[auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436)

can be combined with ssl:
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"
	auth.require = ("/" => ( "require" => "valid-user", "method" => "extern") )

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2894 152afb58-edef-0310-8abb-c4023f1b3aa9

NEWS

@@ -27,6 +27,7 @@ NEWS
   * [ssl] accept ssl renegotiations if they are not disabled (fixes #2491)
   * [ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)
   * [auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes #2495)
+  * [auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436)
 
 - 1.4.32 - 2012-11-21
   * Code cleanup with clang/sparse (fixes #2437, thx kibi)

src/mod_auth.c

@@ -185,6 +185,7 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
 	data_string *ds;
 	mod_auth_plugin_data *p = p_d;
 	array *req;
+	data_string *req_method;
 
 	/* select the right config */
 	mod_auth_patch_connection(srv, con, p);
@@ -227,18 +228,30 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
 	if (auth_required == 0) return HANDLER_GO_ON;
 
 	req = ((data_array *)(p->conf.auth_require->data[k]))->value;
+	req_method = (data_string *)array_get_element(req, "method");
 
-	/* try to get Authorization-header */
-
-	if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Authorization"))) {
-		http_authorization = ds->value->ptr;
+	if (0 == strcmp(req_method->value->ptr, "extern")) {
+		/* require REMOTE_USER to be already set */
+		if (NULL == (ds = (data_string *)array_get_element(con->environment, "REMOTE_USER"))) {
+			con->http_status = 401;
+			con->mode = DIRECT;
+			return HANDLER_FINISHED;
+		} else if (http_auth_match_rules(srv, req, ds->value->ptr, NULL, NULL)) {
+			log_error_write(srv, __FILE__, __LINE__, "s", "rules didn't match");
+			con->http_status = 401;
+			con->mode = DIRECT;
+			return HANDLER_FINISHED;
+		} else {
+			return HANDLER_GO_ON;
+		}
 	}
 
-	if (ds && ds->value && ds->value->used) {
+	/* try to get Authorization-header */
+
+	if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Authorization")) && ds->value->used) {
 		char *auth_realm;
-		data_string *method;
 
-		method = (data_string *)array_get_element(req, "method");
+		http_authorization = ds->value->ptr;
 
 		/* parse auth-header */
 		if (NULL != (auth_realm = strchr(http_authorization, ' '))) {
@@ -248,13 +261,13 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
 			    (0 == strncasecmp(http_authorization, "Basic", auth_type_len))) {
 				auth_type = "Basic";
 
-				if (0 == strcmp(method->value->ptr, "basic")) {
+				if (0 == strcmp(req_method->value->ptr, "basic")) {
 					auth_satisfied = http_auth_basic_check(srv, con, p, req, auth_realm+1);
 				}
 			} else if ((auth_type_len == 6) &&
 				   (0 == strncasecmp(http_authorization, "Digest", auth_type_len))) {
 				auth_type = "Digest";
-				if (0 == strcmp(method->value->ptr, "digest")) {
+				if (0 == strcmp(req_method->value->ptr, "digest")) {
 					if (-1 == (auth_satisfied = http_auth_digest_check(srv, con, p, req, auth_realm+1))) {
 						con->http_status = 400;
 						con->mode = DIRECT;
@@ -494,9 +507,10 @@ SETDEFAULTS_FUNC(mod_auth_set_defaults) {
 				return HANDLER_ERROR;
 			} else {
 				if (0 != strcmp(method, "basic") &&
-				    0 != strcmp(method, "digest")) {
+				    0 != strcmp(method, "digest") &&
+				    0 != strcmp(method, "extern")) {
 					log_error_write(srv, __FILE__, __LINE__, "ss",
-							"method has to be either \"basic\" or \"digest\" in",
+							"method has to be either \"basic\", \"digest\" or \"extern\" in",
 							"auth.require = ( \"...\" => ( ..., \"method\" => \"...\") )");
 					return HANDLER_ERROR;
 				}