diff options
author | Glenn Strauss <gstrauss@gluelogic.com> | 2017-11-05 18:52:09 -0500 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2017-11-05 20:11:07 -0500 |
commit | d61714dd0de1acd75ffe3dab7dc109a73926a49a (patch) | |
tree | 47ba9f94faaaf1c099daa9c2eaf6ef23017c5351 | |
parent | fdc4c324c4df38e04c858a2f8c2081c872c50ba5 (diff) | |
download | lighttpd-git-d61714dd0de1acd75ffe3dab7dc109a73926a49a.tar.gz |
[mod_authn_sasl] SASL auth (new) (fixes #2275)
(experimental)
HTTP Basic authentication using saslauthd
server.modules += ( "mod_auth" )
server.modules += ( "mod_authn_sasl" )
auth.backend = "sasl"
auth.backend.sasl.opts = ( "pwcheck_method" => "saslauthd" ) # default
x-ref:
"SASL auth like libapache2-mod-authn-sasl"
https://redmine.lighttpd.net/issues/2275
-rw-r--r-- | SConstruct | 10 | ||||
-rw-r--r-- | configure.ac | 43 | ||||
-rw-r--r-- | meson.build | 2 | ||||
-rw-r--r-- | meson_options.txt | 5 | ||||
-rw-r--r-- | src/CMakeLists.txt | 17 | ||||
-rw-r--r-- | src/Makefile.am | 8 | ||||
-rw-r--r-- | src/SConscript | 3 | ||||
-rw-r--r-- | src/meson.build | 19 | ||||
-rw-r--r-- | src/mod_authn_sasl.c | 283 |
9 files changed, 387 insertions, 3 deletions
@@ -247,6 +247,7 @@ vars.AddVariables( BoolVariable('with_openssl', 'enable openssl support', 'no'), PackageVariable('with_pcre', 'enable pcre support', 'yes'), PackageVariable('with_pgsql', 'enable pgsql support', 'no'), + PackageVariable('with_sasl', 'enable SASL support', 'no'), BoolVariable('with_sqlite3', 'enable sqlite3 support (required for webdav props)', 'no'), BoolVariable('with_uuid', 'enable uuid support (required for webdav locks)', 'no'), # with_valgrind not supported @@ -325,6 +326,7 @@ if 1: LIBMYSQL = '', LIBPCRE = '', LIBPGSQL = '', + LIBSASL = '', LIBSQLITE3 = '', LIBSSL = '', LIBUUID = '', @@ -583,6 +585,14 @@ if 1: fail("Couldn't find libpq") autoconf.env.Append(CPPFLAGS = [ '-DHAVE_PGSQL_H', '-DHAVE_LIBPGSQL' ]) + if env['with_sasl']: + if not autoconf.CheckLibWithHeader('sasl2', 'sasl/sasl.h', 'C'): + fail("Couldn't find libsasl2") + autoconf.env.Append( + CPPFLAGS = [ '-DHAVE_SASL' ], + LIBSASL = 'sasl2', + ) + if env['with_sqlite3']: if not autoconf.CheckLibWithHeader('sqlite3', 'sqlite3.h', 'C'): fail("Couldn't find sqlite3") diff --git a/configure.ac b/configure.ac index 1f616d13..5383cec5 100644 --- a/configure.ac +++ b/configure.ac @@ -328,8 +328,8 @@ DBI_LIBS= if test "$WITH_DBI" != no; then if test "$WITH_DBI" != yes; then - DBI_CFLAGS="-I$WITH_LIBDBI/include" - DBI_LIBS="-L$WITH_LIBDBI/lib -ldbi" + DBI_CFLAGS="-I$WITH_DBI/include" + DBI_LIBS="-L$WITH_DBI/lib -ldbi" else AC_CHECK_HEADERS([dbi/dbi.h], [AC_CHECK_LIB([dbi], [dbi_version], @@ -350,6 +350,45 @@ AM_CONDITIONAL([BUILD_WITH_DBI], [test "$WITH_DBI" != no]) AC_SUBST([DBI_LIBS]) AC_SUBST([DBI_CFLAGS]) +dnl Checks for libsasl2 library +AC_MSG_NOTICE([----------------------------------------]) +AC_MSG_CHECKING([for LibSASL support]) +AC_ARG_WITH([sasl], + [AC_HELP_STRING([--with-sasl@<:@=PATH@:>@], + [Include SASL support in PATH/include/sasl/sasl.h and PATH/lib] + )], + [WITH_SASL=$withval], + [WITH_SASL=no] +) +AC_MSG_RESULT([$WITH_SASL]) + +SASL_INCLUDE= +SASL_LIBS= + +if test "$WITH_SASL" != no; then + if test "$WITH_SASL" != yes; then + SASL_CFLAGS="-I$WITH_SASL/include" + SASL_LIBS="-L$WITH_SASL/lib -lsasl2" + else + AC_CHECK_HEADERS([sasl/sasl.h], + [AC_CHECK_LIB([sasl2], [sasl_server_init], + [ + SASL_CFLAGS= + SASL_LIBS="-lsasl2" + ], + [AC_MSG_ERROR([libsasl2 not found])] + )], + [AC_MSG_ERROR([SASL header not found])] + ) + fi + + AC_DEFINE([HAVE_SASL], [1], [LibSASL support]) +fi +AM_CONDITIONAL([BUILD_WITH_SASL], [test "$WITH_SASL" != no]) + +AC_SUBST([SASL_LIBS]) +AC_SUBST([SASL_CFLAGS]) + dnl Check for LDAP AC_MSG_NOTICE([----------------------------------------]) diff --git a/meson.build b/meson.build index 19a9f381..62ef32f6 100644 --- a/meson.build +++ b/meson.build @@ -10,7 +10,7 @@ subdir('tests') # $ ninja # full build: -# $ meson configure -D build_extra_warnings=true -D with_bzip=true -D with_dbi=true -D with_fam=true -D with_gdbm=true -D with_geoip=true -D with_krb5=true -D with_ldap=true -D with_libev=true -D with_libunwind=true -D with_lua=true -D with_memcached=true -D with_mysql=true -D with_openssl=true -D with_pcre=true -D with_pgsql=true -D with_webdav_locks=true -D with_webdav_props=true -D with_xattr=true -D with_zlib=true +# $ meson configure -D build_extra_warnings=true -D with_bzip=true -D with_dbi=true -D with_fam=true -D with_gdbm=true -D with_geoip=true -D with_krb5=true -D with_ldap=true -D with_libev=true -D with_libunwind=true -D with_lua=true -D with_memcached=true -D with_mysql=true -D with_openssl=true -D with_pcre=true -D with_pgsql=true -D with_sasl=true -D with_webdav_locks=true -D with_webdav_props=true -D with_xattr=true -D with_zlib=true # optimized build: # $ meson configure -D b_lto=true -D buildtype=debugoptimized diff --git a/meson_options.txt b/meson_options.txt index 6fde5ea2..188f4d33 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -73,6 +73,11 @@ option('with_pgsql', value: false, description: 'with postgres-support for mod_vhostdb_pgsql [default: off]', ) +option('with_sasl', + type: 'boolean', + value: false, + description: 'with SASL support for mod_authn_sasl [default: off]', +) #option('with_valgrind', # type: 'boolean', # value: false, diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index c36de51e..20a68842 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -33,6 +33,7 @@ option(WITH_MEMCACHED "memcached storage for mod_trigger_b4_dl [default: off]") option(WITH_LIBEV "libev support for fdevent handlers [default: off]") option(WITH_LIBUNWIND "with libunwind to print backtraces in asserts [default: off]") option(WITH_GEOIP "with GeoIP-support mod_geoip [default: off]") +option(WITH_SASL "with SASL-support for mod_authn_sasl [default: off]") if(CMAKE_C_COMPILER_ID MATCHES "GNU" OR CMAKE_C_COMPILER_ID MATCHES "Clang") option(BUILD_EXTRA_WARNINGS "extra warnings") @@ -351,6 +352,16 @@ else() unset(HAVE_LIBPCRE) endif() +if(WITH_SASL) + check_include_files(sasl/sasl.h HAVE_SASL_SASL_H) + if(HAVE_SASL_SASL_H) + check_library_exists(sasl2 sasl_server_init "" HAVE_SASL) + endif() +else() + unset(HAVE_SASL_SASL_H) + unset(HAVE_SASL) +endif() + if(WITH_XML) xconfig(xml2-config XML2_INCDIR XML2_LIBDIR XML2_LDFLAGS XML2_CFLAGS) @@ -757,6 +768,12 @@ if(WITH_LDAP) target_link_libraries(mod_vhostdb_ldap ${L_MOD_AUTHN_LDAP}) endif() +if(WITH_SASL) + add_and_install_library(mod_authn_sasl "mod_authn_sasl.c") + set(L_MOD_AUTHN_SASL ${L_MOD_AUTHN_SASL} sasl2) + target_link_libraries(mod_authn_sasl ${L_MOD_AUTHN_SASL}) +endif() + if(HAVE_ZLIB_H) if(HAVE_BZLIB_H) target_link_libraries(mod_compress ${ZLIB_LIBRARY} bz2) diff --git a/src/Makefile.am b/src/Makefile.am index ec73d768..8b2828b6 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -337,6 +337,14 @@ mod_authn_mysql_la_LIBADD = $(CRYPT_LIB) $(MYSQL_LIBS) $(common_libadd) mod_authn_mysql_la_CPPFLAGS = $(MYSQL_INCLUDE) endif +if BUILD_WITH_SASL +lib_LTLIBRARIES += mod_authn_sasl.la +mod_authn_sasl_la_SOURCES = mod_authn_sasl.c +mod_authn_sasl_la_LDFLAGS = $(common_module_ldflags) +mod_authn_sasl_la_LIBADD = $(SASL_LIBS) $(common_libadd) +mod_authn_sasl_la_CPPFLAGS = $(SASL_CFLAGS) +endif + if BUILD_WITH_OPENSSL lib_LTLIBRARIES += mod_openssl.la mod_openssl_la_SOURCES = mod_openssl.c diff --git a/src/SConscript b/src/SConscript index c2ec0f54..a518b8b5 100644 --- a/src/SConscript +++ b/src/SConscript @@ -157,6 +157,9 @@ if env['with_pgsql']: if env['with_dbi']: modules['mod_vhostdb_dbi'] = { 'src' : [ 'mod_vhostdb_dbi.c' ], 'lib' : [ env['LIBDBI'] ] } +if env['with_sasl']: + modules['mod_authn_sasl'] = { 'src' : [ 'mod_authn_sasl.c' ], 'lib' : [ env['LIBSASL'] ] } + if env['with_openssl']: modules['mod_openssl'] = { 'src' : [ 'mod_openssl.c' ], 'lib' : [ env['LIBSSL'], env['LIBCRYPTO'] ] } diff --git a/src/meson.build b/src/meson.build index 8e084edc..57b66d8f 100644 --- a/src/meson.build +++ b/src/meson.build @@ -400,6 +400,19 @@ if get_option('with_pgsql') conf_data.set('HAVE_PGSQL', true) endif +if get_option('with_sasl') + libsasl = dependency('sasl2', required: false) + if libsasl.found() + libsasl = [ libsasl2 ] + else + libsasl = [ compiler.find_library('sasl2') ] + if not(compiler.has_function('sasl_server_init', args: defs, dependencies: libsasl, prefix: '#include <sasl/sasl.h>')) + error('Couldn\'t find sasl/sasl.h or sasl_server_init in libsasl2') + endif + endif + conf_data.set('HAVE_SASL', true) +endif + #if get_option('with_valgrind') #endif @@ -799,6 +812,12 @@ if get_option('with_openssl') ] endif +if get_option('with_sasl') + modules += [ + [ 'mod_authn_sasl', [ 'mod_authn_sasl.c' ], libsasl2 ], + ] +endif + foreach mod: modules mod_name = mod.get(0) mod_sources = mod.get(1) diff --git a/src/mod_authn_sasl.c b/src/mod_authn_sasl.c new file mode 100644 index 00000000..4bfae02b --- /dev/null +++ b/src/mod_authn_sasl.c @@ -0,0 +1,283 @@ +#include "first.h" + +/* mod_authn_sasl + * + * FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS: + * - database response is not cached + * TODO: db response caching (for limited time) to reduce load on db + * (only cache successful logins to prevent cache bloat?) + * (or limit number of entries (size) of cache) + * (maybe have negative cache (limited size) of names not found in database) + * - database query is synchronous and blocks waiting for response + */ + +#include <sasl/sasl.h> + +#include "base.h" +#include "http_auth.h" +#include "log.h" +#include "plugin.h" + +#include <sys/utsname.h> +#include <errno.h> +#include <string.h> + +typedef struct { + array *opts; + const char *service; + const char *fqdn; + const buffer *pwcheck_method; + const buffer *sasldb_path; +} plugin_config; + +typedef struct { + PLUGIN_DATA; + plugin_config **config_storage; + plugin_config conf; + buffer *fqdn; + int initonce; +} plugin_data; + +static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw); + +INIT_FUNC(mod_authn_sasl_init) { + static http_auth_backend_t http_auth_backend_sasl = + { "sasl", mod_authn_sasl_basic, NULL, NULL }; + plugin_data *p = calloc(1, sizeof(*p)); + + /* register http_auth_backend_sasl */ + http_auth_backend_sasl.p_d = p; + http_auth_backend_set(&http_auth_backend_sasl); + + return p; +} + +FREE_FUNC(mod_authn_sasl_free) { + plugin_data *p = p_d; + if (!p) return HANDLER_GO_ON; + + if (p->initonce) sasl_done(); + + if (p->config_storage) { + for (size_t i = 0; i < srv->config_context->used; ++i) { + plugin_config *s = p->config_storage[i]; + if (NULL == s) continue; + array_free(s->opts); + free(s); + } + free(p->config_storage); + } + buffer_free(p->fqdn); + free(p); + UNUSED(srv); + return HANDLER_GO_ON; +} + +SETDEFAULTS_FUNC(mod_authn_sasl_set_defaults) { + plugin_data *p = p_d; + size_t i; + config_values_t cv[] = { + { "auth.backend.sasl.opts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, + { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } + }; + + p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *)); + + for (i = 0; i < srv->config_context->used; i++) { + data_config const *config = (data_config const*)srv->config_context->data[i]; + data_string *ds; + plugin_config *s = calloc(1, sizeof(plugin_config)); + s->opts = array_init(); + + cv[0].destination = s->opts; + + p->config_storage[i] = s; + + if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) { + return HANDLER_ERROR; + } + + if (0 == s->opts->used) continue; + + ds = (data_string *) + array_get_element_klen(s->opts, CONST_STR_LEN("service")); + s->service = (NULL != ds) ? ds->value->ptr : "http"; + + ds = (data_string *) + array_get_element_klen(s->opts, CONST_STR_LEN("fqdn")); + if (NULL != ds) s->fqdn = ds->value->ptr; + if (NULL == s->fqdn) { + if (NULL == p->fqdn) { + struct utsname uts; + if (0 != uname(&uts)) { + log_error_write(srv, __FILE__, __LINE__, "ss", + "uname():", strerror(errno)); + return HANDLER_ERROR; + } + p->fqdn = buffer_init_string(uts.nodename); + } + s->fqdn = p->fqdn->ptr; + } + + ds = (data_string *) + array_get_element_klen(s->opts, CONST_STR_LEN("pwcheck_method")); + if (NULL != ds) { + s->pwcheck_method = ds->value; + if (!buffer_is_equal_string(ds->value, CONST_STR_LEN("saslauthd")) + && !buffer_is_equal_string(ds->value, CONST_STR_LEN("auxprop")) + && !buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))){ + log_error_write(srv, __FILE__, __LINE__, "sb", + "sasl pwcheck_method must be one of saslauthd, " + "sasldb, or auxprop, not:", ds->value); + return HANDLER_ERROR; + } + if (buffer_is_equal_string(ds->value, CONST_STR_LEN("sasldb"))) { + /* Cyrus libsasl2 expects "auxprop" instead of "sasldb" + * (mod_authn_sasl_cb_getopt auxprop_plugin returns "sasldb") */ + buffer_copy_string_len(ds->value, CONST_STR_LEN("auxprop")); + } + } + + ds = (data_string *) + array_get_element_klen(s->opts, CONST_STR_LEN("sasldb_path")); + if (NULL != ds) s->sasldb_path = ds->value; + } + + return HANDLER_GO_ON; +} + +#define PATCH(x) \ + p->conf.x = s->x; +static int mod_authn_sasl_patch_connection(server *srv, connection *con, plugin_data *p) { + plugin_config *s = p->config_storage[0]; + PATCH(service); + PATCH(fqdn); + PATCH(pwcheck_method); + PATCH(sasldb_path); + + /* skip the first, the global context */ + for (size_t i = 1; i < srv->config_context->used; ++i) { + data_config *dc = (data_config *)srv->config_context->data[i]; + + /* condition didn't