*/
-
-
-#include "login.h"
+#include "common.h"
#include "options.h"
#include <ctype.h>
#include <unistd.h>
+// LDAP stuff
#define LDAP_DEPRECATED 1 // Required to use ldap_simple_bind_s
#include <ldap.h>
+// MySQL stuff
+#undef _GNU_SOURCE // HACK to silence compiler warning on redefinition in my_global.h
+#include <my_global.h>
+#include <mysql.h>
+
+
+
+
+
+/**
+ * Attempt to login by searching a MySQL database
+ * @param user - Username
+ * @param pass - Password
+ * @param db_host - Host running the DataBase
+ * @param db_user - User to search the database as
+ * @param db_pass - Password for the database user
+ * @param db_name - Name of the database to use
+ * @param db_table - Table to search in
+ * @returns Privelage level of the user or USER_UNAUTH for failure to authenticate
+ */
+UserType Login_MySQL(const char * user, const char * pass,
+ const char * db_host, const char * db_user, const char * db_pass, const char * db_name, const char * db_table)
+{
+ MYSQL * con = mysql_init(NULL);
+ if (con == NULL)
+ {
+ Log(LOGERR, "mysql_init failed - %s", mysql_error(con));
+ return USER_UNAUTH;
+ }
+
+ if (mysql_real_connect(con, db_host, db_user, db_pass, NULL, 0, NULL, 0) == NULL)
+ {
+ Log(LOGERR, "mysql_real_connect failed - %s", mysql_error(con));
+ mysql_close(con);
+ return USER_UNAUTH;
+ }
+
+ char buffer[BUFSIZ];
+
+ // Select the database
+ sprintf(buffer, "USE %s;", db_name);
+ if (mysql_query(con, buffer))
+ {
+ Log(LOGERR, "mysql_query failed - %s", mysql_error(con));
+ mysql_close(con);
+ return USER_UNAUTH;
+ }
+
+ // Search for the user
+ sprintf(buffer, "SELECT password FROM %s WHERE user_name = \"%s\";", db_table, user);
+ if (mysql_query(con, buffer))
+ {
+ Log(LOGERR, "mysql_query failed - %s", mysql_error(con));
+ mysql_close(con);
+ return USER_UNAUTH;
+ }
+
+ // Process the result
+ MYSQL_RES * result = mysql_store_result(con);
+ if (result == NULL)
+ {
+ Log(LOGERR, "mysql_store_result failed - %s", mysql_error(con));
+ mysql_close(con);
+ return USER_UNAUTH;
+ }
+
+ int num_fields = mysql_num_fields(result);
+ if (num_fields != 1)
+ {
+ Log(LOGERR, "The database may be corrupt; %d fields found, expected %d", num_fields, 1);
+ mysql_close(con);
+ return USER_UNAUTH;
+ }
+
+ UserType user_type = USER_UNAUTH;
+ MYSQL_ROW row;
+
+ // Get first row
+ if ((row = mysql_fetch_row(result)))
+ {
+ if (strcmp(crypt(pass, row[0]), row[0]) == 0)
+ {
+ user_type = USER_NORMAL;
+ }
+
+ // There should only be one row. Through a hissy fit if we see any more.
+ if ((row = mysql_fetch_row(result)))
+ {
+ Log(LOGERR, "Too many rows found.");
+ user_type = USER_UNAUTH;
+ }
+ }
+ else
+ {
+ Log(LOGERR, "No user matching %s", user);
+ }
+
+ //TODO: Handle administrator users somehow better than this
+ // UserCake stores the permission level in a seperate table to the username/password, which is annoying
+ if (user_type != USER_UNAUTH && strcmp(user, "admin") == 0)
+ {
+ user_type = USER_ADMIN;
+ }
+ mysql_free_result(result);
+ mysql_close(con);
+ return user_type;
+}
+
/**
* Attempt to login using a file formatted like /etc/shadow
- * This is here for horrible hack purposes
+ * This is here... because all better options have been exhausted
* @param user - The username
* @param pass - The password
- * @returns True if the login was successful, false otherwise
+ * @param shadow - The file to use
+ * @returns Privelage level of the user or USER_UNAUTH for failure to authenticate
*/
-bool Login_Shadow(const char * user, const char * pass, const char * shadow)
+UserType Login_Shadow(const char * user, const char * pass, const char * shadow)
{
if (strlen(user) + strlen(pass) >= BUFSIZ-1)
{
Log(LOGERR, "User/Password too long!\n");
- return false;
+ return USER_UNAUTH;
}
FILE * f = fopen(shadow, "r");
if (f == NULL)
{
Log(LOGERR,"Can't open %s - %s\n", shadow, strerror(errno));
- return false;
+ return USER_UNAUTH;
}
char buffer[BUFSIZ];
while (fgets(buffer, BUFSIZ, f) != NULL) // NOTE: Restrict username+password strings to BUFSIZ... what could possibly go wrong?
