diff options
Diffstat (limited to 'xlators/protocol/auth')
-rw-r--r-- | xlators/protocol/auth/addr/src/addr.c | 392 | ||||
-rw-r--r-- | xlators/protocol/auth/login/src/login.c | 214 |
2 files changed, 315 insertions, 291 deletions
diff --git a/xlators/protocol/auth/addr/src/addr.c b/xlators/protocol/auth/addr/src/addr.c index 3b326715e..21dfa5e58 100644 --- a/xlators/protocol/auth/addr/src/addr.c +++ b/xlators/protocol/auth/addr/src/addr.c @@ -1,20 +1,20 @@ /* - Copyright (c) 2007-2010 Gluster, Inc. <http://www.gluster.com> - This file is part of GlusterFS. - - GlusterFS is free software; you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published - by the Free Software Foundation; either version 3 of the License, - or (at your option) any later version. - - GlusterFS is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Affero General Public License for more details. - - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see - <http://www.gnu.org/licenses/>. + Copyright (c) 2007-2010 Gluster, Inc. <http://www.gluster.com> + This file is part of GlusterFS. + + GlusterFS is free software; you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation; either version 3 of the License, + or (at your option) any later version. + + GlusterFS is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see + <http://www.gnu.org/licenses/>. */ @@ -43,189 +43,189 @@ typedef struct peer_info { char identifier[UNIX_PATH_MAX]; }peer_info_t; -auth_result_t +auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) { - int ret = 0; - char *name = NULL; - char *searchstr = NULL; - char peer_addr[UNIX_PATH_MAX]; - data_t *peer_info_data = NULL; - peer_info_t *peer_info = NULL; - data_t *allow_addr = NULL, *reject_addr = NULL; - char is_inet_sdp = 0; - - name = data_to_str (dict_get (input_params, "remote-subvolume")); - if (!name) { - gf_log ("authenticate/addr", - GF_LOG_ERROR, - "remote-subvolume not specified"); - return AUTH_DONT_CARE; - } - - ret = asprintf (&searchstr, "auth.addr.%s.allow", name); - if (-1 == ret) { - gf_log ("auth/addr", GF_LOG_ERROR, - "asprintf failed while setting search string"); - return AUTH_DONT_CARE; - } - allow_addr = dict_get (config_params, - searchstr); - free (searchstr); - - ret = asprintf (&searchstr, "auth.addr.%s.reject", name); - if (-1 == ret) { - gf_log ("auth/addr", GF_LOG_ERROR, - "asprintf failed while setting search string"); - return AUTH_DONT_CARE; - } - reject_addr = dict_get (config_params, - searchstr); - free (searchstr); - - if (!allow_addr) { - /* TODO: backword compatibility */ - ret = asprintf (&searchstr, "auth.ip.%s.allow", name); - if (-1 == ret) { - gf_log ("auth/addr", GF_LOG_ERROR, - "asprintf failed while setting search string"); - return AUTH_DONT_CARE; - } - allow_addr = dict_get (config_params, searchstr); - free (searchstr); - } - - if (!(allow_addr || reject_addr)) { - gf_log ("auth/addr", GF_LOG_DEBUG, - "none of the options auth.addr.%s.allow or " - "auth.addr.%s.reject specified, returning auth_dont_care", - name, name); - return AUTH_DONT_CARE; - } - - peer_info_data = dict_get (input_params, "peer-info"); - if (!peer_info_data) { - gf_log ("authenticate/addr", - GF_LOG_ERROR, - "peer-info not present"); - return AUTH_DONT_CARE; - } - - peer_info = data_to_ptr (peer_info_data); - - switch (((struct sockaddr *) &peer_info->sockaddr)->sa_family) - { - case AF_INET_SDP: - is_inet_sdp = 1; - ((struct sockaddr *) &peer_info->sockaddr)->sa_family = AF_INET; - - case AF_INET: - case AF_INET6: - { - char *service; - uint16_t peer_port; - strcpy (peer_addr, peer_info->identifier); - service = strrchr (peer_addr, ':'); - *service = '\0'; - service ++; - - if (is_inet_sdp) { - ((struct sockaddr *) &peer_info->sockaddr)->sa_family = AF_INET_SDP; - } - - peer_port = atoi (service); - if (peer_port >= PRIVILEGED_PORT_CEILING) { - gf_log ("auth/addr", GF_LOG_ERROR, - "client is bound to