OpengateM - MAC address authentication system
module for Authentication of User
+this file includes the code for main control and pop3/ftp auth.
+other authentication protocols are coded in other files.
+
Copyright (C) 1999 Opengate Project Team
Written by Yoshiaki Watanabe
This program is free software; you can redistribute it and/or
get userid from anywhere (cookie/env/postdata)
if not get, send back auth page.
language indicates the one for web description
+
+return value: TRUE(1)=sccess/FALSE(0)=fail
+requestStr: (input) string sended with http-POST
+userId,extraId: (output) entered as 'userId@extraId'
+language: (input) html description language(ja/en/..)
+userType: (input) auth as ADMINUSER(1) or NORMALUSER(0)
+cgiName: (input) the cgi to which the auth page sends data
+mailDefault: (output) initial value of user mail address
+redirectedUrl: (input) url before redirection (return to this after processing)
****************************************/
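Review bot: Two of the added header lines carry typos that will end up in the generated docs: `return value: TRUE(1)=sccess/FALSE(0)=fail` should read `success`, and `requestStr: (input) string sended with http-POST` should read `sent`. The new summary at the top also promises "main control and pop3/ftp auth" while the dispatch below handles pam, radius, ldap, ftps and splash as well; `this file includes the main control and the protocol dispatch; the individual auth protocols are coded in other files` would match the code better.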
int getUserId(char* requestStr, char* userId, char* extraId, char* language, int userType, char* cgiName, char* mailDefault, char* redirectedUrl){
int authResult=DENY;
/***** try to get uid from environment variables(shibboleth/httpbasic) *****/
if(authResult==DENY){
- /* search shibboleth / httpbasic auth setting in conf */
+ /* search shibboleth / httpbasic auth settings in conf */
ResetAuthServerPointer();
while(SelectNextAuthServer()){
if( (strcmp(GetConfValue("AuthServer/UserType"), "admin")!=0)
&& (userType==ADMINUSER) ) continue;
- /* if the server setting is not (shibboleth or httpbasic), skip it */
+ /* if the server setting is not shibboleth and not httpbasic, skip it */
if(strcmp(GetConfValue("AuthServer/Protocol"), "shibboleth")!=0
&& strcmp(GetConfValue("AuthServer/Protocol"), "httpbasic")!=0) continue;
- /* if reached to this(=shibboleth/httpbasic), get userid from env var */
+ /* if reached to this line(=shibboleth/httpbasic), get userid from env var */
if(GetUserIdFromEnv(useridfull)){
/* split user@extra to user and extra. then search conf extra set */
SplitId(useridfull, userId, extraId);
SetupConfExtra(userId, extraId);
- /* if the user is found in accept user list, accept him, else deny */
+ /* if the user is found in accept user list, accept user, else deny */
+ /* the user list (defined in conf file) restricts users (if accept all, remove the list) */
if(IsUserIdFoundInAcceptUsersList(userId)){
authResult=ACCEPT;
MakeMailDefault(userId, extraId, mailDefault);
return FALSE;
}
- /* reaching this line means that userid is in request string */
+ /* reaching this line means that userid is found in request string */
/* split user@extra to user and extra. then search conf extra set */
SplitId(useridfull, userId, extraId);
SetupConfExtra(userId, extraId);
if((authResult=AuthenticateUser(userId, password))==DENY) continue;
/* if userid is not found in the user list in conf, goto next server */
- if(!IsUserIdFoundInAcceptUsersList(userId)){
+ /* the user list (defined in conf file) restricts users (if accept all, remove the list) */
+ if(!IsUserIdFoundInAcceptUsersList(userId)){
authResult=DENY;
continue;
}
/**************************************
if accept users are listed in conf file,
-find the userid in the list
+ find the userid in the list
if no list is indicated, return true
**************************************/
int isUserIdFoundInAcceptUsersList(char* userId){
char userIdPattern[WORDMAXLN];
/* get accept users list. if not exist, return true(accept all users) */
- strncpy(usersList,GetConfValue("AuthServer/AcceptUsers"),BUFFMAXLN);
+ strlcpy(usersList,GetConfValue("AuthServer/AcceptUsers"),BUFFMAXLN);
if(isNull(usersList)) return TRUE;
/* if userid is found in the usersList, return true */
/* example of usersList is [user1 user2 user3 user4] */
/* regular expression matched to "(^| )userid( |$)" */
- /* meaning is [(head or space) userid-string (space or tail)] */
- /* last-arg 0 of RegEx means ignore-case */
- strncpy(userIdPattern, "(^| )", WORDMAXLN);
- strncat(userIdPattern, userId, WORDMAXLN);
- strncat(userIdPattern, "( |$)", WORDMAXLN);
+ /* it means that [(head or space) userid-string (space or tail)] */
+ /* last-arg 0 of RegExMatch means ignore-case */
+ strlcpy(userIdPattern, "(^| )", WORDMAXLN);
+ strlcat(userIdPattern, userId, WORDMAXLN);
+ strlcat(userIdPattern, "( |$)", WORDMAXLN);
return RegExMatch(usersList, userIdPattern, 0);
}
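Review bot: userId is spliced into the pattern at the new `strlcat(userIdPattern, userId, WORDMAXLN);` without escaping, so any regex metacharacter in a client-supplied id changes what RegExMatch accepts; this matters most for the protocols where the id is never checked against a server (accept, splash). Matching literally is simpler and safer: split usersList on spaces and compare each token with strcmp (or strcasecmp, since the RegExMatch call is deliberately case-insensitive). The strlcpy/strlcat return values are also dropped, so an id longer than WORDMAXLN is silently truncated into a pattern that can match a different user; return FALSE when a return value is `>= WORDMAXLN`. If Linux builds are a target, strlcpy/strlcat are not provided by glibc before 2.38, so the project needs its own definitions or a configure check (the declaration of usersList is outside this hunk, so I cannot see whether one already exists).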
/*******************************************************/
/* Authenticate user by accessing to ftp server */
-/* userid : user to auth */
+/* userid : user to auth (short form(omit @extraid)) */
/* password : password for the user */
/*******************************************************/
int authenticateUser(char *userid, char *passwd)
int authResult=DENY;
int timeout;
- /* authserver get timeout value */
+ /* get timeout value of authserver reply from conf */
timeout=atoi(GetConfValue("AuthServer/Timeout"));
/* set auth server reply timeout */
EnableAlarm();
}
- /* get Protocol for authentication */
+ /* get authentication protocol from conf */
proto=GetConfValue("AuthServer/Protocol");
+ /* authenticate by ftp access */
if(strcmp(proto, "ftp")==0){
- /* authenticate by ftp access */
authResult=AuthFtp(userid, passwd);
+ }
- }else if(strcmp(proto, "pop3")==0){
- /* authenticate by pop3 access */
+ /* authenticate by pop3 access */
+ else if(strcmp(proto, "pop3")==0){
authResult=AuthPop3(userid, passwd);
+ }
- }else if(strcmp(proto, "pam")==0){
- /* authenticate by pam */
+ /* authenticate by pam */
+ else if(strcmp(proto, "pam")==0){
authResult=AuthPam(userid, passwd);
+ }
- }else if(strcmp(proto, "radius")==0){
- /* authenticate by radius */
+ /* authenticate by radius */
+ else if(strcmp(proto, "radius")==0){
authResult=AuthRadius(userid, passwd);
+ }
- }else if(strcmp(proto, "pop3s")==0){
- /* authenticate by pop3s */
+ /* authenticate by pop3s */
+ else if(strcmp(proto, "pop3s")==0){
authResult=AuthPop3s(userid, passwd);
+ }
- }else if(strcmp(proto, "ldap")==0){
- /* authenticate by ldap */
+ /* authenticate by ldap */
+ else if(strcmp(proto, "ldap")==0){
authResult=AuthLdap(userid, passwd);
+ }
- }else if(strcmp(proto, "ftpse")==0){
- /* authenticate by ftps-explicit */
+ /* authenticate by ftps-explicit */
+ else if(strcmp(proto, "ftpse")==0){
authResult=AuthFtpse(userid, passwd);
+ }
- }else if(strcmp(proto, "ftpsi")==0){
- /* authenticate by ftps-implicit */
+ /* authenticate by ftps-implicit */
+ else if(strcmp(proto, "ftpsi")==0){
authResult=AuthFtpsi(userid, passwd);
+ }
- }else if(strcmp(proto, "shibboleth")==0){
- /* deny all request */
- /* if shibboleth auth is accepted, cannot reach at this point */
+ /* authenticate by shibboleth */
+ /* in this case, auth request cannot reach to this line */
+ else if(strcmp(proto, "shibboleth")==0){
authResult=DENY;
+ }
- }else if(strcmp(proto, "httpbasic")==0){
- /* deny all request */
- /* if httpbasic auth is accepted, cannot reach at this point */
+ /* authenticate by httpbasic */
+ /* in this case, auth request cannot reach to this line */
+ else if(strcmp(proto, "httpbasic")==0){
authResult=DENY;
-
- }else if(strcmp(proto, "deny")==0){
- /* deny all request */
+ }
+
+ /* deny all users */
+ else if(strcmp(proto, "deny")==0){
authResult=DENY;
+ }
- }else if(strcmp(proto, "accept")==0){
- /* accept all request */
+ /* accept all users */
+ else if(strcmp(proto, "accept")==0){
authResult=ACCEPT;
- }else{
+ }
+
+ /* show splash page and auth is passed */
+ else if(strcmp(proto, "splash")==0){
+ authResult=ACCEPT;
+ }
+
+ /* unknown request */
+ else{
err_msg("ERR at %s#%d: Unknown protocol:%s",__FILE__,__LINE__,proto);
authResult=DENY;
}
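Review bot: The new `splash` branch returns ACCEPT without looking at userid or passwd, so the identity recorded for the session is exactly what the client posted; the only remaining filter is the caller's AcceptUsers check, which lives outside this hunk. A comment should state that, e.g. `/* splash: no credential check; userid is client-supplied and unverified, only AcceptUsers restricts it */`. The rewritten headers `/* authenticate by shibboleth */` and `/* authenticate by httpbasic */` are misleading, since both branches unconditionally set DENY; the removed wording (`deny all request`) described the code better, and `/* env-var auth is handled before this point; deny if reached here */` would keep the new layout while staying accurate. The function's return statement and closing brace are outside the hunk.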
char* markPnt=NULL;
- strncpy(useridSave, useridfull, USERMAXLN);
+ strlcpy(useridSave, useridfull, USERMAXLN);
- /* separate extraId from userid */
+ /* separate extraId from userid (UserIdSeparator is '@') */
markPnt=strchr(useridSave, *GetConfValue("UserIdSeparator"));
if(markPnt==NULL){
- /* separator mark not found */
- strncpy(extraId,"",USERMAXLN);
- strncpy(userId,useridSave,USERMAXLN);
+ /* separator mark is not found. no extraId */
+ strlcpy(extraId,"",USERMAXLN);
+ strlcpy(userId,useridSave,USERMAXLN);
}else{
- /* pick up extraId */
+ /* separator is found. pick up extraId */
*markPnt='\0';
- strncpy(extraId,markPnt+1,USERMAXLN);
- strncpy(userId,useridSave,USERMAXLN);
+ strlcpy(extraId,markPnt+1,USERMAXLN);
+ strlcpy(userId,useridSave,USERMAXLN);
}
}
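Review bot: The new comment `/* separate extraId from userid (UserIdSeparator is '@') */` hardcodes a value that the next line reads from the conf, so it will go stale the moment someone changes UserIdSeparator; `(UserIdSeparator is read from conf, typically '@')` says the same without asserting it. Note also that `strchr(useridSave, *GetConfValue("UserIdSeparator"))` dereferences the conf value unchecked: an empty separator yields '\0', strchr then returns the terminator and the else branch runs with an empty extraId, and a NULL return from GetConfValue (if it can happen) would crash here; a guard such as `if(isNull(sep)) { strlcpy(extraId,"",USERMAXLN); strlcpy(userId,useridSave,USERMAXLN); return; }` before the strchr would make the behaviour explicit. The start of this function is outside the hunk.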
char* concatUserId(char* useridfull, char* userId, char* extraId){
/* set full userid */
- strncpy(useridfull, userId,USERMAXLN);
+ strlcpy(useridfull, userId,USERMAXLN);
if(!isNull(extraId)){
- strncat(useridfull, GetConfValue("UserIdSeparator"), USERMAXLN);
- strncat(useridfull, extraId, USERMAXLN);
+ strlcat(useridfull, GetConfValue("UserIdSeparator"), USERMAXLN);
+ strlcat(useridfull, extraId, USERMAXLN);
}
return useridfull;
}
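Review bot: The strlcat calls at the end of concatUserId drop their return value, so when userId plus the separator plus extraId does not fit in USERMAXLN the result is silently truncated to a shorter, possibly still valid-looking, full id. strlcat returns the length it tried to build, so `if(strlcat(useridfull, extraId, USERMAXLN) >= USERMAXLN) err_msg("ERR at %s#%d: userid truncated",__FILE__,__LINE__);` (returning NULL as well, if callers can take it) makes the truncation visible instead of passing a wrong identity downstream. The same unchecked strlcpy/strlcat pattern appears in the makeMailDefault hunk further down, where mailDefault is built from userId, "@" and pMailDomain.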
/* get auth server port */
port=GetConfValue("AuthServer/Port");
- /* FTP server connect */
+ /* FTP server connect (if port is not defined in conf, default is used) */
if(isNull(port)){
sockfd = Tcp_connect(serverAddr, "ftp");
}else{
return DENY;
}
- /* get [220 <host> FTP server ..]*/
+ /* get [220 <host> FTP server ..] */
if((n = readln(sockfd, recvline, BUFFMAXLN)) < 0) {
err_msg("ERR at %s#%d: Ftp server is not normal 1",__FILE__,__LINE__);
Close(sockfd);
/* put [user <userid>] */
Writefmt(sockfd, "user %s\r\n", userid);
- /* get [331 Password required ..] */
+ /* get [331 Password required ..] (greeting lines might exist before 331 request) */
if((n = readln(sockfd, recvline, BUFFMAXLN)) < 0) {
err_msg("ERR at %s#%d: Ftp server is not normal 3",__FILE__,__LINE__);
Close(sockfd);
/* put [pass <password>] */
Writefmt(sockfd, "pass %s\r\n", passwd);
- /* get [230 User <userid> logged in] */
+ /* get [230 User <userid> logged in] (the string means correct userid/passwd) */
if((n = readln(sockfd, recvline, BUFFMAXLN)) < 0) {
err_msg("ERR at %s#%d: Ftp server is not normal 5",__FILE__,__LINE__);
Close(sockfd);
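Review bot: The updated comment `/* get [331 Password required ..] (greeting lines might exist before 331 request) */` acknowledges that extra lines may precede the 331 reply, but the code under it still performs a single readln, so a server that emits a multi-line banner will presumably fail the reply check rather than be tolerated. Either loop on readln until a line of the form `ddd ` (three digits and a space) is read, or drop the parenthetical so the comment does not promise more than the code does. The `Writefmt(sockfd, "user %s\r\n", userid)` and `pass %s\r\n` lines also send the client-supplied strings verbatim, so CR/LF (and other control characters) must be rejected before the strings reach this protocol layer; if that check exists in the caller, a comment here pointing to it would help the next reader. The enclosing authFtp function starts and ends outside this hunk.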
/***************************************/
/* called at auth reply timeout */
+/* on timeout, read wait is cleared */
/***************************************/
void onAuthReplyAlarm(int signo)
{
/***********************************
check duplication of shibboleth / httpbasic auth server
-shibboleth/httpbasic cannot be used for both usertype
+shibboleth/httpbasic cannot be used for both usertype (admin and normal)
***********************************/
int isShibOrBasicAuthDuplicated(void){
int nShib=0;
return FALSE;
}
- /* if set mail attribute, mail from the env variable in attr */
+ /* if set MailAttribute, mail from the env variable set in MailAttribute */
+ /* (Shibboleth puts the user mail address into an env variable) */
if(!isNull(pMailAttribute)){
pMailAddr=getenvEx(pMailAttribute,TRUE,FALSE); /* var list is permitted */
if(!isNull(pMailAddr)){
- strncpy(mailDefault, pMailAddr, BUFFMAXLN);
+ strlcpy(mailDefault, pMailAddr, BUFFMAXLN);
return TRUE;
}else{
err_msg("ERR at %s#%d: Can't get mail attibute from environment variable.",__FILE__,__LINE__);
}
}
- /* if set mail domain, mail from userid+@+maildomain */
+ /* if set MailDomain, mail from userid+@+MailDomain */
if(!isNull(pMailDomain)){
- strncpy(mailDefault, userId, BUFFMAXLN);
- strncat(mailDefault, "@", BUFFMAXLN);
- strncat(mailDefault, pMailDomain, BUFFMAXLN);
+ strlcpy(mailDefault, userId, BUFFMAXLN);
+ strlcat(mailDefault, "@", BUFFMAXLN);
+ strlcat(mailDefault, pMailDomain, BUFFMAXLN);
return TRUE;
}else{
err_msg("ERR at %s#%d: Can't get mail domain string from conf file.",__FILE__,__LINE__);
return FALSE;
}
+/**********************************
+is AuthServer setting for normal user 'splash'
+**********************************/
+int isSplashOnlyManagement(void){
+ int splash=FALSE;
+
+ /* search AuthServer setting having Protocol=splash and UserType!=admin */
+ ResetAuthServerPointer();
+ while(SelectNextAuthServer()){
+ if((strcmp(GetConfValue("AuthServer/Protocol"), "splash")==0)&&
+ (strcmp(GetConfValue("AuthServer/UserType"), "admin")!=0) ){
+ splash=TRUE;
+ break;
+ }
+ }
+ ResetAuthServerPointer();
+ return splash;
+}
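Review bot: isSplashOnlyManagement returns TRUE as soon as one non-admin AuthServer entry has Protocol=splash (the `break;` after `splash=TRUE;`), so it answers "is splash configured for normal users" rather than "is splash the only management" as the name suggests; if later code uses it to skip credential handling, a conf holding both a splash entry and, say, a pop3 entry for normal users would be treated as splash-only. Either rename it (e.g. hasSplashForNormalUser) and keep the loop, or make the loop clear the flag when any non-admin entry is not splash, and align the header comment with whichever semantics is chosen, e.g. `/* return TRUE if every AuthServer entry for normal users uses Protocol=splash */`.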
+
/**********************************/
/**********************************/
int GetUserId(char* requestStr, char* userId, char* extraId, char* language, int userType, char* cgiName, char* mailDefault, char* redirectedUrl){
return ret;
}
+
+int IsSplashOnlyManagement(void){
+ int ret;
+
+ if(debug>1) err_msg("DEBUG:=>isSplashOnlyManagement()");
+ ret=isSplashOnlyManagement();
+ if(debug>1) err_msg("DEBUG:(%d)<=isSplashOnlyManagement",ret);
+
+ return ret;
+}