Minor code formatting cleanup

main
Jiri Hruska 11 years ago
parent 1b6ee8e0c1
commit 16c3452ec0
  1. 116
      ngx_http_auth_ldap_module.c

@ -62,10 +62,10 @@ typedef struct {
} ngx_http_auth_ldap_loc_conf_t; } ngx_http_auth_ldap_loc_conf_t;
typedef struct { typedef struct {
uint32_t small_hash; /* murmur2 hash of username ^ &server */ uint32_t small_hash; /* murmur2 hash of username ^ &server */
uint32_t outcome; /* 0 = authentication failed, 1 = succeeded */ uint32_t outcome; /* 0 = authentication failed, 1 = succeeded */
ngx_msec_t time; /* ngx_current_msec when created */ ngx_msec_t time; /* ngx_current_msec when created */
u_char big_hash[16]; /* md5 hash of (username, server, password) */ u_char big_hash[16]; /* md5 hash of (username, server, password) */
} ngx_http_auth_ldap_cache_elt_t; } ngx_http_auth_ldap_cache_elt_t;
typedef struct { typedef struct {
@ -240,31 +240,30 @@ ngx_http_auth_ldap_ldap_server_block(ngx_conf_t *cf, ngx_command_t *cmd, void *c
static char * static char *
ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf) ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
{ {
char *rv; char *rv;
ngx_str_t *value; ngx_str_t *value;
ngx_http_auth_ldap_server_t *server;
ngx_http_auth_ldap_server_t *server;
ngx_http_auth_ldap_main_conf_t *cnf = conf; ngx_http_auth_ldap_main_conf_t *cnf = conf;
// It should be safe to just use latest server from array /* It should be safe to just use latest server from array */
server = ((ngx_http_auth_ldap_server_t*)cnf->servers->elts + (cnf->servers->nelts - 1)); server = ((ngx_http_auth_ldap_server_t *) cnf->servers->elts + (cnf->servers->nelts - 1));
value = cf->args->elts; value = cf->args->elts;
// TODO: Add more validation /* TODO: Add more validation */
if (ngx_strcmp(value[0].data, "url") == 0) { if (ngx_strcmp(value[0].data, "url") == 0) {
return ngx_http_auth_ldap_parse_url(cf, server); return ngx_http_auth_ldap_parse_url(cf, server);
} else if(ngx_strcmp(value[0].data, "binddn") == 0) { } else if (ngx_strcmp(value[0].data, "binddn") == 0) {
server->bind_dn = value[1]; server->bind_dn = value[1];
} else if(ngx_strcmp(value[0].data, "binddn_passwd") == 0) { } else if (ngx_strcmp(value[0].data, "binddn_passwd") == 0) {
server->bind_dn_passwd = value[1]; server->bind_dn_passwd = value[1];
} else if(ngx_strcmp(value[0].data, "group_attribute") == 0) { } else if (ngx_strcmp(value[0].data, "group_attribute") == 0) {
server->group_attribute = value[1]; server->group_attribute = value[1];
} else if(ngx_strcmp(value[0].data, "group_attribute_is_dn") == 0 && ngx_strcmp(value[1].data, "on") == 0) { } else if (ngx_strcmp(value[0].data, "group_attribute_is_dn") == 0 && ngx_strcmp(value[1].data, "on") == 0) {
server->group_attribute_dn = 1; server->group_attribute_dn = 1;
} else if(ngx_strcmp(value[0].data, "require") == 0) { } else if (ngx_strcmp(value[0].data, "require") == 0) {
return ngx_http_auth_ldap_parse_require(cf, server); return ngx_http_auth_ldap_parse_require(cf, server);
} else if(ngx_strcmp(value[0].data, "satisfy") == 0) { } else if (ngx_strcmp(value[0].data, "satisfy") == 0) {
return ngx_http_auth_ldap_parse_satisfy(cf, server); return ngx_http_auth_ldap_parse_satisfy(cf, server);
} }
@ -277,8 +276,8 @@ ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
* Parse auth_ldap directive * Parse auth_ldap directive
*/ */
static char * static char *
ngx_http_auth_ldap(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_auth_ldap(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_str_t *value = cf->args->elts; ngx_str_t *value = cf->args->elts;
ngx_http_auth_ldap_loc_conf_t *cnf = conf; ngx_http_auth_ldap_loc_conf_t *cnf = conf;
u_char *p; u_char *p;
@ -305,8 +304,8 @@ ngx_http_auth_ldap(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
* Parse auth_ldap_servers directive * Parse auth_ldap_servers directive
*/ */
static char * static char *
ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_http_auth_ldap_loc_conf_t *cnf; ngx_http_auth_ldap_loc_conf_t *cnf;
ngx_http_auth_ldap_main_conf_t *mconf; ngx_http_auth_ldap_main_conf_t *mconf;
