author | David Sommerseth <dazo@users.sourceforge.net> | 2013-03-03 01:00:43 +0100 |
---|---|---|
committer | David Sommerseth <dazo@users.sourceforge.net> | 2013-03-03 01:00:43 +0100 |
commit | 277f2b549666be424eb5bd6f560e7f50da98d979 (patch) | |
tree | 0bdf62d952e00320d9f461ed3da8c892a0408ab4 | |
parent | 25e5147c7d3e16ec96713c214dc28e398b3be10c (diff) | |
download | eurephia-277f2b549666be424eb5bd6f560e7f50da98d979.tar.gz eurephia-277f2b549666be424eb5bd6f560e7f50da98d979.tar.xz eurephia-277f2b549666be424eb5bd6f560e7f50da98d979.zip |
auth plug-in: Implemented the authentication plug-in into the core eurephia framework
This enables using an external authentication plug-in if a user
account/certificate link is configured to make use of it.
This change ensures that all configured authentication plug-ins are
loaded and available when eurephia is initialised.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
-rw-r--r-- | database/eurephiadb.c | 26 | ||||
-rw-r--r-- | database/eurephiadb.h | 3 | ||||
-rw-r--r-- | database/eurephiadb_driver.h | 49 | ||||
-rw-r--r-- | plugin/eurephia.c | 117 |
4 files changed, 188 insertions, 7 deletions
diff --git a/database/eurephiadb.c b/database/eurephiadb.c index 322e394..701b8d1 100644 --- a/database/eurephiadb.c +++ b/database/eurephiadb.c @@ -1,6 +1,6 @@ /* eurephiadb.c -- Loads and initialises the database driver * - * GPLv2 only - Copyright (C) 2008 - 2012 + * GPLv2 only - Copyright (C) 2008 - 2013 * David Sommerseth <dazo@users.sourceforge.net> * * This program is free software; you can redistribute it and/or @@ -29,6 +29,7 @@ */ #include <stdio.h> +#include <string.h> #include <dlfcn.h> #include "eurephia_nullsafe.h" @@ -113,6 +114,11 @@ int eDBlink_init(eurephiaCTX *ctx, const char *dbdriver, const int minver) eurephia_log(ctx, LOG_WARNING, 0, "eurephia database driver API is newer than the running eurephia version. Consider " "to upgrade eurephia to take advantage of newer features in the driver."); + + case 4: + eDBauth_GetAuthMethod = eGetSym(ctx, ctx->eurephia_driver, "eDBauth_GetAuthMethod"); + eDBget_plugins = eGetSym(ctx, ctx->eurephia_driver, "eDBget_plugins"); + case 3: eDBregister_vpnclientaddr = eGetSym(ctx, ctx->eurephia_driver, "eDBregister_vpnclientaddr"); @@ -176,3 +182,21 @@ int eDBlink_init(eurephiaCTX *ctx, const char *dbdriver, const int minver) } return 1; } + + +/** + * Frees the memory allocated by the eDBauth_GetAuthMethod() function + * + * @param eurephiaCTX* Pointer to the global eurephia context + * @param eDBauthMethodResult* Pointer to the result to be freed + * + */ +void eDBauth_FreeAuthMethodResult(eurephiaCTX *ctx, eDBauthMethodResult *res) +{ + if( res == NULL ) { + return; + } + free_nullsafe(ctx, res->username); + memset(res, 0, sizeof(eDBauthMethodResult)); + free_nullsafe(ctx, res); +} diff --git a/database/eurephiadb.h b/database/eurephiadb.h index e8c7e84..ea59ece 100644 --- a/database/eurephiadb.h +++ b/database/eurephiadb.h 
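Review bot: The two eGetSym() results stored under the new `case 4:` are never checked in this hunk, yet eurephia_userauth() now calls eDBauth_GetAuthMethod() unconditionally, so a driver that reports API level 4 but does not export the symbol would be called through a NULL function pointer. Unless the validation that follows the switch (outside this hunk) already covers the two new pointers, add `if( eDBauth_GetAuthMethod == NULL || eDBget_plugins == NULL ) { eurephia_log(ctx, LOG_FATAL, 0, "Database driver lacks API level 4 symbols"); return 0; }` before the function's final `return 1;`. The fall-through from the "driver API is newer" warning into `case 4:` follows the existing cascade, but a `/* fall through */` marker on the new case would make that intent explicit. eDBlink_init() starts and ends outside the hunk.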
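Review bot: The Doxygen block on eDBauth_FreeAuthMethodResult() names its parameters by type (`@param eurephiaCTX*`, `@param eDBauthMethodResult*`) rather than by name, so the tags do not bind to `ctx` and `res`, and the ownership rule is left implicit; use `@param ctx Pointer to the global eurephia context` and `@param res Result returned by eDBauth_GetAuthMethod(); must not be used after this call`. The `memset(res, 0, sizeof(eDBauthMethodResult))` right before the release is only a best-effort scrub — if free_nullsafe() expands to a plain free() the compiler may drop it as a dead store — so the comment should not promise that the username is wiped. It is also worth stating in the comment that the core frees a struct the driver allocated, which presumes driver and core share the same allocator.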
@@ -1,6 +1,6 @@ /* eurephiadb.h -- Database driver setup * - * GPLv2 only - Copyright (C) 2008 - 2012 + * GPLv2 only - Copyright (C) 2008 - 2013 * David Sommerseth <dazo@users.sourceforge.net> * * This program is free software; you can redistribute it and/or @@ -38,4 +38,5 @@ int eDBlink_init(eurephiaCTX *, const char *, const int); int eDBlink_close(eurephiaCTX *); +void eDBauth_FreeAuthMethodResult(eurephiaCTX *, eDBauthMethodResult *); #endif diff --git a/database/eurephiadb_driver.h b/database/eurephiadb_driver.h index 8384ad2..fef6499 100644 --- a/database/eurephiadb_driver.h +++ b/database/eurephiadb_driver.h @@ -1,6 +1,6 @@ /* eurephiadb_driver.h -- API provided by the database driver * - * GPLv2 only - Copyright (C) 2008 - 2012 + * GPLv2 only - Copyright (C) 2008 - 2013 * David Sommerseth <dazo@users.sourceforge.net> * * This program is free software; you can redistribute it and/or @@ -54,6 +54,27 @@ #define USERINFO_blacklist 0x10 /**< flag for extracting information from blacklist log */ /** + * Defines supported authentication methods or account restrictions + */ +typedef enum { eAM_UNDEF, /**< Unknown/undefined/unsupported method */ + eAM_BLACKLISTED, /**< Account has been blacklisted, no auth allowed */ + eAM_INACTIVE, /**< Account is not active, no auth allowed */ + eAM_INTERNDB, /**< Use the eurephia database for password authentication */ + eAM_PLUGIN /**< Use an auth plug-in for password authentication */ +} eDBauthMethod; + +/** + * Result structure from eDBauth_GetAuthMethod() + */ +typedef struct __eDBauthMethodResult { + eDBauthMethod method; /**< Authentication method */ + char *username; /**< Username to use with external methods */ + unsigned int authplugid; /**< Authentication plug-in ID for external methods */ + int uicid; /**< User account/certificate link ID */ +} eDBauthMethodResult; + + +/** * Mandatory function. Retrieves driver version information * * @return Returns string (const char *) containing driver version information. 
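Review bot: The new prototype in eurephiadb.h uses `eDBauthMethodResult`, a type this header does not declare (it is defined in eurephiadb_driver.h), so eurephiadb.h is no longer self-contained and compiles only when the driver header happens to be included first — which is presumably why plugin/eurephia.c swaps its include order in this same commit. Add `#include "eurephiadb_driver.h"` near the top of eurephiadb.h, or forward-declare `struct __eDBauthMethodResult;` and spell the parameter as `struct __eDBauthMethodResult *` in the prototype, so that every consumer gets the declaration regardless of include order.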
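Review bot: The struct tag `__eDBauthMethodResult` starts with a double underscore, which the C standard reserves for the implementation in every scope; unless the project deliberately uses that convention elsewhere, rename it to e.g. `eDBauthMethodResult_s`. The enum relies on `eAM_UNDEF` being first so that a zero-initialised result lands in the fail-closed `default:` branch of eurephia_userauth(); pin that with a comment such as `/* must stay first (value 0): a zeroed result must fail closed */`. `unsigned int authplugid` is later formatted with `%i` in plugin/eurephia.c — either declare the field `int` or log it with `%u` to keep the format and type consistent.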
@@ -114,6 +135,21 @@ int EUREPHIA_DRIVERAPI_FUNC(eDBauth_TLS)(eurephiaCTX *ctx, const char *org, cons const char *digest, const unsigned int depth); /** + * Retrieves authentication method for a specific user name and certificate ID + * + * @version API version level 1 + * @param ctx eurephiaCTX + * @param certid certificate ID to the user being authenticated + * @param username username to be authenticated + * + * @return Returns a pointer to a eDBauthMethodResult struct which defines how + * to authenticate this user. On system failure, NULL is returned. + */ +eDBauthMethodResult * EUREPHIA_DRIVERAPI_FUNC(eDBauth_GetAuthMethod)(eurephiaCTX *ctx, + const int certid, + const char *username); + +/** * Authenticates a client against the database, with users certificate ID, username and password. * * @version API version level 1 @@ -274,6 +310,17 @@ char * EUREPHIA_DRIVERAPI_FUNC(eDBget_firewall_profile) (eurephiaCTX *ctx, eurep */ eurephiaVALUES * EUREPHIA_DRIVERAPI_FUNC(eDBget_blacklisted_ip)(eurephiaCTX *ctx); +/** + * Retrieve a list of additional configured eurephia plug-ins of a certain plug-in type + * + * @version API version level 4 + * @param ctx eurephiaCTX + * @param plgtype Plug-in category type (string value, null terminated) + * + * @return Returns an eurephiaVALUES chain with all plug-ins configured, otherwise NULL is returned + */ +eurephiaVALUES * EUREPHIA_DRIVERAPI_FUNC(eDBget_plugins)(eurephiaCTX *ctx, const char *plgtype); + /* The following functions is also declared in eurephia_session_values.c - for local internal usage. */ /** * Retrieve a unique session key based on a session seed. diff --git a/plugin/eurephia.c b/plugin/eurephia.c index e41a0dc..c169dc7 100644 --- a/plugin/eurephia.c +++ b/plugin/eurephia.c 
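Review bot: The eDBauth_GetAuthMethod() comment says `@version API version level 1`, but eDBlink_init() only resolves the symbol under `case 4:` and the sibling eDBget_plugins() is documented as level 4, so the tag should read `@version API version level 4`. The ownership of the returned struct is also undocumented; add `@return ... The caller owns the result and must release it with eDBauth_FreeAuthMethodResult()`. It would further help driver authors to state what is returned for a username/certid pair that has no account link — presumably a result with `eAM_UNDEF`, which the core treats as a hard failure — rather than only describing the NULL-on-system-failure case.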
@@ -1,6 +1,6 @@ /* eurephia.c -- Main functions for the eurephia authentication module * - * GPLv2 only - Copyright (C) 2008 - 2012 + * GPLv2 only - Copyright (C) 2008 - 2013 * David Sommerseth <dazo@users.sourceforge.net> * * This program is free software; you can redistribute it and/or @@ -35,15 +35,20 @@ #include <sys/mman.h> #include <string.h> #include <getopt.h> +#include <unistd.h> #include <assert.h> #include <errno.h> #define EUREPHIA_FWINTF /**< Include the proper eurephiaFWINTF declaration in eurephiaCTX */ #include <eurephiafw_struct.h> #include <eurephia_context.h> +#include <eurephia_context.h> +#include <eurephia_authplugin_driver.h> +#include <eurephia_authplugin_context.h> +#include <eurephia_authplugin_func.h> #include <eurephia_nullsafe.h> -#include <eurephiadb.h> #include <eurephiadb_driver.h> +#include <eurephiadb.h> #include <eurephiafw.h> #include <eurephia_values.h> #include <eurephiadb_session_common.h> @@ -145,7 +150,7 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp) " (David Sommerseth (C) 2008-2012 GPLv2)"); // Load the database driver - if( (error == 0) && eDBlink_init(ctx, dbi, 3) ) { + if( (error == 0) && eDBlink_init(ctx, dbi, 4) ) { // Connect to the database if( !eDBconnect(ctx, dbargc, dbargv) ) { eurephia_log(ctx, LOG_PANIC, 0, "Could not connect to the database"); @@ -204,6 +209,10 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp) ctx->eurephia_fw_intf = NULL; } + // Initialise authentication plug-ins. If no authentication plug-ins have been enabled, + // the authplugs context will be NULL. + ctx->authplugs = eAuthPlugin_Init(ctx); + // Prepare an empty disconnected list. // This one is used to track all clients IP addresses and their corresponding eurephia session ID // when they disconnect. This is especially needed in TUN mode, the eurephia_learn_address() 
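Review bot: The added `#include <eurephia_context.h>` duplicates the identical include on the line directly above it; drop the new line. Swapping eurephiadb.h below eurephiadb_driver.h works around eurephiadb.h now depending on a type from the driver header, but that dependency is better fixed inside eurephiadb.h itself so that other translation units do not have to repeat the ordering trick.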
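Review bot: The comment documents that `ctx->authplugs` is NULL when no plug-ins are enabled, but nothing here distinguishes that from eAuthPlugin_Init() failing to load a configured plug-in, if it also signals failure by returning NULL. In that case every account bound to a plug-in fails to authenticate (fail-closed, which is right), but the cause only surfaces as a per-login "Failed to find authentication plug-in" error rather than at start-up; if eAuthPlugin_Init() can fail, log that distinctly here and extend the comment to `// ... NULL when no plug-ins are enabled — see eAuthPlugin_Init() for how load failures are reported`. eurephiaInit() begins and ends outside the hunk.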
@@ -241,6 +250,10 @@ int eurephiaShutdown(eurephiaCTX *ctx) eFW_unload(ctx); } + if( ctx->authplugs != NULL ) { + eAuthPlugin_Close(ctx, ctx->authplugs); + } + if( (ctx->dbc != NULL) && (ctx->dbc->dbhandle != NULL) ) { eDBdisconnect(ctx); } @@ -345,6 +358,9 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str int eurephia_userauth(eurephiaCTX *ctx, const char **env) { eurephiaSESSION *authsess = NULL; + eDBauthMethodResult *authmeth = NULL; + eAuthPlugin *authplug = NULL; + eAuthResult *authres = NULL; int result = 0, certid = 0; char *cname, *remport, *ipaddr = NULL; char *tls_digest = NULL, *tls_id = NULL, *username = NULL; 
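Review bot: After `eAuthPlugin_Close(ctx, ctx->authplugs)` the pointer is left dangling in the context; add `ctx->authplugs = NULL;` inside the if-block so that any later access (or a second shutdown call) cannot reach freed memory. Whether eAuthPlugin_Close() clears it itself is not visible from here. eurephiaShutdown() starts and ends outside the hunk.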
@@ -453,7 +469,100 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) // If we do not have a valid password cached, check against the user database chk_pwd: - result = eDBauth_user(ctx, certid, username, passwd); + authmeth = eDBauth_GetAuthMethod(ctx, certid, username); + if( authmeth == NULL ) { + eurephia_log(ctx, LOG_ERROR, 0, + "Failed to identify authentication method for user '%s' with" + "certid %i", username, certid); + result = 0; + goto exit; + } + + switch (authmeth->method) { + case eAM_INTERNDB: + /* Authenticate against the internal eurephia database */ + result = eDBauth_user(ctx, certid, username, passwd); + break; + + case eAM_PLUGIN: + authplug = eAuthPlugin_Get(ctx->authplugs, authmeth->authplugid); + if( authplug == NULL ) { + eurephia_log(ctx, LOG_ERROR, 0, + "Failed to find authentication plug-in %i to authenticate" + "user '%s' with certid %i", + authmeth->authplugid, username, certid); + result = 0; + goto exit; + } + + /* Authenticate the user via the auth plug-in */ + authres = authplug->AuthenticateUser(ctx, authmeth->username, passwd); + if( authres == NULL ) { + eurephia_log(ctx, LOG_FATAL, 0, + "Invalid response from authentication plug-in %i", + authmeth->authplugid); + result = 0; + goto exit; + } + + /* Parse the authentication result */ + switch( authres->status ) { + case eAUTH_FAILED: + eurephia_log(ctx, LOG_WARNING, 0,"Authentication failed for user '%s': %s", + username, authres->msg); + sleep(2); + result = -1; + break; + + case eAUTH_PLGERROR: + eurephia_log(ctx, LOG_ERROR, 0, + "Authentication plug-in %i returned with an internal error " + "while authenticating user '%s' (uicid: %i): %s", + authmeth->authplugid, + authmeth->username, + authmeth->uicid, + authres->msg); + result = 0; + goto exit; + + case eAUTH_SUCCESS: + result = authmeth->uicid; + if( authres->msg != NULL ) { + eurephia_log(ctx, LOG_INFO, 1, + "Authentication plug-in (%i) success response " + "for user '%s' (uicid: %i): %s", + 
authmeth->authplugid, + authmeth->username, + result, + authres->msg); + } + break; + + default: + eurephia_log(ctx, LOG_FATAL, 0, + "Invalid response from authentication plug-in %i when " + "authenticating user '%s': %i", + authmeth->authplugid, authmeth->username, authres->status); + result = 0; + break; + } + break; + + case eAM_BLACKLISTED: + case eAM_INACTIVE: + result = -1; + break; + + default: + eurephia_log(ctx, LOG_FATAL, 0, + "Invalid authentication method attempted (%i) for " + "user '%s' with certid %i", + authmeth->method, username, certid); + break; + } + eDBauth_FreeAuthMethodResult(ctx, authmeth); + + /* If the authentication failed, register the failed attempt */ if( result < 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); |
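Review bot: The three `goto exit` jumps inside the new switch (plug-in not found, NULL `authres`, and `eAUTH_PLGERROR`) bypass `eDBauth_FreeAuthMethodResult(ctx, authmeth)`, and since `authmeth` is a local introduced by this commit while no hunk touches the `exit:` label, the driver-allocated result leaks on each of those error paths; add `eDBauth_FreeAuthMethodResult(ctx, authmeth);` immediately before each of those jumps, or move the single free under `exit:` where every path reaches it. `authres` is likewise never released in this hunk — if the plug-in API returns a heap object, its matching free belongs after the inner switch. Two messages lose a space at the literal join (`"with" "certid %i"` and `"authenticate" "user '%s'"`), and the `eAUTH_FAILED` and `eAUTH_PLGERROR` branches pass `authres->msg` to `%s` without the NULL guard that the `eAUTH_SUCCESS` branch applies. Finally, `eAM_BLACKLISTED` and `eAM_INACTIVE` return -1 immediately and without a log line, while a plug-in password failure costs `sleep(2)`; unless eDBauth_user() delays identically, the response time may reveal whether an account exists or is disabled independent of the password, so apply the same delay and an audit log entry to every failure outcome. eurephia_userauth() continues past the end of the hunk.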