From 74634abc80c3f0dbeefac18ccfc1f11e2bad138c Mon Sep 17 00:00:00 2001 From: Esa Korhonen Date: Thu, 4 Apr 2019 13:59:39 +0300 Subject: [PATCH] MXS-1662 Move PAM authentication function into maxbase The same code can be used for REST-API authentication. --- CMakeLists.txt | 1 + maxutils/maxbase/include/maxbase/pam_utils.hh | 48 +++++ maxutils/maxbase/src/CMakeLists.txt | 5 +- maxutils/maxbase/src/pam_utils.cc | 170 ++++++++++++++++++ .../modules/authenticator/PAM/CMakeLists.txt | 11 +- .../authenticator/PAM/PAMAuth/CMakeLists.txt | 2 +- .../PAM/PAMAuth/pam_client_session.cc | 160 ++--------------- 7 files changed, 239 insertions(+), 158 deletions(-) create mode 100644 maxutils/maxbase/include/maxbase/pam_utils.hh create mode 100644 maxutils/maxbase/src/pam_utils.cc diff --git a/CMakeLists.txt b/CMakeLists.txt index f7b4f7b1e..9514b8d22 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -45,6 +45,7 @@ find_package(SQLite) find_package(ASAN) find_package(TSAN) find_package(CURL) +find_package(PAM) # Build PCRE2 so we always know the version # Read BuildPCRE2 for details about how to add pcre2 as a dependency to a target diff --git a/maxutils/maxbase/include/maxbase/pam_utils.hh b/maxutils/maxbase/include/maxbase/pam_utils.hh new file mode 100644 index 000000000..9b007a3fb --- /dev/null +++ b/maxutils/maxbase/include/maxbase/pam_utils.hh @@ -0,0 +1,48 @@ +/* + * Copyright (c) 2018 MariaDB Corporation Ab + * + * Use of this software is governed by the Business Source License included + * in the LICENSE.TXT file and at www.mariadb.com/bsl11. + * + * Change Date: 2022-01-01 + * + * On the date above, in accordance with the Business Source License, use + * of this software will be governed by version 2 or later of the General + * Public License. + */ +#pragma once + +#include +#include + +namespace maxbase +{ + class PamResult + { + public: + enum class Result + { + SUCCESS, + WRONG_USER_PW, /**< Username or password was wrong */ + ACCOUNT_INVALID, /**< pam_acct_mgmt returned error */ + MISC_ERROR /**< Miscellaneous error */ + }; + + Result type {Result::MISC_ERROR}; + std::string error; + }; + + /** + * Check if the user & password can log into the given PAM service. This function will block until the + * operation completes. + * + * @param user Username + * @param password Password + * @param service Which PAM service is the user logging to + * @param expected_msg The first expected message from the PAM authentication system. + * Typically "Password: ", which is also the default value. If set to empty, the message is not checked. + * @return A result struct with the result and an error message. + */ + PamResult pam_authenticate(const std::string& user, const std::string& password, + const std::string& service, const std::string& expected_msg = "Password: "); +} diff --git a/maxutils/maxbase/src/CMakeLists.txt b/maxutils/maxbase/src/CMakeLists.txt index 42303c82a..835209e10 100644 --- a/maxutils/maxbase/src/CMakeLists.txt +++ b/maxutils/maxbase/src/CMakeLists.txt @@ -8,6 +8,7 @@ add_library(maxbase STATIC logger.cc maxbase.cc messagequeue.cc + pam_utils.cc semaphore.cc stopwatch.cc string.cc @@ -23,7 +24,5 @@ target_link_libraries(maxbase systemd) endif() set_target_properties(maxbase PROPERTIES VERSION "1.0.0" LINK_FLAGS -Wl,-z,defs) -target_link_libraries(maxbase - ${CURL_LIBRARIES} -) +target_link_libraries(maxbase ${CURL_LIBRARIES} ${PAM_LIBRARIES}) add_subdirectory(test) diff --git a/maxutils/maxbase/src/pam_utils.cc b/maxutils/maxbase/src/pam_utils.cc new file mode 100644 index 000000000..ce851f09b --- /dev/null +++ b/maxutils/maxbase/src/pam_utils.cc @@ -0,0 +1,170 @@ +/* + * Copyright (c) 2019 MariaDB Corporation Ab + * + * Use of this