ngx_http_auth_ldap_server_t *server, *s, **target; ngx_http_auth_ldap_server_t *server, *s, **target;
@ -356,14 +355,14 @@ ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
* Parse URL conf parameter * Parse URL conf parameter
*/ */
static char * static char *
ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) { ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server)
{
ngx_str_t *value; ngx_str_t *value;
u_char *p; u_char *p;
value = cf->args->elts;
server->url = *value; value = cf->args->elts;
int rc = ldap_url_parse((const char*) value[1].data, &server->ludpp); int rc = ldap_url_parse((const char *) value[1].data, &server->ludpp);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
switch (rc) { switch (rc) {
case LDAP_URL_ERR_MEM: case LDAP_URL_ERR_MEM:
@ -414,7 +413,7 @@ ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
server->url.len = ngx_strlen(server->ludpp->lud_scheme) + ngx_strlen(server->ludpp->lud_host) + 11; // 11 = len("://:/") + len("65535") + len("\0") server->url.len = ngx_strlen(server->ludpp->lud_scheme) + ngx_strlen(server->ludpp->lud_host) + 11; /* 11 = len("://:/") + len("65535") + len("\0") */
server->url.data = ngx_pcalloc(cf->pool, server->url.len); server->url.data = ngx_pcalloc(cf->pool, server->url.len);
p = ngx_sprintf(server->url.data, "%s://%s:%d/", (const char*) server->ludpp->lud_scheme, p = ngx_sprintf(server->url.data, "%s://%s:%d/", (const char*) server->ludpp->lud_scheme,
(const char*) server->ludpp->lud_host, server->ludpp->lud_port); (const char*) server->ludpp->lud_host, server->ludpp->lud_port);
@ -427,8 +426,8 @@ ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server
* Parse "require" conf parameter * Parse "require" conf parameter
*/ */
static char * static char *
ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) { ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server)
{
ngx_str_t *value; ngx_str_t *value;
ngx_http_complex_value_t* target = NULL; ngx_http_complex_value_t* target = NULL;
ngx_http_compile_complex_value_t ccv; ngx_http_compile_complex_value_t ccv;
@ -481,7 +480,8 @@ ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *se
* Parse "satisfy" conf parameter * Parse "satisfy" conf parameter
*/ */
static char * static char *
ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server) { ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server)
{
ngx_str_t *value; ngx_str_t *value;
value = cf->args->elts; value = cf->args->elts;
@ -495,7 +495,7 @@ ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *se
return NGX_CONF_OK; return NGX_CONF_OK;
} }
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "Incorrect value for auth_ldap_satisfy "); ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "Incorrect value for auth_ldap_satisfy");
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
@ -554,7 +554,8 @@ ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent)
* Create location conf * Create location conf
*/ */
static void * static void *
ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *cf) { ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *cf)
{
ngx_http_auth_ldap_loc_conf_t *conf; ngx_http_auth_ldap_loc_conf_t *conf;
conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_ldap_loc_conf_t)); conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_ldap_loc_conf_t));
if (conf == NULL) { if (conf == NULL) {
@ -569,7 +570,8 @@ ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *cf) {
* Merge location conf * Merge location conf
*/ */
static char * static char *
ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) { ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
ngx_http_auth_ldap_loc_conf_t *prev = parent; ngx_http_auth_ldap_loc_conf_t *prev = parent;
ngx_http_auth_ldap_loc_conf_t *conf = child; ngx_http_auth_ldap_loc_conf_t *conf = child;
@ -601,7 +603,9 @@ ngx_http_auth_ldap_init_worker(ngx_cycle_t *cycle)
/** /**
* Init module and add ldap auth handler to NGX_HTTP_ACCESS_PHASE * Init module and add ldap auth handler to NGX_HTTP_ACCESS_PHASE
*/ */
static ngx_int_t ngx_http_auth_ldap_init(ngx_conf_t *cf) { static ngx_int_t
ngx_http_auth_ldap_init(ngx_conf_t *cf)
{
ngx_http_handler_pt *h; ngx_http_handler_pt *h;
