/* ====================================================================
 * Copyright (c) 1995 The Apache Group.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the Apache Group
 *    for use in the Apache HTTP server project (http://www.apache.org/)."
 *
 * 4. The names "Apache Server" and "Apache Group" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission.
 *
 * 5. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the Apache Group
 *    for use in the Apache HTTP server project (http://www.apache.org/)."
 *
 * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
 * IT'S CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Group and was originally based
 * on public domain software written at the National Center for
 * Supercomputing Applications, University of Illinois, Urbana-Champaign.
 * For more information on the Apache Group and the Apache HTTP server
 * project, please see <http://www.apache.org/>.
 *
 */


/*
 * http_auth: authentication
 * 
 * Dirk.vanGulik@jrc.it
 *
 * Very quick and dirty hack to get NIS working; can be
 * improved a lot as we do all the reading/opening every
 * time, rather than caching it decently !
 *
 * SHADOW assumes old/new style passwords, see getpwnam() and getspnam()
 *
 * Note that some systems are quite picky in letting non root user access
 * the data; i.e. if you run apache as its default 'nobody'.
 *
 * And of course we all KNOW that the passwords go plaintext over the wire !
 *
 * updated for apache 1.3. 
 *
 * Just put this file in
 *
 *        ../apache-1.3.x/src/modules/extra 
 *
 * And, assuming you are using sh, do something
 *
 *      ./configure --add-module=src/modules/extra/mod_auth_nis.c
 */

#include <pwd.h>

#define SHADOW 

/*
 * #define MULTITREADING 
 */

#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"

typedef struct auth_nis_config_struct {
    int auth_nis;       /* contains true/false */
} auth_config_rec;

void *create_nis_auth_dir_config (pool *p, char *d)
{
    return ap_pcalloc (p, sizeof(auth_config_rec));
}

command_rec auth_nis_cmds[] = {
{ "AuthUserNis", ap_set_flag_slot,
    (void*)XtOffsetOf(auth_config_rec,auth_nis), OR_AUTHCFG, FLAG, 
        "NIS/YP/passwd checking on/off"
 },
{ NULL }
};

module auth_nis_module;
char *get_nis_pw(request_rec *r, char *user)
{
#ifdef MULTITREADING
    struct passwd *result;
    struct passwd tmp;
    char buff[MAX_STRING_LEN];

#ifdef SHADOW
    result=getspnam_r(user,tmp,buff,MAX_STRING_LEN);
#else
    result=getpwnam_r(user,tmp,buff,MAX_STRING_LEN);
#endif

#else
    struct passwd *result;

#ifdef SHADOW
    result=getspnam(user);
#else
    result=getpwnam(user);
#endif
#endif
    /* success ? */

    if (!result) {
        if (errno) 
           ap_log_reason ("Problem with NIS: %s", strerror(errno), r);

        return NULL;
        };
    if (!result->pw_passwd) {
#ifndef SHADOW
        ap_log_reason ("No NIS password for %s (Are you using shadow)", user, r);
#endif
        return NULL;
        };
    
    return ap_pstrdup (r->pool, result->pw_passwd);
}


/* These functions return 0 if client is OK, and proper error status
 * if not... either AUTH_REQUIRED, if we made a check, and it failed, or
 * SERVER_ERROR, if things are so totally confused that we couldn't
 * figure out how to tell if the client is authorized or not.
 *
 * If they return DECLINED, and all other modules also decline, that's
 * treated by the server core as a configuration error, logged and
 * reported as such.
 */

/* Determine user ID, and check if it really is that user, for HTTP
 * basic authentication...
 */

int authenticate_nis_basic_user (request_rec *r)
{
    auth_config_rec *sec =
      (auth_config_rec *)ap_get_module_config (r->per_dir_config, &auth_nis_module);
    conn_rec *c = r->connection;
    char *sent_pw, *real_pw;
    char errstr[MAX_STRING_LEN];
    int res;
    
    if ((res = ap_get_basic_auth_pw (r, &sent_pw))) return res;
    
    if(!sec->auth_nis) 
        return DECLINED;
        
    if (!(real_pw = get_nis_pw(r, c->user))) {
        snprintf(errstr,MAX_STRING_LEN-1,"user %s not found",c->user);
        ap_log_reason (errstr, r->uri, r);
        ap_note_basic_auth_failure (r);
        return AUTH_REQUIRED;
    }
    /* anyone know where the prototype for crypt is? */
    if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
        snprintf(errstr,MAX_STRING_LEN-1,"user %s: password mismatch",c->user);
        ap_log_reason (errstr, r->uri, r);
        ap_note_basic_auth_failure (r);
        return AUTH_REQUIRED;
    }
    return OK;
}

module auth_nis_module = {
   STANDARD_MODULE_STUFF,
   NULL,                        /* initializer */
   create_nis_auth_dir_config,  /* dir config creater */
   NULL,                        /* dir merger --- default is to override */
   NULL,                        /* server config */
   NULL,                        /* merge server config */
   auth_nis_cmds,               /* command table */
   NULL,                        /* handlers */
   NULL,                        /* filename translation */
   authenticate_nis_basic_user, /* check_user_id */
   NULL,                        /* check auth */
   NULL,                        /* check access */
   NULL,                        /* type_checker */
   NULL,                        /* fixups */
   NULL                         /* logger */
};