1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
# please insert nothing before this line: -*- mode: cperl; cperl-indent-level: 4; cperl-continued-statement-offset: 4; indent-tabs-mode: nil -*-
package TestAPI::access2;
# testing $r->requires
# in the POST test it returns:
#
# [
# {
# 'method_mask' => -1,
# 'requirement' => 'user goo bar'
# },
# {
# 'method_mask' => -1,
# 'requirement' => 'group bar tar'
# }
# {
# 'method_mask' => 4,
# 'requirement' => 'valid-user'
# }
# ];
#
# otherwise it returns the same, sans the 'valid-user' entry
#
# also test:
# - $r->some_auth_required when it's required
# - $r->satisfies when Satisfy is set
use strict;
use warnings FATAL => 'all';
use Apache2::Access ();
use Apache2::RequestRec ();
use Apache::TestTrace;
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED SERVER_ERROR
M_POST :satisfy);
my $users = "goo bar";
my $groups = "bar tar";
my %users = (
goo => "goopass",
bar => "barpass",
);
sub handler {
my $r = shift;
print 'xxxxx\n';
die '$r->some_auth_required failed' unless $r->some_auth_required;
my $satisfies = $r->satisfies;
die "wanted satisfies=" . Apache2::Const::SATISFY_ALL . ", got $satisfies"
unless $r->satisfies() == Apache2::Const::SATISFY_ALL;
my ($rc, $sent_pw) = $r->get_basic_auth_pw;
return $rc if $rc != Apache2::Const::OK;
# extract just the requirement entries
my %require =
map { my ($k, $v) = split /\s+/, $_->{requirement}, 2; ($k, $v||'') }
@{ $r->requires };
debug \%require;
# silly (we don't check user/pass here), just checking when
# the Limit options are getting through
if ($r->method_number == Apache2::Const::M_POST) {
if (exists $require{"valid-user"}) {
return Apache2::Const::OK;
}
else {
return Apache2::Const::SERVER_ERROR;
}
}
else {
# non-POST requests shouldn't see the Limit enclosed entry
return Apache2::Const::SERVER_ERROR if exists $require{"valid-user"};
}
return Apache2::Const::SERVER_ERROR unless $require{user} eq $users;
return Apache2::Const::SERVER_ERROR unless $require{group} eq $groups;
my $user = $r->user;
my $pass = $users{$user} || '';
unless (defined $pass and $sent_pw eq $pass) {
$r->note_basic_auth_failure;
return Apache2::Const::HTTP_UNAUTHORIZED;
}
Apache2::Const::OK;
}
1;
__DATA__
<NoAutoConfig>
<IfModule mod_version.c>
<IfVersion < 2.3.0>
<Location /TestAPI__access2>
PerlAuthenHandler TestAPI::access2
PerlResponseHandler Apache::TestHandler::ok1
SetHandler modperl
<IfModule @ACCESS_MODULE@>
# needed to test $r->satisfies
Allow from All
</IfModule>
AuthType Basic
AuthName "Access"
Require user goo bar
Require group bar tar
<Limit POST>
Require valid-user
</Limit>
Satisfy All
<IfModule @AUTH_MODULE@>
# htpasswd -mbc auth-users goo foo
# htpasswd -mb auth-users bar mar
# using md5 password so it'll work on win32 too
AuthUserFile @DocumentRoot@/api/auth-users
# group: user1 user2 ...
AuthGroupFile @DocumentRoot@/api/auth-groups
</IfModule>
</Location>
</IfVersion>
</IfModule>
</NoAutoConfig>
|
