Changes of Revision 236
| [-] | Changed | nginx.spec |
|
x 1 2 BuildRequires: gd-devel3 BuildRequires: GeoIP-devel4 BuildRequires: libatomic_ops-devel 5 +<<<<<<< ./nginx.spec.mine6 +BuildRequires: openldap-devel7 +=======8 BuildRequires: openldap-devel9 +>>>>>>> ./nginx.spec.r23010 11 Requires: pcre12 Requires: zlib13 |
||
| [+] | Added | nginx-auth-ldap.tar.gz/LICENSE ^ |
| @@ -0,0 +1,27 @@ +/** + * Copyright (C) 2011-2013 Valery Komarov <komarov@valerka.net> + * Copyright (C) 2013 Jiri Hruska <jirka@fud.cz> + * Copyright (C) 2015-2016 Victor Hahn Castell <victor.hahn@flexoptix.net> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ | ||
| [+] | Added | nginx-auth-ldap.tar.gz/README.md ^ |
| @@ -0,0 +1,132 @@ +# LDAP Authentication module for nginx +LDAP module for nginx which supports authentication against multiple LDAP servers. + +# How to install + +## FreeBSD + +```bash +cd /usr/ports/www/nginx && make config install clean +``` + +Check HTTP_AUTH_LDAP options + + +``` +[*] HTTP_AUTH_LDAP 3rd party http_auth_ldap module +``` + +## Linux + +```bash +cd ~ && git clone https://github.com/kvspb/nginx-auth-ldap.git +``` + +in nginx source folder + +```bash +./configure --add-module=path_to_http_auth_ldap_module +make install +``` + +# Example configuration +Define list of your LDAP servers with required user/group requirements: + +```bash + http { + ldap_server test1 { + url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person); + binddn "TEST\\LDAPUSER"; + binddn_passwd LDAPPASSWORD; + group_attribute uniquemember; + group_attribute_is_dn on; + require valid_user; + } + + ldap_server test2 { + url ldap://192.168.0.2:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person); + binddn "TEST\\LDAPUSER"; + binddn_passwd LDAPPASSWORD; + group_attribute uniquemember; + group_attribute_is_dn on; + require valid_user; + } + } +``` + +And add required servers in correct order into your location/server directive: +```bash + server { + listen 8000; + server_name localhost; + + auth_ldap "Forbidden"; + auth_ldap_servers test1; + auth_ldap_servers test2; + + location / { + root html; + index index.html index.htm; + } + + } +``` + +# Available config parameters + +## url +expected value: string + +Available URL schemes: ldap://, ldaps:// + +## binddn +expected value: string + +## binddn_passwd +expected value: string + +## group_attribute +expected value: string + +## group_attribute_is_dn +expected value: on or off, default off + +## require +expected value: valid_user, user, group + +## satisfy +expected value: all, any + +## connections +expected value: a number greater than 0 + +## ssl_check_cert +expected value: on or off, default off + +Verify the remote certificate for LDAPs connections. If disabled, any remote certificate will be +accepted which exposes you to possible man-in-the-middle attacks. Note that the server's +certificate will need to be signed by a proper CA trusted by your system if this is enabled. +See below how to trust CAs without installing them system-wide. + +This options needs OpenSSL >= 1.0.2; it is unavailable if compiled with older versions. + +## ssl_ca_file +expected value: file path + +Trust the CA certificate in this file (see ssl_check_cert above). + +## ssl_ca_dir +expected value: directory path + +Trust all CA certificates in this directory (see ssl_check_cert above). + +Note that you need to provide hash-based symlinks in the directory for this to work; +you'll basically need to run OpenSSL's c_rehash command in this directory. + +## referral +expected value: on, off + +LDAP library default is on. This option disables usage of referral messages from +LDAP server. Usefull for authenticating against read only AD server without access +to read write. + | ||
| [+] | Added | nginx-auth-ldap.tar.gz/config ^ |
| @@ -0,0 +1,23 @@ +ngx_addon_name=ngx_http_auth_ldap_module + +LDAP_REQUIRED_LIBS="-lldap" + +case "$NGX_PLATFORM" in + Darwin:*|FreeBSD:*|Linux:*|SunOS:*) + LDAP_REQUIRED_LIBS="$LDAP_REQUIRED_LIBS -llber" + ;; +esac + +if test -n "$ngx_module_link"; then + ngx_module_type=HTTP + ngx_module_name=ngx_http_auth_ldap_module + ngx_module_incs= + ngx_module_deps= + ngx_module_srcs="$ngx_addon_dir/ngx_http_auth_ldap_module.c" + ngx_module_libs="$LDAP_REQUIRED_LIBS" + . auto/module +else + HTTP_MODULES="$HTTP_MODULES ngx_http_auth_ldap_module" + NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_ldap_module.c" + CORE_LIBS="$CORE_LIBS $LDAP_REQUIRED_LIBS" +fi | ||
| [+] | Added | nginx-auth-ldap.tar.gz/example.conf ^ |
| @@ -0,0 +1,58 @@ +worker_processes 1; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + + sendfile on; + keepalive_timeout 65; + + # define ldap server + ldap_server ad_1 { + # user search base. + url "ldap://<YOUR LDAP SERVER>:3268/OU=Offices,DC=company,DC=com?sAMAccountName?sub?(objectClass=person)"; + # bind as + binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com"; + # bind pw + binddn_passwd <PUT Operator's PASSWORD HERE>; + # group attribute name which contains member object + group_attribute member; + # search for full DN in member object + group_attribute_is_dn on; + # matching algorithm (any / all) + satisfy any; + # list of allowed groups + require group "CN=Admins,OU=My Security Groups,DC=company,DC=com"; + require group "CN=New York Users,OU=My Security Groups,DC=company,DC=com"; + # list of allowed users + # require 'valid_user' cannot be used together with 'user' as valid user is a superset + # require valid_user; + require user "CN=Batman,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com"; + require user "CN=Robocop,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com"; + } + +} + +server { + listen 8081; + server_name localhost; + + location / { + # adding ldap authentication + auth_ldap "Closed content"; + auth_ldap_servers ad_1; + + root html; + index index.html index.htm; + } + + error_page 500 502 503 504 /50x.html; + + location = /50x.html { + root html; + } +} | ||
| [+] | Added | nginx-auth-ldap.tar.gz/ngx_http_auth_ldap_module.c ^ |
| @@ -0,0 +1,2237 @@ +/** + * Copyright (C) 2011-2013 Valery Komarov <komarov@valerka.net> + * Copyright (C) 2013 Jiri Hruska <jirka@fud.cz> + * Copyright (C) 2015-2016 Victor Hahn Castell <victor.hahn@flexoptix.net> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <ngx_config.h> +#include <ngx_core.h> +#include <ngx_http.h> +#include <ngx_md5.h> +#include <ldap.h> + +// used for manual warnings +#define XSTR(x) STR(x) +#define STR(x) #x +#pragma GCC diagnostic warning "-Wcpp" + + +#ifndef LDAP_PROTO_EXT +/* Some OpenLDAP headers are accidentally missing ldap_init_fd() etc. */ + +#define LDAP_PROTO_TCP 1 /* ldap:// */ +#define LDAP_PROTO_UDP 2 /* reserved */ +#define LDAP_PROTO_IPC 3 /* ldapi:// */ +#define LDAP_PROTO_EXT 4 /* user-defined socket/sockbuf */ + +extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url, LDAP **ld); +#endif + +#define OUTCOME_ERROR -1 /* Some error occured in the process */ +#define OUTCOME_DENY 0 +#define OUTCOME_ALLOW 1 +#define OUTCOME_CACHED_DENY 2 /* Cached results */ +#define OUTCOME_CACHED_ALLOW 3 +#define OUTCOME_UNCERTAIN 4 /* Not yet decided */ + +#define NGX_HTTP_AUTH_LDAP_MAX_SERVERS_SIZE 7 + + +typedef struct { + LDAPURLDesc *ludpp; + ngx_str_t url; + ngx_url_t parsed_url; + ngx_str_t alias; + + ngx_str_t bind_dn; + ngx_str_t bind_dn_passwd; + + ngx_str_t group_attribute; + ngx_flag_t group_attribute_dn; + + ngx_flag_t ssl_check_cert; + ngx_str_t ssl_ca_dir; + ngx_str_t ssl_ca_file; + + ngx_array_t *require_group; /* array of ngx_http_complex_value_t */ + ngx_array_t *require_user; /* array of ngx_http_complex_value_t */ + ngx_flag_t require_valid_user; + ngx_http_complex_value_t require_valid_user_dn; + ngx_flag_t satisfy_all; + ngx_flag_t referral; + + ngx_uint_t connections; + ngx_msec_t connect_timeout; + ngx_msec_t reconnect_timeout; + ngx_msec_t bind_timeout; + ngx_msec_t request_timeout; + ngx_queue_t free_connections; + ngx_queue_t waiting_requests; +} ngx_http_auth_ldap_server_t; + +typedef struct { + ngx_array_t *servers; /* array of ngx_http_auth_ldap_server_t */ + ngx_flag_t cache_enabled; + ngx_msec_t cache_expiration_time; + size_t cache_size; + ngx_int_t servers_size; +#if (NGX_OPENSSL) + ngx_ssl_t ssl; +#endif +} ngx_http_auth_ldap_main_conf_t; + +typedef struct { + ngx_str_t realm; + ngx_array_t *servers; /* array of ngx_http_auth_ldap_server_t* */ +} ngx_http_auth_ldap_loc_conf_t; + +typedef struct { + uint32_t small_hash; /* murmur2 hash of username ^ &server */ + uint32_t outcome; /* OUTCOME_DENY or OUTCOME_ALLOW */ + ngx_msec_t time; /* ngx_current_msec when created */ + u_char big_hash[16]; /* md5 hash of (username, server, password) */ +} ngx_http_auth_ldap_cache_elt_t; + +typedef struct { + ngx_http_auth_ldap_cache_elt_t *buckets; + ngx_uint_t num_buckets; + ngx_uint_t elts_per_bucket; + ngx_msec_t expiration_time; +} ngx_http_auth_ldap_cache_t; + +typedef enum { + PHASE_START, + PHASE_SEARCH, + PHASE_CHECK_USER, + PHASE_CHECK_GROUP, + PHASE_CHECK_BIND, + PHASE_REBIND, + PHASE_NEXT +} ngx_http_auth_ldap_request_phase_t; + +typedef struct { + ngx_http_request_t *r; + ngx_uint_t server_index; + ngx_http_auth_ldap_server_t *server; + ngx_http_auth_ldap_request_phase_t phase; + unsigned int iteration; + int outcome; + + struct ngx_http_auth_ldap_connection *c; + ngx_queue_t queue; + int replied; + int error_code; + ngx_str_t error_msg; + ngx_str_t dn; + + ngx_http_auth_ldap_cache_elt_t *cache_bucket; + u_char cache_big_hash[16]; + uint32_t cache_small_hash; +} ngx_http_auth_ldap_ctx_t; + +typedef enum { + STATE_DISCONNECTED, + STATE_INITIAL_BINDING, + STATE_CONNECTING, + STATE_READY, + STATE_BINDING, + STATE_SEARCHING, + STATE_COMPARING +} ngx_http_auth_ldap_connection_state_t; + +typedef struct ngx_http_auth_ldap_connection { + ngx_log_t *log; + ngx_http_auth_ldap_server_t *server; + ngx_peer_connection_t conn; + ngx_event_t reconnect_event; + +#if (NGX_OPENSSL) + ngx_pool_t *pool; + ngx_ssl_t *ssl; +#endif + + ngx_queue_t queue; + ngx_http_auth_ldap_ctx_t *rctx; + + LDAP* ld; + ngx_http_auth_ldap_connection_state_t state; + int msgid; +} ngx_http_auth_ldap_connection_t; + +static char * ngx_http_auth_ldap_ldap_server_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char * ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf); +static char * ngx_http_auth_ldap(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char * ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char * ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server); +static char * ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server); +static char * ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server); +static char * ngx_http_auth_ldap_parse_referral(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server); +static void * ngx_http_auth_ldap_create_main_conf(ngx_conf_t *cf); +static char * ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent); +static void * ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *); +static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *); +static ngx_int_t ngx_http_auth_ldap_init_worker(ngx_cycle_t *cycle); +static ngx_int_t ngx_http_auth_ldap_init(ngx_conf_t *cf); +static ngx_int_t ngx_http_auth_ldap_init_cache(ngx_cycle_t *cycle); +static void ngx_http_auth_ldap_close_connection(ngx_http_auth_ldap_connection_t *c); +static void ngx_http_auth_ldap_read_handler(ngx_event_t *rev); +static ngx_int_t ngx_http_auth_ldap_init_connections(ngx_cycle_t *cycle); +static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r); +static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, + ngx_http_auth_ldap_loc_conf_t *conf); +static ngx_int_t ngx_http_auth_ldap_search(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +static ngx_int_t ngx_http_auth_ldap_check_user(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +static ngx_int_t ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +static ngx_int_t ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +static ngx_int_t ngx_http_auth_ldap_recover_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +#if (NGX_OPENSSL) +static ngx_int_t ngx_http_auth_ldap_restore_handlers(ngx_connection_t *conn); +#endif + +ngx_http_auth_ldap_cache_t ngx_http_auth_ldap_cache; + +static ngx_command_t ngx_http_auth_ldap_commands[] = { + { + ngx_string("ldap_server"), + NGX_HTTP_MAIN_CONF | NGX_CONF_BLOCK | NGX_CONF_TAKE1, + ngx_http_auth_ldap_ldap_server_block, + NGX_HTTP_MAIN_CONF_OFFSET, + 0, + NULL + }, + { + ngx_string("auth_ldap_cache_enabled"), + NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, + ngx_conf_set_flag_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_auth_ldap_main_conf_t, cache_enabled), + NULL + }, + { + ngx_string("auth_ldap_cache_expiration_time"), + NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, + ngx_conf_set_msec_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_auth_ldap_main_conf_t, cache_expiration_time), + NULL + }, + { + ngx_string("auth_ldap_cache_size"), + NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, + ngx_conf_set_size_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_auth_ldap_main_conf_t, cache_size), + NULL + }, + { + ngx_string("auth_ldap_servers_size"), + NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_auth_ldap_main_conf_t, servers_size), + NULL + }, + { + ngx_string("auth_ldap"), + NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_TAKE1, + ngx_http_auth_ldap, + NGX_HTTP_LOC_CONF_OFFSET, + 0, + NULL + }, + { + ngx_string("auth_ldap_servers"), + NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_ANY, + ngx_http_auth_ldap_servers, + NGX_HTTP_LOC_CONF_OFFSET, + 0, + NULL + }, + ngx_null_command +}; + +static ngx_http_module_t ngx_http_auth_ldap_module_ctx = { + NULL, /* preconfiguration */ + ngx_http_auth_ldap_init, /* postconfiguration */ + ngx_http_auth_ldap_create_main_conf, /* create main configuration */ + ngx_http_auth_ldap_init_main_conf, /* init main configuration */ + NULL, /* create server configuration */ + NULL, /* merge server configuration */ + ngx_http_auth_ldap_create_loc_conf, /* create location configuration */ + ngx_http_auth_ldap_merge_loc_conf /* merge location configuration */ +}; + +ngx_module_t ngx_http_auth_ldap_module = { + NGX_MODULE_V1, + &ngx_http_auth_ldap_module_ctx, /* module context */ + ngx_http_auth_ldap_commands, /* module directives */ + NGX_HTTP_MODULE, /* module type */ + NULL, /* init master */ + NULL, /* init module */ + ngx_http_auth_ldap_init_worker, /* init process */ + NULL, /* init thread */ + NULL, /* exit thread */ + NULL, /* exit process */ + NULL, /* exit master */ + NGX_MODULE_V1_PADDING +}; + + +/*** Configuration and initialization ***/ + +/** + * Reads ldap_server block and sets ngx_http_auth_ldap_ldap_server as a handler of each conf value + */ +static char * +ngx_http_auth_ldap_ldap_server_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + char *rv; + ngx_str_t *value, name; + ngx_conf_t save; + ngx_http_auth_ldap_server_t *server; + ngx_http_auth_ldap_main_conf_t *cnf = conf; + + value = cf->args->elts; + + name = value[1]; + + if (ngx_strlen(name.data) == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Missing server name in ldap_server"); + return NGX_CONF_ERROR; + } + + if (cnf->servers == NULL) { + if (cnf->servers_size == NGX_CONF_UNSET) { + cnf->servers_size = NGX_HTTP_AUTH_LDAP_MAX_SERVERS_SIZE; + } + cnf->servers = ngx_array_create(cf->pool, cnf->servers_size, sizeof(ngx_http_auth_ldap_server_t)); + if (cnf->servers == NULL) { + return NGX_CONF_ERROR; + } + } + + server = ngx_array_push(cnf->servers); + if (server == NULL) { + return NGX_CONF_ERROR; + } + + ngx_memzero(server, sizeof(*server)); + server->connect_timeout = 10000; + server->reconnect_timeout = 10000; + server->bind_timeout = 5000; + server->request_timeout = 10000; + server->alias = name; + server->referral = 1; + + save = *cf; + cf->handler = ngx_http_auth_ldap_ldap_server; + cf->handler_conf = conf; + rv = ngx_conf_parse(cf, NULL); + *cf = save; + + if (rv != NGX_CONF_OK) { + return rv; + } + + return NGX_CONF_OK; +} + +#define CONF_MSEC_VALUE(cf,value,server,x) \ +if (ngx_strcmp(value[0].data, #x) == 0) { \ + ngx_msec_t _i = ngx_parse_time(&value[1], 0); \ + if (_i == (ngx_msec_t) NGX_ERROR || _i == 0) { \ + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: '" #x "' value has to be a valid time unit greater than 0"); \ + return NGX_CONF_ERROR; \ + } \ + server->x = _i; \ + } +/** + * Called for every variable inside ldap_server block + */ +static char * +ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf) +{ + char *rv; + ngx_str_t *value; + ngx_http_auth_ldap_server_t *server; + ngx_http_auth_ldap_main_conf_t *cnf = conf; + ngx_int_t i; + + /* It should be safe to just use latest server from array */ + server = ((ngx_http_auth_ldap_server_t *) cnf->servers->elts + (cnf->servers->nelts - 1)); + + value = cf->args->elts; + + /* TODO: Add more validation */ + if (ngx_strcmp(value[0].data, "url") == 0) { + return ngx_http_auth_ldap_parse_url(cf, server); + } else if (ngx_strcmp(value[0].data, "binddn") == 0) { + server->bind_dn = value[1]; + } else if (ngx_strcmp(value[0].data, "binddn_passwd") == 0) { + server->bind_dn_passwd = value[1]; + } else if (ngx_strcmp(value[0].data, "group_attribute") == 0) { + server->group_attribute = value[1]; + } else if (ngx_strcmp(value[0].data, "group_attribute_is_dn") == 0 && ngx_strcmp(value[1].data, "on") == 0) { + server->group_attribute_dn = 1; + } else if (ngx_strcmp(value[0].data, "require") == 0) { + return ngx_http_auth_ldap_parse_require(cf, server); + } else if (ngx_strcmp(value[0].data, "satisfy") == 0) { + return ngx_http_auth_ldap_parse_satisfy(cf, server); + } else if (ngx_strcmp(value[0].data, "referral") == 0) { + return ngx_http_auth_ldap_parse_referral(cf, server); + } else if (ngx_strcmp(value[0].data, "connections") == 0) { + i = ngx_atoi(value[1].data, value[1].len); + if (i == NGX_ERROR || i == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: 'connections' value has to be a number greater than 0"); + return NGX_CONF_ERROR; + } + server->connections = i; + } else if (ngx_strcmp(value[0].data, "ssl_check_cert") == 0 && ngx_strcmp(value[1].data, "on") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10002000 + server->ssl_check_cert = 1; + #else + #warning "http_auth_ldap: Compiling with OpenSSL < 1.0.2, certificate verification will be unavailable. OPENSSL_VERSION_NUMBER == " XSTR(OPENSSL_VERSION_NUMBER) + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "http_auth_ldap: 'ssl_cert_check': cannot verify remote certificate's domain name because " + "your version of OpenSSL is too old. " + "Please install OpenSSL >= 1.02 and recompile nginx."); + #endif + } else if (ngx_strcmp(value[0].data, "ssl_ca_dir") == 0) { + server->ssl_ca_dir = value[1]; + } else if (ngx_strcmp(value[0].data, "ssl_ca_file") == 0) { + server->ssl_ca_file = value[1]; + } + else CONF_MSEC_VALUE(cf,value,server,connect_timeout) + else CONF_MSEC_VALUE(cf,value,server,reconnect_timeout) + else CONF_MSEC_VALUE(cf,value,server,bind_timeout) + else CONF_MSEC_VALUE(cf,value,server,request_timeout) + else if (ngx_strcmp(value[0].data, "include") == 0) { + return ngx_conf_include(cf, dummy, conf); + } + + rv = NGX_CONF_OK; + + return rv; +} + +/** + * Parse auth_ldap directive + */ +static char * +ngx_http_auth_ldap(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_str_t *value = cf->args->elts; + ngx_http_auth_ldap_loc_conf_t *cnf = conf; + u_char *p; + + if (ngx_strcmp(value[1].data, "off") == 0) { + ngx_str_set(&cnf->realm, ""); + return NGX_CONF_OK; + } + + cnf->realm.len = sizeof("Basic realm=\"") - 1 + value[1].len + 1; + cnf->realm.data = ngx_pcalloc(cf->pool, cnf->realm.len); + if (cnf->realm.data == NULL) { + return NGX_CONF_ERROR; + } + + p = ngx_cpymem(cnf->realm.data, "Basic realm=\"", sizeof("Basic realm=\"") - 1); + p = ngx_cpymem(p, value[1].data, value[1].len); + *p = '"'; + + return NGX_CONF_OK; +} + +/** + * Parse auth_ldap_servers directive + */ +static char * +ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_http_auth_ldap_loc_conf_t *cnf; + ngx_http_auth_ldap_main_conf_t *mconf; + ngx_http_auth_ldap_server_t *server, *s, **target; + ngx_str_t *value; + ngx_uint_t i, j; + + cnf = conf; + mconf = ngx_http_conf_get_module_main_conf(cf, ngx_http_auth_ldap_module); + + for (i = 1; i < cf->args->nelts; i++) { + value = &((ngx_str_t *) cf->args->elts)[i]; + server = NULL; + + if (mconf->servers == NULL) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Using \"auth_ldap_servers\" when no \"ldap_server\" has been previously defined" + " (make sure that \"auth_ldap_servers\" goes after \"ldap_server\"s in your configuration file)", value); + return NGX_CONF_ERROR; + } + + for (j = 0; j < mconf->servers->nelts; j++) { + s = &((ngx_http_auth_ldap_server_t *) mconf->servers->elts)[j]; + if (s->alias.len == value->len && ngx_memcmp(s->alias.data, value->data, s->alias.len) == 0) { + server = s; + break; + } + } + + if (server == NULL) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Server \"%V\" has not been defined", value); + return NGX_CONF_ERROR; + } + + + if (cnf->servers == NGX_CONF_UNSET_PTR) { + cnf->servers = ngx_array_create(cf->pool, 4, sizeof(ngx_http_auth_ldap_server_t *)); + if (cnf->servers == NULL) { + return NGX_CONF_ERROR; + } + } + + target = (ngx_http_auth_ldap_server_t **) ngx_array_push(cnf->servers); + if (target == NULL) { + return NGX_CONF_ERROR; + } + + *target = server; + } + + return NGX_CONF_OK; +} + +/** + * Parse URL conf parameter + */ +static char * +ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) +{ + ngx_str_t *value; + u_char *p; + + value = cf->args->elts; + + int rc = ldap_url_parse((const char *) value[1].data, &server->ludpp); + if (rc != LDAP_SUCCESS) { + switch (rc) { + case LDAP_URL_ERR_MEM: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Cannot allocate memory space."); + break; + + case LDAP_URL_ERR_PARAM: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid parameter."); + break; + + case LDAP_URL_ERR_BADSCHEME: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: URL doesnt begin with \"ldap[s]://\"."); + break; + + case LDAP_URL_ERR_BADENCLOSURE: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: URL is missing trailing \">\"."); + break; + + case LDAP_URL_ERR_BADURL: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid URL."); + break; + + case LDAP_URL_ERR_BADHOST: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Host port is invalid."); + break; + + case LDAP_URL_ERR_BADATTRS: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid or missing attributes."); + break; + + case LDAP_URL_ERR_BADSCOPE: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid or missing scope string."); + break; + + case LDAP_URL_ERR_BADFILTER: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid or missing filter."); + break; + + case LDAP_URL_ERR_BADEXTS: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid or missing extensions."); + break; + } + return NGX_CONF_ERROR; + } + + if (server->ludpp->lud_attrs == NULL) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: No user attribute specified in auth_ldap_url."); + return NGX_CONF_ERROR; + } + + server->url.data = ngx_palloc(cf->pool, ngx_strlen(server->ludpp->lud_scheme) + sizeof("://") - 1 + + ngx_strlen(server->ludpp->lud_host) + sizeof(":65535")); + p = ngx_sprintf(server->url.data, "%s://%s:%d%Z", server->ludpp->lud_scheme, server->ludpp->lud_host, + server->ludpp->lud_port); + server->url.len = p - server->url.data - 1; + + ngx_memzero(&server->parsed_url, sizeof(ngx_url_t)); + server->parsed_url.url.data = (u_char *) server->ludpp->lud_host; + server->parsed_url.url.len = ngx_strlen(server->ludpp->lud_host); + server->parsed_url.default_port = server->ludpp->lud_port; + if (ngx_parse_url(cf->pool, &server->parsed_url) != NGX_OK) { + if (server->parsed_url.err) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: %s in LDAP hostname \"%V\"", + server->parsed_url.err, &server->parsed_url.url); + } + return NGX_CONF_ERROR; + } + + if (ngx_strcmp(server->ludpp->lud_scheme, "ldap") == 0) { + return NGX_CONF_OK; +#if (NGX_OPENSSL) + } else if (ngx_strcmp(server->ludpp->lud_scheme, "ldaps") == 0) { + ngx_http_auth_ldap_main_conf_t *halmcf = + ngx_http_conf_get_module_main_conf(cf, ngx_http_auth_ldap_module); + ngx_uint_t protos = NGX_SSL_SSLv2 | NGX_SSL_SSLv3 | + NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2; + if (halmcf->ssl.ctx == NULL && ngx_ssl_create(&halmcf->ssl, protos, halmcf) != NGX_OK) { + return NGX_CONF_ERROR; + } + return NGX_CONF_OK; +#endif + } else { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Protocol \"%s://\" is not supported.", + server->ludpp->lud_scheme); + return NGX_CONF_ERROR; + } +} + +/** + * Parse "require" conf parameter + */ +static char * +ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) +{ + ngx_str_t *value; + ngx_http_complex_value_t* target = NULL; + ngx_http_compile_complex_value_t ccv; + + value = cf->args->elts; + ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, "http_auth_ldap: parse_require"); + + if (ngx_strcmp(value[1].data, "valid_user") == 0) { + server->require_valid_user = 1; + if (cf->args->nelts < 3) { + return NGX_CONF_OK; + } + if (server->require_valid_user_dn.value.data != NULL) { + return "is duplicate"; + } + target = &server->require_valid_user_dn; + } else if (ngx_strcmp(value[1].data, "user") == 0) { + if (server->require_user == NULL) { + server->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_http_complex_value_t)); + if (server->require_user == NULL) { + return NGX_CONF_ERROR; + } + } + target = ngx_array_push(server->require_user); + } else if (ngx_strcmp(value[1].data, "group") == 0) { + ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, "http_auth_ldap: Setting group"); + if (server->require_group == NULL) { + server->require_group = ngx_array_create(cf->pool, 4, sizeof(ngx_http_complex_value_t)); + if (server->require_group == NULL) { + return NGX_CONF_ERROR; + } + } + target = ngx_array_push(server->require_group); + } + + if (target == NULL) { + return NGX_CONF_ERROR; + } + + ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t)); + ccv.cf = cf; + ccv.value = &value[2]; + ccv.complex_value = target; + if (ngx_http_compile_complex_value(&ccv) != NGX_OK) { + return NGX_CONF_ERROR; + } + + return NGX_CONF_OK; +} + +/** + * Parse "satisfy" conf parameter + */ +static char * +ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) +{ + ngx_str_t *value; + value = cf->args->elts; + + if (ngx_strcmp(value[1].data, "all") == 0) { + ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, "http_auth_ldap: Setting satisfy all"); + server->satisfy_all = 1; + return NGX_CONF_OK; + } + + if (ngx_strcmp(value[1].data, "any") == 0) { + server->satisfy_all = 0; + return NGX_CONF_OK; + } + + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Incorrect value for auth_ldap_satisfy"); + return NGX_CONF_ERROR; +} + +/** + * Parse "referral" conf parameter + */ +static char * +ngx_http_auth_ldap_parse_referral(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) +{ + ngx_str_t *value; + value = cf->args->elts; + + if (ngx_strcmp(value[1].data, "on") == 0) { + server->referral = 1; + return NGX_CONF_OK; + } + + if (ngx_strcmp(value[1].data, "off") == 0) { + server->referral = 0; + return NGX_CONF_OK; + } + + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Incorrect value for referral"); + return NGX_CONF_ERROR; +} + +/** + * Create main config which will store ldap_servers array + */ +static void * +ngx_http_auth_ldap_create_main_conf(ngx_conf_t *cf) +{ + ngx_http_auth_ldap_main_conf_t *conf; + + conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_ldap_main_conf_t)); + if (conf == NULL) { + return NULL; + } + + conf->cache_enabled = NGX_CONF_UNSET; + conf->cache_expiration_time = NGX_CONF_UNSET_MSEC; + conf->cache_size = NGX_CONF_UNSET_SIZE; + conf->servers_size = NGX_CONF_UNSET; + + return conf; +} + +static char * +ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent) +{ + ngx_http_auth_ldap_main_conf_t *conf = parent; + + if (conf->cache_enabled == NGX_CONF_UNSET) { + conf->cache_enabled = 0; + } + if (conf->cache_enabled == 0) { + return NGX_CONF_OK; + } + + if (conf->cache_size == NGX_CONF_UNSET_SIZE) { + conf->cache_size = 100; + } + if (conf->cache_size < 100) { + ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_size cannot be smaller than 100 entries."); + return NGX_CONF_ERROR; + } + + if (conf->cache_expiration_time == NGX_CONF_UNSET_MSEC) { + conf->cache_expiration_time = 10000; + } + if (conf->cache_expiration_time < 1000) { + ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_expiration_time cannot be smaller than 1000 ms."); + return NGX_CONF_ERROR; + } + + return NGX_CONF_OK; +} + +/** + * Create location conf + */ +static void * +ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *cf) +{ + ngx_http_auth_ldap_loc_conf_t *conf; + conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_ldap_loc_conf_t)); + if (conf == NULL) { + return NULL; + } + conf->servers = NGX_CONF_UNSET_PTR; + + return conf; +} + +/** + * Merge location conf + */ +static char * +ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) +{ + ngx_http_auth_ldap_loc_conf_t *prev = parent; + ngx_http_auth_ldap_loc_conf_t *conf = child; + + if (conf->realm.data == NULL) { + conf->realm = prev->realm; + } + ngx_conf_merge_ptr_value(conf->servers, prev->servers, NULL); + + return NGX_CONF_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_init_worker(ngx_cycle_t *cycle) +{ + ngx_int_t rc; + + if (ngx_process != NGX_PROCESS_SINGLE && ngx_process != NGX_PROCESS_WORKER) { + return NGX_OK; + } + + rc = ngx_http_auth_ldap_init_cache(cycle); + if (rc != NGX_OK) { + return rc; + } + + rc = ngx_http_auth_ldap_init_connections(cycle); + if (rc != NGX_OK) { + return rc; + } + + return NGX_OK; +} + +/** + * Init module and add ldap auth handler to NGX_HTTP_ACCESS_PHASE + */ +static ngx_int_t +ngx_http_auth_ldap_init(ngx_conf_t *cf) +{ + ngx_http_handler_pt *h; + ngx_http_core_main_conf_t *cmcf; + + cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); + + h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers); + if (h == NULL) { + return NGX_ERROR; + } + + *h = ngx_http_auth_ldap_handler; + return NGX_OK; +} + + +/*** Authentication cache ***/ + +static ngx_int_t +ngx_http_auth_ldap_init_cache(ngx_cycle_t *cycle) +{ + ngx_http_auth_ldap_main_conf_t *conf; + ngx_uint_t want, count, i; + ngx_http_auth_ldap_cache_t *cache; + static const uint16_t primes[] = { + 13, 53, 101, 151, 199, 263, 317, 383, 443, 503, + 577, 641, 701, 769, 839, 911, 983, 1049, 1109 + }; + + conf = (ngx_http_auth_ldap_main_conf_t *) ngx_http_cycle_get_module_main_conf(cycle, ngx_http_auth_ldap_module); + if (conf == NULL || !conf->cache_enabled) { + return NGX_OK; + } + + want = (conf->cache_size + 7) / 8; + count = 0; + for (i = 0; i < sizeof(primes)/sizeof(primes[0]); i++) { + count = primes[i]; + if (count >= want) { + break; + } + } + + cache = &ngx_http_auth_ldap_cache; + cache->expiration_time = conf->cache_expiration_time; + cache->num_buckets = count; + cache->elts_per_bucket = 8; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, cycle->log, 0, "http_auth_ldap: Allocating %ud bytes of LDAP cache.", + cache->num_buckets * cache->elts_per_bucket * sizeof(ngx_http_auth_ldap_cache_elt_t)); + + cache->buckets = (ngx_http_auth_ldap_cache_elt_t *) ngx_calloc(count * 8 * sizeof(ngx_http_auth_ldap_cache_elt_t), cycle->log); + if (cache->buckets == NULL) { + ngx_log_error(NGX_LOG_ERR, cycle->log, 0, "http_auth_ldap: Unable to allocate memory for LDAP cache."); + return NGX_ERROR; + } + + return NGX_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_check_cache(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, + ngx_http_auth_ldap_cache_t *cache, ngx_http_auth_ldap_server_t *server) +{ + ngx_http_auth_ldap_cache_elt_t *elt; + ngx_md5_t md5ctx; + ngx_msec_t time_limit; + ngx_uint_t i; + + ctx->cache_small_hash = ngx_murmur_hash2(r->headers_in.user.data, r->headers_in.user.len) ^ (uint32_t) (ngx_uint_t) server; + + ngx_md5_init(&md5ctx); + ngx_md5_update(&md5ctx, r->headers_in.user.data, r->headers_in.user.len); + ngx_md5_update(&md5ctx, server, offsetof(ngx_http_auth_ldap_server_t, free_connections)); + ngx_md5_update(&md5ctx, r->headers_in.passwd.data, r->headers_in.passwd.len); + ngx_md5_final(ctx->cache_big_hash, &md5ctx); + + ctx->cache_bucket = &cache->buckets[ctx->cache_small_hash % cache->num_buckets]; + + elt = ctx->cache_bucket; + time_limit = ngx_current_msec - cache->expiration_time; + for (i = 0; i < cache->elts_per_bucket; i++, elt++) { + if (elt->small_hash == ctx->cache_small_hash && + elt->time > time_limit && + memcmp(elt->big_hash, ctx->cache_big_hash, 16) == 0) { + return elt->outcome; + } + } + + return -1; +} + +static void +ngx_http_auth_ldap_update_cache(ngx_http_auth_ldap_ctx_t *ctx, + ngx_http_auth_ldap_cache_t *cache, ngx_flag_t outcome) +{ + ngx_http_auth_ldap_cache_elt_t *elt, *oldest_elt; + ngx_uint_t i; + + elt = ctx->cache_bucket; + oldest_elt = elt; + for (i = 1; i < cache->elts_per_bucket; i++, elt++) { + if (elt->time < oldest_elt->time) { + oldest_elt = elt; + } + } + + oldest_elt->time = ngx_current_msec; + oldest_elt->outcome = outcome; + oldest_elt->small_hash = ctx->cache_small_hash; + ngx_memcpy(oldest_elt->big_hash, ctx->cache_big_hash, 16); +} + + +/*** OpenLDAP SockBuf implementation over nginx socket functions ***/ + +static int +ngx_http_auth_ldap_sb_setup(Sockbuf_IO_Desc *sbiod, void *arg) +{ + sbiod->sbiod_pvt = arg; + return 0; +} + +static int +ngx_http_auth_ldap_sb_remove(Sockbuf_IO_Desc *sbiod) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_remove()"); + (void)c; /* 'c' would be left unused on debug builds */ + + sbiod->sbiod_pvt = NULL; + return 0; +} + +static