RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-31 02:22:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
1e56f92693
haproxy/src/auth.c
Willy Tarreau aeed4a85d6 REORG: include: move log.h to haproxy/log{,-t}.h 
The current state of the logging is a real mess. The main problem is
that almost all files include log.h just in order to have access to
the alert/warning functions like ha_alert() etc, and don't care about
logs. But log.h also deals with real logging as well as log-format and
depends on stream.h and various other things. As such it forces a few
heavy files like stream.h to be loaded early and to hide missing
dependencies depending where it's loaded. Among the missing ones is
syslog.h which was often automatically included resulting in no less
than 3 users missing it.

Among 76 users, only 5 could be removed, and probably 70 don't need the
full set of dependencies.

A good approach would consist in splitting that file in 3 parts:
  - one for error output ("errors" ?).
  - one for log_format processing
  - and one for actual logging.
2020-06-11 10:18:58 +02:00

314 lines
6.8 KiB
C
Raw Blame History

/*
* User authentication & authorization
*
* Copyright 2010 Krzysztof Piotr Oledzki <ole@ans.pl>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
#ifdef USE_LIBCRYPT
/* This is to have crypt() defined on Linux */
#define _GNU_SOURCE
#ifdef USE_CRYPT_H
/* some platforms such as Solaris need this */
#include <crypt.h>
#endif
#endif /* USE_LIBCRYPT */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <haproxy/auth-t.h>
#include <haproxy/api.h>
#include <haproxy/global.h>
#include <haproxy/errors.h>
#include <haproxy/log.h>
#include <haproxy/pattern-t.h>
#include <haproxy/thread.h>
struct userlist *userlist = NULL; /* list of all existing userlists */
#ifdef USE_LIBCRYPT
#ifdef HA_HAVE_CRYPT_R
/* context for crypt_r() */
static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
#else
/* lock for crypt() */
__decl_thread(static HA_SPINLOCK_T auth_lock);
#endif
#endif
/* find targets for selected groups. The function returns pointer to
* the userlist struct ot NULL if name is NULL/empty or unresolvable.
*/
struct userlist *
auth_find_userlist(char *name)
{
struct userlist *l;
if (!name || !*name)
return NULL;
for (l = userlist; l; l = l->next)
if (!strcmp(l->name, name))
return l;
return NULL;
}
int check_group(struct userlist *ul, char *name)
{
struct auth_groups *ag;
for (ag = ul->groups; ag; ag = ag->next)
if (strcmp(name, ag->name) == 0)
return 1;
return 0;
}
void
userlist_free(struct userlist *ul)
{
struct userlist *tul;
struct auth_users *au, *tau;
struct auth_groups_list *agl, *tagl;
struct auth_groups *ag, *tag;
while (ul) {
/* Free users. */
au = ul->users;
while (au) {
/* Free groups that own current user. */
agl = au->u.groups;
while (agl) {
tagl = agl;
agl = agl->next;
free(tagl);
}
tau = au;
au = au->next;
free(tau->user);
free(tau->pass);
free(tau);
}
/* Free grouplist. */
ag = ul->groups;
while (ag) {
tag = ag;
ag = ag->next;
free(tag->name);
free(tag);
}
tul = ul;
ul = ul->next;
free(tul->name);
free(tul);
};
}
int userlist_postinit()
{
struct userlist *curuserlist = NULL;
/* Resolve usernames and groupnames. */
for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
struct auth_groups *ag;
struct auth_users *curuser;
struct auth_groups_list *grl;
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
char *group = NULL;
struct auth_groups_list *groups = NULL;
if (!curuser->u.groups_names)
continue;
while ((group = strtok(group?NULL:curuser->u.groups_names, ","))) {
for (ag = curuserlist->groups; ag; ag = ag->next) {
