crates/nonstick: src/handle.rs comparison

comparison src/handle.rs @ 103:dfcd96a74ac4 default tip

write a truly prodigious amount of documentation adds a bunch of links to the OpenPAM man pages and the XSSO spec as well as just a bunch of prose and stuff.

author	Paul Fisher <paul@pfish.zone>
date	Wed, 25 Jun 2025 00:59:24 -0400
parents	3f11b8d30f63
children

comparison

equal deleted inserted replaced

-:94eb11cb1798
+:dfcd96a74ac4
 use crate::constants::{Flags, Result};
 use crate::conv::Conversation;
 use crate::environ::{EnvironMap, EnvironMapMut};
 use crate::logging::Level;
+use crate::{_guide, _linklist, _man7, _manbsd, _stdlinks};
 macro_rules! trait_item {
 ($(#[$md:meta])* get = $getter:ident, item = $item:literal $(, see = $see:path)?) => {
 $(#[$md])*
 #[doc = ""]
 ///
 /// Returns a reference to the item's value, owned by PAM.
 /// The item is assumed to be valid UTF-8 text.
 /// If it is not, `ConversationError` is returned.
 ///
-/// See the [`pam_get_item`][man] manual page,
+/// # References
-/// [`pam_get_item` in the Module Writers' Guide][mwg], or
+///
-/// [`pam_get_item` in the Application Developers' Guide][adg].
+#[doc = _linklist!(pam_get_item: mwg, adg, _std)]
 ///
-/// [man]: https://www.man7.org/linux/man-pages/man3/pam_get_item.3.html
+#[doc = _guide!(adg: "adg-interface-by-app-expected.html#adg-pam_get_item")]
-/// [adg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/adg-interface-by-app-expected.html#adg-pam_get_item
+#[doc = _guide!(mwg: "mwg-expected-by-module-item.html#mwg-pam_get_item")]
-/// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-by-module-item.html#mwg-pam_get_item
+#[doc = _stdlinks!(3 pam_get_item)]
 fn $getter(&self) -> Result<Option<String>>;
 };
 ($(#[$md:meta])* set = $setter:ident, item = $item:literal $(, see = $see:path)?) => {
 $(#[$md])*
+#[doc = ""]
 #[doc = concat!("Sets the `", $item, "` from the PAM handle.")]
 $(
 #[doc = concat!("See [`", stringify!($see), "`].")]
 )?
 ///
 /// Sets the item's value. PAM copies the string's contents.
 /// If the string contains a null byte, this will return
 /// a `ConversationError`.
 ///
-/// See the [`pam_set_item`][man] manual page,
+/// # References
-/// [`pam_set_item` in the Module Writers' Guide][mwg], or
+///
-/// [`pam_set_item` in the Application Developers' Guide][adg].
+#[doc = _linklist!(pam_set_item: mwg, adg, _std)]
 ///
-/// [man]: https://www.man7.org/linux/man-pages/man3/pam_set_item.3.html
+#[doc = _guide!(adg: "adg-interface-by-app-expected.html#adg-pam_set_item")]
-/// [adg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/adg-interface-by-app-expected.html#adg-pam_set_item
+#[doc = _guide!(mwg: "mwg-expected-by-module-item.html#mwg-pam_set_item")]
-/// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-by-module-item.html#mwg-pam_set_item
+#[doc = _stdlinks!(3 pam_set_item)]
 fn $setter(&mut self, value: Option<&str>) -> Result<()>;
 };
 }
 /// Functionality for both PAM applications and PAM modules.
 /// to test PAM modules and applications.
 pub trait PamShared {
 /// Logs something via this PAM handle.
 ///
 /// You probably want to use one of the logging macros,
-/// like [`error!`], [`warning!`], [`info!`], or [`debug!`].
+/// like [`error!`](crate::error!),
+/// [`warn!`](crate::warn!),
+/// [`info!`](crate::info!),
+/// or [`debug!`](crate::debug!).
 ///
 /// In most PAM implementations, this will go to syslog.
+/// See [Linux-PAM's `pam_syslog`][man7] or
+/// [OpenPAM's `openpam_log`][manbsd] for more details.
 ///
 /// # Example
 ///
 /// ```no_run
 /// # use nonstick::{PamShared};
 /// nonstick::debug!(pam_hdl, "sending GET request to {url}");
 /// // But if you really want to, you can call this yourself:
 /// pam_hdl.log(Level::Warning, "this is unnecessarily verbose");
 /// # }
 /// ```
+#[doc = _man7!(3 pam_syslog)]
+#[doc = _manbsd!(3 openpam_log)]
 fn log(&self, level: Level, entry: &str);
 /// Retrieves the name of the user who is authenticating or logging in.
 ///
 /// If the username has previously been obtained, this uses that username;
 ///
 ///  1. The prompt string passed to this function.
 ///  2. The string returned by `get_user_prompt_item`.
 ///  3. The default prompt, `login: `.
 ///
-/// See the [`pam_get_user` manual page][man]
+/// # References
-/// or [`pam_get_user` in the Module Writer's Guide][mwg].
+#[doc = _linklist!(pam_get_user: mwg, _std)]
 ///
 /// # Example
 ///
 /// ```no_run
 /// # use nonstick::PamShared;
 /// // both user and user_2 would have the same value.
 /// let user_2 = handle.username(Some("who ARE you even???"))?;
 /// # Ok(())
 /// # }
 /// ```
-///
+#[doc = _stdlinks!(3 pam_get_user)]
-/// [man]: https://www.man7.org/linux/man-pages/man3/pam_get_user.3.html
+#[doc = _guide!(mwg: "mwg-expected-by-module-item.html#mwg-pam_get_user")]
-/// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-by-module-item.html#mwg-pam_get_user