match */ + if (!config_check_cond(srv, con, dc)) continue; + + /* merge config */ + s = p->config_storage[i]; + for (size_t j = 0; j < dc->value->used; ++j) { + data_unset *du = dc->value->data[j]; + if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.sasl.opts"))) { + PATCH(service); + PATCH(fqdn); + PATCH(pwcheck_method); + PATCH(sasldb_path); + } + } + } + + return 0; +} +#undef PATCH + +static int mod_authn_sasl_cb_getopt(void *p_d, const char *plugin_name, const char *opt, const char **res, unsigned *len) { + plugin_data *p = (plugin_data *)p_d; + size_t sz; + + if (0 == strcmp(opt, "pwcheck_method")) { + if (!buffer_string_is_empty(p->conf.pwcheck_method)) { + *res = p->conf.pwcheck_method->ptr; + sz = buffer_string_length(p->conf.pwcheck_method); + } + else { /* default */ + *res = "saslauthd"; + sz = sizeof("saslauthd")-1; + } + } + else if (0 == strcmp(opt, "sasldb_path") + && !buffer_string_is_empty(p->conf.sasldb_path)) { + *res = p->conf.sasldb_path->ptr; + sz = buffer_string_length(p->conf.sasldb_path); + } + else if (0 == strcmp(opt, "auxprop_plugin")) { + *res = "sasldb"; + sz = sizeof("sasldb")-1; + } + else { + UNUSED(plugin_name); + return SASL_FAIL; + } + + if (len) *len = (unsigned int)sz; + return SASL_OK; +} + +static int mod_authn_sasl_cb_log(void *vsrv, int level, const char *message) { + switch (level) { + #if 0 + case SASL_LOG_NONE: + case SASL_LOG_NOTE: + case SASL_LOG_DEBUG: + case SASL_LOG_TRACE: + case SASL_LOG_PASS: + #endif + default: + break; + case SASL_LOG_ERR: + case SASL_LOG_FAIL: + case SASL_LOG_WARN: /* (might omit SASL_LOG_WARN if too noisy in logs) */ + log_error_write((server *)vsrv, __FILE__, __LINE__, "s", message); + break; + } + return SASL_OK; +} + +static handler_t mod_authn_sasl_query(server *srv, connection *con, void *p_d, const buffer *username, const char *realm, const char *pw) { + plugin_data *p = (plugin_data *)p_d; + sasl_conn_t *sc; + sasl_callback_t const cb[] = { + { SASL_CB_GETOPT, (int(*)())mod_authn_sasl_cb_getopt, (void *) p }, + { SASL_CB_LOG, (int(*)())mod_authn_sasl_cb_log, (void *) srv }, + { SASL_CB_LIST_END, NULL, NULL } + }; + int rc; + + mod_authn_sasl_patch_connection(srv, con, p); + + if (!p->initonce) { + /* must be done once, but after fork() if multiple lighttpd workers */ + rc = sasl_server_init(cb, NULL); + if (SASL_OK != rc) return HANDLER_ERROR; + p->initonce = 1; + } + + rc = sasl_server_new(p->conf.service, p->conf.fqdn, + realm, NULL, NULL, cb, 0, &sc); + if (SASL_OK == rc) { + rc = sasl_checkpass(sc, CONST_BUF_LEN(username), pw, strlen(pw)); + sasl_dispose(&sc); + } + + return (SASL_OK == rc) ? HANDLER_GO_ON : HANDLER_ERROR; +} + +static handler_t mod_authn_sasl_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw) { + char *realm = require->realm->ptr; + handler_t rc = mod_authn_sasl_query(srv, con, p_d, username, realm, pw); + if (HANDLER_GO_ON != rc) return rc; + return http_auth_match_rules(require, username->ptr, NULL, NULL) + ? HANDLER_GO_ON /* access granted */ + : HANDLER_ERROR; +} + +int mod_authn_sasl_plugin_init(plugin *p); +int mod_authn_sasl_plugin_init(plugin *p) { + p->version = LIGHTTPD_VERSION_ID; + p->name = buffer_init_string("authn_sasl"); + p->init = mod_authn_sasl_init; + p->set_defaults= mod_authn_sasl_set_defaults; + p->cleanup = mod_authn_sasl_free; + + p->data = NULL; + + return 0; +} |