Browse Source

[mod_authn_sasl] SASL auth (new) (fixes #2275)

(experimental)

HTTP Basic authentication using saslauthd

server.modules += ( "mod_auth" )
server.modules += ( "mod_authn_sasl" )
auth.backend = "sasl"
auth.backend.sasl.opts = ( "pwcheck_method" => "saslauthd" ) # default

x-ref:
  "SASL auth like libapache2-mod-authn-sasl"
  https://redmine.lighttpd.net/issues/2275
personal/stbuehler/1.4.48-mod-proxy-fix
Glenn Strauss 4 years ago
parent
commit
d61714dd0d
  1. 10
      SConstruct
  2. 43
      configure.ac
  3. 2
      meson.build
  4. 5
      meson_options.txt
  5. 17
      src/CMakeLists.txt
  6. 8
      src/Makefile.am
  7. 3
      src/SConscript
  8. 19
      src/meson.build
  9. 283
      src/mod_authn_sasl.c

10
SConstruct

@ -247,6 +247,7 @@ vars.AddVariables(
BoolVariable('with_openssl', 'enable openssl support', 'no'),
PackageVariable('with_pcre', 'enable pcre support', 'yes'),
PackageVariable('with_pgsql', 'enable pgsql support', 'no'),
PackageVariable('with_sasl', 'enable SASL support', 'no'),
BoolVariable('with_sqlite3', 'enable sqlite3 support (required for webdav props)', 'no'),
BoolVariable('with_uuid', 'enable uuid support (required for webdav locks)', 'no'),
# with_valgrind not supported
@ -325,6 +326,7 @@ if 1:
LIBMYSQL = '',
LIBPCRE = '',
LIBPGSQL = '',
LIBSASL = '',
LIBSQLITE3 = '',
LIBSSL = '',
LIBUUID = '',
@ -583,6 +585,14 @@ if 1:
fail("Couldn't find libpq")
autoconf.env.Append(CPPFLAGS = [ '-DHAVE_PGSQL_H', '-DHAVE_LIBPGSQL' ])
if env['with_sasl']:
if not autoconf.CheckLibWithHeader('sasl2', 'sasl/sasl.h', 'C'):
fail("Couldn't find libsasl2")
autoconf.env.Append(
CPPFLAGS = [ '-DHAVE_SASL' ],
LIBSASL = 'sasl2',
)
if env['with_sqlite3']:
if not autoconf.CheckLibWithHeader('sqlite3', 'sqlite3.h', 'C'):
fail("Couldn't find sqlite3")

43
configure.ac

@ -328,8 +328,8 @@ DBI_LIBS=
if test "$WITH_DBI" != no; then
if test "$WITH_DBI" != yes; then
DBI_CFLAGS="-I$WITH_LIBDBI/include"
DBI_LIBS="-L$WITH_LIBDBI/lib -ldbi"
DBI_CFLAGS="-I$WITH_DBI/include"
DBI_LIBS="-L$WITH_DBI/lib -ldbi"
else
AC_CHECK_HEADERS([dbi/dbi.h],
[AC_CHECK_LIB([dbi], [dbi_version],
@ -350,6 +350,45 @@ AM_CONDITIONAL([BUILD_WITH_DBI], [test "$WITH_DBI" != no])
AC_SUBST([DBI_LIBS])
AC_SUBST([DBI_CFLAGS])
dnl Checks for libsasl2 library
AC_MSG_NOTICE([----------------------------------------])
AC_MSG_CHECKING([for LibSASL support])
AC_ARG_WITH([sasl],
[AC_HELP_STRING([--with-sasl@<:@=PATH@:>@],
[Include SASL support in PATH/include/sasl/sasl.h and PATH/lib]
)],
[WITH_SASL=$withval],
[WITH_SASL=no]
)
AC_MSG_RESULT([$WITH_SASL])
SASL_INCLUDE=
SASL_LIBS=
if test "$WITH_SASL" != no; then
if test "$WITH_SASL" != yes; then
SASL_CFLAGS="-I$WITH_SASL/include"
SASL_LIBS="-L$WITH_SASL/lib -lsasl2"
else
AC_CHECK_HEADERS([sasl/sasl.h],
[AC_CHECK_LIB([sasl2], [sasl_server_init],
[
SASL_CFLAGS=
SASL_LIBS="-lsasl2"
],
[AC_MSG_ERROR([libsasl2 not found])]
)],
[AC_MSG_ERROR([SASL header not found])]
)
fi
AC_DEFINE([HAVE_SASL], [1], [LibSASL support])
fi
AM_CONDITIONAL([BUILD_WITH_SASL], [test "$WITH_SASL" != no])
AC_SUBST([SASL_LIBS])
AC_SUBST([SASL_CFLAGS])
dnl Check for LDAP
AC_MSG_NOTICE([----------------------------------------])

