[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
/*****************************************************************************/
/*
AuthAgent.c
THE GNU GENERAL PUBLIC LICENSE APPLIES DOUBLY TO ANYTHING TO DO WITH
AUTHENTICATION AND AUTHORIZATION!
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License, or any later
version.
> This package is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
This module interfaces with an authentication agent script. These are CGIplus
scripts that perform a username/password validation role (authentication) or a
group membership role (authorization by virtue of group membership). In this
environment the script has basically all the resources available to a CGIplus
script and must communicate with the server (to pass back the authorization
results) using "escaped" CGIplus data (see the DCL module for further detail).
See AUTH.C for overall detail on the WASD authorization environment.
The name of the script to be activated is derived from the realm or group name
(passed as 'AgentName') and the script directory contained in 'AUTH_AGENT_PATH'
(currently "/cgiauth-bin/", and could be remapped using HTTPD$MAP of course).
The WATCH facility is a valuable adjunct in understanding/debugging agent
script behaviour.
AUTHENTICATING A USERNAME/PASSWORD
----------------------------------
The transaction details are found in the following CGI variables.
WWW_AUTH_AGENT .................. "REALM" or other parameter
WWW_AUTH_PASSWORD ............... user supplied case-sensitive password
WWW_AUTH_REALM .................. realm name (same as agent name)
WWW_AUTH_REALM_DESCRIPTION ...... realm description user is prompted with
WWW_REMOTE_USER ................. case-sensitive username
Valid responses (digits and 'access' are mandatory, other text is optional):
'000 any text' ........... ignored by the server, provides WATCHable trace info
'100 AUTHAGENT-CALLOUT' .. ignored by the server, DCL.C will barf on this
'100 BODY' ............... transfer the request body to the agent
'100 LIFETIME integer' ... set script's CGIplus lifetime (zero makes infinite)
'100 NOCACHE' ............ do not cache the results of this authorization
'100 NOTICED text' ....... 'error' noticed (a la ErrorNoticed())
'100 OPCOM text' ......... send 'text' to [OpcomAuthorization] and server log
'100 REASON any text' .... reason authentication was denied
'100 REMOTE-USER name .... provide user name (authenticated some non-401 way)
'100 SCRIPT-META text' ... CGI-like variable
'100 SET-COOKIE cookie' .. RFC2109 cookie (generates "Set-Cookie:" header)
'100 USER any text' ...... provide user details (only after 200 response)
'100 VMS-USER name ....... this username is a VMS username (see note below)
'200 access' ............. username/password verified
access: "READ", "WRITE", "READ+WRITE", "FULL"
'302 location ............ redirect to specified location
e.g. http://the.host.name/the/path
//the.host.name/the/path
///the/path
'401 reason' ............. username/password did not verify
'401 "any-text"' ......... (quoted) used as the browser authorization prompt
'403 reason' ............. access is forbidden
'500 description' ........ script error to be reported via server
VMS-USER issues: when a VMS-USER is passed back to the server the username
undergoes all VMS authorization processing (e.g. ID, prime days, etc) - except
password checking, it is assumed the agent has authenticated the username. The
access level (R, R+W, etc.) is derived from the SYSUAF information - unless the
agent *subsequently* provides a "200 access" callout. The user details come
from the SYSUAF - unless the agent *subsequently* provides a "100 USER details"
callout.
ESTABLISHING GROUP MEMBERSHIP
-----------------------------
The transaction details are found in the following CGI variables.
WWW_AUTH_AGENT .................. "GROUP"
WWW_AUTH_GROUP .................. name of group
WWW_REMOTE_USER ................. case-sensitive username
Valid responses (digits are mandatory, other text is optional):
'000 any text' ........... ignored by the server, provides WATCHable trace info
'100 BODY' ............... transfer the request body to the agent
'100 LIFETIME integer' ... set script's CGIplus lifetime (zero makes infinite)
'100 NOCACHE' ............ do not cache the results of this authorization
'100 SET-COOKIE cookie' .. RFC2109 cookie (generates "Set-Cookie:" header)
'200 any text' ........... indicates group membership
'302 location ............ redirect to specified location
e.g. http://the.host.name/the/path
//the.host.name/the/path
///the/path
'403 reason' ............. indicates not a group member
'500 description' ........ script error to be reported via server
REQUEST REDACTION
-----------------
In common with DCL.C callout processing an authentication agent may redact
(completely rewrite and restart) a request. Note the trailing colons.
