| |
| /* |
| * Copyright (C) Igor Sysoev |
| */ |
| |
| |
| #include <ngx_config.h> |
| #include <ngx_core.h> |
| #include <ngx_http.h> |
| |
| |
| #define NGX_HTTP_AUTH_BUF_SIZE 2048 |
| |
| |
| typedef struct { |
| ngx_str_t passwd; |
| } ngx_http_auth_basic_ctx_t; |
| |
| |
| typedef struct { |
| ngx_str_t realm; |
| ngx_str_t user_file; |
| } ngx_http_auth_basic_loc_conf_t; |
| |
| |
| static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r); |
| static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, |
| ngx_http_auth_basic_ctx_t *ctx, ngx_str_t *passwd, ngx_str_t *realm); |
| static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r, |
| ngx_str_t *realm); |
| static void ngx_http_auth_basic_close(ngx_file_t *file); |
| static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf); |
| static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, |
| void *parent, void *child); |
| static ngx_int_t ngx_http_auth_basic_init(ngx_cycle_t *cycle); |
| static char *ngx_http_auth_basic(ngx_conf_t *cf, void *post, void *data); |
| |
| |
| static ngx_conf_post_handler_pt ngx_http_auth_basic_p = ngx_http_auth_basic; |
| |
| static ngx_command_t ngx_http_auth_basic_commands[] = { |
| |
| { ngx_string("auth_basic"), |
| NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, |
| ngx_conf_set_str_slot, |
| NGX_HTTP_LOC_CONF_OFFSET, |
| offsetof(ngx_http_auth_basic_loc_conf_t, realm), |
| &ngx_http_auth_basic_p }, |
| |
| { ngx_string("auth_basic_user_file"), |
| NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, |
| ngx_conf_set_str_slot, |
| NGX_HTTP_LOC_CONF_OFFSET, |
| offsetof(ngx_http_auth_basic_loc_conf_t, user_file), |
| NULL }, |
| |
| ngx_null_command |
| }; |
| |
| |
| |
| ngx_http_module_t ngx_http_auth_basic_module_ctx = { |
| NULL, /* preconfiguration */ |
| NULL, /* postconfiguration */ |
| |
| NULL, /* create main configuration */ |
| NULL, /* init main configuration */ |
| |
| NULL, /* create server configuration */ |
| NULL, /* merge server configuration */ |
| |
| ngx_http_auth_basic_create_loc_conf, /* create location configuration */ |
| ngx_http_auth_basic_merge_loc_conf /* merge location configuration */ |
| }; |
| |
| |
| ngx_module_t ngx_http_auth_basic_module = { |
| NGX_MODULE_V1, |
| &ngx_http_auth_basic_module_ctx, /* module context */ |
| ngx_http_auth_basic_commands, /* module directives */ |
| NGX_HTTP_MODULE, /* module type */ |
| ngx_http_auth_basic_init, /* init module */ |
| NULL /* init process */ |
| }; |
| |
| |
| static ngx_int_t |
| ngx_http_auth_basic_handler(ngx_http_request_t *r) |
| { |
| off_t offset; |
| ssize_t n; |
| ngx_fd_t fd; |
| ngx_str_t auth, encoded, pwd; |
| ngx_uint_t i, login, len, left, passwd; |
| ngx_file_t file; |
| ngx_http_auth_basic_ctx_t *ctx; |
| ngx_http_auth_basic_loc_conf_t *alcf; |
| u_char buf[NGX_HTTP_AUTH_BUF_SIZE]; |
| enum { |
| sw_login, |
| sw_passwd, |
| sw_skip |
| } state; |
| |
| alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module); |
| |
| if (alcf->realm.len == 0 || alcf->user_file.len == 0) { |
| return NGX_OK; |
| } |
| |
| ctx = ngx_http_get_module_ctx(r, ngx_http_auth_basic_module); |
| |
| if (ctx) { |
| return ngx_http_auth_basic_crypt_handler(r, ctx, &ctx->passwd, |
| &alcf->realm); |
| } |
| |
| if (r->headers_in.authorization == NULL) { |
| return ngx_http_auth_basic_set_realm(r, &alcf->realm); |
| } |
| |
| encoded = r->headers_in.authorization->value; |
| |
| if (encoded.len < sizeof("Basic ") - 1 |