 fn username(&mut self, prompt: Option<&str>) -> Result<String>;
 /// The contents of the environment to set, read-only.
 fn environ(&self) -> impl EnvironMap;
 /// to perform authentication.
 get = service,
 item = "PAM_SERVICE"
 );
 trait_item!(
-/// The service name, which identifies the PAM stack which is used
+/// Sets the service name. It's probably a bad idea to change this.
-/// to perform authentication. It's probably a bad idea to change this.
 set = set_service,
 item = "PAM_SERVICE",
 see = Self::service
 );
 trait_item!(
 /// If set, the identity of the remote user logging in.
 ///
 /// This is only as trustworthy as the application calling PAM.
-/// Also see [`remote_host`](Self::remote_host).
 get = remote_user,
-item = "PAM_RUSER"
+item = "PAM_RUSER",
+see = Self::remote_host
 );
 trait_item!(
 /// Sets the identity of the remote user logging in.
 ///
 /// This may be set by the application before making calls
 /// into a PAM transaction.
 set = set_remote_user,
-item = "PAM_RUSER"
+item = "PAM_RUSER",
+see = Self::remote_user
 );
 trait_item!(
 /// If set, the remote location where the user is coming from.
 ///
 /// with `remote_user@remote_host`.
 ///
 /// If unset, "it is unclear where the authentication request
 /// is originating from."
 get = remote_host,
-item = "PAM_RHOST"
+item = "PAM_RHOST",
+see = Self::remote_user
 );
 trait_item!(
 /// Sets the location where the user is coming from.
 ///
 /// This may be set by the application before making calls
 see = PamHandleModule::authtok_item
 );
 trait_item!(
 /// Sets the user's "old authentication token" when changing passwords.
-//
+///
 /// This is usually set automatically by PAM.
 set = set_old_authtok_item,
 item = "PAM_OLDAUTHTOK",
 see = PamHandleModule::old_authtok_item
 );
 ///
 /// Like [`PamShared`], this is intended to allow creating mock implementations
 /// of PAM for testing PAM applications.
 pub trait PamHandleApplication: PamShared {
 /// Starts the authentication process for the user.
+///
+/// The application calls this to find out who the user is, and verify that
+/// they are really that person. If authentication is successful,
+/// this will return an `Ok(())` [`Result`].
+///
+/// A PAM module may change the caller's [username](PamShared::username)
+/// as part of the login process, so be sure to check it after making
+/// any PAM application call.
+///
+/// # References
+#[doc = _linklist!(pam_authenticate: adg, _std)]
+///
+#[doc = _guide!(adg: "adg-interface-by-app-expected.html#adg-pam_authenticate")]
+#[doc = _stdlinks!(3 pam_authenticate)]
 fn authenticate(&mut self, flags: Flags) -> Result<()>;
-/// Does "account management".
+/// Verifies the validity of the user's account (and other stuff).
+///
+/// After [authentication](Self::authenticate), an application should call
+/// this to ensure that the user's account is still valid. This may check
+/// for token expiration or that the user's account is not locked.
+///
+/// # References
+#[doc = _linklist!(pam_acct_mgmt: adg, _std)]
+///
+#[doc = _guide!(adg: "adg-interface-by-app-expected.html#adg-pam_acct_mgmt")]
+#[doc = _stdlinks!(3 pam_acct_mgmt)]
 fn account_management(&mut self, flags: Flags) -> Result<()>;
 /// Changes the authentication token.
+///
+/// # References
+#[doc = _linklist!(pam_chauthtok: adg, _std)]
+///
+#[doc = _guide!(adg: "adg-interface-by-app-expected.html#adg-pam_chauthtok")]
+#[doc = _stdlinks!(3 pam_chauthtok)]
 fn change_authtok(&mut self, flags: Flags) -> Result<()>;
 }
 /// Functionality of a PAM handle that can be expected by a PAM module.
 ///
 /// of PAM for testing PAM modules.
 pub trait PamHandleModule: Conversation + PamShared {
 /// Retrieves the authentication token from the user.
 ///
 /// This should only be used by *authentication* and *password-change*
-/// PAM modules.
+/// PAM modules. This is an extension provided by
-///
+/// both Linux-PAM and OpenPAM.
-/// See the [`pam_get_authtok` manual page][man]
+///
-/// or [`pam_get_item` in the Module Writer's Guide][mwg].
+/// # References
+///
+#[doc = _linklist!(pam_get_authtok: man7, manbsd)]
 ///
 /// # Example
 ///
 /// ```no_run
 /// # use nonstick::handle::PamHandleModule;
 /// // Get the user's password using a custom prompt.
 /// let pass = handle.authtok(Some("Reveal your secrets!"))?;
 /// Ok(())
 /// # }
 /// ```
-///
+#[doc = _man7!(3 pam_get_authtok)]
-/// [man]: https://www.man7.org/linux/man-pages/man3/pam_get_authtok.3.html
+#[doc = _manbsd!(3 pam_get_authtok)]
-/// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-by-module-item.html#mwg-pam_get_item
 fn authtok(&mut self, prompt: Option<&str>) -> Result<String>;
 trait_item!(
 /// Gets the user's authentication token (e.g., password).
 ///

Mercurial > crates > nonstick

comparison src/handle.rs @ 103:dfcd96a74ac4 default tip