author | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-12-16 14:58:07 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-12-16 14:58:07 +0200 |
commit | 6bb908898b833ec69c66e918de732af5bad68934 (patch) | |
tree | dd715a052f67849d38aedaa25eafa93241e938df /src/ctl.c | |
parent | 9cb7455b12462a3679ed5208540793d802570481 (diff) | |
download | pies-6bb908898b833ec69c66e918de732af5bad68934.tar.gz pies-6bb908898b833ec69c66e918de732af5bad68934.tar.bz2 |
Implement authentication on control socket.
* Makefile.am (SUBDIRS): Add src.
* configure.ac: Check for crypt.h and PAM
Build ident/Makefile
* grecs: Update.
* ident/Makefile.am: New file.
* ident/ident.c: New file.
* ident/ident.h: New file.
* ident/identity.h: New file.
* ident/pam.c: New file.
* ident/provider.c: New file.
* ident/system.c: New file.
* lib/Makefile.am: Add arraymember.c
* lib/arraymember.c: New file.
* lib/libpies.h (is_array_member): New proto.
* src/Makefile.am (LDADD): Add libident.a and @PAM_LIBS@
* src/acl.c (acl_entry): Remove groups. Add new members:
names and name_match.
(pies_acl_create): Deep copy the locus.
Set free_entry function for the list.
(pies_acl_free): Free locus.
(_parse_from): Set free_entry function for the list.
(_parse_group): Parse the "user" construct.
(parse_acl_line): Deep copy the locus.
Allow for null value.
(acl_keywords): Update docstrings.
(_acl_check): Rewrite identity checks.
* src/acl.h (acl_input)<user,groups>: Remove.
<identity>: New member.
(pies_acl_free): New proto.
* src/ctl.c (identity): New global.
(cmdtab): New command: auth
(ctlio) <addr,addrlen>: New members.
(ctlio_create): Start from authenticated state
only if no identity_providers are configured.
(cmd_auth): New function.
(cmd_help): Print only commands that are available
in the current state.
(ctl_accept): Initialize io->addr and io->addrlen.
* src/inetd-bi.c: Change call to check_acl
* src/pies.c: Include identity.h
(control_keywords): New statement "identity-acl"
(pies_keywords): New statement "identity-provider"
(config_init): Register identity mechanisms.
(config_parse): New function.
(config_help): Print help on identity-provider
statements.
(main): Use config_parse to parse grecs-style configurations.
* src/pies.h: Include identity.h
(check_acl): Change argument list. All callers changed.
(control): Remove acl. Add conn_acl and id_acl instead.
* src/progman.c (check_acl): Change argument list. Take
identity as the 3rd argument.
Diffstat (limited to 'src/ctl.c')
-rw-r--r-- | src/ctl.c | 68 |
1 files changed, 63 insertions, 5 deletions
@@ -19,2 +19,3 @@
 #include "xvasprintf.h"
+#include "identity.h"
@@ -24,2 +25,4 @@ struct control control;
+pies_identity_t identity;
+
@@ -109,2 +112,3 @@ struct ctlio;
+static void cmd_auth (struct ctlio *, size_t, char **);
 static void cmd_quit (struct ctlio *, size_t, char **);
@@ -131,2 +135,4 @@ struct ctlio_command
 static struct ctlio_command cmdtab[] = {
+ { "auth", "authenticate",
+ CTL_INITIAL_STATE, 3, 3, cmd_auth },
 { "noop", "no operation",
@@ -169,2 +175,4 @@ struct ctlio
 {
+ union pies_sockaddr_storage addr;
+ socklen_t addrlen;
 int state;
@@ -183,3 +191,4 @@ ctlio_create (void)
 io = xmalloc (sizeof (*io));
- io->state = CTL_AUTHENTICATED_STATE; //FIXME CTL_INITIAL_STATE;
+ io->state = identity_provider_list
+ ? CTL_INITIAL_STATE : CTL_AUTHENTICATED_STATE;
 io->action = ACTION_CONT;
@@ -310,3 +319,2 @@ ctlio_initial_reply (struct ctlio *io)
 ctlio_printf (io, "220 %s", instance);
- ctlio_printf (io, " <%s>", "foobarbaz"); //FIXME: auth mechanisms 
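Review bot: `pies_identity_t identity` in the second hunk is a single file-scope global, while the session state it belongs to (`struct ctlio`, which this commit extends with per-connection `addr` and `addrlen`) is allocated per connection in ctlio_create. If the control socket can serve more than one session at a time, an identity established by one session's cmd_auth (the hunk on the next line, `identity = id;`) is visible to the other sessions and is silently overwritten by the next successful auth, and nothing in this diff destroys it when a session ends. Consider moving it into `struct ctlio` next to `addr`, assigning `io->identity = id;` in cmd_auth, and calling pies_identity_destroy on it where the ctlio is freed; that freeing code is outside these hunks.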
@@ -316,2 +324,47 @@ ctlio_initial_reply (struct ctlio *io)
 static void
+cmd_auth (struct ctlio *io, size_t argc, char **argv)
+{
+ struct grecs_list_entry *ep;
+ pies_identity_t id = pies_identity_create (argv[1]);
+ int auth = 0;
+
+ for (ep = identity_provider_list->head; ep; ep = ep->next)
+ {
+ pies_identity_provider_t provider = ep->data;
+ char const *pname = pies_identity_provider_name (provider);
+
+ debug(1, ("trying %s...", pname));
+ if (pies_authenticate (provider, id, argv[2]) == 0)
+ {
+ if (check_acl (control.id_acl,
+ (struct sockaddr *)&io->addr, io->addrlen, id))
+ {
+ logmsg (LOG_AUTH, "%s authenticated via %s, but failed ACL check",
+ argv[1], pname);
+ auth = 0;
+ }
+ else
+ {
+ logmsg (LOG_AUTH, "%s authenticated via %s",
+ argv[1], pname);
+ auth = 1;
+ }
+ break;
+ }
+ }
+
+ if (auth)
+ {
+ ctlio_reply (io, "230", "authentication successful");
+ identity = id;
+ io->state = CTL_AUTHENTICATED_STATE;
+ }
+ else
+ {
+ pies_identity_destroy (id);
+ ctlio_reply (io, "531", "access denied");
+ }
+}
+
+static void
 cmd_noop (struct ctlio *io, size_t argc, char **argv)
@@ -349,4 +402,7 @@ cmd_help (struct ctlio *io, size_t argc, char **argv)
 {
- ctlio_printf (io, "%-9s%s", cp->verb, cp->descr);
- ctlio_eol (io);
+ if (cp->states & io->state)
+ {
+ ctlio_printf (io, "%-9s%s", cp->verb, cp->descr);
+ ctlio_eol (io);
+ }
 }
@@ -1002,3 +1058,3 @@ ctl_accept (int socket, void *data)
- if (check_acl (control.acl, (struct sockaddr *)&addr, addrlen))
+ if (check_acl (control.conn_acl, (struct sockaddr *)&addr, addrlen, NULL))
 {
@@ -1010,2 +1066,4 @@ ctl_accept (int socket, void *data)
 io = ctlio_create ();
+ io->addr = addr;
+ io->addrlen = addrlen;
 ctlio_initial_reply (io); |
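Review bot: In cmd_auth the final `else` branch replies "531 access denied" without logging, so a wrong password or an unknown user leaves no trace while the ACL-rejection path above it does; add `logmsg (LOG_AUTH, "authentication failed for %s", argv[1]);` before `pies_identity_destroy (id);` so repeated failures are visible to whoever watches the log. The dereference `identity_provider_list->head` relies on ctlio_create choosing CTL_INITIAL_STATE only when the list is non-NULL, which deserves a one-line comment above the loop: `/* Reachable only in CTL_INITIAL_STATE, i.e. when identity_provider_list != NULL.  */`. The `auth = 0;` in the ACL-failure branch is redundant, since `auth` is still 0 at that point. Nothing in this hunk bounds how many auth attempts a session may make while it stays in CTL_INITIAL_STATE; if that is not enforced by the surrounding command loop, which is outside the hunk, this is the place to do it.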