2016-03-19 15:14:35 +00:00
|
|
|
#include "first.h"
|
|
|
|
|
|
2020-05-24 16:21:13 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
#include "sys-crypto-md.h" /* USE_LIB_CRYPTO */
|
|
|
|
|
|
2018-03-25 07:45:05 +00:00
|
|
|
#include "base.h"
|
2009-10-11 14:31:42 +00:00
|
|
|
#include "plugin.h"
|
|
|
|
|
#include "http_auth.h"
|
2018-09-09 05:50:33 +00:00
|
|
|
#include "http_header.h"
|
2009-10-11 14:31:42 +00:00
|
|
|
#include "log.h"
|
2005-02-20 14:27:00 +00:00
|
|
|
|
|
|
|
|
/**
|
2016-09-16 20:04:39 +00:00
|
|
|
* auth framework
|
2005-02-20 14:27:00 +00:00
|
|
|
*/
|
|
|
|
|
|
2016-08-18 17:54:53 +00:00
|
|
|
typedef struct {
|
2019-11-07 00:37:11 +00:00
|
|
|
const http_auth_backend_t *auth_backend;
|
|
|
|
|
const array *auth_require;
|
|
|
|
|
unsigned int auth_extern_authn;
|
2016-09-16 20:04:39 +00:00
|
|
|
} plugin_config;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
|
|
|
|
typedef struct {
|
2019-11-07 00:37:11 +00:00
|
|
|
PLUGIN_DATA;
|
|
|
|
|
plugin_config defaults;
|
|
|
|
|
plugin_config conf;
|
2016-09-16 20:04:39 +00:00
|
|
|
} plugin_data;
|
|
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
static handler_t mod_auth_check_basic(request_st *r, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
|
|
|
|
|
static handler_t mod_auth_check_digest(request_st *r, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
|
|
|
|
|
static handler_t mod_auth_check_extern(request_st *r, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2005-02-20 14:27:00 +00:00
|
|
|
INIT_FUNC(mod_auth_init) {
|
2016-09-16 20:04:39 +00:00
|
|
|
static const http_auth_scheme_t http_auth_scheme_basic = { "basic", mod_auth_check_basic, NULL };
|
|
|
|
|
static const http_auth_scheme_t http_auth_scheme_digest = { "digest", mod_auth_check_digest, NULL };
|
|
|
|
|
static const http_auth_scheme_t http_auth_scheme_extern = { "extern", mod_auth_check_extern, NULL };
|
|
|
|
|
plugin_data *p;
|
2006-10-04 13:26:23 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
/* register http_auth_scheme_* */
|
|
|
|
|
http_auth_scheme_set(&http_auth_scheme_basic);
|
|
|
|
|
http_auth_scheme_set(&http_auth_scheme_digest);
|
|
|
|
|
http_auth_scheme_set(&http_auth_scheme_extern);
|
2006-10-04 13:26:23 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
p = calloc(1, sizeof(*p));
|
2006-10-04 13:26:23 +00:00
|
|
|
|
2005-02-20 14:27:00 +00:00
|
|
|
return p;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-19 08:39:40 +00:00
|
|
|
FREE_FUNC(mod_auth_free) {
|
|
|
|
|
plugin_data * const p = p_d;
|
2019-11-07 00:37:11 +00:00
|
|
|
if (NULL == p->cvlist) return;
|
|
|
|
|
/* (init i to 0 if global context; to 1 to skip empty global context) */
|
|
|
|
|
for (int i = !p->cvlist[0].v.u2[1], used = p->nconfig; i < used; ++i) {
|
|
|
|
|
config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
|
|
|
|
|
for (; -1 != cpv->k_id; ++cpv) {
|
|
|
|
|
if (cpv->vtype != T_CONFIG_LOCAL || NULL == cpv->v.v) continue;
|
|
|
|
|
switch (cpv->k_id) {
|
|
|
|
|
case 1: /* auth.require */
|
|
|
|
|
array_free(cpv->v.v);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-10-04 13:26:23 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
/* data type for mod_auth structured data
|
|
|
|
|
* (parsed from auth.require array of strings) */
|
|
|
|
|
typedef struct {
|
|
|
|
|
DATA_UNSET;
|
|
|
|
|
http_auth_require_t *require;
|
|
|
|
|
} data_auth;
|
|
|
|
|
|
|
|
|
|
static void data_auth_free(data_unset *d)
|
|
|
|
|
{
|
|
|
|
|
data_auth * const dauth = (data_auth *)d;
|
2019-10-13 07:37:59 +00:00
|
|
|
free(dauth->key.ptr);
|
2016-09-16 20:04:39 +00:00
|
|
|
http_auth_require_free(dauth->require);
|
|
|
|
|
free(dauth);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static data_auth *data_auth_init(void)
