mirror of
https://github.com/nginx/nginx.git
synced 2024-12-17 23:27:49 +08:00
445 lines
11 KiB
C
445 lines
11 KiB
C
|
|
||
|
/*
|
||
|
* Copyright (C) Maxim Dounin
|
||
|
* Copyright (C) Nginx, Inc.
|
||
|
*/
|
||
|
|
||
|
|
||
|
#include <ngx_config.h>
|
||
|
#include <ngx_core.h>
|
||
|
#include <ngx_http.h>
|
||
|
|
||
|
|
||
|
typedef struct {
|
||
|
ngx_str_t uri;
|
||
|
ngx_array_t *vars;
|
||
|
} ngx_http_auth_request_conf_t;
|
||
|
|
||
|
|
||
|
typedef struct {
|
||
|
ngx_uint_t done;
|
||
|
ngx_uint_t status;
|
||
|
ngx_http_request_t *subrequest;
|
||
|
} ngx_http_auth_request_ctx_t;
|
||
|
|
||
|
|
||
|
typedef struct {
|
||
|
ngx_int_t index;
|
||
|
ngx_http_complex_value_t value;
|
||
|
ngx_http_set_variable_pt set_handler;
|
||
|
} ngx_http_auth_request_variable_t;
|
||
|
|
||
|
|
||
|
static ngx_int_t ngx_http_auth_request_handler(ngx_http_request_t *r);
|
||
|
static ngx_int_t ngx_http_auth_request_done(ngx_http_request_t *r,
|
||
|
void *data, ngx_int_t rc);
|
||
|
static ngx_int_t ngx_http_auth_request_set_variables(ngx_http_request_t *r,
|
||
|
ngx_http_auth_request_conf_t *arcf, ngx_http_auth_request_ctx_t *ctx);
|
||
|
static ngx_int_t ngx_http_auth_request_variable(ngx_http_request_t *r,
|
||
|
ngx_http_variable_value_t *v, uintptr_t data);
|
||
|
static void *ngx_http_auth_request_create_conf(ngx_conf_t *cf);
|
||
|
static char *ngx_http_auth_request_merge_conf(ngx_conf_t *cf,
|
||
|
void *parent, void *child);
|
||
|
static ngx_int_t ngx_http_auth_request_init(ngx_conf_t *cf);
|
||
|
static char *ngx_http_auth_request(ngx_conf_t *cf, ngx_command_t *cmd,
|
||
|
void *conf);
|
||
|
static char *ngx_http_auth_request_set(ngx_conf_t *cf, ngx_command_t *cmd,
|
||
|
void *conf);
|
||
|
|
||
|
|
||
|
static ngx_command_t ngx_http_auth_request_commands[] = {
|
||
|
|
||
|
{ ngx_string("auth_request"),
|
||
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
|
||
|
ngx_http_auth_request,
|
||
|
NGX_HTTP_LOC_CONF_OFFSET,
|
||
|
0,
|
||
|
NULL },
|
||
|
|
||
|
{ ngx_string("auth_request_set"),
|
||
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
|
||
|
ngx_http_auth_request_set,
|
||
|
NGX_HTTP_LOC_CONF_OFFSET,
|
||
|
0,
|
||
|
NULL },
|
||
|
|
||
|
ngx_null_command
|
||
|
};
|
||
|
|
||
|
|
||
|
static ngx_http_module_t ngx_http_auth_request_module_ctx = {
|
||
|
NULL, /* preconfiguration */
|
||
|
ngx_http_auth_request_init, /* postconfiguration */
|
||
|
|
||
|
NULL, /* create main configuration */
|
||
|
NULL, /* init main configuration */
|
||
|
|
||
|
NULL, /* create server configuration */
|
||
|
NULL, /* merge server configuration */
|
||
|
|
||
|
ngx_http_auth_request_create_conf, /* create location configuration */
|
||
|
ngx_http_auth_request_merge_conf /* merge location configuration */
|
||
|
};
|
||
|
|
||
|
|
||
|
ngx_module_t ngx_http_auth_request_module = {
|
||
|
NGX_MODULE_V1,
|
||
|
&ngx_http_auth_request_module_ctx, /* module context */
|
||
|
ngx_http_auth_request_commands, /* module directives */
|
||
|
NGX_HTTP_MODULE, /* module type */
|
||
|
