search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[mod_openssl] remove erroneous SSL_set_shutdown()
[lighttpd.git] / src / mod_vhostdb_ldap.c
blob98f7c0725ea53735c3cbf6371a3e98bb6ea47c56
1 #include "first.h"
2
3 #include <ldap.h>
4
5 #include <errno.h>
6 #include <string.h>
7 #include <stdlib.h>
8
9 #include "base.h"
10 #include "http_vhostdb.h"
11 #include "log.h"
12 #include "plugin.h"
13
14 /*
15 * virtual host plugin using LDAP for domain to directory lookups
16 */
17
18 typedef struct {
19 LDAP *ldap;
20 buffer *filter;
21
22 const char *attr;
23 const char *host;
24 const char *basedn;
25 const char *binddn;
26 const char *bindpw;
27 const char *cafile;
28 unsigned short starttls;
29 } vhostdb_config;
30
31 typedef struct {
32 void *vdata;
33 array *options;
34 } plugin_config;
35
36 typedef struct {
37 PLUGIN_DATA;
38 plugin_config **config_storage;
39 plugin_config conf;
40 } plugin_data;
41
42 static void mod_vhostdb_dbconf_free (void *vdata)
43 {
44 vhostdb_config *dbconf = (vhostdb_config *)vdata;
45 if (!dbconf) return;
46 if (NULL != dbconf->ldap) ldap_unbind_ext_s(dbconf->ldap, NULL, NULL);
47 free(dbconf);
48 }
49
50 static int mod_vhostdb_dbconf_setup (server *srv, array *opts, void **vdata)
51 {
52 buffer *filter = NULL;
53 const char *attr = "documentRoot";
54 const char *basedn=NULL,*binddn=NULL,*bindpw=NULL,*host=NULL,*cafile=NULL;
55 unsigned short starttls = 0;
56
57 for (size_t i = 0; i < opts->used; ++i) {
58 const data_string *ds = (data_string *)opts->data[i];
59 if (ds->type == TYPE_STRING) {
60 if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("filter"))) {
61 filter = ds->value;
62 } else if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("attr"))) {
63 if (!buffer_string_is_empty(ds->value)) attr = ds->value->ptr;
64 } else if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("host"))) {
65 host = ds->value->ptr;
66 } else if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("base-dn"))) {
67 if (!buffer_string_is_empty(ds->value)) basedn = ds->value->ptr;
68 } else if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("bind-dn"))) {
69 if (!buffer_string_is_empty(ds->value)) binddn = ds->value->ptr;
70 } else if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("bind-pw"))) {
71 bindpw = ds->value->ptr;
72 } else if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("ca-file"))) {
73 if (!buffer_string_is_empty(ds->value)) cafile = ds->value->ptr;
74 } else if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("starttls"))) {
75 starttls = !buffer_is_equal_string(ds->value, CONST_STR_LEN("disable"))
76 && !buffer_is_equal_string(ds->value, CONST_STR_LEN("0"));
77 }
78 }
79 }
80
81 /* required:
82 * - host
83 * - filter (LDAP query)
84 * - base-dn
85 *
86 * optional:
87 * - attr (LDAP attribute with docroot; default "documentRoot")
88 * - bind-dn
89 * - bind-pw
90 * - ca-file
91 * - starttls
92 */
93
94 if (!buffer_string_is_empty(filter) && NULL != host && NULL != basedn) {
95 vhostdb_config *dbconf;
96
97 if (NULL == strchr(filter->ptr, '?')) {
98 log_error_write(srv, __FILE__, __LINE__, "s",
99 "ldap: filter is missing a replace-operator '?'");
100 return -1;
101 }
102
103 /* openldap sets FD_CLOEXEC on database socket descriptors
104 * (still race between creation of socket and fcntl FD_CLOEXEC)
105 * (YMMV with other LDAP client libraries) */
106
107 dbconf = (vhostdb_config *)calloc(1, sizeof(*dbconf));
108 dbconf->ldap = NULL;
109 dbconf->filter = filter;
110 dbconf->attr = attr;
111 dbconf->host = host;
112 dbconf->basedn = basedn;
113 dbconf->binddn = binddn;
114 dbconf->bindpw = bindpw;
115 dbconf->cafile = cafile;
116 dbconf->starttls = starttls;
117 *vdata = dbconf;
118 }
119 return 0;
120 }
121
122 /*
123 * Note: a large portion of the LDAP code is copied verbatim from mod_authn_ldap
124 * with only changes being use of vhostdb_config instead of plugin_config struct
125 * and (const char *) strings in vhostdb_config instead of (buffer *).
