[moira.git] / server / mr_sauth.c

/* $Id$
 *
 * Handle server side of authentication
 *
 * Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
 * For copying and distribution information, please see the file
 * <mit-copyright.h>.
 *
 */

#include <mit-copyright.h>
#include "mr_server.h"

#include <sys/types.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <stdlib.h>
#include <string.h>

RCSID("$Header$");

extern char *whoami, *host;
extern int proxy_acl;

static int set_client(client *cl, char *kname,
		      char *name, char *inst, char *realm);

typedef struct _replay_cache {
  KTEXT_ST auth;
  time_t expires;
  struct _replay_cache *next;
} replay_cache;

replay_cache *rcache = NULL;

/*
 * Handle a MOIRA_AUTH RPC request.
 *
 * argv[0] is a kerberos authenticator.  Decompose it, and if
 * successful, store the name the user authenticated to in
 * cl->cl_name.
 */

void do_auth(client *cl)
{
  KTEXT_ST auth;
  AUTH_DAT ad;
  int status;
  replay_cache *rc, *rcnew;
  time_t now;

  auth.length = cl->req.mr_argl[0];
  memcpy(auth.dat, cl->req.mr_argv[0], auth.length);
  auth.mbz = 0;

  if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
			   cl->haddr.sin_addr.s_addr, &ad, "")))
    {
      status += ERROR_TABLE_BASE_krb;
      client_reply(cl, status);
      com_err(whoami, status, " (authentication failed)");
      return;
    }

  if (!rcache)
    {
      rcache = xmalloc(sizeof(replay_cache));
      memset(rcache, 0, sizeof(replay_cache));
    }

  /* scan replay cache */
  for (rc = rcache->next; rc; rc = rc->next)
    {
      if (auth.length == rc->auth.length &&
	  !memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
	{
	  com_err(whoami, 0,
		  "Authenticator replay from %s using authenticator for %s",
		  inet_ntoa(cl->haddr.sin_addr),
		  kname_unparse(ad.pname, ad.pinst, ad.prealm));
	  com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
	  client_reply(cl, KE_RD_AP_REPEAT);
	  return;
	}
    }

  /* add new entry */
  time(&now);
  rcnew = xmalloc(sizeof(replay_cache));
  memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
  rcnew->expires = now + 2 * CLOCK_SKEW;
  rcnew->next = rcache->next;
  rcache->next = rcnew;

  /* clean cache */
  for (rc = rcnew; rc->next; )
    {
      if (rc->next->expires < now)
	{
	  rcnew = rc->next;
	  rc->next = rc->next->next;
	  free(rcnew);
	}
      else
	rc = rc->next;
    }

  status = set_client(cl, kname_unparse(ad.pname, ad.pinst, ad.prealm),
		      ad.pname, ad.pinst, ad.prealm);

  strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
  cl->entity[sizeof(cl->entity) - 1] = 0;

  memset(&ad, 0, sizeof(ad));	/* Clean up session key, etc. */

  com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
	  cl->clname, cl->entity, cl->users_id, cl->client_id);

  if (status != MR_SUCCESS || cl->users_id != 0)
    client_reply(cl, status);
  else
    client_reply(cl, MR_USER_AUTH);
}

void do_proxy(client *cl)
{
  char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
  char kname[MAX_K_NAME_SZ];

  if (cl->proxy_id)
    {
      com_err(whoami, MR_PERM, "Cannot re-proxy");
      client_reply(cl, MR_PERM);
      return;
    }

  if (kname_parse(name, inst, realm, cl->req.mr_argv[0]) != KSUCCESS)
    {
      com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
	      cl->req.mr_argv);
      client_reply(cl, KE_KNAME_FMT);
      return;
    }

  if (!*realm)
    {
      strcpy(realm, krb_realm);
      sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
    }
  else
    strcpy(kname, cl->req.mr_argv[0]);
    
  if (find_member("LIST", proxy_acl, cl))
    {
      cl->proxy_id = cl->client_id;
      set_client(cl, kname, name, inst, realm);
      com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
	      kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
      client_reply(cl, MR_SUCCESS);
    }
  else
    {
      com_err(whoami, MR_PERM, "Proxy authentication denied");
      client_reply(cl, MR_PERM);
    }
}

static int set_client(client *cl, char *kname,
		      char *name, char *inst, char *realm)
{
  int ok;

  strncpy(cl->clname, kname, sizeof(cl->clname));
  cl->clname[sizeof(cl->clname) - 1] = '\0';

