Enabled SSL in vault

agroal · May 14, 2024 · 692bb80 · 692bb80
1 parent 57d4160
commit 692bb80
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 23 deletions.
diff --git a/src/include/management.h b/src/include/management.h
@@ -113,7 +113,7 @@ pgagroal_management_get_password(SSL* ssl, int socket, char* username, char* pas
  * @return 0 upon success, otherwise 1
  */
 int
-pgagroal_management_write_get_password(int socket, char* password);
+pgagroal_management_write_get_password(SSL* ssl, int socket, char* password);
 
 /**
  * Read the management header

diff --git a/src/libpgagroal/management.c b/src/libpgagroal/management.c
@@ -489,6 +489,7 @@ pgagroal_management_get_password(SSL* ssl, int fd, char* username, char* pass)
    char buf[4];
    int* password_length = NULL;
    char password[MAX_PASSWORD_LENGTH];
+   char buffer[strlen(username) + 4];
 
    password_length = (int*)malloc(sizeof(int));
    if (!password_length)
@@ -503,15 +504,13 @@ pgagroal_management_get_password(SSL* ssl, int fd, char* username, char* pass)
       goto error;
    }
 
-   pgagroal_write_int32(&buf, strlen(username));
-   if (write_complete(ssl, fd, &buf, sizeof(buf)))
-   {
-      pgagroal_log_warn("pgagroal_management_get_password: write: %d %s", fd, strerror(errno));
-      errno = 0;
-      goto error;
-   }
+   pgagroal_write_int32(&buf, (int32_t)strlen(username));
+   memset(buffer, 0, sizeof(buffer));
+   memcpy(buffer, buf, 4);
+   memcpy(buffer + 4, username, strlen(username));
 
-   if (write_complete(ssl, fd, username, strlen(username)))
+   // write username to the management port
+   if (write_complete(ssl, fd, buffer, strlen(username) + 4))
    {
       pgagroal_log_warn("pgagroal_management_get_password: write: %d %s", fd, strerror(errno));
       errno = 0;
@@ -1284,15 +1283,15 @@ pgagroal_management_write_isalive(int socket, bool gracefully)
 }
 
 int
-pgagroal_management_write_get_password(int socket, char* password)
+pgagroal_management_write_get_password(SSL* ssl, int socket, char* password)
 {
    char buffer[MAX_PASSWORD_LENGTH + 4]; // first 4 bytes contains the length of the password
    memset(buffer, 0, sizeof(buffer));
 
    pgagroal_write_int32(&buffer, strlen(password));
    memcpy(buffer + 4, password, strlen(password));
 
-   if (write_complete(NULL, socket, buffer, strlen(password) + 4))
+   if (write_complete(ssl, socket, buffer, strlen(password) + 4))
    {
       pgagroal_log_warn("pgagroal_management_write_get_password: write: %d %s\n", socket, strerror(errno));
       errno = 0;

diff --git a/src/main.c b/src/main.c
@@ -1570,7 +1570,7 @@ accept_mgt_cb(struct ev_loop* loop, struct ev_io* watcher, int revents)
          }
 
          // Send password to the vault
-         pgagroal_management_write_get_password(client_fd, frontend_password);
+         pgagroal_management_write_get_password(NULL, client_fd, frontend_password);
          pgagroal_disconnect(client_fd);
          return;
       }

diff --git a/src/vault.c b/src/vault.c
@@ -62,11 +62,11 @@
 static void accept_vault_cb(struct ev_loop* loop, struct ev_io* watcher, int revents);
 static void shutdown_cb(struct ev_loop* loop, ev_signal* w, int revents);
 static bool accept_fatal(int error);
-static int connect_pgagroal(struct vault_configuration* config, char* username, char* password, SSL* s_ssl, int* client_socket);
-static void route_users(int client_fd, char* username, char** response);
+static int connect_pgagroal(struct vault_configuration* config, char* username, char* password, SSL** s_ssl, int* client_socket);
+static void route_users(char* username, char** response, SSL* s_ssl, int client_fd);
 static void route_not_found(char** response);
 static void route_found(char** response, char* password);
-static int router(int client_fd, SSL* ssl);
+static int router(SSL* ssl, int client_fd);
 
