
2001-03-08

2001-03-08 14:35:49 by Per Hedbor <ph@opera.com>

The module level security patterns now use the new authentication API. Placed a lot of modules in groups

Rev: server/base_server/configuration.pike:1.420
Rev: server/base_server/module.pike:1.111
Rev: server/base_server/roxen.pike:1.644
Rev: server/config_interface/dbs/browser.pike:1.10
Rev: server/config_interface/sites/config_left_item.pike:1.50
Rev: server/etc/modules/Roxen.pmod:1.72
Rev: server/modules/configuration/config_tags.pike:1.141
Rev: server/modules/database/sqltag.pike:1.76
Rev: server/modules/filesystems/filesystem.pike:1.96
Rev: server/modules/graphics/atlas.pike:1.4
Rev: server/modules/graphics/business.pike:1.140
Rev: server/modules/graphics/cimg.pike:1.38
Rev: server/modules/graphics/counter.pike:1.40
Rev: server/modules/graphics/gbutton.pike:1.78
Rev: server/modules/graphics/graphic_text.pike:1.260
Rev: server/modules/graphics/pimage.pike:1.25
Rev: server/modules/graphics/tablist.pike:1.52
Rev: server/modules/graphics/wiretap.pike:1.24
Rev: server/modules/scripting/piketag.pike:2.31
Rev: server/modules/security/auth_httpbasic.pike:1.5
Rev: server/modules/security/auth_httpcookie.pike:1.5
Rev: server/modules/security/userdb_system.pike:1.6
Rev: server/modules/tags/accessed.pike:1.41
Rev: server/modules/tags/additional_rxml.pike:1.11
Rev: server/modules/tags/awizard.pike:1.22
Rev: server/modules/tags/check_spelling.pike:1.16
Rev: server/modules/tags/countdown.pike:1.42
Rev: server/modules/tags/diremit.pike:1.7
Rev: server/modules/tags/email.pike:1.6
Rev: server/modules/tags/foldlist.pike:1.29
Rev: server/modules/tags/html_wash.pike:1.15
Rev: server/modules/tags/indirect_href.pike:1.26
Rev: server/modules/tags/killframe.pike:1.33
Rev: server/modules/tags/obox.pike:1.35
Rev: server/modules/tags/rxmlparse.pike:1.54
Rev: server/modules/tags/rxmltags.pike:1.208
Rev: server/modules/tags/sed.pike:1.11
Rev: server/modules/tags/ssi.pike:1.38
Rev: server/modules/tags/tablify.pike:1.63
Rev: server/modules/tags/translation_mod.pike:1.10
Rev: server/modules/tags/vform.pike:1.22
Rev: server/modules/tags/wizard_tag.pike:1.29
Rev: server/modules/tags/wizz.pike:1.2
Rev: server/protocols/http.pike:1.307

1:   // This file is part of Roxen Webserver.   // Copyright © 1996 - 2000, Roxen IS. - // $Id: module.pike,v 1.110 2001/02/21 05:41:10 per Exp $ + // $Id: module.pike,v 1.111 2001/03/08 14:35:40 per Exp $      #include <module_constants.h>   #include <module.h>
227:   /* By default, provide nothing. */   string query_provides() { return 0; }    - /* -  * Parse and return a parsed version of the security levels for this module -  * -  */ +     - class IP_with_mask + function(RequestID:int|mapping) query_seclevels()   { -  int net; -  int mask; -  static private int ip_to_int(string ip) -  { -  int res; -  foreach(((ip/".") + ({ "0", "0", "0" }))[..3], string num) { -  res = res*256 + (int)num; -  } -  return(res); -  } -  void create(string _ip, string|int _mask) -  { -  net = ip_to_int(_ip); -  if (intp(_mask)) { -  if (_mask > 32) { -  report_error(sprintf("Bad netmask: %s/%d\n" -  "Using %s/32\n", _ip, _mask, _ip)); -  _mask = 32; -  } -  mask = ~0<<(32-_mask); -  } else { -  mask = ip_to_int(_mask); -  } -  if (net & ~mask) { -  report_error(sprintf("Bad netmask: %s for network %s\n" -  "Ignoring node-specific bits\n", _ip, _mask)); -  net &= mask; -  } -  } -  int `()(string ip) -  { -  return((ip_to_int(ip) & mask) == net); -  } - }; -  - array query_seclevels() - { -  array patterns=({ }); -  +     if(catch(query("_seclevels")) || (query("_seclevels") == 0)) -  return patterns; -  -  foreach(replace(query("_seclevels"), -  ({" ","\t","\\\n"}), -  ({"","",""}))/"\n", string sl) { -  if(!strlen(sl) || sl[0]=='#') -  continue; -  -  string type, value; -  if(sscanf(sl, "%s=%s", type, value)==2) -  { -  array(string|int) arr; -  switch(lower_case(type)) -  { -  case "allowip": -  if (sizeof(arr = (value/"/")) == 2) { -  // IP/bits -  arr[1] = (int)arr[1]; -  patterns += ({ ({ MOD_ALLOW, IP_with_mask(@arr) }) }); -  } else if ((sizeof(arr = (value/":")) == 2) || -  (sizeof(arr = (value/",")) > 1)) { -  // IP:mask or IP,mask -  patterns += ({ ({ MOD_ALLOW, IP_with_mask(@arr) }) }); -  } else { -  // Pattern -  value = replace(value, ({ "?", ".", "*" }), ({ ".", "\\.", ".*" })); -  patterns += ({ ({ MOD_ALLOW, Regexp(value)->match, }) }); +  return 0; +  return 
roxen.compile_security_pattern(query("_seclevels"),this_object());   } -  break; +     -  case "acceptip": -  // Short-circuit version of allow ip. -  if (sizeof(arr = (value/"/")) == 2) { -  // IP/bits -  arr[1] = (int)arr[1]; -  patterns += ({ ({ MOD_ACCEPT, IP_with_mask(@arr) }) }); -  } else if ((sizeof(arr = (value/":")) == 2) || -  (sizeof(arr = (value/",")) > 1)) { -  // IP:mask or IP,mask -  patterns += ({ ({ MOD_ACCEPT, IP_with_mask(@arr) }) }); -  } else { -  // Pattern -  value = replace(value, ({ "?", ".", "*" }), ({ ".", "\\.", ".*" })); -  patterns += ({ ({ MOD_ACCEPT, Regexp(value)->match, }) }); -  } -  break; -  -  case "denyip": -  if (sizeof(arr = (value/"/")) == 2) { -  // IP/bits -  arr[1] = (int)arr[1]; -  patterns += ({ ({ MOD_DENY, IP_with_mask(@arr) }) }); -  } else if ((sizeof(arr = (value/":")) == 2) || -  (sizeof(arr = (value/",")) > 1)) { -  // IP:mask or IP,mask -  patterns += ({ ({ MOD_DENY, IP_with_mask(@arr) }) }); -  } else { -  // Pattern -  value = replace(value, ({ "?", ".", "*" }), ({ ".", "\\.", ".*" })); -  patterns += ({ ({ MOD_DENY, Regexp(value)->match, }) }); -  } -  break; -  -  case "allowuser": -  value = replace(value, ({ "?", ".", "*" }), ({ ".", "\\.", ".*" })); -  array(string) users = (value/"," - ({""})); -  int i; -  -  for(i=0; i < sizeof(users); i++) { -  if (lower_case(users[i]) == "any") { -  if(this_object()->register_module()[0] & MODULE_PROXY) -  patterns += ({ ({ MOD_PROXY_USER, lambda(){ return 1; } }) }); -  else -  patterns += ({ ({ MOD_USER, lambda(){ return 1; } }) }); -  break; -  } else { -  users[i & 0x0f] = "(^"+users[i]+"$)"; -  } -  if ((i & 0x0f) == 0x0f) { -  value = users[0..0x0f]*"|"; -  if(this_object()->register_module()[0] & MODULE_PROXY) { -  patterns += ({ ({ MOD_PROXY_USER, Regexp(value)->match, }) }); -  } else { -  patterns += ({ ({ MOD_USER, Regexp(value)->match, }) }); -  } -  } -  } -  if (i & 0x0f) { -  value = users[0..(i-1)&0x0f]*"|"; -  if(this_object()->register_module()[0] 
& MODULE_PROXY) { -  patterns += ({ ({ MOD_PROXY_USER, Regexp(value)->match, }) }); -  } else { -  patterns += ({ ({ MOD_USER, Regexp(value)->match, }) }); -  } -  } -  break; -  -  case "acceptuser": -  // Short-circuit version of allow user. -  // NOTE: MOD_PROXY_USER is already short-circuit. -  value = replace(value, ({ "?", ".", "*" }), ({ ".", "\\.", ".*" })); -  users = (value/"," - ({""})); -  -  for(i=0; i < sizeof(users); i++) { -  if (lower_case(users[i]) == "any") { -  if(this_object()->register_module()[0] & MODULE_PROXY) -  patterns += ({ ({ MOD_PROXY_USER, lambda(){ return 1; } }) }); -  else -  patterns += ({ ({ MOD_ACCEPT_USER, lambda(){ return 1; } }) }); -  break; -  } else { -  users[i & 0x0f] = "(^"+users[i]+"$)"; -  } -  if ((i & 0x0f) == 0x0f) { -  value = users[0..0x0f]*"|"; -  if(this_object()->register_module()[0] & MODULE_PROXY) { -  patterns += ({ ({ MOD_PROXY_USER, Regexp(value)->match, }) }); -  } else { -  patterns += ({ ({ MOD_ACCEPT_USER, Regexp(value)->match, }) }); -  } -  } -  } -  if (i & 0x0f) { -  value = users[0..(i-1)&0x0f]*"|"; -  if(this_object()->register_module()[0] & MODULE_PROXY) { -  patterns += ({ ({ MOD_PROXY_USER, Regexp(value)->match, }) }); -  } else { -  patterns += ({ ({ MOD_ACCEPT_USER, Regexp(value)->match, }) }); -  } -  } -  break; -  -  default: -  report_error(sprintf("Unknown Security:Patterns directive: " -  "type=\"%s\"\n", type)); -  break; -  } -  } else { -  report_error(sprintf("Syntax error in Security:Patterns directive: " -  "line=\"%s\"\n", sl)); -  } -  } -  return patterns; - } -  +    Stat stat_file(string f, RequestID id){}   array(string) find_dir(string f, RequestID id){}   mapping(string:Stat) find_dir_stat(string f, RequestID id)
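Review bot: `query_seclevels()` loses its header comment in this hunk while its contract changes from returning an array of pattern entries to returning a `function(RequestID:int|mapping)` or 0, and nothing on the new side says what 0 means to the caller. I would add a comment above it such as `/* Returns the compiled Security:Patterns check for this module, or 0 when no patterns are set (or _seclevels cannot be read). */` so that callers know whether 0 stands for "no restriction". Because the `catch` on the kept context line turns a failed `query("_seclevels")` into the same 0, an access-control setting that cannot be read is indistinguishable from one that was never configured; that is worth stating in the comment even if the behaviour stays. The removed parser reported unknown directives and syntax errors through `report_error`; whether `roxen.compile_security_pattern` still does is not visible here and should be confirmed, since a silently ignored deny line weakens the module's protection.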