Krzysztof Piotr Oledzki | 9610504 | 2010-01-29 17:50:44 +0100 | [diff] [blame] | 1 | /* |
| 2 | * User authentication & authorization |
| 3 | * |
| 4 | * Copyright 2010 Krzysztof Piotr Oledzki <ole@ans.pl> |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public License |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | */ |
| 12 | |
Willy Tarreau | 890a33e | 2010-03-04 19:10:14 +0100 | [diff] [blame] | 13 | #ifdef CONFIG_HAP_CRYPT |
| 14 | /* This is to have crypt() defined on Linux */ |
| 15 | #define _GNU_SOURCE |
| 16 | |
| 17 | #ifdef NEED_CRYPT_H |
| 18 | /* some platforms such as Solaris need this */ |
| 19 | #include <crypt.h> |
| 20 | #endif |
| 21 | #endif /* CONFIG_HAP_CRYPT */ |
Krzysztof Piotr Oledzki | 9610504 | 2010-01-29 17:50:44 +0100 | [diff] [blame] | 22 | |
| 23 | #include <stdio.h> |
| 24 | #include <stdlib.h> |
| 25 | #include <string.h> |
| 26 | #include <unistd.h> |
| 27 | |
| 28 | #include <common/config.h> |
| 29 | |
| 30 | #include <proto/acl.h> |
| 31 | #include <proto/log.h> |
| 32 | |
| 33 | #include <types/auth.h> |
| 34 | |
| 35 | struct userlist *userlist = NULL; /* list of all existing userlists */ |
| 36 | |
| 37 | /* find targets for selected gropus. The function returns pointer to |
| 38 | * the userlist struct ot NULL if name is NULL/empty or unresolvable. |
| 39 | */ |
| 40 | |
| 41 | struct userlist * |
| 42 | auth_find_userlist(char *name) |
| 43 | { |
| 44 | struct userlist *l; |
| 45 | |
| 46 | if (!name || !*name) |
| 47 | return NULL; |
| 48 | |
| 49 | for (l = userlist; l; l = l->next) |
| 50 | if (!strcmp(l->name, name)) |
| 51 | return l; |
| 52 | |
| 53 | return NULL; |
| 54 | } |
| 55 | |
| 56 | /* find group_mask for selected gropus. The function returns 1 if OK or nothing to do, |
| 57 | * 0 if case of unresolved groupname. |
| 58 | * WARING: the function destroys the list (strtok), so it can only be used once. |
| 59 | */ |
| 60 | |
| 61 | unsigned int |
| 62 | auth_resolve_groups(struct userlist *l, char *groups) |
| 63 | { |
| 64 | |
| 65 | char *group = NULL; |
| 66 | unsigned int g, group_mask = 0; |
| 67 | |
| 68 | if (!groups || !*groups) |
| 69 | return 0; |
| 70 | |
| 71 | while ((group = strtok(group?NULL:groups," "))) { |
| 72 | for (g = 0; g < l->grpcnt; g++) |
| 73 | if (!strcmp(l->groups[g], group)) |
| 74 | break; |
| 75 | |
| 76 | if (g == l->grpcnt) { |
| 77 | Alert("No such group '%s' in userlist '%s'.\n", |
| 78 | group, l->name); |
| 79 | return 0; |
| 80 | } |
| 81 | |
| 82 | group_mask |= (1 << g); |
| 83 | } |
| 84 | |
| 85 | return group_mask; |
| 86 | } |
| 87 | |
Krzysztof Piotr Oledzki | 9610504 | 2010-01-29 17:50:44 +0100 | [diff] [blame] | 88 | void |
| 89 | userlist_free(struct userlist *ul) |
| 90 | { |
| 91 | struct userlist *tul; |
| 92 | struct auth_users *au, *tau; |
| 93 | int i; |
| 94 | |
| 95 | while (ul) { |
| 96 | au = ul->users; |
| 97 | while (au) { |
| 98 | tau = au; |
