MAJOR: auth: Change the internal authentication system.
This patch remove the limit of 32 groups. It also permit to use standard
"pat_parse_str()" function in place of "pat_parse_strcat()". The
"pat_parse_strcat()" is no longer used and its removed. Before this
patch, the groups are stored in a bitfield, now they are stored in a
list of strings. The matching is slower, but the number of groups is
low and generally the list of allowed groups is short.
The fetch function "smp_fetch_http_auth_grp()" used with the name
"http_auth_group" return valid username. It can be used as string for
displaying the username or with the acl "http_auth_group" for checking
the group of the user.
Maybe the names of the ACL and fetch methods are no longer suitable, but
I keep the current names for conserving the compatibility with existing
configurations.
The function "userlist_postinit()" is created from verification code
stored in the big function "check_config_validity()". The code is
adapted to the new authentication storage system and it is moved in the
"src/auth.c" file. This function is used to check the validity of the
users declared in groups and to check the validity of groups declared
on the "user" entries.
This resolve function is executed before the check of all proxy because
many acl needs solved users and groups.
diff --git a/src/acl.c b/src/acl.c
index abfd04c..8ce49a9 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -1053,18 +1053,13 @@
continue;
}
+ /* For each pattern, check if the group exists. */
list_for_each_entry(pattern, &expr->pat.patterns, list) {
- /* this keyword only has one argument */
- pattern->val.group_mask = auth_resolve_groups(expr->smp->arg_p->data.usr, pattern->ptr.str);
-
- if (!pattern->val.group_mask) {
+ if (!check_group(expr->smp->arg_p->data.usr, pattern->ptr.str)) {
Alert("proxy %s: acl %s %s(): invalid group '%s'.\n",
p->id, acl->name, expr->kw, pattern->ptr.str);
cfgerr++;
}
- free(pattern->ptr.str);
- pattern->ptr.str = NULL;
- pattern->len = 0;
}
}
}
diff --git a/src/auth.c b/src/auth.c
index 203b5aa..961c288 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -26,6 +26,7 @@
#include <unistd.h>
#include <common/config.h>
+#include <common/errors.h>
#include <proto/acl.h>
#include <proto/log.h>
@@ -54,36 +55,14 @@
return NULL;
}
-/* find group_mask for selected gropus. The function returns 1 if OK or nothing to do,
- * 0 if case of unresolved groupname.
- * WARING: the function destroys the list (strtok), so it can only be used once.
- */
-
-unsigned int
-auth_resolve_groups(struct userlist *l, char *groups)
+int check_group(struct userlist *ul, char *name)
{
-
- char *group = NULL;
- unsigned int g, group_mask = 0;
-
- if (!groups || !*groups)
- return 0;
-
- while ((group = strtok(group?NULL:groups," "))) {
- for (g = 0; g < l->grpcnt; g++)
- if (!strcmp(l->groups[g], group))
- break;
-
- if (g == l->grpcnt) {
- Alert("No such group '%s' in userlist '%s'.\n",
- group, l->name);
- return 0;
- }
-
- group_mask |= (1 << g);
- }
+ struct auth_groups *ag;
- return group_mask;
+ for (ag = ul->groups; ag; ag = ag->next)
+ if (strcmp(name, ag->name) == 0)
+ return 1;
+ return 0;
}
void
@@ -91,11 +70,21 @@
{
struct userlist *tul;
struct auth_users *au, *tau;
- int i;
+ struct auth_groups_list *agl, *tagl;
+ struct auth_groups *ag, *tag;
while (ul) {
+ /* Free users. */
au = ul->users;
while (au) {
+ /* Free groups that own current user. */
+ agl = au->u.groups;
+ while (agl) {
+ tagl = agl;
+ agl = agl->next;
+ free(tagl);
+ }
+
tau = au;
au = au->next;
free(tau->user);
@@ -103,30 +92,135 @@
free(tau);
}
+ /* Free grouplist. */
+ ag = ul->groups;
+ while (ag) {
+ tag = ag;
+ ag = ag->next;
+ free(tag->name);
+ free(tag);
+ }
+
tul = ul;
ul = ul->next;
-