if (!strcmp(ag->name, group))
break;
}
if (!ag) {
ha_alert("userlist '%s': no such group '%s' specified in user '%s'\n",
curuserlist->name, group, curuser->user);
free(groups);
return ERR_ALERT | ERR_FATAL;
}
/* Add this group at the group userlist. */
grl = calloc(1, sizeof(*grl));
if (!grl) {
ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
curuserlist->name);
free(groups);
return ERR_ALERT | ERR_FATAL;
}
grl->group = ag;
grl->next = groups;
groups = grl;
}
free(curuser->u.groups);
curuser->u.groups = groups;
}
for (ag = curuserlist->groups; ag; ag = ag->next) {
char *user = NULL;
if (!ag->groupusers)
continue;
while ((user = strtok(user?NULL:ag->groupusers, ","))) {
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
if (!strcmp(curuser->user, user))
break;
}
if (!curuser) {
ha_alert("userlist '%s': no such user '%s' specified in group '%s'\n",
curuserlist->name, user, ag->name);
return ERR_ALERT | ERR_FATAL;
}
/* Add this group at the group userlist. */
grl = calloc(1, sizeof(*grl));
if (!grl) {
ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
curuserlist->name);
return ERR_ALERT | ERR_FATAL;
}
grl->group = ag;
grl->next = curuser->u.groups;
curuser->u.groups = grl;
}
free(ag->groupusers);
ag->groupusers = NULL;
}
#ifdef DEBUG_AUTH
for (ag = curuserlist->groups; ag; ag = ag->next) {
struct auth_groups_list *agl;
fprintf(stderr, "group %s, id %p, users:", ag->name, ag);
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
for (agl = curuser->u.groups; agl; agl = agl->next) {
if (agl->group == ag)
fprintf(stderr, " %s", curuser->user);
}
}
fprintf(stderr, "\n");
}
#endif
}
return ERR_NONE;
}
/*
* Authenticate and authorize user; return 1 if OK, 0 if case of error.
*/
int
check_user(struct userlist *ul, const char *user, const char *pass)
{
struct auth_users *u;
#ifdef DEBUG_AUTH
struct auth_groups_list *agl;
#endif
const char *ep;
#ifdef DEBUG_AUTH
fprintf(stderr, "req: userlist=%s, user=%s, pass=%s\n",
ul->name, user, pass);
#endif
for (u = ul->users; u; u = u->next)
if (!strcmp(user, u->user))
break;
if (!u)
return 0;
#ifdef DEBUG_AUTH
fprintf(stderr, "cfg: user=%s, pass=%s, flags=%X, groups=",
u->user, u->pass, u->flags);
for (agl = u->u.groups; agl; agl = agl->next)
fprintf(stderr, " %s", agl->group->name);
#endif
if (!(u->flags & AU_O_INSECURE)) {
#ifdef USE_LIBCRYPT
#ifdef HA_HAVE_CRYPT_R
ep = crypt_r(pass, u->pass, &crypt_data);
#else
HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);
ep = crypt(pass, u->pass);
HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);
#endif
#else
return 0;
#endif
} else
ep = pass;
#ifdef DEBUG_AUTH
fprintf(stderr, ", crypt=%s\n", ep);
#endif
if (ep && strcmp(ep, u->pass) == 0)
return 1;
else
return 0;
}
struct pattern *
pat_match_auth(struct sample *smp, struct pattern_expr *expr, int fill)
{
struct userlist *ul = smp->ctx.a[0];
struct pattern_list *lst;
struct auth_users *u;
struct auth_groups_list *agl;
struct pattern *pattern;
/* Check if the userlist is present in the context data. */
if (!ul)
return NULL;
/* Browse the userlist for searching user. */
for (u = ul->users; u; u = u->next) {
if (strcmp(smp->data.u.str.area, u->user) == 0)
break;
}
if (!u)
return NULL;
/* Browse each pattern. */
list_for_each_entry(lst, &expr->patterns, list) {
pattern = &lst->pat;
/* Browse each group for searching group name that match the pattern. */
for (agl = u->u.groups; agl; agl = agl->next) {
if (strcmp(agl->group->name, pattern->ptr.str) == 0)
return pattern;
}
}
return NULL;
}
REGISTER_BUILD_OPTS("Encrypted password support via crypt(3): yes");
Reference in New Issue View Git Blame Copy Permalink