lighttpd 1.4.x
https://www.lighttpd.net/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
558 lines
18 KiB
558 lines
18 KiB
#include "first.h" |
|
|
|
#include <ldap.h> |
|
|
|
#include <errno.h> |
|
#include <string.h> |
|
#include <stdlib.h> |
|
|
|
#include "base.h" |
|
#include "http_vhostdb.h" |
|
#include "log.h" |
|
#include "plugin.h" |
|
|
|
/* |
|
* virtual host plugin using LDAP for domain to directory lookups |
|
*/ |
|
|
|
typedef struct { |
|
LDAP *ldap; |
|
const buffer *filter; |
|
server *srv; |
|
|
|
const char *attr; |
|
const char *host; |
|
const char *basedn; |
|
const char *binddn; |
|
const char *bindpw; |
|
const char *cafile; |
|
unsigned short starttls; |
|
} vhostdb_config; |
|
|
|
typedef struct { |
|
void *vdata; |
|
array *options; |
|
} plugin_config; |
|
|
|
typedef struct { |
|
PLUGIN_DATA; |
|
plugin_config **config_storage; |
|
plugin_config conf; |
|
} plugin_data; |
|
|
|
static void mod_vhostdb_dbconf_free (void *vdata) |
|
{ |
|
vhostdb_config *dbconf = (vhostdb_config *)vdata; |
|
if (!dbconf) return; |
|
if (NULL != dbconf->ldap) ldap_unbind_ext_s(dbconf->ldap, NULL, NULL); |
|
free(dbconf); |
|
} |
|
|
|
/*(copied from mod_authn_ldap.c)*/ |
|
static void mod_vhostdb_dbconf_add_scheme (server *srv, buffer *host) |
|
{ |
|
if (!buffer_string_is_empty(host)) { |
|
/* reformat hostname(s) as LDAP URIs (scheme://host:port) */ |
|
static const char *schemes[] = { |
|
"ldap://", "ldaps://", "ldapi://", "cldap://" |
|
}; |
|
char *b, *e = host->ptr; |
|
buffer_clear(srv->tmp_buf); |
|
while (*(b = e)) { |
|
unsigned int j; |
|
while (*b==' '||*b=='\t'||*b=='\r'||*b=='\n'||*b==',') ++b; |
|
if (*b == '\0') break; |
|
e = b; |
|
while (*e!=' '&&*e!='\t'&&*e!='\r'&&*e!='\n'&&*e!=','&&*e!='\0') |
|
++e; |
|
if (!buffer_string_is_empty(srv->tmp_buf)) |
|
buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN(",")); |
|
for (j = 0; j < sizeof(schemes)/sizeof(char *); ++j) { |
|
if (buffer_eq_icase_ssn(b, schemes[j], strlen(schemes[j]))) { |
|
break; |
|
} |
|
} |
|
if (j == sizeof(schemes)/sizeof(char *)) |
|
buffer_append_string_len(srv->tmp_buf, |
|
CONST_STR_LEN("ldap://")); |
|
buffer_append_string_len(srv->tmp_buf, b, (size_t)(e - b)); |
|
} |
|
buffer_copy_buffer(host, srv->tmp_buf); |
|
} |
|
} |
|
|
|
static int mod_vhostdb_dbconf_setup (server *srv, array *opts, void **vdata) |
|
{ |
|
const buffer *filter = NULL; |
|
const char *attr = "documentRoot"; |
|
const char *basedn=NULL,*binddn=NULL,*bindpw=NULL,*host=NULL,*cafile=NULL; |
|
unsigned short starttls = 0; |
|
|
|
for (size_t i = 0; i < opts->used; ++i) { |
|
data_string *ds = (data_string *)opts->data[i]; |
|
if (ds->type == TYPE_STRING) { |
|
if (buffer_is_equal_caseless_string(&ds->key, CONST_STR_LEN("filter"))) { |
|
filter = &ds->value; |
|
} else if (buffer_is_equal_caseless_string(&ds->key, CONST_STR_LEN("attr"))) { |
|
if (!buffer_string_is_empty(&ds->value)) attr = ds->value.ptr; |
|
} else if (buffer_is_equal_caseless_string(&ds->key, CONST_STR_LEN("host"))) { |
|
mod_vhostdb_dbconf_add_scheme(srv, &ds->value); |
|
host = ds->value.ptr; |
|
} else if (buffer_is_equal_caseless_string(&ds->key, CONST_STR_LEN("base-dn"))) { |
|
if (!buffer_string_is_empty(&ds->value)) basedn = ds->value.ptr; |
|
} else if (buffer_is_equal_caseless_string(&ds->key, CONST_STR_LEN("bind-dn"))) { |
|
if (!buffer_string_is_empty(&ds->value)) binddn = ds->value.ptr; |
|
} else if (buffer_is_equal_caseless_string(&ds->key, CONST_STR_LEN("bind-pw"))) { |
|
bindpw = ds->value.ptr; |
