Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / e2d4ff4579634cbf952089ade8cd7e3883120e20 / . / src / auth.c
blob: 9a988a160e261eda51670a0fb09bac9f1b879e69 [file] [log] [blame]
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]1/*
2 * User authentication & authorization
3 *
4 * Copyright 2010 Krzysztof Piotr Oledzki <ole@ans.pl>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
Willy Tarreau890a33e2010-03-04 19:10:14 +0100[diff] [blame]13#ifdef CONFIG_HAP_CRYPT
14/* This is to have crypt() defined on Linux */
15#define _GNU_SOURCE
16
17#ifdef NEED_CRYPT_H
18/* some platforms such as Solaris need this */
19#include <crypt.h>
20#endif
21#endif /* CONFIG_HAP_CRYPT */
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]22
23#include <stdio.h>
24#include <stdlib.h>
25#include <string.h>
26#include <unistd.h>
27
28#include <common/config.h>
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]29#include <common/errors.h>
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]30
31#include <proto/acl.h>
32#include <proto/log.h>
33
34#include <types/auth.h>
Thierry FOURNIERa65b3432013-11-28 18:22:00 +0100[diff] [blame]35#include <types/pattern.h>
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]36
37struct userlist *userlist = NULL; /* list of all existing userlists */
38
39/* find targets for selected gropus. The function returns pointer to
40 * the userlist struct ot NULL if name is NULL/empty or unresolvable.
41 */
42
43struct userlist *
44auth_find_userlist(char *name)
45{
46 struct userlist *l;
47
48 if (!name || !*name)
49 return NULL;
50
51 for (l = userlist; l; l = l->next)
52 if (!strcmp(l->name, name))
53 return l;
54
55 return NULL;
56}
57
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]58int check_group(struct userlist *ul, char *name)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]59{
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]60 struct auth_groups *ag;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]61
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]62 for (ag = ul->groups; ag; ag = ag->next)
63 if (strcmp(name, ag->name) == 0)
64 return 1;
65 return 0;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]66}
67
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]68void
69userlist_free(struct userlist *ul)
70{
71 struct userlist *tul;
72 struct auth_users *au, *tau;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]73 struct auth_groups_list *agl, *tagl;
74 struct auth_groups *ag, *tag;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]75
76 while (ul) {
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]77 /* Free users. */
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]78 au = ul->users;
79 while (au) {
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]80 /* Free groups that own current user. */
81 agl = au->u.groups;
82 while (agl) {
83 tagl = agl;
84 agl = agl->next;
85 free(tagl);
86 }
87
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]88 tau = au;
89 au = au->next;
90 free(tau->user);
91 free(tau->pass);
92 free(tau);
93 }
94
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]95 /* Free grouplist. */
96 ag = ul->groups;
97 while (ag) {
98 tag = ag;
99 ag = ag->next;
100 free(tag->name);
101 free(tag);
102 }
103
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]104 tul = ul;
105 ul = ul->next;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]106 free(tul->name);
107 free(tul);
108 };
109}
110
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]111int userlist_postinit()
112{
113 struct userlist *curuserlist = NULL;
114
115 /* Resolve usernames and groupnames. */
116 for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
117 struct auth_groups *ag;
118 struct auth_users *curuser;
119 struct auth_groups_list *grl;
120
121 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
122 char *group = NULL;
123 struct auth_groups_list *groups = NULL;
124
125 if (!curuser->u.groups_names)
126 continue;
127
128 while ((group = strtok(group?NULL:curuser->u.groups_names, ","))) {
129 for (ag = curuserlist->groups; ag; ag = ag->next) {
130 if (!strcmp(ag->name, group))
131 break;
132 }
133
134 if (!ag) {
135 Alert("userlist '%s': no such group '%s' specified in user '%s'\n",
136 curuserlist->name, group, curuser->user);
Dirkjan Bussink07fcaaa2014-04-28 22:57:16 +0000[diff] [blame]137 free(groups);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]138 return ERR_ALERT | ERR_FATAL;
139 }
140
141 /* Add this group at the group userlist. */
142 grl = calloc(1, sizeof(*grl));
143 if (!grl) {
144 Alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
145 curuserlist->name);
Dirkjan Bussink07fcaaa2014-04-28 22:57:16 +0000[diff] [blame]146 free(groups);
147 return ERR_ALERT | ERR_FATAL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]148 }
149
150 grl->group = ag;
151 grl->next = groups;
152 groups = grl;
153 }
154
155 free(curuser->u.groups);
156 curuser->u.groups = groups;
157 }
158
159 for (ag = curuserlist->groups; ag; ag = ag->next) {
