2001-03-08
2001-03-08 14:35:49 by Per Hedbor <ph@opera.com>
bc0fa0352dec39d4eb230d52ea7d5711614bfdba
(127 lines)
(+20/-107)
Branch: 5.2
The module level security patterns now use the new authentication API. Placed a lot of modules in groups
Rev: server/base_server/configuration.pike:1.420
Rev: server/base_server/module.pike:1.111
Rev: server/base_server/roxen.pike:1.644
Rev: server/config_interface/dbs/browser.pike:1.10
Rev: server/config_interface/sites/config_left_item.pike:1.50
Rev: server/etc/modules/Roxen.pmod:1.72
Rev: server/modules/configuration/config_tags.pike:1.141
Rev: server/modules/database/sqltag.pike:1.76
Rev: server/modules/filesystems/filesystem.pike:1.96
Rev: server/modules/graphics/atlas.pike:1.4
Rev: server/modules/graphics/business.pike:1.140
Rev: server/modules/graphics/cimg.pike:1.38
Rev: server/modules/graphics/counter.pike:1.40
Rev: server/modules/graphics/gbutton.pike:1.78
Rev: server/modules/graphics/graphic_text.pike:1.260
Rev: server/modules/graphics/pimage.pike:1.25
Rev: server/modules/graphics/tablist.pike:1.52
Rev: server/modules/graphics/wiretap.pike:1.24
Rev: server/modules/scripting/piketag.pike:2.31
Rev: server/modules/security/auth_httpbasic.pike:1.5
Rev: server/modules/security/auth_httpcookie.pike:1.5
Rev: server/modules/security/userdb_system.pike:1.6
Rev: server/modules/tags/accessed.pike:1.41
Rev: server/modules/tags/additional_rxml.pike:1.11
Rev: server/modules/tags/awizard.pike:1.22
Rev: server/modules/tags/check_spelling.pike:1.16
Rev: server/modules/tags/countdown.pike:1.42
Rev: server/modules/tags/diremit.pike:1.7
Rev: server/modules/tags/email.pike:1.6
Rev: server/modules/tags/foldlist.pike:1.29
Rev: server/modules/tags/html_wash.pike:1.15
Rev: server/modules/tags/indirect_href.pike:1.26
Rev: server/modules/tags/killframe.pike:1.33
Rev: server/modules/tags/obox.pike:1.35
Rev: server/modules/tags/rxmlparse.pike:1.54
Rev: server/modules/tags/rxmltags.pike:1.208
Rev: server/modules/tags/sed.pike:1.11
Rev: server/modules/tags/ssi.pike:1.38
Rev: server/modules/tags/tablify.pike:1.63
Rev: server/modules/tags/translation_mod.pike:1.10
Rev: server/modules/tags/vform.pike:1.22
Rev: server/modules/tags/wizard_tag.pike:1.29
Rev: server/modules/tags/wizz.pike:1.2
Rev: server/protocols/http.pike:1.307
1:
// A vitual server's main configuration
// Copyright © 1996 - 2000, Roxen IS.
- constant cvs_version = "$Id: configuration.pike,v 1.419 2001/03/05 04:43:10 per Exp $";
+ constant cvs_version = "$Id: configuration.pike,v 1.420 2001/03/08 14:35:38 per Exp $";
#include <module.h>
#include <module_constants.h>
#include <roxen.h>
827: Inside #if defined(MODULE_LEVEL_SECURITY)
int|mapping check_security(function|RoxenModule a, RequestID id,
void|int slevel)
{
- array level;
+
array seclevels;
- int ip_ok = 0; // Unknown
- int auth_ok = 0; // Unknown
+
// NOTE:
// ip_ok and auth_ok are three-state variables.
// Valid contents for them are:
838: Inside #if defined(MODULE_LEVEL_SECURITY)
// 1 May be bad -- Restriction encountered, and test failed.
// ~0 OK -- Test passed.
- if(!(seclevels = misc_cache[ a ])) {
+ if(!(seclevels = misc_cache[ a ]))
+ {
RoxenModule mod = Roxen.get_owning_module (a);
if(mod && mod->query_seclevels)
misc_cache[ a ] = seclevels = ({
mod->query_seclevels(),
mod->query("_seclvl"),
- mod->query("_sec_group")
+
});
else
- {
- misc_cache[ a ] = seclevels = ({({}),0,"foo" });
+ misc_cache[ a ] = seclevels = ({0,0});
}
- }
+
- // werror("check_security %O %d <-> %d%s\n", a, slevel, seclevels[1],
- // (seclevels[-1]=="foo"?" (No module found)":""));
-
+
if(slevel && (seclevels[1] > slevel)) // "Trustlevel" to low.
return 1;
- if(!sizeof(seclevels[0]))
+ mixed err;
+ if( function(RequestID:int|mapping) f = seclevels[0] )
+ err=catch { return f( id ); };
+ else
return 0; // Ok if there are no patterns.
- mixed err;
- err = catch {
- foreach(seclevels[0], level) {
- switch(level[0]) {
- case MOD_ALLOW: // allow ip=...
- if(level[1](id->remoteaddr)) {
- ip_ok = ~0; // Match. It's ok.
- } else {
- ip_ok |= 1; // IP may be bad.
- }
- break;
-
- case MOD_DENY: // deny ip=...
-
- if(level[1](id->remoteaddr))
- return Roxen.http_low_answer(403, "<h2> Access forbidden </h2>");
- break;
-
- case MOD_USER: // allow user=...
- if(id->auth && id->auth[0] && level[1](id->auth[1])) {
- auth_ok = ~0; // Match. It's ok.
- } else {
- auth_ok |= 1; // Auth may be bad.
- }
- break;
-
- case MOD_PROXY_USER: // allow user=...
- if (ip_ok != 1) {
- // IP is OK as of yet.
- if(id->misc->proxyauth && id->misc->proxyauth[0] &&
- level[1](id->misc->proxyauth[1])) return 0;
- return Roxen.http_proxy_auth_required(seclevels[2]);
- } else {
- // Bad IP.
- return 1;
- }
- break;
-
- case MOD_ACCEPT: // accept ip=...
- // Short-circuit version on allow.
- if(level[1](id->remoteaddr)) {
- // Match. It's ok.
- return 0;
- } else {
- ip_ok |= 1; // IP may be bad.
- }
- break;
-
- case MOD_ACCEPT_USER: // accept user=...
- // Short-circuit version on allow.
- if(id->auth && id->auth[0] && level[1](id->auth[1])) {
- // Match. It's ok.
- return 0;
- } else {
- if (id->auth) {
- auth_ok |= 1; // Auth may be bad.
- } else {
- // No auth yet, get some.
- return Roxen.http_auth_required(seclevels[2]);
- }
- }
- break;
- }
- }
- };
-
- if (err) {
+
report_error("check_security(): %s:\n%s\n",
LOC_M(39, "Error during module security check"),
describe_backtrace(err));
- return 1;
- }
+
- if (ip_ok == 1) {
- // Bad IP.
+
return 1;
- } else {
- // IP OK, or no IP restrictions.
- if (auth_ok == 1) {
- // Bad authentification.
- // Query for authentification.
- return Roxen.http_auth_required(seclevels[2]);
- } else {
- // No auth required, or authentification OK.
- return 0;
+
}
- }
- }
+
#endif
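Review bot: The NOTE comment kept at the top of the rewritten body still describes `ip_ok` and `auth_ok` as three-state variables ("1 May be bad", "~0 OK"), but both locals are deleted in this hunk, so the comment now documents state that no longer exists and will mislead the next person auditing the access check. Replace it with a description of what is actually cached and how failures are treated, e.g. `// misc_cache[a] = ({ compiled pattern checker (function(RequestID:int|mapping)) or 0, required trust level })` followed by `// A checker that throws is logged and treated as a denial (return 1): fail closed.` The new dispatch itself reads as sound: no checker means allow, an exception means deny, and the checker's return value is passed through unchanged, which means the allow/deny/auth-required contract now lives entirely in whatever `query_seclevels()` compiles, and that code is not visible here. Since the removed `seclevels[2]` realm is no longer passed anywhere in this function, it is worth confirming that the compiled checker (or the new authentication API) supplies the realm for its 401/407 responses, as the old `Roxen.http_auth_required(seclevels[2])` calls did.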
// Empty all the caches above.
void invalidate_cache()
964:
file_extension_module_cache = ([]);
provider_module_cache = ([]);
#ifdef MODULE_LEVEL_SECURITY
- if(misc_cache)
+
misc_cache = ([ ]);
#endif
}
2441: Inside #if defined(MODULE_LEVEL_SECURITY)
#ifdef MODULE_LEVEL_SECURITY
if( (module_type & ~(MODULE_LOGGER|MODULE_PROVIDER)) != 0 )
{
- me->defvar("_sec_group", "user", DLOCALE(14, "Security: Realm"),
- TYPE_STRING,
- DLOCALE(15, "The realm to use when requesting password from the "
- "client. Usually used as an informative message to the "
- "user."));
+ // me->defvar("_sec_group", "user", DLOCALE(14, "Security: Realm"),
+ // TYPE_STRING,
+ // DLOCALE(15, "The realm to use when requesting password from the "
+ // "client. Usually used as an informative message to the "
+ // "user."));
me->defvar("_seclevels", "", DLOCALE(16, "Security: Patterns"),
TYPE_TEXT_FIELD,