blob: 646c0109eb8f07e336eae7368d3d8edc377762a2 [file] [log] [blame]
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +01001/*
2 * User authentication & authorization
3 *
4 * Copyright 2010 Krzysztof Piotr Oledzki <ole@ans.pl>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
Willy Tarreaue5733232019-05-22 19:24:06 +020013#ifdef USE_LIBCRYPT
Willy Tarreau890a33e2010-03-04 19:10:14 +010014/* This is to have crypt() defined on Linux */
15#define _GNU_SOURCE
16
Willy Tarreaue5733232019-05-22 19:24:06 +020017#ifdef USE_CRYPT_H
Willy Tarreau890a33e2010-03-04 19:10:14 +010018/* some platforms such as Solaris need this */
19#include <crypt.h>
20#endif
Willy Tarreaue5733232019-05-22 19:24:06 +020021#endif /* USE_LIBCRYPT */
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010022
23#include <stdio.h>
24#include <stdlib.h>
25#include <string.h>
26#include <unistd.h>
27
Willy Tarreauac13aea2020-06-04 10:36:03 +020028#include <haproxy/auth-t.h>
Willy Tarreau4c7e4b72020-05-27 12:58:42 +020029#include <haproxy/api.h>
Willy Tarreauf268ee82020-06-04 17:05:57 +020030#include <haproxy/global.h>
Willy Tarreau8d366972020-05-27 16:10:29 +020031#include <haproxy/errors.h>
Willy Tarreauaeed4a82020-06-04 22:01:04 +020032#include <haproxy/log.h>
Willy Tarreau225a90a2020-06-04 15:06:28 +020033#include <haproxy/pattern-t.h>
Willy Tarreau3f567e42020-05-28 15:29:19 +020034#include <haproxy/thread.h>
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010035
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010036struct userlist *userlist = NULL; /* list of all existing userlists */
37
Willy Tarreaue5733232019-05-22 19:24:06 +020038#ifdef USE_LIBCRYPT
Willy Tarreau943e7ec2018-10-29 19:16:27 +010039#ifdef HA_HAVE_CRYPT_R
40/* context for crypt_r() */
41static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
42#else
43/* lock for crypt() */
Willy Tarreauaf613e82020-06-05 08:40:51 +020044__decl_thread(static HA_SPINLOCK_T auth_lock);
Willy Tarreau34d4b522018-10-29 18:02:54 +010045#endif
Willy Tarreau943e7ec2018-10-29 19:16:27 +010046#endif
Willy Tarreau34d4b522018-10-29 18:02:54 +010047
David Carlier6c00eba2019-09-01 14:59:10 +010048/* find targets for selected groups. The function returns pointer to
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010049 * the userlist struct ot NULL if name is NULL/empty or unresolvable.
50 */
51
52struct userlist *
53auth_find_userlist(char *name)
54{
55 struct userlist *l;
56
57 if (!name || !*name)
58 return NULL;
59
60 for (l = userlist; l; l = l->next)
61 if (!strcmp(l->name, name))
62 return l;
63
64 return NULL;
65}
66
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010067int check_group(struct userlist *ul, char *name)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010068{
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010069 struct auth_groups *ag;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010070
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010071 for (ag = ul->groups; ag; ag = ag->next)
72 if (strcmp(name, ag->name) == 0)
73 return 1;
74 return 0;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010075}
76
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010077void
78userlist_free(struct userlist *ul)
79{
80 struct userlist *tul;
81 struct auth_users *au, *tau;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010082 struct auth_groups_list *agl, *tagl;
83 struct auth_groups *ag, *tag;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010084
85 while (ul) {
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010086 /* Free users. */
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010087 au = ul->users;
88 while (au) {
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010089 /* Free groups that own current user. */
90 agl = au->u.groups;
91 while (agl) {
92 tagl = agl;
93 agl = agl->next;
94 free(tagl);
95 }
96
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010097 tau = au;
98 au = au->next;
99 free(tau->user);
100 free(tau->pass);
101 free(tau);
102 }
103
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100104 /* Free grouplist. */
105 ag = ul->groups;
106 while (ag) {
107 tag = ag;
108 ag = ag->next;
109 free(tag->name);
110 free(tag);
111 }
112
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100113 tul = ul;
114 ul = ul->next;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100115 free(tul->name);
116 free(tul);
117 };
118}
119
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100120int userlist_postinit()
121{
122 struct userlist *curuserlist = NULL;
123
124 /* Resolve usernames and groupnames. */
125 for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
126 struct auth_groups *ag;
127 struct auth_users *curuser;
128 struct auth_groups_list *grl;
129
130 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
131 char *group = NULL;
132 struct auth_groups_list *groups = NULL;
133
134 if (!curuser->u.groups_names)
135 continue;
136
137 while ((group = strtok(group?NULL:curuser->u.groups_names, ","))) {
138 for (ag = curuserlist->groups; ag; ag = ag->next) {
139 if (!strcmp(ag->name, group))
140 break;
141 }
142
143 if (!ag) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100144 ha_alert("userlist '%s': no such group '%s' specified in user '%s'\n",
145 curuserlist->name, group, curuser->user);
Dirkjan Bussink07fcaaa2014-04-28 22:57:16 +0000146 free(groups);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100147 return ERR_ALERT | ERR_FATAL;
148 }
149
150 /* Add this group at the group userlist. */
151 grl = calloc(1, sizeof(*grl));
152 if (!grl) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100153 ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
154 curuserlist->name);
Dirkjan Bussink07fcaaa2014-04-28 22:57:16 +0000155 free(groups);
156 return ERR_ALERT | ERR_FATAL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100157 }
158
159 grl->group = ag;
160 grl->next = groups;