NULL, /* init master */
|
||
|
NULL, /* init module */
|
||
|
NULL, /* init process */
|
||
|
NULL, /* init thread */
|
||
|
NULL, /* exit thread */
|
||
|
NULL, /* exit process */
|
||
|
NULL, /* exit master */
|
||
|
NGX_MODULE_V1_PADDING
|
||
|
};
|
||
|
|
||
|
|
||
|
static ngx_int_t
|
||
|
ngx_http_auth_request_handler(ngx_http_request_t *r)
|
||
|
{
|
||
|
ngx_table_elt_t *h, *ho;
|
||
|
ngx_http_request_t *sr;
|
||
|
ngx_http_post_subrequest_t *ps;
|
||
|
ngx_http_auth_request_ctx_t *ctx;
|
||
|
ngx_http_auth_request_conf_t *arcf;
|
||
|
|
||
|
arcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_request_module);
|
||
|
|
||
|
if (arcf->uri.len == 0) {
|
||
|
return NGX_DECLINED;
|
||
|
}
|
||
|
|
||
|
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||
|
"auth request handler");
|
||
|
|
||
|
ctx = ngx_http_get_module_ctx(r, ngx_http_auth_request_module);
|
||
|
|
||
|
if (ctx != NULL) {
|
||
|
if (!ctx->done) {
|
||
|
return NGX_AGAIN;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* as soon as we are done - explicitly set variables to make
|
||
|
* sure they will be available after internal redirects
|
||
|
*/
|
||
|
|
||
|
if (ngx_http_auth_request_set_variables(r, arcf, ctx) != NGX_OK) {
|
||
|
return NGX_ERROR;
|
||
|
}
|
||
|
|
||
|
/* return appropriate status */
|
||
|
|
||
|
if (ctx->status == NGX_HTTP_FORBIDDEN) {
|
||
|
return ctx->status;
|
||
|
}
|
||
|
|
||
|
if (ctx->status == NGX_HTTP_UNAUTHORIZED) {
|
||
|
sr = ctx->subrequest;
|
||
|
|
||
|
h = sr->headers_out.www_authenticate;
|
||
|
|
||
|
if (!h && sr->upstream) {
|
||
|
h = sr->upstream->headers_in.www_authenticate;
|
||
|
}
|
||
|
|
||
|
if (h) {
|
||
|
ho = ngx_list_push(&r->headers_out.headers);
|
||
|
if (ho == NULL) {
|
||
|
return NGX_ERROR;
|
||
|
}
|
||
|
|
||
|
*ho = *h;
|
||
|
|
||
|
r->headers_out.www_authenticate = ho;
|
||
|
}
|
||
|
|
||
|
return ctx->status;
|
||
|
}
|
||
|
|
||
|
if (ctx->status >= NGX_HTTP_OK
|
||
|
&& ctx->status < NGX_HTTP_SPECIAL_RESPONSE)
|
||
|
{
|
||
|
return NGX_OK;
|
||
|
}
|
||
|
|
||
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
|
||
|
"auth request unexpected status: %d", ctx->status);
|
||
|
|
||
|
return NGX_HTTP_INTERNAL_SERVER_ERROR;
|
||
|
}
|
||
|
|
||
|
ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_auth_request_ctx_t));
|
||
|
if (ctx == NULL) {
|
||
|
return NGX_ERROR;
|
||
|
}
|
||
|
|
||
|
ps = ngx_palloc(r->pool, sizeof(ngx_http_post_subrequest_t));
|
||
|
if (ps == NULL) {
|
||
|
return NGX_ERROR;
|
||
|
}
|
||
|
|
||
|
ps->handler = ngx_http_auth_request_done;
|
||
|
ps->data = ctx;
|
||
|
|
||
|
if (ngx_http_subrequest(r, &arcf->uri, NULL, &sr, ps,
|
||
|
NGX_HTTP_SUBREQUEST_WAITED)
|
||
|
!= NGX_OK)
|
||
|
{
|
||
|
return NGX_ERROR;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* allocate fake request body to avoid attempts to read it and to make
|
||
|
* sure real body file (if already read) won't be closed by upstream
|
||
|
*/
|
||
|
|
||
|
sr->request_body = ngx_pcalloc(r->pool, sizeof(ngx_http_request_body_t));
|
||
|
if (sr->request_body == NULL) {
