failed; ServerName or DocumentRoot not defined");
-        return DECLINED;
+        return HTTP_INTERNAL_SERVER_ERROR;
     }
-    cgi = NULL;
-
-    if (reqc->cgiroot) {
-        cgi = strstr(r->uri, "cgi-bin/");
-        if (cgi && (cgi != r->uri + strspn(r->uri, "/"))) {
-            cgi = NULL;
-        }
-    }
-    if (cgi) {
-        r->filename = apr_pstrcat (r->pool, reqc->cgiroot, cgi + strlen("cgi-bin"), NULL);
-        r->handler = "cgi-script";
-        apr_table_setn(r->notes, "alias-forced-type", r->handler);
-    } else if (r->uri[0] == '/') {
-        r->filename = apr_pstrcat (r->pool, reqc->docroot, r->uri, NULL);
-    } else {
-        return DECLINED;
-    }
+    if (reqc->uid != NULL) {
+        char *username;
+        char *userdir_val;
+        uid_t uid = (uid_t) atoll(reqc->uid);
-    top->server->server_hostname = apr_pstrdup (top->pool, reqc->name);
+        if ((code = reconfigure_directive(r->pool, server, "UserDir", USERDIR)) != 0)
+            return code;
-    if (reqc->admin) {
-        top->server->server_admin = apr_pstrdup (top->pool, reqc->admin);
-    }
+        /* Deal with ~ expansion */
+        if ((code = reconfigure_directive(r->pool, server, "UserDir", "disabled")) != 0)
+            return code;
-    // set environment variables
-    e = top->subprocess_env;
-    apr_table_addn (e, "SERVER_ROOT", reqc->docroot);
+        if (apr_uid_name_get(&username, uid, r->pool) != APR_SUCCESS) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
+                          "could not get username for uid %d", uid);
+            return HTTP_INTERNAL_SERVER_ERROR;
+        }
-    core->ap_document_root = apr_pstrdup(top->pool, reqc->docroot);
+        userdir_val = apr_pstrcat(r->pool, "enabled ", username, (const char *)NULL);
-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                  "[mod_vhost_ldap.c]: translated to %s", r->filename);
+        if ((code = reconfigure_directive(r->pool, server, "UserDir", userdir_val)) != 0)
+            return code;
+    }
-    return OK;
+    ap_fixup_virtual_host(r->pool, r->server, server);
+    r->server = server;
+
+    /* Hack to allow post-processing by other modules (mod_rewrite, mod_alias) */
+    return DECLINED;
 }
 #ifdef HAVE_UNIX_SUEXEC
@@ -638,8 +727,14 @@ static ap_unix_identity_t *mod_vhost_ldap_get_suexec_id_doer(const request_rec *
 static void mod_vhost_ldap_register_hooks (apr_pool_t * p)
 {
+
+    /*
+     * Run before mod_rewrite
+     */
+    static const char * const aszRewrite[]={ "mod_rewrite.c", NULL };
+
     ap_hook_post_config(mod_vhost_ldap_post_config, NULL, NULL, APR_HOOK_MIDDLE);
-    ap_hook_translate_name(mod_vhost_ldap_translate_name, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_hook_translate_name(mod_vhost_ldap_translate_name, NULL, aszRewrite, APR_HOOK_FIRST);
 #ifdef HAVE_UNIX_SUEXEC
     ap_hook_get_suexec_identity(mod_vhost_ldap_get_suexec_id_doer, NULL, NULL, APR_HOOK_MIDDLE);
 #endif
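Review bot: `uid_t uid = (uid_t) atoll(reqc->uid);` converts the apacheSuexecUid attribute with no error detection, so a malformed or empty value becomes 0, apr_uid_name_get then resolves uid 0 to the superuser's name and the request ends with `UserDir enabled <that user>`; a negative value wraps through the cast the same way. The file defines MIN_UID near the top, so the value should be parsed with strtoll, rejected unless it is a complete non-negative number that survives the round trip into uid_t, and refused below MIN_UID, as sketched below (`errno` needs `<errno.h>` if the httpd headers do not already provide it). The `%d` in `"could not get username for uid %d"` also mismatches `uid_t`, which is unsigned on common platforms; cast to `unsigned long` and use `%lu`. The enclosing function begins above the hunk.
```c
    if (reqc->uid != NULL) {
        char *username;
        char *userdir_val;
        char *end = NULL;
        long long uid_ll;
        uid_t uid;

        /* apacheSuexecUid comes from the directory: require a complete
         * decimal number that fits uid_t and honour the same lower bound
         * the suexec identity path uses (MIN_UID). */
        errno = 0;
        uid_ll = strtoll(reqc->uid, &end, 10);
        if (end == reqc->uid || *end != '\0' || errno == ERANGE ||
            uid_ll < MIN_UID || uid_ll != (long long) (uid_t) uid_ll) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
                          "[mod_vhost_ldap.c]: rejecting apacheSuexecUid [%s]",
                          reqc->uid);
            return HTTP_INTERNAL_SERVER_ERROR;
        }
        uid = (uid_t) uid_ll;

        /* … unchanged: UserDir reconfiguration and apr_uid_name_get lookup … */
```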
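Review bot: The comment `/* Run before mod_rewrite */` in mod_vhost_ldap_register_hooks says what but not why, and `aszRewrite` is passed as the successor list (third argument of ap_hook_translate_name), which the name does not convey; suggest `/* mod_rewrite.c is passed as a successor so this hook runs before it: mod_rewrite must see the per-request server_rec installed by translate_name, and APR_HOOK_FIRST keeps the remaining translate_name hooks behind us as well */` and renaming the array to something like `run_before`. The `static const char * const` array could also live at file scope beside the other statics instead of after a blank line at the top of the function body. The function's closing brace lies outside the hunk.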