MXS-1662 Move PAM authentication function into maxbase

The same code can be used for REST-API authentication.
2019-04-04 13:59:39 +03:00 · 2019-04-04 13:59:39 +03:00 · 74634abc80
commit 74634abc80
parent ffd2d80ea0
7 changed files with 239 additions and 158 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -45,6 +45,7 @@ find_package(SQLite)
 find_package(ASAN)
 find_package(TSAN)
 find_package(CURL)
+find_package(PAM)

 # Build PCRE2 so we always know the version
 # Read BuildPCRE2 for details about how to add pcre2 as a dependency to a target
--- a/maxutils/maxbase/include/maxbase/pam_utils.hh
+++ b/maxutils/maxbase/include/maxbase/pam_utils.hh
@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2018 MariaDB Corporation Ab
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file and at www.mariadb.com/bsl11.
+ *
+ * Change Date: 2022-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2 or later of the General
+ * Public License.
+ */
+#pragma once
+
+#include <maxbase/ccdefs.hh>
+#include <string>
+
+namespace maxbase
+{
+    class PamResult
+    {
+    public:
+        enum class Result
+        {
+            SUCCESS,
+            WRONG_USER_PW,      /**< Username or password was wrong */
+            ACCOUNT_INVALID,    /**< pam_acct_mgmt returned error */
+            MISC_ERROR          /**< Miscellaneous error */
+        };
+
+        Result      type {Result::MISC_ERROR};
+        std::string error;
+    };
+
+    /**
+     * Check if the user & password can log into the given PAM service. This function will block until the
+     * operation completes.
+     *
+     * @param user Username
+     * @param password Password
+     * @param service Which PAM service is the user logging to
+     * @param expected_msg The first expected message from the PAM authentication system.
+     * Typically "Password: ", which is also the default value. If set to empty, the message is not checked.
+     * @return A result struct with the result and an error message.
+     */
+    PamResult pam_authenticate(const std::string& user, const std::string& password,
+                               const std::string& service, const std::string& expected_msg = "Password: ");
+}
--- a/maxutils/maxbase/src/CMakeLists.txt
+++ b/maxutils/maxbase/src/CMakeLists.txt
@ -8,6 +8,7 @@ add_library(maxbase STATIC
  logger.cc
  maxbase.cc
  messagequeue.cc
+  pam_utils.cc
  semaphore.cc
  stopwatch.cc
  string.cc
@ -23,7 +24,5 @@ target_link_libraries(maxbase systemd)
 endif()

