[MINOR] acl: add http_auth and http_auth_group
Add two acls to match http auth data:
acl <name> http_auth(userlist)
acl <name> http_auth_hroup(userlist) group1 group2 (...)
diff --git a/include/proto/acl.h b/include/proto/acl.h
index ec9963d..488d75a 100644
--- a/include/proto/acl.h
+++ b/include/proto/acl.h
@@ -100,6 +100,12 @@
*/
struct acl *cond_find_require(const struct acl_cond *cond, unsigned int require);
+/*
+ * Find targets for userlist and groups in acl. Function returns the number
+ * of errors or OK if everything is fine.
+ */
+int acl_find_targets(struct proxy *p);
+
/* Return a pointer to the ACL <name> within the list starting at <head>, or
* NULL if not found.
*/
@@ -147,6 +153,9 @@
/* Parse a string. It is allocated and duplicated. */
int acl_parse_str(const char **text, struct acl_pattern *pattern, int *opaque);
+/* Parse and concatenate strings into one. It is allocated and duplicated. */
+int acl_parse_strcat(const char **text, struct acl_pattern *pattern, int *opaque);
+
/* Parse a regex. It is allocated. */
int acl_parse_reg(const char **text, struct acl_pattern *pattern, int *opaque);
diff --git a/include/types/acl.h b/include/types/acl.h
index fad3761..390db80 100644
--- a/include/types/acl.h
+++ b/include/types/acl.h
@@ -26,6 +26,7 @@
#include <common/config.h>
#include <common/mini-clist.h>
+#include <types/auth.h>
#include <types/proxy.h>
#include <types/session.h>
@@ -209,6 +210,7 @@
struct in_addr mask;
} ipv4; /* IPv4 address */
struct acl_time time; /* valid hours and days */
+ unsigned int group_mask;
} val; /* direct value */
union {
void *ptr; /* any data */
@@ -291,6 +293,7 @@
struct acl_keyword *kw; /* back-reference to the keyword */
union { /* optional argument of the subject (eg: header or cookie name) */
char *str;
+ struct userlist *ul;
} arg;
int arg_len; /* optional argument length */
struct list patterns; /* list of acl_patterns */
diff --git a/include/types/proto_http.h b/include/types/proto_http.h
index 3d38d57..18fbc26 100644
--- a/include/types/proto_http.h
+++ b/include/types/proto_http.h
@@ -235,6 +235,13 @@
HTTP_METH_OTHER,
} http_meth_t;
+enum {
+ HTTP_AUTH_WRONG = -1, /* missing or unknown */
+ HTTP_AUTH_UNKNOWN = 0,
+ HTTP_AUTH_BASIC,
+ HTTP_AUTH_DIGEST,
+};
+
/* This is an HTTP message, as described in RFC2616. It can be either a request
* message or a response message.
*
@@ -285,6 +292,12 @@
char **cap; /* array of captured headers (may be NULL) */
};
+struct http_auth_data {
+ int method; /* one of HTTP_AUTH_* */
+ struct chunk method_data; /* points to the creditial part from 'Authorization:' header */
+ char *user, *pass; /* extracted username & password */
+};
+
/* This is an HTTP transaction. It contains both a request message and a
* response message (which can be empty).
*/
@@ -303,6 +316,7 @@
char *sessid; /* the appsession id, if found in the request or in the response */
struct chunk auth_hdr; /* points to 'Authorization:' header */
+ struct http_auth_data auth; /* HTTP auth data */
};
/* This structure is used by http_find_header() to return values of headers.
diff --git a/src/acl.c b/src/acl.c
index eb75b0e..6605094 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -19,6 +19,7 @@
#include <common/standard.h>
#include <proto/acl.h>
+#include <proto/auth.h>
#include <proto/log.h>
/* The capabilities of filtering hooks describe the type of information
@@ -332,6 +333,29 @@
return 1;
}
+/* Parse and concatenate all further strings into one. */
+int
+acl_parse_strcat(const char **text, struct acl_pattern *pattern, int *opaque)
+{
+
+ int len = 0, i;
+ char *s;
+
+ for (i = 0; *text[i]; i++)
+ len += strlen(text[i])+1;
+
+ pattern->ptr.str = s = calloc(1, len);
+ if (!pattern->ptr.str)
+ return 0;
+
+ for (i = 0; *text[i]; i++)
+ s += sprintf(s, i?" %s":"%s", text[i]);
+
+ pattern->len = len;
+
+ return i;
+}
+
/* Free data allocated by acl_parse_reg */
static void acl_free_reg(void *ptr) {
@@ -627,7 +651,7 @@
{
free_pattern_list(&expr->patterns);
LIST_INIT(&expr->patterns);
- if (expr->arg.str)
+ if (expr->arg_len && expr->arg.str)
free(expr->arg.str);
expr->kw->use_cnt--;
return expr;
@@ -1169,6 +1193,74 @@
return NULL;
}
+/*
+ * Find targets for userlist and groups in acl. Function returns the number
+ * of errors or OK if everything is fine.
