hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move all authenticators into separate subdirectories

Browse Source
This commit is contained in:
Johan Wikman
2016-12-01 15:41:15 +02:00
parent aef6c7b099
commit 1707684992
20 changed files with 54 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
server/modules/authenticator/GSSAPI/GSSAPIBackendAuth/CMakeLists.txt Normal file
View File

@ -0,0 +1,4 @@
add_library(GSSAPIBackendAuth SHARED gssapi_backend_auth.c ../gssapi_auth_common.c)
target_link_libraries(GSSAPIBackendAuth maxscale-common ${GSSAPI_LIBS} MySQLCommon)
set_target_properties(GSSAPIBackendAuth PROPERTIES VERSION "1.0.0")
install_module(GSSAPIBackendAuth core)

309
server/modules/authenticator/GSSAPI/GSSAPIBackendAuth/gssapi_backend_auth.c Normal file
View File

@ -0,0 +1,309 @@
/*
* Copyright (c) 2016 MariaDB Corporation Ab
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file and at www.mariadb.com/bsl.
*
* Change Date: 2019-07-01
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2 or later of the General
* Public License.
*/
#include <maxscale/gw_authenticator.h>
#include <maxscale/alloc.h>
#include <maxscale/dcb.h>
#include <maxscale/log_manager.h>
#include <maxscale/protocol/mysql.h>
#include "../gssapi_auth.h"
/**
* @file gssapi_backend_auth.c - GSSAPI backend authenticator
*/
void* gssapi_backend_auth_alloc(void *instance)
{
gssapi_auth_t* rval = MXS_MALLOC(sizeof(gssapi_auth_t));
if (rval)
{
rval->state = GSSAPI_AUTH_INIT;
rval->principal_name = NULL;
rval->principal_name_len = 0;
rval->sequence = 0;
}
return rval;
}
void gssapi_backend_auth_free(void *data)
{
if (data)
{
gssapi_auth_t *auth = (gssapi_auth_t*)data;
MXS_FREE(auth->principal_name);
MXS_FREE(auth);
}
}
/**
* @brief Create a new GSSAPI token
* @param dcb Backend DCB
* @return True on success, false on error
*/
static bool send_new_auth_token(DCB *dcb)
{
bool rval = false;
OM_uint32 major = 0, minor = 0;
gss_ctx_id_t handle = NULL;
gss_buffer_desc in = {0, 0};
gss_buffer_desc out = {0, 0};
gss_buffer_desc target = {0, 0};
gss_name_t princ = GSS_C_NO_NAME;
gssapi_auth_t *auth = (gssapi_auth_t*)dcb->authenticator_data;
/** The service principal name is sent by the backend server */
target.value = auth->principal_name;
target.length = auth->principal_name_len + 1;
/** Convert the name into GSSAPI format */
major = gss_import_name(&minor, &target, GSS_C_NT_USER_NAME, &princ);
if (GSS_ERROR(major))
{
report_error(major, minor);
}
/** Request the token for the service */
major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL,
&handle, princ, GSS_C_NO_OID, 0, 0,
GSS_C_NO_CHANNEL_BINDINGS, &in, NULL, &out, 0, 0);
if (GSS_ERROR(major))
{
report_error(major, minor);
}
else
{
/** We successfully requested the token, send it to the backend server */
GWBUF *buffer = gwbuf_alloc(MYSQL_HEADER_LEN + out.length);
if (buffer)
{
uint8_t *data = (uint8_t*)GWBUF_DATA(buffer);
gw_mysql_set_byte3(data, out.length);
data += 3;
*data++ = ++auth->sequence;
memcpy(data, out.value, out.length);
if (dcb_write(dcb, buffer))
{
rval = true;
}
}
major = gss_delete_sec_context(&minor, &handle, &in);
if (GSS_ERROR(major))
{
report_error(major, minor);
}
major = gss_release_name(&minor, &princ);
if (GSS_ERROR(major))
{
report_error(major, minor);
}
}
return rval;
}
/**
* @brief Extract the principal name from the AuthSwitchRequest packet
*
* @param dcb Backend DCB
* @param buffer Buffer containing an AuthSwitchRequest packet
* @return True on success, false on error
*/
bool extract_principal_name(DCB *dcb, GWBUF *buffer)
{
bool rval = false;
size_t buflen = gwbuf_length(buffer) - MYSQL_HEADER_LEN;
uint8_t databuf[buflen];
uint8_t *data = databuf;
gssapi_auth_t *auth = (gssapi_auth_t*)dcb->authenticator_data;
/** Copy the payload and the current packet sequence number */
