Merge c0de69f into d4ed13d

Yubico · Dec 7, 2020 · 1d98e5f · 1d98e5f
2 parents d4ed13d + c0de69f
commit 1d98e5f
Show file tree

Hide file tree

Showing 11 changed files with 441 additions and 19 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -32,7 +32,7 @@ jobs:
       run: |
         sudo apt update
         sudo apt install -y libykclient-dev libykpers-1-dev libyubikey-dev \
-          libpam-dev help2man asciidoc-base
+          libpam-dev help2man asciidoc-base libmysqlclient-dev
         autoreconf --install
         ./configure
         make

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -8,7 +8,7 @@ on:
 env:
   SCAN_IMG:
     yubico-yes-docker-local.jfrog.io/static-code-analysis/c:v1
-  COMPILE_DEPS: "libykclient-dev libykpers-1-dev libyubikey-dev"
+  COMPILE_DEPS: "libykclient-dev libykpers-1-dev libyubikey-dev libmysqlclient-dev"
 
 jobs:
   build:

diff --git a/.travis.yml b/.travis.yml
@@ -1,4 +1,3 @@
-sudo: required
 language: c
 os:
   - linux
@@ -7,13 +6,14 @@ compiler:
   - gcc
   - clang
 env:
-  - CONFIGURE_ARGS="" EXTRA="libldap2-dev libykpers-1-dev libnet-ldap-server-perl"
-  - CONFIGURE_ARGS="--without-ldap" EXTRA="libykpers-1-dev"
-  - CONFIGURE_ARGS="--without-cr" EXTRA="libldap2-dev libnet-ldap-server-perl"
-  - CONFIGURE_ARGS="--without-ldap --without-cr"
+  - CONFIGURE_ARGS="" EXTRA="libldap2-dev libykpers-1-dev libnet-ldap-server-perl libmysqlclient-dev"
+  - CONFIGURE_ARGS="--without-ldap" EXTRA="libykpers-1-dev libmysqlclient-dev"
+  - CONFIGURE_ARGS="--without-cr" EXTRA="libldap2-dev libnet-ldap-server-perl libmysqlclient-dev"
+  - CONFIGURE_ARGS="--without-ldap --without-cr" EXTRA="libmysqlclient-dev"
 script: tests/aux/build-and-test.sh
-matrix:
+jobs:
+  install: travis_wait 30 mvn install
   include:
     - compiler: gcc
       os: linux
-      env: COVERAGE="--enable-coverage" EXTRA="libldap2-dev libykpers-1-dev libnet-ldap-server-perl lcov"
+      env: COVERAGE="--enable-coverage" EXTRA="libldap2-dev libykpers-1-dev libnet-ldap-server-perl lcov libmysqlclient-dev"
diff --git a/Makefile.am b/Makefile.am
@@ -45,7 +45,12 @@ pam_yubico_la_LDFLAGS = -module -avoid-version
 
 noinst_LTLIBRARIES = libpam_util.la libpam_real.la
 libpam_util_la_SOURCES = util.c util.h
-libpam_util_la_LIBADD = @LTLIBYUBIKEY@ @YKPERS_LIBS@
+libpam_util_la_LIBADD = @LTLIBYUBIKEY@ @YKPERS_LIBS@ 
+
+# if MYSQL_SUPPORT
+AM_CFLAGS += @MYSQL_CFLAGS@
+libpam_util_la_LIBADD += @MYSQL_LIBS@
+# endif
 
