[MINOR] acl: add http_auth and http_auth_group

Add two acls to match http auth data:
 acl <name> http_auth(userlist)
 acl <name> http_auth_hroup(userlist) group1 group2 (...)

include/proto/acl.h

@@ -100,6 +100,12 @@ int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, v
  */
 struct acl *cond_find_require(const struct acl_cond *cond, unsigned int require);
 
+/*
+ * Find targets for userlist and groups in acl. Function returns the number
+ * of errors or OK if everything is fine.
+ */
+int acl_find_targets(struct proxy *p);
+
 /* Return a pointer to the ACL <name> within the list starting at <head>, or
  * NULL if not found.
  */
@@ -147,6 +153,9 @@ int acl_parse_range(const char **text, struct acl_pattern *pattern, int *opaque)
 /* Parse a string. It is allocated and duplicated. */
 int acl_parse_str(const char **text, struct acl_pattern *pattern, int *opaque);
 
+/* Parse and concatenate strings into one. It is allocated and duplicated. */
+int acl_parse_strcat(const char **text, struct acl_pattern *pattern, int *opaque);
+
 /* Parse a regex. It is allocated. */
 int acl_parse_reg(const char **text, struct acl_pattern *pattern, int *opaque);
 

include/types/acl.h

@@ -26,6 +26,7 @@
 #include <common/config.h>
 #include <common/mini-clist.h>
 
+#include <types/auth.h>
 #include <types/proxy.h>
 #include <types/session.h>
 
@@ -209,6 +210,7 @@ struct acl_pattern {
 			struct in_addr mask;
 		} ipv4;                         /* IPv4 address */
 		struct acl_time time;           /* valid hours and days */
+		unsigned int group_mask;
 	} val;                                  /* direct value */
 	union {
 		void *ptr;              /* any data */
@@ -291,6 +293,7 @@ struct acl_expr {
 	struct acl_keyword *kw;     /* back-reference to the keyword */
 	union {                     /* optional argument of the subject (eg: header or cookie name) */
 		char *str;
+		struct userlist *ul;
 	} arg;
 	int arg_len;                /* optional argument length */
 	struct list patterns;       /* list of acl_patterns */

include/types/proto_http.h

@@ -235,6 +235,13 @@ typedef enum {
 	HTTP_METH_OTHER,
 } http_meth_t;
 
+enum {
+	HTTP_AUTH_WRONG		= -1,		/* missing or unknown */
+	HTTP_AUTH_UNKNOWN	= 0,
+	HTTP_AUTH_BASIC,
+	HTTP_AUTH_DIGEST,
+};
+
 /* This is an HTTP message, as described in RFC2616. It can be either a request
  * message or a response message.
  *
@@ -285,6 +292,12 @@ struct http_msg {
 	char **cap;                            /* array of captured headers (may be NULL) */
 };
 
+struct http_auth_data {
+	int method;			/* one of HTTP_AUTH_* */
+	struct chunk method_data;	/* points to the creditial part from 'Authorization:' header */
+	char *user, *pass;		/* extracted username & password */
+};
+
 /* This is an HTTP transaction. It contains both a request message and a
  * response message (which can be empty).
  */
@@ -303,6 +316,7 @@ struct http_txn {
 	char *sessid;                   /* the appsession id, if found in the request or in the response */
 
 	struct chunk auth_hdr;          /* points to 'Authorization:' header */
+	struct http_auth_data auth;	/* HTTP auth data */
 };
 
 /* This structure is used by http_find_header() to return values of headers.

src/acl.c

@@ -19,6 +19,7 @@
 #include <common/standard.h>
 
 #include <proto/acl.h>
+#include <proto/auth.h>
 #include <proto/log.h>
 
 /* The capabilities of filtering hooks describe the type of information
@@ -332,6 +333,29 @@ int acl_parse_str(const char **text, struct acl_pattern *pattern, int *opaque)
 	return 1;
 }
 