- for (i = 0; i < tul->grpcnt; i++)
- free(tul->groups[i]);
-
free(tul->name);
free(tul);
};
}
+int userlist_postinit()
+{
+ struct userlist *curuserlist = NULL;
+
+ /* Resolve usernames and groupnames. */
+ for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
+ struct auth_groups *ag;
+ struct auth_users *curuser;
+ struct auth_groups_list *grl;
+
+ for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
+ char *group = NULL;
+ struct auth_groups_list *groups = NULL;
+
+ if (!curuser->u.groups_names)
+ continue;
+
+ while ((group = strtok(group?NULL:curuser->u.groups_names, ","))) {
+ for (ag = curuserlist->groups; ag; ag = ag->next) {
+ if (!strcmp(ag->name, group))
+ break;
+ }
+
+ if (!ag) {
+ Alert("userlist '%s': no such group '%s' specified in user '%s'\n",
+ curuserlist->name, group, curuser->user);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ /* Add this group at the group userlist. */
+ grl = calloc(1, sizeof(*grl));
+ if (!grl) {
+ Alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
+ curuserlist->name);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ grl->group = ag;
+ grl->next = groups;
+ groups = grl;
+ }
+
+ free(curuser->u.groups);
+ curuser->u.groups = groups;
+ }
+
+ for (ag = curuserlist->groups; ag; ag = ag->next) {
+ char *user = NULL;
+
+ if (!ag->groupusers)
+ continue;
+
+ while ((user = strtok(user?NULL:ag->groupusers, ","))) {
+ for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
+ if (!strcmp(curuser->user, user))
+ break;
+ }
+
+ if (!curuser) {
+ Alert("userlist '%s': no such user '%s' specified in group '%s'\n",
+ curuserlist->name, user, ag->name);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ /* Add this group at the group userlist. */
+ grl = calloc(1, sizeof(*grl));
+ if (!grl) {
+ Alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
+ curuserlist->name);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ grl->group = ag;
+ grl->next = curuser->u.groups;
+ curuser->u.groups = grl;
+ }
+
+ free(ag->groupusers);
+ ag->groupusers = NULL;
+ }
+
+#ifdef DEBUG_AUTH
+ for (ag = curuserlist->groups; ag; ag = ag->next) {
+ struct auth_groups_list *agl;
+
+ fprintf(stderr, "group %s, id %p, users:", ag->name, ag);
+ for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
+ for (agl = curuser->u.groups; agl; agl = agl->next) {
+ if (agl->group == ag)
+ fprintf(stderr, " %s", curuser->user);
+ }
+ }
+ fprintf(stderr, "\n");
+ }
+#endif
+ }
+
+ return ERR_NONE;
+}
+
/*
* Authenticate and authorize user; return 1 if OK, 0 if case of error.
*/
int
-check_user(struct userlist *ul, unsigned int group_mask, const char *user, const char *pass)
+check_user(struct userlist *ul, const char *user, const char *pass)
{
struct auth_users *u;
const char *ep;
#ifdef DEBUG_AUTH
- fprintf(stderr, "req: userlist=%s, user=%s, pass=%s, group_mask=%u\n",
- ul->name, user, pass, group_mask);
+ fprintf(stderr, "req: userlist=%s, user=%s, pass=%s, group=%s\n",
+ ul->name, user, pass, group);
#endif
for (u = ul->users; u; u = u->next)
@@ -137,17 +231,12 @@
return 0;
#ifdef DEBUG_AUTH
- fprintf(stderr, "cfg: user=%s, pass=%s, group_mask=%u, flags=%X",
- u->user, u->pass, u->u.group_mask, u->flags);
+ fprintf(stderr, "cfg: user=%s, pass=%s, flags=%X, groups=",
+ u->user, u->pass, u->flags);
+ for (agl = u->u.groups; agl; agl = agl->next)
+ fprintf(stderr, " %s", agl->group->name);
#endif
- /*
- * if user matches but group does not,
- * it makes no sens to check passwords
- */
- if (group_mask && !(group_mask & u->u.group_mask))
- return 0;
-
if (!(u->flags & AU_O_INSECURE)) {
#ifdef CONFIG_HAP_CRYPT
ep = crypt(pass, u->pass);
@@ -170,14 +259,28 @@
enum pat_match_res
pat_match_auth(struct sample *smp, struct pattern *pattern)
{
-
struct userlist *ul = smp->ctx.a[0];
