Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 86512dd152587ccde44349a496076e35ad20d608 / . / src / auth.c
blob: a88e6b2d5ca9c688fb72681383aa6e0edee7ad42 [file] [log] [blame]
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]1/*
2 * User authentication & authorization
3 *
4 * Copyright 2010 Krzysztof Piotr Oledzki <ole@ans.pl>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
Willy Tarreaue5733232019-05-22 19:24:06 +0200[diff] [blame]13#ifdef USE_LIBCRYPT
Willy Tarreau890a33e2010-03-04 19:10:14 +0100[diff] [blame]14/* This is to have crypt() defined on Linux */
15#define _GNU_SOURCE
16
Willy Tarreaue5733232019-05-22 19:24:06 +0200[diff] [blame]17#ifdef USE_CRYPT_H
Willy Tarreau890a33e2010-03-04 19:10:14 +0100[diff] [blame]18/* some platforms such as Solaris need this */
19#include <crypt.h>
20#endif
Willy Tarreaue5733232019-05-22 19:24:06 +0200[diff] [blame]21#endif /* USE_LIBCRYPT */
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]22
23#include <stdio.h>
24#include <stdlib.h>
25#include <string.h>
26#include <unistd.h>
27
Willy Tarreau4c7e4b72020-05-27 12:58:42 +0200[diff] [blame]28#include <haproxy/api.h>
Willy Tarreaub2551052020-06-09 09:07:15 +0200[diff] [blame]29#include <haproxy/auth-t.h>
Willy Tarreau8d366972020-05-27 16:10:29 +0200[diff] [blame]30#include <haproxy/errors.h>
Willy Tarreaub2551052020-06-09 09:07:15 +0200[diff] [blame]31#include <haproxy/global.h>
Willy Tarreau225a90a2020-06-04 15:06:28 +0200[diff] [blame]32#include <haproxy/pattern-t.h>
Willy Tarreau36979d92020-06-05 17:27:29 +0200[diff] [blame]33#include <haproxy/sample-t.h>
Willy Tarreau3f567e42020-05-28 15:29:19 +0200[diff] [blame]34#include <haproxy/thread.h>
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]35
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]36struct userlist *userlist = NULL; /* list of all existing userlists */
37
Willy Tarreaue5733232019-05-22 19:24:06 +0200[diff] [blame]38#ifdef USE_LIBCRYPT
Victor Kislovec002512020-08-06 19:21:39 +0300[diff] [blame]39#define CRYPT_STATE_MSG "yes"
Willy Tarreau943e7ec2018-10-29 19:16:27 +0100[diff] [blame]40#ifdef HA_HAVE_CRYPT_R
41/* context for crypt_r() */
42static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
43#else
44/* lock for crypt() */
Willy Tarreauaf613e82020-06-05 08:40:51 +0200[diff] [blame]45__decl_thread(static HA_SPINLOCK_T auth_lock);
Willy Tarreau34d4b522018-10-29 18:02:54 +0100[diff] [blame]46#endif
Victor Kislovec002512020-08-06 19:21:39 +0300[diff] [blame]47#else /* USE_LIBCRYPT */
48#define CRYPT_STATE_MSG "no"
Willy Tarreau943e7ec2018-10-29 19:16:27 +0100[diff] [blame]49#endif
Willy Tarreau34d4b522018-10-29 18:02:54 +0100[diff] [blame]50
David Carlier6c00eba2019-09-01 14:59:10 +0100[diff] [blame]51/* find targets for selected groups. The function returns pointer to
Ilya Shipitsinb8888ab2021-01-06 21:20:16 +0500[diff] [blame]52 * the userlist struct or NULL if name is NULL/empty or unresolvable.
