[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
[0766]
[0767]
[0768]
[0769]
[0770]
[0771]
[0772]
[0773]
[0774]
[0775]
[0776]
[0777]
[0778]
[0779]
[0780]
[0781]
[0782]
[0783]
[0784]
[0785]
[0786]
[0787]
[0788]
[0789]
[0790]
[0791]
[0792]
[0793]
[0794]
[0795]
[0796]
[0797]
[0798]
[0799]
[0800]
[0801]
[0802]
[0803]
[0804]
[0805]
[0806]
[0807]
[0808]
[0809]
[0810]
[0811]
[0812]
[0813]
[0814]
[0815]
[0816]
[0817]
[0818]
[0819]
[0820]
[0821]
[0822]
[0823]
[0824]
[0825]
[0826]
[0827]
[0828]
[0829]
[0830]
[0831]
[0832]
[0833]
[0834]
[0835]
[0836]
[0837]
[0838]
[0839]
[0840]
[0841]
[0842]
[0843]
[0844]
[0845]
[0846]
[0847]
[0848]
[0849]
[0850]
[0851]
[0852]
[0853]
[0854]
[0855]
[0856]
[0857]
[0858]
[0859]
[0860]
[0861]
[0862]
[0863]
[0864]
[0865]
[0866]
[0867]
[0868]
[0869]
[0870]
[0871]
[0872]
[0873]
[0874]
[0875]
[0876]
[0877]
[0878]
[0879]
[0880]
[0881]
[0882]
[0883]
[0884]
[0885]
[0886]
[0887]
[0888]
[0889]
[0890]
[0891]
[0892]
[0893]
[0894]
[0895]
[0896]
[0897]
[0898]
[0899]
[0900]
[0901]
[0902]
[0903]
[0904]
[0905]
[0906]
[0907]
[0908]
[0909]
[0910]
[0911]
[0912]
[0913]
[0914]
[0915]
[0916]
[0917]
[0918]
[0919]
[0920]
[0921]
[0922]
[0923]
[0924]
[0925]
[0926]
[0927]
[0928]
[0929]
[0930]
[0931]
[0932]
[0933]
[0934]
[0935]
[0936]
[0937]
[0938]
[0939]
[0940]
[0941]
[0942]
[0943]
[0944]
[0945]
[0946]
[0947]
[0948]
[0949]
[0950]
[0951]
[0952]
[0953]
[0954]
[0955]
[0956]
[0957]
[0958]
[0959]
[0960]
[0961]
[0962]
[0963]
[0964]
[0965]
[0966]
[0967]
[0968]
[0969]
[0970]
[0971]
[0972]
[0973]
[0974]
[0975]
[0976]
[0977]
[0978]
[0979]
[0980]
[0981]
[0982]
[0983]
[0984]
[0985]
[0986]
[0987]
[0988]
[0989]
[0990]
[0991]
[0992]
[0993]
[0994]
[0995]
[0996]
[0997]
[0998]
[0999]
[1000]
[1001]
[1002]
[1003]
[1004]
[1005]
[1006]
[1007]
[1008]
[1009]
[1010]
[1011]
[1012]
[1013]
[1014]
[1015]
[1016]
[1017]
[1018]
[1019]
[1020]
[1021]
[1022]
[1023]
[1024]
[1025]
[1026]
[1027]
[1028]
[1029]
[1030]
[1031]
[1032]
[1033]
[1034]
[1035]
[1036]
[1037]
[1038]
[1039]
[1040]
[1041]
[1042]
[1043]
[1044]
[1045]
[1046]
[1047]
[1048]
[1049]
[1050]
[1051]
[1052]
[1053]
[1054]
[1055]
[1056]
[1057]
[1058]
[1059]
[1060]
[1061]
[1062]
[1063]
[1064]
[1065]
[1066]
[1067]
[1068]
[1069]
[1070]
[1071]
[1072]
[1073]
[1074]
[1075]
[1076]
[1077]
[1078]
[1079]
[1080]
[1081]
[1082]
[1083]
[1084]
[1085]
[1086]
[1087]
[1088]
[1089]
[1090]
[1091]
[1092]
[1093]
[1094]
[1095]
[1096]
[1097]
[1098]
[1099]
[1100]
[1101]
[1102]
[1103]
[1104]
[1105]
[1106]
[1107]
[1108]
[1109]
[1110]
[1111]
[1112]
[1113]
[1114]
[1115]
[1116]
[1117]
[1118]
[1119]
[1120]
[1121]
[1122]
[1123]
[1124]
[1125]
[1126]
[1127]
[1128]
[1129]
[1130]
[1131]
[1132]
[1133]
[1134]
[1135]
[1136]
[1137]
[1138]
[1139]
[1140]
[1141]
[1142]
[1143]
[1144]
[1145]
[1146]
[1147]
[1148]
[1149]
[1150]
[1151]
[1152]
[1153]
[1154]
[1155]
[1156]
[1157]
[1158]
[1159]
[1160]
[1161]
[1162]
[1163]
[1164]
[1165]
[1166]
[1167]
[1168]
[1169]
[1170]
[1171]
[1172]
[1173]
[1174]
[1175]
[1176]
[1177]
[1178]
[1179]
[1180]
[1181]
[1182]
[1183]
[1184]
[1185]
[1186]
[1187]
[1188]
[1189]
[1190]
[1191]
[1192]
[1193]
[1194]
[1195]
[1196]
[1197]
[1198]
[1199]
[1200]
[1201]
[1202]
[1203]
[1204]
[1205]
[1206]
[1207]
[1208]
[1209]
[1210]
[1211]
[1212]
[1213]
[1214]
[1215]
[1216]
[1217]
[1218]
[1219]
[1220]
[1221]
[1222]
[1223]
[1224]
[1225]
[1226]
[1227]
[1228]
[1229]
[1230]
[1231]
[1232]
[1233]
[1234]
[1235]
[1236]
[1237]
[1238]
[1239]
[1240]
[1241]
[1242]
[1243]
[1244]
[1245]
[1246]
[1247]
[1248]
[1249]
[1250]
[1251]
[1252]
[1253]
[1254]
[1255]
[1256]
[1257]
[1258]
[1259]
[1260]
[1261]
[1262]
[1263]
[1264]
[1265]
[1266]
[1267]
[1268]
[1269]
[1270]
[1271]
[1272]
[1273]
[1274]
[1275]
[1276]
[1277]
[1278]
[1279]
[1280]
[1281]
[1282]
[1283]
[1284]
[1285]
[1286]
[1287]
[1288]
[1289]
[1290]
[1291]
[1292]
[1293]
[1294]
[1295]
[1296]
[1297]
[1298]
[1299]
[1300]
[1301]
[1302]
[1303]
[1304]
[1305]
[1306]
[1307]
[1308]
[1309]
[1310]
[1311]
[1312]
[1313]
[1314]
[1315]
[1316]
[1317]
[1318]
[1319]
[1320]
[1321]
[1322]
[1323]
[1324]
[1325]
[1326]
[1327]
[1328]
[1329]
[1330]
[1331]
[1332]
[1333]
[1334]
[1335]
[1336]
[1337]
[1338]
[1339]
[1340]
[1341]
[1342]
[1343]
[1344]
[1345]
[1346]
[1347]
[1348]
[1349]
[1350]
[1351]
[1352]
[1353]
[1354]
[1355]
[1356]
[1357]
[1358]
[1359]
[1360]
[1361]
[1362]
[1363]
[1364]
[1365]
[1366]
[1367]
[1368]
[1369]
[1370]
[1371]
[1372]
[1373]
[1374]
[1375]
[1376]
[1377]
[1378]
[1379]
[1380]
[1381]
[1382]
[1383]
[1384]
[1385]
[1386]
[1387]
[1388]
[1389]
[1390]
[1391]
[1392]
[1393]
[1394]
[1395]
[1396]
[1397]
[1398]
[1399]
[1400]
[1401]
[1402]
[1403]
[1404]
[1405]
[1406]
[1407]
[1408]
[1409]
[1410]
[1411]
[1412]
[1413]
[1414]
[1415]
[1416]
[1417]
[1418]
[1419]
[1420]
[1421]
[1422]
[1423]
[1424]
[1425]
[1426]
[1427]
[1428]
[1429]
[1430]
[1431]
[1432]
[1433]
[1434]
[1435]
[1436]
[1437]
[1438]
[1439]
[1440]
[1441]
[1442]
[1443]
[1444]
[1445]
[1446]
[1447]
[1448]
[1449]
[1450]
[1451]
[1452]
[1453]
[1454]
[1455]
[1456]
[1457]
[1458]
[1459]
[1460]
[1461]
[1462]
[1463]
[1464]
[1465]
[1466]
[1467]
[1468]
[1469]
[1470]
[1471]
[1472]
[1473]
[1474]
[1475]
[1476]
[1477]
[1478]
[1479]
[1480]
[1481]
[1482]
[1483]
[1484]
[1485]
[1486]
[1487]
[1488]
[1489]
[1490]
[1491]
[1492]
[1493]
[1494]
[1495]
[1496]
[1497]
[1498]
[1499]
[1500]
[1501]
[1502]
[1503]
[1504]
[1505]
[1506]
[1507]
[1508]
[1509]
[1510]
[1511]
[1512]
[1513]
[1514]
[1515]
[1516]
[1517]
[1518]
[1519]
[1520]
[1521]
[1522]
[1523]
[1524]
[1525]
[1526]
[1527]
[1528]
[1529]
[1530]
[1531]
[1532]
[1533]
[1534]
[1535]
[1536]
[1537]
[1538]
[1539]
[1540]
[1541]
[1542]
[1543]
[1544]
[1545]
[1546]
[1547]
[1548]
[1549]
[1550]
[1551]
[1552]
[1553]
[1554]
[1555]
[1556]
[1557]
[1558]
[1559]
[1560]
[1561]
[1562]
[1563]
[1564]
[1565]
[1566]
[1567]
[1568]
[1569]
[1570]
[1571]
[1572]
[1573]
[1574]
[1575]
[1576]
[1577]
[1578]
[1579]
[1580]
[1581]
[1582]
[1583]
[1584]
[1585]
[1586]
[1587]
[1588]
[1589]
[1590]
[1591]
[1592]
[1593]
[1594]
[1595]
[1596]
[1597]
[1598]
[1599]
[1600]
[1601]
[1602]
[1603]
[1604]
[1605]
[1606]
[1607]
[1608]
[1609]
[1610]
[1611]
[1612]
[1613]
[1614]
[1615]
[1616]
[1617]
[1618]
[1619]
[1620]
[1621]
[1622]
[1623]
[1624]
[1625]
[1626]
[1627]
[1628]
[1629]
[1630]
[1631]
[1632]
[1633]
[1634]
[1635]
[1636]
[1637]
[1638]
[1639]
[1640]
[1641]
[1642]
[1643]
[1644]
[1645]
[1646]
[1647]
[1648]
[1649]
[1650]
[1651]
[1652]
[1653]
[1654]
[1655]
[1656]
[1657]
[1658]
[1659]
[1660]
[1661]
[1662]
[1663]
[1664]
[1665]
[1666]
[1667]
[1668]
[1669]
[1670]
[1671]
[1672]
[1673]
[1674]
[1675]
[1676]
[1677]
[1678]
[1679]
[1680]
[1681]
[1682]
[1683]
[1684]
[1685]
[1686]
[1687]
[1688]
[1689]
[1690]
[1691]
[1692]
[1693]
[1694]
[1695]
[1696]
[1697]
[1698]
[1699]
[1700]
[1701]
[1702]
[1703]
[1704]
[1705]
[1706]
[1707]
[1708]
[1709]
[1710]
[1711]
[1712]
[1713]
[1714]
[1715]
[1716]
[1717]
[1718]
[1719]
[1720]
[1721]
[1722]
[1723]
[1724]
[1725]
[1726]
[1727]
[1728]
[1729]
[1730]
[1731]
[1732]
[1733]
[1734]
[1735]
[1736]
[1737]
[1738]
[1739]
[1740]
[1741]
[1742]
[1743]
[1744]
[1745]
[1746]
[1747]
[1748]
[1749]
[1750]
[1751]
[1752]
[1753]
[1754]
[1755]
[1756]
[1757]
[1758]
[1759]
[1760]
[1761]
[1762]
[1763]
[1764]
[1765]
[1766]
[1767]
[1768]
[1769]
[1770]
[1771]
[1772]
[1773]
[1774]
[1775]
[1776]
[1777]
[1778]
[1779]
[1780]
[1781]
[1782]
[1783]
[1784]
[1785]
[1786]
[1787]
[1788]
[1789]
[1790]
[1791]
[1792]
[1793]
[1794]
[1795]
[1796]
[1797]
[1798]
[1799]
[1800]
[1801]
[1802]
[1803]
[1804]
[1805]
[1806]
[1807]
[1808]
[1809]
[1810]
[1811]
[1812]
[1813]
[1814]
[1815]
[1816]
[1817]
[1818]
[1819]
[1820]
[1821]
[1822]
[1823]
[1824]
[1825]
[1826]
[1827]
[1828]
[1829]
[1830]
[1831]
[1832]
[1833]
[1834]
[1835]
[1836]
[1837]
[1838]
[1839]
[1840]
[1841]
[1842]
[1843]
[1844]
[1845]
[1846]
[1847]
[1848]
[1849]
[1850]
[1851]
[1852]
[1853]
[1854]
[1855]
[1856]
[1857]
[1858]
[1859]
[1860]
[1861]
[1862]
[1863]
[1864]
[1865]
[1866]
[1867]
[1868]
[1869]
[1870]
[1871]
[1872]
[1873]
[1874]
[1875]
[1876]
[1877]
[1878]
[1879]
[1880]
[1881]
[1882]
[1883]
[1884]
[1885]
[1886]
[1887]
[1888]
[1889]
[1890]
[1891]
[1892]
[1893]
[1894]
[1895]
[1896]
[1897]
[1898]
[1899]
[1900]
[1901]
[1902]
[1903]
[1904]
[1905]
[1906]
[1907]
[1908]
[1909]
[1910]
[1911]
[1912]
[1913]
[1914]
[1915]
[1916]
[1917]
[1918]
[1919]
[1920]
[1921]
[1922]
[1923]
[1924]
[1925]
[1926]
[1927]
[1928]
[1929]
[1930]
[1931]
[1932]
[1933]
[1934]
[1935]
[1936]
[1937]
[1938]
[1939]
[1940]
[1941]
[1942]
[1943]
[1944]
[1945]
[1946]
[1947]
[1948]
[1949]
[1950]
[1951]
[1952]
[1953]
[1954]
[1955]
[1956]
[1957]
[1958]
[1959]
[1960]
[1961]
[1962]
[1963]
[1964]
[1965]
[1966]
[1967]
[1968]
[1969]
[1970]
[1971]
[1972]
[1973]
[1974]
[1975]
[1976]
[1977]
[1978]
[1979]
[1980]
[1981]
[1982]
[1983]
[1984]
[1985]
[1986]
[1987]
[1988]
[1989]
[1990]
[1991]
[1992]
[1993]
[1994]
[1995]
[1996]
[1997]
[1998]
[1999]
[2000]
[2001]
[2002]
[2003]
[2004]
[2005]
[2006]
[2007]
[2008]
[2009]
[2010]
[2011]
[2012]
[2013]
[2014]
[2015]
[2016]
[2017]
[2018]
[2019]
[2020]
[2021]
[2022]
[2023]
[2024]
[2025]
[2026]
[2027]
[2028]
[2029]
[2030]
[2031]
[2032]
[2033]
[2034]
[2035]
[2036]
[2037]
[2038]
[2039]
[2040]
[2041]
[2042]
[2043]
[2044]
[2045]
[2046]
[2047]
[2048]
[2049]
[2050]
[2051]
[2052]
[2053]
[2054]
[2055]
[2056]
[2057]
[2058]
[2059]
[2060]
[2061]
[2062]
[2063]
[2064]
[2065]
[2066]
[2067]
[2068]
[2069]
[2070]
[2071]
[2072]
[2073]
[2074]
[2075]
[2076]
[2077]
[2078]
[2079]
[2080]
[2081]
[2082]
[2083]
[2084]
[2085]
[2086]
[2087]
[2088]
[2089]
[2090]
[2091]
[2092]
[2093]
[2094]
[2095]
[2096]
[2097]
[2098]
[2099]
[2100]
[2101]
[2102]
[2103]
[2104]
[2105]
[2106]
[2107]
[2108]
[2109]
[2110]
[2111]
[2112]
[2113]
[2114]
[2115]
[2116]
[2117]
[2118]
[2119]
[2120]
[2121]
[2122]
[2123]
[2124]
[2125]
[2126]
[2127]
[2128]
[2129]
[2130]
[2131]
[2132]
[2133]
[2134]
[2135]
[2136]
[2137]
[2138]
[2139]
[2140]
[2141]
[2142]
[2143]
[2144]
[2145]
[2146]
[2147]
[2148]
[2149]
[2150]
[2151]
[2152]
[2153]
[2154]
[2155]
[2156]
[2157]
[2158]
[2159]
[2160]
[2161]
[2162]
[2163]
[2164]
[2165]
[2166]
[2167]
[2168]
[2169]
[2170]
[2171]
[2172]
[2173]
[2174]
[2175]
[2176]
[2177]
[2178]
[2179]
[2180]
[2181]
[2182]
[2183]
[2184]
[2185]
[2186]
[2187]
[2188]
[2189]
[2190]
[2191]
[2192]
[2193]
[2194]
[2195]
[2196]
[2197]
[2198]
[2199]
[2200]
[2201]
[2202]
[2203]
[2204]
[2205]
[2206]
[2207]
[2208]
[2209]
[2210]
[2211]
[2212]
[2213]
[2214]
[2215]
[2216]
[2217]
[2218]
[2219]
[2220]
[2221]
[2222]
[2223]
[2224]
[2225]
[2226]
[2227]
[2228]
[2229]
[2230]
[2231]
[2232]
[2233]
[2234]
[2235]
[2236]
[2237]
[2238]
[2239]
[2240]
[2241]
[2242]
[2243]
[2244]
[2245]
[2246]
[2247]
[2248]
[2249]
[2250]
[2251]
[2252]
[2253]
[2254]
[2255]
[2256]
[2257]
[2258]
[2259]
[2260]
[2261]
[2262]
[2263]
[2264]
[2265]
[2266]
[2267]
[2268]
[2269]
[2270]
[2271]
[2272]
[2273]
[2274]
[2275]
[2276]
[2277]
[2278]
[2279]
[2280]
[2281]
[2282]
[2283]
[2284]
[2285]
[2286]
[2287]
[2288]
[2289]
[2290]
[2291]
[2292]
[2293]
[2294]
[2295]
[2296]
[2297]
[2298]
[2299]
[2300]
[2301]
[2302]
[2303]
[2304]
[2305]
[2306]
[2307]
[2308]
[2309]
[2310]
[2311]
[2312]
[2313]
[2314]
[2315]
[2316]
[2317]
[2318]
[2319]
[2320]
[2321]
[2322]
[2323]
[2324]
[2325]
[2326]
[2327]
[2328]
[2329]
[2330]
[2331]
[2332]
[2333]
[2334]
[2335]
[2336]
[2337]
[2338]
[2339]
[2340]
[2341]
[2342]
[2343]
[2344]
[2345]
[2346]
[2347]
[2348]
[2349]
[2350]
[2351]
[2352]
[2353]
[2354]
[2355]
[2356]
[2357]
[2358]
[2359]
[2360]
[2361]
[2362]
[2363]
[2364]
[2365]
[2366]
[2367]
[2368]
[2369]
[2370]
[2371]
[2372]
[2373]
[2374]
[2375]
[2376]
[2377]
[2378]
[2379]
[2380]
[2381]
[2382]
[2383]
[2384]
[2385]
[2386]
[2387]
[2388]
[2389]
[2390]
[2391]
[2392]
[2393]
[2394]
[2395]
[2396]
[2397]
[2398]
[2399]
[2400]
[2401]
[2402]
[2403]
[2404]
[2405]
[2406]
[2407]
[2408]
[2409]
[2410]
[2411]
[2412]
[2413]
[2414]
[2415]
[2416]
[2417]
[2418]
[2419]
[2420]
[2421]
[2422]
[2423]
[2424]
[2425]
[2426]
[2427]
[2428]
[2429]
[2430]
[2431]
[2432]
[2433]
[2434]
[2435]
[2436]
[2437]
[2438]
[2439]
[2440]
[2441]
[2442]
[2443]
[2444]
[2445]
[2446]
[2447]
[2448]
[2449]
[2450]
[2451]
[2452]
[2453]
[2454]
[2455]
[2456]
[2457]
[2458]
[2459]
[2460]
[2461]
[2462]
[2463]
[2464]
[2465]
[2466]
[2467]
[2468]
[2469]
[2470]
[2471]
[2472]
[2473]
[2474]
[2475]
[2476]
[2477]
[2478]
[2479]
[2480]
[2481]
[2482]
[2483]
[2484]
[2485]
[2486]
[2487]
[2488]
[2489]
[2490]
[2491]
[2492]
[2493]
[2494]
[2495]
[2496]
[2497]
[2498]
[2499]
[2500]
[2501]
[2502]
[2503]
[2504]
[2505]
[2506]
[2507]
[2508]
[2509]
[2510]
[2511]
[2512]
[2513]
[2514]
[2515]
[2516]
[2517]
[2518]
[2519]
[2520]
[2521]
[2522]
[2523]
[2524]
[2525]
[2526]
[2527]
[2528]
[2529]
[2530]
[2531]
[2532]
[2533]
[2534]
[2535]
[2536]
[2537]
[2538]
[2539]
[2540]
[2541]
[2542]
[2543]
[2544]
[2545]
[2546]
[2547]
[2548]
[2549]
[2550]
[2551]
[2552]
[2553]
[2554]
[2555]
[2556]
[2557]
[2558]
[2559]
[2560]
[2561]
[2562]
[2563]
[2564]
[2565]
[2566]
[2567]
[2568]
[2569]
[2570]
[2571]
[2572]
[2573]
[2574]
[2575]
[2576]
[2577]
[2578]
[2579]
[2580]
[2581]
[2582]
[2583]
[2584]
[2585]
[2586]
[2587]
[2588]
[2589]
[2590]
[2591]
[2592]
[2593]
[2594]
[2595]
[2596]
[2597]
[2598]
[2599]
[2600]
[2601]
[2602]
[2603]
[2604]
[2605]
[2606]
[2607]
[2608]
[2609]
[2610]
[2611]
[2612]
[2613]
[2614]
[2615]
[2616]
[2617]
[2618]
[2619]
[2620]
[2621]
[2622]
[2623]
[2624]
[2625]
[2626]
[2627]
[2628]
[2629]
[2630]
[2631]
[2632]
[2633]
[2634]
[2635]
[2636]
[2637]
[2638]
[2639]
[2640]
[2641]
[2642]
[2643]
[2644]
[2645]
[2646]
[2647]
[2648]
[2649]
[2650]
