Index: server/common/oursrc/mod_auth_sslcert/mod_auth_sslcert.c
===================================================================
--- server/common/oursrc/mod_auth_sslcert/mod_auth_sslcert.c	(revision 54)
+++ server/common/oursrc/mod_auth_sslcert/mod_auth_sslcert.c	(revision 54)
@@ -0,0 +1,145 @@
+/* mod_auth_sslcert
+ * version 1.0, released 2006-01-04
+ * Anders Kaseorg <anders@kaseorg.com>
+ *
+ * This module does authentication based on SSL client certificates:
+ *   AuthType SSLCert
+ *   AuthSSLCertVar SSL_CLIENT_S_DN_Email
+ *   AuthSSLCertStripSuffix "@MIT.EDU"
+ */
+
+#include "apr_strings.h"
+#define APR_WANT_STRFUNC        /* for strcasecmp */
+#include "apr_want.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_core.h"
+#include "http_log.h"
+
+#include "mod_auth.h"
+#include "mod_ssl.h"
+
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *ssl_var_lookup;
+
+typedef struct {
+    char *dir;
+    int authoritative;
+    char *var;
+    char *strip_suffix;
+} auth_sslcert_config_rec;
+
+static void *create_auth_sslcert_dir_config(apr_pool_t *p, char *d)
+{
+    auth_sslcert_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
+
+    conf->dir = d;
+    /* Any failures are fatal. */
+    conf->authoritative = 1;
+    conf->var = NULL;
+    conf->strip_suffix = NULL;
+
+    return conf;
+}
+
+static const command_rec auth_sslcert_cmds[] =
+{
+    AP_INIT_FLAG("AuthSSLCertAuthoritative", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(auth_sslcert_config_rec, authoritative),
+                 OR_AUTHCFG,
+                 "Set to 'Off' to allow access control to be passed along to "
+                 "lower modules if the UserID is not known to this module"),
+    AP_INIT_TAKE1("AuthSSLCertVar", ap_set_string_slot,
+		  (void*)APR_OFFSETOF(auth_sslcert_config_rec, var),
+		  OR_AUTHCFG,
+		  "SSL variable to use as the username"),
+    AP_INIT_TAKE1("AuthSSLCertStripSuffix", ap_set_string_slot,
+		  (void*)APR_OFFSETOF(auth_sslcert_config_rec, strip_suffix),
+		  OR_AUTHCFG,
+		  "An optional suffix to strip from the username"),
+    {NULL}
+};
+
+module AP_MODULE_DECLARE_DATA auth_sslcert_module;
+
+static int authenticate_sslcert_user(request_rec *r)
+{
+    auth_sslcert_config_rec *conf = ap_get_module_config(r->per_dir_config,
+							 &auth_sslcert_module);
+    const char *current_auth;
+
+    /* Are we configured to be SSLCert auth? */
+    current_auth = ap_auth_type(r);
+    if (!current_auth || strcasecmp(current_auth, "SSLCert") != 0) {
+        return DECLINED;
+    }
+
+    r->ap_auth_type = "SSLCert";
+
+    if (strcasecmp((char *)ssl_var_lookup(r->pool, r->server, r->connection, r,
+					  "SSL_CLIENT_VERIFY"),
+		   "SUCCESS") == 0) {
+	if (conf->var == NULL) {
+	    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+			  "AuthSSLCertVar is not set: \"%s\"", r->uri);
+	    return HTTP_INTERNAL_SERVER_ERROR;
+	}
+	char *user = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r,
+					    conf->var);
+	if (user != NULL && user[0] != '\0') {
+	    if (conf->strip_suffix != NULL) {
+		int i = strlen(user) - strlen(conf->strip_suffix);
+		if (i >= 0 && strcasecmp(user + i, conf->strip_suffix) == 0) {
+		    r->user = apr_pstrmemdup(r->pool, user, i);
+		    return OK;
+		} else {
+		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+				  "SSL username for \"%s\" has wrong suffix: \"%s\"",
+				  r->uri, r->user);
+		}
+	    } else {
+		r->user = user;
+		return OK;
+	    }
+	} else {
+	    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+			  "no SSL username for \"%s\"", r->uri);
+	}
+    } else {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+		      "SSL client not verified for \"%s\"", r->uri);
+    }
+
+    /* If we're not authoritative, then any error is ignored. */
+    if (!conf->authoritative) {
+	return DECLINED;
+    }
+
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+		  "SSLCert authentication failure for \"%s\"",
+		  r->uri);
+    return HTTP_UNAUTHORIZED;
+}
+
+static void import_ssl_var_lookup()
+{
+    ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+}
+
+static void register_hooks(apr_pool_t *p)
+{
+    ap_hook_check_user_id(authenticate_sslcert_user,NULL,NULL,APR_HOOK_MIDDLE);
+    ap_hook_optional_fn_retrieve(import_ssl_var_lookup,NULL,NULL,APR_HOOK_MIDDLE);
+}
+
+module AP_MODULE_DECLARE_DATA auth_sslcert_module =
+{
+    STANDARD20_MODULE_STUFF,
+    create_auth_sslcert_dir_config,  /* dir config creater */
+    NULL,                            /* dir merger --- default is to override */
+    NULL,                            /* server config */
+    NULL,                            /* merge server config */
+    auth_sslcert_cmds,               /* command apr_table_t */
+    register_hooks                   /* register hooks */
+};
Index: server/common/oursrc/mod_authz_afsgroup/mod_authz_afsgroup.c
===================================================================
--- server/common/oursrc/mod_authz_afsgroup/mod_authz_afsgroup.c	(revision 54)
+++ server/common/oursrc/mod_authz_afsgroup/mod_authz_afsgroup.c	(revision 54)
@@ -0,0 +1,165 @@
+/* mod_authz_afsgroup
+ * version 1.0, released 2006-01-04
+ * Anders Kaseorg <anders@kaseorg.com>
+ *
+ * This module does authorization based on AFS groups:
+ *   Require afsgroup system:administrators
+ *
+ * It currently works by parsing the output of `pts membership
+ * <group>`.
