diff options
author | MCApollo <34170230+MCApollo@users.noreply.github.com> | 2019-04-29 17:53:00 +0000 |
---|---|---|
committer | MCApollo <34170230+MCApollo@users.noreply.github.com> | 2019-04-29 17:53:00 +0000 |
commit | 59f5fd20e2f59ae186d5a461aef7782dd55e4e7b (patch) | |
tree | 10475faf0b6dcb812b64da679f4ae8ff01c45874 /data/lighttpd/lighttpd-1.4.53/src/mod_authn_sasl.c | |
parent | f06e297cd175cca39745f6d1970225ae88aa68f1 (diff) |
Updated lighttpd.
Diffstat (limited to 'data/lighttpd/lighttpd-1.4.53/src/mod_authn_sasl.c')
-rw-r--r-- | data/lighttpd/lighttpd-1.4.53/src/mod_authn_sasl.c | 284 |
1 files changed, 284 insertions, 0 deletions
diff --git a/data/lighttpd/lighttpd-1.4.53/src/mod_authn_sasl.c b/data/lighttpd/lighttpd-1.4.53/src/mod_authn_sasl.c new file mode 100644 index 000000000..d4c46e3a9 --- /dev/null +++ b/data/lighttpd/lighttpd-1.4.53/src/mod_authn_sasl.c @@ -0,0 +1,284 @@ +#include "first.h" + +/* mod_authn_sasl + * + * FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS: + * - database response is not cached + * TODO: db response caching (for limited time) to reduce load on db + * (only cache successful logins to prevent cache bloat?) + * (or limit number of entries (size) of cache) + * (maybe have negative cache (limited size) of names not found in database) + * - database query is synchronous and blocks waiting for response + */ + +#include <sasl/sasl.h> + +#include "base.h" +#include "http_auth.h" +#include "log.h" +#include "plugin.h" + +#include <sys/utsname.h> +#include <errno.h> +#include <stdlib.h> +#include <string.h> + +typedef struct { + array *opts; + const char *service; + const char *fqdn; + const buffer *pwcheck_method; + const buffer *sasldb_path; +} plugin_config; + +typedef struct { + PLUGIN_DATA; + plugin_config **config_storage; + plugin_config conf; + buffer *fqdn; + int initonce; +} plugin_data; + +static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw); + +INIT_FUNC(mod_authn_sasl_init) { + static http_auth_backend_t http_auth_backend_sasl = + { "sasl", mod_authn_sasl_basic, NULL, NULL }; + plugin_data *p = calloc(1, sizeof(*p)); + + /* register http_auth_backend_sasl */ + http_auth_backend_sasl.p_d = p; + http_auth_backend_set(&http_auth_backend_sasl); + + return p; +} + +FREE_FUNC(mod_authn_sasl_free) { + plugin_data *p = p_d; + if (!p) return HANDLER_GO_ON; + + if (p->initonce) sasl_done(); + + if (p->config_storage) { + for (size_t i = 0; i < srv->config_context->used; ++i) { + plugin_config *s = p->config_storage[i]; + if (NULL == s) continue; + array_free(s->opts); + free(s); + } + free(p->config_storage); + } + buffer_free(p->fqdn); + free(p); + UNUSED(srv); + return HANDLER_GO_ON; +} + +SETDEFAULTS_FUNC(mod_authn_sasl_set_defaults) { + plugin_data *p = p_d; + size_t i; + config_values_t cv[] = { + { "auth.backend.sasl.opts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, + { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } + }; + + p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *)); + + for (i = 0; i < srv->config_context->used; i++) { + data_config const *config = (data_config const*)srv->config_context->data[i]; + data_string *ds; + plugin_config *s = calloc(1, sizeof(plugin_config)); + s->opts = array_init(); + + cv[0].destination = s->opts; + + p->config_storage[i] = s; + + if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) { + return HANDLER_ERROR; + } + + if (0 == s->opts->used) continue; + + ds = (data_string *) + array_get_element_klen(s->opts, CONST_STR_LEN("service")); + s->service = (NULL != ds) ? ds->value->ptr : "http"; + + ds = (data_string *) + array_get_element_klen(s->opts, CONST_STR_LEN("fqdn")); + if (NULL != ds) s->fqdn = ds->value->ptr; + if (NULL == s->fqdn) { + if (NULL == p->fqdn) { + struct utsname uts; + if (0 != uname(&uts)) { + log_error_write(srv, __FILE__, __LINE__, "ss", + "uname():", strerror(errno)); + return HANDLER_ERROR; + } + p->fqdn = buffer_init_string(uts.nodename); + } + s->fqdn = p->fqdn->ptr; + } + + ds = (data_string *) + array_get_element_klen(s->opts, CONST_STR_LEN("pwcheck_method")); + if (NULL != ds) { + s->pwcheck_method = ds->value; + if (!buffer_is_equal_string(ds->value, CONST_STR_LEN("saslauthd")) + && !buffer_is_equal_string(ds->value, CONST_STR_LEN("auxprop")) + && !buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))){ + log_error_write(srv, __FILE__, __LINE__, "sb", + "sasl pwcheck_method must be one of saslauthd, " + "sasldb, or auxprop, not:", ds->value); + return HANDLER_ERROR; + } + if (buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))) { + /* Cyrus libsasl2 expects "auxprop" instead of "sasldb" + * (mod_authn_sasl_cb_getopt auxprop_plugin returns "sasldb") */ + buffer_copy_string_len(ds->value, CONST_STR_LEN("auxprop")); + } + } + + ds = (data_string *) + array_get_element_klen(s->opts, CONST_STR_LEN("sasldb_path")); + if (NULL != ds) s->sasldb_path = ds->value; + } + + return HANDLER_GO_ON; +} + +#define PATCH(x) \ + p->conf.x = s->x; +static int mod_authn_sasl_patch_connection(server *srv, connection *con, plugin_data *p) { + plugin_config *s = p->config_storage[0]; + PATCH(service); + PATCH(fqdn); + PATCH(pwcheck_method); + PATCH(sasldb_path); + + /* skip the first, the global context */ + for (size_t i = 1; i < srv->config_context->used; ++i) { + data_config *dc = (data_config *)srv->config_context->data[i]; + + /* condition didn't match */ + if (!config_check_cond(srv, con, dc)) continue; + + /* merge config */ + s = p->config_storage[i]; + for (size_t j = 0; j < dc->value->used; ++j) { + data_unset *du = dc->value->data[j]; + if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.sasl.opts"))) { + PATCH(service); + PATCH(fqdn); + PATCH(pwcheck_method); + PATCH(sasldb_path); + } + } + } + + return 0; +} +#undef PATCH + +static int mod_authn_sasl_cb_getopt(void *p_d, const char *plugin_name, const char *opt, const char **res, unsigned *len) { + plugin_data *p = (plugin_data *)p_d; + size_t sz; + + if (0 == strcmp(opt, "pwcheck_method")) { + if (!buffer_string_is_empty(p->conf.pwcheck_method)) { + *res = p->conf.pwcheck_method->ptr; + sz = buffer_string_length(p->conf.pwcheck_method); + } + else { /* default */ + *res = "saslauthd"; + sz = sizeof("saslauthd")-1; + } + } + else if (0 == strcmp(opt, "sasldb_path") + && !buffer_string_is_empty(p->conf.sasldb_path)) { + *res = p->conf.sasldb_path->ptr; + sz = buffer_string_length(p->conf.sasldb_path); + } + else if (0 == strcmp(opt, "auxprop_plugin")) { + *res = "sasldb"; + sz = sizeof("sasldb")-1; + } + else { + UNUSED(plugin_name); + return SASL_FAIL; + } + + if (len) *len = (unsigned int)sz; + return SASL_OK; +} + +static int mod_authn_sasl_cb_log(void *vsrv, int level, const char *message) { + switch (level) { + #if 0 + case SASL_LOG_NONE: + case SASL_LOG_NOTE: + case SASL_LOG_DEBUG: + case SASL_LOG_TRACE: + case SASL_LOG_PASS: + #endif + default: + break; + case SASL_LOG_ERR: + case SASL_LOG_FAIL: + case SASL_LOG_WARN: /* (might omit SASL_LOG_WARN if too noisy in logs) */ + log_error_write((server *)vsrv, __FILE__, __LINE__, "s", message); + break; + } + return SASL_OK; +} + +static handler_t mod_authn_sasl_query(server *srv, connection *con, void *p_d, const buffer *username, const char *realm, const char *pw) { + plugin_data *p = (plugin_data *)p_d; + sasl_conn_t *sc; + sasl_callback_t const cb[] = { + { SASL_CB_GETOPT, (int(*)())mod_authn_sasl_cb_getopt, (void *) p }, + { SASL_CB_LOG, (int(*)())mod_authn_sasl_cb_log, (void *) srv }, + { SASL_CB_LIST_END, NULL, NULL } + }; + int rc; + + mod_authn_sasl_patch_connection(srv, con, p); + + if (!p->initonce) { + /* must be done once, but after fork() if multiple lighttpd workers */ + rc = sasl_server_init(cb, NULL); + if (SASL_OK != rc) return HANDLER_ERROR; + p->initonce = 1; + } + + rc = sasl_server_new(p->conf.service, p->conf.fqdn, + realm, NULL, NULL, cb, 0, &sc); + if (SASL_OK == rc) { + rc = sasl_checkpass(sc, CONST_BUF_LEN(username), pw, strlen(pw)); + sasl_dispose(&sc); + } + + return (SASL_OK == rc) ? HANDLER_GO_ON : HANDLER_ERROR; +} + +static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw) { + char *realm = require->realm->ptr; + handler_t rc = mod_authn_sasl_query(srv, con, p_d, username, realm, pw); + if (HANDLER_GO_ON != rc) return rc; + return http_auth_match_rules(require, username->ptr, NULL, NULL) + ? HANDLER_GO_ON /* access granted */ + : HANDLER_ERROR; +} + +int mod_authn_sasl_plugin_init(plugin *p); +int mod_authn_sasl_plugin_init(plugin *p) { + p->version = LIGHTTPD_VERSION_ID; + p->name = buffer_init_string("authn_sasl"); + p->init = mod_authn_sasl_init; + p->set_defaults= mod_authn_sasl_set_defaults; + p->cleanup = mod_authn_sasl_free; + + p->data = NULL; + + return 0; +} |