[2651]
[2652]
[2653]
[2654]
[2655]
[2656]
[2657]
[2658]
[2659]
[2660]
[2661]
[2662]
[2663]
[2664]
[2665]
[2666]
[2667]
[2668]
[2669]
[2670]
[2671]
[2672]
[2673]
[2674]
[2675]
[2676]
[2677]
[2678]
[2679]
[2680]
[2681]
[2682]
[2683]
[2684]
[2685]
[2686]
[2687]
[2688]
[2689]
[2690]
[2691]
[2692]
[2693]
[2694]
[2695]
[2696]
[2697]
[2698]
[2699]
[2700]
[2701]
[2702]
[2703]
[2704]
[2705]
[2706]
[2707]
[2708]
[2709]
[2710]
[2711]
[2712]
[2713]
[2714]
[2715]
[2716]
[2717]
[2718]
[2719]
[2720]
[2721]
[2722]
[2723]
[2724]
[2725]
[2726]
[2727]
[2728]
[2729]
[2730]
[2731]
[2732]
[2733]
[2734]
[2735]
[2736]
[2737]
[2738]
[2739]
[2740]
[2741]
[2742]
[2743]
[2744]
[2745]
[2746]
[2747]
[2748]
[2749]
[2750]
[2751]
[2752]
[2753]
[2754]
[2755]
[2756]
[2757]
[2758]
[2759]
[2760]
[2761]
[2762]
[2763]
[2764]
[2765]
[2766]
[2767]
[2768]
[2769]
[2770]
[2771]
[2772]
[2773]
[2774]
[2775]
[2776]
[2777]
[2778]
[2779]
[2780]
[2781]
[2782]
[2783]
[2784]
[2785]
[2786]
[2787]
[2788]
[2789]
[2790]
[2791]
[2792]
[2793]
[2794]
[2795]
[2796]
[2797]
[2798]
[2799]
[2800]
[2801]
[2802]
[2803]
[2804]
[2805]
[2806]
[2807]
[2808]
[2809]
[2810]
[2811]
[2812]
[2813]
[2814]
[2815]
[2816]
[2817]
[2818]
[2819]
[2820]
[2821]
[2822]
[2823]
[2824]
[2825]
[2826]
[2827]
[2828]
[2829]
[2830]
[2831]
[2832]
[2833]
[2834]
[2835]
[2836]
[2837]
[2838]
[2839]
[2840]
[2841]
[2842]
[2843]
[2844]
[2845]
[2846]
[2847]
[2848]
[2849]
[2850]
[2851]
[2852]
[2853]
[2854]
[2855]
[2856]
[2857]
[2858]
[2859]
[2860]
[2861]
[2862]
[2863]
[2864]
[2865]
[2866]
[2867]
[2868]
[2869]
[2870]
[2871]
[2872]
[2873]
[2874]
[2875]
[2876]
[2877]
[2878]
[2879]
[2880]
[2881]
[2882]
[2883]
[2884]
[2885]
[2886]
[2887]
[2888]
[2889]
[2890]
[2891]
[2892]
[2893]
[2894]
[2895]
[2896]
[2897]
[2898]
[2899]
[2900]
[2901]
[2902]
[2903]
[2904]
[2905]
[2906]
[2907]
[2908]
[2909]
[2910]
[2911]
[2912]
[2913]
[2914]
[2915]
[2916]
[2917]
[2918]
[2919]
[2920]
[2921]
[2922]
[2923]
[2924]
[2925]
[2926]
[2927]
[2928]
[2929]
[2930]
[2931]
[2932]
[2933]
[2934]
[2935]
[2936]
[2937]
[2938]
[2939]
[2940]
[2941]
[2942]
[2943]
[2944]
[2945]
[2946]
[2947]
[2948]
[2949]
[2950]
[2951]
[2952]
[2953]
[2954]
[2955]
[2956]
[2957]
[2958]
[2959]
[2960]
[2961]
[2962]
[2963]
[2964]
[2965]
[2966]
[2967]
[2968]
[2969]
[2970]
[2971]
[2972]
[2973]
[2974]
[2975]
[2976]
[2977]
[2978]
[2979]
[2980]
[2981]
[2982]
[2983]
[2984]
[2985]
[2986]
[2987]
[2988]
[2989]
[2990]
[2991]
[2992]
[2993]
[2994]
[2995]
[2996]
[2997]
[2998]
[2999]
[3000]
[3001]
[3002]
[3003]
[3004]
[3005]
[3006]
[3007]
[3008]
[3009]
[3010]
[3011]
[3012]
[3013]
[3014]
[3015]
[3016]
[3017]
[3018]
[3019]
[3020]
[3021]
[3022]
[3023]
[3024]
[3025]
[3026]
[3027]
[3028]
[3029]
[3030]
[3031]
[3032]
[3033]
[3034]
[3035]
[3036]
[3037]
[3038]
[3039]
[3040]
[3041]
[3042]
[3043]
[3044]
[3045]
[3046]
[3047]
[3048]
[3049]
[3050]
[3051]
[3052]
[3053]
[3054]
[3055]
[3056]
[3057]
[3058]
[3059]
[3060]
[3061]
[3062]
[3063]
[3064]
[3065]
[3066]
[3067]
[3068]
[3069]
[3070]
[3071]
[3072]
[3073]
[3074]
[3075]
[3076]
[3077]
[3078]
[3079]
[3080]
[3081]
[3082]
[3083]
[3084]
[3085]
[3086]
[3087]
[3088]
[3089]
[3090]
[3091]
[3092]
[3093]
[3094]
[3095]
[3096]
[3097]
[3098]
[3099]
[3100]
[3101]
[3102]
[3103]
[3104]
[3105]
[3106]
[3107]
[3108]
[3109]
[3110]
[3111]
[3112]
[3113]
[3114]
[3115]
[3116]
[3117]
[3118]
[3119]
[3120]
[3121]
[3122]
[3123]
[3124]
[3125]
[3126]
[3127]
[3128]
[3129]
[3130]
[3131]
[3132]
[3133]
[3134]
[3135]
[3136]
[3137]
[3138]
[3139]
[3140]
[3141]
[3142]
[3143]
[3144]
[3145]
[3146]
[3147]
[3148]
[3149]
[3150]
[3151]
[3152]
[3153]
[3154]
[3155]
[3156]
[3157]
[3158]
[3159]
[3160]
[3161]
[3162]
[3163]
[3164]
[3165]
[3166]
[3167]
[3168]
[3169]
[3170]
[3171]
[3172]
[3173]
[3174]
[3175]
[3176]
[3177]
[3178]
[3179]
[3180]
[3181]
[3182]
[3183]
[3184]
[3185]
[3186]
[3187]
[3188]
[3189]
[3190]
[3191]
[3192]
[3193]
[3194]
[3195]
[3196]
[3197]
[3198]
[3199]
[3200]
[3201]
[3202]
[3203]
[3204]
[3205]
[3206]
[3207]
[3208]
[3209]
[3210]
[3211]
[3212]
[3213]
[3214]
[3215]
[3216]
[3217]
[3218]
[3219]
[3220]
[3221]
[3222]
[3223]
[3224]
[3225]
[3226]
[3227]
[3228]
[3229]
[3230]
[3231]
[3232]
[3233]
[3234]
[3235]
[3236]
[3237]
[3238]
[3239]
[3240]
[3241]
[3242]
[3243]
[3244]
[3245]
[3246]
[3247]
[3248]
[3249]
[3250]
[3251]
[3252]
[3253]
[3254]
[3255]
[3256]
[3257]
[3258]
[3259]
[3260]
[3261]
[3262]
[3263]
[3264]
[3265]
[3266]
[3267]
[3268]
[3269]
[3270]
[3271]
[3272]
[3273]
[3274]
[3275]
[3276]
[3277]
[3278]
[3279]
[3280]
[3281]
[3282]
[3283]
[3284]
[3285]
[3286]
[3287]
[3288]
[3289]
[3290]
[3291]
[3292]
[3293]
[3294]
[3295]
[3296]
[3297]
[3298]
[3299]
[3300]
[3301]
[3302]
[3303]
[3304]
[3305]
[3306]
[3307]
[3308]
[3309]
[3310]
[3311]
[3312]
[3313]
[3314]
[3315]
[3316]
[3317]
[3318]
[3319]
[3320]
[3321]
[3322]
[3323]
[3324]
[3325]
[3326]
[3327]
[3328]
[3329]
[3330]
[3331]
[3332]
[3333]
[3334]
[3335]
[3336]
[3337]
[3338]
[3339]
[3340]
[3341]
[3342]
[3343]
[3344]
[3345]
[3346]
[3347]
[3348]
[3349]
[3350]
[3351]
[3352]
[3353]
[3354]
[3355]
[3356]
[3357]
[3358]
[3359]
[3360]
[3361]
[3362]
[3363]
[3364]
[3365]
[3366]
[3367]
[3368]
[3369]
[3370]
[3371]
[3372]
[3373]
[3374]
[3375]
[3376]
[3377]
[3378]
[3379]
[3380]
[3381]
[3382]
[3383]
[3384]
[3385]
[3386]
[3387]
[3388]
[3389]
[3390]
[3391]
[3392]
[3393]
[3394]
[3395]
[3396]
[3397]
[3398]
[3399]
[3400]
[3401]
[3402]
[3403]
[3404]
[3405]
[3406]
[3407]
[3408]
[3409]
[3410]
[3411]
[3412]
[3413]
[3414]
[3415]
[3416]
[3417]
[3418]
[3419]
[3420]
[3421]
[3422]
[3423]
[3424]
[3425]
[3426]
[3427]
[3428]
[3429]
[3430]
[3431]
[3432]
[3433]
[3434]
[3435]
[3436]
[3437]
[3438]
[3439]
[3440]
[3441]
[3442]
[3443]
[3444]
[3445]
[3446]
[3447]
[3448]
[3449]
[3450]
[3451]
[3452]
[3453]
[3454]
[3455]
[3456]
[3457]
[3458]
[3459]
[3460]
[3461]
[3462]
[3463]
[3464]
[3465]
[3466]
[3467]
[3468]
[3469]
[3470]
[3471]
[3472]
[3473]
[3474]
[3475]
[3476]
[3477]
[3478]
[3479]
[3480]
[3481]
[3482]
[3483]
[3484]
[3485]
[3486]
[3487]
[3488]
[3489]
[3490]
[3491]
[3492]
[3493]
[3494]
[3495]
[3496]
[3497]
[3498]
[3499]
[3500]
[3501]
[3502]
[3503]
[3504]
[3505]
[3506]
[3507]
[3508]
[3509]
[3510]
[3511]
[3512]
[3513]
[3514]
[3515]
[3516]
[3517]
[3518]
[3519]
[3520]
[3521]
[3522]
[3523]
[3524]
[3525]
[3526]
[3527]
[3528]
[3529]
[3530]
[3531]
[3532]
[3533]
[3534]
[3535]
[3536]
[3537]
[3538]
[3539]
[3540]
[3541]
[3542]
[3543]
[3544]
[3545]
[3546]
[3547]
[3548]
[3549]
[3550]
[3551]
[3552]
[3553]
[3554]
[3555]
[3556]
[3557]
[3558]
[3559]
[3560]
[3561]
[3562]
[3563]
[3564]
[3565]
[3566]
[3567]
[3568]
[3569]
[3570]
[3571]
[3572]
[3573]
[3574]
[3575]
[3576]
[3577]
[3578]
[3579]
[3580]
[3581]
[3582]
[3583]
[3584]
[3585]
[3586]
[3587]
[3588]
[3589]
[3590]
[3591]
[3592]
[3593]
[3594]
[3595]
[3596]
[3597]
[3598]
[3599]
[3600]
[3601]
[3602]
[3603]
[3604]
[3605]
[3606]
[3607]
[3608]
[3609]
[3610]
[3611]
[3612]
[3613]
[3614]
[3615]
[3616]
[3617]
[3618]
[3619]
[3620]
[3621]
[3622]
[3623]
[3624]
[3625]
[3626]
[3627]
[3628]
[3629]
[3630]
[3631]
[3632]
[3633]
[3634]
[3635]
[3636]
[3637]
[3638]
[3639]
[3640]
[3641]
[3642]
[3643]
[3644]
[3645]
[3646]
[3647]
[3648]
[3649]
[3650]
[3651]
[3652]
[3653]
[3654]
[3655]
[3656]
[3657]
[3658]
[3659]
[3660]
[3661]
[3662]
[3663]
[3664]
[3665]
[3666]
[3667]
[3668]
[3669]
[3670]
[3671]
[3672]
[3673]
[3674]
[3675]
[3676]
[3677]
[3678]
[3679]
[3680]
[3681]
[3682]
[3683]
[3684]
[3685]
[3686]
[3687]
[3688]
[3689]
[3690]
[3691]
[3692]
[3693]
[3694]
[3695]
[3696]
[3697]
[3698]
[3699]
[3700]
[3701]
[3702]
[3703]
[3704]
[3705]
[3706]
[3707]
[3708]
[3709]
[3710]
[3711]
[3712]
[3713]
[3714]
[3715]
[3716]
[3717]
[3718]
[3719]
[3720]
[3721]
[3722]
[3723]
[3724]
[3725]
[3726]
[3727]
[3728]
[3729]
[3730]
[3731]
[3732]
[3733]
[3734]
[3735]
[3736]
[3737]
[3738]
[3739]
[3740]
[3741]
[3742]
[3743]
[3744]
[3745]
[3746]
[3747]
[3748]
[3749]
[3750]
[3751]
[3752]
[3753]
[3754]
[3755]
[3756]
[3757]
[3758]
[3759]
[3760]
[3761]
[3762]
[3763]
[3764]
[3765]
[3766]
[3767]
[3768]
[3769]
[3770]
[3771]
[3772]
[3773]
[3774]
[3775]
[3776]
[3777]
[3778]
[3779]
[3780]
[3781]
[3782]
[3783]
[3784]
[3785]
[3786]
[3787]
[3788]
[3789]
[3790]
[3791]
[3792]
[3793]
[3794]
[3795]
[3796]
[3797]
[3798]
[3799]
[3800]
[3801]
[3802]
[3803]
[3804]
[3805]
[3806]
[3807]
[3808]
[3809]
[3810]
[3811]
[3812]
[3813]
[3814]
[3815]
[3816]
[3817]
[3818]
[3819]
[3820]
[3821]
[3822]
[3823]
[3824]
[3825]
[3826]
[3827]
[3828]
[3829]
[3830]
[3831]
[3832]
[3833]
[3834]
[3835]
[3836]
[3837]
[3838]
[3839]
[3840]
[3841]
[3842]
[3843]
[3844]
[3845]
[3846]
[3847]
[3848]
[3849]
[3850]
[3851]
[3852]
[3853]
[3854]
[3855]
[3856]
[3857]
[3858]
[3859]
[3860]
[3861]
[3862]
[3863]
[3864]
[3865]
[3866]
[3867]
[3868]
[3869]
[3870]
[3871]
[3872]
[3873]
[3874]
[3875]
[3876]
[3877]
[3878]
[3879]
[3880]
[3881]
[3882]
[3883]
[3884]
[3885]
[3886]
[3887]
[3888]
[3889]
[3890]
[3891]
[3892]
[3893]
[3894]
[3895]
[3896]
[3897]
[3898]
[3899]
[3900]
[3901]
[3902]
[3903]
[3904]
[3905]
[3906]
[3907]
[3908]
[3909]
[3910]
[3911]
[3912]
[3913]
[3914]
[3915]
[3916]
[3917]
[3918]
[3919]
[3920]
[3921]
[3922]
[3923]
[3924]
[3925]
[3926]
[3927]
[3928]
[3929]
[3930]
[3931]
[3932]
[3933]
[3934]
[3935]
[3936]
[3937]
[3938]
[3939]
[3940]
[3941]
[3942]
[3943]
[3944]
[3945]
[3946]
[3947]
[3948]
[3949]
[3950]
[3951]
[3952]
[3953]
[3954]
[3955]
[3956]
[3957]
[3958]
[3959]
[3960]
[3961]
[3962]
[3963]
[3964]
[3965]
[3966]
[3967]
[3968]
[3969]
[3970]
[3971]
[3972]
[3973]
[3974]
[3975]
[3976]
[3977]
[3978]
[3979]
[3980]
[3981]
[3982]
[3983]
[3984]
[3985]
[3986]
[3987]
[3988]
[3989]
[3990]
[3991]
[3992]
[3993]
[3994]
[3995]
[3996]
[3997]
[3998]
[3999]
[4000]
[4001]
[4002]
[4003]
[4004]
[4005]
[4006]
[4007]
[4008]
[4009]
[4010]
[4011]
[4012]
[4013]
[4014]
[4015]
[4016]
[4017]
[4018]
[4019]
[4020]
[4021]
[4022]
[4023]
[4024]
[4025]
[4026]
[4027]
[4028]
[4029]
[4030]
[4031]
[4032]
[4033]
[4034]
[4035]
[4036]
[4037]
[4038]
[4039]
[4040]
[4041]
[4042]
[4043]
[4044]
[4045]
[4046]
[4047]
[4048]
[4049]
[4050]
[4051]
[4052]
[4053]
[4054]
[4055]
[4056]
[4057]
[4058]
[4059]
[4060]
[4061]
[4062]
[4063]
[4064]
[4065]
[4066]
[4067]
[4068]
[4069]
[4070]
[4071]
[4072]
[4073]
[4074]
[4075]
[4076]
[4077]
[4078]
[4079]
[4080]
[4081]
[4082]
[4083]
[4084]
[4085]
[4086]
[4087]
[4088]
[4089]
[4090]
[4091]
[4092]
[4093]
[4094]
[4095]
[4096]
[4097]
[4098]
[4099]
[4100]
[4101]
[4102]
[4103]
[4104]
[4105]
[4106]
[4107]
[4108]
[4109]
[4110]
[4111]
[4112]
[4113]
[4114]
[4115]
[4116]
[4117]
[4118]
[4119]
[4120]
[4121]
[4122]
[4123]
[4124]
[4125]
[4126]
[4127]
[4128]
[4129]
[4130]
[4131]
[4132]
[4133]
[4134]
[4135]
[4136]
[4137]
[4138]
[4139]
[4140]
[4141]
[4142]
[4143]
[4144]
[4145]
[4146]
[4147]
[4148]
[4149]
[4150]
[4151]
[4152]
[4153]
[4154]
[4155]
[4156]
[4157]
[4158]
[4159]
[4160]
[4161]
[4162]
[4163]
[4164]
[4165]
[4166]
[4167]
[4168]
[4169]
[4170]
[4171]
[4172]
[4173]
[4174]
[4175]
[4176]
[4177]
[4178]
[4179]
[4180]
[4181]
[4182]
[4183]
[4184]
[4185]
[4186]
[4187]
[4188]
[4189]
[4190]
[4191]
[4192]
[4193]
[4194]
[4195]
[4196]
[4197]
[4198]
[4199]
[4200]
[4201]
[4202]
[4203]
[4204]
[4205]
[4206]
[4207]
[4208]
[4209]
[4210]
[4211]
[4212]
[4213]
[4214]
[4215]
[4216]
[4217]
[4218]
[4219]
[4220]
[4221]
[4222]
[4223]
[4224]
[4225]
[4226]
[4227]
[4228]
[4229]
[4230]
[4231]
[4232]
[4233]
[4234]
[4235]
[4236]
[4237]
[4238]
[4239]
[4240]
[4241]
[4242]
[4243]
[4244]
[4245]
[4246]
[4247]
[4248]
[4249]
[4250]
[4251]
[4252]
[4253]
[4254]
[4255]
[4256]
[4257]
[4258]
[4259]
[4260]
[4261]
[4262]
[4263]
[4264]
[4265]
[4266]
[4267]
[4268]
[4269]
[4270]
[4271]
[4272]
[4273]
[4274]
[4275]
[4276]
[4277]
[4278]
[4279]
[4280]
[4281]
[4282]
[4283]
[4284]
[4285]
[4286]
[4287]
/*****************************************************************************/
/*
Auth.c
THE GNU GENERAL PUBLIC LICENSE APPLIES DOUBLY TO ANYTHING TO DO WITH
AUTHENTICATION AND AUTHORIZATION!
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 3 of the License, or any later
version.
> This package is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
OVERVIEW
--------
This is "path"-based authorization/authentication. That is, access is
controlled according to the path specified in the request. A path can have
capabilities, or access controls, allowing any combination of DELETE, GET,
HEAD, POST and PUT method capabilities. The world can have capabilities
against a path. An authenticated user also can have capabilities. The request
capability is the logical AND of the path and world/user capabilities, meaning
the request gets the minimum of the path and user's access. There are no
access-control files in any data directory. It is all under the control of the
HTTPd server manager.
AUTHORIZATION IS ALWAYS PERFORMED AGAINST THE REQUEST'S PATHINFO STRING (the
string parsed from the original request path), NOT AGAINST ANY RE-MAPPED PATH.
THERE SHOULD BE NO AMBIGUITY ABOUT WHAT IS BEING AUTHORIZED!
When a request contains a controlled path the authorization for access to that
path is made against a password database for the authentication "realm" the
path belongs to. A realm (or group) name is a 1 to 31 character string
describing the collection of one or more paths for purposes of authenticating
against a common password file. A realm/group name should contain only alpha-
numeric, underscore and hyphen characters. See below for a description of the
difference between realms and groups. REITERATION: THE REALM NAME IS WHAT
THE USER-SUPPLIED PASSWORD IS CHECKED AGAINST.