  if (inst[0] == 0 && !strcmp(realm, krb_realm))
    ok = 1;
  else
    ok = 0;
  /* this is in a separate function because it accesses the database */
  return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);
}
Commit	Line	Data
7ac48069	1	/* $Id$
	2	*
	3	* Handle server side of authentication
a3cf6921	4	*
7ac48069	5	* Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
	6	* For copying and distribution information, please see the file
	7	* <mit-copyright.h>.
a3cf6921	8	*
a3cf6921	9	*/
a3cf6921	10
c801de4c	11	#include <mit-copyright.h>
d548a4e7	12	#include "mr_server.h"
a3cf6921	13
7ac48069	14	#include <sys/types.h>
a3cf6921	15
7ac48069	16	#include <arpa/inet.h>
	17	#include <netinet/in.h>
	18
	19	#include <stdlib.h>
	20	#include <string.h>
	21
	22	RCSID("$Header$");
	23
	24	extern char whoami, host;
ed00e35e	25	extern int proxy_acl;
	26
	27	static int set_client(client cl, char kname,
	28	char name, char inst, char *realm);
c1665e6d	29
3d0d0f07	30	typedef struct _replay_cache {
	31	KTEXT_ST auth;
	32	time_t expires;
	33	struct _replay_cache *next;
	34	} replay_cache;
	35
	36	replay_cache *rcache = NULL;
	37
a3cf6921	38	/*
d548a4e7	39	* Handle a MOIRA_AUTH RPC request.
a3cf6921	40	*
a3cf6921	41	* argv[0] is a kerberos authenticator. Decompose it, and if
5eaef520	42	* successful, store the name the user authenticated to in
a3cf6921	43	* cl->cl_name.
	44	*/
	45
8691463b	46	void do_auth(client *cl)
a3cf6921	47	{
5eaef520	48	KTEXT_ST auth;
5eaef520	49	AUTH_DAT ad;
ed00e35e	50	int status;
5eaef520	51	replay_cache rc, rcnew;
	52	time_t now;
	53
8691463b	54	auth.length = cl->req.mr_argl[0];
8691463b	55	memcpy(auth.dat, cl->req.mr_argv[0], auth.length);
5eaef520	56	auth.mbz = 0;
5eaef520	57
85330553	58	if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
85330553	59	cl->haddr.sin_addr.s_addr, &ad, "")))
5eaef520	60	{
5eaef520	61	status += ERROR_TABLE_BASE_krb;
85330553	62	client_reply(cl, status);
85330553	63	com_err(whoami, status, " (authentication failed)");
5eaef520	64	return;
	65	}
	66
	67	if (!rcache)
	68	{
e688520a	69	rcache = xmalloc(sizeof(replay_cache));
5eaef520	70	memset(rcache, 0, sizeof(replay_cache));
	71	}
	72
	73	/* scan replay cache */
	74	for (rc = rcache->next; rc; rc = rc->next)
	75	{
	76	if (auth.length == rc->auth.length &&
	77	!memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
	78	{
	79	com_err(whoami, 0,
	80	"Authenticator replay from %s using authenticator for %s",
	81	inet_ntoa(cl->haddr.sin_addr),
	82	kname_unparse(ad.pname, ad.pinst, ad.prealm));
	83	com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
85330553	84	client_reply(cl, KE_RD_AP_REPEAT);
5eaef520	85	return;
3d0d0f07	86	}
5eaef520	87	}
	88
	89	/* add new entry */
	90	time(&now);
e688520a	91	rcnew = xmalloc(sizeof(replay_cache));
5eaef520	92	memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
	93	rcnew->expires = now + 2 * CLOCK_SKEW;
	94	rcnew->next = rcache->next;
	95	rcache->next = rcnew;
	96
	97	/* clean cache */
	98	for (rc = rcnew; rc->next; )
	99	{
	100	if (rc->next->expires < now)
	101	{
	102	rcnew = rc->next;
	103	rc->next = rc->next->next;
	104	free(rcnew);
060e9c63	105	}
5eaef520	106	else
	107	rc = rc->next;
	108	}
	109
ed00e35e	110	status = set_client(cl, kname_unparse(ad.pname, ad.pinst, ad.prealm),
ed00e35e	111	ad.pname, ad.pinst, ad.prealm);
5eaef520	112
ed00e35e	113	strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
ed00e35e	114	cl->entity[sizeof(cl->entity) - 1] = 0;
85330553	115
5eaef520	116	memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */
5eaef520	117
85330553	118	com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
	119	cl->clname, cl->entity, cl->users_id, cl->client_id);
	120
	121	if (status != MR_SUCCESS \|\| cl->users_id != 0)
	122	client_reply(cl, status);
	123	else
	124	client_reply(cl, MR_USER_AUTH);
a3cf6921	125	}
ed00e35e	126
	127	void do_proxy(client *cl)
	128	{
	129	char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
	130	char kname[MAX_K_NAME_SZ];
	131
	132	if (cl->proxy_id)
	133	{
	134	com_err(whoami, MR_PERM, "Cannot re-proxy");
	135	client_reply(cl, MR_PERM);
	136	return;
	137	}
	138
	139	if (kname_parse(name, inst, realm, cl->req.mr_argv[0]) != KSUCCESS)
	140	{
	141	com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
	142	cl->req.mr_argv);
	143	client_reply(cl, KE_KNAME_FMT);
	144	return;
	145	}
	146
	147	if (!*realm)
	148	{
	149	strcpy(realm, krb_realm);
	150	sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
	151	}
	152	else
	153	strcpy(kname, cl->req.mr_argv[0]);
	154
	155	if (find_member("LIST", proxy_acl, cl))
	156	{
	157	cl->proxy_id = cl->client_id;
	158	set_client(cl, kname, name, inst, realm);
	159	com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
	160	kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
	161	client_reply(cl, MR_SUCCESS);
	162	}
	163	else
	164	{
	165	com_err(whoami, MR_PERM, "Proxy authentication denied");
	166	client_reply(cl, MR_PERM);
	167	}
	168	}
	169
	170	static int set_client(client cl, char kname,
	171	char name, char inst, char *realm)
	172	{
	173	int ok;
	174
	175	strncpy(cl->clname, kname, sizeof(cl->clname));
	176	cl->clname[sizeof(cl->clname) - 1] = '\0';
	177
	178	if (inst[0] == 0 && !strcmp(realm, krb_realm))
	179	ok = 1;
	180	else
	181	ok = 0;
	182	/* this is in a separate function because it accesses the database */
	183	return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);
	184	}