pam auth module

4 files changed, 193 insertions, 0 deletions

diff --git a/PKGBUILD b/PKGBUILD
index b5a1d763..300b92aa 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -38,6 +38,7 @@ depends=(
 	python-dbus
 	python-pygments
 	python-pyghmi
+	python-pam
 	v4l-utils
 	nginx-mainline
 	openssl
diff --git a/kvmd/plugins/auth/pam.py b/kvmd/plugins/auth/pam.py
new file mode 100644
index 00000000..bb364c8c
--- /dev/null
+++ b/kvmd/plugins/auth/pam.py
@@ -0,0 +1,99 @@
+# ========================================================================== #
+#                                                                            #
+#    KVMD - The main Pi-KVM daemon.                                          #
+#                                                                            #
+#    Copyright (C) 2018  Maxim Devaev <[email protected]>                    #
+#                                                                            #
+#    This program is free software: you can redistribute it and/or modify    #
+#    it under the terms of the GNU General Public License as published by    #
+#    the Free Software Foundation, either version 3 of the License, or       #
+#    (at your option) any later version.                                     #
+#                                                                            #
+#    This program is distributed in the hope that it will be useful,         #
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
+#    GNU General Public License for more details.                            #
+#                                                                            #
+#    You should have received a copy of the GNU General Public License       #
+#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
+#                                                                            #
+# ========================================================================== #
+
+
+import asyncio
+import pwd
+
+from typing import List
+from typing import Dict
+
+import pam
+
+from ...yamlconf import Option
+
+from ...validators.basic import valid_number
+from ...validators.auth import valid_users_list
+
+from ...logging import get_logger
+
+from ... import aiotools
+
+from . import BaseAuthService
+
+
+# =====
+class Plugin(BaseAuthService):
+    def __init__(  # pylint: disable=super-init-not-called
+        self,
+        service: str,
+        allow_users: List[str],
+        deny_users: List[str],
+        allow_uids_at: int,
+    ) -> None:
+
+        self.__service = service
+        self.__allow_users = allow_users
+        self.__deny_users = deny_users
+        self.__allow_uids_at = allow_uids_at
+
+        self.__lock = asyncio.Lock()
+
+    @classmethod
+    def get_plugin_options(cls) -> Dict:
+        return {
+            "service":       Option("login"),
+            "allow_users":   Option([], type=valid_users_list),
+            "deny_users":    Option([], type=valid_users_list),
+            "allow_uids_at": Option(0, type=(lambda arg: valid_number(arg, min=0))),
+        }
+
+    async def authorize(self, user: str, passwd: str) -> bool:
+        async with self.__lock:
+            return (await aiotools.run_async(self.__inner_authorize, user, passwd))
+
+    def __inner_authorize(self, user: str, passwd: str) -> bool:
+        if self.__allow_users and user not in self.__allow_users:
+            get_logger().error("User %r not in allow-list", user)
+            return False
+
+        if self.__deny_users and user in self.__deny_users:
+            get_logger().error("User %r in deny-list", user)
+            return False
+
+        if self.__allow_uids_at > 0:
+            try:
+                uid = pwd.getpwnam(user).pw_uid
+            except Exception:
+                get_logger().exception("Can't find UID of user %r", user)
+                return False
+            else:
+                if uid < self.__allow_uids_at:
+                    get_logger().error("Unallowed UID of user %r: uid=%d < allow_uids_at=%d",
+                                       user, uid, self.__allow_uids_at)
+                    return False
+
+        pam_obj = pam.pam()
+        if not pam_obj.authenticate(user, passwd, service=self.__service):
+            get_logger().error("Can't authorize user %r using PAM: code=%d; reason=%s",
+                               user, pam_obj.code, pam_obj.reason)
+            return False
+        return True
diff --git a/testenv/requirements.txt b/testenv/requirements.txt
index 5ba03e57..b3c121a4 100644
--- a/testenv/requirements.txt
+++ b/testenv/requirements.txt
@@ -8,3 +8,4 @@ pyserial
 setproctitle
 pygments
 pyghmi
+python-pam
diff --git a/testenv/tests/plugins/auth/test_pam.py b/testenv/tests/plugins/auth/test_pam.py
new file mode 100644
index 00000000..e4171d35
--- /dev/null
+++ b/testenv/tests/plugins/auth/test_pam.py
@@ -0,0 +1,92 @@
+# ========================================================================== #
+#                                                                            #
+#    KVMD - The main Pi-KVM daemon.                                          #
+#                                                                            #
+#    Copyright (C) 2018  Maxim Devaev <[email protected]>                    #
+#                                                                            #
+#    This program is free software: you can redistribute it and/or modify    #
+#    it under the terms of the GNU General Public License as published by    #
+#    the Free Software Foundation, either version 3 of the License, or       #
+#    (at your option) any later version.                                     #
+#                                                                            #
+#    This program is distributed in the hope that it will be useful,         #
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
+#    GNU General Public License for more details.                            #
+#                                                                            #
+#    You should have received a copy of the GNU General Public License       #
+#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
+#                                                                            #
+# ========================================================================== #
+
+
+import asyncio
+import signal
+import pwd
+
+from typing import Dict
+from typing import AsyncGenerator
+from typing import Optional
+
+import pytest
+
+from . import get_configured_auth_service
+
+
+# =====
+_UID = 1500
+_USER = "foobar"
+_PASSWD = "query"
+
+
+# =====
+async def _run_process(cmd: str, input: Optional[str]=None) -> None:  # pylint: disable=redefined-builtin
+    proc = await asyncio.create_subprocess_exec(
+        *cmd.split(" "),
+        stdin=(asyncio.subprocess.PIPE if input is not None else None),
+        preexec_fn=(lambda: signal.signal(signal.SIGINT, signal.SIG_IGN)),
+    )
+    await proc.communicate(input.encode() if input is not None else None)
+    assert proc.returncode == 0
+
+
[email protected](name="test_user")
+async def _test_user() -> AsyncGenerator[None, None]:
+    with pytest.raises(KeyError):
+        pwd.getpwnam(_USER)
+    await _run_process(f"useradd -u {_UID} -s /bin/bash {_USER}")
+    await _run_process("chpasswd", input=f"{_USER}:{_PASSWD}\n")
+
+    assert pwd.getpwnam(_USER).pw_uid == _UID
+
+    try:
+        yield
+    finally:
+        await _run_process(f"userdel -r {_USER}")
+        with pytest.raises(KeyError):
+            pwd.getpwnam(_USER)
+
+
+# =====
[email protected]
[email protected]("kwargs", [
+    {},
+    {"allow_users": [_USER]},
+    {"allow_uids_at": _UID},
+])
+async def test_ok(test_user, kwargs: Dict) -> None:  # type: ignore
+    async with get_configured_auth_service("pam", **kwargs) as service:
+        assert not (await service.authorize(_USER, "invalid_password"))
+        assert (await service.authorize(_USER, _PASSWD))
+
+
[email protected]
[email protected]("kwargs", [
+    {"allow_users": ["root"]},
+    {"deny_users": [_USER]},
+    {"allow_uids_at": _UID + 1},
+])
+async def test_fail(test_user, kwargs: Dict) -> None:  # type: ignore
+    async with get_configured_auth_service("pam", **kwargs) as service:
+        assert not (await service.authorize(_USER, "invalid_password"))
+        assert not (await service.authorize(_USER, _PASSWD))