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]53 */
54
55struct userlist *
56auth_find_userlist(char *name)
57{
58 struct userlist *l;
59
60 if (!name || !*name)
61 return NULL;
62
63 for (l = userlist; l; l = l->next)
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100[diff] [blame]64 if (strcmp(l->name, name) == 0)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]65 return l;
66
67 return NULL;
68}
69
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]70int check_group(struct userlist *ul, char *name)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]71{
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]72 struct auth_groups *ag;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]73
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]74 for (ag = ul->groups; ag; ag = ag->next)
75 if (strcmp(name, ag->name) == 0)
76 return 1;
77 return 0;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]78}
79
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]80void
81userlist_free(struct userlist *ul)
82{
83 struct userlist *tul;
84 struct auth_users *au, *tau;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]85 struct auth_groups_list *agl, *tagl;
86 struct auth_groups *ag, *tag;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]87
88 while (ul) {
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]89 /* Free users. */
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]90 au = ul->users;
91 while (au) {
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]92 /* Free groups that own current user. */
93 agl = au->u.groups;
94 while (agl) {
95 tagl = agl;
96 agl = agl->next;
97 free(tagl);
98 }
99
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]100 tau = au;
101 au = au->next;
102 free(tau->user);
103 free(tau->pass);
104 free(tau);
105 }
106
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]107 /* Free grouplist. */
108 ag = ul->groups;
109 while (ag) {
110 tag = ag;
111 ag = ag->next;
112 free(tag->name);
113 free(tag);
114 }
115
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]116 tul = ul;
117 ul = ul->next;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]118 free(tul->name);
119 free(tul);
120 };
121}
122
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]123int userlist_postinit()
124{
125 struct userlist *curuserlist = NULL;
126
127 /* Resolve usernames and groupnames. */
128 for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
129 struct auth_groups *ag;
130 struct auth_users *curuser;
131 struct auth_groups_list *grl;
132
133 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
134 char *group = NULL;
135 struct auth_groups_list *groups = NULL;
136
137 if (!curuser->u.groups_names)
138 continue;
139
140 while ((group = strtok(group?NULL:curuser->u.groups_names, ","))) {
141 for (ag = curuserlist->groups; ag; ag = ag->next) {
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100[diff] [blame]142 if (strcmp(ag->name, group) == 0)
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]143 break;
144 }
145
146 if (!ag) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100[diff] [blame]147 ha_alert("userlist '%s': no such group '%s' specified in user '%s'\n",
148 curuserlist->name, group, curuser->user);
Dirkjan Bussink07fcaaa2014-04-28 22:57:16 +0000[diff] [blame]149 free(groups);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]150 return ERR_ALERT | ERR_FATAL;
151 }
152
153 /* Add this group at the group userlist. */
154 grl = calloc(1, sizeof(*grl));
155 if (!grl) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100[diff] [blame]156 ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
157 curuserlist->name);
Dirkjan Bussink07fcaaa2014-04-28 22:57:16 +0000[diff] [blame]158 free(groups);
159 return ERR_ALERT | ERR_FATAL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]160 }
161
162 grl->group = ag;
163 grl->next = groups;
164 groups = grl;
165 }
166
167 free(curuser->u.groups);
168 curuser->u.groups = groups;
169 }
170
171 for (ag = curuserlist->groups; ag; ag = ag->next) {
172 char *user = NULL;
173
174 if (!ag->groupusers)
175 continue;
176
177 while ((user = strtok(user?NULL:ag->groupusers, ","))) {
178 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100[diff] [blame]179 if (strcmp(curuser->user, user) == 0)
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]180 break;
181 }
182
183 if (!curuser) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100[diff] [blame]184 ha_alert("userlist '%s': no such user '%s' specified in group '%s'\n",
185 curuserlist->name, user, ag->name);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]186 return ERR_ALERT | ERR_FATAL;
187 }
188
189 /* Add this group at the group userlist. */
190 grl = calloc(1, sizeof(*grl));
191 if (!grl) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100[diff] [blame]192 ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
193 curuserlist->name);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]194 return ERR_ALERT | ERR_FATAL;
195 }
196
197 grl->group = ag;
198 grl->next = curuser->u.groups;
199 curuser->u.groups = grl;
200 }
201
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100[diff] [blame]202 ha_free(&ag->groupusers);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]203 }
204
205#ifdef DEBUG_AUTH
206 for (ag = curuserlist->groups; ag; ag = ag->next) {
207 struct auth_groups_list *agl;
208
209 fprintf(stderr, "group %s, id %p, users:", ag->name, ag);
210 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
211 for (agl = curuser->u.groups; agl; agl = agl->next) {
212 if (agl->group == ag)
213 fprintf(stderr, " %s", curuser->user);
214 }
215 }
216 fprintf(stderr, "\n");
217 }
218#endif
219 }
220
221 return ERR_NONE;
222}
223
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]224/*
225 * Authenticate and authorize user; return 1 if OK, 0 if case of error.
