From b2abb387a3a526e85ad7303346087640ff3c017c Mon Sep 17 00:00:00 2001 From: Frank Ueberschar Date: Sun, 14 Oct 2018 12:30:39 +0200 Subject: [PATCH] pam: enabled "User" to have a console config - the resource name "User" can now be used to declare config parameters the same way as a "Console", this is intended to specify ACL - renamed some function names - renamed some variable names - reworked the authentication program-flow on failure states --- core/src/dird/auth_pam.cc | 2 +- core/src/dird/auth_pam.h | 2 +- core/src/dird/authenticate.cc | 74 ++++++++++++++++++----------------- core/src/dird/dird_conf.cc | 1 + 4 files changed, 41 insertions(+), 38 deletions(-) diff --git a/core/src/dird/auth_pam.cc b/core/src/dird/auth_pam.cc index 89701b35020..dc29a9a3e06 100644 --- a/core/src/dird/auth_pam.cc +++ b/core/src/dird/auth_pam.cc @@ -137,7 +137,7 @@ static int PamConversionCallback(int num_msg, const struct pam_message **msgm, return PAM_SUCCESS; } -bool PamAuthenticateUseragent(BareosSocket *UA_sock, +bool PamAuthenticateUser(BareosSocket *UA_sock, const std::string &username_in, const std::string &password_in, std::string& authenticated_username) diff --git a/core/src/dird/auth_pam.h b/core/src/dird/auth_pam.h index ef13209a708..41dc191b8fc 100644 --- a/core/src/dird/auth_pam.h +++ b/core/src/dird/auth_pam.h @@ -25,7 +25,7 @@ #include class BareosSocket; -bool PamAuthenticateUseragent(BareosSocket *UA_sock, +bool PamAuthenticateUser(BareosSocket *UA_sock, const std::string &username, const std::string &passwd, std::string& authenticated_username); diff --git a/core/src/dird/authenticate.cc b/core/src/dird/authenticate.cc index ae266c9b465..68e5196ef35 100644 --- a/core/src/dird/authenticate.cc +++ b/core/src/dird/authenticate.cc 
@@ -58,7 +58,7 @@ static char OKhello[] = "3000 OK Hello\n"; static char FDOKhello[] = "2000 OK Hello\n"; static char FDOKnewHello[] = "2000 OK Hello %d\n"; -static char Dir_sorry[] = "1999 You are not authorized.\n"; +static char dir_not_authorized_message[] = "1999 You are not authorized.\n"; bool AuthenticateWithStorageDaemon(BareosSocket* sd, JobControlRecord *jcr, StorageResource *store) { @@ -205,7 +205,7 @@ bool AuthenticateFileDaemon(BareosSocket *fd, char *client_name) * Authorization Completed */ if (!auth_success) { - fd->fsend("%s", _(Dir_sorry)); + fd->fsend("%s", _(dir_not_authorized_message)); Emsg4(M_ERROR, 0, _("Unable to authenticate client \"%s\" at %s:%s:%d.\n"), client_name, fd->who(), fd->host(), fd->port()); sleep(5); @@ -244,10 +244,10 @@ static bool GetConsoleName(BareosSocket *ua_sock, std::string &name) return true; } -static void SendErrorMessage(std::string name_console, UaContext *ua) +static void SendErrorMessage(std::string console_name, UaContext *ua) { - ua->UA_sock->fsend("%s", _(Dir_sorry)); - Emsg4(M_ERROR, 0, _("Unable to authenticate console \"%s\" at %s:%s:%d.\n"), name_console.c_str(), + ua->UA_sock->fsend("%s", _(dir_not_authorized_message)); + Emsg4(M_ERROR, 0, _("Unable to authenticate console \"%s\" at %s:%s:%d.\n"), console_name.c_str(), ua->UA_sock->who(), ua->UA_sock->host(), ua->UA_sock->port()); sleep(5); } 
@@ -257,47 +257,48 @@ static void SendOkMessage(UaContext *ua) ua->UA_sock->fsend(_("1000 OK: %s Version: %s (%s)\n"), my_name, VERSION, BDATE); } -static bool TryAuthenticateRootConsole(std::string name_console, UaContext *ua, bool &auth_success) +static bool OptionalAuthenticateRootConsole(std::string console_name, UaContext *ua, bool &auth_success) { - const std::string name_root_console { "*UserAgent*" }; - if (name_console == name_root_console) { - auth_success = ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", name_root_console.c_str(), me->password, me); - return true; + const std::string root_console_name { "*UserAgent*" }; + if (console_name != root_console_name) { + return false; /* no need to evaluate auth_success */ } - return false; + auth_success = ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", root_console_name.c_str(), me->password, me); + return true; } -static bool TryAuthenticateNamedConsole(std::string name_console, UaContext *ua, bool &auth_success) +static void AuthenticateNamedConsole(std::string console_name, UaContext *ua, bool &auth_success) { ConsoleResource *cons; - cons = (ConsoleResource *)my_config->GetResWithName(R_CONSOLE, name_console.c_str()); - if (cons) { - if (!ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", name_console.c_str(), cons->password, cons)) { - ua->cons = nullptr; - auth_success = false; - } else { - ua->cons = cons; - auth_success = true; - } - return true; + cons = (ConsoleResource *)my_config->GetResWithName(R_CONSOLE, console_name.c_str()); + if (!cons) { /* if console resource cannot be obtained is treated as an error */ + auth_success = false; + return; + } + if (!ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", console_name.c_str(), cons->password, cons)) { + ua->cons = nullptr; + auth_success = false; + } else { + ua->cons = cons; + auth_success = true; } - return false; } -static bool TryAuthenticatePamConsole(std::string name_console, UaContext *ua, bool 
&auth_success) +static bool OptionalAuthenticatePamUser(std::string console_name, UaContext *ua, bool &auth_success) { - ConsoleResource *cons = (ConsoleResource *)my_config->GetResWithName(R_CONSOLE, name_console.c_str()); + ConsoleResource *cons = (ConsoleResource *)my_config->GetResWithName(R_CONSOLE, console_name.c_str()); - if (!cons) { + if (!cons) { /* if console resource cannot be obtained is treated as an error */ auth_success = false; return true; } + /* no need to evaluate auth_success if no pam is required */ if (!cons->use_pam_authentication_) { return false; } #if defined(HAVE_PAM) std::string authenticated_username; - if (!PamAuthenticateUseragent(ua->UA_sock, std::string(), std::string(), authenticated_username)) { + if (!PamAuthenticateUser(ua->UA_sock, std::string(), std::string(), authenticated_username)) { ua->cons = nullptr; auth_success = false; } else { 
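Review bot: In `AuthenticateNamedConsole` and `OptionalAuthenticatePamUser`, an unknown console name sets `auth_success = false` before `AuthenticateInboundConnection` is ever called, so the peer can tell "no such console" from "wrong password" by whether a challenge exchange precedes the 1999 reply; assuming AuthenticateInboundConnection performs a visible challenge/response (its body is outside this patch), that is a console-name enumeration oracle which the rework preserves rather than closes. Consider running the same inbound authentication against a throwaway credential when the resource is missing so the observable protocol flow does not depend on whether the name exists, and have the two functions share the `GetResWithName(R_CONSOLE, ...)` lookup so the missing-resource handling is not duplicated. The comment on that branch also reads oddly in both functions; `/* a console resource that cannot be looked up is treated as an authentication failure */` says what was meant. The success branch of OptionalAuthenticatePamUser continues outside the hunk.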
@@ -316,36 +317,37 @@ static bool TryAuthenticatePamConsole(std::string name_console, UaContext *ua, b bool AuthenticateUserAgent(UaContext *ua) { - std::string name_console; - if (!GetConsoleName(ua->UA_sock, name_console)) { + std::string console_name; + if (!GetConsoleName(ua->UA_sock, console_name)) { return false; } if (NumberOfConsoleConnectionsExceeded()) { - ua->UA_sock->fsend("%s", _(Dir_sorry)); + ua->UA_sock->fsend("%s", _(dir_not_authorized_message)); Emsg0(M_ERROR, 0, _("Number of console connections exceeded MaximumConsoleConnections\n")); return false; } bool auth_success = false; - if (TryAuthenticateRootConsole(name_console, ua, auth_success)) { + if (OptionalAuthenticateRootConsole(console_name, ua, auth_success)) { if (!auth_success) { - SendErrorMessage(name_console, ua); + SendErrorMessage(console_name, ua); return false; } else { SendOkMessage(ua); } - } else if (TryAuthenticateNamedConsole(name_console, ua, auth_success)) { + } else { + AuthenticateNamedConsole(console_name, ua, auth_success); if (!auth_success) { - SendErrorMessage(name_console, ua); + SendErrorMessage(console_name, ua); return false; } else { SendOkMessage(ua); } - if (TryAuthenticatePamConsole(name_console, ua, auth_success)) { + if (OptionalAuthenticatePamUser(console_name, ua, auth_success)) { if (!auth_success) { - SendErrorMessage(name_console, ua); + SendErrorMessage(console_name, ua); return false; } } diff --git a/core/src/dird/dird_conf.cc b/core/src/dird/dird_conf.cc index 94e02d00499..3620ebc7900 100644 --- a/core/src/dird/dird_conf.cc +++ b/core/src/dird/dird_conf.cc 
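Review bot: `SendOkMessage(ua)` is emitted as soon as the named-console credential check passes, before `OptionalAuthenticatePamUser` has run, so a PAM-enabled console receives "1000 OK" and may then receive the not-authorized message; that is presumably intentional because the PAM dialog continues over the same socket, but nothing in AuthenticateUserAgent says so. A comment before the PAM call, `/* the OK above only acknowledges the console credentials; if use_pam_authentication_ is set, the PAM dialog follows and may still reject the login */`, would stop a reader from treating the OK as the final verdict. Note also that the exceeded-connections path sends the not-authorized message without the `sleep(5)` that SendErrorMessage applies, so failed attempts are throttled inconsistently depending on which check rejects them. The function's final return is outside the hunk.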
@@ -593,6 +593,7 @@ static ResourceTable resources[] = {
 { "Counter", counter_items, R_COUNTER, sizeof(CounterResource) },
 { "Profile", profile_items, R_PROFILE, sizeof(ProfileResource) },
 { "Console", con_items, R_CONSOLE, sizeof(ConsoleResource), [] (void *res){ return new((ConsoleResource *) res) ConsoleResource(); } },
+ { "User", con_items, R_CONSOLE, sizeof(ConsoleResource), [] (void *res){ return new((ConsoleResource *) res) ConsoleResource(); } },
 { "Device", NULL, R_DEVICE, sizeof(DeviceResource) }, /* info obtained from SD */
 { NULL, NULL, 0, 0, nullptr }
 };
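Review bot: The new `"User"` entry reuses `con_items` and the `R_CONSOLE` type code, so the parsed resource is indistinguishable from a Console; assuming GetResWithName matches on type code and name alone, `AuthenticateNamedConsole` in authenticate.cc will accept a User resource's Name and Password as an ordinary console login, and a User resource must satisfy every mandatory Console item even though the commit message says it is meant only to carry ACLs for PAM-authenticated users. If Users are not meant to log in directly, give them a distinct resource type code or a flag on ConsoleResource that the console lookup rejects, and state the intent on this line: `/* "User" shares the Console item table; intended for PAM ACL only, see authenticate.cc */`.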