summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGlenn Strauss <gstrauss@gluelogic.com>2017-11-05 18:52:09 -0500
committerGlenn Strauss <gstrauss@gluelogic.com>2017-11-05 20:11:07 -0500
commitd61714dd0de1acd75ffe3dab7dc109a73926a49a (patch)
tree47ba9f94faaaf1c099daa9c2eaf6ef23017c5351
parentfdc4c324c4df38e04c858a2f8c2081c872c50ba5 (diff)
downloadlighttpd1.4-d61714dd0de1acd75ffe3dab7dc109a73926a49a.tar.gz
lighttpd1.4-d61714dd0de1acd75ffe3dab7dc109a73926a49a.zip
[mod_authn_sasl] SASL auth (new) (fixes #2275)
(experimental) HTTP Basic authentication using saslauthd server.modules += ( "mod_auth" ) server.modules += ( "mod_authn_sasl" ) auth.backend = "sasl" auth.backend.sasl.opts = ( "pwcheck_method" => "saslauthd" ) # default x-ref: "SASL auth like libapache2-mod-authn-sasl" https://redmine.lighttpd.net/issues/2275
-rw-r--r--SConstruct10
-rw-r--r--configure.ac43
-rw-r--r--meson.build2
-rw-r--r--meson_options.txt5
-rw-r--r--src/CMakeLists.txt17
-rw-r--r--src/Makefile.am8
-rw-r--r--src/SConscript3
-rw-r--r--src/meson.build19
-rw-r--r--src/mod_authn_sasl.c283
9 files changed, 387 insertions, 3 deletions
diff --git a/SConstruct b/SConstruct
index 693fb008..6aa1cafe 100644
--- a/SConstruct
+++ b/SConstruct
@@ -247,6 +247,7 @@ vars.AddVariables(
BoolVariable('with_openssl', 'enable openssl support', 'no'),
PackageVariable('with_pcre', 'enable pcre support', 'yes'),
PackageVariable('with_pgsql', 'enable pgsql support', 'no'),
+ PackageVariable('with_sasl', 'enable SASL support', 'no'),
BoolVariable('with_sqlite3', 'enable sqlite3 support (required for webdav props)', 'no'),
BoolVariable('with_uuid', 'enable uuid support (required for webdav locks)', 'no'),
# with_valgrind not supported
@@ -325,6 +326,7 @@ if 1:
LIBMYSQL = '',
LIBPCRE = '',
LIBPGSQL = '',
+ LIBSASL = '',
LIBSQLITE3 = '',
LIBSSL = '',
LIBUUID = '',
@@ -583,6 +585,14 @@ if 1:
fail("Couldn't find libpq")
autoconf.env.Append(CPPFLAGS = [ '-DHAVE_PGSQL_H', '-DHAVE_LIBPGSQL' ])
+ if env['with_sasl']:
+ if not autoconf.CheckLibWithHeader('sasl2', 'sasl/sasl.h', 'C'):
+ fail("Couldn't find libsasl2")
+ autoconf.env.Append(
+ CPPFLAGS = [ '-DHAVE_SASL' ],
+ LIBSASL = 'sasl2',
+ )
+
if env['with_sqlite3']:
if not autoconf.CheckLibWithHeader('sqlite3', 'sqlite3.h', 'C'):
fail("Couldn't find sqlite3")
diff --git a/configure.ac b/configure.ac
index 1f616d13..5383cec5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -328,8 +328,8 @@ DBI_LIBS=
if test "$WITH_DBI" != no; then
if test "$WITH_DBI" != yes; then
- DBI_CFLAGS="-I$WITH_LIBDBI/include"
- DBI_LIBS="-L$WITH_LIBDBI/lib -ldbi"
+ DBI_CFLAGS="-I$WITH_DBI/include"
+ DBI_LIBS="-L$WITH_DBI/lib -ldbi"
else
AC_CHECK_HEADERS([dbi/dbi.h],
[AC_CHECK_LIB([dbi], [dbi_version],
@@ -350,6 +350,45 @@ AM_CONDITIONAL([BUILD_WITH_DBI], [test "$WITH_DBI" != no])
AC_SUBST([DBI_LIBS])
AC_SUBST([DBI_CFLAGS])
+dnl Checks for libsasl2 library
+AC_MSG_NOTICE([----------------------------------------])
+AC_MSG_CHECKING([for LibSASL support])
+AC_ARG_WITH([sasl],
+ [AC_HELP_STRING([--with-sasl@<:@=PATH@:>@],
+ [Include SASL support in PATH/include/sasl/sasl.h and PATH/lib]
