author | David Sommerseth <dazo@users.sourceforge.net> | 2013-05-29 19:51:19 +0200 |
committer | David Sommerseth <dazo@users.sourceforge.net> | 2013-05-29 19:51:19 +0200 |
commit | efac24b10ee1df25d2e9db35b26d848d8ffc9e6c (patch) | |
tree | 519891f4d6f4c5bcf5b275b00827a381a584d46f | |
parent | 522e8fbd46334a4187c73c03bdd051bf2cc7c01b (diff) | |
eurephiadm/usercerts: Add support for setting up auth-plugins
This enables setting the authentication plug-in and the alternative
authentication username on user-certificate links (add, delete and modify modes).
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
-rw-r--r-- | database/eurephiadb_mapping.h | 3 | ||||
-rw-r--r-- | database/sqlite/administration/usercerts.c | 14 | ||||
-rw-r--r-- | database/sqlite/fieldmapping.h | 2 | ||||
-rw-r--r-- | eurephiadm/commands/usercerts.c | 105 | ||||
-rw-r--r-- | xslt/eurephiadm/usercerts.xsl | 19 |
5 files changed, 107 insertions, 36 deletions
diff --git a/database/eurephiadb_mapping.h b/database/eurephiadb_mapping.h
index 8afeb34..ba077be 100644
--- a/database/eurephiadb_mapping.h
+++ b/database/eurephiadb_mapping.h
@@ -138,6 +138,7 @@ extern const char *SESSION_STATUS[];
#define FIELD_TYPE 0x10000000LL
#define FIELD_FILE 0x20000000LL
#define FIELD_CONFIG 0x40000000LL
+#define FIELD_PLUGIN 0x80000000LL
/**
* @}
*/
@@ -226,6 +227,8 @@ static eDBfieldMap eTblMap_usercerts[] = {
{TABLE_USERCERTS, NULL, FIELD_UID, ft_INT, flt_EQ, "uid", NULL, NULL},
{TABLE_USERCERTS, NULL, FIELD_CERTID, ft_INT, flt_EQ, "certid", NULL, NULL},
{TABLE_USERCERTS, NULL, FIELD_ACCPROFILE, ft_INT, flt_EQ, "accessprofile", NULL, NULL},
+ {TABLE_USERCERTS, NULL, FIELD_PLUGIN, ft_INT, flt_EQ, "authplugin", NULL, NULL},
+ {TABLE_USERCERTS, NULL, FIELD_UNAME, ft_STRING,flt_EQ,"authusername", NULL, NULL},
{TABLE_USERCERTS, NULL, FIELD_REGISTERED, ft_INT, flt_EQ, "registered", NULL, NULL},
{TABLE_USERCERTS, NULL, FIELD_RECID, ft_INT, flt_EQ, "uicid", NULL, NULL},
{0, NULL, FIELD_NONE, ft_UNDEF, flt_NOTSET, NULL, NULL, NULL}
diff --git a/database/sqlite/administration/usercerts.c b/database/sqlite/administration/usercerts.c
index d6f8721..581514a 100644
--- a/database/sqlite/administration/usercerts.c
+++ b/database/sqlite/administration/usercerts.c
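Review bot: FIELD_UNAME is reused for the new `authusername` column, so on TABLE_USERCERTS the same field id that presumably denotes the account `username` on the users table now selects the plug-in's alternative username, and nothing on the line says so. A search built with FIELD_UNAME against usercerts will therefore filter on `authusername`, not on the joined `openvpn_users.username`; a one-line comment would prevent that surprise: `// FIELD_UNAME on usercerts = alternative auth-plugin username, not the account username`. The mirror entry added to database/sqlite/fieldmapping.h in this commit would take the same comment.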
@@ -84,11 +84,13 @@ xmlDoc *usercerts_search(eurephiaCTX *ctx, eDBfieldMap *where_m, const char *sor
"SELECT uicid, ucs.uid AS uid, certid, locdt(ucs.registered) AS registered,"
" ucs.accessprofile AS accessprofile, access_descr,"
" username, "
- " common_name, organisation, email, lower(digest), depth "
+ " common_name, organisation, email, lower(digest), depth, "
+ " authplugin, plgname, authusername"
" FROM openvpn_usercerts ucs"
" LEFT JOIN openvpn_certificates USING(certid)"
" LEFT JOIN openvpn_accesses acc ON(ucs.accessprofile = acc.accessprofile)"
- " LEFT JOIN openvpn_users u ON(u.uid = ucs.uid)",
+ " LEFT JOIN openvpn_users u ON(u.uid = ucs.uid)"
+ " LEFT JOIN eurephia_plugins plg ON(ucs.authplugin = plg.plgid)",
NULL, // values (not used for SELECT)
where_m, // fields and values for the WHERE clause
dbsort);
@@ -130,6 +132,14 @@ xmlDoc *usercerts_search(eurephiaCTX *ctx, eDBfieldMap *where_m, const char *sor
tmp_n = sqlite_xml_value(link_n, XML_NODE, "access_profile", res, i, 5);
sqlite_xml_value(tmp_n, XML_ATTR, "accessprofile", res, i, 4);
+
+ // Add optional authentication plug-in info
+ if( atoi_nullsafe(sqlite_get_value(res, i, 12)) > 0 ) {
+ tmp_n = xmlNewChild(link_n, NULL, (xmlChar *) "authplugin", NULL);
+ sqlite_xml_value(tmp_n, XML_ATTR, "authplugid", res, i, 12);
+ sqlite_xml_value(tmp_n, XML_NODE, "description", res, i, 13);
+ sqlite_xml_value(tmp_n, XML_NODE, "auth_username", res, i, 14);
+ }
}
sqlite_free_results(res);
diff --git a/database/sqlite/fieldmapping.h b/database/sqlite/fieldmapping.h
index 2f25b87..64ea65d 100644
--- a/database/sqlite/fieldmapping.h
+++ b/database/sqlite/fieldmapping.h
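Review bot: `auth_username` (column 14) is only emitted inside the `authplugin > 0` branch, so a link whose `authusername` is stored but whose plug-in id is NULL or 0 never shows up in `usercerts --list`; the CLI side of this commit accepts `-U` without `-p` in add mode and the modify mode can clear the plug-in without clearing the username, so such rows can exist. For an admin audit the stored value should be visible regardless of the plug-in: emit `sqlite_xml_value(link_n, XML_NODE, "auth_username", res, i, 14);` unconditionally under `link_n` (or whenever column 14 is non-empty) and adjust the XSL, which currently reads `authplugin/auth_username`. The column indexes 12–14 do match the three columns appended to the SELECT above. The enclosing result loop and usercerts_search both start outside the hunk.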
@@ -64,6 +64,8 @@ static eDBfieldMap tbl_sqlite_usercerts[] = {
{TABLE_USERCERTS, NULL, FIELD_UID, ft_INT, flt_NOTSET, "uid", NULL, NULL},
{TABLE_USERCERTS, NULL, FIELD_CERTID, ft_INT, flt_NOTSET, "certid", NULL, NULL},
{TABLE_USERCERTS, NULL, FIELD_ACCPROFILE, ft_INT, flt_NOTSET, "accessprofile", NULL, NULL},
+ {TABLE_USERCERTS, NULL, FIELD_PLUGIN, ft_INT, flt_NOTSET, "authplugin", NULL, NULL},
+ {TABLE_USERCERTS, NULL, FIELD_UNAME, ft_STRING,flt_NOTSET,"authusername", NULL, NULL},
{TABLE_USERCERTS, NULL, FIELD_REGISTERED, ft_INT, flt_NOTSET, "registered", NULL, NULL},
{TABLE_USERCERTS, NULL, FIELD_RECID, ft_INT, flt_NOTSET, "uicid", NULL, NULL},
{0, NULL, FIELD_NONE, ft_UNDEF, flt_NOTSET, NULL, NULL, NULL}
diff --git a/eurephiadm/commands/usercerts.c b/eurephiadm/commands/usercerts.c
index 2da7a25..d670a26 100644
--- a/eurephiadm/commands/usercerts.c
+++ b/eurephiadm/commands/usercerts.c
@@ -69,9 +69,12 @@ void display_usercerts_help(int page) {
#ifdef FIREWALL
" -a | --accessprofile Firewall profile ID to use for this access\n"
#endif
+ " -p | --auth-plugin Authentication plug-in to use for this user\n"
+ " -U | --auth-username Alternative username to send to the authentication plug-in\n"
"\n"
);
break;
+
case 'D':
printf("The delete mode will delete a link between a user account and a certificate.\n"
"\n"
@@ -82,6 +85,8 @@ void display_usercerts_help(int page) {
#ifdef FIREWALL
" -a | --accessprofile Firewall profile ID\n"
#endif
+ " -p | --auth-plugin Authentication plug-in to use for this user\n"
+ " -U | --auth-username Alternative username to send to the authentication plug-in\n"
"\n"
);
break;
@@ -95,24 +100,23 @@ void display_usercerts_help(int page) {
);
break;
-#ifdef FIREWALL
- case 'S':
- printf("The set-fwprofile mode will update the firewall access profile for "
- "a given user-cert link\n\n"
- "Options: (both required)\n"
+ case 'M':
+ printf("The modify mode will update a given user-cert link\n\n"
+ "Options:\n"
" -n | --uicid Unique record id of certificate and user account link\n"
+#ifdef FIREWALL
" -a | --accessprofile Firewall profile ID\n"
+#endif
+ " -p | --auth-plugin Authentication plug-in to use for this user\n"
+ " -U | --auth-username Alternative username to send to the authentication plug-in\n"
"\n");
break;
-#endif
default:
printf("Available modes for the usercerts command are:\n\n"
" -A | --add Register a new certificate and user-cert link\n"
" -D | --delete Delete a certificate and user-cert link\n"
-#ifdef FIREWALL
- " -S | --set-fwprofile Sets the firewall access profile for a user-cert link \n"
-#endif
+ " -M | --modify Modifies a user-cert link \n"
" -l | --list List all registered user-cert links\n"
" -h | --help <mode> Help about a specific mode\n\n");
break;
@@ -144,9 +148,7 @@ int help_UserCerts2(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg
{"--list", "-l", 0},
{"--add", "-A", 0},
{"--delete", "-D", 0},
-#ifdef FIREWALL
- {"--set-fwprofile", "-S", 0},
-#endif
+ {"--modify", "-M", 0},
{NULL, NULL, 0}
};
@@ -196,7 +198,7 @@ int list_usercerts(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
// Parse arguments
for( i = 1; i < argc; i++ ) {
switch( eurephia_getopt(&i, argc, argv, listargs) ) {
- case 'S':
+ case 'M':
xmlNewChild(srch_n, NULL, (xmlChar *) "sortfields", (xmlChar *)optargs[0]);
break;
@@ -217,7 +219,6 @@ int list_usercerts(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
fprintf(stderr, "%s: Error retrieving user/certificate link list\n", MODULE);
return 1;
}
- xslt_print_xmldoc(stdout, cfg, list_xml, "usercerts.xsl", xsltparams);
xmlFreeDoc(list_xml);
return 0;
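Review bot: The sort handler in list_usercerts now matches `'M'`, but the `listargs` table that maps the sort option to its short letter sits outside the hunk and is not touched anywhere in this diff; if it still declares the option as `-S`, `--sort` is silently ignored and `sortfields` is never set. The letter change looks like a search-and-replace of the old `-S` set-fwprofile mode, which lives in a different options table, so the safest fix is to keep `case 'S':` here, or to change `listargs` in the same commit. list_usercerts starts before and continues after this hunk.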
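Review bot: The removed `xslt_print_xmldoc(...)` call is the only visible line that renders the list; after this hunk list_usercerts frees `list_xml` and returns 0 without printing anything, unless another print call exists in the lines between the error check and the free that the hunk does not show. If the intent was to drop a duplicate call, the surviving one should appear as context; otherwise restore `xslt_print_xmldoc(stdout, cfg, list_xml, "usercerts.xsl", xsltparams);` before `xmlFreeDoc(list_xml);`. This removal is also unrelated to the commit's stated purpose and deserves a sentence in the description. list_usercerts starts before this hunk.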
@@ -240,7 +241,8 @@ int add_del_usercert(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cf
xmlNode *usercert_n = NULL;
eurephiaRESULT *res = NULL;
int i = 0, rc = 0, actmode = 0;
- char *certid = NULL, *uid = NULL, *username = NULL, *uicid = NULL, *actmode_str = NULL, *accessprofile = NULL;
+ char *certid = NULL, *uid = NULL, *username = NULL, *uicid = NULL,
+ *actmode_str = NULL, *accessprofile = NULL, *authplugin = NULL, *authusername = NULL;
char uid_lookup[18];
e_options addargs[] = {
@@ -251,6 +253,8 @@ int add_del_usercert(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cf
#ifdef FIREWALL
{"--accessprofile", "-a", 1},
#endif
+ {"--auth-plugin", "-p", 1},
+ {"--auth-username", "-U", 1},
{"--help", "-h", 0},
{NULL, NULL, 0}
};
@@ -326,6 +330,20 @@ int add_del_usercert(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cf
break;
+ case 'p':
+ if( atoi_nullsafe(optargs[0]) < 1 ) {
+ fprintf(stderr, "%s: Authentication plug-in ID must be a positive number (>0)\n",
+ MODULE);
+ rc = 1;
+ goto exit;
+ }
+ authplugin = optargs[0];
+ break;
+
+ case 'U':
+ authusername = optargs[0];
+ break;
+
case 'h':
display_usercerts_help(actmode);
rc = 0;
@@ -345,9 +363,9 @@ int add_del_usercert(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cf
}
if( (actmode == 'D') && (certid == NULL) && (uid == NULL) && (username == NULL)
- && (uicid == NULL) && (accessprofile == NULL)) {
+ && (uicid == NULL) && (accessprofile == NULL) && (authplugin == NULL) && (authusername == NULL)) {
fprintf(stderr, "%s: You must provide at least --uid, --username, "
- "--certid, --uicid or --accessprofile\n", MODULE);
+ "--certid, --uicid, --accessprofile, --auth-plugin or --auth-username\n", MODULE);
rc = 1;
goto exit;
}
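Review bot: `case 'U'` assigns `optargs[0]` with no validation while the neighbouring `case 'p'` rejects bad IDs, so `-U ""` is accepted and becomes an empty `authusername` element in add mode or an exact-match filter on the empty string in delete mode. Add the same style of guard before the assignment: `if( strlen_nullsafe(optargs[0]) < 1 ) { fprintf(stderr, "%s: --auth-username needs a non-empty value\n", MODULE); rc = 1; goto exit; }`. Note also that the relaxed delete check makes `--auth-plugin` or `--auth-username` alone a sufficient selector, which can remove several links in one call; that mirrors what `--accessprofile` already allowed, but the delete help text should say so. add_del_usercert starts before and continues after this hunk.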
@@ -391,6 +409,13 @@ int add_del_usercert(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cf
xmlNewChild(usercert_n, NULL, (xmlChar *) "accessprofile", (xmlChar *) accessprofile);
}
#endif
+ if( authusername != NULL ) {
+ xmlNewChild(usercert_n, NULL, (xmlChar *) "authusername", (xmlChar *) authusername);
+ }
+
+ if( authplugin != NULL ) {
+ xmlNewChild(usercert_n, NULL, (xmlChar *) "authplugin", (xmlChar *) authplugin);
+ }
resxml = eDBadminUserCertsLink(ctx, usercert_xml);
if( resxml == NULL ) {
@@ -421,9 +446,8 @@ int add_del_usercert(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cf
}
-#ifdef FIREWALL
/**
- * usercerts set-fwprofile mode. Changes the firewall profile for a specific user-certs link
+ * usercerts modify mode. Modifies a specific user-certs link
*
* @param ctx eurephiaCTX
* @param sess eurephiaSESSION of the current logged in user
@@ -433,15 +457,19 @@ int add_del_usercert(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cf
*
* @return returns 0 on success, otherwise 1.
*/
-int set_fwprofile(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg, int argc, char **argv) {
+int modify_usercert(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg, int argc, char **argv) {
xmlDoc *usercert_xml = NULL, *res_xml = NULL;
xmlNode *usercert_n = NULL, *fmap_n = NULL;
int rc = 0, i = 0;
- int accprf = 0, uicid = 0;
+ int reqargs = 0, uicid = 0;
e_options updateargs[] = {
{"--uicid", "-n", 1},
+#ifdef FIREWALL
{"--accessprofile", "-a", 1},
+#endif
+ {"--auth-plugin", "-p", 1},
+ {"--auth-username", "-U", 1},
{"--help", "-h", 0},
{NULL, NULL, 0}
};
@@ -457,6 +485,7 @@ int set_fwprofile(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
// Parse arguments
for( i = 1; i < argc; i++ ) {
switch( eurephia_getopt(&i, argc, argv, updateargs) ) {
+#ifdef FIREWALL
case 'a':
if( atoi_nullsafe(optargs[0]) < 1 ) {
fprintf(stderr, "%s: Firewall profile ID must be a positive number (>0)\n",
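Review bot: `authusername` is forwarded to eDBadminUserCertsLink whenever it is set, with no check that an auth plug-in is also given, so `usercerts -A ... -U bob` without `-p` creates a link carrying an alternative username that no plug-in will consume; the listing code in this commit only shows `auth_username` under an `authplugin` element, so the value is stored but not visible to the admin. Unless the DB layer enforces the pairing, reject it here in add mode: `if( (actmode == 'A') && (authusername != NULL) && (authplugin == NULL) ) { fprintf(stderr, "%s: --auth-username requires --auth-plugin\n", MODULE); rc = 1; goto exit; }`. The delete path is unaffected since both values only act as filters there. add_del_usercert starts before and continues after this hunk.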
@@ -465,9 +494,9 @@ int set_fwprofile(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
goto exit;
}
xmlNewChild(fmap_n, NULL, (xmlChar *) "accessprofile", (xmlChar *) optargs[0]);
- accprf = 1; // Access profile is set
+ reqargs++; // Required argument is given
break;
-
+#endif
case 'n':
// The uicid value must not be used as a value in the <fieldMapping> tag, but
// must be an uucid attribute in the <usercerts> tag. This is the
@@ -482,8 +511,23 @@ int set_fwprofile(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
xmlNewProp(usercert_n, (xmlChar *) "uicid", (xmlChar *) optargs[0]);
break;
+ case 'p':
+ if( strlen_nullsafe(optargs[0]) < 1 ) {
+ // If 0 or less, interpret it as we want to disable the auth-plugin
+ xmlNewChild(fmap_n, NULL, (xmlChar *) "authplugin", NULL);
+ } else {
+ xmlNewChild(fmap_n, NULL, (xmlChar *) "authplugin", (xmlChar *) optargs[0]);
+ }
+ reqargs++; // Required argument is given
+ break;
+
+ case 'U':
+ xmlNewChild(fmap_n, NULL, (xmlChar *) "authusername", (xmlChar *) optargs[0]);
+ reqargs++; // Required argument is given
+ break;
+
case 'h':
- display_usercerts_help('S');
+ display_usercerts_help('M');
rc = 0;
goto exit;
@@ -493,7 +537,7 @@ int set_fwprofile(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
}
}
- if( (uicid < 1) || (accprf != 1) ) {
+ if( (uicid < 1) || (reqargs == 0) ) {
fprintf(stderr, "%s: You must provide --uicid and --accessprofile\n", MODULE);
rc = 1;
goto exit;
@@ -520,7 +564,6 @@ int set_fwprofile(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
xmlFreeDoc(usercert_xml);
return rc;
}
-#endif
/**
@@ -543,9 +586,7 @@ int cmd_UserCerts(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
{"--list", "-l", 0},
{"--add", "-A", 0},
{"--delete", "-D", 0},
-#ifdef FIREWALL
- {"--set-fwprofile", "-S", 0},
-#endif
+ {"--modify", "-M", 0},
{"--help", "-h", 0},
{NULL, NULL, 0}
};
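Review bot: In the new `case 'p'` the comment promises that "0 or less" disables the plug-in, but the test is `strlen_nullsafe(optargs[0]) < 1`, so only an empty string detaches it; `-p 0`, `-p -1` or `-p abc` are written verbatim into the `authplugin` element and handed to the DB layer, whereas add mode rejects anything below 1. Make modify consistent with add: treat the empty string as "detach", reject non-positive or non-numeric IDs with the same message add mode prints, and fix the comment to describe what the code does. `case 'U'` here has the same missing empty-value check as in add mode. modify_usercert starts before this hunk and continues after it.
```c
		case 'p':
			if( strlen_nullsafe(optargs[0]) < 1 ) {
				// Empty value: detach the auth-plugin from this link
				xmlNewChild(fmap_n, NULL, (xmlChar *) "authplugin", NULL);
			} else if( atoi_nullsafe(optargs[0]) < 1 ) {
				fprintf(stderr, "%s: Authentication plug-in ID must be a positive number (>0)\n",
					MODULE);
				rc = 1;
				goto exit;
			} else {
				xmlNewChild(fmap_n, NULL, (xmlChar *) "authplugin", (xmlChar *) optargs[0]);
			}
			reqargs++; // Required argument is given
			break;
		/* … unchanged: case 'U', case 'h' … */
```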
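Review bot: The error message after `if( (uicid < 1) || (reqargs == 0) )` still reads `"%s: You must provide --uicid and --accessprofile\n"`, which is wrong on two counts: `-p` and `-U` now satisfy `reqargs`, and `--accessprofile` no longer exists in builds without FIREWALL. Suggest `"%s: You must provide --uicid and at least one of --accessprofile, --auth-plugin or --auth-username\n"`, or build the list under the same `#ifdef` as the option table. modify_usercert starts before this hunk.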
@@ -570,11 +611,9 @@ int cmd_UserCerts(eurephiaCTX *ctx, eurephiaSESSION *sess, eurephiaVALUES *cfg,
mode_fnc = add_del_usercert;
break;
-#ifdef FIREWALL
- case 'S':
- mode_fnc = set_fwprofile;
+ case 'M':
+ mode_fnc = modify_usercert;
break;
-#endif
default:
break;
diff --git a/xslt/eurephiadm/usercerts.xsl b/xslt/eurephiadm/usercerts.xsl
index 42defd4..17a05d5 100644
--- a/xslt/eurephiadm/usercerts.xsl
+++ b/xslt/eurephiadm/usercerts.xsl
@@ -29,11 +29,12 @@
<xsl:template match="/eurephia/usercerts">
<xsl:text> UICID - Registered </xsl:text>
- <xsl:text> U: [uid] Username </xsl:text>
+ <xsl:text> U: [uid] Username (Alt. auth username) </xsl:text>
<xsl:text> C: [certid] Common name/Organisation (cert.depth) </xsl:text>
<xsl:if test="$firewall = '1'">
<xsl:text> A: [accessprofile] Access profile name </xsl:text>
</xsl:if>
+ <xsl:text> P: [auth-plugin] Auth plug-in descr </xsl:text>
<xsl:text> ------------------------------------------------------------------------------ </xsl:text>
<xsl:apply-templates select="usercert_link"/>
<xsl:text> ------------------------------------------------------------------------------ </xsl:text>
@@ -58,6 +59,11 @@
<xsl:when test="username != ''"><xsl:value-of select="username"/></xsl:when>
<xsl:otherwise>(Unknown user account)</xsl:otherwise>
</xsl:choose>
+ <xsl:if test="authplugin/auth_username">
+ <xsl:text> (</xsl:text>
+ <xsl:value-of select="authplugin/auth_username"/>
+ <xsl:text>)</xsl:text>
+ </xsl:if>
<xsl:text> C: [</xsl:text>
<xsl:call-template name="right-align">
@@ -84,6 +90,17 @@
<xsl:text> </xsl:text>
</xsl:if>
+ <xsl:if test="authplugin">
+ <xsl:text> P: [</xsl:text>
+ <xsl:call-template name="right-align">
+ <xsl:with-param name="value" select="authplugin/@authplugid"/>
+ <xsl:with-param name="width" select="3"/>
+ </xsl:call-template>
+ <xsl:text>] </xsl:text>
+ <xsl:value-of select="authplugin/description"/>
+ <xsl:text> </xsl:text>
+ </xsl:if>
+
<xsl:if test="last() > position()">
<xsl:text> </xsl:text>
</xsl:if> |