 set_target_properties(maxbase PROPERTIES VERSION "1.0.0" LINK_FLAGS -Wl,-z,defs)
-target_link_libraries(maxbase
-  ${CURL_LIBRARIES}
-)
+target_link_libraries(maxbase ${CURL_LIBRARIES} ${PAM_LIBRARIES})
 add_subdirectory(test)
--- a/maxutils/maxbase/src/pam_utils.cc
+++ b/maxutils/maxbase/src/pam_utils.cc
@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 2019 MariaDB Corporation Ab
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file and at www.mariadb.com/bsl11.
+ *
+ * Change Date: 2025-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2 or later of the General
+ * Public License.
+ */
+
+#include <maxbase/pam_utils.hh>
+
+#include <security/pam_appl.h>
+#include <maxbase/alloc.h>
+#include <maxbase/log.hh>
+#include <maxbase/format.hh>
+
+using std::string;
+
+namespace
+{
+
+const char GENERAL_ERRMSG[] = "Only simple password-based PAM authentication with one call "
+                              "to the conversation function is supported.";
+
+/** Used by the PAM conversation function */
+class ConversationData
+{
+public:
+    string m_client;
+    string m_password;
+    int m_counter {0};
+    string m_expected_msg;
+
+    ConversationData(const string& client, const string& password, const string& expected_msg)
+        : m_client(client)
+        , m_password(password)
+        , m_expected_msg(expected_msg)
+    {
+    }
+};
+
+/**
+ * PAM conversation function. The implementation "cheats" by not actually doing
+ * I/O with the client. This should only be called once per client when
+ * authenticating. See
+ * http://www.linux-pam.org/Linux-PAM-html/adg-interface-of-app-expected.html#adg-pam_conv
+ * for more information.
+ */
+int conversation_func(int num_msg,
+                      const struct pam_message** msg,
+                      struct pam_response** resp_out,
+                      void* appdata_ptr)
+{
+    MXB_DEBUG("Entering PAM conversation function.");
+    int rval = PAM_CONV_ERR;
+    ConversationData* data = static_cast<ConversationData*>(appdata_ptr);
+    if (data->m_counter > 1)
+    {
+        MXB_ERROR("Multiple calls to conversation function for client '%s'. %s",
+                  data->m_client.c_str(), GENERAL_ERRMSG);
+    }
+    else if (num_msg == 1)
+    {
+        pam_message first = *msg[0];
+        // Check that the first message from the PAM system is as expected.
+        if ((first.msg_style == PAM_PROMPT_ECHO_OFF || first.msg_style == PAM_PROMPT_ECHO_ON)
+            && (data->m_expected_msg.empty() || data->m_expected_msg == first.msg))
+        {
+            pam_response* response = static_cast<pam_response*>(MXS_MALLOC(sizeof(pam_response)));
+            if (response)
+            {
+                response->resp_retcode = 0;
+                response->resp = MXS_STRDUP(data->m_password.c_str());
+                *resp_out = response;
+                rval = PAM_SUCCESS;
+            }
+        }
+        else
+        {
+            MXB_ERROR("Unexpected PAM message: type='%d', contents='%s'", first.msg_style, first.msg);
+        }
+    }
+    else
+    {
+        MXB_ERROR("Conversation function received '%d' messages from API. Only singular messages are "
+                  "supported.", num_msg);
+    }
+    data->m_counter++;
+    return rval;
+}
+
+}
+
+namespace maxbase
+{
+
+PamResult pam_authenticate(const string& user, const string& password, const string& service,
+                           const string& expected_msg)
+{
+    const char PAM_START_ERR_MSG[] = "Failed to start PAM authentication for user '%s': '%s'.";
+    const char PAM_AUTH_ERR_MSG[] = "PAM authentication for user '%s' failed: '%s'.";
