pam: enabled "User" to have a console config
- the resource name "User" can now be used to declare config parameters
  in the same way as a "Console"; this is intended for specifying ACLs
- renamed some function names
- renamed some variable names
- reworked the authentication program-flow on failure states
franku committed Oct 30, 2018
1 parent 0bc514b commit 210c8eb
Showing 4 changed files with 41 additions and 38 deletions.
2 changes: 1 addition & 1 deletion core/src/dird/auth_pam.cc
Expand Up @@ -137,7 +137,7 @@ static int PamConversionCallback(int num_msg, const struct pam_message **msgm,
return PAM_SUCCESS;
}

bool PamAuthenticateUseragent(BareosSocket *UA_sock,
bool PamAuthenticateUser(BareosSocket *UA_sock,
const std::string &username_in,
const std::string &password_in,
std::string& authenticated_username)
2 changes: 1 addition & 1 deletion core/src/dird/auth_pam.h
Expand Up @@ -25,7 +25,7 @@
#include <string>

class BareosSocket;
bool PamAuthenticateUseragent(BareosSocket *UA_sock,
bool PamAuthenticateUser(BareosSocket *UA_sock,
const std::string &username,
const std::string &passwd,
std::string& authenticated_username);
74 changes: 38 additions & 36 deletions core/src/dird/authenticate.cc
Expand Up @@ -58,7 +58,7 @@ static char OKhello[] = "3000 OK Hello\n";
static char FDOKhello[] = "2000 OK Hello\n";
static char FDOKnewHello[] = "2000 OK Hello %d\n";

static char Dir_sorry[] = "1999 You are not authorized.\n";
static char dir_not_authorized_message[] = "1999 You are not authorized.\n";

bool AuthenticateWithStorageDaemon(BareosSocket* sd, JobControlRecord *jcr, StorageResource *store)
{
Expand Down Expand Up @@ -205,7 +205,7 @@ bool AuthenticateFileDaemon(BareosSocket *fd, char *client_name)
* Authorization Completed
*/
if (!auth_success) {
fd->fsend("%s", _(Dir_sorry));
fd->fsend("%s", _(dir_not_authorized_message));
Emsg4(M_ERROR, 0, _("Unable to authenticate client \"%s\" at %s:%s:%d.\n"), client_name, fd->who(),
fd->host(), fd->port());
sleep(5);
Expand Down Expand Up @@ -244,10 +244,10 @@ static bool GetConsoleName(BareosSocket *ua_sock, std::string &name)
return true;
}

static void SendErrorMessage(std::string name_console, UaContext *ua)
static void SendErrorMessage(std::string console_name, UaContext *ua)
{
ua->UA_sock->fsend("%s", _(Dir_sorry));
Emsg4(M_ERROR, 0, _("Unable to authenticate console \"%s\" at %s:%s:%d.\n"), name_console.c_str(),
ua->UA_sock->fsend("%s", _(dir_not_authorized_message));
Emsg4(M_ERROR, 0, _("Unable to authenticate console \"%s\" at %s:%s:%d.\n"), console_name.c_str(),
ua->UA_sock->who(), ua->UA_sock->host(), ua->UA_sock->port());
sleep(5);
}
Expand All @@ -257,47 +257,48 @@ static void SendOkMessage(UaContext *ua)
ua->UA_sock->fsend(_("1000 OK: %s Version: %s (%s)\n"), my_name, VERSION, BDATE);
}

static bool TryAuthenticateRootConsole(std::string name_console, UaContext *ua, bool &auth_success)
static bool OptionalAuthenticateRootConsole(std::string console_name, UaContext *ua, bool &auth_success)
{
const std::string name_root_console { "*UserAgent*" };
if (name_console == name_root_console) {
auth_success = ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", name_root_console.c_str(), me->password, me);
return true;
const std::string root_console_name { "*UserAgent*" };
if (console_name != root_console_name) {
return false; /* no need to evaluate auth_success */
}
return false;
auth_success = ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", root_console_name.c_str(), me->password, me);
return true;
}

static bool TryAuthenticateNamedConsole(std::string name_console, UaContext *ua, bool &auth_success)
static void AuthenticateNamedConsole(std::string console_name, UaContext *ua, bool &auth_success)
{
ConsoleResource *cons;
cons = (ConsoleResource *)my_config->GetResWithName(R_CONSOLE, name_console.c_str());
if (cons) {
if (!ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", name_console.c_str(), cons->password, cons)) {
ua->cons = nullptr;
auth_success = false;
} else {
ua->cons = cons;
auth_success = true;
}
return true;
cons = (ConsoleResource *)my_config->GetResWithName(R_CONSOLE, console_name.c_str());
if (!cons) { /* if console resource cannot be obtained is treated as an error */
auth_success = false;
return;
}
if (!ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", console_name.c_str(), cons->password, cons)) {
ua->cons = nullptr;
auth_success = false;
} else {
ua->cons = cons;
auth_success = true;
}
return false;
}

static bool TryAuthenticatePamConsole(std::string name_console, UaContext *ua, bool &auth_success)
static bool OptionalAuthenticatePamUser(std::string console_name, UaContext *ua, bool &auth_success)
{
ConsoleResource *cons = (ConsoleResource *)my_config->GetResWithName(R_CONSOLE, name_console.c_str());
ConsoleResource *cons = (ConsoleResource *)my_config->GetResWithName(R_CONSOLE, console_name.c_str());

if (!cons) {
if (!cons) { /* if console resource cannot be obtained is treated as an error */
auth_success = false;
return true;
}

/* no need to evaluate auth_success if no pam is required */
if (!cons->use_pam_authentication_) { return false; }

#if defined(HAVE_PAM)
std::string authenticated_username;
if (!PamAuthenticateUseragent(ua->UA_sock, std::string(), std::string(), authenticated_username)) {
if (!PamAuthenticateUser(ua->UA_sock, std::string(), std::string(), authenticated_username)) {
ua->cons = nullptr;
auth_success = false;
} else {
Expand All @@ -316,36 +317,37 @@ static bool TryAuthenticatePamConsole(std::string name_console, UaContext *ua, b

bool AuthenticateUserAgent(UaContext *ua)
{
std::string name_console;
if (!GetConsoleName(ua->UA_sock, name_console)) {
std::string console_name;
if (!GetConsoleName(ua->UA_sock, console_name)) {
return false;
}

if (NumberOfConsoleConnectionsExceeded()) {
ua->UA_sock->fsend("%s", _(Dir_sorry));
ua->UA_sock->fsend("%s", _(dir_not_authorized_message));
Emsg0(M_ERROR, 0, _("Number of console connections exceeded MaximumConsoleConnections\n"));
return false;
}

bool auth_success = false;

if (TryAuthenticateRootConsole(name_console, ua, auth_success)) {
if (OptionalAuthenticateRootConsole(console_name, ua, auth_success)) {
if (!auth_success) {
SendErrorMessage(name_console, ua);
SendErrorMessage(console_name, ua);
return false;
} else {
SendOkMessage(ua);
}
} else if (TryAuthenticateNamedConsole(name_console, ua, auth_success)) {
} else {
AuthenticateNamedConsole(console_name, ua, auth_success);
if (!auth_success) {
SendErrorMessage(name_console, ua);
SendErrorMessage(console_name, ua);
return false;
} else {
SendOkMessage(ua);
}
if (TryAuthenticatePamConsole(name_console, ua, auth_success)) {
if (OptionalAuthenticatePamUser(console_name, ua, auth_success)) {
if (!auth_success) {
SendErrorMessage(name_console, ua);
SendErrorMessage(console_name, ua);
return false;
}
}
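Review bot: In the named-console branch of AuthenticateUserAgent, `SendOkMessage(ua);` (the line before `OptionalAuthenticatePamUser` is called) is sent before the PAM step runs, so a session that fails PAM receives "1000 OK" and then "1999 You are not authorized." from `SendErrorMessage`. If the console protocol requires the OK before the PAM conversation can start, that ordering is intentional and should be documented at the call, e.g. `/* 1000 OK only acknowledges the console credential; the PAM user check below may still reject the session */`; if it is not required, moving `SendOkMessage(ua)` after the PAM block avoids acknowledging a session that is then rejected. Separately, `OptionalAuthenticatePamUser` repeats the `GetResWithName(R_CONSOLE, ...)` lookup that `AuthenticateNamedConsole` just performed and stored in `ua->cons`; reading `ua->cons` there would keep both steps operating on the same resource. AuthenticateUserAgent's body continues past the end of this hunk, and OptionalAuthenticatePamUser's body is cut off in the earlier hunk.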
1 change: 1 addition & 0 deletions core/src/dird/dird_conf.cc
Expand Up @@ -593,6 +593,7 @@ static ResourceTable resources[] = {
{ "Counter", counter_items, R_COUNTER, sizeof(CounterResource) },
{ "Profile", profile_items, R_PROFILE, sizeof(ProfileResource) },
{ "Console", con_items, R_CONSOLE, sizeof(ConsoleResource), [] (void *res){ return new((ConsoleResource *) res) ConsoleResource(); } },
{ "User", con_items, R_CONSOLE, sizeof(ConsoleResource), [] (void *res){ return new((ConsoleResource *) res) ConsoleResource(); } },
{ "Device", NULL, R_DEVICE, sizeof(DeviceResource) }, /* info obtained from SD */
{ NULL, NULL, 0, 0, nullptr }
};
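Review bot: The new `"User"` entry shares `con_items` and `R_CONSOLE` with the `"Console"` entry on the line above it, so `GetResWithName(R_CONSOLE, name)` in authenticate.cc cannot tell a User resource from a Console resource; a User's password satisfies the named-console authentication step exactly as a Console's does. If User is meant only to carry ACL parameters, that equivalence deserves a comment on the entry, e.g. `/* "User" is parsed with the Console items and stored as R_CONSOLE: it authenticates like a Console */`. The placement-new lambda is duplicated verbatim from the Console line; a single named helper used by both entries would keep them in step.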
