lighttpd 1.4.x https://www.lighttpd.net/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

284 lines
9.0 KiB

#include "first.h"
/* mod_authn_sasl
*
* FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
* - database response is not cached
* TODO: db response caching (for limited time) to reduce load on db
* (only cache successful logins to prevent cache bloat?)
* (or limit number of entries (size) of cache)
* (maybe have negative cache (limited size) of names not found in database)
* - database query is synchronous and blocks waiting for response
*/
#include <sasl/sasl.h>
#include "base.h"
#include "http_auth.h"
#include "log.h"
#include "plugin.h"
#include <sys/utsname.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
array *opts;
const char *service;
const char *fqdn;
const buffer *pwcheck_method;
const buffer *sasldb_path;
} plugin_config;
typedef struct {
PLUGIN_DATA;
plugin_config **config_storage;
plugin_config conf;
buffer *fqdn;
int initonce;
} plugin_data;
static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
INIT_FUNC(mod_authn_sasl_init) {
static http_auth_backend_t http_auth_backend_sasl =
{ "sasl", mod_authn_sasl_basic, NULL, NULL };
plugin_data *p = calloc(1, sizeof(*p));
/* register http_auth_backend_sasl */
http_auth_backend_sasl.p_d = p;
http_auth_backend_set(&http_auth_backend_sasl);
return p;
}
FREE_FUNC(mod_authn_sasl_free) {
plugin_data *p = p_d;
if (!p) return HANDLER_GO_ON;
if (p->initonce) sasl_done();
if (p->config_storage) {
for (size_t i = 0; i < srv->config_context->used; ++i) {
plugin_config *s = p->config_storage[i];
if (NULL == s) continue;
array_free(s->opts);
free(s);
}
free(p->config_storage);
}
buffer_free(p->fqdn);
free(p);
UNUSED(srv);
return HANDLER_GO_ON;
}
SETDEFAULTS_FUNC(mod_authn_sasl_set_defaults) {
plugin_data *p = p_d;
size_t i;
config_values_t cv[] = {
{ "auth.backend.sasl.opts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
};
p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
for (i = 0; i < srv->config_context->used; i++) {
data_config const *config = (data_config const*)srv->config_context->data[i];
data_string *ds;
plugin_config *s = calloc(1, sizeof(plugin_config));
s->opts = array_init();
cv[0].destination = s->opts;
p->config_storage[i] = s;
if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
return HANDLER_ERROR;
}
if (0 == s->opts->used) continue;
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("service"));
s->service = (NULL != ds) ? ds->value->ptr : "http";
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("fqdn"));
if (NULL != ds) s->fqdn = ds->value->ptr;
if (NULL == s->fqdn) {
if (NULL == p->fqdn) {
struct utsname uts;
if (0 != uname(&uts)) {
log_error_write(srv, __FILE__, __LINE__, "ss",
"uname():", strerror(errno));
return HANDLER_ERROR;
}
p->fqdn = buffer_init_string(uts.nodename);
}
s->fqdn = p->fqdn->ptr;
}
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("pwcheck_method"));
if (NULL != ds) {
s->pwcheck_method = ds->value;
if (!buffer_is_equal_string(ds->value, CONST_STR_LEN("saslauthd"))
&& !buffer_is_equal_string(ds->value, CONST_STR_LEN("auxprop"))
&& !buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))){
log_error_write(srv, __FILE__, __LINE__, "sb",
"sasl pwcheck_method must be one of saslauthd, "
"sasldb, or auxprop, not:", ds->value);
return HANDLER_ERROR;
}
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))) {
/* Cyrus libsasl2 expects "auxprop" instead of "sasldb"
* (mod_authn_sasl_cb_getopt auxprop_plugin returns "sasldb") */
buffer_copy_string_len(ds->value, CONST_STR_LEN("auxprop"));
}
}
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("sasldb_path"));