int +ngx_http_auth_ldap_sb_close(Sockbuf_IO_Desc *sbiod) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_close()"); + + if (!c->conn.connection->read->error && !c->conn.connection->read->eof) { + if (ngx_shutdown_socket(c->conn.connection->fd, SHUT_RDWR) == -1) { + ngx_connection_error(c->conn.connection, ngx_socket_errno, ngx_shutdown_socket_n " failed"); + ngx_http_auth_ldap_close_connection(c); + return -1; + } + } + + return 0; +} + +static int +ngx_http_auth_ldap_sb_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_ctrl(opt=%d)", opt); + + switch (opt) { + case LBER_SB_OPT_DATA_READY: + if (c->conn.connection->read->ready) { + return 1; + } + return 0; + } + + return 0; +} + +static ber_slen_t +ngx_http_auth_ldap_sb_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + ber_slen_t ret; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_read(len=%d)", len); + + ret = c->conn.connection->recv(c->conn.connection, buf, len); + if (ret < 0) { + errno = (ret == NGX_AGAIN) ? NGX_EAGAIN : NGX_ECONNRESET; + return -1; + } + + return ret; +} + +static ber_slen_t +ngx_http_auth_ldap_sb_write(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + ber_slen_t ret; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_write(len=%d)", len); + + ret = c->conn.connection->send(c->conn.connection, buf, len); + if (ret < 0) { + errno = (ret == NGX_AGAIN) ? NGX_EAGAIN : NGX_ECONNRESET; + return 0; + } + + return ret; +} + +static Sockbuf_IO ngx_http_auth_ldap_sbio = +{ + ngx_http_auth_ldap_sb_setup, + ngx_http_auth_ldap_sb_remove, + ngx_http_auth_ldap_sb_ctrl, + ngx_http_auth_ldap_sb_read, + ngx_http_auth_ldap_sb_write, + ngx_http_auth_ldap_sb_close +}; + + +/*** Asynchronous LDAP connection handling ***/ + +static void +ngx_http_auth_ldap_close_connection(ngx_http_auth_ldap_connection_t *c) +{ + ngx_queue_t *q; + + if (c->ld) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Unbinding from the server \"%V\")", + &c->server->url); + ldap_unbind_ext(c->ld, NULL, NULL); + /* Unbind is always synchronous, even though the function name does not end with an '_s'. */ + c->ld = NULL; + } + + if (c->conn.connection) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Closing connection (fd=%d)", + c->conn.connection->fd); + +#if (NGX_OPENSSL) + if (c->conn.connection->ssl) { + c->conn.connection->ssl->no_wait_shutdown = 1; + (void) ngx_ssl_shutdown(c->conn.connection); + } +#endif + + ngx_close_connection(c->conn.connection); + c->conn.connection = NULL; + } + + q = ngx_queue_head(&c->server->free_connections); + while (q != ngx_queue_sentinel(&c->server->free_connections)) { + if (q == &c->queue) { + ngx_queue_remove(q); + break; + } + q = ngx_queue_next(q); + } + + c->rctx = NULL; + if (c->state != STATE_DISCONNECTED) { + c->state = STATE_DISCONNECTED; + ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connection scheduled for reconnection in %d ms", c->server->reconnect_timeout); + } +} + +static void +ngx_http_auth_ldap_wake_request(ngx_http_request_t *r) +{ + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Waking authentication request \"%V\"", + &r->request_line); + ngx_http_core_run_phases(r); +} + +static int +ngx_http_auth_ldap_get_connection(ngx_http_auth_ldap_ctx_t *ctx) +{ + ngx_http_auth_ldap_server_t *server; + ngx_queue_t *q; + ngx_http_auth_ldap_connection_t *c; + + /* + * If we already have a connection, just say we got them one. + */ + if (ctx->c != NULL) + return 1; + + server = ctx->server; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "http_auth_ldap: Wants a free connection to \"%V\"", + &server->alias); + + if (!ngx_queue_empty(&server->free_connections)) { + q = ngx_queue_last(&server->free_connections); + ngx_queue_remove(q); + c = ngx_queue_data(q, ngx_http_auth_ldap_connection_t, queue); + c->rctx = ctx; + ctx->c = c; + ctx->replied = 0; + return 1; + } + + q = ngx_queue_next(&server->waiting_requests); + while (q != ngx_queue_sentinel(&server->waiting_requests)) { + if (q == &ctx->queue) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "http_auth_ldap: Tried to insert a same request"); + return 0; + } + q = ngx_queue_next(q); + } + ngx_queue_insert_head(&server->waiting_requests, &ctx->queue); + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "http_auth_ldap: No connection available at the moment, waiting..."); + return 0; +} + +static void +ngx_http_auth_ldap_return_connection(ngx_http_auth_ldap_connection_t *c) +{ + ngx_queue_t *q; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Marking the connection to \"%V\" as free", + &c->server->alias); + + if (c->rctx != NULL) { + c->rctx->c = NULL; + c->rctx = NULL; + c->msgid = -1; + c->state = STATE_READY; + } + + ngx_queue_insert_head(&c->server->free_connections, &c->queue); + if (!ngx_queue_empty(&c->server->waiting_requests)) { + q = ngx_queue_last(&c->server->waiting_requests); + ngx_queue_remove(q); + ngx_http_auth_ldap_wake_request((ngx_queue_data(q, ngx_http_auth_ldap_ctx_t, queue))->r); + } +} + +static void +ngx_http_auth_ldap_reply_connection(ngx_http_auth_ldap_connection_t *c, int error_code, char* error_msg) +{ + ngx_http_auth_ldap_ctx_t *ctx = c->rctx; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: LDAP request to \"%V\" has finished", + &c->server->alias); + + ctx->replied = 1; + ctx->error_code = error_code; + if (error_msg) { + ctx->error_msg.len = ngx_strlen(error_msg); + ctx->error_msg.data = ngx_palloc(ctx->r->pool, ctx->error_msg.len); + ngx_memcpy(ctx->error_msg.data, error_msg, ctx->error_msg.len); + } else { + ctx->error_msg.len = 0; + ctx->error_msg.data = NULL; + } + + ngx_http_auth_ldap_wake_request(ctx->r); +} + +static void +ngx_http_auth_ldap_dummy_write_handler(ngx_event_t *wev) +{ + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, wev->log, 0, "http_auth_ldap: Dummy write handler"); + + if (ngx_handle_write_event(wev, 0) != NGX_OK) { + ngx_http_auth_ldap_close_connection(((ngx_connection_t *) wev->data)->data); + } +} + + +#if (NGX_OPENSSL) +/* Make sure the event handlers are activated. */ +static ngx_int_t +ngx_http_auth_ldap_restore_handlers(ngx_connection_t *conn) +{ + ngx_int_t rc; + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, conn->log, 0, "http_auth_ldap: Restoring event handlers. read=%d write=%d", conn->read->active, conn->write->active); + + if (!conn->read->active) { + rc = ngx_add_event(conn->read, NGX_READ_EVENT, 0); + if (rc != NGX_OK) { + return rc; + } + } + + if (!conn->write->active && + (conn->write->handler != ngx_http_auth_ldap_dummy_write_handler)) { + rc = ngx_add_event(conn->write, NGX_WRITE_EVENT, 0); + if (rc != NGX_OK) { + return rc; + } + } + + return NGX_OK; +} +#endif + +static void +ngx_http_auth_ldap_connection_established(ngx_http_auth_ldap_connection_t *c) +{ + ngx_connection_t *conn; + Sockbuf *sb; + ngx_int_t rc; + struct berval cred; + + conn = c->conn.connection; + ngx_del_timer(conn->read); + conn->write->handler = ngx_http_auth_ldap_dummy_write_handler; + + + /* Initialize OpenLDAP on the connection */ + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Initializing connection using URL \"%V\"", &c->server->url); + + rc = ldap_init_fd(c->conn.connection->fd, LDAP_PROTO_EXT, (const char *) c->server->url.data, &c->ld); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, errno, "http_auth_ldap: ldap_init_fd() failed (%d: %s)", rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + + if (c->server->referral == 0) { + rc = ldap_set_option(c->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + if (rc != LDAP_OPT_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_set_option() failed (%d: %s)", rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + } + + rc = ldap_get_option(c->ld, LDAP_OPT_SOCKBUF, (void *) &sb); + if (rc != LDAP_OPT_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_get_option() failed (%d: %s)", rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + + ber_sockbuf_add_io(sb, &ngx_http_auth_ldap_sbio, LBER_SBIOD_LEVEL_PROVIDER, (void *) c); + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connection initialized"); + + + /* Perform initial bind to the server */ + + cred.bv_val = (char *) c->server->bind_dn_passwd.data; + cred.bv_len = c->server->bind_dn_passwd.len; + rc = ldap_sasl_bind(c->ld, (const char *) c->server->bind_dn.data, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &c->msgid); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)", + rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", c->msgid); + + c->state = STATE_INITIAL_BINDING; + ngx_add_timer(c->conn.connection->read, c->server->bind_timeout); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: bind_timeout=%d", c->server->bind_timeout); +} + +#if (NGX_OPENSSL) +static void +ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn, ngx_flag_t validate) +{ + ngx_http_auth_ldap_connection_t *c; + c = conn->data; + + if (conn->ssl->handshaked) { + #if OPENSSL_VERSION_NUMBER >= 0x10002000 + if (validate) { // verify remote certificate if requested + X509 *cert = SSL_get_peer_certificate(conn->ssl->connection); + long chain_verified = SSL_get_verify_result(conn->ssl->connection); + + int addr_verified; + char *hostname = c->server->ludpp->lud_host; + addr_verified = X509_check_host(cert, hostname, 0, 0, 0); + + if (!addr_verified) { // domain not in cert? try IP + size_t len; // get IP length + if (conn->sockaddr->sa_family == 4) len = 4; + else if (conn->sockaddr->sa_family == 6) len = 16; + else { // very unlikely indeed + ngx_http_auth_ldap_close_connection(c); + return; + } + addr_verified = X509_check_ip(cert, (const unsigned char*)conn->sockaddr->sa_data, len, 0); + } + + // Find anything fishy? + if ( !(cert && addr_verified && chain_verified == X509_V_OK) ) { + if (!addr_verified) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "http_auth_ldap: Remote side presented invalid SSL certificate: " + "does not match address (neither server's domain nor IP in certificate's CN or SAN)"); + fprintf(stderr, "DEBUG: SSL cert domain mismatch\n"); fflush(stderr); + } else { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "http_auth_ldap: Remote side presented invalid SSL certificate: error %l, %s", + chain_verified, X509_verify_cert_error_string(chain_verified)); + } + ngx_http_auth_ldap_close_connection(c); + return; + } + } + #endif + + // handshaked validation successful -- or not required in the first place + conn->read->handler = &ngx_http_auth_ldap_read_handler; + ngx_http_auth_ldap_restore_handlers(conn); + ngx_http_auth_ldap_connection_established(c); + return; + } + else { // handshake failed + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed"); + ngx_http_auth_ldap_close_connection(c); + } +} + +static void +ngx_http_auth_ldap_ssl_handshake_validating_handler(ngx_connection_t *conn) +{ ngx_http_auth_ldap_ssl_handshake_handler(conn, 1); } + +static void +ngx_http_auth_ldap_ssl_handshake_non_validating_handler(ngx_connection_t *conn) +{ ngx_http_auth_ldap_ssl_handshake_handler(conn, 0); } + +typedef void (*ngx_http_auth_ldap_ssl_callback)(ngx_connection_t *conn); + +static void +ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c) +{ + ngx_int_t rc; + + c->conn.connection->pool = c->pool; + rc = ngx_ssl_create_connection(c->ssl, c->conn.connection, NGX_SSL_BUFFER | NGX_SSL_CLIENT); + if (rc != NGX_OK) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL initialization failed"); + ngx_http_auth_ldap_close_connection(c); + return; + } + + c->log->action = "SSL handshaking to LDAP server"; + ngx_connection_t *transport = c->conn.connection; + + ngx_http_auth_ldap_ssl_callback callback; + if (c->server->ssl_check_cert) { + // load CA certificates: custom ones if specified, default ones instead + if (c->server->ssl_ca_file.data || c->server->ssl_ca_dir.data) { + int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx, + (char*)(c->server->ssl_ca_file.data), (char*)(c->server->ssl_ca_dir.data)); + if (setcode != 1) { + unsigned long error_code = ERR_get_error(); + char *error_msg = ERR_error_string(error_code, NULL); + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "http_auth_ldap: SSL initialization failed. Could not set custom CA certificate location. " + "Error: %lu, %s", error_code, error_msg); + } + } + int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx); + if (setcode != 1) { + unsigned long error_code = ERR_get_error(); + char *error_msg = ERR_error_string(error_code, NULL); + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "http_auth_ldap: SSL initialization failed. Could not use default CA certificate location. " + "Error: %lu, %s", error_code, error_msg); + } + + // use validating version of next function + callback = &ngx_http_auth_ldap_ssl_handshake_validating_handler; + } else { + // use non-validating version of next function + callback = &ngx_http_auth_ldap_ssl_handshake_non_validating_handler; + } + + rc = ngx_ssl_handshake(transport); + if (rc == NGX_AGAIN) { + transport->ssl->handler = callback; + return; + } + + (*callback)(transport); + return; +} +#endif + +static void +ngx_http_auth_ldap_connect_handler(ngx_event_t *wev) +{ + ngx_connection_t *conn; + ngx_http_auth_ldap_connection_t *c; + int keepalive; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, wev->log, 0, "http_auth_ldap: Connect handler"); + + conn = wev->data; + c = conn->data; + + if (ngx_handle_write_event(wev, 0) != NGX_OK) { + ngx_http_auth_ldap_close_connection(c); + return; + } + + keepalive = 1; + if (setsockopt(conn->fd, SOL_SOCKET, SO_KEEPALIVE, (const void *) &keepalive, sizeof(int)) == -1) + { + ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno, "http_auth_ldap: setsockopt(SO_KEEPALIVE) failed"); + } + +#if (NGX_OPENSSL) + if (ngx_strcmp(c->server->ludpp->lud_scheme, "ldaps") == 0) { + ngx_http_auth_ldap_ssl_handshake(c); + return; + } +#endif + + ngx_http_auth_ldap_connection_established(c); +} + +static void +ngx_http_auth_ldap_read_handler(ngx_event_t *rev) +{ + ngx_connection_t *conn; + ngx_http_auth_ldap_connection_t *c; + ngx_int_t rc; + struct timeval timeout = {0, 0}; + LDAPMessage *result; + int error_code; + char *error_msg; + char *dn; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0, "http_auth_ldap: Read handler"); + + conn = rev->data; + c = conn->data; + + if (c->ld == NULL) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Could not connect"); + ngx_http_auth_ldap_close_connection(c); + return; + } + + if (rev->timedout) { + ngx_log_error(NGX_LOG_ERR, c->log, NGX_ETIMEDOUT, "http_auth_ldap: Request timed out (state=%d)", c->state); + conn->timedout = 1; + ngx_http_auth_ldap_close_connection(c); + return; + } + + c->log->action = "reading response from LDAP"; + + for (;;) { + rc = ldap_result(c->ld, LDAP_RES_ANY, 0, &timeout, &result); + if (rc < 0) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_result() failed (%d: %s)", + rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + if (rc == 0) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_result() -> rc=0"); + break; + } + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_result() -> rc=%d, msgid=%d, msgtype=%d", + rc, ldap_msgid(result), ldap_msgtype(result)); + + if (ldap_msgid(result) != c->msgid) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Message with unknown ID received, ignoring."); + ldap_msgfree(result); + continue; + } + + rc = ldap_parse_result(c->ld, result, &error_code, NULL, &error_msg, NULL, NULL, 0); + if (rc == LDAP_NO_RESULTS_RETURNED) { + error_code = LDAP_NO_RESULTS_RETURNED; + error_msg = NULL; + } else if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_parse_result() failed (%d: %s)", + rc, ldap_err2string(rc)); + ldap_msgfree(result); + ngx_http_auth_ldap_close_connection(c); + return; + } + + switch (c->state) { + case STATE_INITIAL_BINDING: + if (ldap_msgtype(result) != LDAP_RES_BIND) { + break; + } + ngx_del_timer(conn->read); + if (error_code == LDAP_SUCCESS) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Initial bind successful"); + c->state = STATE_READY; + ngx_http_auth_ldap_return_connection(c); + } else { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Initial bind failed (%d: %s [%s])", + error_code, ldap_err2string(error_code), error_msg ? error_msg : "-"); + ldap_memfree(error_msg); + ldap_msgfree(result); + ngx_http_auth_ldap_close_connection(c); + return; + } + break; + + case STATE_BINDING: + if (ldap_msgtype(result) != LDAP_RES_BIND) { + break; + } + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Received bind response (%d: %s [%s])", + error_code, ldap_err2string(error_code), error_msg ? error_msg : "-"); + ngx_http_auth_ldap_reply_connection(c, error_code, error_msg); + break; + + case STATE_SEARCHING: + if (ldap_msgtype(result) == LDAP_RES_SEARCH_ENTRY) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Received a search entry"); + if (c->rctx->dn.data == NULL) { + dn = ldap_get_dn(c->ld, result); + if (dn != NULL) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Found entry with