port %d which is not privileged", - peer_port); - return AUTH_DONT_CARE; - } - break; - - case AF_UNIX: - strcpy (peer_addr, peer_info->identifier); - break; - - default: - gf_log ("authenticate/addr", GF_LOG_ERROR, - "unknown address family %d", - ((struct sockaddr *) &peer_info->sockaddr)->sa_family); - return AUTH_DONT_CARE; - } - } - - if (reject_addr) { - char *addr_str = NULL; - char *tmp; - char *addr_cpy = strdup (reject_addr->data); - - addr_str = strtok_r (addr_cpy, ADDR_DELIMITER, &tmp); - - while (addr_str) { - char negate = 0, match =0; - gf_log (name, GF_LOG_DEBUG, - "rejected = \"%s\", received addr = \"%s\"", - addr_str, peer_addr); - if (addr_str[0] == '!') { - negate = 1; - addr_str++; - } - - match = fnmatch (addr_str, - peer_addr, - 0); - if (negate ? match : !match) { - free (addr_cpy); - return AUTH_REJECT; - } - addr_str = strtok_r (NULL, ADDR_DELIMITER, &tmp); - } - free (addr_cpy); - } - - if (allow_addr) { - char *addr_str = NULL; - char *tmp; - char *addr_cpy = strdup (allow_addr->data); - - addr_str = strtok_r (addr_cpy, ADDR_DELIMITER, &tmp); - - while (addr_str) { - char negate = 0, match = 0; - gf_log (name, GF_LOG_DEBUG, - "allowed = \"%s\", received addr = \"%s\"", - addr_str, peer_addr); - if (addr_str[0] == '!') { - negate = 1; - addr_str++; - } - - match = fnmatch (addr_str, - peer_addr, - 0); - - if (negate ? match : !match) { - free (addr_cpy); - return AUTH_ACCEPT; - } - addr_str = strtok_r (NULL, ADDR_DELIMITER, &tmp); - } - free (addr_cpy); - } - - return AUTH_DONT_CARE; + auth_result_t result = AUTH_DONT_CARE; + int ret = 0; + char *name = NULL; + char *searchstr = NULL; + peer_info_t *peer_info = NULL; + data_t *peer_info_data = NULL; + data_t *allow_addr = NULL; + data_t *reject_addr = NULL; + char *addr_str = NULL; + char *tmp = NULL; + char *addr_cpy = NULL; + char *service = NULL; + uint16_t peer_port = 0; + char is_inet_sdp = 0; + char negate = 0; + char match = 0; + char peer_addr[UNIX_PATH_MAX]; + + name = data_to_str (dict_get (input_params, "remote-subvolume")); + if (!name) { + gf_log ("authenticate/addr", GF_LOG_DEBUG, + "remote-subvolume not specified"); + goto out; + } + + ret = gf_asprintf (&searchstr, "auth.addr.%s.allow", name); + if (-1 == ret) { + gf_log ("auth/addr", GF_LOG_DEBUG, + "asprintf failed while setting search string"); + goto out; + } + + allow_addr = dict_get (config_params, searchstr); + GF_FREE (searchstr); + + ret = gf_asprintf (&searchstr, "auth.addr.%s.reject", name); + if (-1 == ret) { + gf_log ("auth/addr", GF_LOG_ERROR, + "asprintf failed while setting search string"); + goto out; + } + reject_addr = dict_get (config_params, searchstr); + GF_FREE (searchstr); + + if (!allow_addr) { + /* TODO: backword compatibility */ + ret = gf_asprintf (&searchstr, "auth.ip.%s.allow", name); + if (-1 == ret) { + gf_log ("auth/addr", GF_LOG_ERROR, + "asprintf failed while setting search string"); + goto out; + } + allow_addr = dict_get (config_params, searchstr); + GF_FREE (searchstr); + } + + if (!(allow_addr || reject_addr)) { + gf_log ("auth/addr", GF_LOG_DEBUG, + "none of the options auth.addr.%s.allow or " + "auth.addr.%s.reject specified, returning auth_dont_care", + name, name); + goto out; + } + + peer_info_data = dict_get (input_params, "peer-info"); + if (!peer_info_data) { + gf_log ("auth/addr", GF_LOG_ERROR, + "peer-info not present"); + goto out; + } + + peer_info = data_to_ptr (peer_info_data); + + switch (((struct sockaddr *) &peer_info->sockaddr)->sa_family) + { + case AF_INET_SDP: + is_inet_sdp = 1; + ((struct sockaddr *) &peer_info->sockaddr)->sa_family = AF_INET; + + case AF_INET: + case AF_INET6: + { + strcpy (peer_addr, peer_info->identifier); + service = strrchr (peer_addr, ':'); + *service = '\0'; + service ++; + + if (is_inet_sdp) { + ((struct sockaddr *) &peer_info->sockaddr)->sa_family = AF_INET_SDP; + } + + peer_port = atoi (service); + if (peer_port >= PRIVILEGED_PORT_CEILING) { + gf_log ("auth/addr", GF_LOG_ERROR, + "client is bound to port %d which is not privileged", + peer_port); + goto out; + } + break; + + case AF_UNIX: + strcpy (peer_addr, peer_info->identifier); + break; + + default: + gf_log ("authenticate/addr", GF_LOG_ERROR, + "unknown address family %d", + ((struct sockaddr *) &peer_info->sockaddr)->sa_family); + goto out; + } + } + + if (reject_addr) { + addr_cpy = gf_strdup (reject_addr->data); + if (!addr_cpy) + goto out; + + addr_str = strtok_r (addr_cpy, ADDR_DELIMITER, &tmp); + + while (addr_str) { + gf_log (name, GF_LOG_DEBUG, + "rejected = \"%s\", received addr = \"%s\"", + addr_str, peer_addr); + if (addr_str[0] == '!') { + negate = 1; + addr_str++; + } + + match = fnmatch (addr_str, peer_addr, 0); + if (negate ? match : !match) { + result = AUTH_REJECT; + goto out; + } + addr_str = strtok_r (NULL, ADDR_DELIMITER, &tmp); + } + GF_FREE (addr_cpy); + } + + if (allow_addr) { + addr_cpy = gf_strdup (allow_addr->data); + if (!addr_cpy) + goto out; + + addr_str = strtok_r (addr_cpy, ADDR_DELIMITER, &tmp); + + while (addr_str) { + gf_log (name, GF_LOG_DEBUG, + "allowed = \"%s\", received addr = \"%s\"", + addr_str, peer_addr); + if (addr_str[0] == '!') { + negate = 1; + addr_str++; + } + + match = fnmatch (addr_str, peer_addr, 0); + if (negate ? match : !match) { + result = AUTH_ACCEPT; + goto out; + } + addr_str = strtok_r (NULL, ADDR_DELIMITER, &tmp); + } + } + +out: + if (addr_cpy) + GF_FREE (addr_cpy); + + return result; } struct volume_options options[] = { - { .key = {"auth.addr.*.allow"}, - .type = GF_OPTION_TYPE_ANY - }, - { .key = {"auth.addr.*.reject"}, - .type = GF_OPTION_TYPE_ANY - }, - /* Backword compatibility */ - { .key = {"auth.ip.*.allow"}, - .type = GF_OPTION_TYPE_ANY - }, - { .key = {NULL} } + { .key = {"auth.addr.*.allow"}, + .type = GF_OPTION_TYPE_ANY + }, + { .key = {"auth.addr.*.reject"}, + .type = GF_OPTION_TYPE_ANY + }, + /* Backword compatibility */ + { .key = {"auth.ip.*.allow"}, + .type = GF_OPTION_TYPE_ANY + }, + { .key = {NULL} } }; diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c index 8127277e1..81b8efa05 100644 --- a/xlators/protocol/auth/login/src/login.c +++ b/xlators/protocol/auth/login/src/login.c @@ -1,20 +1,20 @@ /* - Copyright (c) 2007-2010 Gluster, Inc. <http://www.gluster.com> - This file is part of GlusterFS. - - GlusterFS is free software; you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published - by the Free Software Foundation; either version 3 of the License, - or (at your option) any later version. - - GlusterFS is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Affero General Public License for more details. - - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see - <http://www.gnu.org/licenses/>. + Copyright (c) 2007-2010 Gluster, Inc. <http://www.gluster.com> + This file is part of GlusterFS. + + GlusterFS is free software; you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation; either version 3 of the License, + or (at your option) any later version. + + GlusterFS is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see + <http://www.gnu.org/licenses/>. */ #ifndef _CONFIG_H @@ -27,88 +27,112 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) { - int ret = 0; - char *username = NULL, *password = NULL; - data_t *allow_user = NULL, *username_data = NULL, *password_data = NULL; - int32_t result = AUTH_DONT_CARE; - char *brick_name = NULL, *searchstr = NULL; - - username_data = dict_get (input_params, "username"); - if (!username_data) - return AUTH_DONT_CARE; - - username = data_to_str (username_data); - - password_data = dict_get (input_params, "password"); - if (!password_data) - return AUTH_DONT_CARE; - - password = data_to_str (password_data); - - brick_name = data_to_str (dict_get (input_params, "remote-subvolume")); - if (!brick_name) { - gf_log ("auth/login", - GF_LOG_ERROR, - "remote-subvolume not specified"); - return AUTH_REJECT; - } - - ret = asprintf (&searchstr, "auth.login.