|
|
|
|
|
{
|
2018-09-23 02:12:51 +00:00
|
|
|
static const struct data_methods fn = {
|
|
|
|
|
NULL, /* copy must not be called on this data */
|
|
|
|
|
data_auth_free,
|
|
|
|
|
NULL, /* insert_dup must not be called on this data */
|
|
|
|
|
NULL /* print must not be called on this data */
|
|
|
|
|
};
|
2016-09-16 20:04:39 +00:00
|
|
|
data_auth * const dauth = calloc(1, sizeof(*dauth));
|
|
|
|
|
force_assert(NULL != dauth);
|
|
|
|
|
dauth->type = TYPE_OTHER;
|
2018-09-23 02:12:51 +00:00
|
|
|
dauth->fn = &fn;
|
2016-09-16 20:04:39 +00:00
|
|
|
|
|
|
|
|
dauth->require = http_auth_require_init();
|
|
|
|
|
|
|
|
|
|
return dauth;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-06 03:31:41 +00:00
|
|
|
static int mod_auth_algorithm_parse(http_auth_info_t *ai, const char *s) {
|
|
|
|
|
size_t len;
|
|
|
|
|
if (NULL == s) {
|
|
|
|
|
ai->dalgo = HTTP_AUTH_DIGEST_MD5;
|
|
|
|
|
ai->dlen = HTTP_AUTH_DIGEST_MD5_BINLEN;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
len = strlen(s);
|
|
|
|
|
if (len > 5
|
|
|
|
|
&& (s[len-5] ) == '-'
|
|
|
|
|
&& (s[len-4] | 0x20) == 's'
|
|
|
|
|
&& (s[len-3] | 0x20) == 'e'
|
|
|
|
|
&& (s[len-2] | 0x20) == 's'
|
|
|
|
|
&& (s[len-1] | 0x20) == 's') {
|
|
|
|
|
ai->dalgo = HTTP_AUTH_DIGEST_SESS;
|
|
|
|
|
len -= 5;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
ai->dalgo = HTTP_AUTH_DIGEST_NONE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (3 == len
|
|
|
|
|
&& 'm' == (s[0] | 0x20)
|
|
|
|
|
&& 'd' == (s[1] | 0x20)
|
|
|
|
|
&& '5' == (s[2] )) {
|
|
|
|
|
ai->dalgo |= HTTP_AUTH_DIGEST_MD5;
|
|
|
|
|
ai->dlen = HTTP_AUTH_DIGEST_MD5_BINLEN;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2020-02-25 05:39:23 +00:00
|
|
|
#ifdef USE_LIB_CRYPTO
|
2019-03-06 03:31:41 +00:00
|
|
|
else if (len >= 7
|
|
|
|
|
&& 's' == (s[0] | 0x20)
|
|
|
|
|
&& 'h' == (s[1] | 0x20)
|
|
|
|
|
&& 'a' == (s[2] | 0x20)
|
|
|
|
|
&& '-' == (s[3] )) {
|
|
|
|
|
if (len == 7 && s[4] == '2' && s[5] == '5' && s[6] == '6') {
|
|
|
|
|
ai->dalgo |= HTTP_AUTH_DIGEST_SHA256;
|
|
|
|
|
ai->dlen = HTTP_AUTH_DIGEST_SHA256_BINLEN;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2020-05-24 16:21:13 +00:00
|
|
|
#ifdef USE_LIB_CRYPTO_SHA512_256
|
2019-03-06 03:31:41 +00:00
|
|
|
if (len == 11 && 0 == memcmp(s+4, "512-256", 7)) {
|
|
|
|
|
ai->dalgo |= HTTP_AUTH_DIGEST_SHA512_256;
|
|
|
|
|
ai->dlen = HTTP_AUTH_DIGEST_SHA512_256_BINLEN;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
return 0; /*(error)*/
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int mod_auth_algorithms_parse(int *algorithm, buffer *algos) {
|
|
|
|
|
for (char *s = algos->ptr, *p; s; s = p ? p+1 : NULL) {
|
|
|
|
|
http_auth_info_t ai;
|
|
|
|
|
int rc;
|
|
|
|
|
p = strchr(s, '|');
|
|
|
|
|
if (p) *p = '\0';
|
|
|
|
|
rc = mod_auth_algorithm_parse(&ai, s);
|
|
|
|
|
if (p) *p = '|';
|
|
|
|
|
if (!rc) return 0;
|
|
|
|
|
*algorithm |= ai.dalgo;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-05 04:01:41 +00:00
|
|
|
static int mod_auth_require_parse (http_auth_require_t * const require, const buffer *b, log_error_st *errh)
|
2016-09-16 20:04:39 +00:00
|
|
|
{
|
|
|
|
|
/* user=name1|user=name2|group=name3|host=name4 */
|
|
|
|
|
|
|
|
|
|
const char *str = b->ptr;
|
|
|
|
|
const char *p;
|
|
|
|
|
|
|
|
|
|
if (buffer_is_equal_string(b, CONST_STR_LEN("valid-user"))) {
|
|
|
|
|
require->valid_user = 1;
|
|
|
|
|
return 1; /* success */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
const char *eq;
|
|
|
|
|
size_t len;
|
|
|
|
|
p = strchr(str, '|');
|
|
|
|
|
len = NULL != p ? (size_t)(p - str) : strlen(str);
|
|
|
|
|
eq = memchr(str, '=', len);
|
|
|
|
|
if (NULL == eq) {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"error parsing auth.require 'require' field: missing '=' "