+/* Parse and concatenate all further strings into one. */
+int
+acl_parse_strcat(const char **text, struct acl_pattern *pattern, int *opaque)
+{
+
+	int len = 0, i;
+	char *s;
+
+	for (i = 0; *text[i]; i++)
+		len += strlen(text[i])+1;
+
+	pattern->ptr.str = s = calloc(1, len);
+	if (!pattern->ptr.str)
+		return 0;
+
+	for (i = 0; *text[i]; i++)
+		s += sprintf(s, i?" %s":"%s", text[i]);
+
+	pattern->len = len;
+
+	return i;
+}
+
 /* Free data allocated by acl_parse_reg */
 static void acl_free_reg(void *ptr) {
 
@@ -627,7 +651,7 @@ static struct acl_expr *prune_acl_expr(struct acl_expr *expr)
 {
 	free_pattern_list(&expr->patterns);
 	LIST_INIT(&expr->patterns);
-	if (expr->arg.str)
+	if (expr->arg_len && expr->arg.str)
 		free(expr->arg.str);
 	expr->kw->use_cnt--;
 	return expr;
@@ -1169,6 +1193,74 @@ struct acl *cond_find_require(const struct acl_cond *cond, unsigned int require)
 	return NULL;
 }
 
+/*
+ * Find targets for userlist and groups in acl. Function returns the number
+ * of errors or OK if everything is fine.
+ */
+int
+acl_find_targets(struct proxy *p)
+{
+
+	struct acl *acl;
+	struct acl_expr *expr;
+	struct acl_pattern *pattern;
+	struct userlist *ul;
+	int cfgerr = 0;
+
+	list_for_each_entry(acl, &p->acl, list) {
+		list_for_each_entry(expr, &acl->expr, list) {
+			if (strstr(expr->kw->kw, "http_auth") == expr->kw->kw) {
+
+				if (!expr->arg.str || !*expr->arg.str) {
+					Alert("proxy %s: acl %s %s(): missing userlist name.\n",
+						p->id, acl->name, expr->kw->kw);
+					cfgerr++;
+					continue;
+				}
+
+				ul = auth_find_userlist(expr->arg.str);
+
+				if (!ul) {
+					Alert("proxy %s: acl %s %s(%s): unable to find userlist.\n",
+						p->id, acl->name, expr->kw->kw, expr->arg.str);
+					cfgerr++;
+					continue;
+				}
+
+				expr->arg_len = 0;
+				expr->arg.ul  = ul;
+			}
+
+
+			if (!strcmp(expr->kw->kw, "http_auth_group")) {
+
+				if (LIST_ISEMPTY(&expr->patterns)) {
+					Alert("proxy %s: acl %s %s(): no groups specified.\n",
+						p->id, acl->name, expr->kw->kw);
+					cfgerr++;
+					continue;
+				}
+
+				list_for_each_entry(pattern, &expr->patterns, list) {
+					pattern->val.group_mask = auth_resolve_groups(expr->arg.ul, pattern->ptr.str);
+
+					free(pattern->ptr.str);
+					pattern->ptr.str = NULL;
+					pattern->len = 0;
+
+					if (!pattern->val.group_mask) {
+						Alert("proxy %s: acl %s %s(): invalid group(s).\n",
+							p->id, acl->name, expr->kw->kw);
+						cfgerr++;
+						continue;
+					}
+				}
+			}
+		}
+	}
+
+	return cfgerr;
+}
 