DN \"%s\"", dn); + c->rctx->dn.len = ngx_strlen(dn); + c->rctx->dn.data = (u_char *) ngx_palloc(c->rctx->r->pool, c->rctx->dn.len + 1); + ngx_memcpy(c->rctx->dn.data, dn, c->rctx->dn.len + 1); + ldap_memfree(dn); + } + } + } else if (ldap_msgtype(result) == LDAP_RES_SEARCH_RESULT) { + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Received search result (%d: %s [%s])", + error_code, ldap_err2string(error_code), error_msg ? error_msg : "-"); + ngx_http_auth_ldap_reply_connection(c, error_code, error_msg); + } + break; + + case STATE_COMPARING: + if (ldap_msgtype(result) != LDAP_RES_COMPARE) { + break; + } + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Received comparison result (%d: %s [%s])", + error_code, ldap_err2string(error_code), error_msg ? error_msg : "-"); + ngx_http_auth_ldap_reply_connection(c, error_code, error_msg); + break; + + default: + break; + } + + ldap_memfree(error_msg); + ldap_msgfree(result); + } + + if (ngx_handle_read_event(rev, 0) != NGX_OK) { + ngx_http_auth_ldap_close_connection(c); + return; + } +} + +static void +ngx_http_auth_ldap_connect(ngx_http_auth_ldap_connection_t *c) +{ + ngx_peer_connection_t *pconn; + ngx_connection_t *conn; + ngx_addr_t *addr; + ngx_int_t rc; + + addr = &c->server->parsed_url.addrs[ngx_random() % c->server->parsed_url.naddrs]; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connecting to LDAP server \"%V\".", + &addr->name); + + pconn = &c->conn; + pconn->sockaddr = addr->sockaddr; + pconn->socklen = addr->socklen; + pconn->name = &addr->name; + pconn->get = ngx_event_get_peer; + pconn->log = c->log; + pconn->log_error = NGX_ERROR_ERR; + + rc = ngx_event_connect_peer(pconn); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ngx_event_connect_peer() -> %d.", rc); + if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Unable to connect to LDAP server \"%V\".", + &addr->name); + ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout); + return; + } + + conn = pconn->connection; + conn->data = c; +#if (NGX_OPENSSL) + conn->pool = c->pool; +#endif + conn->write->handler = ngx_http_auth_ldap_connect_handler; + conn->read->handler = ngx_http_auth_ldap_read_handler; + ngx_add_timer(conn->read, c->server->connect_timeout); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: connect_timeout=%d.", c->server->connect_timeout); + + + c->state = STATE_CONNECTING; +} + +static void +ngx_http_auth_ldap_connection_cleanup(void *data) +{ + ngx_http_auth_ldap_close_connection((ngx_http_auth_ldap_connection_t *) data); +} + +static void +ngx_http_auth_ldap_reconnect_handler(ngx_event_t *ev) +{ + ngx_connection_t *conn = ev->data; + ngx_http_auth_ldap_connection_t *c = conn->data; + ngx_http_auth_ldap_connect(c); +} + +static ngx_int_t +ngx_http_auth_ldap_init_connections(ngx_cycle_t *cycle) +{ + ngx_http_auth_ldap_connection_t *c; + ngx_http_auth_ldap_main_conf_t *halmcf; + ngx_http_auth_ldap_server_t *server; + ngx_pool_cleanup_t *cleanup; + ngx_connection_t *dummy_conn; + ngx_uint_t i, j; + int option; + + halmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_auth_ldap_module); + if (halmcf == NULL || halmcf->servers == NULL) { + return NGX_OK; + } + + option = LDAP_VERSION3; + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &option); + + for (i = 0; i < halmcf->servers->nelts; i++) { + server = &((ngx_http_auth_ldap_server_t *) halmcf->servers->elts)[i]; + ngx_queue_init(&server->free_connections); + ngx_queue_init(&server->waiting_requests); + if (server->connections <= 1) { + server->connections = 1; + } + + for (j = 0; j < server->connections; j++) { + c = ngx_pcalloc(cycle->pool, sizeof(ngx_http_auth_ldap_connection_t)); + cleanup = ngx_pool_cleanup_add(cycle->pool, 0); + dummy_conn = ngx_pcalloc(cycle->pool, sizeof(ngx_connection_t)); + if (c == NULL || cleanup == NULL || dummy_conn == NULL) { + return NGX_ERROR; + } + + cleanup->handler = &ngx_http_auth_ldap_connection_cleanup; + cleanup->data = c; + + c->log = cycle->log; + c->server = server; + c->state = STATE_DISCONNECTED; + + /* Various debug logging around timer management assume that the field + 'data' in ngx_event_t is a pointer to ngx_connection_t, therefore we + have a dummy such structure around so that it does not crash etc. */ + dummy_conn->data = c; + c->reconnect_event.log = c->log; + c->reconnect_event.data = dummy_conn; + c->reconnect_event.handler = ngx_http_auth_ldap_reconnect_handler; + +#if (NGX_OPENSSL) + c->pool = cycle->pool; + c->ssl = &halmcf->ssl; +#endif + + ngx_http_auth_ldap_connect(c); + } + } + + return NGX_OK; +} + + + +/*** Per-request authentication processing ***/ + +/** + * Respond with "403 Forbidden" and add correct headers + */ +static ngx_int_t +ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) +{ + r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); + if (r->headers_out.www_authenticate == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + r->headers_out.www_authenticate->hash = 1; + r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1; + r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate"; + r->headers_out.www_authenticate->value = *realm; + + return NGX_HTTP_UNAUTHORIZED; +} + +/** + * LDAP Authentication handler + */ +static ngx_int_t +ngx_http_auth_ldap_handler(ngx_http_request_t *r) +{ + ngx_http_auth_ldap_loc_conf_t *alcf; + ngx_http_auth_ldap_ctx_t *ctx; + int rc; + + alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_ldap_module); + if (alcf->realm.len == 0) { + return NGX_DECLINED; + } + + ctx = ngx_http_get_module_ctx(r, ngx_http_auth_ldap_module); + if (ctx == NULL) { + rc = ngx_http_auth_basic_user(r); + if (rc == NGX_DECLINED) { + return ngx_http_auth_ldap_set_realm(r, &alcf->realm); + } + if (rc == NGX_ERROR) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Username is \"%V\"", + &r->headers_in.user); + if (r->headers_in.passwd.len == 0) + { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Password is empty"); + return ngx_http_auth_ldap_set_realm(r, &alcf->realm); + } + + ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_auth_ldap_ctx_t)); + if (ctx == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + ctx->r = r; + /* Other fields have been initialized to zero/NULL */ + ngx_http_set_ctx(r, ctx, ngx_http_auth_ldap_module); + } + + return ngx_http_auth_ldap_authenticate(r, ctx, alcf); +} + +/** + * Iteratively handle all phases of the authentication process, might be called many times + */ +static ngx_int_t +ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, + ngx_http_auth_ldap_loc_conf_t *conf) +{ + ngx_int_t rc; + + if (r->connection->write->timedout) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: Authentication timed out"); + if (ctx->c != NULL) { + ngx_http_auth_ldap_return_connection(ctx->c); + } + return NGX_ERROR; + } + + /* + * If we are not starting up a request (ctx->phase != PHASE_START) and we actually already + * sent a request (ctx->iteration > 0) and didn't receive a reply yet (!ctx->replied) we + * ask to be called again at a later time when we hopefully have received a reply. + * + * It is quite possible that we reach this if while not having sent a request yet (ctx->iteration == 0) - + * this happens when we are trying to get an LDAP connection but all of them are busy right now. + */ + if (ctx->iteration > 0 && !ctx->replied && ctx->phase != PHASE_START) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: The LDAP operation did not finish yet"); + return NGX_AGAIN; + } + + for (;;) { + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Authentication loop (phase=%d, iteration=%d)", + ctx->phase, ctx->iteration); + + switch (ctx->phase) { + case PHASE_START: + ctx->server = ((ngx_http_auth_ldap_server_t **) conf->servers->elts)[ctx->server_index]; + ctx->outcome = OUTCOME_UNCERTAIN; + + ngx_add_timer(r->connection->write, ctx->server->request_timeout); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: request_timeout=%d",ctx->server->request_timeout); + + + /* Check cache if enabled */ + if (ngx_http_auth_ldap_cache.buckets != NULL) { + rc = ngx_http_auth_ldap_check_cache(r, ctx, &ngx_http_auth_ldap_cache, ctx->server); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Using cached outcome %d", rc); + if (rc == OUTCOME_DENY || rc == OUTCOME_ALLOW) { + ctx->outcome = (rc == OUTCOME_DENY ? OUTCOME_CACHED_DENY : OUTCOME_CACHED_ALLOW); + ctx->phase = PHASE_NEXT; + break; + } + } + + if (ctx->server->require_valid_user_dn.value.data != NULL) { + /* Construct user DN */ + if (ngx_http_complex_value(r, &ctx->server->require_valid_user_dn, &ctx->dn) != NGX_OK) { + ngx_del_timer(r->connection->write); + return NGX_ERROR; + } + ctx->phase = PHASE_CHECK_USER; + break; + } + + ctx->phase = PHASE_SEARCH; + ctx->iteration = 0; + break; + + case PHASE_SEARCH: + /* Search the directory to retrieve full user DN */ + rc = ngx_http_auth_ldap_search(r, ctx); + if (rc == NGX_AGAIN) { + /* LDAP operation in progress, wait for the results */ + return NGX_AGAIN; + } + if (rc != NGX_OK) { + /* Search failed, try next server */ + ctx->phase = PHASE_NEXT; + break; + } + + /* User DN has been found, check user next */ + ctx->phase = PHASE_CHECK_USER; + break; + + case PHASE_CHECK_USER: + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: User DN is \"%V\"", + &ctx->dn); + + if (ctx->server->require_user != NULL) { + rc = ngx_http_auth_ldap_check_user(r, ctx); + if (rc != NGX_OK) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Not ok", &ctx->dn); + /* User check failed, try next server */ + ctx->phase = PHASE_NEXT; + break; + } + } + + /* User not yet fully authenticated, check group next */ + if ((ctx->outcome == OUTCOME_UNCERTAIN) && + (ctx->server->require_group != NULL)) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Moving to group check", &ctx->dn); + ctx->phase = PHASE_CHECK_GROUP; + ctx->iteration = 0; + break; + } + + /* No groups to validate, try binding next */ + ctx->phase = PHASE_CHECK_BIND; + ctx->iteration = 0; + break; + + case PHASE_CHECK_GROUP: + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "Checking group", &ctx->dn); + rc = ngx_http_auth_ldap_check_group(r, ctx); + if (rc == NGX_AGAIN) { + /* LDAP operation in progress, wait for the results */ + return NGX_AGAIN; + } + if (rc != NGX_OK) { + /* Group check failed, try next server */ + ctx->phase = PHASE_NEXT; + break; + } + + /* Groups validated, try binding next */ + ctx->phase = PHASE_CHECK_BIND; + ctx->iteration = 0; + break; + + case PHASE_CHECK_BIND: + + if (ctx->outcome == OUTCOME_UNCERTAIN) { + /* If we're still uncertain when satisfy is 'any' and there + * is at least one require user/group rule, it means no + * rule has matched. + */ + if ((ctx->server->satisfy_all == 0) && ( + (ctx->server->require_user != NULL) || + (ctx->server->require_group != NULL))){ + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: no requirement satisfied"); + ctx->outcome = OUTCOME_DENY; + ctx->phase = PHASE_NEXT; + /*rc = NGX_DECLINED;*/ + break; + } else { + /* So far so good */ + ctx->outcome = OUTCOME_ALLOW; + } + } + + /* Initiate bind using the found DN and request password */ + rc = ngx_http_auth_ldap_check_bind(r, ctx); + if (rc == NGX_AGAIN) { + /* LDAP operation in progress, wait for the result */ + return NGX_AGAIN; + } + + /* All steps done, finish the processing */ + ctx->phase = PHASE_REBIND; + ctx->iteration = 0; + break; + + case PHASE_REBIND: + /* Initiate bind using the found DN and request password */ + rc = ngx_http_auth_ldap_recover_bind(r, ctx); + if (rc == NGX_AGAIN) { + /* LDAP operation in progress, wait for the result */ + return NGX_AGAIN; + } + + /* All steps done, finish the processing */ + ctx->phase = PHASE_NEXT; + break; + + case PHASE_NEXT: + if (r->connection->write->timer_set) { + ngx_del_timer(r->connection->write); + } + + if (ctx->c != NULL) { + ngx_http_auth_ldap_return_connection(ctx->c); + } + + if (ngx_http_auth_ldap_cache.buckets != NULL && + (ctx->outcome == OUTCOME_DENY || ctx->outcome == OUTCOME_ALLOW)) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Caching outcome %d", ctx->outcome); + ngx_http_auth_ldap_update_cache(ctx, &ngx_http_auth_ldap_cache, ctx->outcome); + } + + if (ctx->outcome == OUTCOME_ALLOW || ctx->outcome == OUTCOME_CACHED_ALLOW) { + return NGX_OK; + } + + ctx->server_index++; + if (ctx->server_index >= conf->servers->nelts) { + return ngx_http_auth_ldap_set_realm(r, &conf->realm); + } + + ctx->phase = PHASE_START; + break; + } + } +} + +static ngx_int_t +ngx_http_auth_ldap_search(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + LDAPURLDesc *ludpp; + u_char *filter; + char *attrs[2]; + ngx_int_t rc; + + /* On the first call, initiate the LDAP search operation */ + if (ctx->iteration == 0) { + if (!ngx_http_auth_ldap_get_connection(ctx)) { + return NGX_AGAIN; + } + + ludpp = ctx->server->ludpp; + filter = ngx_pcalloc( + r->pool, + (ludpp->lud_filter != NULL ? ngx_strlen(ludpp->lud_filter) : ngx_strlen("(objectClass=*)")) + + ngx_strlen("(&(=))") + ngx_strlen(ludpp->lud_attrs[0]) + r->headers_in.user.len + 1); + ngx_sprintf(filter, "(&%s(%s=%V))%Z", + ludpp->lud_filter != NULL ? ludpp->lud_filter : "(objectClass=*)", + ludpp->lud_attrs[0], &r->headers_in.user); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Search filter is \"%s\"", + (const char *) filter); + + attrs[0] = LDAP_NO_ATTRS; + attrs[1] = NULL; + + rc = ldap_search_ext(ctx->c->ld, ludpp->lud_dn, ludpp->lud_scope, (const char *) filter, attrs, 0, NULL, NULL, NULL, 0, &ctx->c->msgid); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_search_ext() failed (%d, %s)", + rc, ldap_err2string(rc)); + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: ldap_search_ext() -> msgid=%d", + ctx->c->msgid); + ctx->c->state = STATE_SEARCHING; + ctx->iteration++; + return NGX_AGAIN; + } + + /* On the second call, handle the search results */ + if (ctx->error_code != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_search_ext() request failed (%d: %s)", + ctx->error_code, ldap_err2string(ctx->error_code)); + return NGX_ERROR; + } + + if (ctx->dn.data == NULL) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: Could not find user DN"); + return NGX_ERROR; + } + + return NGX_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_check_user(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + ngx_http_complex_value_t *values; + ngx_uint_t i; + + values = ctx->server->require_user->elts; + for (i = 0; i < ctx->server->require_user->nelts; i++) { + ngx_str_t val; + if (ngx_http_complex_value(r, &values[i], &val) != NGX_OK) { + ctx->outcome = OUTCOME_ERROR; + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Comparing user DN with \"%V\"", &val); + if (val.len == ctx->dn.len && ngx_memcmp(val.data, ctx->dn.data, val.len) == 0) { + if (ctx->server->satisfy_all == 0) { + ctx->outcome = OUTCOME_ALLOW; + return NGX_OK; + } + } else { + if (ctx->server->satisfy_all == 1) { + ctx->outcome = OUTCOME_DENY; + return NGX_DECLINED; + } + } + } + + return NGX_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + ngx_http_complex_value_t *values; + struct berval bvalue; + ngx_int_t rc; + + /* Handle result of the comparison started during previous call */ + if (ctx->iteration > 0) { + if (ctx->error_code == LDAP_COMPARE_TRUE) { + if (ctx->server->satisfy_all == 0) { + ctx->outcome = OUTCOME_ALLOW; + return NGX_OK; + } + } else if (ctx->error_code == LDAP_COMPARE_FALSE || ctx->error_code == LDAP_NO_SUCH_ATTRIBUTE || ctx->error_code == LDAP_NO_SUCH_OBJECT) { + if (ctx->server->satisfy_all == 1) { + ctx->outcome = OUTCOME_DENY; + return NGX_DECLINED; + } + } else { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_compare_ext() request failed (%d: %s)", + ctx->error_code, ldap_err2string(ctx->error_code)); + return NGX_ERROR; + } + } + + /* Check next group */ + if (ctx->iteration >= ctx->server->require_group->nelts) { + /* No more groups */ + return NGX_OK; + } + + if (!ngx_http_auth_ldap_get_connection(ctx)) { + return NGX_AGAIN; + } + + ngx_str_t val; + values = ctx->server->require_group->elts; + if (ngx_http_complex_value(r, &values[ctx->iteration], &val) != NGX_OK) { + ctx->outcome = OUTCOME_ERROR; + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + if (ctx->server->group_attribute_dn == 1) { + bvalue.bv_val = (char*) ctx->dn.data; + bvalue.bv_len = ctx->dn.len; + } else { + bvalue.bv_val = (char*) r->headers_in.user.data; + bvalue.bv_len = r->headers_in.user.len; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Comparing user group with \"%V\"", &val); + + if (ctx->server->group_attribute.data == NULL) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: group_attribute.data is \"%V\" so calling a failure here", &ctx->server->group_attribute.data); + rc = !LDAP_SUCCESS; + } else { + rc = ldap_compare_ext(ctx->c->ld, (const char *) val.data, (const char *) ctx->server->group_attribute.data, + &bvalue, NULL, NULL, &ctx->c->msgid); + } + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_compare_ext() failed (%d: %s)", + rc, ldap_err2string(rc)); + ctx->outcome = OUTCOME_ERROR; + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: ldap_compare_ext() -> msgid=%d", + ctx->c->msgid); + ctx->c->state = STATE_COMPARING; + ctx->iteration++; + return NGX_AGAIN; +} + +/** + * Initiate and handle a bind operation using the authentication parameters + */ +static ngx_int_t +ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + struct berval cred; + ngx_int_t rc; + + /* On the first call, initiate the bind LDAP operation */ + if (ctx->iteration == 0) { + if (!ngx_http_auth_ldap_get_connection(ctx)) { + return NGX_AGAIN; + } + + cred.bv_val = (char *) r->headers_in.passwd.data; + cred.bv_len = r->headers_in.passwd.len; + rc = ldap_sasl_bind(ctx->c->ld, (const char *) ctx->dn.data, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &ctx->c->msgid); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)", + rc, ldap_err2string(rc)); + ctx->outcome = OUTCOME_ERROR; + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", + ctx->c->msgid); + ctx->c->state = STATE_BINDING; + ctx->iteration++; + + return NGX_AGAIN; + } + + /* On the second call, process the operation result */ + if (ctx->error_code != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: User bind failed (%d: %s)", + ctx->error_code, ldap_err2string(ctx->error_code)); + ctx->outcome = OUTCOME_DENY; + } else { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: User bind successful"); + ctx->outcome = OUTCOME_ALLOW; + } + return NGX_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_recover_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + struct berval cred; + ngx_int_t rc; + + /* On the first call, initiate the bind LDAP operation */ + if (ctx->iteration == 0) { + if (!ngx_http_auth_ldap_get_connection(ctx)) { + return NGX_AGAIN; + } + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Rebinding to binddn"); + cred.bv_val = (char *) ctx->server->bind_dn_passwd.data; + cred.bv_len = ctx->server->bind_dn_passwd.len; + rc = ldap_sasl_bind(ctx->c->ld, (const char *) ctx->server->bind_dn.data, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &ctx->c->msgid); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)", + rc, ldap_err2string(rc)); + ctx->outcome = OUTCOME_ERROR; + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", + ctx->c->msgid); + ctx->c->state = STATE_BINDING; + ctx->iteration++; + return NGX_AGAIN; + } + + /* On the second call, process the operation result */ + if (ctx->error_code != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: binddn bind failed (%d: %s)", + ctx->error_code, ldap_err2string(ctx->error_code)); + } else { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: binddn bind successful"); + } + return NGX_OK; +} | ||
| [+] | Added | nginx-auth-ldap.tar.gz/ngx_http_auth_ldap_module.c~ ^ |
| @@ -0,0 +1,2245 @@ +/** + * Copyright (C) 2011-2013 Valery Komarov <komarov@valerka.net> + * Copyright (C) 2013 Jiri Hruska <jirka@fud.cz> + * Copyright (C) 2015-2016 Victor Hahn Castell <victor.hahn@flexoptix.net> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <ngx_config.h> +#include <ngx_core.h> +#include <ngx_http.h> +#include <ngx_md5.h> +#include <ldap.h> + +// used for manual warnings +#define XSTR(x) STR(x) +#define STR(x) #x +// make sure manual warnings don't get escalated to errors +#ifdef __clang__ +#pragma clang diagnostic warning "-W#warnings" +#else +#ifdef __GNUC__ +#pragma GCC diagnostic warning "-Wcpp" +#endif +#endif +// TODO: do the same stuff for MSVC and/or other compilers + + +#ifndef LDAP_PROTO_EXT +/* Some OpenLDAP headers are accidentally missing ldap_init_fd() etc. */ + +#define LDAP_PROTO_TCP 1 /* ldap:// */ +#define LDAP_PROTO_UDP 2 /* reserved */ +#define LDAP_PROTO_IPC 3 /* ldapi:// */ +#define LDAP_PROTO_EXT 4 /* user-defined socket/sockbuf */ + +extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url, LDAP **ld); +#endif + +#define OUTCOME_ERROR -1 /* Some error occured in the process */ +#define OUTCOME_DENY 0 +#define OUTCOME_ALLOW 1 +#define OUTCOME_CACHED_DENY 2 /* Cached results */ +#define OUTCOME_CACHED_ALLOW 3 +#define OUTCOME_UNCERTAIN 4 /* Not yet decided */ + +#define NGX_HTTP_AUTH_LDAP_MAX_SERVERS_SIZE 7 + + +typedef struct { + LDAPURLDesc *ludpp; + ngx_str_t url; + ngx_url_t parsed_url; + ngx_str_t alias; + + ngx_str_t bind_dn; + ngx_str_t bind_dn_passwd; + + ngx_str_t group_attribute; + ngx_flag_t group_attribute_dn; + + ngx_flag_t ssl_check_cert; + ngx_str_t ssl_ca_dir; + ngx_str_t ssl_ca_file; + + ngx_array_t *require_group; /* array of ngx_http_complex_value_t */ + ngx_array_t *require_user; /* array of ngx_http_complex_value_t */ + ngx_flag_t require_valid_user; + ngx_http_complex_value_t require_valid_user_dn; + ngx_flag_t satisfy_all; + ngx_flag_t referral; + + ngx_uint_t connections; + ngx_msec_t connect_timeout; + ngx_msec_t reconnect_timeout; + ngx_msec_t bind_timeout; + ngx_msec_t request_timeout; + ngx_queue_t free_connections; + ngx_queue_t waiting_requests; +} ngx_http_auth_ldap_server_t; + +typedef struct { + ngx_array_t *servers; /* array of ngx_http_auth_ldap_server_t */ + ngx_flag_t cache_enabled; + ngx_msec_t cache_expiration_time; + size_t cache_size; + ngx_int_t servers_size; +#if (NGX_OPENSSL) + ngx_ssl_t ssl; +#endif +} ngx_http_auth_ldap_main_conf_t; + +typedef struct { + ngx_str_t realm; + ngx_array_t *servers; /* array of ngx_http_auth_ldap_server_t* */ +} ngx_http_auth_ldap_loc_conf_t; + +typedef struct { + uint32_t small_hash; /* murmur2 hash of username ^ &server */ + uint32_t outcome; /* OUTCOME_DENY or OUTCOME_ALLOW */ + ngx_msec_t time; /* ngx_current_msec when created */ + u_char big_hash[16]; /* md5 hash of (username, server, password) */ +} ngx_http_auth_ldap_cache_elt_t; + +typedef struct { + ngx_http_auth_ldap_cache_elt_t *buckets; + ngx_uint_t num_buckets; + ngx_uint_t elts_per_bucket; + ngx_msec_t expiration_time; +} ngx_http_auth_ldap_cache_t; + +typedef enum { + PHASE_START, + PHASE_SEARCH, + PHASE_CHECK_USER, + PHASE_CHECK_GROUP, + PHASE_CHECK_BIND, + PHASE_REBIND, + PHASE_NEXT +} ngx_http_auth_ldap_request_phase_t; + +typedef struct { + ngx_http_request_t *r; + ngx_uint_t server_index; + ngx_http_auth_ldap_server_t *server; + ngx_http_auth_ldap_request_phase_t phase; + unsigned int iteration; + int outcome; + + struct ngx_http_auth_ldap_connection *c; + ngx_queue_t queue; + int replied; + int error_code; + ngx_str_t error_msg; + ngx_str_t dn; + + ngx_http_auth_ldap_cache_elt_t *cache_bucket; + u_char cache_big_hash[16]; + uint32_t cache_small_hash; +} ngx_http_auth_ldap_ctx_t; + +typedef enum { + STATE_DISCONNECTED, + STATE_INITIAL_BINDING, + STATE_CONNECTING, + STATE_READY, + STATE_BINDING, + STATE_SEARCHING, + STATE_COMPARING +} ngx_http_auth_ldap_connection_state_t; + +typedef struct ngx_http_auth_ldap_connection { + ngx_log_t *log; + ngx_http_auth_ldap_server_t *server; + ngx_peer_connection_t conn; + ngx_event_t reconnect_event; + +#if (NGX_OPENSSL) + ngx_pool_t *pool; + ngx_ssl_t *ssl; +#endif + + ngx_queue_t queue; + ngx_http_auth_ldap_ctx_t *rctx; + + LDAP* ld; + ngx_http_auth_ldap_connection_state_t state; + int msgid; +} ngx_http_auth_ldap_connection_t; + +static char * ngx_http_auth_ldap_ldap_server_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char * ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf); +static char * ngx_http_auth_ldap(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char * ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char * ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server); +static char * ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server); +static char * ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server); +static char * ngx_http_auth_ldap_parse_referral(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server); +static void * ngx_http_auth_ldap_create_main_conf(ngx_conf_t *cf); +static char * ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent); +static void * ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *); +static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *); +static ngx_int_t ngx_http_auth_ldap_init_worker(ngx_cycle_t *cycle); +static ngx_int_t ngx_http_auth_ldap_init(ngx_conf_t *cf); +static ngx_int_t ngx_http_auth_ldap_init_cache(ngx_cycle_t *cycle); +static void ngx_http_auth_ldap_close_connection(ngx_http_auth_ldap_connection_t *c); +static void ngx_http_auth_ldap_read_handler(ngx_event_t *rev); +static ngx_int_t ngx_http_auth_ldap_init_connections(ngx_cycle_t *cycle); +static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r); +static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, + ngx_http_auth_ldap_loc_conf_t *conf); +static ngx_int_t ngx_http_auth_ldap_search(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +static ngx_int_t ngx_http_auth_ldap_check_user(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +static ngx_int_t ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +static ngx_int_t ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +static ngx_int_t ngx_http_auth_ldap_recover_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx); +#if (NGX_OPENSSL) +static ngx_int_t ngx_http_auth_ldap_restore_handlers(ngx_connection_t *conn); +#endif + +ngx_http_auth_ldap_cache_t ngx_http_auth_ldap_cache; + +static ngx_command_t ngx_http_auth_ldap_commands[] = { + { + ngx_string("ldap_server"), + NGX_HTTP_MAIN_CONF | NGX_CONF_BLOCK | NGX_CONF_TAKE1, + ngx_http_auth_ldap_ldap_server_block, + NGX_HTTP_MAIN_CONF_OFFSET, + 0, + NULL + }, + { + ngx_string("auth_ldap_cache_enabled"), + NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, + ngx_conf_set_flag_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_auth_ldap_main_conf_t, cache_enabled), + NULL + }, + { + ngx_string("auth_ldap_cache_expiration_time"), + NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, + ngx_conf_set_msec_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_auth_ldap_main_conf_t, cache_expiration_time), + NULL + }, + { + ngx_string("auth_ldap_cache_size"), + NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, + ngx_conf_set_size_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_auth_ldap_main_conf_t, cache_size), + NULL + }, + { + ngx_string("auth_ldap_servers_size"), + NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_auth_ldap_main_conf_t, servers_size), + NULL + }, + { + ngx_string("auth_ldap"), + NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_TAKE1, + ngx_http_auth_ldap, + NGX_HTTP_LOC_CONF_OFFSET, + 0, + NULL + }, + { + ngx_string("auth_ldap_servers"), + NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_ANY, + ngx_http_auth_ldap_servers, + NGX_HTTP_LOC_CONF_OFFSET, + 0, + NULL + }, + ngx_null_command +}; + +static ngx_http_module_t ngx_http_auth_ldap_module_ctx = { + NULL, /* preconfiguration */ + ngx_http_auth_ldap_init, /* postconfiguration */ + ngx_http_auth_ldap_create_main_conf, /* create main configuration */ + ngx_http_auth_ldap_init_main_conf, /* init main configuration */ + NULL, /* create server configuration */ + NULL, /* merge server configuration */ + ngx_http_auth_ldap_create_loc_conf, /* create location configuration */ + ngx_http_auth_ldap_merge_loc_conf /* merge location configuration */ +}; + +ngx_module_t ngx_http_auth_ldap_module = { + NGX_MODULE_V1, + &ngx_http_auth_ldap_module_ctx, /* module context */ + ngx_http_auth_ldap_commands, /* module directives */ + NGX_HTTP_MODULE, /* module type */ + NULL, /* init master */ + NULL, /* init module */ + ngx_http_auth_ldap_init_worker, /* init process */ + NULL, /* init thread */ + NULL, /* exit thread */ + NULL, /* exit process */ + NULL, /* exit master */ + NGX_MODULE_V1_PADDING +}; + + +/*** Configuration and initialization ***/ + +/** + * Reads ldap_server block and sets ngx_http_auth_ldap_ldap_server as a handler of each conf value + */ +static char * +ngx_http_auth_ldap_ldap_server_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + char *rv; + ngx_str_t *value, name; + ngx_conf_t save; + ngx_http_auth_ldap_server_t *server; + ngx_http_auth_ldap_main_conf_t *cnf = conf; + + value = cf->args->elts; + + name = value[1]; + + if (ngx_strlen(name.data) == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Missing server name in ldap_server"); + return NGX_CONF_ERROR; + } + + if (cnf->servers == NULL) { + if (cnf->servers_size == NGX_CONF_UNSET) { + cnf->servers_size = NGX_HTTP_AUTH_LDAP_MAX_SERVERS_SIZE; + } + cnf->servers = ngx_array_create(cf->pool, cnf->servers_size, sizeof(ngx_http_auth_ldap_server_t)); + if (cnf->servers == NULL) { + return NGX_CONF_ERROR; + } + } + + server = ngx_array_push(cnf->servers); + if (server == NULL) { + return NGX_CONF_ERROR; + } + + ngx_memzero(server, sizeof(*server)); + server->connect_timeout = 10000; + server->reconnect_timeout = 10000; + server->bind_timeout = 5000; + server->request_timeout = 10000; + server->alias = name; + server->referral = 1; + + save = *cf; + cf->handler = ngx_http_auth_ldap_ldap_server; + cf->handler_conf = conf; + rv = ngx_conf_parse(cf, NULL); + *cf = save; + + if (rv != NGX_CONF_OK) { + return rv; + } + + return NGX_CONF_OK; +} + +#define CONF_MSEC_VALUE(cf,value,server,x) \ +if (ngx_strcmp(value[0].data, #x) == 0) { \ + ngx_msec_t _i = ngx_parse_time(&value[1], 0); \ + if (_i == (ngx_msec_t) NGX_ERROR || _i == 0) { \ + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: '" #x "' value has to be a valid time unit greater than 0"); \ + return NGX_CONF_ERROR; \ + } \ + server->x = _i; \ + } +/** + * Called for every variable inside ldap_server block + */ +static char * +ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf) +{ + char *rv; + ngx_str_t *value; + ngx_http_auth_ldap_server_t *server; + ngx_http_auth_ldap_main_conf_t *cnf = conf; + ngx_int_t i; + + /* It should be safe to just use latest server from array */ + server = ((ngx_http_auth_ldap_server_t *) cnf->servers->elts + (cnf->servers->nelts - 1)); + + value = cf->args->elts; + + /* TODO: Add more validation */ + if (ngx_strcmp(value[0].data, "url") == 0) { + return ngx_http_auth_ldap_parse_url(cf, server); + } else if (ngx_strcmp(value[0].data, "binddn") == 0) { + server->bind_dn = value[1]; + } else if (ngx_strcmp(value[0].data, "binddn_passwd") == 0) { + server->bind_dn_passwd = value[1]; + } else if (ngx_strcmp(value[0].data, "group_attribute") == 0) { + server->group_attribute = value[1]; + } else if (ngx_strcmp(value[0].data, "group_attribute_is_dn") == 0 && ngx_strcmp(value[1].data, "on") == 0) { + server->group_attribute_dn = 1; + } else if (ngx_strcmp(value[0].data, "require") == 0) { + return ngx_http_auth_ldap_parse_require(cf, server); + } else if (ngx_strcmp(value[0].data, "satisfy") == 0) { + return ngx_http_auth_ldap_parse_satisfy(cf, server); + } else if (ngx_strcmp(value[0].data, "referral") == 0) { + return ngx_http_auth_ldap_parse_referral(cf, server); + } else if (ngx_strcmp(value[0].data, "connections") == 0) { + i = ngx_atoi(value[1].data, value[1].len); + if (i == NGX_ERROR || i == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: 'connections' value has to be a number greater than 0"); + return NGX_CONF_ERROR; + } + server->connections = i; + } else if (ngx_strcmp(value[0].data, "ssl_check_cert") == 0 && ngx_strcmp(value[1].data, "on") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10002000 + server->ssl_check_cert = 1; + #else + #warning "http_auth_ldap: Compiling with OpenSSL < 1.0.2, certificate verification will be unavailable. OPENSSL_VERSION_NUMBER == " XSTR(OPENSSL_VERSION_NUMBER) + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "http_auth_ldap: 'ssl_cert_check': cannot verify remote certificate's domain name because " + "your version of OpenSSL is too old. " + "Please install OpenSSL >= 1.02 and recompile nginx."); + #endif + } else if (ngx_strcmp(value[0].data, "ssl_ca_dir") == 0) { + server->ssl_ca_dir = value[1]; + } else if (ngx_strcmp(value[0].data, "ssl_ca_file") == 0) { + server->ssl_ca_file = value[1]; + } + else CONF_MSEC_VALUE(cf,value,server,connect_timeout) + else CONF_MSEC_VALUE(cf,value,server,reconnect_timeout) + else CONF_MSEC_VALUE(cf,value,server,bind_timeout) + else CONF_MSEC_VALUE(cf,value,server,request_timeout) + else if (ngx_strcmp(value[0].data, "include") == 0) { + return ngx_conf_include(cf, dummy, conf); + } + + rv = NGX_CONF_OK; + + return rv; +} + +/** + * Parse auth_ldap directive + */ +static char * +ngx_http_auth_ldap(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_str_t *value = cf->args->elts; + ngx_http_auth_ldap_loc_conf_t *cnf = conf; + u_char *p; + + if (ngx_strcmp(value[1].data, "off") == 0) { + ngx_str_set(&cnf->realm, ""); + return NGX_CONF_OK; + } + + cnf->realm.len = sizeof("Basic realm=\"") - 1 + value[1].len + 1; + cnf->realm.data = ngx_pcalloc(cf->pool, cnf->realm.len); + if (cnf->realm.data == NULL) { + return NGX_CONF_ERROR; + } + + p = ngx_cpymem(cnf->realm.data, "Basic realm=\"", sizeof("Basic realm=\"") - 1); + p = ngx_cpymem(p, value[1].data, value[1].len); + *p = '"'; + + return NGX_CONF_OK; +} + +/** + * Parse auth_ldap_servers directive + */ +static char * +ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_http_auth_ldap_loc_conf_t *cnf; + ngx_http_auth_ldap_main_conf_t *mconf; + ngx_http_auth_ldap_server_t *server, *s, **target; + ngx_str_t *value; + ngx_uint_t i, j; + + cnf = conf; + mconf = ngx_http_conf_get_module_main_conf(cf, ngx_http_auth_ldap_module); + + for (i = 1; i < cf->args->nelts; i++) { + value = &((ngx_str_t *) cf->args->elts)[i]; + server = NULL; + + if (mconf->servers == NULL) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Using \"auth_ldap_servers\" when no \"ldap_server\" has been previously defined" + " (make sure that \"auth_ldap_servers\" goes after \"ldap_server\"s in your configuration file)", value); + return NGX_CONF_ERROR; + } + + for (j = 0; j < mconf->servers->nelts; j++) { + s = &((ngx_http_auth_ldap_server_t *) mconf->servers->elts)[j]; + if (s->alias.len == value->len && ngx_memcmp(s->alias.data, value->data, s->alias.len) == 0) { + server = s; + break; + } + } + + if (server == NULL) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Server \"%V\" has not been defined", value); + return NGX_CONF_ERROR; + } + + + if (cnf->servers == NGX_CONF_UNSET_PTR) { + cnf->servers = ngx_array_create(cf->pool, 4, sizeof(ngx_http_auth_ldap_server_t *)); + if (cnf->servers == NULL) { + return NGX_CONF_ERROR; + } + } + + target = (ngx_http_auth_ldap_server_t **) ngx_array_push(cnf->servers); + if (target == NULL) { + return NGX_CONF_ERROR; + } + + *target = server; + } + + return NGX_CONF_OK; +} + +/** + * Parse URL conf parameter + */ +static char * +ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) +{ + ngx_str_t *value; + u_char *p; + + value = cf->args->elts; + + int rc = ldap_url_parse((const char *) value[1].data, &server->ludpp); + if (rc != LDAP_SUCCESS) { + switch (rc) { + case LDAP_URL_ERR_MEM: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Cannot allocate memory space."); + break; + + case LDAP_URL_ERR_PARAM: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid parameter."); + break; + + case LDAP_URL_ERR_BADSCHEME: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: URL doesnt begin with \"ldap[s]://\"."); + break; + + case LDAP_URL_ERR_BADENCLOSURE: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: URL is missing trailing \">\"."); + break; + + case LDAP_URL_ERR_BADURL: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid URL."); + break; + + case LDAP_URL_ERR_BADHOST: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Host port is invalid."); + break; + + case LDAP_URL_ERR_BADATTRS: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid or missing attributes."); + break; + + case LDAP_URL_ERR_BADSCOPE: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid or missing scope string."); + break; + + case LDAP_URL_ERR_BADFILTER: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid or missing filter."); + break; + + case LDAP_URL_ERR_BADEXTS: + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Invalid or missing extensions."); + break; + } + return NGX_CONF_ERROR; + } + + if (server->ludpp->lud_attrs == NULL) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: No user attribute specified in auth_ldap_url."); + return NGX_CONF_ERROR; + } + + server->url.data = ngx_palloc(cf->pool, ngx_strlen(server->ludpp->lud_scheme) + sizeof("://") - 1 + + ngx_strlen(server->ludpp->lud_host) + sizeof(":65535")); + p = ngx_sprintf(server->url.data, "%s://%s:%d%Z", server->ludpp->lud_scheme, server->ludpp->lud_host, + server->ludpp->lud_port); + server->url.len = p - server->url.data - 1; + + ngx_memzero(&server->parsed_url, sizeof(ngx_url_t)); + server->parsed_url.url.data = (u_char *) server->ludpp->lud_host; + server->parsed_url.url.len = ngx_strlen(server->ludpp->lud_host); + server->parsed_url.default_port = server->ludpp->lud_port; + if (ngx_parse_url(cf->pool, &server->parsed_url) != NGX_OK) { + if (server->parsed_url.err) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: %s in LDAP hostname \"%V\"", + server->parsed_url.err, &server->parsed_url.url); + } + return NGX_CONF_ERROR; + } + + if (ngx_strcmp(server->ludpp->lud_scheme, "ldap") == 0) { + return NGX_CONF_OK; +#if (NGX_OPENSSL) + } else if (ngx_strcmp(server->ludpp->lud_scheme, "ldaps") == 0) { + ngx_http_auth_ldap_main_conf_t *halmcf = + ngx_http_conf_get_module_main_conf(cf, ngx_http_auth_ldap_module); + ngx_uint_t protos = NGX_SSL_SSLv2 | NGX_SSL_SSLv3 | + NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2; + if (halmcf->ssl.ctx == NULL && ngx_ssl_create(&halmcf->ssl, protos, halmcf) != NGX_OK) { + return NGX_CONF_ERROR; + } + return NGX_CONF_OK; +#endif + } else { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Protocol \"%s://\" is not supported.", + server->ludpp->lud_scheme); + return NGX_CONF_ERROR; + } +} + +/** + * Parse "require" conf parameter + */ +static char * +ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) +{ + ngx_str_t *value; + ngx_http_complex_value_t* target = NULL; + ngx_http_compile_complex_value_t ccv; + + value = cf->args->elts; + ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, "http_auth_ldap: parse_require"); + + if (ngx_strcmp(value[1].data, "valid_user") == 0) { + server->require_valid_user = 1; + if (cf->args->nelts < 3) { + return NGX_CONF_OK; + } + if (server->require_valid_user_dn.value.data != NULL) { + return "is duplicate"; + } + target = &server->require_valid_user_dn; + } else if (ngx_strcmp(value[1].data, "user") == 0) { + if (server->require_user == NULL) { + server->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_http_complex_value_t)); + if (server->require_user == NULL) { + return NGX_CONF_ERROR; + } + } + target = ngx_array_push(server->require_user); + } else if (ngx_strcmp(value[1].data, "group") == 0) { + ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, "http_auth_ldap: Setting group"); + if (server->require_group == NULL) { + server->require_group = ngx_array_create(cf->pool, 4, sizeof(ngx_http_complex_value_t)); + if (server->require_group == NULL) { + return NGX_CONF_ERROR; + } + } + target = ngx_array_push(server->require_group); + } + + if (target == NULL) { + return NGX_CONF_ERROR; + } + + ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t)); + ccv.cf = cf; + ccv.value = &value[2]; + ccv.complex_value = target; + if (ngx_http_compile_complex_value(&ccv) != NGX_OK) { + return NGX_CONF_ERROR; + } + + return NGX_CONF_OK; +} + +/** + * Parse "satisfy" conf parameter + */ +static char * +ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) +{ + ngx_str_t *value; + value = cf->args->elts; + + if (ngx_strcmp(value[1].data, "all") == 0) { + ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, "http_auth_ldap: Setting satisfy all"); + server->satisfy_all = 1; + return NGX_CONF_OK; + } + + if (ngx_strcmp(value[1].data, "any") == 0) { + server->satisfy_all = 0; + return NGX_CONF_OK; + } + + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Incorrect value for auth_ldap_satisfy"); + return NGX_CONF_ERROR; +} + +/** + * Parse "referral" conf parameter + */ +static char * +ngx_http_auth_ldap_parse_referral(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) +{ + ngx_str_t *value; + value = cf->args->elts; + + if (ngx_strcmp(value[1].data, "on") == 0) { + server->referral = 1; + return NGX_CONF_OK; + } + + if (ngx_strcmp(value[1].data, "off") == 0) { + server->referral = 0; + return NGX_CONF_OK; + } + + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Incorrect value for referral"); + return NGX_CONF_ERROR; +} + +/** + * Create main config which will store ldap_servers array + */ +static void * +ngx_http_auth_ldap_create_main_conf(ngx_conf_t *cf) +{ + ngx_http_auth_ldap_main_conf_t *conf; + + conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_ldap_main_conf_t)); + if (conf == NULL) { + return NULL; + } + + conf->cache_enabled = NGX_CONF_UNSET; + conf->cache_expiration_time = NGX_CONF_UNSET_MSEC; + conf->cache_size = NGX_CONF_UNSET_SIZE; + conf->servers_size = NGX_CONF_UNSET; + + return conf; +} + +static char * +ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent) +{ + ngx_http_auth_ldap_main_conf_t *conf = parent; + + if (conf->cache_enabled == NGX_CONF_UNSET) { + conf->cache_enabled = 0; + } + if (conf->cache_enabled == 0) { + return NGX_CONF_OK; + } + + if (conf->cache_size == NGX_CONF_UNSET_SIZE) { + conf->cache_size = 100; + } + if (conf->cache_size < 100) { + ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_size cannot be smaller than 100 entries."); + return NGX_CONF_ERROR; + } + + if (conf->cache_expiration_time == NGX_CONF_UNSET_MSEC) { + conf->cache_expiration_time = 10000; + } + if (conf->cache_expiration_time < 1000) { + ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_expiration_time cannot be smaller than 1000 ms."); + return NGX_CONF_ERROR; + } + + return NGX_CONF_OK; +} + +/** + * Create location conf + */ +static void * +ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *cf) +{ + ngx_http_auth_ldap_loc_conf_t *conf; + conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_ldap_loc_conf_t)); + if (conf == NULL) { + return NULL; + } + conf->servers = NGX_CONF_UNSET_PTR; + + return conf; +} + +/** + * Merge location conf + */ +static char * +ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) +{ + ngx_http_auth_ldap_loc_conf_t *prev = parent; + ngx_http_auth_ldap_loc_conf_t *conf = child; + + if (conf->realm.data == NULL) { + conf->realm = prev->realm; + } + ngx_conf_merge_ptr_value(conf->servers, prev->servers, NULL); + + return NGX_CONF_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_init_worker(ngx_cycle_t *cycle) +{ + ngx_int_t rc; + + if (ngx_process != NGX_PROCESS_SINGLE && ngx_process != NGX_PROCESS_WORKER) { + return NGX_OK; + } + + rc = ngx_http_auth_ldap_init_cache(cycle); + if (rc != NGX_OK) { + return rc; + } + + rc = ngx_http_auth_ldap_init_connections(cycle); + if (rc != NGX_OK) { + return rc; + } + + return NGX_OK; +} + +/** + * Init module and add ldap auth handler to NGX_HTTP_ACCESS_PHASE + */ +static ngx_int_t +ngx_http_auth_ldap_init(ngx_conf_t *cf) +{ + ngx_http_handler_pt *h; + ngx_http_core_main_conf_t *cmcf; + + cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); + + h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers); + if (h == NULL) { + return NGX_ERROR; + } + + *h = ngx_http_auth_ldap_handler; + return NGX_OK; +} + + +/*** Authentication cache ***/ + +static ngx_int_t +ngx_http_auth_ldap_init_cache(ngx_cycle_t *cycle) +{ + ngx_http_auth_ldap_main_conf_t *conf; + ngx_uint_t want, count, i; + ngx_http_auth_ldap_cache_t *cache; + static const uint16_t primes[] = { + 13, 53, 101, 151, 199, 263, 317, 383, 443, 503, + 577, 641, 701, 769, 839, 911, 983, 1049, 1109 + }; + + conf = (ngx_http_auth_ldap_main_conf_t *) ngx_http_cycle_get_module_main_conf(cycle, ngx_http_auth_ldap_module); + if (conf == NULL || !conf->cache_enabled) { + return NGX_OK; + } + + want = (conf->cache_size + 7) / 8; + count = 0; + for (i = 0; i < sizeof(primes)/sizeof(primes[0]); i++) { + count = primes[i]; + if (count >= want) { + break; + } + } + + cache = &ngx_http_auth_ldap_cache; + cache->expiration_time = conf->cache_expiration_time; + cache->num_buckets = count; + cache->elts_per_bucket = 8; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, cycle->log, 0, "http_auth_ldap: Allocating %ud bytes of LDAP cache.", + cache->num_buckets * cache->elts_per_bucket * sizeof(ngx_http_auth_ldap_cache_elt_t)); + + cache->buckets = (ngx_http_auth_ldap_cache_elt_t *) ngx_calloc(count * 8 * sizeof(ngx_http_auth_ldap_cache_elt_t), cycle->log); + if (cache->buckets == NULL) { + ngx_log_error(NGX_LOG_ERR, cycle->log, 0, "http_auth_ldap: Unable to allocate memory for LDAP cache."); + return NGX_ERROR; + } + + return NGX_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_check_cache(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, + ngx_http_auth_ldap_cache_t *cache, ngx_http_auth_ldap_server_t *server) +{ + ngx_http_auth_ldap_cache_elt_t *elt; + ngx_md5_t md5ctx; + ngx_msec_t time_limit; + ngx_uint_t i; + + ctx->cache_small_hash = ngx_murmur_hash2(r->headers_in.user.data, r->headers_in.user.len) ^ (uint32_t) (ngx_uint_t) server; + + ngx_md5_init(&md5ctx); + ngx_md5_update(&md5ctx, r->headers_in.user.data, r->headers_in.user.len); + ngx_md5_update(&md5ctx, server, offsetof(ngx_http_auth_ldap_server_t, free_connections)); + ngx_md5_update(&md5ctx, r->headers_in.passwd.data, r->headers_in.passwd.len); + ngx_md5_final(ctx->cache_big_hash, &md5ctx); + + ctx->cache_bucket = &cache->buckets[ctx->cache_small_hash % cache->num_buckets]; + + elt = ctx->cache_bucket; + time_limit = ngx_current_msec - cache->expiration_time; + for (i = 0; i < cache->elts_per_bucket; i++, elt++) { + if (elt->small_hash == ctx->cache_small_hash && + elt->time > time_limit && + memcmp(elt->big_hash, ctx->cache_big_hash, 16) == 0) { + return elt->outcome; + } + } + + return -1; +} + +static void +ngx_http_auth_ldap_update_cache(ngx_http_auth_ldap_ctx_t *ctx, + ngx_http_auth_ldap_cache_t *cache, ngx_flag_t outcome) +{ + ngx_http_auth_ldap_cache_elt_t *elt, *oldest_elt; + ngx_uint_t i; + + elt = ctx->cache_bucket; + oldest_elt = elt; + for (i = 1; i < cache->elts_per_bucket; i++, elt++) { + if (elt->time < oldest_elt->time) { + oldest_elt = elt; + } + } + + oldest_elt->time = ngx_current_msec; + oldest_elt->outcome = outcome; + oldest_elt->small_hash = ctx->cache_small_hash; + ngx_memcpy(oldest_elt->big_hash, ctx->cache_big_hash, 16); +} + + +/*** OpenLDAP SockBuf implementation over nginx socket functions ***/ + +static int +ngx_http_auth_ldap_sb_setup(Sockbuf_IO_Desc *sbiod, void *arg) +{ + sbiod->sbiod_pvt = arg; + return 0; +} + +static int +ngx_http_auth_ldap_sb_remove(Sockbuf_IO_Desc *sbiod) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_remove()"); + (void)c; /* 'c' would be left unused on debug builds */ + + sbiod->sbiod_pvt = NULL; + return 0; +} + +static int +ngx_http_auth_ldap_sb_close(Sockbuf_IO_Desc *sbiod) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_close()"); + + if (!c->conn.connection->read->error && !c->conn.connection->read->eof) { + if (ngx_shutdown_socket(c->conn.connection->fd, SHUT_RDWR) == -1) { + ngx_connection_error(c->conn.connection, ngx_socket_errno, ngx_shutdown_socket_n " failed"); + ngx_http_auth_ldap_close_connection(c); + return -1; + } + } + + return 0; +} + +static int +ngx_http_auth_ldap_sb_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_ctrl(opt=%d)", opt); + + switch (opt) { + case LBER_SB_OPT_DATA_READY: + if (c->conn.connection->read->ready) { + return 1; + } + return 0; + } + + return 0; +} + +static ber_slen_t +ngx_http_auth_ldap_sb_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + ber_slen_t ret; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_read(len=%d)", len); + + ret = c->conn.connection->recv(c->conn.connection, buf, len); + if (ret < 0) { + errno = (ret == NGX_AGAIN) ? NGX_EAGAIN : NGX_ECONNRESET; + return -1; + } + + return ret; +} + +static ber_slen_t +ngx_http_auth_ldap_sb_write(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) +{ + ngx_http_auth_ldap_connection_t *c = (ngx_http_auth_ldap_connection_t *)sbiod->sbiod_pvt; + ber_slen_t ret; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "ngx_http_auth_ldap_sb_write(len=%d)", len); + + ret = c->conn.connection->send(c->conn.connection, buf, len); + if (ret < 0) { + errno = (ret == NGX_AGAIN) ? NGX_EAGAIN : NGX_ECONNRESET; + return 0; + } + + return ret; +} + +static Sockbuf_IO ngx_http_auth_ldap_sbio = +{ + ngx_http_auth_ldap_sb_setup, + ngx_http_auth_ldap_sb_remove, + ngx_http_auth_ldap_sb_ctrl, + ngx_http_auth_ldap_sb_read, + ngx_http_auth_ldap_sb_write, + ngx_http_auth_ldap_sb_close +}; + + +/*** Asynchronous LDAP connection handling ***/ + +static void +ngx_http_auth_ldap_close_connection(ngx_http_auth_ldap_connection_t *c) +{ + ngx_queue_t *q; + + if (c->ld) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Unbinding from the server \"%V\")", + &c->server->url); + ldap_unbind_ext(c->ld, NULL, NULL); + /* Unbind is always synchronous, even though the function name does not end with an '_s'. */ + c->ld = NULL; + } + + if (c->conn.connection) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Closing connection (fd=%d)", + c->conn.connection->fd); + +#if (NGX_OPENSSL) + if (c->conn.connection->ssl) { + c->conn.connection->ssl->no_wait_shutdown = 1; + (void) ngx_ssl_shutdown(c->conn.connection); + } +#endif + + ngx_close_connection(c->conn.connection); + c->conn.connection = NULL; + } + + q = ngx_queue_head(&c->server->free_connections); + while (q != ngx_queue_sentinel(&c->server->free_connections)) { + if (q == &c->queue) { + ngx_queue_remove(q); + break; + } + q = ngx_queue_next(q); + } + + c->rctx = NULL; + if (c->state != STATE_DISCONNECTED) { + c->state = STATE_DISCONNECTED; + ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connection