Exemple #1
0
static char *get_hash(request_rec *r, char *user, char *auth_pwfile)
{
    configfile_t *f;
    char l[MAX_STRING_LEN];
    const char *rpw;
    char *w, *x;

    if (!(f = ap_pcfg_openfile(r->pool, auth_pwfile))) {
	ap_log_error(APLOG_MARK, APLOG_ERR, r->server,
		    "Could not open password file: %s", auth_pwfile);
	return NULL;
    }
    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
	if ((l[0] == '#') || (!l[0]))
	    continue;
	rpw = l;
	w = ap_getword(r->pool, &rpw, ':');
	x = ap_getword(r->pool, &rpw, ':');

	if (x && w && !strcmp(user, w) && !strcmp(ap_auth_name(r), x)) {
	    ap_cfg_closefile(f);
	    return ap_pstrdup(r->pool, rpw);
	}
    }
    ap_cfg_closefile(f);
    return NULL;
}
Exemple #2
0
static char *get_pw(request_rec *r, char *user, char *auth_pwfile)
{
    ap_configfile_t *f;
    char l[MAX_STRING_LEN];
    const char *rpw, *w;
    apr_status_t status;

    if ((status = ap_pcfg_openfile(&f, r->pool, auth_pwfile)) != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                      "Could not open password file: %s", auth_pwfile);
        return NULL;
    }
    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
        if ((l[0] == '#') || (!l[0])) {
            continue;
        }
        rpw = l;
        w = ap_getword(r->pool, &rpw, ':');

        if (!strcmp(user, w)) {
            ap_cfg_closefile(f);
            return ap_getword(r->pool, &rpw, ':');
        }
    }
    ap_cfg_closefile(f);
    return NULL;
}
Exemple #3
0
static authn_status check_password(request_rec *r, const char *user,
                                   const char *password)
{
#ifndef APACHE2NGINX
    authn_file_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                       &authn_file_module);
    ap_configfile_t *f;
    char l[MAX_STRING_LEN];
    apr_status_t status;
    char *file_password = NULL;

    if (!conf->pwfile) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "AuthUserFile not specified in the configuration");
        return AUTH_GENERAL_ERROR;
    }

    status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);

    if (status != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                      "Could not open password file: %s", conf->pwfile);
        return AUTH_GENERAL_ERROR;
    }

    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
        const char *rpw, *w;

        /* Skip # or blank lines. */
        if ((l[0] == '#') || (!l[0])) {
            continue;
        }

        rpw = l;
        w = ap_getword(r->pool, &rpw, ':');

        if (!strcmp(user, w)) {
            file_password = ap_getword(r->pool, &rpw, ':');
            break;
        }
    }
    ap_cfg_closefile(f);

    if (!file_password) {
        return AUTH_USER_NOT_FOUND;
    }

    status = apr_password_validate(password, file_password);
    if (status != APR_SUCCESS) {
        return AUTH_DENIED;
    }

#endif
    return AUTH_GRANTED;
}
Exemple #4
0
static authn_status get_realm_hash(request_rec *r, const char *user,
                                   const char *realm, char **rethash)
{
#ifndef APACHE2NGINX
    authn_file_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                       &authn_file_module);
    ap_configfile_t *f;
    char l[MAX_STRING_LEN];
    apr_status_t status;
    char *file_hash = NULL;

    if (!conf->pwfile) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "AuthUserFile not specified in the configuration");
        return AUTH_GENERAL_ERROR;
    }

    status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);

    if (status != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                      "Could not open password file: %s", conf->pwfile);
        return AUTH_GENERAL_ERROR;
    }

    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
        const char *rpw, *w, *x;