|
|
|
|
|
"(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\"). "
|
|
|
|
|
"error value: %s error near: %s", b->ptr, str);
|
2016-09-16 20:04:39 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
2019-02-10 23:18:31 +00:00
|
|
|
if (eq[1] == '|' || eq[1] == '\0') {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"error parsing auth.require 'require' field: "
|
|
|
|
|
"missing token after '=' "
|
|
|
|
|
"(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\"). "
|
|
|
|
|
"error value: %s error near: %s", b->ptr, str);
|
2016-09-16 20:04:39 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch ((int)(eq - str)) {
|
|
|
|
|
case 4:
|
|
|
|
|
if (0 == memcmp(str, CONST_STR_LEN("user"))) {
|
2018-09-21 20:56:08 +00:00
|
|
|
/*("user=" is 5)*/
|
2019-11-22 05:22:01 +00:00
|
|
|
array_set_key_value(&require->user, str+5, len-5, CONST_STR_LEN(""));
|
2016-09-16 20:04:39 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
else if (0 == memcmp(str, CONST_STR_LEN("host"))) {
|
2018-09-21 20:56:08 +00:00
|
|
|
/*("host=" is 5)*/
|
2019-11-22 05:22:01 +00:00
|
|
|
array_set_key_value(&require->host, str+5, len-5, CONST_STR_LEN(""));
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"warning parsing auth.require 'require' field: "
|
|
|
|
|
"'host' not implemented; field value: %s", b->ptr);
|
2016-09-16 20:04:39 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break; /* to error */
|
|
|
|
|
case 5:
|
|
|
|
|
if (0 == memcmp(str, CONST_STR_LEN("group"))) {
|
2018-09-21 20:56:08 +00:00
|
|
|
/*("group=" is 6)*/
|
2019-11-22 05:22:01 +00:00
|
|
|
array_set_key_value(&require->group, str+6, len-6, CONST_STR_LEN(""));
|
2017-01-10 03:45:57 +00:00
|
|
|
#if 0/*(supported by mod_authn_ldap, but not all other backends)*/
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"warning parsing auth.require 'require' field: "
|
|
|
|
|
"'group' not implemented; field value: %s", b->ptr);
|
2017-01-10 03:45:57 +00:00
|
|
|
#endif
|
2016-09-16 20:04:39 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break; /* to error */
|
|
|
|
|
case 10:
|
|
|
|
|
if (0 == memcmp(str, CONST_STR_LEN("valid-user"))) {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"error parsing auth.require 'require' field: "
|
|
|
|
|
"valid user can not be combined with other require rules "
|
|
|
|
|
"(expecting \"valid-user\" or "
|
|
|
|
|
"\"user=a|user=b|group=g|host=h\"). error value: %s", b->ptr);
|
2016-09-16 20:04:39 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
break; /* to error */
|
|
|
|
|
default:
|
|
|
|
|
break; /* to error */
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"error parsing auth.require 'require' field: "
|
|
|
|
|
"invalid/unsupported token "
|
|
|
|
|
"(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\"). "
|
|
|
|
|
"error value: %s error near: %s", b->ptr, str);
|
2016-09-16 20:04:39 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
} while (p && *((str = p+1)));
|
|
|
|
|
|
|
|
|
|
return 1; /* success */
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-05 04:01:41 +00:00
|
|
|
static handler_t mod_auth_require_parse_array(const array *value, array * const auth_require, log_error_st *errh)
|
2019-11-07 00:37:11 +00:00
|
|
|
{
|
|
|
|
|
for (uint32_t n = 0; n < value->used; ++n) {
|
2016-09-16 20:04:39 +00:00
|
|
|
size_t m;
|
2019-11-07 00:37:11 +00:00
|
|
|
data_array *da_file = (data_array *)value->data[n];
|
2016-09-16 20:04:39 +00:00
|
|
|
const buffer *method = NULL, *realm = NULL, *require = NULL;
|
2020-02-04 02:08:34 +00:00
|
|
|
const buffer *nonce_secret = NULL;
|
2016-09-16 20:04:39 +00:00
|
|
|
const http_auth_scheme_t *auth_scheme;
|
2019-03-06 03:31:41 +00:00
|
|
|
buffer *algos = NULL;