 libpam_real_la_SOURCES = pam_yubico.c
 

diff --git a/ax_compare_version.m4 b/ax_compare_version.m4
@@ -0,0 +1,164 @@
+dnl (from http://autoconf-archive.cryp.to/ax_compare_version.m4 )
+dnl
+dnl @synopsis AX_COMPARE_VERSION(VERSION_A, OP, VERSION_B, [ACTION-IF-TRUE], [ACTION-IF-FALSE])
+dnl
+dnl This macro compares two version strings. It is used heavily in the
+dnl macro _AX_PATH_BDB for library checking. Due to the various number
+dnl of minor-version numbers that can exist, and the fact that string
+dnl comparisons are not compatible with numeric comparisons, this is
+dnl not necessarily trivial to do in a autoconf script. This macro
+dnl makes doing these comparisons easy.
+dnl
+dnl The six basic comparisons are available, as well as checking
+dnl equality limited to a certain number of minor-version levels.
+dnl
+dnl The operator OP determines what type of comparison to do, and can
+dnl be one of:
+dnl
+dnl  eq  - equal (test A == B)
+dnl  ne  - not equal (test A != B)
+dnl  le  - less than or equal (test A <= B)
+dnl  ge  - greater than or equal (test A >= B)
+dnl  lt  - less than (test A < B)
+dnl  gt  - greater than (test A > B)
+dnl
+dnl Additionally, the eq and ne operator can have a number after it to
+dnl limit the test to that number of minor versions.
+dnl
+dnl  eq0 - equal up to the length of the shorter version
+dnl  ne0 - not equal up to the length of the shorter version
+dnl  eqN - equal up to N sub-version levels
+dnl  neN - not equal up to N sub-version levels
+dnl
+dnl When the condition is true, shell commands ACTION-IF-TRUE are run,
+dnl otherwise shell commands ACTION-IF-FALSE are run. The environment
+dnl variable 'ax_compare_version' is always set to either 'true' or
+dnl 'false' as well.
+dnl
+dnl Examples:
+dnl
+dnl   AX_COMPARE_VERSION([3.15.7],[lt],[3.15.8])
+dnl   AX_COMPARE_VERSION([3.15],[lt],[3.15.8])
+dnl
+dnl would both be true.
+dnl
+dnl   AX_COMPARE_VERSION([3.15.7],[eq],[3.15.8])
+dnl   AX_COMPARE_VERSION([3.15],[gt],[3.15.8])
+dnl
+dnl would both be false.
+dnl
+dnl   AX_COMPARE_VERSION([3.15.7],[eq2],[3.15.8])
+dnl
+dnl would be true because it is only comparing two minor versions.
+dnl
+dnl   AX_COMPARE_VERSION([3.15.7],[eq0],[3.15])
+dnl
+dnl would be true because it is only comparing the lesser number of
+dnl minor versions of the two values.
+dnl
+dnl Note: The characters that separate the version numbers do not
+dnl matter. An empty string is the same as version 0. OP is evaluated
+dnl by autoconf, not configure, so must be a string, not a variable.
+dnl
+dnl The author would like to acknowledge Guido Draheim whose advice
+dnl about the m4_case and m4_ifvaln functions make this macro only
+dnl include the portions necessary to perform the specific comparison
+dnl specified by the OP argument in the final configure script.
+dnl
+dnl @category Misc
+dnl @author Tim Toolan <toolan@ele.uri.edu>
+dnl @version 2004-03-01
+dnl @license GPLWithACException
+
+dnl #########################################################################
+AC_DEFUN([AX_COMPARE_VERSION], [
+  # Used to indicate true or false condition
+  ax_compare_version=false
+
+  # Convert the two version strings to be compared into a format that
+  # allows a simple string comparison.  The end result is that a version
+  # string of the form 1.12.5-r617 will be converted to the form
+  # 0001001200050617.  In other words, each number is zero padded to four
+  # digits, and non digits are removed.
+  AS_VAR_PUSHDEF([A],[ax_compare_version_A])
+  A=`echo "$1" | sed -e 's/\([[0-9]]*\)/Z\1Z/g' \
+                     -e 's/Z\([[0-9]]\)Z/Z0\1Z/g' \
+                     -e 's/Z\([[0-9]][[0-9]]\)Z/Z0\1Z/g' \
+                     -e 's/Z\([[0-9]][[0-9]][[0-9]]\)Z/Z0\1Z/g' \
+                     -e 's/[[^0-9]]//g'`
+
+  AS_VAR_PUSHDEF([B],[ax_compare_version_B])
+  B=`echo "$3" | sed -e 's/\([[0-9]]*\)/Z\1Z/g' \
+                     -e 's/Z\([[0-9]]\)Z/Z0\1Z/g' \
+                     -e 's/Z\([[0-9]][[0-9]]\)Z/Z0\1Z/g' \
+                     -e 's/Z\([[0-9]][[0-9]][[0-9]]\)Z/Z0\1Z/g' \
+                     -e 's/[[^0-9]]//g'`
+
+  dnl # In the case of le, ge, lt, and gt, the strings are sorted as necessary
+  dnl # then the first line is used to determine if the condition is true.
+  dnl # The sed right after the echo is to remove any indented white space.
+  m4_case(m4_tolower($2),
+  [lt],[
+    ax_compare_version=`echo "x$A
+x$B" | sed 's/^ *//' | sort -r | sed "s/x${A}/false/;s/x${B}/true/;1q"`
+  ],
+  [gt],[
+    ax_compare_version=`echo "x$A
+x$B" | sed 's/^ *//' | sort | sed "s/x${A}/false/;s/x${B}/true/;1q"`
+  ],
+  [le],[
+    ax_compare_version=`echo "x$A
+x$B" | sed 's/^ *//' | sort | sed "s/x${A}/true/;s/x${B}/false/;1q"`
+  ],
+  [ge],[
+    ax_compare_version=`echo "x$A
+x$B" | sed 's/^ *//' | sort -r | sed "s/x${A}/true/;s/x${B}/false/;1q"`
+  ],[
+    dnl Split the operator from the subversion count if present.
+    m4_bmatch(m4_substr($2,2),
+    [0],[
+      # A count of zero means use the length of the shorter version.
+      # Determine the number of characters in A and B.
+      ax_compare_version_len_A=`echo "$A" | awk '{print(length)}'`
+      ax_compare_version_len_B=`echo "$B" | awk '{print(length)}'`
+
+      # Set A to no more than B's length and B to no more than A's length.
+      A=`echo "$A" | sed "s/\(.\{$ax_compare_version_len_B\}\).*/\1/"`
+      B=`echo "$B" | sed "s/\(.\{$ax_compare_version_len_A\}\).*/\1/"`
+    ],
+    [[0-9]+],[
+      # A count greater than zero means use only that many subversions
+      A=`echo "$A" | sed "s/\(\([[0-9]]\{4\}\)\{m4_substr($2,2)\}\).*/\1/"`
+      B=`echo "$B" | sed "s/\(\([[0-9]]\{4\}\)\{m4_substr($2,2)\}\).*/\1/"`
+    ],
+    [.+],[
+      AC_WARNING(
+        [illegal OP numeric parameter: $2])
+    ],[])
+
+    # Pad zeros at end of numbers to make same length.
+    ax_compare_version_tmp_A="$A`echo $B | sed 's/./0/g'`"
+    B="$B`echo $A | sed 's/./0/g'`"
+    A="$ax_compare_version_tmp_A"
+
+    # Check for equality or inequality as necessary.
+    m4_case(m4_tolower(m4_substr($2,0,2)),
+    [eq],[
+      test "x$A" = "x$B" && ax_compare_version=true
+    ],
+    [ne],[
+      test "x$A" != "x$B" && ax_compare_version=true
+    ],[
+      AC_WARNING([illegal OP parameter: $2])
+    ])
+  ])
+
+  AS_VAR_POPDEF([A])dnl
+  AS_VAR_POPDEF([B])dnl
+
+  dnl # Execute ACTION-IF-TRUE / ACTION-IF-FALSE.
+  if test "$ax_compare_version" = "true" ; then
+    m4_ifvaln([$4],[$4],[:])dnl
+    m4_ifvaln([$5],[else $5])dnl
+  fi
+]) dnl AX_COMPARE_VERSION
diff --git a/configure.ac b/configure.ac
@@ -75,6 +75,20 @@ AC_ARG_WITH([ldap],
                  [libldap not found, will not be compiled (--without-ldap to disable ldap support)])],
               [])])
 
