2 * Sub-authentication Daemon: Commands
4 * (c) 2017 Martin Mares <mj@ucw.cz>
16 static void set_string(struct client *c, struct json_node *n, const char *key, const char *val)
19 json_object_set(n, key, json_new_string(c->json, val));
22 static void set_uint(struct client *c, struct json_node *n, const char *key, uint val)
24 json_object_set(n, key, json_new_number(c->json, val));
27 static void NONRET cmd_error(struct client *c, const char *err, ...)
32 vsnprintf(msg, sizeof(msg), err, args);
33 set_string(c, c->reply, "error", msg);
34 trans_throw("adhoc", NULL, "Error caught");
38 static void cmd_ok(struct client *c)
40 set_string(c, c->reply, "error", "");
43 const char *get_string(struct json_node *n, const char *key)
45 struct json_node *s = json_object_get(n, key);
46 if (s && s->type == JSON_STRING)
52 bool get_uint(struct json_node *n, const char *key, uint *dest)
54 struct json_node *s = json_object_get(n, key);
55 if (s && s->type == JSON_NUMBER)
57 uint u = (uint) s->number;
58 if ((double) u == s->number)
68 struct json_node **get_array(struct json_node *n, const char *key)
70 struct json_node *s = json_object_get(n, key);
71 if (s && s->type == JSON_ARRAY)
77 struct json_node *get_object(struct json_node *n, const char *key)
79 struct json_node *s = json_object_get(n, key);
80 if (s && s->type == JSON_OBJECT)
86 static const char *cmd_need_string(struct client *c, const char *key)
88 const char *val = get_string(c->request, key);
90 cmd_error(c, "Missing %s", key);
94 static struct auth_zone *cmd_need_zone(struct client *c)
96 const char *name = cmd_need_string(c, "zone");
97 struct auth_zone *az = auth_find_zone(name);
99 cmd_error(c, "No such zone");
103 static bool cmd_is_admin(struct client *c)
105 return (c->uid == 0);
108 static void cmd_require_admin(struct client *c)
110 if (!cmd_is_admin(c))
111 cmd_error(c, "Permission denied");
114 static const char *cmd_need_target_login(struct client *c)
116 const char *l = get_string(c->request, "login");
119 cmd_require_admin(c);
124 struct passwd *pw = getpwuid(c->uid);
126 cmd_error(c, "You do not exist");
127 return json_strdup(c->json, pw->pw_name);
131 static struct auth_acct *cmd_need_target_acct(struct client *c)
133 const char *login = cmd_need_target_login(c);
134 struct auth_zone *az = cmd_need_zone(c);
136 struct auth_user *au = auth_find_user(login, 0);
137 struct auth_acct *aa = au ? auth_find_acct(au, az, 0) : NULL;
141 if (!az->auto_create_acct)
142 cmd_error(c, "No such account");
146 msg(L_INFO, "Automatically creating user: login=<%s>", login);
147 au = auth_find_user(login, 1);
149 msg(L_INFO, "Automatically creating account: login=<%s> zone=<%s>", login, az->name);
150 return auth_find_acct(au, az, 1);
153 static void cmd_nop(struct client *c)
158 static void cmd_create_acct(struct client *c)
160 cmd_require_admin(c);
162 const char *login = get_string(c->request, "login");
164 cmd_error(c, "Login required");
166 struct auth_zone *az = cmd_need_zone(c);
167 struct auth_user *au = auth_find_user(login, 1);
168 if (!auth_find_acct(au, az, 0))
170 msg(L_INFO, "Creating account: login=<%s> zone=<%s>", login, az->name);
171 auth_find_acct(au, az, 1);
178 static void cmd_delete_acct(struct client *c)
180 cmd_require_admin(c);
182 const char *login = get_string(c->request, "login");
184 cmd_error(c, "Login required");
185 const char *zone_name = get_string(c->request, "zone");
187 struct auth_user *au = auth_find_user(login, 0);
191 if (zone_name && !strcmp(zone_name, "*"))
193 msg(L_INFO, "Deleting user: login=<%s>", login);
194 auth_delete_user(au);
198 struct auth_zone *az = cmd_need_zone(c);
199 struct auth_acct *aa = auth_find_acct(au, az, 0);
202 msg(L_INFO, "Deleting account: login=<%s> zone=<%s>", login, az->name);
203 auth_delete_acct(aa);
204 if (!clist_head(&au->accounts))
206 msg(L_INFO, "Deleting user with no accounts: login=<%s>", login);
207 auth_delete_user(au);
215 static void cmd_set_passwd(struct client *c)
217 struct auth_acct *aa = cmd_need_target_acct(c);
218 const char *passwd = cmd_need_string(c, "passwd");
