Merge pull request #26 from Castaglia/proxy-user-credentials

Support overriding backend server credentials
Castaglia · Aug 5, 2015 · 98bd30a · 98bd30a
2 parents b5292ef + 1339755
commit 98bd30a
Show file tree

Hide file tree

Showing 24 changed files with 1,698 additions and 284 deletions.
diff --git a/doc/NOTES.proxy-auth b/doc/NOTES.proxy-auth
diff --git a/doc/NOTES.tests b/doc/NOTES.tests
@@ -0,0 +1,9 @@
+
+Note that to run the API tests for mod_proxy, you must:
+
+  $ ./configure --enable-tests ...
+
+Then:
+
+  $ cd contrib/mod_proxy/t/
+  $ make api-tests
diff --git a/include/proxy/conn.h b/include/proxy/conn.h
@@ -31,6 +31,8 @@
 
 struct proxy_conn;
 
+void proxy_conn_clear_username(struct proxy_conn *pconn);
+void proxy_conn_clear_password(struct proxy_conn *pconn);
 int proxy_conn_connect_timeout_cb(CALLBACK_FRAME);
 struct proxy_conn *proxy_conn_create(pool *p, const char *uri);
 pr_netaddr_t *proxy_conn_get_addr(struct proxy_conn *, array_header **);
@@ -40,6 +42,8 @@ int proxy_conn_get_port(struct proxy_conn *pconn);
 conn_t *proxy_conn_get_server_conn(pool *p, struct proxy_session *proxy_sess,
   pr_netaddr_t *remote_addr);
 const char *proxy_conn_get_uri(struct proxy_conn *pconn);
+const char *proxy_conn_get_username(struct proxy_conn *pconn);
+const char *proxy_conn_get_password(struct proxy_conn *pconn);
 int proxy_conn_send_proxy(pool *p, conn_t *conn);
 
 #endif /* MOD_PROXY_CONN_H */
diff --git a/include/proxy/uri.h b/include/proxy/uri.h
@@ -28,6 +28,6 @@
 #define MOD_PROXY_URI_H
 
 int proxy_uri_parse(pool *p, const char *uri, char **scheme, char **host,
-  unsigned int *port);
+  unsigned int *port, char **username, char **password);
 
 #endif /* MOD_PROXY_URI_H */
diff --git a/lib/proxy/conn.c b/lib/proxy/conn.c
@@ -39,6 +39,13 @@ struct proxy_conn {
   const char *pconn_hostport;
   int pconn_port;
 
+  /* Note that these are deliberately NOT 'const', so that they can be
+   * scrubbed in the per-session memory space, once backend authentication
+   * has occurred.
+   */
+  char *pconn_username;
+  char *pconn_password;
+
   pr_netaddr_t *pconn_addr;
   array_header *pconn_addrs;
 };
@@ -92,12 +99,19 @@ int proxy_conn_connect_timeout_cb(CALLBACK_FRAME) {
 
 struct proxy_conn *proxy_conn_create(pool *p, const char *uri) {
   int res;
-  char hostport[512], *proto, *remote_host;
+  char hostport[512], *proto, *remote_host, *username = NULL, *password = NULL;
   unsigned int remote_port;
   struct proxy_conn *pconn;
   pool *pconn_pool;
 
-  res = proxy_uri_parse(p, uri, &proto, &remote_host, &remote_port);
+  if (p == NULL ||
+      uri == NULL) {
+    errno = EINVAL;
+    return NULL;
+  }
+
+  res = proxy_uri_parse(p, uri, &proto, &remote_host, &remote_port, &username,
+    &password);
   if (res < 0) {
     return NULL;
   }
@@ -122,6 +136,12 @@ struct proxy_conn *proxy_conn_create(pool *p, const char *uri) {
   pconn->pconn_hostport = pstrdup(pconn_pool, hostport);
   pconn->pconn_uri = pstrdup(pconn_pool, uri);
   pconn->pconn_proto = pstrdup(pconn_pool, proto);
+  if (username != NULL) {
+    pconn->pconn_username = pstrdup(pconn_pool, username);
+  }
+  if (password != NULL) {
+    pconn->pconn_password = pstrdup(pconn_pool, password);
+  }
 
   pconn->pconn_addr = pr_netaddr_get_addr(pconn_pool, remote_host,
     &(pconn->pconn_addrs));
@@ -186,6 +206,56 @@ int proxy_conn_get_port(struct proxy_conn *pconn) {
   return pconn->pconn_port;
 }
 
