Pass raw password to users_auth

By passing the raw password deeper into the authentication code, it can be
used to verify that the user can access some systems. Right now, this is not
required by the simple salted password comparison done in MaxScale.
This commit is contained in:
Markus Mäkelä 2018-09-10 15:28:37 +03:00
parent 40d73948a9
commit daf5f52c64
No known key found for this signature in database
GPG Key ID: 72D48FCE664F7B19
6 changed files with 23 additions and 21 deletions


@ -76,7 +76,7 @@ const char* admin_add_inet_user(const char *uname, const char *password, enum us
const char* admin_remove_inet_user(const char* uname);
bool admin_inet_user_exists(const char *uname);
bool admin_verify_inet_user(const char *uname, const char *password);
bool admin_user_is_inet_admin(const char* username);
bool admin_user_is_inet_admin(const char* username, const char *password);
bool admin_user_is_unix_admin(const char* username);
bool admin_have_admin();
bool admin_is_last_admin(const char* user);
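Review bot: The new `password` parameter on `admin_user_is_inet_admin` is undocumented in this header, even though the parallel declaration in users.h records that the pointer may be NULL and several callers in this commit pass nullptr. A short Doxygen block above the declaration would pin the contract: `/** Check whether an inet user is an administrator. @param password Password of the user, or NULL when only the account's role is needed. */`. As a style point, the declaration also mixes `const char* username` with `const char *password` on one line; `const char* password` matches the surrounding declarations.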


@ -100,12 +100,13 @@ bool users_find(USERS* users, const char* user);
/**
* Check if user is an administrator
*
* @param users The users table
* @param user User to check
* @param users The users table
* @param user User to check
* @param password Password of the user or NULL if password isn't available
*
* @return True if user is an administrator
*/
bool users_is_admin(USERS* users, const char* user);
bool users_is_admin(USERS* users, const char* user, const char* password);
/**
* Check how many admin account exists
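Review bot: The updated doc comment on `users_is_admin` says the password may be NULL "if password isn't available" but does not say what the function does in that case, which is the one thing a caller choosing between passing a password and nullptr needs to know. The implementation in users.cc maps nullptr to an empty string and hands it to `check_permissions`, whose body is outside this diff, so I cannot confirm whether the check then becomes role-only. Whichever it is, the `@param password` line should state it, e.g. `@param password Password of the user, or NULL to check the account's role without verifying credentials` if that is the intended behaviour.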


@ -192,7 +192,7 @@ bool Client::auth(MHD_Connection* connection, const char* url, const char* metho
send_auth_error(connection);
rval = false;
}
else if (!admin_user_is_inet_admin(user) && modifies_data(connection, method))
else if (!admin_user_is_inet_admin(user, pw) && modifies_data(connection, method))
{
if (config_get_global_options()->admin_log_auth_failures)
{


@ -27,6 +27,7 @@
#include <maxscale/adminusers.h>
#include <maxscale/paths.h>
#include <maxscale/json_api.hh>
#include <maxscale/utils.hh>
/**
* @file adminusers.c - Administration user account management
@ -209,7 +210,7 @@ static std::string path_from_type(enum user_type type)
json_t* admin_user_to_json(const char* host, const char* user, enum user_type type)
{
user_account_type account = USER_ACCOUNT_BASIC;
if ((type == USER_TYPE_INET && admin_user_is_inet_admin(user))
if ((type == USER_TYPE_INET && admin_user_is_inet_admin(user, nullptr))
|| (type == USER_TYPE_UNIX && admin_user_is_unix_admin(user)))
{
account = USER_ACCOUNT_ADMIN;
@ -431,9 +432,8 @@ bool admin_linux_account_enabled(const char* uname)
*/
const char* admin_add_inet_user(const char* uname, const char* password, enum user_account_type type)
{
char cpassword[MXS_CRYPT_SIZE];
mxs_crypt(password, ADMIN_SALT, cpassword);
return admin_add_user(&inet_users, INET_USERS_FILE_NAME, uname, cpassword, type);
auto cpassword = mxs::crypt(password, ADMIN_SALT);
return admin_add_user(&inet_users, INET_USERS_FILE_NAME, uname, cpassword.c_str(), type);
}
/**
@ -482,21 +482,19 @@ bool admin_verify_inet_user(const char* username, const char* password)
if (inet_users)
{
char cpassword[MXS_CRYPT_SIZE];
mxs_crypt(password, ADMIN_SALT, cpassword);
rv = users_auth(inet_users, username, cpassword);
rv = users_auth(inet_users, username, password);
}
return rv;
}
bool admin_user_is_inet_admin(const char* username)
bool admin_user_is_inet_admin(const char* username, const char* password)
{
bool rval = false;
if (inet_users)
{
rval = users_is_admin(inet_users, username);
rval = users_is_admin(inet_users, username, password);
}
return rval;
@ -508,7 +506,7 @@ bool admin_user_is_unix_admin(const char* username)
if (linux_users)
{
rval = users_is_admin(linux_users, username);
rval = users_is_admin(linux_users, username, nullptr);
}
return rval;
@ -521,7 +519,7 @@ bool admin_have_admin()
bool admin_is_last_admin(const char* user)
{
return (admin_user_is_inet_admin(user) || admin_user_is_unix_admin(user))
return (admin_user_is_inet_admin(user, nullptr) || admin_user_is_unix_admin(user))
&& (users_admin_count(inet_users) + users_admin_count(linux_users)) == 1;
}
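Review bot: The definition of `admin_user_is_inet_admin` gains a `password` parameter, yet in this same file `admin_user_to_json` and `admin_is_last_admin` call it with nullptr and `admin_user_is_unix_admin` passes nullptr to `users_is_admin`, so the definition is the natural place to record what nullptr means; a comment such as `// password may be nullptr: callers that only need the account's role cannot supply one.` above the function keeps that contract from drifting. Separately, `admin_verify_inet_user` no longer hashes the password itself, so the hashing scheme is now split between `admin_add_inet_user` here (`mxs::crypt(password, ADMIN_SALT)`) and `users_auth` in users.cc; if the salt or algorithm ever changes, both must move together, and a note like `// Must match the hashing performed in users_auth() (users.cc) or stored users stop authenticating.` next to the `mxs::crypt` call makes that coupling visible. The bodies of `admin_verify_inet_user` and `admin_user_is_unix_admin` begin outside their hunks.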


@ -20,6 +20,7 @@
#include <string>
#include <unordered_map>
#include <maxscale/adminusers.h>
#include <maxscale/users.h>
#include <maxscale/authenticator.hh>
#include <maxscale/jansson.hh>
@ -109,7 +110,9 @@ public:
return std::count_if(m_data.begin(), m_data.end(), is_admin);
}
bool check_permissions(std::string user, user_account_type perm) const
bool check_permissions(const std::string& user,
const std::string& password,
user_account_type perm) const
{
std::lock_guard<std::mutex> guard(m_lock);
UserMap::const_iterator it = m_data.find(user);
@ -295,16 +298,16 @@ bool users_auth(USERS* users, const char* user, const char* password)
if (u->get(user, &info))
{
rval = strcmp(password, info.password.c_str()) == 0;
rval = info.password == mxs::crypt(password, ADMIN_SALT);
}
return rval;
}
bool users_is_admin(USERS* users, const char* user)
bool users_is_admin(USERS* users, const char* user, const char* password)
{
Users* u = reinterpret_cast<Users*>(users);
return u->check_permissions(user, USER_ACCOUNT_ADMIN);
return u->check_permissions(user, password ? password : "", USER_ACCOUNT_ADMIN);
}
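Review bot: `password ? password : ""` in `users_is_admin` folds "no password supplied" into "empty password supplied", so `check_permissions` cannot distinguish the nullptr callers introduced in this commit (admin_user_to_json, admin_is_last_admin, admin_user_is_unix_admin, user_is_authorized) from a client that actually presents an empty string; the body of `check_permissions` ends outside the hunk, so I cannot see how it treats an empty password, but if it takes emptiness to mean "skip the credential check", an empty client password would be treated the same as the trusted role-only lookups. Keeping the distinction explicit, for example by giving `check_permissions` a `const char*` or `std::optional<std::string>` password and passing `password ? std::optional<std::string>(password) : std::nullopt` here, lets the permission check branch on "absent" rather than on "empty". The same nullptr-to-empty conflation applies to the new `users_is_admin(linux_users, username, nullptr)` call in adminusers.cc.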
int users_admin_count(USERS* users)


@ -2046,7 +2046,7 @@ static bool user_is_authorized(DCB* dcb)
}
else
{
if (!admin_user_is_inet_admin(dcb->user))
if (!admin_user_is_inet_admin(dcb->user, nullptr))
{
rval = false;
}