220 if (!aa->zone->allow_passwd)
221 cmd_error(c, "This zone does not allow authentication by password");
223 if (strchr(passwd, '-'))
224 cmd_error(c, "The minus sign is forbidden in passwords");
226 msg(L_INFO, "Set password: login=<%s> zone=<%s>", aa->user->login, aa->zone->name);
228 struct auth_token *at_old = auth_find_token_passwd(aa);
230 auth_delete_token(at_old);
232 struct auth_token *at = auth_create_token(aa);
233 auth_set_token_passwd(at, passwd);
239 static void cmd_delete_passwd(struct client *c)
241 struct auth_acct *aa = cmd_need_target_acct(c);
242 struct auth_token *at = auth_find_token_passwd(aa);
244 cmd_error(c, "No password set");
246 msg(L_INFO, "Deleted password: login=<%s> zone=<%s>", aa->user->login, aa->zone->name);
247 auth_delete_token(at);
253 static void cmd_create_token(struct client *c)
255 struct auth_acct *aa = cmd_need_target_acct(c);
257 if (!aa->zone->allow_tokens)
258 cmd_error(c, "This zone does not allow authentication by tokens");
260 if (clist_size(&aa->tokens) >= aa->zone->allow_tokens)
261 cmd_error(c, "Maximum number of tokens was reached");
263 const char *comment = get_string(c->request, "comment");
264 if (comment && strlen(comment) > max_comment_size)
265 cmd_error(c, "Comment too long");
267 struct auth_token *at = auth_create_token(aa);
268 char *tok = auth_set_token_generated(at, comment, c->pool);
269 set_string(c, c->reply, "token", tok);
271 msg(L_INFO, "Created token: login=<%s> zone=<%s> id=<%s>", aa->user->login, aa->zone->name, at->ident);
277 static void cmd_delete_token(struct client *c)
279 struct auth_acct *aa = cmd_need_target_acct(c);
280 const char *ident = cmd_need_string(c, "ident");
281 bool all = !strcmp(ident, "*");
284 struct auth_token *tmp;
285 CLIST_FOR_EACH_DELSAFE(struct auth_token *, at, aa->tokens, tmp)
286 if (at->type == TOKEN_GENERATED && (all || !strcmp(at->ident, ident)))
289 msg(L_INFO, "Deleted token: login=<%s> zone=<%s> id=<%s>", aa->user->login, aa->zone->name, at->ident);
290 auth_delete_token(at);
293 if (!all && !matched)
294 cmd_error(c, "No such token");
300 static void cmd_change_token(struct client *c)
302 struct auth_acct *aa = cmd_need_target_acct(c);
303 const char *ident = cmd_need_string(c, "ident");
304 struct auth_token *at = auth_find_token_generated(aa, ident);
306 cmd_error(c, "No such token");
308 const char *comment = get_string(c->request, "comment");
309 if (comment && !strcmp(comment, ""))
311 auth_change_token_comment(at, comment);
313 msg(L_INFO, "Changed token: login=<%s> zone=<%s> id=<%s>", aa->user->login, aa->zone->name, at->ident);
319 static void cmd_create_temp(struct client *c)
321 struct auth_acct *aa = cmd_need_target_acct(c);
324 if (!get_uint(c->request, "validity", &validity))
325 cmd_error(c, "Validity must be given");
327 if (!aa->zone->max_temp_validity)
328 cmd_error(c, "This zone does not allow temporary tokens");
330 if (validity > aa->zone->max_temp_validity)
331 cmd_error(c, "This zone limits temporary token validity to %d seconds", aa->zone->max_temp_validity);
333 char *tok = temp_generate(aa->zone->name, aa->user->login, validity, c->pool);
334 set_string(c, c->reply, "token", tok);
336 const char *shortened = temp_shorten(tok, c->pool);
338 msg(L_INFO, "Created temp token: login=<%s> zone=<%s> temp=<%s> validity=%u", aa->user->login, aa->zone->name, shortened, validity);
343 static void cmd_login_fake(struct client *c, const char *passwd)
345 auth_check_token(auth_fake_token, passwd);
346 cmd_error(c, "Invalid password");
349 static void cmd_login_by_temp(struct client *c, struct auth_zone *az, const char *given_passwd)
351 const char *login = cmd_need_string(c, "login");
352 const char *shortened = temp_shorten(given_passwd, c->pool);
354 const char *reason = temp_check(az->name, login, given_passwd, c->pool);
357 msg(L_INFO, "Login failed: %s user=<%s> zone=<%s> temp=<%s>", reason, login, az->name, shortened);
362 * The following checks test for improbable things like user
363 * disappearing since the token has been issued.
