From: Krzysztof Piotr Oledzki Date: Fri, 29 Jan 2010 18:26:18 +0000 (+0100) Subject: [MINOR] acl: add http_auth and http_auth_group X-Git-Tag: v1.4-rc1~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9423ae43a42d8ae485af70159f4a536b8730a25;p=thirdparty%2Fhaproxy.git [MINOR] acl: add http_auth and http_auth_group Add two acls to match http auth data: acl http_auth(userlist) acl http_auth_hroup(userlist) group1 group2 (...) --- diff --git a/include/proto/acl.h b/include/proto/acl.h index ec9963d501..488d75aa8c 100644 --- a/include/proto/acl.h +++ b/include/proto/acl.h @@ -100,6 +100,12 @@ int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, v */ struct acl *cond_find_require(const struct acl_cond *cond, unsigned int require); +/* + * Find targets for userlist and groups in acl. Function returns the number + * of errors or OK if everything is fine. + */ +int acl_find_targets(struct proxy *p); + /* Return a pointer to the ACL within the list starting at , or * NULL if not found. */ @@ -147,6 +153,9 @@ int acl_parse_range(const char **text, struct acl_pattern *pattern, int *opaque) /* Parse a string. It is allocated and duplicated. */ int acl_parse_str(const char **text, struct acl_pattern *pattern, int *opaque); +/* Parse and concatenate strings into one. It is allocated and duplicated. */ +int acl_parse_strcat(const char **text, struct acl_pattern *pattern, int *opaque); + /* Parse a regex. It is allocated. */ int acl_parse_reg(const char **text, struct acl_pattern *pattern, int *opaque); diff --git a/include/types/acl.h b/include/types/acl.h index fad3761054..390db807dc 100644 --- a/include/types/acl.h +++ b/include/types/acl.h @@ -26,6 +26,7 @@ #include #include +#include #include #include @@ -209,6 +210,7 @@ struct acl_pattern { struct in_addr mask; } ipv4; /* IPv4 address */ struct acl_time time; /* valid hours and days */ + unsigned int group_mask; } val; /* direct value */ union { void *ptr; /* any data */ @@ -291,6 +293,7 @@ struct acl_expr { struct acl_keyword *kw; /* back-reference to the keyword */ union { /* optional argument of the subject (eg: header or cookie name) */ char *str; + struct userlist *ul; } arg; int arg_len; /* optional argument length */ struct list patterns; /* list of acl_patterns */ diff --git a/include/types/proto_http.h b/include/types/proto_http.h index 3d38d57b21..18fbc26651 100644 --- a/include/types/proto_http.h +++ b/include/types/proto_http.h @@ -235,6 +235,13 @@ typedef enum { HTTP_METH_OTHER, } http_meth_t; +enum { + HTTP_AUTH_WRONG = -1, /* missing or unknown */ + HTTP_AUTH_UNKNOWN = 0, + HTTP_AUTH_BASIC, + HTTP_AUTH_DIGEST, +}; + /* This is an HTTP message, as described in RFC2616. It can be either a request * message or a response message. * @@ -285,6 +292,12 @@ struct http_msg { char **cap; /* array of captured headers (may be NULL) */ }; +struct http_auth_data { + int method; /* one of HTTP_AUTH_* */ + struct chunk method_data; /* points to the creditial part from 'Authorization:' header */ + char *user, *pass; /* extracted username & password */ +}; + /* This is an HTTP transaction. It contains both a request message and a * response message (which can be empty). */ @@ -303,6 +316,7 @@ struct http_txn { char *sessid; /* the appsession id, if found in the request or in the response */ struct chunk auth_hdr; /* points to 'Authorization:' header */ + struct http_auth_data auth; /* HTTP auth data */ }; /* This structure is used by http_find_header() to return values of headers. diff --git a/src/acl.c b/src/acl.c index eb75b0ee62..66050943b7 100644 --- a/src/acl.c +++ b/src/acl.c @@ -19,6 +19,7 @@ #include #include +#include #include /* The capabilities of filtering hooks describe the type of information @@ -332,6 +333,29 @@ int acl_parse_str(const char **text, struct acl_pattern *pattern, int *opaque) return 1; } +/* Parse and concatenate all further strings into one. */ +int +acl_parse_strcat(const char **text, struct acl_pattern *pattern, int *opaque) +{ + + int len = 0, i; + char *s; + + for (i = 0; *text[i]; i++) + len += strlen(text[i])+1; + + pattern->ptr.str = s = calloc(1, len); + if (!pattern->ptr.str) + return 0; + + for (i = 0; *text[i]; i++) + s += sprintf(s, i?" %s":"%s", text[i]); + + pattern->len = len; + + return i; +} + /* Free data allocated by acl_parse_reg */ static void acl_free_reg(void *ptr) { @@ -627,7 +651,7 @@ static struct acl_expr *prune_acl_expr(struct acl_expr *expr) { free_pattern_list(&expr->patterns); LIST_INIT(&expr->patterns); - if (expr->arg.str) + if (expr->arg_len && expr->arg.str) free(expr->arg.str); expr->kw->use_cnt--; return expr; @@ -1169,6 +1193,74 @@ struct acl *cond_find_require(const struct acl_cond *cond, unsigned int require) return NULL; } +/* + * Find targets for userlist and groups in acl. Function returns the number + * of errors or OK if everything is fine. + */ +int +acl_find_targets(struct proxy *p) +{ + + struct acl *acl; + struct acl_expr *expr; + struct acl_pattern *pattern; + struct userlist *ul; + int cfgerr = 0; + + list_for_each_entry(acl, &p->acl, list) { + list_for_each_entry(expr, &acl->expr, list) { + if (strstr(expr->kw->kw, "http_auth") == expr->kw->kw) { + + if (!expr->arg.str || !*expr->arg.str) { + Alert("proxy %s: acl %s %s(): missing userlist name.\n", + p->id, acl->name, expr->kw->kw); + cfgerr++; + continue; + } + + ul = auth_find_userlist(expr->arg.str); + + if (!ul) { + Alert("proxy %s: acl %s %s(%s): unable to find userlist.\n", + p->id, acl->name, expr->kw->kw, expr->arg.str); + cfgerr++; + continue; + } + + expr->arg_len = 0; + expr->arg.ul = ul; + } + + + if (!strcmp(expr->kw->kw, "http_auth_group")) { + + if (LIST_ISEMPTY(&expr->patterns)) { + Alert("proxy %s: acl %s %s(): no groups specified.\n", + p->id, acl->name, expr->kw->kw); + cfgerr++; + continue; + } + + list_for_each_entry(pattern, &expr->patterns, list) { + pattern->val.group_mask = auth_resolve_groups(expr->arg.ul, pattern->ptr.str); + + free(pattern->ptr.str); + pattern->ptr.str = NULL; + pattern->len = 0; + + if (!pattern->val.group_mask) { + Alert("proxy %s: acl %s %s(): invalid group(s).\n", + p->id, acl->name, expr->kw->kw); + cfgerr++; + continue; + } + } + } + } + } + + return cfgerr; +} /************************************************************************/ /* All supported keywords must be declared here. */ diff --git a/src/auth.c b/src/auth.c index 58fc5bea8a..3bce7c1838 100644 --- a/src/auth.c +++ b/src/auth.c @@ -239,3 +239,23 @@ check_user(struct userlist *ul, unsigned int group_mask, const char *user, const else return 0; } + +int +acl_match_auth(struct acl_test *test, struct acl_pattern *pattern) +{ + + struct userlist *ul = test->ctx.a[0]; + char *user = test->ctx.a[1]; + char *pass = test->ctx.a[2]; + unsigned int group_mask; + + if (pattern) + group_mask = pattern->val.group_mask; + else + group_mask = 0; + + if (check_user(ul, group_mask, user, pass)) + return ACL_PAT_PASS; + else + return ACL_PAT_FAIL; +} diff --git a/src/cfgparse.c b/src/cfgparse.c index ef34760fd9..7f218db1ff 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -4691,6 +4691,8 @@ int check_config_validity() } } + cfgerr += acl_find_targets(curproxy); + if ((curproxy->mode == PR_MODE_TCP || curproxy->mode == PR_MODE_HTTP) && (((curproxy->cap & PR_CAP_FE) && !curproxy->timeout.client) || ((curproxy->cap & PR_CAP_BE) && (curproxy->srv) && diff --git a/src/proto_http.c b/src/proto_http.c index 59952a4358..37af539546 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -24,6 +24,7 @@ #include #include +#include #include #include #include @@ -39,6 +40,7 @@ #include #include +#include #include #include #include @@ -1473,6 +1475,77 @@ const char *http_parse_reqline(struct http_msg *msg, const char *msg_buf, return NULL; } +/* + * Returns the data from Authorization header. Function may be called more + * than once so data is stored in txn->auth_data. When no header is found + * or auth method is unknown auth_method is set to HTTP_AUTH_WRONG to avoid + * searching again for something we are unable to find anyway. + */ + +char get_http_auth_buff[BUFSIZE]; + +int +get_http_auth(struct session *s) +{ + + struct http_txn *txn = &s->txn; + struct