1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements.  See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License.  You may obtain a copy of the License at
7 *
8 *     http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/**
18 * @file  mod_auth.h
19 * @brief Authentication and Authorization Extension for Apache
20 *
21 * @defgroup MOD_AUTH mod_auth
22 * @ingroup  APACHE_MODS
23 */
24
25#ifndef APACHE_MOD_AUTH_H
26#define APACHE_MOD_AUTH_H
27
28#include "apr_pools.h"
29#include "apr_hash.h"
30#include "apr_optional.h"
31
32#include "httpd.h"
33#include "http_config.h"
34
35#ifdef __cplusplus
36extern "C" {
37#endif
38
39#define AUTHN_PROVIDER_GROUP "authn"
40#define AUTHZ_PROVIDER_GROUP "authz"
41#define AUTHN_PROVIDER_VERSION "0"
42#define AUTHZ_PROVIDER_VERSION "0"
43#define AUTHN_DEFAULT_PROVIDER "file"
44
45#define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
46#define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
47
48#define AUTHN_PREFIX "AUTHENTICATE_"
49#define AUTHZ_PREFIX "AUTHORIZE_"
50
51/** all of the requirements must be met */
52#ifndef SATISFY_ALL
53#define SATISFY_ALL 0
54#endif
55/**  any of the requirements must be met */
56#ifndef SATISFY_ANY
57#define SATISFY_ANY 1
58#endif
59/** There are no applicable satisfy lines */
60#ifndef SATISFY_NOSPEC
61#define SATISFY_NOSPEC 2
62#endif
63
64typedef enum {
65    AUTH_DENIED,
66    AUTH_GRANTED,
67    AUTH_USER_FOUND,
68    AUTH_USER_NOT_FOUND,
69    AUTH_GENERAL_ERROR
70} authn_status;
71
72typedef enum {
73    AUTHZ_DENIED,
74    AUTHZ_GRANTED,
75    AUTHZ_NEUTRAL,
76    AUTHZ_GENERAL_ERROR,
77    AUTHZ_DENIED_NO_USER      /* denied because r->user == NULL */
78} authz_status;
79
80typedef struct {
81    /* Given a username and password, expected to return AUTH_GRANTED
82     * if we can validate this user/password combination.
83     */
84    authn_status (*check_password)(request_rec *r, const char *user,
85                                   const char *password);
86
87    /* Given a user and realm, expected to return AUTH_USER_FOUND if we
88     * can find a md5 hash of 'user:realm:password'
89     */
90    authn_status (*get_realm_hash)(request_rec *r, const char *user,
91                                   const char *realm, char **rethash);
92} authn_provider;
93
94/* A linked-list of authn providers. */
95typedef struct authn_provider_list authn_provider_list;
96
97struct authn_provider_list {
98    const char *provider_name;
99    const authn_provider *provider;
100    authn_provider_list *next;
101};
102
103typedef struct {
104    /* Given a request_rec, expected to return AUTHZ_GRANTED
105     * if we can authorize user access.
106     * @param r the request record
107     * @param require_line the argument to the authz provider
108     * @param parsed_require_line the value set by parse_require_line(), if any
109     */
110    authz_status (*check_authorization)(request_rec *r,
111                                        const char *require_line,
112                                        const void *parsed_require_line);
113
114    /** Check the syntax of a require line and optionally cache the parsed
115     * line. This function may be NULL.
116     * @param cmd the config directive
117     * @param require_line the argument to the authz provider
118     * @param parsed_require_line place to store parsed require_line for use by provider
119     * @return Error message or NULL on success
120     */
121    const char *(*parse_require_line)(cmd_parms *cmd, const char *require_line,
122                                      const void **parsed_require_line);
123} authz_provider;
124
125/* ap_authn_cache_store: Optional function for authn providers
126 * to enable cacheing their lookups with mod_authn_cache
127 * @param r The request rec
128 * @param module Module identifier
129 * @param user User name to authenticate
130 * @param realm Digest authn realm (NULL for basic authn)
131 * @param data The value looked up by the authn provider, to cache
132 */
133APR_DECLARE_OPTIONAL_FN(void, ap_authn_cache_store,
134                        (request_rec*, const char*, const char*,
135                         const char*, const char*));
136
137#ifdef __cplusplus
138}
139#endif
140
141#endif
142