static char *get_hash(request_rec *r, char *user, char *auth_pwfile)
{
configfile_t *f;
char l[MAX_STRING_LEN];
const char *rpw;
char *w, *x;
if (!(f = ap_pcfg_openfile(r->pool, auth_pwfile))) {
ap_log_error(APLOG_MARK, APLOG_ERR, r->server,
"Could not open password file: %s", auth_pwfile);
return NULL;
}
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
if ((l[0] == '#') || (!l[0]))
continue;
rpw = l;
w = ap_getword(r->pool, &rpw, ':');
x = ap_getword(r->pool, &rpw, ':');
if (x && w && !strcmp(user, w) && !strcmp(ap_auth_name(r), x)) {
ap_cfg_closefile(f);
return ap_pstrdup(r->pool, rpw);
}
}
ap_cfg_closefile(f);
return NULL;
}
static char *get_pw(request_rec *r, char *user, char *auth_pwfile)
{
ap_configfile_t *f;
char l[MAX_STRING_LEN];
const char *rpw, *w;
apr_status_t status;
if ((status = ap_pcfg_openfile(&f, r->pool, auth_pwfile)) != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"Could not open password file: %s", auth_pwfile);
return NULL;
}
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
if ((l[0] == '#') || (!l[0])) {
continue;
}
rpw = l;
w = ap_getword(r->pool, &rpw, ':');
if (!strcmp(user, w)) {
ap_cfg_closefile(f);
return ap_getword(r->pool, &rpw, ':');
}
}
ap_cfg_closefile(f);
return NULL;
}
static authn_status check_password(request_rec *r, const char *user,
const char *password)
{
#ifndef APACHE2NGINX
authn_file_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authn_file_module);
ap_configfile_t *f;
char l[MAX_STRING_LEN];
apr_status_t status;
char *file_password = NULL;
if (!conf->pwfile) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"AuthUserFile not specified in the configuration");
return AUTH_GENERAL_ERROR;
}
status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"Could not open password file: %s", conf->pwfile);
return AUTH_GENERAL_ERROR;
}
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
const char *rpw, *w;
/* Skip # or blank lines. */
if ((l[0] == '#') || (!l[0])) {
continue;
}
rpw = l;
w = ap_getword(r->pool, &rpw, ':');
if (!strcmp(user, w)) {
file_password = ap_getword(r->pool, &rpw, ':');
break;
}
}
ap_cfg_closefile(f);
if (!file_password) {
return AUTH_USER_NOT_FOUND;
}
status = apr_password_validate(password, file_password);
if (status != APR_SUCCESS) {
return AUTH_DENIED;
}
#endif
return AUTH_GRANTED;
}
static authn_status get_realm_hash(request_rec *r, const char *user,
const char *realm, char **rethash)
{
#ifndef APACHE2NGINX
authn_file_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authn_file_module);
ap_configfile_t *f;
char l[MAX_STRING_LEN];
apr_status_t status;
char *file_hash = NULL;
if (!conf->pwfile) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"AuthUserFile not specified in the configuration");
return AUTH_GENERAL_ERROR;
}
status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"Could not open password file: %s", conf->pwfile);
return AUTH_GENERAL_ERROR;
}
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
const char *rpw, *w, *x;
/* Skip # or blank lines. */
if ((l[0] == '#') || (!l[0])) {
continue;
}
rpw = l;
w = ap_getword(r->pool, &rpw, ':');
x = ap_getword(r->pool, &rpw, ':');
if (x && w && !strcmp(user, w) && !strcmp(realm, x)) {
/* Remember that this is a md5 hash of user:realm:password. */
file_hash = ap_getword(r->pool, &rpw, ':');
break;
}
}
ap_cfg_closefile(f);
if (!file_hash) {
return AUTH_USER_NOT_FOUND;
}
*rethash = file_hash;
#endif
return AUTH_USER_FOUND;
}
/*
* selinux_lookup_mapfile
*
* It lookups a matched entry from the given configuration file,
* and returns 1 with a copied cstring, if found. Otherwise, it returns 0.
