	use stdin to provide authentication token to authenticator rather than command line option
		
							parent
							
								
									1cbdfac3cc
								
							
						
					
					
						commit
						6f1841e610
					
				| @ -19,12 +19,7 @@ operation, the credentials are queried via `getcreds`request. | ||||
| ## Authenticator | ||||
| 
 | ||||
| An authenticator is an executable or script used for token-based | ||||
| authentication. During HTTP handshake, webfuse will scan for the | ||||
| configured HTTP header and invoke the authenticator. | ||||
| 
 | ||||
|     authenticator TOKEN | ||||
| 
 | ||||
| The provided `token` contains the contents of the HTTP header. | ||||
| authentication. Credentials are passed to the authenticator via `stdin`. | ||||
| 
 | ||||
| ## Header restrictions | ||||
| 
 | ||||
|  | ||||
| @ -133,14 +133,11 @@ bool authenticate(std::string const & username, std::string const & password) | ||||
| int main(int argc, char* argv[]) | ||||
| { | ||||
|     int exit_code = EXIT_FAILURE; | ||||
|     bool print_usage = true; | ||||
| 
 | ||||
|     if (argc == 2) | ||||
|     if (argc == 1) | ||||
|     { | ||||
|         std::string const token = argv[1]; | ||||
|         if (("-h" != token) && ("--help" != token)) | ||||
|         { | ||||
|             print_usage = false; | ||||
|         std::string token; | ||||
|         std::getline(std::cin, token); | ||||
| 
 | ||||
|         openlog("webfuse_pam_auth", 0, LOG_AUTH); | ||||
| 
 | ||||
| @ -160,26 +157,22 @@ int main(int argc, char* argv[]) | ||||
|                 syslog(LOG_AUTH, "failed to authenticate user \"%s\"", username.c_str()); | ||||
|             } | ||||
|         } | ||||
|             else | ||||
|             { | ||||
|                 syslog(LOG_AUTH, "failed to decode authentication token"); | ||||
|             } | ||||
| 
 | ||||
|         closelog(); | ||||
|     } | ||||
|     } | ||||
| 
 | ||||
| 
 | ||||
|     if (print_usage) | ||||
|     else | ||||
|     { | ||||
|         std::cout << R"(webfuse_pam_authenticator, (c) 2023 Falk Werner | ||||
| webfuse PAM authenticator | ||||
| 
 | ||||
| Usage: | ||||
|     webfuse_pam_authenticator <token> | ||||
|     webfuse_pam_authenticator [-h] | ||||
| 
 | ||||
| Arguments: | ||||
|     <token> token used for authentication | ||||
| Options: | ||||
|     --help, -h      print this message and exit | ||||
| 
 | ||||
| Credentials: | ||||
|     Credentials are passed as based64-encoded token via stdin: | ||||
|         token := base64(<username> ":" <password>) | ||||
| )"; | ||||
|     } | ||||
|  | ||||
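Review bot: The `syslog(LOG_AUTH, "failed to authenticate user \"%s\"", ...)` call shown as context in the second hunk passes a facility where a priority is expected, so with no level OR-ed in the message goes out at level 0, `LOG_EMERG`, which many syslog configurations broadcast to every logged-in terminal. According to the usage text the username comes out of the base64 token, which this commit now reads from stdin, so the text in that message is chosen by whoever supplied the token. Because `openlog("webfuse_pam_auth", 0, LOG_AUTH)` already sets the facility, `syslog(LOG_WARNING, "failed to authenticate user \"%s\"", username.c_str());` is enough. The added usage text also spells `based64-encoded` where `base64-encoded` is meant. The body of `main` continues outside both hunks.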
| @ -1,6 +1,6 @@ | ||||
| #!/usr/bin/bash | ||||
| 
 | ||||
| AUTH_TOKEN="$1" | ||||
| read AUTH_TOKEN | ||||
| 
 | ||||
| if [[ "$AUTH_TOKEN" == "simple_token" ]] | ||||
| then | ||||
|  | ||||
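Review bot: `read AUTH_TOKEN` without `-r` treats backslashes in the token as escape characters, and with the default `IFS` it strips leading and trailing whitespace, so the value compared against `"simple_token"` is not necessarily the bytes received on stdin. `IFS= read -r AUTH_TOKEN` reads the line unmodified. When the caller sends the token without a trailing newline, `read` still assigns the variable but returns non-zero, which only matters if the script is ever run under `set -e`. The `if` block continues outside the hunk.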
| @ -577,7 +577,7 @@ class FilesystemProvider: | ||||
|         writer.write_u64(buffer.f_namemax) | ||||
| 
 | ||||
|     def getcreds(self, _, writer): | ||||
|         credentials = self.token if self.token != "" else getpass.getpass(prompt="credentials: ") | ||||
|         credentials = self.token if self.token != None and self.token != "" else getpass.getpass(prompt="credentials: ") | ||||
|         writer.write_str(credentials) | ||||
| 
 | ||||
| def main(): | ||||
|  | ||||
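Review bot: The new condition in `getcreds` compares with `!= None`; the idiomatic form is the identity test `is not None`, and since both `None` and `""` are falsy the whole check reduces to `credentials = self.token if self.token else getpass.getpass(prompt="credentials: ")`. A short comment such as `# fall back to an interactive prompt when no token was configured` would also tell the reader that this method can block on a terminal.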
| @ -17,23 +17,35 @@ bool authenticator::authenticate(std::string const & token) | ||||
| { | ||||
|     bool result = false; | ||||
| 
 | ||||
|     int fds[2]; | ||||
|     int const rc = pipe(fds); | ||||
|     if (0 != rc) | ||||
|     { | ||||
|         return false; | ||||
|     } | ||||
| 
 | ||||
|     pid_t const pid = fork(); | ||||
| 
 | ||||
|     if (pid == 0) | ||||
|     { | ||||
|         // child
 | ||||
| 
 | ||||
|         close(STDIN_FILENO); | ||||
|         dup2(fds[0], STDIN_FILENO); | ||||
| 
 | ||||
|         // prepare file descriptors
 | ||||
|         closefrom(0); | ||||
|         open("/dev/null", O_RDONLY); | ||||
|         closefrom(1); | ||||
|         open("/dev/null", O_WRONLY); | ||||
|         dup2(STDOUT_FILENO, STDERR_FILENO); | ||||
| 
 | ||||
|         execl(app_.c_str(), app_.c_str(), token.c_str(), nullptr); | ||||
|         execl(app_.c_str(), app_.c_str(), nullptr); | ||||
|         exit(EXIT_FAILURE); | ||||
|     } | ||||
|     else if (pid > 0) | ||||
|     { | ||||
|         write(fds[1], reinterpret_cast<void const*>(token.c_str()), token.size()); | ||||
|         close(fds[1]); | ||||
| 
 | ||||
|         // parent
 | ||||
|         int exit_status = EXIT_FAILURE; | ||||
| 
 | ||||
| @ -44,6 +56,7 @@ bool authenticator::authenticate(std::string const & token) | ||||
|             exit_status = WEXITSTATUS(status); | ||||
|         } | ||||
| 
 | ||||
|         close(fds[0]); | ||||
|         result = (exit_status == EXIT_SUCCESS);         | ||||
|     } | ||||
| 
 | ||||
|  | ||||
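Review bot: The pipe created at the top of `authenticate` is not released on every path: when `fork()` fails, neither visible branch closes `fds[0]` and `fds[1]`, so each failed fork during a handshake leaks two descriptors (the lines between the two hunks are not shown, so confirm no later branch does it). The parent also ignores the result of `write()`, so a short or failed write hands the authenticator a truncated token without any trace in the result. The fence below closes both ends when `fork()` fails, writes in a loop until the whole token is delivered, and lets a failed write fail the authentication. In the child, `dup2()` already replaces the target descriptor, so the preceding `close(STDIN_FILENO)` can be dropped, and checking the `dup2()` result before `execl` would keep a failed redirect from starting the authenticator with the wrong stdin.

```cpp
    pid_t const pid = fork();
    if (pid < 0)
    {
        // fork failed: release both pipe ends before reporting failure
        close(fds[0]);
        close(fds[1]);
        return false;
    }

    // … unchanged: child branch (pid == 0) redirects stdin and execs the authenticator …
    else if (pid > 0)
    {
        // write() may deliver fewer bytes than requested; repeat until done
        char const * data = token.data();
        size_t remaining = token.size();
        bool written = true;
        while (remaining > 0)
        {
            ssize_t const count = write(fds[1], data, remaining);
            if (count < 0)
            {
                if (errno == EINTR) { continue; }
                written = false;
                break;
            }
            data += count;
            remaining -= static_cast<size_t>(count);
        }
        close(fds[1]);

        // … unchanged: waitpid, exit status evaluation, close(fds[0]) …

        result = written && (exit_status == EXIT_SUCCESS);
```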