+void proxy_conn_clear_username(struct proxy_conn *pconn) {
+  size_t len;
+
+  if (pconn == NULL) {
+    return;
+  }
+
+  if (pconn->pconn_username == NULL) {
+    return;
+  }
+
+  len = strlen(pconn->pconn_username);
+  pr_memscrub(pconn->pconn_username, len);
+  pconn->pconn_username = NULL;
+}
+
+const char *proxy_conn_get_username(struct proxy_conn *pconn) {
+  if (pconn == NULL) {
+    errno = EINVAL;
+    return NULL;
+  }
+
+  return pconn->pconn_username;
+}
+
+void proxy_conn_clear_password(struct proxy_conn *pconn) {
+  size_t len;
+
+  if (pconn == NULL) {
+    return;
+  }
+
+  if (pconn->pconn_password == NULL) {
+    return;
+  }
+
+  len = strlen(pconn->pconn_password);
+  pr_memscrub(pconn->pconn_password, len);
+  pconn->pconn_password = NULL;
+}
+
+const char *proxy_conn_get_password(struct proxy_conn *pconn) {
+  if (pconn == NULL) {
+    errno = EINVAL;
+    return NULL;
+  }
+
+  return pconn->pconn_password;
+}
+
 conn_t *proxy_conn_get_server_conn(pool *p, struct proxy_session *proxy_sess,
     pr_netaddr_t *remote_addr) {
   pr_netaddr_t *bind_addr = NULL, *local_addr = NULL;

diff --git a/lib/proxy/db.c b/lib/proxy/db.c
@@ -38,6 +38,11 @@ int proxy_db_exec_stmt(pool *p, const char *stmt, const char **errstr) {
   char *ptr = NULL;
   unsigned int nretries = 0;
 
+  if (stmt == NULL) {
+    errno = EINVAL;
+    return -1;
+  }
+
   res = sqlite3_exec(proxy_dbh, stmt, NULL, NULL, &ptr);
   while (res != SQLITE_OK) {
     if (res == SQLITE_BUSY) {
@@ -357,7 +362,8 @@ array_header *proxy_db_exec_prepared_stmt(pool *p, const char *stmt,
 int proxy_db_open(pool *p, const char *table_path) {
   int res;
 
-  if (table_path == NULL) {
+  if (p == NULL ||
+      table_path == NULL) {
     errno = EINVAL;
     return -1;
   }
@@ -426,8 +432,8 @@ int proxy_db_open(pool *p, const char *table_path) {
     NULL);
   if (res != SQLITE_OK) {
     pr_trace_msg(trace_channel, 2,
-      "error setting MEMORY journal mode on SQLite database '%s': %s", table_path,
-      sqlite3_errmsg(proxy_dbh));
+      "error setting MEMORY journal mode on SQLite database '%s': %s",
+      table_path, sqlite3_errmsg(proxy_dbh));
   }
 
   prepared_stmts = pr_table_nalloc(db_pool, 0, 4);
@@ -479,18 +485,30 @@ int proxy_db_close(pool *p) {
 }
 
 int proxy_db_init(pool *p) {
+  const char *version;
+
+  if (p == NULL) {
+    errno = EINVAL;
+    return -1;
+  }
+
+  if (db_pool != NULL) {
+    return 0;
+  }
+
   /* Check that the SQLite headers used match the version of the SQLite
    * library used.
    *
    * For now, we only log if there is a difference.
    */
-  if (strcmp(sqlite3_libversion(), SQLITE_VERSION) != 0) {
+  version = sqlite3_libversion();
+  if (strcmp(version, SQLITE_VERSION) != 0) {
     (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
       "compiled using SQLite version '%s' headers, but linked to "
-      "SQLite version '%s' library", SQLITE_VERSION, sqlite3_libversion());
+      "SQLite version '%s' library", SQLITE_VERSION, version);
   }
 
-  pr_trace_msg(trace_channel, 9, "using SQLite %s", sqlite3_libversion());
+  pr_trace_msg(trace_channel, 9, "using SQLite %s", version);
 
   db_pool = make_sub_pool(p);
   pr_pool_tag(db_pool, "Proxy Database Pool");