2
meson.build

@ -10,7 +10,7 @@ subdir('tests')
# $ ninja
# full build:
# $ meson configure -D build_extra_warnings=true -D with_bzip=true -D with_dbi=true -D with_fam=true -D with_gdbm=true -D with_geoip=true -D with_krb5=true -D with_ldap=true -D with_libev=true -D with_libunwind=true -D with_lua=true -D with_memcached=true -D with_mysql=true -D with_openssl=true -D with_pcre=true -D with_pgsql=true -D with_webdav_locks=true -D with_webdav_props=true -D with_xattr=true -D with_zlib=true
# $ meson configure -D build_extra_warnings=true -D with_bzip=true -D with_dbi=true -D with_fam=true -D with_gdbm=true -D with_geoip=true -D with_krb5=true -D with_ldap=true -D with_libev=true -D with_libunwind=true -D with_lua=true -D with_memcached=true -D with_mysql=true -D with_openssl=true -D with_pcre=true -D with_pgsql=true -D with_sasl=true -D with_webdav_locks=true -D with_webdav_props=true -D with_xattr=true -D with_zlib=true
# optimized build:
# $ meson configure -D b_lto=true -D buildtype=debugoptimized

5
meson_options.txt

@ -73,6 +73,11 @@ option('with_pgsql',
value: false,
description: 'with postgres-support for mod_vhostdb_pgsql [default: off]',
)
option('with_sasl',
type: 'boolean',
value: false,
description: 'with SASL support for mod_authn_sasl [default: off]',
)
#option('with_valgrind',
# type: 'boolean',
# value: false,

17
src/CMakeLists.txt

@ -33,6 +33,7 @@ option(WITH_MEMCACHED "memcached storage for mod_trigger_b4_dl [default: off]")
option(WITH_LIBEV "libev support for fdevent handlers [default: off]")
option(WITH_LIBUNWIND "with libunwind to print backtraces in asserts [default: off]")
option(WITH_GEOIP "with GeoIP-support mod_geoip [default: off]")
option(WITH_SASL "with SASL-support for mod_authn_sasl [default: off]")
if(CMAKE_C_COMPILER_ID MATCHES "GNU" OR CMAKE_C_COMPILER_ID MATCHES "Clang")
option(BUILD_EXTRA_WARNINGS "extra warnings")
@ -351,6 +352,16 @@ else()
unset(HAVE_LIBPCRE)
endif()
if(WITH_SASL)
check_include_files(sasl/sasl.h HAVE_SASL_SASL_H)
if(HAVE_SASL_SASL_H)
check_library_exists(sasl2 sasl_server_init "" HAVE_SASL)
endif()
else()
unset(HAVE_SASL_SASL_H)
unset(HAVE_SASL)
endif()
if(WITH_XML)
xconfig(xml2-config XML2_INCDIR XML2_LIBDIR XML2_LDFLAGS XML2_CFLAGS)
@ -757,6 +768,12 @@ if(WITH_LDAP)
target_link_libraries(mod_vhostdb_ldap ${L_MOD_AUTHN_LDAP})
endif()
if(WITH_SASL)
add_and_install_library(mod_authn_sasl "mod_authn_sasl.c")
set(L_MOD_AUTHN_SASL ${L_MOD_AUTHN_SASL} sasl2)
target_link_libraries(mod_authn_sasl ${L_MOD_AUTHN_SASL})
endif()
if(HAVE_ZLIB_H)
if(HAVE_BZLIB_H)
target_link_libraries(mod_compress ${ZLIB_LIBRARY} bz2)