| || ngx_strncasecmp(encoded.data, "Basic ", sizeof("Basic ") - 1) != 0) |
| { |
| return ngx_http_auth_basic_set_realm(r, &alcf->realm); |
| } |
| |
| encoded.len -= sizeof("Basic ") - 1; |
| encoded.data += sizeof("Basic ") - 1; |
| |
| while (encoded.len && encoded.data[0] == ' ') { |
| encoded.len--; |
| encoded.data++; |
| } |
| |
| if (encoded.len == 0) { |
| return ngx_http_auth_basic_set_realm(r, &alcf->realm); |
| } |
| |
| auth.len = ngx_base64_decoded_length(encoded.len); |
| auth.data = ngx_palloc(r->pool, auth.len + 1); |
| if (auth.data == NULL) { |
| return NGX_HTTP_INTERNAL_SERVER_ERROR; |
| } |
| |
| if (ngx_decode_base64(&auth, &encoded) != NGX_OK) { |
| return ngx_http_auth_basic_set_realm(r, &alcf->realm); |
| } |
| |
| auth.data[auth.len] = '\0'; |
| |
| for (len = 0; len < auth.len; len++) { |
| if (auth.data[len] == ':') { |
| break; |
| } |
| } |
| |
| if (len == auth.len) { |
| return ngx_http_auth_basic_set_realm(r, &alcf->realm); |
| } |
| |
| r->headers_in.user.len = len; |
| r->headers_in.user.data = auth.data; |
| r->headers_in.passwd.len = auth.len - len - 1; |
| r->headers_in.passwd.data = &auth.data[len + 1]; |
| |
| fd = ngx_open_file(alcf->user_file.data, NGX_FILE_RDONLY, NGX_FILE_OPEN); |
| |
| if (fd == NGX_INVALID_FILE) { |
| ngx_log_error(NGX_LOG_ERR, r->connection->log, ngx_errno, |
| ngx_open_file_n " \"%s\" failed", alcf->user_file.data); |
| return NGX_HTTP_INTERNAL_SERVER_ERROR; |
| } |
| |
| ngx_memzero(&file, sizeof(ngx_file_t)); |
| |
| file.fd = fd; |
| file.name = alcf->user_file; |
| file.log = r->connection->log; |
| |
| state = sw_login; |
| passwd = 0; |
| login = 0; |
| left = 0; |
| offset = 0; |
| |
| for ( ;; ) { |
| n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left, |
| offset); |
| |
| if (n == NGX_ERROR) { |
| ngx_http_auth_basic_close(&file); |
| return NGX_HTTP_INTERNAL_SERVER_ERROR; |
| } |
| |
| if (n == 0) { |
| break; |
| } |
| |
| for (i = left; i < left + n; i++) { |
| switch (state) { |
| |
| case sw_login: |
| if (login == 0 && buf[i] == '#') { |
| state = sw_skip; |
| break; |
| } |
| |
| if (buf[i] != auth.data[login]) { |
| state = sw_skip; |
| break; |
| } |
| |
| if (login == len) { |
| state = sw_passwd; |
| passwd = i + 1; |
| } |
| |
| login++; |
| |
| break; |
| |
| case sw_passwd: |
| if (buf[i] == LF || buf[i] == CR || buf[i] == ':') { |
| buf[i] = '\0'; |
| |
| ngx_http_auth_basic_close(&file); |
| |
| pwd.len = i - passwd; |
| pwd.data = &buf[passwd]; |
| |
| return ngx_http_auth_basic_crypt_handler(r, NULL, &pwd, |
| &alcf->realm); |
| } |
| |
| break; |
| |
| case sw_skip: |
| if (buf[i] == LF) { |
| state = sw_login; |
| login = 0; |
| } |
| |
| break; |
| } |
| } |
| |
| if (state == sw_passwd) { |
| left = left + n - passwd; |
| ngx_memcpy(buf, &buf[passwd], left); |
| passwd = 0; |
| |
| } else { |
| left = 0; |
| } |
| |
| offset += n; |
| } |
| |
| ngx_http_auth_basic_close(&file); |
| |
| return ngx_http_auth_basic_set_realm(r, &alcf->realm); |
| } |
| |
| |
| static ngx_int_t |
| ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, |
| ngx_http_auth_basic_ctx_t *ctx, ngx_str_t *passwd, ngx_str_t *realm) |
| { |
| ngx_int_t rc; |
| u_char *encrypted; |
| |
| rc = ngx_crypt(r->pool, r->headers_in.passwd.data, passwd->data, |
| &encrypted); |
| |
| ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
| "rc: %d user: \"%V\" salt: \"%s\"", |
| rc, &r->headers_in.user, passwd->data); |
| |
| if (rc == NGX_OK) { |
| if (ngx_strcmp(encrypted, passwd->data) == 0) { |
| return NGX_OK; |