        /* Skip # or blank lines. */
        if ((l[0] == '#') || (!l[0])) {
            continue;
        }

        rpw = l;
        w = ap_getword(r->pool, &rpw, ':');
        x = ap_getword(r->pool, &rpw, ':');

        if (x && w && !strcmp(user, w) && !strcmp(realm, x)) {
            /* Remember that this is a md5 hash of user:realm:password.  */
            file_hash = ap_getword(r->pool, &rpw, ':');
            break;
        }
    }
    ap_cfg_closefile(f);

    if (!file_hash) {
        return AUTH_USER_NOT_FOUND;
    }

    *rethash = file_hash;
#endif

    return AUTH_USER_FOUND;
}
Exemple #5
0
/*
 * selinux_lookup_mapfile
 *
 *   It lookups a matched entry from the given configuration file,
 *   and returns 1 with a copied cstring, if found. Otherwise, it returns 0.
 */
static int
selinux_lookup_mapfile(request_rec *r, const char *filename, char **domain)
{
    const char *white_space = " \t\r\n";
    ap_configfile_t *filp;
    char buffer[MAX_STRING_LEN];
    apr_status_t status;
    char *user, *context, *pos;
    int lineno = 0;

    status = ap_pcfg_openfile(&filp, r->pool, filename);
    if (status != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, LOG_WARNING, status, r,
                      "Unable to open: %s", filename);
        return -1;
    }

    while (ap_cfg_getline(buffer, sizeof(buffer), filp) == 0) {
        lineno++;

        /* skip empty line */
        pos = strchr(buffer, '#');
        if (pos)
            *pos = '\0';

        user = strtok_r(buffer, white_space, &pos);
        if (!user)
            continue;
        context = strtok_r(NULL, white_space, &pos);
        if (!context || strtok_r(NULL, white_space, &pos)) {
            ap_log_rerror(APLOG_MARK, LOG_WARNING, 0, r,
                          "syntax error at %s:%d", filename, lineno);
            continue;
        }

        if (!strcmp(user, "*") ||
            (r->user && !strcmp(user, r->user)) ||
            (!r->user && !strcmp(user, "__anonymous__")))
        {
            *domain = apr_pstrdup(r->pool, context);
            ap_cfg_closefile(filp);

            return 1;
        }
    }
    /* not found */
    ap_cfg_closefile(filp);
    return 0;
}
static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile,
                                    apr_table_t ** out)
{
    ap_configfile_t *f;
    apr_table_t *grps = apr_table_make(p, 15);
    apr_pool_t *sp;
    struct ap_varbuf vb;
    const char *group_name, *ll, *w;
    apr_status_t status;
    apr_size_t group_len;

    if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) {
        return status ;
    }

    apr_pool_create(&sp, p);
    ap_varbuf_init(p, &vb, VARBUF_INIT_LEN);

    while (!(ap_varbuf_cfg_getline(&vb, f, VARBUF_MAX_LEN))) {
        if ((vb.buf[0] == '#') || (!vb.buf[0])) {
            continue;
        }
        ll = vb.buf;
        apr_pool_clear(sp);

        group_name = ap_getword(sp, &ll, ':');
        group_len = strlen(group_name);

        while (group_len && apr_isspace(*(group_name + group_len - 1))) {
            --group_len;
        }

        while (ll[0]) {
            w = ap_getword_conf(sp, &ll);
            if (!strcmp(w, user)) {
                apr_table_setn(grps, apr_pstrmemdup(p, group_name, group_len),
                               "in");
                break;
            }
        }
    }
    ap_cfg_closefile(f);
    apr_pool_destroy(sp);
    ap_varbuf_free(&vb);

    *out = grps;
    return APR_SUCCESS;
}
static char *getSharedKey(request_rec *r,char *filename, char **static_pw) {
		ap_regmatch_t regmatch[AP_MAX_REG_MATCH];
    char l[MAX_STRING_LEN];
		char *sharedKey = 0L;
		apr_status_t status;
    ap_configfile_t *f;

		authn_google_config_rec *conf = ap_get_module_config(r->per_dir_config, &authn_google_module);
    status = ap_pcfg_openfile(&f, r->pool, filename);
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"OPENING FILENAME %s",filename);

    if (status != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                      "check_password: Couldn't open password file: %s", filename);
        return 0L;
    }