8
src/Makefile.am

@ -337,6 +337,14 @@ mod_authn_mysql_la_LIBADD = $(CRYPT_LIB) $(MYSQL_LIBS) $(common_libadd)
mod_authn_mysql_la_CPPFLAGS = $(MYSQL_INCLUDE)
endif
if BUILD_WITH_SASL
lib_LTLIBRARIES += mod_authn_sasl.la
mod_authn_sasl_la_SOURCES = mod_authn_sasl.c
mod_authn_sasl_la_LDFLAGS = $(common_module_ldflags)
mod_authn_sasl_la_LIBADD = $(SASL_LIBS) $(common_libadd)
mod_authn_sasl_la_CPPFLAGS = $(SASL_CFLAGS)
endif
if BUILD_WITH_OPENSSL
lib_LTLIBRARIES += mod_openssl.la
mod_openssl_la_SOURCES = mod_openssl.c

3
src/SConscript

@ -157,6 +157,9 @@ if env['with_pgsql']:
if env['with_dbi']:
modules['mod_vhostdb_dbi'] = { 'src' : [ 'mod_vhostdb_dbi.c' ], 'lib' : [ env['LIBDBI'] ] }
if env['with_sasl']:
modules['mod_authn_sasl'] = { 'src' : [ 'mod_authn_sasl.c' ], 'lib' : [ env['LIBSASL'] ] }
if env['with_openssl']:
modules['mod_openssl'] = { 'src' : [ 'mod_openssl.c' ], 'lib' : [ env['LIBSSL'], env['LIBCRYPTO'] ] }

19
src/meson.build

@ -400,6 +400,19 @@ if get_option('with_pgsql')
conf_data.set('HAVE_PGSQL', true)
endif
if get_option('with_sasl')
libsasl = dependency('sasl2', required: false)
if libsasl.found()
libsasl = [ libsasl2 ]
else
libsasl = [ compiler.find_library('sasl2') ]
if not(compiler.has_function('sasl_server_init', args: defs, dependencies: libsasl, prefix: '#include <sasl/sasl.h>'))
error('Couldn\'t find sasl/sasl.h or sasl_server_init in libsasl2')
endif
endif
conf_data.set('HAVE_SASL', true)
endif
#if get_option('with_valgrind')
#endif
@ -799,6 +812,12 @@ if get_option('with_openssl')
]
endif
if get_option('with_sasl')
modules += [
[ 'mod_authn_sasl', [ 'mod_authn_sasl.c' ], libsasl2 ],
]
endif
foreach mod: modules
mod_name = mod.get(0)
mod_sources = mod.get(1)