- char *user = smp->ctx.a[1];
- char *pass = smp->ctx.a[2];
- unsigned int group_mask = pattern->val.group_mask;
+ struct auth_users *u;
+ struct auth_groups_list *agl;
- if (check_user(ul, group_mask, user, pass))
- return PAT_MATCH;
- else
+ /* Check if the userlist is present in the context data. */
+ if (!ul)
+ return PAT_NOMATCH;
+
+ /* Browse the userlist for searching user. */
+ for (u = ul->users; u; u = u->next) {
+ if (strcmp(smp->data.str.str, u->user) == 0)
+ break;
+ }
+ if (!u)
+ return 0;
+
+ /* Browse each group for searching group name that match the pattern. */
+ for (agl = u->u.groups; agl; agl = agl->next) {
+ if (strcmp(agl->group->name, pattern->ptr.str) == 0)
+ break;
+ }
+ if (!agl)
return PAT_NOMATCH;
+ return PAT_MATCH;
}
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 5cbb9e2..10dfa89 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -6248,10 +6248,8 @@
goto out;
}
- newul->groupusers = calloc(MAX_AUTH_GROUPS, sizeof(char *));
newul->name = strdup(args[1]);
-
- if (!newul->groupusers | !newul->name) {
+ if (!newul->name) {
Alert("parsing [%s:%d]: out of memory.\n", file, linenum);
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
@@ -6261,8 +6259,9 @@
userlist = newul;
} else if (!strcmp(args[0], "group")) { /* new group */
- int cur_arg, i;
+ int cur_arg;
const char *err;
+ struct auth_groups *ag;
if (!*args[1]) {
Alert("parsing [%s:%d]: '%s' expects <name> as arguments.\n",
@@ -6279,26 +6278,33 @@
goto out;
}
- for(i = 0; i < userlist->grpcnt; i++)
- if (!strcmp(userlist->groups[i], args[1])) {
+ for (ag = userlist->groups; ag; ag = ag->next)
+ if (!strcmp(ag->name, args[1])) {
Warning("parsing [%s:%d]: ignoring duplicated group '%s' in userlist '%s'.\n",
file, linenum, args[1], userlist->name);
err_code |= ERR_ALERT;
goto out;
}
- if (userlist->grpcnt >= MAX_AUTH_GROUPS) {
- Alert("parsing [%s:%d]: too many groups (%u) in in userlist '%s' while adding group '%s'.\n",
- file, linenum, MAX_AUTH_GROUPS, userlist->name, args[1]);
- err_code |= ERR_ALERT | ERR_FATAL;
+ ag = calloc(1, sizeof(*ag));
+ if (!ag) {
+ Alert("parsing [%s:%d]: out of memory.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
+ ag->name = strdup(args[1]);
+ if (!ag) {
+ Alert("parsing [%s:%d]: out of memory.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_ABORT;
+ goto out;
+ }
+
cur_arg = 2;
while (*args[cur_arg]) {
if (!strcmp(args[cur_arg], "users")) {
- userlist->groupusers[userlist->grpcnt] = strdup(args[cur_arg + 1]);
+ ag->groupusers = strdup(args[cur_arg + 1]);
cur_arg += 2;
continue;
} else {
@@ -6309,7 +6315,9 @@
}
}
+ ag->next = userlist->groups;
+ userlist->groups = ag;
+
- userlist->groups[userlist->grpcnt++] = strdup(args[1]);
} else if (!strcmp(args[0], "user")) { /* new user */
struct auth_users *newuser;
int cur_arg;
@@ -6359,7 +6367,7 @@
cur_arg += 2;
continue;
} else if (!strcmp(args[cur_arg], "groups")) {
- newuser->u.groups = strdup(args[cur_arg + 1]);
+ newuser->u.groups_names = strdup(args[cur_arg + 1]);
cur_arg += 2;
continue;
} else {
@@ -6602,7 +6610,6 @@
int cfgerr = 0;
struct proxy *curproxy = NULL;
struct server *newsrv = NULL;
- struct userlist *curuserlist = NULL;
int err_code = 0;
unsigned int next_pxid = 1;
struct bind_conf *bind_conf;
@@ -6623,6 +6630,11 @@
pool2_capture = create_pool("capture", global.tune.cookie_len, MEM_F_SHARED);
+ /* Post initialisation of the users and groups lists. */
+ err_code = userlist_postinit();
+ if (err_code != ERR_NONE)
+ goto out;
+
/* first, we will invert the proxy list order */
curproxy = NULL;
while (proxy) {
@@ -7091,7 +7103,9 @@
curproxy->conf.args.line = 0;
}
- /* only now we can check if some args remain unresolved */
+ /* only now we can check if some args remain unresolved.