'100 REDACT:<opaque>' ........
'100 REDACT-SIZE:integer' ....
VERSION HISTORY
---------------
27-MAY-2021 MGD using v12... agent functionality
!CGI: and !DICT: callouts
07-FEB-2011 MGD callout BODY implemented (finally, for PAPI)
20-NOV-2007 MGD callout REDACT: and REDACT-SIZE: (notice the colons)
callout SCRIPT-META
callout NOTICED
callout OPCOM
11-MAY-2007 MGD AUTHAGENT-CALLOUT belt and braces
15-JUL-2006 MGD buffer browser-supplied username in AUTH_REMOTE_USER
when VMS-USER or REMOTE-USER are called-out
08-MAR-2003 MGD add '100 REASON any text'
04-AUG-2001 MGD support module WATCHing
02-AUG-2001 MGD bugfix; allow agent to accept 'CGIPLUS:' directive
07-DEC-2000 MGD agent can now '100 SET-COOKIE rfc2109-cookie'
27-NOV-2000 MGD bugfix; ensure a mapping rule exists for the agent
09-JUN-2000 MGD allow "302 location" redirection response
28-AUG-1999 MGD initial, for v6.1
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* VMS related header files */
#include <descrip.h>
#include <ssdef.h>
#include <stsdef.h>
/* application related header files */
#include "wasd.h"
#define WASD_MODULE "AUTHAGENT"
#if WATCH_MOD
#define FI_NOLI WASD_MODULE, __LINE__
#else
/* in production let's keep the exact line to ourselves! */
#define FI_NOLI WASD_MODULE, 0
#endif
/********************/
/* external storage */
/********************/
extern int OpcomMessages;
extern char ErrorSanityCheck[];
extern ACCOUNTING_STRUCT *AccountingPtr;
extern MSG_STRUCT Msgs;
extern WATCH_STRUCT Watch;
/*****************************************************************************/
/*
Initiate an authenication agent script. After calling this function all
authentication processing occurs asynchronously.
*/
void AuthAgentBegin
(
REQUEST_STRUCT *rqptr,
char *AgentName,
REQUEST_AST AgentCalloutFunction
)
{
char *cptr;
char AgentFileName [ODS_MAX_FILE_NAME_LENGTH+1],
AgentScriptName [SCRIPT_NAME_SIZE+1],
Scratch [256];
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthAgentBegin() !&Z !&X",
AgentName, AgentCalloutFunction);
/* after calling this function authorization completes asynchronously! */
rqptr->rqAuth.AstFunction = rqptr->rqAuth.AstFunctionBuffer;
rqptr->rqAuth.FinalStatus = AUTH_PENDING;
strcpy (Scratch, AUTH_AGENT_PATH);
strcat (Scratch, AgentName);
AgentFileName[0] = AgentScriptName[0] = '\0';
cptr = MapUrl_Map (Scratch, 0,
NULL, 0,
AgentScriptName, sizeof(AgentScriptName),
AgentFileName, sizeof(AgentFileName),
NULL, 0,
NULL, rqptr, NULL);
if (AgentScriptName[0] == '+') AgentScriptName[0] = '/';
if ((!cptr[0] && cptr[1]) || !AgentScriptName[0] || !AgentFileName[0])
{
/* either mapping error or no rule to map the agent */
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_AGENT_MAPPING), FI_LI);
SysDclAst (AgentCalloutFunction, rqptr);
return;
}
/* this is a v12... agent */
rqptr->AgentRequestPtr = "*";
DclBegin (rqptr, AgentCalloutFunction, NULL,
AgentScriptName, NULL, AgentFileName, NULL, &AuthAgentCallout);
}
/*****************************************************************************/
/*
This is the function called each time the agent script outputs escaped data to
the server. It must check for beginning and end of agent processing (indicated
by various states of the the 'OutputPtr' and 'OutputCount' storage), and
appropriately process the status responses output by the agent.