283
src/mod_authn_sasl.c

@ -0,0 +1,283 @@
#include "first.h"
/* mod_authn_sasl
*
* FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
* - database response is not cached
* TODO: db response caching (for limited time) to reduce load on db
* (only cache successful logins to prevent cache bloat?)
* (or limit number of entries (size) of cache)
* (maybe have negative cache (limited size) of names not found in database)
* - database query is synchronous and blocks waiting for response
*/
#include <sasl/sasl.h>
#include "base.h"
#include "http_auth.h"
#include "log.h"
#include "plugin.h"
#include <sys/utsname.h>
#include <errno.h>
#include <string.h>
typedef struct {
array *opts;
const char *service;
const char *fqdn;
const buffer *pwcheck_method;
const buffer *sasldb_path;
} plugin_config;
typedef struct {
PLUGIN_DATA;
plugin_config **config_storage;
plugin_config conf;
buffer *fqdn;
int initonce;
} plugin_data;
static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
INIT_FUNC(mod_authn_sasl_init) {
static http_auth_backend_t http_auth_backend_sasl =
{ "sasl", mod_authn_sasl_basic, NULL, NULL };
plugin_data *p = calloc(1, sizeof(*p));
/* register http_auth_backend_sasl */
http_auth_backend_sasl.p_d = p;
http_auth_backend_set(&http_auth_backend_sasl);
return p;
}
FREE_FUNC(mod_authn_sasl_free) {
plugin_data *p = p_d;
if (!p) return HANDLER_GO_ON;
if (p->initonce) sasl_done();
if (p->config_storage) {
for (size_t i = 0; i < srv->config_context->used; ++i) {
plugin_config *s = p->config_storage[i];
if (NULL == s) continue;
array_free(s->opts);
free(s);
}
free(p->config_storage);
}
buffer_free(p->fqdn);
free(p);
UNUSED(srv);
return HANDLER_GO_ON;
}
SETDEFAULTS_FUNC(mod_authn_sasl_set_defaults) {
plugin_data *p = p_d;
size_t i;
config_values_t cv[] = {
{ "auth.backend.sasl.opts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
};
p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
for (i = 0; i < srv->config_context->used; i++) {
data_config const *config = (data_config const*)srv->config_context->data[i];
data_string *ds;
plugin_config *s = calloc(1, sizeof(plugin_config));
s->opts = array_init();
cv[0].destination = s->opts;
p->config_storage[i] = s;
if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
return HANDLER_ERROR;
}
if (0 == s->opts->used) continue;
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("service"));
s->service = (NULL != ds) ? ds->value->ptr : "http";
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("fqdn"));
if (NULL != ds) s->fqdn = ds->value->ptr;
if (NULL == s->fqdn) {
if (NULL == p->fqdn) {
struct utsname uts;
if (0 != uname(&uts)) {
log_error_write(srv, __FILE__, __LINE__, "ss",
"uname():", strerror(errno));
return HANDLER_ERROR;
}
p->fqdn = buffer_init_string(uts.nodename);
}
s->fqdn = p->fqdn->ptr;
}
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("pwcheck_method"));
if (NULL != ds) {
s->pwcheck_method = ds->value;
if (!buffer_is_equal_string(ds->value, CONST_STR_LEN("saslauthd"))
&& !buffer_is_equal_string(ds->value, CONST_STR_LEN("auxprop"))
&& !buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))){
log_error_write(srv, __FILE__, __LINE__, "sb",
"sasl pwcheck_method must be one of saslauthd, "
"sasldb, or auxprop, not:", ds->value);
return HANDLER_ERROR;
}
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))) {
/* Cyrus libsasl2 expects "auxprop" instead of "sasldb"
* (mod_authn_sasl_cb_getopt auxprop_plugin returns "sasldb") */
buffer_copy_string_len(ds->value, CONST_STR_LEN("auxprop"));
}
}
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("sasldb_path"));