+AC_ARG_WITH([mysql],
+            [AS_HELP_STRING([--without-mysql],
+              [disable support for mysql])],
+            [],
+            [with_mysql=yes])
+AS_IF([test "x$with_mysql" != xno],
+  [
+    PKG_CHECK_MODULES([MYSQL], [mysqlclient])
+    AC_DEFINE([HAVE_MYSQL], [1],[Define if you have mysqlclient])
+  ],
+  [
+    AC_DEFINE([HAVE_MYSQL], [0],[Define if you have mysqlclient])
+  ])
+AM_CONDITIONAL(MYSQL_SUPPORT,test "x$with_mysql" != xno)
 
 AC_LIB_HAVE_LINKFLAGS([ykclient],, [#include <ykclient.h>],
                       [ykclient_set_proxy(0, 0)])
@@ -194,4 +208,4 @@ AC_MSG_NOTICE([Summary of build options:
   Library types:      Shared=${enable_shared}, Static=${enable_static}
   LDAP:               ${with_ldap}
   Challenge-Response: ${with_cr}
-])
+])
diff --git a/pam_yubico.8.txt b/pam_yubico.8.txt
@@ -116,6 +116,18 @@ CA certitificate file for the LDAP connection.
 *chalresp_path*=_path_::
 Path of a system-wide directory where challenge-response files can be found for users. Default location is `$HOME/.yubico/`.
 
