Diffstat (limited to 'plugin')
-rw-r--r-- | plugin/eurephia.c | 117 |
1 files changed, 113 insertions, 4 deletions
diff --git a/plugin/eurephia.c b/plugin/eurephia.c
index e41a0dc..c169dc7 100644
--- a/plugin/eurephia.c
+++ b/plugin/eurephia.c
@@ -1,6 +1,6 @@
 /* eurephia.c -- Main functions for the eurephia authentication module
 *
- * GPLv2 only - Copyright (C) 2008 - 2012
+ * GPLv2 only - Copyright (C) 2008 - 2013
 * David Sommerseth <dazo@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or
@@ -35,15 +35,20 @@
 #include <sys/mman.h>
 #include <string.h>
 #include <getopt.h>
+#include <unistd.h>
 #include <assert.h>
 #include <errno.h>
 #define EUREPHIA_FWINTF /**< Include the proper eurephiaFWINTF declaration in eurephiaCTX */
 #include <eurephiafw_struct.h>
 #include <eurephia_context.h>
+#include <eurephia_context.h>
+#include <eurephia_authplugin_driver.h>
+#include <eurephia_authplugin_context.h>
+#include <eurephia_authplugin_func.h>
 #include <eurephia_nullsafe.h>
-#include <eurephiadb.h>
 #include <eurephiadb_driver.h>
+#include <eurephiadb.h>
 #include <eurephiafw.h>
 #include <eurephia_values.h>
 #include <eurephiadb_session_common.h>
@@ -145,7 +150,7 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp)
 " (David Sommerseth (C) 2008-2012 GPLv2)");
 // Load the database driver
- if( (error == 0) && eDBlink_init(ctx, dbi, 3) ) {
+ if( (error == 0) && eDBlink_init(ctx, dbi, 4) ) {
 // Connect to the database
 if( !eDBconnect(ctx, dbargc, dbargv) ) {
 eurephia_log(ctx, LOG_PANIC, 0, "Could not connect to the database");
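Review bot: The include block now contains `#include <eurephia_context.h>` twice, the pre-existing line followed immediately by a newly added copy; with include guards this is harmless, but it reads as a paste slip and the added duplicate should be dropped, keeping only the new `eurephia_authplugin_*.h` includes. The move of `eurephiadb.h` below `eurephiadb_driver.h` in the same hunk presumably fixes a declaration-order dependency; if so, a one-line comment such as `/* eurephiadb.h needs the declarations from eurephiadb_driver.h */` would stop someone re-sorting the list later.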
@@ -204,6 +209,10 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp)
 ctx->eurephia_fw_intf = NULL;
 }
+ // Initialise authentication plug-ins. If no authentication plug-ins have been enabled,
+ // the authplugs context will be NULL.
+ ctx->authplugs = eAuthPlugin_Init(ctx);
+
 // Prepare an empty disconnected list.
 // This one is used to track all clients IP addresses and their corresponding eurephia session ID
 // when they disconnect. This is especially needed in TUN mode, the eurephia_learn_address()
@@ -241,6 +250,10 @@ int eurephiaShutdown(eurephiaCTX *ctx)
 eFW_unload(ctx);
 }
+ if( ctx->authplugs != NULL ) {
+ eAuthPlugin_Close(ctx, ctx->authplugs);
+ }
+
 if( (ctx->dbc != NULL) && (ctx->dbc->dbhandle != NULL) ) {
 eDBdisconnect(ctx);
 }
@@ -345,6 +358,9 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str
 int eurephia_userauth(eurephiaCTX *ctx, const char **env)
 {
 eurephiaSESSION *authsess = NULL;
+ eDBauthMethodResult *authmeth = NULL;
+ eAuthPlugin *authplug = NULL;
+ eAuthResult *authres = NULL;
 int result = 0, certid = 0;
 char *cname, *remport, *ipaddr = NULL;
 char *tls_digest = NULL, *tls_id = NULL, *username = NULL;
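Review bot: `ctx->authplugs = eAuthPlugin_Init(ctx);` treats a NULL return as "no plug-ins enabled", per the new comment, but nothing here distinguishes that from a configured plug-in that failed to load, whereas the neighbouring `eDBlink_init`/`eDBconnect` steps in this function log LOG_PANIC on failure. If `eAuthPlugin_Init` can fail for a configured plug-in, users bound to `eAM_PLUGIN` would only be rejected later with "Failed to find authentication plug-in" and the root cause would never appear in the start-up log, so it should be reported at this point. If instead the function logs its own load errors and NULL really only means "nothing configured", say so in the comment, e.g. `// eAuthPlugin_Init() reports load errors itself; NULL only means no plug-ins are configured.` — provided that matches its actual contract. eurephiaInit starts and ends outside the hunk.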
@@ -453,7 +469,100 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
 // If we do not have a valid password cached, check against the user database
 chk_pwd:
- result = eDBauth_user(ctx, certid, username, passwd);
+ authmeth = eDBauth_GetAuthMethod(ctx, certid, username);
+ if( authmeth == NULL ) {
+ eurephia_log(ctx, LOG_ERROR, 0,
+ "Failed to identify authentication method for user '%s' with"
+ "certid %i", username, certid);
+ result = 0;
+ goto exit;
+ }
+
+ switch (authmeth->method) {
+ case eAM_INTERNDB:
+ /* Authenticate against the internal eurephia database */
+ result = eDBauth_user(ctx, certid, username, passwd);
+ break;
+
+ case eAM_PLUGIN:
+ authplug = eAuthPlugin_Get(ctx->authplugs, authmeth->authplugid);
+ if( authplug == NULL ) {
+ eurephia_log(ctx, LOG_ERROR, 0,
+ "Failed to find authentication plug-in %i to authenticate"
+ "user '%s' with certid %i",
+ authmeth->authplugid, username, certid);
+ result = 0;
+ goto exit;
+ }
+
+ /* Authenticate the user via the auth plug-in */
+ authres = authplug->AuthenticateUser(ctx, authmeth->username, passwd);
+ if( authres == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Invalid response from authentication plug-in %i",
+ authmeth->authplugid);
+ result = 0;
+ goto exit;
+ }
+
+ /* Parse the authentication result */
+ switch( authres->status ) {
+ case eAUTH_FAILED:
+ eurephia_log(ctx, LOG_WARNING, 0,"Authentication failed for user '%s': %s",
+ username, authres->msg);
+ sleep(2);
+ result = -1;
+ break;
+
+ case eAUTH_PLGERROR:
+ eurephia_log(ctx, LOG_ERROR, 0,
+ "Authentication plug-in %i returned with an internal error "
+ "while authenticating user '%s' (uicid: %i): %s",
+ authmeth->authplugid,
+ authmeth->username,
+ authmeth->uicid,
+ authres->msg);
+ result = 0;
+ goto exit;
+
+ case eAUTH_SUCCESS:
+ result = authmeth->uicid;
+ if( authres->msg != NULL ) {
+ eurephia_log(ctx, LOG_INFO, 1,
+ "Authentication plug-in (%i) success response "
+ "for user '%s' (uicid: %i): %s",
+ authmeth->authplugid,
+ authmeth->username,
+ result,
+ authres->msg);
+ }
+ break;
+
+ default:
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Invalid response from authentication plug-in %i when "
+ "authenticating user '%s': %i",
+ authmeth->authplugid, authmeth->username, authres->status);
+ result = 0;
+ break;
+ }
+ break;
+
+ case eAM_BLACKLISTED:
+ case eAM_INACTIVE:
+ result = -1;
+ break;
+
+ default:
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Invalid authentication method attempted (%i) for "
+ "user '%s' with certid %i",
+ authmeth->method, username, certid);
+ break;
+ }
+ eDBauth_FreeAuthMethodResult(ctx, authmeth);
+
+ /* If the authentication failed, register the failed attempt */
 if( result < 1 ) {
 eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
 eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); |
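Review bot: `authmeth` is leaked on the three `goto exit` paths taken after `eDBauth_GetAuthMethod` succeeded (plug-in not found, NULL `authres`, `eAUTH_PLGERROR`), because `eDBauth_FreeAuthMethodResult(ctx, authmeth);` is only reached by falling out of the outer switch, and the diffstat shows no other change to this file, so the pre-existing `exit:` code cannot be releasing this new local; add that call before each of those three `goto exit` statements, and also release `authres` on every path if the plug-in allocates it, since nothing in the hunk frees it. The `eAUTH_FAILED` and `eAUTH_PLGERROR` messages pass `authres->msg` to `%s` unguarded while the `eAUTH_SUCCESS` branch checks it for NULL first; use `authres->msg ? authres->msg : "(no message)"` in all three. The adjacent literals `"... for user '%s' with"` `"certid %i"` and `"... to authenticate"` `"user '%s' with certid %i"` concatenate without a separating space, so those logs read "withcertid" and "authenticateuser". Note also that `sleep(2)` is applied only to plug-in rejections and not to `eAM_INTERNDB` failures or blacklisted/inactive users, and the `goto exit` paths appear to bypass the failed-attempt registration below, so a plug-in error leaves no trace in the attempt counters; confirm both are intended, and that a 2 s stall is acceptable if this runs in the caller's synchronous auth path. The enclosing `eurephia_userauth` and its `exit:` label continue outside the hunk.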