+ * This must be done after the users and groups resolution.
+ */
cfgerr += smp_resolve_args(curproxy);
if (!cfgerr)
cfgerr += acl_find_targets(curproxy);
@@ -7678,78 +7692,6 @@
if (global.stats_fe && !global.stats_fe->bind_proc) {
Warning("stats socket will not work as expected in multi-process mode (nbproc > 1), you should force process binding using 'stats bind-process'.\n");
}
- }
-
- for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
- struct auth_users *curuser;
- int g;
-
- for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
- unsigned int group_mask = 0;
- char *group = NULL;
-
- if (!curuser->u.groups)
- continue;
-
- while ((group = strtok(group?NULL:curuser->u.groups, ","))) {
-
- for (g = 0; g < curuserlist->grpcnt; g++)
- if (!strcmp(curuserlist->groups[g], group))
- break;
-
- if (g == curuserlist->grpcnt) {
- Alert("userlist '%s': no such group '%s' specified in user '%s'\n",
- curuserlist->name, group, curuser->user);
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
-
- group_mask |= (1 << g);
- }
-
- free(curuser->u.groups);
- curuser->u.group_mask = group_mask;
- }
-
- for (g = 0; g < curuserlist->grpcnt; g++) {
- char *user = NULL;
-
- if (!curuserlist->groupusers[g])
- continue;
-
- while ((user = strtok(user?NULL:curuserlist->groupusers[g], ","))) {
- for (curuser = curuserlist->users; curuser; curuser = curuser->next)
- if (!strcmp(curuser->user, user))
- break;
-
- if (!curuser) {
- Alert("userlist '%s': no such user '%s' specified in group '%s'\n",
- curuserlist->name, user, curuserlist->groups[g]);
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
-
- curuser->u.group_mask |= (1 << g);
- }
-
- free(curuserlist->groupusers[g]);
- }
-
- free(curuserlist->groupusers);
-
-#ifdef DEBUG_AUTH
- for (g = 0; g < curuserlist->grpcnt; g++) {
- fprintf(stderr, "group %s, id %d, mask %08X, users:", curuserlist->groups[g], g , 1 << g);
-
- for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
- if (curuser->u.group_mask & (1 << g))
- fprintf(stderr, " %s", curuser->user);
- }
-
- fprintf(stderr, "\n");
- }
-#endif
-
}
/* automatically compute fullconn if not set. We must not do it in the
diff --git a/src/pattern.c b/src/pattern.c
index 306b514..31df937 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -242,45 +242,6 @@
return !!parse_binary(*text, &pattern->ptr.str, &pattern->len, err);
}
-/* Parse and concatenate all further strings into one. */
-int
-pat_parse_strcat(const char **text, struct pattern *pattern, enum pat_usage usage, int *opaque, char **err)
-{
- int len = 0, i;
- char *s;
- struct chunk *trash;
-
- for (i = 0; *text[i]; i++)
- len += strlen(text[i])+1;
-
- pattern->type = SMP_T_CSTR;
- if (usage == PAT_U_COMPILE) {
- pattern->ptr.str = calloc(1, len);
- if (!pattern->ptr.str) {
- memprintf(err, "out of memory while loading pattern");
- return 0;
- }
- }
- else {
- trash = get_trash_chunk();
- if (trash->size < len) {
- memprintf(err, "no space avalaible in the buffer. expect %d, provides %d",
- len, trash->size);
- return 0;
- }
- pattern->ptr.str = trash->str;
- }
-
- s = pattern->ptr.str;
-
- for (i = 0; *text[i]; i++)
- s += sprintf(s, i?" %s":"%s", text[i]);
-
- pattern->len = len;
-
- return i;
-}
-
/* Parse a regex. It is allocated. */
int pat_parse_reg(const char **text, struct pattern *pattern, enum pat_usage usage, int *opaque, char **err)
{
diff --git a/src/proto_http.c b/src/proto_http.c
index 0c6a623..702ef22 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -1361,6 +1361,9 @@
* have the credentials overwritten by another session in parallel.
