modular auth

3 files changed, 37 insertions, 8 deletions

diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
index be94c07a..d2007f7d 100644
--- a/kvmd/apps/__init__.py
+++ b/kvmd/apps/__init__.py
@@ -129,6 +129,15 @@ def _as_string_list(values: Union[str, Sequence]) -> List[str]:
     return list(map(str, values))
 
 
+def _as_auth_type(auth_type: str) -> str:
+    if not isinstance(auth_type, str):
+        raise ValueError("Invalid auth type")
+    auth_type = str(auth_type).strip()
+    if auth_type not in ["basic"]:
+        raise ValueError("Invalid auth type")
+    return auth_type
+
+
 def _get_config_scheme() -> Dict:
     return {
         "kvmd": {
@@ -144,7 +153,10 @@ def _get_config_scheme() -> Dict:
             },
 
             "auth": {
-                "htpasswd": Option("/etc/kvmd/htpasswd", type=_as_path, rename="htpasswd_path"),
+                "type": Option("basic", type=_as_auth_type, rename="auth_type"),
+                "basic": {
+                    "htpasswd": Option("/etc/kvmd/htpasswd", type=_as_path, rename="htpasswd_path"),
+                },
             },
 
             "info": {
diff --git a/kvmd/apps/htpasswd/__init__.py b/kvmd/apps/htpasswd/__init__.py
index 50b3d26b..bc77c0e8 100644
--- a/kvmd/apps/htpasswd/__init__.py
+++ b/kvmd/apps/htpasswd/__init__.py
@@ -38,9 +38,15 @@ from .. import init
 
 
 # =====
+def _get_htpasswd_path(config: Section) -> str:
+    if config.kvmd.auth.auth_type != "basic":
+        print("Warning: KVMD does not use basic auth", file=sys.stderr)
+    return config.kvmd.auth.basic.htpasswd
+
+
 @contextlib.contextmanager
 def _get_htpasswd_for_write(config: Section) -> Generator[passlib.apache.HtpasswdFile, None, None]:
-    path = config.kvmd.auth.htpasswd
+    path = _get_htpasswd_path(config)
     (tmp_fd, tmp_path) = tempfile.mkstemp(
         prefix=".%s." % (os.path.basename(path)),
         dir=os.path.dirname(path),
@@ -72,7 +78,7 @@ def _valid_user(user: str) -> str:
 
 # ====
 def _cmd_list(config: Section, _: argparse.Namespace) -> None:
-    for user in passlib.apache.HtpasswdFile(config.kvmd.auth.htpasswd).users():
+    for user in passlib.apache.HtpasswdFile(_get_htpasswd_path(config)).users():
         print(user)
 
 
@@ -97,7 +103,7 @@ def main() -> None:
     (parent_parser, argv, config) = init(add_help=False)
     parser = argparse.ArgumentParser(
         prog="kvmd-htpasswd",
-        description="Manage KVMD users",
+        description="Manage KVMD users (basic auth only)",
         parents=[parent_parser],
     )
     parser.set_defaults(cmd=(lambda *_: parser.print_help()))
diff --git a/kvmd/apps/kvmd/auth.py b/kvmd/apps/kvmd/auth.py
index cb69458d..8c1b188e 100644
--- a/kvmd/apps/kvmd/auth.py
+++ b/kvmd/apps/kvmd/auth.py
@@ -32,13 +32,14 @@ from ...logging import get_logger
 
 # =====
 class AuthManager:
-    def __init__(self, htpasswd_path: str) -> None:
-        self.__htpasswd_path = htpasswd_path
+    def __init__(self, auth_type: str, basic: Dict) -> None:
+        self.__login = {
+            "basic": lambda: _BasicLogin(**basic),
+        }[auth_type]().login
         self.__tokens: Dict[str, str] = {}  # {token: user}
 
     def login(self, user: str, passwd: str) -> Optional[str]:
-        htpasswd = passlib.apache.HtpasswdFile(self.__htpasswd_path)
-        if htpasswd.check_password(user, passwd):
+        if self.__login(user, passwd):
             for (token, token_user) in self.__tokens.items():
                 if user == token_user:
                     return token
@@ -57,3 +58,13 @@ class AuthManager:
 
     def check(self, token: str) -> Optional[str]:
         return self.__tokens.get(token)
+
+
+class _BasicLogin:
+    def __init__(self, htpasswd_path: str) -> None:
+        get_logger().info("Using basic auth %r", htpasswd_path)
+        self.__htpasswd_path = htpasswd_path
+
+    def login(self, user: str, passwd: str) -> bool:
+        htpasswd = passlib.apache.HtpasswdFile(self.__htpasswd_path)
+        return htpasswd.check_password(user, passwd)