The following realm names are reserved:
o "ACME" authenticated by th VMS ACME service using SYS$ACM()
the realm name indicate the Domain of Interpretation (DOI)
used by the ACME service (non-VAX, VMS V7.3 and later)
o "EXTERNAL" scripts authenticating their own realm, group,
user names and plain-text password are available
to the script for it's own authorization processing
(a little like OPAQUE but server generates the challenge)
o "NONE" any request, is not authenticated,
all authorization details are left empty
o "OPAQUE" a script generating it's own challenge/response and
does all it's own "Authorization:" field processing
(a little like EXTERNAL but server does nothing)
o "PROMISCUOUS" only ever mapped when /PROMISCUOUS in use
o "RFC1413" 'authentication' via the "identification protocol"
described in RFC1413
o "SKELKEY" only applies if skeleton-key authentication is active
if not active a 403 (forbidden) is returned
o "TOKEN" a short-lived token issued in one authorisation space
is used to authorise access in another
o "VMS" SYSUAF authentication,
via the SYSUAF, or restricted to accounts with identifiers
prime/secondary days & hours will restrict
o "WORLD" any request, is not authenticated,
both the realm and username are set to "WORLD"
o "X509" X509 client certificate available when requesting
via SSL (see SESOLA.C for detail)
Note that VMS can have one or more synonym realm names which can be used to
disguise the fact SYSUAF authentication is in use. Just specify the synonym
name followed immediately by "=VMS", as in the following example: "TESTING=VMS"
A plain-text description can also be associated with a realm name, providing
a more informative message to the browser user during the username/password
dialog. This must be specified as a double-quote enclosed string preceding the
realm name. Here are a couple of examples:
["the server system's SYSUAF"=VMS]
["just a contrived example"=VMS]
Also see the topics "SYSUAF-authentication by WASD Identifier" and
"SYSUAF-authentication by non-WASD Identifier" below.
A path specification begins at the root and usually continues down to an
asterisk indicating a match against any path beginning with that string. Paths
may overlap. That is a parent directory may have subdirectory trees that
differ in access controls. The same path specification may not belong to more
than one realm at a time :^)
The [IncludeFile] directive takes a VMS file name as a parameter. It then
attempts to read and insert any directives contained in that file into the
current point in the authorization configuration. Files may be nested one deep
(i.e. a main configuration file allowed to include other files, but the other
file not allowed in include yet more).
USER "LOGOUT" FROM AUTHENTICATION
---------------------------------
A user may cancel authentication for any path by submitting a request using
that path and a query string of "?httpd=logout" (or "?httpd=cancel").
An authentication username/password dialog will be presented by the browser.
The user should clear both username and password fields and submit. The same
dialog will be represented at which time it should be cancelled resulting in an
authentication failure report. The browser should have recognised this and
removed the path's cached authentication information.
More usefully, if using a revalidation period via [AuthRevalidateUserMinutes]
or 'SET auth=revalidate=' (perhaps set to something like 23:59:00, or one day),
when the logout query string is supplied the server resets the last access
(way, way back into the past) forcing any future access to require
revalidation. A successful logout message is then generated, circumventing the
need for the username/password dialog carry-on described earlier.
Also when using a revalidation period a redirection URL may be appended to the
logout query string. It then redirects to the supplied URL, again
circumventing the need for the username/password dialog carry-on. It is
important that the redirection is returned to the browser and not handled
internally by WASD. Normal WASD redirection functionality applies.
?httpd=logout&goto=/// redirects to the local home page
?httpd=logout&goto=///help/logout.html to a specific local page
?httpd=logout&goto=http://the.host.name/ to a specific remote server
BREAK-IN EVASION AND FAILURE REPORTS
------------------------------------
The configuration directives
[AuthFailureLimit] equivalent to LGI_BRK_LIM
[AuthFailurePeriod] LGI_BRK_TMO
[AuthFailureTimeout] LGI_HID_TIM
provide a similar break-in detection and evasion as with VMS. A single
authentication failure marks the particular username in the particular realm as
suspect. Repeated failures up to [AuthFailureLimit] attempts within the
[AuthFailurePeriodSeconds] period puts it into break-in evasion mode after
which the period [AuthFailureTimeoutSeconds] must expire before further
attempts have authentication performed and so have any chance to succeed.
(This is a change in behaviour to versions earlier than 8.3.) If any of the
above three parameters are not specified they default to the corresponding
SYSGEN parameter.
Authentication failures are reported to the process log.
Four messages can be generated.
1. %HTTPD-W-AUTHFAIL, if the request is not authenticated due to there
being no such user or a password mismatch. Isolated instances of this
are only of moderate interest. Consecutive instances may indicate a
user thrashing about for the correct password, but they usually give up
before a dozen attempts.
2. %HTTPD-I-AUTHFAILOK (informational), occurs if there has been at least
one failed attempt to authenticate before a successful attempt.
3. %HTTPD-W-AUTHFAILIM, is of greater concern and occurs if the total
number of failed attempts exceeds the configuration limit (such repeated
attempts will always continue to fail for if this limit is reached
successive attempts are automatically failed).
4. %HTTPD-I-AUTHFAILEXP, where the failure limit reaches the configuration
limit (of 3 above) each failure represents one minute of a period before
expiry of the evasion occurs. A sucessful authentication after expiry
of this period results in one of these messages.
CONFIGURATION
-------------
A collection of paths is controlled by a "realm" authentication source, against
which the request username/password is verified, and optionally one or two
"group" sources, from which the username's capabilities are determined (what
HTTP methods the username can apply against the path).
Authentication sources:
o system SYSUAF account
o ACME authentication (includes SYSUAF)
o HTA database (WASD-specific, non-plain-text file)
o simple, plain-text list of names and unencrypted passwords
o agent (CGIplus script)
o RFC1413 identification protocol
o token
o X.509 client certificate (SSL only)
Authorization sources:
o account possession of specified VMS rights identifiers
(only for SYSUAF authenticated requests)
o HTA database
o host or group of hosts
o simple list
o agent (CGIplus script)
A single file contains authorization configuration directives.
The realm directive comprises the authentication source and zero, one or two
grouping sources, in the following format:
[authentication-source;full-access-group;read-only-group]
Optional method or access keywords (e.g. GET, POST, R+W) may be appended to
specify default access for any paths belonging to the realm. Multiple "realm"
directives for the same realm name may be included, each with its own trailing
paths. These multiple declarations just accumulate.
All paths specified after a "realm" directive, up until the next "realm"
directive will belong to that realm and use the specified authentication
source. Paths are specified with a leading slash (i.e. from the root) down to
either the last character or a wildcard asterisk.
HTTP method keywords, or the generic "READ", "R", "READ+WRITE", "R+W", "WRITE"
and "W", control access to the path (in combination with user access methods).
The method keywords are "CONNECT", "DELETE", "GET" (implying "HEAD"), "HEAD"
"PUT" and "POST". These keywords are optionally supplied following a path. If
none are supplied the realm defaults are applied. The generic keyword "none"
sets all access permissions off, including realm defaults. It is an error not
to supply either. Multiple method keywords may be separated by commas or
spaces. Method keywords are applied in two groups. First the group keywords.
Second, an optional set for controlling world access. These are delimited from
the path keywords by a semi-colon.
As part of the path access control a list of comma-separated elements may
optionally be supplied. These elements may be numeric or alphabetic IP host
addresses (with or without asterisk wildcarding allowing wildcard matching of
domains), authenticated username(s) or the request scheme (protocol, "http:" or
"https:"). If supplied this list restricts access to those matching. For
example:
*.wasd.dsto.gov.au would forbid any host outside the WASD subdomain
131.185.250.* similarly, but specifying using numeric notation
*.wasd.dsto.gov.au,~daniel
https:,*.131.185.250.* limited to a subnet requesting via SSL service
The keyword "localhost", or used as "#localhost", refers to the system the
server is executing on. In this way various functions can be restricted to
browsers executing only on that same system.
The keyword "nocache" prevents caching of authentication information, forcing
each request to be revalidated (this adds significant processing overhead).
The keyword "profile" enables the SYSUAF security profile for that path (see
/PROFILE below).
The keyword "scriptas" results in DCL and DECnet scripts being executed using a
SYSUAF authenticated username (providing the /PERSONA qualifier in is place).
The keyword "final" concludes authorization rule processing as if there was no
matching rule encountered and so acts to prevent further processing at any
point (or even single '*' matching all paths, perhaps for a specific virtual
server).
A network mask may be provided in lieu of a host string. The mask is a
dotted-decimal network address, a slash, then a dotted-decimal mask. For
example "131.185.250.0/255.255.255.192". This has a 6 bit subnet. It operates
by bitwise-ANDing the client host address with the mask, bitwise-ANDing the
network address supplied with the mask, then comparing the two results for
equality. Using the above example the host 131.185.250.250 would be accepted,
but 131.185.250.50 would be rejected. A VLSM (variable-length subnet mask)
style can also be used, where "131.185.250.0/26" would mask the same 6 bit
subnet as above.
Realm names, paths, IP addresses, usernames and access method keywords are all
case insensistive.
Virtual server syntax is the same as for path mapping rules,
[[virtual-host]] (all ports of host) or [[virtual-host:virtual-port]] (
matching specified port of host) for a specific host and [[*]] to resume rules
for all virtual hosts.
Comments may be included by prefixing the line with a "#" characters. Blank
lines are ignored. Directives may span multiple lines by ensuring the last
character on any line to be continued is a backslash ("\").
Misconfigured paths, that might otherwise be left without access control, are
reported during server startup, loaded into the configuration and marked
"fail"ed, and will always deny access. This does not however guarantee that
access control will always work the way intended!!
An example configuration file:
|[WASD;CONFIDENTIAL]
|/web/confidential/* get
|/web/confidential/submissions/* https:,get,post;get
|/web/authors/* get
|
|# realm-context access default
|[WASD] get,head
|/web/pub/*
|/web/pub/submit/* ;get
|
|# realm plus full-access and read-only groups
|[VMS;FULL=LIST;READ=LIST]
|/web/project/jin/* r+w
|
|[WORLD]
|/web/anyone-can-post-here/* post
|/web/example/alpha/* *.wasd.dsto.gov.au,read
|/web/example/numeric/* \
| 131.185.250.*,read
|
|[EXTERNAL]
|/cgi-bin/footypix*
HTA DATABASES
-------------
WASD authentication/authorization databases (which have the extension .$HTA
accounting for their generic name) are binary-content content files with fixed
512 byte records. They may only be administered via the server administration
menu. They provide for encrypted storage of passwords and can also be used to
store groups of usernames for determining group membership. All HTA databases
must be located in the directory specified by the logical HT_AUTH:
HTA databases are the default for realm and group names.
For example: [VMS;ADMIN;USER]
SIMPLE LISTS
------------
Plain-text files may also be used to store collections of usernames. This is
primarily intended as a simple yet effective means of collecting together names
for full-access and read-only access group membership. The file should contain
one username at the beginning of each line. Blank and comment lines are
ignored. White-space delimited text following the username is ignored (with
the exception noted below). The format for each line is
"username other text if required ...". Simple lists have the extension .$HTL
and must be stored in the directory specified by the logical name HT_AUTH: The
free-form 'other text if required' is considered the authenticated user
details and supplied to scripts as 'AUTH_USER' CGI variable.
Although it is better to use another, more secure authentication database,
these lists may have have plain-text "passwords" associated with the usernames.
As these are unencrypted they should not be used for any security-sensitive
purpose, but may suffice for ad hoc or other simple uses. The format for
specifying a password is "username=password other text if required ...".
Simple lists are indicated by appending "=LIST" to the realm or group name.
For example: [VMS;ADMIN=LIST;USER=LIST]
A simple list by default is located in the HT_AUTH: directory. It is possible
to specify an alternate location using an authorization rule containing
'param=/DIRECTORY=DEVICE:[DIRECTORY]'. In this way the authorization list can
be devolved to someone other than the site administrator.
***** CAUTION: DO NOT PLACE THESE IN WEB-SPACE! *****
HOST OR GROUP OF HOSTS
----------------------
A group name (write and read-only grouping - not authentication realms) can be
specified as a host or group of hosts via a network mask. This will serve to
control access via the IP address of the client system. Note that as IP
addresses can be spoofed (impersonated) this is not a guaranteed authorization
control and should be deployed with that in mind.
Groups of hosts may be useful with such authentication schemes as RFC1413 and
X.509 certification. Paths within a realm and host group specifications are
all controlled by the host specification, unlike with the access restriction
host/network mask which applies on a per-path basis.
For example: [RFC1413;131.185.250.*;]
[RFC1413;131.185.250.0/24;]
[RFC1413;131.185.0.0/255.255.0.0]
VMS IDENTIFIERS
---------------
The qualifier /SYSUAF=ID directs the server to allow SYSUAF authentication only
when the VMS account possesses a specified identifier. NO IDENTIFIER, NO
ACCESS, NO MATTER HOW MANY CORRECT PASSWORDS SUPPLIED. An excellent
combination is /SYSUAF=(ID,SSL)!
VMS identifiers may be used to control who may authenticate using the SYSUAF,
who is a member of a full-access group, and who is a member of a read-only
group. These may be any existing or web-specific VMS identifier name possessed
by a given account. Standard [realm;group-r+w;group-r] syntax is employed,
with a trailing "=ID..." indicating it is an identifier.
For example: [VMS;JIN_PROJECT=ID;JIN_LIBRARIAN=ID]
For a realm specification without group membership requirements (i.e.
[realm;;]) full-access is granted to the username (this is of course adjusted
according to the path specified access level). When used for determining group
membership, holding the identifier specified in the full-access group (i.e.
[realm;GROUP-R+W;group-r]) provides full read and write access. If the
full-access identifier is not held by the user but the read-only one is (i.e.
[realm;group-r+w;GROUP-R]) the username receives read access.
NOTE: VMS Identifier identifiers may only be used for specifying group
membership for realms authenticated using the SYSUAF. Specifying an identifier
group for any other authentication source results in an authorization
configuration error.
Identifier names may contain 1 to 31 characters.
The following examples should help clarify this description (note that the
identifier names are completely arbitrary).
[JIN_PROJECT=ID]
# If an account holds the JIN_PROJECT identifier that username and
# password may be used for authentication for this realm's paths.
# Note that this account gets read and write access against the username,
# subject to the path's access specification (also read+write in this case).
/web/project/jin/* r+w
[JIN_PROJECT=ID;JIN_LIBRARIAN=ID;JIN_USER=ID]
# If an account is a holder of the JIN_PROJECT identifier then the account
# password may be used for server authentication for this realm's paths.
# If the account also holds the JIN_LIBRARIAN will it be allowed write
# access, if JIN_USER then read access, to the realm's paths.
/web/project/jin/library/* r+w
[JIN_PROJECT=ID;JIN_CODE=ID]
# Only if the account possesses both the JIN_PROJECT and JIN_CODE
# identifiers will the username get read+write access to realm's paths.
[LOCAL=VMS;JIN_PROJECT=ID]
# If an account holds the WASD_VMS_R or the WASD_VMS_RE then the username
# can authenticate against the SYSUAF. However, only if the account also
# holds the JIN_PROJECT identifier can they access this realm's paths.
# Read and/or write depends on the "WASD_VMS_..." identifier held and
# the path access specification (read-only in this case).
/web/project/jin/* r
[JIN_PROJECT=ID;FELIX]
# If an account is a holder of the JIN_PROJECT identifier then account
# password may be used for server authentication for this realm's paths.
# Only if the account also has the WASD_VMS__FELIX identifier will it be
# allowed to access the realm's paths.
/web/project/jin/* r+w
SPECIAL-PURPOSE IDENTIFIERS
---------------------------
Three special-purpose identifiers allow supplementary capabilities. These do
not have to be used or exist, even though if the server is configured to use
rights identifiers, at startup, it will warn of their absence.
WASD_HTTPS_ONLY ........ the account may SYSUAF authenticate only via a
secure (SSL) connection
WASD_NIL_ACCESS ........ allows nil-access account (with restrictions from
any/all sources and/or days/hours) to authenticate
WASD_PASSWORD_CHANGE ... allows the account to change it's SYSUAF primary
password via the server
WASD_PROXY_ACCESS ...... allows a mapping from non-SYSUAF username to SYSUAF
username as if authenticated via the SYSUAF
ACME SERVICE
------------
On non-VAX platforms running VMS V7.3 or later the Authentication and
Credentials Management Extensions (ACME) subsystem provides authentication and
persona-based credential services. Applications use these services to enforce
authentication policies defined by ACME agents running in the context of the
ACME_SERVER process. The ACME server currently (V7.3-2) supports a VMS
(SYSUAF) and a NT Lan Manager domain agent. Third-party and local agents re
also possible.
The Domain Of Interpretation (DOI) is specified as the realm name. If "VMS" is
used, or a string beginning "VMS-" or "VMS_", the ACME service authentications
from the SYSUAF. This provides all of the facilities and restrictions
available when using the "VMS" realm. If another string is used as the realm
name it needs to be a DOI (agent) available for the site's particular ACME
service.
["ACME Coyote"=VMS=ACME;JIN_PROJECT=id]
/a/path/* r+w,https:
The above example authenticates the path against the SYSUAF using the ACME
service. Access to the path is further restricted to users holding the
JIN_PROJECT rights identifier.
["Hypothetical Agent"=HYPOAUTH=ACME]
/a/path/* read,https:
The example above authenticates the path against the hypothetical ACME agent
accessable via the DOI of "HYPOAUTH".
TOKEN
-----
Reflect the authorisation applied in one environment to another using a
short-lived token supplied as a cookie. Originally devised to allow controlled
access to very large datasets without the overhead of SSL in the transmission
but with the access credentials supplied in the privacy of an SSL connection.
The cookie contains NO CREDENTIAL data at all and the agent manages an internal
database (in global memory) of these so it can determine whether any supplied
token is valid and when that token has expired. By default (and commonly)
token authorisation occurs in non-SSL space (http:) and the credential
authorisation in SSL space (https:) although it is possible to have the two
differentiated by port only.
See description in AUTHTOKEN.C
AUTHENTICATION AGENT SCRIPTS
----------------------------
An authentication agent script is a CGIplus script that can be activated during
the authorization process to perform the actual authentication/authorization
and return results to the server for access or denial. Agents may be used with
realm specifications (for authentication) or with group specifications (for
authorization via group membership).
They are provided so that sites may provide a customized authentication
mechanism (perhaps in addition to the WASD standard ones) or for authentication
via some sort of potentially highly-latent source such as LDAP. It allows
these authorization mechanisms to be relatively easily built, using a CGI-like
environment, and without the rigors of building in an AST-driven environment.
See implementation comments in AUTHAGENT.C and example(s) provided in the
[SRC.CGIPLUS] directory.
An agent specification used for authentication might look something like:
["a remote database"=REMOTE=agent]
/path/authorized/by/remote/database/*
The following script would need to be mapped and present:
/cgiauth-bin/remote.exe
A parameter (any string, enclose in double or single quotes if necessary) may
be passed to the agent. This parameter appears in the CGI variable
"WWW_AUTH_AGENT" and overrides both "REALM" and "GROUP" authorization passed by
default. If a specific parameter is passed the agent should take on the role
of fully authenticating and authorizing the request, returning a response as if
authorizing a realm. The parameter should be placed in the restriction list
text as illustrated here.
["a remote database"=REMOTE=agent]
/path/authorized/by/remote/database/* param="HT_ROOT:[LOCAL]LIST.TXT"
Generally an agent can use the username/password data automatically generated
by the server using 401/WWW-Authorize: response and Authorization: request
header transaction. However some authentication/authorization schemes may not
require the username/password data, obtaining this data outside of the
client/server transaction (examples internally implemented by this server are
X.509 certificates and RFC1413 ident protocol). To suppress the server's
automatic generation of the username/password browser dialog is to add
"+OPAQUE" to the 'agent', as in the following example.
["a remote database"=REMOTE=agent+opaque]
/path/authorized/by/remote/database/*
An alternative is to make the leading portion of the realm parameter string
"/NO401". The agent will need to ignore this if other parameters are passed as
well.
SYSUAF-AUTHENTICATION BY WASD IDENTIFIER
----------------------------------------
*** THIS FUNCTIONALITY IS DEPRECATED! ***
Use the more generalized form described in "VMS Identifiers" above.
In addition to general identifiers, other "hard-wired" identifiers may be used
to control access to and of VMS accounts. If a username has been authenticated
using using one of the read or write "hard-wired" identifiers then any group
membership must be determined using the "hard-wired" WASD_VMS__<group>
identifier. Only a realm and one grouping is allowed.
o WASD_VMS_R .......... account has read access
o WASD_VMS_RW ......... account has read and write access
o WASD_VMS__<group> ... account must possess identifier to access
o WASD_VMS_HTTPS ...... account can only SYSUAF authenticate via SSL
o WASD_VMS_PWD ........ account can change it's SYSUAF password
SYSUAF-AUTHENTICATION AND VMS SECURITY PROFILE
----------------------------------------------
The ability to be able to authenticate using the system's SYSUAF is controlled
by the server /SYSUAF qualifier. By default it is disabled. (This qualifier
was introduced in v4.4 as a result of creeping paranoia :^)
As of v4.4 it has become possible to control access to files and directories
based on the security profile of a SYSUAF-authenticated remote user. This
feature is controlled using the server /PROFILE qualifier. By default it is
disabled. The /PROFILE=BYRULE variant only applies this profile to rules that
contain the "profile" keyword.
A security-profile is created using sys$create_user_profile() and stored in
the authentication cache. This cached profile is the most efficient method of
implementing this as it obviously removes the need of creating a user profile
each time a resource is checked. If this profile exists in the cache it is
attached to each request structure authenticated via the cache.
When this profile is attached to a request all accesses to files and
directories are first assessed against that user profile using
sys$check_access(). If the user can access the resource (regardless of whether
that is because it is WORLD accessable, or because it is owned by, or
otherwise accessable to the user) SYSPRV is always enabled before accessing
the file/directory. This ensures that the authenticated user is always given
access to the resource (provided the SYSTEM permissions allow it!)
Of course, this functionality only provides access for the server, IT DOES NOT
PROPAGATE TO ANY SCRIPT ACCESS. If scripts must have a similar ability they
should implement their own sys$check_access() (which is not too difficult)
based on the WWW_AUTH_REALM which would be "VMS" indicating
SYSUAF-authentication, and the authenticated name in WWW_REMOTE_USER.
Note: the sys$assume_persona(), et.al., which might seem a more thorough
approach to this functionality, was not possible due to the "independently"
executing script processes associated with the server that might be adversely
affected by such an abrupt change in identity!
PROXY MAPPING NON-SYSUAF USERNAMES TO SYSUAF USERNAMES
------------------------------------------------------
An authentication realm can have it's usernames mapped into VMS usernames and
the VMS username used as if it had been authenticated from the SYSUAF. This is
a TYPE OF PROXY access. CAUTION - this is an extremely powerful mechanism and
as a consequence requires enabling on the command-line at server startup using
the /SYSUAF=PROXY qualifier and keyword. If identifiers are used to control
SYSUAF authentication (i.e. /SYSUAF=ID) then any account mapped by proxy access
must hold the WASD_PROXY_ACCESS identifier described above (and server startup
would be something like "/SYSUAF=(ID,PROXY)").
For each realm a different collection of mappings can be applied. Proxy
entries are strings containing no white space on lines begining with
[AuthProxy]. There are three basic variations, each with an optional host or
network mask component.