+    const char PAM_ACC_ERR_MSG[] = "PAM account check for user '%s' failed: '%s'.";
+
+    ConversationData appdata(user, password, expected_msg);
+    pam_conv conv_struct = {conversation_func, &appdata};
+
+    PamResult result;
+    bool authenticated = false;
+    pam_handle_t* pam_handle = NULL;
+
+    int pam_status = pam_start(service.c_str(), user.c_str(), &conv_struct, &pam_handle);
+    if (pam_status == PAM_SUCCESS)
+    {
+        pam_status = pam_authenticate(pam_handle, 0);
+        switch (pam_status)
+        {
+            case PAM_SUCCESS:
+                authenticated = true;
+                MXB_DEBUG("pam_authenticate returned success.");
+                break;
+
+            case PAM_USER_UNKNOWN:
+            case PAM_AUTH_ERR:
+                // Normal failure, username or password was wrong.
+                result.type = PamResult::Result::WRONG_USER_PW;
+                result.error = mxb::string_printf(PAM_AUTH_ERR_MSG,
+                                                  user.c_str(), pam_strerror(pam_handle, pam_status));
+                break;
+
+            default:
+                // More exotic error
+                result.type = PamResult::Result::MISC_ERROR;
+                result.error = mxb::string_printf(PAM_AUTH_ERR_MSG,
+                                                  user.c_str(), pam_strerror(pam_handle, pam_status));
+                break;
+        }
+    }
+    else
+    {
+        result.type = PamResult::Result::MISC_ERROR;
+        result.error = mxb::string_printf(PAM_START_ERR_MSG,
+                                          user.c_str(), pam_strerror(pam_handle, pam_status));
+    }
+
+    if (authenticated)
+    {
+        pam_status = pam_acct_mgmt(pam_handle, 0);
+        switch (pam_status)
+        {
+            case PAM_SUCCESS:
+                result.type = PamResult::Result::SUCCESS;
+                break;
+
+            default:
+                // Credentials have already been checked to be ok, so this is a somewhat unexpected error.
+                result.type = PamResult::Result::ACCOUNT_INVALID;
+                result.error = mxb::string_printf(PAM_ACC_ERR_MSG,
+                                                  user.c_str(), pam_strerror(pam_handle, pam_status));
+                break;
+        }
+    }
+    pam_end(pam_handle, pam_status);
+    return result;
+}
+
+}
--- a/server/modules/authenticator/PAM/CMakeLists.txt
+++ b/server/modules/authenticator/PAM/CMakeLists.txt
@ -1,8 +1,3 @@
-find_package(PAM)
-if (PAM_FOUND AND SQLITE_FOUND)
-    include_directories(${SQLITE_INCLUDE_DIR})
-    add_subdirectory(PAMAuth)
-    add_subdirectory(PAMBackendAuth)
-else()
-    message(STATUS "No PAM libraries or SQLite found, not building PAM authenticator.")
-endif()
+include_directories(${SQLITE_INCLUDE_DIR})
+add_subdirectory(PAMAuth)
+add_subdirectory(PAMBackendAuth)
--- a/server/modules/authenticator/PAM/PAMAuth/CMakeLists.txt
+++ b/server/modules/authenticator/PAM/PAMAuth/CMakeLists.txt
@ -1,4 +1,4 @@
 add_library(pamauth SHARED pam_auth.cc ../pam_auth_common.cc pam_client_session.cc pam_instance.cc)
-target_link_libraries(pamauth maxscale-common ${PAM_LIBRARIES} ${SQLITE_LIBRARIES} mysqlcommon)
+target_link_libraries(pamauth maxscale-common ${SQLITE_LIBRARIES} mysqlcommon)
 set_target_properties(pamauth PROPERTIES VERSION "1.0.0" LINK_FLAGS -Wl,-z,defs)
 install_module(pamauth core)
--- a/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
+++ b/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
@ -14,7 +14,7 @@
 #include "pam_client_session.hh"