|
|
|
|
|
int algorithm = HTTP_AUTH_DIGEST_SESS;
|
2016-09-16 20:04:39 +00:00
|
|
|
|
2019-10-13 21:06:05 +00:00
|
|
|
if (!array_is_kvstring(&da_file->value)) {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"unexpected value for auth.require; expected "
|
|
|
|
|
"auth.require = ( \"urlpath\" => ( \"option\" => \"value\" ) )");
|
2016-09-16 20:04:39 +00:00
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-13 21:06:05 +00:00
|
|
|
for (m = 0; m < da_file->value.used; m++) {
|
|
|
|
|
if (da_file->value.data[m]->type == TYPE_STRING) {
|
|
|
|
|
data_string *ds = (data_string *)da_file->value.data[m];
|
2019-10-13 07:37:59 +00:00
|
|
|
if (buffer_is_equal_string(&ds->key, CONST_STR_LEN("method"))) {
|
2019-10-13 08:59:57 +00:00
|
|
|
method = &ds->value;
|
2019-10-13 07:37:59 +00:00
|
|
|
} else if (buffer_is_equal_string(&ds->key, CONST_STR_LEN("realm"))) {
|
2019-10-13 08:59:57 +00:00
|
|
|
realm = &ds->value;
|
2019-10-13 07:37:59 +00:00
|
|
|
} else if (buffer_is_equal_string(&ds->key, CONST_STR_LEN("require"))) {
|
2019-10-13 08:59:57 +00:00
|
|
|
require = &ds->value;
|
2019-10-13 07:37:59 +00:00
|
|
|
} else if (buffer_is_equal_string(&ds->key, CONST_STR_LEN("algorithm"))) {
|
2019-10-13 08:59:57 +00:00
|
|
|
algos = &ds->value;
|
2020-02-04 02:08:34 +00:00
|
|
|
} else if (buffer_is_equal_string(&ds->key, CONST_STR_LEN("nonce_secret"))) {
|
|
|
|
|
nonce_secret = &ds->value;
|
2016-09-16 20:04:39 +00:00
|
|
|
} else {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"the field is unknown in: "
|
|
|
|
|
"auth.require = ( \"...\" => ( ..., -> \"%s\" <- => \"...\" ) )",
|
|
|
|
|
da_file->value.data[m]->key.ptr);
|
2016-09-16 20:04:39 +00:00
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"a string was expected for: "
|
|
|
|
|
"auth.require = ( \"...\" => ( ..., -> \"%s\" <- => \"...\" ) )",
|
|
|
|
|
da_file->value.data[m]->key.ptr);
|
2016-09-16 20:04:39 +00:00
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (buffer_string_is_empty(method)) {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"the method field is missing or blank in: "
|
|
|
|
|
"auth.require = ( \"...\" => ( ..., \"method\" => \"...\" ) )");
|
2016-09-16 20:04:39 +00:00
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
} else {
|
|
|
|
|
auth_scheme = http_auth_scheme_get(method);
|
|
|
|
|
if (NULL == auth_scheme) {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"unknown method %s (e.g. \"basic\", \"digest\" or \"extern\") in "
|
|
|
|
|
"auth.require = ( \"...\" => ( ..., \"method\" => \"...\") )", method->ptr);
|
2016-09-16 20:04:39 +00:00
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (buffer_is_empty(realm)) {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"the realm field is missing in: "
|
|
|
|
|
"auth.require = ( \"...\" => ( ..., \"realm\" => \"...\" ) )");
|
2016-09-16 20:04:39 +00:00
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (buffer_string_is_empty(require)) {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"the require field is missing or blank in: "
|
|
|
|
|
"auth.require = ( \"...\" => ( ..., \"require\" => \"...\" ) )");
|
2016-09-16 20:04:39 +00:00
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-06 03:31:41 +00:00
|
|
|
if (buffer_string_is_empty(algos)) {
|
|
|
|
|
algorithm |= HTTP_AUTH_DIGEST_MD5;
|
|
|
|
|
} else if (!mod_auth_algorithms_parse(&algorithm, algos)) {
|
2019-12-05 04:01:41 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"invalid algorithm in: "
|
|
|
|
|
"auth.require = ( \"...\" => ( ..., \"algorithm\" => \"...\" ) )");
|
2019-03-06 03:31:41 +00:00
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2016-10-16 05:34:40 +00:00
|
|
|
if (require) { /*(always true at this point)*/
|
2016-09-16 20:04:39 +00:00