*/
static int
selinux_lookup_mapfile(request_rec *r, const char *filename, char **domain)
{
const char *white_space = " \t\r\n";
ap_configfile_t *filp;
char buffer[MAX_STRING_LEN];
apr_status_t status;
char *user, *context, *pos;
int lineno = 0;
status = ap_pcfg_openfile(&filp, r->pool, filename);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, LOG_WARNING, status, r,
"Unable to open: %s", filename);
return -1;
}
while (ap_cfg_getline(buffer, sizeof(buffer), filp) == 0) {
lineno++;
/* skip empty line */
pos = strchr(buffer, '#');
if (pos)
*pos = '\0';
user = strtok_r(buffer, white_space, &pos);
if (!user)
continue;
context = strtok_r(NULL, white_space, &pos);
if (!context || strtok_r(NULL, white_space, &pos)) {
ap_log_rerror(APLOG_MARK, LOG_WARNING, 0, r,
"syntax error at %s:%d", filename, lineno);
continue;
}
if (!strcmp(user, "*") ||
(r->user && !strcmp(user, r->user)) ||
(!r->user && !strcmp(user, "__anonymous__")))
{
*domain = apr_pstrdup(r->pool, context);
ap_cfg_closefile(filp);
return 1;
}
}
/* not found */
ap_cfg_closefile(filp);
return 0;
}
static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile,
apr_table_t ** out)
{
ap_configfile_t *f;
apr_table_t *grps = apr_table_make(p, 15);
apr_pool_t *sp;
struct ap_varbuf vb;
const char *group_name, *ll, *w;
apr_status_t status;
apr_size_t group_len;
if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) {
return status ;
}
apr_pool_create(&sp, p);
ap_varbuf_init(p, &vb, VARBUF_INIT_LEN);
while (!(ap_varbuf_cfg_getline(&vb, f, VARBUF_MAX_LEN))) {
if ((vb.buf[0] == '#') || (!vb.buf[0])) {
continue;
}
ll = vb.buf;
apr_pool_clear(sp);
group_name = ap_getword(sp, &ll, ':');
group_len = strlen(group_name);
while (group_len && apr_isspace(*(group_name + group_len - 1))) {
--group_len;
}
while (ll[0]) {
w = ap_getword_conf(sp, &ll);
if (!strcmp(w, user)) {
apr_table_setn(grps, apr_pstrmemdup(p, group_name, group_len),
"in");
break;
}
}
}
ap_cfg_closefile(f);
apr_pool_destroy(sp);
ap_varbuf_free(&vb);
*out = grps;
return APR_SUCCESS;
}
static char *getSharedKey(request_rec *r,char *filename, char **static_pw) {
ap_regmatch_t regmatch[AP_MAX_REG_MATCH];
char l[MAX_STRING_LEN];
char *sharedKey = 0L;
apr_status_t status;
ap_configfile_t *f;
authn_google_config_rec *conf = ap_get_module_config(r->per_dir_config, &authn_google_module);
status = ap_pcfg_openfile(&f, r->pool, filename);
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"OPENING FILENAME %s",filename);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"check_password: Couldn't open password file: %s", filename);
return 0L;
}
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
/* If we have a password entry - return it, if the caller has asked for it */
if ((static_pw) && (!ap_regexec(passwd_regexp, l, AP_MAX_REG_MATCH, regmatch, 0))) {
*static_pw = ap_pregsub(r->pool, "$1", l,AP_MAX_REG_MATCH,regmatch);
if (conf->debugLevel)
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Using static password \"%s\"",*static_pw);
}
/* Skip comment or blank lines. */
if ((l[0] == '"') || (!l[0])) {
continue;
}
if (!sharedKey) {
sharedKey = apr_pstrdup(r->pool,l);
}
/* Scratch codes to follow */
}
ap_cfg_closefile(f);
return sharedKey;
}
static apr_table_t *groups_for_user(request_rec *r, char *user, char *grpfile)
{
apr_pool_t *p = r->pool;
ap_configfile_t *f;
apr_table_t *grps = apr_table_make(p, 15);
apr_pool_t *sp;
char l[MAX_STRING_LEN];
const char *group_name, *ll, *w;
apr_status_t status;
if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"Could not open group file: %s", grpfile);
return NULL;
}
apr_pool_create(&sp, p);
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
if ((l[0] == '#') || (!l[0])) {
continue;
}
ll = l;
apr_pool_clear(sp);
group_name = ap_getword(sp, &ll, ':');
while (ll[0]) {
w = ap_getword_conf(sp, &ll);
if (!strcmp(w, user)) {
apr_table_setn(grps, apr_pstrdup(p, group_name), "in");
break;
}
}
}
ap_cfg_closefile(f);
apr_pool_destroy(sp);
return grps;
}
static const char *proxylist_read(cmd_parms *cmd, void *cfg,
const char *filename)
{
char lbuf[MAX_STRING_LEN];
char *arg;
const char *args;
const char *errmsg;
ap_configfile_t *cfp;
apr_status_t rv;
filename = ap_server_root_relative(cmd->temp_pool, filename);
