Mercurial > crates > nonstick

comparison pam-http/src/lib.rs @ 20:734ca62159fb

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Refactor exported endpoings into pam_hooks macro
author Anthony Nowell <anthony@algorithmia.com>
date Tue, 26 Sep 2017 01:51:39 -0600
parents d654aa0655e5
children 4263c1d83d5b
comparison
equal deleted inserted replaced
19:d654aa0655e5 20:734ca62159fb
1 extern crate pam; 1 #[macro_use] extern crate pam;
2 extern crate reqwest; 2 extern crate reqwest;
3 3
4 pub mod ffi; 4 use pam::module::PamHandle;
5 5 use pam::constants::{PamResultCode, PamFlag, PAM_PROMPT_ECHO_OFF};
6 use pam::module::{PamHandleT, get_item, get_user};
7 use pam::constants::{PamResultCode, PAM_PROMPT_ECHO_OFF};
8 use pam::conv::PamConv; 6 use pam::conv::PamConv;
7 use pam::hooks::PamHooks;
9 use std::collections::HashMap; 8 use std::collections::HashMap;
10 use std::time::Duration; 9 use std::time::Duration;
11 use reqwest::{Client, StatusCode}; 10 use reqwest::{Client, StatusCode};
11 use std::ffi::CStr;
12
12 13
13 macro_rules! pam_try { 14 macro_rules! pam_try {
14 ($e:expr) => ( 15 ($e:expr) => (
15 match $e { 16 match $e {
16 Ok(v) => v, 17 Ok(v) => v,
26 } 27 }
27 } 28 }
28 ); 29 );
29 } 30 }
30 31
31 // This function performs the task of authenticating the user. 32 struct PamHttp;
32 pub fn sm_authenticate(pamh: &PamHandleT, args: Vec<String>, silent: bool) -> PamResultCode { 33 pam_hooks!(PamHttp);
33 println!("Let's auth over HTTP");
34 34
35 let args: HashMap<&str, &str> = args.iter().map(|s| { 35 impl PamHooks for PamHttp {
36 let mut parts = s.splitn(2, "="); 36 // This function performs the task of authenticating the user.
37 (parts.next().unwrap(), parts.next().unwrap_or("")) 37 fn sm_authenticate(pamh: &PamHandle, args: Vec<&CStr>, _flags: PamFlag) -> PamResultCode {
38 }).collect(); 38 println!("Let's auth over HTTP");
39 39
40 let user = pam_try!(get_user(&pamh, None)); 40 let args: Vec<_> = args.iter().map(|s| s.to_string_lossy().to_owned() ).collect();
41 let args: HashMap<&str, &str> = args.iter().map(|s| {
42 let mut parts = s.splitn(2, "=");
43 (parts.next().unwrap(), parts.next().unwrap_or(""))
44 }).collect();
41 45
42 let url: &str = match args.get("url") { 46 let user = pam_try!(pamh.get_user(None));
43 Some(url) => url,
44 None => return PamResultCode::PAM_AUTH_ERR,
45 };
46 let ca_file = args.get("ca_file");
47 47
48 let conv = match get_item::<PamConv>(&pamh) { 48 let url: &str = match args.get("url") {
49 Ok(conv) => conv, 49 Some(url) => url,
50 Err(err) => { 50 None => return PamResultCode::PAM_AUTH_ERR,
51 println!("Couldn't get pam_conv"); 51 };
52 return err; 52 // let ca_file = args.get("ca_file");
53
54 let conv = match pamh.get_item::<PamConv>() {
55 Ok(conv) => conv,
56 Err(err) => {
57 println!("Couldn't get pam_conv");
58 return err;
59 }
60 };
61 let password = pam_try!(conv.send(PAM_PROMPT_ECHO_OFF, "Word, yo: "));
62 println!("Got a password {:?}", password);
63 let status = pam_try!(get_url(url, &user, password.as_ref().map(|p|&**p)), PamResultCode::PAM_AUTH_ERR);
64
65 if !status.is_success() {
66 println!("HTTP Error: {}", status);
67 return PamResultCode::PAM_AUTH_ERR;
53 } 68 }
54 };
55 let password = pam_try!(conv.send(PAM_PROMPT_ECHO_OFF, "Word, yo: "));
56 println!("Got a password {:?}", password);
57 let status = pam_try!(get_url(url, &user, password.as_ref().map(|p|&**p)), PamResultCode::PAM_AUTH_ERR);
58 69
59 if !status.is_success() { 70 PamResultCode::PAM_SUCCESS
60 println!("HTTP Error: {}", status);
61 return PamResultCode::PAM_AUTH_ERR;
62 } 71 }
63 72
64 PamResultCode::PAM_SUCCESS 73 fn sm_setcred(_pamh: &PamHandle, _args: Vec<&CStr>, _flags: PamFlag) -> PamResultCode {
74 println!("set credentials");
75 PamResultCode::PAM_SUCCESS
76 }
77
78 fn acct_mgmt(_pamh: &PamHandle, _args: Vec<&CStr>, _flags: PamFlag) -> PamResultCode {
79 println!("account management");
80 PamResultCode::PAM_SUCCESS
81 }
65 } 82 }
83
66 84
67 fn get_url(url: &str, user: &str, password: Option<&str>) -> reqwest::Result<StatusCode> { 85 fn get_url(url: &str, user: &str, password: Option<&str>) -> reqwest::Result<StatusCode> {
68 let client = Client::builder()?.timeout(Duration::from_secs(15)).build()?; 86 let client = Client::builder()?.timeout(Duration::from_secs(15)).build()?;
69 client.get(url)? 87 client.get(url)?
70 .basic_auth(user, password) 88 .basic_auth(user, password)
71 .send() 89 .send()
72 .map(|r| r.status()) 90 .map(|r| r.status())
73 } 91 }
74 92
75 // This function performs the task of altering the credentials of the user with respect to the
76 // corresponding authorization scheme. Generally, an authentication module may have access to more
77 // information about a user than their authentication token. This function is used to make such
78 // information available to the application. It should only be called after the user has been
79 // authenticated but before a session has been established.
80 pub fn sm_setcred(_pamh: &PamHandleT, _args: Vec<String>, _silent: bool) -> PamResultCode {
81 println!("set credentials");
82 PamResultCode::PAM_SUCCESS
83 }
84 93
85 // This function performs the task of establishing whether the user is permitted to gain access at
86 // this time. It should be understood that the user has previously been validated by an
87 // authentication module. This function checks for other things. Such things might be: the time of
88 // day or the date, the terminal line, remote hostname, etc. This function may also determine
89 // things like the expiration on passwords, and respond that the user change it before continuing.
90 pub fn acct_mgmt(_pamh: &PamHandleT, _args: Vec<String>, _silent: bool) -> PamResultCode {
91 println!("account management");
92 PamResultCode::PAM_SUCCESS
93 }