ngx_http_core_main_conf_t *cmcf; ngx_http_core_main_conf_t *cmcf;
@ -669,7 +673,7 @@ ngx_http_auth_ldap_check_cache(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *
ngx_msec_t time_limit; ngx_msec_t time_limit;
ngx_uint_t i; ngx_uint_t i;
ctx->cache_small_hash = ngx_murmur_hash2(r->headers_in.user.data, r->headers_in.user.len) ^ (uint32_t)(ngx_uint_t)server; ctx->cache_small_hash = ngx_murmur_hash2(r->headers_in.user.data, r->headers_in.user.len) ^ (uint32_t) (ngx_uint_t) server;
ngx_md5_init(&md5ctx); ngx_md5_init(&md5ctx);
ngx_md5_update(&md5ctx, r->headers_in.user.data, r->headers_in.user.len); ngx_md5_update(&md5ctx, r->headers_in.user.data, r->headers_in.user.len);
@ -719,7 +723,9 @@ ngx_http_auth_ldap_update_cache(ngx_http_auth_ldap_ctx_t *ctx,
/** /**
* Respond with "403 Forbidden" and add correct headers * Respond with "403 Forbidden" and add correct headers
*/ */
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) { static ngx_int_t
ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm)
{
r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers);
if (r->headers_out.www_authenticate == NULL) { if (r->headers_out.www_authenticate == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
@ -736,7 +742,9 @@ static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *
/** /**
* LDAP Authentication handler * LDAP Authentication handler
*/ */
static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r) { static ngx_int_t
ngx_http_auth_ldap_handler(ngx_http_request_t *r)
{
ngx_http_auth_ldap_loc_conf_t *alcf; ngx_http_auth_ldap_loc_conf_t *alcf;
ngx_http_auth_ldap_ctx_t *ctx; ngx_http_auth_ldap_ctx_t *ctx;
int rc; int rc;
@ -756,7 +764,8 @@ static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r) {
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
} }
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP username: %V", &r->headers_in.user); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP username: %V",
&r->headers_in.user);
if (r->headers_in.passwd.len == 0) if (r->headers_in.passwd.len == 0)
{ {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP password is empty"); ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP password is empty");
@ -776,9 +785,10 @@ static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r) {
/** /**
* Read user credentials from request, set LDAP parameters and call authentication against required servers * Read user credentials from request, set LDAP parameters and call authentication against required servers
*/ */
static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, static ngx_int_t
ngx_http_auth_ldap_loc_conf_t *conf) { ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx,
ngx_http_auth_ldap_loc_conf_t *conf)
{
ngx_http_auth_ldap_server_t *server; ngx_http_auth_ldap_server_t *server;
int rc; int rc;
ngx_uint_t i; ngx_uint_t i;
@ -787,7 +797,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
int reqcert = LDAP_OPT_X_TLS_ALLOW; int reqcert = LDAP_OPT_X_TLS_ALLOW;
struct timeval timeOut = { 10, 0 }; struct timeval timeOut = { 10, 0 };
/// Set LDAP version to 3 and set connection timeout. /* Set LDAP version to 3 and set connection timeout. */
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version); ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &timeOut); ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &timeOut);
@ -832,8 +842,8 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
* Actual authentication against LDAP server * Actual authentication against LDAP server
*/ */
static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server, static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server,
ngx_http_auth_ldap_loc_conf_t *conf) { ngx_http_auth_ldap_loc_conf_t *conf)
{
LDAPURLDesc *ludpp = server->ludpp; LDAPURLDesc *ludpp = server->ludpp;
int rc; int rc;
LDAP *ld; LDAP *ld;
@ -861,25 +871,25 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
} }
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL);
/// Bind to the server /* Bind to the server */
rc = ldap_simple_bind_s(ld, (const char *) server->bind_dn.data, (const char *) server->bind_dn_passwd.data); rc = ldap_simple_bind_s(ld, (const char *) server->bind_dn.data, (const char *) server->bind_dn_passwd.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP [%s]: ldap_simple_bind_s error: %d, %s", server->url.data, rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP [%s]: ldap_simple_bind_s error: %d, %s", server->url.data, rc,
ldap_err2string(rc)); ldap_err2string(rc));
ldap_unbind_s(ld); ldap_unbind_s(ld);
// Do not throw 500 in case connection failure, multiple servers might be used for failover scenario /* Do not throw 500 in case connection failure, multiple servers might be used for failover scenario */
return 0; return 0;
} }
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Bind successful", NULL); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Bind successful", NULL);
if (server->require_valid_user_dn.value.data != NULL) { if (server->require_valid_user_dn.value.data != NULL) {
// Construct user DN /* Construct user DN */
if (ngx_http_complex_value(r, &server->require_valid_user_dn, &dn) != NGX_OK) { if (ngx_http_complex_value(r, &server->require_valid_user_dn, &dn) != NGX_OK) {
ldap_unbind_s(ld); ldap_unbind_s(ld);
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
} }
} else { } else {
/// Create filter for search users by uid /* Create filter for search users by uid */
filter = ngx_pcalloc( filter = ngx_pcalloc(
r->pool, r->pool,
(ludpp->lud_filter != NULL ? ngx_strlen(ludpp->lud_filter) : ngx_strlen("(objectClass=*)")) + (ludpp->lud_filter != NULL ? ngx_strlen(ludpp->lud_filter) : ngx_strlen("(objectClass=*)")) +
@ -891,7 +901,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
*p = 0; *p = 0;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter);
/// Search the directory /* Search the directory */
rc = ldap_search_ext_s(ld, ludpp->lud_dn, ludpp->lud_scope, (const char*) filter, NULL, 0, NULL, NULL, &timeOut, 0, rc = ldap_search_ext_s(ld, ludpp->lud_dn, ludpp->lud_scope, (const char*) filter, NULL, 0, NULL, NULL, &timeOut, 0,
&searchResult); &searchResult);
@ -918,7 +928,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN %V", &dn); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN %V", &dn);
/// Check require user /* Check require user */
if (server->require_user != NULL) { if (server->require_user != NULL) {
value = server->require_user->elts; value = server->require_user->elts;
for (i = 0; i < server->require_user->nelts; i++) { for (i = 0; i < server->require_user->nelts; i++) {
@ -945,7 +955,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
} }
} }
/// Check require group /* Check require group */
if (server->require_group != NULL) { if (server->require_group != NULL) {
if (server->group_attribute_dn == 1) { if (server->group_attribute_dn == 1) {
bvalue.bv_val = (char*) dn.data; bvalue.bv_val = (char*) dn.data;
@ -965,7 +975,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
} }
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: group compare with: %V", &val); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: group compare with: %V", &val);
rc = ldap_compare_ext_s(ld, (const char*) val.data, (const char*) server->group_attribute.data, rc = ldap_compare_ext_s(ld, (const char *) val.data, (const char *) server->group_attribute.data,
&bvalue, NULL, NULL); &bvalue, NULL, NULL);
/*if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE && rc != LDAP_NO_SUCH_ATTRIBUTE) { /*if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE && rc != LDAP_NO_SUCH_ATTRIBUTE) {
@ -990,9 +1000,9 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
} }
} }
/// Check valid user /* Check valid user */
if (pass != 0 || (server->require_valid_user == 1 && server->satisfy_all == 0 && pass == 0)) { if (pass != 0 || (server->require_valid_user == 1 && server->satisfy_all == 0 && pass == 0)) {
/// Bind user to the server /* Bind user to the server */
rc = ldap_simple_bind_s(ld, (const char *) dn.data, (const char *) r->headers_in.passwd.data); rc = ldap_simple_bind_s(ld, (const char *) dn.data, (const char *) r->headers_in.passwd.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc,

Loading…
Cancel
Save