if (NULL != ds) s->sasldb_path = ds->value;
}
return HANDLER_GO_ON;
}
#define PATCH(x) \
p->conf.x = s->x;
static int mod_authn_sasl_patch_connection(server *srv, connection *con, plugin_data *p) {
plugin_config *s = p->config_storage[0];
PATCH(service);
PATCH(fqdn);
PATCH(pwcheck_method);
PATCH(sasldb_path);
/* skip the first, the global context */
for (size_t i = 1; i < srv->config_context->used; ++i) {
data_config *dc = (data_config *)srv->config_context->data[i];
/* condition didn't match */
if (!config_check_cond(srv, con, dc)) continue;
/* merge config */
s = p->config_storage[i];
for (size_t j = 0; j < dc->value->used; ++j) {
data_unset *du = dc->value->data[j];
if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.sasl.opts"))) {
PATCH(service);
PATCH(fqdn);
PATCH(pwcheck_method);
PATCH(sasldb_path);
}
}
}
return 0;
}
#undef PATCH
static int mod_authn_sasl_cb_getopt(void *p_d, const char *plugin_name, const char *opt, const char **res, unsigned *len) {
plugin_data *p = (plugin_data *)p_d;
size_t sz;
if (0 == strcmp(opt, "pwcheck_method")) {
if (!buffer_string_is_empty(p->conf.pwcheck_method)) {
*res = p->conf.pwcheck_method->ptr;
sz = buffer_string_length(p->conf.pwcheck_method);
}
else { /* default */
*res = "saslauthd";
sz = sizeof("saslauthd")-1;
}
}
else if (0 == strcmp(opt, "sasldb_path")
&& !buffer_string_is_empty(p->conf.sasldb_path)) {
*res = p->conf.sasldb_path->ptr;
sz = buffer_string_length(p->conf.sasldb_path);
}
else if (0 == strcmp(opt, "auxprop_plugin")) {
*res = "sasldb";
sz = sizeof("sasldb")-1;
}
else {
UNUSED(plugin_name);
return SASL_FAIL;
}
if (len) *len = (unsigned int)sz;
return SASL_OK;
}
static int mod_authn_sasl_cb_log(void *vsrv, int level, const char *message) {
switch (level) {
#if 0
case SASL_LOG_NONE:
case SASL_LOG_NOTE:
case SASL_LOG_DEBUG:
case SASL_LOG_TRACE:
case SASL_LOG_PASS:
#endif
default:
break;
case SASL_LOG_ERR:
case SASL_LOG_FAIL:
case SASL_LOG_WARN: /* (might omit SASL_LOG_WARN if too noisy in logs) */
log_error_write((server *)vsrv, __FILE__, __LINE__, "s", message);
break;
}
return SASL_OK;
}
static handler_t mod_authn_sasl_query(server *srv, connection *con, void *p_d, const buffer *username, const char *realm, const char *pw) {
plugin_data *p = (plugin_data *)p_d;
sasl_conn_t *sc;
sasl_callback_t const cb[] = {
{ SASL_CB_GETOPT, (int(*)())mod_authn_sasl_cb_getopt, (void *) p },
{ SASL_CB_LOG, (int(*)())mod_authn_sasl_cb_log, (void *) srv },
{ SASL_CB_LIST_END, NULL, NULL }
};
int rc;
mod_authn_sasl_patch_connection(srv, con, p);
if (!p->initonce) {
/* must be done once, but after fork() if multiple lighttpd workers */
rc = sasl_server_init(cb, NULL);
if (SASL_OK != rc) return HANDLER_ERROR;
p->initonce = 1;
}
rc = sasl_server_new(p->conf.service, p->conf.fqdn,
realm, NULL, NULL, cb, 0, &sc);
if (SASL_OK == rc) {
rc = sasl_checkpass(sc, CONST_BUF_LEN(username), pw, strlen(pw));
sasl_dispose(&sc);
}
return (SASL_OK == rc) ? HANDLER_GO_ON : HANDLER_ERROR;
}
static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw) {
char *realm = require->realm->ptr;
handler_t rc = mod_authn_sasl_query(srv, con, p_d, username, realm, pw);
if (HANDLER_GO_ON != rc) return rc;
return http_auth_match_rules(require, username->ptr, NULL, NULL)
? HANDLER_GO_ON /* access granted */
: HANDLER_ERROR;
}
int mod_authn_sasl_plugin_init(plugin *p);
int mod_authn_sasl_plugin_init(plugin *p) {
p->version = LIGHTTPD_VERSION_ID;
p->name = buffer_init_string("authn_sasl");
p->init = mod_authn_sasl_init;
p->set_defaults= mod_authn_sasl_set_defaults;
p->cleanup = mod_authn_sasl_free;
p->data = NULL;
return 0;
}