+ )],
+ [WITH_SASL=$withval],
+ [WITH_SASL=no]
+)
+AC_MSG_RESULT([$WITH_SASL])
+
+SASL_INCLUDE=
+SASL_LIBS=
+
+if test "$WITH_SASL" != no; then
+ if test "$WITH_SASL" != yes; then
+ SASL_CFLAGS="-I$WITH_SASL/include"
+ SASL_LIBS="-L$WITH_SASL/lib -lsasl2"
+ else
+ AC_CHECK_HEADERS([sasl/sasl.h],
+ [AC_CHECK_LIB([sasl2], [sasl_server_init],
+ [
+ SASL_CFLAGS=
+ SASL_LIBS="-lsasl2"
+ ],
+ [AC_MSG_ERROR([libsasl2 not found])]
+ )],
+ [AC_MSG_ERROR([SASL header not found])]
+ )
+ fi
+
+ AC_DEFINE([HAVE_SASL], [1], [LibSASL support])
+fi
+AM_CONDITIONAL([BUILD_WITH_SASL], [test "$WITH_SASL" != no])
+
+AC_SUBST([SASL_LIBS])
+AC_SUBST([SASL_CFLAGS])
+
dnl Check for LDAP
AC_MSG_NOTICE([----------------------------------------])
diff --git a/meson.build b/meson.build
index 19a9f381..62ef32f6 100644
--- a/meson.build
+++ b/meson.build
@@ -10,7 +10,7 @@ subdir('tests')
# $ ninja
# full build:
-# $ meson configure -D build_extra_warnings=true -D with_bzip=true -D with_dbi=true -D with_fam=true -D with_gdbm=true -D with_geoip=true -D with_krb5=true -D with_ldap=true -D with_libev=true -D with_libunwind=true -D with_lua=true -D with_memcached=true -D with_mysql=true -D with_openssl=true -D with_pcre=true -D with_pgsql=true -D with_webdav_locks=true -D with_webdav_props=true -D with_xattr=true -D with_zlib=true
+# $ meson configure -D build_extra_warnings=true -D with_bzip=true -D with_dbi=true -D with_fam=true -D with_gdbm=true -D with_geoip=true -D with_krb5=true -D with_ldap=true -D with_libev=true -D with_libunwind=true -D with_lua=true -D with_memcached=true -D with_mysql=true -D with_openssl=true -D with_pcre=true -D with_pgsql=true -D with_sasl=true -D with_webdav_locks=true -D with_webdav_props=true -D with_xattr=true -D with_zlib=true
# optimized build:
# $ meson configure -D b_lto=true -D buildtype=debugoptimized
diff --git a/meson_options.txt b/meson_options.txt
index 6fde5ea2..188f4d33 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -73,6 +73,11 @@ option('with_pgsql',
value: false,
description: 'with postgres-support for mod_vhostdb_pgsql [default: off]',
)
+option('with_sasl',
+ type: 'boolean',
+ value: false,
+ description: 'with SASL support for mod_authn_sasl [default: off]',
+)
#option('with_valgrind',
# type: 'boolean',
# value: false,
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index c36de51e..20a68842 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -33,6 +33,7 @@ option(WITH_MEMCACHED "memcached storage for mod_trigger_b4_dl [default: off]")
option(WITH_LIBEV "libev support for fdevent handlers [default: off]")
option(WITH_LIBUNWIND "with libunwind to print backtraces in asserts [default: off]")
option(WITH_GEOIP "with GeoIP-support mod_geoip [default: off]")
+option(WITH_SASL "with SASL-support for mod_authn_sasl [default: off]")
if(CMAKE_C_COMPILER_ID MATCHES "GNU" OR CMAKE_C_COMPILER_ID MATCHES "Clang")
option(BUILD_EXTRA_WARNINGS "extra warnings")
@@ -351,6 +352,16 @@ else()
unset(HAVE_LIBPCRE)
endif()
+if(WITH_SASL)
+ check_include_files(sasl/sasl.h HAVE_SASL_SASL_H)
+ if(HAVE_SASL_SASL_H)
