package Apache2::AuthzNIS;

use warnings;
use strict;
use Net::NIS;
use mod_perl2;

BEGIN {
    require Apache2::Const;
    require Apache2::Access;
    require Apache2::Connection;
    require Apache2::Log;
    require Apache2::RequestRec;
    require Apache2::RequestUtil;
    Apache2::Const->import(
        '-compile' => 'HTTP_UNAUTHORIZED',
                      'OK', 'HTTP_INTERNAL_SERVER_ERROR'
    );
}

=head1 NAME

Apache2::AuthzNIS - mod_perl2 NIS Group Authorization module

=cut

our $VERSION = '0.13';


=head1 SYNOPSIS

    <Directory /foo/bar>
    # This is the standard authentication stuff
    AuthName "Foo Bar Authentication"
    AuthType Basic

    # The following is actually only needed when you will authenticate
    # via NIS passwd as well as authorize via NIS group.
    # Apache2::AuthenNIS is a separate module.
    PerlAuthenHandler Apache2::AuthenNIS

    # Standard require stuff, NIS users or groups, and
    # "valid-user" all work OK
    require user username1 username2 ...
    require group groupname1 groupname2 ...
    require valid-user

    PerlAuthzHandler Apache2::AuthzNIS

    </Directory>

    These directives can also be used in the <Location> directive or in
    an .htaccess file.

=head1 DESCRIPTION

This perl module is designed to work with mod_perl, the Net::NIS module by
Rik Haris (B<rik.harris@fulcrum.com.au>), and the Apache2::AuthenNIS module.
Version 0.11 of Apache::AuthzNIS was renamed and modified to use mod_perl2.
That module was a direct adaptation of Michael Parker's
(B<parker@austx.tandem.com>) Apache::AuthenSmb module (which also included
an authorization routine).

The module calls B<Net::NIS::yp_match> using each of the B<require group>
elements as keys to the the B<group.byname> map, until a match with the
(already authenticated) B<user> is found.

For completeness, the module also handles B<require user> and B<require
valid-user> directives.

=head2 Apache2::AuthenNIS vs. Apache2::AuthzNIS

The following comments are from Apache::AuthzNIS.

I've taken "authentication" to be meaningful only in terms of a user and
password combination, not group membership.  This means that you can use
Apache::AuthenNIS with the B<require user> and B<require valid-user>
directives.  In the NIS context I consider B<require group> to be an
"authorization" concern.  I.e., Group authorization consists of
establishing whether the already authenticated user is a member of one of
the indicated groups in the B<require group> directive.  This process may
be handled by B<Apache::AuthzNIS>.


=head2 Functions

=over 4

=item handler

This is the mod_perl2 handler function.

=cut

sub handler {
    my $r = shift;
    my $requires = $r->requires;
    return Apache2::Const::OK unless $requires;

    my $name = $r->user;

    for my $req ( @$requires ) {
        my( $require, @list ) = split /\s+/, $req->{'requirement'};

        #ok if user is one of these users
        if ( $require eq 'user' ) {
            return Apache2::Const::OK if grep $name eq $_, @list;
        }
        #ok if user is simply authenticated
        elsif ( $require eq 'valid-user' ) {
            return Apache2::Const::OK;
        }
        elsif ( $require eq 'group' ) {
            my $domain = Net::NIS::yp_get_default_domain();
            unless ( $domain ) {
                $r->note_basic_auth_failure;
                $r->log_error( __PACKAGE__, " - cannot obtain NIS domain", $r->uri );
                return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
            }
            foreach my $thisgroup ( @list ) {
                my( $status, $entry )
                    = Net::NIS::yp_match( $domain, "group.byname", $thisgroup );
                if ( $status ) {
                    my $error_msg = Net::NIS::yperr_string( $status );
                    $r->note_basic_auth_failure;
                    $r->log_error( __PACKAGE__,
                        " - group: $thisgroup: yp_match status $status, ",
                        $error_msg, $r->uri
                    );
                    return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
                }
                my @names = split /\,/, $entry;
                $names[0] =~ s/^.*:.*:.*://;
                foreach my $oneuser ( @names ) {
                    if ( $oneuser eq $name ) {
                        return Apache2::Const::OK;
                    }
                }
            }
        }
    }

    $r->note_basic_auth_failure;
    $r->log_error( __PACKAGE__, " - user $name: not authorized", $r->uri );
    return Apache2::Const::HTTP_UNAUTHORIZED;
}

=back


=head1 INSTALLATION

To install this module, run the following commands:

    perl Build.PL
    ./Build
    ./Build test
    ./Build install


=head1 AUTHOR

Demetrios E. Paneras C<< <dep at media.mit.edu> >>

Ported to mod_perl by Shannon Eric Peevey C<< <speeves at unt.edu> >>

Ported to mod_perl2 by Nguon Hao Ching C<< <hao at iteaha.us> >>

=head1 BUGS

Please report any bugs or feature requests to C<bug-apache2-authznis at rt.cpan.org>, or through
the web interface at L<http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Apache2-AuthzNIS>.  I will be notified, and then you'll
automatically be notified of progress on your bug as I make changes.


=head1 SUPPORT & DOCUMENTATION

You can find documentation for this module with the perldoc command.

    perldoc Apache2::AuthzNIS


You can also look for information at:

=over 4

=item * RT: CPAN's request tracker

L<http://rt.cpan.org/NoAuth/Bugs.html?Dist=Apache2-AuthzNIS>

=item * AnnoCPAN: Annotated CPAN documentation

L<http://annocpan.org/dist/Apache2-AuthzNIS>

=item * CPAN Ratings

L<http://cpanratings.perl.org/d/Apache2-AuthzNIS>

=item * Search CPAN

L<http://search.cpan.org/dist/Apache2-AuthzNIS>

=back


=head1 COPYRIGHT & LICENSE

Copyright (c) 1998 Demetrios E. Paneras, MIT Media Laboratory.

This program is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.


=cut

1; # End of Apache2::AuthzNIS