|
||
|
return NGX_ERROR;
|
||
|
}
|
||
|
|
||
|
sr->header_only = 1;
|
||
|
|
||
|
ctx->subrequest = sr;
|
||
|
|
||
|
ngx_http_set_ctx(r, ctx, ngx_http_auth_request_module);
|
||
|
|
||
|
return NGX_AGAIN;
|
||
|
}
|
||
|
|
||
|
|
||
|
static ngx_int_t
|
||
|
ngx_http_auth_request_done(ngx_http_request_t *r, void *data, ngx_int_t rc)
|
||
|
{
|
||
|
ngx_http_auth_request_ctx_t *ctx = data;
|
||
|
|
||
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||
|
"auth request done s:%d", r->headers_out.status);
|
||
|
|
||
|
ctx->done = 1;
|
||
|
ctx->status = r->headers_out.status;
|
||
|
|
||
|
return rc;
|
||
|
}
|
||
|
|
||
|
|
||
|
static ngx_int_t
|
||
|
ngx_http_auth_request_set_variables(ngx_http_request_t *r,
|
||
|
ngx_http_auth_request_conf_t *arcf, ngx_http_auth_request_ctx_t *ctx)
|
||
|
{
|
||
|
ngx_str_t val;
|
||
|
ngx_http_variable_t *v;
|
||
|
ngx_http_variable_value_t *vv;
|
||
|
ngx_http_auth_request_variable_t *av, *last;
|
||
|
ngx_http_core_main_conf_t *cmcf;
|
||
|
|
||
|
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||
|
"auth request set variables");
|
||
|
|
||
|
if (arcf->vars == NULL) {
|
||
|
return NGX_OK;
|
||
|
}
|
||
|
|
||
|
cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
|
||
|
v = cmcf->variables.elts;
|
||
|
|
||
|
av = arcf->vars->elts;
|
||
|
last = av + arcf->vars->nelts;
|
||
|
|
||
|
while (av < last) {
|
||
|
/*
|
||
|
* explicitly set new value to make sure it will be available after
|
||
|
* internal redirects
|
||
|
*/
|
||
|
|
||
|
vv = &r->variables[av->index];
|
||
|
|
||
|
if (ngx_http_complex_value(ctx->subrequest, &av->value, &val)
|
||
|
!= NGX_OK)
|
||
|
{
|
||
|
return NGX_ERROR;
|
||
|
}
|
||
|
|
||
|
vv->valid = 1;
|
||
|
vv->not_found = 0;
|
||
|
vv->data = val.data;
|
||
|
vv->len = val.len;
|
||
|
|
||
|
if (av->set_handler) {
|
||
|
/*
|
||
|
* set_handler only available in cmcf->variables_keys, so we store
|
||
|
* it explicitly
|
||
|
*/
|
||
|
|
||
|
av->set_handler(r, vv, v[av->index].data);
|
||
|
}
|
||
|
|
||
|
av++;
|
||
|
}
|
||
|
|
||
|
return NGX_OK;
|
||
|
}
|
||
|
|
||
|
|
||
|
static ngx_int_t
|
||
|
ngx_http_auth_request_variable(ngx_http_request_t *r,
|
||
|
ngx_http_variable_value_t *v, uintptr_t data)
|
||
|
{
|
||
|
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||
|
"auth request variable");
|
||
|
|
||
|
v->not_found = 1;
|
||
|
|
||
|
return NGX_OK;
|
||
|
}
|
||
|
|
||
|
|
||
|
static void *
|
||
|
ngx_http_auth_request_create_conf(ngx_conf_t *cf)
|
||
|
{
|
||
|
ngx_http_auth_request_conf_t *conf;
|
||
|
|
||
|
conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_request_conf_t));
|
||
|
if (conf == NULL) {
|
||
|
return NULL;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* set by ngx_pcalloc():
|
||
|
*
|
||
|
* conf->uri = { 0, NULL };
|
||
|
*/
|
||
|
|
||
|
conf->vars = NGX_CONF_UNSET_PTR;
|
||
|
|
||
|
return conf;
|
||
|
}
|
||
|
|
||
|
|
||
|
static char *
|
||
|
ngx_http_auth_request_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||
|
{
|
||
|