software is governed by the Business Source License included + * in the LICENSE.TXT file and at www.mariadb.com/bsl11. + * + * Change Date: 2025-01-01 + * + * On the date above, in accordance with the Business Source License, use + * of this software will be governed by version 2 or later of the General + * Public License. + */ + +#include + +#include +#include +#include +#include + +using std::string; + +namespace +{ + +const char GENERAL_ERRMSG[] = "Only simple password-based PAM authentication with one call " + "to the conversation function is supported."; + +/** Used by the PAM conversation function */ +class ConversationData +{ +public: + string m_client; + string m_password; + int m_counter {0}; + string m_expected_msg; + + ConversationData(const string& client, const string& password, const string& expected_msg) + : m_client(client) + , m_password(password) + , m_expected_msg(expected_msg) + { + } +}; + +/** + * PAM conversation function. The implementation "cheats" by not actually doing + * I/O with the client. This should only be called once per client when + * authenticating. See + * http://www.linux-pam.org/Linux-PAM-html/adg-interface-of-app-expected.html#adg-pam_conv + * for more information. + */ +int conversation_func(int num_msg, + const struct pam_message** msg, + struct pam_response** resp_out, + void* appdata_ptr) +{ + MXB_DEBUG("Entering PAM conversation function."); + int rval = PAM_CONV_ERR; + ConversationData* data = static_cast(appdata_ptr); + if (data->m_counter > 1) + { + MXB_ERROR("Multiple calls to conversation function for client '%s'. %s", + data->m_client.c_str(), GENERAL_ERRMSG); + } + else if (num_msg == 1) + { + pam_message first = *msg[0]; + // Check that the first message from the PAM system is as expected. + if ((first.msg_style == PAM_PROMPT_ECHO_OFF || first.msg_style == PAM_PROMPT_ECHO_ON) + && (data->m_expected_msg.empty() || data->m_expected_msg == first.msg)) + { + pam_response* response = static_cast(MXS_MALLOC(sizeof(pam_response))); + if (response) + { + response->resp_retcode = 0; + response->resp = MXS_STRDUP(data->m_password.c_str()); + *resp_out = response; + rval = PAM_SUCCESS; + } + } + else + { + MXB_ERROR("Unexpected PAM message: type='%d', contents='%s'", first.msg_style, first.msg); + } + } + else + { + MXB_ERROR("Conversation function received '%d' messages from API. Only singular messages are " + "supported.", num_msg); + } + data->m_counter++; + return rval; +} + +} + +namespace maxbase +{ + +PamResult pam_authenticate(const string& user, const string& password, const string& service, + const string& expected_msg) +{ + const char PAM_START_ERR_MSG[] = "Failed to start PAM authentication for user '%s': '%s'."; + const char PAM_AUTH_ERR_MSG[] = "PAM authentication for user '%s' failed: '%s'."; + const char PAM_ACC_ERR_MSG[] = "PAM account check for user '%s' failed: '%s'."; + + ConversationData appdata(user, password, expected_msg); + pam_conv conv_struct = {conversation_func, &appdata}; + + PamResult result; + bool authenticated = false; + pam_handle_t* pam_handle = NULL; + + int pam_status = pam_start(service.c_str(), user.c_str(), &conv_struct, &pam_handle); + if (pam_status == PAM_SUCCESS) + { + pam_status = pam_authenticate(pam_handle, 0); + switch (pam_status) + { + case PAM_SUCCESS: + authenticated = true; + MXB_DEBUG("pam_authenticate returned success."); + break; + + case PAM_USER_UNKNOWN: + case PAM_AUTH_ERR: + // Normal failure, username or password was wrong. + result.type = PamResult::Result::WRONG_USER_PW; + result.error = mxb::string_printf(PAM_AUTH_ERR_MSG, + user.c_str(), pam_strerror(pam_handle, pam_status)); + break; + + default: + // More exotic error + result.type = PamResult::Result::MISC_ERROR; + result.error = mxb::string_printf(PAM_AUTH_ERR_MSG, + user.c_str(), pam_strerror(pam_handle, pam_status)); + break; + } + } + else + { + result.type = PamResult::Result::MISC_ERROR; + result.error = mxb::string_printf(PAM_START_ERR_MSG, + user.c_str(), pam_strerror(pam_handle, pam_status)); + } + + if (authenticated) + { + pam_status = pam_acct_mgmt(pam_handle, 0); + switch (pam_status) + { + case PAM_SUCCESS: + result.type = PamResult::Result::SUCCESS; + break; + + default: + // Credentials have already been checked to be ok, so this is a somewhat unexpected error. + result.type = PamResult::Result::ACCOUNT_INVALID; + result.error = mxb::string_printf(PAM_ACC_ERR_MSG, + user.c_str(), pam_strerror(pam_handle, pam_status)); + break; + } + } + pam_end(pam_handle, pam_status); + return result; +} + +} diff --git a/server/modules/authenticator/PAM/CMakeLists.txt b/server/modules/authenticator/PAM/CMakeLists.txt index 4bf2af87e..ae15808b9 100644 --- a/server/modules/authenticator/PAM/CMakeLists.txt +++ b/server/modules/authenticator/PAM/CMakeLists.txt @@ -1,8 +1,3 @@ -find_package(PAM) -if (PAM_FOUND AND SQLITE_FOUND) - include_directories(${SQLITE_INCLUDE_DIR}) - add_subdirectory(PAMAuth) - add_subdirectory(PAMBackendAuth) -else() - message(STATUS "No PAM libraries or SQLite found, not building PAM authenticator.") -endif() +include_directories(${SQLITE_INCLUDE_DIR}) +add_subdirectory(PAMAuth) +add_subdirectory(PAMBackendAuth) diff --git a/server/modules/authenticator/PAM/PAMAuth/CMakeLists.txt b/server/modules/authenticator/PAM/PAMAuth/CMakeLists.txt index de1481cbb..69d2c58d7 100644 --- a/server/modules/authenticator/PAM/PAMAuth/CMakeLists.txt +++ b/server/modules/authenticator/PAM/PAMAuth/CMakeLists.txt @@ -1,4 +1,4 @@ add_library(pamauth SHARED pam_auth.cc ../pam_auth_common.cc pam_client_session.cc pam_instance.cc) -target_link_libraries(pamauth maxscale-common ${PAM_LIBRARIES} ${SQLITE_LIBRARIES} mysqlcommon) +target_link_libraries(pamauth maxscale-common ${SQLITE_LIBRARIES} mysqlcommon) set_target_properties(pamauth PROPERTIES VERSION "1.0.0" LINK_FLAGS -Wl,-z,defs) install_module(pamauth core) diff --git a/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc b/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc index 28a37d787..bf2cb6340 100644 --- a/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc +++ b/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc @@ -14,7 +14,7 @@ #include "pam_client_session.hh" #include -#include +#include #include using maxscale::Buffer; @@ -75,145 +75,6 @@ int user_services_cb(void* data, int columns, char** column_vals, char** column_ return 0; } -/** Used by the PAM conversation function */ -struct ConversationData -{ - DCB* m_client; - int m_counter; - string m_password; - - ConversationData(DCB* client, int counter, const string& password) - : m_client(client) - , m_counter(counter) - , m_password(password) - { - } -}; - -/** - * PAM conversation function. The implementation "cheats" by not actually doing - * I/O with the client. This should only be called once per client when - * authenticating. See - * http://www.linux-pam.org/Linux-PAM-html/adg-interface-of-app-expected.html#adg-pam_conv - * for more information. - */ -int conversation_func(int num_msg, - const struct pam_message** msg, - struct pam_response** resp_out, - void* appdata_ptr) -{ - MXS_DEBUG("Entering PAM conversation function."); - int rval = PAM_CONV_ERR; - ConversationData* data = static_cast(appdata_ptr); - if (data->m_counter > 1) - { - MXS_ERROR("Multiple calls to conversation function for client '%s'. %s", - data->m_client->user, - GENERAL_ERRMSG); - } - else if (num_msg == 