mirror of
https://github.com/falk-werner/webfuse
synced 2024-10-27 20:34:10 +00:00
use stdin to provide authentication token to authenticator rather than command line option
This commit is contained in:
parent
1cbdfac3cc
commit
6f1841e610
doc
example
src/webfuse/util
@ -19,12 +19,7 @@ operation, the credentials are queried via `getcreds`request.
|
||||
## Authenticator
|
||||
|
||||
An authenticator is an executable or script used for token-based
|
||||
authentication. During HTTP handshake, webfuse will scan for the
|
||||
configured HTTP header and invoke the authenticator.
|
||||
|
||||
authenticator TOKEN
|
||||
|
||||
The provided `token` contains the contents of the HTTP header.
|
||||
authentication. Credentials are passed to the authenticator via `stdin`.
|
||||
|
||||
## Header restrictions
|
||||
|
||||
|
@ -133,54 +133,47 @@ bool authenticate(std::string const & username, std::string const & password)
|
||||
int main(int argc, char* argv[])
|
||||
{
|
||||
int exit_code = EXIT_FAILURE;
|
||||
bool print_usage = true;
|
||||
|
||||
if (argc == 2)
|
||||
if (argc == 1)
|
||||
{
|
||||
std::string const token = argv[1];
|
||||
if (("-h" != token) && ("--help" != token))
|
||||
std::string token;
|
||||
std::getline(std::cin, token);
|
||||
|
||||
openlog("webfuse_pam_auth", 0, LOG_AUTH);
|
||||
|
||||
std::string username;
|
||||
std::string password;
|
||||
auto const decode_valid = decode(token, username, password);
|
||||
if (decode_valid)
|
||||
{
|
||||
print_usage = false;
|
||||
|
||||
openlog("webfuse_pam_auth", 0, LOG_AUTH);
|
||||
|
||||
std::string username;
|
||||
std::string password;
|
||||
auto const decode_valid = decode(token, username, password);
|
||||
if (decode_valid)
|
||||
auto const is_authenticated = authenticate(username, password);
|
||||
if (is_authenticated)
|
||||
{
|
||||
auto const is_authenticated = authenticate(username, password);
|
||||
if (is_authenticated)
|
||||
{
|
||||
syslog(LOG_AUTH, "authenticate user \"%s\"", username.c_str());
|
||||
exit_code = EXIT_SUCCESS;
|
||||
}
|
||||
else
|
||||
{
|
||||
syslog(LOG_AUTH, "failed to authenticate user \"%s\"", username.c_str());
|
||||
}
|
||||
syslog(LOG_AUTH, "authenticate user \"%s\"", username.c_str());
|
||||
exit_code = EXIT_SUCCESS;
|
||||
}
|
||||
else
|
||||
{
|
||||
syslog(LOG_AUTH, "failed to decode authentication token");
|
||||
syslog(LOG_AUTH, "failed to authenticate user \"%s\"", username.c_str());
|
||||
}
|
||||
|
||||
closelog();
|
||||
}
|
||||
|
||||
closelog();
|
||||
}
|
||||
|
||||
|
||||
if (print_usage)
|
||||
else
|
||||
{
|
||||
std::cout << R"(webfuse_pam_authenticator, (c) 2023 Falk Werner
|
||||
webfuse PAM authenticator
|
||||
|
||||
Usage:
|
||||
webfuse_pam_authenticator <token>
|
||||
webfuse_pam_authenticator [-h]
|
||||
|
||||
Arguments:
|
||||
<token> token used for authentication
|
||||
token := base64(<username> ":" <password>)
|
||||
Options:
|
||||
--help, -h print this message and exit
|
||||
|
||||
Credentials:
|
||||
Credentials are passed as based64-encoded token via stdin:
|
||||
token := base64(<username> ":" <password>)
|
||||
)";
|
||||
}
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/usr/bin/bash
|
||||
|
||||
AUTH_TOKEN="$1"
|
||||
read AUTH_TOKEN
|
||||
|
||||
if [[ "$AUTH_TOKEN" == "simple_token" ]]
|
||||
then
|
||||
|
@ -577,7 +577,7 @@ class FilesystemProvider:
|
||||
writer.write_u64(buffer.f_namemax)
|
||||
|
||||
def getcreds(self, _, writer):
|
||||
credentials = self.token if self.token != "" else getpass.getpass(prompt="credentials: ")
|
||||
credentials = self.token if self.token != None and self.token != "" else getpass.getpass(prompt="credentials: ")
|
||||
writer.write_str(credentials)
|
||||
|
||||
def main():
|
||||
|
@ -17,23 +17,35 @@ bool authenticator::authenticate(std::string const & token)
|
||||
{
|
||||
bool result = false;
|
||||
|
||||
int fds[2];
|
||||
int const rc = pipe(fds);
|
||||
if (0 != rc)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
pid_t const pid = fork();
|
||||
|
||||
if (pid == 0)
|
||||
{
|
||||
// child
|
||||
|
||||
close(STDIN_FILENO);
|
||||
dup2(fds[0], STDIN_FILENO);
|
||||
|
||||
// prepare file descriptors
|
||||
closefrom(0);
|
||||
open("/dev/null", O_RDONLY);
|
||||
closefrom(1);
|
||||
open("/dev/null", O_WRONLY);
|
||||
dup2(STDOUT_FILENO, STDERR_FILENO);
|
||||
|
||||
execl(app_.c_str(), app_.c_str(), token.c_str(), nullptr);
|
||||
execl(app_.c_str(), app_.c_str(), nullptr);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
else if (pid > 0)
|
||||
{
|
||||
write(fds[1], reinterpret_cast<void const*>(token.c_str()), token.size());
|
||||
close(fds[1]);
|
||||
|
||||
// parent
|
||||
int exit_status = EXIT_FAILURE;
|
||||
|
||||
@ -44,7 +56,8 @@ bool authenticator::authenticate(std::string const & token)
|
||||
exit_status = WEXITSTATUS(status);
|
||||
}
|
||||
|
||||
result = (exit_status == EXIT_SUCCESS);
|
||||
close(fds[0]);
|
||||
result = (exit_status == EXIT_SUCCESS);
|
||||
}
|
||||
|
||||
return result;
|
||||
|
Loading…
Reference in New Issue
Block a user