upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-03-24 19:33:38 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 14
haproxy/src/auth.c
Willy Tarreau f268ee8795 REORG: include: split global.h into haproxy/global{,-t}.h 
global.h was one of the messiest files, it has accumulated tons of
implicit dependencies and declares many globals that make almost all
other file include it. It managed to silence a dependency loop between
server.h and proxy.h by being well placed to pre-define the required
structs, forcing struct proxy and struct server to be forward-declared
in a significant number of files.

It was split in to, one which is the global struct definition and the
few macros and flags, and the rest containing the functions prototypes.

The UNIX_MAX_PATH definition was moved to compat.h.
2020-06-11 10:18:58 +02:00

315 lines
6.8 KiB
C
Raw Blame History

/*
* User authentication & authorization
*
* Copyright 2010 Krzysztof Piotr Oledzki <ole@ans.pl>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
#ifdef USE_LIBCRYPT
/* This is to have crypt() defined on Linux */
#define _GNU_SOURCE
#ifdef USE_CRYPT_H
/* some platforms such as Solaris need this */
#include <crypt.h>
#endif
#endif /* USE_LIBCRYPT */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <haproxy/auth-t.h>
#include <haproxy/api.h>
#include <haproxy/global.h>
#include <haproxy/errors.h>
#include <haproxy/pattern-t.h>
#include <haproxy/thread.h>
#include <proto/acl.h>
#include <proto/log.h>
struct userlist *userlist = NULL; /* list of all existing userlists */
#ifdef USE_LIBCRYPT
#ifdef HA_HAVE_CRYPT_R
/* context for crypt_r() */
static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
#else
/* lock for crypt() */
__decl_thread(static HA_SPINLOCK_T auth_lock);
#endif
#endif
/* find targets for selected groups. The function returns pointer to
* the userlist struct ot NULL if name is NULL/empty or unresolvable.
*/
struct userlist *
auth_find_userlist(char *name)
{
struct userlist *l;
if (!name || !*name)
return NULL;
for (l = userlist; l; l = l->next)
if (!strcmp(l->name, name))
return l;
return NULL;
}
int check_group(struct userlist *ul, char *name)
{
struct auth_groups *ag;
for (ag = ul->groups; ag; ag = ag->next)
if (strcmp(name, ag->name) == 0)
return 1;
return 0;
}
void
userlist_free(struct userlist *ul)
{
struct userlist *tul;
struct auth_users *au, *tau;
struct auth_groups_list *agl, *tagl;
struct auth_groups *ag, *tag;
while (ul) {
/* Free users. */
au = ul->users;
while (au) {
/* Free groups that own current user. */
agl = au->u.groups;
while (agl) {
tagl = agl;
agl = agl->next;
free(tagl);
}
tau = au;
au = au->next;
free(tau->user);
free(tau->pass);
free(tau);
}
/* Free grouplist. */
ag = ul->groups;
while (ag) {
tag = ag;
ag = ag->next;
free(tag->name);
free(tag);
}
tul = ul;
ul = ul->next;
free(tul->name);
free(tul);
};
}
int userlist_postinit()
{
struct userlist *curuserlist = NULL;
/* Resolve usernames and groupnames. */
for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
struct auth_groups *ag;
struct auth_users *curuser;
struct auth_groups_list *grl;
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
char *group = NULL;
struct auth_groups_list *groups = NULL;
if (!curuser->u.groups_names)
continue;
while ((group = strtok(group?NULL:curuser->u.groups_names, ","))) {
for (ag = curuserlist->groups; ag; ag = ag->next) {
if (!strcmp(ag->name, group))
break;
}
if (!ag) {
ha_alert("userlist '%s': no such group '%s' specified in user '%s'\n",