 /************************************************************************/
 /*             All supported keywords must be declared here.            */

src/auth.c

@@ -239,3 +239,23 @@ check_user(struct userlist *ul, unsigned int group_mask, const char *user, const
 	else
 		return 0;
 }
+
+int
+acl_match_auth(struct acl_test *test, struct acl_pattern *pattern)
+{
+
+	struct userlist *ul = test->ctx.a[0];
+	char *user = test->ctx.a[1];
+	char *pass = test->ctx.a[2];
+	unsigned int group_mask;
+
+	if (pattern)
+		group_mask = pattern->val.group_mask;
+	else
+		group_mask = 0;
+
+	if (check_user(ul, group_mask, user, pass))
+		return ACL_PAT_PASS;
+	else
+		return ACL_PAT_FAIL;
+}

src/cfgparse.c

@@ -4691,6 +4691,8 @@ int check_config_validity()
 			}
 		}
 
+		cfgerr += acl_find_targets(curproxy);
+
 		if ((curproxy->mode == PR_MODE_TCP || curproxy->mode == PR_MODE_HTTP) &&
 		    (((curproxy->cap & PR_CAP_FE) && !curproxy->timeout.client) ||
 		     ((curproxy->cap & PR_CAP_BE) && (curproxy->srv) &&

src/proto_http.c

@@ -24,6 +24,7 @@
 #include <sys/types.h>
 
 #include <common/appsession.h>
+#include <common/base64.h>
 #include <common/compat.h>
 #include <common/config.h>
 #include <common/debug.h>
@@ -39,6 +40,7 @@
 #include <types/global.h>
 
 #include <proto/acl.h>
+#include <proto/auth.h>
 #include <proto/backend.h>
 #include <proto/buffers.h>
 #include <proto/checks.h>
@@ -1473,6 +1475,77 @@ const char *http_parse_reqline(struct http_msg *msg, const char *msg_buf,
 	return NULL;
 }
 
+/*
+ * Returns the data from Authorization header. Function may be called more
+ * than once so data is stored in txn->auth_data. When no header is found
+ * or auth method is unknown auth_method is set to HTTP_AUTH_WRONG to avoid
+ * searching again for something we are unable to find anyway.
+ */
+
+char get_http_auth_buff[BUFSIZE];
+
+int
+get_http_auth(struct session *s)
+{
+
+	struct http_txn *txn = &s->txn;
+	struct chunk auth_method;
+	struct hdr_ctx ctx;
+	char *h, *p;
+	int len;
+
+#ifdef DEBUG_AUTH
+	printf("Auth for session %p: %d\n", s, txn->auth.method);
+#endif
+
+	if (txn->auth.method == HTTP_AUTH_WRONG)
+		return 0;
+
+	if (txn->auth.method)
+		return 1;
+
+	txn->auth.method = HTTP_AUTH_WRONG;
+
+	ctx.idx = 0;
+	if (!http_find_header("Authorization", txn->req.sol, &txn->hdr_idx, &ctx))
+		return 0;
+
+	h = ctx.line + ctx.val;
+
+	p = memchr(h, ' ', ctx.vlen);
+	if (!p || p == h)
+		return 0;
+
+	chunk_initlen(&auth_method, h, 0, p-h);
+	chunk_initlen(&txn->auth.method_data, p+1, 0, ctx.vlen-(p-h)-1);
+
+	if (!strncasecmp("Basic", auth_method.str, auth_method.len)) {
+
+		len = base64dec(txn->auth.method_data.str, txn->auth.method_data.len,
+				get_http_auth_buff, BUFSIZE - 1);
+
+		if (len < 0)
+			return 0;
+
+
+		get_http_auth_buff[len] = '\0';
+
+		p = strchr(get_http_auth_buff, ':');
+
+		if (!p)
+			return 0;
+
+		txn->auth.user = get_http_auth_buff;
+		*p = '\0';
+		txn->auth.pass = p+1;
+
+		txn->auth.method = HTTP_AUTH_BASIC;
+		return 1;
+	}
+
+	return 0;
+}
+
 
