1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
package TestAPI::access2_24;
# testing $r->requires
# in the POST test it returns:
#
# [
# {
# 'method_mask' => -1,
# 'requirement' => 'user goo bar'
# },
# {
# 'method_mask' => -1,
# 'requirement' => 'group bar tar'
# }
# {
# 'method_mask' => 4,
# 'requirement' => 'valid-user'
# }
# ];
#
# otherwise it returns the same, sans the 'valid-user' entry
#
# also test:
# - $r->some_auth_required when it's required
# - $r->satisfies when Satisfy is set
use strict;
use warnings FATAL => 'all';
use Apache2::Access ();
use Apache2::RequestRec ();
use Apache::TestTrace;
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED SERVER_ERROR
AUTHZ_GRANTED AUTHZ_DENIED M_POST :satisfy
AUTHZ_DENIED_NO_USER);
my $users = "goo bar";
my $groups = "xar tar";
my %users = (
goo => "goopass",
bar => "barpass",
);
sub authz_handler {
my $self = shift;
my $r = shift;
my $requires = shift;
if (!$r->user) {
return Apache2::Const::AUTHZ_DENIED_NO_USER;
}
return Apache2::Const::SERVER_ERROR unless
$requires eq $users or $requires eq $groups;
my @require_args = split(/\s+/, $requires);
if (grep {$_ eq $r->user} @require_args) {
return Apache2::Const::AUTHZ_GRANTED;
}
return Apache2::Const::AUTHZ_DENIED;
}
sub authn_handler {
my $self = shift;
my $r = shift;
die '$r->some_auth_required failed' unless $r->some_auth_required;
my $satisfies = $r->satisfies;
die "wanted satisfies=" . Apache2::Const::SATISFY_ALL . ", got $satisfies"
unless $r->satisfies() == Apache2::Const::SATISFY_ALL;
my ($rc, $sent_pw) = $r->get_basic_auth_pw;
return $rc if $rc != Apache2::Const::OK;
if ($r->method_number == Apache2::Const::M_POST) {
return Apache2::Const::OK;
}
my $user = $r->user;
my $pass = $users{$user} || '';
unless (defined $pass and $sent_pw eq $pass) {
$r->note_basic_auth_failure;
return Apache2::Const::HTTP_UNAUTHORIZED;
}
Apache2::Const::OK;
}
1;
__DATA__
<NoAutoConfig>
<IfModule mod_version.c>
<IfVersion > 2.4.1>
PerlAddAuthzProvider my-user TestAPI::access2_24->authz_handler
PerlAddAuthzProvider my-group TestAPI::access2_24->authz_handler
<Location /TestAPI__access2>
PerlAuthenHandler TestAPI::access2_24->authn_handler
PerlResponseHandler Apache::TestHandler::ok1
SetHandler modperl
<IfModule @ACCESS_MODULE@>
# needed to test $r->satisfies
Allow from All
</IfModule>
AuthType Basic
AuthName "Access"
Require my-user goo bar
Require my-group xar tar
<Limit POST>
Require valid-user
</Limit>
Satisfy All
<IfModule @AUTH_MODULE@>
# htpasswd -mbc auth-users goo foo
# htpasswd -mb auth-users bar mar
# using md5 password so it'll work on win32 too
AuthUserFile @DocumentRoot@/api/auth-users
# group: user1 user2 ...
AuthGroupFile @DocumentRoot@/api/auth-groups
</IfModule>
</Location>
</IfVersion>
</IfModule>
</NoAutoConfig>
|