*/
void AuthAgentCallout (REQUEST_STRUCT *rqptr)
{
int idx,
status,
CgiPlusLifeTime,
Length,
OutputCount;
char *cptr, *sptr, *zptr,
*OutputPtr;
char Scratch [1024];
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthAgentCallout() !&Z",
rqptr->rqAuth.PathParameterPtr);
OutputPtr = rqptr->rqCgi.CalloutOutputPtr;
OutputCount = rqptr->rqCgi.CalloutOutputCount;
if (!OutputPtr && OutputCount == -1)
{
/***************/
/* agent begin */
/***************/
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"CALLOUT \"!AZ\" begin", rqptr->rqAuth.PathParameterPtr);
return;
}
if (!OutputPtr && OutputCount == 0)
{
/*************/
/* agent end */
/*************/
if (WATCHPNT(rqptr) &&
WATCH_CATEGORY(WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"CALLOUT \"!AZ\" end", rqptr->rqAuth.PathParameterPtr);
/* always ensure any authentication agent information is cancelled! */
rqptr->rqAuth.PathParameterPtr = "";
rqptr->rqAuth.PathParameterLength = 0;
return;
}
/**************/
/* agent data */
/**************/
if (WATCHPNT(rqptr) &&
WATCH_CATEGORY(WATCH_AUTH))
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"CALLOUT \"!AZ\" !UL bytes",
rqptr->rqAuth.PathParameterPtr, OutputCount);
WatchDataDump (OutputPtr, OutputCount);
/* if it's trace information then provide it slightly more readably */
if (!strncmp (OutputPtr, "000 ", 4)) WatchData (OutputPtr, OutputCount);
}
if (strsame (OutputPtr, "!CGIPLUS:", 9))
{
/************/
/* cgiplus: */
/************/
for (cptr = OutputPtr+9; *cptr && isspace(*cptr); cptr++);
if (strsame (cptr, "STRUCT", 6))
rqptr->DclTaskPtr->CgiPlusVarStruct = true;
else
if (strsame (cptr, "RECORD", 6))
rqptr->DclTaskPtr->CgiPlusVarStruct = false;
else
AuthAgentCalloutResponseError (rqptr);
return;
}
if (strsame (OutputPtr, "!AGENT-BEGIN:", 13))
{
/****************/
/* AGENT-BEGIN: */
/****************/
if (!rqptr->AgentRequestPtr) AuthAgentCalloutResponseError (rqptr);
return;
}
if (strsame (OutputPtr, "!AGENT-END:", 11))
{
/**************/
/* AGENT-END: */
/**************/
if (!rqptr->AgentRequestPtr) AuthAgentCalloutResponseError (rqptr);
rqptr->AgentResponsePtr = rqptr->AgentRequestPtr;
return;
}
cptr = NULL;
if (strsame (OutputPtr, "!CGI:", 5))
{
/********/
/* CGI: */
/********/
zptr = (sptr = Scratch) + sizeof(Scratch)-1;
*sptr++ = DICT_TYPE_CONFIG[0];
for (cptr = OutputPtr+5; *cptr && isspace(*cptr); cptr++);
if (*cptr == '!') *sptr++ = '!';
for (cptr = "cgi_"; *cptr; *sptr++ = *cptr++);
for (cptr = OutputPtr+5; *cptr && isspace(*cptr); cptr++);
if (*cptr == '!') cptr++;
}
else
if (strsame (OutputPtr, "!DICT:", 6))
{
/*********/
/* DICT: */
/*********/
zptr = (sptr = Scratch) + sizeof(Scratch)-1;
*sptr++ = DICT_TYPE_CONFIG[0];
for (cptr = OutputPtr+6; *cptr && isspace(*cptr); cptr++);
}
if (cptr)
{
/*****************/
/* DICT: or CGI: */
/*****************/
/* bit too clever, or prudent, I wonder? */
if (!*cptr) return;
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
*sptr = '\0';
MetaConDictionary (rqptr, Scratch);
if (WATCHPNT(rqptr) && (WATCH_CATEGORY(WATCH_AUTH) &&
WATCH_CATEGORY(WATCH_INTERNAL)))
DictWatch (rqptr->rqDictPtr, DICT_TYPE_CONFIG, "*");
return;
}
/******************/
/* agent response */
/******************/
if (OutputCount <= 4 ||