rv = ap_pcfg_openfile(&cfp, cmd->temp_pool, filename);
if (rv != APR_SUCCESS) {
return apr_psprintf(cmd->pool, "%s: Could not open file %s: %s",
cmd->cmd->name, filename,
apr_strerror(rv, lbuf, sizeof(lbuf)));
}
while (!(ap_cfg_getline(lbuf, MAX_STRING_LEN, cfp))) {
args = lbuf;
while (*(arg = ap_getword_conf(cmd->temp_pool, &args)) != '\0') {
if (*arg == '#') {
break;
}
errmsg = proxies_set(cmd, cfg, arg);
if (errmsg) {
ap_cfg_closefile(cfp);
errmsg = apr_psprintf(cmd->pool, "%s at line %d of %s",
errmsg, cfp->line_number, filename);
return errmsg;
}
}
}
ap_cfg_closefile(cfp);
return NULL;
}
static table *groups_for_user(pool *p, char *user, char *grpfile)
{
configfile_t *f;
table *grps = ap_make_table(p, 15);
pool *sp;
char l[MAX_STRING_LEN];
const char *group_name, *ll, *w;
if (!(f = ap_pcfg_openfile(p, grpfile))) {
/*add? aplog_error(APLOG_MARK, APLOG_ERR, NULL,
"Could not open group file: %s", grpfile);*/
return NULL;
}
sp = ap_make_sub_pool(p);
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
if ((l[0] == '#') || (!l[0]))
continue;
ll = l;
ap_clear_pool(sp);
group_name = ap_getword(sp, &ll, ':');
while (ll[0]) {
w = ap_getword_conf(sp, &ll);
if (!strcmp(w, user)) {
ap_table_setn(grps, ap_pstrdup(p, group_name), "in");
break;
}
}
}
ap_cfg_closefile(f);
ap_destroy_pool(sp);
return grps;
}
/* This provides a simple UI for accessing the key database
* used to grant access to users owning a yubikey or not.
*
* This is primarily a web version of htaccess.
*/
static int authn_yubikey_handler(request_rec *r)
{
ap_configfile_t *f;
char l[MAX_STRING_LEN];
apr_status_t status;
char *file_password = NULL;
char *yubiKeyId = NULL;
char *realName = NULL;
apr_file_t *dbFormFile = NULL;
yubiauth_dir_cfg *cfg = ap_get_module_config(r->per_dir_config, &authn_yubikey_module);
if (strcmp(r->handler, "authn_yubikey")) {
return DECLINED;
}
r->content_type = "text/html";
/* Post back */
if (r->method_number == M_POST) {
const char *postbackContent = NULL;
char *tmp = NULL;
char buffer[1024];
//Read the POST data sent from the client
ap_setup_client_block(r, REQUEST_CHUNKED_DECHUNK);
if ( ap_should_client_block(r) == 1 ) {
while ( ap_get_client_block(r, buffer, 1024) > 0 ) {
postbackContent = apr_pstrcat(r->pool, buffer, tmp, NULL);
//tmp = apr_pstrdup(r->pool, postbackContent);
}
}
else {
ap_rputs("No POST data available",r);
}
//We have the data now, now process it and save it into the db
ap_set_content_type(r, "text/plain;");
ap_rprintf(r, "Postback content: %s", postbackContent);
return OK;
}
/* Serve content if it's a GET request */
if (!r->header_only) {
ap_rputs("<html><head><title>YubiAuth user management</title></head><body>", r);
ap_rputs("<h1>Welcome to the YubiAuth user Mgmt.</h1><br>", r);
ap_rputs("The following users could be found inside the database:<br>", r);
//Open userDb file for looped output
status = ap_pcfg_openfile(&f, r->pool, cfg->userAuthDbFilename);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
LOG_PREFIX "Could not open YubiAuthUserDb file: %s",
cfg->userAuthDbFilename);
return HTTP_INTERNAL_SERVER_ERROR;
}
ap_rputs("<table><thead><tr><th>TokenId</th><th>Real Name</th></tr></thead><tbody>\n", r);
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
const char *rpw, *w;
/* Skip # or blank lines. */
if ((l[0] == '#') || (!l[0])) {
continue;
}
rpw = l;
w = ap_getword(r->pool, &rpw, ':');
//yubiKeyId = apr_pstrndup(r->pool, password, (apr_size_t) 12);
//realName = ap_getword(r->pool, &rpw, ':');
ap_rputs("<tr>", r);
ap_rprintf(r, "<td>%s</td>", w);
ap_rprintf(r, "<td>%s</td>\n", rpw);
ap_rputs("</tr>", r);
}
ap_cfg_closefile(f);
ap_rputs("</tbody></table>", r);
ap_rputs("<h1>Want to add a user?</h1>.", r);
ap_rputs("<form name=\"addUser\" method=\"POST\" action=\"/authme\">", r);
ap_rputs("<input type=\"text\" name=\"tokenId\">", r);
ap_rputs("<input type=\"text\" name=\"realUser\">", r);
ap_rputs("<input type=\"submit\" value=\"Add User\">", r);
ap_rputs("</form>", r);
ap_rputs("</body></html>", r);
}
//If we receive a POST to this location, we probably want to update the userdb
//be sure to check if there is a user set and that this user is allowed to change information
// inside the userdb, we cn authenticate the user with the OTP token here too.