126 */
127
128 static void mod_authn_ldap_err(server *srv, const char *file, unsigned long line, const char *fn, int err)
129 {
130 log_error_write(srv,file,line,"sSss","ldap:",fn,":",ldap_err2string(err));
131 }
132
133 static void mod_authn_ldap_opt_err(server *srv, const char *file, unsigned long line, const char *fn, LDAP *ld)
134 {
135 int err;
136 ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err);
137 mod_authn_ldap_err(srv, file, line, fn, err);
138 }
139
140 static void mod_authn_append_ldap_filter_escape(buffer * const filter, const buffer * const raw) {
141 /* [RFC4515] 3. String Search Filter Definition
142 *
143 * [...]
144 *
145 * The <valueencoding> rule ensures that the entire filter string is a
146 * valid UTF-8 string and provides that the octets that represent the
147 * ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
148 * 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
149 * backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
150 * representing the value of the encoded octet.
151 *
152 * [...]
153 *
154 * As indicated by the <valueencoding> rule, implementations MUST escape
155 * all octets greater than 0x7F that are not part of a valid UTF-8
156 * encoding sequence when they generate a string representation of a
157 * search filter. Implementations SHOULD accept as input strings that
158 * are not valid UTF-8 strings. This is necessary because RFC 2254 did
159 * not clearly define the term "string representation" (and in
160 * particular did not mention that the string representation of an LDAP
161 * search filter is a string of UTF-8-encoded Unicode characters).
162 *
163 *
164 * https://www.ldap.com/ldap-filters
165 * Although not required, you may escape any other characters that you want
166 * in the assertion value (or substring component) of a filter. This may be
167 * accomplished by prefixing the hexadecimal representation of each byte of
168 * the UTF-8 encoding of the character to escape with a backslash character.
169 */
170 const char * const b = raw->ptr;
171 const size_t rlen = buffer_string_length(raw);
172 for (size_t i = 0; i < rlen; ++i) {
173 size_t len = i;
174 char *f;
175 do {
176 /* encode all UTF-8 chars with high bit set
177 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
178 if (((unsigned char *)b)[len] > 0x7f)
179 break;
180 switch (b[len]) {
181 default:
182 continue;
183 case '\0': case '(': case ')': case '*': case '\\':
184 break;
185 }
186 break;
187 } while (++len < rlen);
188 len -= i;
189
190 if (len) {
191 buffer_append_string_len(filter, b+i, len);
192 if ((i += len) == rlen) break;
193 }
194
195 /* escape * ( ) \ NUL ('\0') (and all UTF-8 chars with high bit set) */
196 buffer_string_prepare_append(filter, 3);
197 f = filter->ptr + buffer_string_length(filter);
198 f[0] = '\\';
199 f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
200 f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
201 buffer_commit(filter, 3);
202 }
203 }
204
205 static LDAP * mod_authn_ldap_host_init(server *srv, vhostdb_config *s) {
206 LDAP *ld;
207 int ret;
208
209 ld = ldap_init(s->host, LDAP_PORT);
210 if (NULL == ld) {
211 log_error_write(srv, __FILE__, __LINE__, "sss", "ldap:", "ldap_init():",
212 strerror(errno));
213 return NULL;
214 }
215
216 ret = LDAP_VERSION3;
217 ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ret);
218 if (LDAP_OPT_SUCCESS != ret) {
219 mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_set_options()", ret);
220 ldap_memfree(ld);
221 return NULL;
222 }
223
224 if (s->starttls) {
225 /* if no CA file is given, it is ok, as we will use encryption
226 * if the server requires a CAfile it will tell us */
227 if (s->cafile) {
228 ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, s->cafile);
229 if (LDAP_OPT_SUCCESS != ret) {
230 mod_authn_ldap_err(srv, __FILE__, __LINE__,
231 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)",
232 ret);
233 ldap_memfree(ld);
234 return NULL;
235 }
236 }
237
238 ret = ldap_start_tls_s(ld, NULL, NULL);