226 */
227int
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]228check_user(struct userlist *ul, const char *user, const char *pass)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]229{
230
231 struct auth_users *u;
CJ Ess6eac32e2015-05-02 16:35:24 -0400[diff] [blame]232#ifdef DEBUG_AUTH
233 struct auth_groups_list *agl;
234#endif
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]235 const char *ep;
236
237#ifdef DEBUG_AUTH
CJ Ess6eac32e2015-05-02 16:35:24 -0400[diff] [blame]238 fprintf(stderr, "req: userlist=%s, user=%s, pass=%s\n",
239 ul->name, user, pass);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]240#endif
241
242 for (u = ul->users; u; u = u->next)
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100[diff] [blame]243 if (strcmp(user, u->user) == 0)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]244 break;
245
246 if (!u)
247 return 0;
248
249#ifdef DEBUG_AUTH
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]250 fprintf(stderr, "cfg: user=%s, pass=%s, flags=%X, groups=",
251 u->user, u->pass, u->flags);
252 for (agl = u->u.groups; agl; agl = agl->next)
253 fprintf(stderr, " %s", agl->group->name);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]254#endif
255
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]256 if (!(u->flags & AU_O_INSECURE)) {
Willy Tarreaue5733232019-05-22 19:24:06 +0200[diff] [blame]257#ifdef USE_LIBCRYPT
Willy Tarreau943e7ec2018-10-29 19:16:27 +0100[diff] [blame]258#ifdef HA_HAVE_CRYPT_R
259 ep = crypt_r(pass, u->pass, &crypt_data);
260#else
Willy Tarreau34d4b522018-10-29 18:02:54 +0100[diff] [blame]261 HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]262 ep = crypt(pass, u->pass);
Willy Tarreau34d4b522018-10-29 18:02:54 +0100[diff] [blame]263 HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);
Willy Tarreau943e7ec2018-10-29 19:16:27 +0100[diff] [blame]264#endif
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]265#else
266 return 0;
267#endif
268 } else
269 ep = pass;
270
271#ifdef DEBUG_AUTH
272 fprintf(stderr, ", crypt=%s\n", ep);
273#endif
274
Cyril Bontéc82279c2014-08-29 20:20:01 +0200[diff] [blame]275 if (ep && strcmp(ep, u->pass) == 0)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]276 return 1;
277 else
278 return 0;
279}
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]280
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]281struct pattern *
282pat_match_auth(struct sample *smp, struct pattern_expr *expr, int fill)
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]283{
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]284 struct userlist *ul = smp->ctx.a[0];
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]285 struct pattern_list *lst;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]286 struct auth_users *u;
287 struct auth_groups_list *agl;
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]288 struct pattern *pattern;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]289
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]290 /* Check if the userlist is present in the context data. */
291 if (!ul)
Willy Tarreau86e0fc12014-04-29 19:52:16 +0200[diff] [blame]292 return NULL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]293
294 /* Browse the userlist for searching user. */
295 for (u = ul->users; u; u = u->next) {
Willy Tarreau843b7cb2018-07-13 10:54:26 +0200[diff] [blame]296 if (strcmp(smp->data.u.str.area, u->user) == 0)
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]297 break;
298 }
299 if (!u)
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]300 return NULL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]301
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]302 /* Browse each pattern. */
303 list_for_each_entry(lst, &expr->patterns, list) {
304 pattern = &lst->pat;
305
306 /* Browse each group for searching group name that match the pattern. */
307 for (agl = u->u.groups; agl; agl = agl->next) {
308 if (strcmp(agl->group->name, pattern->ptr.str) == 0)
309 return pattern;
310 }
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]311 }
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]312 return NULL;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]313}
Willy Tarreaue8692b42016-12-21 19:36:25 +0100[diff] [blame]314
Victor Kislovec002512020-08-06 19:21:39 +0300[diff] [blame]315REGISTER_BUILD_OPTS("Encrypted password support via crypt(3): "CRYPT_STATE_MSG);