+ check_library_exists(sasl2 sasl_server_init "" HAVE_SASL)
+ endif()
+else()
+ unset(HAVE_SASL_SASL_H)
+ unset(HAVE_SASL)
+endif()
+
if(WITH_XML)
xconfig(xml2-config XML2_INCDIR XML2_LIBDIR XML2_LDFLAGS XML2_CFLAGS)
@@ -757,6 +768,12 @@ if(WITH_LDAP)
target_link_libraries(mod_vhostdb_ldap ${L_MOD_AUTHN_LDAP})
endif()
+if(WITH_SASL)
+ add_and_install_library(mod_authn_sasl "mod_authn_sasl.c")
+ set(L_MOD_AUTHN_SASL ${L_MOD_AUTHN_SASL} sasl2)
+ target_link_libraries(mod_authn_sasl ${L_MOD_AUTHN_SASL})
+endif()
+
if(HAVE_ZLIB_H)
if(HAVE_BZLIB_H)
target_link_libraries(mod_compress ${ZLIB_LIBRARY} bz2)
diff --git a/src/Makefile.am b/src/Makefile.am
index ec73d768..8b2828b6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -337,6 +337,14 @@ mod_authn_mysql_la_LIBADD = $(CRYPT_LIB) $(MYSQL_LIBS) $(common_libadd)
mod_authn_mysql_la_CPPFLAGS = $(MYSQL_INCLUDE)
endif
+if BUILD_WITH_SASL
+lib_LTLIBRARIES += mod_authn_sasl.la
+mod_authn_sasl_la_SOURCES = mod_authn_sasl.c
+mod_authn_sasl_la_LDFLAGS = $(common_module_ldflags)
+mod_authn_sasl_la_LIBADD = $(SASL_LIBS) $(common_libadd)
+mod_authn_sasl_la_CPPFLAGS = $(SASL_CFLAGS)
+endif
+
if BUILD_WITH_OPENSSL
lib_LTLIBRARIES += mod_openssl.la
mod_openssl_la_SOURCES = mod_openssl.c
diff --git a/src/SConscript b/src/SConscript
index c2ec0f54..a518b8b5 100644
--- a/src/SConscript
+++ b/src/SConscript
@@ -157,6 +157,9 @@ if env['with_pgsql']:
if env['with_dbi']:
modules['mod_vhostdb_dbi'] = { 'src' : [ 'mod_vhostdb_dbi.c' ], 'lib' : [ env['LIBDBI'] ] }
+if env['with_sasl']:
+ modules['mod_authn_sasl'] = { 'src' : [ 'mod_authn_sasl.c' ], 'lib' : [ env['LIBSASL'] ] }
+
if env['with_openssl']:
modules['mod_openssl'] = { 'src' : [ 'mod_openssl.c' ], 'lib' : [ env['LIBSSL'], env['LIBCRYPTO'] ] }
diff --git a/src/meson.build b/src/meson.build
index 8e084edc..57b66d8f 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -400,6 +400,19 @@ if get_option('with_pgsql')
conf_data.set('HAVE_PGSQL', true)
endif
+if get_option('with_sasl')
+ libsasl = dependency('sasl2', required: false)
+ if libsasl.found()
+ libsasl = [ libsasl2 ]
+ else
+ libsasl = [ compiler.find_library('sasl2') ]
+ if not(compiler.has_function('sasl_server_init', args: defs, dependencies: libsasl, prefix: '#include <sasl/sasl.h>'))
+ error('Couldn\'t find sasl/sasl.h or sasl_server_init in libsasl2')
+ endif
+ endif
+ conf_data.set('HAVE_SASL', true)
+endif
+
#if get_option('with_valgrind')
#endif
@@ -799,6 +812,12 @@ if get_option('with_openssl')
]
endif
+if get_option('with_sasl')
+ modules += [
+ [ 'mod_authn_sasl', [ 'mod_authn_sasl.c' ], libsasl2 ],
+ ]
+endif
+
foreach mod: modules
mod_name = mod.get(0)
mod_sources = mod.get(1)
diff --git a/src/mod_authn_sasl.c b/src/mod_authn_sasl.c
new file mode 100644
index 00000000..4bfae02b
--- /dev/null
+++ b/src/mod_authn_sasl.c
@@ -0,0 +1,283 @@
+#include "first.h"
+
+/* mod_authn_sasl
+ *
+ * FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
+ * - database response is not cached
+ * TODO: db response caching (for limited time) to reduce load on db
+ * (only cache successful logins to prevent cache bloat?)