+ */
+
+#include "apr_strings.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_core.h"
+#include "http_log.h"
+#include "http_protocol.h"
+#include "http_request.h"
+
+#include <unistd.h>
+#include <stdio.h>
+
+typedef struct {
+    int authoritative;
+} authz_afsgroup_config_rec;
+
+static void *create_authz_afsgroup_dir_config(apr_pool_t *p, char *d)
+{
+    authz_afsgroup_config_rec *conf = apr_palloc(p, sizeof(*conf));
+
+    conf->authoritative = 1;
+    return conf;
+}
+
+static const command_rec authz_afsgroup_cmds[] =
+{
+    AP_INIT_FLAG("AuthzAFSGroupAuthoritative", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(authz_afsgroup_config_rec, authoritative),
+                 OR_AUTHCFG,
+                 "Set to 'Off' to allow access control to be passed along to "
+                 "lower modules if the 'require afsgroup' statement is not "
+                 "met. (default: On)."),
+    {NULL}
+};
+
+module AP_MODULE_DECLARE_DATA authz_afsgroup_module;
+
+static int check_afsgroup_access(request_rec *r)
+{
+    authz_afsgroup_config_rec *conf = ap_get_module_config(r->per_dir_config,
+							   &authz_afsgroup_module);
+    char *user = r->user;
+    int m = r->method_number;
+    int required_afsgroup = 0;
+    register int x;
+    const char *t, *w;
+    const apr_array_header_t *reqs_arr = ap_requires(r);
+    require_line *reqs;
+
+    if (!reqs_arr) {
+        return DECLINED;
+    }
+    reqs = (require_line *)reqs_arr->elts;
+
+    for (x = 0; x < reqs_arr->nelts; x++) {
+
+        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
+            continue;
+        }
+
+        t = reqs[x].requirement;
+        w = ap_getword_white(r->pool, &t);
+        if (!strcasecmp(w, "afsgroup")) {
+            required_afsgroup = 1;
+            while (t[0]) {
+		int pfd[2];
+		pid_t cpid;
+		FILE *fp;
+		char *line = NULL;
+		char buf[256];
+		size_t len = 0;
+		ssize_t read;
+                w = ap_getword_conf(r->pool, &t);
+		if (pipe(pfd) == -1) {
+		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+				  "pipe() failed!");
+		    return HTTP_INTERNAL_SERVER_ERROR;
+		}
+		cpid = fork();
+		if (cpid == -1) {
+		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+				  "fork() failed!");
+		    return HTTP_INTERNAL_SERVER_ERROR;
+		}
+		if (cpid == 0) {
+		    close(pfd[0]);
+		    dup2(pfd[1], STDOUT_FILENO);
+		    execve("/usr/bin/pts",
+			   (char *const[]) {
+			       "pts", "membership", "-nameorid", w, NULL
+			   },
+			   NULL);
+		    _exit(1);
+		}
+		close(pfd[1]);
+		fp = fdopen(pfd[0], "r");
+		if (fp == NULL) {
+		    close(pfd[0]);
+		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+				  "fdopen() failed!");
+		    return HTTP_INTERNAL_SERVER_ERROR;
+		}
+		if (snprintf(buf, sizeof(buf), "  %s\n", user) >= sizeof(buf)) {
+		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+				  "access to %s failed, reason: username '%s' "
+				  "is too long!",
+				  r->uri, user);
+		    continue;
+		}
+		while ((read = getline(&line, &len, fp)) != -1) {
+		    if (strcmp(line, buf) == 0) {
+			return OK;
+		    }
+		}
+		if (line)
+		    free(line);
+		fclose(fp);
+            }
+        }
+    }
+
+    if (!required_afsgroup) {
+        return DECLINED;
+    }
+
+    if (!conf->authoritative) {
+        return DECLINED;
+    }
+
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                  "access to %s failed, reason: user '%s' does not meet "
+                  "'require'ments for afsgroup to be allowed access",
+                  r->uri, user);
+
+    ap_note_auth_failure(r);
+    return HTTP_FORBIDDEN;
+}
+
+static void register_hooks(apr_pool_t *p)
+{
+    ap_hook_auth_checker(check_afsgroup_access, NULL, NULL, APR_HOOK_MIDDLE);
+}
+
+module AP_MODULE_DECLARE_DATA authz_afsgroup_module =
+{
+    STANDARD20_MODULE_STUFF,
+    create_authz_afsgroup_dir_config, /* dir config creater */
+    NULL,                             /* dir merger --- default is to override */
+    NULL,                             /* server config */
+    NULL,                             /* merge server config */
+    authz_afsgroup_cmds,              /* command apr_table_t */
+    register_hooks                    /* register hooks */
+};