| 99 | au = au->next; |
| 100 | free(tau->user); |
| 101 | free(tau->pass); |
| 102 | free(tau); |
| 103 | } |
| 104 | |
| 105 | tul = ul; |
| 106 | ul = ul->next; |
| 107 | |
| 108 | for (i = 0; i < tul->grpcnt; i++) |
| 109 | free(tul->groups[i]); |
| 110 | |
| 111 | free(tul->name); |
| 112 | free(tul); |
| 113 | }; |
| 114 | } |
| 115 | |
Krzysztof Piotr Oledzki | 9610504 | 2010-01-29 17:50:44 +0100 | [diff] [blame] | 116 | /* |
| 117 | * Authenticate and authorize user; return 1 if OK, 0 if case of error. |
| 118 | */ |
| 119 | int |
| 120 | check_user(struct userlist *ul, unsigned int group_mask, const char *user, const char *pass) |
| 121 | { |
| 122 | |
| 123 | struct auth_users *u; |
| 124 | const char *ep; |
| 125 | |
| 126 | #ifdef DEBUG_AUTH |
| 127 | fprintf(stderr, "req: userlist=%s, user=%s, pass=%s, group_mask=%u\n", |
| 128 | ul->name, user, pass, group_mask); |
| 129 | #endif |
| 130 | |
| 131 | for (u = ul->users; u; u = u->next) |
| 132 | if (!strcmp(user, u->user)) |
| 133 | break; |
| 134 | |
| 135 | if (!u) |
| 136 | return 0; |
| 137 | |
| 138 | #ifdef DEBUG_AUTH |
| 139 | fprintf(stderr, "cfg: user=%s, pass=%s, group_mask=%u, flags=%X", |
| 140 | u->user, u->pass, u->group_mask, u->flags); |
| 141 | #endif |
| 142 | |
| 143 | /* |
| 144 | * if user matches but group does not, |
| 145 | * it makes no sens to check passwords |
| 146 | */ |
Willy Tarreau | b4c06b7 | 2010-02-02 11:28:20 +0100 | [diff] [blame] | 147 | if (group_mask && !(group_mask & u->u.group_mask)) |
Krzysztof Piotr Oledzki | 9610504 | 2010-01-29 17:50:44 +0100 | [diff] [blame] | 148 | return 0; |
| 149 | |
| 150 | if (!(u->flags & AU_O_INSECURE)) { |
| 151 | #ifdef CONFIG_HAP_CRYPT |
| 152 | ep = crypt(pass, u->pass); |
| 153 | #else |
| 154 | return 0; |
| 155 | #endif |
| 156 | } else |
| 157 | ep = pass; |
| 158 | |
| 159 | #ifdef DEBUG_AUTH |
| 160 | fprintf(stderr, ", crypt=%s\n", ep); |
| 161 | #endif |
| 162 | |
| 163 | if (!strcmp(ep, u->pass)) |
| 164 | return 1; |
| 165 | else |
| 166 | return 0; |
| 167 | } |
Krzysztof Piotr Oledzki | f9423ae | 2010-01-29 19:26:18 +0100 | [diff] [blame] | 168 | |
| 169 | int |
Willy Tarreau | 3740635 | 2012-04-23 16:16:37 +0200 | [diff] [blame] | 170 | acl_match_auth(struct sample *smp, struct acl_pattern *pattern) |
Krzysztof Piotr Oledzki | f9423ae | 2010-01-29 19:26:18 +0100 | [diff] [blame] | 171 | { |
| 172 | |
Willy Tarreau | 3740635 | 2012-04-23 16:16:37 +0200 | [diff] [blame] | 173 | struct userlist *ul = smp->ctx.a[0]; |
| 174 | char *user = smp->ctx.a[1]; |
| 175 | char *pass = smp->ctx.a[2]; |
Willy Tarreau | 8f7406e | 2012-04-20 18:16:26 +0200 | [diff] [blame] | 176 | unsigned int group_mask = pattern->val.group_mask; |
Krzysztof Piotr Oledzki | f9423ae | 2010-01-29 19:26:18 +0100 | [diff] [blame] | 177 | |
| 178 | if (check_user(ul, group_mask, user, pass)) |
| 179 | return ACL_PAT_PASS; |
| 180 | else |
| 181 | return ACL_PAT_FAIL; |
| 182 | } |