chunk auth_method; + struct hdr_ctx ctx; + char *h, *p; + int len; + +#ifdef DEBUG_AUTH + printf("Auth for session %p: %d\n", s, txn->auth.method); +#endif + + if (txn->auth.method == HTTP_AUTH_WRONG) + return 0; + + if (txn->auth.method) + return 1; + + txn->auth.method = HTTP_AUTH_WRONG; + + ctx.idx = 0; + if (!http_find_header("Authorization", txn->req.sol, &txn->hdr_idx, &ctx)) + return 0; + + h = ctx.line + ctx.val; + + p = memchr(h, ' ', ctx.vlen); + if (!p || p == h) + return 0; + + chunk_initlen(&auth_method, h, 0, p-h); + chunk_initlen(&txn->auth.method_data, p+1, 0, ctx.vlen-(p-h)-1); + + if (!strncasecmp("Basic", auth_method.str, auth_method.len)) { + + len = base64dec(txn->auth.method_data.str, txn->auth.method_data.len, + get_http_auth_buff, BUFSIZE - 1); + + if (len < 0) + return 0; + + + get_http_auth_buff[len] = '\0'; + + p = strchr(get_http_auth_buff, ':'); + + if (!p) + return 0; + + txn->auth.user = get_http_auth_buff; + *p = '\0'; + txn->auth.pass = p+1; + + txn->auth.method = HTTP_AUTH_BASIC; + return 1; + } + + return 0; +} + /* * This function parses an HTTP message, either a request or a response, @@ -6480,6 +6553,8 @@ void http_init_txn(struct session *s) txn->rsp.hdr_content_len = 0LL; txn->req.msg_state = HTTP_MSG_RQBEFORE; /* at the very beginning of the request */ txn->rsp.msg_state = HTTP_MSG_RPBEFORE; /* at the very beginning of the response */ + + txn->auth.method = HTTP_AUTH_UNKNOWN; chunk_reset(&txn->auth_hdr); txn->req.err_pos = txn->rsp.err_pos = -2; /* block buggy requests/responses */ @@ -6506,6 +6581,7 @@ void http_end_txn(struct session *s) pool_free2(pool2_capture, txn->cli_cookie); pool_free2(pool2_capture, txn->srv_cookie); pool_free2(apools.sessid, txn->sessid); + txn->sessid = NULL; txn->uri = NULL; txn->srv_cookie = NULL; @@ -7172,6 +7248,25 @@ acl_fetch_proto_http(struct proxy *px, struct session *s, void *l7, int dir, return 1; } +static int +acl_fetch_http_auth(struct proxy *px, struct session *s, void *l7, int dir, + struct acl_expr *expr, struct acl_test *test) +{ + + if (!s) + return 0; + + if (!get_http_auth(s)) + return 0; + + test->ctx.a[0] = expr->arg.ul; + test->ctx.a[1] = s->txn.auth.user; + test->ctx.a[2] = s->txn.auth.pass; + + test->flags |= ACL_TEST_F_READ_ONLY | ACL_TEST_F_NULL_MATCH; + + return 1; +} /************************************************************************/ /* All supported keywords must be declared here. */ @@ -7227,8 +7322,6 @@ static struct acl_kw_list acl_kws = {{ },{ { "path_dir", acl_parse_str, acl_fetch_path, acl_match_dir, ACL_USE_L7REQ_VOLATILE }, { "path_dom", acl_parse_str, acl_fetch_path, acl_match_dom, ACL_USE_L7REQ_VOLATILE }, - { NULL, NULL, NULL, NULL }, - #if 0 { "line", acl_parse_str, acl_fetch_line, acl_match_str }, { "line_reg", acl_parse_reg, acl_fetch_line, acl_match_reg }, @@ -7246,13 +7339,11 @@ static struct acl_kw_list acl_kws = {{ },{ { "cook_dir", acl_parse_str, acl_fetch_cook, acl_match_dir }, { "cook_dom", acl_parse_str, acl_fetch_cook, acl_match_dom }, { "cook_pst", acl_parse_none, acl_fetch_cook, acl_match_pst }, +#endif - { "auth_user", acl_parse_str, acl_fetch_user, acl_match_str }, - { "auth_regex", acl_parse_reg, acl_fetch_user, acl_match_reg }, - { "auth_clear", acl_parse_str, acl_fetch_auth, acl_match_str }, - { "auth_md5", acl_parse_str, acl_fetch_auth, acl_match_md5 }, + { "http_auth", acl_parse_nothing, acl_fetch_http_auth, acl_match_auth }, + { "http_auth_group", acl_parse_strcat, acl_fetch_http_auth, acl_match_auth }, { NULL, NULL, NULL, NULL }, -#endif }}; diff --git a/src/session.c b/src/session.c index 36fe50de91..cd521d98f2 100644 --- a/src/session.c +++ b/src/session.c @@ -830,6 +830,9 @@ struct task *process_session(struct task *t) //DPRINTF(stderr, "%s:%d: cs=%d ss=%d(%d) rqf=0x%08x rpf=0x%08x\n", __FUNCTION__, __LINE__, // s->si[0].state, s->si[1].state, s->si[1].err_type, s->req->flags, s->rep->flags); + /* this data may be no longer valid, clear it */ + memset(&s->txn.auth, 0, sizeof(s->txn.auth)); + /* This flag must explicitly be set every time */ s->req->flags &= ~BF_READ_NOEXP;