1 /*
2  * mod_authn_pam - PAM backend for lighttpd HTTP auth
3  *
4  * Copyright(c) 2018 Glenn Strauss gstrauss()gluelogic.com  All rights reserved
5  * License: BSD 3-clause (same as lighttpd)
6  */
7 #include "first.h"
8 
9 /* mod_authn_pam
10  *
11  * FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
12  * - database response is not cached
13  *   TODO: db response caching (for limited time) to reduce load on db
14  *     (only cache successful logins to prevent cache bloat?)
15  *     (or limit number of entries (size) of cache)
16  *     (maybe have negative cache (limited size) of names not found in database)
17  * - database query is synchronous and blocks waiting for response
18  */
19 
20 #include <stdlib.h>
21 #include <string.h>
22 
23 #include <security/pam_appl.h>
24 
25 #include "mod_auth_api.h"
26 #include "base.h"
27 #include "log.h"
28 #include "plugin.h"
29 
30 typedef struct {
31     const char *service;
32 } plugin_config;
33 
34 typedef struct {
35     PLUGIN_DATA;
36     plugin_config defaults;
37     plugin_config conf;
38 } plugin_data;
39 
40 static handler_t mod_authn_pam_basic(request_st *r, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
41 
INIT_FUNC(mod_authn_pam_init)42 INIT_FUNC(mod_authn_pam_init) {
43     static http_auth_backend_t http_auth_backend_pam =
44       { "pam", mod_authn_pam_basic, NULL, NULL };
45     plugin_data *p = calloc(1, sizeof(*p));
46 
47     /* register http_auth_backend_pam */
48     http_auth_backend_pam.p_d = p;
49     http_auth_backend_set(&http_auth_backend_pam);
50 
51     return p;
52 }
53 
mod_authn_pam_merge_config_cpv(plugin_config * const pconf,const config_plugin_value_t * const cpv)54 static void mod_authn_pam_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
55     switch (cpv->k_id) { /* index into static config_plugin_keys_t cpk[] */
56       case 0: /* auth.backend.pam.opts */
57         if (cpv->vtype == T_CONFIG_LOCAL)
58             pconf->service = cpv->v.v;
59         break;
60       default:/* should not happen */
61         return;
62     }
63 }
64 
mod_authn_pam_merge_config(plugin_config * const pconf,const config_plugin_value_t * cpv)65 static void mod_authn_pam_merge_config(plugin_config * const pconf, const config_plugin_value_t *cpv) {
66     do {
67         mod_authn_pam_merge_config_cpv(pconf, cpv);
68     } while ((++cpv)->k_id != -1);
69 }
70 
mod_authn_pam_patch_config(request_st * const r,plugin_data * const p)71 static void mod_authn_pam_patch_config(request_st * const r, plugin_data * const p) {
72     p->conf = p->defaults; /* copy small struct instead of memcpy() */
73     /*memcpy(&p->conf, &p->defaults, sizeof(plugin_config));*/
74     for (int i = 1, used = p->nconfig; i < used; ++i) {
75         if (config_check_cond(r, (uint32_t)p->cvlist[i].k_id))
76             mod_authn_pam_merge_config(&p->conf,
77                                         p->cvlist + p->cvlist[i].v.u2[0]);
78     }
79 }
80 
SETDEFAULTS_FUNC(mod_authn_pam_set_defaults)81 SETDEFAULTS_FUNC(mod_authn_pam_set_defaults) {
82     static const config_plugin_keys_t cpk[] = {
83       { CONST_STR_LEN("auth.backend.pam.opts"),
84         T_CONFIG_ARRAY_KVSTRING,
85         T_CONFIG_SCOPE_CONNECTION }
86      ,{ NULL, 0,
87         T_CONFIG_UNSET,
88         T_CONFIG_SCOPE_UNSET }
89     };
90 
91     plugin_data * const p = p_d;
92     if (!config_plugin_values_init(srv, p, cpk, "mod_authn_pam"))
93         return HANDLER_ERROR;
94 
95     /* process and validate config directives
96      * (init i to 0 if global context; to 1 to skip empty global context) */
97     for (int i = !p->cvlist[0].v.u2[1]; i < p->nconfig; ++i) {
98         config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
99         for (; -1 != cpv->k_id; ++cpv) {
100             switch (cpv->k_id) {
101               case 0: /* auth.backend.pam.opts */