[AuthProxy] remote[@host|@network/mask]=SYSUAF
[AuthProxy] *[@host|@network/mask]=SYSUAF
[AuthProxy] *=*[@host|@network/mask]
The 'SYSUAF' is the VMS username being mapped to. The 'remote' is the remote
username (CGI variable WWW_REMOTE_USER). The first variation maps a matching
remote username (and optional host/network) onto the specific SYSUAF username.
The second maps all remote usernames (and optional host/network) to the one
SYSUAF username (useful as a final mapping). The third maps all remote
usernames (optionally on the remote host/network) into the same SYSUAF
username (again useful as a final mapping if there is a one-to-one equivalence
between the systems).
Proxy mappings are processed sequentially from first to last until a matching
rule is encountered. If none is found authorization is denied. Match-all and
default mappings can be specified. The following is an example.
[RFC1413]
[AuthProxy] bloggs@131.185.250.1=fred
[AuthProxy] doe@131.185.250.1=john
[AuthProxy] system=-
[AuthProxy] *@131.185.252.0/24=*
[AuthProxy] *=GUEST
In this example the username 'bloggs' on system '131.185.250.1' can access as
if the request had been authenticated via the SYSUAF using the username and
password of 'FRED', although of course no SYSUAF username or password needs to
be supplied. The same applies to the second mapping, 'doe' on the remote
system to 'JOHN' on the VMS system. The third mapping disallows a 'system'
account ever being mapped to it's VMS equivalent. The fourth, wildcard
mapping, maps all accounts on all systems in '131.185.250.0' network to the
same VMS username on the server system. The fifth mapping provides a default
username for all remote usernames (and like this would terminate further
mapping).
Note that multiple, space-separated proxy entries may be placed on a single
line. In this case they are processed from left to right and first to last.
This example show a host group being used to confine all the proxy mappings to
the hosts in one particular subnet.
[RFC1413;131.185.250.0/24]
[AuthProxy] bloggs=fred doe=john
[AuthProxy] system=- *=GUEST
Proxy mapping rules apply should be placed after a realm specification and
before any authorization path rules in that realm. In this way the mappings
will apply to all rules in that realm. It is possible to change the mappings
between rules. Just insert the new mappings before the (first) rule they apply
to. This cancels any previous mappings and starts a new set. To cancel all
mappings use [AuthProxy] (with no following mapping detail). This
is an example.
[RFC1413]
[AuthProxy] bloggs@131.185.250.1=fred
[AuthProxy] doe@131.185.250.1=john
/fred/and/johns/path/* r+w
[AuthProxy] *=GUEST
/other/path/* read
REMEMBER - proxy processing can be observed using the WATCH facility.
PROTECT MAPPING RULE
--------------------
The WASD_CONFIG_MAP configuration file PROTECT rule stores an authorization
string matching the corresponding path. Two strings can be stored, one for the
full path (or script component), the second for any resulting path derived
after a script component has been resolved. The string has the following
format and components.
"Realm Description"=<realm>=<type>:<access>:<restriction>
where
o "Realm Description" optional browser username/password dialog
o <realm> mandatory source of the authentication
o <type> mandatory type of authentication source
o <access[,access]> mandatory 'r' or 'r+w' access (optional world access)
o <restriction> optional restriction list
As can be seen these components parallel those found in HTTPD$AUTH
functionality. The following examples illustrate such PROTECT rules.
PROTECT /path/* "Just an Example"=WASD_VMS_RW=id:r+w
PROTECT /nuther/path/* "Second Example"=LOCAL=hta:read
PROTECT /third/path/* "Last Example"=THESE=list:read+write:~fred,~ginger
CONTROLLING SERVER WRITE ACCESS
-------------------------------
Write access by the server into VMS directories should be controlled using VMS
ACLs. World write access should not be given to any server accessed directory.
This is in addition to the path authorization of the server itself of course!
The requirement to have an ACL on the directory prevents inadvertant
mapping/authorization path being able to be written to. Two different ACLs
control two different grades of access.
1. If the ACL grants CONTROL access to the server account then only
VMS-authenticated usernames with security profiles can potentially write to
the directory, potentially, because a further check is made to assess whether
that VMS account has write access.
This example show a suitable ACL that stays only on the original directory:
$ SET SECURITY directory.DIR -
/ACL=(IDENT=HTTP$SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)
This example shows setting an ACL that will propagate to created
subdirectories:
$ SET SECURITY directory.DIR -
/ACL=((IDENT=HTTP$SERVER,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL), -
(IDENT=HTTP$SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL))
2. If the ACL grants WRITE access then the directory can be written into by
any authenticated username for the authorized path.
This example show a suitable ACL that stays only on the original directory:
$ SET SECURITY directory.DIR -
/ACL=(IDENT=HTTP$SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE)
This example shows setting an ACL that will propagate to created
subdirectories:
$ SET SECURITY directory.DIR -
/ACL=((IDENT=HTTP$SERVER,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE), -
(IDENT=HTTP$SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE))
IMPLEMENTATION
--------------
A linked-list, binary tree (using the the LIB$..._TREE routines) is used to
store authentication records. When a request with an "Authorization:" header
line encounters a point where authentication is required this binary tree is
checked for an existing record. If one does not exist a new one is entered
into the binary tree, with an empty password field. The password in the
authorization line is checked against the password in the record. If it
matches the request is authenticated.
If a binary tree record is not found the SYSUAF or REALM-based password is
checked. If the hashed password matches, the plain password is copied into the
record and used for future authentications. If not, the authentication fails.
Once a user name is authenticated from the password database, for a limited
period (currently 60 minutes), further requests are authenticated directly
from the binary tree. This improves performance and reduces file system
references for authentication. After that period expires the password and any
group access database is again explicitlty checked. The internal, binary tree
database can be explicitly listed, flushed or re-loaded as required.
A request's authorization flags (->AuthRequestCan) governs what can and can't be
done using authorization. These are arrived at by bit-wise ANDing of flags
from two sources ...
o 'AuthGroupCan' flags associated with the authorization realm and path
o 'AuthUserCan' flags associated with the authenticated user
... this ensuring that the minimum of actions permitted by either path or user
capabilities is reflected in the request capabilities.
SKELETON-KEY AUTHENTICATION
---------------------------
Provides a 'special' username and password that is authenticated from data
placed into the global common (i.e. in memory). The username and password
expire (become non-effective) after one hour by default or after an interval
specified at setup.
It's a method for allowing ad hoc authenticated access to the server, primarily
intended for non-configured access to the Administration Menu. All the site
admin needs to do is deposit the skeleton key username and password and
hey-presto, the admin can access the Admin Menu (see AUTHCONFIG.C for special
skeleton-key processing). A skeleton-key authenticated request IS subject
to all other authorization processing (i.e. access restrictions, etc.), and can
be controlled using the likes of '~_*', etc.
The site administrator uses the command line directive
$ HTTPD /DO=AUTH=SKELKEY=_<username>:<password>[:<period>]
to set the username/password, and optionally the period in minutes. This
authentication credential can be cancelled at any time using
$ HTTPD /DO=AUTH=SKELKEY=0
The username must begin with an underscore and be a minimum of 6 characters.
The password is delimited by a colon and must be at least 8 characters. The
optional period in minutes can be from 1 to 10080 (one week). If not supplied
it defaults to 60 (one hour). After the period expires the skeleton key no
longer works until reset.
The (with skeleton-key) authentication process goes like this.
1) Is a skeleton-key set? If not continue on with authentication as usual.
2) If set then check the request username leading character for an underscore.
If not then continue on with normal authentication. Skeleton-key usernames must
always begin with an underscore so as to reduce the chances of clashing with a
legitimate username.
3) If it begins with an underscore then match the request and skeleton-key
usernames. If they do not match then continue with normal authentication.
4) If the usernames match then compare the request and skeleton-key passwords.
If they match then it's authenticated. If they don't then it becomes an
authentication failure.
EMPTY LOGIN PROMPTS
-------------------
Consecutive browser authentication dialogs can occur if a cache entry exists
for the realm/username with a user revalidation timer expired but in the
interim the user has closed the browser and so submits the initial request with
no request header authorization field at all. This is bounced straight back
and when valid credentials are entered and accessed the cached entry indicates
there need to be revalidation resulting in an immediate browser reprompt for
the same resource ... mighty irritating! Access to required authorisations if
missing are counted (using rqptr->AuthRevalidateCount) and if registered the
revalidation prompt is not induced. (This takes the place of the obsoleted
pre-v10.2.1 "revalidate login cookie".)
VERSION HISTORY
---------------
03-OCT-2020 MGD AuthParseAuthorization() return AUTH_DENIED_BY_LOGIN
if unknown scheme allowing 401 response rather than 403
07-JAN-2019 MGD bugfix; AuthCompleted() and AuthNotComplete() to address
AST delivery following request end and rundown
17-MAY-2017 MGD Authorize() move AuthorizeGuaranteeAccess() up-front to
ensure access to guaranteed paths not only with failure
07-NOV-2013 MGD AuthCacheNeedsReval() so multiple cache entries for the
same credentials do not trigger multiple revalidations
25-MAY-2013 MGD [AuthRevalidateLoginCookie] obsolete (in favour of ...)
rqptr->AuthRevalidateCount to track empty authentication
prompts preceding potential redundant revalidation prompt
05-MAY-2013 MGD read-only group can be specified as "*" for everyone else
bugfix; AuthClientHostGroup() wildcard match result reversed
09-SEP-2012 MGD TOKEN authentication
28-AUG-2012 MGD bugfix; AuthorizeResponse() digest scheme
bugfix; AuthParseAuthorization() digest no user password
bugfix; disable digest depending on source realm
01-JUL-2012 MGD bugfix; (at least improve) caching of group write/read
28-NOV-2009 MGD AuthorizeResponse() allow agent reason for 403
10-OCT-2009 MGD AuthRestrictAny() single set of restricted days/hours
retrieved by AuthVmsGetUai() as optionally specified
by [AuthSYSUAFlogonType] and/or 'param="logon=.."'
(default is still NETWORK)
24-NOV-2007 MGD add AGENT/OPAQUE
force ACME on VMS V7.3 and later
bugfix; agent mappings nocache
15-MAR-2007 MGD bugfix; agent mappings using VMS-USER: not being cached
24-NOV-2005 MGD OPAQUE realm to allow a script to completely generate it's
own authentication challenge and process the authorization
31-JUL-2005 MGD refine data provided with authorization failure logging
11-JUN-2005 MGD bugfix; prevent expired SYSUAF password from being cached
05-JAN-2005 MGD bugfix; AuthorizeRealm() check for login cookie before
revalidating new cache record credentials (jpp@esme.fr)
16-OCT-2004 MGD bugfix; AuthReadSimpleList() group member password check
24-SEP-2004 MGD revalidation periods and '?httpd=logout&goto=...'
22-JUL-2004 MGD bugfix; TcpIpNetMask() result in AuthRestrictList()
18-MAR-2004 MGD ACME authentication
26-AUG-2003 MGD service directory located authorization databases
27-JUL-2003 MGD massage remote username to comply with VMS requirements,
suppress digest auth challenge except for HTA and external
15-MAY-2003 MGD rework break-in detection and processing
(configuration defaults to LGI sysgen parameters and now
operates in the same way as described for general VMS)
03-MAY-2003 MGD /SYSUAF=(VMS,ID) allows both VMS and ID authorization
(rules with =VMS and =ID can be concurrently deployed)
26-MAR-2003 MGD refine rule failure handling and reporting,
SKELKEY authorization realm
15-MAR-2003 MGD script as SYSUAF username via rule 'scriptas'
30-JAN-2003 MGD authentication profile can be requested via rule 'profile'
07-DEC-2002 MGD skeleton key authentication,
bugfix; -I-FAILOK messages
16-NOV-2002 MGD implement path SET auth=all (path must be subject to
authorization or be fobidden)
10-AUG-2002 MGD bugfix; always revalidate X509 and RFC1413
(for path authorization after script)
22-JAN-2002 MGD allow /NO401 parameter to suppress server generated
challenge to allow external agent to response (e.g. PHP)
20-OCT-2001 MGD instance support requires locking around global
authorization cache access
04-AUG-2001 MGD support module WATCHing
20-APR-2001 MGD more efficiently support RFC1413 and X509 authentication
05-APR-2001 MGD bugfix; restriction list network mask processing
18-MAR-2001 MGD bugfix; BETA2 cached VMS user profile
08-MAR-2001 MGD bugfix (again); propagate cache NOCACHE!
22-FEB-2001 MGD add AuthWatchCheck()
write and read-only groupings as a host or network mask
/NO401 agent processing (no username/password required),
bugfix; restriction network mask, refine nocache
bugfix; final status at write group/no read group check
15-FEB-2001 MGD bugfix; AuthGenerateHashPassword() force upper-case
13-FEB-2001 MGD authentication via "identification protocol" RFC1413
24-JAN-2001 MGD bugfix; memory leak with user details
12-DEC-2000 MGD X509 client certificate authorization
03-DEC-2000 MGD bugfix; final forbidden requires 403
01-SEP-2000 MGD generalize authorization to take a path parameter
11-JUN-2000 MGD add network-mask to authorization restriction list,
allow agent "302 location" redirection response
06-MAY-2000 MGD proxy authorization
08-APR-2000 MGD bugfix; update cache NoCache flag after authentication
28-MAR-2000 MGD AuthRestrictAny() check only if cache entry is authenticated
06-JAN-2000 MGD bugfix; user restriction list pass (broken in 6.1)
24-DEC-1999 MGD break-in evasion period with expiry
20-NOV-1999 MGD add nil-access identifier to bypass hour restrictions
28-AUG-1999 MGD AUTH.C split into more manageable modules,
asynchronous "agent" authentication,
usernames and passwords stored case-sensitive,
authenticated user details
05-AUG-1999 MGD authentication cancellation via "?httpd=logout",
check UAI_NETWORK/REMOTE_ACCESS_x for access restrictions,
identifier enabled access allows CAPTIVE and RESTRICTED,
bugfix; check for "SSL only" after authorization cache hit,
bugfix; revalidate user minutes update
20-FEB-1999 MGD extend authentication/authorization use of VMS identifiers,
refine authorization with [realm;group-r+w;group-r],
ALL paths with problems of any sort load, then always FAIL!
19-DEC-1998 MGD refine authorization WATCH information
07-NOV-1998 MGD WATCH facility
17-OCT-1998 MGD [realm-name=VMS] synonym hiding the fact it's SYSUAF,
virtual services via "[[virtual-host:virtual-port]]"
29-AUG-1998 MGD move authorization path processing into AuthPathLine(),
report authentication failures in process log,
change in behaviour: after cache minutes expires request
revalidation by the user via browser dialog
16-JUL-1998 MGD /SYSUAF=ID, authentication with possession of an identifier,
AUTH_DENIED_BY_OTHER indicates non-authentication forbidden
11-MAR-1998 MGD added local redirection kludge ('^'),
configurable SYSUAF authentication of privileged accounts,
bugfix; alpha-numeric hosts in access-restriction lists
rejected as "unknown HTTP method"
08-FEB-1998 MGD provide SSL-only for SYSUAF and authorization in general,
provide SSL-only for authorized paths (via "https:" or
"http:" in path access restriction list),
removed full method descriptions from user auth report
17-AUG-1997 MGD message database,
SYSUAF-authenticated users security-profile
16-JUL-1997 MGD fixed design flaw with WORLD realm and access restriction
01-FEB-1997 MGD HTTPd version 4
01-JUL-1996 MGD path/realm-based authorization/authentication
15-MAR-1996 MGD bugfix; some ErrorGeneral() not passing the request pointer
01-DEC-1995 MGD HTTPd version 3
01-APR-1995 MGD initial development for local (SYSUAF) authentication
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* VMS related header files */
#include <descrip.h>
#include <libdef.h>
#include <ssdef.h>
#include <stsdef.h>
#include <uaidef.h>
/* not defined VAX C 3.2 <uaidef.h> (probably unnecessary now 11-MAY-2005) */
#ifndef UAI$C_PURDY_S
#define UAI$C_PURDY_S 3
#endif
/* application related header files */
#include "wasd.h"
#define WASD_MODULE "AUTH"
#if WATCH_MOD
#define FI_NOLI WASD_MODULE, __LINE__
#else
/* in production let's keep the exact line to ourselves! */
#define FI_NOLI WASD_MODULE, 0
#endif
/* NO reset after 401 HTTP status, authorization challenge needs the realm */
#define AUTH_RESET_REQUEST { \
rqptr->RemoteUser[0] = \
rqptr->RemoteUserPassword[0] = '\0'; \
rqptr->rqAuth.GroupReadPtr = \
rqptr->rqAuth.GroupRestrictListPtr = \
rqptr->rqAuth.GroupWritePtr = \
rqptr->rqAuth.RealmPtr = \
rqptr->rqAuth.RealmDescrPtr = \
rqptr->rqAuth.PathParameterPtr = \
rqptr->rqAuth.WorldRestrictListPtr = ""; \
rqptr->rqAuth.GroupCan = \
rqptr->rqAuth.GroupReadStatus = \
rqptr->rqAuth.GroupWriteStatus = \
rqptr->rqAuth.PathParameterLength = \
rqptr->rqAuth.Scheme = \
rqptr->rqAuth.SourceGroupWrite = \
rqptr->rqAuth.SourceGroupRead = \
rqptr->rqAuth.SourceRealm = \
rqptr->rqAuth.WorldCan = 0; }
/******************/
/* global storage */
/******************/
/* explicit storage so that the address can be used for comparison */
char AuthAgentParamGroup [] = "GROUP",
AuthAgentParamRealm [] = "REALM";
/********************/
/* external storage */
/********************/
#ifdef DBUG
extern BOOL Debug;
#else
#define Debug 0
#endif
extern BOOL AuthorizationEnabled,
AuthConfigACME,
AuthConfigSysUafUseACME,
AuthPolicyAuthorizedOnly,
AuthPolicySslOnly,
AuthPolicySysUafProxy,
AuthPolicySysUafSslOnly,
AuthPromiscuous,
AuthProtectRule,
AuthSysUafEnabled,
AuthSysUafPromiscuous,
AuthVmsUserProfileEnabled,
DclAgentPre12;
extern BOOL InstanceMutexHeld[];
extern int AuthFailureLimit, /* LGI_BRK_LIM */
AuthFailurePeriodSeconds, /* LGI_BRK_TMO */
AuthFailureTimeoutSeconds, /* LGI_HID_TIM */
HttpdDayOfWeek,
HttpdTickSecond,
OpcomMessages,
ServerPort;
extern int ToLowerCase[],
ToUpperCase[];
extern unsigned long AuthHttpsOnlyVmsIdentifier,
AuthWasdPwdVmsIdentifier,
AuthWasdHttpsVmsIdentifier,
AuthWasdReadVmsIdentifier,
AuthWasdWriteVmsIdentifier;
extern char *AuthConfigHtaDirectory,
*AuthPromiscuousPwdPtr;
extern char ErrorSanityCheck[],
ServerHostPort[],
SoftwareID[];
extern ACCOUNTING_STRUCT *AccountingPtr;
extern CONFIG_STRUCT Config;
extern HTTPD_GBLSEC *HttpdGblSecPtr;
extern MSG_STRUCT Msgs;
extern WATCH_STRUCT Watch;
/*****************************************************************************/
/*
This function is pivotal to the HTTPd's authorization and authentication. All
requests should call this function before proceding.
The results of the authorization must always be determined from
'rqptr->rqAuth.FinalStatus'. A success status indicates the request may
proceed, any other status (usually errors, including AUTH_DENIED_... pseudo
statuses) indicate not authorized, and the request should be ended.
Authorization challenges, access denied and error reports, etc., generated
during authorization will be delivered as the request is run down.
This function CAN complete asynchronously and calling code should be prepared
for this. It can, and often does, complete synchronously and THEREFORE DOES
NOT ALWAYS DELIVER the AST. If an authorization needs to be completed
asynchronously the 'rqptr->rqAuth.FinalStatus' is set to AUTH_PENDING and
the calling routine after detecting this should just 'return;'. Upon
completion of the authorization the AST function will be called, when the
results can be ascertained from 'rqptr->rqAuth.FinalStatus' in the normal
manner. If completing synchronously the calling routine should immediately
call the AST function directly.
*/
void Authorize
(
REQUEST_STRUCT *rqptr,
char *PathBeingAuthorized,
int PathBeingAuthorizedLength,
char *ProtectRulePtr,
int ProtectRuleLength,
REQUEST_AST AuthorizeAstFunction
)
/*
{
int status;
Debug = 1;
status = Authorize_ (rqptr);
Debug = 0;
return status;
}
Authorize_
*/
{
BOOL WatchThisOne;
int status,
VerifyPeer;
unsigned short Length;
char *cptr, *sptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "Authorize() !&Z !&Z",
PathBeingAuthorized, ProtectRulePtr);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThisOne = true;
else
WatchThisOne = false;
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"PATH !AZ", PathBeingAuthorized[0] ?
PathBeingAuthorized : "(none)");
/* buffer the completion AST address in case we need it later */
rqptr->rqAuth.AstFunctionBuffer = AuthorizeAstFunction;
rqptr->rqAuth.AstFunction = NULL;
/* always start with this status denying access, allow by changing */
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
if (!AuthPromiscuous &&
((!AuthorizationEnabled &&
!AuthPolicyAuthorizedOnly) ||
(!Config.cfAuth.BasicEnabled &&
!Config.cfAuth.DigestEnabled)))
{
/********************************************/
/* no authorization is mapped, use defaults */
/********************************************/
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "DISABLED");
AUTH_RESET_REQUEST
rqptr->rqAuth.GroupCan =
rqptr->rqAuth.RequestCan =
rqptr->rqAuth.UserCan =
rqptr->rqAuth.WorldCan = AUTH_READONLY_ACCESS;
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
/****************************/
/* authorization is enabled */
/****************************/
if (AuthPolicySslOnly && rqptr->ServicePtr->RequestScheme != SCHEME_HTTPS)
{
/***********************************************/
/* policy ... authorization only when "https:" */
/***********************************************/
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"POLICY https: (SSL) ONLY");
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
/**************/
/* check path */
/**************/
status = AuthorizeGuaranteeAccess (rqptr, PathBeingAuthorized);
if (VMSnok (status))
status = AuthConfigSearch (rqptr, PathBeingAuthorized);
if (status == SS$_ABORT)
{
/* hmmm, severe configuration error */
rqptr->rqAuth.FinalStatus = status;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
}
if (VMSnok (status))
{
/* not a controlled path */
if (ProtectRulePtr)
{
/****************/
/* mapping rule */
/****************/
sptr = AuthConfigParseProtectRule (rqptr,
ProtectRulePtr,
ProtectRuleLength);
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"PROTECT \'!AZ\'!&? ERROR: \r\r!-!AZ",
ProtectRulePtr, sptr);
if (sptr)
{
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
status = SS$_NORMAL;
}
}
if (VMSnok (status))
{
/*************************/
/* not a controlled path */
/*************************/
if (AuthPolicyAuthorizedOnly)
{
/******************************************/
/* policy: no authorization ... no access */
/******************************************/
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"POLICY authorized paths ONLY");
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
if (rqptr->rqPathSet.AuthorizeAll)
{
/****************************************/
/* path: no authorization ... no access */
/****************************************/
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"PATH set authorized ALL");
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
/**********************/
/* use default access */
/**********************/
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "NONE applies");
/*
If there is already a source realm set then this has been from
authorization applied to the script portion of a script request.