gwbuf_copy_data(buffer, MYSQL_HEADER_LEN, buflen, databuf);
gwbuf_copy_data(buffer, MYSQL_SEQ_OFFSET, 1, &auth->sequence);
if (databuf[0] != MYSQL_REPLY_AUTHSWITCHREQUEST)
{
/** Server responded with something we did not expect. If it's an OK packet,
* it's possible that the server authenticated us as the anonymous user. This
* means that the server is not secure. */
MXS_ERROR("Server '%s' returned an unexpected authentication response.%s",
dcb->server->unique_name, databuf[0] == MYSQL_REPLY_OK ?
" Authentication was complete before it even started, "
"anonymous users might not be disabled." : "");
return false;
}
/**
* The AuthSwitchRequest packet
*
* 0xfe - Command byte
* string[NUL] - Auth plugin name
* string[EOF] - Auth plugin data
*
* Skip over the auth plugin name and copy the service principal name stored
* in the auth plugin data section.
*/
while (*data && data < databuf + buflen)
{
data++;
}
data++;
buflen -= data - databuf;
if (buflen > 0)
{
uint8_t *principal = MXS_MALLOC(buflen + 1);
if (principal)
{
/** Store the principal name for later when we request the token
* from the GSSAPI server */
memcpy(principal, data, buflen);
principal[buflen] = '\0';
auth->principal_name = principal;
auth->principal_name_len = buflen;
rval = true;
}
}
else
{
MXS_ERROR("Backend server did not send any auth plugin data.");
}
return rval;
}
/**
* @brief Extract data from a MySQL packet
* @param dcb Backend DCB
* @param buffer Buffer containing a complete packet
* @return MXS_AUTH_INCOMPLETE if authentication is ongoing, MXS_AUTH_SUCCEEDED
* if authentication is complete and MXS_AUTH_FAILED if authentication failed.
*/
static int gssapi_backend_auth_extract(DCB *dcb, GWBUF *buffer)
{
int rval = MXS_AUTH_FAILED;
gssapi_auth_t *auth = (gssapi_auth_t*)dcb->authenticator_data;
if (auth->state == GSSAPI_AUTH_INIT && extract_principal_name(dcb, buffer))
{
rval = MXS_AUTH_INCOMPLETE;
}
else if (auth->state == GSSAPI_AUTH_DATA_SENT)
{
/** Read authentication response */
if (mxs_mysql_is_ok_packet(buffer))
{
auth->state = GSSAPI_AUTH_OK;
rval = MXS_AUTH_SUCCEEDED;
}
}
return rval;
}
/**
* @brief Check whether the DCB supports SSL
* @param dcb Backend DCB
* @return True if DCB supports SSL
*/
static bool gssapi_backend_auth_connectssl(DCB *dcb)
{
return dcb->server->server_ssl != NULL;
}
/**
* @brief Authenticate the backend connection
* @param dcb Backend DCB
* @return MXS_AUTH_INCOMPLETE if authentication is ongoing, MXS_AUTH_SUCCEEDED
* if authentication is complete and MXS_AUTH_FAILED if authentication failed.
*/
static int gssapi_backend_auth_authenticate(DCB *dcb)
{
int rval = MXS_AUTH_FAILED;
gssapi_auth_t *auth = (gssapi_auth_t*)dcb->authenticator_data;
if (auth->state == GSSAPI_AUTH_INIT)
{
if (send_new_auth_token(dcb))
{
rval = MXS_AUTH_INCOMPLETE;
auth->state = GSSAPI_AUTH_DATA_SENT;
}
}
else if (auth->state == GSSAPI_AUTH_OK)
{
rval = MXS_AUTH_SUCCEEDED;
}
return rval;
}
/**
* Implementation of the authenticator module interface
*/
static GWAUTHENTICATOR MyObject =
{
NULL, /* No initialize entry point */
gssapi_backend_auth_alloc, /* Allocate authenticator data */
gssapi_backend_auth_extract, /* Extract data into structure */
gssapi_backend_auth_connectssl, /* Check if client supports SSL */
gssapi_backend_auth_authenticate, /* Authenticate user credentials */
NULL, /* Client plugin will free shared data */
gssapi_backend_auth_free, /* Free authenticator data */
NULL /* Load users from backend databases */
};
MODULE_INFO info =
{
MODULE_API_AUTHENTICATOR,
MODULE_GA,
GWAUTHENTICATOR_VERSION,
"GSSAPI backend authenticator"
};
static char *version_str = "V1.0.0";
/**
* Version string entry point
*/
char* version()
{
return version_str;
}
/**
* Module initialization entry point
*/
void ModuleInit()
{
}
/**
* Module handle entry point
*/
GWAUTHENTICATOR* GetModuleObject()
{
return &MyObject;
}