+ */
+int
+acl_find_targets(struct proxy *p)
+{
+
+ struct acl *acl;
+ struct acl_expr *expr;
+ struct acl_pattern *pattern;
+ struct userlist *ul;
+ int cfgerr = 0;
+
+ list_for_each_entry(acl, &p->acl, list) {
+ list_for_each_entry(expr, &acl->expr, list) {
+ if (strstr(expr->kw->kw, "http_auth") == expr->kw->kw) {
+
+ if (!expr->arg.str || !*expr->arg.str) {
+ Alert("proxy %s: acl %s %s(): missing userlist name.\n",
+ p->id, acl->name, expr->kw->kw);
+ cfgerr++;
+ continue;
+ }
+
+ ul = auth_find_userlist(expr->arg.str);
+
+ if (!ul) {
+ Alert("proxy %s: acl %s %s(%s): unable to find userlist.\n",
+ p->id, acl->name, expr->kw->kw, expr->arg.str);
+ cfgerr++;
+ continue;
+ }
+
+ expr->arg_len = 0;
+ expr->arg.ul = ul;
+ }
+
+
+ if (!strcmp(expr->kw->kw, "http_auth_group")) {
+
+ if (LIST_ISEMPTY(&expr->patterns)) {
+ Alert("proxy %s: acl %s %s(): no groups specified.\n",
+ p->id, acl->name, expr->kw->kw);
+ cfgerr++;
+ continue;
+ }
+
+ list_for_each_entry(pattern, &expr->patterns, list) {
+ pattern->val.group_mask = auth_resolve_groups(expr->arg.ul, pattern->ptr.str);
+
+ free(pattern->ptr.str);
+ pattern->ptr.str = NULL;
+ pattern->len = 0;
+
+ if (!pattern->val.group_mask) {
+ Alert("proxy %s: acl %s %s(): invalid group(s).\n",
+ p->id, acl->name, expr->kw->kw);
+ cfgerr++;
+ continue;
+ }
+ }
+ }
+ }
+ }
+
+ return cfgerr;
+}
/************************************************************************/
/* All supported keywords must be declared here. */
diff --git a/src/auth.c b/src/auth.c
index 58fc5be..3bce7c1 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -239,3 +239,23 @@
else
return 0;
}
+
+int
+acl_match_auth(struct acl_test *test, struct acl_pattern *pattern)
+{
+
+ struct userlist *ul = test->ctx.a[0];
+ char *user = test->ctx.a[1];
+ char *pass = test->ctx.a[2];
+ unsigned int group_mask;
+
+ if (pattern)
+ group_mask = pattern->val.group_mask;
+ else
+ group_mask = 0;
+
+ if (check_user(ul, group_mask, user, pass))
+ return ACL_PAT_PASS;
+ else
+ return ACL_PAT_FAIL;
+}
diff --git a/src/cfgparse.c b/src/cfgparse.c
index ef34760..7f218db 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4691,6 +4691,8 @@
}
}
+ cfgerr += acl_find_targets(curproxy);
+
if ((curproxy->mode == PR_MODE_TCP || curproxy->mode == PR_MODE_HTTP) &&
(((curproxy->cap & PR_CAP_FE) && !curproxy->timeout.client) ||
((curproxy->cap & PR_CAP_BE) && (curproxy->srv) &&
diff --git a/src/proto_http.c b/src/proto_http.c
index 59952a4..37af539 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -24,6 +24,7 @@
#include <sys/types.h>
#include <common/appsession.h>
+#include <common/base64.h>
#include <common/compat.h>
#include <common/config.h>
#include <common/debug.h>
@@ -39,6 +40,7 @@
#include <types/global.h>
#include <proto/acl.h>
+#include <proto/auth.h>
#include <proto/backend.h>
#include <proto/buffers.h>
#include <proto/checks.h>
@@ -1473,6 +1475,77 @@
return NULL;
}
+/*
+ * Returns the data from Authorization header. Function may be called more
+ * than once so data is stored in txn->auth_data. When no header is found
+ * or auth method is unknown auth_method is set to HTTP_AUTH_WRONG to avoid
+ * searching again for something we are unable to find anyway.