*/
+/* This bufffer is initialized in the file 'src/haproxy.c'. This length is
+ * set according to global.tune.bufsize.
+ */
char *get_http_auth_buff;
int
@@ -9630,7 +9633,7 @@
return 0;
smp->type = SMP_T_BOOL;
- smp->data.uint = check_user(args->data.usr, 0, l4->txn.auth.user, l4->txn.auth.pass);
+ smp->data.uint = check_user(args->data.usr, l4->txn.auth.user, l4->txn.auth.pass);
return 1;
}
@@ -9648,20 +9651,19 @@
if (!get_http_auth(l4))
return 0;
- /* pat_match_auth() will need several information at once */
- smp->ctx.a[0] = args->data.usr; /* user list */
- smp->ctx.a[1] = l4->txn.auth.user; /* user name */
- smp->ctx.a[2] = l4->txn.auth.pass; /* password */
-
/* if the user does not belong to the userlist or has a wrong password,
* report that it unconditionally does not match. Otherwise we return
- * a non-zero integer which will be ignored anyway since all the params
- * that pat_match_auth() will use are in test->ctx.a[0,1,2].
+ * a string containing the username.
*/
- smp->type = SMP_T_BOOL;
- smp->data.uint = check_user(args->data.usr, 0, l4->txn.auth.user, l4->txn.auth.pass);
- if (smp->data.uint)
- smp->type = SMP_T_UINT;
+ if (!check_user(args->data.usr, l4->txn.auth.user, l4->txn.auth.pass))
+ return 0;
+
+ /* pat_match_auth() will need the user list */
+ smp->ctx.a[0] = args->data.usr;
+
+ smp->type = SMP_T_CSTR;
+ smp->data.str.str = l4->txn.auth.user;
+ smp->data.str.len = strlen(l4->txn.auth.user);
return 1;
}
@@ -10371,7 +10373,7 @@
{ "hdr_reg", "req.hdr", pat_parse_reg, pat_match_reg },
{ "hdr_sub", "req.hdr", pat_parse_str, pat_match_sub },
- { "http_auth_group", NULL, pat_parse_strcat, pat_match_auth },
+ { "http_auth_group", NULL, pat_parse_str, pat_match_auth },
{ "method", NULL, pat_parse_meth, pat_match_meth },
@@ -10461,7 +10463,7 @@
{ "hdr_val", smp_fetch_hdr_val, ARG2(0,STR,SINT), val_hdr, SMP_T_UINT, SMP_USE_HRQHV },
{ "http_auth", smp_fetch_http_auth, ARG1(1,USR), NULL, SMP_T_BOOL, SMP_USE_HRQHV },
- { "http_auth_group", smp_fetch_http_auth_grp, ARG1(1,USR), NULL, SMP_T_BOOL, SMP_USE_HRQHV },
+ { "http_auth_group", smp_fetch_http_auth_grp, ARG1(1,USR), NULL, SMP_T_CSTR, SMP_USE_HRQHV },
{ "http_first_req", smp_fetch_http_first_req, 0, NULL, SMP_T_BOOL, SMP_USE_HRQHP },
{ "method", smp_fetch_meth, 0, NULL, SMP_T_UINT, SMP_USE_HRQHP },
{ "path", smp_fetch_path, 0, NULL, SMP_T_CSTR, SMP_USE_HRQHV },