+ * (or limit number of entries (size) of cache)
+ * (maybe have negative cache (limited size) of names not found in database)
+ * - database query is synchronous and blocks waiting for response
+ */
+
+#include <sasl/sasl.h>
+
+#include "base.h"
+#include "http_auth.h"
+#include "log.h"
+#include "plugin.h"
+
+#include <sys/utsname.h>
+#include <errno.h>
+#include <string.h>
+
+typedef struct {
+ array *opts;
+ const char *service;
+ const char *fqdn;
+ const buffer *pwcheck_method;
+ const buffer *sasldb_path;
+} plugin_config;
+
+typedef struct {
+ PLUGIN_DATA;
+ plugin_config **config_storage;
+ plugin_config conf;
+ buffer *fqdn;
+ int initonce;
+} plugin_data;
+
+static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
+
+INIT_FUNC(mod_authn_sasl_init) {
+ static http_auth_backend_t http_auth_backend_sasl =
+ { "sasl", mod_authn_sasl_basic, NULL, NULL };
+ plugin_data *p = calloc(1, sizeof(*p));
+
+ /* register http_auth_backend_sasl */
+ http_auth_backend_sasl.p_d = p;
+ http_auth_backend_set(&http_auth_backend_sasl);
+
+ return p;
+}
+
+FREE_FUNC(mod_authn_sasl_free) {
+ plugin_data *p = p_d;
+ if (!p) return HANDLER_GO_ON;
+
+ if (p->initonce) sasl_done();
+
+ if (p->config_storage) {
+ for (size_t i = 0; i < srv->config_context->used; ++i) {
+ plugin_config *s = p->config_storage[i];
+ if (NULL == s) continue;
+ array_free(s->opts);
+ free(s);
+ }
+ free(p->config_storage);
+ }
+ buffer_free(p->fqdn);
+ free(p);
+ UNUSED(srv);
+ return HANDLER_GO_ON;
+}
+
+SETDEFAULTS_FUNC(mod_authn_sasl_set_defaults) {
+ plugin_data *p = p_d;
+ size_t i;
+ config_values_t cv[] = {
+ { "auth.backend.sasl.opts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
+ };
+
+ p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
+
+ for (i = 0; i < srv->config_context->used; i++) {
+ data_config const *config = (data_config const*)srv->config_context->data[i];
+ data_string *ds;
+ plugin_config *s = calloc(1, sizeof(plugin_config));
+ s->opts = array_init();
+
+ cv[0].destination = s->opts;
+
+ p->config_storage[i] = s;
+
+ if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
+ return HANDLER_ERROR;
+ }
+
+ if (0 == s->opts->used) continue;
+
+ ds = (data_string *)
+ array_get_element_klen(s->opts, CONST_STR_LEN("service"));
+ s->service = (NULL != ds) ? ds->value->ptr : "http";
+
+ ds = (data_string *)
+ array_get_element_klen(s->opts, CONST_STR_LEN("fqdn"));
+ if (NULL != ds) s->fqdn = ds->value->ptr;
+ if (NULL == s->fqdn) {
+ if (NULL == p->fqdn) {
+ struct utsname uts;
+ if (0 != uname(&uts)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss",
+ "uname():", strerror(errno));
+ return HANDLER_ERROR;
+ }
+ p->fqdn = buffer_init_string(uts.nodename);
+ }
+ s->fqdn = p->fqdn->ptr;
+ }
+
+ ds = (data_string *)
+ array_get_element_klen(s->opts, CONST_STR_LEN("pwcheck_method"));
+ if (NULL != ds) {
+ s->pwcheck_method = ds->value;
+ if (!buffer_is_equal_string(ds->value, CONST_STR_LEN("saslauthd"))
+ && !buffer_is_equal_string(ds->value, CONST_STR_LEN("auxprop"))
+ && !buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))){
+ log_error_write(srv, __FILE__, __LINE__, "sb",
+ "sasl pwcheck_method must be one of saslauthd, "
+ "sasldb, or auxprop, not:", ds->value);
+ return HANDLER_ERROR;
+ }
+ if (buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))) {
+ /* Cyrus libsasl2 expects "auxprop" instead of "sasldb"
+ * (mod_authn_sasl_cb_getopt auxprop_plugin returns "sasldb") */
+ buffer_copy_string_len(ds->value, CONST_STR_LEN("auxprop"));
+ }
+ }
+
+ ds = (data_string *)
+ array_get_element_klen(s->opts, CONST_STR_LEN("sasldb_path"));
+ if (NULL != ds) s->sasldb_path = ds->value;
+ }
+
+ return HANDLER_GO_ON;
+}
+
+#define PATCH(x) \
+ p->conf.x = s->x;
