authorSergey Poznyakoff <gray@gnu.org.ua>2020-02-28 11:11:49 +0200
committerSergey Poznyakoff <gray@gnu.org.ua>2020-02-28 11:11:49 +0200
commit6499240b4bc400332423432c73e12a3be994ff65 (patch)
treed9aeaf1fd76e83e5c01248b1c6b241a63491be61
parent73bfc3bdfac590266ad67c48de5e866bb5d5fa4d (diff)
Implement "auth none" type.
* src/ping903.c (cf_auth): Support for "auth none". (try_auth): Take action depending on the type of the matching auth_location structure. * doc/ping903.conf.5: Document "auth none" * src/ping903.conf: Example of "auth none".
-rw-r--r--doc/ping903.conf.515
-rw-r--r--src/ping903.c51
-rw-r--r--src/ping903.conf8
3 files changed, 62 insertions, 12 deletions
diff --git a/doc/ping903.conf.5 b/doc/ping903.conf.5
index befe082..1889892 100644
--- a/doc/ping903.conf.5
+++ b/doc/ping903.conf.5
@@ -212,7 +212,22 @@ authorization:
auth basic POST /config /etc/ping903/htpasswd Modification
auth basic PUT /config
.fi
+.TP
+\fBauth none\fR \fIMETHOD\fR \fIURL\fR
+Disables authorization for this combination of \fIMETHOD\fR and
+\fIURL\fR. See \fBauth basic\fR for the description of \fIMETHOD\fR
+and \fIURL\fR.
+
+Use this statement to exempt an URL from authorization which is
+otherwise required for its parent URL. For example, the two
+statements below require basic authorization for "/config", excepting
+"/config/ip-list":
.sp
+.nf
+auth none GET /config/ip-list
+auth basic GET /config /etc/ping903/htpasswd "Config Access"
+.fi
+.PP
Notice, that an incoming HTTP request is matched against each
\fBauth\fR statement in turn, in the order they appear in the
configuration file, and it is the first matching statement that
diff --git a/src/ping903.c b/src/ping903.c
index 7bc0f1c..1b8a668 100644
--- a/src/ping903.c
+++ b/src/ping903.c
@@ -528,7 +528,13 @@ ept_ip_match(struct MHD_Connection *conn,
return ret;
}
+enum auth_type {
+ AUTH_NONE,
+ AUTH_BASIC
+};
+
struct auth_location {
+ int type;
char *url;
size_t ulen;
int wildcard;
@@ -547,7 +553,10 @@ cf_auth(int mode, union cf_callback_arg *arg, void *data)
char **av;
char *endp;
struct auth_location *loc;
-
+ int type;
+ char *passwd_file = NULL;
+ char *realm = NULL;
+
if (mode != CF_PARSE)
return CF_RET_IGNORE;
@@ -575,27 +584,41 @@ cf_auth(int mode, union cf_callback_arg *arg, void *data)
argcv_free(ac, av);
return CF_RET_FAIL;
}
- if (!auth_head && ac < 5) {
- error("%s:%d: realm or password file name missing",
- arg->input.file, arg->input.line);
- argcv_free(ac, av);
- return CF_RET_FAIL;
- }
-
- if (strcmp(av[i_type], "basic")) {
+
+ if (strcmp(av[i_type], "basic") == 0) {
+ type = AUTH_BASIC;
+ if (ac < 5 && (!auth_tail || auth_tail->type != type)) {
+ error("%s:%d: realm or password file name missing",
+ arg->input.file, arg->input.line);
+ argcv_free(ac, av);
+ return CF_RET_FAIL;
+ }
+ passwd_file = ac > i_file ? av[i_file] : auth_tail->passwd_file;
+ realm = ac > i_realm ? av[i_realm] : auth_tail->realm;
+ } else if (strcmp(av[i_type], "none") == 0) {
+ type = AUTH_NONE;
+ if (ac > 3) {
+ error("%s:%d: too many arguments for this authorization type",
+ arg->input.file, arg->input.line);
+ argcv_free(ac, av);
+ return CF_RET_FAIL;
+ }
+
+ } else {
error("%s:%d: unsupported authentication method",
arg->input.file, arg->input.line);
argcv_free(ac, av);
return CF_RET_FAIL;
}
-
+
loc = emalloc(sizeof(*loc));
+ loc->type = type;
loc->url = av[i_url];
loc->ulen = strlen(loc->url);
loc->wildcard = loc->url[strcspn(loc->url, "[]*?")] != 0;
loc->method = av[i_method];
- loc->passwd_file = av[i_file] ? av[i_file] : auth_tail->passwd_file;
- loc->realm = av[i_realm] ? av[i_realm] : auth_tail->realm;
+ loc->passwd_file = passwd_file;
+ loc->realm = realm;
loc->next = NULL;
if (auth_tail)
@@ -699,6 +722,10 @@ try_auth(struct MHD_Connection *conn, const char *url, const char *method,
char const *auth;
free(url_buf);
+
+ if (loc->type == AUTH_NONE)
+ return 0;
+
auth = MHD_lookup_connection_value(conn,
MHD_HEADER_KIND,
MHD_HTTP_HEADER_AUTHORIZATION);
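Review bot: The new `type` field in `struct auth_location` is declared `int` although the commit introduces `enum auth_type` for exactly these values; `enum auth_type type;` (and `enum auth_type type;` for the local in cf_auth) lets the compiler check the assignments and makes `loc->type == AUTH_NONE` in try_auth self-documenting. For AUTH_NONE entries cf_auth deliberately leaves `passwd_file` and `realm` NULL, and the early `return 0` in try_auth is the only guard visible in these hunks; any other code that reads those two fields from an auth_location is outside the diff and presumably needs the same type check before dereferencing them — worth confirming. A short comment on the early return, `/* "auth none": first matching entry wins, so this request is exempt from authorization. */`, would record why the Authorization header is not consulted. Both cf_auth and try_auth start and end outside the hunks.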
diff --git a/src/ping903.conf b/src/ping903.conf
index 2f00aeb..d765b6f 100644
--- a/src/ping903.conf
+++ b/src/ping903.conf
@@ -82,6 +82,14 @@
#auth basic PUT /config
#auth basic DELETE /config
+# To exempt a combination of URL and method from authorization, use
+# "auth none". For example, to allow read access to each particular
+# keyword in the /config tree, while requiring authorization to access
+# the root of the tree (and anything below it, if using any method other
+# than GET), use:
+#auth none GET /config/*
+#auth basic * /config /etc/ping903/htpasswd Exopotamie
+
# For more details about basic authorization, please see the following:
# ping903.conf(5)
# ping903q(1), subsection "Basic authorization"