160 char *user = NULL;
161
162 if (!ag->groupusers)
163 continue;
164
165 while ((user = strtok(user?NULL:ag->groupusers, ","))) {
166 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
167 if (!strcmp(curuser->user, user))
168 break;
169 }
170
171 if (!curuser) {
172 Alert("userlist '%s': no such user '%s' specified in group '%s'\n",
173 curuserlist->name, user, ag->name);
174 return ERR_ALERT | ERR_FATAL;
175 }
176
177 /* Add this group at the group userlist. */
178 grl = calloc(1, sizeof(*grl));
179 if (!grl) {
180 Alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
181 curuserlist->name);
182 return ERR_ALERT | ERR_FATAL;
183 }
184
185 grl->group = ag;
186 grl->next = curuser->u.groups;
187 curuser->u.groups = grl;
188 }
189
190 free(ag->groupusers);
191 ag->groupusers = NULL;
192 }
193
194#ifdef DEBUG_AUTH
195 for (ag = curuserlist->groups; ag; ag = ag->next) {
196 struct auth_groups_list *agl;
197
198 fprintf(stderr, "group %s, id %p, users:", ag->name, ag);
199 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
200 for (agl = curuser->u.groups; agl; agl = agl->next) {
201 if (agl->group == ag)
202 fprintf(stderr, " %s", curuser->user);
203 }
204 }
205 fprintf(stderr, "\n");
206 }
207#endif
208 }
209
210 return ERR_NONE;
211}
212
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]213/*
214 * Authenticate and authorize user; return 1 if OK, 0 if case of error.
215 */
216int
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]217check_user(struct userlist *ul, const char *user, const char *pass)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]218{
219
220 struct auth_users *u;
CJ Ess6eac32e2015-05-02 16:35:24 -0400[diff] [blame]221#ifdef DEBUG_AUTH
222 struct auth_groups_list *agl;
223#endif
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]224 const char *ep;
225
226#ifdef DEBUG_AUTH
CJ Ess6eac32e2015-05-02 16:35:24 -0400[diff] [blame]227 fprintf(stderr, "req: userlist=%s, user=%s, pass=%s\n",
228 ul->name, user, pass);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]229#endif
230
231 for (u = ul->users; u; u = u->next)
232 if (!strcmp(user, u->user))
233 break;
234
235 if (!u)
236 return 0;
237
238#ifdef DEBUG_AUTH
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]239 fprintf(stderr, "cfg: user=%s, pass=%s, flags=%X, groups=",
240 u->user, u->pass, u->flags);
241 for (agl = u->u.groups; agl; agl = agl->next)
242 fprintf(stderr, " %s", agl->group->name);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]243#endif
244
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]245 if (!(u->flags & AU_O_INSECURE)) {
246#ifdef CONFIG_HAP_CRYPT
247 ep = crypt(pass, u->pass);
248#else
249 return 0;
250#endif
251 } else
252 ep = pass;
253
254#ifdef DEBUG_AUTH
255 fprintf(stderr, ", crypt=%s\n", ep);
256#endif
257
Cyril Bontéc82279c2014-08-29 20:20:01 +0200[diff] [blame]258 if (ep && strcmp(ep, u->pass) == 0)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100[diff] [blame]259 return 1;
260 else
261 return 0;
262}
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]263
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]264struct pattern *
265pat_match_auth(struct sample *smp, struct pattern_expr *expr, int fill)
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]266{
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]267 struct userlist *ul = smp->ctx.a[0];
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]268 struct pattern_list *lst;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]269 struct auth_users *u;
270 struct auth_groups_list *agl;
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]271 struct pattern *pattern;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]272
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]273 /* Check if the userlist is present in the context data. */
274 if (!ul)
Willy Tarreau86e0fc12014-04-29 19:52:16 +0200[diff] [blame]275 return NULL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]276
277 /* Browse the userlist for searching user. */
278 for (u = ul->users; u; u = u->next) {
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200[diff] [blame]279 if (strcmp(smp->data.u.str.str, u->user) == 0)
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]280 break;
281 }
282 if (!u)
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]283 return NULL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]284
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]285 /* Browse each pattern. */
286 list_for_each_entry(lst, &expr->patterns, list) {
287 pattern = &lst->pat;
288
289 /* Browse each group for searching group name that match the pattern. */
290 for (agl = u->u.groups; agl; agl = agl->next) {
291 if (strcmp(agl->group->name, pattern->ptr.str) == 0)
292 return pattern;
293 }
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100[diff] [blame]294 }
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100[diff] [blame]295 return NULL;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]296}