!isdigit(OutputPtr[0]) ||
!isdigit(OutputPtr[1]) ||
!isdigit(OutputPtr[2]) ||
OutputPtr[3] != ' ')
{
/* agent response error */
AuthAgentCalloutResponseError (rqptr);
return;
}
if (!strcmp (rqptr->rqAuth.PathParameterPtr, "GROUP"))
{
if (!strncmp (OutputPtr, "200 ", 4))
{
/* a group member */
if (rqptr->rqAuth.FinalStatus != STS$K_ERROR)
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
if (!strncmp (OutputPtr, "403 ", 4))
{
/* not a group member */
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_GROUP;
return;
}
}
if (!strncmp (OutputPtr, "000 ", 4))
{
/* just WATCHable debug information */
return;
}
if (!strncmp (OutputPtr, "100 ", 4))
{
/* informational */
if (strsame (OutputPtr+4, "AUTHAGENT-CALLOUT", 17))
{
/* avoid auth agents being run as scripts, DCL.C will barf on this */
return;
}
if (strsame (OutputPtr+4, "BODY", 4))
{
if (rqptr->rqHeader.Method == HTTP_METHOD_PUT ||
rqptr->rqHeader.Method == HTTP_METHOD_POST)
{
/* transfer the body of the request to the agent */
BodyReadBegin (rqptr, &DclHttpInput, NULL);
rqptr->DclTaskPtr->QueuedClientRead++;
}
else
AuthAgentCalloutResponseError (rqptr);
return;
}
if (strsame (OutputPtr+4, "LIFETIME ", 9))
{
/* set lifetime of agent script */
for (cptr = OutputPtr+13; *cptr && !isdigit(*cptr); cptr++);
if (isdigit(*cptr))
{
/* zero makes the script immune to supervisor purging */
if ((CgiPlusLifeTime = atoi(cptr)) == 0)
CgiPlusLifeTime = DCL_DO_NOT_DISTURB;
rqptr->DclTaskPtr->LifeTimeSecond = CgiPlusLifeTime;
return;
}
}
if (strsame (OutputPtr+4, "NOCACHE", 7))
{
/* do not cache this authorization */
rqptr->rqAuth.NoCache = true;
return;
}
if (strsame (OutputPtr+4, "NOTICED ", 8))
{
/* 'error' noticed by agent */
for (cptr = OutputPtr+12; *cptr && ISLWS(*cptr); cptr++);
for (sptr = cptr; *sptr && NOTEOL(*sptr); sptr++);
*sptr = '\0';
ErrorNoticed (rqptr, 0, cptr, FI_LI);
return;
}
if (strsame (OutputPtr+4, "OPCOM ", 6))
{
for (cptr = OutputPtr+10; *cptr && ISLWS(*cptr); cptr++);
for (sptr = cptr; *sptr && NOTEOL(*sptr); sptr++);
*sptr = '\0';
FaoToStdout (
"%HTTPD-W-AUTHOPCOM, !20%D, !AZ\n\
-AUTHOPCOM-I-SERVICE, !AZ//!AZ\n\
-AUTHOPCOM-I-CLIENT, !AZ\n\
-AUTHOPCOM-I-USERNAME, \"!AZ\" in \"!AZ\"\n\
-AUTHOPCOM-I-URI, !AZ !AZ\n",
0, cptr,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
if (OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom (
"%HTTPD-W-AUTHOPCOM, !AZ\r\n\
-AUTHOPCOM-I-SERVICE, !AZ//!AZ\r\n\
-AUTHOPCOM-I-CLIENT, !AZ\r\n\
-AUTHOPCOM-I-USERNAME, \"!AZ\" in \"!AZ\"\r\n\
-AUTHOPCOM-I-URI, !AZ !AZ",
cptr,
rqptr->ServicePtr->RequestSchemeNamePtr,
rqptr->ServicePtr->ServerHostPort,
ClientHostString(rqptr),
rqptr->RemoteUser, rqptr->rqAuth.RealmDescrPtr,
rqptr->rqHeader.MethodName, rqptr->rqHeader.RequestUriPtr);
return;
}
if (strsame (OutputPtr+4, "REASON ", 7))
{
/* reason for authentication failure (included in message) */
for (cptr = OutputPtr+11; *cptr && ISLWS(*cptr); cptr++);
for (sptr = cptr; *sptr && NOTEOL(*sptr); sptr++);
*sptr = '\0';
rqptr->rqAuth.ReasonLength = Length = sptr - cptr + 1;
rqptr->rqAuth.ReasonPtr = VmGetHeap (rqptr, Length);
strcpy (rqptr->rqAuth.ReasonPtr, cptr);
return;
}
if (strsame (OutputPtr+4, "REDACT:", 7))
{
RequestRedact (rqptr, OutputPtr+4, OutputCount-4, false);
