From 1b15efef7242e53e6408daf4d3b7f0500052e290 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:03:49 +0300 Subject: [PATCH 01/30] add support of mdb-iamproxy authentication --- sources/CMakeLists.txt | 3 +- sources/auth.c | 71 ++++++++++++++++ sources/mdb_iamproxy.c | 184 +++++++++++++++++++++++++++++++++++++++++ sources/mdb_iamproxy.h | 14 ++++ 4 files changed, 271 insertions(+), 1 deletion(-) create mode 100644 sources/mdb_iamproxy.c create mode 100644 sources/mdb_iamproxy.h diff --git a/sources/CMakeLists.txt b/sources/CMakeLists.txt index f1c6729ee..14137272a 100644 --- a/sources/CMakeLists.txt +++ b/sources/CMakeLists.txt @@ -49,7 +49,8 @@ set(od_src hashmap.c hba.c hba_reader.c - hba_rule.c) + hba_rule.c + mdb_iamproxy.c) if (PAM_FOUND) list(APPEND od_src pam.c) diff --git a/sources/auth.c b/sources/auth.c index d627cd270..be8abead8 100644 --- a/sources/auth.c +++ b/sources/auth.c 
@@ -646,6 +646,72 @@ static inline int od_auth_frontend_cert(od_client_t *client)
 return -1;
 }
+
+static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) {
+ od_instance_t *instance = client->global->instance;
+ od_route_t *route = client->route;
+
+ machine_msg_t *msg;
+ msg = kiwi_be_write_authentication_clear_text(NULL);
+ if (msg == NULL)
+ return -1;
+ int rc;
+ rc = od_write(&client->io, msg);
+ if (rc == -1) {
+ od_error(&instance->logger, "auth", client, NULL,
+ "write error: %s", od_io_error(&client->io));
+ return -1;
+ }
+
+ /* wait for password response */
+ while (1) {
+ msg = od_read(&client->io, UINT32_MAX);
+ if (msg == NULL) {
+ od_error(&instance->logger, "auth", client, NULL,
+ "read error: %s", od_io_error(&client->io));
+ return -1;
+ }
+ kiwi_fe_type_t type = *(char *)machine_msg_data(msg);
+ od_debug(&instance->logger, "auth", client, NULL, "%s",
+ kiwi_fe_type_to_string(type));
+ if (type == KIWI_FE_PASSWORD_MESSAGE)
+ break;
+ machine_msg_free(msg);
+ }
+
+ /* read password message */
+ kiwi_password_t client_token;
+ kiwi_password_init(&client_token);
+
+ rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg),
+ &client_token);
+ if (rc == -1) {
+ od_error(&instance->logger, "auth", client, NULL,
+ "password read error");
+ od_frontend_error(client, KIWI_PROTOCOL_VIOLATION,
+ "bad password message");
+ kiwi_password_free(&client_token);
+ machine_msg_free(msg);
+ return -1;
+ }
+
+ int authenticate_result = mdb_iamproxy_authenticate_user(
+ client->startup.user.value, client_token.password, instance, client);
+ kiwi_password_free(&client_token);
+ machine_msg_free(msg);
+ if (authenticate_result == OK_RESPONSE) {
+ return OK_RESPONSE;
+ }
+ goto auth_failed;
+
+auth_failed:
+ od_log(&instance->logger, "auth", client, NULL,
+ "user '%s.%s' incorrect password",
+ client->startup.database.value, client->startup.user.value);
+ od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password");
+ return NOT_OK_RESPONSE;
+}
+
 static inline int od_auth_frontend_block(od_client_t *client)
 {
 od_instance_t *instance = client->global->instance;
@@ -696,6 +762,11 @@ int od_auth_frontend(od_client_t *client)
 return -1;
 case OD_RULE_AUTH_NONE:
 break;
+ case OD_RULE_AUTH_MDB_IAMPROXY:
+ rc = od_auth_frontend_mdb_iamproxy(client);
+ if (rc == -1)
+ return -1;
+ break;
 default:
 assert(0);
 break;
diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c
new file mode 100644
index 000000000..562900ea5
--- /dev/null
+++ b/sources/mdb_iamproxy.c
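Review bot: `od_auth_frontend_mdb_iamproxy` requests the IAM token through `kiwi_be_write_authentication_clear_text` and never checks `client->startup.is_ssl_request`, so the token — presumably a bearer credential that the proxy accepts on its own — can travel over an unencrypted connection; `od_auth_frontend_cert` elsewhere in auth.c refuses non-TLS clients, and the same guard fits at the top here: `if (!client->startup.is_ssl_request) { od_frontend_error(client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, "TLS connection required"); return -1; }`. `mdb_iamproxy_authenticate_user` returns the same -1 for proxy unreachable, timeout and denial, so an outage of the auth proxy is logged and reported to the client as "incorrect password"; logging `authenticate_result` at `auth_failed` would let operators separate an infrastructure failure from a bad token. `route` is assigned but never used, and `goto auth_failed` jumps to the statement immediately following it, so both lines can be dropped. The `UINT32_MAX` read timeout matches the other frontend methods, but it does mean a client that never sends a PasswordMessage holds this coroutine open indefinitely.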
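Review bot: The new case returns only when `rc == -1`, but `od_auth_frontend_mdb_iamproxy` reports a denied token as `NOT_OK_RESPONSE` and I/O failures as `-1`; if those two constants are not the same value in this tree, a denied client falls through to `break` and continues as authenticated. Checking `if (rc != OK_RESPONSE) return -1;` fails closed regardless of how the constants are defined. The rest of `od_auth_frontend` lies outside the hunk.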
@@ -0,0 +1,184 @@
+
+/*
+ * Odyssey.
+ *
+ * Scalable PostgreSQL connection pooler.
+ */
+
+#include
+#include
+#include
+#include
+
+/*CONNECTION CALLBACK TYPES*/
+#define MDB_IAMPROXY_CONN_ERROR -1
+#define MDB_IAMPROXY_CONN_TIMEOUT -1
+#define MDB_IAMPROXY_CONN_ACCEPTED 0
+#define MDB_IAMPROXY_CONN_DENIED -1
+
+#define MDB_IAMPROXY_RES_ERROR -1
+#define MDB_IAMPROXY_RES_OK 0
+
+/*AUTHENTICATION TIMEOUT LIMIT*/
+#define MDB_IAMPROXY_BYTE_SIZE 8
+#define MDB_IAMPROXY_DEFAULT_HEADER_SIZE 8
+#define MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS 1
+
+#define MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT 1000
+#define MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT 1000
+
+/*PAM SOCKET FILE*/
+#define MDB_IAMPROXY_DEFAULT_SOCKET_FILE \
+ "/var/run/iam-auth-proxy/iam-auth-proxy.sock" // PAM SOCKET FILE place
+
+int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) {
+ /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/
+ int64_t recv_result = MDB_IAMPROXY_CONN_ACCEPTED;
+ uint64_t body_size = 0;
+ unsigned char header_byte;
+
+ /*RECIEVE HEADER*/
+ for (int i = 0; i < MDB_IAMPROXY_BYTE_SIZE; ++i) {
+ if (recv(socket_fd, &header_byte, sizeof(header_byte), 0) < 0) { // error during recieve msg header byte
+ recv_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_start;
+ }
+ body_size = (body_size | (((unsigned)header_byte) << (MDB_IAMPROXY_BYTE_SIZE * i)));
+ }
+
+ /*RECIEVE BODY*/
+ if (recv(socket_fd, msg_body, body_size, 0) < 0) { // error during recieing nsg body
+ recv_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_end;
+ }
+
+free_start:
+free_end:
+ return recv_result;
+}
+
+int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) {
+ /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/
+ int32_t send_result = MDB_IAMPROXY_RES_OK;
+ uint64_t body_size = strlen(send_msg) + 1; // stores size of message (add one byte for 'c\0')
+ uint64_t current_body_size = body_size;
+ uint64_t msg_size = sizeof(body_size) + body_size;
+ char *msg = (char *)calloc(msg_size, sizeof(*msg)); // allocate memory for msg buffer
+ if (msg == NULL) { // error during allocating memory for msg buffer
+ send_result = MDB_IAMPROXY_RES_ERROR;
+ goto free_end;
+ }
+
+ /*COPY ALL DATA TO BUFFER FOR SENDING*/
+ for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { // coping header to msg buffer
+ msg[i] = (current_body_size & 0xFF);
+ current_body_size >>= MDB_IAMPROXY_BYTE_SIZE;
+ }
+ memcpy(msg + sizeof(body_size), send_msg, body_size); // coping body to msg buffer
+
+ /*SEND TO SOCKET*/
+ if (send(socket_fd, msg, msg_size, 0) < 0) { // error during sending data
+ send_result = MDB_IAMPROXY_RES_ERROR;
+ goto free_start;
+ }
+
+free_start:
+ free(msg);
+free_end:
+ return send_result;
+}
+
+int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_instance_t *instance, od_client_t *client) {
+ char auth_status = 0; // auth_status stores one byte if it's 0 => not authenticated
+ char external_user[512]; // store subject_id of authenticated client
+ int32_t authentication_result = MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED)
+ int32_t correct_sending = MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy
+ int32_t correct_recieving = MDB_IAMPROXY_CONN_ACCEPTED; // store status of recieving data from iam-auth-proxy
+ int64_t socket_fd; // stores file descripotor for DEFAULT_SOCKET_FILE
+ int64_t poll_result = 1; // stores return value of poll() function
+
+ /*SOCKET SETUP*/
+ struct sockaddr_un exchange_socket; // socket for interprocceses connection
+ memset(&exchange_socket, 0, sizeof(exchange_socket));
+ exchange_socket.sun_family = AF_UNIX;
+ strcpy(exchange_socket.sun_path, MDB_IAMPROXY_DEFAULT_SOCKET_FILE);
+
+ /*GET SOCKET FILE DESCRIPTOR*/
+ socket_fd = socket(AF_UNIX, SOCK_STREAM, 0); // get socket file descriptor
+ if (socket_fd < 0) { // error during getting socket file descriptor
+ authentication_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_end;
+ }
+
+ /*SET SOCKET FLAGS AND WRITE SOCKET_FD to fds*/
+ fcntl(socket_fd, F_SETFL, O_NONBLOCK); // set non block flag for connection
+ struct pollfd fds; // stores info about socket_fd and it's (socket_fd) status
+ fds.fd = socket_fd; // set socket_value
+ fds.events = POLLOUT; // waiting for write
+
+ /*CONNECT TO SOCKET*/
+ connect(socket_fd, (struct sockaddr *)&exchange_socket, sizeof(exchange_socket));
+
+ /*WAIT FOR CONNECTION*/
+ poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT);
+ if (poll_result == -1) { // error during connecting to socket
+ authentication_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_start;
+ } else if (poll_result == 0) { // reach timeout shile waiting for socket
+ authentication_result = MDB_IAMPROXY_CONN_TIMEOUT;
+ goto free_start;
+ }
+
+ /*COMMUNICATE WITH SOCKET*/
+ correct_sending = mdb_iamproxy_send_to_socket(socket_fd, username); // send USERNAME to socket
+ if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket
+ authentication_result = correct_sending;
+ goto free_start;
+ }
+ correct_sending = mdb_iamproxy_send_to_socket(socket_fd, token); // send TOKEN to socket
+ if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket
+ authentication_result = correct_sending;
+ goto free_start;
+ }
+
+ /*WAIT FOR IAM-PROXY RESPONSE*/
+ fds.events = POLLIN;
+ poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT);
+ if (poll_result == -1) { // error during waiting for reading from socket
+ authentication_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_start;
+ } else if (poll_result == 0) { // reach timeout while waiting for socket
+ authentication_result = MDB_IAMPROXY_CONN_TIMEOUT;
+ goto free_start;
+ }
+
+ /*COMMUNUCATE WITH SOCKET*/
+ correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, &auth_status); // recieve auth_status from socket
+ if (correct_recieving != 
MDB_IAMPROXY_CONN_ACCEPTED) { // recieving is not completed successfully + authentication_result = correct_recieving; + goto free_start; + } + + if ((unsigned)auth_status) { + authentication_result = MDB_IAMPROXY_CONN_ACCEPTED; + } else { + authentication_result = MDB_IAMPROXY_CONN_DENIED; + } + + correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, external_user); // recieve subject_id from socket + if (correct_recieving != MDB_IAMPROXY_CONN_ACCEPTED) { // recieveing is not completed successfully + authentication_result = correct_recieving; + goto free_start; + } + + od_log(&instance->logger, "auth", client, NULL, + "user '%s.%s' was authenticated with subject_id: %s", + client->startup.database.value, client->startup.user.value, external_user); + + /*FREE RESOURCES*/ +free_start: + close(socket_fd); +free_end: + /*RETURN RESULT*/ + return authentication_result; +} diff --git a/sources/mdb_iamproxy.h b/sources/mdb_iamproxy.h new file mode 100644 index 000000000..84617b54b --- /dev/null +++ b/sources/mdb_iamproxy.h @@ -0,0 +1,14 @@ +#ifndef ODYSSEY_IAMPROXY_H +#define ODYSSEY_IAMPROXY_H + +/* + * Odyssey. + * + * Scalable PostgreSQL connection pooler. + */ + +int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body); +int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg); +int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_instance_t *instance, od_client_t *client); + +#endif /* ODYSSEY_IAMPROXy_H */ From b55ca49eac49e43a4dd209bcfb633b25029a1ad5 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:09:48 +0300 Subject: [PATCH 02/30] remove some functions from mdb_iamproxy header file --- sources/auth.c | 2 +- sources/mdb_iamproxy.h | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index be8abead8..6daf75eec 100644 --- a/sources/auth.c +++ b/sources/auth.c 
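Review bot: `mdb_iamproxy_recv_from_socket` takes the body length from the 8-byte header the peer sends and then calls `recv(socket_fd, msg_body, body_size, 0)` with no bound, while its callers pass `&auth_status` (a single `char`) and `external_user[512]`; whatever answers on `/var/run/iam-auth-proxy/iam-auth-proxy.sock` — a compromised or merely buggy proxy, or any local process able to bind that path first — can therefore overwrite the pooler's stack. The same header loop shifts `(unsigned)header_byte` by up to 56 bits, undefined behaviour for a 32-bit `unsigned`, and because `fcntl` has made the socket non-blocking a short read, `EAGAIN` or a `0` (EOF) return goes undetected, so `external_user` can reach `od_log`'s `%s` unterminated. `connect()`'s return value is discarded and `fds.revents` is never inspected after the `POLLOUT` wait, so a refused connection (reported as ready with `POLLHUP`/`POLLERR`) still proceeds to send the username and token; a guard such as `if (poll_result == -1 || (fds.revents & (POLLERR | POLLHUP | POLLNVAL)))` before the sends closes that. Below is a bounded, exact-length receive with the length validated against the caller's buffer; the two call sites pass `sizeof(auth_status)` and `sizeof(external_user) - 1` (with `external_user` zero-initialised so it is always NUL-terminated), and the prototype in mdb_iamproxy.h gains the `msg_cap` parameter.
```c
/* Read exactly len bytes, waiting on poll() between short reads (the socket is non-blocking). */
static int mdb_iamproxy_recv_exact(int socket_fd, void *buf, size_t len)
{
	size_t got = 0;
	while (got < len) {
		ssize_t n = recv(socket_fd, (char *)buf + got, len - got, 0);
		if (n > 0) {
			got += (size_t)n;
			continue;
		}
		if (n == 0) /* peer closed before sending the whole message */
			return MDB_IAMPROXY_CONN_ERROR;
		if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINTR)
			return MDB_IAMPROXY_CONN_ERROR;
		struct pollfd fds = { .fd = socket_fd, .events = POLLIN };
		if (poll(&fds, 1, MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT) <= 0)
			return MDB_IAMPROXY_CONN_TIMEOUT;
	}
	return MDB_IAMPROXY_CONN_ACCEPTED;
}

int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body, size_t msg_cap) {
	unsigned char header[MDB_IAMPROXY_DEFAULT_HEADER_SIZE];
	uint64_t body_size = 0;

	if (mdb_iamproxy_recv_exact(socket_fd, header, sizeof(header)) != MDB_IAMPROXY_CONN_ACCEPTED)
		return MDB_IAMPROXY_CONN_ERROR;
	for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i)
		body_size |= (uint64_t)header[i] << (MDB_IAMPROXY_BYTE_SIZE * i); /* little-endian, widened before the shift */

	/* The peer chooses body_size; it must never exceed the caller's buffer. */
	if (body_size > msg_cap)
		return MDB_IAMPROXY_CONN_ERROR;
	return mdb_iamproxy_recv_exact(socket_fd, msg_body, (size_t)body_size);
}

/* … unchanged: mdb_iamproxy_send_to_socket … */

int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_instance_t *instance, od_client_t *client) {
	char auth_status = 0;
	char external_user[512] = { 0 }; /* zeroed so a reply filling the buffer is still NUL-terminated */
	/* … unchanged: socket setup, connect, sends, POLLIN wait … */
	correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, &auth_status, sizeof(auth_status));
	/* … unchanged: auth_status check … */
	correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, external_user, sizeof(external_user) - 1);
	/* … unchanged: od_log, cleanup, return … */
}
```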
@@ -761,7 +761,7 @@ int od_auth_frontend(od_client_t *client) od_auth_frontend_block(client); return -1; case OD_RULE_AUTH_NONE: - break; + break; case OD_RULE_AUTH_MDB_IAMPROXY: rc = od_auth_frontend_mdb_iamproxy(client); if (rc == -1) diff --git a/sources/mdb_iamproxy.h b/sources/mdb_iamproxy.h index 84617b54b..f0d37907f 100644 --- a/sources/mdb_iamproxy.h +++ b/sources/mdb_iamproxy.h @@ -7,8 +7,6 @@ * Scalable PostgreSQL connection pooler. */ -int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body); -int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg); int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_instance_t *instance, od_client_t *client); #endif /* ODYSSEY_IAMPROXy_H */ From 326cbecf59715fdbf048d97f297c83940f3df7ec Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:14:31 +0300 Subject: [PATCH 03/30] fix tabs in auth.c --- sources/auth.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index 6daf75eec..ea70cbee0 100644 --- a/sources/auth.c +++ b/sources/auth.c @@ -762,11 +762,11 @@ int od_auth_frontend(od_client_t *client) return -1; case OD_RULE_AUTH_NONE: break; - case OD_RULE_AUTH_MDB_IAMPROXY: - rc = od_auth_frontend_mdb_iamproxy(client); - if (rc == -1) - return -1; - break; + case OD_RULE_AUTH_MDB_IAMPROXY: + rc = od_auth_frontend_mdb_iamproxy(client); + if (rc == -1) + return -1; + break; default: assert(0); break; From fbfc91d27826a881d375830d6ec3e0f2f561edec Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:16:46 +0300 Subject: [PATCH 04/30] fix tabs in auth.c (2) --- sources/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources/auth.c b/sources/auth.c index ea70cbee0..02d71094a 100644 --- a/sources/auth.c +++ b/sources/auth.c 
@@ -761,7 +761,7 @@ int od_auth_frontend(od_client_t *client) od_auth_frontend_block(client); return -1; case OD_RULE_AUTH_NONE: - break; + break; case OD_RULE_AUTH_MDB_IAMPROXY: rc = od_auth_frontend_mdb_iamproxy(client); if (rc == -1) From 21e6a8da0b626ea4e4bdaf7b0e7726f94b3fe8af Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:18:56 +0300 Subject: [PATCH 05/30] fix tabs in sources --- sources/auth.c | 668 ++++++++++++++++++++--------------------- sources/mdb_iamproxy.c | 272 ++++++++--------- 2 files changed, 470 insertions(+), 470 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index 02d71094a..b8db91c40 100644 --- a/sources/auth.c +++ b/sources/auth.c @@ -23,7 +23,7 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } @@ -32,12 +32,12 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); + "read error: %s", od_io_error(&client->io)); return -1; } kiwi_fe_type_t type = *(char *)machine_msg_data(msg); od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); + kiwi_fe_type_to_string(type)); if (type == KIWI_FE_PASSWORD_MESSAGE) break; machine_msg_free(msg); 
@@ -48,12 +48,12 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) kiwi_password_init(&client_token); rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg), - &client_token); + &client_token); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "password read error"); + "password read error"); od_frontend_error(client, KIWI_PROTOCOL_VIOLATION, - "bad password message"); + "bad password message"); kiwi_password_free(&client_token); machine_msg_free(msg); return -1; @@ -62,7 +62,7 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) if (route->rule->enable_password_passthrough) { kiwi_password_copy(&client->received_password, &client_token); od_debug(&instance->logger, "auth", client, NULL, - "saved user password to perform backend auth"); + "saved user password to perform backend auth"); } od_extention_t *extentions = client->global->extentions; @@ -70,8 +70,8 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) #ifdef LDAP_FOUND if (client->rule->ldap_endpoint_name) { od_debug(&instance->logger, "auth", client, NULL, - "checking passwd against ldap endpoint %s", - client->rule->ldap_endpoint_name); + "checking passwd against ldap endpoint %s", + client->rule->ldap_endpoint_name); rc = od_auth_ldap(client, &client_token); kiwi_password_free(&client_token); @@ -106,11 +106,11 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) /* support PAM authentication */ if (client->rule->auth_pam_service) { od_pam_convert_passwd(client->rule->auth_pam_data, - client_token.password); + client_token.password); rc = od_pam_auth(client->rule->auth_pam_service, - client->startup.user.value, - client->rule->auth_pam_data, client->io.io); + client->startup.user.value, + client->rule->auth_pam_data, client->io.io); kiwi_password_free(&client_token); machine_msg_free(msg); if (rc == -1) { 
@@ -126,15 +126,15 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) char peer[128]; od_getpeername(client->io.io, peer, sizeof(peer), 1, 0); od_debug(&instance->logger, "auth", client, NULL, - "running auth_query for peer %s", peer); + "running auth_query for peer %s", peer); rc = od_auth_query(client, peer); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "failed to make auth_query"); + "failed to make auth_query"); od_frontend_error( - client, - KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "failed to make auth query"); + client, + KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "failed to make auth query"); kiwi_password_free(&client_token); machine_msg_free(msg); return NOT_OK_RESPONSE; @@ -143,11 +143,11 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) // TODO: consider support for empty password case. if (client->password.password == NULL) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect user from %s", - client->startup.database.value, - client->startup.user.value, peer); + "user '%s.%s' incorrect user from %s", + client->startup.database.value, + client->startup.user.value, peer); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect user"); + "incorrect user"); kiwi_password_free(&client_token); machine_msg_free(msg); return NOT_OK_RESPONSE; @@ -170,8 +170,8 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) auth_failed: od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect password", - client->startup.database.value, client->startup.user.value); + "user '%s.%s' incorrect password", + client->startup.database.value, client->startup.user.value); od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password"); return NOT_OK_RESPONSE; } 
@@ -193,7 +193,7 @@ static inline int od_auth_frontend_md5(od_client_t *client) rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } @@ -202,12 +202,12 @@ static inline int od_auth_frontend_md5(od_client_t *client) msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); + "read error: %s", od_io_error(&client->io)); return -1; } kiwi_fe_type_t type = *(char *)machine_msg_data(msg); od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); + kiwi_fe_type_to_string(type)); if (type == KIWI_FE_PASSWORD_MESSAGE) break; machine_msg_free(msg); @@ -217,12 +217,12 @@ static inline int od_auth_frontend_md5(od_client_t *client) kiwi_password_t client_token; kiwi_password_init(&client_token); rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg), - &client_token); + &client_token); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "password read error"); + "password read error"); od_frontend_error(client, KIWI_PROTOCOL_VIOLATION, - "bad password message"); + "bad password message"); kiwi_password_free(&client_token); machine_msg_free(msg); return -1; @@ -241,11 +241,11 @@ static inline int od_auth_frontend_md5(od_client_t *client) rc = od_auth_query(client, peer); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "failed to make auth_query"); + "failed to make auth_query"); od_frontend_error( - client, - KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "failed to make auth query"); + client, + KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "failed to make auth query"); kiwi_password_free(&client_token); kiwi_password_free(&query_password); machine_msg_free(msg); 
@@ -255,11 +255,11 @@ static inline int od_auth_frontend_md5(od_client_t *client) // TODO: consider support for empty password case. if (client->password.password == NULL) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect user from %s", - client->startup.database.value, - client->startup.user.value, peer); + "user '%s.%s' incorrect user from %s", + client->startup.database.value, + client->startup.user.value, peer); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect user"); + "incorrect user"); kiwi_password_free(&client_token); machine_msg_free(msg); return -1; @@ -275,19 +275,19 @@ static inline int od_auth_frontend_md5(od_client_t *client) #ifdef LDAP_FOUND if (client->rule->ldap_endpoint) { od_debug(&instance->logger, "auth", client, NULL, - "checking passwd against ldap endpoint %s", - client->rule->ldap_endpoint_name); + "checking passwd against ldap endpoint %s", + client->rule->ldap_endpoint_name); rc = od_auth_ldap(client, &client_token); kiwi_password_free(&client_token); machine_msg_free(msg); if (rc != OK_RESPONSE) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect password", - client->startup.database.value, - client->startup.user.value); + "user '%s.%s' incorrect password", + client->startup.database.value, + client->startup.user.value); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect password"); + "incorrect password"); return NOT_OK_RESPONSE; } return OK_RESPONSE; 
@@ -296,12 +296,12 @@ static inline int od_auth_frontend_md5(od_client_t *client) /* prepare password hash */ rc = kiwi_password_md5(&client_password, client->startup.user.value, - client->startup.user.value_len - 1, - query_password.password, - query_password.password_len, (char *)&salt); + client->startup.user.value_len - 1, + query_password.password, + query_password.password_len, (char *)&salt); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "memory allocation error"); + "memory allocation error"); kiwi_password_free(&client_password); kiwi_password_free(&client_token); if (client->rule->auth_query) @@ -318,11 +318,11 @@ static inline int od_auth_frontend_md5(od_client_t *client) if (!check) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect password", - client->startup.database.value, - client->startup.user.value); + "user '%s.%s' incorrect password", + client->startup.database.value, + client->startup.user.value); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect password"); + "incorrect password"); return -1; } @@ -351,7 +351,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) int rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } @@ -361,7 +361,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); + "read error: %s", od_io_error(&client->io)); return -1; } 
@@ -369,7 +369,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) kiwi_fe_type_t type = *(char *)machine_msg_data(msg); od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); + kiwi_fe_type_to_string(type)); if (type == KIWI_FE_PASSWORD_MESSAGE) break; @@ -382,22 +382,22 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) char *auth_data; size_t auth_data_size; rc = kiwi_be_read_authentication_sasl_initial(machine_msg_data(msg), - machine_msg_size(msg), - &mechanism, &auth_data, - &auth_data_size); + machine_msg_size(msg), + &mechanism, &auth_data, + &auth_data_size); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed SASLInitialResponse message"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed SASLInitialResponse message"); machine_msg_free(msg); return -1; } if (strcmp(mechanism, "SCRAM-SHA-256") != 0 && - strcmp(mechanism, "SCRAM-SHA-256-PLUS") != 0) { + strcmp(mechanism, "SCRAM-SHA-256-PLUS") != 0) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: unsupported SASL authorization mechanism"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: unsupported SASL authorization mechanism"); machine_msg_free(msg); return -1; } @@ -412,11 +412,11 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) rc = od_auth_query(client, peer); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "frontend auth: failed to make auth_query"); + "frontend auth: failed to make auth_query"); od_frontend_error( - client, - KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: failed to make auth query"); + client, + KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: failed to make auth query"); kiwi_password_free(&query_password); machine_msg_free(msg); return -1; 
@@ -425,11 +425,11 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) // TODO: consider support for empty password case. if (client->password.password == NULL) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect user from %s", - client->startup.database.value, - client->startup.user.value, peer); + "user '%s.%s' incorrect user from %s", + client->startup.database.value, + client->startup.user.value, peer); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect user"); + "incorrect user"); machine_msg_free(msg); return -1; } 
@@ -445,49 +445,49 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) /* try to parse authentication data */ rc = od_scram_read_client_first_message(&scram_state, auth_data, - auth_data_size); + auth_data_size); machine_msg_free(msg); switch (rc) { - case 0: - break; + case 0: + break; - case -1: - return -1; + case -1: + return -1; - case -2: - od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed SASLInitialResponse message"); - return -1; + case -2: + od_frontend_error( + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed SASLInitialResponse message"); + return -1; - case -3: - od_frontend_error( - client, KIWI_FEATURE_NOT_SUPPORTED, - "frontend auth: doesn't support channel binding at the moment"); - return -1; + case -3: + od_frontend_error( + client, KIWI_FEATURE_NOT_SUPPORTED, + "frontend auth: doesn't support channel binding at the moment"); + return -1; - case -4: - od_frontend_error( - client, KIWI_FEATURE_NOT_SUPPORTED, - "frontend auth: doesn't support authorization identity at the moment"); - return -1; + case -4: + od_frontend_error( + client, KIWI_FEATURE_NOT_SUPPORTED, + "frontend auth: doesn't support authorization identity at the moment"); + return -1; - case OD_SASL_ERROR_MANDATORY_EXT: - od_frontend_error( - client, KIWI_FEATURE_NOT_SUPPORTED, - "frontend auth: doesn't support mandatory extensions at the moment"); - return -1; + case OD_SASL_ERROR_MANDATORY_EXT: + od_frontend_error( + client, KIWI_FEATURE_NOT_SUPPORTED, + "frontend auth: doesn't support mandatory extensions at the moment"); + return -1; } rc = od_scram_parse_verifier(&scram_state, query_password.password); if (rc == -1) rc = od_scram_init_from_plain_password(&scram_state, - query_password.password); + query_password.password); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: invalid user password or SCRAM secret, check your 
config"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: invalid user password or SCRAM secret, check your config"); return -1; } @@ -503,7 +503,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } @@ -515,7 +515,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); + "read error: %s", od_io_error(&client->io)); return -1; } @@ -523,7 +523,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) kiwi_fe_type_t type = *(char *)machine_msg_data(msg); od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); + kiwi_fe_type_to_string(type)); if (type == KIWI_FE_PASSWORD_MESSAGE) break; @@ -533,13 +533,13 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) /* read the SASLResponse */ rc = kiwi_be_read_authentication_sasl(machine_msg_data(msg), - machine_msg_size(msg), &auth_data, - &auth_data_size); + machine_msg_size(msg), &auth_data, + &auth_data_size); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed client SASLResponse"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed client SASLResponse"); machine_msg_free(msg); return -1; 
@@ -549,13 +549,13 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) size_t final_nonce_size; char *client_proof; rc = od_scram_read_client_final_message(client->io.io, &scram_state, - auth_data, auth_data_size, - &final_nonce, &final_nonce_size, - &client_proof); + auth_data, auth_data_size, + &final_nonce, &final_nonce_size, + &client_proof); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed client SASLResponse"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed client SASLResponse"); machine_msg_free(msg); return -1; @@ -563,11 +563,11 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) /* verify signatures */ rc = od_scram_verify_final_nonce(&scram_state, final_nonce, - final_nonce_size); + final_nonce_size); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed client SASLResponse: nonce doesn't match"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed client SASLResponse: nonce doesn't match"); machine_msg_free(msg); return -1; @@ -576,8 +576,8 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) rc = od_scram_verify_client_proof(&scram_state, client_proof); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: password authentication failed"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: password authentication failed"); machine_msg_free(msg); return -1; @@ -596,7 +596,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } 
@@ -611,10 +611,10 @@ static inline int od_auth_frontend_cert(od_client_t *client) od_instance_t *instance = client->global->instance; if (!client->startup.is_ssl_request) { od_error(&instance->logger, "auth", client, NULL, - "TLS connection required"); + "TLS connection required"); od_frontend_error(client, - KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "TLS connection required"); + KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "TLS connection required"); return -1; } 
@@ -640,91 +640,91 @@ static inline int od_auth_frontend_cert(od_client_t *client)
 }
 od_error(&instance->logger, "auth", client, NULL,
- "TLS certificate common name mismatch");
+ "TLS certificate common name mismatch");
 od_frontend_error(client, KIWI_INVALID_PASSWORD,
- "TLS certificate common name mismatch");
+ "TLS certificate common name mismatch");
 return -1;
 }
 static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) {
- od_instance_t *instance = client->global->instance;
- od_route_t *route = client->route;
-
- machine_msg_t *msg;
- msg = kiwi_be_write_authentication_clear_text(NULL);
- if (msg == NULL)
- return -1;
- int rc;
- rc = od_write(&client->io, msg);
- if (rc == -1) {
- od_error(&instance->logger, "auth", client, NULL,
- "write error: %s", od_io_error(&client->io));
- return -1;
- }
-
- /* wait for password response */
- while (1) {
- msg = od_read(&client->io, UINT32_MAX);
- if (msg == NULL) {
- od_error(&instance->logger, "auth", client, NULL,
- "read error: %s", od_io_error(&client->io));
- return -1;
- }
- kiwi_fe_type_t type = *(char *)machine_msg_data(msg);
- od_debug(&instance->logger, "auth", client, NULL, "%s",
- kiwi_fe_type_to_string(type));
- if (type == KIWI_FE_PASSWORD_MESSAGE)
- break;
- machine_msg_free(msg);
- }
-
- /* read password message */
- kiwi_password_t client_token;
- kiwi_password_init(&client_token);
-
- rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg),
- &client_token);
- if (rc == -1) {
- od_error(&instance->logger, "auth", client, NULL,
- "password read error");
- od_frontend_error(client, KIWI_PROTOCOL_VIOLATION,
- "bad password message");
- kiwi_password_free(&client_token);
- machine_msg_free(msg);
- return -1;
- }
-
- int authenticate_result = mdb_iamproxy_authenticate_user(
- client->startup.user.value, client_token.password, instance, client);
- kiwi_password_free(&client_token);
- machine_msg_free(msg);
- if (authenticate_result == OK_RESPONSE) {
- return OK_RESPONSE;
- }
- goto auth_failed;
+ od_instance_t *instance = client->global->instance;
+ od_route_t *route = client->route;
+
+ machine_msg_t *msg;
+ msg = kiwi_be_write_authentication_clear_text(NULL);
+ if (msg == NULL)
+ return -1;
+ int rc;
+ rc = od_write(&client->io, msg);
+ if (rc == -1) {
+ od_error(&instance->logger, "auth", client, NULL,
+ "write error: %s", od_io_error(&client->io));
+ return -1;
+ }
+
+ /* wait for password response */
+ while (1) {
+ msg = od_read(&client->io, UINT32_MAX);
+ if (msg == NULL) {
+ od_error(&instance->logger, "auth", client, NULL,
+ "read error: %s", od_io_error(&client->io));
+ return -1;
+ }
+ kiwi_fe_type_t type = *(char *)machine_msg_data(msg);
+ od_debug(&instance->logger, "auth", client, NULL, "%s",
+ kiwi_fe_type_to_string(type));
+ if (type == KIWI_FE_PASSWORD_MESSAGE)
+ break;
+ machine_msg_free(msg);
+ }
+
+ /* read password message */
+ kiwi_password_t client_token;
+ kiwi_password_init(&client_token);
+
+ rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg),
+ &client_token);
+ if (rc == -1) {
+ od_error(&instance->logger, "auth", client, NULL,
+ "password read error");
+ od_frontend_error(client, KIWI_PROTOCOL_VIOLATION,
+ "bad password message");
+ kiwi_password_free(&client_token);
+ machine_msg_free(msg);
+ return -1;
+ }
+
+ int authenticate_result = mdb_iamproxy_authenticate_user(
+ client->startup.user.value, client_token.password, instance, client);
+ kiwi_password_free(&client_token);
+ machine_msg_free(msg);
+ if (authenticate_result == OK_RESPONSE) {
+ return OK_RESPONSE;
+ }
+ goto auth_failed;
 auth_failed:
- od_log(&instance->logger, "auth", client, NULL,
- "user '%s.%s' incorrect password",
- client->startup.database.value, client->startup.user.value);
- od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password");
- return NOT_OK_RESPONSE;
+ od_log(&instance->logger, "auth", client, NULL,
+ "user '%s.%s' incorrect password",
+ client->startup.database.value, client->startup.user.value);
+ od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password");
+ return NOT_OK_RESPONSE;
 }
 static inline int od_auth_frontend_block(od_client_t *client)
 {
 od_instance_t *instance = client->global->instance;
 od_log(&instance->logger, "auth", client, NULL,
- "user '%s.%s' is blocked", client->startup.database.value,
- client->startup.user.value);
+ "user '%s.%s' is blocked", client->startup.database.value,
+ client->startup.user.value);
 od_frontend_error(
- client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION,
- "user blocked: %s %s",
- client->rule->db_is_default ? "(unknown database)" :
- client->startup.database.value,
- client->rule->user_is_default ? "(unknown user)" :
- client->startup.user.value);
+ client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION,
+ "user blocked: %s %s",
+ client->rule->db_is_default ? "(unknown database)" :
+ client->startup.database.value,
+ client->rule->user_is_default ? "(unknown user)" :
+ client->startup.user.value);
 return 0;
 }
@@ -735,41 +735,41 @@ int od_auth_frontend(od_client_t *client)
 /* authentication mode */
 int rc;
 switch (client->rule->auth_mode) {
- case OD_RULE_AUTH_CLEAR_TEXT:
- rc = od_auth_frontend_cleartext(client);
- if (rc == -1)
- return -1;
- break;
- case OD_RULE_AUTH_MD5:
- rc = od_auth_frontend_md5(client);
- if (rc == -1)
- return -1;
- break;
+ case OD_RULE_AUTH_CLEAR_TEXT:
+ rc = od_auth_frontend_cleartext(client);
+ if (rc == -1)
+ return -1;
+ break;
+ case OD_RULE_AUTH_MD5:
+ rc = od_auth_frontend_md5(client);
+ if (rc == -1)
+ return -1;
+ break;
 #ifdef USE_SCRAM
- case OD_RULE_AUTH_SCRAM_SHA_256:
- rc = od_auth_frontend_scram_sha_256(client);
- if (rc == -1)
- return -1;
- break;
+ case OD_RULE_AUTH_SCRAM_SHA_256:
+ rc = od_auth_frontend_scram_sha_256(client);
+ if (rc == -1)
+ return -1;
+ break;
 #endif
- case OD_RULE_AUTH_CERT:
- rc = od_auth_frontend_cert(client);
- if (rc == -1)
- return -1;
- break;
- case OD_RULE_AUTH_BLOCK:
- od_auth_frontend_block(client);
- return -1;
- case OD_RULE_AUTH_NONE:
- break;
- case OD_RULE_AUTH_MDB_IAMPROXY:
- rc = od_auth_frontend_mdb_iamproxy(client);
- if (rc == -1)
+ case OD_RULE_AUTH_CERT:
+ rc = od_auth_frontend_cert(client);
+ if (rc == -1)
+ return -1;
+ break;
+ case OD_RULE_AUTH_BLOCK:
+ od_auth_frontend_block(client);
 return -1;
- break;
- default:
- assert(0);
- break;
+ case OD_RULE_AUTH_NONE:
+ break;
+ case OD_RULE_AUTH_MDB_IAMPROXY:
+ rc = od_auth_frontend_mdb_iamproxy(client);
+ if (rc == -1)
+ return -1;
+ break;
+ default:
+ assert(0);
+ break;
 }
 /* pass */
@@ -780,21 +780,21 @@ int od_auth_frontend(od_client_t *client)
 rc = od_write(&client->io, msg);
 if (rc == -1) {
 od_error(&instance->logger, "auth", client, NULL,
- "write error: %s", od_io_error(&client->io));
+ "write error: %s", od_io_error(&client->io));
 return -1;
 }
 return 0;
 }
 static inline int od_auth_backend_cleartext(od_server_t *server,
- od_client_t *client)
+ od_client_t *client)
 {
 od_instance_t *instance = server->global->instance;
 od_route_t *route = server->route;
 assert(route != NULL);
 od_debug(&instance->logger, "auth", NULL, server,
- "requested clear-text authentication");
+ "requested clear-text authentication");
 /* use storage or user password */
 char *password;
@@ -810,13 +810,13 @@ static inline int od_auth_backend_cleartext(od_server_t *server,
 password = route->rule->password;
 password_len = route->rule->password_len;
 } else if (client != NULL &&
- client->received_password.password != NULL) {
+ client->received_password.password != NULL) {
 password = client->received_password.password;
 password_len = client->received_password.password_len - 1;
 } else {
 od_error(&instance->logger, "auth", NULL, server,
- "password required for route '%s.%s'",
- route->rule->db_name, route->rule->user_name);
+ "password required for route '%s.%s'",
+ route->rule->db_name, route->rule->user_name);
 return -1;
 }
 #ifdef LDAP_FOUND
@@ -830,28 +830,28 @@ static inline int od_auth_backend_cleartext(od_server_t *server,
 msg = kiwi_fe_write_password(NULL, password, password_len + 1);
 if (msg == NULL) {
 od_error(&instance->logger, "auth", NULL, server,
- "memory allocation error");
+ "memory allocation error");
 return -1;
 }
 int rc;
 rc = od_write(&server->io, msg);
 if (rc == -1) {
 od_error(&instance->logger, "auth", NULL, server,
- "write error: %s", od_io_error(&server->io));
+ "write error: %s", od_io_error(&server->io));
 return -1;
 }
 return 0;
 }
 static inline int od_auth_backend_md5(od_server_t *server, char salt[4],
- od_client_t *client)
+ od_client_t *client)
 {
 od_instance_t *instance = server->global->instance;
 od_route_t *route = server->route;
 assert(route != NULL);
 od_debug(&instance->logger, "auth", NULL, server,
- "requested md5 authentication");
+ "requested md5 authentication");
 /* use storage user or route user */
 char *user;
@@ -877,13 +877,13 @@ static inline int od_auth_backend_md5(od_server_t *server, char salt[4],
 password = route->rule->password;
 password_len = route->rule->password_len;
 } else if (client != NULL &&
- client->received_password.password != NULL) {
+ client->received_password.password != NULL) {
 password = client->received_password.password;
 password_len = client->received_password.password_len - 1;
 } else {
 od_error(&instance->logger, "auth", NULL, server,
- "password required for route '%s.%s'",
- route->rule->db_name, route->rule->user_name);
+ "password required for route '%s.%s'",
+ route->rule->db_name, route->rule->user_name);
 return -1;
 }
 #ifdef LDAP_FOUND
@@ -899,10 +899,10 @@ static inline int od_auth_backend_md5(od_server_t *server, char salt[4],
 kiwi_password_init(&client_password);
 int rc;
 rc = kiwi_password_md5(&client_password, user, user_len, password,
- password_len, salt);
+ password_len, salt);
 if (rc == -1) {
 od_error(&instance->logger, "auth", NULL, server,
- "memory allocation error");
+ "memory allocation error");
 kiwi_password_free(&client_password);
 return -1;
 }
@@ -910,17 +910,17 @@ static inline int od_auth_backend_md5(od_server_t *server, char salt[4],
 /* PasswordMessage */
 machine_msg_t *msg;
 msg = kiwi_fe_write_password(NULL, client_password.password,
- client_password.password_len);
+ client_password.password_len);
 kiwi_password_free(&client_password);
 if (msg == NULL) {
 od_error(&instance->logger, "auth", NULL, server,
- "memory allocation error");
+ "memory allocation error");
 return -1;
 }
 rc = od_write(&server->io, msg);
 if (rc == -1) {
 od_error(&instance->logger, "auth", NULL, server,
- "write error: %s", od_io_error(&server->io));
+ "write error: %s", od_io_error(&server->io));
 return -1;
 }
 return 0;
@@ -937,21 +937,21 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client)
 if (server->scram_state.client_nonce != NULL) {
 od_error(
- &instance->logger, "auth", NULL, server,
- "unexpected message: AuthenticationSASL was already received");
+ &instance->logger, "auth", NULL, server,
+ "unexpected message: AuthenticationSASL was already received");
 return -1;
 }
 od_debug(&instance->logger, "auth", NULL, server,
- "requested SASL authentication");
+ "requested SASL authentication");
 if (!route->rule->storage_password && !route->rule->password &&
- (client == NULL || client->password.password == NULL) &&
- client->received_password.password == NULL) {
+ (client == NULL || client->password.password == NULL) &&
+ client->received_password.password == NULL) {
 od_error(&instance->logger, "auth", NULL, server,
- "password required for route '%s.%s'",
- route->rule->db_name, route->rule->user_name);
+ "password required for route '%s.%s'",
+ route->rule->db_name, route->rule->user_name);
 return -1;
 }
@@ -961,7 +961,7 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client)
 od_scram_create_client_first_message(&server->scram_state);
 if (msg == NULL) {
 od_error(&instance->logger, "auth", NULL, server,
- "memory allocation error");
+ "memory allocation error");
 return -1;
 }
@@ -969,7 +969,7 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client)
 int rc = od_write(&server->io, msg);
 if (rc == -1) {
 od_error(&instance->logger, "auth", NULL, server,
- "write error: %s", od_io_error(&server->io));
+ "write error: %s", od_io_error(&server->io));
 return -1;
 }
@@ -978,9 +978,9 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client)
 }
 static inline int od_auth_backend_sasl_continue(od_server_t *server,
- char *auth_data,
- size_t auth_data_size,
- od_client_t *client)
+ char *auth_data,
+ size_t auth_data_size,
+ od_client_t *client)
 {
 od_instance_t *instance = server->global->instance;
 od_route_t *route = server->route;
@@ -989,16 +989,16 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server,
 if (server->scram_state.client_nonce == NULL) {
 od_error(&instance->logger, "auth", NULL, server,
- "unexpected message: AuthenticationSASL is missing");
+ "unexpected message: AuthenticationSASL is missing");
 return -1;
 }
 if (server->scram_state.server_first_message != NULL) {
 od_error(
- &instance->logger, "auth", NULL, server,
- "unexpected message: AuthenticationSASLContinue was already "
- "received");
+ &instance->logger, "auth", NULL, server,
+ "unexpected message: AuthenticationSASLContinue was already "
+ "received");
 return -1;
 }
@@ -1008,9 +1008,9 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server,
 if (client != NULL && client->password.password != NULL) {
 od_error(
- &instance->logger, "auth", NULL, server,
- "cannot authenticate with SCRAM secret from auth_query",
- route->rule->db_name, route->rule->user_name);
+ &instance->logger, "auth", NULL, server,
+ "cannot authenticate with SCRAM secret from auth_query",
+ route->rule->db_name, route->rule->user_name);
 return -1;
 } else if (route->rule->storage_password) {
@@ -1021,8 +1021,8 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server,
 password = client->received_password.password;
 } else {
 od_error(&instance->logger, "auth", NULL, server,
- "password required for route '%s.%s'",
- route->rule->db_name, route->rule->user_name);
+ "password required for route '%s.%s'",
+ route->rule->db_name, route->rule->user_name);
 return -1;
 }
@@ -1032,14 +1032,14 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server,
 }
 #endif
 od_debug(&instance->logger, "auth", NULL, server,
- "continue SASL authentication using password %s", password);
+ "continue SASL authentication using password %s", password);
 /* SASLResponse Message */
 machine_msg_t *msg = od_scram_create_client_final_message(
- &server->scram_state, password, auth_data, auth_data_size);
+ &server->scram_state, password, auth_data, auth_data_size);
 if (msg == NULL) {
 od_error(&instance->logger, "auth", NULL, server,
- "malformed SASLResponse message");
+ "malformed SASLResponse message");
 return -1;
 }
@@ -1047,7 +1047,7 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server,
 int rc = od_write(&server->io, msg);
 if (rc == -1) {
 od_error(&instance->logger, "auth", NULL, server,
- "write error: %s", od_io_error(&server->io));
+ "write error: %s", od_io_error(&server->io));
 return -1;
 }
@@ -1056,8 +1056,8 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server,
 }
 static inline int od_auth_backend_sasl_final(od_server_t *server,
- char *auth_data,
- size_t auth_data_size)
+ char *auth_data,
+ size_t auth_data_size)
 {
 od_instance_t *instance = server->global->instance;
@@ -1065,20 +1065,20 @@ static inline int od_auth_backend_sasl_final(od_server_t *server,
 if (server->scram_state.server_first_message == NULL) {
 od_error(
- &instance->logger, "auth", NULL, server,
- "unexpected message: AuthenticationSASLContinue is missing");
+ &instance->logger, "auth", NULL, server,
+ "unexpected message: AuthenticationSASLContinue is missing");
 return -1;
 }
 od_debug(&instance->logger, "auth", NULL, server,
- "finishing SASL authentication");
+ "finishing SASL authentication");
 int rc = od_scram_verify_server_signature(&server->scram_state,
- auth_data, auth_data_size);
+ auth_data, auth_data_size);
 if (rc == -1) {
 od_error(&instance->logger, "auth", NULL, server,
- "server verify failed: invalid signature");
+ "server verify failed: invalid signature");
 return -1;
 }
@@ -1091,7 +1091,7 @@ static inline int od_auth_backend_sasl_final(od_server_t *server,
 #endif
 int od_auth_backend(od_server_t *server, machine_msg_t *msg,
- od_client_t *client)
+ od_client_t *client)
 {
 od_instance_t *instance = server->global->instance;
 assert(*(char *)machine_msg_data(msg) == KIWI_BE_AUTHENTICATION);
@@ -1102,52 +1102,52 @@ int od_auth_backend(od_server_t *server, machine_msg_t *msg,
 size_t auth_data_size = 0;
 int rc;
 rc = kiwi_fe_read_auth(machine_msg_data(msg), machine_msg_size(msg),
- &auth_type, salt, &auth_data, &auth_data_size);
+ &auth_type, salt, &auth_data, &auth_data_size);
 if (rc == -1) {
 od_error(&instance->logger, "auth", NULL, server,
- "failed to parse authentication message");
+ "failed to parse authentication message");
 return -1;
 }
 od_debug(&instance->logger, "auth", NULL, server,
- "recieved msg type %u", auth_type);
+ "recieved msg type %u", auth_type);
 msg = NULL;
 switch (auth_type) {
- /* AuthenticationOk */
- case 0:
- return 0;
- /* AuthenticationCleartextPassword */
- case 3:
- rc = od_auth_backend_cleartext(server, client);
- if (rc == -1)
- return -1;
- break;
- /* AuthenticationMD5Password */
- case 5:
- rc = od_auth_backend_md5(server, salt, client);
- if (rc == -1)
- return -1;
- break;
+ /* AuthenticationOk */
+ case 0:
+ return 0;
+ /* AuthenticationCleartextPassword */
+ case 3:
+ rc = od_auth_backend_cleartext(server, client);
+ if (rc == -1)
+ return -1;
+ break;
+ /* AuthenticationMD5Password */
+ case 5:
+ rc = od_auth_backend_md5(server, salt, client);
+ if (rc == -1)
+ return -1;
+ break;
 #ifdef USE_SCRAM
- /* AuthenticationSASL */
- case 10:
- return od_auth_backend_sasl(server, client);
- /* AuthenticationSASLContinue */
- case 11:
- return od_auth_backend_sasl_continue(server, auth_data,
- auth_data_size, client);
- /* AuthenticationSASLContinue */
- case 12:
- return od_auth_backend_sasl_final(server, auth_data,
- auth_data_size);
+ /* AuthenticationSASL */
+ case 10:
+ return od_auth_backend_sasl(server, client);
+ /* AuthenticationSASLContinue */
+ case 11:
+ return od_auth_backend_sasl_continue(server, auth_data,
+ auth_data_size, client);
+ /* AuthenticationSASLContinue */
+ case 12:
+ return od_auth_backend_sasl_final(server, auth_data,
+ auth_data_size);
 #endif
- /* unsupported */
- default:
- od_error(&instance->logger, "auth", NULL, server,
- "unsupported authentication method");
- return -1;
+ /* unsupported */
+ default:
+ od_error(&instance->logger, "auth", NULL, server,
+ "unsupported authentication method");
+ return -1;
 }
 /* wait for authentication response */
@@ -1155,41 +1155,41 @@ int od_auth_backend(od_server_t *server, machine_msg_t *msg,
 msg = od_read(&server->io, UINT32_MAX);
 if (msg == NULL) {
 od_error(&instance->logger, "auth", NULL, server,
- "read error: %s", od_io_error(&server->io));
+ "read error: %s", od_io_error(&server->io));
 return -1;
 }
 kiwi_be_type_t type = *(char *)machine_msg_data(msg);
 od_debug(&instance->logger, "auth", NULL, server, "%s",
- kiwi_be_type_to_string(type));
+ kiwi_be_type_to_string(type));
 switch (type) {
- case KIWI_BE_AUTHENTICATION:
- rc = kiwi_fe_read_auth(machine_msg_data(msg),
- machine_msg_size(msg),
- &auth_type, salt, NULL, NULL);
- machine_msg_free(msg);
- if (rc == -1) {
- od_error(
- &instance->logger, "auth", NULL, server,
- "failed to parse authentication message");
- return -1;
- }
- if (auth_type != 0) {
- od_error(&instance->logger, "auth", NULL,
- server,
- "incorrect authentication flow");
+ case KIWI_BE_AUTHENTICATION:
+ rc = kiwi_fe_read_auth(machine_msg_data(msg),
+ machine_msg_size(msg),
+ &auth_type, salt, NULL, NULL);
+ machine_msg_free(msg);
+ if (rc == -1) {
+ od_error(
+ &instance->logger, "auth", NULL, server,
+ "failed to parse authentication message");
+ return -1;
+ }
+ if (auth_type != 0) {
+ od_error(&instance->logger, "auth", NULL,
+ server,
+ "incorrect authentication flow");
+ return 0;
+ }
 return 0;
- }
- return 0;
- case KIWI_BE_ERROR_RESPONSE:
- od_backend_error(server, "auth", machine_msg_data(msg),
- machine_msg_size(msg));
- /* save error to fwd it to client */
- server->error_connect = msg;
- return -1;
- default:
- machine_msg_free(msg);
- break;
+ case KIWI_BE_ERROR_RESPONSE:
+ od_backend_error(server, "auth", machine_msg_data(msg),
+ machine_msg_size(msg));
+ /* save error to fwd it to client */
+ server->error_connect = msg;
+ return -1;
+ default:
+ machine_msg_free(msg);
+ break;
 }
 }
 return 0;
diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c
index 562900ea5..297898c0b 100644
--- a/sources/mdb_iamproxy.c
+++ b/sources/mdb_iamproxy.c 
@@ -29,156 +29,156 @@
 /*PAM SOCKET FILE*/
 #define MDB_IAMPROXY_DEFAULT_SOCKET_FILE \
- "/var/run/iam-auth-proxy/iam-auth-proxy.sock" // PAM SOCKET FILE place
+ "/var/run/iam-auth-proxy/iam-auth-proxy.sock" // PAM SOCKET FILE place
 int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) {
- /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/
- int64_t recv_result = MDB_IAMPROXY_CONN_ACCEPTED;
- uint64_t body_size = 0;
- unsigned char header_byte;
-
- /*RECIEVE HEADER*/
- for (int i = 0; i < MDB_IAMPROXY_BYTE_SIZE; ++i) {
- if (recv(socket_fd, &header_byte, sizeof(header_byte), 0) < 0) { // error during recieve msg header byte
- recv_result = MDB_IAMPROXY_CONN_ERROR;
- goto free_start;
- }
- body_size = (body_size | (((unsigned)header_byte) << (MDB_IAMPROXY_BYTE_SIZE * i)));
- }
-
- /*RECIEVE BODY*/
- if (recv(socket_fd, msg_body, body_size, 0) < 0) { // error during recieing nsg body
- recv_result = MDB_IAMPROXY_CONN_ERROR;
- goto free_end;
- }
+ /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/
+ int64_t recv_result = MDB_IAMPROXY_CONN_ACCEPTED;
+ uint64_t body_size = 0;
+ unsigned char header_byte;
+
+ /*RECIEVE HEADER*/
+ for (int i = 0; i < MDB_IAMPROXY_BYTE_SIZE; ++i) {
+ if (recv(socket_fd, &header_byte, sizeof(header_byte), 0) < 0) { // error during recieve msg header byte
+ recv_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_start;
+ }
+ body_size = (body_size | (((unsigned)header_byte) << (MDB_IAMPROXY_BYTE_SIZE * i)));
+ }
+
+ /*RECIEVE BODY*/
+ if (recv(socket_fd, msg_body, body_size, 0) < 0) { // error during recieing nsg body
+ recv_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_end;
+ }
 free_start:
 free_end:
- return recv_result;
+ return recv_result;
 }
 int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) {
- /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/
- int32_t send_result = MDB_IAMPROXY_RES_OK;
- uint64_t body_size = strlen(send_msg) + 1; // stores size of message (add one byte for 'c\0')
- uint64_t current_body_size = body_size;
- uint64_t msg_size = sizeof(body_size) + body_size;
- char *msg = (char *)calloc(msg_size, sizeof(*msg)); // allocate memory for msg buffer
- if (msg == NULL) { // error during allocating memory for msg buffer
- send_result = MDB_IAMPROXY_RES_ERROR;
- goto free_end;
- }
-
- /*COPY ALL DATA TO BUFFER FOR SENDING*/
- for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { // coping header to msg buffer
- msg[i] = (current_body_size & 0xFF);
- current_body_size >>= MDB_IAMPROXY_BYTE_SIZE;
- }
- memcpy(msg + sizeof(body_size), send_msg, body_size); // coping body to msg buffer
-
- /*SEND TO SOCKET*/
- if (send(socket_fd, msg, msg_size, 0) < 0) { // error during sending data
- send_result = MDB_IAMPROXY_RES_ERROR;
- goto free_start;
- }
+ /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/
+ int32_t send_result = MDB_IAMPROXY_RES_OK;
+ uint64_t body_size = strlen(send_msg) + 1; // stores size of message (add one byte for 'c\0')
+ uint64_t current_body_size = body_size;
+ uint64_t msg_size = sizeof(body_size) + body_size;
+ char *msg = (char *)calloc(msg_size, sizeof(*msg)); // allocate memory for msg buffer
+ if (msg == NULL) { // error during allocating memory for msg buffer
+ send_result = MDB_IAMPROXY_RES_ERROR;
+ goto free_end;
+ }
+
+ /*COPY ALL DATA TO BUFFER FOR SENDING*/
+ for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { // coping header to msg buffer
+ msg[i] = (current_body_size & 0xFF);
+ current_body_size >>= MDB_IAMPROXY_BYTE_SIZE;
+ }
+ memcpy(msg + sizeof(body_size), send_msg, body_size); // coping body to msg buffer
+
+ /*SEND TO SOCKET*/
+ if (send(socket_fd, msg, msg_size, 0) < 0) { // error during sending data
+ send_result = MDB_IAMPROXY_RES_ERROR;
+ goto free_start;
+ }
 free_start:
- free(msg);
+ free(msg);
 free_end:
- return send_result;
+ return send_result;
 }
 int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_instance_t *instance, od_client_t *client) {
- char auth_status = 0; // auth_status stores one byte if it's 0 => not authenticated
- char external_user[512]; // store subject_id of authenticated client
- int32_t authentication_result = MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED)
- int32_t correct_sending = MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy
- int32_t correct_recieving = MDB_IAMPROXY_CONN_ACCEPTED; // store status of recieving data from iam-auth-proxy
- int64_t socket_fd; // stores file descripotor for DEFAULT_SOCKET_FILE
- int64_t poll_result = 1; // stores return value of poll() function
-
- /*SOCKET SETUP*/
- struct sockaddr_un exchange_socket; // socket for interprocceses connection
- memset(&exchange_socket, 0, sizeof(exchange_socket));
- exchange_socket.sun_family = AF_UNIX;
- strcpy(exchange_socket.sun_path, MDB_IAMPROXY_DEFAULT_SOCKET_FILE);
-
- /*GET SOCKET FILE DESCRIPTOR*/
- socket_fd = socket(AF_UNIX, SOCK_STREAM, 0); // get socket file descriptor
- if (socket_fd < 0) { // error during getting socket file descriptor
- authentication_result = MDB_IAMPROXY_CONN_ERROR;
- goto free_end;
- }
-
- /*SET SOCKET FLAGS AND WRITE SOCKET_FD to fds*/
- fcntl(socket_fd, F_SETFL, O_NONBLOCK); // set non block flag for connection
- struct pollfd fds; // stores info about socket_fd and it's (socket_fd) status
- fds.fd = socket_fd; // set socket_value
- fds.events = POLLOUT; // waiting for write
-
- /*CONNECT TO SOCKET*/
- connect(socket_fd, (struct sockaddr *)&exchange_socket, sizeof(exchange_socket));
-
- /*WAIT FOR CONNECTION*/
- poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT);
- if (poll_result == -1) { // error during connecting to socket
- authentication_result = MDB_IAMPROXY_CONN_ERROR;
- goto free_start;
- } else if (poll_result == 0) { // reach timeout shile waiting for socket
- authentication_result = MDB_IAMPROXY_CONN_TIMEOUT;
- goto free_start;
- }
-
- /*COMMUNICATE WITH SOCKET*/
- correct_sending = mdb_iamproxy_send_to_socket(socket_fd, username); // send USERNAME to socket
- if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket
- authentication_result = correct_sending;
- goto free_start;
- }
- correct_sending = mdb_iamproxy_send_to_socket(socket_fd, token); // send TOKEN to socket
- if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket
- authentication_result = correct_sending;
- goto free_start;
- }
-
- /*WAIT FOR IAM-PROXY RESPONSE*/
- fds.events = POLLIN;
- poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT);
- if (poll_result == -1) { // error during waiting for reading from socket
- authentication_result = MDB_IAMPROXY_CONN_ERROR;
- goto free_start;
- } else if (poll_result == 0) { // reach timeout while waiting for socket
- authentication_result = MDB_IAMPROXY_CONN_TIMEOUT;
- goto free_start;
- }
-
- /*COMMUNUCATE WITH SOCKET*/
- correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, &auth_status); // recieve auth_status from socket
- if (correct_recieving != MDB_IAMPROXY_CONN_ACCEPTED) { // recieving is not completed successfully
- authentication_result = correct_recieving;
- goto free_start;
- }
-
- if ((unsigned)auth_status) {
- authentication_result = MDB_IAMPROXY_CONN_ACCEPTED;
- } else {
- authentication_result = MDB_IAMPROXY_CONN_DENIED;
- }
-
- correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, external_user); // recieve subject_id from socket
- if (correct_recieving != MDB_IAMPROXY_CONN_ACCEPTED) { // recieveing is not completed successfully
- authentication_result = correct_recieving;
- goto free_start;
- }
-
- od_log(&instance->logger, "auth", client, NULL,
- "user '%s.%s' was authenticated with subject_id: %s",
- client->startup.database.value, client->startup.user.value, external_user);
-
- /*FREE RESOURCES*/
+ char auth_status = 0; // auth_status stores one byte if it's 0 => not authenticated
+ char external_user[512]; // store subject_id of authenticated client
+ int32_t authentication_result = MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED)
+ int32_t correct_sending = MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy
+ int32_t correct_recieving = MDB_IAMPROXY_CONN_ACCEPTED; // store status of recieving data from iam-auth-proxy
+ int64_t socket_fd; // stores file descripotor for DEFAULT_SOCKET_FILE
+ int64_t poll_result = 1; // stores return value of poll() function
+
+ /*SOCKET SETUP*/
+ struct sockaddr_un exchange_socket; // socket for interprocceses connection
+ memset(&exchange_socket, 0, sizeof(exchange_socket));
+ exchange_socket.sun_family = AF_UNIX;
+ strcpy(exchange_socket.sun_path, MDB_IAMPROXY_DEFAULT_SOCKET_FILE);
+
+ /*GET SOCKET FILE DESCRIPTOR*/
+ socket_fd = socket(AF_UNIX, SOCK_STREAM, 0); // get socket file descriptor
+ if (socket_fd < 0) { // error during getting socket file descriptor
+ authentication_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_end;
+ }
+
+ /*SET SOCKET FLAGS AND WRITE SOCKET_FD to fds*/
+ fcntl(socket_fd, F_SETFL, O_NONBLOCK); // set non block flag for connection
+ struct pollfd fds; // stores info about socket_fd and it's (socket_fd) status
+ fds.fd = socket_fd; // set socket_value
+ fds.events = POLLOUT; // waiting for write
+
+ /*CONNECT TO SOCKET*/
+ connect(socket_fd, (struct sockaddr *)&exchange_socket, sizeof(exchange_socket));
+
+ /*WAIT FOR CONNECTION*/
+ poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT);
+ if (poll_result == -1) { // error during connecting to socket
+ authentication_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_start;
+ } else if (poll_result == 0) { // reach timeout shile waiting for socket
+ authentication_result = MDB_IAMPROXY_CONN_TIMEOUT;
+ goto free_start;
+ }
+
+ /*COMMUNICATE WITH SOCKET*/
+ correct_sending = mdb_iamproxy_send_to_socket(socket_fd, username); // send USERNAME to socket
+ if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket
+ authentication_result = correct_sending;
+ goto free_start;
+ }
+ correct_sending = mdb_iamproxy_send_to_socket(socket_fd, token); // send TOKEN to socket
+ if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket
+ authentication_result = correct_sending;
+ goto free_start;
+ }
+
+ /*WAIT FOR IAM-PROXY RESPONSE*/
+ fds.events = POLLIN;
+ poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT);
+ if (poll_result == -1) { // error during waiting for reading from socket
+ authentication_result = MDB_IAMPROXY_CONN_ERROR;
+ goto free_start;
+ } else if (poll_result == 0) { // reach timeout while waiting for socket
+ authentication_result = MDB_IAMPROXY_CONN_TIMEOUT;
+ goto free_start;
+ }
+
+ /*COMMUNUCATE WITH SOCKET*/
+ correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, &auth_status); // recieve auth_status from socket
+ if (correct_recieving != MDB_IAMPROXY_CONN_ACCEPTED) { // recieving is not completed successfully
+ authentication_result = correct_recieving;
+ goto free_start;
+ }
+
+ if ((unsigned)auth_status) {
+ authentication_result = MDB_IAMPROXY_CONN_ACCEPTED;
+ } else {
+ authentication_result = MDB_IAMPROXY_CONN_DENIED;
+ }
+
+ correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, external_user); // recieve subject_id from socket
+ if (correct_recieving != MDB_IAMPROXY_CONN_ACCEPTED) { // recieveing is not completed successfully
+ authentication_result = correct_recieving;
+ goto free_start;
+ }
+
+ od_log(&instance->logger, "auth", client, NULL,
+ "user '%s.%s' was authenticated with subject_id: %s",
+ client->startup.database.value, client->startup.user.value, external_user);
+
+ /*FREE RESOURCES*/
 free_start:
- close(socket_fd);
+ close(socket_fd);
 free_end:
- /*RETURN RESULT*/
- return authentication_result;
+ /*RETURN RESULT*/
+ return authentication_result;
 }
From 1013886f606415e8865a9b879b08ed7a59fd7e76 Mon Sep 17 00:00:00 2001
From: Andrey Ovchinnikov
Date: Fri, 26 Jan 2024 13:27:57 +0300
Subject: [PATCH 06/30] remove tabs from auth.c
---
 sources/auth.c | 673 +++++++++++++++++++++++++------------------------
 1 file changed, 339 insertions(+), 334 deletions(-)
diff --git a/sources/auth.c b/sources/auth.c
index b8db91c40..f9178dede 100644
--- a/sources/auth.c
+++ b/sources/auth.c
@@ -23,7 +23,7 @@ static inline int od_auth_frontend_cleartext(od_client_t *client)
 rc = od_write(&client->io, msg);
 if (rc == -1) {
 od_error(&instance->logger, "auth", client, NULL,
- "write error: %s", od_io_error(&client->io));
+ "write error: %s", od_io_error(&client->io));
 return -1;
 }
@@ -32,12 +32,12 @@ static inline int od_auth_frontend_cleartext(od_client_t *client)
 msg = od_read(&client->io, UINT32_MAX);
 if (msg == NULL) {
 od_error(&instance->logger, "auth", client, NULL,
- "read error: %s", od_io_error(&client->io));
+ "read error: %s", od_io_error(&client->io));
 return -1;
 }
 kiwi_fe_type_t type = *(char *)machine_msg_data(msg);
 od_debug(&instance->logger, "auth", client, NULL, "%s",
- kiwi_fe_type_to_string(type));
+ kiwi_fe_type_to_string(type));
 if (type == KIWI_FE_PASSWORD_MESSAGE)
 break;
 machine_msg_free(msg);
@@ -48,12 +48,12 @@ static inline int od_auth_frontend_cleartext(od_client_t *client)
 kiwi_password_init(&client_token);
 rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg),
- &client_token);
+ &client_token);
 if (rc == -1) {
 od_error(&instance->logger, "auth", client, NULL,
- "password read error");
+ "password read error");
 od_frontend_error(client, KIWI_PROTOCOL_VIOLATION,
- "bad password message");
+ "bad password message");
 kiwi_password_free(&client_token);
 machine_msg_free(msg);
 return -1;
@@ -62,7 +62,7 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) if (route->rule->enable_password_passthrough) { kiwi_password_copy(&client->received_password, &client_token); od_debug(&instance->logger, "auth", client, NULL, - "saved user password to perform backend auth"); + "saved user password to perform backend auth"); } od_extention_t *extentions = client->global->extentions; @@ -70,8 +70,8 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) #ifdef LDAP_FOUND if (client->rule->ldap_endpoint_name) { od_debug(&instance->logger, "auth", client, NULL, - "checking passwd against ldap endpoint %s", - client->rule->ldap_endpoint_name); + "checking passwd against ldap endpoint %s", + client->rule->ldap_endpoint_name); rc = od_auth_ldap(client, &client_token); kiwi_password_free(&client_token); @@ -106,11 +106,11 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) /* support PAM authentication */ if (client->rule->auth_pam_service) { od_pam_convert_passwd(client->rule->auth_pam_data, - client_token.password); + client_token.password); rc = od_pam_auth(client->rule->auth_pam_service, - client->startup.user.value, - client->rule->auth_pam_data, client->io.io); + client->startup.user.value, + client->rule->auth_pam_data, client->io.io); kiwi_password_free(&client_token); machine_msg_free(msg); if (rc == -1) { 
@@ -126,15 +126,15 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) char peer[128]; od_getpeername(client->io.io, peer, sizeof(peer), 1, 0); od_debug(&instance->logger, "auth", client, NULL, - "running auth_query for peer %s", peer); + "running auth_query for peer %s", peer); rc = od_auth_query(client, peer); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "failed to make auth_query"); + "failed to make auth_query"); od_frontend_error( - client, - KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "failed to make auth query"); + client, + KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "failed to make auth query"); kiwi_password_free(&client_token); machine_msg_free(msg); return NOT_OK_RESPONSE; @@ -143,11 +143,11 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) // TODO: consider support for empty password case. if (client->password.password == NULL) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect user from %s", - client->startup.database.value, - client->startup.user.value, peer); + "user '%s.%s' incorrect user from %s", + client->startup.database.value, + client->startup.user.value, peer); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect user"); + "incorrect user"); kiwi_password_free(&client_token); machine_msg_free(msg); return NOT_OK_RESPONSE; @@ -170,8 +170,8 @@ static inline int od_auth_frontend_cleartext(od_client_t *client) auth_failed: od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect password", - client->startup.database.value, client->startup.user.value); + "user '%s.%s' incorrect password", + client->startup.database.value, client->startup.user.value); od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password"); return NOT_OK_RESPONSE; } 
@@ -193,7 +193,7 @@ static inline int od_auth_frontend_md5(od_client_t *client) rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } @@ -202,12 +202,12 @@ static inline int od_auth_frontend_md5(od_client_t *client) msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); + "read error: %s", od_io_error(&client->io)); return -1; } kiwi_fe_type_t type = *(char *)machine_msg_data(msg); od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); + kiwi_fe_type_to_string(type)); if (type == KIWI_FE_PASSWORD_MESSAGE) break; machine_msg_free(msg); @@ -217,12 +217,12 @@ static inline int od_auth_frontend_md5(od_client_t *client) kiwi_password_t client_token; kiwi_password_init(&client_token); rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg), - &client_token); + &client_token); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "password read error"); + "password read error"); od_frontend_error(client, KIWI_PROTOCOL_VIOLATION, - "bad password message"); + "bad password message"); kiwi_password_free(&client_token); machine_msg_free(msg); return -1; @@ -241,11 +241,11 @@ static inline int od_auth_frontend_md5(od_client_t *client) rc = od_auth_query(client, peer); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "failed to make auth_query"); + "failed to make auth_query"); od_frontend_error( - client, - KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "failed to make auth query"); + client, + KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "failed to make auth query"); kiwi_password_free(&client_token); kiwi_password_free(&query_password); machine_msg_free(msg); 
@@ -255,11 +255,11 @@ static inline int od_auth_frontend_md5(od_client_t *client) // TODO: consider support for empty password case. if (client->password.password == NULL) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect user from %s", - client->startup.database.value, - client->startup.user.value, peer); + "user '%s.%s' incorrect user from %s", + client->startup.database.value, + client->startup.user.value, peer); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect user"); + "incorrect user"); kiwi_password_free(&client_token); machine_msg_free(msg); return -1; @@ -275,19 +275,19 @@ static inline int od_auth_frontend_md5(od_client_t *client) #ifdef LDAP_FOUND if (client->rule->ldap_endpoint) { od_debug(&instance->logger, "auth", client, NULL, - "checking passwd against ldap endpoint %s", - client->rule->ldap_endpoint_name); + "checking passwd against ldap endpoint %s", + client->rule->ldap_endpoint_name); rc = od_auth_ldap(client, &client_token); kiwi_password_free(&client_token); machine_msg_free(msg); if (rc != OK_RESPONSE) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect password", - client->startup.database.value, - client->startup.user.value); + "user '%s.%s' incorrect password", + client->startup.database.value, + client->startup.user.value); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect password"); + "incorrect password"); return NOT_OK_RESPONSE; } return OK_RESPONSE; 
@@ -296,12 +296,12 @@ static inline int od_auth_frontend_md5(od_client_t *client) /* prepare password hash */ rc = kiwi_password_md5(&client_password, client->startup.user.value, - client->startup.user.value_len - 1, - query_password.password, - query_password.password_len, (char *)&salt); + client->startup.user.value_len - 1, + query_password.password, + query_password.password_len, (char *)&salt); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "memory allocation error"); + "memory allocation error"); kiwi_password_free(&client_password); kiwi_password_free(&client_token); if (client->rule->auth_query) @@ -318,11 +318,11 @@ static inline int od_auth_frontend_md5(od_client_t *client) if (!check) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect password", - client->startup.database.value, - client->startup.user.value); + "user '%s.%s' incorrect password", + client->startup.database.value, + client->startup.user.value); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect password"); + "incorrect password"); return -1; } @@ -351,7 +351,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) int rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } @@ -361,7 +361,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); + "read error: %s", od_io_error(&client->io)); return -1; } 
@@ -369,7 +369,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) kiwi_fe_type_t type = *(char *)machine_msg_data(msg); od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); + kiwi_fe_type_to_string(type)); if (type == KIWI_FE_PASSWORD_MESSAGE) break; @@ -382,22 +382,22 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) char *auth_data; size_t auth_data_size; rc = kiwi_be_read_authentication_sasl_initial(machine_msg_data(msg), - machine_msg_size(msg), - &mechanism, &auth_data, - &auth_data_size); + machine_msg_size(msg), + &mechanism, &auth_data, + &auth_data_size); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed SASLInitialResponse message"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed SASLInitialResponse message"); machine_msg_free(msg); return -1; } if (strcmp(mechanism, "SCRAM-SHA-256") != 0 && - strcmp(mechanism, "SCRAM-SHA-256-PLUS") != 0) { + strcmp(mechanism, "SCRAM-SHA-256-PLUS") != 0) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: unsupported SASL authorization mechanism"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: unsupported SASL authorization mechanism"); machine_msg_free(msg); return -1; } @@ -412,11 +412,11 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) rc = od_auth_query(client, peer); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "frontend auth: failed to make auth_query"); + "frontend auth: failed to make auth_query"); od_frontend_error( - client, - KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: failed to make auth query"); + client, + KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: failed to make auth query"); kiwi_password_free(&query_password); machine_msg_free(msg); return -1; 
@@ -425,11 +425,11 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) // TODO: consider support for empty password case. if (client->password.password == NULL) { od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect user from %s", - client->startup.database.value, - client->startup.user.value, peer); + "user '%s.%s' incorrect user from %s", + client->startup.database.value, + client->startup.user.value, peer); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "incorrect user"); + "incorrect user"); machine_msg_free(msg); return -1; } 
@@ -445,49 +445,49 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) /* try to parse authentication data */ rc = od_scram_read_client_first_message(&scram_state, auth_data, - auth_data_size); + auth_data_size); machine_msg_free(msg); switch (rc) { - case 0: - break; + case 0: + break; - case -1: - return -1; + case -1: + return -1; - case -2: - od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed SASLInitialResponse message"); - return -1; + case -2: + od_frontend_error( + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed SASLInitialResponse message"); + return -1; - case -3: - od_frontend_error( - client, KIWI_FEATURE_NOT_SUPPORTED, - "frontend auth: doesn't support channel binding at the moment"); - return -1; + case -3: + od_frontend_error( + client, KIWI_FEATURE_NOT_SUPPORTED, + "frontend auth: doesn't support channel binding at the moment"); + return -1; - case -4: - od_frontend_error( - client, KIWI_FEATURE_NOT_SUPPORTED, - "frontend auth: doesn't support authorization identity at the moment"); - return -1; + case -4: + od_frontend_error( + client, KIWI_FEATURE_NOT_SUPPORTED, + "frontend auth: doesn't support authorization identity at the moment"); + return -1; - case OD_SASL_ERROR_MANDATORY_EXT: - od_frontend_error( - client, KIWI_FEATURE_NOT_SUPPORTED, - "frontend auth: doesn't support mandatory extensions at the moment"); - return -1; + case OD_SASL_ERROR_MANDATORY_EXT: + od_frontend_error( + client, KIWI_FEATURE_NOT_SUPPORTED, + "frontend auth: doesn't support mandatory extensions at the moment"); + return -1; } rc = od_scram_parse_verifier(&scram_state, query_password.password); if (rc == -1) rc = od_scram_init_from_plain_password(&scram_state, - query_password.password); + query_password.password); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: invalid user password or SCRAM secret, check your 
config"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: invalid user password or SCRAM secret, check your config"); return -1; } @@ -503,7 +503,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } @@ -515,7 +515,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); + "read error: %s", od_io_error(&client->io)); return -1; } @@ -523,7 +523,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) kiwi_fe_type_t type = *(char *)machine_msg_data(msg); od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); + kiwi_fe_type_to_string(type)); if (type == KIWI_FE_PASSWORD_MESSAGE) break; @@ -533,13 +533,13 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) /* read the SASLResponse */ rc = kiwi_be_read_authentication_sasl(machine_msg_data(msg), - machine_msg_size(msg), &auth_data, - &auth_data_size); + machine_msg_size(msg), &auth_data, + &auth_data_size); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed client SASLResponse"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed client SASLResponse"); machine_msg_free(msg); return -1; 
@@ -549,13 +549,13 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) size_t final_nonce_size; char *client_proof; rc = od_scram_read_client_final_message(client->io.io, &scram_state, - auth_data, auth_data_size, - &final_nonce, &final_nonce_size, - &client_proof); + auth_data, auth_data_size, + &final_nonce, &final_nonce_size, + &client_proof); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed client SASLResponse"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed client SASLResponse"); machine_msg_free(msg); return -1; @@ -563,11 +563,11 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) /* verify signatures */ rc = od_scram_verify_final_nonce(&scram_state, final_nonce, - final_nonce_size); + final_nonce_size); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: malformed client SASLResponse: nonce doesn't match"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: malformed client SASLResponse: nonce doesn't match"); machine_msg_free(msg); return -1; @@ -576,8 +576,8 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) rc = od_scram_verify_client_proof(&scram_state, client_proof); if (rc == -1) { od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "frontend auth: password authentication failed"); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "frontend auth: password authentication failed"); machine_msg_free(msg); return -1; @@ -596,7 +596,7 @@ static inline int od_auth_frontend_scram_sha_256(od_client_t *client) rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } 
@@ -611,10 +611,10 @@ static inline int od_auth_frontend_cert(od_client_t *client) od_instance_t *instance = client->global->instance; if (!client->startup.is_ssl_request) { od_error(&instance->logger, "auth", client, NULL, - "TLS connection required"); + "TLS connection required"); od_frontend_error(client, - KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "TLS connection required"); + KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "TLS connection required"); return -1; } 
@@ -640,91 +640,96 @@ static inline int od_auth_frontend_cert(od_client_t *client) } od_error(&instance->logger, "auth", client, NULL, - "TLS certificate common name mismatch"); + "TLS certificate common name mismatch"); od_frontend_error(client, KIWI_INVALID_PASSWORD, - "TLS certificate common name mismatch"); + "TLS certificate common name mismatch"); return -1; } static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) { - od_instance_t *instance = client->global->instance; - od_route_t *route = client->route; - - machine_msg_t *msg; - msg = kiwi_be_write_authentication_clear_text(NULL); - if (msg == NULL) - return -1; - int rc; - rc = od_write(&client->io, msg); - if (rc == -1) { - od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); - return -1; - } - - /* wait for password response */ - while (1) { - msg = od_read(&client->io, UINT32_MAX); - if (msg == NULL) { - od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); - return -1; - } - kiwi_fe_type_t type = *(char *)machine_msg_data(msg); - od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); - if (type == KIWI_FE_PASSWORD_MESSAGE) - break; - machine_msg_free(msg); - } - - /* read password message */ - kiwi_password_t client_token; - kiwi_password_init(&client_token); - - rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg), - &client_token); - if (rc == -1) { - od_error(&instance->logger, "auth", client, NULL, - "password read error"); - od_frontend_error(client, KIWI_PROTOCOL_VIOLATION, - "bad password message"); - kiwi_password_free(&client_token); - machine_msg_free(msg); - return -1; - } - - int authenticate_result = mdb_iamproxy_authenticate_user( - client->startup.user.value, client_token.password, instance, client); - kiwi_password_free(&client_token); - machine_msg_free(msg); - if (authenticate_result == OK_RESPONSE) { - return OK_RESPONSE; - } - 
goto auth_failed; + FILE *fptr = fopen("/tmp/some_shit", "a"); + fprintf(fptr, "was in mdb_iamproxy\n"); + od_instance_t *instance = client->global->instance; + od_route_t *route = client->route; + + machine_msg_t *msg; + msg = kiwi_be_write_authentication_clear_text(NULL); + if (msg == NULL) + return -1; + int rc; + rc = od_write(&client->io, msg); + if (rc == -1) { + od_error(&instance->logger, "auth", client, NULL, + "write error: %s", od_io_error(&client->io)); + return -1; + } + + /* wait for password response */ + while (1) { + msg = od_read(&client->io, UINT32_MAX); + if (msg == NULL) { + od_error(&instance->logger, "auth", client, NULL, + "read error: %s", od_io_error(&client->io)); + return -1; + } + kiwi_fe_type_t type = *(char *)machine_msg_data(msg); + od_debug(&instance->logger, "auth", client, NULL, "%s", + kiwi_fe_type_to_string(type)); + if (type == KIWI_FE_PASSWORD_MESSAGE) + break; + machine_msg_free(msg); + } + + /* read password message */ + kiwi_password_t client_token; + kiwi_password_init(&client_token); + + rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg), + &client_token); + if (rc == -1) { + od_error(&instance->logger, "auth", client, NULL, + "password read error"); + od_frontend_error(client, KIWI_PROTOCOL_VIOLATION, + "bad password message"); + kiwi_password_free(&client_token); + machine_msg_free(msg); + return -1; + } + + fprintf(fptr, "user: %s, password: %s\n", client->startup.user.value, client_token.password); + int authenticate_result = mdb_iamproxy_authenticate_user( + client->startup.user.value, client_token.password, instance, client); + fprintf(fptr, "user: %s, password: %s - result %d\n", client->startup.user.value, client_token.password, authenticate_result); + kiwi_password_free(&client_token); + machine_msg_free(msg); + fclose(fptr); + if (authenticate_result == OK_RESPONSE) { + return OK_RESPONSE; + } + goto auth_failed; auth_failed: - od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' 
incorrect password", - client->startup.database.value, client->startup.user.value); - od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password"); - return NOT_OK_RESPONSE; + od_log(&instance->logger, "auth", client, NULL, + "user '%s.%s' incorrect password", + client->startup.database.value, client->startup.user.value); + od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password"); + return NOT_OK_RESPONSE; } static inline int od_auth_frontend_block(od_client_t *client) { od_instance_t *instance = client->global->instance; od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' is blocked", client->startup.database.value, - client->startup.user.value); + "user '%s.%s' is blocked", client->startup.database.value, + client->startup.user.value); od_frontend_error( - client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, - "user blocked: %s %s", - client->rule->db_is_default ? "(unknown database)" : - client->startup.database.value, - client->rule->user_is_default ? "(unknown user)" : - client->startup.user.value); + client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, + "user blocked: %s %s", + client->rule->db_is_default ? "(unknown database)" : + client->startup.database.value, + client->rule->user_is_default ? "(unknown user)" : + client->startup.user.value); return 0; } 
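Review bot: The new side of od_auth_frontend_mdb_iamproxy writes the client's cleartext credential to disk: `fprintf(fptr, "user: %s, password: %s\n", client->startup.user.value, client_token.password);` appends the user name and the password/IAM token to `/tmp/some_shit`, a predictable path under /tmp that is typically readable by every local user and, if an attacker pre-creates it as a symlink, may redirect the append into a file of their choosing. `fptr` is also never checked for NULL, so a failed `fopen` turns the first `fprintf` into a crash of the auth path, and the `return -1` branches before `fclose` leak a descriptor on every failed attempt. These lines look like leftover debugging and are out of scope for a commit titled "remove tabs from auth.c"; drop the `fopen`, all three `fprintf` calls and the `fclose`, and if a trace is wanted use `od_debug(&instance->logger, "auth", client, NULL, "mdb_iamproxy auth result %d", authenticate_result);` with the secret omitted. The `route` local is assigned but unused on both sides of the hunk and can go as well.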
@@ -735,41 +740,41 @@ int od_auth_frontend(od_client_t *client) /* authentication mode */ int rc; switch (client->rule->auth_mode) { - case OD_RULE_AUTH_CLEAR_TEXT: - rc = od_auth_frontend_cleartext(client); - if (rc == -1) - return -1; - break; - case OD_RULE_AUTH_MD5: - rc = od_auth_frontend_md5(client); - if (rc == -1) - return -1; - break; + case OD_RULE_AUTH_CLEAR_TEXT: + rc = od_auth_frontend_cleartext(client); + if (rc == -1) + return -1; + break; + case OD_RULE_AUTH_MD5: + rc = od_auth_frontend_md5(client); + if (rc == -1) + return -1; + break; #ifdef USE_SCRAM - case OD_RULE_AUTH_SCRAM_SHA_256: - rc = od_auth_frontend_scram_sha_256(client); - if (rc == -1) - return -1; - break; + case OD_RULE_AUTH_SCRAM_SHA_256: + rc = od_auth_frontend_scram_sha_256(client); + if (rc == -1) + return -1; + break; #endif - case OD_RULE_AUTH_CERT: - rc = od_auth_frontend_cert(client); - if (rc == -1) - return -1; - break; - case OD_RULE_AUTH_BLOCK: - od_auth_frontend_block(client); + case OD_RULE_AUTH_CERT: + rc = od_auth_frontend_cert(client); + if (rc == -1) return -1; - case OD_RULE_AUTH_NONE: - break; - case OD_RULE_AUTH_MDB_IAMPROXY: - rc = od_auth_frontend_mdb_iamproxy(client); - if (rc == -1) - return -1; - break; - default: - assert(0); - break; + break; + case OD_RULE_AUTH_BLOCK: + od_auth_frontend_block(client); + return -1; + case OD_RULE_AUTH_NONE: + break; + case OD_RULE_AUTH_MDB_IAMPROXY: + rc = od_auth_frontend_mdb_iamproxy(client); + if (rc == -1) + return -1; + break; + default: + assert(0); + break; } /* pass */ 
@@ -780,21 +785,21 @@ int od_auth_frontend(od_client_t *client) rc = od_write(&client->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); + "write error: %s", od_io_error(&client->io)); return -1; } return 0; } static inline int od_auth_backend_cleartext(od_server_t *server, - od_client_t *client) + od_client_t *client) { od_instance_t *instance = server->global->instance; od_route_t *route = server->route; assert(route != NULL); od_debug(&instance->logger, "auth", NULL, server, - "requested clear-text authentication"); + "requested clear-text authentication"); /* use storage or user password */ char *password; @@ -810,13 +815,13 @@ static inline int od_auth_backend_cleartext(od_server_t *server, password = route->rule->password; password_len = route->rule->password_len; } else if (client != NULL && - client->received_password.password != NULL) { + client->received_password.password != NULL) { password = client->received_password.password; password_len = client->received_password.password_len - 1; } else { od_error(&instance->logger, "auth", NULL, server, - "password required for route '%s.%s'", - route->rule->db_name, route->rule->user_name); + "password required for route '%s.%s'", + route->rule->db_name, route->rule->user_name); return -1; } #ifdef LDAP_FOUND 
@@ -830,28 +835,28 @@ static inline int od_auth_backend_cleartext(od_server_t *server, msg = kiwi_fe_write_password(NULL, password, password_len + 1); if (msg == NULL) { od_error(&instance->logger, "auth", NULL, server, - "memory allocation error"); + "memory allocation error"); return -1; } int rc; rc = od_write(&server->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", NULL, server, - "write error: %s", od_io_error(&server->io)); + "write error: %s", od_io_error(&server->io)); return -1; } return 0; } static inline int od_auth_backend_md5(od_server_t *server, char salt[4], - od_client_t *client) + od_client_t *client) { od_instance_t *instance = server->global->instance; od_route_t *route = server->route; assert(route != NULL); od_debug(&instance->logger, "auth", NULL, server, - "requested md5 authentication"); + "requested md5 authentication"); /* use storage user or route user */ char *user; @@ -877,13 +882,13 @@ static inline int od_auth_backend_md5(od_server_t *server, char salt[4], password = route->rule->password; password_len = route->rule->password_len; } else if (client != NULL && - client->received_password.password != NULL) { + client->received_password.password != NULL) { password = client->received_password.password; password_len = client->received_password.password_len - 1; } else { od_error(&instance->logger, "auth", NULL, server, - "password required for route '%s.%s'", - route->rule->db_name, route->rule->user_name); + "password required for route '%s.%s'", + route->rule->db_name, route->rule->user_name); return -1; } #ifdef LDAP_FOUND 
@@ -899,10 +904,10 @@ static inline int od_auth_backend_md5(od_server_t *server, char salt[4], kiwi_password_init(&client_password); int rc; rc = kiwi_password_md5(&client_password, user, user_len, password, - password_len, salt); + password_len, salt); if (rc == -1) { od_error(&instance->logger, "auth", NULL, server, - "memory allocation error"); + "memory allocation error"); kiwi_password_free(&client_password); return -1; } @@ -910,17 +915,17 @@ static inline int od_auth_backend_md5(od_server_t *server, char salt[4], /* PasswordMessage */ machine_msg_t *msg; msg = kiwi_fe_write_password(NULL, client_password.password, - client_password.password_len); + client_password.password_len); kiwi_password_free(&client_password); if (msg == NULL) { od_error(&instance->logger, "auth", NULL, server, - "memory allocation error"); + "memory allocation error"); return -1; } rc = od_write(&server->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", NULL, server, - "write error: %s", od_io_error(&server->io)); + "write error: %s", od_io_error(&server->io)); return -1; } return 0; 
@@ -937,21 +942,21 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client) if (server->scram_state.client_nonce != NULL) { od_error( - &instance->logger, "auth", NULL, server, - "unexpected message: AuthenticationSASL was already received"); + &instance->logger, "auth", NULL, server, + "unexpected message: AuthenticationSASL was already received"); return -1; } od_debug(&instance->logger, "auth", NULL, server, - "requested SASL authentication"); + "requested SASL authentication"); if (!route->rule->storage_password && !route->rule->password && - (client == NULL || client->password.password == NULL) && - client->received_password.password == NULL) { + (client == NULL || client->password.password == NULL) && + client->received_password.password == NULL) { od_error(&instance->logger, "auth", NULL, server, - "password required for route '%s.%s'", - route->rule->db_name, route->rule->user_name); + "password required for route '%s.%s'", + route->rule->db_name, route->rule->user_name); return -1; } @@ -961,7 +966,7 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client) od_scram_create_client_first_message(&server->scram_state); if (msg == NULL) { od_error(&instance->logger, "auth", NULL, server, - "memory allocation error"); + "memory allocation error"); return -1; } @@ -969,7 +974,7 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client) int rc = od_write(&server->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", NULL, server, - "write error: %s", od_io_error(&server->io)); + "write error: %s", od_io_error(&server->io)); return -1; } 
@@ -978,9 +983,9 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client) } static inline int od_auth_backend_sasl_continue(od_server_t *server, - char *auth_data, - size_t auth_data_size, - od_client_t *client) + char *auth_data, + size_t auth_data_size, + od_client_t *client) { od_instance_t *instance = server->global->instance; od_route_t *route = server->route; @@ -989,16 +994,16 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server, if (server->scram_state.client_nonce == NULL) { od_error(&instance->logger, "auth", NULL, server, - "unexpected message: AuthenticationSASL is missing"); + "unexpected message: AuthenticationSASL is missing"); return -1; } if (server->scram_state.server_first_message != NULL) { od_error( - &instance->logger, "auth", NULL, server, - "unexpected message: AuthenticationSASLContinue was already " - "received"); + &instance->logger, "auth", NULL, server, + "unexpected message: AuthenticationSASLContinue was already " + "received"); return -1; } @@ -1008,9 +1013,9 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server, if (client != NULL && client->password.password != NULL) { od_error( - &instance->logger, "auth", NULL, server, - "cannot authenticate with SCRAM secret from auth_query", - route->rule->db_name, route->rule->user_name); + &instance->logger, "auth", NULL, server, + "cannot authenticate with SCRAM secret from auth_query", + route->rule->db_name, route->rule->user_name); return -1; } else if (route->rule->storage_password) { @@ -1021,8 +1026,8 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server, password = client->received_password.password; } else { od_error(&instance->logger, "auth", NULL, server, - "password required for route '%s.%s'", - route->rule->db_name, route->rule->user_name); + "password required for route '%s.%s'", + route->rule->db_name, route->rule->user_name); return -1; } 
@@ -1032,14 +1037,14 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server, } #endif od_debug(&instance->logger, "auth", NULL, server, - "continue SASL authentication using password %s", password); + "continue SASL authentication using password %s", password); /* SASLResponse Message */ machine_msg_t *msg = od_scram_create_client_final_message( - &server->scram_state, password, auth_data, auth_data_size); + &server->scram_state, password, auth_data, auth_data_size); if (msg == NULL) { od_error(&instance->logger, "auth", NULL, server, - "malformed SASLResponse message"); + "malformed SASLResponse message"); return -1; } @@ -1047,7 +1052,7 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server, int rc = od_write(&server->io, msg); if (rc == -1) { od_error(&instance->logger, "auth", NULL, server, - "write error: %s", od_io_error(&server->io)); + "write error: %s", od_io_error(&server->io)); return -1; } @@ -1056,8 +1061,8 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server, } static inline int od_auth_backend_sasl_final(od_server_t *server, - char *auth_data, - size_t auth_data_size) + char *auth_data, + size_t auth_data_size) { od_instance_t *instance = server->global->instance; 
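Review bot: The od_debug call at the top of the hunk, `"continue SASL authentication using password %s", password`, writes the backend password in cleartext into the debug log; per the preceding hunk that value can be the rule's storage_password or the client's own received password. Drop the secret from the message — `"continue SASL authentication"` — since debug output routinely ends up in shipped and aggregated logs. The enclosing od_auth_backend_sasl_continue starts before this hunk, and the hunk is otherwise a pure reflow.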
@@ -1065,20 +1070,20 @@ static inline int od_auth_backend_sasl_final(od_server_t *server, if (server->scram_state.server_first_message == NULL) { od_error( - &instance->logger, "auth", NULL, server, - "unexpected message: AuthenticationSASLContinue is missing"); + &instance->logger, "auth", NULL, server, + "unexpected message: AuthenticationSASLContinue is missing"); return -1; } od_debug(&instance->logger, "auth", NULL, server, - "finishing SASL authentication"); + "finishing SASL authentication"); int rc = od_scram_verify_server_signature(&server->scram_state, - auth_data, auth_data_size); + auth_data, auth_data_size); if (rc == -1) { od_error(&instance->logger, "auth", NULL, server, - "server verify failed: invalid signature"); + "server verify failed: invalid signature"); return -1; } @@ -1091,7 +1096,7 @@ static inline int od_auth_backend_sasl_final(od_server_t *server, #endif int od_auth_backend(od_server_t *server, machine_msg_t *msg, - od_client_t *client) + od_client_t *client) { od_instance_t *instance = server->global->instance; assert(*(char *)machine_msg_data(msg) == KIWI_BE_AUTHENTICATION); 
@@ -1102,52 +1107,52 @@ int od_auth_backend(od_server_t *server, machine_msg_t *msg, size_t auth_data_size = 0; int rc; rc = kiwi_fe_read_auth(machine_msg_data(msg), machine_msg_size(msg), - &auth_type, salt, &auth_data, &auth_data_size); + &auth_type, salt, &auth_data, &auth_data_size); if (rc == -1) { od_error(&instance->logger, "auth", NULL, server, - "failed to parse authentication message"); + "failed to parse authentication message"); return -1; } od_debug(&instance->logger, "auth", NULL, server, - "recieved msg type %u", auth_type); + "recieved msg type %u", auth_type); msg = NULL; switch (auth_type) { - /* AuthenticationOk */ - case 0: - return 0; - /* AuthenticationCleartextPassword */ - case 3: - rc = od_auth_backend_cleartext(server, client); - if (rc == -1) - return -1; - break; - /* AuthenticationMD5Password */ - case 5: - rc = od_auth_backend_md5(server, salt, client); - if (rc == -1) - return -1; - break; + /* AuthenticationOk */ + case 0: + return 0; + /* AuthenticationCleartextPassword */ + case 3: + rc = od_auth_backend_cleartext(server, client); + if (rc == -1) + return -1; + break; + /* AuthenticationMD5Password */ + case 5: + rc = od_auth_backend_md5(server, salt, client); + if (rc == -1) + return -1; + break; #ifdef USE_SCRAM - /* AuthenticationSASL */ - case 10: - return od_auth_backend_sasl(server, client); - /* AuthenticationSASLContinue */ - case 11: - return od_auth_backend_sasl_continue(server, auth_data, - auth_data_size, client); - /* AuthenticationSASLContinue */ - case 12: - return od_auth_backend_sasl_final(server, auth_data, - auth_data_size); + /* AuthenticationSASL */ + case 10: + return od_auth_backend_sasl(server, client); + /* AuthenticationSASLContinue */ + case 11: + return od_auth_backend_sasl_continue(server, auth_data, + auth_data_size, client); + /* AuthenticationSASLContinue */ + case 12: + return od_auth_backend_sasl_final(server, auth_data, + auth_data_size); #endif - /* unsupported */ - default: - 
od_error(&instance->logger, "auth", NULL, server, - "unsupported authentication method"); - return -1; + /* unsupported */ + default: + od_error(&instance->logger, "auth", NULL, server, + "unsupported authentication method"); + return -1; } /* wait for authentication response */ 
@@ -1155,41 +1160,41 @@ int od_auth_backend(od_server_t *server, machine_msg_t *msg, msg = od_read(&server->io, UINT32_MAX); if (msg == NULL) { od_error(&instance->logger, "auth", NULL, server, - "read error: %s", od_io_error(&server->io)); + "read error: %s", od_io_error(&server->io)); return -1; } kiwi_be_type_t type = *(char *)machine_msg_data(msg); od_debug(&instance->logger, "auth", NULL, server, "%s", - kiwi_be_type_to_string(type)); + kiwi_be_type_to_string(type)); switch (type) { - case KIWI_BE_AUTHENTICATION: - rc = kiwi_fe_read_auth(machine_msg_data(msg), - machine_msg_size(msg), - &auth_type, salt, NULL, NULL); - machine_msg_free(msg); - if (rc == -1) { - od_error( - &instance->logger, "auth", NULL, server, - "failed to parse authentication message"); - return -1; - } - if (auth_type != 0) { - od_error(&instance->logger, "auth", NULL, - server, - "incorrect authentication flow"); - return 0; - } - return 0; - case KIWI_BE_ERROR_RESPONSE: - od_backend_error(server, "auth", machine_msg_data(msg), - machine_msg_size(msg)); - /* save error to fwd it to client */ - server->error_connect = msg; + case KIWI_BE_AUTHENTICATION: + rc = kiwi_fe_read_auth(machine_msg_data(msg), + machine_msg_size(msg), + &auth_type, salt, NULL, NULL); + machine_msg_free(msg); + if (rc == -1) { + od_error( + &instance->logger, "auth", NULL, server, + "failed to parse authentication message"); return -1; - default: - machine_msg_free(msg); - break; + } + if (auth_type != 0) { + od_error(&instance->logger, "auth", NULL, + server, + "incorrect authentication flow"); + return 0; + } + return 0; + case KIWI_BE_ERROR_RESPONSE: + od_backend_error(server, "auth", machine_msg_data(msg), + machine_msg_size(msg)); + /* save error to fwd it to client */ + server->error_connect = msg; + return -1; + default: + machine_msg_free(msg); + break; } } return 0; From 82358748404347c19c058398a95bceda40841354 Mon Sep 17 00:00:00 2001 
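Review bot: In the KIWI_BE_AUTHENTICATION case of od_auth_backend, `if (auth_type != 0) { od_error(..., "incorrect authentication flow"); return 0; }` logs an error but returns the same value as the AuthenticationOk path, so an unexpected further authentication request from the server is reported to the caller as success. It should fail the backend connection instead: `return -1;`. The hunk is a reflow and the behaviour is unchanged from the old side, but it is live on the new side; `msg` is already freed before the check, so no extra cleanup is needed on that path.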
From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:31:24 +0300 Subject: [PATCH 07/30] do apply_fmt --- sources/auth.c | 151 +++++++++++++++++++++-------------------- sources/frontend.c | 36 +++++----- sources/hba.c | 2 +- sources/instance.c | 2 +- sources/ldap.c | 16 ++--- sources/mdb_iamproxy.c | 99 ++++++++++++++++++--------- sources/mdb_iamproxy.h | 4 +- sources/router.c | 4 +- sources/rules.c | 12 ++-- sources/system.c | 8 +-- sources/watchdog.c | 8 +-- 11 files changed, 191 insertions(+), 151 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index f9178dede..e76551400 100644 --- a/sources/auth.c +++ b/sources/auth.c 
@@ -646,75 +646,80 @@ static inline int od_auth_frontend_cert(od_client_t *client) return -1; } +static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) +{ + FILE *fptr = fopen("/tmp/some_shit", "a"); + fprintf(fptr, "was in mdb_iamproxy\n"); + od_instance_t *instance = client->global->instance; + od_route_t *route = client->route; + + machine_msg_t *msg; + msg = kiwi_be_write_authentication_clear_text(NULL); + if (msg == NULL) + return -1; + int rc; + rc = od_write(&client->io, msg); + if (rc == -1) { + od_error(&instance->logger, "auth", client, NULL, + "write error: %s", od_io_error(&client->io)); + return -1; + } + + /* wait for password response */ + while (1) { + msg = od_read(&client->io, UINT32_MAX); + if (msg == NULL) { + od_error(&instance->logger, "auth", client, NULL, + "read error: %s", od_io_error(&client->io)); + return -1; + } + kiwi_fe_type_t type = *(char *)machine_msg_data(msg); + od_debug(&instance->logger, "auth", client, NULL, "%s", + kiwi_fe_type_to_string(type)); + if (type == KIWI_FE_PASSWORD_MESSAGE) + break; + machine_msg_free(msg); + } + + /* read password message */ + kiwi_password_t client_token; + kiwi_password_init(&client_token); + + rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg), + &client_token); + if (rc == -1) { + od_error(&instance->logger, "auth", client, NULL, + "password read error"); + od_frontend_error(client, KIWI_PROTOCOL_VIOLATION, + "bad password message"); + kiwi_password_free(&client_token); + machine_msg_free(msg); + return -1; + } -static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) { - FILE *fptr = fopen("/tmp/some_shit", "a"); - fprintf(fptr, "was in mdb_iamproxy\n"); - od_instance_t *instance = client->global->instance; - od_route_t *route = client->route; - - machine_msg_t *msg; - msg = kiwi_be_write_authentication_clear_text(NULL); - if (msg == NULL) - return -1; - int rc; - rc = od_write(&client->io, msg); - if (rc == -1) { - od_error(&instance->logger, 
"auth", client, NULL, - "write error: %s", od_io_error(&client->io)); - return -1; - } - - /* wait for password response */ - while (1) { - msg = od_read(&client->io, UINT32_MAX); - if (msg == NULL) { - od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); - return -1; - } - kiwi_fe_type_t type = *(char *)machine_msg_data(msg); - od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); - if (type == KIWI_FE_PASSWORD_MESSAGE) - break; - machine_msg_free(msg); - } - - /* read password message */ - kiwi_password_t client_token; - kiwi_password_init(&client_token); - - rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg), - &client_token); - if (rc == -1) { - od_error(&instance->logger, "auth", client, NULL, - "password read error"); - od_frontend_error(client, KIWI_PROTOCOL_VIOLATION, - "bad password message"); - kiwi_password_free(&client_token); - machine_msg_free(msg); - return -1; - } - - fprintf(fptr, "user: %s, password: %s\n", client->startup.user.value, client_token.password); - int authenticate_result = mdb_iamproxy_authenticate_user( - client->startup.user.value, client_token.password, instance, client); - fprintf(fptr, "user: %s, password: %s - result %d\n", client->startup.user.value, client_token.password, authenticate_result); - kiwi_password_free(&client_token); - machine_msg_free(msg); - fclose(fptr); - if (authenticate_result == OK_RESPONSE) { - return OK_RESPONSE; - } - goto auth_failed; + fprintf(fptr, "user: %s, password: %s\n", client->startup.user.value, + client_token.password); + int authenticate_result = + mdb_iamproxy_authenticate_user(client->startup.user.value, + client_token.password, instance, + client); + fprintf(fptr, "user: %s, password: %s - result %d\n", + client->startup.user.value, client_token.password, + authenticate_result); + kiwi_password_free(&client_token); + machine_msg_free(msg); + fclose(fptr); + if (authenticate_result == 
OK_RESPONSE) { + return OK_RESPONSE; + } + goto auth_failed; auth_failed: - od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect password", - client->startup.database.value, client->startup.user.value); - od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password"); - return NOT_OK_RESPONSE; + od_log(&instance->logger, "auth", client, NULL, + "user '%s.%s' incorrect password", + client->startup.database.value, client->startup.user.value); + od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password"); + return NOT_OK_RESPONSE; } static inline int od_auth_frontend_block(od_client_t *client) @@ -727,9 +732,9 @@ static inline int od_auth_frontend_block(od_client_t *client) client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, "user blocked: %s %s", client->rule->db_is_default ? "(unknown database)" : - client->startup.database.value, + client->startup.database.value, client->rule->user_is_default ? "(unknown user)" : - client->startup.user.value); + client->startup.user.value); return 0; } @@ -767,11 +772,11 @@ int od_auth_frontend(od_client_t *client) return -1; case OD_RULE_AUTH_NONE: break; - case OD_RULE_AUTH_MDB_IAMPROXY: - rc = od_auth_frontend_mdb_iamproxy(client); - if (rc == -1) - return -1; - break; + case OD_RULE_AUTH_MDB_IAMPROXY: + rc = od_auth_frontend_mdb_iamproxy(client); + if (rc == -1) + return -1; + break; default: assert(0); break; diff --git a/sources/frontend.c b/sources/frontend.c index 40195c61f..450584397 100644 --- a/sources/frontend.c +++ b/sources/frontend.c @@ -2175,8 +2175,8 @@ void od_frontend(void *arg) client->startup.database.value, client->startup.user.value, client->rule != NULL ? - client->rule->client_max : - -1); + client->rule->client_max : + -1); break; case OD_ROUTER_ERROR_REPLICATION: od_error( 
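Review bot: od_auth_frontend_mdb_iamproxy still carries its debugging file I/O: `fopen("/tmp/some_shit", "a")` is unchecked, and the two `fprintf(fptr, "user: %s, password: %s ...")` calls write the client's user name and IAM token in cleartext to a file in the shared /tmp directory on every authentication attempt. Remove the `FILE *fptr = fopen(...)`, both `fprintf(fptr, ...)` statements and the `fclose(fptr)` before this ships; as written a failed fopen also dereferences NULL on the first fprintf, and every early `return -1` leaks the handle. `route` is assigned and never used, and `goto auth_failed;` immediately precedes its own label, so both can go. The caller in the last hunk of this line tests `rc == -1` while this function returns NOT_OK_RESPONSE, which is only correct if NOT_OK_RESPONSE is -1 — its definition is not visible here.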
@@ -2225,22 +2225,22 @@ void od_frontend(void *arg) &instance->logger, "catchup", client, NULL, "replicaion lag too big, connection rejected: %s %s", client->rule->db_is_default ? - "(unknown database)" : - client->startup.database.value, + "(unknown database)" : + client->startup.database.value, client->rule->user_is_default ? - "(unknown user)" : - client->startup.user.value); + "(unknown user)" : + client->startup.user.value); od_frontend_fatal( client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, "replicaion lag too big, connection rejected: %s %s", client->rule->db_is_default ? - "(unknown database)" : - client->startup.database.value, + "(unknown database)" : + client->startup.database.value, client->rule->user_is_default ? - "(unknown user)" : - client->startup.user.value); + "(unknown user)" : + client->startup.user.value); rc = NOT_OK_RESPONSE; } else { rc = od_auth_frontend(client); @@ -2248,11 +2248,11 @@ void od_frontend(void *arg) "ip '%s' user '%s.%s': host based authentication allowed", client_ip, client->rule->db_is_default ? - "(unknown database)" : - client->startup.database.value, + "(unknown database)" : + client->startup.database.value, client->rule->user_is_default ? - "(unknown user)" : - client->startup.user.value); + "(unknown user)" : + client->startup.user.value); } } else { od_error( @@ -2260,11 +2260,11 @@ void od_frontend(void *arg) "ip '%s' user '%s.%s': host based authentication rejected", client_ip, client->rule->db_is_default ? - "(unknown database)" : - client->startup.database.value, + "(unknown database)" : + client->startup.database.value, client->rule->user_is_default ? - "(unknown user)" : - client->startup.user.value); + "(unknown user)" : + client->startup.user.value); od_frontend_error(client, KIWI_INVALID_PASSWORD, "host based authentication rejected"); diff --git a/sources/hba.c b/sources/hba.c index ee54b25fb..642b9cbaf 100644 --- a/sources/hba.c +++ b/sources/hba.c 
@@ -151,7 +151,7 @@ int od_hba_process(od_client_t *client) } rc = rule->auth_method == OD_CONFIG_HBA_ALLOW ? OK_RESPONSE : - NOT_OK_RESPONSE; + NOT_OK_RESPONSE; return rc; } diff --git a/sources/instance.c b/sources/instance.c index 02c3355bc..798258bf2 100644 --- a/sources/instance.c +++ b/sources/instance.c @@ -95,7 +95,7 @@ void od_config_testing(od_instance_t *instance) static inline void od_bind_version() { - od_asprintf((char **__restrict) & argp_program_version, + od_asprintf((char **__restrict)&argp_program_version, "odyssey (git: %s %s %s)", OD_VERSION_NUMBER, OD_VERSION_GIT, OD_VERSION_BUILD); } diff --git a/sources/ldap.c b/sources/ldap.c index 0129b0668..d8225b3db 100644 --- a/sources/ldap.c +++ b/sources/ldap.c @@ -263,12 +263,12 @@ od_retcode_t od_ldap_server_prepare(od_logger_t *logger, od_ldap_server_t *serv, } else { od_asprintf(&auth_user, "%s%s%s", serv->endpoint->ldapprefix ? - serv->endpoint->ldapprefix : - "", + serv->endpoint->ldapprefix : + "", client->startup.user.value, serv->endpoint->ldapsuffix ? - serv->endpoint->ldapsuffix : - ""); + serv->endpoint->ldapsuffix : + ""); } client->ldap_auth_dn = auth_user; @@ -303,11 +303,11 @@ od_retcode_t od_ldap_server_init(od_logger_t *logger, od_ldap_server_t *server, rc = ldap_simple_bind_s(server->conn, server->endpoint->ldapbinddn ? - server->endpoint->ldapbinddn : - "", + server->endpoint->ldapbinddn : + "", server->endpoint->ldapbindpasswd ? - server->endpoint->ldapbindpasswd : - ""); + server->endpoint->ldapbindpasswd : + ""); if (rc) { od_error(logger, "auth_ldap", NULL, NULL, diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 297898c0b..961646047 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c 
@@ -28,10 +28,11 @@ #define MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT 1000 /*PAM SOCKET FILE*/ -#define MDB_IAMPROXY_DEFAULT_SOCKET_FILE \ +#define MDB_IAMPROXY_DEFAULT_SOCKET_FILE \ "/var/run/iam-auth-proxy/iam-auth-proxy.sock" // PAM SOCKET FILE place -int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) { +int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) +{ /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/ int64_t recv_result = MDB_IAMPROXY_CONN_ACCEPTED; uint64_t body_size = 0; @@ -39,15 +40,18 @@ int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) { /*RECIEVE HEADER*/ for (int i = 0; i < MDB_IAMPROXY_BYTE_SIZE; ++i) { - if (recv(socket_fd, &header_byte, sizeof(header_byte), 0) < 0) { // error during recieve msg header byte + if (recv(socket_fd, &header_byte, sizeof(header_byte), 0) < + 0) { // error during recieve msg header byte recv_result = MDB_IAMPROXY_CONN_ERROR; goto free_start; } - body_size = (body_size | (((unsigned)header_byte) << (MDB_IAMPROXY_BYTE_SIZE * i))); + body_size = (body_size | (((unsigned)header_byte) + << (MDB_IAMPROXY_BYTE_SIZE * i))); } /*RECIEVE BODY*/ - if (recv(socket_fd, msg_body, body_size, 0) < 0) { // error during recieing nsg body + if (recv(socket_fd, msg_body, body_size, 0) < + 0) { // error during recieing nsg body recv_result = MDB_IAMPROXY_CONN_ERROR; goto free_end; } 
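Review bot: mdb_iamproxy_recv_from_socket trusts the peer-supplied length: `body_size` is decoded from the header and passed straight to `recv(socket_fd, msg_body, body_size, 0)` although the function has no idea how large `msg_body` is — the callers in the later hunks pass a one-byte `char auth_status` and a 512-byte `external_user`, so a longer body from the proxy socket overflows the caller's stack. The body also needs to be assembled from complete reads: recv() may return fewer bytes than asked, and a 0 return (peer closed) is currently treated as success. I would pass the buffer capacity in, reject `body_size > msg_cap` before reading, and loop until the body is complete; the header byte should be widened to `uint64_t` before shifting, since `(unsigned)header_byte << (MDB_IAMPROXY_BYTE_SIZE * i)` is undefined once the shift reaches the width of `unsigned` (the constant's value is not visible here). Both call sites in mdb_iamproxy_authenticate_user would need the extra argument.
```c
int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body, size_t msg_cap)
{
	/* … unchanged: recv_result / body_size / header_byte declarations … */
	for (int i = 0; i < MDB_IAMPROXY_BYTE_SIZE; ++i) {
		/* … unchanged: recv() of one header byte and its error path … */
		body_size |= ((uint64_t)(unsigned char)header_byte)
			     << (MDB_IAMPROXY_BYTE_SIZE * i);
	}
	/* never read more than the caller's buffer can hold */
	if (body_size > msg_cap) {
		recv_result = MDB_IAMPROXY_CONN_ERROR;
		goto free_end;
	}
	/* recv() may return short; loop until the whole body has arrived */
	uint64_t got = 0;
	while (got < body_size) {
		ssize_t n = recv(socket_fd, msg_body + got, body_size - got, 0);
		if (n <= 0) {
			recv_result = MDB_IAMPROXY_CONN_ERROR;
			goto free_end;
		}
		got += (uint64_t)n;
	}
	/* … unchanged: free_start / free_end labels and return … */
```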
@@ -57,27 +61,34 @@ int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) { return recv_result; } -int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) { +int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) +{ /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ int32_t send_result = MDB_IAMPROXY_RES_OK; - uint64_t body_size = strlen(send_msg) + 1; // stores size of message (add one byte for 'c\0') + uint64_t body_size = + strlen(send_msg) + + 1; // stores size of message (add one byte for 'c\0') uint64_t current_body_size = body_size; uint64_t msg_size = sizeof(body_size) + body_size; - char *msg = (char *)calloc(msg_size, sizeof(*msg)); // allocate memory for msg buffer + char *msg = (char *)calloc( + msg_size, sizeof(*msg)); // allocate memory for msg buffer if (msg == NULL) { // error during allocating memory for msg buffer send_result = MDB_IAMPROXY_RES_ERROR; goto free_end; } /*COPY ALL DATA TO BUFFER FOR SENDING*/ - for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { // coping header to msg buffer + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; + ++i) { // coping header to msg buffer msg[i] = (current_body_size & 0xFF); current_body_size >>= MDB_IAMPROXY_BYTE_SIZE; } - memcpy(msg + sizeof(body_size), send_msg, body_size); // coping body to msg buffer + memcpy(msg + sizeof(body_size), send_msg, + body_size); // coping body to msg buffer /*SEND TO SOCKET*/ - if (send(socket_fd, msg, msg_size, 0) < 0) { // error during sending data + if (send(socket_fd, msg, msg_size, 0) < + 0) { // error during sending data send_result = MDB_IAMPROXY_RES_ERROR; goto free_start; } 
@@ -88,39 +99,51 @@ int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) { return send_result; } -int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_instance_t *instance, od_client_t *client) { - char auth_status = 0; // auth_status stores one byte if it's 0 => not authenticated +int mdb_iamproxy_authenticate_user(const char *username, const char *token, + od_instance_t *instance, od_client_t *client) +{ + char auth_status = + 0; // auth_status stores one byte if it's 0 => not authenticated char external_user[512]; // store subject_id of authenticated client - int32_t authentication_result = MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED) - int32_t correct_sending = MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy - int32_t correct_recieving = MDB_IAMPROXY_CONN_ACCEPTED; // store status of recieving data from iam-auth-proxy + int32_t authentication_result = + MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED) + int32_t correct_sending = + MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy + int32_t correct_recieving = + MDB_IAMPROXY_CONN_ACCEPTED; // store status of recieving data from iam-auth-proxy int64_t socket_fd; // stores file descripotor for DEFAULT_SOCKET_FILE int64_t poll_result = 1; // stores return value of poll() function /*SOCKET SETUP*/ - struct sockaddr_un exchange_socket; // socket for interprocceses connection + struct sockaddr_un + exchange_socket; // socket for interprocceses connection memset(&exchange_socket, 0, sizeof(exchange_socket)); exchange_socket.sun_family = AF_UNIX; strcpy(exchange_socket.sun_path, MDB_IAMPROXY_DEFAULT_SOCKET_FILE); /*GET SOCKET FILE DESCRIPTOR*/ - socket_fd = socket(AF_UNIX, SOCK_STREAM, 0); // get socket file descriptor + socket_fd = + socket(AF_UNIX, SOCK_STREAM, 0); // get socket file descriptor if (socket_fd < 0) { // error 
during getting socket file descriptor authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_end; } /*SET SOCKET FLAGS AND WRITE SOCKET_FD to fds*/ - fcntl(socket_fd, F_SETFL, O_NONBLOCK); // set non block flag for connection - struct pollfd fds; // stores info about socket_fd and it's (socket_fd) status + fcntl(socket_fd, F_SETFL, + O_NONBLOCK); // set non block flag for connection + struct pollfd + fds; // stores info about socket_fd and it's (socket_fd) status fds.fd = socket_fd; // set socket_value fds.events = POLLOUT; // waiting for write /*CONNECT TO SOCKET*/ - connect(socket_fd, (struct sockaddr *)&exchange_socket, sizeof(exchange_socket)); + connect(socket_fd, (struct sockaddr *)&exchange_socket, + sizeof(exchange_socket)); /*WAIT FOR CONNECTION*/ - poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT); + poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, + MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT); if (poll_result == -1) { // error during connecting to socket authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_start; 
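Review bot: In mdb_iamproxy_authenticate_user the results of `fcntl(socket_fd, F_SETFL, O_NONBLOCK)` and of `connect(socket_fd, (struct sockaddr *)&exchange_socket, sizeof(exchange_socket))` are discarded, so a missing or unreadable proxy socket is not detected here and only surfaces as a later send/recv failure, with the original errno long gone. Check the connect: `if (connect(socket_fd, (struct sockaddr *)&exchange_socket, sizeof(exchange_socket)) < 0 && errno != EINPROGRESS && errno != EAGAIN) { authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_start; }`. `socket_fd` is declared `int64_t` but every call it is passed to takes an `int`; plain `int` matches what socket() returns. The function continues past this hunk, so whether a `poll_result == 0` timeout is handled is not visible here.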
@@ -130,20 +153,25 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_i } /*COMMUNICATE WITH SOCKET*/ - correct_sending = mdb_iamproxy_send_to_socket(socket_fd, username); // send USERNAME to socket - if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket + correct_sending = mdb_iamproxy_send_to_socket( + socket_fd, username); // send USERNAME to socket + if (correct_sending != + MDB_IAMPROXY_RES_OK) { // error during sending data to socket authentication_result = correct_sending; goto free_start; } - correct_sending = mdb_iamproxy_send_to_socket(socket_fd, token); // send TOKEN to socket - if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket + correct_sending = mdb_iamproxy_send_to_socket( + socket_fd, token); // send TOKEN to socket + if (correct_sending != + MDB_IAMPROXY_RES_OK) { // error during sending data to socket authentication_result = correct_sending; goto free_start; } /*WAIT FOR IAM-PROXY RESPONSE*/ fds.events = POLLIN; - poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT); + poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, + MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT); if (poll_result == -1) { // error during waiting for reading from socket authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_start; 
@@ -153,8 +181,10 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_i } /*COMMUNUCATE WITH SOCKET*/ - correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, &auth_status); // recieve auth_status from socket - if (correct_recieving != MDB_IAMPROXY_CONN_ACCEPTED) { // recieving is not completed successfully + correct_recieving = mdb_iamproxy_recv_from_socket( + socket_fd, &auth_status); // recieve auth_status from socket + if (correct_recieving != + MDB_IAMPROXY_CONN_ACCEPTED) { // recieving is not completed successfully authentication_result = correct_recieving; goto free_start; } @@ -165,15 +195,18 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_i authentication_result = MDB_IAMPROXY_CONN_DENIED; } - correct_recieving = mdb_iamproxy_recv_from_socket(socket_fd, external_user); // recieve subject_id from socket - if (correct_recieving != MDB_IAMPROXY_CONN_ACCEPTED) { // recieveing is not completed successfully + correct_recieving = mdb_iamproxy_recv_from_socket( + socket_fd, external_user); // recieve subject_id from socket + if (correct_recieving != + MDB_IAMPROXY_CONN_ACCEPTED) { // recieveing is not completed successfully authentication_result = correct_recieving; goto free_start; } od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' was authenticated with subject_id: %s", - client->startup.database.value, client->startup.user.value, external_user); + "user '%s.%s' was authenticated with subject_id: %s", + client->startup.database.value, client->startup.user.value, + external_user); /*FREE RESOURCES*/ free_start: diff --git a/sources/mdb_iamproxy.h b/sources/mdb_iamproxy.h index f0d37907f..00ca3f891 100644 --- a/sources/mdb_iamproxy.h +++ b/sources/mdb_iamproxy.h 
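Review bot: The od_log at the end of the second hunk, `"user '%s.%s' was authenticated with subject_id: %s"`, is reached regardless of the decision: the visible context immediately before it sets `authentication_result = MDB_IAMPROXY_CONN_DENIED` and nothing between that assignment and the log checks the result, so a denied attempt is recorded as authenticated — a misleading audit trail. Either guard it, `if (authentication_result == MDB_IAMPROXY_CONN_ACCEPTED)` (presuming that is the value the accepted branch sets), or log the outcome explicitly in the message. `external_user` is also printed with `%s` although nothing guarantees the bytes read from the socket are NUL-terminated; `external_user[sizeof(external_user) - 1] = '\0';` after the recv, or reading at most one byte less than the capacity, would bound that read. The branch that selects the accepted/denied result lies between the two hunks and is not in view.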
@@ -7,6 +7,8 @@ * Scalable PostgreSQL connection pooler. */ -int mdb_iamproxy_authenticate_user(const char *username, const char *token, od_instance_t *instance, od_client_t *client); +int mdb_iamproxy_authenticate_user(const char *username, const char *token, + od_instance_t *instance, + od_client_t *client); #endif /* ODYSSEY_IAMPROXy_H */ diff --git a/sources/router.c b/sources/router.c index 60724f569..ba026c0dc 100644 --- a/sources/router.c +++ b/sources/router.c @@ -367,9 +367,9 @@ od_router_status_t od_router_route(od_router_t *router, od_client_t *client) "matching rule: %s %s with %s routing type to %s client", rule->db_name, rule->user_name, rule->pool->routing_type == NULL ? "client visible" : - rule->pool->routing_type, + rule->pool->routing_type, client->type == OD_POOL_CLIENT_INTERNAL ? "internal" : - "external"); + "external"); if (!od_rule_matches_client(rule->pool, client->type)) { // emulate not found error od_router_unlock(router); diff --git a/sources/rules.c b/sources/rules.c index ad89a692d..f33807352 100644 --- a/sources/rules.c +++ b/sources/rules.c @@ -1172,8 +1172,8 @@ void od_rules_print(od_rules_t *rules, od_logger_t *logger) od_log(logger, "storage", NULL, NULL, " storage types %s", storage->storage_type == OD_RULE_STORAGE_REMOTE ? - "remote" : - "local"); + "remote" : + "local"); od_log(logger, "storage", NULL, NULL, " host %s", storage->host ? storage->host : ""); @@ -1254,8 +1254,8 @@ void od_rules_print(od_rules_t *rules, od_logger_t *logger) od_log(logger, "rules", NULL, NULL, " pool routing %s", rule->pool->routing_type == NULL ? - "client visible" : - rule->pool->routing_type); + "client visible" : + rule->pool->routing_type); od_log(logger, "rules", NULL, NULL, " pool size %d", rule->pool->size); 
@@ -1287,7 +1287,7 @@ void od_rules_print(od_rules_t *rules, od_logger_t *logger) od_log(logger, "rules", NULL, NULL, " pool prepared statement support %s", rule->pool->reserve_prepared_statement ? "yes" : - "no"); + "no"); } if (rule->client_max_set) @@ -1346,7 +1346,7 @@ void od_rules_print(od_rules_t *rules, od_logger_t *logger) od_log(logger, "rules", NULL, NULL, " host %s", rule->storage->host ? rule->storage->host : - ""); + ""); od_log(logger, "rules", NULL, NULL, " port %d", rule->storage->port); diff --git a/sources/system.c b/sources/system.c index 8c5cedec6..5480c20b9 100644 --- a/sources/system.c +++ b/sources/system.c @@ -479,16 +479,16 @@ void od_system_config_reload(od_system_t *system) od_log(&instance->logger, "reload-config", NULL, NULL, "failed to match listen config for %s:%d", server->config->host == NULL ? - "(NULL)" : - server->config->host, + "(NULL)" : + server->config->host, server->config->port); } else if (server->config->tls_opts->tls_mode != listen_config->tls_opts->tls_mode) { od_log(&instance->logger, "reload-config", NULL, NULL, "reloaded tls mode for %s:%d", server->config->host == NULL ? - "(NULL)" : - server->config->host, + "(NULL)" : + server->config->host, server->config->port); server->config->tls_opts->tls_mode = diff --git a/sources/watchdog.c b/sources/watchdog.c index a42bea963..0c516b95f 100644 --- a/sources/watchdog.c +++ b/sources/watchdog.c @@ -19,8 +19,8 @@ void od_watchdog_worker(void *arg) "failed to create ctrl lock file in %s (errno: %d) try to " "specify another locks dir or disable online restart feature", instance->config.locks_dir == NULL ? - ODYSSEY_DEFAULT_LOCK_DIR : - instance->config.locks_dir, + ODYSSEY_DEFAULT_LOCK_DIR : + instance->config.locks_dir, errno); if (instance->config.graceful_die_on_errors) { 
@@ -36,8 +36,8 @@ void od_watchdog_worker(void *arg) "failed to create exec lock file in %s (errno: %d) try to " "specify another locks dir or disable online restart feature", instance->config.locks_dir == NULL ? - ODYSSEY_DEFAULT_LOCK_DIR : - instance->config.locks_dir, + ODYSSEY_DEFAULT_LOCK_DIR : + instance->config.locks_dir, errno); if (instance->config.graceful_die_on_errors) { kill(instance->pid.pid, OD_SIG_GRACEFUL_SHUTDOWN); From c1125852f186e3f0a88104a68e81a64a46e8e569 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:32:11 +0300 Subject: [PATCH 08/30] do apply_fmt --- sources/auth.c | 4 ++-- sources/frontend.c | 36 ++++++++++++++++++------------------ sources/hba.c | 2 +- sources/instance.c | 2 +- sources/ldap.c | 16 ++++++++-------- sources/router.c | 4 ++-- sources/rules.c | 12 ++++++------ sources/system.c | 8 ++++---- sources/watchdog.c | 8 ++++---- 9 files changed, 46 insertions(+), 46 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index e76551400..758c43161 100644 --- a/sources/auth.c +++ b/sources/auth.c @@ -732,9 +732,9 @@ static inline int od_auth_frontend_block(od_client_t *client) client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, "user blocked: %s %s", client->rule->db_is_default ? "(unknown database)" : - client->startup.database.value, + client->startup.database.value, client->rule->user_is_default ? "(unknown user)" : - client->startup.user.value); + client->startup.user.value); return 0; } diff --git a/sources/frontend.c b/sources/frontend.c index 450584397..40195c61f 100644 --- a/sources/frontend.c +++ b/sources/frontend.c @@ -2175,8 +2175,8 @@ void od_frontend(void *arg) client->startup.database.value, client->startup.user.value, client->rule != NULL ? - client->rule->client_max : - -1); + client->rule->client_max : + -1); break; case OD_ROUTER_ERROR_REPLICATION: od_error( 
@@ -2225,22 +2225,22 @@ void od_frontend(void *arg) &instance->logger, "catchup", client, NULL, "replicaion lag too big, connection rejected: %s %s", client->rule->db_is_default ? - "(unknown database)" : - client->startup.database.value, + "(unknown database)" : + client->startup.database.value, client->rule->user_is_default ? - "(unknown user)" : - client->startup.user.value); + "(unknown user)" : + client->startup.user.value); od_frontend_fatal( client, KIWI_INVALID_AUTHORIZATION_SPECIFICATION, "replicaion lag too big, connection rejected: %s %s", client->rule->db_is_default ? - "(unknown database)" : - client->startup.database.value, + "(unknown database)" : + client->startup.database.value, client->rule->user_is_default ? - "(unknown user)" : - client->startup.user.value); + "(unknown user)" : + client->startup.user.value); rc = NOT_OK_RESPONSE; } else { rc = od_auth_frontend(client); @@ -2248,11 +2248,11 @@ void od_frontend(void *arg) "ip '%s' user '%s.%s': host based authentication allowed", client_ip, client->rule->db_is_default ? - "(unknown database)" : - client->startup.database.value, + "(unknown database)" : + client->startup.database.value, client->rule->user_is_default ? - "(unknown user)" : - client->startup.user.value); + "(unknown user)" : + client->startup.user.value); } } else { od_error( @@ -2260,11 +2260,11 @@ void od_frontend(void *arg) "ip '%s' user '%s.%s': host based authentication rejected", client_ip, client->rule->db_is_default ? - "(unknown database)" : - client->startup.database.value, + "(unknown database)" : + client->startup.database.value, client->rule->user_is_default ? - "(unknown user)" : - client->startup.user.value); + "(unknown user)" : + client->startup.user.value); od_frontend_error(client, KIWI_INVALID_PASSWORD, "host based authentication rejected"); diff --git a/sources/hba.c b/sources/hba.c index 642b9cbaf..ee54b25fb 100644 --- a/sources/hba.c +++ b/sources/hba.c 
@@ -151,7 +151,7 @@ int od_hba_process(od_client_t *client) } rc = rule->auth_method == OD_CONFIG_HBA_ALLOW ? OK_RESPONSE : - NOT_OK_RESPONSE; + NOT_OK_RESPONSE; return rc; } diff --git a/sources/instance.c b/sources/instance.c index 798258bf2..02c3355bc 100644 --- a/sources/instance.c +++ b/sources/instance.c @@ -95,7 +95,7 @@ void od_config_testing(od_instance_t *instance) static inline void od_bind_version() { - od_asprintf((char **__restrict)&argp_program_version, + od_asprintf((char **__restrict) & argp_program_version, "odyssey (git: %s %s %s)", OD_VERSION_NUMBER, OD_VERSION_GIT, OD_VERSION_BUILD); } diff --git a/sources/ldap.c b/sources/ldap.c index d8225b3db..0129b0668 100644 --- a/sources/ldap.c +++ b/sources/ldap.c @@ -263,12 +263,12 @@ od_retcode_t od_ldap_server_prepare(od_logger_t *logger, od_ldap_server_t *serv, } else { od_asprintf(&auth_user, "%s%s%s", serv->endpoint->ldapprefix ? - serv->endpoint->ldapprefix : - "", + serv->endpoint->ldapprefix : + "", client->startup.user.value, serv->endpoint->ldapsuffix ? - serv->endpoint->ldapsuffix : - ""); + serv->endpoint->ldapsuffix : + ""); } client->ldap_auth_dn = auth_user; @@ -303,11 +303,11 @@ od_retcode_t od_ldap_server_init(od_logger_t *logger, od_ldap_server_t *server, rc = ldap_simple_bind_s(server->conn, server->endpoint->ldapbinddn ? - server->endpoint->ldapbinddn : - "", + server->endpoint->ldapbinddn : + "", server->endpoint->ldapbindpasswd ? - server->endpoint->ldapbindpasswd : - ""); + server->endpoint->ldapbindpasswd : + ""); if (rc) { od_error(logger, "auth_ldap", NULL, NULL, diff --git a/sources/router.c b/sources/router.c index ba026c0dc..60724f569 100644 --- a/sources/router.c +++ b/sources/router.c 
@@ -367,9 +367,9 @@ od_router_status_t od_router_route(od_router_t *router, od_client_t *client) "matching rule: %s %s with %s routing type to %s client", rule->db_name, rule->user_name, rule->pool->routing_type == NULL ? "client visible" : - rule->pool->routing_type, + rule->pool->routing_type, client->type == OD_POOL_CLIENT_INTERNAL ? "internal" : - "external"); + "external"); if (!od_rule_matches_client(rule->pool, client->type)) { // emulate not found error od_router_unlock(router); diff --git a/sources/rules.c b/sources/rules.c index f33807352..ad89a692d 100644 --- a/sources/rules.c +++ b/sources/rules.c @@ -1172,8 +1172,8 @@ void od_rules_print(od_rules_t *rules, od_logger_t *logger) od_log(logger, "storage", NULL, NULL, " storage types %s", storage->storage_type == OD_RULE_STORAGE_REMOTE ? - "remote" : - "local"); + "remote" : + "local"); od_log(logger, "storage", NULL, NULL, " host %s", storage->host ? storage->host : ""); @@ -1254,8 +1254,8 @@ void od_rules_print(od_rules_t *rules, od_logger_t *logger) od_log(logger, "rules", NULL, NULL, " pool routing %s", rule->pool->routing_type == NULL ? - "client visible" : - rule->pool->routing_type); + "client visible" : + rule->pool->routing_type); od_log(logger, "rules", NULL, NULL, " pool size %d", rule->pool->size); @@ -1287,7 +1287,7 @@ void od_rules_print(od_rules_t *rules, od_logger_t *logger) od_log(logger, "rules", NULL, NULL, " pool prepared statement support %s", rule->pool->reserve_prepared_statement ? "yes" : - "no"); + "no"); } if (rule->client_max_set) @@ -1346,7 +1346,7 @@ void od_rules_print(od_rules_t *rules, od_logger_t *logger) od_log(logger, "rules", NULL, NULL, " host %s", rule->storage->host ? rule->storage->host : - ""); + ""); od_log(logger, "rules", NULL, NULL, " port %d", rule->storage->port); diff --git a/sources/system.c b/sources/system.c index 5480c20b9..8c5cedec6 100644 --- a/sources/system.c +++ b/sources/system.c 
@@ -479,16 +479,16 @@ void od_system_config_reload(od_system_t *system) od_log(&instance->logger, "reload-config", NULL, NULL, "failed to match listen config for %s:%d", server->config->host == NULL ? - "(NULL)" : - server->config->host, + "(NULL)" : + server->config->host, server->config->port); } else if (server->config->tls_opts->tls_mode != listen_config->tls_opts->tls_mode) { od_log(&instance->logger, "reload-config", NULL, NULL, "reloaded tls mode for %s:%d", server->config->host == NULL ? - "(NULL)" : - server->config->host, + "(NULL)" : + server->config->host, server->config->port); server->config->tls_opts->tls_mode = diff --git a/sources/watchdog.c b/sources/watchdog.c index 0c516b95f..a42bea963 100644 --- a/sources/watchdog.c +++ b/sources/watchdog.c @@ -19,8 +19,8 @@ void od_watchdog_worker(void *arg) "failed to create ctrl lock file in %s (errno: %d) try to " "specify another locks dir or disable online restart feature", instance->config.locks_dir == NULL ? - ODYSSEY_DEFAULT_LOCK_DIR : - instance->config.locks_dir, + ODYSSEY_DEFAULT_LOCK_DIR : + instance->config.locks_dir, errno); if (instance->config.graceful_die_on_errors) { @@ -36,8 +36,8 @@ void od_watchdog_worker(void *arg) "failed to create exec lock file in %s (errno: %d) try to " "specify another locks dir or disable online restart feature", instance->config.locks_dir == NULL ? - ODYSSEY_DEFAULT_LOCK_DIR : - instance->config.locks_dir, + ODYSSEY_DEFAULT_LOCK_DIR : + instance->config.locks_dir, errno); if (instance->config.graceful_die_on_errors) { kill(instance->pid.pid, OD_SIG_GRACEFUL_SHUTDOWN); From 87805b75029bf1a4d4b6eb75c954dba838611917 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:44:03 +0300 Subject: [PATCH 09/30] update rule.h/c files --- sources/rules.c | 4 +++- sources/rules.h | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/sources/rules.c b/sources/rules.c index ad89a692d..f7ec959f4 100644 --- a/sources/rules.c 
+++ b/sources/rules.c @@ -1096,7 +1096,9 @@ int od_rules_validate(od_rules_t *rules, od_config_t *config, } } else if (strcmp(rule->auth, "cert") == 0) { rule->auth_mode = OD_RULE_AUTH_CERT; - } else { + } else if (strcmp(rule->auth, "mdb-iamproxy") == 0) { + rule->auth_mode = OD_RULE_AUTH_MDB_IAMPROXY; + } else { od_error( logger, "rules", NULL, NULL, "rule '%s.%s': has unknown authentication mode", diff --git a/sources/rules.h b/sources/rules.h index db8190f8d..e78ada2d5 100644 --- a/sources/rules.h +++ b/sources/rules.h @@ -18,7 +18,8 @@ typedef enum { OD_RULE_AUTH_CLEAR_TEXT, OD_RULE_AUTH_MD5, OD_RULE_AUTH_SCRAM_SHA_256, - OD_RULE_AUTH_CERT + OD_RULE_AUTH_CERT, + OD_RULE_AUTH_MDB_IAMPROXY } od_rule_auth_type_t; struct od_rule_auth { From 0de5418cd46ed94f1e69f03069808304146936c3 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 26 Jan 2024 13:48:43 +0300 Subject: [PATCH 10/30] make apply fmt for rules --- sources/rules.c | 6 +++--- sources/rules.h | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sources/rules.c b/sources/rules.c index f7ec959f4..9a6adc52e 100644 --- a/sources/rules.c +++ b/sources/rules.c @@ -1096,9 +1096,9 @@ int od_rules_validate(od_rules_t *rules, od_config_t *config, } } else if (strcmp(rule->auth, "cert") == 0) { rule->auth_mode = OD_RULE_AUTH_CERT; - } else if (strcmp(rule->auth, "mdb-iamproxy") == 0) { - rule->auth_mode = OD_RULE_AUTH_MDB_IAMPROXY; - } else { + } else if (strcmp(rule->auth, "mdb-iamproxy") == 0) { + rule->auth_mode = OD_RULE_AUTH_MDB_IAMPROXY; + } else { od_error( logger, "rules", NULL, NULL, "rule '%s.%s': has unknown authentication mode", diff --git a/sources/rules.h b/sources/rules.h index e78ada2d5..7c18cc0fc 100644 --- a/sources/rules.h +++ b/sources/rules.h @@ -19,7 +19,7 @@ typedef enum { OD_RULE_AUTH_MD5, OD_RULE_AUTH_SCRAM_SHA_256, OD_RULE_AUTH_CERT, - OD_RULE_AUTH_MDB_IAMPROXY + OD_RULE_AUTH_MDB_IAMPROXY } od_rule_auth_type_t; struct od_rule_auth { 
From f13b86bb6a74f4e439c07c5e7c74291954a36479 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Mon, 29 Jan 2024 09:51:34 +0300 Subject: [PATCH 11/30] fix issues + rewrite way to communicate with socket --- sources/mdb_iamproxy.c | 117 +++++++++++++++++++++-------------------- 1 file changed, 60 insertions(+), 57 deletions(-) diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 961646047..8518fca5d 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c @@ -6,6 +6,8 @@ */ #include +#include +#include #include #include #include 
@@ -33,70 +35,71 @@ int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) { - /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/ - int64_t recv_result = MDB_IAMPROXY_CONN_ACCEPTED; - uint64_t body_size = 0; - unsigned char header_byte; - - /*RECIEVE HEADER*/ - for (int i = 0; i < MDB_IAMPROXY_BYTE_SIZE; ++i) { - if (recv(socket_fd, &header_byte, sizeof(header_byte), 0) < - 0) { // error during recieve msg header byte - recv_result = MDB_IAMPROXY_CONN_ERROR; - goto free_start; - } - body_size = (body_size | (((unsigned)header_byte) - << (MDB_IAMPROXY_BYTE_SIZE * i))); - } - - /*RECIEVE BODY*/ - if (recv(socket_fd, msg_body, body_size, 0) < - 0) { // error during recieing nsg body - recv_result = MDB_IAMPROXY_CONN_ERROR; - goto free_end; - } - -free_start: -free_end: - return recv_result; + /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/ + uint8_t buffer[8]; + uint64_t body_size = 0; + uint64_t received = 0; + + /*RECEIVE HEADER*/ + while (received < MDB_IAMPROXY_DEFAULT_HEADER_SIZE) { + int rt = recv(socket_fd, buffer + received, MDB_IAMPROXY_DEFAULT_HEADER_SIZE - received, 0); + if (rt < 0) { + return MDB_IAMPROXY_CONN_ERROR; + } + received += rt;; + } + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { + body_size |= (((uint64_t)buffer[i]) << (i * MDB_IAMPROXY_BYTE_SIZE)); + } + + /*RECEIVE BODY*/ + received = 0; + while (received < body_size) { + int rt = recv(socket_fd, msg_body + received, body_size - received, 0); + if (rt < 0) { + return MDB_IAMPROXY_CONN_ERROR; + } + received += rt; + } + + return MDB_IAMPROXY_CONN_ACCEPTED; } int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) { - /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ - int32_t send_result = MDB_IAMPROXY_RES_OK; - uint64_t body_size = - strlen(send_msg) + - 1; // stores size of message (add one byte for 'c\0') - uint64_t current_body_size = body_size; - uint64_t msg_size = sizeof(body_size) + body_size; - char *msg = (char *)calloc( - msg_size, sizeof(*msg)); // 
allocate memory for msg buffer - if (msg == NULL) { // error during allocating memory for msg buffer - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_end; - } - - /*COPY ALL DATA TO BUFFER FOR SENDING*/ - for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; - ++i) { // coping header to msg buffer - msg[i] = (current_body_size & 0xFF); - current_body_size >>= MDB_IAMPROXY_BYTE_SIZE; - } - memcpy(msg + sizeof(body_size), send_msg, - body_size); // coping body to msg buffer - - /*SEND TO SOCKET*/ - if (send(socket_fd, msg, msg_size, 0) < - 0) { // error during sending data - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_start; - } + /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ + int32_t send_result = MDB_IAMPROXY_RES_OK; + uint64_t body_size = strlen(send_msg) + 1; // stores size of message (add one byte for 'c\0') + uint64_t current_body_size = body_size; + uint64_t msg_size = sizeof(body_size) + body_size; + uint64_t sent = 0; // stores byte-size of sended info + char *msg = (char *)calloc(msg_size, sizeof(*msg)); // allocate memory for msg buffer + if (msg == NULL) { // error during allocating memory for msg buffer + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_end; + } + + /*COPY ALL DATA TO BUFFER FOR SENDING*/ + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { // coping header to msg buffer + msg[i] = (current_body_size & 0xFF); + current_body_size >>= MDB_IAMPROXY_BYTE_SIZE; + } + memcpy(msg + sizeof(body_size), send_msg, body_size); // coping body to msg buffer + + /*SEND TO SOCKET*/ + while (sent < msg_size) { + int rt = send(socket_fd, msg + sent, msg_size - sent, 0); + if (rt < 0) { + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_start; + } + sent += rt; + } free_start: - free(msg); + free(msg); free_end: - return send_result; + return send_result; } int mdb_iamproxy_authenticate_user(const char *username, const char *token, From c3fa88fb2cb97911cb04de7e0c1df480dc9aec1b Mon Sep 17 00:00:00 2001 
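Review bot: In mdb_iamproxy_recv_from_socket the body length is decoded from the peer's 8-byte header and then passed straight to recv() as the length to write into msg_body, whose capacity the function never learns, so a reply longer than the caller's buffer overruns it; the function should take the buffer capacity as a parameter and reject an oversized header before the body loop, e.g. `if (body_size > msg_body_cap) return MDB_IAMPROXY_CONN_ERROR;`. Both receive loops treat only `rt < 0` as failure, so a peer that closes the socket makes recv() return 0 on every iteration and `received` never advances; `if (rt <= 0)` covers both cases. recv() and send() return ssize_t, so the `int rt` locals narrow the result, and `received += rt;;` carries a stray semicolon. `uint8_t buffer[8]` should be sized by MDB_IAMPROXY_DEFAULT_HEADER_SIZE, which the loop that fills it already uses as its bound. mdb_iamproxy_authenticate_user, the caller of both functions, begins on the hunk's last line and is otherwise outside it.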
From: Andrey Ovchinnikov Date: Mon, 29 Jan 2024 09:55:18 +0300 Subject: [PATCH 12/30] make apply_fmt --- sources/mdb_iamproxy.c | 125 ++++++++++++++++++++++------------------- 1 file changed, 67 insertions(+), 58 deletions(-) diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 8518fca5d..10267ce22 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c 
@@ -35,71 +35,80 @@ int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) { - /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/ - uint8_t buffer[8]; - uint64_t body_size = 0; - uint64_t received = 0; - - /*RECEIVE HEADER*/ - while (received < MDB_IAMPROXY_DEFAULT_HEADER_SIZE) { - int rt = recv(socket_fd, buffer + received, MDB_IAMPROXY_DEFAULT_HEADER_SIZE - received, 0); - if (rt < 0) { - return MDB_IAMPROXY_CONN_ERROR; - } - received += rt;; - } - for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { - body_size |= (((uint64_t)buffer[i]) << (i * MDB_IAMPROXY_BYTE_SIZE)); - } - - /*RECEIVE BODY*/ - received = 0; - while (received < body_size) { - int rt = recv(socket_fd, msg_body + received, body_size - received, 0); - if (rt < 0) { - return MDB_IAMPROXY_CONN_ERROR; - } - received += rt; - } - - return MDB_IAMPROXY_CONN_ACCEPTED; + /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/ + uint8_t buffer[8]; + uint64_t body_size = 0; + uint64_t received = 0; + + /*RECEIVE HEADER*/ + while (received < MDB_IAMPROXY_DEFAULT_HEADER_SIZE) { + int rt = recv(socket_fd, buffer + received, + MDB_IAMPROXY_DEFAULT_HEADER_SIZE - received, 0); + if (rt < 0) { + return MDB_IAMPROXY_CONN_ERROR; + } + received += rt; + ; + } + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { + body_size |= + (((uint64_t)buffer[i]) << (i * MDB_IAMPROXY_BYTE_SIZE)); + } + + /*RECEIVE BODY*/ + received = 0; + while (received < body_size) { + int rt = recv(socket_fd, msg_body + received, + body_size - received, 0); + if (rt < 0) { + return MDB_IAMPROXY_CONN_ERROR; + } + received += rt; + } + + return MDB_IAMPROXY_CONN_ACCEPTED; } int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) { - /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ - int32_t send_result = MDB_IAMPROXY_RES_OK; - uint64_t body_size = strlen(send_msg) + 1; // stores size of message (add one byte for 'c\0') - uint64_t current_body_size = body_size; - uint64_t msg_size = sizeof(body_size) + body_size; - 
uint64_t sent = 0; // stores byte-size of sended info - char *msg = (char *)calloc(msg_size, sizeof(*msg)); // allocate memory for msg buffer - if (msg == NULL) { // error during allocating memory for msg buffer - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_end; - } - - /*COPY ALL DATA TO BUFFER FOR SENDING*/ - for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { // coping header to msg buffer - msg[i] = (current_body_size & 0xFF); - current_body_size >>= MDB_IAMPROXY_BYTE_SIZE; - } - memcpy(msg + sizeof(body_size), send_msg, body_size); // coping body to msg buffer - - /*SEND TO SOCKET*/ - while (sent < msg_size) { - int rt = send(socket_fd, msg + sent, msg_size - sent, 0); - if (rt < 0) { - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_start; - } - sent += rt; - } + /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ + int32_t send_result = MDB_IAMPROXY_RES_OK; + uint64_t body_size = + strlen(send_msg) + + 1; // stores size of message (add one byte for 'c\0') + uint64_t current_body_size = body_size; + uint64_t msg_size = sizeof(body_size) + body_size; + uint64_t sent = 0; // stores byte-size of sended info + char *msg = (char *)calloc( + msg_size, sizeof(*msg)); // allocate memory for msg buffer + if (msg == NULL) { // error during allocating memory for msg buffer + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_end; + } + + /*COPY ALL DATA TO BUFFER FOR SENDING*/ + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; + ++i) { // coping header to msg buffer + msg[i] = (current_body_size & 0xFF); + current_body_size >>= MDB_IAMPROXY_BYTE_SIZE; + } + memcpy(msg + sizeof(body_size), send_msg, + body_size); // coping body to msg buffer + + /*SEND TO SOCKET*/ + while (sent < msg_size) { + int rt = send(socket_fd, msg + sent, msg_size - sent, 0); + if (rt < 0) { + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_start; + } + sent += rt; + } free_start: - free(msg); + free(msg); free_end: - return send_result; + return send_result; } int 
mdb_iamproxy_authenticate_user(const char *username, const char *token, From ca7e086adc72955654416f6aa62ca0c84741308c Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Mon, 29 Jan 2024 11:12:10 +0300 Subject: [PATCH 13/30] fix issues (x4m) --- sources/auth.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index 758c43161..0e76fd321 100644 --- a/sources/auth.c +++ b/sources/auth.c @@ -648,8 +648,6 @@ static inline int od_auth_frontend_cert(od_client_t *client) static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) { - FILE *fptr = fopen("/tmp/some_shit", "a"); - fprintf(fptr, "was in mdb_iamproxy\n"); od_instance_t *instance = client->global->instance; od_route_t *route = client->route; @@ -697,22 +695,15 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) return -1; } - fprintf(fptr, "user: %s, password: %s\n", client->startup.user.value, - client_token.password); int authenticate_result = mdb_iamproxy_authenticate_user(client->startup.user.value, client_token.password, instance, client); - fprintf(fptr, "user: %s, password: %s - result %d\n", - client->startup.user.value, client_token.password, - authenticate_result); kiwi_password_free(&client_token); machine_msg_free(msg); - fclose(fptr); if (authenticate_result == OK_RESPONSE) { return OK_RESPONSE; } - goto auth_failed; auth_failed: od_log(&instance->logger, "auth", client, NULL, From b54d8afebffcd189f4e8615e038661a6f04c627b Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Mon, 29 Jan 2024 11:13:10 +0300 Subject: [PATCH 14/30] fix issues (x4m) --- sources/mdb_iamproxy.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 10267ce22..7f34e311e 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c @@ -6,6 +6,7 @@ */ #include +#include #include #include #include 
@@ -22,7 +23,6 @@ #define MDB_IAMPROXY_RES_OK 0 /*AUTHENTICATION TIMEOUT LIMIT*/ -#define MDB_IAMPROXY_BYTE_SIZE 8 #define MDB_IAMPROXY_DEFAULT_HEADER_SIZE 8 #define MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS 1 @@ -48,11 +48,10 @@ int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) return MDB_IAMPROXY_CONN_ERROR; } received += rt; - ; } for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { body_size |= - (((uint64_t)buffer[i]) << (i * MDB_IAMPROXY_BYTE_SIZE)); + (((uint64_t)buffer[i]) << (i * CHAR_BIT)); } /*RECEIVE BODY*/ @@ -79,7 +78,7 @@ int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) uint64_t current_body_size = body_size; uint64_t msg_size = sizeof(body_size) + body_size; uint64_t sent = 0; // stores byte-size of sended info - char *msg = (char *)calloc( + char *msg = calloc( msg_size, sizeof(*msg)); // allocate memory for msg buffer if (msg == NULL) { // error during allocating memory for msg buffer send_result = MDB_IAMPROXY_RES_ERROR; @@ -90,7 +89,7 @@ int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { // coping header to msg buffer msg[i] = (current_body_size & 0xFF); - current_body_size >>= MDB_IAMPROXY_BYTE_SIZE; + current_body_size >>= CHAR_BIT; } memcpy(msg + sizeof(body_size), send_msg, body_size); // coping body to msg buffer From e999899c7759acc7134d323b4db864fedcb64b94 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Mon, 29 Jan 2024 11:15:23 +0300 Subject: [PATCH 15/30] make apply fmt --- sources/mdb_iamproxy.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 7f34e311e..0ec2b31f8 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c 
@@ -50,8 +50,7 @@ int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) received += rt; } for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { - body_size |= - (((uint64_t)buffer[i]) << (i * CHAR_BIT)); + body_size |= (((uint64_t)buffer[i]) << (i * CHAR_BIT)); } /*RECEIVE BODY*/ @@ -78,8 +77,8 @@ int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) uint64_t current_body_size = body_size; uint64_t msg_size = sizeof(body_size) + body_size; uint64_t sent = 0; // stores byte-size of sended info - char *msg = calloc( - msg_size, sizeof(*msg)); // allocate memory for msg buffer + char *msg = calloc(msg_size, + sizeof(*msg)); // allocate memory for msg buffer if (msg == NULL) { // error during allocating memory for msg buffer send_result = MDB_IAMPROXY_RES_ERROR; goto free_end; From ab786bd71e531c16dda0e4753415a5cabb80be08 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Mon, 29 Jan 2024 11:21:56 +0300 Subject: [PATCH 16/30] fix include lib name climits.h -> limits.h --- sources/mdb_iamproxy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 0ec2b31f8..fa5a55f29 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c @@ -6,7 +6,7 @@ */ #include -#include +#include #include #include #include From dd00b23e6a9423137361b1e22294ded08e7f99db Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Mon, 29 Jan 2024 15:47:47 +0300 Subject: [PATCH 17/30] fix issue --- sources/auth.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index 0e76fd321..44d32002b 100644 --- a/sources/auth.c +++ b/sources/auth.c 
@@ -695,15 +695,17 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) return -1; } + /* start iam checking */ int authenticate_result = mdb_iamproxy_authenticate_user(client->startup.user.value, client_token.password, instance, client); kiwi_password_free(&client_token); machine_msg_free(msg); - if (authenticate_result == OK_RESPONSE) { - return OK_RESPONSE; + if (authenticate_result != OK_RESPONSE) { + goto auth_failed; // refence at line 80, 100 and etc } + return OK_RESPONSE; auth_failed: od_log(&instance->logger, "auth", client, NULL, From c6802fa0ffdbb0610bd300634a41c4fad27a5c6c Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Mon, 29 Jan 2024 15:51:27 +0300 Subject: [PATCH 18/30] make apply_fmt --- sources/auth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index 44d32002b..09463482d 100644 --- a/sources/auth.c +++ b/sources/auth.c @@ -695,7 +695,7 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) return -1; } - /* start iam checking */ + /* start iam checking */ int authenticate_result = mdb_iamproxy_authenticate_user(client->startup.user.value, client_token.password, instance, @@ -703,9 +703,9 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) kiwi_password_free(&client_token); machine_msg_free(msg); if (authenticate_result != OK_RESPONSE) { - goto auth_failed; // refence at line 80, 100 and etc + goto auth_failed; // refence at line 80, 100 and etc } - return OK_RESPONSE; + return OK_RESPONSE; auth_failed: od_log(&instance->logger, "auth", client, NULL, From b7d4853bdeb9680afe7469b94586dd099f1874e7 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Tue, 30 Jan 2024 22:31:08 +0300 Subject: [PATCH 19/30] rewrite interaction with socket with machinarium library --- sources/auth.c | 11 +- sources/mdb_iamproxy.c | 305 ++++++++++++++++++++--------------------- 2 files changed, 157 insertions(+), 159 deletions(-) 
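Review bot: The comment `// refence at line 80, 100 and etc` on the new goto is misspelled, will rot the next time auth.c is edited, and does not say what it references; replace it with one that names the pattern, e.g. `goto auth_failed; /* shared failure path, as in the other frontend auth handlers */`, assuming those line numbers do point at the sibling od_auth_frontend_* handlers. The goto also targets the label immediately following the if, so the branch is equivalent to falling through; keeping it for symmetry with the other handlers is defensible, but a reader will pause on it. The rest of od_auth_frontend_mdb_iamproxy, including the body under auth_failed, lies outside the hunk.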
diff --git a/sources/auth.c b/sources/auth.c index 09463482d..1f2ce19b9 100644 --- a/sources/auth.c +++ b/sources/auth.c @@ -667,6 +667,8 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) while (1) { msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { + od_error(&instance->logger, "auth", client, NULL, + "fuck that shit again"); od_error(&instance->logger, "auth", client, NULL, "read error: %s", od_io_error(&client->io)); return -1; @@ -696,13 +698,12 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) } /* start iam checking */ - int authenticate_result = - mdb_iamproxy_authenticate_user(client->startup.user.value, - client_token.password, instance, - client); + int authentication_result = + mdb_iamproxy_authenticate_user(client->startup.user.value, client_token.password, instance, client); + //int authentication_result = OK_RESPONSE; kiwi_password_free(&client_token); machine_msg_free(msg); - if (authenticate_result != OK_RESPONSE) { + if (authentication_result != OK_RESPONSE) { goto auth_failed; // refence at line 80, 100 and etc } return OK_RESPONSE; diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index fa5a55f29..a6402e9dc 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c @@ -6,6 +6,7 @@ */ #include +#include #include #include #include 
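Review bot: The first auth.c hunk adds a second od_error call that logs the literal `"fuck that shit again"` just before the real read-error message; this is leftover debugging that would land in the proxy's auth log and should be dropped. The second hunk leaves `//int authentication_result = OK_RESPONSE;` commented out next to the real call; a line that, if re-enabled, accepts every client without consulting the IAM proxy should not survive in an authentication path even as dead code, so delete it rather than keep it as a toggle. The same hunk also collapses the mdb_iamproxy_authenticate_user call onto a single long line that the series' own apply_fmt commits wrap at 80 columns elsewhere, so the next formatting pass will churn it. Both hunks sit inside od_auth_frontend_mdb_iamproxy, whose start and end are outside them.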
@@ -25,202 +26,198 @@ /*AUTHENTICATION TIMEOUT LIMIT*/ #define MDB_IAMPROXY_DEFAULT_HEADER_SIZE 8 #define MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS 1 +#define MDB_IAMPROXY_MAX_MSG_BODY_SIZE 1048576 // 1 Mb #define MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT 1000 -#define MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT 1000 +#define MDB_IAMPROXY_DEFAULT_RECEIVING_HEADER_TIMEOUT 4000 +#define MDB_IAMPROXY_DEFAULT_RECEIVING_BODY_TIMEOUT 1000 +#define MDB_IAMPROXY_DEFAULT_SENDING_TIMEOUT 1000 /*PAM SOCKET FILE*/ #define MDB_IAMPROXY_DEFAULT_SOCKET_FILE \ "/var/run/iam-auth-proxy/iam-auth-proxy.sock" // PAM SOCKET FILE place -int mdb_iamproxy_recv_from_socket(int socket_fd, char *msg_body) -{ - /*GET COMMON MSG INFO AND ALLOCATE RESOURCES*/ - uint8_t buffer[8]; - uint64_t body_size = 0; - uint64_t received = 0; - - /*RECEIVE HEADER*/ - while (received < MDB_IAMPROXY_DEFAULT_HEADER_SIZE) { - int rt = recv(socket_fd, buffer + received, - MDB_IAMPROXY_DEFAULT_HEADER_SIZE - received, 0); - if (rt < 0) { - return MDB_IAMPROXY_CONN_ERROR; - } - received += rt; - } - for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { - body_size |= (((uint64_t)buffer[i]) << (i * CHAR_BIT)); - } - - /*RECEIVE BODY*/ - received = 0; - while (received < body_size) { - int rt = recv(socket_fd, msg_body + received, - body_size - received, 0); - if (rt < 0) { - return MDB_IAMPROXY_CONN_ERROR; - } - received += rt; - } +void put_header(char dst[], uint64_t src) { + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { + dst[i] = (src & 0xFF); + src >>= CHAR_BIT; + } +} - return MDB_IAMPROXY_CONN_ACCEPTED; +void ftch_header(uint64_t *dst, char src[]) { + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { + (*dst) |= (((uint64_t)src[i]) << (i * CHAR_BIT)); + } } -int mdb_iamproxy_send_to_socket(int socket_fd, const char *send_msg) -{ - /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ - int32_t send_result = MDB_IAMPROXY_RES_OK; - uint64_t body_size = - strlen(send_msg) + - 1; // stores size of 
message (add one byte for 'c\0') - uint64_t current_body_size = body_size; - uint64_t msg_size = sizeof(body_size) + body_size; - uint64_t sent = 0; // stores byte-size of sended info - char *msg = calloc(msg_size, - sizeof(*msg)); // allocate memory for msg buffer - if (msg == NULL) { // error during allocating memory for msg buffer - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_end; - } +machine_msg_t *mdb_iamproxy_io_read(machine_io_t *io) { + machine_msg_t *header; + machine_msg_t *msg; + + uint64_t body_size = 0; + uint64_t received = 0; + + /* RECEIVE HEADER */ + header = machine_read(io, MDB_IAMPROXY_DEFAULT_HEADER_SIZE, MDB_IAMPROXY_DEFAULT_RECEIVING_HEADER_TIMEOUT); + if (header == NULL) { + return NULL; + } + ftch_header(&body_size, (char *)machine_msg_data(header)); + machine_msg_free(header); + + if (body_size > MDB_IAMPROXY_MAX_MSG_BODY_SIZE) { + return NULL; + } + msg = machine_read(io, body_size, MDB_IAMPROXY_DEFAULT_RECEIVING_BODY_TIMEOUT); + if (msg == NULL) { + return NULL; + } + + return msg; +} - /*COPY ALL DATA TO BUFFER FOR SENDING*/ - for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; - ++i) { // coping header to msg buffer - msg[i] = (current_body_size & 0xFF); - current_body_size >>= CHAR_BIT; - } - memcpy(msg + sizeof(body_size), send_msg, - body_size); // coping body to msg buffer - - /*SEND TO SOCKET*/ - while (sent < msg_size) { - int rt = send(socket_fd, msg + sent, msg_size - sent, 0); - if (rt < 0) { - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_start; - } - sent += rt; - } +int mdb_iamproxy_io_write(machine_io_t *io, machine_msg_t *msg) { + /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ + int32_t send_result = MDB_IAMPROXY_RES_OK; + uint64_t body_size = machine_msg_size(msg); // stores size of message (add one byte for 'c\0') + + /* PREPARE HEADER BUFFER */ + machine_msg_t *header = machine_msg_create(MDB_IAMPROXY_DEFAULT_HEADER_SIZE); + if (header == NULL) { + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_end; + } + 
put_header((char *)machine_msg_data(header), body_size); + + /*SEND HEADER TO SOCKET*/ + if (machine_write(io, header, MDB_IAMPROXY_DEFAULT_SENDING_TIMEOUT) < 0) { + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_end; + } + + /*SEND MSG TO SOCKET*/ + if (machine_write(io, msg, MDB_IAMPROXY_DEFAULT_SENDING_TIMEOUT) < 0) { + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_end; + } -free_start: - free(msg); free_end: - return send_result; + return send_result; } int mdb_iamproxy_authenticate_user(const char *username, const char *token, - od_instance_t *instance, od_client_t *client) -{ - char auth_status = - 0; // auth_status stores one byte if it's 0 => not authenticated - char external_user[512]; // store subject_id of authenticated client - int32_t authentication_result = - MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED) - int32_t correct_sending = - MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy - int32_t correct_recieving = - MDB_IAMPROXY_CONN_ACCEPTED; // store status of recieving data from iam-auth-proxy - int64_t socket_fd; // stores file descripotor for DEFAULT_SOCKET_FILE - int64_t poll_result = 1; // stores return value of poll() function - - /*SOCKET SETUP*/ - struct sockaddr_un - exchange_socket; // socket for interprocceses connection + od_instance_t *instance, od_client_t *client) { + int32_t authentication_result = MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED) + int32_t correct_sending = MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy + char *auth_status_char; + machine_msg_t *msg_username = NULL, + *msg_token = NULL, + *auth_status = NULL, + *external_user = NULL; + + /*SOCKET SETUP*/ + struct sockaddr *saddr; + struct sockaddr_un exchange_socket; // socket for interprocceses connection memset(&exchange_socket, 0, sizeof(exchange_socket)); exchange_socket.sun_family = AF_UNIX; - 
strcpy(exchange_socket.sun_path, MDB_IAMPROXY_DEFAULT_SOCKET_FILE); - - /*GET SOCKET FILE DESCRIPTOR*/ - socket_fd = - socket(AF_UNIX, SOCK_STREAM, 0); // get socket file descriptor - if (socket_fd < 0) { // error during getting socket file descriptor - authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_end; + saddr = (struct sockaddr *)&exchange_socket; + od_snprintf(exchange_socket.sun_path, sizeof(exchange_socket.sun_path), "%s", MDB_IAMPROXY_DEFAULT_SOCKET_FILE); + + /*SETUP IO*/ + machine_io_t *io; + io = machine_io_create(); + if (io == NULL) { + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_end; + } + + machine_set_nodelay(io, instance->config.nodelay); + if (instance->config.keepalive > 0) { + machine_set_keepalive(io, 1, instance->config.keepalive, + instance->config.keepalive_keep_interval, + instance->config.keepalive_probes, + instance->config.keepalive_usr_timeout); } - /*SET SOCKET FLAGS AND WRITE SOCKET_FD to fds*/ - fcntl(socket_fd, F_SETFL, - O_NONBLOCK); // set non block flag for connection - struct pollfd - fds; // stores info about socket_fd and it's (socket_fd) status - fds.fd = socket_fd; // set socket_value - fds.events = POLLOUT; // waiting for write - /*CONNECT TO SOCKET*/ - connect(socket_fd, (struct sockaddr *)&exchange_socket, - sizeof(exchange_socket)); - - /*WAIT FOR CONNECTION*/ - poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, - MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT); - if (poll_result == -1) { // error during connecting to socket - authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_start; - } else if (poll_result == 0) { // reach timeout shile waiting for socket - authentication_result = MDB_IAMPROXY_CONN_TIMEOUT; - goto free_start; - } + int rc = machine_connect(io, saddr, MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT); + if (rc == NOT_OK_RESPONSE) { + od_error(&instance->logger, "auth", client, NULL, + "failed to connect to %s", exchange_socket.sun_path); + authentication_result = 
MDB_IAMPROXY_CONN_ERROR; + goto free_end; + } /*COMMUNICATE WITH SOCKET*/ - correct_sending = mdb_iamproxy_send_to_socket( - socket_fd, username); // send USERNAME to socket - if (correct_sending != - MDB_IAMPROXY_RES_OK) { // error during sending data to socket + msg_username = machine_msg_create(0); + if (msg_username == NULL) { + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; + } + if (machine_msg_write(msg_username, username, strlen(username) + 1) < 0) { + od_error(&instance->logger, "auth", client, NULL, + "failed to send username to msg_token"); + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; + } + + msg_token = machine_msg_create(0); + if (msg_token == NULL) { + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; + } + if (machine_msg_write(msg_token, token, strlen(token) + 1) < 0) { + od_error(&instance->logger, "auth", client, NULL, + "failed to write token to msg_token"); + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; + } + + correct_sending = mdb_iamproxy_io_write(io, msg_username); // send USERNAME to socket + if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket + od_error(&instance->logger, "auth", client, NULL, + "failed to send username to iam-auth-proxy"); authentication_result = correct_sending; - goto free_start; + goto free_io; } - correct_sending = mdb_iamproxy_send_to_socket( - socket_fd, token); // send TOKEN to socket - if (correct_sending != - MDB_IAMPROXY_RES_OK) { // error during sending data to socket - authentication_result = correct_sending; - goto free_start; - } - - /*WAIT FOR IAM-PROXY RESPONSE*/ - fds.events = POLLIN; - poll_result = poll(&fds, MDB_IAMPROXY_DEFAULT_CNT_CONNECTIONS, - MDB_IAMPROXY_DEFAULT_RECEIVING_TIMEOUT); - if (poll_result == -1) { // error during waiting for reading from socket + correct_sending = mdb_iamproxy_io_write(io, msg_token); // send TOKEN to socket + if (correct_sending != MDB_IAMPROXY_RES_OK) { // 
error during sending data to socket authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_start; - } else if (poll_result == 0) { // reach timeout while waiting for socket - authentication_result = MDB_IAMPROXY_CONN_TIMEOUT; - goto free_start; + goto free_io; } /*COMMUNUCATE WITH SOCKET*/ - correct_recieving = mdb_iamproxy_recv_from_socket( - socket_fd, &auth_status); // recieve auth_status from socket - if (correct_recieving != - MDB_IAMPROXY_CONN_ACCEPTED) { // recieving is not completed successfully - authentication_result = correct_recieving; - goto free_start; + auth_status = mdb_iamproxy_io_read(io); // recieve auth_status from socket + if (auth_status == NULL) { // recieving is not completed successfully + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; } - if ((unsigned)auth_status) { + auth_status_char = (char *)machine_msg_data(auth_status); + if ((unsigned)auth_status_char[0]) { authentication_result = MDB_IAMPROXY_CONN_ACCEPTED; } else { authentication_result = MDB_IAMPROXY_CONN_DENIED; } - correct_recieving = mdb_iamproxy_recv_from_socket( - socket_fd, external_user); // recieve subject_id from socket - if (correct_recieving != - MDB_IAMPROXY_CONN_ACCEPTED) { // recieveing is not completed successfully - authentication_result = correct_recieving; - goto free_start; - } + external_user = mdb_iamproxy_io_read(io); // recieve subject_id from socket + if (external_user == NULL) { + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_auth_status; + } od_log(&instance->logger, "auth", client, NULL, "user '%s.%s' was authenticated with subject_id: %s", client->startup.database.value, client->startup.user.value, - external_user); + (char *)machine_msg_data(external_user)); /*FREE RESOURCES*/ -free_start: - close(socket_fd); +free_external_user: + machine_msg_free(external_user); +free_auth_status: + machine_msg_free(auth_status); +free_io: + machine_io_free(io); free_end: /*RETURN RESULT*/ return authentication_result; 
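Review bot: ftch_header widens `src[i]`, a plain char, straight to uint64_t, so on targets where char is signed any length byte of 0x80 or above sign-extends and ORs 0xFF… into the high bits of body_size; the MDB_IAMPROXY_MAX_MSG_BODY_SIZE check then rejects a legitimate reply whose length contains such a byte. Use `(*dst) |= ((uint64_t)(unsigned char)src[i]) << (i * CHAR_BIT);` and say in a comment that the caller must zero `*dst` first, since the OR relies on it. In mdb_iamproxy_authenticate_user the proxy's replies are trusted as well-formed: `auth_status_char[0]` is read without checking that machine_msg_size(auth_status) is at least 1, and the external_user body is passed to `%s` in od_log without checking that a NUL lies inside machine_msg_size(external_user), so an empty or truncated reply reads past the buffer — the checks below cover both. Smaller points: `received` in mdb_iamproxy_io_read is unused, `free_external_user:` is never targeted, the comment "(add one byte for 'c\0')" in mdb_iamproxy_io_write describes the old strlen-based code, and the token-send failure stores MDB_IAMPROXY_CONN_ERROR where the username-send failure propagates correct_sending. Whether machine_write takes ownership of header and msg on failure is not visible here; if it does not, the early `goto free_end` paths in mdb_iamproxy_io_write leak them.
```c
	/* … unchanged: connect, build and send msg_username / msg_token … */
	auth_status = mdb_iamproxy_io_read(io);
	if (auth_status == NULL) {
		authentication_result = MDB_IAMPROXY_CONN_ERROR;
		goto free_io;
	}
	if (machine_msg_size(auth_status) < 1) {
		/* empty status body is a protocol error, never "accepted" */
		authentication_result = MDB_IAMPROXY_CONN_ERROR;
		goto free_auth_status;
	}
	auth_status_char = (char *)machine_msg_data(auth_status);
	/* … unchanged: accept / deny decision … */
	external_user = mdb_iamproxy_io_read(io);
	if (external_user == NULL) {
		authentication_result = MDB_IAMPROXY_CONN_ERROR;
		goto free_auth_status;
	}
	{
		size_t ext_len = machine_msg_size(external_user);
		const char *ext = (const char *)machine_msg_data(external_user);
		if (ext_len < 1 || ext[ext_len - 1] != '\0') {
			/* the %s in od_log below needs a terminator inside the body */
			authentication_result = MDB_IAMPROXY_CONN_ERROR;
			goto free_external_user;
		}
	}
	/* … unchanged: od_log with subject_id, cleanup labels … */
```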
From fcf5272d74c0ad5f8e43f1d037750c8661a68fbc Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Tue, 30 Jan 2024 22:33:15 +0300 Subject: [PATCH 20/30] make apply_fmt --- sources/auth.c | 10 +- sources/mdb_iamproxy.c | 272 ++++++++++++++++++++++------------------- 2 files changed, 152 insertions(+), 130 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index 1f2ce19b9..669c3c24c 100644 --- a/sources/auth.c +++ b/sources/auth.c @@ -667,8 +667,8 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) while (1) { msg = od_read(&client->io, UINT32_MAX); if (msg == NULL) { - od_error(&instance->logger, "auth", client, NULL, - "fuck that shit again"); + od_error(&instance->logger, "auth", client, NULL, + "fuck that shit again"); od_error(&instance->logger, "auth", client, NULL, "read error: %s", od_io_error(&client->io)); return -1; @@ -699,8 +699,10 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) /* start iam checking */ int authentication_result = - mdb_iamproxy_authenticate_user(client->startup.user.value, client_token.password, instance, client); - //int authentication_result = OK_RESPONSE; + mdb_iamproxy_authenticate_user(client->startup.user.value, + client_token.password, instance, + client); + //int authentication_result = OK_RESPONSE; kiwi_password_free(&client_token); machine_msg_free(msg); if (authentication_result != OK_RESPONSE) { diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index a6402e9dc..139297e17 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c 
@@ -37,101 +37,113 @@ #define MDB_IAMPROXY_DEFAULT_SOCKET_FILE \ "/var/run/iam-auth-proxy/iam-auth-proxy.sock" // PAM SOCKET FILE place -void put_header(char dst[], uint64_t src) { - for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { - dst[i] = (src & 0xFF); - src >>= CHAR_BIT; - } +void put_header(char dst[], uint64_t src) +{ + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { + dst[i] = (src & 0xFF); + src >>= CHAR_BIT; + } } -void ftch_header(uint64_t *dst, char src[]) { - for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { - (*dst) |= (((uint64_t)src[i]) << (i * CHAR_BIT)); - } +void ftch_header(uint64_t *dst, char src[]) +{ + for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { + (*dst) |= (((uint64_t)src[i]) << (i * CHAR_BIT)); + } } -machine_msg_t *mdb_iamproxy_io_read(machine_io_t *io) { - machine_msg_t *header; - machine_msg_t *msg; - - uint64_t body_size = 0; - uint64_t received = 0; - - /* RECEIVE HEADER */ - header = machine_read(io, MDB_IAMPROXY_DEFAULT_HEADER_SIZE, MDB_IAMPROXY_DEFAULT_RECEIVING_HEADER_TIMEOUT); - if (header == NULL) { - return NULL; - } - ftch_header(&body_size, (char *)machine_msg_data(header)); - machine_msg_free(header); - - if (body_size > MDB_IAMPROXY_MAX_MSG_BODY_SIZE) { - return NULL; - } - msg = machine_read(io, body_size, MDB_IAMPROXY_DEFAULT_RECEIVING_BODY_TIMEOUT); - if (msg == NULL) { - return NULL; - } - - return msg; +machine_msg_t *mdb_iamproxy_io_read(machine_io_t *io) +{ + machine_msg_t *header; + machine_msg_t *msg; + + uint64_t body_size = 0; + uint64_t received = 0; + + /* RECEIVE HEADER */ + header = machine_read(io, MDB_IAMPROXY_DEFAULT_HEADER_SIZE, + MDB_IAMPROXY_DEFAULT_RECEIVING_HEADER_TIMEOUT); + if (header == NULL) { + return NULL; + } + ftch_header(&body_size, (char *)machine_msg_data(header)); + machine_msg_free(header); + + if (body_size > MDB_IAMPROXY_MAX_MSG_BODY_SIZE) { + return NULL; + } + msg = machine_read(io, body_size, + 
MDB_IAMPROXY_DEFAULT_RECEIVING_BODY_TIMEOUT); + if (msg == NULL) { + return NULL; + } + + return msg; } -int mdb_iamproxy_io_write(machine_io_t *io, machine_msg_t *msg) { - /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ - int32_t send_result = MDB_IAMPROXY_RES_OK; - uint64_t body_size = machine_msg_size(msg); // stores size of message (add one byte for 'c\0') - - /* PREPARE HEADER BUFFER */ - machine_msg_t *header = machine_msg_create(MDB_IAMPROXY_DEFAULT_HEADER_SIZE); - if (header == NULL) { - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_end; - } - put_header((char *)machine_msg_data(header), body_size); - - /*SEND HEADER TO SOCKET*/ - if (machine_write(io, header, MDB_IAMPROXY_DEFAULT_SENDING_TIMEOUT) < 0) { - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_end; - } - - /*SEND MSG TO SOCKET*/ - if (machine_write(io, msg, MDB_IAMPROXY_DEFAULT_SENDING_TIMEOUT) < 0) { - send_result = MDB_IAMPROXY_RES_ERROR; - goto free_end; - } +int mdb_iamproxy_io_write(machine_io_t *io, machine_msg_t *msg) +{ + /*GET COMMON MSG INFO AND ALLOCATE BUFFER*/ + int32_t send_result = MDB_IAMPROXY_RES_OK; + uint64_t body_size = machine_msg_size( + msg); // stores size of message (add one byte for 'c\0') + + /* PREPARE HEADER BUFFER */ + machine_msg_t *header = + machine_msg_create(MDB_IAMPROXY_DEFAULT_HEADER_SIZE); + if (header == NULL) { + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_end; + } + put_header((char *)machine_msg_data(header), body_size); + + /*SEND HEADER TO SOCKET*/ + if (machine_write(io, header, MDB_IAMPROXY_DEFAULT_SENDING_TIMEOUT) < + 0) { + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_end; + } + + /*SEND MSG TO SOCKET*/ + if (machine_write(io, msg, MDB_IAMPROXY_DEFAULT_SENDING_TIMEOUT) < 0) { + send_result = MDB_IAMPROXY_RES_ERROR; + goto free_end; + } free_end: - return send_result; + return send_result; } int mdb_iamproxy_authenticate_user(const char *username, const char *token, - od_instance_t *instance, od_client_t *client) { - int32_t 
authentication_result = MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED) - int32_t correct_sending = MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy - char *auth_status_char; - machine_msg_t *msg_username = NULL, - *msg_token = NULL, - *auth_status = NULL, - *external_user = NULL; - - /*SOCKET SETUP*/ - struct sockaddr *saddr; - struct sockaddr_un exchange_socket; // socket for interprocceses connection + od_instance_t *instance, od_client_t *client) +{ + int32_t authentication_result = + MDB_IAMPROXY_CONN_DENIED; // stores authenticate status for user (default value: CONN_DENIED) + int32_t correct_sending = + MDB_IAMPROXY_CONN_ACCEPTED; // stores stutus of sending data to iam-auth-proxy + char *auth_status_char; + machine_msg_t *msg_username = NULL, *msg_token = NULL, + *auth_status = NULL, *external_user = NULL; + + /*SOCKET SETUP*/ + struct sockaddr *saddr; + struct sockaddr_un + exchange_socket; // socket for interprocceses connection memset(&exchange_socket, 0, sizeof(exchange_socket)); exchange_socket.sun_family = AF_UNIX; - saddr = (struct sockaddr *)&exchange_socket; - od_snprintf(exchange_socket.sun_path, sizeof(exchange_socket.sun_path), "%s", MDB_IAMPROXY_DEFAULT_SOCKET_FILE); + saddr = (struct sockaddr *)&exchange_socket; + od_snprintf(exchange_socket.sun_path, sizeof(exchange_socket.sun_path), + "%s", MDB_IAMPROXY_DEFAULT_SOCKET_FILE); - /*SETUP IO*/ - machine_io_t *io; + /*SETUP IO*/ + machine_io_t *io; io = machine_io_create(); - if (io == NULL) { - authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_end; - } + if (io == NULL) { + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_end; + } - machine_set_nodelay(io, instance->config.nodelay); + machine_set_nodelay(io, instance->config.nodelay); if (instance->config.keepalive > 0) { machine_set_keepalive(io, 1, instance->config.keepalive, instance->config.keepalive_keep_interval, 
@@ -140,71 +152,79 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, } /*CONNECT TO SOCKET*/ - int rc = machine_connect(io, saddr, MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT); - if (rc == NOT_OK_RESPONSE) { - od_error(&instance->logger, "auth", client, NULL, - "failed to connect to %s", exchange_socket.sun_path); - authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_end; - } + int rc = machine_connect(io, saddr, + MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT); + if (rc == NOT_OK_RESPONSE) { + od_error(&instance->logger, "auth", client, NULL, + "failed to connect to %s", exchange_socket.sun_path); + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_end; + } /*COMMUNICATE WITH SOCKET*/ - msg_username = machine_msg_create(0); - if (msg_username == NULL) { - authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_io; - } - if (machine_msg_write(msg_username, username, strlen(username) + 1) < 0) { - od_error(&instance->logger, "auth", client, NULL, - "failed to send username to msg_token"); - authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_io; - } - - msg_token = machine_msg_create(0); - if (msg_token == NULL) { - authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_io; - } - if (machine_msg_write(msg_token, token, strlen(token) + 1) < 0) { - od_error(&instance->logger, "auth", client, NULL, - "failed to write token to msg_token"); - authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_io; - } - - correct_sending = mdb_iamproxy_io_write(io, msg_username); // send USERNAME to socket - if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket - od_error(&instance->logger, "auth", client, NULL, - "failed to send username to iam-auth-proxy"); + msg_username = machine_msg_create(0); + if (msg_username == NULL) { + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; + } + if (machine_msg_write(msg_username, username, strlen(username) + 1) < + 0) { + 
od_error(&instance->logger, "auth", client, NULL, + "failed to send username to msg_token"); + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; + } + + msg_token = machine_msg_create(0); + if (msg_token == NULL) { + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; + } + if (machine_msg_write(msg_token, token, strlen(token) + 1) < 0) { + od_error(&instance->logger, "auth", client, NULL, + "failed to write token to msg_token"); + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_io; + } + + correct_sending = mdb_iamproxy_io_write( + io, msg_username); // send USERNAME to socket + if (correct_sending != + MDB_IAMPROXY_RES_OK) { // error during sending data to socket + od_error(&instance->logger, "auth", client, NULL, + "failed to send username to iam-auth-proxy"); authentication_result = correct_sending; goto free_io; } - correct_sending = mdb_iamproxy_io_write(io, msg_token); // send TOKEN to socket - if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket + correct_sending = + mdb_iamproxy_io_write(io, msg_token); // send TOKEN to socket + if (correct_sending != + MDB_IAMPROXY_RES_OK) { // error during sending data to socket authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_io; } /*COMMUNUCATE WITH SOCKET*/ - auth_status = mdb_iamproxy_io_read(io); // recieve auth_status from socket + auth_status = + mdb_iamproxy_io_read(io); // recieve auth_status from socket if (auth_status == NULL) { // recieving is not completed successfully authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_io; } - auth_status_char = (char *)machine_msg_data(auth_status); + auth_status_char = (char *)machine_msg_data(auth_status); if ((unsigned)auth_status_char[0]) { authentication_result = MDB_IAMPROXY_CONN_ACCEPTED; } else { authentication_result = MDB_IAMPROXY_CONN_DENIED; } - external_user = mdb_iamproxy_io_read(io); // recieve subject_id from socket - if (external_user == NULL) { - 
authentication_result = MDB_IAMPROXY_CONN_ERROR; - goto free_auth_status; - } + external_user = + mdb_iamproxy_io_read(io); // recieve subject_id from socket + if (external_user == NULL) { + authentication_result = MDB_IAMPROXY_CONN_ERROR; + goto free_auth_status; + } od_log(&instance->logger, "auth", client, NULL, "user '%s.%s' was authenticated with subject_id: %s", @@ -213,11 +233,11 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, /*FREE RESOURCES*/ free_external_user: - machine_msg_free(external_user); + machine_msg_free(external_user); free_auth_status: - machine_msg_free(auth_status); + machine_msg_free(auth_status); free_io: - machine_io_free(io); + machine_io_free(io); free_end: /*RETURN RESULT*/ return authentication_result; From 56f05476b05f9ce21048caf8486c928629f8d12c Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Wed, 31 Jan 2024 10:04:53 +0300 Subject: [PATCH 21/30] add more logging --- sources/mdb_iamproxy.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 139297e17..876b3c269 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c 
@@ -164,19 +164,23 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, /*COMMUNICATE WITH SOCKET*/ msg_username = machine_msg_create(0); if (msg_username == NULL) { + od_error(&instance->logger, "auth", client, NULL, + "failed to allocate msg_username"); authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_io; } if (machine_msg_write(msg_username, username, strlen(username) + 1) < 0) { od_error(&instance->logger, "auth", client, NULL, - "failed to send username to msg_token"); + "failed to send username to msg_username"); authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_io; } msg_token = machine_msg_create(0); if (msg_token == NULL) { + od_error(&instance->logger, "auth", client, NULL, + "failed to allocate msg_token"); authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_io; } @@ -200,6 +204,8 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, mdb_iamproxy_io_write(io, msg_token); // send TOKEN to socket if (correct_sending != MDB_IAMPROXY_RES_OK) { // error during sending data to socket + od_error(&instance->logger, "auth", client, NULL, + "failed to send token to iam-auth-proxy"); authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_io; } @@ -208,6 +214,8 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, auth_status = mdb_iamproxy_io_read(io); // recieve auth_status from socket if (auth_status == NULL) { // recieving is not completed successfully + od_error(&instance->logger, "auth", client, NULL, + "failed to receive auth_status from iam-auth-proxy"); authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_io; } 
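Review bot: The corrected message `"failed to send username to msg_username"` still says "send" for what is a machine_msg_write into a local buffer, while the parallel token path logs `"failed to write token to msg_token"`; `"failed to write username to msg_username"` keeps the two consistent and stops a reader hunting for a socket error. The allocation and receive-failure logs added in the other hunks of this patch are fine, and none of them include the token value, which is the right choice for an auth log.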
@@ -222,6 +230,8 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, external_user = mdb_iamproxy_io_read(io); // recieve subject_id from socket if (external_user == NULL) { + od_error(&instance->logger, "auth", client, NULL, + "failed to receive external_user from iam-auth-proxy"); authentication_result = MDB_IAMPROXY_CONN_ERROR; goto free_auth_status; } From d4a9a18ad5320888269910c7df001c8899c349ab Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Thu, 1 Feb 2024 14:38:30 +0300 Subject: [PATCH 22/30] naming fix --- sources/mdb_iamproxy.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 876b3c269..7bd08cb4d 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c @@ -45,7 +45,7 @@ void put_header(char dst[], uint64_t src) } } -void ftch_header(uint64_t *dst, char src[]) +void fetch_header(uint64_t *dst, char src[]) { for (int i = 0; i < MDB_IAMPROXY_DEFAULT_HEADER_SIZE; ++i) { (*dst) |= (((uint64_t)src[i]) << (i * CHAR_BIT)); @@ -66,7 +66,7 @@ machine_msg_t *mdb_iamproxy_io_read(machine_io_t *io) if (header == NULL) { return NULL; } - ftch_header(&body_size, (char *)machine_msg_data(header)); + fetch_header(&body_size, (char *)machine_msg_data(header)); machine_msg_free(header); if (body_size > MDB_IAMPROXY_MAX_MSG_BODY_SIZE) { From aa37f9b87760819c6b3075d8b2ca9a69a57793c2 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Thu, 1 Feb 2024 15:16:16 +0300 Subject: [PATCH 23/30] fix issues --- sources/auth.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sources/auth.c b/sources/auth.c index 669c3c24c..fd0504789 100644 --- a/sources/auth.c +++ b/sources/auth.c 
@@ -667,8 +667,6 @@ static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client)
 while (1) {
 msg = od_read(&client->io, UINT32_MAX);
 if (msg == NULL) {
- od_error(&instance->logger, "auth", client, NULL,
- "fuck that shit again");
 od_error(&instance->logger, "auth", client, NULL,
 "read error: %s", od_io_error(&client->io));
 return -1;
From cdb01dab3378475dc3971786794ab45d8d6f8541 Mon Sep 17 00:00:00 2001
From: Andrey Ovchinnikov
Date: Thu, 1 Feb 2024 21:50:25 +0300
Subject: [PATCH 24/30] rewrite auth.c and add new rules
---
 sources/auth.c | 88 ++++++-----------------------------------
 sources/config_reader.c | 24 +++++++++++
 sources/rules.c | 4 +-
 sources/rules.h | 6 ++-
 4 files changed, 43 insertions(+), 79 deletions(-)
diff --git a/sources/auth.c b/sources/auth.c
index fd0504789..c4675a992 100644
--- a/sources/auth.c
+++ b/sources/auth.c
@@ -67,6 +67,19 @@ static inline int od_auth_frontend_cleartext(od_client_t *client)
 od_extention_t *extentions = client->global->extentions;
+ /* support mdb_iamproxy authentication */
+ if (client->rule->enable_mdb_iamproxy_auth) {
+ int authentication_result = mdb_iamproxy_authenticate_user(
+ client->startup.user.value, client_token.password,
+ instance, client);
+ kiwi_password_free(&client_token);
+ machine_msg_free(msg);
+ if (authentication_result != OK_RESPONSE) {
+ goto auth_failed; // refence at line 80, 100 and etc
+ }
+ return OK_RESPONSE;
+ }
+
 #ifdef LDAP_FOUND
 if (client->rule->ldap_endpoint_name) {
 od_debug(&instance->logger, "auth", client, NULL,
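Review bot: The new `mdb_iamproxy_socket_path` rule option is never handed to mdb_iamproxy_authenticate_user — the call still passes only (username, token, instance, client), and as of the mdb_iamproxy.c hunks earlier in this series the helper connects to the compile-time MDB_IAMPROXY_DEFAULT_SOCKET_FILE — so the setting parsed in config_reader.c is accepted but has no effect. Either extend the helper to take `client->rule->mdb_iamproxy_socket_path` or drop the option until it is wired through. As in the earlier variant, every non-OK code (connection error, timeout) falls into auth_failed and is reported as "incorrect password", and the `// refence at line 80, 100 and etc` comment carries over with its typo. The block assumes client_token and msg are already populated at this point of od_auth_frontend_cleartext, which starts and ends outside the hunk.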
@@ -646,76 +659,6 @@ static inline int od_auth_frontend_cert(od_client_t *client) return -1; } -static inline int od_auth_frontend_mdb_iamproxy(od_client_t *client) -{ - od_instance_t *instance = client->global->instance; - od_route_t *route = client->route; - - machine_msg_t *msg; - msg = kiwi_be_write_authentication_clear_text(NULL); - if (msg == NULL) - return -1; - int rc; - rc = od_write(&client->io, msg); - if (rc == -1) { - od_error(&instance->logger, "auth", client, NULL, - "write error: %s", od_io_error(&client->io)); - return -1; - } - - /* wait for password response */ - while (1) { - msg = od_read(&client->io, UINT32_MAX); - if (msg == NULL) { - od_error(&instance->logger, "auth", client, NULL, - "read error: %s", od_io_error(&client->io)); - return -1; - } - kiwi_fe_type_t type = *(char *)machine_msg_data(msg); - od_debug(&instance->logger, "auth", client, NULL, "%s", - kiwi_fe_type_to_string(type)); - if (type == KIWI_FE_PASSWORD_MESSAGE) - break; - machine_msg_free(msg); - } - - /* read password message */ - kiwi_password_t client_token; - kiwi_password_init(&client_token); - - rc = kiwi_be_read_password(machine_msg_data(msg), machine_msg_size(msg), - &client_token); - if (rc == -1) { - od_error(&instance->logger, "auth", client, NULL, - "password read error"); - od_frontend_error(client, KIWI_PROTOCOL_VIOLATION, - "bad password message"); - kiwi_password_free(&client_token); - machine_msg_free(msg); - return -1; - } - - /* start iam checking */ - int authentication_result = - mdb_iamproxy_authenticate_user(client->startup.user.value, - client_token.password, instance, - client); - //int authentication_result = OK_RESPONSE; - kiwi_password_free(&client_token); - machine_msg_free(msg); - if (authentication_result != OK_RESPONSE) { - goto auth_failed; // refence at line 80, 100 and etc - } - return OK_RESPONSE; - -auth_failed: - od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' incorrect password", - client->startup.database.value, 
client->startup.user.value); - od_frontend_error(client, KIWI_INVALID_PASSWORD, "incorrect password"); - return NOT_OK_RESPONSE; -} - static inline int od_auth_frontend_block(od_client_t *client) { od_instance_t *instance = client->global->instance; @@ -766,11 +709,6 @@ int od_auth_frontend(od_client_t *client) return -1; case OD_RULE_AUTH_NONE: break; - case OD_RULE_AUTH_MDB_IAMPROXY: - rc = od_auth_frontend_mdb_iamproxy(client); - if (rc == -1) - return -1; - break; default: assert(0); break; diff --git a/sources/config_reader.c b/sources/config_reader.c index 997d5e220..f5066ac1c 100644 --- a/sources/config_reader.c +++ b/sources/config_reader.c @@ -115,6 +115,8 @@ typedef enum { OD_LAUTH_QUERY_USER, OD_LAUTH_LDAP_SERVICE, OD_LAUTH_PASSWORD_PASSTHROUGH, + OD_LAUTH_MDB_IAMPROXY_ENABLE, + OD_LAUTH_MDB_IAMPROXY_SOCKET_PATH, OD_LQUANTILES, OD_LMODULE, OD_LLDAP_ENDPOINT, @@ -275,6 +277,9 @@ static od_keyword_t od_config_keywords[] = { od_keyword("password_passthrough", OD_LAUTH_PASSWORD_PASSTHROUGH), od_keyword("load_module", OD_LMODULE), od_keyword("hba_file", OD_LHBA_FILE), + od_keyword("enable_mdb_iamproxy_auth", OD_LAUTH_MDB_IAMPROXY_ENABLE), + od_keyword("mdb_iamproxy_socket_path", + OD_LAUTH_MDB_IAMPROXY_SOCKET_PATH), /* ldap */ od_keyword("ldap_endpoint", OD_LLDAP_ENDPOINT), @@ -1205,6 +1210,7 @@ static int od_config_reader_rule_settings(od_config_reader_t *reader, od_extention_t *extentions, od_storage_watchdog_t *watchdog) { + rule->mdb_iamproxy_socket_path = NULL; for (;;) { od_token_t token; int rc; 
@@ -1293,6 +1299,24 @@ static int od_config_reader_rule_settings(od_config_reader_t *reader, &rule->auth_module)) return NOT_OK_RESPONSE; break; + /* mdb_iamproxy authentication */ + case OD_LAUTH_MDB_IAMPROXY_ENABLE: { + if (!od_config_reader_yes_no( + reader, &rule->enable_mdb_iamproxy_auth)) + return NOT_OK_RESPONSE; + if (rule->mdb_iamproxy_socket_path == NULL) + rule->mdb_iamproxy_socket_path = + "/var/run/iam-auth-proxy/iam-auth-proxy.sock"; + break; + } + case OD_LAUTH_MDB_IAMPROXY_SOCKET_PATH: { + if (rule->mdb_iamproxy_socket_path != NULL) + free(rule->mdb_iamproxy_socket_path); + if (!od_config_reader_string( + reader, &rule->mdb_iamproxy_socket_path)) + return NOT_OK_RESPONSE; + break; + } #ifdef PAM_FOUND /* auth_pam_service */ case OD_LAUTH_PAM_SERVICE: diff --git a/sources/rules.c b/sources/rules.c index 9a6adc52e..45090137a 100644 --- a/sources/rules.c +++ b/sources/rules.c @@ -200,6 +200,8 @@ void od_rules_rule_free(od_rule_t *rule) free(rule->storage_password); if (rule->pool) od_rule_pool_free(rule->pool); + if (rule->mdb_iamproxy_socket_path) + free(rule->mdb_iamproxy_socket_path); od_list_t *i, *n; od_list_foreach_safe(&rule->auth_common_names, i, n) @@ -1096,8 +1098,6 @@ int od_rules_validate(od_rules_t *rules, od_config_t *config, } } else if (strcmp(rule->auth, "cert") == 0) { rule->auth_mode = OD_RULE_AUTH_CERT; - } else if (strcmp(rule->auth, "mdb-iamproxy") == 0) { - rule->auth_mode = OD_RULE_AUTH_MDB_IAMPROXY; } else { od_error( logger, "rules", NULL, NULL, diff --git a/sources/rules.h b/sources/rules.h index 7c18cc0fc..7095c0c1e 100644 --- a/sources/rules.h +++ b/sources/rules.h @@ -18,8 +18,7 @@ typedef enum { OD_RULE_AUTH_CLEAR_TEXT, OD_RULE_AUTH_MD5, OD_RULE_AUTH_SCRAM_SHA_256, - OD_RULE_AUTH_CERT, - OD_RULE_AUTH_MDB_IAMPROXY + OD_RULE_AUTH_CERT } od_rule_auth_type_t; struct od_rule_auth { 
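Review bot: The default socket path assigned in the `OD_LAUTH_MDB_IAMPROXY_ENABLE` case is a string literal, yet `mdb_iamproxy_socket_path` is treated as heap-owned: the `OD_LAUTH_MDB_IAMPROXY_SOCKET_PATH` case frees it when non-NULL, and so does the `od_rules_rule_free` hunk in rules.c below. A rule that lists `enable_mdb_iamproxy_auth` before `mdb_iamproxy_socket_path`, or any rule that keeps the default, ends with `free()` on a literal, which is undefined behaviour. Duplicate the default instead, `rule->mdb_iamproxy_socket_path = strdup("/var/run/iam-auth-proxy/iam-auth-proxy.sock");`, and treat a NULL result as a parse failure. In the socket-path case, follow `free(rule->mdb_iamproxy_socket_path);` with `rule->mdb_iamproxy_socket_path = NULL;` so that a failed `od_config_reader_string`, if it leaves the output untouched, does not hand a dangling pointer to od_rules_rule_free. The enclosing switch and function continue outside the hunk.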
@@ -80,6 +79,9 @@ struct od_rule { od_list_t auth_common_names; int auth_common_names_count; + int enable_mdb_iamproxy_auth; + char *mdb_iamproxy_socket_path; + #ifdef PAM_FOUND /* PAM parametrs */ char *auth_pam_service; From 8797fbc66d271d0c781a82274baf923a600d8b57 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Thu, 1 Feb 2024 23:56:00 +0300 Subject: [PATCH 25/30] fix issues; add new field in od_client_t; remove no_delay and keep_alive for socket --- sources/client.h | 6 ++++++ sources/mdb_iamproxy.c | 14 ++++---------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/sources/client.h b/sources/client.h index 19ec4ed1f..e761cc479 100644 --- a/sources/client.h +++ b/sources/client.h @@ -72,6 +72,9 @@ struct od_client { int ldap_storage_password_len; char *ldap_auth_dn; #endif + + /* external username for logging additional info*/ + char *external_username; }; static const size_t OD_CLIENT_DEFAULT_HASHMAP_SZ = 420; @@ -108,6 +111,7 @@ static inline void od_client_init(od_client_t *client) client->ldap_storage_password_len = 0; client->ldap_auth_dn = NULL; #endif + client->external_username = NULL; kiwi_be_startup_init(&client->startup); kiwi_vars_init(&client->vars); @@ -140,6 +144,8 @@ static inline void od_client_free(od_client_t *client) od_io_free(&client->io); if (client->cond) machine_cond_free(client->cond); + if (client->external_username) + free(client->external_username); /* clear password if saved any */ kiwi_password_free(&client->password); kiwi_password_free(&client->received_password); diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 7bd08cb4d..45808e814 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c 
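Review bot: The two new od_rule fields carry no comment, unlike the PAM field group right after them, and the ownership of `mdb_iamproxy_socket_path` is exactly what its users get wrong elsewhere in this series. Document it at the declaration: `/* mdb-iamproxy: heap-owned, freed in od_rules_rule_free */` above `char *mdb_iamproxy_socket_path;` and `/* yes/no flag from enable_mdb_iamproxy_auth */` above `int enable_mdb_iamproxy_auth;`. The struct continues outside the hunk.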
@@ -143,14 +143,6 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, goto free_end; } - machine_set_nodelay(io, instance->config.nodelay); - if (instance->config.keepalive > 0) { - machine_set_keepalive(io, 1, instance->config.keepalive, - instance->config.keepalive_keep_interval, - instance->config.keepalive_probes, - instance->config.keepalive_usr_timeout); - } - /*CONNECT TO SOCKET*/ int rc = machine_connect(io, saddr, MDB_IAMPROXY_DEFAULT_CONNECTION_TIMEOUT); @@ -236,10 +228,12 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, goto free_auth_status; } - od_log(&instance->logger, "auth", client, NULL, + client->external_username = calloc(machine_msg_size(external_user), sizeof(*(client->external_username))); + memcpy(client->external_username, (char *)machine_msg_data(external_user), machine_msg_size(external_user)); + od_log(&instance->logger, "auth", client, NULL, "user '%s.%s' was authenticated with subject_id: %s", client->startup.database.value, client->startup.user.value, - (char *)machine_msg_data(external_user)); + client->external_username); /*FREE RESOURCES*/ free_external_user: From 4c524482fe31ab01f604161ead264ad2f2660576 Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Thu, 1 Feb 2024 23:57:27 +0300 Subject: [PATCH 26/30] make apply_fmt --- sources/client.h | 10 +++++----- sources/mdb_iamproxy.c | 10 +++++++--- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/sources/client.h b/sources/client.h index e761cc479..15b378c7d 100644 --- a/sources/client.h +++ b/sources/client.h @@ -73,8 +73,8 @@ struct od_client { char *ldap_auth_dn; #endif - /* external username for logging additional info*/ - char *external_username; + /* external username for logging additional info*/ + char *external_username; }; static const size_t OD_CLIENT_DEFAULT_HASHMAP_SZ = 420; 
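Review bot: The `calloc` result on the first new line is passed to `memcpy` without a NULL check, and the copy is exactly `machine_msg_size(external_user)` bytes, so the `%s` in the od_log call below is only safe if the proxy's reply already carries a terminating NUL — that is not visible here and should not be assumed for bytes received over the socket. Allocate one byte more, terminate explicitly, and bail out on allocation failure the way the function's other failure paths do. The same shape returns in patch 28's mdb_iamproxy.c hunk as `client->external_id` (with `malloc` instead of `calloc`), which is the version that survives the series and feeds the logger's `%x` formatter. The function continues outside the hunk.
```c
	size_t external_len = machine_msg_size(external_user);
	client->external_username = malloc(external_len + 1);
	if (client->external_username == NULL) {
		/* TODO(review): set the failure status this function reports elsewhere */
		goto free_external_user;
	}
	memcpy(client->external_username, machine_msg_data(external_user),
	       external_len);
	client->external_username[external_len] = '\0';
	/* … unchanged: od_log call … */
```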
@@ -111,7 +111,7 @@ static inline void od_client_init(od_client_t *client) client->ldap_storage_password_len = 0; client->ldap_auth_dn = NULL; #endif - client->external_username = NULL; + client->external_username = NULL; kiwi_be_startup_init(&client->startup); kiwi_vars_init(&client->vars); @@ -144,8 +144,8 @@ static inline void od_client_free(od_client_t *client) od_io_free(&client->io); if (client->cond) machine_cond_free(client->cond); - if (client->external_username) - free(client->external_username); + if (client->external_username) + free(client->external_username); /* clear password if saved any */ kiwi_password_free(&client->password); kiwi_password_free(&client->received_password); diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 45808e814..45f1e519d 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c @@ -228,9 +228,13 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, goto free_auth_status; } - client->external_username = calloc(machine_msg_size(external_user), sizeof(*(client->external_username))); - memcpy(client->external_username, (char *)machine_msg_data(external_user), machine_msg_size(external_user)); - od_log(&instance->logger, "auth", client, NULL, + client->external_username = + calloc(machine_msg_size(external_user), + sizeof(*(client->external_username))); + memcpy(client->external_username, + (char *)machine_msg_data(external_user), + machine_msg_size(external_user)); + od_log(&instance->logger, "auth", client, NULL, "user '%s.%s' was authenticated with subject_id: %s", client->startup.database.value, client->startup.user.value, client->external_username); From 633b74ecfaa38bbeb776bf3cf17cf881a150f4df Mon Sep 17 00:00:00 2001 
From: Andrey Ovchinnikov Date: Fri, 2 Feb 2024 00:20:21 +0300 Subject: [PATCH 27/30] remove external_username field from od_client_t; and add more fileds in od_log at the end of mdb_iamproxy_authenticate_user --- sources/client.h | 6 ------ sources/mdb_iamproxy.c | 10 ++-------- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/sources/client.h b/sources/client.h index 15b378c7d..19ec4ed1f 100644 --- a/sources/client.h +++ b/sources/client.h @@ -72,9 +72,6 @@ struct od_client { int ldap_storage_password_len; char *ldap_auth_dn; #endif - - /* external username for logging additional info*/ - char *external_username; }; static const size_t OD_CLIENT_DEFAULT_HASHMAP_SZ = 420; @@ -111,7 +108,6 @@ static inline void od_client_init(od_client_t *client) client->ldap_storage_password_len = 0; client->ldap_auth_dn = NULL; #endif - client->external_username = NULL; kiwi_be_startup_init(&client->startup); kiwi_vars_init(&client->vars); @@ -144,8 +140,6 @@ static inline void od_client_free(od_client_t *client) od_io_free(&client->io); if (client->cond) machine_cond_free(client->cond); - if (client->external_username) - free(client->external_username); /* clear password if saved any */ kiwi_password_free(&client->password); kiwi_password_free(&client->received_password); diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index 45f1e519d..b73b20ac9 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c 
@@ -228,16 +228,10 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, goto free_auth_status; } - client->external_username = - calloc(machine_msg_size(external_user), - sizeof(*(client->external_username))); - memcpy(client->external_username, - (char *)machine_msg_data(external_user), - machine_msg_size(external_user)); od_log(&instance->logger, "auth", client, NULL, - "user '%s.%s' was authenticated with subject_id: %s", + "user '%s.%s', with client_id: %s was authenticated by iam with subject_id: %s", client->startup.database.value, client->startup.user.value, - client->external_username); + client->id.id, (char *)machine_msg_data(external_user)); /*FREE RESOURCES*/ free_external_user: From 5264358852dc899fed98985c5365e87f393c4d1e Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 2 Feb 2024 13:50:55 +0300 Subject: [PATCH 28/30] add logging subject_id --- sources/client.h | 7 +++++++ sources/frontend.c | 2 +- sources/logger.c | 11 +++++++++++ sources/mdb_iamproxy.c | 6 +++++- 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/sources/client.h b/sources/client.h index 19ec4ed1f..68e49b2b2 100644 --- a/sources/client.h +++ b/sources/client.h @@ -72,6 +72,9 @@ struct od_client { int ldap_storage_password_len; char *ldap_auth_dn; #endif + + /* external_id for logging additional ifno about client */ + char *external_id; }; static const size_t OD_CLIENT_DEFAULT_HASHMAP_SZ = 420; @@ -108,6 +111,7 @@ static inline void od_client_init(od_client_t *client) client->ldap_storage_password_len = 0; client->ldap_auth_dn = NULL; #endif + client->external_id = NULL; kiwi_be_startup_init(&client->startup); kiwi_vars_init(&client->vars); @@ -146,6 +150,9 @@ static inline void od_client_free(od_client_t *client) if (client->prep_stmt_ids) { od_hashmap_free(client->prep_stmt_ids); } + if (client->external_id) { + free(client->external_id); + } free(client); } 
diff --git a/sources/frontend.c b/sources/frontend.c index 40195c61f..67e74609c 100644 --- a/sources/frontend.c +++ b/sources/frontend.c @@ -2338,4 +2338,4 @@ void od_frontend(void *arg) od_router_unroute(router, client); /* close frontend connection */ od_frontend_close(client); -} \ No newline at end of file +} diff --git a/sources/logger.c b/sources/logger.c index 1b5cbda98..6f0a9bf94 100644 --- a/sources/logger.c +++ b/sources/logger.c @@ -215,6 +215,17 @@ od_logger_format(od_logger_t *logger, od_logger_level_t level, char *context, if (od_unlikely(format_pos == format_end)) break; switch (*format_pos) { + /* external_id */ + case 'x': { + if (client && client->external_id != NULL) { + len = od_snprintf(dst_pos, + dst_end - dst_pos, + "(subject_id: %s)", + client->external_id); + dst_pos += len; + break; + } + } /* unixtime */ case 'n': { time_t tm = time(NULL); diff --git a/sources/mdb_iamproxy.c b/sources/mdb_iamproxy.c index b73b20ac9..acbb1b7b7 100644 --- a/sources/mdb_iamproxy.c +++ b/sources/mdb_iamproxy.c @@ -228,10 +228,14 @@ int mdb_iamproxy_authenticate_user(const char *username, const char *token, goto free_auth_status; } + client->external_id = malloc(machine_msg_size(external_user)); + memcpy(client->external_id, (char *)machine_msg_data(external_user), + machine_msg_size(external_user)); + od_log(&instance->logger, "auth", client, NULL, "user '%s.%s', with client_id: %s was authenticated by iam with subject_id: %s", client->startup.database.value, client->startup.user.value, - client->id.id, (char *)machine_msg_data(external_user)); + client->id.id, client->external_id); /*FREE RESOURCES*/ free_external_user: From bf1f05653e8fab7ee7a55a0d5827c4f912d8360e Mon Sep 17 00:00:00 2001 From: Andrey Ovchinnikov Date: Fri, 2 Feb 2024 13:53:35 +0300 Subject: [PATCH 29/30] fix in log format --- sources/logger.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources/logger.c b/sources/logger.c index 6f0a9bf94..cbf881283 100644 
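Review bot: In the new `case 'x'` of od_logger_format the `break;` sits inside the `if`, so when `client` is NULL or `external_id` is unset control falls through into `case 'n'` and the unixtime is emitted where the `%x` token stood; nothing marks this as intentional. Close the `if` first and put `break;` after it, inside the case block, so the token expands to nothing when there is no external id. The same shape is still visible as context in the two later logger.c hunks (patches 29 and 30), so the fix applies to the final state as well. It is also worth checking that `x` is not already a format character elsewhere in this switch, which continues outside the hunk.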
--- a/sources/logger.c
+++ b/sources/logger.c
@@ -220,7 +220,7 @@ od_logger_format(od_logger_t *logger, od_logger_level_t level, char *context,
 if (client && client->external_id != NULL) {
 len = od_snprintf(dst_pos,
 dst_end - dst_pos,
- "(subject_id: %s)",
+ "subject_id: %s",
 client->external_id);
 dst_pos += len;
 break;
From 7a6afd4696ed3db61134795bd8e0724f2db17e1d Mon Sep 17 00:00:00 2001
From: Andrey Ovchinnikov
Date: Fri, 2 Feb 2024 19:58:25 +0300
Subject: [PATCH 30/30] fix logging format
---
 sources/logger.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sources/logger.c b/sources/logger.c
index cbf881283..f4a1e2b51 100644
--- a/sources/logger.c
+++ b/sources/logger.c
@@ -220,7 +220,7 @@ od_logger_format(od_logger_t *logger, od_logger_level_t level, char *context,
 if (client && client->external_id != NULL) {
 len = od_snprintf(dst_pos,
 dst_end - dst_pos,
- "subject_id: %s",
+ "%s",
 client->external_id);
 dst_pos += len;
 break;