|
} else if (buffer_is_equal_caseless_string(&ds->key, CONST_STR_LEN("ca-file"))) { |
|
if (!buffer_string_is_empty(&ds->value)) cafile = ds->value.ptr; |
|
} else if (buffer_is_equal_caseless_string(&ds->key, CONST_STR_LEN("starttls"))) { |
|
starttls = !buffer_is_equal_string(&ds->value, CONST_STR_LEN("disable")) |
|
&& !buffer_is_equal_string(&ds->value, CONST_STR_LEN("0")); |
|
} |
|
} |
|
} |
|
|
|
/* required: |
|
* - host |
|
* - filter (LDAP query) |
|
* - base-dn |
|
* |
|
* optional: |
|
* - attr (LDAP attribute with docroot; default "documentRoot") |
|
* - bind-dn |
|
* - bind-pw |
|
* - ca-file |
|
* - starttls |
|
*/ |
|
|
|
if (!buffer_string_is_empty(filter) && NULL != host && NULL != basedn) { |
|
vhostdb_config *dbconf; |
|
|
|
if (NULL == strchr(filter->ptr, '?')) { |
|
log_error_write(srv, __FILE__, __LINE__, "s", |
|
"ldap: filter is missing a replace-operator '?'"); |
|
return -1; |
|
} |
|
|
|
/* openldap sets FD_CLOEXEC on database socket descriptors |
|
* (still race between creation of socket and fcntl FD_CLOEXEC) |
|
* (YMMV with other LDAP client libraries) */ |
|
|
|
dbconf = (vhostdb_config *)calloc(1, sizeof(*dbconf)); |
|
dbconf->ldap = NULL; |
|
dbconf->filter = filter; |
|
dbconf->attr = attr; |
|
dbconf->host = host; |
|
dbconf->basedn = basedn; |
|
dbconf->binddn = binddn; |
|
dbconf->bindpw = bindpw; |
|
dbconf->cafile = cafile; |
|
dbconf->starttls = starttls; |
|
*vdata = dbconf; |
|
} |
|
return 0; |
|
} |
|
|
|
/* |
|
* Note: a large portion of the LDAP code is copied verbatim from mod_authn_ldap |
|
* with only changes being use of vhostdb_config instead of plugin_config struct |
|
* and (const char *) strings in vhostdb_config instead of (buffer *). |
|
*/ |
|
|
|
static void mod_authn_ldap_err(server *srv, const char *file, unsigned long line, const char *fn, int err) |
|
{ |
|
log_error_write(srv,file,line,"sSss","ldap:",fn,":",ldap_err2string(err)); |
|
} |
|
|
|
static void mod_authn_ldap_opt_err(server *srv, const char *file, unsigned long line, const char *fn, LDAP *ld) |
|
{ |
|
int err; |
|
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); |
|
mod_authn_ldap_err(srv, file, line, fn, err); |
|
} |
|
|
|
static void mod_authn_append_ldap_filter_escape(buffer * const filter, const buffer * const raw) { |
|
/* [RFC4515] 3. String Search Filter Definition |
|
* |
|
* [...] |
|
* |
|
* The <valueencoding> rule ensures that the entire filter string is a |
|
* valid UTF-8 string and provides that the octets that represent the |
|
* ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII |
|
* 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a |
|
* backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits |
|
* representing the value of the encoded octet. |
|
* |
|
* [...] |
|
* |
|
* As indicated by the <valueencoding> rule, implementations MUST escape |
|
* all octets greater than 0x7F that are not part of a valid UTF-8 |
|
* encoding sequence when they generate a string representation of a |
|
* search filter. Implementations SHOULD accept as input strings that |
|
* are not valid UTF-8 strings. This is necessary because RFC 2254 did |
|
* not clearly define the term "string representation" (and in |
|
* particular did not mention that the string representation of an LDAP |
|
* search filter is a string of UTF-8-encoded Unicode characters). |
|
* |
|
* |
|
* https://www.ldap.com/ldap-filters |
|
* Although not required, you may escape any other characters that you want |
|