|
|
|
data_auth * const dauth = data_auth_init();
|
2019-10-13 07:37:59 +00:00
|
|
|
buffer_copy_buffer(&dauth->key, &da_file->key);
|
2016-09-16 20:04:39 +00:00
|
|
|
dauth->require->scheme = auth_scheme;
|
2019-03-06 03:31:41 +00:00
|
|
|
dauth->require->algorithm = algorithm;
|
2019-11-22 05:22:01 +00:00
|
|
|
dauth->require->realm = realm;
|
2020-02-04 02:08:34 +00:00
|
|
|
dauth->require->nonce_secret = nonce_secret; /*(NULL is ok)*/
|
2019-12-05 04:01:41 +00:00
|
|
|
if (!mod_auth_require_parse(dauth->require, require, errh)) {
|
2018-09-23 02:12:51 +00:00
|
|
|
dauth->fn->free((data_unset *)dauth);
|
2016-09-16 20:04:39 +00:00
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
2019-11-07 00:37:11 +00:00
|
|
|
array_insert_unique(auth_require, (data_unset *)dauth);
|
2016-09-16 20:04:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
static void mod_auth_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
|
|
|
|
|
switch (cpv->k_id) { /* index into static config_plugin_keys_t cpk[] */
|
|
|
|
|
case 0: /* auth.backend */
|
|
|
|
|
if (cpv->vtype == T_CONFIG_LOCAL)
|
|
|
|
|
pconf->auth_backend = cpv->v.v;
|
|
|
|
|
break;
|
|
|
|
|
case 1: /* auth.require */
|
|
|
|
|
if (cpv->vtype == T_CONFIG_LOCAL)
|
|
|
|
|
pconf->auth_require = cpv->v.v;
|
|
|
|
|
break;
|
|
|
|
|
case 2: /* auth.extern-authn */
|
|
|
|
|
pconf->auth_extern_authn = cpv->v.u;
|
|
|
|
|
default:/* should not happen */
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void mod_auth_merge_config(plugin_config * const pconf, const config_plugin_value_t *cpv) {
|
|
|
|
|
do {
|
|
|
|
|
mod_auth_merge_config_cpv(pconf, cpv);
|
|
|
|
|
} while ((++cpv)->k_id != -1);
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
static void mod_auth_patch_config(request_st * const r, plugin_data * const p) {
|
2020-01-11 16:07:43 +00:00
|
|
|
p->conf = p->defaults; /* copy small struct instead of memcpy() */
|
|
|
|
|
/*memcpy(&p->conf, &p->defaults, sizeof(plugin_config));*/
|
2019-11-07 00:37:11 +00:00
|
|
|
for (int i = 1, used = p->nconfig; i < used; ++i) {
|
2020-01-13 02:51:12 +00:00
|
|
|
if (config_check_cond(r, (uint32_t)p->cvlist[i].k_id))
|
2019-11-07 00:37:11 +00:00
|
|
|
mod_auth_merge_config(&p->conf, p->cvlist + p->cvlist[i].v.u2[0]);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SETDEFAULTS_FUNC(mod_auth_set_defaults) {
|
|
|
|
|
static const config_plugin_keys_t cpk[] = {
|
|
|
|
|
{ CONST_STR_LEN("auth.backend"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.require"),
|
2019-12-08 00:15:55 +00:00
|
|
|
T_CONFIG_ARRAY_KVARRAY,
|
2019-11-07 00:37:11 +00:00
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.extern-authn"),
|
|
|
|
|
T_CONFIG_BOOL,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ NULL, 0,
|
|
|
|
|
T_CONFIG_UNSET,
|
|
|
|
|
T_CONFIG_SCOPE_UNSET }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
plugin_data * const p = p_d;
|
|
|
|
|
if (!config_plugin_values_init(srv, p, cpk, "mod_auth"))
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
|
|
|
|
|
/* process and validate config directives
|
|
|
|
|
* (init i to 0 if global context; to 1 to skip empty global context) */
|
|
|
|
|
for (int i = !p->cvlist[0].v.u2[1]; i < p->nconfig; ++i) {
|
|
|
|
|
config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
|
|
|
|
|
for (; -1 != cpv->k_id; ++cpv) {
|
|
|
|
|
switch (cpv->k_id) {
|
|
|
|
|
case 0: /* auth.backend */
|
|
|
|
|
if (!buffer_string_is_empty(cpv->v.b)) {
|
|
|
|
|
const http_auth_backend_t * const auth_backend =
|
|
|
|
|
http_auth_backend_get(cpv->v.b);
|
|
|
|
|
if (NULL == auth_backend) {
|
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"auth.backend not supported: %s", cpv->v.b->ptr);
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
*(const http_auth_backend_t **)&cpv->v.v = auth_backend;
|
|
|
|
|
cpv->vtype = T_CONFIG_LOCAL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case 1: /* auth.require */
|
2019-12-08 00:15:55 +00:00
|
|
|
{
|
2019-11-22 05:57:48 +00:00
|
|
|
array * const a = array_init(4);
|
2019-11-07 00:37:11 +00:00
|
|
|
if (HANDLER_GO_ON !=
|
2019-12-05 04:01:41 +00:00
|
|
|
mod_auth_require_parse_array(cpv->v.a, a, srv->errh)) {
|
2019-11-07 00:37:11 +00:00
|
|
|
array_free(a);
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
cpv->v.a = a;
|
|
|
|
|
cpv->vtype = T_CONFIG_LOCAL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case 2: /* auth.extern-authn */
|
|
|
|
|
break;
|
|
|
|
|
default:/* should not happen */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* initialize p->defaults from global config context */
|
|
|
|
|
if (p->nconfig > 0 && p->cvlist->v.u2[1]) {
|
|
|
|
|
const config_plugin_value_t *cpv = p->cvlist + p->cvlist->v.u2[0];
|
|
|
|
|
if (-1 != cpv->k_id)
|
|
|
|
|
mod_auth_merge_config(&p->defaults, cpv);
|
|
|
|
|
}
|
2006-10-04 13:26:23 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
return HANDLER_GO_ON;
|
2005-02-20 14:27:00 +00:00
|
|
|
}
|
|
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
static handler_t mod_auth_uri_handler(request_st * const r, void *p_d) {
|
2016-09-16 20:04:39 +00:00
|
|
|
plugin_data *p = p_d;
|
2018-09-16 21:27:54 +00:00
|
|
|
data_auth *dauth;
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
mod_auth_patch_config(r, p);
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
if (p->conf.auth_require == NULL) return HANDLER_GO_ON;
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
/* search auth directives for first prefix match against URL path */
|
2018-09-16 21:27:54 +00:00
|
|
|
/* if we have a case-insensitive FS we have to lower-case the URI here too */
|
2020-01-13 02:51:12 +00:00
|
|
|
dauth = (!r->conf.force_lowercase_filenames)
|
|
|
|
|
? (data_auth *)array_match_key_prefix(p->conf.auth_require, &r->uri.path)
|
|
|
|
|
: (data_auth *)array_match_key_prefix_nc(p->conf.auth_require, &r->uri.path);
|
2018-09-16 21:27:54 +00:00
|
|
|
if (NULL == dauth) return HANDLER_GO_ON;
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2018-09-16 21:27:54 +00:00
|
|
|
{
|
2016-09-16 20:04:39 +00:00
|
|
|
const http_auth_scheme_t * const scheme = dauth->require->scheme;
|
2016-12-22 08:10:38 +00:00
|
|
|
if (p->conf.auth_extern_authn) {
|
2020-01-13 02:51:12 +00:00
|
|
|
const buffer *vb = http_header_env_get(r, CONST_STR_LEN("REMOTE_USER"));
|
2018-09-09 05:50:33 +00:00
|
|
|
if (NULL != vb && http_auth_match_rules(dauth->require, vb->ptr, NULL, NULL)) {
|
2016-12-22 08:10:38 +00:00
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-01-13 02:51:12 +00:00
|
|
|
return scheme->checkfn(r, scheme->p_d, dauth->require, p->conf.auth_backend);
|
2016-09-16 20:04:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
int mod_auth_plugin_init(plugin *p);
|
|
|
|
|
int mod_auth_plugin_init(plugin *p) {
|
|
|
|
|
p->version = LIGHTTPD_VERSION_ID;
|
2019-10-19 04:30:54 +00:00
|
|
|
p->name = "auth";
|
2016-09-16 20:04:39 +00:00
|
|
|
p->init = mod_auth_init;
|
|
|
|
|
p->set_defaults = mod_auth_set_defaults;
|
|
|
|
|
p->handle_uri_clean = mod_auth_uri_handler;
|
|
|
|
|
p->cleanup = mod_auth_free;
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
2016-08-14 17:18:11 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
/*
|
|
|
|
|
* auth schemes (basic, digest, extern)
|
|
|
|
|
*
|
|
|
|
|
* (could be in separate file from mod_auth.c as long as registration occurs)
|
|
|
|
|
*/
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2020-05-24 16:21:13 +00:00
|
|
|
#include "sys-crypto-md.h"
|
2016-09-16 20:04:39 +00:00