+ */
+
+char get_http_auth_buff[BUFSIZE];
+
+int
+get_http_auth(struct session *s)
+{
+
+ struct http_txn *txn = &s->txn;
+ struct chunk auth_method;
+ struct hdr_ctx ctx;
+ char *h, *p;
+ int len;
+
+#ifdef DEBUG_AUTH
+ printf("Auth for session %p: %d\n", s, txn->auth.method);
+#endif
+
+ if (txn->auth.method == HTTP_AUTH_WRONG)
+ return 0;
+
+ if (txn->auth.method)
+ return 1;
+
+ txn->auth.method = HTTP_AUTH_WRONG;
+
+ ctx.idx = 0;
+ if (!http_find_header("Authorization", txn->req.sol, &txn->hdr_idx, &ctx))
+ return 0;
+
+ h = ctx.line + ctx.val;
+
+ p = memchr(h, ' ', ctx.vlen);
+ if (!p || p == h)
+ return 0;
+
+ chunk_initlen(&auth_method, h, 0, p-h);
+ chunk_initlen(&txn->auth.method_data, p+1, 0, ctx.vlen-(p-h)-1);
+
+ if (!strncasecmp("Basic", auth_method.str, auth_method.len)) {
+
+ len = base64dec(txn->auth.method_data.str, txn->auth.method_data.len,
+ get_http_auth_buff, BUFSIZE - 1);
+
+ if (len < 0)
+ return 0;
+
+
+ get_http_auth_buff[len] = '\0';
+
+ p = strchr(get_http_auth_buff, ':');
+
+ if (!p)
+ return 0;
+
+ txn->auth.user = get_http_auth_buff;
+ *p = '\0';
+ txn->auth.pass = p+1;
+
+ txn->auth.method = HTTP_AUTH_BASIC;
+ return 1;
+ }
+
+ return 0;
+}
+
/*
* This function parses an HTTP message, either a request or a response,
@@ -6480,6 +6553,8 @@
txn->rsp.hdr_content_len = 0LL;
txn->req.msg_state = HTTP_MSG_RQBEFORE; /* at the very beginning of the request */
txn->rsp.msg_state = HTTP_MSG_RPBEFORE; /* at the very beginning of the response */
+
+ txn->auth.method = HTTP_AUTH_UNKNOWN;
chunk_reset(&txn->auth_hdr);
txn->req.err_pos = txn->rsp.err_pos = -2; /* block buggy requests/responses */
@@ -6506,6 +6581,7 @@
pool_free2(pool2_capture, txn->cli_cookie);
pool_free2(pool2_capture, txn->srv_cookie);
pool_free2(apools.sessid, txn->sessid);
+
txn->sessid = NULL;
txn->uri = NULL;
txn->srv_cookie = NULL;
@@ -7172,6 +7248,25 @@
return 1;
}
+static int
+acl_fetch_http_auth(struct proxy *px, struct session *s, void *l7, int dir,
+ struct acl_expr *expr, struct acl_test *test)
+{
+
+ if (!s)
+ return 0;
+
+ if (!get_http_auth(s))
+ return 0;
+
+ test->ctx.a[0] = expr->arg.ul;
+ test->ctx.a[1] = s->txn.auth.user;
+ test->ctx.a[2] = s->txn.auth.pass;
+
+ test->flags |= ACL_TEST_F_READ_ONLY | ACL_TEST_F_NULL_MATCH;
+
+ return 1;
+}
/************************************************************************/
/* All supported keywords must be declared here. */
@@ -7227,8 +7322,6 @@
{ "path_dir", acl_parse_str, acl_fetch_path, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "path_dom", acl_parse_str, acl_fetch_path, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
- { NULL, NULL, NULL, NULL },
-
#if 0
{ "line", acl_parse_str, acl_fetch_line, acl_match_str },
{ "line_reg", acl_parse_reg, acl_fetch_line, acl_match_reg },
@@ -7246,13 +7339,11 @@
{ "cook_dir", acl_parse_str, acl_fetch_cook, acl_match_dir },
{ "cook_dom", acl_parse_str, acl_fetch_cook, acl_match_dom },
{ "cook_pst", acl_parse_none, acl_fetch_cook, acl_match_pst },
+#endif
- { "auth_user", acl_parse_str, acl_fetch_user, acl_match_str },
- { "auth_regex", acl_parse_reg, acl_fetch_user, acl_match_reg },
- { "auth_clear", acl_parse_str, acl_fetch_auth, acl_match_str },
- { "auth_md5", acl_parse_str, acl_fetch_auth, acl_match_md5 },
+ { "http_auth", acl_parse_nothing, acl_fetch_http_auth, acl_match_auth },
+ { "http_auth_group", acl_parse_strcat, acl_fetch_http_auth, acl_match_auth },
{ NULL, NULL, NULL, NULL },
-#endif
}};
diff --git a/src/session.c b/src/session.c
index 36fe50d..cd521d9 100644
--- a/src/session.c
+++ b/src/session.c
@@ -830,6 +830,9 @@
//DPRINTF(stderr, "%s:%d: cs=%d ss=%d(%d) rqf=0x%08x rpf=0x%08x\n", __FUNCTION__, __LINE__,
// s->si[0].state, s->si[1].state, s->si[1].err_type, s->req->flags, s->rep->flags);
+ /* this data may be no longer valid, clear it */
+ memset(&s->txn.auth, 0, sizeof(s->txn.auth));
+
/* This flag must explicitly be set every time */
s->req->flags &= ~BF_READ_NOEXP;