//We should make the administrative user configurable, by specifying the token which is allowed
// access ...
return OK;
}
static int isUserValid(const char *user,
const char *password,
yubiauth_dir_cfg *cfg,
request_rec *r)
{
ap_configfile_t *f;
char l[MAX_STRING_LEN];
apr_status_t status;
char *file_password = NULL;
char *yubiKeyId = NULL;
char *userPassword = NULL;
apr_size_t passwordLength = 0;
char *realName = NULL;
int userWasFound = FALSE;
/* This is TRUE when we store a combination of yubikeyId:username:password,
* we then have a two factor authentication.
*/
int tokenHasPassword = FALSE;
status = ap_pcfg_openfile(&f, r->pool, cfg->userAuthDbFilename);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
LOG_PREFIX "Could not open AuthYkUserFile file: %s",
cfg->userAuthDbFilename);
return FALSE;
}
/* Do length check of at least the password part,
* to be a yubikey token, it has to have at least 44
* characters from where the first 12 are the ID of the user.
*/
if (strlen(password) < YUBIKEY_TOKEN_LENGTH) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
LOG_PREFIX "The entered password cannot be a yubikey generated token");
ap_cfg_closefile(f);
return FALSE;
}
/* If the password is bigger then 44 characters, then we have an additional password
* set into the field, since the produced token by the yubikey is 44 characters long
*/
passwordLength = (apr_size_t) strlen(password) - YUBIKEY_TOKEN_LENGTH;
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The length of the entered password is: %d", passwordLength);
/* We have to distinct between a 44 character string which is the
* toke output only and a longer string, which would contain a
* password at its beginning
*/
if (strlen(password) > YUBIKEY_TOKEN_LENGTH) {
/* copy off the password part from the password string */
userPassword = apr_pstrndup(r->pool, password, passwordLength);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The entered password is: %s", userPassword);
}
/* Now move the password pointer forward the number of calculatd characters for the userPassword,
* we move the pointer beyond the last read character (not -1), to start reading the real stuff
*/
yubiKeyId = apr_pstrndup(r->pool, &password[passwordLength], (apr_size_t) YUBIKEY_ID_LENGTH);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The calculated YubiKey ID is: %s", yubiKeyId);
/* Find the TokenID/UN:PW solution in the file */
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
const char *rpw, *w;
char *unPw = NULL;
/* Skip # or blank lines. */
if ((l[0] == '#') || (!l[0])) {
continue;
}
rpw = l;
w = ap_getword(r->pool, &rpw, ':');
/* The first 12 chars are the ID which must be available in this file
* else the user might be a yubikey user, but possibly a user we don't
* want.
*/
if (!strncmp(yubiKeyId, w, 12)) {
/* This would fetch the real username,
* after the ID could be located
*/
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "Could find the ID: %s", w);
/* remember, since we are working with the passwd
* utility, this realName is hashed
*/
realName = ap_getword(r->pool, &rpw, '\n');
apr_table_set(r->headers_in, HDR_YK_AUTH_TYPE, YK_AUTH_TYPE_OF);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The looked up realname is: %s", realName);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The looked up userPassword is: %s", userPassword);
/* this results in username:password as it should be entered in the install dialog */
if (userPassword) {
unPw = apr_pstrcat(r->pool, user, ":", userPassword, NULL);
apr_table_set(r->headers_in, HDR_YK_AUTH_TYPE, YK_AUTH_TYPE_TF);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The built un:pw combo is: %s", unPw);
}
/* If there is a password set, use the username:password combo,
* else just compare the username
*/
status = apr_password_validate(userPassword?unPw:user, realName);
if (status == APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "Could map ID %s to User: %s", w, user);
userWasFound = TRUE;
break;
}
}
}
ap_cfg_closefile(f);
return userWasFound;
}