curuserlist->name, group, curuser->user);
free(groups);
return ERR_ALERT | ERR_FATAL;
}
/* Add this group at the group userlist. */
grl = calloc(1, sizeof(*grl));
if (!grl) {
ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
curuserlist->name);
free(groups);
return ERR_ALERT | ERR_FATAL;
}
grl->group = ag;
grl->next = groups;
groups = grl;
}
free(curuser->u.groups);
curuser->u.groups = groups;
}
for (ag = curuserlist->groups; ag; ag = ag->next) {
char *user = NULL;
if (!ag->groupusers)
continue;
while ((user = strtok(user?NULL:ag->groupusers, ","))) {
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
if (!strcmp(curuser->user, user))
break;
}
if (!curuser) {
ha_alert("userlist '%s': no such user '%s' specified in group '%s'\n",
curuserlist->name, user, ag->name);
return ERR_ALERT | ERR_FATAL;
}
/* Add this group at the group userlist. */
grl = calloc(1, sizeof(*grl));
if (!grl) {
ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
curuserlist->name);
return ERR_ALERT | ERR_FATAL;
}
grl->group = ag;
grl->next = curuser->u.groups;
curuser->u.groups = grl;
}
free(ag->groupusers);
ag->groupusers = NULL;
}
#ifdef DEBUG_AUTH
for (ag = curuserlist->groups; ag; ag = ag->next) {
struct auth_groups_list *agl;
fprintf(stderr, "group %s, id %p, users:", ag->name, ag);
for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
for (agl = curuser->u.groups; agl; agl = agl->next) {
if (agl->group == ag)
fprintf(stderr, " %s", curuser->user);
}
}
fprintf(stderr, "\n");
}
#endif
}
return ERR_NONE;
}
/*
* Authenticate and authorize user; return 1 if OK, 0 if case of error.
*/
int
check_user(struct userlist *ul, const char *user, const char *pass)
{
struct auth_users *u;
#ifdef DEBUG_AUTH
struct auth_groups_list *agl;
#endif
const char *ep;
#ifdef DEBUG_AUTH
fprintf(stderr, "req: userlist=%s, user=%s, pass=%s\n",
ul->name, user, pass);
#endif
for (u = ul->users; u; u = u->next)
if (!strcmp(user, u->user))
break;
if (!u)
return 0;
#ifdef DEBUG_AUTH
fprintf(stderr, "cfg: user=%s, pass=%s, flags=%X, groups=",
u->user, u->pass, u->flags);
for (agl = u->u.groups; agl; agl = agl->next)
fprintf(stderr, " %s", agl->group->name);
#endif
if (!(u->flags & AU_O_INSECURE)) {
#ifdef USE_LIBCRYPT
#ifdef HA_HAVE_CRYPT_R
ep = crypt_r(pass, u->pass, &crypt_data);
#else
HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);
ep = crypt(pass, u->pass);
HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);
#endif
#else
return 0;
#endif
} else
ep = pass;
#ifdef DEBUG_AUTH
fprintf(stderr, ", crypt=%s\n", ep);
#endif
if (ep && strcmp(ep, u->pass) == 0)
return 1;
else
return 0;
}
struct pattern *
pat_match_auth(struct sample *smp, struct pattern_expr *expr, int fill)
{
struct userlist *ul = smp->ctx.a[0];
struct pattern_list *lst;
struct auth_users *u;
struct auth_groups_list *agl;
struct pattern *pattern;
/* Check if the userlist is present in the context data. */
if (!ul)
return NULL;
/* Browse the userlist for searching user. */
for (u = ul->users; u; u = u->next) {
if (strcmp(smp->data.u.str.area, u->user) == 0)
break;
}
if (!u)
return NULL;
/* Browse each pattern. */
list_for_each_entry(lst, &expr->patterns, list) {
pattern = &lst->pat;
/* Browse each group for searching group name that match the pattern. */
for (agl = u->u.groups; agl; agl = agl->next) {
if (strcmp(agl->group->name, pattern->ptr.str) == 0)
return pattern;
}
}
return NULL;
}
REGISTER_BUILD_OPTS("Encrypted password support via crypt(3): yes");
Reference in a new issue View git blame Copy permalink