 static volatile int keep_running = 1;
 static char** argv_ptr;
@@ -77,7 +77,7 @@ static int server_fds_length = -1;
 static int default_buffer_size = DEFAULT_BUFFER_SIZE;
 
 static int
-router(int client_fd, SSL* ssl)
+router(SSL* s_ssl, int client_fd)
 {
    int exit_code = 0;
    ssize_t bytes_read;
@@ -114,7 +114,7 @@ router(int client_fd, SSL* ssl)
          // Extract the username from the path
          sscanf(path, "/users/%128s", username);
          // Call the appropriate handler function with the username
-         route_users(client_fd, username, &response);
+         route_users(username, &response, s_ssl, client_fd);
       }
       else
       {
@@ -140,14 +140,14 @@ router(int client_fd, SSL* ssl)
 }
 
 static void
-route_users(int client_fd, char* username, char** response)
+route_users(char* username, char** response, SSL* s_ssl, int client_fd)
 {
    struct vault_configuration* config = (struct vault_configuration*)shmem;
    int client_pgagroal_fd = -1;
    char password[MAX_PASSWORD_LENGTH + 1];
 
    // Connect to pgagroal management port
-   if (connect_pgagroal(config, config->vault_server.user.username, config->vault_server.user.password, NULL, &client_pgagroal_fd)) // Change NULL to ssl
+   if (connect_pgagroal(config, config->vault_server.user.username, config->vault_server.user.password, &s_ssl, &client_pgagroal_fd)) // Change NULL to ssl
    {
       pgagroal_log_error("pgagroal-vault: Couldn't connect to %s:%d", config->vault_server.server.host, config->vault_server.server.port);
       // Send Error Response
@@ -158,7 +158,7 @@ route_users(int client_fd, char* username, char** response)
    memset(password, 0, MAX_PASSWORD_LENGTH);
 
    // Call GET_PASSWORD at management port
-   if (pgagroal_management_get_password(NULL, client_pgagroal_fd, username, password))
+   if (pgagroal_management_get_password(s_ssl, client_pgagroal_fd, username, password))
    {
       pgagroal_log_error("pgagroal-vault: Couldn't get password from the management");
       // Send Error Response
@@ -201,7 +201,7 @@ route_found(char** response, char* password)
 }
 
 static int
-connect_pgagroal(struct vault_configuration* config, char* username, char* password, SSL* s_ssl, int* client_socket)
+connect_pgagroal(struct vault_configuration* config, char* username, char* password, SSL** s_ssl, int* client_socket)
 {
    if (pgagroal_connect(config->vault_server.server.host, config->vault_server.server.port, client_socket, false, false, &default_buffer_size, false))
    {
@@ -222,14 +222,17 @@ connect_pgagroal(struct vault_configuration* config, char* username, char* passw
       }
    }
 
+   SSL* s = NULL;
    /* Authenticate */
-   if (pgagroal_remote_management_scram_sha256(username, password, *client_socket, &s_ssl) != AUTH_SUCCESS)
+   if (pgagroal_remote_management_scram_sha256(username, password, *client_socket, &s) != AUTH_SUCCESS)
    {
       pgagroal_log_debug("pgagroal-vault: Bad credentials for %s", username);
       pgagroal_disconnect(*client_socket);
       return 1;
    }
 
+   *s_ssl = s;
+
    return 0;
 }
 
@@ -476,6 +479,7 @@ accept_vault_cb(struct ev_loop* loop, struct ev_io* watcher, int revents)
    int client_fd;
    char address[INET6_ADDRSTRLEN];
    pid_t pid;
+   SSL* s_ssl = NULL;
    struct vault_configuration* config;
 
    if (EV_ERROR & revents)
@@ -547,7 +551,7 @@ accept_vault_cb(struct ev_loop* loop, struct ev_io* watcher, int revents)
       ev_loop_fork(loop);
       shutdown_vault_io();
 
-      if (router(client_fd, NULL))
+      if (router(s_ssl, client_fd))
       {
          pgagroal_log_error("Couldn't write to client");
          exit(1);