%s.allow", brick_name); - if (-1 == ret) { - gf_log ("auth/login", GF_LOG_ERROR, - "asprintf failed while setting search string"); - return AUTH_DONT_CARE; - } - - allow_user = dict_get (config_params, - searchstr); - free (searchstr); - - if (allow_user) { - char *username_str = NULL; - char *tmp; - char *username_cpy = strdup (allow_user->data); - - username_str = strtok_r (username_cpy, " ,", &tmp); - - while (username_str) { - data_t *passwd_data = NULL; - if (!fnmatch (username_str, - username, - 0)) { - ret = asprintf (&searchstr, "auth.login.%s.password", username); + auth_result_t result = AUTH_DONT_CARE; + int ret = 0; + data_t *allow_user = NULL; + data_t *username_data = NULL; + data_t *passwd_data = NULL; + data_t *password_data = NULL; + char *username = NULL; + char *password = NULL; + char *brick_name = NULL; + char *searchstr = NULL; + char *username_str = NULL; + char *tmp = NULL; + char *username_cpy = NULL; + + username_data = dict_get (input_params, "username"); + if (!username_data) { + gf_log ("auth/login", GF_LOG_DEBUG, + "username not found, returning DONT-CARE"); + goto out; + } + + username = data_to_str (username_data); + + password_data = dict_get (input_params, "password"); + if (!password_data) { + gf_log ("auth/login", GF_LOG_WARNING, + "password not found, returning DONT-CARE"); + goto out; + } + + password = data_to_str (password_data); + + brick_name = data_to_str (dict_get (input_params, "remote-subvolume")); + if (!brick_name) { + gf_log ("auth/login", GF_LOG_ERROR, + "remote-subvolume not specified"); + result = AUTH_REJECT; + goto out; + } + + ret = gf_asprintf (&searchstr, "auth.login.%s.allow", brick_name); if (-1 == ret) { - gf_log ("auth/login", GF_LOG_ERROR, - "asprintf failed while setting search string"); - return AUTH_DONT_CARE; + gf_log ("auth/login", GF_LOG_WARNING, + "asprintf failed while setting search string, " + "returning DONT-CARE"); + goto out; + } + + allow_user = dict_get (config_params, searchstr); + GF_FREE (searchstr); + + if (allow_user) { + username_cpy = gf_strdup (allow_user->data); + if (!username_cpy) + goto out; + + username_str = strtok_r (username_cpy, " ,", &tmp); + + while (username_str) { + if (!fnmatch (username_str, username, 0)) { + ret = gf_asprintf (&searchstr, + "auth.login.%s.password", + username); + if (-1 == ret) { + gf_log ("auth/login", GF_LOG_WARNING, + "asprintf failed while setting search string"); + goto out; + } + passwd_data = dict_get (config_params, searchstr); + GF_FREE (searchstr); + + if (!passwd_data) { + gf_log ("auth/login", GF_LOG_ERROR, + "wrong username/password combination"); + result = AUTH_REJECT; + goto out; + } + + result = !((strcmp (data_to_str (passwd_data), + password)) ? + AUTH_ACCEPT : + AUTH_REJECT); + if (result == AUTH_REJECT) + gf_log ("auth/login", GF_LOG_ERROR, + "wrong password for user %s", + username); + + break; + } + username_str = strtok_r (NULL, " ,", &tmp); + } } - passwd_data = dict_get (config_params, searchstr); - FREE (searchstr); - - if (!passwd_data) { - gf_log ("auth/login", - GF_LOG_DEBUG, - "wrong username/password combination"); - result = AUTH_REJECT; - } - else - result = !strcmp (data_to_str (passwd_data), password) ? AUTH_ACCEPT : AUTH_REJECT; - break; - } - username_str = strtok_r (NULL, " ,", &tmp); - } - free (username_cpy); - } - - return result; + +out: + if (username_cpy) + GF_FREE (username_cpy); + + return result; } struct volume_options options[] = { - { .key = {"auth.login.*.allow"}, - .type = GF_OPTION_TYPE_ANY - }, - { .key = {"auth.login.*.password"}, - .type = GF_OPTION_TYPE_ANY - }, - { .key = {NULL} } + { .key = {"auth.login.*.allow"}, + .type = GF_OPTION_TYPE_ANY + }, + { .key = {"auth.login.*.password"}, + .type = GF_OPTION_TYPE_ANY + }, + { .key = {NULL} } }; |