Implement authentication on control socket.

* Makefile.am (SUBDIRS): Add src.
* configure.ac: Check for crypt.h and PAM
Build ident/Makefile
* grecs: Update.

* ident/Makefile.am: New file.
* ident/ident.c: New file.
* ident/ident.h: New file.
* ident/identity.h: New file.
* ident/pam.c: New file.
* ident/provider.c: New file.
* ident/system.c: New file.

* lib/Makefile.am: Add arraymember.c
* lib/arraymember.c: New file.
* lib/libpies.h (is_array_member): New proto.

* src/Makefile.am (LDADD): Add libident.a and @PAM_LIBS@
* src/acl.c (acl_entry): Remove groups. Add new members:
names and name_match.
(pies_acl_create): Deep copy the locus.
Set free_entry function for the list.
(pies_acl_free): Free locus.
(_parse_from): Set free_entry function for the list.
(_parse_group): Parse the "user" construct.
(parse_acl_line): Deep copy the locus.
Allow for null value.
(acl_keywords): Update docstrings.
(_acl_check): Rewrite identity checks.
* src/acl.h (acl_input)<user,groups>: Remove.
<identity>: New member.
(pies_acl_free): New proto.
* src/ctl.c (identity): New global.
(cmdtab): New command: auth
(ctlio) <addr,addrlen>: New members.
(ctlio_create): Start from authenticated state
only if no identity_providers are configured.
(cmd_auth): New function.
(cmd_help): Print only commands that are available
in the current state.
(ctl_accept): Initialize io->addr and io->addrlen.
* src/inetd-bi.c: Change call to check_acl
* src/pies.c: Include identity.h
(control_keywords): New statement "identity-acl"
(pies_keywords): New statement "identity-provider"
(config_init): Register identity mechanisms.
(config_parse): New function.
(config_help): Print help on identity-provider
statements.
(main): Use config_parse to parse grecs-style configurations.
* src/pies.h: Include identity.h
(check_acl): Change argument list.  All callers changed.
(control): Remove acl. Add conn_acl and id_acl instead.
* src/progman.c (check_acl): Change argument list.  Take
identity as the 3rd argument.

21 files changed, 1053 insertions, 78 deletions

diff --git a/Makefile.am b/Makefile.am
index 63fdb48..0358e8c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -16,7 +16,7 @@
 
 ACLOCAL_AMFLAGS = -I m4 -I am -I grecs/am -I imprimatur
 
-SUBDIRS=gnu grecs lib src imprimatur doc po 
+SUBDIRS=gnu grecs lib ident src imprimatur doc po 
 
 dist-hook:
         @PATCHLEV=`echo "$(PACKAGE_VERSION)" | \
diff --git a/configure.ac b/configure.ac
index 92ffbbd..8fb1eac 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 # This file is part of GNU Pies.  -*- autoconf -*-
-# Copyright (C) 2009-2014 Sergey Poznyakoff
+# Copyright (C) 2009-2015 Sergey Poznyakoff
 #
 # GNU Pies is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -33,9 +33,12 @@ AC_PROG_YACC
 AC_PROG_LEX
 
 # Checks for libraries.
+AC_CHECK_LIB(crypt, crypt)
 
 # Checks for header files.
-AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdint.h stdlib.h string.h sys/socket.h sys/time.h syslog.h unistd.h utmp.h utmpx.h])
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdint.h stdlib.h\
+ string.h sys/socket.h sys/time.h syslog.h unistd.h utmp.h utmpx.h\
+ crypt.h shadow.h])
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_TYPE_UID_T
@@ -80,6 +83,41 @@ AM_ICONV
 AM_GNU_GETTEXT([external], [need-formatstring-macros])
 AM_GNU_GETTEXT_VERSION([0.18])
 