239 if (LDAP_OPT_SUCCESS != ret) {
240 mod_authn_ldap_err(srv,__FILE__,__LINE__,"ldap_start_tls_s()",ret);
241 ldap_memfree(ld);
242 return NULL;
243 }
244 }
245
246 return ld;
247 }
248
249 static int mod_authn_ldap_bind(server *srv, LDAP *ld, const char *dn, const char *pw) {
250 #if 0
251 struct berval creds;
252 int ret;
253
254 if (NULL != pw) {
255 *((const char **)&creds.bv_val) = pw; /*(cast away const)*/
256 creds.bv_len = strlen(pw);
257 } else {
258 creds.bv_val = NULL;
259 creds.bv_len = 0;
260 }
261
262 /* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */
263
264 ret = ldap_sasl_bind_s(ld,dn,LDAP_SASL_SIMPLE,&creds,NULL,NULL,NULL);
265 if (ret != LDAP_SUCCESS) {
266 mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_sasl_bind_s()", ret);
267 }
268 #else
269 int ret = ldap_simple_bind_s(ld, dn, pw);
270 if (ret != LDAP_SUCCESS) {
271 mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_simple_bind_s()",ret);
272 }
273 #endif
274
275 return ret;
276 }
277
278 static LDAPMessage * mod_authn_ldap_search(server *srv, vhostdb_config *s, char *base, char *filter) {
279 LDAPMessage *lm = NULL;
280 char *attrs[] = { LDAP_NO_ATTRS, NULL };
281 int ret;
282
283 /*
284 * 1. connect anonymously (if not already connected)
285 * (ldap connection is kept open unless connection-level error occurs)
286 * 2. issue search using filter
287 */
288
289 if (s->ldap != NULL) {
290 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
291 attrs, 0, NULL, NULL, NULL, 0, &lm);
292 if (LDAP_SUCCESS == ret) {
293 return lm;
294 } else if (LDAP_SERVER_DOWN != ret) {
295 /* try again (or initial request);
296 * ldap lib sometimes fails for the first call but reconnects */
297 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
298 attrs, 0, NULL, NULL, NULL, 0, &lm);
299 if (LDAP_SUCCESS == ret) {
300 return lm;
301 }
302 }
303
304 ldap_unbind_ext_s(s->ldap, NULL, NULL);
305 }
306
307 s->ldap = mod_authn_ldap_host_init(srv, s);
308 if (NULL == s->ldap) {
309 return NULL;
310 }
311
312 ret = mod_authn_ldap_bind(srv, s->ldap, s->binddn, s->bindpw);
313 if (LDAP_SUCCESS != ret) {
314 ldap_memfree(s->ldap);
315 s->ldap = NULL;
316 return NULL;
317 }
318
319 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
320 attrs, 0, NULL, NULL, NULL, 0, &lm);
321 if (LDAP_SUCCESS != ret) {
322 log_error_write(srv, __FILE__, __LINE__, "sSss",
323 "ldap:", ldap_err2string(ret), "; filter:", filter);
324 ldap_unbind_ext_s(s->ldap, NULL, NULL);
325 s->ldap = NULL;
326 return NULL;
327 }
328
329 return lm;
330 }
331
332 static void mod_vhostdb_patch_connection (server *srv, connection *con, plugin_data *p);
333
334 static int mod_vhostdb_ldap_query(server *srv, connection *con, void *p_d, buffer *docroot)
335 {
336 plugin_data *p = (plugin_data *)p_d;
337 vhostdb_config *dbconf;
338 LDAP *ld;
339 LDAPMessage *lm, *first;
340 struct berval **vals;
341 int count;
342 char *basedn;
343 buffer *template;
344
345 /*(reuse buffer for ldap query before generating docroot result)*/
346 buffer *filter = docroot;
347 buffer_string_set_length(filter, 0); /*(also resets docroot (alias))*/
348
349 mod_vhostdb_patch_connection(srv, con, p);
350 if (NULL == p->conf.vdata) return 0; /*(after resetting docroot)*/
351 dbconf = (vhostdb_config *)p->conf.vdata;
352
353 template = dbconf->filter;
354 for (char *b = template->ptr, *d; *b; b = d+1) {
355 if (NULL != (d = strchr(b, '?'))) {
356 buffer_append_string_len(filter, b, (size_t)(d - b));
357 mod_authn_append_ldap_filter_escape(filter, con->uri.authority);
358 } else {
359 d = template->ptr + buffer_string_length(template);
360 buffer_append_string_len(filter, b, (size_t)(d - b));
361 break;
362 }
363 }
364
365 /* (cast away const for poor LDAP ldap_search_ext_s() prototype) */
366 *(const char **)&basedn = dbconf->basedn;
367
368 /* ldap_search (synchronous; blocking) */
369 lm = mod_authn_ldap_search(srv, dbconf, basedn, filter->ptr);
370 if (NULL == lm) {
371 return -1;
372 }
373
374 /*(must be after mod_authn_ldap_search(); might reconnect)*/
