RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-02-07 14:01:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
b4be12952a
haproxy/src/auth.c

287 lines
6.1 KiB
C
Raw Normal View History

[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
/*
* User authentication & authorization
*
* Copyright 2010 Krzysztof Piotr Oledzki <ole@ans.pl>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
[BUILD] fix platform-dependant build issues related to crypt() Holger Just and Ross West reported build issues on FreeBSD and Solaris that were initially caused by the definition of _XOPEN_SOURCE at the top of auth.c, which was required on Linux to avoid a build warning. Krzysztof Oledzki found that using _GNU_SOURCE instead also worked on Linux and did not cause any issue on several versions of FreeBSD. Solaris still reported a warning this time, which was fixed by including <crypt.h>, which itself is not present on FreeBSD nor on all Linux toolchains. So by adding a new build option (NEED_CRYPT_H), we can get Solaris to get crypt() working and stop complaining at the same time, without impacting other platforms. This fix was tested at least on several linux toolchains (at least uclibc, glibc 2.2.5, 2.3.6 and 2.7), on FreeBSD 4 to 8, Solaris 8 (which needs crypt.h), and AIX 5.3 (without crypt.h). Every time it builds without a warning.
2010-03-04 18:10:14 +00:00
#ifdef CONFIG_HAP_CRYPT
/* This is to have crypt() defined on Linux */
#define _GNU_SOURCE
#ifdef NEED_CRYPT_H
/* some platforms such as Solaris need this */
#include <crypt.h>
#endif
#endif /* CONFIG_HAP_CRYPT */
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <common/config.h>
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
#include <common/errors.h>
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
#include <proto/acl.h>
#include <proto/log.h>
#include <types/auth.h>
MEDIUM: pattern: rename "acl" prefix to "pat" This patch just renames functions, types and enums. No code was changed. A significant number of files were touched, especially the ACL arrays, so it is likely that some external patches will not apply anymore. One important thing is that we had to split ACL_PAT_* into two groups : - ACL_TEST_{PASS|MISS|FAIL} - PAT_{MATCH|UNMATCH} A future patch will enforce enums on all these places to avoid confusion.
2013-11-28 17:22:00 +00:00
#include <types/pattern.h>
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
struct userlist *userlist = NULL; /* list of all existing userlists */
/* find targets for selected gropus. The function returns pointer to
* the userlist struct ot NULL if name is NULL/empty or unresolvable.
*/
struct userlist *
auth_find_userlist(char *name)
{
struct userlist *l;
if (!name || !*name)
return NULL;
for (l = userlist; l; l = l->next)
if (!strcmp(l->name, name))
return l;
return NULL;
}
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
int check_group(struct userlist *ul, char *name)
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
{
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
struct auth_groups *ag;
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
for (ag = ul->groups; ag; ag = ag->next)
if (strcmp(name, ag->name) == 0)
return 1;
return 0;
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
}
void
userlist_free(struct userlist *ul)
{
struct userlist *tul;
struct auth_users *au, *tau;
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
struct auth_groups_list *agl, *tagl;
struct auth_groups *ag, *tag;
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
while (ul) {
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
/* Free users. */
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
au = ul->users;
while (au) {
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
/* Free groups that own current user. */
agl = au->u.groups;
while (agl) {
tagl = agl;
agl = agl->next;
free(tagl);
}
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
tau = au;
au = au->next;
free(tau->user);
free(tau->pass);
free(tau);
}
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
/* Free grouplist. */
ag = ul->groups;
while (ag) {
tag = ag;
ag = ag->next;
free(tag->name);
free(tag);
}
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
tul = ul;
ul = ul->next;
free(tul->name);
free(tul);
};
}
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
int userlist_postinit()
{
struct userlist *curuserlist = NULL;
/* Resolve usernames and groupnames. */
for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
struct auth_groups *ag;
struct auth_users *curuser;
struct auth_groups_list *grl;
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
char *group = NULL;
struct auth_groups_list *groups = NULL;
if (!curuser->u.groups_names)
continue;
while ((group = strtok(group?NULL:curuser->u.groups_names, ","))) {
for (ag = curuserlist->groups; ag; ag = ag->next) {
if (!strcmp(ag->name, group))
break;
}
if (!ag) {
Alert("userlist '%s': no such group '%s' specified in user '%s'\n",
curuserlist->name, group, curuser->user);
return ERR_ALERT | ERR_FATAL;
}
/* Add this group at the group userlist. */
grl = calloc(1, sizeof(*grl));
if (!grl) {
Alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
curuserlist->name);
return ERR_ALERT | ERR_FATAL;
}
grl->group = ag;
grl->next = groups;
groups = grl;
}
free(curuser->u.groups);
curuser->u.groups = groups;
}
for (ag = curuserlist->groups; ag; ag = ag->next) {
char *user = NULL;
if (!ag->groupusers)
continue;
while ((user = strtok(user?NULL:ag->groupusers, ","))) {
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
if (!strcmp(curuser->user, user))
break;
}
if (!curuser) {
Alert("userlist '%s': no such user '%s' specified in group '%s'\n",
curuserlist->name, user, ag->name);
return ERR_ALERT | ERR_FATAL;
}
/* Add this group at the group userlist. */
grl = calloc(1, sizeof(*grl));
if (!grl) {
Alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
curuserlist->name);
return ERR_ALERT | ERR_FATAL;
}
grl->group = ag;
grl->next = curuser->u.groups;
curuser->u.groups = grl;
}
free(ag->groupusers);
ag->groupusers = NULL;
}
#ifdef DEBUG_AUTH
for (ag = curuserlist->groups; ag; ag = ag->next) {
struct auth_groups_list *agl;
fprintf(stderr, "group %s, id %p, users:", ag->name, ag);
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
for (agl = curuser->u.groups; agl; agl = agl->next) {
if (agl->group == ag)
fprintf(stderr, " %s", curuser->user);
}
}
fprintf(stderr, "\n");
}
#endif
}
return ERR_NONE;
}
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
/*
* Authenticate and authorize user; return 1 if OK, 0 if case of error.
