aboutsummaryrefslogtreecommitdiff
path: root/src/ctl.c
diff options
context:
space:
mode:
authorSergey Poznyakoff <gray@gnu.org.ua>2015-12-16 14:58:07 +0200
committerSergey Poznyakoff <gray@gnu.org.ua>2015-12-16 14:58:07 +0200
commit6bb908898b833ec69c66e918de732af5bad68934 (patch)
treedd715a052f67849d38aedaa25eafa93241e938df /src/ctl.c
parent9cb7455b12462a3679ed5208540793d802570481 (diff)
downloadpies-6bb908898b833ec69c66e918de732af5bad68934.tar.gz
pies-6bb908898b833ec69c66e918de732af5bad68934.tar.bz2
Implement authentication on control socket.
* Makefile.am (SUBDIRS): Add src. * configure.ac: Check for crypt.h and PAM Build ident/Makefile * grecs: Update. * ident/Makefile.am: New file. * ident/ident.c: New file. * ident/ident.h: New file. * ident/identity.h: New file. * ident/pam.c: New file. * ident/provider.c: New file. * ident/system.c: New file. * lib/Makefile.am: Add arraymember.c * lib/arraymember.c: New file. * lib/libpies.h (is_array_member): New proto. * src/Makefile.am (LDADD): Add libident.a and @PAM_LIBS@ * src/acl.c (acl_entry): Remove groups. Add new members: names and name_match. (pies_acl_create): Deep copy the locus. Set free_entry function for the list. (pies_acl_free): Free locus. (_parse_from): Set free_entry function for the list. (_parse_group): Parse the "user" construct. (parse_acl_line): Deep copy the locus. Allow for null value. (acl_keywords): Update docstrings. (_acl_check): Rewrite identity checks. * src/acl.h (acl_input)<user,groups>: Remove. <identity>: New member. (pies_acl_free): New proto. * src/ctl.c (identity): New global. (cmdtab): New command: auth (ctlio) <addr,addrlen>: New members. (ctlio_create): Start from authenticated state only if no identity_providers are configured. (cmd_auth): New function. (cmd_help): Print only commands that are available in the current state. (ctl_accept): Initialize io->addr and io->addrlen. * src/inetd-bi.c: Change call to check_acl * src/pies.c: Include identity.h (control_keywords): New statement "identity-acl" (pies_keywords): New statement "identity-provider" (config_init): Register identity mechanisms. (config_parse): New function. (config_help): Print help on identity-provider statements. (main): Use config_parse to parse grecs-style configurations. * src/pies.h: Include identity.h (check_acl): Change argument list. All callers changed. (control): Remove acl. Add conn_acl and id_acl instead. * src/progman.c (check_acl): Change argument list. Take identity as the 3rd argument.
Diffstat (limited to 'src/ctl.c')
-rw-r--r--src/ctl.c68
1 files changed, 63 insertions, 5 deletions
diff --git a/src/ctl.c b/src/ctl.c
index f9f2d76..20c16e1 100644
--- a/src/ctl.c
+++ b/src/ctl.c
@@ -19,2 +19,3 @@
#include "xvasprintf.h"
+#include "identity.h"
@@ -24,2 +25,4 @@ struct control control;
+pies_identity_t identity;
+
@@ -109,2 +112,3 @@ struct ctlio;
+static void cmd_auth (struct ctlio *, size_t, char **);
static void cmd_quit (struct ctlio *, size_t, char **);
@@ -131,2 +135,4 @@ struct ctlio_command
static struct ctlio_command cmdtab[] = {
+ { "auth", "authenticate",
+ CTL_INITIAL_STATE, 3, 3, cmd_auth },
{ "noop", "no operation",
@@ -169,2 +175,4 @@ struct ctlio
{
+ union pies_sockaddr_storage addr;
+ socklen_t addrlen;
int state;
@@ -183,3 +191,4 @@ ctlio_create (void)
io = xmalloc (sizeof (*io));
- io->state = CTL_AUTHENTICATED_STATE; //FIXME CTL_INITIAL_STATE;
+ io->state = identity_provider_list
+ ? CTL_INITIAL_STATE : CTL_AUTHENTICATED_STATE;
io->action = ACTION_CONT;
@@ -310,3 +319,2 @@ ctlio_initial_reply (struct ctlio *io)
ctlio_printf (io, "220 %s", instance);
- ctlio_printf (io, " <%s>", "foobarbaz");
//FIXME: auth mechanisms
@@ -316,2 +324,47 @@ ctlio_initial_reply (struct ctlio *io)
static void
+cmd_auth (struct ctlio *io, size_t argc, char **argv)
+{
+ struct grecs_list_entry *ep;
+ pies_identity_t id = pies_identity_create (argv[1]);
+ int auth = 0;
+
+ for (ep = identity_provider_list->head; ep; ep = ep->next)
+ {
+ pies_identity_provider_t provider = ep->data;
+ char const *pname = pies_identity_provider_name (provider);
+
+ debug(1, ("trying %s...", pname));
+ if (pies_authenticate (provider, id, argv[2]) == 0)
+ {
+ if (check_acl (control.id_acl,
+ (struct sockaddr *)&io->addr, io->addrlen, id))
+ {
+ logmsg (LOG_AUTH, "%s authenticated via %s, but failed ACL check",
+ argv[1], pname);
+ auth = 0;
+ }
+ else
+ {
+ logmsg (LOG_AUTH, "%s authenticated via %s",
+ argv[1], pname);
+ auth = 1;
+ }
+ break;
+ }
+ }
+
+ if (auth)
+ {
+ ctlio_reply (io, "230", "authentication successful");
+ identity = id;
+ io->state = CTL_AUTHENTICATED_STATE;
+ }
+ else
+ {
+ pies_identity_destroy (id);
+ ctlio_reply (io, "531", "access denied");
+ }
+}
+
+static void
cmd_noop (struct ctlio *io, size_t argc, char **argv)
@@ -349,4 +402,7 @@ cmd_help (struct ctlio *io, size_t argc, char **argv)
{
- ctlio_printf (io, "%-9s%s", cp->verb, cp->descr);
- ctlio_eol (io);
+ if (cp->states & io->state)
+ {
+ ctlio_printf (io, "%-9s%s", cp->verb, cp->descr);
+ ctlio_eol (io);
+ }
}
@@ -1002,3 +1058,3 @@ ctl_accept (int socket, void *data)
- if (check_acl (control.acl, (struct sockaddr *)&addr, addrlen))
+ if (check_acl (control.conn_acl, (struct sockaddr *)&addr, addrlen, NULL))
{
@@ -1010,2 +1066,4 @@ ctl_accept (int socket, void *data)
io = ctlio_create ();
+ io->addr = addr;
+ io->addrlen = addrlen;
ctlio_initial_reply (io);

Return to:

Send suggestions and report system problems to the System administrator.