package Apache::AuthzSSL;

use strict;
use warnings;

use Apache::Constants qw(:common);
use Text::ParseWords  qw(quotewords);

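sub handler {
    # Authorization-phase handler: allow the request only when the client
    # certificate's subject DN satisfies every "require" line configured for
    # the location.
    #
    # Each requirement is "<DN field> <value> [<value> ...]" (split with
    # quotewords, so values may be quoted).  A requirement passes when the
    # named field is present in the DN and is exactly (case-sensitively) equal
    # to one of its values.  All requirements must pass; the first one that
    # fails is logged and the request is FORBIDDEN.  This is fail-closed: a
    # requirement with no values, or one naming a field the DN does not
    # carry, never passes.
    #
    # Returns an Apache::Constants status: OK, DECLINED or FORBIDDEN.
    my $r = shift;

    # Only the main request is authorized; subrequests follow its outcome.
    return OK unless $r->is_main;

    my $requires = $r->requires;
    return DECLINED unless $requires;

    # The SSL environment is read from a subrequest for the same URI
    # (mod_perl 1 idiom); SSL_CLIENT_S_DN is the verified client cert subject.
    my $subr = $r->lookup_uri($r->uri);
    my $dn   = $subr->subprocess_env('SSL_CLIENT_S_DN');

    # No client DN at all: leave the decision to another authz handler.
    return DECLINED unless $dn;

    # Parse "/C=US/O=Example/CN=alice" into field => value pairs.  Values
    # cannot contain '/'; a repeated field (e.g. several OU=) keeps the last.
    my %dn = $dn =~ m{/([^=]+)=([^/]+)}g;

  REQUIRES:
    for my $entry (@$requires) {
        my ($field, @values) = quotewords('\s+', 0, $entry->{requirement});

        # A field absent from the DN must never match.  Comparing the undef
        # slot directly would treat it as "", so a requirement listing an
        # empty value (require OU "") would pass a cert that has no OU.
        my $actual = defined $field ? $dn{$field} : undef;
        if (defined $actual) {
            next REQUIRES if grep { $_ eq $actual } @values;
        }

        $r->log_reason("user $dn{CN}: not authorized", $r->filename);
        return FORBIDDEN;
    }

    # Every requirement matched.
    return OK;
}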

1;    # a module must end with a true value
__END__