* in the assertion value (or substring component) of a filter. This may be |
|
* accomplished by prefixing the hexadecimal representation of each byte of |
|
* the UTF-8 encoding of the character to escape with a backslash character. |
|
*/ |
|
const char * const b = raw->ptr; |
|
const size_t rlen = buffer_string_length(raw); |
|
for (size_t i = 0; i < rlen; ++i) { |
|
size_t len = i; |
|
char *f; |
|
do { |
|
/* encode all UTF-8 chars with high bit set |
|
* (instead of validating UTF-8 and escaping only invalid UTF-8) */ |
|
if (((unsigned char *)b)[len] > 0x7f) |
|
break; |
|
switch (b[len]) { |
|
default: |
|
continue; |
|
case '\0': case '(': case ')': case '*': case '\\': |
|
break; |
|
} |
|
break; |
|
} while (++len < rlen); |
|
len -= i; |
|
|
|
if (len) { |
|
buffer_append_string_len(filter, b+i, len); |
|
if ((i += len) == rlen) break; |
|
} |
|
|
|
/* escape * ( ) \ NUL ('\0') (and all UTF-8 chars with high bit set) */ |
|
buffer_string_prepare_append(filter, 3); |
|
f = filter->ptr + buffer_string_length(filter); |
|
f[0] = '\\'; |
|
f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf]; |
|
f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf]; |
|
buffer_commit(filter, 3); |
|
} |
|
} |
|
|
|
static LDAP * mod_authn_ldap_host_init(server *srv, vhostdb_config *s) { |
|
LDAP *ld; |
|
int ret; |
|
|
|
ret = ldap_initialize(&ld, s->host); |
|
if (LDAP_SUCCESS != ret) { |
|
log_error_write(srv, __FILE__, __LINE__, "sss", "ldap:", |
|
"ldap_initialize():", strerror(errno)); |
|
return NULL; |
|
} |
|
|
|
ret = LDAP_VERSION3; |
|
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ret); |
|
if (LDAP_OPT_SUCCESS != ret) { |
|
mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_set_options()", ret); |
|
ldap_destroy(ld); |
|
return NULL; |
|
} |
|
|
|
/* restart ldap functions if interrupted by a signal, e.g. SIGCHLD */ |
|
ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON); |
|
|
|
if (s->starttls) { |
|
/* if no CA file is given, it is ok, as we will use encryption |
|
* if the server requires a CAfile it will tell us */ |
|
if (s->cafile) { |
|
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, s->cafile); |
|
if (LDAP_OPT_SUCCESS != ret) { |
|
mod_authn_ldap_err(srv, __FILE__, __LINE__, |
|
"ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", |
|
ret); |
|
ldap_destroy(ld); |
|
return NULL; |
|
} |
|
} |
|
|
|
ret = ldap_start_tls_s(ld, NULL, NULL); |
|
if (LDAP_OPT_SUCCESS != ret) { |
|
mod_authn_ldap_err(srv,__FILE__,__LINE__,"ldap_start_tls_s()",ret); |
|
ldap_destroy(ld); |
|
return NULL; |
|
} |
|
} |
|
|
|
return ld; |
|
} |
|
|
|
static int mod_authn_ldap_bind(server *srv, LDAP *ld, const char *dn, const char *pw) { |
|
struct berval creds; |
|
int ret; |
|
|
|
if (NULL != pw) { |
|
*((const char **)&creds.bv_val) = pw; /*(cast away const)*/ |
|
creds.bv_len = strlen(pw); |
|
} else { |
|
creds.bv_val = NULL; |
|
creds.bv_len = 0; |
|
} |
|
|
|
/* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */ |
|
|
|
ret = ldap_sasl_bind_s(ld,dn,LDAP_SASL_SIMPLE,&creds,NULL,NULL,NULL); |
|
if (ret != LDAP_SUCCESS) { |
|
mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_sasl_bind_s()", ret); |
|
} |
|
|
|
return ret; |
|
} |
|
|
|
static int mod_authn_ldap_rebind_proc (LDAP *ld, LDAP_CONST char *url, ber_tag_t ldap_request, ber_int_t msgid, void *params) { |
|
vhostdb_config *s = (vhostdb_config *)params; |
|
UNUSED(url); |
|
UNUSED(ldap_request); |
|
UNUSED(msgid); |
|
return mod_authn_ldap_bind(s->srv, ld, s->binddn, s->bindpw); |
|
} |
|
|
|