return;
}
if (strsame (OutputPtr+4, "REDACT-SIZE:", 12))
{
RequestRedact (rqptr, OutputPtr+4, OutputCount-4, false);
return;
}
if (strsame (OutputPtr+4, "REMOTE-USER ", 12))
{
/* buffer the original remote user (the browser-supplied user id) */
strcpy (rqptr->rqAuth.RemoteUser, rqptr->RemoteUser);
rqptr->rqAuth.RemoteUserLength = rqptr->RemoteUserLength;
/* explicitly set the remote-user */
if (OutputPtr[OutputCount-1] == '\n') OutputPtr[--OutputCount] = '\0';
zptr = (sptr = rqptr->RemoteUser) + sizeof(rqptr->RemoteUser)-1;
for (cptr = OutputPtr+16; *cptr && ISLWS(*cptr); cptr++);
while (*cptr && !ISLWS(*cptr) && NOTEOL(*cptr) && sptr < zptr)
*sptr++ = *cptr++;
if (sptr >= zptr)
{
rqptr->RemoteUser[0] = '\0';
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
ErrorGeneralOverflow (rqptr, FI_LI);
return;
}
*sptr = '\0';
rqptr->RemoteUserLength = sptr - rqptr->RemoteUser;
return;
}
if (strsame (OutputPtr+4, "SCRIPT-META ", 12))
{
/* add a CGI-type variable <NAME>=<value> to any subsequent script */
if (OutputPtr[OutputCount-1] == '\n') OutputPtr[--OutputCount] = '\0';
for (cptr = OutputPtr+16; *cptr && ISLWS(*cptr); cptr++);
for (sptr = cptr; *sptr && NOTEOL(*sptr); sptr++);
*sptr = '\0';
Length = sptr - cptr;
rqptr->rqAuth.ScriptMetaPtr =
VmReallocHeap (rqptr, rqptr->rqAuth.ScriptMetaPtr,
rqptr->rqAuth.ScriptMetaLength+Length+2, FI_LI);
sptr = rqptr->rqAuth.ScriptMetaPtr + rqptr->rqAuth.ScriptMetaLength;
zptr = sptr + Length;
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
*sptr++ = '\0';
rqptr->rqAuth.ScriptMetaLength = sptr - rqptr->rqAuth.ScriptMetaPtr;
/* terminating empty string */
*sptr = '\0';
return;
}
if (strsame (OutputPtr+4, "SET-COOKIE ", 11))
{
/* add a cookie to the header */
if (OutputPtr[OutputCount-1] == '\n') OutputPtr[--OutputCount] = '\0';
for (cptr = OutputPtr+15; *cptr && ISLWS(*cptr); cptr++);
for (sptr = cptr; *sptr && NOTEOL(*sptr); sptr++);
*sptr = '\0';
Length = sptr - cptr + 1;
for (idx = 0; idx < RESPONSE_COOKIE_MAX; idx++)
{
if (!rqptr->rqResponse.CookiePtr[idx])
{
rqptr->rqResponse.CookiePtr[idx] = VmGetHeap (rqptr, Length);
strcpy (rqptr->rqResponse.CookiePtr[idx], cptr);
return;
}
}
}
if (strsame (OutputPtr+4, "USER ", 5))
{
/* user details */
for (cptr = OutputPtr+9; *cptr && ISLWS(*cptr); cptr++);
for (sptr = cptr; *sptr && NOTEOL(*sptr); sptr++);
*sptr = '\0';
rqptr->rqAuth.UserDetailsLength = Length = sptr - cptr + 1;
rqptr->rqAuth.UserDetailsPtr = VmGetHeap (rqptr, Length);
strcpy (rqptr->rqAuth.UserDetailsPtr, cptr);
return;
}
if (strsame (OutputPtr+4, "VMS-USER ", 9))
{
/* buffer the original remote user (the browser-supplied user id) */
strcpy (rqptr->rqAuth.RemoteUser, rqptr->RemoteUser);
rqptr->rqAuth.RemoteUserLength = rqptr->RemoteUserLength;
/* now replace the remote user with that supplied by the agent */
zptr = (sptr = rqptr->RemoteUser) + sizeof(rqptr->RemoteUser)-1;
for (cptr = OutputPtr+13; *cptr && ISLWS(*cptr); cptr++);
while (*cptr && !ISLWS(*cptr) && NOTEOL(*cptr) && sptr < zptr)
*sptr++ = *cptr++;
if (sptr >= zptr)
{
rqptr->RemoteUser[0] = '\0';
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
ErrorGeneralOverflow (rqptr, FI_LI);
return;
}
*sptr = '\0';
rqptr->RemoteUserLength = sptr - rqptr->RemoteUser;