+*mysql_server*=_mysqlserver_::
+Hostname/Adress of mysql server. Example 10.0.0.1
+
+*mysql_user*=_mysqluser_::
+User for accessing to the database. Strongly recommended to use a specific user with read only access.
+
+*mysql_password*=_mysqlpassword_::
+Mysql password associated to the user.
+
+*mysql_database*=_mysqldatabase_::
+the name of the database. Example : otp
+
 == EXAMPLES
 
   auth sufficient pam_yubico.so id=16 debug

diff --git a/pam_yubico.c b/pam_yubico.c
@@ -134,6 +134,11 @@ struct cfg
   const char *user_attr;
   const char *yubi_attr;
   const char *yubi_attr_prefix;
+  const char *mysql_server;
+  const char *mysql_user;
+  const char *mysql_password;
+  const char *mysql_database;
+
   unsigned int token_id_length;
   enum key_mode mode;
   const char *chalresp_path;
@@ -164,8 +169,19 @@ authorize_user_token (struct cfg *cfg,
 		      pam_handle_t *pamh)
 {
   int retval = AUTH_ERROR;
-
-  if (cfg->auth_file)
+  if (cfg->mysql_server)
+    {
+      #if HAVE_MYSQL
+        /* Administrator had configured the database and specified is name
+          as an argument for this module.
+        */
+      DBG ("Using Mariadb or Mysql Database");
+      retval = check_user_token_mysql(cfg->mysql_server, cfg->mysql_user, cfg->mysql_password, cfg->mysql_database, username, otp_id, cfg->debug, cfg->debug_file);
+      #else
+        DBG (("Trying to use MYSQL, but this function is not compiled in pam_yubico!!"));
+      #endif
+    }
+  else if (cfg->auth_file)
     {
       /* Administrator had configured the file and specified is name
          as an argument for this module.
@@ -874,6 +890,16 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 	cfg->mode = CLIENT;
       if (strncmp (argv[i], "chalresp_path=", 14) == 0)
 	cfg->chalresp_path = argv[i] + 14;
+    //Mysql
+      if (strncmp (argv[i], "mysql_server=", 13) == 0)
+	cfg->mysql_server = argv[i] + 13;
+       if (strncmp (argv[i], "mysql_user=", 11) == 0)
+	cfg->mysql_user = argv[i] + 11;
+       if (strncmp (argv[i], "mysql_password=", 15) == 0)
+	cfg->mysql_password = argv[i] + 15;
+      if (strncmp (argv[i], "mysql_database=", 15) == 0)
+	cfg->mysql_database = argv[i] + 15;
+
       if (strncmp (argv[i], "debug_file=", 11) == 0)
         {
           const char *filename = argv[i] + 11;
@@ -939,6 +965,9 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
   DBG ("token_id_length=%u", cfg->token_id_length);
   DBG ("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" );
   DBG ("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)");
+  DBG ("mysql_server=%s", cfg->mysql_server ? cfg->mysql_server : "(null)");
+  DBG ("mysql_user=%s", cfg->mysql_user ? cfg->mysql_user : "(null)");
+  DBG ("mysql_database=%s", cfg->mysql_database ? cfg->mysql_database : "(null)");
 
   if (fd != -1)
     close(fd);

diff --git a/tests/aux/build-and-test.sh b/tests/aux/build-and-test.sh
@@ -7,7 +7,7 @@ autoreconf -i
 if [ "x$TRAVIS_OS_NAME" != "xosx" ]; then
     sudo add-apt-repository -y ppa:yubico/stable
     sudo apt-get update -qq || true
-    sudo apt-get install -qq -y --no-install-recommends libykclient-dev libpam0g-dev libyubikey-dev asciidoc docbook-xsl xsltproc libxml2-utils $EXTRA
+    sudo apt-get install -qq -y --no-install-recommends libykclient-dev libpam0g-dev libyubikey-dev asciidoc docbook-xsl xsltproc libxml2-utils libmysqlclient-dev $EXTRA
 else
     brew update
     brew install pkg-config
@@ -17,6 +17,7 @@ else
     brew install libyubikey
     brew install ykclient
     brew install ykpers
+    brew install mysql-connector-c #Mysql
     cpanp install Net::LDAP::Server
 
     # this is required so asciidoc can find the xml catalog