/*
   BAREOS® - Backup Archiving REcovery Open Sourced

   Copyright (C) 2001-2008 Free Software Foundation Europe e.V.
   Copyright (C) 2011-2012 Planets Communications B.V.
   Copyright (C) 2013-2020 Bareos GmbH & Co. KG

   This program is Free Software; you can redistribute it and/or
   modify it under the terms of version three of the GNU Affero General Public
   License as published by the Free Software Foundation and included
   in the file LICENSE.

   This program is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
   Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
   02110-1301, USA.
*/
/*
 * Kern Sibbald, May MMI
 */
/**
 * @file
 * Handles authorization of Consoles, Storage and File daemons.
 *
 * This routine runs as a thread and must be thread reentrant.
 */
32
33 #include "include/bareos.h"
34 #include "dird.h"
35 #include "dird/authenticate.h"
36 #if defined(HAVE_PAM)
37 #include "dird/auth_pam.h"
38 #endif
39 #include "dird/fd_cmds.h"
40 #include "dird/client_connection_handshake_mode.h"
41 #include "dird/dird_globals.h"
42 #include "dird/jcr_private.h"
43 #include "lib/bnet.h"
44 #include "lib/qualified_resource_name_type_converter.h"
45 #include "lib/bstringlist.h"
46 #include "lib/parse_conf.h"
47 #include "lib/util.h"
48
49 #include <array>
50
51 namespace directordaemon {
52
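// Debug level used for the authentication trace messages in this file.
static const int debuglevel = 50;

/*
 * Greeting sent by the Director to the Storage daemon and the File daemon.
 * printf-style: the single %s is the Director's (space-escaped) name.
 *
 * All protocol strings below are read-only data: they are used as format
 * strings (fsend/sscanf) and as comparison constants, so they must never be
 * writable at runtime.
 */
static const char hello[] = "Hello Director %s calling\n";

/*
 * Expected replies to the greeting: OKhello from the Storage daemon,
 * FDOKhello (legacy) or FDOKnewHello (with protocol version) from the File
 * daemon.
 */
static const char OKhello[] = "3000 OK Hello\n";
static const char FDOKhello[] = "2000 OK Hello\n";
static const char FDOKnewHello[] = "2000 OK Hello %d\n";

// Reply sent to a File daemon whose inbound authentication failed.
static const char dir_not_authorized_message[] =
    "1999 You are not authorized.\n";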
69
/**
 * Authenticate the Director towards a Storage daemon (outbound connection).
 *
 * The exchange is: send the "Hello Director <name> calling" line, run the
 * outbound authentication with the storage resource's password, then read
 * the reply and require it to match OKhello. Each failure is reported as a
 * fatal job message and ends the routine.
 *
 * @param sd    connected socket to the Storage daemon
 * @param jcr   job control record used for Jmsg reporting
 * @param store storage resource whose password_ is used to authenticate
 * @return true if the handshake completed, false at the first failing step
 */
bool AuthenticateWithStorageDaemon(BareosSocket* sd,
                                   JobControlRecord* jcr,
                                   StorageResource* store)
{
  // Our own resource name, spaces escaped so it is one token on the wire.
  char own_name[MAX_NAME_LENGTH];
  bstrncpy(own_name, me->resource_name_, sizeof(own_name));
  BashSpaces(own_name);

  sd->InitBnetDump(my_config->CreateOwnQualifiedNameForNetworkDump());

  if (!sd->fsend(hello, own_name)) {
    const char* err = BnetStrerror(sd);
    Dmsg1(debuglevel, _("Error sending Hello to Storage daemon. ERR=%s\n"),
          err);
    Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to Storage daemon. ERR=%s\n"),
         err);
    return false;
  }

  const bool authenticated = sd->AuthenticateOutboundConnection(
      jcr, my_config->CreateOwnQualifiedNameForNetworkDump(), own_name,
      store->password_, store);
  if (!authenticated) {
    Dmsg2(debuglevel,
          "Director unable to authenticate with Storage daemon at \"%s:%d\"\n",
          sd->host(), sd->port());
    Jmsg(jcr, M_FATAL, 0,
         _("Director unable to authenticate with Storage daemon at \"%s:%d\". "
           "Possible causes:\n"
           "Passwords or names not the same or\n"
           "TLS negotiation problem or\n"
           "Maximum Concurrent Jobs exceeded on the SD or\n"
           "SD networking messed up (restart daemon).\n"),
         sd->host(), sd->port());
    return false;
  }

  // Read the Storage daemon's answer to the Hello.
  Dmsg1(116, ">stored: %s", sd->msg);
  if (sd->recv() <= 0) {
    Jmsg3(jcr, M_FATAL, 0,
          _("dir<stored: \"%s:%s\" bad response to Hello command: ERR=%s\n"),
          sd->who(), sd->host(), sd->bstrerror());
    return false;
  }
  Dmsg1(110, "<stored: %s", sd->msg);

  // The reply has to match OKhello (the compared length includes the
  // terminator, so trailing data also counts as a rejection).
  const bool accepted = bstrncmp(sd->msg, OKhello, sizeof(OKhello));
  if (!accepted) {
    Dmsg0(debuglevel, _("Storage daemon rejected Hello command\n"));
    Jmsg2(jcr, M_FATAL, 0,
          _("Storage daemon at \"%s:%d\" rejected Hello command\n"),
          sd->host(), sd->port());
    return false;
  }

  return true;
}
125
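/**
 * Authenticate the Director towards a File daemon (outbound direction).
 *
 * Returns immediately if the job is already authenticated. In "TLS first"
 * handshake mode a TLS handshake is performed before any clear-text greeting.
 * Then the "Hello Director <name> calling" line is sent, outbound
 * authentication runs with the client resource's password, and the reply is
 * read: either the legacy "2000 OK Hello" or the versioned
 * "2000 OK Hello <n>", whose number is stored in jcr->impl->FDVersion.
 *
 * @param jcr job control record; file_bsock and impl->res.client must be set
 * @return true if the handshake completed, false at the first failing step
 */
bool AuthenticateWithFileDaemon(JobControlRecord* jcr)
{
  if (jcr->authenticated) { return true; }

  BareosSocket* fd = jcr->file_bsock;
  ClientResource* client = jcr->impl->res.client;

  if (jcr->impl->connection_handshake_try_
      == ClientConnectionHandshakeMode::kTlsFirst) {
    std::string qualified_resource_name;
    if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
            me->resource_name_, my_config->r_own_, qualified_resource_name)) {
      Dmsg0(
          100,
          "Could not generate qualified resource name for a client resource\n");
      return false;
    }

    if (!fd->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, client, false,
                            qualified_resource_name.c_str(),
                            client->password_.value, jcr)) {
      Dmsg0(100, "Could not DoTlsHandshake() with a file daemon\n");
      return false;
    }
  }

  // Our own resource name, spaces escaped so it is one token on the wire.
  char dirname[MAX_NAME_LENGTH];
  bstrncpy(dirname, me->resource_name_, sizeof(dirname));
  BashSpaces(dirname);

  fd->InitBnetDump(my_config->CreateOwnQualifiedNameForNetworkDump());
  if (!fd->fsend(hello, dirname)) {
    Jmsg(jcr, M_FATAL, 0,
         _("Error sending Hello to File daemon at \"%s:%d\". ERR=%s\n"),
         fd->host(), fd->port(), fd->bstrerror());
    return false;
  }
  Dmsg1(debuglevel, "Sent: %s", fd->msg);

  const bool auth_success = fd->AuthenticateOutboundConnection(
      jcr, my_config->CreateOwnQualifiedNameForNetworkDump(), dirname,
      client->password_, client);
  if (!auth_success) {
    // Keep the format string a literal and pass host()/port() as arguments.
    // The previous version pre-rendered this text with snprintf and then
    // handed the result to Dmsg0/Jmsg as the *format* argument, so a '%' in
    // the runtime host string would have been interpreted as a conversion.
    Dmsg2(debuglevel,
          _("Unable to authenticate with File daemon at \"%s:%d\"\n"),
          fd->host(), fd->port());
    Jmsg(jcr, M_FATAL, 0,
         _("Unable to authenticate with File daemon at \"%s:%d\"\n"),
         fd->host(), fd->port());
    return false;
  }

  Dmsg1(116, ">filed: %s", fd->msg);
  if (fd->recv() <= 0) {
    Dmsg1(debuglevel,
          _("Bad response from File daemon to Hello command: ERR=%s\n"),
          BnetStrerror(fd));
    Jmsg(jcr, M_FATAL, 0,
         _("Bad response from File daemon at \"%s:%d\" to Hello command: "
           "ERR=%s\n"),
         fd->host(), fd->port(), fd->bstrerror());
    return false;
  }
  Dmsg1(110, "<filed: %s", fd->msg);

  // Accept either the legacy reply or the versioned one. sscanf writes
  // FDVersion only when the versioned form matches, so reset it first.
  jcr->impl->FDVersion = 0;
  if (!bstrncmp(fd->msg, FDOKhello, sizeof(FDOKhello))
      && sscanf(fd->msg, FDOKnewHello, &jcr->impl->FDVersion) != 1) {
    Dmsg0(debuglevel, _("File daemon rejected Hello command\n"));
    Jmsg(jcr, M_FATAL, 0,
         _("File daemon at \"%s:%d\" rejected Hello command\n"), fd->host(),
         fd->port());
    return false;
  }

  return true;
}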
205
/**
 * Authenticate a File daemon that connected to the Director (inbound).
 *
 * Looks up the client resource named by @p client_name (unescaped in place),
 * checks that connections from that client are allowed, and runs the inbound
 * authentication with the client's password. An unknown client, a client that
 * may not connect, and a failed authentication are all answered with the same
 * "not authorized" line, logged, and followed by a five second pause before
 * returning. On success a "1000 OK" line carrying the Director's name and
 * version is sent.
 *
 * @param fd          socket the File daemon connected on
 * @param client_name client name as received in the Hello; unbashed in place
 * @return true when the client authenticated, false otherwise
 */
bool AuthenticateFileDaemon(BareosSocket* fd, char* client_name)
{
  UnbashSpaces(client_name);

  bool authenticated = false;
  ClientResource* client = static_cast<ClientResource*>(
      my_config->GetResWithName(R_CLIENT, client_name));
  if (client && IsConnectFromClientAllowed(client)) {
    authenticated = fd->AuthenticateInboundConnection(
        nullptr, my_config, client_name, client->password_, client);
  }

  if (!authenticated) {
    fd->fsend("%s", _(dir_not_authorized_message));
    Emsg4(M_ERROR, 0, _("Unable to authenticate client \"%s\" at %s:%s:%d.\n"),
          client_name, fd->who(), fd->host(), fd->port());
    sleep(5);  // slow down repeated failed attempts on this connection thread
    return false;
  }

  fd->fsend("1000 OK: %s Version: %s (%s)\n", my_name,
            kBareosVersionStrings.Full, kBareosVersionStrings.Date);
  return true;
}
235 } /* namespace directordaemon */