if (VMSok (status = AuthVmsGetUai (rqptr, rqptr->RemoteUser)))
{
if (VMSok (status = AuthVmsVerifyUser (rqptr)))
{
/* authenticated ... user can do anything (the path allows!) */
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
rqptr->rqAuth.SysUafAuthenticated = true;
}
}
rqptr->rqAuth.FinalStatus = status;
return;
}
AuthAgentCalloutResponseError (rqptr);
return;
}
if (!strncmp (OutputPtr, "200 ", 4))
{
/* authenticated */
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
if (strsame (OutputPtr+4, "FULL", 4))
{
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
if (rqptr->rqAuth.FinalStatus != STS$K_ERROR)
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
if (strsame (OutputPtr+4, "READ+WRITE", 10))
{
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
if (rqptr->rqAuth.FinalStatus != STS$K_ERROR)
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
if (strsame (OutputPtr+4, "READ", 4))
{
rqptr->rqAuth.UserCan = AUTH_READONLY_ACCESS;
if (rqptr->rqAuth.FinalStatus != STS$K_ERROR)
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
if (strsame (OutputPtr+4, "WRITE", 5))
{
rqptr->rqAuth.UserCan = AUTH_WRITEONLY_ACCESS;
if (rqptr->rqAuth.FinalStatus != STS$K_ERROR)
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
return;
}
AuthAgentCalloutResponseError (rqptr);
return;
}
if (!strncmp (OutputPtr, "302 ", 4))
{
/* redirection */
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_REDIRECT;
cptr = OutputPtr + 4;
while (*cptr && ISLWS(*cptr)) cptr++;
for (sptr = cptr; *sptr && NOTEOL(*sptr) && !ISLWS(*sptr); sptr++);
ResponseLocation (rqptr, cptr, sptr - cptr);
return;
}
if (!strncmp (OutputPtr, "401 ", 4))
{
/* not authenticated */
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
cptr = OutputPtr + 4;
while (*cptr && ISLWS(*cptr)) cptr++;
if (*cptr == '\"')
{
/* realm description */
for (sptr = cptr+1; *sptr && *sptr != '\"'; sptr++);
if (*sptr)
zptr = sptr + 1;
else
zptr = NULL;
*sptr = '\0';
rqptr->rqAuth.RealmDescrPtr = sptr = VmGetHeap (rqptr, sptr-cptr);
cptr++;
/* trim leading white-space */
while (*cptr && ISLWS(*cptr)) cptr++;
while (*cptr) *sptr++ = *cptr++;
*sptr = '\0';
/* trim trailing white-space */
if (sptr > rqptr->rqAuth.RealmDescrPtr) sptr--;
while (sptr > rqptr->rqAuth.RealmDescrPtr && ISLWS(*sptr)) sptr--;
}
return;
}
if (!strncmp (OutputPtr, "403 ", 4))
{
/* not authorized */
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_OTHER;
return;
}
if (!strncmp (OutputPtr, "500 ", 4))
{
/* report this error via the server */
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
if (OutputPtr[OutputCount-1] == '\n') OutputPtr[--OutputCount] = '\0';
ErrorGeneral (rqptr, OutputPtr+4, FI_LI);
return;
}
AuthAgentCalloutResponseError (rqptr);
}
/*****************************************************************************/
/*
Simple way to generate this particular error message from various points.
*/
void AuthAgentCalloutResponseError (REQUEST_STRUCT *rqptr)
{
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthAgentCalloutResponseError()\n");
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_AGENT_RESPONSE), FI_LI);
rqptr->rqAuth.FinalStatus = STS$K_ERROR;
}
/****************************************************************************/