Do not reset this as in the absence of authorization on the
"file" portion it defines the level of access for that request.
*/
if (!rqptr->rqAuth.SourceRealm)
{
AUTH_RESET_REQUEST
rqptr->rqAuth.GroupCan =
rqptr->rqAuth.RequestCan =
rqptr->rqAuth.UserCan =
rqptr->rqAuth.WorldCan = AUTH_READONLY_ACCESS;
}
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
/*********************************/
/* controlled path, authorize it */
/*********************************/
if (PathBeingAuthorizedLength <= 0)
PathBeingAuthorizedLength = strlen(PathBeingAuthorized);
rqptr->rqAuth.PathBeingAuthorizedPtr =
VmGetHeap (rqptr, PathBeingAuthorizedLength+1);
/* including the terminating null */
memcpy (rqptr->rqAuth.PathBeingAuthorizedPtr,
PathBeingAuthorized,
PathBeingAuthorizedLength+1);
rqptr->rqAuth.PathBeingAuthorizedLength = PathBeingAuthorizedLength;
rqptr->rqAuth.RevalidateTimeout = rqptr->rqPathSet.AuthRevalidateTimeout;
if (!rqptr->rqAuth.RevalidateTimeout)
rqptr->rqAuth.RevalidateTimeout = Config.cfAuth.RevalidateUserMinutes;
if (WATCH_CAT && WatchThisOne)
{
BOOL ShowRealmDescription = rqptr->rqAuth.RealmDescrPtr &&
rqptr->rqAuth.RealmDescrPtr[0] &&
rqptr->rqAuth.RealmDescrPtr !=
rqptr->rqAuth.RealmPtr;
BOOL ShowRealmParam = rqptr->rqAuth.RealmParamPtr &&
rqptr->rqAuth.RealmParamPtr[0];
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"!&?REALM-PROBLEM \r\r!&?PATH-PROBLEM \r\r\
[!AZ!AZ!AZ!AZ!AZ!AZ!AZ!AZ;!AZ!AZ;!AZ!AZ] !AZ !AZ ; \
!AZ !AZ!&? PROFILE\r\r!&? NOCACHE\r\r",
rqptr->rqAuth.RealmProblem, rqptr->rqAuth.PathProblem,
ShowRealmDescription ? "\"" : "",
ShowRealmDescription ? (char*)rqptr->rqAuth.RealmDescrPtr : "",
ShowRealmDescription ? "\"=" : "",
rqptr->rqAuth.RealmPtr[0] ? (char*)rqptr->rqAuth.RealmPtr : "-",
AuthSourceString (rqptr->rqAuth.RealmPtr, rqptr->rqAuth.SourceRealm),
ShowRealmParam ? "+\"" : "",
ShowRealmParam ? (char*)rqptr->rqAuth.RealmParamPtr : "",
ShowRealmParam ? "\"" : "",
rqptr->rqAuth.GroupWritePtr[0] ? (char*)rqptr->rqAuth.GroupWritePtr : "-",
AuthSourceString (rqptr->rqAuth.GroupWritePtr,
rqptr->rqAuth.SourceGroupWrite),
rqptr->rqAuth.GroupReadPtr[0] ? (char*)rqptr->rqAuth.GroupReadPtr : "-",
AuthSourceString (rqptr->rqAuth.GroupReadPtr,
rqptr->rqAuth.SourceGroupRead),
rqptr->rqAuth.GroupRestrictListPtr[0] ?
(char*)rqptr->rqAuth.GroupRestrictListPtr : "-",
AuthCanString (rqptr->rqAuth.GroupCan, AUTH_CAN_FORMAT_SHORT),
rqptr->rqAuth.WorldRestrictListPtr[0] ?
(char*)rqptr->rqAuth.WorldRestrictListPtr : "-",
AuthCanString (rqptr->rqAuth.WorldCan, AUTH_CAN_FORMAT_SHORT),
rqptr->rqAuth.VmsUserProfile,
rqptr->rqAuth.NoCache);
if (rqptr->rqAuth.PathParameterPtr &&
rqptr->rqAuth.PathParameterPtr[0])
WatchData (rqptr->rqAuth.PathParameterPtr,
rqptr->rqAuth.PathParameterLength);
}
if (rqptr->rqAuth.RealmProblem ||
rqptr->rqAuth.PathProblem)
{
/*************************************************/
/* problem with the configuration, default fail! */
/*************************************************/
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_NONE)
{
/******************/
/* the NONE realm */
/******************/
/*
The purpose of the "NONE" realm is to set the '->AuthRealmSource'
so that the server knows it's passed through authorization, without
actually requiring any authorization, etc. Supports the use of
'AuthPolicyAuthorizedOnly' for reducing the possibility of
inadvertant resource access.
*/
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
AUTH_RESET_REQUEST
return;
}
if (rqptr->rqHeader.Method & rqptr->rqAuth.WorldCan)
{
/**********************/
/* world capabilities */
/**********************/
if (rqptr->rqAuth.WorldRestrictListPtr[0])
{
/***********************************************/
/* check access against world restriction list */
/***********************************************/
status = AuthRestrictList (rqptr, rqptr->rqAuth.WorldRestrictListPtr);
if (VMSnok (status))
{
rqptr->rqAuth.FinalStatus = status;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
}
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACCESS world:!AZ",
AuthCanString (rqptr->rqAuth.WorldCan, AUTH_CAN_FORMAT_SHORT));
rqptr->rqAuth.RequestCan = rqptr->rqAuth.WorldCan;
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_EXTERNAL)
{
/**********************************/
/* externally (script) authorized */
/**********************************/
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACCESS external:!AZ",
AuthCanString (rqptr->rqAuth.GroupCan, AUTH_CAN_FORMAT_SHORT));
status = AuthParseAuthorization (rqptr);
if (!rqptr->rqAuth.PathParameterPtr ||
!strsame (rqptr->rqAuth.PathParameterPtr, "/NO401", 6))
{
if (VMSnok (status))
{
/* error from parse of authorization field */
rqptr->rqAuth.FinalStatus = status;
AuthorizeResponse (rqptr);
return;
}
}
rqptr->rqAuth.RequestCan = rqptr->rqAuth.GroupCan;
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_OPAQUE)
{
/************************************/
/* opaquely (don't care) authorized */
/************************************/
if (WATCH_CAT && WatchThisOne)
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "ACCESS opaque:N/A");
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_VMS ||
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_ID ||
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WASD_ID)
{
if (!AuthSysUafEnabled ||
(AuthPolicySysUafSslOnly &&
rqptr->ServicePtr->RequestScheme != SCHEME_HTTPS))
{
/**********************/
/* SYSUAF not allowed */
/**********************/
/* SYSUAF-authentication is disabled, or disabled for non-"https:" */
if (WATCH_CAT && WatchThisOne)
{
if (AuthPolicySysUafSslOnly)
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"SYSUAF SSL only");
else
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"SYSUAF disabled");
}
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_PROMISCUOUS &&
!AuthPromiscuous)
{
/***************************/
/* promiscuous not allowed */
/***************************/
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_SKELKEY &&
!HttpdGblSecPtr->AuthSkelKeyHttpdTickSecond)
{
/***************************/
/* skeleton key not active */
/***************************/
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
if (rqptr->rqAuth.GroupRestrictListPtr[0])
{
/*****************************************/
/* check access against restriction list */
/*****************************************/
status = AuthRestrictList (rqptr, rqptr->rqAuth.GroupRestrictListPtr);
/* denied by username is reported as authentication, not access, fail */
if (status == AUTH_DENIED_BY_FAIL ||
status == AUTH_DENIED_BY_HOSTNAME ||
status == AUTH_DENIED_BY_PROTOCOL)
{
rqptr->rqAuth.FinalStatus = status;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WORLD)
{
/********************************************/
/* the WORLD realm (i.e. no authentication) */
/********************************************/
strcpy (rqptr->RemoteUser, AUTH_REALM_WORLD);
rqptr->rqAuth.RequestCan = rqptr->rqAuth.UserCan = rqptr->rqAuth.GroupCan;
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
rqptr->rqAuth.ResolvedRemoteUser = false;
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_RFC1413)
{
/***************************/
/* identification protocol */
/***************************/
rqptr->rqAuth.Scheme = AUTH_SCHEME_RFC1413;
strcpy (rqptr->rqAuth.Type, "RFC1413");
rqptr->rqAuth.ResolvedRemoteUser = true;
/* it will *always* be handled asynchronously! */
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
AuthIdentBegin (rqptr, &AuthorizeRealm);
if (rqptr->rqAuth.FinalStatus == AUTH_PENDING) return;
}
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_TOKEN)
{
/*********/
/* token */
/*********/
rqptr->rqAuth.Scheme = AUTH_SCHEME_TOKEN;
strcpy (rqptr->rqAuth.Type, "TOKEN");
/* cannot be cached, the scheme must be invoked each time */
rqptr->rqAuth.NoCache = true;
/* conjure up a unique identifier (username) for this request */
strcpy (rqptr->RemoteUser, "(TOKEN)");
rqptr->RemoteUserLength = 7;
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
}
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_X509)
{
/********************/
/* X509 certificate */
/********************/
if (rqptr->ServicePtr->RequestScheme != SCHEME_HTTPS)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL X509 not possible unless SSL");
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_PROTOCOL;
rqptr->rqResponse.HttpStatus = 403;
if (!rqptr->rqResponse.ErrorReportPtr)
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return;
}
if (rqptr->rqHeader.QueryStringLength &&
TOLO(rqptr->rqHeader.QueryStringPtr[0]) == 'h' &&
(strsame (rqptr->rqHeader.QueryStringPtr, "httpd=cancel", 12) ||
strsame (rqptr->rqHeader.QueryStringPtr, "httpd=logout", 12)))
VerifyPeer = SESOLA_VERIFY_PEER_NONE;
else
VerifyPeer = SESOLA_VERIFY_PEER_AUTH;
rqptr->rqAuth.Scheme = AUTH_SCHEME_X509;
strcpy (rqptr->rqAuth.Type, "X509");
rqptr->rqAuth.ResolvedRemoteUser = true;
/* it *may* be handled asynchronously! */
status = SesolaClientCert (rqptr, VerifyPeer, &AuthorizeRealm);
if (VMSnok (status)) return;
if (rqptr->rqAuth.FinalStatus == AUTH_PENDING) return;
}
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_AGENT_OPAQUE)
{
/***********************************************/
/* opaque agent handles any required challenge */
/***********************************************/
/* cannot be cached, the agent must be invoked each time */
rqptr->rqAuth.NoCache = true;
/* conjure up a unique identifier (username) for this request */
strcpy (rqptr->RemoteUser, "(AGENT+OPAQUE)");
rqptr->RemoteUserLength = 14;
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
}
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_AGENT &&
rqptr->rqAuth.PathParameterPtr &&
strsame (rqptr->rqAuth.PathParameterPtr, "/NO401", 6))
{
/************************************************/
/* agent/NO401 does not use a username/password */
/************************************************/
rqptr->rqAuth.Scheme = AUTH_SCHEME_NO401;
strcpy (rqptr->rqAuth.Type, "AGENT/NO401");
/* cannot be cached, the agent must be invoked each time */
rqptr->rqAuth.NoCache = true;
/* conjure up a unique identifier (username) for this request */
strcpy (rqptr->RemoteUser, "(AGENT/NO401)");
rqptr->RemoteUserLength = 13;
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
}
else
{
/*****************************/
/* "Authorize:" header field */
/*****************************/
/* parse "Authorization:" request header field */
rqptr->rqAuth.FinalStatus = AuthParseAuthorization (rqptr);
}
AuthorizeRealm (rqptr);
}
/*****************************************************************************/
/*
Look for an authentication record with the realm and username in the linked-
list, binary tree. If one doesn't exists create a new one. Check the supplied
password against the one in the record. If it matches then authentication has
succeeded. If not, the check the supplied password against the database. If
it matches then copy the supplied password into the authentication record and
the authentication succeeds. If it doesn't match then the authentication
fails. Return AUTH_DENIED_BY_LOGIN to indicate authentication failure,
SS$_NORMAL indicating authentication success, or any other error status
indicating any other error.
*/
void AuthorizeRealm (REQUEST_STRUCT *rqptr)
{
BOOL HttpdLogout;
int status;
char *cptr, *sptr;
AUTH_CREC *acrptr,
*acsrptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthorizeRealm() !&F !&S",
&AuthorizeRealm, rqptr->rqAuth.FinalStatus);
if (VMSnok (rqptr->rqAuth.FinalStatus))
{
AuthorizeResponse (rqptr);
return;
}
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"AUTHENTICATE user:!AZ realm:!AZ!AZ!AZ",
rqptr->RemoteUser, rqptr->rqAuth.RealmPtr,
AuthSourceString (rqptr->rqAuth.RealmPtr,
rqptr->rqAuth.SourceRealm),
rqptr->rqAuth.NoCache ? " NOCACHE!" : "");
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_VMS ||
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_ID ||
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WASD_ID)
{
/* massage remote-username to comply with SYSUAF/VMS requirements */
for (cptr = sptr = rqptr->RemoteUser; *cptr; cptr++)
if (isalnum(*cptr) || *cptr == '_' || *cptr == '$')
*sptr++ = TOUP(*cptr);
*sptr = '\0';
rqptr->RemoteUserLength = sptr - rqptr->RemoteUser;
}
if (rqptr->rqHeader.QueryStringLength &&
TOLO(rqptr->rqHeader.QueryStringPtr[0]) == 'h' &&
(strsame (rqptr->rqHeader.QueryStringPtr, "httpd=cancel", 12) ||
strsame (rqptr->rqHeader.QueryStringPtr, "httpd=logout", 12)))
HttpdLogout = true;
else
HttpdLogout = false;
/* create record of request authorization data */
AuthCacheRequestRecord (rqptr, &acsrptr);
rqptr->rqAuth.CacheSearchRecordPtr = acsrptr;
/* need to lock it to access the authorization cache extensively */
if (!InstanceMutexHeld[INSTANCE_MUTEX_AUTH_CACHE])
InstanceMutexLock (INSTANCE_MUTEX_AUTH_CACHE);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "AuthRevalidateCount !UL",
rqptr->AuthRevalidateCount);
/*********************/
/* lookup the record */
/*********************/
status = AuthCacheFindRecord (acsrptr, &acrptr);
if (VMSok (status))
{
/*******************/
/* existing record */
/*******************/
if (WATCHING (rqptr, WATCH_AUTH))
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"CACHE [!AZ!AZ;!AZ!AZ;!AZ!AZ] \
user:!AZ remote:!AZ proxy:!AZ failures:!UL accesses:!UL seconds-ago:!UL!AZ",
acrptr->Realm[0] ? (char*)acrptr->Realm : "-",
AuthSourceString (acrptr->Realm, acrptr->SourceRealm),
acrptr->GroupWrite[0] ? (char*)acrptr->GroupWrite : "-",
AuthSourceString (acrptr->GroupWrite, acrptr->SourceGroupWrite),
acrptr->GroupRead[0] ? (char*)acrptr->GroupRead : "-",
AuthSourceString (acrptr->GroupRead, acrptr->SourceGroupRead),
acrptr->UserName,
acrptr->RemoteUser[0] ? acrptr->RemoteUser : "-",
acrptr->ProxyUserName[0] ? acrptr->ProxyUserName : "-",
acrptr->FailureCount, acrptr->AccessCount,
acrptr->LastAccessSecondsAgo, acrptr->NoCache ? " NOCACHE!" : "");
}
}
if (VMSok (status) &&
!rqptr->rqAuth.NoCache &&
!acrptr->NoCache)
{
if (VMSnok (status = AuthRestrictAny (rqptr, acrptr)))
{
/****************/
/* restrictions */
/****************/
rqptr->rqAuth.FinalStatus = status;
AuthorizeFinal (rqptr);
return;
}
if (acrptr->FailureCount >= AuthFailureLimit)
{
/***********************************/
/* LGI_BRK_LIM equivalent exceeded */
/***********************************/
if (acrptr->LastAccessSecondsAgo > AuthFailureTimeoutSeconds)
{
/**********************************/
/* LGI_HID_TIM equivalent expired */
/**********************************/
FaoToStdout (
"%HTTPD-I-AUTHFAILEXP, !20%D, !UL seconds, !UL failure!%s\n\
-AUTHFAILEXP-I-SERVICE, !AZ//!AZ\n\
-AUTHFAILEXP-I-CLIENT, !AZ\n\
-AUTHFAILEXP-I-USERNAME, \"!AZ\" in \"!AZ\"\n\
-AUTHFAILEXP-I-URI, !AZ !AZ\n",
0, acrptr->LastAccessSecondsAgo, acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName,
rqptr->rqHeader.RequestUriPtr);
if (OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom (
"%HTTPD-I-AUTHFAILEXP, !UL seconds, !UL failure!%s\r\n\
-AUTHFAILEXP-I-SERVICE, !AZ//!AZ\r\n\
-AUTHFAILEXP-I-CLIENT, !AZ\r\n\
-AUTHFAILEXP-I-USERNAME, \"!AZ\" in \"!AZ\"\r\n\
-AUTHFAILEXP-I-URI, !AZ !AZ",
acrptr->LastAccessSecondsAgo, acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"EXPIRY break-in evasion after !UL seconds and !UL failure!%s",
acrptr->LastAccessSecondsAgo, acrptr->FailureCount);
acrptr->FailureCount = 0;
}
else
{
/*******************************************/
/* within LGI_HID_TIM fail unconditionally */
/*******************************************/
acrptr->FailureCount++;
acrptr->Password[0] = acrptr->DigestResponse[0] = '\0';
acrptr->GroupReadStatus = acrptr->GroupWriteStatus = 0;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL break-in evasion !UL failure!%s exceeds limit of !UL",
acrptr->FailureCount, AuthFailureLimit);
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
AuthorizeFinal (rqptr);
return;
}
}
if (acrptr->FailureCount)
{
/* at least one failure, but less than maximum */
acrptr->Password[0] = acrptr->DigestResponse[0] = '\0';
acrptr->GroupReadStatus = acrptr->GroupWriteStatus = 0;
if (acrptr->LastAccessSecondsAgo > AuthFailurePeriodSeconds)
{
/* LGI_BRK_TMO equivalent period expired */
acrptr->FailureCount = 0;
}
/* drop through to recheck authentication */
}
if (rqptr->rqAuth.RevalidateTimeout)
{
/********************/
/* revalidate user? */
/********************/
/*
User validation only lasts for a limited period (< 24 hours).
Check how long ago was the last authorization attempt, if that is
exceeded force the user to reenter via browser dialog.