+# PAM
+status_pam=maybe
+AC_ARG_ENABLE([pam],
+              AC_HELP_STRING([--enable-pam],
+                             [enable PAM]),
+              [
+case "${enableval}" in
+  yes) status_pam=yes ;;
+  no)  status_pam=no ;;
+  *)   AC_MSG_ERROR([bad value ${enableval} for --enable-pam]) ;;
+esac],[status_pam=maybe])
+
+AC_SUBST(PAM_LIBS,-lpam)
+if test "$status_pam" != "no"; then
+  pam=$status_pam
+  AC_CHECK_HEADERS(security/pam_appl.h)
+  if test "$ac_cv_header_security_pam_appl_h" = "yes"; then
+    AC_CHECK_LIB(dl, dlopen, [PAM_LIBS="$PAM_LIBS -ldl"])
+    AC_CHECK_LIB(pam, pam_start,
+                 [status_pam=yes],
+                 [status_pam=no], $PAM_LIBS)
+  else
+    status_pam=no
+  fi
+  if test $pam = yes && test $pam != $status_pam; then
+      AC_MSG_ERROR([required module PAM cannot be built because of missing prerequisites])
+  fi
+fi
+
+AM_CONDITIONAL([PAM_COND], [test $status_pam = yes])
+if test $status_pam = yes; then
+    AC_DEFINE_UNQUOTED(WITH_PAM, 1, [PAM support enabled])
+fi    
+
+# Build inetd
 AC_ARG_ENABLE([inetd],
               AC_HELP_STRING([--enable-inetd],
                              [build and install a replacement for SBINDIR/inetd]),
@@ -100,6 +138,7 @@ AC_CONFIG_FILES([Makefile
                  gnu/Makefile
                  lib/Makefile
                  src/Makefile
+                 ident/Makefile
                  doc/Makefile
                  po/Makefile.in])
 AC_OUTPUT
diff --git a/grecs b/grecs
-Subproject e71c1a855797de245105494a05623753e32844a
+Subproject 9e978b089268e6bfc4b8fcdf9ef721f6fa92c11
diff --git a/ident/Makefile.am b/ident/Makefile.am
new file mode 100644
index 0000000..65ac145
--- /dev/null
+++ b/ident/Makefile.am
@@ -0,0 +1,35 @@
+# This file is part of GNU Pies.
+# Copyright (C) 2015 Sergey Poznyakoff
+#
+# GNU Pies is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+#
+# GNU Pies is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GNU Pies.  If not, see <http://www.gnu.org/licenses/>. */
+
+noinst_LIBRARIES = libident.a
+noinst_HEADERS = ident.h identity.h
+
+libident_a_SOURCES = \
+ provider.c\
+ ident.c\
+ system.c
+
+if PAM_COND
+  libident_a_SOURCES += pam.c
+endif
+
+AM_CPPFLAGS=\
+ -I$(top_srcdir)/lib\
+ -I.\
+ -I$(top_srcdir)/gnu\
+ -I$(top_builddir)/gnu\
+ @GRECS_INCLUDES@ 
+
diff --git a/ident/ident.c b/ident/ident.c
new file mode 100644
index 0000000..38ae1a8
--- /dev/null
+++ b/ident/ident.c
@@ -0,0 +1,74 @@
+/* This file is part of GNU Pies.
+   Copyright (C) 2015 Sergey Poznyakoff
+
+   GNU Pies is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3, or (at your option)
+   any later version.
+
+   GNU Pies is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with GNU Pies.  If not, see <http://www.gnu.org/licenses/>. */
+
+#include "ident.h"
+
+pies_identity_t
+pies_identity_create (char const *user)
+{
+  pies_identity_t id = xmalloc (sizeof (*id));
+  id->provider = NULL;
+  id->username = xstrdup (user);
+  id->data = NULL;
+  return id;
+}
+    
+int
+pies_authenticate (pies_identity_provider_t pr, pies_identity_t id,
+                   char const *passwd)
+{
+  if (!pr || !id)
+    return -1;
+
+  if (pr->mech->authenticate (pr, id, passwd) == 0)
+    {
+      id->provider = pr;
+      return 0;
+    }
+  return 1;
+}
+
+int
+pies_identity_is_user (pies_identity_t id, char * const * users)
+{
+  if (!id)
+    return 0;
+  return is_array_member (users, id->username);
+}
+
+int
+pies_identity_is_group_member (pies_identity_t id, char * const * groups)
+{
+  pies_identity_provider_t provider;
+  if (!id)
+    return 0;
+  provider = id->provider;
+  if (!provider)
+    return 0;
+  return provider->mech->is_group_member (provider, id, groups);
+}
+
+void
+pies_identity_destroy (pies_identity_t id)
+{
+  pies_identity_provider_t provider = id->provider;
+  if (provider && provider->mech->destroy_identity)
+    provider->mech->destroy_identity (provider, id);
+  free (id);
+}
+