1) - { - pam_message first = *msg[0]; - if ((first.msg_style != PAM_PROMPT_ECHO_OFF && first.msg_style != PAM_PROMPT_ECHO_ON) - || PASSWORD != first.msg) - { - MXS_ERROR("Unexpected PAM message: type='%d', contents='%s'", - first.msg_style, - first.msg); - } - else - { - pam_response* response = static_cast(MXS_MALLOC(sizeof(pam_response))); - if (response) - { - response->resp_retcode = 0; - response->resp = MXS_STRDUP(data->m_password.c_str()); - *resp_out = response; - rval = PAM_SUCCESS; - } - } - } - else - { - MXS_ERROR("Conversation function received '%d' messages from API. Only " - "singular messages are supported.", - num_msg); - } - data->m_counter++; - return rval; -} - -/** - * @brief Check if the client password is correct for the service - * - * @param user Username - * @param password Password - * @param service Which PAM service is the user logging to - * @param client Client DCB - * @return True if username & password are ok - */ -bool validate_pam_password(const string& user, const string& password, const string& service, DCB* client) -{ - const char PAM_START_ERR_MSG[] = "Failed to start PAM authentication for user '%s': '%s'."; - const char PAM_AUTH_ERR_MSG[] = "Pam authentication for user '%s' failed: '%s'."; - const char PAM_ACC_ERR_MSG[] = "Pam account check for user '%s' failed: '%s'."; - ConversationData appdata(client, 0, password); - pam_conv conv_struct = {conversation_func, &appdata}; - bool authenticated = false; - bool account_ok = false; - pam_handle_t* pam_handle = NULL; - int pam_status = pam_start(service.c_str(), user.c_str(), &conv_struct, &pam_handle); - if (pam_status == PAM_SUCCESS) - { - pam_status = pam_authenticate(pam_handle, 0); - switch (pam_status) - { - case PAM_SUCCESS: - authenticated = true; - MXS_DEBUG("pam_authenticate returned success."); - break; - - case PAM_USER_UNKNOWN: - case PAM_AUTH_ERR: - // Normal failure, username or password was wrong. - MXS_LOG_EVENT(maxscale::event::AUTHENTICATION_FAILURE, - PAM_AUTH_ERR_MSG, - user.c_str(), - pam_strerror(pam_handle, pam_status)); - break; - - default: - // More exotic error - MXS_LOG_EVENT(maxscale::event::AUTHENTICATION_FAILURE, - PAM_AUTH_ERR_MSG, - user.c_str(), - pam_strerror(pam_handle, pam_status)); - break; - } - } - else - { - MXS_ERROR(PAM_START_ERR_MSG, user.c_str(), pam_strerror(pam_handle, pam_status)); - } - - if (authenticated) - { - pam_status = pam_acct_mgmt(pam_handle, 0); - switch (pam_status) - { - case PAM_SUCCESS: - account_ok = true; - break; - - default: - // Credentials have already been checked to be ok, so this is again a bit of an exotic error. - MXS_ERROR(PAM_ACC_ERR_MSG, user.c_str(), pam_strerror(pam_handle, pam_status)); - break; - } - } - pam_end(pam_handle, pam_status); - return account_ok; -} } PamClientSession::PamClientSession(sqlite3* dbhandle, const PamInstance& instance) @@ -404,20 +265,27 @@ int PamClientSession::authenticate(DCB* dcb) } if (try_validate) { - for (StringVector::iterator iter = services.begin(); - iter != services.end() && !authenticated; - iter++) + for (auto iter = services.begin(); iter != services.end() && !authenticated; ++iter) { + string service = *iter; // The server PAM plugin uses "mysql" as the default service when authenticating // a user with no service. - if (iter->empty()) + if (service.empty()) { - *iter = "mysql"; + service = "mysql"; } - if (validate_pam_password(ses->user, password, *iter, dcb)) + + mxb::PamResult res = mxb::pam_authenticate(ses->user, password, service, + PASSWORD); + if (res.type == mxb::PamResult::Result::SUCCESS) { authenticated = true; } + else + { + MXS_LOG_EVENT(maxscale::event::AUTHENTICATION_FAILURE, "%s", + res.error.c_str()); + } } } }