*/
if (acrptr->LastAccessMinutesAgo >= rqptr->rqAuth.RevalidateTimeout)
{
if (AuthCacheNeedsReval (rqptr, acrptr))
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL !UL exceeds user revalidate timeout !UL",
acrptr->LastAccessMinutesAgo,
rqptr->rqAuth.RevalidateTimeout);
acrptr->Password[0] = acrptr->DigestResponse[0] = '\0';
acrptr->GroupReadStatus = acrptr->GroupWriteStatus = 0;
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
AuthorizeFinal (rqptr);
return;
}
}
}
/*********************/
/* revalidate cache? */
/*********************/
if (acrptr->LastAccessMinutesAgo >= rqptr->rqAuth.RevalidateTimeout)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL !UL exceeds cache revalidate timeout !UL",
acrptr->LastAccessMinutesAgo,
rqptr->rqAuth.RevalidateTimeout);
acrptr->Password[0] = acrptr->DigestResponse[0] = '\0';
acrptr->GroupReadStatus = acrptr->GroupWriteStatus = 0;
/* drop through to recheck authentication */
}
rqptr->AuthRevalidateCount = 0;
/************************/
/* check authentication */
/************************/
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_BASIC ||
rqptr->rqAuth.Scheme == AUTH_SCHEME_DIGEST)
{
if (HttpdLogout)
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGOUT;
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_BASIC)
{
if (acrptr->Password[0] &&
!strcmp (rqptr->RemoteUserPassword, acrptr->Password))
{
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
acrptr->AccessCount++;
}
else
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
}
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_DIGEST)
{
if (acrptr->DigestResponse[0] &&
!strcmp (acrptr->DigestResponse,
rqptr->rqAuth.DigestResponsePtr))
{
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
acrptr->AccessCount++;
}
else
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
}
else
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
if (VMSok (rqptr->rqAuth.FinalStatus))
{
/*****************/
/* authenticated */
/*****************/
/* propagate authorization data from cache to request */
rqptr->rqAuth.CaseLess = acrptr->CaseLess;
if (!rqptr->rqAuth.NoCache) rqptr->rqAuth.NoCache = acrptr->NoCache;
rqptr->rqAuth.SysUafCanChangePwd = acrptr->SysUafCanChangePwd;
rqptr->rqAuth.SysUafAuthenticated = acrptr->SysUafAuthenticated;
rqptr->rqAuth.SysUafNilAccess = acrptr->SysUafNilAccess;
rqptr->rqAuth.SysUafLogonType = acrptr->SysUafLogonType;
rqptr->rqAuth.SourceRealm = acrptr->SourceRealm;
rqptr->rqAuth.SourceGroupRead = acrptr->SourceGroupRead;
rqptr->rqAuth.GroupReadStatus = acrptr->GroupReadStatus;
rqptr->rqAuth.SourceGroupWrite = acrptr->SourceGroupWrite;
rqptr->rqAuth.GroupWriteStatus = acrptr->GroupWriteStatus;
rqptr->rqAuth.UserCan = acrptr->AuthUserCan;
if (rqptr->rqAuth.RemoteUserLength = acrptr->AuthRemoteUserLength)
{
/* if an agent has substituted a VMS-USER: username */
strcpy (rqptr->rqAuth.RemoteUser, acrptr->AuthRemoteUser);
rqptr->RemoteUserLength = acrptr->RemoteUserLength;
strcpy (rqptr->RemoteUser, acrptr->RemoteUser);
}
if (rqptr->rqAuth.UserDetailsLength = acrptr->UserDetailsLength)
{
rqptr->rqAuth.UserDetailsPtr =
VmGetHeap (rqptr, acrptr->UserDetailsLength);
memcpy (rqptr->rqAuth.UserDetailsPtr,
acrptr->UserDetails,
acrptr->UserDetailsLength);
}
else
rqptr->rqAuth.UserDetailsPtr = NULL;
if (rqptr->rqAuth.VmsUserProfileLength =
acrptr->VmsUserProfileLength)
{
rqptr->rqAuth.VmsUserProfilePtr =
VmGetHeap (rqptr, acrptr->VmsUserProfileLength);
memcpy (rqptr->rqAuth.VmsUserProfilePtr,
acrptr->VmsUserProfilePtr,
acrptr->VmsUserProfileLength);
}
else
rqptr->rqAuth.VmsUserProfilePtr = NULL;
if (rqptr->rqAuth.SourceGroupWrite)
{
/* there is at least one group following the realm */
AuthorizeGroupWrite (rqptr);
return;
}
AuthorizeFinal (rqptr);
return;
}
}
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_NO401)
{
acrptr->AccessCount++;
if (rqptr->rqAuth.SourceGroupWrite)
{
/* there is at least one group following the realm */
rqptr->rqAuth.GroupReadStatus = acrptr->GroupReadStatus;
rqptr->rqAuth.GroupWriteStatus = acrptr->GroupWriteStatus;
AuthorizeGroupWrite (rqptr);
return;
}
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
AuthorizeFinal (rqptr);
return;
}
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_RFC1413)
{
if (rqptr->rqAuth.ResolvedRemoteUser)
acrptr->DataBaseCount++;
else
acrptr->AccessCount++;
if (rqptr->rqAuth.SourceGroupWrite)
{
/* there is at least one group following the realm */
rqptr->rqAuth.GroupReadStatus = acrptr->GroupReadStatus;
rqptr->rqAuth.GroupWriteStatus = acrptr->GroupWriteStatus;
AuthorizeGroupWrite (rqptr);
return;
}
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
AuthorizeFinal (rqptr);
return;
}
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_TOKEN)
{
if (rqptr->rqAuth.ResolvedRemoteUser)
acrptr->DataBaseCount++;
else
acrptr->AccessCount++;
if (rqptr->rqAuth.SourceGroupWrite)
{
/* there is at least one group following the realm */
rqptr->rqAuth.GroupReadStatus = acrptr->GroupReadStatus;
rqptr->rqAuth.GroupWriteStatus = acrptr->GroupWriteStatus;
AuthorizeGroupWrite (rqptr);
return;
}
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
AuthorizeFinal (rqptr);
return;
}
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_X509)
{
if (rqptr->rqAuth.ResolvedRemoteUser)
acrptr->DataBaseCount++;
else
acrptr->AccessCount++;
if (rqptr->rqAuth.SourceGroupWrite)
{
/* there is at least one group following the realm */
rqptr->rqAuth.GroupReadStatus = acrptr->GroupReadStatus;
rqptr->rqAuth.GroupWriteStatus = acrptr->GroupWriteStatus;
AuthorizeGroupWrite (rqptr);
return;
}
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
AuthorizeFinal (rqptr);
return;
}
else
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
/*********************/
/* not authenticated */
/*********************/
}
else
if (status == SS$_ITEMNOTFOUND)
{
/*****************************/
/* record not found, add one */
/*****************************/
status = AuthCacheAddRecord (acsrptr, &acrptr);
/* if revalidation timeout applicable ensure there is always one 401 */
if (rqptr->rqAuth.RevalidateTimeout)
{
if (AuthCacheNeedsReval (rqptr, acrptr))
{
acrptr->Password[0] = rqptr->RemoteUserPassword[0] = '\0';
acrptr->GroupReadStatus = acrptr->GroupWriteStatus = 0;
}
}
}
/* last modification to authorization cache entries in this function */
if (InstanceMutexHeld[INSTANCE_MUTEX_AUTH_CACHE])
InstanceMutexUnLock (INSTANCE_MUTEX_AUTH_CACHE);
if (VMSnok (status))
{
/* some other error, report it */
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_USER);
ErrorVmsStatus (rqptr, status, FI_LI);
rqptr->rqAuth.FinalStatus = status;
return;
}
/**********************************************/
/* get authentication from appropriate source */
/**********************************************/
acrptr->DataBaseCount++;
if (HttpdLogout)
{
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGOUT;
AuthorizeFinal (rqptr);
return;
}
if (AuthPromiscuous)
{
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
if (AuthPromiscuousPwdPtr)
if (!strsame (rqptr->RemoteUserPassword, AuthPromiscuousPwdPtr, -1))
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
/* allow the user to do any/everything */
if (VMSok (rqptr->rqAuth.FinalStatus))
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
AuthorizeRealmCheck (rqptr);
return;
}
if (HttpdGblSecPtr->AuthSkelKeyHttpdTickSecond)
{
if (HttpdGblSecPtr->AuthSkelKeyHttpdTickSecond < HttpdTickSecond)
{
/* skeleton key details have expired */
InstanceMutexLock (INSTANCE_MUTEX_HTTPD);
memset (HttpdGblSecPtr->AuthSkelKeyUserName, 0,
sizeof(HttpdGblSecPtr->AuthSkelKeyUserName));
memset (HttpdGblSecPtr->AuthSkelKeyPassword, 0,
sizeof(HttpdGblSecPtr->AuthSkelKeyPassword));
HttpdGblSecPtr->AuthSkelKeyHttpdTickSecond = 0;
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "SKELETON-KEY has expired");
FaoToStdout ("%HTTPD-I-AUTHSKEL, !20%D, skeleton-key has expired\n", 0);
if (OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom ("%HTTPD-I-AUTHSKEL, skeleton-key has expired");
}
if (HttpdGblSecPtr->AuthSkelKeyHttpdTickSecond)
{
InstanceMutexLock (INSTANCE_MUTEX_HTTPD);
if (rqptr->RemoteUser[0] == '_' &&
strsame (rqptr->RemoteUser,
HttpdGblSecPtr->AuthSkelKeyUserName, -1))
{
if (strsame (rqptr->RemoteUserPassword,
HttpdGblSecPtr->AuthSkelKeyPassword, -1))
{
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
rqptr->rqAuth.NoCache = true;
rqptr->rqAuth.SkelKeyAuthenticated = true;
AccountingPtr->AuthSkelKeyCount++;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"SKELETON-KEY authenticated (!UL minute!%s left)",
(HttpdGblSecPtr->AuthSkelKeyHttpdTickSecond -
HttpdTickSecond) / 60);
}
else
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
AuthorizeRealmCheck (rqptr);
return;
}
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
}
}
switch (rqptr->rqAuth.SourceRealm)
{
case AUTH_SOURCE_AGENT :
case AUTH_SOURCE_AGENT_OPAQUE :
/* asynchronous check via agent */
InstanceGblSecIncrLong (&AccountingPtr->AuthAgentCount);
if (!rqptr->rqAuth.PathParameterPtr[0])
{
rqptr->rqAuth.PathParameterPtr = AuthAgentParamRealm;
rqptr->rqAuth.PathParameterLength = sizeof(AuthAgentParamRealm)-1;
}
/* after calling this function all will be asynchronous! */
AuthAgentBegin (rqptr, rqptr->rqAuth.RealmPtr, &AuthorizeRealmCheck);
/* ASYNCHRONOUS ... so now we return */
return;
case AUTH_SOURCE_ACME :
/* ACME authentication needs an unencoded password */
rqptr->rqAuth.ChallengeScheme = AUTH_SCHEME_BASIC;
if (AuthConfigACME)
{
InstanceGblSecIncrLong (&AccountingPtr->AuthAcmeCount);
/* after calling this function all will be ASYNCHRONOUS! */
AuthAcmeVerifyUser (rqptr);
return;
}
/* ACME authentication is not enabled! */
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
break;
case AUTH_SOURCE_VMS :
case AUTH_SOURCE_ID :
case AUTH_SOURCE_WASD_ID :
/* SYSUAF authentication needs an unencoded password */
rqptr->rqAuth.ChallengeScheme = AUTH_SCHEME_BASIC;
if (!AuthSysUafEnabled)
{
/* SYSUAF authentication is not enabled! */
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
}
else
if (AuthConfigSysUafUseACME)
{
/* ACME routines are the default on VMS V7.3 and later */
InstanceGblSecIncrLong (&AccountingPtr->AuthVmsCount);
rqptr->rqAuth.SysUafAuthenticated = true;
/* after calling this function all will be ASYNCHRONOUS! */
AuthAcmeVerifyUser (rqptr);
return;
}
else
{
/* config SYSUAF authenticate using WASD routines */
InstanceGblSecIncrLong (&AccountingPtr->AuthVmsCount);
rqptr->rqAuth.SysUafAuthenticated = true;
if (VMSok (status = AuthVmsGetUai (rqptr, rqptr->RemoteUser)))
{
/* check against SYSUAF */
if (VMSok (status = AuthVmsVerifyUser (rqptr)))
{
if (VMSok (status = AuthVmsVerifyPassword (rqptr)))
{
/* authenticated ... user can do anything (path allows!) */
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
}
}
}
rqptr->rqAuth.FinalStatus = status;
}
break;
case AUTH_SOURCE_HTA :
case AUTH_SOURCE_DIR_HTA :
/* check against per-service HTA database */
InstanceGblSecIncrLong (&AccountingPtr->AuthHtDatabaseCount);
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_HTA)
rqptr->rqAuth.DirectoryPtr = AuthConfigHtaDirectory;
else
rqptr->rqAuth.DirectoryPtr = rqptr->ConfigDirectory;
rqptr->rqAuth.FinalStatus =
AuthReadHtDatabase (rqptr, rqptr->rqAuth.RealmPtr, true);
rqptr->rqAuth.DirectoryPtr = NULL;
break;
case AUTH_SOURCE_HOST :
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
case AUTH_SOURCE_LIST :
case AUTH_SOURCE_DIR_LIST :
/* check against per-service simple list */
InstanceGblSecIncrLong (&AccountingPtr->AuthSimpleListCount);
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_LIST)
rqptr->rqAuth.DirectoryPtr = AuthConfigHtaDirectory;
else
rqptr->rqAuth.DirectoryPtr = rqptr->ConfigDirectory;
rqptr->rqAuth.FinalStatus =
AuthReadSimpleList (rqptr, rqptr->rqAuth.RealmPtr, true);
rqptr->rqAuth.DirectoryPtr = NULL;
/* if the list has the user name and corrrect password */
if (VMSok (rqptr->rqAuth.FinalStatus))
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
break;
case AUTH_SOURCE_RFC1413 :
InstanceGblSecIncrLong (&AccountingPtr->AuthOtherCount);
InstanceGblSecIncrLong (&AccountingPtr->AuthRFC1413Count);
break;
case AUTH_SOURCE_TOKEN :
InstanceGblSecIncrLong (&AccountingPtr->AuthOtherCount);
InstanceGblSecIncrLong (&AccountingPtr->AuthTokenCount);
AuthTokenProcess (rqptr);
break;
case AUTH_SOURCE_X509 :
InstanceGblSecIncrLong (&AccountingPtr->AuthOtherCount);
InstanceGblSecIncrLong (&AccountingPtr->AuthX509Count);
break;
case AUTH_SOURCE_PROMISCUOUS :
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
case AUTH_SOURCE_SKELKEY :
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
break;
default :
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
AuthorizeRealmCheck (rqptr);
}
/*****************************************************************************/
/*
Called directly or as an AST. Check the authorization status and if an error
call AuthorizeFinal() directly. If not an error check for restrictions to this
correctly authenticated access and call AuthorizeFinal() is any found. If no
restrictions check if there is a read/write group and if there is call
AuthorizeGroupWrite() to check against this, if none then call
AuthorizeFinal().
*/
void AuthorizeRealmCheck (REQUEST_STRUCT *rqptr)
{
int status;
AUTH_CREC *acrptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthorizeRealmCheck() !&F !&S",
&AuthorizeRealmCheck, rqptr->rqAuth.FinalStatus);
if (WATCHING (rqptr, WATCH_AUTH))
AuthWatchCheck (rqptr, "realm", FI_LI);
if (!DclAgentPre12 &&
rqptr->AgentRequestPtr &&
!rqptr->AgentResponsePtr)
{
/* for v12... an agent MUST provide a response callout */
rqptr->rqAuth.FinalStatus = SS$_BUGCHECK;
AuthorizeFinal (rqptr);
return;
}
if (VMSnok (rqptr->rqAuth.FinalStatus))
{
/* failure/error from realm authentication */
AuthorizeFinal (rqptr);
return;
}
if (!InstanceMutexHeld[INSTANCE_MUTEX_AUTH_CACHE])
InstanceMutexLock (INSTANCE_MUTEX_AUTH_CACHE);
status = AuthCacheFindRecord (rqptr->rqAuth.CacheSearchRecordPtr, &acrptr);
if (VMSnok (status))
{
/* cache record has been reused (probably) in the meantime! */
ErrorNoticed (rqptr, status, NULL, FI_LI);
rqptr->rqAuth.FinalStatus = status;
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_DATABASE);
rqptr->rqResponse.ErrorOtherTextPtr = "(increase [AuthCacheEntriesMax])";
ErrorVmsStatus (rqptr, status, FI_LI);
AuthorizeResponse (rqptr);
return;
}
/* update the cache record with these flags */
acrptr->CaseLess = rqptr->rqAuth.CaseLess;
acrptr->HttpsOnly = rqptr->rqAuth.HttpsOnly;
acrptr->NoCache = rqptr->rqAuth.NoCache;
acrptr->SysUafAuthenticated = rqptr->rqAuth.SysUafAuthenticated;
acrptr->SysUafCanChangePwd = rqptr->rqAuth.SysUafCanChangePwd;
acrptr->SysUafLogonType = rqptr->rqAuth.SysUafLogonType;
acrptr->SysUafNilAccess = rqptr->rqAuth.SysUafNilAccess;
/* check for any non-path restrictions (e.g. "https:"-only, hours, etc.) */
rqptr->rqAuth.FinalStatus = AuthRestrictAny (rqptr, acrptr);
if (VMSnok (rqptr->rqAuth.FinalStatus))
{
/* yep, some restriction on user, end of assessment */
AuthorizeFinal (rqptr);
return;
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WASD_ID)
{
/* access is controlled by the (deprecated) WASD identifiers */
rqptr->rqAuth.FinalStatus = AuthorizeWasdId (rqptr);
AuthorizeFinal (rqptr);
return;
}
if (rqptr->rqAuth.SourceGroupWrite)
{
/* there is at least one group following the realm */
if (InstanceMutexHeld[INSTANCE_MUTEX_AUTH_CACHE])
InstanceMutexUnLock (INSTANCE_MUTEX_AUTH_CACHE);
AuthorizeGroupWrite (rqptr);
return;
}
/* otherwise we've reached the end of the assessment - successfully */
AuthorizeFinal (rqptr);
}
/*****************************************************************************/
/*
Deprecated WASD VMS identifiers control access. Make appropriate assessment.
*/
int AuthorizeWasdId (REQUEST_STRUCT *rqptr)
{
int status;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthorizeWasdId()");
status = AuthVmsHoldsIdentifier (rqptr, AUTH_WASD_WRITE_VMS_ID,
AuthWasdWriteVmsIdentifier);
/* if it has the full-access identifier */
if (VMSok (status))
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
else
if (status == 0)
{
/* did not hold the full-access identifier */
status = AuthVmsHoldsIdentifier (rqptr, AUTH_WASD_READ_VMS_ID,
AuthWasdReadVmsIdentifier);
/* if it has the read-only identifier */
if (VMSok (status))
rqptr->rqAuth.UserCan = AUTH_READONLY_ACCESS;
else
if (status == 0)
{
/* one or other of these MUST have allowed authentication! */
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
}
if (rqptr->rqAuth.SourceGroupWrite)
{
/*
Group membership specified. Check for possession of
a "WASD_VMS__groupname" identifier.
*/
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"CHECK group !AZ!AZ!AZ",
AUTH_WASD__GROUP_VMS_ID,
rqptr->rqAuth.GroupWritePtr,
AuthSourceString (rqptr->rqAuth.GroupWritePtr,
rqptr->rqAuth.SourceGroupWrite));
status = AuthVmsHoldsWasdGroupIdent (rqptr, rqptr->rqAuth.GroupWritePtr);
if (VMSnok (status))
{
/* doesn't hold the group identifier, no access */
rqptr->rqAuth.UserCan = 0;
status = AUTH_DENIED_BY_GROUP;
}
}
return (status);
}
/*****************************************************************************/
/*
Check for full-access (read+write) group membership.
*/
void AuthorizeGroupWrite (REQUEST_STRUCT *rqptr)
{
int status;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthorizeGroupWrite() !8XL",
rqptr->rqAuth.GroupWriteStatus);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"CHECK r+w group !AZ!AZ",
rqptr->rqAuth.GroupWritePtr,
AuthSourceString (rqptr->rqAuth.GroupWritePtr,
rqptr->rqAuth.SourceGroupWrite));
if (rqptr->rqAuth.GroupWriteStatus)
{
/* status already established (i.e. from authorisation cache) */
AuthorizeGroupWriteCheck (rqptr);
return;
}
switch (rqptr->rqAuth.SourceGroupWrite)
{
case AUTH_SOURCE_AGENT :
case AUTH_SOURCE_AGENT_OPAQUE :
InstanceGblSecIncrLong (&AccountingPtr->AuthAgentCount);
if (!rqptr->rqAuth.PathParameterPtr[0] ||
rqptr->rqAuth.PathParameterPtr == AuthAgentParamRealm)
{
rqptr->rqAuth.PathParameterPtr = AuthAgentParamGroup;
rqptr->rqAuth.PathParameterLength = sizeof(AuthAgentParamGroup)-1;
}
/* after calling this function all will be asynchronous! */
AuthAgentBegin (rqptr, rqptr->rqAuth.GroupWritePtr,
&AuthorizeGroupWriteCheck);
/* ASYNCHRONOUS ... so now we return */
return;
case AUTH_SOURCE_HTA :
case AUTH_SOURCE_DIR_HTA :
if (rqptr->rqAuth.SourceGroupWrite == AUTH_SOURCE_HTA)
rqptr->rqAuth.DirectoryPtr = AuthConfigHtaDirectory;
else
rqptr->rqAuth.DirectoryPtr = rqptr->ConfigDirectory;
rqptr->rqAuth.GroupWriteStatus =
AuthReadHtDatabase (rqptr, rqptr->rqAuth.GroupWritePtr, false);
rqptr->rqAuth.DirectoryPtr = NULL;
break;
case AUTH_SOURCE_HOST:
rqptr->rqAuth.GroupWriteStatus =
AuthClientHostGroup (rqptr, rqptr->rqAuth.GroupWritePtr);
break;
case AUTH_SOURCE_ID :
rqptr->rqAuth.GroupWriteStatus =
AuthVmsHoldsIdentifier (rqptr, rqptr->rqAuth.GroupWritePtr,
rqptr->rqAuth.GroupWriteVmsIdentifier);
break;
case AUTH_SOURCE_LIST :
case AUTH_SOURCE_DIR_LIST :
if (rqptr->rqAuth.SourceGroupWrite == AUTH_SOURCE_LIST)
rqptr->rqAuth.DirectoryPtr = AuthConfigHtaDirectory;
else
rqptr->rqAuth.DirectoryPtr = rqptr->ConfigDirectory;
rqptr->rqAuth.GroupWriteStatus =
AuthReadSimpleList (rqptr, rqptr->rqAuth.GroupWritePtr, false);
rqptr->rqAuth.DirectoryPtr = NULL;
break;
case AUTH_SOURCE_RFC1413 :
rqptr->rqAuth.GroupWriteStatus = AUTH_DENIED_BY_GROUP;
break;
case AUTH_SOURCE_TOKEN :
rqptr->rqAuth.GroupWriteStatus = AUTH_DENIED_BY_GROUP;
break;
case AUTH_SOURCE_X509 :
rqptr->rqAuth.GroupWriteStatus = AUTH_DENIED_BY_GROUP;
break;
default :
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
AuthorizeGroupWriteCheck (rqptr);
}
/*****************************************************************************/
/*
Called directly or as an AST. Check the outcome of the the full-access
(read+write) group membership assessment.
*/
void AuthorizeGroupWriteCheck (REQUEST_STRUCT *rqptr)
{
int status;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthorizeGroupWriteCheck() !&F !&S",
&AuthorizeGroupWriteCheck, rqptr->rqAuth.GroupWriteStatus);
if (WATCHING (rqptr, WATCH_AUTH))
AuthWatchCheck (rqptr, "r+w group", FI_LI);
if (!DclAgentPre12 &&
rqptr->AgentRequestPtr &&
!rqptr->AgentResponsePtr)
{
/* for v12... an agent MUST provide a response callout */
rqptr->rqAuth.FinalStatus = SS$_BUGCHECK;
AuthorizeFinal (rqptr);
return;
}
rqptr->rqAuth.FinalStatus = rqptr->rqAuth.GroupWriteStatus;
if (VMSok (rqptr->rqAuth.FinalStatus))
{
/* found in the full-access group and therefore has access */
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
AuthorizeFinal (rqptr);
return;
}
if (rqptr->rqAuth.SourceGroupRead)
{
/* there is a "read" group following the "write" group */
AuthorizeGroupRead (rqptr);
return;
}
/* not found in full-access group, no read-only group ... no access */
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_GROUP;
AuthorizeFinal (rqptr);
}
/*****************************************************************************/
/*
Check for read-only access (second of two) group membership.