375 ld = dbconf->ldap;
376
377 count = ldap_count_entries(ld, lm);
378 if (count > 1) {
379 log_error_write(srv, __FILE__, __LINE__, "ssb",
380 "ldap:", "more than one record returned. "
381 "you might have to refine the filter:", filter);
382 }
383
384 buffer_string_set_length(docroot, 0); /*(reset buffer to store result)*/
385
386 if (0 == count) { /*(no entries found)*/
387 ldap_msgfree(lm);
388 return 0;
389 }
390
391 if (NULL == (first = ldap_first_entry(ld, lm))) {
392 mod_authn_ldap_opt_err(srv,__FILE__,__LINE__,"ldap_first_entry()",ld);
393 ldap_msgfree(lm);
394 return -1;
395 }
396
397 if (NULL != (vals = ldap_get_values_len(ld, first, dbconf->attr))) {
398 buffer_copy_string_len(docroot, vals[0]->bv_val, vals[0]->bv_len);
399 ldap_value_free_len(vals);
400 }
401
402 ldap_msgfree(lm);
403 return 0;
404 }
405
406
407
408
409 INIT_FUNC(mod_vhostdb_init) {
410 static http_vhostdb_backend_t http_vhostdb_backend_ldap =
411 { "ldap", mod_vhostdb_ldap_query, NULL };
412 plugin_data *p = calloc(1, sizeof(*p));
413
414 /* register http_vhostdb_backend_ldap */
415 http_vhostdb_backend_ldap.p_d = p;
416 http_vhostdb_backend_set(&http_vhostdb_backend_ldap);
417
418 return p;
419 }
420
421 FREE_FUNC(mod_vhostdb_cleanup) {
422 plugin_data *p = p_d;
423 if (!p) return HANDLER_GO_ON;
424
425 if (p->config_storage) {
426 for (size_t i = 0; i < srv->config_context->used; i++) {
427 plugin_config *s = p->config_storage[i];
428 if (!s) continue;
429 mod_vhostdb_dbconf_free(s->vdata);
430 array_free(s->options);
431 free(s);
432 }
433 free(p->config_storage);
434 }
435 free(p);
436
437 UNUSED(srv);
438 return HANDLER_GO_ON;
439 }
440
441 SETDEFAULTS_FUNC(mod_vhostdb_set_defaults) {
442 plugin_data *p = p_d;
443
444 config_values_t cv[] = {
445 { "vhostdb.ldap", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
446 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
447 };
448
449 p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
450
451 for (size_t i = 0; i < srv->config_context->used; ++i) {
452 data_config const *config = (data_config const*)srv->config_context->data[i];
453 plugin_config *s = calloc(1, sizeof(plugin_config));
454
455 s->options = array_init();
456 cv[0].destination = s->options;
457
458 p->config_storage[i] = s;
459
460 if (config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
461 return HANDLER_ERROR;
462 }
463
464 if (!array_is_kvstring(s->options)) {
465 log_error_write(srv, __FILE__, __LINE__, "s",
466 "unexpected value for vhostdb.ldap; expected list of \"option\" => \"value\"");
467 return HANDLER_ERROR;
468 }
469
470 if (s->options->used
471 && 0 != mod_vhostdb_dbconf_setup(srv, s->options, &s->vdata)) {
472 return HANDLER_ERROR;
473 }
474 }
475
476 return HANDLER_GO_ON;
477 }
478
479 #define PATCH(x) \
480 p->conf.x = s->x;
481 static void mod_vhostdb_patch_connection (server *srv, connection *con, plugin_data *p)
482 {
483 plugin_config *s = p->config_storage[0];
484 PATCH(vdata);
485
486 /* skip the first, the global context */
487 for (size_t i = 1; i < srv->config_context->used; ++i) {
488 data_config *dc = (data_config *)srv->config_context->data[i];
489 s = p->config_storage[i];
490
491 /* condition didn't match */
492 if (!config_check_cond(srv, con, dc)) continue;
493
494 /* merge config */
495 for (size_t j = 0; j < dc->value->used; ++j) {
496 data_unset *du = dc->value->data[j];
497
498 if (buffer_is_equal_string(du->key,CONST_STR_LEN("vhostdb.ldap"))) {
499 PATCH(vdata);
500 }
501 }
502 }
503 }
504 #undef PATCH
505
506 /* this function is called at dlopen() time and inits the callbacks */
507 int mod_vhostdb_ldap_plugin_init (plugin *p);
508 int mod_vhostdb_ldap_plugin_init (plugin *p)
509 {
510 p->version = LIGHTTPD_VERSION_ID;
511 p->name = buffer_init_string("vhostdb_ldap");
512
513 p->init = mod_vhostdb_init;
514 p->cleanup = mod_vhostdb_cleanup;
515 p->set_defaults = mod_vhostdb_set_defaults;
516
517 return 0;
518 }
A fast webserver with minimal memory-footprint (lighttpd)