|
|
|
#include "base64.h"
|
2016-10-13 07:10:10 +00:00
|
|
|
#include "rand.h"
|
2018-09-09 05:50:33 +00:00
|
|
|
#include "http_header.h"
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2019-11-25 06:54:08 +00:00
|
|
|
__attribute_cold__
|
2020-01-13 02:51:12 +00:00
|
|
|
static handler_t mod_auth_send_400_bad_request(request_st * const r) {
|
2016-08-18 17:54:53 +00:00
|
|
|
|
|
|
|
|
/* a field was missing or invalid */
|
2020-01-13 02:51:12 +00:00
|
|
|
r->http_status = 400; /* Bad Request */
|
|
|
|
|
r->handler_module = NULL;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
|
|
|
|
return HANDLER_FINISHED;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
static handler_t mod_auth_send_401_unauthorized_basic(request_st * const r, const buffer * const realm) {
|
|
|
|
|
r->http_status = 401;
|
|
|
|
|
r->handler_module = NULL;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
buffer * const tb = r->tmp_buf;
|
2019-11-25 06:54:08 +00:00
|
|
|
buffer_copy_string_len(tb, CONST_STR_LEN("Basic realm=\""));
|
|
|
|
|
buffer_append_string_buffer(tb, realm);
|
|
|
|
|
buffer_append_string_len(tb, CONST_STR_LEN("\", charset=\"UTF-8\""));
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
http_header_response_set(r, HTTP_HEADER_OTHER, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(tb));
|
2016-08-18 17:54:53 +00:00
|
|
|
|
|
|
|
|
return HANDLER_FINISHED;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
static handler_t mod_auth_check_basic(request_st * const r, void *p_d, const struct http_auth_require_t * const require, const struct http_auth_backend_t * const backend) {
|
|
|
|
|
const buffer *b = http_header_request_get(r, HTTP_HEADER_AUTHORIZATION, CONST_STR_LEN("Authorization"));
|
2016-09-16 20:04:39 +00:00
|
|
|
buffer *username;
|
|
|
|
|
char *pw;
|
|
|
|
|
handler_t rc = HANDLER_UNSET;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
UNUSED(p_d);
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-16 20:04:39 +00:00
|
|
|
if (NULL == backend) {
|
2020-01-13 02:51:12 +00:00
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, "auth.backend not configured for %s", r->uri.path.ptr);
|
|
|
|
|
r->http_status = 500;
|
|
|
|
|
r->handler_module = NULL;
|
2016-09-16 20:04:39 +00:00
|
|
|
return HANDLER_FINISHED;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-09 05:50:33 +00:00
|
|
|
if (NULL == b) {
|
2020-01-13 02:51:12 +00:00
|
|
|
return mod_auth_send_401_unauthorized_basic(r, require->realm);
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
2016-08-14 17:18:11 +00:00
|
|
|
|
2019-06-06 05:49:38 +00:00
|
|
|
if (!buffer_eq_icase_ssn(b->ptr, CONST_STR_LEN("Basic "))) {
|
2020-01-13 02:51:12 +00:00
|
|
|
return mod_auth_send_401_unauthorized_basic(r, require->realm);
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
2017-08-12 19:39:12 +00:00
|
|
|
#ifdef __COVERITY__
|
2018-09-09 05:50:33 +00:00
|
|
|
if (buffer_string_length(b) < sizeof("Basic ")-1) {
|
2020-01-13 02:51:12 +00:00
|
|
|
return mod_auth_send_400_bad_request(r);
|
2017-08-12 19:39:12 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
2016-08-14 17:18:11 +00:00
|
|
|
|
|
|
|
|
username = buffer_init();
|
|
|
|
|
|
2016-09-23 09:46:01 +00:00
|
|
|
/* coverity[overflow_sink : FALSE] */
|
2016-09-16 20:04:39 +00:00
|
|
|
if (!buffer_append_base64_decode(username, b->ptr+sizeof("Basic ")-1, buffer_string_length(b)-(sizeof("Basic ")-1), BASE64_STANDARD)) {
|
2020-01-13 02:51:12 +00:00
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, "decoding base64-string failed %s", b->ptr+sizeof("Basic ")-1);
|
2016-08-14 17:18:11 +00:00
|
|
|
|
|
|
|
|
buffer_free(username);
|
2020-01-13 02:51:12 +00:00
|
|
|
return mod_auth_send_400_bad_request(r);
|