*/
void AuthorizeGroupRead (REQUEST_STRUCT *rqptr)
{
int status;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthorizeGroupRead() !8XL",
rqptr->rqAuth.GroupReadStatus);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"CHECK r-only group !AZ!AZ",
rqptr->rqAuth.GroupReadPtr,
AuthSourceString (rqptr->rqAuth.GroupReadPtr,
rqptr->rqAuth.SourceGroupRead));
if (rqptr->rqAuth.GroupReadStatus)
{
/* status already established (i.e. from authorisation cache) */
AuthorizeGroupReadCheck (rqptr);
return;
}
/* reset this group name so the read-only group name is obvious to CGI.C */
rqptr->rqAuth.GroupWritePtr = "";
switch (rqptr->rqAuth.SourceGroupRead)
{
case AUTH_SOURCE_AGENT :
case AUTH_SOURCE_AGENT_OPAQUE :
InstanceGblSecIncrLong (&AccountingPtr->AuthAgentCount);
if (!rqptr->rqAuth.PathParameterPtr[0] ||
rqptr->rqAuth.PathParameterPtr == AuthAgentParamRealm)
{
rqptr->rqAuth.PathParameterPtr = AuthAgentParamGroup;
rqptr->rqAuth.PathParameterLength = sizeof(AuthAgentParamGroup)-1;
}
/* after calling this function all will be asynchronous! */
AuthAgentBegin (rqptr, rqptr->rqAuth.GroupReadPtr,
&AuthorizeGroupReadCheck);
/* ASYNCHRONOUS ... so now we return */
return;
case AUTH_SOURCE_HTA :
case AUTH_SOURCE_DIR_HTA :
if (rqptr->rqAuth.SourceGroupRead == AUTH_SOURCE_HTA)
rqptr->rqAuth.DirectoryPtr = AuthConfigHtaDirectory;
else
rqptr->rqAuth.DirectoryPtr = rqptr->ConfigDirectory;
rqptr->rqAuth.GroupReadStatus =
AuthReadHtDatabase (rqptr, rqptr->rqAuth.GroupReadPtr, false);
rqptr->rqAuth.DirectoryPtr = NULL;
break;
case AUTH_SOURCE_HOST:
rqptr->rqAuth.GroupReadStatus =
AuthClientHostGroup (rqptr, rqptr->rqAuth.GroupReadPtr);
break;
case AUTH_SOURCE_ID :
rqptr->rqAuth.GroupReadStatus =
AuthVmsHoldsIdentifier (rqptr, rqptr->rqAuth.GroupReadPtr,
rqptr->rqAuth.GroupReadVmsIdentifier);
break;
case AUTH_SOURCE_LIST :
case AUTH_SOURCE_DIR_LIST :
if (rqptr->rqAuth.SourceGroupRead == AUTH_SOURCE_LIST)
rqptr->rqAuth.DirectoryPtr = AuthConfigHtaDirectory;
else
rqptr->rqAuth.DirectoryPtr = rqptr->ConfigDirectory;
rqptr->rqAuth.GroupReadStatus =
AuthReadSimpleList (rqptr, rqptr->rqAuth.GroupReadPtr, false);
rqptr->rqAuth.DirectoryPtr = NULL;
break;
case AUTH_SOURCE_RFC1413 :
rqptr->rqAuth.GroupReadStatus = AUTH_DENIED_BY_GROUP;
break;
case AUTH_SOURCE_THEREST :
rqptr->rqAuth.GroupReadStatus = SS$_NORMAL;
break;
case AUTH_SOURCE_TOKEN :
rqptr->rqAuth.GroupReadStatus = AUTH_DENIED_BY_GROUP;
break;
case AUTH_SOURCE_X509 :
rqptr->rqAuth.GroupReadStatus = AUTH_DENIED_BY_GROUP;
break;
default :
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
AuthorizeGroupReadCheck (rqptr);
}
/*****************************************************************************/
/*
Called directly or as an AST. Check the outcome of the the read-only group
membership assessment.
*/
void AuthorizeGroupReadCheck (REQUEST_STRUCT *rqptr)
{
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthorizeGroupReadCheck() !&F !&S",
&AuthorizeGroupReadCheck, rqptr->rqAuth.GroupReadStatus);
if (!DclAgentPre12 &&
rqptr->AgentRequestPtr &&
!rqptr->AgentResponsePtr)
{
/* for v12... an agent MUST provide a response callout */
rqptr->rqAuth.FinalStatus = SS$_BUGCHECK;
AuthorizeFinal (rqptr);
return;
}
rqptr->rqAuth.FinalStatus = rqptr->rqAuth.GroupReadStatus;
if (WATCHING (rqptr, WATCH_AUTH))
AuthWatchCheck (rqptr, "r-only group", FI_LI);
/* if found in the read-only access group */
if (VMSok (rqptr->rqAuth.FinalStatus))
rqptr->rqAuth.UserCan = AUTH_READONLY_ACCESS;
else
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_GROUP;
AuthorizeFinal (rqptr);
}
/*****************************************************************************/
/*
Called directly or as an AST. Finish the authentication by updating the
authentication cache record with the results of the processing. Then call
AuthorizeResponse() to set access or generate an appropriate HTTP error
response.
*/
void AuthorizeFinal (REQUEST_STRUCT *rqptr)
{
int status;
AUTH_CREC *acrptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthorizeFinal() !&F !&S",
&AuthorizeFinal, rqptr->rqAuth.FinalStatus);
/* don't try to free either as they likely point to constants */
rqptr->AgentRequestPtr = rqptr->AgentResponsePtr = NULL;
/* may still be locked by some calling function */
if (!InstanceMutexHeld[INSTANCE_MUTEX_AUTH_CACHE])
InstanceMutexLock (INSTANCE_MUTEX_AUTH_CACHE);
status = AuthCacheFindRecord (rqptr->rqAuth.CacheSearchRecordPtr, &acrptr);
if (VMSnok (status))
{
/* cache record has been reused (probably) in the meantime! */
ErrorNoticed (rqptr, status, NULL, FI_LI);
rqptr->rqAuth.FinalStatus = status;
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_DATABASE);
rqptr->rqResponse.ErrorOtherTextPtr = "(increase [AuthCacheEntriesMax])";
ErrorVmsStatus (rqptr, status, FI_LI);
AuthorizeResponse (rqptr);
return;
}
if (VMSok (rqptr->rqAuth.FinalStatus))
{
if (rqptr->rqAuth.ProxyStringLength)
{
/*****************/
/* map any proxy */
/*****************/
rqptr->rqAuth.FinalStatus = AuthConfigProxyMap (rqptr, acrptr);
}
else
if (AuthVmsUserProfileEnabled && rqptr->rqAuth.SysUafAuthenticated)
{
/******************/
/* create profile */
/******************/
rqptr->rqAuth.FinalStatus = AuthVmsCreateUserProfile (rqptr);
}
}
if (VMSok (rqptr->rqAuth.FinalStatus))
{
/*****************/
/* authenticated */
/*****************/
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_BASIC)
{
if (rqptr->rqAuth.SysUafPwdExpired)
acrptr->Password[0] = '\0';
else
strcpy (acrptr->Password, rqptr->RemoteUserPassword);
acrptr->BasicCount++;
}
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_DIGEST)
{
strzcpy (acrptr->DigestResponse,
rqptr->rqAuth.DigestResponsePtr,
sizeof(acrptr->DigestResponse));
acrptr->DigestCount++;
}
acrptr->AuthUserCan = rqptr->rqAuth.UserCan;
acrptr->GroupReadStatus = rqptr->rqAuth.GroupReadStatus;
acrptr->GroupWriteStatus = rqptr->rqAuth.GroupWriteStatus;
/* add (any) user detail and VMS profile data */
if (!acrptr->DetailsUpdated) AuthCacheAddRecordDetails (rqptr, acrptr);
if (acrptr->AuthRemoteUserLength = rqptr->rqAuth.RemoteUserLength)
{
/* if an agent has substituted a VMS-USER: username */
strcpy (acrptr->AuthRemoteUser, rqptr->rqAuth.RemoteUser);
acrptr->RemoteUserLength = rqptr->RemoteUserLength;
strcpy (acrptr->RemoteUser, rqptr->RemoteUser);
}
if (acrptr->FailureCount)
{
/* just let the log know the access finally succeeded */
FaoToStdout (
"%HTTPD-I-AUTHFAILOK, !20%D, !UL failure!%s\n\
-AUTHFAILOK-I-SERVICE, !AZ//!AZ\n\
-AUTHFAILOK-I-CLIENT, !AZ\n\
-AUTHFAILOK-I-USERNAME, \"!AZ\" in \"!AZ\"\n\
-AUTHFAILOK-I-URI, !AZ !AZ\n",
0, acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
if (OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom (
"%HTTPD-I-AUTHFAILOK, !UL failure!%s\r\n\
-AUTHFAILOK-I-SERVICE, !AZ//!AZ\r\n\
-AUTHFAILOK-I-CLIENT, !AZ\r\n\
-AUTHFAILOK-I-USERNAME, \"!AZ\" in \"!AZ\"\r\n\
-AUTHFAILOK-I-URI, !AZ !AZ",
acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
acrptr->FailureCount = 0;
}
}
else
{
/*********************/
/* not authenticated */
/*********************/
acrptr->FailureCount++;
rqptr->rqAuth.UserCan =
acrptr->GroupReadStatus =
acrptr->GroupWriteStatus = 0;
if (rqptr->rqAuth.FinalStatus == AUTH_DENIED_BY_LOGOUT)
{
if (rqptr->rqAuth.RevalidateTimeout)
{
/* make the last access back in the year dot */
acrptr->LastAccessTickSecond = 0;
}
FaoToStdout (
"%HTTPD-I-AUTHLOGOUT, !20%D, !UL failure!%s\n\
-AUTHLOGOUT-I-SERVICE, !AZ//!AZ\n\
-AUTHLOGOUT-I-CLIENT, !AZ\n\
-AUTHLOGOUT-I-USERNAME, \"!AZ\" in \"!AZ\"\n\
-AUTHLOGOUT-I-URI, !AZ !AZ\n",
0, acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
if (OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom (
"%HTTPD-I-AUTHLOGOUT, !UL failure!%s\r\n\
-AUTHLOGOUT-I-SERVICE, !AZ//!AZ\r\n\
-AUTHLOGOUT-I-CLIENT, !AZ\r\n\
-AUTHLOGOUT-I-USERNAME, \"!AZ\" in \"!AZ\"\r\n\
-AUTHLOGOUT-I-URI, !AZ !AZ",
acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
}
else
if (acrptr->FailureCount >= AuthFailureLimit)
{
FaoToStdout (
"%HTTPD-W-AUTHFAILIM, !20%D, !UL failure!%s\n\
-AUTHFAILIM-I-SERVICE, !AZ//!AZ\n\
-AUTHFAILIM-I-CLIENT, !AZ\n\
-AUTHFAILIM-I-USERNAME, \"!AZ\" in \"!AZ\"\n\
-AUTHFAILIM-I-URI, !AZ !AZ\n",
0, acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
if (OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom (
"%HTTPD-W-AUTHFAILIM, !UL failure!%s\r\n\
-AUTHFAILIM-I-SERVICE, !AZ//!AZ\r\n\
-AUTHFAILIM-I-CLIENT, !AZ\r\n\
-AUTHFAILIM-I-USERNAME, \"!AZ\" in \"!AZ\"\r\n\
-AUTHFAILIM-I-URI, !AZ !AZ",
acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
}
else
{
FaoToStdout (
"%HTTPD-W-AUTHFAIL, !20%D, !UL failure!%s\n\
-AUTHFAIL-I-SERVICE, !AZ//!AZ\n\
-AUTHFAIL-I-CLIENT, !AZ\n\
-AUTHFAIL-I-USERNAME, \"!AZ\" in \"!AZ\"\n\
-AUTHFAIL-I-URI, !AZ !AZ\n",
0, acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
if (OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom (
"%HTTPD-W-AUTHFAIL, !UL failure!%s\r\n\
-AUTHFAIL-I-SERVICE, !AZ//!AZ\r\n\
-AUTHFAIL-I-CLIENT, !AZ\r\n\
-AUTHFAIL-I-USERNAME, \"!AZ\" in \"!AZ\"\r\n\
-AUTHFAIL-I-URI, !AZ !AZ",
acrptr->FailureCount,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
}
}
AuthorizeResponse (rqptr);
}
/*****************************************************************************/
/*
If authenticated then set the request's level of access and resume processing
(either just return or declare an AST). The calling routine must check the
'rqptr->rqAuth.orizeStatus' to determine whether access was granted or not. A
normal status indicates yes, an error status no. If not then generate an HTTP
response appropriate to the reason for the denial and then resume processing.
*/
void AuthorizeResponse (REQUEST_STRUCT *rqptr)
{
int status;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthorizeResponse() !&S",
rqptr->rqAuth.FinalStatus);
/* last chance to unlock authorization (in case it wasn't done earlier) */
if (InstanceMutexHeld[INSTANCE_MUTEX_AUTH_CACHE])
InstanceMutexUnLock (INSTANCE_MUTEX_AUTH_CACHE);
/* we no longer want this hanging around our CGI variables */
rqptr->rqAuth.PathParameterPtr = "";
rqptr->rqAuth.PathParameterLength = 0;
if (rqptr->rqAuth.FinalStatus == AUTH_DENIED_BY_LOGIN)
{
/**************************/
/* authentication failure */
/**************************/
InstanceGblSecIncrLong (&AccountingPtr->AuthNotAuthenticatedCount);
if (!rqptr->rqAuth.ChallengeScheme)
{
/* ensure at least a BASIC challenge is generated if promiscuous */
if (Config.cfAuth.BasicEnabled || AuthPromiscuous)
rqptr->rqAuth.ChallengeScheme |= AUTH_SCHEME_BASIC;
if (Config.cfAuth.DigestEnabled)
rqptr->rqAuth.ChallengeScheme |= AUTH_SCHEME_DIGEST;
}
if (rqptr->rqAuth.ChallengeScheme & AUTH_SCHEME_DIGEST &&
rqptr->rqAuth.SourceRealm != AUTH_SOURCE_HTA &&
rqptr->rqAuth.SourceRealm != AUTH_SOURCE_EXTERNAL &&
rqptr->rqAuth.SourceRealm != AUTH_SOURCE_OPAQUE)
rqptr->rqAuth.ChallengeScheme &= ~AUTH_SCHEME_DIGEST;
if (!rqptr->rqAuth.ChallengeScheme)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_NO401)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_RFC1413)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_TOKEN)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_X509)
rqptr->rqResponse.HttpStatus = 403;
else
/* generate a "WWW-Authorize:" challenge */
if (rqptr->ServicePtr->ProxyAuthRequired)
rqptr->rqResponse.HttpStatus = 407;
else
rqptr->rqResponse.HttpStatus = 401;
if (rqptr->rqAuth.ReasonLength)
ErrorGeneral (rqptr, rqptr->rqAuth.ReasonPtr, FI_NOLI);
else
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_FAILED), FI_NOLI);
if (rqptr->rqAuth.AstFunction)
SysDclAst (rqptr->rqAuth.AstFunction, rqptr);
return;
}
if (rqptr->rqAuth.FinalStatus == AUTH_DENIED_BY_LOGOUT)
{
/******************************/
/* authentication user cancel */
/******************************/
InstanceGblSecIncrLong (&AccountingPtr->AuthNotAuthenticatedCount);
if (rqptr->rqAuth.RevalidateTimeout)
{
if (rqptr->rqHeader.QueryStringLength > 12 &&
strsame (rqptr->rqHeader.QueryStringPtr+12, "&goto=", 6))
ResponseLocation (rqptr, rqptr->rqHeader.QueryStringPtr+12+6, -1);
else
{
/* supply a success message (ensure it has sufficient detail) */
rqptr->rqPathSet.ReportType = ERROR_REPORT_DETAILED;
ReportSuccess (rqptr, MsgFor(rqptr,MSG_AUTH_LOGOUT));
}
}
else
{
/* otherwise generate an HTTP response */
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_NO401)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_RFC1413)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_TOKEN)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_X509)
rqptr->rqResponse.HttpStatus = 403;
else
/* generate a "WWW-Authorize:" challenge */
if (rqptr->ServicePtr->ProxyAuthRequired)
rqptr->rqResponse.HttpStatus = 407;
else
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_NO_LOGOUT), FI_NOLI);
}
if (rqptr->rqAuth.AstFunction)
SysDclAst (rqptr->rqAuth.AstFunction, rqptr);
return;
}
if (rqptr->rqAuth.SourceRealm != AUTH_SOURCE_TOKEN)
{
/***************************/
/* NOT token authorisation */
/***************************/
if (rqptr->rqAuth.RealmParamPtr && rqptr->rqAuth.RealmParamPtr[0])
if (strsame (rqptr->rqAuth.RealmParamPtr, "TOKEN=", 6))
AuthTokenGenerate (rqptr);
}
if (rqptr->rqAuth.FinalStatus == AUTH_DENIED_BY_REDIRECT)
{
/***************/
/* redirection */
/***************/
/* either by agent or token or SYSUAF password expiry */
InstanceGblSecIncrLong (&AccountingPtr->AuthNotAuthenticatedCount);
if (rqptr->rqAuth.AstFunction)
SysDclAst (rqptr->rqAuth.AstFunction, rqptr);
return;
}
if (VMSnok (rqptr->rqAuth.FinalStatus))
{
/***************/
/* other error */
/***************/
/* if a non-specific error occured then always deny access */
rqptr->rqResponse.HttpStatus = 403;
if (rqptr->rqAuth.ReasonLength)
ErrorGeneral (rqptr, rqptr->rqAuth.ReasonPtr, FI_NOLI);
else
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
if (rqptr->rqAuth.AstFunction)
SysDclAst (rqptr->rqAuth.AstFunction, rqptr);
return;
}
if (rqptr->rqAuth.GroupRestrictListPtr[0])
{
/*****************************************/
/* check access against restriction list */
/*****************************************/
status = AuthRestrictList (rqptr, rqptr->rqAuth.GroupRestrictListPtr);
if (VMSnok (status))
{
rqptr->rqAuth.FinalStatus = status;
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WORLD ||
status == AUTH_DENIED_BY_FAIL ||
status == AUTH_DENIED_BY_HOSTNAME ||
status == AUTH_DENIED_BY_PROTOCOL)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.Scheme == AUTH_SCHEME_NO401)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_RFC1413)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_TOKEN)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_X509)
rqptr->rqResponse.HttpStatus = 403;
else
if (rqptr->ServicePtr->ProxyAuthRequired)
rqptr->rqResponse.HttpStatus = 407;
else
rqptr->rqResponse.HttpStatus = 401;
if (rqptr->rqAuth.ReasonLength)
ErrorGeneral (rqptr, rqptr->rqAuth.ReasonPtr, FI_NOLI);
else
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
if (rqptr->rqAuth.AstFunction)
SysDclAst (rqptr->rqAuth.AstFunction, rqptr);
return;
}
}
/**************************************/
/* set and check request capabilities */
/**************************************/
/* bit-wise AND of capabilities ensures minimum apply */
rqptr->rqAuth.RequestCan = rqptr->rqAuth.GroupCan & rqptr->rqAuth.UserCan;
if (WATCHING (rqptr, WATCH_AUTH))
{
if (rqptr->rqAuth.UserDetailsLength)
WatchData (rqptr->rqAuth.UserDetailsPtr,
rqptr->rqAuth.UserDetailsLength);
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"CAN group:!AZ(!4XL) user:!AZ(!4XL) request:!AZ(!4XL) profile:!UL",
AuthCanString (rqptr->rqAuth.GroupCan, AUTH_CAN_FORMAT_SHORT),
rqptr->rqAuth.GroupCan,
AuthCanString (rqptr->rqAuth.UserCan, AUTH_CAN_FORMAT_SHORT),
rqptr->rqAuth.UserCan,
AuthCanString (rqptr->rqAuth.RequestCan, AUTH_CAN_FORMAT_SHORT),
rqptr->rqAuth.RequestCan,
rqptr->rqAuth.VmsUserProfileLength);
}
if (rqptr->rqHeader.Method & rqptr->rqAuth.RequestCan)
{
/*************************/
/* authorized (finally!) */
/*************************/
InstanceGblSecIncrLong (&AccountingPtr->AuthAuthorizedCount);
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
if (rqptr->rqAuth.AstFunction)
SysDclAst (rqptr->rqAuth.AstFunction, rqptr);
return;
}
/*****************/
/* 403 forbidden */
/*****************/
InstanceGblSecIncrLong (&AccountingPtr->AuthNotAuthorizedCount);
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_OTHER;
rqptr->rqResponse.HttpStatus = 403;
if (rqptr->rqAuth.ReasonLength)
ErrorGeneral (rqptr, rqptr->rqAuth.ReasonPtr, FI_NOLI);
else
ErrorGeneral (rqptr, "Forbidden to !AZ <tt>!AZ</tt>",
rqptr->rqHeader.MethodName,
rqptr->rqAuth.PathBeingAuthorizedPtr,
FI_NOLI);
if (rqptr->rqAuth.AstFunction)
SysDclAst (rqptr->rqAuth.AstFunction, rqptr);
}
/*****************************************************************************/
/*
Parse the "Authorization:" HTTP request header line. Call appropriate function
to decode authorization field. Check information is complete.
*/
int AuthParseAuthorization (REQUEST_STRUCT *rqptr)
{
int status;
char *cptr, *sptr, *zptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthParseAuthorization() !&Z",
rqptr->rqAuth.RequestAuthorizationPtr);
if (!(cptr = rqptr->rqAuth.RequestAuthorizationPtr))
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL no request \"!AZ\"",
rqptr->ServicePtr->ProxyAuthRequired ?
"Proxy-Authorization:" : "Authorization:");
rqptr->AuthRevalidateCount++;
return (AUTH_DENIED_BY_LOGIN);
}
/***********************************/
/* get the HTTP authorization line */
/***********************************/
zptr = (sptr = rqptr->rqAuth.Type) + sizeof(rqptr->rqAuth.Type);
while (*cptr && !ISLWS(*cptr) && sptr < zptr) *sptr++ = TOUP(*cptr++);
if (sptr >= zptr)
{
if (rqptr->ServicePtr->ProxyAuthRequired)
rqptr->rqResponse.HttpStatus = 407;
else
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_SCHEME), FI_LI);
return (STS$K_ERROR);
}
*sptr = '\0';
if (strsame (rqptr->rqAuth.Type, "BASIC", -1))
{
InstanceGblSecIncrLong (&AccountingPtr->AuthBasicCount);
if (VMSnok (status = BasicAuthorization (rqptr)))
return (status);
if (rqptr->RemoteUser[0] && rqptr->RemoteUserPassword[0])
return (SS$_NORMAL);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL authentication incomplete");
return (AUTH_DENIED_BY_LOGIN);
}
else
if (strsame (rqptr->rqAuth.Type, "DIGEST", -1))
{
InstanceGblSecIncrLong (&AccountingPtr->AuthDigestCount);
if (VMSnok (status = DigestAuthorization (rqptr)))
return (status);
if (rqptr->RemoteUser[0]) return (SS$_NORMAL);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL authentication incomplete");
return (AUTH_DENIED_BY_LOGIN);
}
if (rqptr->ServicePtr->ProxyAuthRequired)
rqptr->rqResponse.HttpStatus = 407;
else
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_SCHEME), FI_LI);
if (Config.cfAuth.BasicEnabled || Config.cfAuth.DigestEnabled)
return (AUTH_DENIED_BY_LOGIN);
else
return (STS$K_ERROR);
}
/*****************************************************************************/
/*
Check for any access restrictions. SSL only. SYSUAF restrictions on hours.
