# UCDavisAuthZ.pm # for Apache 1.3 (UNIX) # Brian Donnelly # # $Revision: 1.0 $ # $Log: UCDavisAuthZ.pm,v $ # # To configure this module for use with Apache you must perform the # following steps: # # 1) install mod_perl for apache. Nah... I'm not going to tell you how. # # Hints: http://perl.apache.org # # For Win32, download the complete package that contains perl and # apache already working together from # ftp://theoryx5.uwinnipeg.ca/pub/other/. It's the easiest way to # get everything working. # # 2) Turn on mod_perl on your web server if you didn't do this in step 1. # It probably means having these lines in your httpd.conf file: # # LoadModule perl_module modules/libperl.so # AddModule mod_perl.c # # Win32: You only need the first line, and it should look like: # # LoadModule perl_module modules/ApacheModulePerl.dll # # If you got the complete win32 package from the ftp site # described above, this has already been done for you. # # 3) Put this module in ~www/lib/perl/Apache/UCDavisAuthZ.pm. This # location will differ from site to site. Under a RH linux # rpm-installed apache and mod_perl, it should go into # /etc/httpd/lib/perl/Apache/UCDavisAuthZ.pm for instance. # # win32: It should be installed in # C:/Apache/lib/perl/Apache/UCDavisAuthZ.pm. Note that you'll have to # create some of those directories (probably everything from # C:/Apache/lib and down) # # 4) In your httpd.conf file add (the bottom of the file is fine): # PerlModule Apache::UCDavisAuthZ # # 5) The configuration of the module is different for each mode: # # 5a) User List Authorization # In your access.conf file, use a directive set like: # # # PerlAuthzHandler Apache::UCDavisAuthZ # PerlOptions +GlobalRequest # PerlSetVar user_list "FILE1, FILE2, ..." # # # The user_list variable can be set as follows: # # user_list "FILE1, FILE2, ..." # A list of files that should contain campus login names # for the people you want this site restricted to. 
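#     With this directive in place, only the people found in these
#     files will be allowed to see the contents of the page in
#     question.
#
#     default: Anyone can see the pages.
#
#   user_header HEADER
#     The name of the request header in which the authentication
#     module places the authenticated login name. The handler reads
#     this header to find the current user.
#
#     default: CAS-User
#
#   !!!IMPORTANT NOTE!!!
#   This module is designed only to implement the additional
#   authorization features provided by the Distauth Apache clients.
#   It does not provide authentication. You will need to install and
#   configure a CAS client module in order to use the user-list feature.
#
# 5b) IP Access Restriction
#   In your access.conf file, use a directive set like:
#
#     PerlAccessHandler Apache::UCDavisAuthZ
#     PerlOptions +GlobalRequest
#     PerlSetVar allow_ucd_ip 1
#
#   The variables that can be set are:
#
#   allow_ucd_ip 1
#     This will allow ucd specific IP Addresses through without
#     having authenticated with their kerberos password first.
#
#     default: off (0).
#
#   allow_ucd_ip_addrs 169.237.,128.120.,152.79.
#     This allows you to override the default list of
#     ipaddresses that are considered to be on campus and
#     accepted without authentication when the allow_ucd_ip
#     variable is set to 1 (see above).
#
#     Note: You should make sure the trailing period is in
#     place for proper subnet checks, otherwise 152.12 will
#     match 152.12 *and* 152.120, 152.121...
#
#     default: 169.237.,128.120.,152.79.
#
# 6) Restart apache any time you modify the defaults you set in your
#    .conf files.
#
package Apache::UCDavisAuthZ;

# "use strict ()" with an empty import list enables nothing; the real
# strictures are wanted here.
use strict;
use warnings;

use Apache::Constants qw(:common FORBIDDEN HTTP_UNAUTHORIZED);
use Apache::URI ();
use CGI qw(:standard);
use CGI::Cookie ();

# handler($r) -- mod_perl phase handler (PerlAccessHandler for the IP
# mode, PerlAuthzHandler for the user-list mode; see the configuration
# notes above).
#
# Reads the per-directory config vars user_header, user_list,
# allow_ucd_ip and allow_ucd_ip_addrs. Returns OK, FORBIDDEN or
# HTTP_UNAUTHORIZED. Side effect: on a user-list match, $r->user is set
# to the login name.
sub handler {
    my $r = shift;
    Apache->request($r);    # XXX: allow_ucd_ip type handling inside here?

    my $userheader      = $r->dir_config('user_header') || 'CAS-User';
    my $authfiles       = $r->dir_config('user_list');
    my $allowucdip      = $r->dir_config('allow_ucd_ip');
    my $allowucdipaddrs = $r->dir_config('allow_ucd_ip_addrs')
                        || "128.120.,169.237.,152.79.";

    # NOTE(review): remote_ip is the TCP peer address; behind a reverse
    # proxy or load balancer this is the proxy's address, not the
    # client's -- confirm the deployment before relying on the IP mode.
    my $ipaddress = $r->connection->remote_ip;

    # The login name is taken from the incoming request headers. It is
    # only trustworthy when the CAS client module (see the IMPORTANT
    # NOTE above) sets or overwrites this header on every request;
    # a client-supplied header of the same name must not reach this
    # handler unfiltered. Not using "|| ''" so that a login of "0" is
    # kept.
    my $user = $r->headers_in->{$userheader};
    $user = '' unless defined $user;

    # IP access restriction mode. Unset allow_ucd_ip means "off".
    if (defined $allowucdip && $allowucdip > 0) {
        return _ip_in_networks($ipaddress, $allowucdipaddrs) ? OK : FORBIDDEN;
    }

    # User list authorization mode.
    if ($authfiles) {
        return HTTP_UNAUTHORIZED unless length $user;
        return HTTP_UNAUTHORIZED unless _user_in_files($r, $user, $authfiles);
        $r->user($user);
        return OK;
    }

    return OK;
}

# _ip_in_networks($ip, $list) -- true when $ip begins with one of the
# comma-separated prefixes in $list.
#
# Prefixes are compared as literal strings, never as a regex, so the
# '.' in "128.120." really means a dot and the trailing period gives
# the octet boundary the notes above describe. An empty prefix (e.g.
# from ",," in the config) is skipped rather than matching everything.
sub _ip_in_networks {
    my ($ip, $list) = @_;
    return 0 unless defined $ip && defined $list;
    for my $network (split /,\s*/, $list) {
        next unless length $network;
        return 1 if index($ip, $network) == 0;
    }
    return 0;
}

# _user_in_files($r, $user, $list) -- true when some file named in the
# comma-separated $list contains a line that is exactly $user.
#
# Lines are compared with eq after chomp, not by interpolating $user
# into a regex, so metacharacters in the header value cannot widen the
# match. A file that cannot be opened is logged and skipped (best
# effort, as before) rather than aborting the check.
sub _user_in_files {
    my ($r, $user, $list) = @_;
    for my $file (split /,\s*/, $list) {
        next unless length $file;
        my $fh;
        unless (open $fh, '<', $file) {
            $r->log_error("UCDavisAuthZ: cannot open user_list file $file: $!");
            next;
        }
        while (my $line = <$fh>) {
            chomp $line;
            if ($line eq $user) {
                close $fh;
                return 1;
            }
        }
        close $fh;
    }
    return 0;
}

1;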