authorDavid Sommerseth <dazo@users.sourceforge.net>2013-03-03 01:00:43 +0100
committerDavid Sommerseth <dazo@users.sourceforge.net>2013-03-03 01:00:43 +0100
commit277f2b549666be424eb5bd6f560e7f50da98d979 (patch)
tree0bdf62d952e00320d9f461ed3da8c892a0408ab4
parent25e5147c7d3e16ec96713c214dc28e398b3be10c (diff)
auth plug-in: Implemented the authentication plug-in into the core eurephia framework
This enables using an external authentication plug-in if a user account/certification link is configured to make use of it. This change ensures that all configured authentication plug-ins are loaded and available when eurephia is initialised. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
-rw-r--r--database/eurephiadb.c26
-rw-r--r--database/eurephiadb.h3
-rw-r--r--database/eurephiadb_driver.h49
-rw-r--r--plugin/eurephia.c117
4 files changed, 188 insertions, 7 deletions
diff --git a/database/eurephiadb.c b/database/eurephiadb.c
index 322e394..701b8d1 100644
--- a/database/eurephiadb.c
+++ b/database/eurephiadb.c
@@ -1,6 +1,6 @@
/* eurephiadb.c -- Loads and initialises the database driver
*
- * GPLv2 only - Copyright (C) 2008 - 2012
+ * GPLv2 only - Copyright (C) 2008 - 2013
* David Sommerseth <dazo@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or
@@ -29,6 +29,7 @@
*/
#include <stdio.h>
+#include <string.h>
#include <dlfcn.h>
#include "eurephia_nullsafe.h"
@@ -113,6 +114,11 @@ int eDBlink_init(eurephiaCTX *ctx, const char *dbdriver, const int minver)
eurephia_log(ctx, LOG_WARNING, 0,
"eurephia database driver API is newer than the running eurephia version. Consider "
"to upgrade eurephia to take advantage of newer features in the driver.");
+
+ case 4:
+ eDBauth_GetAuthMethod = eGetSym(ctx, ctx->eurephia_driver, "eDBauth_GetAuthMethod");
+ eDBget_plugins = eGetSym(ctx, ctx->eurephia_driver, "eDBget_plugins");
+
case 3:
eDBregister_vpnclientaddr = eGetSym(ctx, ctx->eurephia_driver, "eDBregister_vpnclientaddr");
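Review bot: The new `case 4:` has no terminating `break` and relies on falling through into `case 3:` so that a level-4 driver also gets the level-3 symbols resolved; that matches the existing cascade, but nothing marks it as deliberate, so a `/* fallthrough */` comment before `case 3:` (and one before `case 4:` for the version-warning path above it) would keep `-Wimplicit-fallthrough` quiet and tell the reader it is intended. Whether a NULL from eGetSym() for the two new symbols is detected cannot be seen here; eDBlink_init() begins and ends outside this hunk.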
@@ -176,3 +182,21 @@ int eDBlink_init(eurephiaCTX *ctx, const char *dbdriver, const int minver)
}
return 1;
}
+
+
+/**
+ * Frees the memory allocated by the eDBauth_GetAuthMethod() function
+ *
+ * @param eurephiaCTX* Pointer to the global eurephia context
+ * @param eDBauthMethodResult* Pointer to the result to be freed
+ *
+ */
+void eDBauth_FreeAuthMethodResult(eurephiaCTX *ctx, eDBauthMethodResult *res)
+{
+ if( res == NULL ) {
+ return;
+ }
+ free_nullsafe(ctx, res->username);
+ memset(res, 0, sizeof(eDBauthMethodResult));
+ free_nullsafe(ctx, res);
+}
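Review bot: The Doxygen block on eDBauth_FreeAuthMethodResult() tags its parameters by type (`@param eurephiaCTX*`, `@param eDBauthMethodResult*`) rather than by name, so Doxygen will not match them to the arguments; write `@param ctx Pointer to the global eurephia context` and `@param res Pointer to the result to be freed; NULL is accepted and ignored`. The `memset()` directly before `free_nullsafe()` is a dead store the optimizer may drop, so it cannot be relied on for scrubbing; since `username` is an account name rather than a secret that is acceptable, but a short comment stating the wipe is only defensive would stop a later reader from assuming it is guaranteed.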
diff --git a/database/eurephiadb.h b/database/eurephiadb.h
index e8c7e84..ea59ece 100644
--- a/database/eurephiadb.h
+++ b/database/eurephiadb.h
@@ -1,6 +1,6 @@
/* eurephiadb.h -- Database driver setup
*
- * GPLv2 only - Copyright (C) 2008 - 2012
+ * GPLv2 only - Copyright (C) 2008 - 2013
* David Sommerseth <dazo@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or
@@ -38,4 +38,5 @@
int eDBlink_init(eurephiaCTX *, const char *, const int);
int eDBlink_close(eurephiaCTX *);
+void eDBauth_FreeAuthMethodResult(eurephiaCTX *, eDBauthMethodResult *);
#endif
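Review bot: The new prototype on the line before `#endif` uses eDBauthMethodResult, a typedef this commit introduces in database/eurephiadb_driver.h, but no include of that header is visible in eurephiadb.h; the include reordering in plugin/eurephia.c (eurephiadb_driver.h moved above eurephiadb.h) suggests the header now compiles only when callers include the driver header first. Adding `#include "eurephiadb_driver.h"` to eurephiadb.h would make it self-contained again, assuming it is not already pulled in by an include outside this hunk.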
diff --git a/database/eurephiadb_driver.h b/database/eurephiadb_driver.h
index 8384ad2..fef6499 100644
--- a/database/eurephiadb_driver.h
+++ b/database/eurephiadb_driver.h
@@ -1,6 +1,6 @@
/* eurephiadb_driver.h -- API provided by the database driver
*
- * GPLv2 only - Copyright (C) 2008 - 2012
+ * GPLv2 only - Copyright (C) 2008 - 2013
* David Sommerseth <dazo@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or
@@ -54,6 +54,27 @@
#define USERINFO_blacklist 0x10 /**< flag for extracting information from blacklist log */
/**
+ * Defines supported authentication methods or account restrictions
+ */
+typedef enum { eAM_UNDEF, /**< Unknown/undefined/unsupported method */
+ eAM_BLACKLISTED, /**< Account has been blacklisted, no auth allowed */
+ eAM_INACTIVE, /**< Account is not active, no auth allowed */
+ eAM_INTERNDB, /**< Use the eurephia database for password authentication */
+ eAM_PLUGIN /**< Use an auth plug-in for password authentication */
+} eDBauthMethod;
+
+/**
+ * Result structure from eDBauth_GetAuthMethod()
+ */
+typedef struct __eDBauthMethodResult {
+ eDBauthMethod method; /**< Authentication method */
+ char *username; /**< Username to use with external methods */
+ unsigned int authplugid; /**< Authentication plug-in ID for external methods */
+ int uicid; /**< User account/certificate link ID */
+} eDBauthMethodResult;
+
+
+/**
* Mandatory function. Retrieves driver version information
*
* @return Returns string (const char *) containing driver version information.
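Review bot: eDBauthMethodResult carries a heap-allocated `username` plus IDs, but its comment does not say who owns it; since this commit adds eDBauth_FreeAuthMethodResult() for exactly that purpose, the comment should read `Result structure from eDBauth_GetAuthMethod(); owned by the caller and released with eDBauth_FreeAuthMethodResult()`. The tag `__eDBauthMethodResult` starts with a double underscore, which C reserves for the implementation; if the surrounding headers already use that tag style it is a project-wide convention to revisit separately rather than in this commit.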
@@ -114,6 +135,21 @@ int EUREPHIA_DRIVERAPI_FUNC(eDBauth_TLS)(eurephiaCTX *ctx, const char *org, cons
const char *digest, const unsigned int depth);
/**
+ * Retrieves authentication method for a specific user name and certificate ID
+ *
+ * @version API version level 1
+ * @param ctx eurephiaCTX
+ * @param certid certificate ID to the user being authenticated
+ * @param username username to be authenticated
+ *
+ * @return Returns a pointer to a eDBauthMethodResult struct which defines how
+ * to authenticate this user. On system failure, NULL is returned.
+ */
+eDBauthMethodResult * EUREPHIA_DRIVERAPI_FUNC(eDBauth_GetAuthMethod)(eurephiaCTX *ctx,
+ const int certid,
+ const char *username);
+
+/**
* Authenticates a client against the database, with users certificate ID, username and password.
*
* @version API version level 1
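Review bot: The `@version API version level 1` tag on eDBauth_GetAuthMethod() contradicts database/eurephiadb.c, where the symbol is only resolved under `case 4:` of eDBlink_init(), and the sibling eDBget_plugins() declaration in this same commit, which says level 4; it should read `@version API version level 4`. The `@return` text should also state that the caller must release the result with eDBauth_FreeAuthMethodResult(), and whether an unknown user yields NULL or a result with `method == eAM_UNDEF`, since plugin/eurephia.c logs the first as an error and the second as an invalid method.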
@@ -274,6 +310,17 @@ char * EUREPHIA_DRIVERAPI_FUNC(eDBget_firewall_profile) (eurephiaCTX *ctx, eurep
*/
eurephiaVALUES * EUREPHIA_DRIVERAPI_FUNC(eDBget_blacklisted_ip)(eurephiaCTX *ctx);
+/**
+ * Retrieve a list of additional configured eurephia plug-ins of a certain plug-in type
+ *
+ * @version API version level 4
+ * @param ctx eurephiaCTX
+ * @param plgtype Plug-in category type (string value, null terminated)
+ *
+ * @return Returns an eurephiaVALUES chain with all plug-ins configured, otherwise NULL is returned
+ */
+eurephiaVALUES * EUREPHIA_DRIVERAPI_FUNC(eDBget_plugins)(eurephiaCTX *ctx, const char *plgtype);
+
/* The following functions is also declared in eurephia_session_values.c - for local internal usage. */
/**
* Retrieve a unique session key based on a session seed.
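Review bot: The `@return` line for eDBget_plugins() says NULL is returned "otherwise", which leaves a caller unable to tell "no plug-ins of this type configured" from a database failure, and it does not say who frees the returned eurephiaVALUES chain. Spell both out, e.g. `@return Returns an eurephiaVALUES chain owned by the caller; NULL when no plug-ins of this type are configured or on database failure`, and name the release function for the chain, which is not visible in this hunk.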
diff --git a/plugin/eurephia.c b/plugin/eurephia.c
index e41a0dc..c169dc7 100644
--- a/plugin/eurephia.c
+++ b/plugin/eurephia.c
@@ -1,6 +1,6 @@
/* eurephia.c -- Main functions for the eurephia authentication module
*
- * GPLv2 only - Copyright (C) 2008 - 2012
+ * GPLv2 only - Copyright (C) 2008 - 2013
* David Sommerseth <dazo@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or
@@ -35,15 +35,20 @@
#include <sys/mman.h>
#include <string.h>
#include <getopt.h>
+#include <unistd.h>
#include <assert.h>
#include <errno.h>
#define EUREPHIA_FWINTF /**< Include the proper eurephiaFWINTF declaration in eurephiaCTX */
#include <eurephiafw_struct.h>
#include <eurephia_context.h>
+#include <eurephia_context.h>
+#include <eurephia_authplugin_driver.h>
+#include <eurephia_authplugin_context.h>
+#include <eurephia_authplugin_func.h>
#include <eurephia_nullsafe.h>
-#include <eurephiadb.h>
#include <eurephiadb_driver.h>
+#include <eurephiadb.h>
#include <eurephiafw.h>
#include <eurephia_values.h>
#include <eurephiadb_session_common.h>
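Review bot: `#include <eurephia_context.h>` now appears twice in a row (the existing line and the added one directly below it); harmless if the header is guarded, but the added duplicate should be dropped. The swap that moves eurephiadb_driver.h above eurephiadb.h is presumably needed because eurephiadb.h's new eDBauth_FreeAuthMethodResult() prototype uses eDBauthMethodResult without including the driver header; making eurephiadb.h include it itself would remove the order dependency for every caller.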
@@ -145,7 +150,7 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp)
" (David Sommerseth (C) 2008-2012 GPLv2)");
// Load the database driver
- if( (error == 0) && eDBlink_init(ctx, dbi, 3) ) {
+ if( (error == 0) && eDBlink_init(ctx, dbi, 4) ) {
// Connect to the database
if( !eDBconnect(ctx, dbargc, dbargv) ) {
eurephia_log(ctx, LOG_PANIC, 0, "Could not connect to the database");
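Review bot: Raising the minimum driver API level to 4 means a previously working driver that only implements level 3 is now refused at start-up; the commit message does not mention this, and a one-line comment such as `// API level 4 adds eDBauth_GetAuthMethod() and eDBget_plugins(), both required by eurephia_userauth()` would explain why 3 is no longer enough. The banner string on the context line above still prints "2008-2012" while this commit bumps the file headers to 2013.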
@@ -204,6 +209,10 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp)
ctx->eurephia_fw_intf = NULL;
}
+ // Initialise authentication plug-ins. If no authentication plug-ins have been enabled,
+ // the authplugs context will be NULL.
+ ctx->authplugs = eAuthPlugin_Init(ctx);
+
// Prepare an empty disconnected list.
// This one is used to track all clients IP addresses and their corresponding eurephia session ID
// when they disconnect. This is especially needed in TUN mode, the eurephia_learn_address()
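Review bot: `ctx->authplugs = eAuthPlugin_Init(ctx);` treats NULL as "no plug-ins enabled", but if eAuthPlugin_Init() also returns NULL when a configured plug-in fails to load, that failure is silent here and only surfaces later as "Failed to find authentication plug-in" for every user bound to it. Unless the function logs the failure itself (not visible here), consider checking `ctx->authplugs == NULL` against whether any plug-ins were configured and logging at LOG_WARNING, so an operator can tell a misconfiguration from an intentionally empty set. The outcome stays fail-closed either way, since eurephia_userauth() returns 0 for a missing plug-in.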
@@ -241,6 +250,10 @@ int eurephiaShutdown(eurephiaCTX *ctx)
eFW_unload(ctx);
}
+ if( ctx->authplugs != NULL ) {
+ eAuthPlugin_Close(ctx, ctx->authplugs);
+ }
+
if( (ctx->dbc != NULL) && (ctx->dbc->dbhandle != NULL) ) {
eDBdisconnect(ctx);
}
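Review bot: After `eAuthPlugin_Close(ctx, ctx->authplugs);` the pointer is left dangling, whereas the firewall teardown in eurephiaInit() sets `ctx->eurephia_fw_intf = NULL` after unloading; add `ctx->authplugs = NULL;` inside the new `if` block so a later access on the shutdown path cannot dereference freed memory.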
@@ -345,6 +358,9 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str
int eurephia_userauth(eurephiaCTX *ctx, const char **env)
{
eurephiaSESSION *authsess = NULL;
+ eDBauthMethodResult *authmeth = NULL;
+ eAuthPlugin *authplug = NULL;
+ eAuthResult *authres = NULL;
int result = 0, certid = 0;
char *cname, *remport, *ipaddr = NULL;
char *tls_digest = NULL, *tls_id = NULL, *username = NULL;
@@ -453,7 +469,100 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
// If we do not have a valid password cached, check against the user database
chk_pwd:
- result = eDBauth_user(ctx, certid, username, passwd);
+ authmeth = eDBauth_GetAuthMethod(ctx, certid, username);
+ if( authmeth == NULL ) {
+ eurephia_log(ctx, LOG_ERROR, 0,
+ "Failed to identify authentication method for user '%s' with"
+ "certid %i", username, certid);
+ result = 0;
+ goto exit;
+ }
+
+ switch (authmeth->method) {
+ case eAM_INTERNDB:
+ /* Authenticate against the internal eurephia database */
+ result = eDBauth_user(ctx, certid, username, passwd);
+ break;
+
+ case eAM_PLUGIN:
+ authplug = eAuthPlugin_Get(ctx->authplugs, authmeth->authplugid);
+ if( authplug == NULL ) {
+ eurephia_log(ctx, LOG_ERROR, 0,
+ "Failed to find authentication plug-in %i to authenticate"
+ "user '%s' with certid %i",
+ authmeth->authplugid, username, certid);
+ result = 0;
+ goto exit;
+ }
+
+ /* Authenticate the user via the auth plug-in */
+ authres = authplug->AuthenticateUser(ctx, authmeth->username, passwd);
+ if( authres == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Invalid response from authentication plug-in %i",
+ authmeth->authplugid);
+ result = 0;
+ goto exit;
+ }
+
+ /* Parse the authentication result */
+ switch( authres->status ) {
+ case eAUTH_FAILED:
+ eurephia_log(ctx, LOG_WARNING, 0,"Authentication failed for user '%s': %s",
+ username, authres->msg);
+ sleep(2);
+ result = -1;
+ break;
+
+ case eAUTH_PLGERROR:
+ eurephia_log(ctx, LOG_ERROR, 0,
+ "Authentication plug-in %i returned with an internal error "
+ "while authenticating user '%s' (uicid: %i): %s",
+ authmeth->authplugid,
+ authmeth->username,
+ authmeth->uicid,
+ authres->msg);
+ result = 0;
+ goto exit;
+
+ case eAUTH_SUCCESS:
+ result = authmeth->uicid;
+ if( authres->msg != NULL ) {
+ eurephia_log(ctx, LOG_INFO, 1,
+ "Authentication plug-in (%i) success response "
+ "for user '%s' (uicid: %i): %s",
+ authmeth->authplugid,
+ authmeth->username,
+ result,
+ authres->msg);
+ }
+ break;
+
+ default:
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Invalid response from authentication plug-in %i when "
+ "authenticating user '%s': %i",
+ authmeth->authplugid, authmeth->username, authres->status);
+ result = 0;
+ break;
+ }
+ break;
+
+ case eAM_BLACKLISTED:
+ case eAM_INACTIVE:
+ result = -1;
+ break;
+
+ default:
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Invalid authentication method attempted (%i) for "
+ "user '%s' with certid %i",
+ authmeth->method, username, certid);
+ break;
+ }
+ eDBauth_FreeAuthMethodResult(ctx, authmeth);
+
+ /* If the authentication failed, register the failed attempt */
if( result < 1 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
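Review bot: The three `goto exit` jumps taken after eDBauth_GetAuthMethod() has succeeded (missing plug-in, NULL authres, eAUTH_PLGERROR) bypass the `eDBauth_FreeAuthMethodResult(ctx, authmeth);` call after the switch, leaking the result and its `username` on every plug-in error path unless the `exit:` label outside this hunk frees it; moving that call to the exit label (it already tolerates NULL) closes all three. Two log messages lose a space across the string-literal join: `"...for user '%s' with"` `"certid %i"` prints "withcertid" and `"...to authenticate"` `"user '%s'..."` prints "authenticateuser". `authres` is never released on any path, so either the plug-in must own it or a release call is missing; the contract is not visible here. The `default:` branch of the outer switch does not assign `result`, unlike every other failure branch; an explicit `result = 0;` there would avoid depending on whatever `result` held before the `chk_pwd:` label. eurephia_userauth() continues outside this hunk.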