MAJOR: auth: Change the internal authentication system.
This patch remove the limit of 32 groups. It also permit to use standard
"pat_parse_str()" function in place of "pat_parse_strcat()". The
"pat_parse_strcat()" is no longer used and its removed. Before this
patch, the groups are stored in a bitfield, now they are stored in a
list of strings. The matching is slower, but the number of groups is
low and generally the list of allowed groups is short.
The fetch function "smp_fetch_http_auth_grp()" used with the name
"http_auth_group" return valid username. It can be used as string for
displaying the username or with the acl "http_auth_group" for checking
the group of the user.
Maybe the names of the ACL and fetch methods are no longer suitable, but
I keep the current names for conserving the compatibility with existing
configurations.
The function "userlist_postinit()" is created from verification code
stored in the big function "check_config_validity()". The code is
adapted to the new authentication storage system and it is moved in the
"src/auth.c" file. This function is used to check the validity of the
users declared in groups and to check the validity of groups declared
on the "user" entries.
This resolve function is executed before the check of all proxy because
many acl needs solved users and groups.
diff --git a/include/proto/auth.h b/include/proto/auth.h
index 711b2f8..a960613 100644
--- a/include/proto/auth.h
+++ b/include/proto/auth.h
@@ -20,9 +20,11 @@
struct userlist *auth_find_userlist(char *name);
unsigned int auth_resolve_groups(struct userlist *l, char *groups);
+int userlist_postinit();
void userlist_free(struct userlist *ul);
enum pat_match_res pat_match_auth(struct sample *smp, struct pattern *pattern);
-int check_user(struct userlist *ul, unsigned int group_mask, const char *user, const char *pass);
+int check_user(struct userlist *ul, const char *user, const char *pass);
+int check_group(struct userlist *ul, char *name);
#endif /* _PROTO_AUTH_H */
diff --git a/include/types/auth.h b/include/types/auth.h
index e60d363..964f29b 100644
--- a/include/types/auth.h
+++ b/include/types/auth.h
@@ -18,17 +18,26 @@
#include <types/auth.h>
-#define MAX_AUTH_GROUPS (unsigned int)(sizeof(int)*8)
-
#define AU_O_INSECURE 0x00000001 /* insecure, unencrypted password */
+struct auth_groups {
+ struct auth_groups *next;
+ char *name;
+ char *groupusers; /* Just used during the configuration parsing. */
+};
+
+struct auth_groups_list {
+ struct auth_groups_list *next;
+ struct auth_groups *group;
+};
+
struct auth_users {
struct auth_users *next;
unsigned int flags;
char *user, *pass;
union {
- char *groups;
- unsigned int group_mask;
+ char *groups_names; /* Just used during the configuration parsing. */
+ struct auth_groups_list *groups;
} u;
};
@@ -36,9 +45,7 @@
struct userlist *next;
char *name;
struct auth_users *users;
- int grpcnt;
- char *groups[MAX_AUTH_GROUPS];
- char **groupusers;
+ struct auth_groups *groups;
};
#endif /* _TYPES_AUTH_H */
diff --git a/include/types/pattern.h b/include/types/pattern.h
index 4e89372..93ee297 100644
--- a/include/types/pattern.h
+++ b/include/types/pattern.h
@@ -138,7 +138,6 @@
unsigned char mask; /* number of bits */
} ipv6; /* IPv6 address/mask */
struct pat_time time; /* valid hours and days */
- unsigned int group_mask;
struct eb_root *tree; /* tree storing all values if any */
} val; /* direct value */
union {