161 groups = grl;
162 }
163
164 free(curuser->u.groups);
165 curuser->u.groups = groups;
166 }
167
168 for (ag = curuserlist->groups; ag; ag = ag->next) {
169 char *user = NULL;
170
171 if (!ag->groupusers)
172 continue;
173
174 while ((user = strtok(user?NULL:ag->groupusers, ","))) {
175 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
176 if (!strcmp(curuser->user, user))
177 break;
178 }
179
180 if (!curuser) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100181 ha_alert("userlist '%s': no such user '%s' specified in group '%s'\n",
182 curuserlist->name, user, ag->name);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100183 return ERR_ALERT | ERR_FATAL;
184 }
185
186 /* Add this group at the group userlist. */
187 grl = calloc(1, sizeof(*grl));
188 if (!grl) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100189 ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
190 curuserlist->name);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100191 return ERR_ALERT | ERR_FATAL;
192 }
193
194 grl->group = ag;
195 grl->next = curuser->u.groups;
196 curuser->u.groups = grl;
197 }
198
199 free(ag->groupusers);
200 ag->groupusers = NULL;
201 }
202
203#ifdef DEBUG_AUTH
204 for (ag = curuserlist->groups; ag; ag = ag->next) {
205 struct auth_groups_list *agl;
206
207 fprintf(stderr, "group %s, id %p, users:", ag->name, ag);
208 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
209 for (agl = curuser->u.groups; agl; agl = agl->next) {
210 if (agl->group == ag)
211 fprintf(stderr, " %s", curuser->user);
212 }
213 }
214 fprintf(stderr, "\n");
215 }
216#endif
217 }
218
219 return ERR_NONE;
220}
221
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100222/*
223 * Authenticate and authorize user; return 1 if OK, 0 if case of error.
224 */
225int
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100226check_user(struct userlist *ul, const char *user, const char *pass)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100227{
228
229 struct auth_users *u;
CJ Ess6eac32e2015-05-02 16:35:24 -0400230#ifdef DEBUG_AUTH
231 struct auth_groups_list *agl;
232#endif
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100233 const char *ep;
234
235#ifdef DEBUG_AUTH
CJ Ess6eac32e2015-05-02 16:35:24 -0400236 fprintf(stderr, "req: userlist=%s, user=%s, pass=%s\n",
237 ul->name, user, pass);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100238#endif
239
240 for (u = ul->users; u; u = u->next)
241 if (!strcmp(user, u->user))
242 break;
243
244 if (!u)
245 return 0;
246
247#ifdef DEBUG_AUTH
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100248 fprintf(stderr, "cfg: user=%s, pass=%s, flags=%X, groups=",
249 u->user, u->pass, u->flags);
250 for (agl = u->u.groups; agl; agl = agl->next)
251 fprintf(stderr, " %s", agl->group->name);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100252#endif
253
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100254 if (!(u->flags & AU_O_INSECURE)) {
Willy Tarreaue5733232019-05-22 19:24:06 +0200255#ifdef USE_LIBCRYPT
Willy Tarreau943e7ec2018-10-29 19:16:27 +0100256#ifdef HA_HAVE_CRYPT_R
257 ep = crypt_r(pass, u->pass, &crypt_data);
258#else
Willy Tarreau34d4b522018-10-29 18:02:54 +0100259 HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100260 ep = crypt(pass, u->pass);
Willy Tarreau34d4b522018-10-29 18:02:54 +0100261 HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);
Willy Tarreau943e7ec2018-10-29 19:16:27 +0100262#endif
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100263#else
264 return 0;
265#endif
266 } else
267 ep = pass;
268
269#ifdef DEBUG_AUTH
270 fprintf(stderr, ", crypt=%s\n", ep);
271#endif
272
Cyril Bontéc82279c2014-08-29 20:20:01 +0200273 if (ep && strcmp(ep, u->pass) == 0)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100274 return 1;
275 else
276 return 0;
277}
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100278
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100279struct pattern *
280pat_match_auth(struct sample *smp, struct pattern_expr *expr, int fill)
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100281{
Willy Tarreau37406352012-04-23 16:16:37 +0200282 struct userlist *ul = smp->ctx.a[0];
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100283 struct pattern_list *lst;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100284 struct auth_users *u;
285 struct auth_groups_list *agl;
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100286 struct pattern *pattern;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100287
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100288 /* Check if the userlist is present in the context data. */
289 if (!ul)
Willy Tarreau86e0fc12014-04-29 19:52:16 +0200290 return NULL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100291
292 /* Browse the userlist for searching user. */
293 for (u = ul->users; u; u = u->next) {
Willy Tarreau843b7cb2018-07-13 10:54:26 +0200294 if (strcmp(smp->data.u.str.area, u->user) == 0)
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100295 break;
296 }
297 if (!u)
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100298 return NULL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100299
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100300 /* Browse each pattern. */
301 list_for_each_entry(lst, &expr->patterns, list) {
302 pattern = &lst->pat;
303
304 /* Browse each group for searching group name that match the pattern. */
305 for (agl = u->u.groups; agl; agl = agl->next) {
306 if (strcmp(agl->group->name, pattern->ptr.str) == 0)
307 return pattern;
308 }
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100309 }
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100310 return NULL;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100311}
Willy Tarreaue8692b42016-12-21 19:36:25 +0100312
Willy Tarreau80713382018-11-26 10:19:54 +0100313REGISTER_BUILD_OPTS("Encrypted password support via crypt(3): yes");