102                 if (cpv->v.a->used) {
103                     const data_string *ds = (const data_string *)
104                       array_get_element_klen(cpv->v.a,CONST_STR_LEN("service"));
105                     *(const void **)&cpv->v.v =
106                       (NULL != ds) ? ds->value.ptr : "http";
107                     cpv->vtype = T_CONFIG_LOCAL;
108                 }
109                 break;
110               default:/* should not happen */
111                 break;
112             }
113         }
114     }
115 
116     p->defaults.service = "http";
117 
118     /* initialize p->defaults from global config context */
119     if (p->nconfig > 0 && p->cvlist->v.u2[1]) {
120         const config_plugin_value_t *cpv = p->cvlist + p->cvlist->v.u2[0];
121         if (-1 != cpv->k_id)
122             mod_authn_pam_merge_config(&p->defaults, cpv);
123     }
124 
125     return HANDLER_GO_ON;
126 }
127 
mod_authn_pam_fn_conv(int num_msg,const struct pam_message ** msg,struct pam_response ** resp,void * appdata_ptr)128 static int mod_authn_pam_fn_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)  {
129     const char * const pw = (char *)appdata_ptr;
130     struct pam_response * const pr = *resp =
131       (struct pam_response *)malloc(num_msg * sizeof(struct pam_response));
132     for (int i = 0; i < num_msg; ++i) {
133         const int style = msg[i]->msg_style;
134         pr[i].resp_retcode = 0;
135         pr[i].resp = (style==PAM_PROMPT_ECHO_OFF || style==PAM_PROMPT_ECHO_ON)
136           ? strdup(pw)
137           : NULL;
138     }
139     return PAM_SUCCESS;
140 }
141 
mod_authn_pam_query(request_st * const r,void * p_d,const buffer * const username,const char * const realm,const char * const pw)142 static handler_t mod_authn_pam_query(request_st * const r, void *p_d, const buffer * const username, const char * const realm, const char * const pw) {
143     plugin_data *p = (plugin_data *)p_d;
144     pam_handle_t *pamh = NULL;
145     struct pam_conv conv = { mod_authn_pam_fn_conv, NULL };
146     const int flags = PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK;
147     int rc;
148     UNUSED(realm);
149     *(const char **)&conv.appdata_ptr = pw; /*(cast away const)*/
150 
151     mod_authn_pam_patch_config(r, p);
152 
153     const char * const addrstr = r->con->dst_addr_buf.ptr;
154     rc = pam_start(p->conf.service, username->ptr, &conv, &pamh);
155     if (PAM_SUCCESS != rc
156      || PAM_SUCCESS !=(rc = pam_set_item(pamh, PAM_RHOST, addrstr))
157      || PAM_SUCCESS !=(rc = pam_authenticate(pamh, flags))
158      || PAM_SUCCESS !=(rc = pam_acct_mgmt(pamh, flags)))
159         log_error(r->conf.errh, __FILE__, __LINE__,
160           "pam: %s", pam_strerror(pamh, rc));
161     pam_end(pamh, rc);
162     return (PAM_SUCCESS == rc) ? HANDLER_GO_ON : HANDLER_ERROR;
163 }
164 
mod_authn_pam_basic(request_st * const r,void * p_d,const http_auth_require_t * const require,const buffer * const username,const char * const pw)165 static handler_t mod_authn_pam_basic(request_st * const r, void *p_d, const http_auth_require_t * const require, const buffer * const username, const char * const pw) {
166     char *realm = require->realm->ptr;
167     handler_t rc = mod_authn_pam_query(r, p_d, username, realm, pw);
168     if (HANDLER_GO_ON != rc) return rc;
169     return http_auth_match_rules(require, username->ptr, NULL, NULL)
170       ? HANDLER_GO_ON  /* access granted */
171       : HANDLER_ERROR;
172 }
173 
174 int mod_authn_pam_plugin_init(plugin *p);
mod_authn_pam_plugin_init(plugin * p)175 int mod_authn_pam_plugin_init(plugin *p) {
176     p->version     = LIGHTTPD_VERSION_ID;
177     p->name        = "authn_pam";
178     p->init        = mod_authn_pam_init;
179     p->set_defaults= mod_authn_pam_set_defaults;
180 
181     return 0;
182 }
183