 #include <sstream>
-#include <security/pam_appl.h>
+#include <maxbase/pam_utils.hh>
 #include <maxscale/event.hh>

 using maxscale::Buffer;
@ -75,145 +75,6 @@ int user_services_cb(void* data, int columns, char** column_vals, char** column_
    return 0;
 }

-/** Used by the PAM conversation function */
-struct ConversationData
-{
-    DCB*   m_client;
-    int    m_counter;
-    string m_password;
-
-    ConversationData(DCB* client, int counter, const string& password)
-        : m_client(client)
-        , m_counter(counter)
-        , m_password(password)
-    {
-    }
-};
-
-/**
- * PAM conversation function. The implementation "cheats" by not actually doing
- * I/O with the client. This should only be called once per client when
- * authenticating. See
- * http://www.linux-pam.org/Linux-PAM-html/adg-interface-of-app-expected.html#adg-pam_conv
- * for more information.
- */
-int conversation_func(int num_msg,
-                      const struct pam_message** msg,
-                      struct pam_response** resp_out,
-                      void* appdata_ptr)
-{
-    MXS_DEBUG("Entering PAM conversation function.");
-    int rval = PAM_CONV_ERR;
-    ConversationData* data = static_cast<ConversationData*>(appdata_ptr);
-    if (data->m_counter > 1)
-    {
-        MXS_ERROR("Multiple calls to conversation function for client '%s'. %s",
-                  data->m_client->user,
-                  GENERAL_ERRMSG);
-    }
-    else if (num_msg == 1)
-    {
-        pam_message first = *msg[0];
-        if ((first.msg_style != PAM_PROMPT_ECHO_OFF && first.msg_style != PAM_PROMPT_ECHO_ON)
-            || PASSWORD != first.msg)
-        {
-            MXS_ERROR("Unexpected PAM message: type='%d', contents='%s'",
-                      first.msg_style,
-                      first.msg);
-        }
-        else
-        {
-            pam_response* response = static_cast<pam_response*>(MXS_MALLOC(sizeof(pam_response)));
-            if (response)
-            {
-                response->resp_retcode = 0;
-                response->resp = MXS_STRDUP(data->m_password.c_str());
-                *resp_out = response;
-                rval = PAM_SUCCESS;
-            }
-        }
-    }
-    else
-    {
-        MXS_ERROR("Conversation function received '%d' messages from API. Only "
-                  "singular messages are supported.",
-                  num_msg);
-    }
-    data->m_counter++;
-    return rval;
-}
-
-/**
- * @brief Check if the client password is correct for the service
- *
- * @param user Username
- * @param password Password
- * @param service Which PAM service is the user logging to
- * @param client Client DCB
- * @return True if username & password are ok
- */
-bool validate_pam_password(const string& user, const string& password, const string& service, DCB* client)
-{
-    const char PAM_START_ERR_MSG[] = "Failed to start PAM authentication for user '%s': '%s'.";
-    const char PAM_AUTH_ERR_MSG[] = "Pam authentication for user '%s' failed: '%s'.";
-    const char PAM_ACC_ERR_MSG[] = "Pam account check for user '%s' failed: '%s'.";
-    ConversationData appdata(client, 0, password);
-    pam_conv conv_struct = {conversation_func, &appdata};
-    bool authenticated = false;
-    bool account_ok = false;
-    pam_handle_t* pam_handle = NULL;
-    int pam_status = pam_start(service.c_str(), user.c_str(), &conv_struct, &pam_handle);
-    if (pam_status == PAM_SUCCESS)
-    {
-        pam_status = pam_authenticate(pam_handle, 0);
-        switch (pam_status)
-        {
-        case PAM_SUCCESS:
-            authenticated = true;
-            MXS_DEBUG("pam_authenticate returned success.");
-            break;
-
-        case PAM_USER_UNKNOWN:
-        case PAM_AUTH_ERR:
-            // Normal failure, username or password was wrong.
-            MXS_LOG_EVENT(maxscale::event::AUTHENTICATION_FAILURE,
-                          PAM_AUTH_ERR_MSG,
-                          user.c_str(),
-                          pam_strerror(pam_handle, pam_status));
-            break;
-
-        default:
-            // More exotic error
-            MXS_LOG_EVENT(maxscale::event::AUTHENTICATION_FAILURE,
-                          PAM_AUTH_ERR_MSG,
-                          user.c_str(),
-                          pam_strerror(pam_handle, pam_status));
-            break;
-        }
-    }
-    else
-    {
-        MXS_ERROR(PAM_START_ERR_MSG, user.c_str(), pam_strerror(pam_handle, pam_status));
-    }
-
-    if (authenticated)
-    {
-        pam_status = pam_acct_mgmt(pam_handle, 0);
-        switch (pam_status)
-        {
-        case PAM_SUCCESS:
-            account_ok = true;
-            break;
-
-        default:
-            // Credentials have already been checked to be ok, so this is again a bit of an exotic error.
-            MXS_ERROR(PAM_ACC_ERR_MSG, user.c_str(), pam_strerror(pam_handle, pam_status));
-            break;
-        }
-    }
-    pam_end(pam_handle, pam_status);
-    return account_ok;
-}
 }

 PamClientSession::PamClientSession(sqlite3* dbhandle, const PamInstance& instance)
@ -404,20 +265,27 @@ int PamClientSession::authenticate(DCB* dcb)
                    }
                    if (try_validate)
                    {
-                        for (StringVector::iterator iter = services.begin();
-                             iter != services.end() && !authenticated;
-                             iter++)
+                        for (auto iter = services.begin(); iter != services.end() && !authenticated; ++iter)
                        {
+                            string service = *iter;
                            // The server PAM plugin uses "mysql" as the default service when authenticating
                            // a user with no service.
-                            if (iter->empty())
+                            if (service.empty())
                            {
-                                *iter = "mysql";
+                                service = "mysql";
                            }
-                            if (validate_pam_password(ses->user, password, *iter, dcb))
+
+                            mxb::PamResult res = mxb::pam_authenticate(ses->user, password, service,
+                                                                       PASSWORD);
+                            if (res.type == mxb::PamResult::Result::SUCCESS)
                            {
                                authenticated = true;
                            }
+                            else
+                            {
+                                MXS_LOG_EVENT(maxscale::event::AUTHENTICATION_FAILURE, "%s",
+                                              res.error.c_str());
+                            }
                        }
                    }
                }