From: Eric Bollengier
Date: Fri, 3 Sep 2021 07:44:07 +0000 (+0200)
Subject: Add console name to the authentication plugin framework
X-Git-Tag: Beta-15.0.0~912
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2cad34d3b037974515f6328615a066570a59a5b;p=thirdparty%2Fbacula.git

Add console name to the authentication plugin framework
---

diff --git a/bacula/src/dird/authenticate.c b/bacula/src/dird/authenticate.c
index 55c41ddcf..fa4087871 100644
--- a/bacula/src/dird/authenticate.c
+++ b/bacula/src/dird/authenticate.c
@@ -335,6 +335,7 @@ int UAAuthenticate::authenticate_user_agent()
       if (cons->authenticationplugin){
          legacy_auth = false;
          Dmsg1(dbglvl, "authenticate with Plugin=%s\n", cons->authenticationplugin);
+         // TLS will be started during the plugin authentication process
          if (ua_version < UA_VERSION_PLUGINAUTH || !authenticate_with_plugin(cons)){
             auth_success = false;
             goto auth_done;
@@ -378,6 +379,8 @@ auth_done:
  * @brief This function perform user authentication procedure augmented with Auth Plugin API.
  * All bconsole network chatting and interaction is forwarded to dir_authplugins module
  * and we just provide a required framework and resources, i.e. jcr or bsock to ua.
+ * TLS is started before the authentication exchange. If TLS is not available, the
+ * authentication exchange is aborted.
  *
  * @param cons a Console resource required for auth plugin registration
  * @return true when authentication process finish with success and we can proceed next operations
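Review bot: The added comment says TLS "will be started during the plugin authentication process", but the only TLS-related code this commit adds to `authenticate_with_plugin` tests `tls_started` and aborts when it is false; nothing in the diff starts a TLS session. If TLS is negotiated earlier in `authenticate_user_agent` (outside the hunk), the comment should state the requirement rather than a side effect, e.g. `// Plugin authentication is only allowed over TLS; authenticate_with_plugin() refuses plaintext sessions`. The @brief added in the next hunk ("TLS is started before the authentication exchange") would benefit from the same precision, since a reader of the header comment will otherwise look for the TLS start inside this function. `authenticate_user_agent` begins and ends outside this hunk.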
@@ -397,10 +400,9 @@ bool UAAuthenticate::authenticate_with_plugin(CONRES * cons)
    * 4. when all interactions were handled without problem then do authenticate with plugin
    * 5. if plugin return authentication OK? return true, Not? return false
    */
-   bDirAuthenticationRegister *authData;
-   authData = (bDirAuthenticationRegister*) dir_authplugin_getauthenticationData(uac->jcr, cons->authenticationplugin);
+   authData = (bDirAuthenticationRegister*) dir_authplugin_getauthenticationData(uac->jcr, cons->hdr.name, cons->authenticationplugin);
    if (authData == NULL) {
       return false;
@@ -411,9 +413,12 @@ bool UAAuthenticate::authenticate_with_plugin(CONRES * cons)
    {
       return false;
    }
-
+   // We require to have TLS setup to use authentication plugins
+   if (!tls_started) {
+      Dmsg0(dbglvl, "Unable to use Plugin Authentication because TLS is not available\n");
+      return false;
+   }
    // send auth plugin start packet and optional welcome string to console
-   Dmsg1(dbglvl, "send: auth interactive %s\n", NPRT(authData->welcome));
    if (!bsock->fsend("auth interactive %s\n", NPRTB(authData->welcome))) {
       Dmsg1(dbglvl, "Send interactive start comm error. ERR=%s\n", bsock->bstrerror());
       return false;
diff --git a/bacula/src/dird/dir_authplugin.c b/bacula/src/dird/dir_authplugin.c
index cc34a5161..27317c6ef 100644
--- a/bacula/src/dird/dir_authplugin.c
+++ b/bacula/src/dird/dir_authplugin.c
@@ -153,7 +153,7 @@ static bRC dir_authplugin_generate_plugin_event(JCR *jcr, const char * pluginnam
  * @return void* a `NULL` is returned on any error and a pointer to bDirAuthenticationRegister
  * struct (casted to void*) on success
  */
-void * dir_authplugin_getauthenticationData(JCR *jcr, const char * param)
+void *dir_authplugin_getauthenticationData(JCR *jcr, const char *console, const char *param)
 {
    bpContext *plugin_ctx;
    Plugin *plugin;
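Review bot: `cons->hdr.name` is now handed to the plugin as the console identity, but at this point it is the name of the Console resource the Director selected for the session, and nothing in the diff shows that selection has been backed by a credential check; the legacy password exchange is skipped once `legacy_auth = false` in `authenticate_user_agent`, so the name presumably originates from the client's hello. A plugin must therefore treat `console` as a configuration key (which policy or backend applies), never as an authenticated principal; the outcome of the plugin exchange is what authenticates the user. I would say so at the call site: `// cons->hdr.name selects the plugin policy for this session; it is not yet an authenticated identity`. The local declaration of `authData` removed here has no replacement in the diff, so it presumably lives in the class or earlier in the function; `authenticate_with_plugin` continues outside the hunk.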
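Review bot: The `tls_started` gate is evaluated only after `dir_authplugin_getauthenticationData()` and the call just above the hunk have already run, so plugin code executes for a session whose transport has not been confirmed encrypted; unless that preceding call is what negotiates TLS, move the check to the top of `authenticate_with_plugin` so a plaintext connection is rejected before any plugin or network work. The refusal is also reported only through `Dmsg0` at debug level, which leaves an operator with a console that silently fails to log in whenever TLS is misconfigured; an operator-visible message of the kind the legacy authentication-failure path emits, naming the console, would make this diagnosable, e.g. `Dmsg1(dbglvl, "Plugin authentication for console %s refused: TLS is not established\n", cons->hdr.name);` plus the corresponding Jmsg. Removing the `Dmsg1` that printed `authData->welcome` is fine. The function continues outside the hunk.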
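Review bot: The Doxygen block above the new signature still documents only the return value, so the meaning of the added `console` argument is unspecified for anyone implementing the plugin side. Add `* @param console name of the Console resource bound to this session; passed to each plugin unchanged and not NULL-checked here`, and a `@param param` line if one is not already present above the hunk. The parameter is forwarded verbatim in the next hunk of this file, so the header comment is the only place its provenance can be stated. The enclosing comment block starts outside the hunk.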
@@ -176,7 +176,7 @@ void * dir_authplugin_getauthenticationData(JCR *jcr, const char * param)
          continue;
       }
-      if (dirplug_func(plugin)->getPluginAuthenticationData(plugin_ctx, param, (void**)&data) != bRC_OK){
+      if (dirplug_func(plugin)->getPluginAuthenticationData(plugin_ctx, console, param, (void**)&data) != bRC_OK){
          // getting authdata operations failed
          return NULL;
       }
diff --git a/bacula/src/dird/dir_authplugin.h b/bacula/src/dird/dir_authplugin.h
index 2f9b601e9..de63af483 100644
--- a/bacula/src/dird/dir_authplugin.h
+++ b/bacula/src/dird/dir_authplugin.h
@@ -77,29 +77,29 @@ typedef enum {
  */
 typedef struct s_bDirAuthenticationData {
    const bDirAuthenticationOperation operation;
-   const char * question;
+   const char *question;
    const uint32_t seqdata;
 } bDirAuthenticationData;
 typedef struct s_bDirAuthenticationRegister {
-   const char * name;
-   const char * welcome;
-   const uint32_t num;
-   const bDirAuthenticationData *data;
-   const int32_t nsTTL;
+   const char *name;
+   const char *welcome;
+   uint32_t num;
+   bDirAuthenticationData *data;
+   int32_t nsTTL;
 } bDirAuthenticationRegister;
 typedef struct s_bDirAuthenticationValue {
    union {
-      void * rawdata; // future extension
-      const bDirAuthenticationData * authdata; // a pointer to single bDirAuthenticationData as a dynamic operation
+      void *rawdata; // future extension
+      bDirAuthenticationData *authdata; // a pointer to single bDirAuthenticationData as a dynamic operation
       const char *response;
    };
    uint32_t seqdata;
 } bDirAuthValue;
 typedef struct s_bDirAuthorizationACLRegister {
-   const char * name;
+   const char *name;
    // *TBD* - Incomplete
    const int32_t nsTTL;
 } bDirAuthorizationACLRegister;
diff --git a/bacula/src/dird/dir_plugins.h b/bacula/src/dird/dir_plugins.h
index f104b0d96..ea82c093a 100644
--- a/bacula/src/dird/dir_plugins.h
+++ b/bacula/src/dird/dir_plugins.h
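Review bot: Dropping `const` from `num`, `nsTTL`, `data` and the `authdata` union member is a contract change hidden inside a pointer-spacing cleanup: the Director can now write through `bDirAuthenticationRegister::data` into a table the plugin presumably owns, and a plugin can no longer hand over a `static const` question table without a cast. If the motivation is that plugins build the table dynamically, state the ownership in the header, e.g. `/* data: plugin-owned; must stay valid until the plugin is freed. The Director only reads it. */`, and consider keeping `const` on the Director-facing pointer so that promise is enforced by the compiler. `DIR_PLUGIN_INTERFACE_VERSION` is bumped in the next file, which is right for this ABI change.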
@@ -155,7 +155,7 @@ typedef enum {
 #define DIR_PLUGIN_MAGIC "*DirPluginData*"
-#define DIR_PLUGIN_INTERFACE_VERSION 1
+#define DIR_PLUGIN_INTERFACE_VERSION 2
 typedef struct s_dirpluginInfo {
    uint32_t size;
@@ -177,8 +177,8 @@ typedef struct s_dirpluginFuncs
    bRC (*getPluginValue)(bpContext *ctx, pDirVariable var, void *value);
    bRC (*setPluginValue)(bpContext *ctx, pDirVariable var, void *value);
    bRC (*handlePluginEvent)(bpContext *ctx, bDirEvent *event, void *value);
-   bRC (*getPluginAuthenticationData)(bpContext *ctx, const char *param, void **data);
-   bRC (*getPluginAuthorizationData)(bpContext *ctx, const char *param, void **data);
+   bRC (*getPluginAuthenticationData)(bpContext *ctx, const char *console, const char *param, void **data);
+   bRC (*getPluginAuthorizationData)(bpContext *ctx, const char *console, const char *param, void **data);
 } pDirFuncs;
 #define dirplug_func(plugin) ((pDirFuncs *)(plugin->pfuncs))
diff --git a/bacula/src/dird/protos.h b/bacula/src/dird/protos.h
index 7644c326f..5d123942f 100644
--- a/bacula/src/dird/protos.h
+++ b/bacula/src/dird/protos.h
@@ -387,6 +387,6 @@ bool catreq_get_pool_info(JCR *jcr, BSOCK *bs);
 bool is_dedup_ref(DEV_RECORD *rec, bool lazy);
 /* dir_authplugins.c */
-void *dir_authplugin_getauthenticationData(JCR *jcr, const char *param);
+void * dir_authplugin_getauthenticationData(JCR *jcr, const char *console, const char *param);
 bRC dir_authplugin_do_interaction(JCR *jcr, BSOCK *bsock, const char *pluginname, void *data, bool pluginall = false);
 bRC dir_authplugin_authenticate(JCR *jcr, BSOCK *bsock, const char *pluginname);
diff --git a/bacula/src/plugins/dir/ldap/ldap-dir.c b/bacula/src/plugins/dir/ldap/ldap-dir.c
index 6e66b9464..0c5bbb24e 100644
--- a/bacula/src/plugins/dir/ldap/ldap-dir.c
+++ b/bacula/src/plugins/dir/ldap/ldap-dir.c
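Review bot: The new `console` parameter on both callbacks has no documentation, so a plugin author cannot tell what string it is, whether it may be NULL, whether it is an authenticated identity, or how long the pointer stays valid. From the Director side of this diff it is `cons->hdr.name`, the configured Console resource name selected for the session before the plugin exchange has authenticated anyone, so plugins should use it to pick policy, not to trust the caller. I would add above the two members: `/* console: name of the Director's Console resource for this session, never an authenticated user identity; treat the pointer as valid only for the duration of the call */`, with the lifetime clause confirmed against the caller. `s_dirpluginFuncs` begins outside the hunk.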
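Review bot: The prototype now reads `void * dir_authplugin_getauthenticationData(...)` while the definition in dir_authplugin.c was changed in this same commit to `void *dir_authplugin_getauthenticationData(...)`; the two should match, i.e. `void *dir_authplugin_getauthenticationData(JCR *jcr, const char *console, const char *param);`. The `/* dir_authplugins.c */` label above it also does not match the file name `dir_authplugin.c` used elsewhere in this diff, which is worth fixing while the line is being touched.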
@@ -63,8 +63,8 @@ extern "C" {
 static bRC newPlugin(bpContext *ctx);
 static bRC freePlugin(bpContext *ctx);
 static bRC handlePluginEvent(bpContext *ctx, bDirEvent *event, void *value);
-static bRC getAuthenticationData(bpContext *ctx, const char *param, void **data);
-static bRC getAuthorizationData(bpContext *ctx, const char *param, void **data);
+static bRC getAuthenticationData(bpContext *ctx, const char *console, const char *param, void **data);
+static bRC getAuthorizationData(bpContext *ctx, const char *console, const char *param, void **data);
 /* Pointers to Bacula functions */
 bDirFuncs *bfuncs = NULL;
@@ -146,14 +146,14 @@ static bRC handlePluginEvent(bpContext *ctx, bDirEvent *event, void *value)
    return self->handlePluginEvent(event, value);
 }
-static bRC getAuthenticationData(bpContext *ctx, const char *param, void **data)
+static bRC getAuthenticationData(bpContext *ctx, const char *console, const char *param, void **data)
 {
    DMSG(ctx, D1, "getAuthenticationData (%s)\n", param);
    BPAMLDAP *self = (BPAMLDAP*)ctx->pContext;
    return self->getAuthenticationData(param, data);
 }
-static bRC getAuthorizationData(bpContext *ctx, const char *param, void **data)
+static bRC getAuthorizationData(bpContext *ctx, const char *console, const char *param, void **data)
 {
    DMSG(ctx, D1, "getAuthorizationData (%s)\n", param);
    BPAMLDAP *self = (BPAMLDAP*)ctx->pContext;
diff --git a/bacula/src/plugins/dir/test-authentication-api-dir.c b/bacula/src/plugins/dir/test-authentication-api-dir.c
index 0eb933e15..0509bd8e2 100644
--- a/bacula/src/plugins/dir/test-authentication-api-dir.c
+++ b/bacula/src/plugins/dir/test-authentication-api-dir.c
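Review bot: Both wrappers accept `console` but drop it: `self->getAuthenticationData(param, data)` is still called without it and the `DMSG` lines log only `param`, so the LDAP plugin gains nothing from this commit and the new argument is an unused parameter. If the LDAP backend is meant to key its policy (base DN, group, bind account) on the console, thread it through to `BPAMLDAP::getAuthenticationData`; if not, at least record it next to `param`, e.g. `DMSG2(ctx, D1, "getAuthenticationData (console=%s, %s)\n", NPRT(console), NPRT(param));`, so the debug trail shows which console resource asked. The `BPAMLDAP` method signatures are outside this diff, so I cannot tell whether they already take the console name. `getAuthorizationData`'s body continues outside the hunk.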
@@ -42,8 +42,8 @@ static bRC freePlugin(bpContext *ctx);
 static bRC getPluginValue(bpContext *ctx, pDirVariable var, void *value);
 static bRC setPluginValue(bpContext *ctx, pDirVariable var, void *value);
 static bRC handlePluginEvent(bpContext *ctx, bDirEvent *event, void *value);
-static bRC getAuthenticationData(bpContext *ctx, const char *param, void **data);
-static bRC getAuthorizationData(bpContext *ctx, const char *param, void **data);
+static bRC getAuthenticationData(bpContext *ctx, const char *console, const char *param, void **data);
+static bRC getAuthorizationData(bpContext *ctx, const char *console, const char *param, void **data);
 /* Plugin compile time variables */
 #define PLUGINPREFIX "authapi:"
@@ -268,14 +268,14 @@ static bRC handlePluginEvent(bpContext *ctx, bDirEvent *event, void *value)
    return bRC_OK;
 }
-static bRC getAuthenticationData(bpContext *ctx, const char *param, void **data)
+static bRC getAuthenticationData(bpContext *ctx, const char *console, const char *param, void **data)
 {
    test_api *self = (test_api *)ctx->pContext;
    bDirAuthenticationRegister **padata = (bDirAuthenticationRegister **)data;
    self->mode = 0; // this is a default
-   DMSG1(ctx, DINFO, "registering with: %s\n", NPRT(param));
+   DMSG2(ctx, DINFO, "registering with: console=%s %s\n", console, NPRT(param));
    sscanf(param, PLUGIN_NAME ":%d", &self->mode);
    switch (self->mode) {
@@ -292,7 +292,7 @@ static bRC getAuthenticationData(bpContext *ctx, const char *param, void **data)
    return bRC_OK;
 }
-static bRC getAuthorizationData(bpContext *ctx, const char *param, void **data)
+static bRC getAuthorizationData(bpContext *ctx, const char *console, const char *param, void **data)
 {
    return bRC_OK;
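Review bot: The new `DMSG2` guards `param` with `NPRT` but passes `console` bare to a `%s` conversion, which is undefined behaviour if a caller ever passes NULL; wrap it the same way, `DMSG2(ctx, DINFO, "registering with: console=%s %s\n", NPRT(console), NPRT(param));`. The Director currently passes `cons->hdr.name`, which is presumably non-NULL for a configured resource, but the plugin API as changed in this commit does not promise that. `getAuthenticationData` continues outside the hunk.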