174 lines
4.7 KiB
C++
174 lines
4.7 KiB
C++
/*
|
|
* Copyright (c) 2016 MariaDB Corporation Ab
|
|
*
|
|
* Use of this software is governed by the Business Source License included
|
|
* in the LICENSE.TXT file and at www.mariadb.com/bsl11.
|
|
*
|
|
* Change Date: 2020-01-01
|
|
*
|
|
* On the date above, in accordance with the Business Source License, use
|
|
* of this software will be governed by version 2 or later of the General
|
|
* Public License.
|
|
*/
|
|
#include"pam_auth.hh"
|
|
|
|
#include <maxscale/authenticator.h>
|
|
#include <maxscale/users.h>
|
|
|
|
#include "pam_instance.hh"
|
|
#include "pam_client_session.hh"
|
|
#include "../pam_auth_common.hh"
|
|
|
|
/**
|
|
* Initialize PAM authenticator
|
|
*
|
|
* @param options Listener options
|
|
*
|
|
* @return Authenticator instance, or NULL on error
|
|
*/
|
|
static void* pam_auth_init(char **options)
|
|
{
|
|
return PamInstance::create(options);
|
|
}
|
|
|
|
/**
|
|
* Allocate DCB-specific authenticator data (session)
|
|
*
|
|
* @param instance Authenticator instance the session should be connected to
|
|
*
|
|
* @return Authenticator session
|
|
*/
|
|
static void* pam_auth_alloc(void *instance)
|
|
{
|
|
PamInstance* inst = static_cast<PamInstance*>(instance);
|
|
return PamClientSession::create(*inst);
|
|
}
|
|
|
|
/**
|
|
* Free authenticator session
|
|
*
|
|
* @param data PAM session
|
|
*/
|
|
static void pam_auth_free(void *data)
|
|
{
|
|
delete static_cast<PamClientSession*>(data);
|
|
}
|
|
|
|
/**
|
|
* @brief Extract data from client response
|
|
*
|
|
* @param dcb Client DCB
|
|
* @param read_buffer Buffer containing the client's response
|
|
*
|
|
* @return True if authentication can continue, false if
|
|
* authentication failed
|
|
*/
|
|
static bool pam_auth_extract(DCB *dcb, GWBUF *read_buffer)
|
|
{
|
|
PamClientSession *pses = static_cast<PamClientSession*>(dcb->authenticator_data);
|
|
return pses->extract(dcb, read_buffer);
|
|
}
|
|
|
|
/**
|
|
* @brief Is the client SSL capable
|
|
*
|
|
* @param dcb Client DCB
|
|
*
|
|
* @return True if client supports SSL
|
|
*/
|
|
static bool pam_auth_connectssl(DCB *dcb)
|
|
{
|
|
MySQLProtocol *protocol = (MySQLProtocol*)dcb->protocol;
|
|
return protocol->client_capabilities & GW_MYSQL_CAPABILITIES_SSL;
|
|
}
|
|
|
|
/**
|
|
* @brief Authenticate the client. Should be called after pam_auth_extract().
|
|
*
|
|
* @param dcb Client DCB
|
|
*
|
|
* @return MXS_AUTH_INCOMPLETE if authentication is not yet complete. MXS_AUTH_SUCCEEDED
|
|
* if authentication was successfully completed. MXS_AUTH_FAILED if authentication
|
|
* has failed.
|
|
*/
|
|
static int pam_auth_authenticate(DCB *dcb)
|
|
{
|
|
PamClientSession* pses = static_cast<PamClientSession*>(dcb->authenticator_data);
|
|
return pses->authenticate(dcb);
|
|
}
|
|
|
|
/**
|
|
* Free general authenticator data from a DCB. This is data that is not specific
|
|
* to the client authenticator session and may be used by the backend authenticator
|
|
* session to log onto backends.
|
|
*
|
|
* @param dcb DCB to free data from
|
|
*/
|
|
static void pam_auth_free_data(DCB *dcb)
|
|
{
|
|
if (dcb->data)
|
|
{
|
|
MYSQL_session *ses = (MYSQL_session *)dcb->data;
|
|
MXS_FREE(ses->auth_token);
|
|
MXS_FREE(ses);
|
|
dcb->data = NULL;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @brief Load database users that use PAM authentication
|
|
*
|
|
* Loading the list of database users that use the 'pam' plugin allows us to
|
|
* give more precise error messages to the clients when authentication fails.
|
|
*
|
|
* @param listener Listener definition
|
|
*
|
|
* @return MXS_AUTH_LOADUSERS_OK on success, MXS_AUTH_LOADUSERS_ERROR on error
|
|
*/
|
|
static int pam_auth_load_users(SERV_LISTENER *listener)
|
|
{
|
|
PamInstance *inst = static_cast<PamInstance*>(listener->auth_instance);
|
|
return inst->load_users(listener->service);
|
|
}
|
|
|
|
MXS_BEGIN_DECLS
|
|
/**
|
|
* Module handle entry point
|
|
*/
|
|
MXS_MODULE* MXS_CREATE_MODULE()
|
|
{
|
|
static MXS_AUTHENTICATOR MyObject =
|
|
{
|
|
pam_auth_init, /* Initialize authenticator */
|
|
pam_auth_alloc, /* Allocate authenticator data */
|
|
pam_auth_extract, /* Extract data into structure */
|
|
pam_auth_connectssl, /* Check if client supports SSL */
|
|
pam_auth_authenticate, /* Authenticate user credentials */
|
|
pam_auth_free_data, /* Free the client data held in DCB */
|
|
pam_auth_free, /* Free authenticator data */
|
|
pam_auth_load_users, /* Load database users */
|
|
users_default_diagnostic, /* Default user diagnostic */
|
|
users_default_diagnostic_json, /* Default user diagnostic */
|
|
NULL /* No user reauthentication */
|
|
};
|
|
|
|
static MXS_MODULE info =
|
|
{
|
|
MXS_MODULE_API_AUTHENTICATOR,
|
|
MXS_MODULE_GA,
|
|
MXS_AUTHENTICATOR_VERSION,
|
|
"PAM authenticator",
|
|
"V1.0.0",
|
|
MXS_NO_MODULE_CAPABILITIES,
|
|
&MyObject,
|
|
NULL, /* Process init. */
|
|
NULL, /* Process finish. */
|
|
NULL, /* Thread init. */
|
|
NULL, /* Thread finish. */
|
|
{ { MXS_END_MODULE_PARAMS} }
|
|
};
|
|
|
|
return &info;
|
|
}
|
|
MXS_END_DECLS
|