ngx_http_auth_request_conf_t *prev = parent;
|
||
|
ngx_http_auth_request_conf_t *conf = child;
|
||
|
|
||
|
ngx_conf_merge_str_value(conf->uri, prev->uri, "");
|
||
|
ngx_conf_merge_ptr_value(conf->vars, prev->vars, NULL);
|
||
|
|
||
|
return NGX_CONF_OK;
|
||
|
}
|
||
|
|
||
|
|
||
|
static ngx_int_t
|
||
|
ngx_http_auth_request_init(ngx_conf_t *cf)
|
||
|
{
|
||
|
ngx_http_handler_pt *h;
|
||
|
ngx_http_core_main_conf_t *cmcf;
|
||
|
|
||
|
cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
|
||
|
|
||
|
h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers);
|
||
|
if (h == NULL) {
|
||
|
return NGX_ERROR;
|
||
|
}
|
||
|
|
||
|
*h = ngx_http_auth_request_handler;
|
||
|
|
||
|
return NGX_OK;
|
||
|
}
|
||
|
|
||
|
|
||
|
static char *
|
||
|
ngx_http_auth_request(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||
|
{
|
||
|
ngx_http_auth_request_conf_t *arcf = conf;
|
||
|
|
||
|
ngx_str_t *value;
|
||
|
|
||
|
if (arcf->uri.data != NULL) {
|
||
|
return "is duplicate";
|
||
|
}
|
||
|
|
||
|
value = cf->args->elts;
|
||
|
|
||
|
if (ngx_strcmp(value[1].data, "off") == 0) {
|
||
|
arcf->uri.len = 0;
|
||
|
arcf->uri.data = (u_char *) "";
|
||
|
|
||
|
return NGX_CONF_OK;
|
||
|
}
|
||
|
|
||
|
arcf->uri = value[1];
|
||
|
|
||
|
return NGX_CONF_OK;
|
||
|
}
|
||
|
|
||
|
|
||
|
static char *
|
||
|
ngx_http_auth_request_set(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||
|
{
|
||
|
ngx_http_auth_request_conf_t *arcf = conf;
|
||
|
|
||
|
ngx_str_t *value;
|
||
|
ngx_http_variable_t *v;
|
||
|
ngx_http_auth_request_variable_t *av;
|
||
|
ngx_http_compile_complex_value_t ccv;
|
||
|
|
||
|
value = cf->args->elts;
|
||
|
|
||
|
if (value[1].data[0] != '$') {
|
||
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||
|
"invalid variable name \"%V\"", &value[1]);
|
||
|
return NGX_CONF_ERROR;
|
||
|
}
|
||
|
|
||
|
value[1].len--;
|
||
|
value[1].data++;
|
||
|
|
||
|
if (arcf->vars == NGX_CONF_UNSET_PTR) {
|
||
|
arcf->vars = ngx_array_create(cf->pool, 1,
|
||
|
sizeof(ngx_http_auth_request_variable_t));
|
||
|
if (arcf->vars == NULL) {
|
||
|
return NGX_CONF_ERROR;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
av = ngx_array_push(arcf->vars);
|
||
|
if (av == NULL) {
|
||
|
return NGX_CONF_ERROR;
|
||
|
}
|
||
|
|
||
|
v = ngx_http_add_variable(cf, &value[1], NGX_HTTP_VAR_CHANGEABLE);
|
||
|
if (v == NULL) {
|
||
|
return NGX_CONF_ERROR;
|
||
|
}
|
||
|
|
||
|
av->index = ngx_http_get_variable_index(cf, &value[1]);
|
||
|
if (av->index == NGX_ERROR) {
|
||
|
return NGX_CONF_ERROR;
|
||
|
}
|
||
|
|
||
|
if (v->get_handler == NULL) {
|
||
|
v->get_handler = ngx_http_auth_request_variable;
|
||
|
v->data = (uintptr_t) av;
|
||
|
}
|
||
|
|
||
|
av->set_handler = v->set_handler;
|
||
|
|
||
|
ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
|
||
|
|
||
|
ccv.cf = cf;
|
||
|
ccv.value = &value[2];
|
||
|
ccv.complex_value = &av->value;
|
||
|
|
||
|
if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
|
||
|
return NGX_CONF_ERROR;
|
||
|
}
|
||
|
|
||
|
return NGX_CONF_OK;
|
||
|
}
|