diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c
index 6df34e4e..35d6ffa8 100644
--- a/src/sec-mod-auth.c
+++ b/src/sec-mod-auth.c
@@ -217,7 +217,7 @@ static int check_user_group_status(sec_mod_st * sec, client_entry_st * e,
 snprintf(e->username, sizeof(e->username), "%s", cert_user);
- if (cert_groups_size > 0 && sec->config->cert_group_oid != NULL)
+ if (cert_groups_size > 0 && sec->config->cert_group_oid != NULL && e->groupname[0] == 0)
 snprintf(e->groupname, sizeof(e->groupname), "%s", cert_groups[0]);
 } else {
@@ -473,7 +473,7 @@ int handle_sec_auth_init(sec_mod_st * sec, const SecAuthInitMsg * req)
 }
 e->status = PS_AUTH_INIT;
- seclog(LOG_DEBUG, "auth init for user '%s' from '%s'", e->username, req->ip);
+ seclog(LOG_DEBUG, "auth init for user '%s' (group: '%s') from '%s'", e->username, e->groupname, req->ip);
 if (sec->config->auth_types & AUTH_TYPE_USERNAME_PASS) {
 ret = ERR_AUTH_CONTINUE;
diff --git a/src/worker-auth.c b/src/worker-auth.c
index dc3869ae..16f83328 100644
--- a/src/worker-auth.c
+++ b/src/worker-auth.c
@@ -61,50 +61,30 @@ static const char ocv3_success_msg_head[] =
 "\n";
-static const char oc_login_msg_user_start[] =
+static const char oc_login_msg_start[] =
 "\n" "\n" VERSION_MSG "\n"
- "Please enter your username\n"
- "
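Review bot: The added `e->groupname[0] == 0` makes a group name supplied by the client take precedence over the certificate's first group; unless the remainder of check_user_group_status (outside this hunk) verifies that e->groupname is one of cert_groups, a client could name a group its certificate does not carry, so that check should be confirmed before this lands. The new condition also depends silently on e->groupname having been filled in earlier, which nothing at this line says. A comment such as `/* a group already chosen by the client wins; fall back to the certificate's first group only when none was sent */` would make both dependencies explicit. The function starts and ends outside the hunk.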
\n" - "\n"; + "%s\n" + "\n"; -static const char oc_login_msg_user_end[] = +static const char oc_login_msg_end[] = "
\n" "
"; -static const char oc_login_msg_no_user_start[] = - "\n" - "\n" - VERSION_MSG - "\n" - ""; - -static const char oc_login_msg_no_user_end[] = - "\n" - "
\n" - "\n" - "
\n"; - -static const char ocv3_login_msg_user_start[] = - "\n" - "\n" - "Please enter your username\n" - "
\n" +static const char login_msg_user[] = "\n"; -static const char ocv3_login_msg_user_end[] = - "
\n"; +static const char login_msg_password[] = + "\n"; -static const char ocv3_login_msg_no_user_start[] = +static const char ocv3_login_msg_start[] = "\n" "\n" - ""; + "%s\n" + "
\n"; -static const char ocv3_login_msg_no_user_end[] = - "\n" - "\n" - "\n" +static const char ocv3_login_msg_end[] = "
\n";
 static int get_cert_info(worker_st * ws);
@@ -158,24 +138,18 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg)
 {
 int ret;
 char context[BASE64_LENGTH(SID_SIZE) + 1];
- char temp[128];
+ char temp[256];
 unsigned int i, j;
 str_st str;
- const char *login_msg_user_start;
- const char *login_msg_user_end;
- const char *login_msg_no_user_start;
- const char *login_msg_no_user_end;
+ const char *login_msg_start;
+ const char *login_msg_end;
 if (ws->req.user_agent_type == AGENT_OPENCONNECT_V3) {
- login_msg_user_start = ocv3_login_msg_user_start;
- login_msg_user_end = ocv3_login_msg_user_end;
- login_msg_no_user_start = ocv3_login_msg_no_user_start;
- login_msg_no_user_end = ocv3_login_msg_no_user_end;
+ login_msg_start = ocv3_login_msg_start;
+ login_msg_end = ocv3_login_msg_end;
 } else {
- login_msg_user_start = oc_login_msg_user_start;
- login_msg_user_end = oc_login_msg_user_end;
- login_msg_no_user_start = oc_login_msg_no_user_start;
- login_msg_no_user_end = oc_login_msg_no_user_end;
+ login_msg_start = oc_login_msg_start;
+ login_msg_end = oc_login_msg_end;
 }
 str_init(&str, ws);
@@ -214,19 +188,20 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg)
 if (pmsg == NULL)
 pmsg = "Please enter your password.";
- ret = str_append_str(&str, login_msg_no_user_start);
+ snprintf(temp, sizeof(temp), login_msg_start, pmsg);
+ ret = str_append_str(&str, temp);
 if (ret < 0) {
 ret = -1;
 goto cleanup;
 }
- ret = str_append_str(&str, pmsg);
+ ret = str_append_str(&str, login_msg_password);
 if (ret < 0) {
 ret = -1;
 goto cleanup;
 }
- ret = str_append_str(&str, login_msg_no_user_end);
+ ret = str_append_str(&str, login_msg_end);
 if (ret < 0) {
 ret = -1;
 goto cleanup;
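Review bot: `oc_login_msg_start` and `ocv3_login_msg_start` are now printf-style templates consumed by snprintf in get_auth_handler2 rather than plain text, but nothing at their definitions says so, so a later edit that adds a literal `%` to the XML would silently corrupt the response. A comment above each, `/* snprintf() template: the single %s receives the prompt text; a literal % must be written %% */`, records the contract, and the same comment could name `login_msg_user` / `login_msg_password` as the fragments meant to follow it. This is based on the `"%s\n"` lines that remain legible here; most of the string bodies are not readable in this rendering.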
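Review bot: The return value of `snprintf(temp, sizeof(temp), login_msg_start, pmsg)` is not checked, so a prompt that does not fit in the 256-byte `temp` (sized in hunk @@ -158) is truncated and the part of the template after `%s` is lost, yielding a response the client cannot parse; the snprintf in hunk @@ -234 has the same gap. Either reject truncation, `ret = snprintf(temp, sizeof(temp), login_msg_start, pmsg); if (ret < 0 || (size_t)ret >= sizeof(temp)) { ret = -1; goto cleanup; }`, or keep appending the template pieces with str_append_str as the old code did, which has no fixed limit. Passing the template through a variable also removes the compiler's format checking; a comment noting that login_msg_start can only be one of the two static constants above would reassure readers. get_auth_handler2 starts and ends outside this hunk.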
@@ -234,12 +209,21 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg)
 } else {
 /* ask for username and groups */
- ret = str_append_str(&str, login_msg_user_start);
+ snprintf(temp, sizeof(temp), login_msg_start, "Please enter your username");
+ ret = str_append_str(&str, temp);
 if (ret < 0) {
 ret = -1;
 goto cleanup;
 }
+ if (ws->config->auth_types & AUTH_TYPE_USERNAME_PASS) {
+ ret = str_append_str(&str, login_msg_user);
+ if (ret < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+ }
+
 if (ws->config->auth_types & AUTH_TYPE_CERTIFICATE && ws->cert_auth_ok != 0) {
 ret = get_cert_info(ws);
 if (ret < 0) {
@@ -325,7 +309,7 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg)
 }
 }
- ret = str_append_str(&str, login_msg_user_end);
+ ret = str_append_str(&str, login_msg_end);
 if (ret < 0) {
 ret = -1;
 goto cleanup;
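Review bot: The prompt `"Please enter your username"` is sent unconditionally, while the username input (`login_msg_user`) is now appended only when AUTH_TYPE_USERNAME_PASS is set; the new guard shows this branch is evidently reached without that flag, in which case the client is told to enter a username for a form that has no such field. Pick the prompt from the same condition, e.g. `snprintf(temp, sizeof(temp), login_msg_start, (ws->config->auth_types & AUTH_TYPE_USERNAME_PASS) ? "Please enter your username" : "Please select your group");` — assuming the group selector is built further down, which is outside this hunk. The enclosing `else` block and get_auth_handler2 continue past the hunk.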
@@ -1074,27 +1058,28 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
 if (ws->auth_state == S_AUTH_INACTIVE) {
 SecAuthInitMsg ireq = SEC_AUTH_INIT_MSG__INIT;
- if (ws->config->auth_types & AUTH_TYPE_USERNAME_PASS) {
+ ret = parse_reply(ws, req->body, req->body_length,
+ GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
+ GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
+ &groupname);
+ if (ret < 0) {
 ret = parse_reply(ws, req->body, req->body_length,
- GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
+ GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
 GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
 &groupname);
- if (ret < 0) {
- ret = parse_reply(ws, req->body, req->body_length,
- GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
- GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
- &groupname);
- }
+ }
- if (ret < 0) {
- oclog(ws, LOG_DEBUG, "failed reading groupname");
- } else if (ws->config->default_select_group == NULL ||
- strcmp(groupname, ws->config->default_select_group) != 0) {
- snprintf(ws->groupname, sizeof(ws->groupname), "%s",
- groupname);
- ireq.group_name = ws->groupname;
- }
- talloc_free(groupname);
+ if (ret < 0) {
+ oclog(ws, LOG_DEBUG, "failed reading groupname");
+ } else if (ws->config->default_select_group == NULL ||
+ strcmp(groupname, ws->config->default_select_group) != 0) {
+ snprintf(ws->groupname, sizeof(ws->groupname), "%s",
+ groupname);
+ ireq.group_name = ws->groupname;
+ }
+ talloc_free(groupname);
+
+ if (ws->config->auth_types & AUTH_TYPE_USERNAME_PASS) {
 ret = parse_reply(ws, req->body, req->body_length,
 USERNAME_FIELD, sizeof(USERNAME_FIELD)-1,
@@ -1127,6 +1112,11 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
 goto auth_fail;
 }
+ if (ws->cert_groups_size > 0 && ws->groupname[0] == 0) {
+ oclog(ws, LOG_DEBUG, "user haven't selected group");
+ goto ask_auth;
+ }
+
 ireq.tls_auth_ok = 1;
 ireq.cert_user_name = ws->cert_username;
 ireq.cert_group_names = ws->cert_groups;
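Review bot: When the reply carries no group, or only the `default_select_group` placeholder, `ws->groupname` is left untouched rather than cleared, yet the new check in hunk @@ -1127 reads `ws->groupname[0]` as "no group was selected in this request"; if ws->groupname survives from an earlier round of the same session (its lifetime is not visible here), a stale choice would satisfy that check. Clearing it before the lookup, `ws->groupname[0] = 0;` immediately ahead of the first parse_reply, ties the check to the current request. The `talloc_free(groupname)` on the failure path still relies on parse_reply leaving `groupname` NULL when it fails; a one-line comment saying so would spare the next reader the check. post_auth_handler starts and ends outside the hunk.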
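Review bot: The debug text `"user haven't selected group"` is ungrammatical; `oclog(ws, LOG_DEBUG, "user has not selected a group");` reads better in logs operators search through. The condition itself deserves a comment, because its intent only follows from reading it together with hunk @@ -1074: `/* the certificate carries groups but none was chosen: re-present the login form so the client picks one */`. post_auth_handler continues outside the hunk.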