Archives/falk-werner_webfuse
1
0
Fork 0
mirror of https://github.com/falk-werner/webfuse synced 2024-10-27 20:34:10 +00:00
Code Issues Releases Wiki Activity

use stdin to provide authentication token to authenticator rather than command line option

Browse Source
This commit is contained in:
Falk Werner 2023-02-04 15:48:17 +01:00
parent 1cbdfac3cc
commit 6f1841e610
5 changed files with 45 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
doc/authentication.md
View File

@ -19,12 +19,7 @@ operation, the credentials are queried via `getcreds`request.
## Authenticator ## Authenticator
An authenticator is an executable or script used for token-based An authenticator is an executable or script used for token-based
authentication. During HTTP handshake, webfuse will scan for the authentication. Credentials are passed to the authenticator via `stdin`.
configured HTTP header and invoke the authenticator.
authenticator TOKEN
The provided `token` contains the contents of the HTTP header.
## Header restrictions ## Header restrictions

57
example/authenticator/pam/src/main.cpp
View File

@ -133,54 +133,47 @@ bool authenticate(std::string const & username, std::string const & password)
int main(int argc, char* argv[]) int main(int argc, char* argv[])
{ {
int exit_code = EXIT_FAILURE; int exit_code = EXIT_FAILURE;
bool print_usage = true;
if (argc == 2) if (argc == 1)
{ {
std::string const token = argv[1]; std::string token;
if (("-h" != token) && ("--help" != token)) std::getline(std::cin, token);
openlog("webfuse_pam_auth", 0, LOG_AUTH);
std::string username;
std::string password;
auto const decode_valid = decode(token, username, password);
if (decode_valid)
{ {
print_usage = false; auto const is_authenticated = authenticate(username, password);
if (is_authenticated)
openlog("webfuse_pam_auth", 0, LOG_AUTH);
std::string username;
std::string password;
auto const decode_valid = decode(token, username, password);
if (decode_valid)
{ {
auto const is_authenticated = authenticate(username, password); syslog(LOG_AUTH, "authenticate user \"%s\"", username.c_str());
if (is_authenticated) exit_code = EXIT_SUCCESS;
{
syslog(LOG_AUTH, "authenticate user \"%s\"", username.c_str());
exit_code = EXIT_SUCCESS;
}
else
{
syslog(LOG_AUTH, "failed to authenticate user \"%s\"", username.c_str());
}
} }
else else
{ {
syslog(LOG_AUTH, "failed to decode authentication token"); syslog(LOG_AUTH, "failed to authenticate user \"%s\"", username.c_str());
} }
closelog();
} }
closelog();
} }
else
if (print_usage)
{ {
std::cout << R"(webfuse_pam_authenticator, (c) 2023 Falk Werner std::cout << R"(webfuse_pam_authenticator, (c) 2023 Falk Werner
webfuse PAM authenticator webfuse PAM authenticator
Usage: Usage:
webfuse_pam_authenticator <token> webfuse_pam_authenticator [-h]
Arguments: Options:
<token> token used for authentication --help, -h print this message and exit
token := base64(<username> ":" <password>)
Credentials:
Credentials are passed as based64-encoded token via stdin:
token := base64(<username> ":" <password>)
)"; )";
} }

2
example/authenticator/simple/authenticator.sh
View File

@ -1,6 +1,6 @@
#!/usr/bin/bash #!/usr/bin/bash
AUTH_TOKEN="$1" read AUTH_TOKEN
if [[ "$AUTH_TOKEN" == "simple_token" ]] if [[ "$AUTH_TOKEN" == "simple_token" ]]
then then

2
example/provider/python/webfuse_provider.py
View File

@ -577,7 +577,7 @@ class FilesystemProvider:
writer.write_u64(buffer.f_namemax) writer.write_u64(buffer.f_namemax)
def getcreds(self, _, writer): def getcreds(self, _, writer):
credentials = self.token if self.token != "" else getpass.getpass(prompt="credentials: ") credentials = self.token if self.token != None and self.token != "" else getpass.getpass(prompt="credentials: ")
writer.write_str(credentials) writer.write_str(credentials)
def main(): def main():

21
src/webfuse/util/authenticator.cpp
View File

@ -17,23 +17,35 @@ bool authenticator::authenticate(std::string const & token)
{ {
bool result = false; bool result = false;
int fds[2];
int const rc = pipe(fds);
if (0 != rc)
{
return false;
}
pid_t const pid = fork(); pid_t const pid = fork();
if (pid == 0) if (pid == 0)
{ {
// child // child
close(STDIN_FILENO);
dup2(fds[0], STDIN_FILENO);
// prepare file descriptors // prepare file descriptors
closefrom(0); closefrom(1);
open("/dev/null", O_RDONLY);
open("/dev/null", O_WRONLY); open("/dev/null", O_WRONLY);
dup2(STDOUT_FILENO, STDERR_FILENO); dup2(STDOUT_FILENO, STDERR_FILENO);
execl(app_.c_str(), app_.c_str(), token.c_str(), nullptr); execl(app_.c_str(), app_.c_str(), nullptr);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
else if (pid > 0) else if (pid > 0)
{ {
write(fds[1], reinterpret_cast<void const*>(token.c_str()), token.size());
close(fds[1]);
// parent // parent
int exit_status = EXIT_FAILURE; int exit_status = EXIT_FAILURE;
@ -44,7 +56,8 @@ bool authenticator::authenticate(std::string const & token)
exit_status = WEXITSTATUS(status); exit_status = WEXITSTATUS(status);
} }
result = (exit_status == EXIT_SUCCESS); close(fds[0]);
result = (exit_status == EXIT_SUCCESS);
} }
return result; return result;