use stdin to provide authentication token to authenticator rather than command line option

1 year ago · 6f1841e610
parent 1cbdfac3cc
commit 6f1841e610
5 changed files with 44 additions and 43 deletions
--- a/doc/authentication.md
+++ b/doc/authentication.md
@ -19,12 +19,7 @@ operation, the credentials are queried via `getcreds`request.
 ## Authenticator
 An authenticator is an executable or script used for token-based
-authentication. During HTTP handshake, webfuse will scan for the
+authentication. Credentials are passed to the authenticator via `stdin`.
 configured HTTP header and invoke the authenticator.
    authenticator TOKEN
 The provided `token` contains the contents of the HTTP header.
 ## Header restrictions
--- a/example/authenticator/pam/src/main.cpp
+++ b/example/authenticator/pam/src/main.cpp
@ -133,54 +133,47 @@ bool authenticate(std::string const & username, std::string const & password)
 int main(int argc, char* argv[])
 {
    int exit_code = EXIT_FAILURE;
    bool print_usage = true;
-    if (argc == 2)
+    if (argc == 1)
    {
-        std::string const token = argv[1];
+        std::string token;
-        if (("-h" != token) && ("--help" != token))
+        std::getline(std::cin, token);
        {
            print_usage = false;
-            openlog("webfuse_pam_auth", 0, LOG_AUTH);
+        openlog("webfuse_pam_auth", 0, LOG_AUTH);
-            std::string username;
+        std::string username;
-            std::string password;
+        std::string password;
-            auto const decode_valid = decode(token, username, password);
+        auto const decode_valid = decode(token, username, password);
-            if (decode_valid)
+        if (decode_valid)
        {
            auto const is_authenticated = authenticate(username, password);
            if (is_authenticated)
            {
-                auto const is_authenticated = authenticate(username, password);
+                syslog(LOG_AUTH, "authenticate user \"%s\"", username.c_str());
-                if (is_authenticated)
+                exit_code = EXIT_SUCCESS;
                {
                    syslog(LOG_AUTH, "authenticate user \"%s\"", username.c_str());
                    exit_code = EXIT_SUCCESS;
                }
                else
                {
                    syslog(LOG_AUTH, "failed to authenticate user \"%s\"", username.c_str());
                }
            }
            else
            {
-                syslog(LOG_AUTH, "failed to decode authentication token");
+                syslog(LOG_AUTH, "failed to authenticate user \"%s\"", username.c_str());
            }
            closelog();
        }
    }
-
+        closelog();
-    if (print_usage)
+    }
    else
    {
        std::cout << R"(webfuse_pam_authenticator, (c) 2023 Falk Werner
 webfuse PAM authenticator
 Usage:
-    webfuse_pam_authenticator <token>
+    webfuse_pam_authenticator [-h]
 Options:
    --help, -h      print this message and exit
-Arguments:
+Credentials:
-    <token> token used for authentication
+    Credentials are passed as based64-encoded token via stdin:
-            token := base64(<username> ":" <password>)
+        token := base64(<username> ":" <password>)
 )";
    }
--- a/example/authenticator/simple/authenticator.sh
+++ b/example/authenticator/simple/authenticator.sh
@ -1,6 +1,6 @@
 #!/usr/bin/bash
-AUTH_TOKEN="$1"
+read AUTH_TOKEN
 if [[ "$AUTH_TOKEN" == "simple_token" ]]
 then
--- a/example/provider/python/webfuse_provider.py
+++ b/example/provider/python/webfuse_provider.py
@ -577,7 +577,7 @@ class FilesystemProvider:
        writer.write_u64(buffer.f_namemax)
    def getcreds(self, _, writer):
-        credentials = self.token if self.token != "" else getpass.getpass(prompt="credentials: ")
+        credentials = self.token if self.token != None and self.token != "" else getpass.getpass(prompt="credentials: ")
        writer.write_str(credentials)
 def main():
--- a/src/webfuse/util/authenticator.cpp
+++ b/src/webfuse/util/authenticator.cpp
@ -17,23 +17,35 @@ bool authenticator::authenticate(std::string const & token)
 {
    bool result = false;
    int fds[2];
    int const rc = pipe(fds);
    if (0 != rc)
    {
        return false;
    }
    pid_t const pid = fork();
    if (pid == 0)
    {
        // child
        close(STDIN_FILENO);
        dup2(fds[0], STDIN_FILENO);
        // prepare file descriptors
-        closefrom(0);
+        closefrom(1);
        open("/dev/null", O_RDONLY);
        open("/dev/null", O_WRONLY);
        dup2(STDOUT_FILENO, STDERR_FILENO);
-        execl(app_.c_str(), app_.c_str(), token.c_str(), nullptr);
+        execl(app_.c_str(), app_.c_str(), nullptr);
        exit(EXIT_FAILURE);
    }
    else if (pid > 0)
    {
        write(fds[1], reinterpret_cast<void const*>(token.c_str()), token.size());
        close(fds[1]);
        // parent
        int exit_status = EXIT_FAILURE;
@ -44,7 +56,8 @@ bool authenticator::authenticate(std::string const & token)
            exit_status = WEXITSTATUS(status);
        }
-        result = (exit_status == EXIT_SUCCESS);
+        close(fds[0]);
        result = (exit_status == EXIT_SUCCESS);        
    }
    return result;