author | David Sommerseth <dazo@users.sourceforge.net> | 2013-03-03 01:06:00 +0100 |
---|---|---|
committer | David Sommerseth <dazo@users.sourceforge.net> | 2013-03-03 15:37:22 +0100 |
commit | 8da942bbd9c7f75d865137822552e9c2f7640325 (patch) | |
tree | c5df77eae29211106e40fb18af5dc4bce0131140 | |
parent | 277f2b549666be424eb5bd6f560e7f50da98d979 (diff) | |
download | eurephia-8da942bbd9c7f75d865137822552e9c2f7640325.tar.gz eurephia-8da942bbd9c7f75d865137822552e9c2f7640325.tar.xz eurephia-8da942bbd9c7f75d865137822552e9c2f7640325.zip |
sqlite: Implemented needed functions to enable authentication plug-ins
This adds the needed functions the eurephia framework requires to
retrieve a list of all configured plug-ins - eDBget_plugins(). And
it includes eDBauth_GetAuthMethod() which is used to lookup what
kind of authentication method a specific user account/certificate
combination should use. If the authentication backend requires
a different username for this, that can also be configured in
this user account/certificate setup.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
-rw-r--r-- | database/sqlite/CMakeLists.txt | 6 | ||||
-rw-r--r-- | database/sqlite/edb-sqlite.c | 127 | ||||
-rw-r--r-- | database/sqlite/sql-schema-delta-2.sql | 37 | ||||
-rw-r--r-- | database/sqlite/sql-schema.sql | 14 |
4 files changed, 178 insertions, 6 deletions
diff --git a/database/sqlite/CMakeLists.txt b/database/sqlite/CMakeLists.txt index a0a2dc8..878868c 100644 --- a/database/sqlite/CMakeLists.txt +++ b/database/sqlite/CMakeLists.txt @@ -1,6 +1,6 @@ # cmake rules for eurephia - SQLite3 database driver # -# GPLv2 only - Copyright (C) 2008 - 2012 +# GPLv2 only - Copyright (C) 2008 - 2013 # David Sommerseth <dazo@users.sourceforge.net> # # This program is free software; you can redistribute it and/or @@ -45,6 +45,8 @@ SET(edb_sqlite_SRC sqlite.c edb-sqlite.c ../../common/eurephiadb_session_common.c + ../../auth/eurephia_authplugin.c + ../../auth/eurephia_authplugin_driver.c ) IF(ADMIN_ENABLED) @@ -63,7 +65,7 @@ ENDIF(ADMIN_ENABLED) # Compiler settings ADD_DEFINITIONS(-D_GNU_SOURCE) -INCLUDE_DIRECTORIES(BEFORE ../../common/ ../../plugin/ ../../plugin/firewall ../) +INCLUDE_DIRECTORIES(BEFORE ../../common/ ../../auth/ ../../plugin/ ../../plugin/firewall ../) # # Build instructions diff --git a/database/sqlite/edb-sqlite.c b/database/sqlite/edb-sqlite.c index bd0d905..8e3f25c 100644 --- a/database/sqlite/edb-sqlite.c +++ b/database/sqlite/edb-sqlite.c @@ -1,7 +1,7 @@ /* edb-sqlite.c -- Main driver for eurephia authentication plugin for OpenVPN * This is the SQLite database driver * - * GPLv2 only - Copyright (C) 2008 - 2012 + * GPLv2 only - Copyright (C) 2008 - 2013 * David Sommerseth <dazo@users.sourceforge.net> * * This program is free software; you can redistribute it and/or @@ -37,9 +37,9 @@ #include <unistd.h> #include <assert.h> -#define DRIVERVERSION "1.3" /**< Defines the software version of this driver */ +#define DRIVERVERSION "1.4" /**< Defines the software version of this driver */ #ifndef DRIVERAPIVERSION -# define DRIVERAPIVERSION 3 /**< Sets the API version level of this driver */ +# define DRIVERAPIVERSION 4 /**< Sets the API version level of this driver */ #endif #include <sqlite3.h> 
@@ -274,6 +274,93 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char /** + * @copydoc eDBauth_GetAuthMethod() + */ +eDBauthMethodResult * eDBauth_GetAuthMethod(eurephiaCTX *ctx, + const int certid, const char *username) +{ + dbresult *dbr = NULL; + eDBauthMethodResult *ret = NULL; + + DEBUG(ctx, 20, "Function call: eDBauth_GetAuthMethod(ctx, %i, '%s')", certid, username); + + dbr = sqlite_query(ctx, + "SELECT uicid, authplugin, authusername, activated, deactivated, " + " bl1.blid, bl2.blid" + " FROM openvpn_usercerts uc" + " JOIN openvpn_users ou USING (uid)" + " LEFT JOIN openvpn_blacklist bl1 ON( ou.username = bl1.username) " + " LEFT JOIN (SELECT blid, certid " + " FROM openvpn_certificates " + " JOIN openvpn_blacklist USING(digest)) bl2 " + " ON (uc.certid = bl2.certid)" + " WHERE ou.username = '%q' AND uc.certid = '%i'", + username, certid); + + if (dbr == NULL) { + eurephia_log(ctx, LOG_FATAL, 0, + "Failed to query eurephia database for authentication methods for" + "user '%s' with certid '%i'", username, certid); + return NULL; + } + + ret = malloc_nullsafe(ctx, sizeof(eDBauthMethodResult)+2); + if (ret == NULL) { + eurephia_log(ctx, LOG_FATAL, 0, + "Failed to allocate memory fir auth method results"); + return NULL; + } + + /* Some sane and restrictive default values */ + ret->method = eAM_UNDEF; + ret->username = NULL; + ret->authplugid = 0; + ret->uicid = 0; + + if (sqlite_get_numtuples(dbr) == 1) { + char *auplgid = sqlite_get_value(dbr, 0, 1); + char *auuname = sqlite_get_value(dbr, 0, 2); + + if( sqlite_get_value(dbr, 0, 5) != NULL ) { + eurephia_log(ctx, LOG_WARNING, 0, "User account is BLACKLISTED (%s)", + username); + ret->method = eAM_BLACKLISTED; + } else if( sqlite_get_value(dbr, 0, 6) != NULL ) { + eurephia_log(ctx, LOG_WARNING, 0, + "User account linked with a BLACKLISTED certificate " + "(%s) - certid: %s", + username, certid); + ret->method = eAM_BLACKLISTED; + } else if( sqlite_get_value(dbr, 0, 3) == NULL ) 
{ + eurephia_log(ctx, LOG_WARNING, 0, "User account is not activated (%s)", + username); + ret->method = eAM_INACTIVE; + } else if( sqlite_get_value(dbr, 0, 4) != NULL ) { + eurephia_log(ctx, LOG_WARNING, 0, "User account is deactivated (%s)", + username); + ret->method = eAM_INACTIVE; + } else if (auplgid == NULL) { + /* If no authentication plug-in is defined, use internal eurephia auth */ + ret->method = eAM_INTERNDB; + ret->username = strdup_nullsafe(username); + ret->authplugid = 0; + } else { + /* If an authentication plug-in is defined. Use a different auth name + * if configured as well. + */ + ret->method = eAM_PLUGIN; + ret->username = strdup_nullsafe((auuname != NULL ? auuname : username)); + ret->authplugid = atoi_nullsafe(auplgid); + ret->uicid = atoi_nullsafe(sqlite_get_value(dbr, 0, 0)); + } + } + + sqlite_free_results(dbr); + return ret; +} + + +/** * @copydoc eDBauth_user() */ int eDBauth_user(eurephiaCTX *ctx, const int certid, const char *username, const char *passwd) @@ -1187,3 +1274,37 @@ eurephiaVALUES *eDBget_blacklisted_ip(eurephiaCTX *ctx) { return ret; } + +/** + * @copydoc eDBget_plugins() + */ +eurephiaVALUES *eDBget_plugins(eurephiaCTX *ctx, const char *plgtype) { + eurephiaVALUES *ret = NULL; + dbresult *res = NULL; + int i = 0; + char *plgdso = NULL; + + DEBUG(ctx, 20, "Function call eDBget_plugins(ctx, '%s')", plgtype); + + res = sqlite_query(ctx, + "SELECT plgid, plgdsofile" + " FROM eurephia_plugins" + " WHERE plgenabled = 't' " + " AND plgtype = '%q'", plgtype); + if( sqlite_query_status(res) == dbSUCCESS ) { + ret = eCreate_value_space(ctx, 21); + for( i = 0; i < sqlite_get_numtuples(res); i++ ) { + if( ( plgdso = sqlite_get_value(res, i, 1)) != NULL ) { + eAdd_value(ctx, ret, sqlite_get_value(res, i, 0), plgdso); + } + } + } else { + eurephia_log(ctx, LOG_FATAL, 0, + "Failed to retrieve additional eurephia plug-ins"); + sqlite_log_error(ctx, res); + ret = NULL; + } + sqlite_free_results(res); + + return ret; +} 
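Review bot: In the blacklisted-certificate branch of eDBauth_GetAuthMethod the log call passes the `const int certid` to a `%s` conversion (`"(%s) - certid: %s", username, certid`), which is undefined behaviour and will most likely fault exactly when a blacklisted certificate is presented; the format should read `"(%s) - certid: %i",`. Two smaller message defects sit in the same hunk: the adjacent literals `"...authentication methods for"` and `"user '%s' ..."` concatenate without a space, and `"memory fir auth method results"` should say `for`. The `sizeof(eDBauthMethodResult)+2` in the malloc_nullsafe call has no visible justification, so either comment what the two extra bytes are for or drop them. The `sqlite_get_numtuples(dbr) != 1` path leaves `ret->method` at eAM_UNDEF, which is the right fail-closed default, but it is silent; a `DEBUG(ctx, 20, "eDBauth_GetAuthMethod: %i tuples for certid %i", sqlite_get_numtuples(dbr), certid);` line would make a misconfigured account/certificate pair far easier to diagnose.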
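Review bot: eDBget_plugins hands `res` to `sqlite_query_status()`, `sqlite_log_error()` and `sqlite_free_results()` without checking whether `sqlite_query()` returned NULL, whereas eDBauth_GetAuthMethod in this same commit guards `dbr == NULL` before touching its result; unless those helpers are NULL-tolerant (not visible here), add `if (res == NULL) { eurephia_log(ctx, LOG_FATAL, 0, "Failed to query eurephia database for plug-ins"); return NULL; }` right after the query. The `eCreate_value_space(ctx, 21)` argument is a bare magic number and deserves a comment saying what 21 sizes (presumably an initial capacity). The filter `plgenabled = 't'` compares a column the new schema declares as `boolean` against a text literal, so whatever writes that table must store exactly `'t'`; a comment such as `/* plgenabled is matched as the text 't'; keep in sync with whatever writes eurephia_plugins */` pins that contract. Since the returned plgdsofile values are paths the framework will presumably load as shared objects, a comment noting that the eurephia_plugins table is part of the trusted configuration and that this function performs no validation of the path would help the next maintainer.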
diff --git a/database/sqlite/sql-schema-delta-2.sql b/database/sqlite/sql-schema-delta-2.sql
new file mode 100644
index 0000000..f767a5d
--- /dev/null
+++ b/database/sqlite/sql-schema-delta-2.sql
@@ -0,0 +1,37 @@
+--
+-- eurephia database schema for SQLite3
+--
+-- This SQL scripts updates the previous SQL schema to the
+-- new schema needed by edb-sqlite v1.4
+--
+-- GPLv2 only - Copyright (C) 2013
+-- David Sommerseth <dazo@users.sourceforge.net>
+--
+-- This program is free software; you can redistribute it and/or
+-- modify it under the terms of the GNU General Public License
+-- as published by the Free Software Foundation; version 2
+-- of the License.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program; if not, write to the Free Software
+-- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+--
+
+-- eurephia_plugins - Defines loadable eurephia plug-ins
+-- This table is parsed upon start-up of OpenVPN/eurephia
+CREATE TABLE eurephia_plugins (
+ plgname varchar(32) NOT NULL, -- short name of the plug-in module
+ plgtype varchar(16) NOT NULL, -- plug-in type (auth, firewall, etc)
+ plgdsofile text NOT NULL, -- full path to the plug-in DSO file
+ plgenabled boolean NOT NULL, -- Enable/disable the plug-in
+ plgid integer PRIMARY KEY AUTOINCREMENT
+);
+CREATE INDEX eurephia_plugins_name_type ON eurephia_plugins (plgname, plgtype);
+
+ALTER TABLE openvpn_usercerts ADD COLUMN authplugin integer;
+ALTER TABLE openvpn_usercerts ADD COLUMN authusername text;
diff --git a/database/sqlite/sql-schema.sql b/database/sqlite/sql-schema.sql
index 6d2befb..2e21605 100644
--- a/database/sqlite/sql-schema.sql
+++ b/database/sqlite/sql-schema.sql
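Review bot: The new `authplugin` column is documented as "must match eurephia_plugins.plgid if used", but that relationship exists only in a comment; declaring it as `authplugin integer REFERENCES eurephia_plugins (plgid)` makes it visible in the DDL (SQLite parses the clause even where enforcement is off, so it is at least executable documentation), and the same applies to the `ALTER TABLE ... ADD COLUMN authplugin` here and to the openvpn_usercerts hunk in sql-schema.sql. `plgenabled boolean NOT NULL` uses a type name SQLite does not have, and the driver in this commit selects rows with `plgenabled = 't'`, so the column comment should state the stored representation, e.g. `-- Enable/disable the plug-in; edb-sqlite.c expects the text value 't' for enabled`. The index `eurephia_plugins_name_type` is non-unique; if two rows with the same name and type are not meant to coexist, `CREATE UNIQUE INDEX` would enforce that. Unless the caller runs this delta script inside a transaction, a failure between the CREATE and the two ALTER statements leaves the schema half-migrated, so wrapping the script in `BEGIN;` ... `COMMIT;` is cheap insurance.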
@@ -1,7 +1,7 @@ -- -- eurephia database schema for SQLite3 -- --- GPLv2 only - Copyright (C) 2008 - 2012 +-- GPLv2 only - Copyright (C) 2008 - 2013 -- David Sommerseth <dazo@users.sourceforge.net> -- -- This program is free software; you can redistribute it and/or @@ -19,6 +19,16 @@ -- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -- +-- eurephia_plugins - Defines loadable eurephia plug-ins +-- This table is parsed upon start-up of OpenVPN/eurephia +CREATE TABLE eurephia_plugins ( + plgname varchar(32) NOT NULL, -- short name of the plug-in module + plgtype varchar(16) NOT NULL, -- plug-in type (auth, firewall, etc) + plgdsofile text NOT NULL, -- full path to the plug-in DSO file + plgenabled boolean NOT NULL, -- Enable/disable the plug-in + plgid integer PRIMARY KEY AUTOINCREMENT +); +CREATE INDEX eurephia_plugins_name_type ON eurephia_plugins (plgname, plgtype); -- openvpn_certificates - contains mainly X.509 information from SSL certificates CREATE TABLE openvpn_certificates ( @@ -49,6 +59,8 @@ CREATE TABLE openvpn_usercerts ( uid integer NOT NULL, -- Must be found in openvpn_users certid integer NOT NULL, -- Must be found in openvpn_certificates accessprofile integer , -- If not null, it must be found in openvpn_accesses + authplugin integer , -- optional, must match eurephia_plugins.plgid if used + authusername text , -- optional, alternative username through plug-ins registered timestamp DEFAULT CURRENT_TIMESTAMP, uicid integer PRIMARY KEY AUTOINCREMENT -- Unique ID ); |