+static int mod_authn_sasl_patch_connection(server *srv, connection *con, plugin_data *p) {
+ plugin_config *s = p->config_storage[0];
+ PATCH(service);
+ PATCH(fqdn);
+ PATCH(pwcheck_method);
+ PATCH(sasldb_path);
+
+ /* skip the first, the global context */
+ for (size_t i = 1; i < srv->config_context->used; ++i) {
+ data_config *dc = (data_config *)srv->config_context->data[i];
+
+ /* condition didn't match */
+ if (!config_check_cond(srv, con, dc)) continue;
+
+ /* merge config */
+ s = p->config_storage[i];
+ for (size_t j = 0; j < dc->value->used; ++j) {
+ data_unset *du = dc->value->data[j];
+ if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.sasl.opts"))) {
+ PATCH(service);
+ PATCH(fqdn);
+ PATCH(pwcheck_method);
+ PATCH(sasldb_path);
+ }
+ }
+ }
+
+ return 0;
+}
+#undef PATCH
+
+static int mod_authn_sasl_cb_getopt(void *p_d, const char *plugin_name, const char *opt, const char **res, unsigned *len) {
+ plugin_data *p = (plugin_data *)p_d;
+ size_t sz;
+
+ if (0 == strcmp(opt, "pwcheck_method")) {
+ if (!buffer_string_is_empty(p->conf.pwcheck_method)) {
+ *res = p->conf.pwcheck_method->ptr;
+ sz = buffer_string_length(p->conf.pwcheck_method);
+ }
+ else { /* default */
+ *res = "saslauthd";
+ sz = sizeof("saslauthd")-1;
+ }
+ }
+ else if (0 == strcmp(opt, "sasldb_path")
+ && !buffer_string_is_empty(p->conf.sasldb_path)) {
+ *res = p->conf.sasldb_path->ptr;
+ sz = buffer_string_length(p->conf.sasldb_path);
+ }
+ else if (0 == strcmp(opt, "auxprop_plugin")) {
+ *res = "sasldb";
+ sz = sizeof("sasldb")-1;
+ }
+ else {
+ UNUSED(plugin_name);
+ return SASL_FAIL;
+ }
+
+ if (len) *len = (unsigned int)sz;
+ return SASL_OK;
+}
+
+static int mod_authn_sasl_cb_log(void *vsrv, int level, const char *message) {
+ switch (level) {
+ #if 0
+ case SASL_LOG_NONE:
+ case SASL_LOG_NOTE:
+ case SASL_LOG_DEBUG:
+ case SASL_LOG_TRACE:
+ case SASL_LOG_PASS:
+ #endif
+ default:
+ break;
+ case SASL_LOG_ERR:
+ case SASL_LOG_FAIL:
+ case SASL_LOG_WARN: /* (might omit SASL_LOG_WARN if too noisy in logs) */
+ log_error_write((server *)vsrv, __FILE__, __LINE__, "s", message);
+ break;
+ }
+ return SASL_OK;
+}
+
+static handler_t mod_authn_sasl_query(server *srv, connection *con, void *p_d, const buffer *username, const char *realm, const char *pw) {
+ plugin_data *p = (plugin_data *)p_d;
+ sasl_conn_t *sc;
+ sasl_callback_t const cb[] = {
+ { SASL_CB_GETOPT, (int(*)())mod_authn_sasl_cb_getopt, (void *) p },
+ { SASL_CB_LOG, (int(*)())mod_authn_sasl_cb_log, (void *) srv },
+ { SASL_CB_LIST_END, NULL, NULL }
+ };
+ int rc;
+
+ mod_authn_sasl_patch_connection(srv, con, p);
+
+ if (!p->initonce) {
+ /* must be done once, but after fork() if multiple lighttpd workers */
+ rc = sasl_server_init(cb, NULL);
+ if (SASL_OK != rc) return HANDLER_ERROR;
+ p->initonce = 1;
+ }
+
+ rc = sasl_server_new(p->conf.service, p->conf.fqdn,
+ realm, NULL, NULL, cb, 0, &sc);
+ if (SASL_OK == rc) {
+ rc = sasl_checkpass(sc, CONST_BUF_LEN(username), pw, strlen(pw));
+ sasl_dispose(&sc);
+ }
+
+ return (SASL_OK == rc) ? HANDLER_GO_ON : HANDLER_ERROR;
+}
+
+static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw) {
+ char *realm = require->realm->ptr;
+ handler_t rc = mod_authn_sasl_query(srv, con, p_d, username, realm, pw);
+ if (HANDLER_GO_ON != rc) return rc;
+ return http_auth_match_rules(require, username->ptr, NULL, NULL)
+ ? HANDLER_GO_ON /* access granted */
+ : HANDLER_ERROR;
+}
+
+int mod_authn_sasl_plugin_init(plugin *p);
+int mod_authn_sasl_plugin_init(plugin *p) {
+ p->version = LIGHTTPD_VERSION_ID;
+ p->name = buffer_init_string("authn_sasl");
+ p->init = mod_authn_sasl_init;
+ p->set_defaults= mod_authn_sasl_set_defaults;
+ p->cleanup = mod_authn_sasl_free;
+
+ p->data = NULL;
+
+ return 0;
+}