[auth] Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround, add fastcgi test case (fixes #889)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2833 152afb58-edef-0310-8abb-c4023f1b3aa9
11 years ago · 7187271fb6
parent 61047369c7
commit 7187271fb6
5 changed files with 48 additions and 31 deletions
--- a/1
+++ b/1
@ -12,6 +12,7 @@ NEWS
  * Fix handling of empty header list entries in http_request_split_value, fixing invalid read in valgrind (fixes #2413)
  * Fix access log escaping of " and \\ (fixes #1551)
  * [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)
+  * [auth] Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround, add fastcgi test case (fixes #889)

 - 1.4.30 - 2011-12-18
  * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@ -181,6 +181,7 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
 	size_t k;
 	int auth_required = 0, auth_satisfied = 0;
 	char *http_authorization = NULL;
+	const char *auth_type = NULL;
 	data_string *ds;
 	mod_auth_plugin_data *p = p_d;
 	array *req;
@ -245,12 +246,14 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {

 			if ((auth_type_len == 5) &&
 			    (0 == strncasecmp(http_authorization, "Basic", auth_type_len))) {
+				auth_type = "Basic";

 				if (0 == strcmp(method->value->ptr, "basic")) {
 					auth_satisfied = http_auth_basic_check(srv, con, p, req, con->uri.path, auth_realm+1);
 				}
 			} else if ((auth_type_len == 6) &&
 				   (0 == strncasecmp(http_authorization, "Digest", auth_type_len))) {
+				auth_type = "Digest";
 				if (0 == strcmp(method->value->ptr, "digest")) {
 					if (-1 == (auth_satisfied = http_auth_digest_check(srv, con, p, req, con->uri.path, auth_realm+1))) {
 						con->http_status = 400;
@ -302,6 +305,17 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
 		/* the REMOTE_USER header */

 		buffer_copy_string_buffer(con->authed_user, p->auth_user);
+
+		/* AUTH_TYPE environment */
+
+		if (NULL == (ds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+			ds = data_string_init();
+		}
+
+		buffer_copy_string(ds->key, "AUTH_TYPE");
+		buffer_copy_string(ds->value, auth_type);
+
+		array_insert_unique(con->environment, (data_unset *)ds);
 	}

 	return HANDLER_GO_ON;
--- a/src/mod_fastcgi.c
+++ b/src/mod_fastcgi.c
@ -1910,36 +1910,7 @@ static int fcgi_create_env(server *srv, handler_ctx *hctx, size_t request_id) {
 	FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_ADDR"), s, strlen(s)),con)

 	if (!buffer_is_empty(con->authed_user)) {
-		/* AUTH_TYPE fix by Troy Kruthoff (tkruthoff@gmail.com)
-		 * section 4.1.1 of RFC 3875 (cgi spec) requires the server to set a AUTH_TYPE env
-		 * declaring the type of authentication used.	 (see http://tools.ietf.org/html/rfc3875#page-11)
-		 *
-		 * I copied this code from mod_auth.c where it extracts auth info from the "Authorization" 
-		 * header to authenticate the user before allowing the request to proceed.  I'm guessing it makes
-		 * sense to re-parse the header here, as mod_auth is unaware if the request is headed for cgi/fcgi.
-		 * Someone more familiar with the lighty internals should be able to quickly determine if we are 
-		 * better storing AUTH_TYPE on the initial parse in mod_auth.
-		 */
-		char *http_authorization = NULL;
-		data_string *ds;
-	  	
 		FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_USER"), CONST_BUF_LEN(con->authed_user)),con)
-	
-		if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Authorization"))) {
-			http_authorization = ds->value->ptr;
-		}
-	
-		if (ds && ds->value && ds->value->used) {
-			char *auth_realm;
-		  if (NULL != (auth_realm = strchr(http_authorization, ' '))) {
-				int auth_type_len = auth_realm - http_authorization;
-				if ((auth_type_len == 5) && (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
-					  fcgi_env_add(p->fcgi_env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Basic"));
-				} else if ((auth_type_len == 6) && (0 == strncmp(http_authorization, "Digest", auth_type_len))) {
-					  fcgi_env_add(p->fcgi_env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Digest"));
-				}
-			}
-		}
 	}

 	if (con->request.content_length > 0 && host->mode != FCGI_AUTHORIZER) {
--- a/tests/lighttpd.conf
+++ b/tests/lighttpd.conf
@ -175,6 +175,19 @@ $HTTP["host"] !~ "(no-simple\.example\.org)" {
  simple-vhost.default-host   = "www.example.org"
 }

+$HTTP["host"] == "auth.example.org" {
+  server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
+  server.name = "auth.example.org"
+  auth.backend                = "htpasswd"
+  auth.require                = ( "" =>
+                                (
+                                  "method"  => "basic",
+                                  "realm"   => "download archiv",
+                                  "require" => "valid-user"
+                                )
+                              )
+}
+
 $HTTP["host"] =~ "(vvv).example.org" {
  url.redirect = ( "^/redirect/$" => "http://localhost:2048/" )
 }
--- a/tests/mod-fastcgi.t
+++ b/tests/mod-fastcgi.t
@ -7,7 +7,7 @@ BEGIN {
 }

 use strict;
-use Test::More tests => 56;
+use Test::More tests => 58;
 use LightyTest;

 my $tf = LightyTest->new();
@ -25,7 +25,7 @@ SKIP: {
 }

 SKIP: {
-	skip "no PHP running on port 1026", 33 unless $tf->listening_on(1026);
+	skip "no PHP running on port 1026", 35 unless $tf->listening_on(1026);

 	ok($tf->start_proc == 0, "Starting lighttpd") or goto cleanup;

@ -188,6 +188,24 @@ EOF
 	$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Length' => 4348 } ];
 	ok($tf->handle_http($t) == 0, 'X-Sendfile2');

+	$t->{REQUEST}  = ( <<EOF
+GET /get-server-env.php?env=REMOTE_USER HTTP/1.0
+Host: auth.example.org
+Authorization: Basic ZGVzOmRlcw==
+EOF
+ );
+	$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'des' } ];
+	ok($tf->handle_http($t) == 0, '$_SERVER["REMOTE_USER"]');
+
+	$t->{REQUEST}  = ( <<EOF
+GET /get-server-env.php?env=AUTH_TYPE HTTP/1.0
+Host: auth.example.org
+Authorization: Basic ZGVzOmRlcw==
+EOF
+ );
+	$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'Basic' } ];
+	ok($tf->handle_http($t) == 0, '$_SERVER["AUTH_TYPE"]');
+

 	ok($tf->stop_proc == 0, "Stopping lighttpd");