/*
* simple_auth.c : Simple SASL-based authentication, used in case
* Cyrus SASL isn't available.
*
* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*/
#include "svn_private_config.h"
#define APR_WANT_STRFUNC
#include <apr_want.h>
#include <apr_general.h>
#include <apr_strings.h>
#include "svn_types.h"
#include "svn_string.h"
#include "svn_error.h"
#include "svn_ra.h"
#include "svn_ra_svn.h"
#include "ra_svn.h"
svn_boolean_t svn_ra_svn__find_mech(const apr_array_header_t *mechlist,
const char *mech)
{
int i;
svn_ra_svn_item_t *elt;
for (i = 0; i < mechlist->nelts; i++)
{
elt = &APR_ARRAY_IDX(mechlist, i, svn_ra_svn_item_t);
if (elt->kind == SVN_RA_SVN_WORD && strcmp(elt->u.word, mech) == 0)
return TRUE;
}
return FALSE;
}
/* Read the "success" response to ANONYMOUS or EXTERNAL authentication. */
static svn_error_t *read_success(svn_ra_svn_conn_t *conn, apr_pool_t *pool)
{
const char *status, *arg;
SVN_ERR(svn_ra_svn_read_tuple(conn, pool, "w(?c)", &status, &arg));
if (strcmp(status, "failure") == 0 && arg)
return svn_error_createf(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
_("Authentication error from server: %s"), arg);
else if (strcmp(status, "success") != 0 || arg)
return svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
_("Unexpected server response to authentication"));
return SVN_NO_ERROR;
}
svn_error_t *
svn_ra_svn__do_internal_auth(svn_ra_svn__session_baton_t *sess,
const apr_array_header_t *mechlist,
const char *realm, apr_pool_t *pool)
{
svn_ra_svn_conn_t *conn = sess->conn;
const char *realmstring, *user, *password, *msg;
svn_auth_iterstate_t *iterstate;
void *creds;
realmstring = apr_psprintf(pool, "%s %s", sess->realm_prefix, realm);
if (sess->is_tunneled && svn_ra_svn__find_mech(mechlist, "EXTERNAL"))
{
/* Ask the server to use the tunnel connection environment (on
* Unix, that means uid) to determine the authentication name. */
SVN_ERR(svn_ra_svn__auth_response(conn, pool, "EXTERNAL", ""));
return read_success(conn, pool);
}
else if (svn_ra_svn__find_mech(mechlist, "ANONYMOUS"))
{
SVN_ERR(svn_ra_svn__auth_response(conn, pool, "ANONYMOUS", ""));
return read_success(conn, pool);
}
else if (svn_ra_svn__find_mech(mechlist, "CRAM-MD5"))
{
SVN_ERR(svn_auth_first_credentials(&creds, &iterstate,
SVN_AUTH_CRED_SIMPLE, realmstring,
sess->callbacks->auth_baton, pool));
if (!creds)
return svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
_("Can't get password"));
while (creds)
{
user = ((svn_auth_cred_simple_t *) creds)->username;
password = ((svn_auth_cred_simple_t *) creds)->password;
SVN_ERR(svn_ra_svn__auth_response(conn, pool, "CRAM-MD5", NULL));
SVN_ERR(svn_ra_svn__cram_client(conn, pool, user, password, &msg));
if (!msg)
break;
SVN_ERR(svn_auth_next_credentials(&creds, iterstate, pool));
}
if (!creds)
return svn_error_createf(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
_("Authentication error from server: %s"),
msg);
SVN_ERR(svn_auth_save_credentials(iterstate, pool));
return SVN_NO_ERROR;
}
else
return svn_error_create(SVN_ERR_RA_SVN_NO_MECHANISMS, NULL, NULL);
}