*/
int AuthRestrictAny
(
REQUEST_STRUCT *rqptr,
AUTH_CREC *acrptr
)
{
int status;
unsigned long DayOfWeekBit,
HourOfDayBit;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthRestrictAny()");
/* can only use this authentication with "https:" (SSL)? */
if (acrptr->HttpsOnly &&
rqptr->ServicePtr->RequestScheme != SCHEME_HTTPS)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "FAIL restricted to SSL");
return (AUTH_DENIED_BY_PROTOCOL);
}
/* limited access? */
if (acrptr->SysUafAuthenticated &&
!acrptr->SysUafNilAccess)
{
DayOfWeekBit = 1 << (HttpdDayOfWeek - 1);
HourOfDayBit = 1 << rqptr->rqTime.BeginTime7[3];
if (acrptr->UaiAccessP == 0x00ffffff &&
acrptr->UaiAccessS == 0x00ffffff)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL not authorized to login from this source (!AZ)",
AuthSysUafLogonType(acrptr->SysUafLogonType));
return (AUTH_DENIED_BY_HOUR);
}
else
if (acrptr->UaiPrimeDays & DayOfWeekBit)
{
/* secondary day */
if (HourOfDayBit & acrptr->UaiAccessS)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL restricted SYSUAF secondary hours (!AZ)",
AuthSysUafLogonType(acrptr->SysUafLogonType));
return (AUTH_DENIED_BY_HOUR);
}
}
else
{
/* prime day */
if (HourOfDayBit & acrptr->UaiAccessP)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL restricted SYSUAF primary hours (!AZ)",
AuthSysUafLogonType(acrptr->SysUafLogonType));
return (AUTH_DENIED_BY_HOUR);
}
}
}
return (SS$_NORMAL);
}
/****************************************************************************/
/*
*/
char* AuthSysUafLogonType (int LogonType)
{
/*********/
/* begin */
/*********/
switch (LogonType)
{
case 0 :
return ("default");
case AUTH_LOGON_TYPE_NETWORK :
return ("NETWORK");
case AUTH_LOGON_TYPE_BATCH :
return ("BATCH");
case AUTH_LOGON_TYPE_LOCAL :
return ("LOCAL");
case AUTH_LOGON_TYPE_DIALUP :
return ("DIALUP");
case AUTH_LOGON_TYPE_REMOTE :
return ("REMOTE");
default :
return ("*ERROR*");
}
}
/*****************************************************************************/
/*
The list is a plain-text string of comma-separated elements, the presence of
which restricts the path to that element. The element can be an IP host
address (numeric or alphabetic, with or without asterisk wildcard) or an
authenticated username. IP addresses are recognised by either a leading digit
(for numeric host addresses), a leading asterisk (where hosts are wildcarded
across a domain), a leading "#" which forces an element to be compared to a
host name or address, "http:", "https:", or a leading "~" which indicates a
username.
*/
int AuthRestrictList
(
REQUEST_STRUCT *rqptr,
char *RestrictList
)
{
BOOL CheckedHost,
CheckedProtocol,
CheckedUser,
FoundHost,
FoundProtocol,
FoundUser,
RestrictedByFail,
RestrictedOnHost,
RestrictedOnProtocol,
RestrictedOnUser;
int status;
char *lptr, *cptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthRestrictList() !&Z", RestrictList);
RestrictedByFail = false;
RestrictedOnHost = RestrictedOnProtocol = RestrictedOnUser = true;
FoundHost = FoundProtocol = FoundUser = false;
lptr = RestrictList;
while (*lptr)
{
CheckedUser = CheckedHost = false;
while (*lptr && *lptr == ',') lptr++;
if (isdigit(*lptr) || (lptr[0] == '#' && isdigit(lptr[1])))
{
/* numeric IP address */
if (*lptr == '#') lptr++;
CheckedHost = FoundHost = true;
/* look ahead for a net-mask (e.g. "131.185.250.23/255.255.255.192") */
for (cptr = lptr; *cptr && (isdigit(*cptr) || *cptr == '.'); cptr++);
if (*cptr == '/')
{
/* yup, found a '/' so it has a trailing mask */
status = TcpIpNetMask (rqptr, WATCH_AUTH, &lptr,
&rqptr->ClientPtr->IpAddress);
if (status == SS$_NORMAL)
RestrictedOnHost = false;
else
if (status != SS$_UNREACHABLE)
{
/* there was a problem with the net-mask, automatic failure */
RestrictedByFail = true;
break;
}
continue;
}
/* just a numeric host string, drop through to comparison routine */
cptr = &rqptr->ClientPtr->IpAddressString;
}
else
if (*lptr == '~')
{
/* authenticated user name */
lptr++;
cptr = rqptr->RemoteUser;
CheckedUser = FoundUser = true;
/* drop through to the comparison routine */
}
else
if (TOLO(*lptr) == 'h' && strsame (lptr, "https:", 6))
{
CheckedProtocol = FoundProtocol = true;
if (rqptr->ServicePtr->RequestScheme == SCHEME_HTTPS)
RestrictedOnProtocol = false;
while (*lptr && *lptr != ',') lptr++;
continue;
}
else
if (TOLO(*lptr) == 'h' && strsame (lptr, "http:", 5))
{
CheckedProtocol = FoundProtocol = true;
if (rqptr->ServicePtr->RequestScheme == SCHEME_HTTP)
RestrictedOnProtocol = false;
while (*lptr && *lptr != ',') lptr++;
continue;
}
else
if (TOLO(*lptr) == 'l' &&
(strsame (lptr, "localhost", -1) ||
strsame (lptr, "localhost,", 10)))
{
/* check reserved-word, server against client host's IP address */
CheckedHost = FoundHost = true;
if (strsame (rqptr->ServicePtr->ServerIpAddressString,
&rqptr->ClientPtr->IpAddressString, -1))
RestrictedOnHost = false;
while (*lptr && *lptr != ',') lptr++;
continue;
}
else
{
/* by default, alpha-numeric IP host name */
if (*lptr == '#') lptr++;
cptr = rqptr->ClientPtr->Lookup.HostName;
CheckedHost = FoundHost = true;
/* drop through to the comparison routine */
}
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "!&Z !&Z", cptr, lptr);
while (*cptr && *lptr && *lptr != ',')
{
if (*lptr == '*')
{
while (*lptr == '*') lptr++;
while (*cptr && TOLO(*cptr) != TOLO(*lptr)) cptr++;
}
while (TOLO(*cptr) == TOLO(*lptr) && *cptr && *lptr)
{
lptr++;
cptr++;
}
if (*lptr != '*') break;
}
if (!*cptr && (!*lptr || *lptr == ','))
{
if (CheckedUser) RestrictedOnUser = false;
if (CheckedHost) RestrictedOnHost = false;
}
while (*lptr && *lptr != ',') lptr++;
}
if (WATCHING (rqptr, WATCH_AUTH))
{
char Scratch [32];
*(cptr = Scratch) = '\0';
if (FoundProtocol && RestrictedOnProtocol)
{
strcpy (cptr, "PROTOCOL");
cptr += 8;
}
if (FoundHost && RestrictedOnHost)
{
if (Scratch[0]) *cptr++ = '+';
strcpy (cptr, "HOST");
cptr += 4;
}
if (FoundUser && RestrictedOnUser)
{
if (Scratch[0]) *cptr++ = '+';
strcpy (cptr, "USER");
}
if (RestrictedByFail)
{
if (Scratch[0]) *cptr++ = '+';
strcpy (cptr, "NETMASK-PROBLEM");
}
if (Scratch[0])
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"RESTRICT \"!AZ\" on:!AZ", RestrictList, Scratch);
}
if (RestrictedByFail) return (AUTH_DENIED_BY_FAIL);
if (FoundProtocol && RestrictedOnProtocol) return (AUTH_DENIED_BY_PROTOCOL);
if (FoundHost && RestrictedOnHost) return (AUTH_DENIED_BY_HOSTNAME);
if (FoundUser && RestrictedOnUser) return (AUTH_DENIED_BY_USERNAME);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"RESTRICT \"!AZ\" none applies", RestrictList);
return (SS$_NORMAL);
}
/*****************************************************************************/
/*
Passed a string like "131.185.250.1", "131.185.250.*",
"131.185.250.0/255.255.255.0" or "131.185.250.0/24" determine whether the
request client host belongs in the group of hosts.
*/
int AuthClientHostGroup
(
REQUEST_STRUCT *rqptr,
char *HostGroup
)
{
int status;
char *cptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthClientHostGroup() !&Z", HostGroup);
/* backward-compatibility with kludge suggested on info-WASD */
if (HostGroup[0] == '$') return (SS$_NORMAL);
/* check if it looks like a wildcard host or network mask specification */
for (cptr = HostGroup; *cptr && *cptr != '/'; cptr++);
if (!*cptr)
{
/* wildcard string compare */
if (StringMatch (rqptr, rqptr->ClientPtr->Lookup.HostName, HostGroup))
return (SS$_NORMAL);
else
return (AUTH_DENIED_BY_GROUP);
}
status = TcpIpNetMask (rqptr, WATCH_AUTH, &HostGroup,
&rqptr->ClientPtr->IpAddress);
if (VMSok(status)) return (SS$_NORMAL);
if (status == SS$_UNREACHABLE) return (AUTH_DENIED_BY_GROUP);
/* a problem with the net-mask */
return (AUTH_DENIED_BY_FAIL);
}
/*****************************************************************************/
/*
Guarantee access to certain paths under certain conditions.
*/
AuthorizeGuaranteeAccess
(
REQUEST_STRUCT *rqptr,
char *PathBeingAuthorized
)
{
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthorizeGuaranteeAccess() !&Z", PathBeingAuthorized);
if (HttpdGblSecPtr->AuthSkelKeyHttpdTickSecond)
{
/**************************************/
/* skeleton-key authentication active */
/**************************************/
/* guarantee access to the administration menu */
if (!strsame (PathBeingAuthorized, HTTPD_ADMIN,
sizeof(HTTPD_ADMIN)-1) &&
!strsame (PathBeingAuthorized, WASD_ROOT_LOCAL,
sizeof(WASD_ROOT_LOCAL)-1) &&
!strsame (PathBeingAuthorized, HT_ROOT_LOCAL,
sizeof(HT_ROOT_LOCAL)-1))
return (STS$K_ERROR);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"SKELKEY guarantees access to !AZ", PathBeingAuthorized);
rqptr->rqAuth.RealmPtr =
rqptr->rqAuth.RealmDescrPtr = AUTH_REALM_SKELKEY;
rqptr->rqAuth.RealmLength = strlen(AUTH_REALM_SKELKEY);
rqptr->rqAuth.SourceRealm = AUTH_SOURCE_SKELKEY;
rqptr->rqAuth.GroupCan = AUTH_READWRITE_ACCESS;
}
else
if (AuthPromiscuous)
{
/********************/
/* promiscuous mode */
/********************/
/* guarantee access to the administration menu */
if (!strsame (PathBeingAuthorized, HTTPD_ADMIN,
sizeof(HTTPD_ADMIN)-1) &&
!strsame (PathBeingAuthorized, WASD_ROOT_LOCAL,
sizeof(WASD_ROOT_LOCAL)-1) &&
!strsame (PathBeingAuthorized, HT_ROOT_LOCAL,
sizeof(HT_ROOT_LOCAL)-1))
return (STS$K_ERROR);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"PROMISCUOUS guarantees access to !AZ",
PathBeingAuthorized);
rqptr->rqAuth.RealmPtr =
rqptr->rqAuth.RealmDescrPtr = AUTH_REALM_PROMISCUOUS;
rqptr->rqAuth.RealmLength = strlen(AUTH_REALM_PROMISCUOUS);
rqptr->rqAuth.SourceRealm = AUTH_SOURCE_PROMISCUOUS;
rqptr->rqAuth.GroupCan = AUTH_READWRITE_ACCESS;
}
else
return (STS$K_ERROR);
rqptr->rqAuth.PathParameterPtr =
rqptr->rqAuth.GroupReadPtr =
rqptr->rqAuth.GroupRestrictListPtr =
rqptr->rqAuth.GroupWritePtr =
rqptr->rqAuth.ProxyStringPtr =
rqptr->rqAuth.WorldRestrictListPtr = "";
rqptr->rqAuth.PathParameterLength =
rqptr->rqAuth.GroupReadLength =
rqptr->rqAuth.GroupWriteLength =
rqptr->rqAuth.GroupWriteVmsIdentifier =
rqptr->rqAuth.NoCache =
rqptr->rqAuth.ProxyStringLength =
rqptr->rqAuth.RealmVmsIdentifier =
rqptr->rqAuth.SourceGroupRead =
rqptr->rqAuth.SourceGroupWrite =
rqptr->rqAuth.VmsUserProfile =
rqptr->rqAuth.VmsUserScriptAs =
rqptr->rqAuth.WorldCan = 0;
return (SS$_NORMAL);
}
/****************************************************************************/
/*
Place the VMS-hashed password into the pointed to quadword. This CANNOT be
used to hash the UAF password as it does not use the UAF entry salt, etc.
Force both username and password to upper-case before hashing.
*/
AuthGenerateHashPassword
(
char *UserName,
char *Password,
unsigned long *HashedPwdPtr
)
{
static char PasswordUpperCase [AUTH_MAX_PASSWORD_LENGTH+1],
UserNameUpperCase [AUTH_MAX_USERNAME_LENGTH+1];
static $DESCRIPTOR (PasswordDsc, PasswordUpperCase);
static $DESCRIPTOR (UserNameDsc, UserNameUpperCase);
int status;
char *cptr, *sptr, *zptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_AUTH))
WatchThis (WATCHALL, WATCH_MOD_AUTH,
"AuthGenerateHashPassword() !&Z !#*",
UserName, strlen(Password));
zptr = (sptr = UserNameUpperCase) + sizeof(UserNameUpperCase)-1;
for (cptr = UserName; *cptr && sptr < zptr; *sptr++ = TOUP(*cptr++));
*sptr = '\0';
UserNameDsc.dsc$w_length = sptr - UserNameUpperCase;
zptr = (sptr = PasswordUpperCase) + sizeof(PasswordUpperCase)-1;
for (cptr = Password; *cptr && sptr < zptr; *sptr++ = TOUP(*cptr++));
*sptr = '\0';
PasswordDsc.dsc$w_length = sptr - PasswordUpperCase;
status = sys$hash_password (&PasswordDsc, UAI$C_PURDY_S, 0,
&UserNameDsc, HashedPwdPtr);
return (status);
}
/****************************************************************************/
/*
Place the MD5 Digest upper and lower case passwords into to pointed to
two 16-byte arrays. This is the 128 bit, binary digest, NOT the hexadecimal
version. See note on upper and lower case versions in program comments.
*/
AuthGenerateDigestPassword
(
char *DatabaseName,
char *UserName,
char *Password,
unsigned char *A1DigestLoCasePtr,
unsigned char *A1DigestUpCasePtr
)
{
int status;
char *cptr, *sptr, *zptr;
char PasswordUpCase [AUTH_MAX_PASSWORD_LENGTH+1],
PasswordLoCase [AUTH_MAX_PASSWORD_LENGTH+1],
UserNameUpCase [AUTH_MAX_PASSWORD_LENGTH+1],
UserNameLoCase [AUTH_MAX_PASSWORD_LENGTH+1];
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_AUTH))
WatchThis (WATCHALL, WATCH_MOD_AUTH,
"AuthGenerateDigestPassword() !&Z !&Z !UL",
DatabaseName, UserName, strlen(Password));
zptr = (sptr = PasswordUpCase) + sizeof(PasswordUpCase)-1;
for (cptr = Password; *cptr && sptr < zptr; *sptr++ = TOUP(*cptr++));
*sptr = '\0';
zptr = (sptr = PasswordLoCase) + sizeof(PasswordLoCase)-1;
for (cptr = Password; *cptr && sptr < zptr; *sptr++ = TOLO(*cptr++));
*sptr = '\0';
zptr = (sptr = UserNameUpCase) + sizeof(UserNameUpCase)-1;
for (cptr = UserName; *cptr && sptr < zptr; *sptr++ = TOUP(*cptr++));
*sptr = '\0';
zptr = (sptr = UserNameLoCase) + sizeof(UserNameLoCase)-1;
for (cptr = UserName; *cptr && sptr < zptr; *sptr++ = TOLO(*cptr++));
*sptr = '\0';
if (VMSok (status =
DigestA1 (UserNameUpCase, DatabaseName, PasswordUpCase,
A1DigestUpCasePtr)))
status = DigestA1 (UserNameLoCase, DatabaseName, PasswordLoCase,
A1DigestLoCasePtr);
if (WATCH_MODULE(WATCH_MOD_AUTH))
{
WatchDataDump (A1DigestUpCasePtr, 16);
WatchDataDump (A1DigestLoCasePtr, 16);
}
return (status);
}
/*****************************************************************************/
/*
Set string text according to capability vector in the in-memory authorization
information. These may be different to the bits in the on-disk database,
reported by HTAdminCanString().
*/
char* AuthCanString
(
unsigned long CanFlags,
int Format
)
{
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_AUTH))
WatchThis (WATCHALL, WATCH_MOD_AUTH,
"AuthCanString() !8XL !UL", CanFlags, Format);
if ((CanFlags & HTTP_METHOD_DELETE ||
CanFlags & HTTP_METHOD_POST ||
CanFlags & HTTP_METHOD_PUT) &&
CanFlags & HTTP_METHOD_GET)
{
if (Format == AUTH_CAN_FORMAT_HTML)
return ("read <b>+ write</b>");
else
if (Format == AUTH_CAN_FORMAT_LONG)
return ("READ+WRITE");
else
return ("R+W");
}
else
if ((CanFlags & HTTP_METHOD_DELETE ||
CanFlags & HTTP_METHOD_POST ||
CanFlags & HTTP_METHOD_PUT))
{
if (Format == AUTH_CAN_FORMAT_HTML)
return ("write-only");
else
if (Format == AUTH_CAN_FORMAT_LONG)
return ("WRITE");
else
return ("W");
}
else
if (CanFlags & HTTP_METHOD_GET)
{
if (Format == AUTH_CAN_FORMAT_HTML)
return ("read-only");
else
if (Format == AUTH_CAN_FORMAT_LONG)
return ("READ");
else
return ("R");
}
else
{
if (Format == AUTH_CAN_FORMAT_HTML)
return ("<i>none!</i>");
else
if (Format == AUTH_CAN_FORMAT_LONG)
return ("");
else
return ("-");
}
return ("*ERROR*");
}
/*****************************************************************************/
/*
*/
char* AuthSourceString
(
char *NamePtr,
unsigned long Value
)
{
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_AUTH))
WatchThis (WATCHALL, WATCH_MOD_AUTH,
"AuthSourceString() !&Z !UL", NamePtr, Value);
switch (Value)
{
case AUTH_SOURCE_ACME : return ("=ACME");
case AUTH_SOURCE_AGENT : return ("=agent");
case AUTH_SOURCE_AGENT_OPAQUE : return ("=agent+opaque");
case AUTH_SOURCE_EXTERNAL : return ("");
case AUTH_SOURCE_OPAQUE : return ("");
case AUTH_SOURCE_HTA : return ("=hta");
case AUTH_SOURCE_DIR_HTA : return ("=@hta");
case AUTH_SOURCE_HOST : return ("=host");
case AUTH_SOURCE_ID : return ("=id");
case AUTH_SOURCE_LIST : return ("=list");
case AUTH_SOURCE_DIR_LIST : return ("=@list");
case AUTH_SOURCE_NONE : return ("");
case AUTH_SOURCE_PROMISCUOUS : return ("");
case AUTH_SOURCE_SKELKEY : return ("");
case AUTH_SOURCE_VMS :
if (NamePtr && strsame (NamePtr, AUTH_REALM_VMS, -1)) return ("");
return ("=vms");
case AUTH_SOURCE_WASD_ID : return ("=wasd_id");
case AUTH_SOURCE_WORLD : return ("");
case AUTH_SOURCE_X509 : return ("");
case AUTH_SOURCE_RFC1413 : return ("");
case AUTH_SOURCE_TOKEN : return ("=token");
case AUTH_SOURCE_THEREST : return (""); /* read group only */
default :
if (NamePtr && NamePtr[0]) return ("=?");
return ("");
}
}
/*****************************************************************************/
/*
Used when category WATCHing.
*/
void AuthWatchCheck
(
REQUEST_STRUCT *rqptr,
char *Description,
char *SourceModuleName,
int SourceLineNumber
)
{
#if WATCH_CAT
char *cptr;
char Buffer [256];
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthWatchCheck()");
switch (rqptr->rqAuth.FinalStatus)
{
case AUTH_DENIED_BY_FAIL : cptr = "DENIED_BY_FAIL"; break;
case AUTH_DENIED_BY_GROUP : cptr = "DENIED_BY_GROUP"; break;
case AUTH_DENIED_BY_HOSTNAME : cptr = "DENIED_BY_HOSTNAME"; break;
case AUTH_DENIED_BY_HOUR : cptr = "DENIED_BY_HOUR"; break;
case AUTH_DENIED_BY_LOGIN : cptr = "DENIED_BY_LOGIN"; break;
case AUTH_DENIED_BY_LOGOUT : cptr = "DENIED_BY_LOGOUT"; break;
case AUTH_DENIED_BY_NOCACHE : cptr = "DENIED_BY_NOCACHE"; break;
case AUTH_DENIED_BY_OTHER : cptr = "DENIED_BY_OTHER"; break;
case AUTH_DENIED_BY_PROTOCOL : cptr = "DENIED_BY_PROTOCOL"; break;
case AUTH_DENIED_BY_USERNAME : cptr = "DENIED_BY_USERNAME"; break;
case AUTH_DENIED_BY_REDIRECT : cptr = "DENIED_BY_REDIRECT"; break;
case AUTH_PENDING : cptr = "AUTH_PENDING"; break;
default : FaoToBuffer (cptr = Buffer, sizeof(Buffer), NULL,
"%!&M", rqptr->rqAuth.FinalStatus);
}
WatchThis (WATCH_ITM(rqptr), SourceModuleName, SourceLineNumber, WATCH_AUTH,
"CHECK !AZ !&S !AZ",
Description, rqptr->rqAuth.FinalStatus, cptr);
#endif /* WATCH_CAT */
}
/*****************************************************************************/