From: Radosław Korzeniewski Date: Tue, 13 Oct 2020 11:49:27 +0000 (+0200) Subject: Update error handling in BPAM framework. X-Git-Tag: Release-11.3.2~923 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d866bca42b5baf7cfde3b099dd6ecccb71ad8b1;p=thirdparty%2Fbacula.git Update error handling in BPAM framework. --- diff --git a/bacula/src/console/authenticate.c b/bacula/src/console/authenticate.c index 4157a2a63..0e2cb7700 100644 --- a/bacula/src/console/authenticate.c +++ b/bacula/src/console/authenticate.c @@ -146,6 +146,12 @@ bool ConsoleAuthenticate::ClientAuthenticate(CONRES *cons, const char *password) return false; } + // early check if auth interaction finish + if (dir->msg[0] == UA_AUTH_INTERACTIVE_FINISH){ + // break the loop + break; + } + pm_strcpy(msg, NULL); pm_strcpy(msg, dir->msg + 1); strip_trailing_junk(msg.c_str()); @@ -167,7 +173,7 @@ bool ConsoleAuthenticate::ClientAuthenticate(CONRES *cons, const char *password) // now we should return it to director strip_trailing_junk(buf.c_str()); - dir->fsend("%s", buf.c_str()); + dir->fsend("%c%s", UA_AUTH_INTERACTIVE_RESPONSE, buf.c_str()); break; case UA_AUTH_INTERACTIVE_HIDDEN: @@ -184,7 +190,7 @@ bool ConsoleAuthenticate::ClientAuthenticate(CONRES *cons, const char *password) bstrncpy(buf.c_str(), passwd, buf.size()); #endif // now we should get a hidden response at `buf` class, return it to director - dir->fsend("%s", buf.c_str()); + dir->fsend("%c%s", UA_AUTH_INTERACTIVE_RESPONSE, buf.c_str()); break; case UA_AUTH_INTERACTIVE_MESSAGE: 
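Review bot: In the `UA_AUTH_INTERACTIVE_HIDDEN` case the password copied into `buf` is still there after the new `dir->fsend("%c%s", UA_AUTH_INTERACTIVE_RESPONSE, buf.c_str());`, and nothing visible in the hunk clears it before the `break`. If `buf` is reused for later prompts or lives until the function returns, the secret stays in process memory longer than needed. A wipe right after the send, `memset(buf.c_str(), 0, buf.size());`, would limit that, though a plain memset can be optimised away when the buffer is not read again, and fsend presumably keeps its own formatted copy in the socket's message buffer. The case body starts above the hunk and the function continues below it, so an existing cleanup outside the hunk cannot be ruled out.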
@@ -193,13 +199,28 @@ bool ConsoleAuthenticate::ClientAuthenticate(CONRES *cons, const char *password) break; case UA_AUTH_INTERACTIVE_FINISH: - return true; + // well it is not possible that we will reach this code, so report insanity + return false; default: bmicrosleep(5, 0); // original cram_md5_respond() wait for 5s here return false; } } + + // now check if authorized + if (bsock->wait_data(180) <= 0 || bsock->recv() <= 0) { + Dmsg1(1, "Receive auth confirmation failed. ERR=%s\n", bsock->bstrerror()); + bmicrosleep(5, 0); + return false; + } + if (strcmp(bsock->msg, "1000 OK auth\n") == 0) { + // authorization ok + return true; + } + Dmsg1(1, "Received bad response: %s\n", bsock->msg); + bmicrosleep(5, 0); + return false; } } @@ -239,7 +260,7 @@ int ConsoleAuthenticate::authenticate_director(DIRRES *director, CONRES *cons) } /* Timeout Hello after 15 secs */ - StartAuthTimeout(15); + StartAuthTimeout(1500); dir->fsend(hello, bashed_name, UA_VERSION, tlspsk_local_need); diff --git a/bacula/src/dird/authenticate.c b/bacula/src/dird/authenticate.c index e40fdf49b..27a62470f 100644 --- a/bacula/src/dird/authenticate.c +++ b/bacula/src/dird/authenticate.c @@ -336,6 +336,7 @@ int UAAuthenticate::authenticate_user_agent() legacy_auth = false; Dmsg1(dbglvl, "authenticate with Plugin=%s\n", cons->authenticationplugin); if (ua_version < UA_VERSION_PLUGINAUTH || !authenticate_with_plugin(cons)){ + auth_success = false; goto auth_done; } } @@ -429,8 +430,11 @@ bool UAAuthenticate::authenticate_with_plugin(CONRES * cons) } if (dir_authplugin_authenticate(uac->jcr, bsock, authData->name) != bRC_OK){ + bsock->fsend(_("1999 Authorization failed !!!.\n")); + bmicrosleep(5, 0); return false; } + bsock->fsend("1000 OK auth\n"); return true; } \ No newline at end of file diff --git a/bacula/src/dird/dir_authplugin.c b/bacula/src/dird/dir_authplugin.c index 105c52514..72c725b05 100644 --- a/bacula/src/dird/dir_authplugin.c +++ b/bacula/src/dird/dir_authplugin.c 
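Review bot: The confirmation step added after the loop talks to `bsock` (`bsock->wait_data(180)`, `bsock->recv()`, `bsock->msg`) while every other line in these hunks uses `dir`. If the two are not the same socket, the "1000 OK auth" line is awaited on the wrong connection; if they are, one name should be used throughout. The reply literal `"1000 OK auth\n"` is also duplicated in bacula/src/dird/authenticate.c, so a shared constant would keep both ends of the exchange from drifting apart. Both failure paths report only through `Dmsg1` at debug level 1; if the user-facing error is produced by the caller, a comment saying so would help. ClientAuthenticate starts above the hunk.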
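Review bot: `StartAuthTimeout(1500);` raises the authentication timeout from 15 seconds to 25 minutes, while the comment directly above still reads `/* Timeout Hello after 15 secs */`. A value this long for the initial hello looks like either a debugging leftover or a way to leave room for the interactive plugin prompts; in the second case the hello could keep its short timeout and the interactive phase get its own timer. Either restore `StartAuthTimeout(15);` or update the comment and replace the literal with a named constant that explains why authentication may take that long. authenticate_director continues outside the hunk.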
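Review bot: `bsock->fsend(_("1999 Authorization failed !!!.\n"));` passes a translated string as the format argument of a protocol message. A catalogue entry containing a `%` would then be interpreted by fsend, and the wire text would vary with the director's locale; `bsock->fsend("%s", "1999 Authorization failed !!!.\n");` avoids both. The return value of neither fsend call is checked, so `return true` is reached even when the `1000 OK auth` line could not be sent. authenticate_with_plugin starts above the hunk.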
@@ -233,9 +233,16 @@ static bRC dir_authplugin_handle_response(JCR *jcr, BSOCK *bsock, const char *pl return bRC_Error; } + // check if it is a response packet + if (bsock->msg[0] != UA_AUTH_INTERACTIVE_RESPONSE){ + Dmsg1(dbglvl, "Receive auth response packet error. Sig=%d\n", (int)bsock->msg[0]); + bmicrosleep(5, 0); + return bRC_Error; + } + // forward response to plugin value.seqdata = seqdata; - value.response = bsock->msg; + value.response = bsock->msg + 1; // we have to omit a first character which is a packet mark return dir_authplugin_generate_plugin_event(jcr, pluginname, bDirEventAuthenticationResponse, (void*)&value); }
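Review bot: The new check reads `bsock->msg[0]` and then forwards `bsock->msg + 1` without looking at the message length; the receive check that should guarantee at least one byte sits above the hunk and is cut off here. Making the length explicit keeps the index safe regardless of what that check admits: `if (bsock->msglen < 1 || bsock->msg[0] != UA_AUTH_INTERACTIVE_RESPONSE){`. A packet holding only the mark byte still passes and reaches the plugin as an empty string, so the comment on `value.response` could state that an empty response is possible and must be handled by the plugin.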