From c9f890a5545ae044d0ccfa14b08461302de2affd Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 11 May 2014 12:59:28 +0000
Subject: [PATCH] implement sharded services (client side)

---
 pam/auth_client.c | 6 +++++-
 pam/auth_client.h | 3 ++-
 pam/auth_client_test.cc | 10 +++++-----
 pam/pam_authclient.c | 5 ++++-
 4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/pam/auth_client.c b/pam/auth_client.c
index ff1617f..dab6226 100644
--- a/pam/auth_client.c
+++ b/pam/auth_client.c
@@ -192,7 +192,8 @@ int auth_client_authenticate(auth_client_t ac,
 const char *username,
 const char *password,
 const char *otp_token,
- const char *source_ip) {
+ const char *source_ip,
+ const char *shard) {
 struct curl_slist *headers = NULL;
 struct cbuf form;
 struct cbuf responsebuf;
@@ -212,6 +213,9 @@ int auth_client_authenticate(auth_client_t ac,
 if (source_ip) {
 post_field_add(&form, "source_ip", source_ip);
 }
+ if (shard) {
+ post_field_add(&form, "shard", shard);
+ }
 curl_easy_setopt(ac->c, CURLOPT_POSTFIELDS, form.buf);
 
 // Set request headers.
diff --git a/pam/auth_client.h b/pam/auth_client.h
index 8228bb0..a7bfa53 100644
--- a/pam/auth_client.h
+++ b/pam/auth_client.h
@@ -27,6 +27,7 @@ int auth_client_authenticate(auth_client_t ac,
 const char *username,
 const char *password,
 const char *otp_token,
- const char *source_ip);
+ const char *source_ip,
+ const char *shard);
 
 #endif
diff --git a/pam/auth_client_test.cc b/pam/auth_client_test.cc
index da49a47..b8251e4 100644
--- a/pam/auth_client_test.cc
+++ b/pam/auth_client_test.cc
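Review bot: The new `shard` parameter added to the `auth_client_authenticate` prototype in auth_client.h is undocumented, and the header is where callers learn its contract; the auth_client.c hunk (@@ -213) shows it is optional and only emitted as a `shard` POST field when non-NULL, mirroring `source_ip`. Suggested comment above the prototype: `/* shard: optional service shard identifier, sent as the "shard" POST field; pass NULL to omit it. */`. The same signature change in auth_client.c (@@ -192) needs no separate comment once the header carries it. Because the signature changed rather than a default being added, any caller not updated by this commit fails to compile, which is the safe outcome.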
@@ -54,7 +54,7 @@ TEST_F(AuthClientTest, AuthOK) { result = auth_client_set_certificate(ac, ssl_ca, ssl_cert, ssl_key); EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result); - result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1"); + result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", NULL); EXPECT_EQ(AC_OK, result) << "authenticate() error: " << auth_client_strerror(result) << ", server=" << server; } @@ -65,7 +65,7 @@ TEST_F(AuthClientTest, AuthFail) { result = auth_client_set_certificate(ac, ssl_ca, ssl_cert, ssl_key); EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result); - result = auth_client_authenticate(ac, "user", "bad_password", NULL, "127.0.0.1"); + result = auth_client_authenticate(ac, "user", "bad_password", NULL, "127.0.0.1", NULL); EXPECT_NE(AC_OK, result) << "authenticate() didn't fail" << ", server=" << server; } @@ -82,7 +82,7 @@ TEST_F(AuthClientTest, SSLFailsWithBadCertificate) { result = auth_client_set_certificate(ac, ssl_ca, ssl_ca, ssl_key); EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result); - result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1"); + result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", NULL); EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server; } @@ -93,7 +93,7 @@ TEST_F(AuthClientTest, SSLFailsWithBadCAClientSide) { result = auth_client_set_certificate(ac, ssl_bad_ca, ssl_cert, ssl_key); EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result); - result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1"); + result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", NULL); EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server; } 
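Review bot: Every updated call in these AuthClientTest hunks, and in @@ -104 that follows, passes `NULL` for the new `shard` argument, so the `if (shard)` branch that this commit adds to `auth_client_authenticate` is never exercised by the suite. A case that passes a constructed shard value, e.g. `result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", "shard1");`, and has the test server confirm it received a `shard` form field would cover the one behaviour being introduced. The fixture's server setup is outside these hunks, so how such an assertion would be wired is not visible here.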
@@ -104,7 +104,7 @@ TEST_F(AuthClientTest, SSLFailsWithBadCAServerSide) { result = auth_client_set_certificate(ac, ssl_ca, ssl_bad_cert, ssl_bad_key); EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result); - result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1"); + result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", NULL); EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server; } diff --git a/pam/pam_authclient.c b/pam/pam_authclient.c index 506eb02..27eca19 100644 --- a/pam/pam_authclient.c +++ b/pam/pam_authclient.c @@ -55,6 +55,7 @@ struct cfg { char *ssl_crt; char *ssl_key; char *ca_file; + char *shard; }; static void parse_cfg(int argc, const char **argv, struct cfg *cfg) { @@ -76,6 +77,8 @@ static void parse_cfg(int argc, const char **argv, struct cfg *cfg) { cfg->ssl_key = (char *)(argv[i] + 8); } else if (!strncmp(argv[i], "ca=", 3)) { cfg->ca_file = (char *)(argv[i] + 3); + } else if (!strncmp(argv[i], "shard=", 6)) { + cfg->shard = (char *)(argv[i] + 6); } } } @@ -155,7 +158,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, // Allow two authentication attempts in case we receive an // OTP_REQUIRED response from the server. for (i = 0; i < 2; i++) { - int ac_err = auth_client_authenticate(ac, username, password, otp_token, source_ip); + int ac_err = auth_client_authenticate(ac, username, password, otp_token, source_ip, cfg.shard); if (ac_err == AC_OK) { retval = PAM_SUCCESS; } else if (ac_err == AC_ERR_OTP_REQUIRED) { -- GitLab
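Review bot: In the `parse_cfg` hunk (@@ -77) `cfg->shard` is assigned only when a `shard=` argument is present; unless the caller zero-initialises `struct cfg` before calling `parse_cfg` (its declaration lives in `pam_sm_authenticate`, outside the hunks shown), the `cfg.shard` passed in hunk @@ -158 is indeterminate and the callee's `if (shard)` check would read garbage instead of skipping the field. If the existing pointer fields already rely on a `= {0}` initialiser at the call site this is safe as is; otherwise a one-line `cfg->shard = NULL;` at the top of `parse_cfg` makes the new field safe regardless of the caller. The bodies of `parse_cfg` and `pam_sm_authenticate` both extend beyond what is visible here. The shard string is taken from the module's argument list in the PAM configuration, i.e. administrator-controlled input, so no validation beyond what the other `key=` options receive seems called for.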