| } |
| |
| ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
| "encrypted: \"%s\"", encrypted); |
| |
| return ngx_http_auth_basic_set_realm(r, realm); |
| } |
| |
| if (rc == NGX_ERROR) { |
| return NGX_HTTP_INTERNAL_SERVER_ERROR; |
| } |
| |
| /* rc == NGX_AGAIN */ |
| |
| if (ctx == NULL) { |
| ctx = ngx_palloc(r->pool, sizeof(ngx_http_auth_basic_ctx_t)); |
| if (ctx == NULL) { |
| return NGX_HTTP_INTERNAL_SERVER_ERROR; |
| } |
| |
| ngx_http_set_ctx(r, ctx, ngx_http_auth_basic_module); |
| |
| ctx->passwd.len = passwd->len; |
| passwd->len++; |
| |
| ctx->passwd.data = ngx_pstrdup(r->pool, passwd); |
| if (ctx->passwd.data == NULL) { |
| return NGX_HTTP_INTERNAL_SERVER_ERROR; |
| } |
| |
| } |
| |
| /* TODO: add mutex event */ |
| |
| return rc; |
| } |
| |
| |
| static ngx_int_t |
| ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm) |
| { |
| r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); |
| if (r->headers_out.www_authenticate == NULL) { |
| return NGX_HTTP_INTERNAL_SERVER_ERROR; |
| } |
| |
| r->headers_out.www_authenticate->hash = 1; |
| r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1; |
| r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate"; |
| r->headers_out.www_authenticate->value = *realm; |
| |
| return NGX_HTTP_UNAUTHORIZED; |
| } |
| |
| static void |
| ngx_http_auth_basic_close(ngx_file_t *file) |
| { |
| if (ngx_close_file(file->fd) == NGX_FILE_ERROR) { |
| ngx_log_error(NGX_LOG_ALERT, file->log, ngx_errno, |
| ngx_close_file_n " \"%s\" failed", file->name.data); |
| } |
| } |
| |
| |
| static void * |
| ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf) |
| { |
| ngx_http_auth_basic_loc_conf_t *conf; |
| |
| conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_basic_loc_conf_t)); |
| if (conf == NULL) { |
| return NGX_CONF_ERROR; |
| } |
| |
| return conf; |
| } |
| |
| |
| static char * |
| ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) |
| { |
| ngx_http_auth_basic_loc_conf_t *prev = parent; |
| ngx_http_auth_basic_loc_conf_t *conf = child; |
| |
| size_t len; |
| u_char *realm, *p; |
| |
| if (conf->realm.data) { |
| if (conf->realm.len) { |
| len = sizeof("Basic realm=\"") - 1 + conf->realm.len + 1; |
| |
| realm = ngx_palloc(cf->pool, len); |
| if (realm == NULL) { |
| return NGX_CONF_ERROR; |
| } |
| |
| p = ngx_cpymem(realm, "Basic realm=\"", |
| sizeof("Basic realm=\"") - 1); |
| p = ngx_cpymem(p, conf->realm.data, conf->realm.len); |
| *p = '"'; |
| |
| conf->realm.len = len; |
| conf->realm.data = realm; |
| } |
| |
| } else { |
| conf->realm = prev->realm; |
| } |
| |
| |
| if (conf->user_file.data) { |
| if (ngx_conf_full_name(cf->cycle, &conf->user_file) != NGX_OK) { |
| return NGX_CONF_ERROR; |
| } |
| |
| } else { |
| conf->user_file = prev->user_file; |
| } |
| |
| return NGX_CONF_OK; |
| } |
| |
| |
| static ngx_int_t |
| ngx_http_auth_basic_init(ngx_cycle_t *cycle) |
| { |
| ngx_http_handler_pt *h; |
| ngx_http_core_main_conf_t *cmcf; |
| |
| cmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_core_module); |
| |
| h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers); |
| if (h == NULL) { |
| return NGX_ERROR; |
| } |
| |
| *h = ngx_http_auth_basic_handler; |
| |
| return NGX_OK; |
| } |
| |
| |
| static char * |
| ngx_http_auth_basic(ngx_conf_t *cf, void *post, void *data) |
| { |
| ngx_str_t *realm = data; |
| |
| if (ngx_strcmp(realm->data, "off") == 0) { |
| realm->len = 0; |
| realm->data = (u_char *) ""; |
| } |
| |
| return NGX_CONF_OK; |
| } |