authorDavid Sommerseth <dazo@users.sourceforge.net>2013-03-03 01:06:00 +0100
committerDavid Sommerseth <dazo@users.sourceforge.net>2013-03-03 15:37:22 +0100
commit8da942bbd9c7f75d865137822552e9c2f7640325 (patch)
treec5df77eae29211106e40fb18af5dc4bce0131140
parent277f2b549666be424eb5bd6f560e7f50da98d979 (diff)
sqlite: Implemented needed functions to enable authentication plug-ins
This adds the functions the eurephia framework requires to retrieve a list of all configured plug-ins - eDBget_plugins(). It also includes eDBauth_GetAuthMethod(), which is used to look up what kind of authentication method a specific user account/certificate combination should use. If the authentication backend requires a different username for this, that can also be configured in this user account/certificate setup. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
-rw-r--r--database/sqlite/CMakeLists.txt6
-rw-r--r--database/sqlite/edb-sqlite.c127
-rw-r--r--database/sqlite/sql-schema-delta-2.sql37
-rw-r--r--database/sqlite/sql-schema.sql14
4 files changed, 178 insertions, 6 deletions
diff --git a/database/sqlite/CMakeLists.txt b/database/sqlite/CMakeLists.txt
index a0a2dc8..878868c 100644
--- a/database/sqlite/CMakeLists.txt
+++ b/database/sqlite/CMakeLists.txt
@@ -1,6 +1,6 @@
# cmake rules for eurephia - SQLite3 database driver
#
-# GPLv2 only - Copyright (C) 2008 - 2012
+# GPLv2 only - Copyright (C) 2008 - 2013
# David Sommerseth <dazo@users.sourceforge.net>
#
# This program is free software; you can redistribute it and/or
@@ -45,6 +45,8 @@ SET(edb_sqlite_SRC
sqlite.c
edb-sqlite.c
../../common/eurephiadb_session_common.c
+ ../../auth/eurephia_authplugin.c
+ ../../auth/eurephia_authplugin_driver.c
)
IF(ADMIN_ENABLED)
@@ -63,7 +65,7 @@ ENDIF(ADMIN_ENABLED)
# Compiler settings
ADD_DEFINITIONS(-D_GNU_SOURCE)
-INCLUDE_DIRECTORIES(BEFORE ../../common/ ../../plugin/ ../../plugin/firewall ../)
+INCLUDE_DIRECTORIES(BEFORE ../../common/ ../../auth/ ../../plugin/ ../../plugin/firewall ../)
#
# Build instructions
diff --git a/database/sqlite/edb-sqlite.c b/database/sqlite/edb-sqlite.c
index bd0d905..8e3f25c 100644
--- a/database/sqlite/edb-sqlite.c
+++ b/database/sqlite/edb-sqlite.c
@@ -1,7 +1,7 @@
/* edb-sqlite.c -- Main driver for eurephia authentication plugin for OpenVPN
* This is the SQLite database driver
*
- * GPLv2 only - Copyright (C) 2008 - 2012
+ * GPLv2 only - Copyright (C) 2008 - 2013
* David Sommerseth <dazo@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or
@@ -37,9 +37,9 @@
#include <unistd.h>
#include <assert.h>
-#define DRIVERVERSION "1.3" /**< Defines the software version of this driver */
+#define DRIVERVERSION "1.4" /**< Defines the software version of this driver */
#ifndef DRIVERAPIVERSION
-# define DRIVERAPIVERSION 3 /**< Sets the API version level of this driver */
+# define DRIVERAPIVERSION 4 /**< Sets the API version level of this driver */
#endif
#include <sqlite3.h>
@@ -274,6 +274,93 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char
/**
+ * @copydoc eDBauth_GetAuthMethod()
+ */
+eDBauthMethodResult * eDBauth_GetAuthMethod(eurephiaCTX *ctx,
+ const int certid, const char *username)
+{
+ dbresult *dbr = NULL;
+ eDBauthMethodResult *ret = NULL;
+
+ DEBUG(ctx, 20, "Function call: eDBauth_GetAuthMethod(ctx, %i, '%s')", certid, username);
+
+ dbr = sqlite_query(ctx,
+ "SELECT uicid, authplugin, authusername, activated, deactivated, "
+ " bl1.blid, bl2.blid"
+ " FROM openvpn_usercerts uc"
+ " JOIN openvpn_users ou USING (uid)"
+ " LEFT JOIN openvpn_blacklist bl1 ON( ou.username = bl1.username) "
+ " LEFT JOIN (SELECT blid, certid "
+ " FROM openvpn_certificates "
+ " JOIN openvpn_blacklist USING(digest)) bl2 "
+ " ON (uc.certid = bl2.certid)"
+ " WHERE ou.username = '%q' AND uc.certid = '%i'",
+ username, certid);
+
+ if (dbr == NULL) {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Failed to query eurephia database for authentication methods for"
+ "user '%s' with certid '%i'", username, certid);
+ return NULL;
+ }
+
+ ret = malloc_nullsafe(ctx, sizeof(eDBauthMethodResult)+2);
+ if (ret == NULL) {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Failed to allocate memory fir auth method results");
+ return NULL;
+ }
+
+ /* Some sane and restrictive default values */
+ ret->method = eAM_UNDEF;
+ ret->username = NULL;
+ ret->authplugid = 0;
+ ret->uicid = 0;
+
+ if (sqlite_get_numtuples(dbr) == 1) {
+ char *auplgid = sqlite_get_value(dbr, 0, 1);
+ char *auuname = sqlite_get_value(dbr, 0, 2);
+
+ if( sqlite_get_value(dbr, 0, 5) != NULL ) {
+ eurephia_log(ctx, LOG_WARNING, 0, "User account is BLACKLISTED (%s)",
+ username);
+ ret->method = eAM_BLACKLISTED;
+ } else if( sqlite_get_value(dbr, 0, 6) != NULL ) {
+ eurephia_log(ctx, LOG_WARNING, 0,
+ "User account linked with a BLACKLISTED certificate "
+ "(%s) - certid: %s",
+ username, certid);
+ ret->method = eAM_BLACKLISTED;
+ } else if( sqlite_get_value(dbr, 0, 3) == NULL ) {
+ eurephia_log(ctx, LOG_WARNING, 0, "User account is not activated (%s)",
+ username);
+ ret->method = eAM_INACTIVE;
+ } else if( sqlite_get_value(dbr, 0, 4) != NULL ) {
+ eurephia_log(ctx, LOG_WARNING, 0, "User account is deactivated (%s)",
+ username);
+ ret->method = eAM_INACTIVE;
+ } else if (auplgid == NULL) {
+ /* If no authentication plug-in is defined, use internal eurephia auth */
+ ret->method = eAM_INTERNDB;
+ ret->username = strdup_nullsafe(username);
+ ret->authplugid = 0;
+ } else {
+ /* If an authentication plug-in is defined. Use a different auth name
+ * if configured as well.
+ */
+ ret->method = eAM_PLUGIN;
+ ret->username = strdup_nullsafe((auuname != NULL ? auuname : username));
+ ret->authplugid = atoi_nullsafe(auplgid);
+ ret->uicid = atoi_nullsafe(sqlite_get_value(dbr, 0, 0));
+ }
+ }
+
+ sqlite_free_results(dbr);
+ return ret;
+}
+
+
+/**
* @copydoc eDBauth_user()
*/
int eDBauth_user(eurephiaCTX *ctx, const int certid, const char *username, const char *passwd)
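Review bot: The LOG_WARNING call in the certificate-blacklist branch passes the `const int certid` to a `%s` conversion (`"(%s) - certid: %s", username, certid`), which is undefined behaviour and will typically crash the process exactly when a user with a blacklisted certificate is checked; it should read `"(%s) - certid: %i",`. The LOG_FATAL message above it is missing a space between `"...authentication methods for"` and `"user '%s'..."` so it logs `foruser`, and `"fir auth method results"` should be `"for auth method results"`. The `+2` in `malloc_nullsafe(ctx, sizeof(eDBauthMethodResult)+2)` has no visible justification; if it is deliberate padding a comment saying why would help, otherwise `sizeof(eDBauthMethodResult)` is enough. When the query returns zero or more than one row the function silently returns `eAM_UNDEF`; a DEBUG or LOG_WARNING line there would make an unknown user/cert pair or duplicate blacklist rows matching `bl1` diagnosable from the log.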
@@ -1187,3 +1274,37 @@ eurephiaVALUES *eDBget_blacklisted_ip(eurephiaCTX *ctx) {
return ret;
}
+
+/**
+ * @copydoc eDBget_plugins()
+ */
+eurephiaVALUES *eDBget_plugins(eurephiaCTX *ctx, const char *plgtype) {
+ eurephiaVALUES *ret = NULL;
+ dbresult *res = NULL;
+ int i = 0;
+ char *plgdso = NULL;
+
+ DEBUG(ctx, 20, "Function call eDBget_plugins(ctx, '%s')", plgtype);
+
+ res = sqlite_query(ctx,
+ "SELECT plgid, plgdsofile"
+ " FROM eurephia_plugins"
+ " WHERE plgenabled = 't' "
+ " AND plgtype = '%q'", plgtype);
+ if( sqlite_query_status(res) == dbSUCCESS ) {
+ ret = eCreate_value_space(ctx, 21);
+ for( i = 0; i < sqlite_get_numtuples(res); i++ ) {
+ if( ( plgdso = sqlite_get_value(res, i, 1)) != NULL ) {
+ eAdd_value(ctx, ret, sqlite_get_value(res, i, 0), plgdso);
+ }
+ }
+ } else {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Failed to retrieve additional eurephia plug-ins");
+ sqlite_log_error(ctx, res);
+ ret = NULL;
+ }
+ sqlite_free_results(res);
+
+ return ret;
+}
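Review bot: `res` goes straight into `sqlite_query_status(res)` and `sqlite_free_results(res)` without a NULL check, whereas `eDBauth_GetAuthMethod` in this same commit treats a NULL return from `sqlite_query` as a fatal error; unless both helpers are documented to accept NULL, add `if (res == NULL) { eurephia_log(ctx, LOG_FATAL, 0, "Failed to retrieve additional eurephia plug-ins"); return NULL; }` before the status check, or drop the check in the other function so the two agree. `eCreate_value_space(ctx, 21)` is a magic number; a named constant or a comment stating what 21 represents would help. The rows returned here name shared-object files (`plgdsofile`) that are presumably loaded into the OpenVPN process at start-up, so whoever can write to `eurephia_plugins` effectively controls which code runs; that trust boundary deserves a sentence in the function's header comment. The enclosing function `eDBget_blacklisted_ip` at the top of the hunk starts outside it.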
diff --git a/database/sqlite/sql-schema-delta-2.sql b/database/sqlite/sql-schema-delta-2.sql
new file mode 100644
index 0000000..f767a5d
--- /dev/null
+++ b/database/sqlite/sql-schema-delta-2.sql
@@ -0,0 +1,37 @@
+--
+-- eurephia database schema for SQLite3
+--
+-- This SQL scripts updates the previous SQL schema to the
+-- new schema needed by edb-sqlite v1.4
+--
+-- GPLv2 only - Copyright (C) 2013
+-- David Sommerseth <dazo@users.sourceforge.net>
+--
+-- This program is free software; you can redistribute it and/or
+-- modify it under the terms of the GNU General Public License
+-- as published by the Free Software Foundation; version 2
+-- of the License.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program; if not, write to the Free Software
+-- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+--
+
+-- eurephia_plugins - Defines loadable eurephia plug-ins
+-- This table is parsed upon start-up of OpenVPN/eurephia
+CREATE TABLE eurephia_plugins (
+ plgname varchar(32) NOT NULL, -- short name of the plug-in module
+ plgtype varchar(16) NOT NULL, -- plug-in type (auth, firewall, etc)
+ plgdsofile text NOT NULL, -- full path to the plug-in DSO file
+ plgenabled boolean NOT NULL, -- Enable/disable the plug-in
+ plgid integer PRIMARY KEY AUTOINCREMENT
+);
+CREATE INDEX eurephia_plugins_name_type ON eurephia_plugins (plgname, plgtype);
+
+ALTER TABLE openvpn_usercerts ADD COLUMN authplugin integer;
+ALTER TABLE openvpn_usercerts ADD COLUMN authusername text;
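Review bot: `eurephia_plugins_name_type` is a plain index, so nothing prevents two rows with the same `plgname` and `plgtype` from being inserted and both being returned by `eDBget_plugins`; if one plug-in per name/type is intended, make it `CREATE UNIQUE INDEX eurephia_plugins_name_type ON eurephia_plugins (plgname, plgtype);`. The same definition appears in the `sql-schema.sql` hunk of this commit. The two `ALTER TABLE ... ADD COLUMN` statements at the end lack the column comments that `sql-schema.sql` carries for the same columns (`-- optional, must match eurephia_plugins.plgid if used` and `-- optional, alternative username through plug-ins`); copying them here keeps the delta self-explanatory. Since `plgdsofile` is a full filesystem path that decides what gets loaded, the comment on that column could also state who is expected to be able to modify both the file and this table, so operators know which permissions matter.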
diff --git a/database/sqlite/sql-schema.sql b/database/sqlite/sql-schema.sql
index 6d2befb..2e21605 100644
--- a/database/sqlite/sql-schema.sql
+++ b/database/sqlite/sql-schema.sql
@@ -1,7 +1,7 @@
--
-- eurephia database schema for SQLite3
--
--- GPLv2 only - Copyright (C) 2008 - 2012
+-- GPLv2 only - Copyright (C) 2008 - 2013
-- David Sommerseth <dazo@users.sourceforge.net>
--
-- This program is free software; you can redistribute it and/or
@@ -19,6 +19,16 @@
-- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
--
+-- eurephia_plugins - Defines loadable eurephia plug-ins
+-- This table is parsed upon start-up of OpenVPN/eurephia
+CREATE TABLE eurephia_plugins (
+ plgname varchar(32) NOT NULL, -- short name of the plug-in module
+ plgtype varchar(16) NOT NULL, -- plug-in type (auth, firewall, etc)
+ plgdsofile text NOT NULL, -- full path to the plug-in DSO file
+ plgenabled boolean NOT NULL, -- Enable/disable the plug-in
+ plgid integer PRIMARY KEY AUTOINCREMENT
+);
+CREATE INDEX eurephia_plugins_name_type ON eurephia_plugins (plgname, plgtype);
-- openvpn_certificates - contains mainly X.509 information from SSL certificates
CREATE TABLE openvpn_certificates (
@@ -49,6 +59,8 @@ CREATE TABLE openvpn_usercerts (
uid integer NOT NULL, -- Must be found in openvpn_users
certid integer NOT NULL, -- Must be found in openvpn_certificates
accessprofile integer , -- If not null, it must be found in openvpn_accesses
+ authplugin integer , -- optional, must match eurephia_plugins.plgid if used
+ authusername text , -- optional, alternative username through plug-ins
registered timestamp DEFAULT CURRENT_TIMESTAMP,
uicid integer PRIMARY KEY AUTOINCREMENT -- Unique ID
);