author | David Sommerseth <dazo@users.sourceforge.net> | 2013-05-28 16:08:38 +0200 |
committer | David Sommerseth <dazo@users.sourceforge.net> | 2013-05-28 16:08:38 +0200 |
commit | fc4958f6e957acd72e3ec6f9a546811cdf70f4d3 (patch) | |
tree | 8bf6d050baf35c1603f64e70bedc08c2d424924d /plugin | |
parent | bfe23dd4341de02e7981fbdbd87550cdc19d6830 (diff) | |
parent | d4383e6b96e36120669cc6de2f2cec49aeee90f4 (diff) | |
Merge auth-plugin work
This implements an authentication plug-in framework which can be
used to do username/password authentication against another backend
per user/certificate.
Conflicts:
database/eurephiadb.c
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Diffstat (limited to 'plugin')
-rw-r--r-- | plugin/CMakeLists.txt | 6 | ||||
-rw-r--r-- | plugin/eurephia.c | 135 |
2 files changed, 135 insertions, 6 deletions
diff --git a/plugin/CMakeLists.txt b/plugin/CMakeLists.txt index 0a52bd6..38b0076 100644 --- a/plugin/CMakeLists.txt +++ b/plugin/CMakeLists.txt @@ -1,6 +1,6 @@ # cmake rules for eurephia - OpenVPN authentication plugin # -# GPLv2 only - Copyright (C) 2008 - 2012 +# GPLv2 only - Copyright (C) 2008 - 2013 # David Sommerseth <dazo@users.sourceforge.net> # # This program is free software; you can redistribute it and/or @@ -65,7 +65,7 @@ ENDIF(NOT HAVE_RT_MQ_OPEN OR NOT HAVE_RT_MQ_CLOSE OR NOT HAVE_RT_MQ_UNLINK OR NO # Compiler settings -INCLUDE_DIRECTORIES(../common ../database ./firewall .) +INCLUDE_DIRECTORIES(../common ../auth ../database ./firewall .) # Do build in subdirs, if some extra modules are enabled @@ -96,6 +96,8 @@ ADD_LIBRARY(eurephia-auth MODULE firewall/eurephiafw.c firewall/eurephiafw_helpers.c ../common/eurephiadb_session_common.c + ../auth/eurephia_authplugin.c + ../auth/eurephia_authplugin_driver.c ) SET_TARGET_PROPERTIES(eurephia-auth PROPERTIES PREFIX "") diff --git a/plugin/eurephia.c b/plugin/eurephia.c index 620e6e6..946422f 100644 --- a/plugin/eurephia.c +++ b/plugin/eurephia.c @@ -1,6 +1,6 @@ /* eurephia.c -- Main functions for the eurephia authentication module * - * GPLv2 only - Copyright (C) 2008 - 2012 + * GPLv2 only - Copyright (C) 2008 - 2013 * David Sommerseth <dazo@users.sourceforge.net> * * This program is free software; you can redistribute it and/or 
@@ -35,15 +35,20 @@ #include <sys/mman.h> #include <string.h> #include <getopt.h> +#include <unistd.h> #include <assert.h> #include <errno.h> #define EUREPHIA_FWINTF /**< Include the proper eurephiaFWINTF declaration in eurephiaCTX */ #include <eurephiafw_struct.h> #include <eurephia_context.h> +#include <eurephia_context.h> +#include <eurephia_authplugin_driver.h> +#include <eurephia_authplugin_context.h> +#include <eurephia_authplugin_func.h> #include <eurephia_nullsafe.h> -#include <eurephiadb.h> #include <eurephiadb_driver.h> +#include <eurephiadb.h> #include <eurephiafw.h> #include <eurephia_values.h> #include <eurephiadb_session_common.h> @@ -204,6 +209,11 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp) ctx->eurephia_fw_intf = NULL; } + // Initialise authentication plug-ins. If no authentication plug-ins have been enabled, + // the authplugs context will be NULL. + ctx->authplugs = eAuthPlugin_Init(ctx); + ctx->nointernalauth = atoi_nullsafe(eGet_value(ctx->dbc->config, "auth_disable_internal")) > 0; + // Prepare an empty disconnected list. // This one is used to track all clients IP addresses and their corresponding eurephia session ID // when they disconnect. This is especially needed in TUN mode, the eurephia_learn_address() @@ -241,6 +251,10 @@ int eurephiaShutdown(eurephiaCTX *ctx) eFW_unload(ctx); } + if( ctx->authplugs != NULL ) { + eAuthPlugin_Close(ctx, ctx->authplugs); + } + if( (ctx->dbc != NULL) && (ctx->dbc->dbhandle != NULL) ) { eDBdisconnect(ctx); } @@ -345,6 +359,9 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str int eurephia_userauth(eurephiaCTX *ctx, const char **env) { eurephiaSESSION *authsess = NULL; + eDBauthMethodResult *authmeth = NULL; + eAuthPlugin *authplug = NULL; + eAuthResult *authres = NULL; int result = 0, certid = 0; char *cname, *remport, *ipaddr = NULL; char *tls_digest = NULL, *tls_id = NULL, *username = NULL; 
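Review bot: `+#include <eurephia_context.h>` is added directly below the existing `#include <eurephia_context.h>` context line, so the new side includes that header twice; the added line should be dropped. The other additions (`unistd.h`, presumably for the `sleep()` call introduced in eurephia_userauth, and the three `eurephia_authplugin_*.h` headers) look intentional. The swap that moves `eurephiadb_driver.h` ahead of `eurephiadb.h` is not explained anywhere; if `eurephiadb.h` now needs declarations from the driver header, a short comment such as `/* eurephiadb_driver.h must precede eurephiadb.h */` would stop a later cleanup from reverting the order.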
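Review bot: `ctx->nointernalauth = atoi_nullsafe(eGet_value(ctx->dbc->config, "auth_disable_internal")) > 0;` dereferences `ctx->dbc` without a check, while the shutdown hunk in this same commit guards `ctx->dbc != NULL` before using it; whether eurephiaInit can reach this point with a failed database connection is decided earlier in the function, outside the hunk, so this may already be safe. The combination of `nointernalauth` set and `ctx->authplugs == NULL` (documented in the new comment as "no plug-ins enabled") deserves a warning at start-up, because then no user can authenticate and the problem only surfaces per login as a LOG_WARNING in eurephia_userauth. Something like `if( ctx->nointernalauth && (ctx->authplugs == NULL) ) { eurephia_log(ctx, LOG_WARNING, 0, "Internal authentication is disabled but no authentication plug-ins are loaded"); }` placed after the two new assignments would make the misconfiguration visible immediately.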
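Review bot: After `eAuthPlugin_Close(ctx, ctx->authplugs);` the pointer is left in the context, although the initialisation hunk documents NULL as the "no plug-ins" state; adding `ctx->authplugs = NULL;` inside the new `if` block keeps that invariant and avoids a dangling pointer should anything touch the context after shutdown. Whether eAuthPlugin_Close frees the object itself is not visible here.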
@@ -453,8 +470,118 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) // If we do not have a valid password cached, check against the user database chk_pwd: - result = eDBauth_user(ctx, certid, username, passwd); - if( result < 1 ) { + authmeth = eDBauth_GetAuthMethod(ctx, certid, username); + if( authmeth == NULL ) { + eurephia_log(ctx, LOG_ERROR, 0, + "Failed to identify authentication method for user '%s' with" + "certid %i", username, certid); + result = 0; + goto exit; + } + + switch (authmeth->method) { + case eAM_INTERNDB: + DEBUG(ctx, 12, "Using internal authentication for user '%s'/certid %i", + username, certid); + if( ctx->nointernalauth == 0 ) { + /* Authenticate against the internal eurephia database */ + result = eDBauth_user(ctx, certid, username, passwd); + } else { + eurephia_log(ctx, LOG_WARNING, 0, + "Internal authentication has been disabled. Enable " + "authentication plug-in for user '%s' with certid %i", + username, certid); + result = 0; + } + break; + + case eAM_PLUGIN: + authplug = eAuthPlugin_Get(ctx->authplugs, authmeth->authplugid); + if( authplug == NULL ) { + eurephia_log(ctx, LOG_ERROR, 0, + "Failed to find authentication plug-in %i to authenticate" + "user '%s' with certid %i", + authmeth->authplugid, username, certid); + result = 0; + goto exit; + } + DEBUG(ctx, 12, "Using authentication plugin %i for user '%s'/certid %i", + authmeth->authplugid, username, certid); + + /* Authenticate the user via the auth plug-in */ + authres = authplug->AuthenticateUser(ctx, authmeth->username, passwd); + if( authres == NULL ) { + eurephia_log(ctx, LOG_FATAL, 0, + "Invalid response from authentication plug-in %i", + authmeth->authplugid); + result = 0; + goto exit; + } + + /* Parse the authentication result */ + switch( authres->status ) { + case eAUTH_FAILED: + eurephia_log(ctx, LOG_WARNING, 0,"Authentication failed for user '%s': %s", + username, authres->msg); + sleep(2); + result = -1; + break; + + case eAUTH_PLGERROR: + 
eurephia_log(ctx, LOG_ERROR, 0, + "Authentication plug-in %i returned with an internal error " + "while authenticating user '%s' (uicid: %i): %s", + authmeth->authplugid, + authmeth->username, + authmeth->uicid, + authres->msg); + result = 0; + goto exit; + + case eAUTH_SUCCESS: + result = authmeth->uicid; + if( authres->msg != NULL ) { + eurephia_log(ctx, LOG_INFO, 1, + "Authentication plug-in (%i) success response " + "for user '%s' (uicid: %i): %s", + authmeth->authplugid, + authmeth->username, + result, + authres->msg); + } + break; + + default: + eurephia_log(ctx, LOG_FATAL, 0, + "Invalid response from authentication plug-in %i when " + "authenticating user '%s': %i", + authmeth->authplugid, authmeth->username, authres->status); + result = 0; + break; + } + break; + + case eAM_BLACKLISTED: + DEBUG(ctx, 12, "User '%s'/certid %i is blacklisted", username, certid); + result = -1; + break; + + case eAM_INACTIVE: + DEBUG(ctx, 12, "User '%s' is not activated", username); + result = -1; + break; + + default: + eurephia_log(ctx, LOG_FATAL, 0, + "Invalid authentication method attempted (%i) for " + "user '%s' with certid %i", + authmeth->method, username, certid); + break; + } + eDBauth_FreeAuthMethodResult(ctx, authmeth); + + /* If the authentication failed, register the failed attempt */ + if( result < 0 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_REGISTER, username); |
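Review bot: The failed-attempt registration at the end of the hunk changes from `if( result < 1 )` to `if( result < 0 )`, but the eAM_INTERNDB branch still stores eDBauth_user()'s return value unchanged; if eDBauth_user still reports a rejected password as 0, as the old `< 1` check implies, failed internal-database logins no longer register IP, certificate or username attempts and the brute-force tracking silently stops for those users. Normalising it in the internal branch, e.g. `if( result < 1 ) { result = -1; }` right after the eDBauth_user call, would restore the old behaviour while still leaving plug-in errors (result 0) unregistered as the new code intends. Two new log messages lose a space across the literal join — `"... for user '%s' with" "certid %i"` prints "withcertid" and `"... to authenticate" "user '%s' ..."` prints "authenticateuser". The `goto exit` paths inside the switch (plug-in not found, NULL `authres`, eAUTH_PLGERROR) skip `eDBauth_FreeAuthMethodResult(ctx, authmeth)`, and `authres` is never released on any path in this hunk, so unless the exit label — outside the hunk, as are the function's start and end — frees both, each such login leaks. The outer `default:` case logs the invalid method but leaves `result` as it was; setting `result = 0;` there explicitly, like the other error branches do, removes the dependency on whatever value reached chk_pwd.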