static LDAPMessage * mod_authn_ldap_search(server *srv, vhostdb_config *s, char *base, char *filter) { |
|
LDAPMessage *lm = NULL; |
|
char *attrs[] = { LDAP_NO_ATTRS, NULL }; |
|
int ret; |
|
|
|
/* |
|
* 1. connect anonymously (if not already connected) |
|
* (ldap connection is kept open unless connection-level error occurs) |
|
* 2. issue search using filter |
|
*/ |
|
|
|
if (s->ldap != NULL) { |
|
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter, |
|
attrs, 0, NULL, NULL, NULL, 0, &lm); |
|
if (LDAP_SUCCESS == ret) { |
|
return lm; |
|
} else if (LDAP_SERVER_DOWN != ret) { |
|
/* try again (or initial request); |
|
* ldap lib sometimes fails for the first call but reconnects */ |
|
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter, |
|
attrs, 0, NULL, NULL, NULL, 0, &lm); |
|
if (LDAP_SUCCESS == ret) { |
|
return lm; |
|
} |
|
} |
|
|
|
ldap_unbind_ext_s(s->ldap, NULL, NULL); |
|
} |
|
|
|
s->ldap = mod_authn_ldap_host_init(srv, s); |
|
if (NULL == s->ldap) { |
|
return NULL; |
|
} |
|
|
|
ldap_set_rebind_proc(s->ldap, mod_authn_ldap_rebind_proc, s); |
|
ret = mod_authn_ldap_bind(srv, s->ldap, s->binddn, s->bindpw); |
|
if (LDAP_SUCCESS != ret) { |
|
ldap_destroy(s->ldap); |
|
s->ldap = NULL; |
|
return NULL; |
|
} |
|
|
|
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter, |
|
attrs, 0, NULL, NULL, NULL, 0, &lm); |
|
if (LDAP_SUCCESS != ret) { |
|
log_error_write(srv, __FILE__, __LINE__, "sSss", |
|
"ldap:", ldap_err2string(ret), "; filter:", filter); |
|
ldap_unbind_ext_s(s->ldap, NULL, NULL); |
|
s->ldap = NULL; |
|
return NULL; |
|
} |
|
|
|
return lm; |
|
} |
|
|
|
static void mod_vhostdb_patch_connection (server *srv, connection *con, plugin_data *p); |
|
|
|
static int mod_vhostdb_ldap_query(server *srv, connection *con, void *p_d, buffer *docroot) |
|
{ |
|
plugin_data *p = (plugin_data *)p_d; |
|
vhostdb_config *dbconf; |
|
LDAP *ld; |
|
LDAPMessage *lm, *first; |
|
struct berval **vals; |
|
int count; |
|
char *basedn; |
|
const buffer *template; |
|
|
|
/*(reuse buffer for ldap query before generating docroot result)*/ |
|
buffer *filter = docroot; |
|
buffer_clear(filter); /*(also resets docroot (alias))*/ |
|
|
|
mod_vhostdb_patch_connection(srv, con, p); |
|
if (NULL == p->conf.vdata) return 0; /*(after resetting docroot)*/ |
|
dbconf = (vhostdb_config *)p->conf.vdata; |
|
dbconf->srv = srv; |
|
|
|
template = dbconf->filter; |
|
for (char *b = template->ptr, *d; *b; b = d+1) { |
|
if (NULL != (d = strchr(b, '?'))) { |
|
buffer_append_string_len(filter, b, (size_t)(d - b)); |
|
mod_authn_append_ldap_filter_escape(filter, con->uri.authority); |
|
} else { |
|
d = template->ptr + buffer_string_length(template); |
|
buffer_append_string_len(filter, b, (size_t)(d - b)); |
|
break; |
|
} |
|
} |
|
|
|
/* (cast away const for poor LDAP ldap_search_ext_s() prototype) */ |
|
*(const char **)&basedn = dbconf->basedn; |
|
|
|
/* ldap_search (synchronous; blocking) */ |
|
lm = mod_authn_ldap_search(srv, dbconf, basedn, filter->ptr); |
|
if (NULL == lm) { |
|
return -1; |
|
} |
|
|
|
/*(must be after mod_authn_ldap_search(); might reconnect)*/ |
|
ld = dbconf->ldap; |
|
|
|
count = ldap_count_entries(ld, lm); |
|
if (count > 1) { |
|
log_error_write(srv, __FILE__, __LINE__, "ssb", |
|
"ldap:", "more than one record returned. " |
|
"you might have to refine the filter:", filter); |
|
} |
|
|
|
buffer_clear(docroot); /*(reset buffer to store result)*/ |
|
|
|
if (0 == count) { /*(no entries found)*/ |
|
ldap_msgfree(lm); |
|
return 0; |
|
} |
|
|
|