2016-08-14 17:18:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* r2 == user:password */
|
|
|
|
|
if (NULL == (pw = strchr(username->ptr, ':'))) {
|
2020-01-13 02:51:12 +00:00
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, "missing ':' in %s", username->ptr);
|
2016-08-14 17:18:11 +00:00
|
|
|
|
|
|
|
|
buffer_free(username);
|
2020-01-13 02:51:12 +00:00
|
|
|
return mod_auth_send_400_bad_request(r);
|
2016-08-14 17:18:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buffer_string_set_length(username, pw - username->ptr);
|
|
|
|
|
pw++;
|
|
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
rc = backend->basic(r, backend->p_d, require, username, pw);
|
2016-09-16 20:04:39 +00:00
|
|
|
switch (rc) {
|
2016-08-18 17:54:53 +00:00
|
|
|
case HANDLER_GO_ON:
|
2020-01-13 02:51:12 +00:00
|
|
|
http_auth_setenv(r, CONST_BUF_LEN(username), CONST_STR_LEN("Basic"));
|
2016-08-18 17:54:53 +00:00
|
|
|
break;
|
|
|
|
|
case HANDLER_WAIT_FOR_EVENT:
|
|
|
|
|
case HANDLER_FINISHED:
|
2016-09-16 20:04:39 +00:00
|
|
|
break;
|
2016-08-18 17:54:53 +00:00
|
|
|
case HANDLER_ERROR:
|
|
|
|
|
default:
|
2020-01-13 02:51:12 +00:00
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__,
|
2019-11-25 06:54:08 +00:00
|
|
|
"password doesn't match for %s username: %s IP: %s",
|
2020-01-13 02:51:12 +00:00
|
|
|
r->uri.path.ptr, username->ptr, r->con->dst_addr_buf->ptr);
|
|
|
|
|
r->keep_alive = 0; /*(disable keep-alive if bad password)*/
|
2016-09-16 20:04:39 +00:00
|
|
|
rc = HANDLER_UNSET;
|
|
|
|
|
break;
|
2016-08-14 17:18:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buffer_free(username);
|
2020-01-13 02:51:12 +00:00
|
|
|
return (HANDLER_UNSET != rc) ? rc : mod_auth_send_401_unauthorized_basic(r, require->realm);
|
2016-08-14 17:18:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2020-02-25 05:39:23 +00:00
|
|
|
#ifdef USE_LIB_CRYPTO
|
2019-03-06 03:31:41 +00:00
|
|
|
|
|
|
|
|
static void mod_auth_digest_mutate_sha256(http_auth_info_t *ai, const char *m, const char *uri, const char *nonce, const char *cnonce, const char *nc, const char *qop) {
|
|
|
|
|
SHA256_CTX ctx;
|
|
|
|
|
char a1[HTTP_AUTH_DIGEST_SHA256_BINLEN*2+1];
|
|
|
|
|
char a2[HTTP_AUTH_DIGEST_SHA256_BINLEN*2+1];
|
|
|
|
|
|
|
|
|
|
if (ai->dalgo & HTTP_AUTH_DIGEST_SESS) {
|
|
|
|
|
SHA256_Init(&ctx);
|
|
|
|
|
li_tohex(a1, sizeof(a1), (const char *)ai->digest, ai->dlen);
|
|
|
|
|
SHA256_Update(&ctx, (unsigned char *)a1, sizeof(a1)-1);
|
|
|
|
|
SHA256_Update(&ctx, CONST_STR_LEN(":"));
|
|
|
|
|
SHA256_Update(&ctx, (unsigned char *)nonce, strlen(nonce));
|
|
|
|
|
SHA256_Update(&ctx, CONST_STR_LEN(":"));
|
|
|
|
|
SHA256_Update(&ctx, (unsigned char *)cnonce, strlen(cnonce));
|
|
|
|
|
SHA256_Final(ai->digest, &ctx);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
li_tohex(a1, sizeof(a1), (const char *)ai->digest, ai->dlen);
|
|
|
|
|
|
|
|
|
|
/* calculate H(A2) */
|
|
|
|
|
SHA256_Init(&ctx);
|
|
|
|
|
SHA256_Update(&ctx, (unsigned char *)m, strlen(m));
|
|
|
|
|
SHA256_Update(&ctx, CONST_STR_LEN(":"));
|
|
|
|
|
SHA256_Update(&ctx, (unsigned char *)uri, strlen(uri));
|
|
|
|
|
#if 0
|
|
|
|
|
/* qop=auth-int not supported, already checked in caller */
|
2019-06-05 01:45:44 +00:00
|
|
|
if (qop && buffer_eq_icase_ss(qop, strlen(qop), CONST_STR_LEN("auth-int"))){
|
2019-03-06 03:31:41 +00:00
|
|
|
SHA256_Update(&ctx, CONST_STR_LEN(":"));
|
|
|
|
|
SHA256_Update(&ctx, (unsigned char *) [body checksum], ai->dlen*2);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
SHA256_Final(ai->digest, &ctx);
|
|
|
|
|
li_tohex(a2, sizeof(a2), (const char *)ai->digest, ai->dlen);
|
|
|
|
|
|
|
|
|
|
/* calculate response */
|
|
|
|
|
SHA256_Init(&ctx);
|
|
|
|
|
SHA256_Update(&ctx, (unsigned char *)a1, sizeof(a1)-1);
|
|
|
