141 lines
5.0 KiB
C
141 lines
5.0 KiB
C
#pragma once
|
|
/*
|
|
* Copyright (c) 2016 MariaDB Corporation Ab
|
|
*
|
|
* Use of this software is governed by the Business Source License included
|
|
* in the LICENSE.TXT file and at www.mariadb.com/bsl.
|
|
*
|
|
* Change Date: 2019-07-01
|
|
*
|
|
* On the date above, in accordance with the Business Source License, use
|
|
* of this software will be governed by version 2 or later of the General
|
|
* Public License.
|
|
*/
|
|
|
|
/**
|
|
* @file gw_authenticator.h
|
|
*
|
|
* The authenticator module interface definitions for MaxScale
|
|
*
|
|
* @verbatim
|
|
* Revision History
|
|
*
|
|
* Date Who Description
|
|
* 17/02/16 Martin Brampton Initial implementation
|
|
*
|
|
* @endverbatim
|
|
*/
|
|
|
|
#include <maxscale/cdefs.h>
|
|
#include <maxscale/buffer.h>
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/dh.h>
|
|
|
|
MXS_BEGIN_DECLS
|
|
|
|
/** Maximum number of authenticator options */
|
|
#define AUTHENTICATOR_MAX_OPTIONS 256
|
|
|
|
struct dcb;
|
|
struct server;
|
|
struct session;
|
|
struct servlistener;
|
|
|
|
/**
|
|
* @verbatim
|
|
* The operations that can be performed on the descriptor
|
|
*
|
|
* initialize Initialize the authenticator instance. The return value
|
|
* of this function will be given to the `create` entry point.
|
|
* If a module does not implement this entry point, the value
|
|
* given to the `create` is NULL.
|
|
*
|
|
* create Create a data structure unique to this DCB, stored in
|
|
* `dcb->authenticator_data`. If a module does not implement
|
|
* this entry point, `dcb->authenticator_data` will be set to NULL.
|
|
*
|
|
* extract Extract the data from a buffer and place in a structure
|
|
* shared at the session level, stored in `dcb->data`
|
|
*
|
|
* connectSSL Determine whether the connection can support SSL
|
|
*
|
|
* authenticate Carry out the authentication
|
|
*
|
|
* free Free extracted data. This is only called for the client
|
|
* side authenticators so backend authenticators should not
|
|
* implement it.
|
|
*
|
|
* destroy Destroy the unique DCB data returned by the `create`
|
|
* entry point.
|
|
*
|
|
* loadusers Load or update authenticator user data
|
|
* @endverbatim
|
|
*
|
|
* This forms the "module object" for authenticator modules within the gateway.
|
|
*
|
|
* @see load_module
|
|
*/
|
|
typedef struct gw_authenticator
|
|
{
|
|
void* (*initialize)(char **options);
|
|
void* (*create)(void* instance);
|
|
int (*extract)(struct dcb *, GWBUF *);
|
|
bool (*connectssl)(struct dcb *);
|
|
int (*authenticate)(struct dcb *);
|
|
void (*free)(struct dcb *);
|
|
void (*destroy)(void *);
|
|
int (*loadusers)(struct servlistener *);
|
|
} GWAUTHENTICATOR;
|
|
|
|
/** Return values for extract and authenticate entry points */
|
|
#define MXS_AUTH_SUCCEEDED 0 /**< Authentication was successful */
|
|
#define MXS_AUTH_FAILED 1 /**< Authentication failed */
|
|
#define MXS_AUTH_FAILED_DB 2 /**< Authentication failed, database not found */
|
|
#define MXS_AUTH_FAILED_SSL 3 /**< SSL authentication failed */
|
|
#define MXS_AUTH_INCOMPLETE 4 /**< Authentication is not yet complete */
|
|
#define MXS_AUTH_SSL_INCOMPLETE 5 /**< SSL connection is not yet complete */
|
|
#define MXS_AUTH_NO_SESSION 6
|
|
|
|
/** Return values for the loadusers entry point */
|
|
#define MXS_AUTH_LOADUSERS_OK 0 /**< Users loaded successfully */
|
|
#define MXS_AUTH_LOADUSERS_ERROR 1 /**< Temporary error, service is started */
|
|
#define MXS_AUTH_LOADUSERS_FATAL 2 /**< Fatal error, service is not started */
|
|
|
|
/**
|
|
* Authentication states
|
|
*
|
|
* The state usually goes from INIT to CONNECTED and alternates between
|
|
* MESSAGE_READ and RESPONSE_SENT until ending up in either FAILED or COMPLETE.
|
|
*
|
|
* If the server immediately rejects the connection, the state ends up in
|
|
* HANDSHAKE_FAILED. If the connection creation would block, instead of going to
|
|
* the CONNECTED state, the connection will be in PENDING_CONNECT state until
|
|
* the connection can be created.
|
|
*/
|
|
typedef enum
|
|
{
|
|
MXS_AUTH_STATE_INIT, /**< Initial authentication state */
|
|
MXS_AUTH_STATE_PENDING_CONNECT,/**< Connection creation is underway */
|
|
MXS_AUTH_STATE_CONNECTED, /**< Network connection to server created */
|
|
MXS_AUTH_STATE_MESSAGE_READ, /**< Read a authentication message from the server */
|
|
MXS_AUTH_STATE_RESPONSE_SENT, /**< Responded to the read authentication message */
|
|
MXS_AUTH_STATE_FAILED, /**< Authentication failed */
|
|
MXS_AUTH_STATE_HANDSHAKE_FAILED, /**< Authentication failed immediately */
|
|
MXS_AUTH_STATE_COMPLETE /**< Authentication is complete */
|
|
} mxs_auth_state_t;
|
|
|
|
/**
|
|
* The GWAUTHENTICATOR version data. The following should be updated whenever
|
|
* the GWAUTHENTICATOR structure is changed. See the rules defined in modinfo.h
|
|
* that define how these numbers should change.
|
|
*/
|
|
#define GWAUTHENTICATOR_VERSION {1, 1, 0}
|
|
|
|
|
|
bool authenticator_init(void **instance, const char *authenticator, const char *options);
|
|
const char* get_default_authenticator(const char *protocol);
|
|
|
|
MXS_END_DECLS
|