    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {

				/* If we have a password entry - return it, if the caller has asked for it */

				if ((static_pw) && (!ap_regexec(passwd_regexp, l, AP_MAX_REG_MATCH, regmatch, 0))) {
					*static_pw  = ap_pregsub(r->pool, "$1", l,AP_MAX_REG_MATCH,regmatch);

if (conf->debugLevel) 
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
           "Using static password \"%s\"",*static_pw);
				}

        /* Skip comment or blank lines. */
        if ((l[0] == '"') || (!l[0])) {
            continue;
        }

				if (!sharedKey) {
					sharedKey = apr_pstrdup(r->pool,l);
				}

				/* Scratch codes to follow */
    }
    ap_cfg_closefile(f);
		return sharedKey;
}
Exemple #8
0
static apr_table_t *groups_for_user(request_rec *r, char *user, char *grpfile)
{
    apr_pool_t *p = r->pool;
    ap_configfile_t *f;
    apr_table_t *grps = apr_table_make(p, 15);
    apr_pool_t *sp;
    char l[MAX_STRING_LEN];
    const char *group_name, *ll, *w;
    apr_status_t status;

    if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                       "Could not open group file: %s", grpfile);
        return NULL;
    }

    apr_pool_create(&sp, p);

    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
        if ((l[0] == '#') || (!l[0])) {
            continue;
        }
        ll = l;
        apr_pool_clear(sp);

        group_name = ap_getword(sp, &ll, ':');

        while (ll[0]) {
            w = ap_getword_conf(sp, &ll);
            if (!strcmp(w, user)) {
                apr_table_setn(grps, apr_pstrdup(p, group_name), "in");
                break;
            }
        }
    }
    ap_cfg_closefile(f);
    apr_pool_destroy(sp);
    return grps;
}
static const char *proxylist_read(cmd_parms *cmd, void *cfg,
                                  const char *filename)
{
    char lbuf[MAX_STRING_LEN];
    char *arg;
    const char *args;
    const char *errmsg;
    ap_configfile_t *cfp;
    apr_status_t rv;

    filename = ap_server_root_relative(cmd->temp_pool, filename);
    rv = ap_pcfg_openfile(&cfp, cmd->temp_pool, filename);
    if (rv != APR_SUCCESS) {
        return apr_psprintf(cmd->pool, "%s: Could not open file %s: %s",
                            cmd->cmd->name, filename,
                            apr_strerror(rv, lbuf, sizeof(lbuf)));
    }

    while (!(ap_cfg_getline(lbuf, MAX_STRING_LEN, cfp))) {
        args = lbuf;
        while (*(arg = ap_getword_conf(cmd->temp_pool, &args)) != '\0') {
            if (*arg == '#') {
                break;
            }
            errmsg = proxies_set(cmd, cfg, arg);
            if (errmsg) {
                ap_cfg_closefile(cfp);
                errmsg = apr_psprintf(cmd->pool, "%s at line %d of %s",
                                      errmsg, cfp->line_number, filename);
                return errmsg;
            }
        }
    }

    ap_cfg_closefile(cfp);
    return NULL;
}
Exemple #10
0
static table *groups_for_user(pool *p, char *user, char *grpfile)
{
    configfile_t *f;
    table *grps = ap_make_table(p, 15);
    pool *sp;
    char l[MAX_STRING_LEN];
    const char *group_name, *ll, *w;

    if (!(f = ap_pcfg_openfile(p, grpfile))) {
/*add?	aplog_error(APLOG_MARK, APLOG_ERR, NULL,
		    "Could not open group file: %s", grpfile);*/
	return NULL;
    }

    sp = ap_make_sub_pool(p);

