author | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-12-16 14:58:07 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-12-16 14:58:07 +0200 |
commit | 6bb908898b833ec69c66e918de732af5bad68934 (patch) | |
tree | dd715a052f67849d38aedaa25eafa93241e938df /ident | |
parent | 9cb7455b12462a3679ed5208540793d802570481 (diff) | |
Implement authentication on control socket.
* Makefile.am (SUBDIRS): Add src.
* configure.ac: Check for crypt.h and PAM
Build ident/Makefile
* grecs: Update.
* ident/Makefile.am: New file.
* ident/ident.c: New file.
* ident/ident.h: New file.
* ident/identity.h: New file.
* ident/pam.c: New file.
* ident/provider.c: New file.
* ident/system.c: New file.
* lib/Makefile.am: Add arraymember.c
* lib/arraymember.c: New file.
* lib/libpies.h (is_array_member): New proto.
* src/Makefile.am (LDADD): Add libident.a and @PAM_LIBS@
* src/acl.c (acl_entry): Remove groups. Add new members:
names and name_match.
(pies_acl_create): Deep copy the locus.
Set free_entry function for the list.
(pies_acl_free): Free locus.
(_parse_from): Set free_entry function for the list.
(_parse_group): Parse the "user" construct.
(parse_acl_line): Deep copy the locus.
Allow for null value.
(acl_keywords): Update docstrings.
(_acl_check): Rewrite identity checks.
* src/acl.h (acl_input)<user,groups>: Remove.
<identity>: New member.
(pies_acl_free): New proto.
* src/ctl.c (identity): New global.
(cmdtab): New command: auth
(ctlio) <addr,addrlen>: New members.
(ctlio_create): Start from authenticated state
only if no identity_providers are configured.
(cmd_auth): New function.
(cmd_help): Print only commands that are available
in the current state.
(ctl_accept): Initialize io->addr and io->addrlen.
* src/inetd-bi.c: Change call to check_acl
* src/pies.c: Include identity.h
(control_keywords): New statement "identity-acl"
(pies_keywords): New statement "identity-provider"
(config_init): Register identity mechanisms.
(config_parse): New function.
(config_help): Print help on identity-provider
statements.
(main): Use config_parse to parse grecs-style configurations.
* src/pies.h: Include identity.h
(check_acl): Change argument list. All callers changed.
(control): Remove acl. Add conn_acl and id_acl instead.
* src/progman.c (check_acl): Change argument list. Take
identity as the 3rd argument.
Diffstat (limited to 'ident')
-rw-r--r-- | ident/Makefile.am | 35 | ||||
-rw-r--r-- | ident/ident.c | 74 | ||||
-rw-r--r-- | ident/ident.h | 51 | ||||
-rw-r--r-- | ident/identity.h | 39 | ||||
-rw-r--r-- | ident/pam.c | 230 | ||||
-rw-r--r-- | ident/provider.c | 161 | ||||
-rw-r--r-- | ident/system.c | 137 |
7 files changed, 727 insertions, 0 deletions
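diff --git a/ident/Makefile.am b/ident/Makefile.am
new file mode 100644
index 0000000..65ac145
--- /dev/null
+++ b/ident/Makefile.am
@@ -0,0 +1,35 @@
+# This file is part of GNU Pies.
+# Copyright (C) 2015 Sergey Poznyakoff
+#
+# GNU Pies is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+#
+# GNU Pies is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GNU Pies. If not, see <http://www.gnu.org/licenses/>. */
+
+noinst_LIBRARIES = libident.a
+noinst_HEADERS = ident.h identity.h
+
+libident_a_SOURCES = \
+provider.c\
+ident.c\
+system.c
+
+if PAM_COND
+libident_a_SOURCES += pam.c
+endif
+
+AM_CPPFLAGS=\
+-I$(top_srcdir)/lib\
+-I.\
+-I$(top_srcdir)/gnu\
+-I$(top_builddir)/gnu\
+@GRECS_INCLUDES@
+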
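diff --git a/ident/ident.c b/ident/ident.c
new file mode 100644
index 0000000..38ae1a8
--- /dev/null
+++ b/ident/ident.c
@@ -0,0 +1,74 @@
+/* This file is part of GNU Pies.
+Copyright (C) 2015 Sergey Poznyakoff
+
+GNU Pies is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3, or (at your option)
+any later version.
+
+GNU Pies is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Pies. If not, see <http://www.gnu.org/licenses/>. */
+
+#include "ident.h"
+
+pies_identity_t
+pies_identity_create (char const *user)
+{
+pies_identity_t id = xmalloc (sizeof (*id));
+id->provider = NULL;
+id->username = xstrdup (user);
+id->data = NULL;
+return id;
+}
+
+int
+pies_authenticate (pies_identity_provider_t pr, pies_identity_t id,
+char const *passwd)
+{
+if (!pr || !id)
+return -1;
+
+if (pr->mech->authenticate (pr, id, passwd) == 0)
+{
+id->provider = pr;
+return 0;
+}
+return 1;
+}
+
+int
+pies_identity_is_user (pies_identity_t id, char * const * users)
+{
+if (!id)
+return 0;
+return is_array_member (users, id->username);
+}
+
+int
+pies_identity_is_group_member (pies_identity_t id, char * const * groups)
+{
+pies_identity_provider_t provider;
+if (!id)
+return 0;
+provider = id->provider;
+if (!provider)
+return 0;
+return provider->mech->is_group_member (provider, id, groups);
+}
+
+void
+pies_identity_destroy (pies_identity_t id)
+{
+pies_identity_provider_t provider = id->provider;
+if (provider && provider->mech->destroy_identity)
+provider->mech->destroy_identity (provider, id);
+free (id);
+}
+
+
+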
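Review bot: `pies_identity_destroy` frees `id` but never the `username` copy that `pies_identity_create` made with `xstrdup`, and it reads `id->provider` in its first declaration without the `!id` guard the other functions in this file have. When authentication has failed, `id->provider` is still NULL, so no mechanism callback runs and the string is certainly leaked on that path. If an identity is created for every `auth` command on the control socket (the caller is outside this diff), repeated failed logins would steadily grow the supervisor's memory. I would return early on a null `id` before `id->provider` is read and add `free (id->username);` ahead of `free (id);`. If a mechanism's `destroy_identity` is meant to own that string instead, a comment should say so.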
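diff --git a/ident/ident.h b/ident/ident.h
new file mode 100644
index 0000000..313926c
--- /dev/null
+++ b/ident/ident.h
@@ -0,0 +1,51 @@
+/* This file is part of GNU Pies.
+Copyright (C) 2015 Sergey Poznyakoff
+
+GNU Pies is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3, or (at your option)
+any later version.
+
+GNU Pies is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Pies. If not, see <http://www.gnu.org/licenses/>. */
+
+#include <config.h>
+#include "xalloc.h"
+#include "libpies.h"
+#include "grecs.h"
+#include "identity.h"
+
+struct pies_identity
+{
+pies_identity_provider_t provider;
+char *username;
+void *data;
+};
+
+struct pies_identity_mechanism
+{
+char const *name;
+int (*authenticate) (pies_identity_provider_t p,
+pies_identity_t id, char const *passwd);
+int (*is_group_member) (pies_identity_provider_t p,
+pies_identity_t id, char * const * groups);
+void (*destroy_identity) (pies_identity_provider_t p,
+pies_identity_t id);
+int (*configure)(struct grecs_node *, pies_identity_provider_t);
+void (*confhelp) (void);
+};
+
+struct pies_identity_provider
+{
+char *name;
+pies_identity_mechanism_t mech;
+struct grecs_locus locus;
+void *data;
+};
+
+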
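Review bot: The `authenticate` member of `struct pies_identity_mechanism` has no comment stating its return contract, yet `pies_authenticate` in ident.c accepts the identity only when the callback returns exactly 0. A mechanism author who returns a boolean-style result would invert the access decision, so the convention belongs next to the pointer: `/* Return 0 if PASSWD is valid for ID, non-zero otherwise. */`. `is_group_member` needs the same treatment, since `pies_identity_is_group_member` passes its result straight back; non-zero presumably means "is a member", but the callers are outside this diff, so confirm before documenting it. It is also worth noting which callbacks may be NULL, because ident.c checks only `destroy_identity` before calling it.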
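diff --git a/ident/identity.h b/ident/identity.h
new file mode 100644
index 0000000..0ee129d
--- /dev/null
+++ b/ident/identity.h
@@ -0,0 +1,39 @@
+/* This file is part of GNU Pies.
+Copyright (C) 2015 Sergey Poznyakoff
+
+GNU Pies is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3, or (at your option)
+any later version.
+
+GNU Pies is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Pies. If not, see <http://www.gnu.org/licenses/>. */
+
+typedef struct pies_identity *pies_identity_t;
+typedef struct pies_identity_provider *pies_identity_provider_t;
+typedef struct pies_identity_mechanism *pies_identity_mechanism_t;
+
+pies_identity_t pies_identity_create (char const *user);
+void pies_identity_destroy (pies_identity_t id);
+
+int pies_authenticate (pies_identity_provider_t pr, pies_identity_t id,
+char const *passwd);
+int pies_identity_is_user (pies_identity_t id, char * const * users);
+int pies_identity_is_group_member (pies_identity_t id, char * const * groups);
+
+char const *pies_identity_provider_name (pies_identity_provider_t p);
+
+int pies_identity_mechanism_register (pies_identity_mechanism_t mech);
+void pies_config_identity_mechanisms_help (void);
+int pies_config_provider (struct grecs_node *node);
+
+extern struct pies_identity_mechanism system_identity_mechanism;
+#ifdef WITH_PAM
+extern struct pies_identity_mechanism pam_identity_mechanism;
+#endif
+extern struct grecs_list *identity_provider_list;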
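Review bot: This header has no include guard although, per the commit message, it is now pulled in by ident/ident.h and by src/pies.h and src/pies.c. A second inclusion repeats the three `typedef` lines at the top, which compilers older than C11 reject as a redefinition. Wrapping the file in `#ifndef PIES_IDENTITY_H` / `#define PIES_IDENTITY_H` / `#endif` avoids that (the macro name is only a suggestion). The prototype of `pies_authenticate` should also carry a comment that it returns 0 on success, 1 when the mechanism rejects the credentials and -1 on a null provider or identity, so callers test `== 0` rather than the sign of the result.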
diff --git a/ident/pam.c b/ident/pam.c new file mode 100644 index 0000000..ef32c4d --- /dev/null +++ b/ident/pam.c | |||
@@ -0,0 +1,230 @@ | |||
1 | /* This file is part of GNU Pies. | ||
2 | Copyright (C) 2015 Sergey Poznyakoff | ||
3 | |||
4 | GNU Pies is free software; you can redistribute it and/or modify | ||
5 | it under the terms of the GNU General Public License as published by | ||
6 | the Free Software Foundation; either version 3, or (at your option) | ||
7 | any later version. | ||
8 | |||
9 | GNU Pies is distributed in the hope that it will be useful, | ||
10 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
12 | GNU General Public License for more details. | ||
13 | |||
14 | You should have received a copy of the GNU General Public License | ||
15 | along with GNU Pies. If not, see <http://www.gnu.org/licenses/>. */ | ||
16 | |||
17 | #include "ident.h" | ||
18 | #include <grp.h> | ||
19 | #include <security/pam_appl.h> | ||
20 | |||
21 | struct pam_identi |