fallback to reuse client token to backend auth

odyssey-dev.conf

@@ -146,7 +146,7 @@ database "postgres2" {
 		authentication "clear_text"
 
 		storage "postgres_server"
-		storage_password "lolol"
+#		storage_password "lolol"
 		pool "session"
 		
                 ldap_pool_size 1
@@ -230,7 +230,7 @@ database "postgres" {
 		authentication "clear_text"
 
 		storage "postgres_server"
-		storage_password "1"
+#		storage_password "1"
 		pool "session"
 		pool_size 1
 

sources/auth.c

@@ -12,6 +12,7 @@
 static inline int od_auth_frontend_cleartext(od_client_t *client)
 {
 	od_instance_t *instance = client->global->instance;
+	od_route_t *route = client->route;
 
 	/* AuthenticationCleartextPassword */
 	machine_msg_t *msg;
@@ -58,6 +59,12 @@ static inline int od_auth_frontend_cleartext(od_client_t *client)
 		return -1;
 	}
 
+	if (route->rule->reuse_client_passwd) {
+		kiwi_password_copy(&client->received_password, &client_token);
+		od_debug(&instance->logger, "auth", client, NULL,
+			 "saved user password to perform backend auth");
+	}
+
 	od_extention_t *extentions = client->global->extentions;
 
 #ifdef LDAP_FOUND
@@ -709,13 +716,16 @@ static inline int od_auth_backend_cleartext(od_server_t *server,
 
 	if (client != NULL && client->password.password != NULL) {
 		password = client->password.password;
-		password_len = client->password.password_len - 1;
+		password_len = client->password.password_len - /* NULL */ 1;
 	} else if (route->rule->storage_password) {
 		password = route->rule->storage_password;
 		password_len = route->rule->storage_password_len;
 	} else if (route->rule->password) {
 		password = route->rule->password;
 		password_len = route->rule->password_len;
+	} else if (client->received_password.password != NULL) {
+		password = client->received_password.password;
+		password_len = client->received_password.password_len - 1;
 	} else {
 		od_error(&instance->logger, "auth", NULL, server,
 			 "password required for route '%s.%s'",
@@ -767,13 +777,16 @@ static inline int od_auth_backend_md5(od_server_t *server, char salt[4],
 	int password_len;
 	if (client != NULL && client->password.password != NULL) {
 		password = client->password.password;
-		password_len = client->password.password_len - 1;
+		password_len = client->password.password_len - /* NULL */ 1;
 	} else if (route->rule->storage_password) {
 		password = route->rule->storage_password;
 		password_len = route->rule->storage_password_len;
 	} else if (route->rule->password) {
 		password = route->rule->password;
 		password_len = route->rule->password_len;
+	} else if (client->received_password.password != NULL) {
+		password = client->received_password.password;
+		password_len = client->received_password.password_len - 1;
 	} else {
 		od_error(&instance->logger, "auth", NULL, server,
 			 "password required for route '%s.%s'",
@@ -834,7 +847,8 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client)
 		 "requested SASL authentication");
 
 	if (!route->rule->storage_password && !route->rule->password &&
-	    (client == NULL || client->password.password == NULL)) {
+	    (client == NULL || client->password.password == NULL) &&
+	    client->received_password.password == NULL) {
 		od_error(&instance->logger, "auth", NULL, server,
 			 "password required for route '%s.%s'",
 			 route->rule->db_name, route->rule->user_name);
@@ -862,6 +876,7 @@ static inline int od_auth_backend_sasl(od_server_t *server, od_client_t *client)
 
 	return 0;
 }
+
 static inline int od_auth_backend_sasl_continue(od_server_t *server,
 						char *auth_data,
 						size_t auth_data_size,
@@ -902,6 +917,8 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server,
 		password = route->rule->storage_password;
 	} else if (route->rule->password) {
 		password = route->rule->password;
+	} else if (client->received_password.password) {
+		password = client->received_password.password;
 	} else {
 		od_error(&instance->logger, "auth", NULL, server,
 			 "password required for route '%s.%s'",

sources/client.h

@@ -43,7 +43,10 @@ struct od_client {
 	kiwi_key_t key;
 	od_server_t *server;
 	void *route;
+	/* passwd from config rule */
 	kiwi_password_t password;
+	/* user - proveded passwd, fallback to use this when no other option is available*/
+	kiwi_password_t received_password;
 	od_global_t *global;
 	od_list_t link_pool;
 	od_list_t link;
@@ -70,6 +73,7 @@ static inline void od_client_init(od_client_t *client)
 	od_io_init(&client->io);
 	od_relay_init(&client->relay, &client->io);
 	kiwi_password_init(&client->password);
+	kiwi_password_init(&client->received_password);
 	od_list_init(&client->link_pool);
 	od_list_init(&client->link);
 }
@@ -90,6 +94,7 @@ static inline void od_client_free(od_client_t *client)
 	if (client->cond)
 		machine_cond_free(client->cond);
 	kiwi_password_free(&client->password);
+	kiwi_password_free(&client->received_password);
 	free(client);
 }
 

sources/rules.c

@@ -202,6 +202,8 @@ od_rule_t *od_rules_add(od_rules_t *rules)
 	rule->ldap_endpoint_name = NULL;
 	rule->ldap_endpoint = NULL;
 #endif
+	/* maybe some configuration here in future */
+	rule->reuse_client_passwd = 1;
 	od_list_init(&rule->auth_common_names);
 	od_list_init(&rule->link);
 	od_list_append(&rules->rules, &rule->link);

sources/rules.h

@@ -129,6 +129,7 @@ struct od_rule {
 	int client_max;
 	int log_debug;
 	int log_query;
+	int reuse_client_passwd;
 	double *quantiles;
 	int quantiles_count;
 	uint64_t server_lifetime_us;

third_party/kiwi/kiwi/password.h

@@ -20,6 +20,17 @@ static inline void kiwi_password_init(kiwi_password_t *pw)
 	pw->password_len = 0;
 }
 
+static inline void kiwi_password_copy(kiwi_password_t *dst_pw,
+				      const kiwi_password_t *src_pw)
+{
+	assert(dst_pw->password_len == 0);
+	assert(dst_pw->password == NULL);
+
+	dst_pw->password_len = src_pw->password_len;
+	dst_pw->password = (char *)malloc(sizeof(char) * src_pw->password_len);
+	strncpy(dst_pw->password, src_pw->password, src_pw->password_len);
+}
+
 static inline void kiwi_password_free(kiwi_password_t *pw)
 {
 	if (pw->password)