if (NULL != ds) s->sasldb_path = ds->value;
}
return HANDLER_GO_ON;
}
#define PATCH(x) \
p->conf.x = s->x;
static int mod_authn_sasl_patch_connection(server *srv, connection *con, plugin_data *p) {
plugin_config *s = p->config_storage[0];
PATCH(service);
PATCH(fqdn);
PATCH(pwcheck_method);
PATCH(sasldb_path);
/* skip the first, the global context */
for (size_t i = 1; i < srv->config_context->used; ++i) {
data_config *dc = (data_config *)srv->config_context->data[i];
/* condition didn't match */
if (!config_check_cond(srv, con, dc)) continue;
/* merge config */
s = p->config_storage[i];
for (size_t j = 0; j < dc->value->used; ++j) {
data_unset *du = dc->value->data[j];
if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.sasl.opts"))) {
PATCH(service);
PATCH(fqdn);
PATCH(pwcheck_method);
PATCH(sasldb_path);
}
}
}
return 0;
}
#undef PATCH
static int mod_authn_sasl_cb_getopt(void *p_d, const char *plugin_name, const char *opt, const char **res, unsigned *len) {
plugin_data *p = (plugin_data *)p_d;
size_t sz;
if (0 == strcmp(opt, "pwcheck_method")) {
if (!buffer_string_is_empty(p->conf.pwcheck_method)) {
*res = p->conf.pwcheck_method->ptr;
sz = buffer_string_length(p->conf.pwcheck_method);
}
else { /* default */
*res = "saslauthd";
sz = sizeof("saslauthd")-1;
}
}
else if (0 == strcmp(opt, "sasldb_path")
&& !buffer_string_is_empty(p->conf.sasldb_path)) {
*res = p->conf.sasldb_path->ptr;
sz = buffer_string_length(p->conf.sasldb_path);
}
else if (0 == strcmp(opt, "auxprop_plugin")) {
*res = "sasldb";
sz = sizeof("sasldb")-1;
}
else {
UNUSED(plugin_name);
return SASL_FAIL;
}
if (len) *len = (unsigned int)sz;
return SASL_OK;
}
static int mod_authn_sasl_cb_log(void *vsrv, int level, const char *message) {
switch (level) {
#if 0
case SASL_LOG_NONE:
case SASL_LOG_NOTE:
case SASL_LOG_DEBUG:
case SASL_LOG_TRACE:
case SASL_LOG_PASS:
#endif
default:
break;
case SASL_LOG_ERR:
case SASL_LOG_FAIL:
case SASL_LOG_WARN: /* (might omit SASL_LOG_WARN if too noisy in logs) */
log_error_write((server *)vsrv, __FILE__, __LINE__, "s", message);
break;
}
return SASL_OK;
}
static handler_t mod_authn_sasl_query(server *srv, connection *con, void *p_d, const buffer *username, const char *realm, const char *pw) {
plugin_data *p = (plugin_data *)p_d;
sasl_conn_t *sc;
sasl_callback_t const cb[] = {
{ SASL_CB_GETOPT, (int(*)())mod_authn_sasl_cb_getopt, (void *) p },
{ SASL_CB_LOG, (int(*)())mod_authn_sasl_cb_log, (void *) srv },
{ SASL_CB_LIST_END, NULL, NULL }
};
int rc;
mod_authn_sasl_patch_connection(srv, con, p);
if (!p->initonce) {
/* must be done once, but after fork() if multiple lighttpd workers */
rc = sasl_server_init(cb, NULL);
if (SASL_OK != rc) return HANDLER_ERROR;
p->initonce = 1;
}
rc = sasl_server_new(p->conf.service, p->conf.fqdn,
realm, NULL, NULL, cb, 0, &sc);
if (SASL_OK == rc) {
rc = sasl_checkpass(sc, CONST_BUF_LEN(username), pw, strlen(pw));
sasl_dispose(&sc);
}
return (SASL_OK == rc) ? HANDLER_GO_ON : HANDLER_ERROR;
}
static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw) {
char *realm = require->realm->ptr;
handler_t rc = mod_authn_sasl_query(srv, con, p_d, username, realm, pw);
if (HANDLER_GO_ON != rc) return rc;
return http_auth_match_rules(require, username->ptr, NULL, NULL)
? HANDLER_GO_ON /* access granted */
: HANDLER_ERROR;
}
int mod_authn_sasl_plugin_init(plugin *p);
int mod_authn_sasl_plugin_init(plugin *p) {
p->version = LIGHTTPD_VERSION_ID;
p->name = buffer_init_string("authn_sasl");
p->init = mod_authn_sasl_init;
p->set_defaults= mod_authn_sasl_set_defaults;
p->cleanup = mod_authn_sasl_free;
p->data = NULL;
return 0;
}
Loading…
Cancel
Save