    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
	if ((l[0] == '#') || (!l[0]))
	    continue;
	ll = l;
	ap_clear_pool(sp);

	group_name = ap_getword(sp, &ll, ':');

	while (ll[0]) {
	    w = ap_getword_conf(sp, &ll);
	    if (!strcmp(w, user)) {
		ap_table_setn(grps, ap_pstrdup(p, group_name), "in");
		break;
	    }
	}
    }
    ap_cfg_closefile(f);
    ap_destroy_pool(sp);
    return grps;
}
/* This provides a simple UI for accessing the key database 
 * used to grant access to users owning a yubikey or not.
 *
 * This is primarily a web version of htaccess.
 */
static int authn_yubikey_handler(request_rec *r)
{
    ap_configfile_t *f;
    char l[MAX_STRING_LEN];
    apr_status_t status;
    char *file_password = NULL;
    char *yubiKeyId = NULL;
    char *realName = NULL;
    apr_file_t *dbFormFile = NULL;
    yubiauth_dir_cfg *cfg = ap_get_module_config(r->per_dir_config, &authn_yubikey_module);

    if (strcmp(r->handler, "authn_yubikey")) {
        return DECLINED;
    }
    r->content_type = "text/html";

    /* Post back */
    if (r->method_number == M_POST) {
      const char *postbackContent = NULL;
      char *tmp = NULL;
      char buffer[1024];
      //Read the POST data sent from the client
      ap_setup_client_block(r, REQUEST_CHUNKED_DECHUNK);

      if ( ap_should_client_block(r) == 1 ) {
              while ( ap_get_client_block(r, buffer, 1024) > 0 ) {
		postbackContent = apr_pstrcat(r->pool, buffer, tmp, NULL);
		//tmp = apr_pstrdup(r->pool, postbackContent);
	          }
      }
      else {
	        ap_rputs("No POST data available",r);
      }
      //We have the data now, now process it and save it into the db
      

      ap_set_content_type(r, "text/plain;");
      ap_rprintf(r, "Postback content: %s", postbackContent);

      return OK;
    }

    /* Serve content if it's a GET request */
    if (!r->header_only) {
      ap_rputs("<html><head><title>YubiAuth user management</title></head><body>", r);
      ap_rputs("<h1>Welcome to the YubiAuth user Mgmt.</h1><br>", r);
      ap_rputs("The following users could be found inside the database:<br>", r);
      //Open userDb file for looped output
      status = ap_pcfg_openfile(&f, r->pool, cfg->userAuthDbFilename);
      if (status != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                      LOG_PREFIX "Could not open YubiAuthUserDb file: %s", 
		      cfg->userAuthDbFilename);
        return HTTP_INTERNAL_SERVER_ERROR;
      }
      ap_rputs("<table><thead><tr><th>TokenId</th><th>Real Name</th></tr></thead><tbody>\n", r);
      while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
        const char *rpw, *w;

        /* Skip # or blank lines. */
        if ((l[0] == '#') || (!l[0])) {
	  continue;
        }

        rpw = l;
        w = ap_getword(r->pool, &rpw, ':');
	//yubiKeyId = apr_pstrndup(r->pool, password, (apr_size_t) 12);
        //realName = ap_getword(r->pool, &rpw, ':');
	ap_rputs("<tr>", r);
	ap_rprintf(r, "<td>%s</td>", w);
	ap_rprintf(r, "<td>%s</td>\n", rpw);
	ap_rputs("</tr>", r);
      }
      ap_cfg_closefile(f);
      ap_rputs("</tbody></table>", r);
      ap_rputs("<h1>Want to add a user?</h1>.", r);
      ap_rputs("<form name=\"addUser\" method=\"POST\" action=\"/authme\">", r);
      ap_rputs("<input type=\"text\" name=\"tokenId\">", r);
      ap_rputs("<input type=\"text\" name=\"realUser\">", r);
      ap_rputs("<input type=\"submit\" value=\"Add User\">", r);
      ap_rputs("</form>", r);
      ap_rputs("</body></html>", r);
    }