*/
int
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
check_user(struct userlist *ul, const char *user, const char *pass)
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
{
struct auth_users *u;
const char *ep;
#ifdef DEBUG_AUTH
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
fprintf(stderr, "req: userlist=%s, user=%s, pass=%s, group=%s\n",
ul->name, user, pass, group);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
#endif
for (u = ul->users; u; u = u->next)
if (!strcmp(user, u->user))
break;
if (!u)
return 0;
#ifdef DEBUG_AUTH
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
fprintf(stderr, "cfg: user=%s, pass=%s, flags=%X, groups=",
u->user, u->pass, u->flags);
for (agl = u->u.groups; agl; agl = agl->next)
fprintf(stderr, " %s", agl->group->name);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 16:50:44 +00:00
#endif
if (!(u->flags & AU_O_INSECURE)) {
#ifdef CONFIG_HAP_CRYPT
ep = crypt(pass, u->pass);
#else
return 0;
#endif
} else
ep = pass;
#ifdef DEBUG_AUTH
fprintf(stderr, ", crypt=%s\n", ep);
#endif
if (!strcmp(ep, u->pass))
return 1;
else
return 0;
}
[MINOR] acl: add http_auth and http_auth_group Add two acls to match http auth data: acl <name> http_auth(userlist) acl <name> http_auth_hroup(userlist) group1 group2 (...)
2010-01-29 18:26:18 +00:00
MINOR: acl/pattern: use types different from int to clarify who does what. We now have the following enums and all related functions return them and consume them : enum pat_match_res { PAT_NOMATCH = 0, /* sample didn't match any pattern */ PAT_MATCH = 3, /* sample matched at least one pattern */ }; enum acl_test_res { ACL_TEST_FAIL = 0, /* test failed */ ACL_TEST_MISS = 1, /* test may pass with more info */ ACL_TEST_PASS = 3, /* test passed */ }; enum acl_cond_pol { ACL_COND_NONE, /* no polarity set yet */ ACL_COND_IF, /* positive condition (after 'if') */ ACL_COND_UNLESS, /* negative condition (after 'unless') */ }; It's just in order to avoid doubts when reading some code.
2013-11-28 21:21:02 +00:00
enum pat_match_res
MEDIUM: pattern: rename "acl" prefix to "pat" This patch just renames functions, types and enums. No code was changed. A significant number of files were touched, especially the ACL arrays, so it is likely that some external patches will not apply anymore. One important thing is that we had to split ACL_PAT_* into two groups : - ACL_TEST_{PASS|MISS|FAIL} - PAT_{MATCH|UNMATCH} A future patch will enforce enums on all these places to avoid confusion.
2013-11-28 17:22:00 +00:00
pat_match_auth(struct sample *smp, struct pattern *pattern)
[MINOR] acl: add http_auth and http_auth_group Add two acls to match http auth data: acl <name> http_auth(userlist) acl <name> http_auth_hroup(userlist) group1 group2 (...)
2010-01-29 18:26:18 +00:00
{
MAJOR: acl: make use of the new sample struct and get rid of acl_test This change is invasive in lines of code but not much in terms of functionalities as it's mainly a replacement of struct acl_test with struct sample.
2012-04-23 14:16:37 +00:00
struct userlist *ul = smp->ctx.a[0];
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
struct auth_users *u;
struct auth_groups_list *agl;
[MINOR] acl: add http_auth and http_auth_group Add two acls to match http auth data: acl <name> http_auth(userlist) acl <name> http_auth_hroup(userlist) group1 group2 (...)
2010-01-29 18:26:18 +00:00
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
/* Check if the userlist is present in the context data. */
if (!ul)
return PAT_NOMATCH;
/* Browse the userlist for searching user. */
for (u = ul->users; u; u = u->next) {
if (strcmp(smp->data.str.str, u->user) == 0)
break;
}
if (!u)
return 0;
/* Browse each group for searching group name that match the pattern. */
for (agl = u->u.groups; agl; agl = agl->next) {
if (strcmp(agl->group->name, pattern->ptr.str) == 0)
break;
}
if (!agl)
MEDIUM: pattern: rename "acl" prefix to "pat" This patch just renames functions, types and enums. No code was changed. A significant number of files were touched, especially the ACL arrays, so it is likely that some external patches will not apply anymore. One important thing is that we had to split ACL_PAT_* into two groups : - ACL_TEST_{PASS|MISS|FAIL} - PAT_{MATCH|UNMATCH} A future patch will enforce enums on all these places to avoid confusion.
2013-11-28 17:22:00 +00:00
return PAT_NOMATCH;
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 17:38:02 +00:00
return PAT_MATCH;
[MINOR] acl: add http_auth and http_auth_group Add two acls to match http auth data: acl <name> http_auth(userlist) acl <name> http_auth_hroup(userlist) group1 group2 (...)
2010-01-29 18:26:18 +00:00
}
Reference in New Issue Copy Permalink