 /*
  * This function parses an HTTP message, either a request or a response,
@@ -6480,6 +6553,8 @@ void http_init_txn(struct session *s)
 	txn->rsp.hdr_content_len = 0LL;
 	txn->req.msg_state = HTTP_MSG_RQBEFORE; /* at the very beginning of the request */
 	txn->rsp.msg_state = HTTP_MSG_RPBEFORE; /* at the very beginning of the response */
+
+	txn->auth.method = HTTP_AUTH_UNKNOWN;
 	chunk_reset(&txn->auth_hdr);
 
 	txn->req.err_pos = txn->rsp.err_pos = -2; /* block buggy requests/responses */
@@ -6506,6 +6581,7 @@ void http_end_txn(struct session *s)
 	pool_free2(pool2_capture, txn->cli_cookie);
 	pool_free2(pool2_capture, txn->srv_cookie);
 	pool_free2(apools.sessid, txn->sessid);
+
 	txn->sessid = NULL;
 	txn->uri = NULL;
 	txn->srv_cookie = NULL;
@@ -7172,6 +7248,25 @@ acl_fetch_proto_http(struct proxy *px, struct session *s, void *l7, int dir,
 	return 1;
 }
 
+static int
+acl_fetch_http_auth(struct proxy *px, struct session *s, void *l7, int dir,
+		    struct acl_expr *expr, struct acl_test *test)
+{
+
+	if (!s)
+		return 0;
+
+	if (!get_http_auth(s))
+		return 0;
+
+	test->ctx.a[0] = expr->arg.ul;
+	test->ctx.a[1] = s->txn.auth.user;
+	test->ctx.a[2] = s->txn.auth.pass;
+
+	test->flags |= ACL_TEST_F_READ_ONLY | ACL_TEST_F_NULL_MATCH;
+
+	return 1;
+}
 
 /************************************************************************/
 /*             All supported keywords must be declared here.            */
@@ -7227,8 +7322,6 @@ static struct acl_kw_list acl_kws = {{ },{
 	{ "path_dir",   acl_parse_str,   acl_fetch_path,   acl_match_dir, ACL_USE_L7REQ_VOLATILE },
 	{ "path_dom",   acl_parse_str,   acl_fetch_path,   acl_match_dom, ACL_USE_L7REQ_VOLATILE },
 
-	{ NULL, NULL, NULL, NULL },
-
 #if 0
 	{ "line",       acl_parse_str,   acl_fetch_line,   acl_match_str   },
 	{ "line_reg",   acl_parse_reg,   acl_fetch_line,   acl_match_reg   },
@@ -7246,13 +7339,11 @@ static struct acl_kw_list acl_kws = {{ },{
 	{ "cook_dir",   acl_parse_str,   acl_fetch_cook,   acl_match_dir   },
 	{ "cook_dom",   acl_parse_str,   acl_fetch_cook,   acl_match_dom   },
 	{ "cook_pst",   acl_parse_none,  acl_fetch_cook,   acl_match_pst   },
-
-	{ "auth_user",  acl_parse_str,   acl_fetch_user,   acl_match_str   },
-	{ "auth_regex", acl_parse_reg,   acl_fetch_user,   acl_match_reg   },
-	{ "auth_clear", acl_parse_str,   acl_fetch_auth,   acl_match_str   },
-	{ "auth_md5",   acl_parse_str,   acl_fetch_auth,   acl_match_md5   },
-	{ NULL, NULL, NULL, NULL },
 #endif
+
+	{ "http_auth",       acl_parse_nothing, acl_fetch_http_auth, acl_match_auth },
+	{ "http_auth_group", acl_parse_strcat,  acl_fetch_http_auth, acl_match_auth },
+	{ NULL, NULL, NULL, NULL },
 }};
 
 

src/session.c

@@ -830,6 +830,9 @@ struct task *process_session(struct task *t)
 	//DPRINTF(stderr, "%s:%d: cs=%d ss=%d(%d) rqf=0x%08x rpf=0x%08x\n", __FUNCTION__, __LINE__,
 	//        s->si[0].state, s->si[1].state, s->si[1].err_type, s->req->flags, s->rep->flags);
 
+	/* this data may be no longer valid, clear it */
+	memset(&s->txn.auth, 0, sizeof(s->txn.auth));
+
 	/* This flag must explicitly be set every time */
 	s->req->flags &= ~BF_READ_NOEXP;