{
- Log(LOGDEBUG,"Scanning %d: %s", strlen(buffer), buffer);
+ //Log(LOGDEBUG,"Scanning %d: %s", strlen(buffer), buffer);
- for (int i = 0; i < BUFSIZ-1; ++i)
+ for (int i = 0; i < BUFSIZ-1 && buffer[i] != '\0'; ++i)
{
if (buffer[i] == ':')
{
if (strcmp(user,buffer) == 0)
{
- Log(LOGDEBUG,"User matches! %s\n", buffer);
+ //Log(LOGDEBUG,"User matches! %s\n", buffer);
break;
}
passwd_index = -1;
}
+ fclose(f);
+
if (passwd_index <= 0)
{
- Log(LOGDEBUG,"No user found matching %s\n", user);
- return false;
+ //Log(LOGDEBUG,"No user found matching %s\n", user);
+ return USER_UNAUTH;
}
- for (int i = passwd_index; i < BUFSIZ-1; ++i)
+ int gid_index = -1;
+ for (int i = passwd_index; i < BUFSIZ-1 && buffer[i] != '\0'; ++i)
{
- if (buffer[i] == ':' || buffer[i] == '\n')
+ if (buffer[i] == ':')
{
+ gid_index = i+1;
buffer[i] = '\0';
-
+ }
+ if (buffer[i] == '\n')
+ buffer[i] = '\0';
+ }
+ char * end = buffer+gid_index;
+ UserType user_type = USER_NORMAL;
+ if (gid_index > passwd_index && gid_index < BUFSIZ-1)
+ {
+ int gid = strtol(buffer+gid_index, &end,10);
+ Log(LOGDEBUG, "Usertype %d %s", gid, buffer+gid_index);
+ if (*end == '\0' && gid == 0)
+ {
+ Log(LOGDEBUG, "Admin");
+ user_type = USER_ADMIN;
}
}
break;
}
- Log(LOGDEBUG,"Salted Entry: %s\n", buffer+passwd_index);
- Log(LOGDEBUG,"Salted Attempt: %s\n", crypt(pass, salt));
+// Log(LOGDEBUG,"Salted Entry: %s\n", buffer+passwd_index);
+// Log(LOGDEBUG,"Salted Attempt: %s\n", crypt(pass, salt));
- return (strcmp(crypt(pass, salt), buffer+passwd_index) == 0);
+ if (strcmp(crypt(pass, salt), buffer+passwd_index) == 0)
+ {
+ return user_type;
+ }
+ return USER_UNAUTH;
}
/**
void Logout_Handler(FCGIContext * context, char * params)
{
FCGI_ReleaseControl(context);
- FCGI_AcceptJSON(context, "Logged out", "0");
+ FCGI_SendControlCookie(context, false); //Unset the cookie
+ FCGI_AcceptJSON(context, "Logged out");
}
/**
* Handle a Login Request
* @param context - The context
- * @param params - Parameter string, should contain username and password
+ * @param params - Parameter string, should contain username and password.
+ * NOTE: Care should be taken when using params, as it is
+ * completely unescaped. Do not log or use it without
+ * suitable escaping.
*/
void Login_Handler(FCGIContext * context, char * params)
{
user[i] = '\0';
- bool authenticated = true;
+ UserType user_type = USER_UNAUTH;
switch (g_options.auth_method)
{
case AUTH_LDAP:
{
- if (strlen(pass) <= 0)
+ if (*pass == '\0')
{
FCGI_RejectJSON(context, "No password supplied.");
return;
//TODO: Generate the DN in some sane way
char dn[BUFSIZ];
+
+
// On a simple LDAP server:
- int len = sprintf(dn, "uid=%s,%s", user, g_options.ldap_base_dn);
+ //int len = sprintf(dn, "uid=%s,%s", user, g_options.auth_options);
// At UWA (hooray)
- //char * user_type = (user[0] != '0') : "Students" ? "Staff";
- //int len = sprintf(dn, "cn=%s,ou=%s", user, user_type, g_options.ldap_dn_base);
+ char * user_group = "Students";
+ if (user[0] == '0')
+ user_group = "Staff";
+ int len = sprintf(dn, "cn=%s,ou=%s,%s", user, user_group, g_options.auth_options);
if (len >= BUFSIZ)
return;
}
- authenticated = (Login_LDAP_Bind(g_options.auth_uri, dn, pass) == LDAP_SUCCESS);
+ if (Login_LDAP_Bind(g_options.auth_uri, dn, pass) == LDAP_SUCCESS)
+ {
+ if (user[0] == '0')
+ user_type = USER_ADMIN;
+ else
+ user_type = USER_NORMAL;
+ }
break;
}
case AUTH_SHADOW:
{
- authenticated = Login_Shadow(user, pass, g_options.auth_uri);
+ user_type = Login_Shadow(user, pass, g_options.auth_uri);
+ break;
+ }
+ case AUTH_MYSQL:
+ {
+ //WARNING: C string manipulation code approaching!
+ // Non reentrent; uses strsep and modifies g_options.auth_options
+ // If problems happen, try strdup first ...
+ static char * db_opts[] = {"root", "", "users", "uc_users"};
+ static bool db_init_opts = false;
+ if (!db_init_opts)
+ {
+ db_init_opts = true;
+ db_opts[0] = (char*)g_options.auth_options;
+ for (int i = 1; i < sizeof(db_opts)/sizeof(char*); ++i)
+ {
+ char * def = db_opts[i];
+ db_opts[i] = db_opts[i-1];
+
+ strsep(db_opts+i, ",");
+ if (db_opts[i] == NULL)
+ {
+ db_opts[i] = def;
+ break;
+ }
+ }
+ //Log(LOGDEBUG, "MySQL: user %s pass %s name %s table %s", db_opts[0], db_opts[1], db_opts[2], db_opts[3]);
+ }
+
+ user_type = Login_MySQL(user, pass, g_options.auth_uri, db_opts[0],db_opts[1], db_opts[2], db_opts[3]);
break;
}
default:
{
Log(LOGWARN, "No authentication!");
+ user_type = USER_ADMIN;
break;
}
}
// error check
- if (!authenticated)
+ if (user_type == USER_UNAUTH)
{
+ Log(LOGDEBUG, "Authentication failure for %s", user);
FCGI_RejectJSONEx(context, STATUS_UNAUTHORIZED, "Authentication failure.");
}
else
{
- if (FCGI_LockControl(context, false))
+ // Try and gain control over the system
+ if (FCGI_LockControl(context, user, user_type))
{
- //Todo: change this to something better than the username if using LDAP.
- snprintf(context->friendly_name, 31, "%s", user);
- FCGI_EscapeText(context->friendly_name); //Don't break javascript pls
-
+ FCGI_EscapeText(context->user_name); //Don't break javascript pls
// Give the user a cookie
- FCGI_AcceptJSON(context, "Logged in", context->control_key);
+ FCGI_SendControlCookie(context, true); //Send the control key
+ FCGI_AcceptJSON(context, "Logged in");
+ Log(LOGDEBUG, "Successful authentication for %s", user);
}
else
{
- FCGI_RejectJSON(context, "Someone else is already logged in");
+ Log(LOGDEBUG, "%s successfully authenticated but system was in use by %s", user, context->user_name);
+ FCGI_RejectJSON(context, "Someone else is already logged in (and you are not an admin)");
}
}
}
git.ucc.asn.au / matches / MCTX3420.git / blobdiff
UCC git Repository :: git.ucc.asn.au