Bug#689227: cyrus-sasl2: ability to test by client remote address in sql auxprop plugin
Andreas Hrubak
yazzy.reg at citromail.hu
Sun Sep 30 14:53:32 UTC 2012
Package: cyrus-sasl2
Version: 2.1.25
Severity: wishlist
Dear libsasl2 maintainer team,
here is a small patch for the sql auxprop plugin. With it, the SASL authentication result can
depend on the client's IP address.
E.g. I configured Subversion with SASL support, authenticating users with this SQL
query:
SELECT password FROM svn_user, svn_repo, svn_ref WHERE username='%u' AND
realm='%r' AND svn_user.uid=svn_ref.uid AND svn_repo.rid=svn_ref.rid AND '%a'
LIKE '10.0.0.%'
The '%a' macro is replaced by the remote IP + port supplied by svnserve.
--- a/plugins/sql.c 2009-12-03 20:07:02.000000000 +0100
+++ b/plugins/sql.c 2012-09-30 16:11:21.000000000 +0200
@@ -642,6 +642,7 @@
** %p = prop
** %r = realm
** %v = value of prop
+** %a = remote IP address;port
** e.g select %p from auth where user = %u and domain = %r;
** Note: calling function must free memory.
**
@@ -650,12 +651,13 @@
static char *sql_create_statement(const char *statement, const char *prop,
const char *user, const char *realm,
const char *value,
+ const char *remoteaddrport,
const sasl_utils_t *utils)
{
const char *ptr, *line_ptr;
char *buf, *buf_ptr;
int filtersize;
- int ulen, plen, rlen, vlen;
+ int ulen, plen, rlen, vlen , alen ;
int numpercents=0;
int biggest;
size_t i;
@@ -665,6 +667,7 @@
rlen = (int)strlen(realm);
plen = (int)strlen(prop);
vlen = (int)sql_len(value);
+ alen = (int)sql_len(remoteaddrport);
/* what if we have multiple %foo occurrences in the input query? */
for (i = 0; i < strlen(statement); i++) {
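Review bot: `alen` is computed here, but no hunk in this patch adds it to the output-buffer sizing, which lies outside the visible lines. If that sizing still uses the largest of `ulen`, `rlen`, `plen` and `vlen` per `%` occurrence, as the `biggest` and `numpercents` locals suggest, an address;port string longer than all four lets the `memcpy(buf_ptr, remoteaddrport, alen)` in the `case 'a':` hunk write past the end of `buf`. A typical `a.b.c.d;port` value is easily longer than a short user name, realm and property name, so this is a realistic heap overflow. Fold the new length in where `biggest` is computed, e.g. `if (alen > biggest) biggest = alen;`, before `filtersize` is derived from it.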
@@ -701,6 +704,10 @@
buf_ptr[0] = '%';
buf_ptr++;
break;
+ case 'a':
+ memcpy(buf_ptr, remoteaddrport, alen);
+ buf_ptr += alen;
+ break;
case 'u':
memcpy(buf_ptr, user, ulen);
buf_ptr += ulen;
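Review bot: The new `case 'a':` calls `memcpy` with `remoteaddrport` even when it is NULL, which the store-path call sites in this patch pass explicitly. Presumably `sql_len` returns 0 for NULL, but a null source pointer to `memcpy` is undefined behaviour even with a zero length. A guard keeps the branch well defined: `if (remoteaddrport != NULL) { memcpy(buf_ptr, remoteaddrport, alen); buf_ptr += alen; }`. The enclosing `switch` starts and ends outside this hunk.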
@@ -905,6 +912,7 @@
char *query = NULL;
char *escap_userid = NULL;
char *escap_realm = NULL;
+ char *remoteaddrport = NULL;
sql_settings_t *settings;
int verify_against_hashed_password;
int saw_user_password = 0;
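Review bot: The new local is declared `char *` but is only ever read, and a later hunk assigns it from `sparams->ipremoteport`, which the SASL plugin header declares as `const char *`. That assignment silently drops the qualifier and will warn under `-Wdiscarded-qualifiers`. Declare it as `const char *remoteaddrport = NULL;`, which also matches the `const char *remoteaddrport` parameter added to `sql_create_statement`. The enclosing function starts outside this hunk.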
@@ -954,6 +962,8 @@
goto done;
}
+ remoteaddrport = sparams->ipremoteport;
+
/*************************************/
/* find out what we need to get */
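Review bot: `remoteaddrport` is taken straight from `sparams->ipremoteport` and later substituted into the SQL text unescaped, whereas the user id and realm only reach `sql_create_statement` in their escaped forms (`escap_userid`, `escap_realm`). The string is supplied by the embedding application, so whether it can ever carry a quote or other SQL metacharacter depends on how each application builds it; the plugin should not rely on that. Either run it through the same engine escaping step as the other two values, or reject anything outside the characters an address;port literal can contain before it is used. A comment such as `/* %a comes from the application (sparams->ipremoteport); escaped like %u and %r before substitution */` would record the trust assumption. It may also be NULL when the application never set a remote address, in which case `%a` expands to an empty string.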
@@ -1027,8 +1037,9 @@
/* create a statement that we will use */
query = sql_create_statement(settings->sql_select,
- realname,escap_userid,
+ realname, escap_userid,
escap_realm, NULL,
+ remoteaddrport,
sparams->utils);
if (query == NULL) {
ret = SASL_NOMEM;
@@ -1084,6 +1095,7 @@
escap_userid,
escap_realm,
NULL,
+ remoteaddrport,
sparams->utils);
if (query == NULL) {
ret = SASL_NOMEM;
@@ -1226,6 +1238,7 @@
statement = sql_create_statement(settings->sql_select,
SQL_WILDCARD, escap_userid,
escap_realm, NULL,
+ NULL,
sparams->utils);
if (!settings->sql_engine->sql_exec(conn, statement, NULL, 0, NULL,
sparams->utils)) {
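Review bot: This store-path call expands `settings->sql_select` with `NULL` for the new argument, so a `sql_select` that filters on `%a` (as in the example in the description) is evaluated here with an empty address. That probe can then report no matching row for a user who does exist, and whatever follows the `sql_exec` check outside this hunk would take the wrong branch. `sparams` is in scope at this call, so passing `sparams->ipremoteport` instead of `NULL` would keep the two paths consistent. Otherwise the `%a` comment on `sql_create_statement` should state that the macro is empty in store operations.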
@@ -1242,6 +1255,7 @@
escap_realm,
cur->values && cur->values[0] ?
cur->values[0] : SQL_NULL_VALUE,
+ NULL,
sparams->utils);
{
@@ -1251,6 +1265,7 @@
escap_realm,
cur->values && cur->values[0] ?
"<omitted>" : SQL_NULL_VALUE,
+ NULL,
sparams->utils);
sparams->utils->log(NULL, SASL_LOG_DEBUG,
"sql plugin doing statement %s\n",
--
Sincerely,
Andreas
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.4.0tuxy (SMP w/1 CPU core)
Locale: LANG=hu_HU.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash