eurephiadm is now able to authenticate, login and logout a user.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is to restrict the eurephia-admin database user to only be
allowed to update a few fields of the eurephia_adminlog table.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
statement
Without this break, this function would return an error that the web or console
admin interface were invalid.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is used to add a single char value to the prepared arguments stack.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Also moved one query from the "plugin section" to the "admin section" where
it belongs.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This will parse the database result value as a boolean value and
return (int) 1 if the value is 't' (true in PostgreSQL). Otherwise
the function will return (int) 0.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Rewrote the loading of prepared statements to be able to switch
which statements are loaded, based on the eurephia context type.
This ensures that the database connection for the OpenVPN connection
will not have any prepared statements related to the administration
queries.
With this change, it also made sense to replace the
ePGprepStatementGetID() function with ePGprepGetStatement() which
returns a pointer directly to the related statement, instead of looking
up the "slot ID" for the requested statement.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Moved all SQL statements out of each function and into a const
struct which is loaded at startup.
Implemented a safer way of handling parameters to these prepared
statements as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is a working implementation of the PostgreSQL driver, where only the
driver functions needed by OpenVPN for authentication are implemented.
There are still more enhancements to be done, but this is usable.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
If this function is found declared in the database driver, it
will be used instead of eDBdisconnect() when forking the firewall
thread. This is to avoid disconnecting some databases in the wrong
way.
This new function is fully optional to implement if the database
driver works fine with calling eDBdisconnect().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This allows the eurephia-auth user to only update the columns
in the lastlog which it is supposed to update.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
The macaddr_history table was declared with a too small field for
storing session keys.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
PostgreSQL has a better data type for storing session duration.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
None of the tables used by the edb-pgsql driver uses the
'openvpn_' prefix
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
It's not ideal to let the eurephia-auth user have write access to the
users table. This view will allow the eurephia-auth user only to touch
users.last_accessed; and this value will be enforced to be CURRENT_TIMESTAMP.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Generic local PostgreSQL functions were prefixed with 'PG'. As this
is too close to the prefix PostgreSQL uses, these functions were changed
to 'ePG'.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Added a generic error reporting function, to streamline this process.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
eDBblacklist_check()
PGgetValue() will return NULL if the database field is NULL, which is
expected in several places in the eDBblacklist_check() function.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is far from production ready, but is the first step. Only
tested with initialisation and startup of OpenVPN so far.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
overwritten
When commit 85ad4bbb21e478b5b3699dfa14c97dccfd336f10 was added, it was
missing a break statement at the end of the 'case ft_PASSWD' block. This resulted
in a corrupted password hash when initialising the database or changing the password
for users - as it would be overwritten by the following boolean parsing.
I'd like to thank Colin Ryan for catching this bug.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is to enable an improved logging feature in OpenVPN v2.3 and newer.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This enables setting authentication plug-in and the alternative
authentication username for user-certificate links.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This implements an authentication plug-in framework which can be
used to do username/password authentication against another backend
per user/certificate.
Conflicts:
database/eurephiadb.c
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Seems delta-2 was already "taken" in master.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This enables plug-in support management via the eDBadminPlugins() function,
used by eurephiadm.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This function will be used by the admin interface to configure
eurephia plug-ins.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This field type ensures boolean values will be predictable when
working in the database driver layer.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
The field mapping id changed to unsigned long long in
commit 60800a7030c7aa3a9e1a1b6155abc4079a0e34f1. This function
needs to support that as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This will enable the database plug-ins and eurephiadm to manipulate
this table.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This will enable the database plug-ins and eurephiadm to manipulate
this table.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This slightly changes the eDBmappingGetValue() function to reuse
some of the same look-up logic for eDBmappingSetValue()
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is needed to provide config data to a configured plug-in when it is loaded
and initialised.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
memset() and free_nullsafe() were performed on a NULL pointer before
it would be used.
Also make uicid be 0 on generic database issues, not triggering a
logging of a log-in attempt. A database error is hardly a user problem,
and logging the log-in attempt may even fail as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
If the configured authentication plug-in was disabled, edb-sqlite
would still insist on using the plug-in as authentication method.
This patch changes the behaviour to use the internal eurephia
database for authentication if the authentication plug-in is
disabled.
The code also was modified slightly so that the internal eurephia
database will be the fallback method if any other checks are
skipped.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This adds the needed functions the eurephia framework requires to
retrieve a list of all configured plug-ins - eDBget_plugins(). And
it includes eDBauth_GetAuthMethod() which is used to lookup what
kind of authentication method a specific user account/certificate
combination should use. If the authentication backend requires
a different username for this, that can also be configured in
this user account/certification setup.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
framework
This enables using an external authentication plug-in if a user
account/certification link is configured to make use of it.
This change ensures that all configured authentication plug-ins are
loaded and are available when eurephia is initialised.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
As the lastlog table doesn't contain MAC or IP addresses of the VPN client any more,
make the lastlog extraction gather the data from the vpnaddr_history table instead.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This retrieves the accessprofile ID field from the database for a
given uid/certid combination. This is useful when logging which
firewall profile was used for a certain session.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
function
This will save the access profile in the lastlog table. However, it will not save
the VPN IP address and netmask any more. This should be saved in the vpnaddr_history
table, using the eDBregister_vpnclientaddr() function.
eDBregister_login() is now just a wrapper around the eDBregister_login2(), ignoring
the access profile id and VPN addresses. This exists purely as a compatibility layer
if the updated driver is used against an older eurephia-auth.so plug-in.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
By passing '0' as certid, the lookup will only be done against the user table.
Any other values will consider the user-certification links as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Using /var/lib is more appropriate for the kind of database file eurephia uses
and will also avoid other security restrictions on hardened installations as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Made all SELECT queries which are used for reports to use the new 'locdt' SQL
function on timestamp fields. This converts the UTC/GMT timestamps stored in
the database to the correct timezone of the running admin client.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
localtime
All CURRENT_TIMESTAMP calls are returned in UTC/GMT, and this value is stored in the
database. When using eurephiadm to look at these datetime fields the UTC/GMT value
is used, and needs to be taken into consideration when looking at the reports. This
patch is the first step to handle the local time zone better.
This patch also fixes the 'debug' program in sqlite.c, making use of the
eurephia_log_init() and eurephia_log_close() calls for log preparations.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This commit implements the eDBregister_vpnclientaddr() needed by the
newer eurephia-auth plug-in. This is needed to improve the tun support
in eurephia.
In addition, this also updates the SQL schema to include IPv4 and in
the future IPv6 addresses in the lastlog and VPN address history
(openvpn_vpnaddr_history). The old openvpn_macaddr_history table
is deprecated.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
correct
This skips looking up all the eDBadmin*() functions if the context is unprivileged
or the database interface is initialised by the OpenVPN plug-in
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>