    //If we receive a POST to this location, we probably want to update the userdb
    //be sure to check if there is a user set and that this user is allowed to change information
    // inside the userdb, we cn authenticate the user with the OTP token here too.
    //We should make the administrative user configurable, by specifying the token which is allowed
    // access ...
    return OK;
}
static int isUserValid(const char *user, 
		       const char *password, 
		       yubiauth_dir_cfg *cfg, 
		       request_rec *r)
{

    ap_configfile_t *f;
    char l[MAX_STRING_LEN];
    apr_status_t status;
    char *file_password = NULL;
    char *yubiKeyId = NULL;
    char *userPassword = NULL;
    apr_size_t passwordLength = 0;
    char *realName = NULL;
    int userWasFound = FALSE;
    /* This is TRUE when we store a combination of yubikeyId:username:password,
     * we then have a two factor authentication.
     */
    int tokenHasPassword = FALSE;

    status = ap_pcfg_openfile(&f, r->pool, cfg->userAuthDbFilename);

    if (status != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                      LOG_PREFIX "Could not open AuthYkUserFile file: %s", 
		      cfg->userAuthDbFilename);
        return FALSE;
    }

    /* Do length check of at least the password part,
     * to be a yubikey token, it has to have at least 44
     * characters from where the first 12 are the ID of the user.
     */
    if (strlen(password) < YUBIKEY_TOKEN_LENGTH) {
      ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
		    LOG_PREFIX "The entered password cannot be a yubikey generated token");
      ap_cfg_closefile(f);
      return FALSE;
    }

    

    /* If the password is bigger then 44 characters, then we have an additional password
     * set into the field, since the produced token by the yubikey is 44 characters long
     */
    passwordLength = (apr_size_t) strlen(password) - YUBIKEY_TOKEN_LENGTH;
    ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
		  LOG_PREFIX "The length of the entered password is: %d", passwordLength);

    /* We have to distinct between a 44 character string which is the
     * toke output only and a longer string, which would contain a
     * password at its beginning
     */
    if (strlen(password) > YUBIKEY_TOKEN_LENGTH) {
	/* copy off the password part from the password string */
	userPassword = apr_pstrndup(r->pool, password, passwordLength);
	ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
		  LOG_PREFIX "The entered password is: %s", userPassword);
    }

    /* Now move the password pointer forward the number of calculatd characters for the userPassword,
     * we move the pointer beyond the last read character (not -1), to start reading the real stuff
     */
     yubiKeyId = apr_pstrndup(r->pool, &password[passwordLength], (apr_size_t) YUBIKEY_ID_LENGTH);
     ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
		  LOG_PREFIX "The calculated YubiKey ID is: %s", yubiKeyId);

    /* Find the TokenID/UN:PW solution in the file */
    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
        const char *rpw, *w;
	char *unPw = NULL;

        /* Skip # or blank lines. */
        if ((l[0] == '#') || (!l[0])) {
            continue;
        }

        rpw = l;
        w = ap_getword(r->pool, &rpw, ':');
        
	/* The first 12 chars are the ID which must be available in this file
	 * else the user might be a yubikey user, but possibly a user we don't
	 * want.
	 */
        if (!strncmp(yubiKeyId, w, 12)) {
	  /* This would fetch the real username,
	   * after the ID could be located
	   */
	  ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
			LOG_PREFIX "Could find the ID: %s", w);
	  /* remember, since we are working with the passwd
	   * utility, this realName is hashed
	   */
          realName = ap_getword(r->pool, &rpw, '\n');
          apr_table_set(r->headers_in, HDR_YK_AUTH_TYPE, YK_AUTH_TYPE_OF);
	  ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
			LOG_PREFIX "The looked up realname is: %s", realName);
	  ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
			LOG_PREFIX "The looked up userPassword is: %s", userPassword);
	  /* this results in username:password as it should be entered in the install dialog */
	  if (userPassword) {
	    unPw = apr_pstrcat(r->pool, user, ":", userPassword, NULL);
	    apr_table_set(r->headers_in, HDR_YK_AUTH_TYPE, YK_AUTH_TYPE_TF);
	    ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
			LOG_PREFIX "The built un:pw combo is: %s", unPw);
	  }
	  /* If there is a password set, use the username:password combo,
	   * else just compare the username
	   */
	  status = apr_password_validate(userPassword?unPw:user, realName);

	  if (status == APR_SUCCESS) {
	    ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
			    LOG_PREFIX "Could map ID %s to User: %s", w, user);
	    userWasFound = TRUE;
	    break;
	  }   
        }	
    }
    ap_cfg_closefile(f);

    return userWasFound;
}