if (NULL == (first = ldap_first_entry(ld, lm))) { |
|
mod_authn_ldap_opt_err(srv,__FILE__,__LINE__,"ldap_first_entry()",ld); |
|
ldap_msgfree(lm); |
|
return -1; |
|
} |
|
|
|
if (NULL != (vals = ldap_get_values_len(ld, first, dbconf->attr))) { |
|
buffer_copy_string_len(docroot, vals[0]->bv_val, vals[0]->bv_len); |
|
ldap_value_free_len(vals); |
|
} |
|
|
|
ldap_msgfree(lm); |
|
return 0; |
|
} |
|
|
|
|
|
|
|
|
|
INIT_FUNC(mod_vhostdb_init) { |
|
static http_vhostdb_backend_t http_vhostdb_backend_ldap = |
|
{ "ldap", mod_vhostdb_ldap_query, NULL }; |
|
plugin_data *p = calloc(1, sizeof(*p)); |
|
|
|
/* register http_vhostdb_backend_ldap */ |
|
http_vhostdb_backend_ldap.p_d = p; |
|
http_vhostdb_backend_set(&http_vhostdb_backend_ldap); |
|
|
|
return p; |
|
} |
|
|
|
FREE_FUNC(mod_vhostdb_cleanup) { |
|
plugin_data *p = p_d; |
|
if (!p) return HANDLER_GO_ON; |
|
|
|
if (p->config_storage) { |
|
for (size_t i = 0; i < srv->config_context->used; i++) { |
|
plugin_config *s = p->config_storage[i]; |
|
if (!s) continue; |
|
mod_vhostdb_dbconf_free(s->vdata); |
|
array_free(s->options); |
|
free(s); |
|
} |
|
free(p->config_storage); |
|
} |
|
free(p); |
|
|
|
UNUSED(srv); |
|
return HANDLER_GO_ON; |
|
} |
|
|
|
SETDEFAULTS_FUNC(mod_vhostdb_set_defaults) { |
|
plugin_data *p = p_d; |
|
|
|
config_values_t cv[] = { |
|
{ "vhostdb.ldap", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, |
|
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } |
|
}; |
|
|
|
p->config_storage = calloc(srv->config_context->used, sizeof(plugin_config *)); |
|
|
|
for (size_t i = 0; i < srv->config_context->used; ++i) { |
|
data_config const *config = (data_config const*)srv->config_context->data[i]; |
|
plugin_config *s = calloc(1, sizeof(plugin_config)); |
|
|
|
s->options = array_init(); |
|
cv[0].destination = s->options; |
|
|
|
p->config_storage[i] = s; |
|
|
|
if (config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) { |
|
return HANDLER_ERROR; |
|
} |
|
|
|
if (!array_is_kvstring(s->options)) { |
|
log_error_write(srv, __FILE__, __LINE__, "s", |
|
"unexpected value for vhostdb.ldap; expected list of \"option\" => \"value\""); |
|
return HANDLER_ERROR; |
|
} |
|
|
|
if (s->options->used |
|
&& 0 != mod_vhostdb_dbconf_setup(srv, s->options, &s->vdata)) { |
|
return HANDLER_ERROR; |
|
} |
|
} |
|
|
|
return HANDLER_GO_ON; |
|
} |
|
|
|
#define PATCH(x) \ |
|
p->conf.x = s->x; |
|
static void mod_vhostdb_patch_connection (server *srv, connection *con, plugin_data *p) |
|
{ |
|
plugin_config *s = p->config_storage[0]; |
|
PATCH(vdata); |
|
|
|
/* skip the first, the global context */ |
|
for (size_t i = 1; i < srv->config_context->used; ++i) { |
|
if (!config_check_cond(con, i)) continue; /* condition not matched */ |
|
|
|
data_config *dc = (data_config *)srv->config_context->data[i]; |
|
s = p->config_storage[i]; |
|
|
|
/* merge config */ |
|
for (size_t j = 0; j < dc->value->used; ++j) { |
|
data_unset *du = dc->value->data[j]; |
|
|
|
if (buffer_is_equal_string(&du->key,CONST_STR_LEN("vhostdb.ldap"))) { |
|
PATCH(vdata); |
|
} |
|
} |
|
} |
|
} |
|
#undef PATCH |
|
|
|
/* this function is called at dlopen() time and inits the callbacks */ |
|
int mod_vhostdb_ldap_plugin_init (plugin *p); |
|
int mod_vhostdb_ldap_plugin_init (plugin *p) |
|
{ |
|
p->version = LIGHTTPD_VERSION_ID; |
|
p->name = buffer_init_string("vhostdb_ldap"); |
|
|
|
p->init = mod_vhostdb_init; |
|
p->cleanup = mod_vhostdb_cleanup; |
|
p->set_defaults = mod_vhostdb_set_defaults; |
|
|
|
return 0; |
|
}
|
|
|