scheduled for reconnection in %d ms", c->server->reconnect_timeout); + } +} + +static void +ngx_http_auth_ldap_wake_request(ngx_http_request_t *r) +{ + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Waking authentication request \"%V\"", + &r->request_line); + ngx_http_core_run_phases(r); +} + +static int +ngx_http_auth_ldap_get_connection(ngx_http_auth_ldap_ctx_t *ctx) +{ + ngx_http_auth_ldap_server_t *server; + ngx_queue_t *q; + ngx_http_auth_ldap_connection_t *c; + + /* + * If we already have a connection, just say we got them one. + */ + if (ctx->c != NULL) + return 1; + + server = ctx->server; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "http_auth_ldap: Wants a free connection to \"%V\"", + &server->alias); + + if (!ngx_queue_empty(&server->free_connections)) { + q = ngx_queue_last(&server->free_connections); + ngx_queue_remove(q); + c = ngx_queue_data(q, ngx_http_auth_ldap_connection_t, queue); + c->rctx = ctx; + ctx->c = c; + ctx->replied = 0; + return 1; + } + + q = ngx_queue_next(&server->waiting_requests); + while (q != ngx_queue_sentinel(&server->waiting_requests)) { + if (q == &ctx->queue) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "http_auth_ldap: Tried to insert a same request"); + return 0; + } + q = ngx_queue_next(q); + } + ngx_queue_insert_head(&server->waiting_requests, &ctx->queue); + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "http_auth_ldap: No connection available at the moment, waiting..."); + return 0; +} + +static void +ngx_http_auth_ldap_return_connection(ngx_http_auth_ldap_connection_t *c) +{ + ngx_queue_t *q; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Marking the connection to \"%V\" as free", + &c->server->alias); + + if (c->rctx != NULL) { + c->rctx->c = NULL; + c->rctx = NULL; + c->msgid = -1; + c->state = STATE_READY; + } + + ngx_queue_insert_head(&c->server->free_connections, &c->queue); + if (!ngx_queue_empty(&c->server->waiting_requests)) { + q = ngx_queue_last(&c->server->waiting_requests); + ngx_queue_remove(q); + ngx_http_auth_ldap_wake_request((ngx_queue_data(q, ngx_http_auth_ldap_ctx_t, queue))->r); + } +} + +static void +ngx_http_auth_ldap_reply_connection(ngx_http_auth_ldap_connection_t *c, int error_code, char* error_msg) +{ + ngx_http_auth_ldap_ctx_t *ctx = c->rctx; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: LDAP request to \"%V\" has finished", + &c->server->alias); + + ctx->replied = 1; + ctx->error_code = error_code; + if (error_msg) { + ctx->error_msg.len = ngx_strlen(error_msg); + ctx->error_msg.data = ngx_palloc(ctx->r->pool, ctx->error_msg.len); + ngx_memcpy(ctx->error_msg.data, error_msg, ctx->error_msg.len); + } else { + ctx->error_msg.len = 0; + ctx->error_msg.data = NULL; + } + + ngx_http_auth_ldap_wake_request(ctx->r); +} + +static void +ngx_http_auth_ldap_dummy_write_handler(ngx_event_t *wev) +{ + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, wev->log, 0, "http_auth_ldap: Dummy write handler"); + + if (ngx_handle_write_event(wev, 0) != NGX_OK) { + ngx_http_auth_ldap_close_connection(((ngx_connection_t *) wev->data)->data); + } +} + + +#if (NGX_OPENSSL) +/* Make sure the event handlers are activated. */ +static ngx_int_t +ngx_http_auth_ldap_restore_handlers(ngx_connection_t *conn) +{ + ngx_int_t rc; + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, conn->log, 0, "http_auth_ldap: Restoring event handlers. read=%d write=%d", conn->read->active, conn->write->active); + + if (!conn->read->active) { + rc = ngx_add_event(conn->read, NGX_READ_EVENT, 0); + if (rc != NGX_OK) { + return rc; + } + } + + if (!conn->write->active && + (conn->write->handler != ngx_http_auth_ldap_dummy_write_handler)) { + rc = ngx_add_event(conn->write, NGX_WRITE_EVENT, 0); + if (rc != NGX_OK) { + return rc; + } + } + + return NGX_OK; +} +#endif + +static void +ngx_http_auth_ldap_connection_established(ngx_http_auth_ldap_connection_t *c) +{ + ngx_connection_t *conn; + Sockbuf *sb; + ngx_int_t rc; + struct berval cred; + + conn = c->conn.connection; + ngx_del_timer(conn->read); + conn->write->handler = ngx_http_auth_ldap_dummy_write_handler; + + + /* Initialize OpenLDAP on the connection */ + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Initializing connection using URL \"%V\"", &c->server->url); + + rc = ldap_init_fd(c->conn.connection->fd, LDAP_PROTO_EXT, (const char *) c->server->url.data, &c->ld); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, errno, "http_auth_ldap: ldap_init_fd() failed (%d: %s)", rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + + if (c->server->referral == 0) { + rc = ldap_set_option(c->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + if (rc != LDAP_OPT_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_set_option() failed (%d: %s)", rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + } + + rc = ldap_get_option(c->ld, LDAP_OPT_SOCKBUF, (void *) &sb); + if (rc != LDAP_OPT_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_get_option() failed (%d: %s)", rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + + ber_sockbuf_add_io(sb, &ngx_http_auth_ldap_sbio, LBER_SBIOD_LEVEL_PROVIDER, (void *) c); + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connection initialized"); + + + /* Perform initial bind to the server */ + + cred.bv_val = (char *) c->server->bind_dn_passwd.data; + cred.bv_len = c->server->bind_dn_passwd.len; + rc = ldap_sasl_bind(c->ld, (const char *) c->server->bind_dn.data, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &c->msgid); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)", + rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", c->msgid); + + c->state = STATE_INITIAL_BINDING; + ngx_add_timer(c->conn.connection->read, c->server->bind_timeout); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: bind_timeout=%d", c->server->bind_timeout); +} + +#if (NGX_OPENSSL) +static void +ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn, ngx_flag_t validate) +{ + ngx_http_auth_ldap_connection_t *c; + c = conn->data; + + if (conn->ssl->handshaked) { + #if OPENSSL_VERSION_NUMBER >= 0x10002000 + if (validate) { // verify remote certificate if requested + X509 *cert = SSL_get_peer_certificate(conn->ssl->connection); + long chain_verified = SSL_get_verify_result(conn->ssl->connection); + + int addr_verified; + char *hostname = c->server->ludpp->lud_host; + addr_verified = X509_check_host(cert, hostname, 0, 0, 0); + + if (!addr_verified) { // domain not in cert? try IP + size_t len; // get IP length + if (conn->sockaddr->sa_family == 4) len = 4; + else if (conn->sockaddr->sa_family == 6) len = 16; + else { // very unlikely indeed + ngx_http_auth_ldap_close_connection(c); + return; + } + addr_verified = X509_check_ip(cert, (const unsigned char*)conn->sockaddr->sa_data, len, 0); + } + + // Find anything fishy? + if ( !(cert && addr_verified && chain_verified == X509_V_OK) ) { + if (!addr_verified) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "http_auth_ldap: Remote side presented invalid SSL certificate: " + "does not match address (neither server's domain nor IP in certificate's CN or SAN)"); + fprintf(stderr, "DEBUG: SSL cert domain mismatch\n"); fflush(stderr); + } else { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "http_auth_ldap: Remote side presented invalid SSL certificate: error %l, %s", + chain_verified, X509_verify_cert_error_string(chain_verified)); + } + ngx_http_auth_ldap_close_connection(c); + return; + } + } + #endif + + // handshaked validation successful -- or not required in the first place + conn->read->handler = &ngx_http_auth_ldap_read_handler; + ngx_http_auth_ldap_restore_handlers(conn); + ngx_http_auth_ldap_connection_established(c); + return; + } + else { // handshake failed + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed"); + ngx_http_auth_ldap_close_connection(c); + } +} + +static void +ngx_http_auth_ldap_ssl_handshake_validating_handler(ngx_connection_t *conn) +{ ngx_http_auth_ldap_ssl_handshake_handler(conn, 1); } + +static void +ngx_http_auth_ldap_ssl_handshake_non_validating_handler(ngx_connection_t *conn) +{ ngx_http_auth_ldap_ssl_handshake_handler(conn, 0); } + +typedef void (*ngx_http_auth_ldap_ssl_callback)(ngx_connection_t *conn); + +static void +ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c) +{ + ngx_int_t rc; + + c->conn.connection->pool = c->pool; + rc = ngx_ssl_create_connection(c->ssl, c->conn.connection, NGX_SSL_BUFFER | NGX_SSL_CLIENT); + if (rc != NGX_OK) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL initialization failed"); + ngx_http_auth_ldap_close_connection(c); + return; + } + + c->log->action = "SSL handshaking to LDAP server"; + ngx_connection_t *transport = c->conn.connection; + + ngx_http_auth_ldap_ssl_callback callback; + if (c->server->ssl_check_cert) { + // load CA certificates: custom ones if specified, default ones instead + if (c->server->ssl_ca_file.data || c->server->ssl_ca_dir.data) { + int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx, + (char*)(c->server->ssl_ca_file.data), (char*)(c->server->ssl_ca_dir.data)); + if (setcode != 1) { + unsigned long error_code = ERR_get_error(); + char *error_msg = ERR_error_string(error_code, NULL); + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "http_auth_ldap: SSL initialization failed. Could not set custom CA certificate location. " + "Error: %lu, %s", error_code, error_msg); + } + } + int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx); + if (setcode != 1) { + unsigned long error_code = ERR_get_error(); + char *error_msg = ERR_error_string(error_code, NULL); + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "http_auth_ldap: SSL initialization failed. Could not use default CA certificate location. " + "Error: %lu, %s", error_code, error_msg); + } + + // use validating version of next function + callback = &ngx_http_auth_ldap_ssl_handshake_validating_handler; + } else { + // use non-validating version of next function + callback = &ngx_http_auth_ldap_ssl_handshake_non_validating_handler; + } + + rc = ngx_ssl_handshake(transport); + if (rc == NGX_AGAIN) { + transport->ssl->handler = callback; + return; + } + + (*callback)(transport); + return; +} +#endif + +static void +ngx_http_auth_ldap_connect_handler(ngx_event_t *wev) +{ + ngx_connection_t *conn; + ngx_http_auth_ldap_connection_t *c; + int keepalive; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, wev->log, 0, "http_auth_ldap: Connect handler"); + + conn = wev->data; + c = conn->data; + + if (ngx_handle_write_event(wev, 0) != NGX_OK) { + ngx_http_auth_ldap_close_connection(c); + return; + } + + keepalive = 1; + if (setsockopt(conn->fd, SOL_SOCKET, SO_KEEPALIVE, (const void *) &keepalive, sizeof(int)) == -1) + { + ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno, "http_auth_ldap: setsockopt(SO_KEEPALIVE) failed"); + } + +#if (NGX_OPENSSL) + if (ngx_strcmp(c->server->ludpp->lud_scheme, "ldaps") == 0) { + ngx_http_auth_ldap_ssl_handshake(c); + return; + } +#endif + + ngx_http_auth_ldap_connection_established(c); +} + +static void +ngx_http_auth_ldap_read_handler(ngx_event_t *rev) +{ + ngx_connection_t *conn; + ngx_http_auth_ldap_connection_t *c; + ngx_int_t rc; + struct timeval timeout = {0, 0}; + LDAPMessage *result; + int error_code; + char *error_msg; + char *dn; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0, "http_auth_ldap: Read handler"); + + conn = rev->data; + c = conn->data; + + if (c->ld == NULL) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Could not connect"); + ngx_http_auth_ldap_close_connection(c); + return; + } + + if (rev->timedout) { + ngx_log_error(NGX_LOG_ERR, c->log, NGX_ETIMEDOUT, "http_auth_ldap: Request timed out (state=%d)", c->state); + conn->timedout = 1; + ngx_http_auth_ldap_close_connection(c); + return; + } + + c->log->action = "reading response from LDAP"; + + for (;;) { + rc = ldap_result(c->ld, LDAP_RES_ANY, 0, &timeout, &result); + if (rc < 0) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_result() failed (%d: %s)", + rc, ldap_err2string(rc)); + ngx_http_auth_ldap_close_connection(c); + return; + } + if (rc == 0) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_result() -> rc=0"); + break; + } + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_result() -> rc=%d, msgid=%d, msgtype=%d", + rc, ldap_msgid(result), ldap_msgtype(result)); + + if (ldap_msgid(result) != c->msgid) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Message with unknown ID received, ignoring."); + ldap_msgfree(result); + continue; + } + + rc = ldap_parse_result(c->ld, result, &error_code, NULL, &error_msg, NULL, NULL, 0); + if (rc == LDAP_NO_RESULTS_RETURNED) { + error_code = LDAP_NO_RESULTS_RETURNED; + error_msg = NULL; + } else if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_parse_result() failed (%d: %s)", + rc, ldap_err2string(rc)); + ldap_msgfree(result); + ngx_http_auth_ldap_close_connection(c); + return; + } + + switch (c->state) { + case STATE_INITIAL_BINDING: + if (ldap_msgtype(result) != LDAP_RES_BIND) { + break; + } + ngx_del_timer(conn->read); + if (error_code == LDAP_SUCCESS) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Initial bind successful"); + c->state = STATE_READY; + ngx_http_auth_ldap_return_connection(c); + } else { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Initial bind failed (%d: %s [%s])", + error_code, ldap_err2string(error_code), error_msg ? error_msg : "-"); + ldap_memfree(error_msg); + ldap_msgfree(result); + ngx_http_auth_ldap_close_connection(c); + return; + } + break; + + case STATE_BINDING: + if (ldap_msgtype(result) != LDAP_RES_BIND) { + break; + } + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Received bind response (%d: %s [%s])", + error_code, ldap_err2string(error_code), error_msg ? error_msg : "-"); + ngx_http_auth_ldap_reply_connection(c, error_code, error_msg); + break; + + case STATE_SEARCHING: + if (ldap_msgtype(result) == LDAP_RES_SEARCH_ENTRY) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Received a search entry"); + if (c->rctx->dn.data == NULL) { + dn = ldap_get_dn(c->ld, result); + if (dn != NULL) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Found entry with DN \"%s\"", dn); + c->rctx->dn.len = ngx_strlen(dn); + c->rctx->dn.data = (u_char *) ngx_palloc(c->rctx->r->pool, c->rctx->dn.len + 1); + ngx_memcpy(c->rctx->dn.data, dn, c->rctx->dn.len + 1); + ldap_memfree(dn); + } + } + } else if (ldap_msgtype(result) == LDAP_RES_SEARCH_RESULT) { + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Received search result (%d: %s [%s])", + error_code, ldap_err2string(error_code), error_msg ? error_msg : "-"); + ngx_http_auth_ldap_reply_connection(c, error_code, error_msg); + } + break; + + case STATE_COMPARING: + if (ldap_msgtype(result) != LDAP_RES_COMPARE) { + break; + } + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Received comparison result (%d: %s [%s])", + error_code, ldap_err2string(error_code), error_msg ? error_msg : "-"); + ngx_http_auth_ldap_reply_connection(c, error_code, error_msg); + break; + + default: + break; + } + + ldap_memfree(error_msg); + ldap_msgfree(result); + } + + if (ngx_handle_read_event(rev, 0) != NGX_OK) { + ngx_http_auth_ldap_close_connection(c); + return; + } +} + +static void +ngx_http_auth_ldap_connect(ngx_http_auth_ldap_connection_t *c) +{ + ngx_peer_connection_t *pconn; + ngx_connection_t *conn; + ngx_addr_t *addr; + ngx_int_t rc; + + addr = &c->server->parsed_url.addrs[ngx_random() % c->server->parsed_url.naddrs]; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connecting to LDAP server \"%V\".", + &addr->name); + + pconn = &c->conn; + pconn->sockaddr = addr->sockaddr; + pconn->socklen = addr->socklen; + pconn->name = &addr->name; + pconn->get = ngx_event_get_peer; + pconn->log = c->log; + pconn->log_error = NGX_ERROR_ERR; + + rc = ngx_event_connect_peer(pconn); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ngx_event_connect_peer() -> %d.", rc); + if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Unable to connect to LDAP server \"%V\".", + &addr->name); + ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout); + return; + } + + conn = pconn->connection; + conn->data = c; +#if (NGX_OPENSSL) + conn->pool = c->pool; +#endif + conn->write->handler = ngx_http_auth_ldap_connect_handler; + conn->read->handler = ngx_http_auth_ldap_read_handler; + ngx_add_timer(conn->read, c->server->connect_timeout); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: connect_timeout=%d.", c->server->connect_timeout); + + + c->state = STATE_CONNECTING; +} + +static void +ngx_http_auth_ldap_connection_cleanup(void *data) +{ + ngx_http_auth_ldap_close_connection((ngx_http_auth_ldap_connection_t *) data); +} + +static void +ngx_http_auth_ldap_reconnect_handler(ngx_event_t *ev) +{ + ngx_connection_t *conn = ev->data; + ngx_http_auth_ldap_connection_t *c = conn->data; + ngx_http_auth_ldap_connect(c); +} + +static ngx_int_t +ngx_http_auth_ldap_init_connections(ngx_cycle_t *cycle) +{ + ngx_http_auth_ldap_connection_t *c; + ngx_http_auth_ldap_main_conf_t *halmcf; + ngx_http_auth_ldap_server_t *server; + ngx_pool_cleanup_t *cleanup; + ngx_connection_t *dummy_conn; + ngx_uint_t i, j; + int option; + + halmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_auth_ldap_module); + if (halmcf == NULL || halmcf->servers == NULL) { + return NGX_OK; + } + + option = LDAP_VERSION3; + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &option); + + for (i = 0; i < halmcf->servers->nelts; i++) { + server = &((ngx_http_auth_ldap_server_t *) halmcf->servers->elts)[i]; + ngx_queue_init(&server->free_connections); + ngx_queue_init(&server->waiting_requests); + if (server->connections <= 1) { + server->connections = 1; + } + + for (j = 0; j < server->connections; j++) { + c = ngx_pcalloc(cycle->pool, sizeof(ngx_http_auth_ldap_connection_t)); + cleanup = ngx_pool_cleanup_add(cycle->pool, 0); + dummy_conn = ngx_pcalloc(cycle->pool, sizeof(ngx_connection_t)); + if (c == NULL || cleanup == NULL || dummy_conn == NULL) { + return NGX_ERROR; + } + + cleanup->handler = &ngx_http_auth_ldap_connection_cleanup; + cleanup->data = c; + + c->log = cycle->log; + c->server = server; + c->state = STATE_DISCONNECTED; + + /* Various debug logging around timer management assume that the field + 'data' in ngx_event_t is a pointer to ngx_connection_t, therefore we + have a dummy such structure around so that it does not crash etc. */ + dummy_conn->data = c; + c->reconnect_event.log = c->log; + c->reconnect_event.data = dummy_conn; + c->reconnect_event.handler = ngx_http_auth_ldap_reconnect_handler; + +#if (NGX_OPENSSL) + c->pool = cycle->pool; + c->ssl = &halmcf->ssl; +#endif + + ngx_http_auth_ldap_connect(c); + } + } + + return NGX_OK; +} + + + +/*** Per-request authentication processing ***/ + +/** + * Respond with "403 Forbidden" and add correct headers + */ +static ngx_int_t +ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) +{ + r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); + if (r->headers_out.www_authenticate == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + r->headers_out.www_authenticate->hash = 1; + r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1; + r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate"; + r->headers_out.www_authenticate->value = *realm; + + return NGX_HTTP_UNAUTHORIZED; +} + +/** + * LDAP Authentication handler + */ +static ngx_int_t +ngx_http_auth_ldap_handler(ngx_http_request_t *r) +{ + ngx_http_auth_ldap_loc_conf_t *alcf; + ngx_http_auth_ldap_ctx_t *ctx; + int rc; + + alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_ldap_module); + if (alcf->realm.len == 0) { + return NGX_DECLINED; + } + + ctx = ngx_http_get_module_ctx(r, ngx_http_auth_ldap_module); + if (ctx == NULL) { + rc = ngx_http_auth_basic_user(r); + if (rc == NGX_DECLINED) { + return ngx_http_auth_ldap_set_realm(r, &alcf->realm); + } + if (rc == NGX_ERROR) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Username is \"%V\"", + &r->headers_in.user); + if (r->headers_in.passwd.len == 0) + { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Password is empty"); + return ngx_http_auth_ldap_set_realm(r, &alcf->realm); + } + + ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_auth_ldap_ctx_t)); + if (ctx == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + ctx->r = r; + /* Other fields have been initialized to zero/NULL */ + ngx_http_set_ctx(r, ctx, ngx_http_auth_ldap_module); + } + + return ngx_http_auth_ldap_authenticate(r, ctx, alcf); +} + +/** + * Iteratively handle all phases of the authentication process, might be called many times + */ +static ngx_int_t +ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, + ngx_http_auth_ldap_loc_conf_t *conf) +{ + ngx_int_t rc; + + if (r->connection->write->timedout) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: Authentication timed out"); + if (ctx->c != NULL) { + ngx_http_auth_ldap_return_connection(ctx->c); + } + return NGX_ERROR; + } + + /* + * If we are not starting up a request (ctx->phase != PHASE_START) and we actually already + * sent a request (ctx->iteration > 0) and didn't receive a reply yet (!ctx->replied) we + * ask to be called again at a later time when we hopefully have received a reply. + * + * It is quite possible that we reach this if while not having sent a request yet (ctx->iteration == 0) - + * this happens when we are trying to get an LDAP connection but all of them are busy right now. + */ + if (ctx->iteration > 0 && !ctx->replied && ctx->phase != PHASE_START) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: The LDAP operation did not finish yet"); + return NGX_AGAIN; + } + + for (;;) { + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Authentication loop (phase=%d, iteration=%d)", + ctx->phase, ctx->iteration); + + switch (ctx->phase) { + case PHASE_START: + ctx->server = ((ngx_http_auth_ldap_server_t **) conf->servers->elts)[ctx->server_index]; + ctx->outcome = OUTCOME_UNCERTAIN; + + ngx_add_timer(r->connection->write, ctx->server->request_timeout); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: request_timeout=%d",ctx->server->request_timeout); + + + /* Check cache if enabled */ + if (ngx_http_auth_ldap_cache.buckets != NULL) { + rc = ngx_http_auth_ldap_check_cache(r, ctx, &ngx_http_auth_ldap_cache, ctx->server); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Using cached outcome %d", rc); + if (rc == OUTCOME_DENY || rc == OUTCOME_ALLOW) { + ctx->outcome = (rc == OUTCOME_DENY ? OUTCOME_CACHED_DENY : OUTCOME_CACHED_ALLOW); + ctx->phase = PHASE_NEXT; + break; + } + } + + if (ctx->server->require_valid_user_dn.value.data != NULL) { + /* Construct user DN */ + if (ngx_http_complex_value(r, &ctx->server->require_valid_user_dn, &ctx->dn) != NGX_OK) { + ngx_del_timer(r->connection->write); + return NGX_ERROR; + } + ctx->phase = PHASE_CHECK_USER; + break; + } + + ctx->phase = PHASE_SEARCH; + ctx->iteration = 0; + break; + + case PHASE_SEARCH: + /* Search the directory to retrieve full user DN */ + rc = ngx_http_auth_ldap_search(r, ctx); + if (rc == NGX_AGAIN) { + /* LDAP operation in progress, wait for the results */ + return NGX_AGAIN; + } + if (rc != NGX_OK) { + /* Search failed, try next server */ + ctx->phase = PHASE_NEXT; + break; + } + + /* User DN has been found, check user next */ + ctx->phase = PHASE_CHECK_USER; + break; + + case PHASE_CHECK_USER: + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: User DN is \"%V\"", + &ctx->dn); + + if (ctx->server->require_user != NULL) { + rc = ngx_http_auth_ldap_check_user(r, ctx); + if (rc != NGX_OK) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Not ok", &ctx->dn); + /* User check failed, try next server */ + ctx->phase = PHASE_NEXT; + break; + } + } + + /* User not yet fully authenticated, check group next */ + if ((ctx->outcome == OUTCOME_UNCERTAIN) && + (ctx->server->require_group != NULL)) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Moving to group check", &ctx->dn); + ctx->phase = PHASE_CHECK_GROUP; + ctx->iteration = 0; + break; + } + + /* No groups to validate, try binding next */ + ctx->phase = PHASE_CHECK_BIND; + ctx->iteration = 0; + break; + + case PHASE_CHECK_GROUP: + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "Checking group", &ctx->dn); + rc = ngx_http_auth_ldap_check_group(r, ctx); + if (rc == NGX_AGAIN) { + /* LDAP operation in progress, wait for the results */ + return NGX_AGAIN; + } + if (rc != NGX_OK) { + /* Group check failed, try next server */ + ctx->phase = PHASE_NEXT; + break; + } + + /* Groups validated, try binding next */ + ctx->phase = PHASE_CHECK_BIND; + ctx->iteration = 0; + break; + + case PHASE_CHECK_BIND: + + if (ctx->outcome == OUTCOME_UNCERTAIN) { + /* If we're still uncertain when satisfy is 'any' and there + * is at least one require user/group rule, it means no + * rule has matched. + */ + if ((ctx->server->satisfy_all == 0) && ( + (ctx->server->require_user != NULL) || + (ctx->server->require_group != NULL))){ + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: no requirement satisfied"); + ctx->outcome = OUTCOME_DENY; + ctx->phase = PHASE_NEXT; + /*rc = NGX_DECLINED;*/ + break; + } else { + /* So far so good */ + ctx->outcome = OUTCOME_ALLOW; + } + } + + /* Initiate bind using the found DN and request password */ + rc = ngx_http_auth_ldap_check_bind(r, ctx); + if (rc == NGX_AGAIN) { + /* LDAP operation in progress, wait for the result */ + return NGX_AGAIN; + } + + /* All steps done, finish the processing */ + ctx->phase = PHASE_REBIND; + ctx->iteration = 0; + break; + + case PHASE_REBIND: + /* Initiate bind using the found DN and request password */ + rc = ngx_http_auth_ldap_recover_bind(r, ctx); + if (rc == NGX_AGAIN) { + /* LDAP operation in progress, wait for the result */ + return NGX_AGAIN; + } + + /* All steps done, finish the processing */ + ctx->phase = PHASE_NEXT; + break; + + case PHASE_NEXT: + if (r->connection->write->timer_set) { + ngx_del_timer(r->connection->write); + } + + if (ctx->c != NULL) { + ngx_http_auth_ldap_return_connection(ctx->c); + } + + if (ngx_http_auth_ldap_cache.buckets != NULL && + (ctx->outcome == OUTCOME_DENY || ctx->outcome == OUTCOME_ALLOW)) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Caching outcome %d", ctx->outcome); + ngx_http_auth_ldap_update_cache(ctx, &ngx_http_auth_ldap_cache, ctx->outcome); + } + + if (ctx->outcome == OUTCOME_ALLOW || ctx->outcome == OUTCOME_CACHED_ALLOW) { + return NGX_OK; + } + + ctx->server_index++; + if (ctx->server_index >= conf->servers->nelts) { + return ngx_http_auth_ldap_set_realm(r, &conf->realm); + } + + ctx->phase = PHASE_START; + break; + } + } +} + +static ngx_int_t +ngx_http_auth_ldap_search(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + LDAPURLDesc *ludpp; + u_char *filter; + char *attrs[2]; + ngx_int_t rc; + + /* On the first call, initiate the LDAP search operation */ + if (ctx->iteration == 0) { + if (!ngx_http_auth_ldap_get_connection(ctx)) { + return NGX_AGAIN; + } + + ludpp = ctx->server->ludpp; + filter = ngx_pcalloc( + r->pool, + (ludpp->lud_filter != NULL ? ngx_strlen(ludpp->lud_filter) : ngx_strlen("(objectClass=*)")) + + ngx_strlen("(&(=))") + ngx_strlen(ludpp->lud_attrs[0]) + r->headers_in.user.len + 1); + ngx_sprintf(filter, "(&%s(%s=%V))%Z", + ludpp->lud_filter != NULL ? ludpp->lud_filter : "(objectClass=*)", + ludpp->lud_attrs[0], &r->headers_in.user); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Search filter is \"%s\"", + (const char *) filter); + + attrs[0] = LDAP_NO_ATTRS; + attrs[1] = NULL; + + rc = ldap_search_ext(ctx->c->ld, ludpp->lud_dn, ludpp->lud_scope, (const char *) filter, attrs, 0, NULL, NULL, NULL, 0, &ctx->c->msgid); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_search_ext() failed (%d, %s)", + rc, ldap_err2string(rc)); + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: ldap_search_ext() -> msgid=%d", + ctx->c->msgid); + ctx->c->state = STATE_SEARCHING; + ctx->iteration++; + return NGX_AGAIN; + } + + /* On the second call, handle the search results */ + if (ctx->error_code != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_search_ext() request failed (%d: %s)", + ctx->error_code, ldap_err2string(ctx->error_code)); + return NGX_ERROR; + } + + if (ctx->dn.data == NULL) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: Could not find user DN"); + return NGX_ERROR; + } + + return NGX_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_check_user(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + ngx_http_complex_value_t *values; + ngx_uint_t i; + + values = ctx->server->require_user->elts; + for (i = 0; i < ctx->server->require_user->nelts; i++) { + ngx_str_t val; + if (ngx_http_complex_value(r, &values[i], &val) != NGX_OK) { + ctx->outcome = OUTCOME_ERROR; + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Comparing user DN with \"%V\"", &val); + if (val.len == ctx->dn.len && ngx_memcmp(val.data, ctx->dn.data, val.len) == 0) { + if (ctx->server->satisfy_all == 0) { + ctx->outcome = OUTCOME_ALLOW; + return NGX_OK; + } + } else { + if (ctx->server->satisfy_all == 1) { + ctx->outcome = OUTCOME_DENY; + return NGX_DECLINED; + } + } + } + + return NGX_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + ngx_http_complex_value_t *values; + struct berval bvalue; + ngx_int_t rc; + + /* Handle result of the comparison started during previous call */ + if (ctx->iteration > 0) { + if (ctx->error_code == LDAP_COMPARE_TRUE) { + if (ctx->server->satisfy_all == 0) { + ctx->outcome = OUTCOME_ALLOW; + return NGX_OK; + } + } else if (ctx->error_code == LDAP_COMPARE_FALSE || ctx->error_code == LDAP_NO_SUCH_ATTRIBUTE || ctx->error_code == LDAP_NO_SUCH_OBJECT) { + if (ctx->server->satisfy_all == 1) { + ctx->outcome = OUTCOME_DENY; + return NGX_DECLINED; + } + } else { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_compare_ext() request failed (%d: %s)", + ctx->error_code, ldap_err2string(ctx->error_code)); + return NGX_ERROR; + } + } + + /* Check next group */ + if (ctx->iteration >= ctx->server->require_group->nelts) { + /* No more groups */ + return NGX_OK; + } + + if (!ngx_http_auth_ldap_get_connection(ctx)) { + return NGX_AGAIN; + } + + ngx_str_t val; + values = ctx->server->require_group->elts; + if (ngx_http_complex_value(r, &values[ctx->iteration], &val) != NGX_OK) { + ctx->outcome = OUTCOME_ERROR; + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + if (ctx->server->group_attribute_dn == 1) { + bvalue.bv_val = (char*) ctx->dn.data; + bvalue.bv_len = ctx->dn.len; + } else { + bvalue.bv_val = (char*) r->headers_in.user.data; + bvalue.bv_len = r->headers_in.user.len; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Comparing user group with \"%V\"", &val); + + if (ctx->server->group_attribute.data == NULL) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: group_attribute.data is \"%V\" so calling a failure here", &ctx->server->group_attribute.data); + rc = !LDAP_SUCCESS; + } else { + rc = ldap_compare_ext(ctx->c->ld, (const char *) val.data, (const char *) ctx->server->group_attribute.data, + &bvalue, NULL, NULL, &ctx->c->msgid); + } + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_compare_ext() failed (%d: %s)", + rc, ldap_err2string(rc)); + ctx->outcome = OUTCOME_ERROR; + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: ldap_compare_ext() -> msgid=%d", + ctx->c->msgid); + ctx->c->state = STATE_COMPARING; + ctx->iteration++; + return NGX_AGAIN; +} + +/** + * Initiate and handle a bind operation using the authentication parameters + */ +static ngx_int_t +ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + struct berval cred; + ngx_int_t rc; + + /* On the first call, initiate the bind LDAP operation */ + if (ctx->iteration == 0) { + if (!ngx_http_auth_ldap_get_connection(ctx)) { + return NGX_AGAIN; + } + + cred.bv_val = (char *) r->headers_in.passwd.data; + cred.bv_len = r->headers_in.passwd.len; + rc = ldap_sasl_bind(ctx->c->ld, (const char *) ctx->dn.data, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &ctx->c->msgid); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)", + rc, ldap_err2string(rc)); + ctx->outcome = OUTCOME_ERROR; + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", + ctx->c->msgid); + ctx->c->state = STATE_BINDING; + ctx->iteration++; + + return NGX_AGAIN; + } + + /* On the second call, process the operation result */ + if (ctx->error_code != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: User bind failed (%d: %s)", + ctx->error_code, ldap_err2string(ctx->error_code)); + ctx->outcome = OUTCOME_DENY; + } else { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: User bind successful"); + ctx->outcome = OUTCOME_ALLOW; + } + return NGX_OK; +} + +static ngx_int_t +ngx_http_auth_ldap_recover_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx) +{ + struct berval cred; + ngx_int_t rc; + + /* On the first call, initiate the bind LDAP operation */ + if (ctx->iteration == 0) { + if (!ngx_http_auth_ldap_get_connection(ctx)) { + return NGX_AGAIN; + } + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Rebinding to binddn"); + cred.bv_val = (char *) ctx->server->bind_dn_passwd.data; + cred.bv_len = ctx->server->bind_dn_passwd.len; + rc = ldap_sasl_bind(ctx->c->ld, (const char *) ctx->server->bind_dn.data, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &ctx->c->msgid); + if (rc != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)", + rc, ldap_err2string(rc)); + ctx->outcome = OUTCOME_ERROR; + ngx_http_auth_ldap_return_connection(ctx->c); + return NGX_ERROR; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", + ctx->c->msgid); + ctx->c->state = STATE_BINDING; + ctx->iteration++; + return NGX_AGAIN; + } + + /* On the second call, process the operation result */ + if (ctx->error_code != LDAP_SUCCESS) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: binddn bind failed (%d: %s)", + ctx->error_code, ldap_err2string(ctx->error_code)); + } else { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: binddn bind successful"); + } + return NGX_OK; +} | ||