MXS-1220: Add HTTP BA authentication

The admin interface now supports Basic Access authentication. This is not
a secure method of authentication and it should not be used without
unencrypted connections.

Made the admin interface port, authentication, username and password
configurable.

server/core/admin.cc

@@ -21,15 +21,12 @@
 #include <maxscale/debug.h>
 #include <maxscale/thread.h>
 #include <maxscale/utils.h>
+#include <maxscale/config.h>
+#include <maxscale/hk_heartbeat.h>
 
 #include "maxscale/admin.hh"
-#include "maxscale/hk_heartbeat.h"
 #include "maxscale/resource.hh"
 
-#define DEFAULT_ADMIN_HOST "127.0.0.1"
-#define DEFAULT_ADMIN_PORT 8080
-#define DEFAULT_ADMIN_AUTH HTTP_AUTH_NONE
-
 static struct MHD_Daemon* http_daemon = NULL;
 
 int handle_client(void *cls,
@@ -42,6 +39,26 @@ int handle_client(void *cls,
                   void **con_cls)
 
 {
+    const char *admin_user = config_get_global_options()->admin_user;
+    const char *admin_pw = config_get_global_options()->admin_password;
+    bool admin_auth = config_get_global_options()->admin_auth;
+
+    char* pw = NULL;
+    char* user = MHD_basic_auth_get_username_password(connection, &pw);
+
+    if (admin_auth && (!user || !pw || strcmp(user, admin_user) || strcmp(pw, admin_pw)))
+    {
+        static char error_resp[] = "Access denied\r\n";
+        struct MHD_Response *resp;
+
+        resp = MHD_create_response_from_buffer(sizeof (error_resp) - 1, error_resp,
+                                               MHD_RESPMEM_PERSISTENT);
+
+        MHD_queue_basic_auth_fail_response(connection, "maxscale", resp);
+        MHD_destroy_response(resp);
+        return MHD_YES;
+    }
+
     string verb(method);
     json_t* json = NULL;
 
@@ -77,8 +94,10 @@ int handle_client(void *cls,
 bool mxs_admin_init()
 {
     http_daemon = MHD_start_daemon(MHD_USE_EPOLL_INTERNALLY | MHD_USE_DUAL_STACK,
-                                   DEFAULT_ADMIN_PORT, NULL, NULL,
-                                   handle_client, NULL, MHD_OPTION_END);
+                                   config_get_global_options()->admin_port,
+                                   NULL, NULL,
+                                   handle_client, NULL,
+                                   MHD_OPTION_END);
     return http_daemon != NULL;
 
 }

server/core/adminusers.cc

@@ -62,9 +62,6 @@ static const int LINELEN = 80;
 static const char LINUX_USERS_FILE_NAME[] = "maxadmin-users";
 static const char INET_USERS_FILE_NAME[]  = "passwd";
 
-static const char INET_DEFAULT_USERNAME[] = "admin";
-static const char INET_DEFAULT_PASSWORD[] = "mariadb";
-
 /**
  * Admin Users initialisation
  */

server/core/config.cc

@@ -59,6 +59,7 @@
 #include <set>
 #include <string>
 
+#include <maxscale/adminusers.h>
 #include <maxscale/alloc.h>
 #include <maxscale/housekeeper.h>
 #include <maxscale/limits.h>
@@ -1458,6 +1459,22 @@ handle_global_item(const char *name, const char *value)
             MXS_FREE(v);
         }
     }
+    else if (strcmp(name, "admin_user") == 0)
+    {
+        strcpy(gateway.admin_user, value);
+    }
+    else if (strcmp(name, "admin_password") == 0)
+    {
+        strcpy(gateway.admin_password, value);
+    }
+    else if (strcmp(name, "admin_port") == 0)
+    {
+        gateway.admin_port = atoi(value);
+    }
+    else if (strcmp(name, "admin_auth") == 0)
+    {
+        gateway.admin_auth = config_truth_value(value);
+    }
     else
     {
         for (i = 0; lognames[i].name; i++)
@@ -1678,6 +1695,11 @@ global_defaults()
     gateway.auth_read_timeout = DEFAULT_AUTH_READ_TIMEOUT;
     gateway.auth_write_timeout = DEFAULT_AUTH_WRITE_TIMEOUT;
     gateway.skip_permission_checks = false;
+    gateway.admin_port = DEFAULT_ADMIN_HTTP_PORT;
+    gateway.admin_auth = false;
+    strcpy(gateway.admin_user, INET_DEFAULT_USERNAME);
+    strcpy(gateway.admin_password, INET_DEFAULT_PASSWORD);
+
     if (version_string != NULL)
     {
         gateway.version_string = MXS_STRDUP_A(version_string);