366 if (!az->max_temp_validity)
368 msg(L_INFO, "Login failed: Temporary tokens no longer accepted for zone=<%s>", az->name);
372 struct auth_user *au = auth_find_user(login, 0);
375 msg(L_INFO, "Login failed: No user=<%s> temp=<%s>", login, shortened);
379 struct auth_acct *aa = auth_find_acct(au, az, 0);
382 msg(L_INFO, "Login failed: No account user=<%s> zone=<%s> temp=<%s>", login, az->name, shortened);
386 msg(L_INFO, "Login successful: user=<%s> zone=<%s> temp=<%s>", login, az->name, shortened);
391 cmd_error(c, "Temporary token refused");
394 static void cmd_login(struct client *c)
396 struct auth_zone *az = cmd_need_zone(c);
397 const char *given_passwd = cmd_need_string(c, "passwd");
399 // Split password string to token ident and the password proper
400 char passbuf[strlen(given_passwd) + 1];
401 strcpy(passbuf, given_passwd);
402 char *ident, *passwd;
403 char *sep = strchr(passbuf, '-');
416 if (ident && !strcmp(ident, "t"))
417 return cmd_login_by_temp(c, az, given_passwd);
419 const char *login = cmd_need_string(c, "login");
420 struct auth_user *au = auth_find_user(login, 0);
423 msg(L_INFO, "Login failed: No user=<%s>", login);
424 return cmd_login_fake(c, passwd);
427 struct auth_acct *aa = auth_find_acct(au, az, 0);
430 msg(L_INFO, "Login failed: No account user=<%s> zone=<%s>", login, az->name);
431 return cmd_login_fake(c, passwd);
434 struct auth_token *at;
436 at = auth_find_token_generated(aa, ident);
438 at = auth_find_token_passwd(aa);
441 msg(L_INFO, "Login failed: No token user=<%s> zone=<%s> ident=<%s>", login, az->name, (ident ? : ""));
442 return cmd_login_fake(c, passwd);
445 if (!auth_check_token(at, passwd))
447 msg(L_INFO, "Login failed: Wrong password for user=<%s> zone=<%s> ident=<%s>", login, az->name, (ident ? : ""));
448 cmd_error(c, "Invalid password");
451 msg(L_INFO, "Login successful: user=<%s> zone=<%s> ident=<%s>", login, az->name, (ident ? : ""));
455 static void cmd_list_accts(struct client *c)
457 const char *login = cmd_need_target_login(c);
459 struct json_context *js = c->json;
460 set_string(c, c->reply, "login", login);
461 struct json_node *jas = json_new_array(js);
462 json_object_set(c->reply, "accounts", jas);
464 struct auth_user *au = auth_find_user(login, 0);
471 CLIST_FOR_EACH(struct auth_acct *, aa, au->accounts)
473 struct json_node *ja = json_new_object(js);
474 json_array_append(jas, ja);
475 set_string(c, ja, "zone", aa->zone->name);
477 struct json_node *jts = json_new_array(js);
478 json_object_set(ja, "tokens", jts);
480 CLIST_FOR_EACH(struct auth_token *, at, aa->tokens)
482 struct json_node *jt = json_new_object(js);
483 json_array_append(jts, jt);
488 case TOKEN_PASSWORD: type = "passwd"; break;
489 case TOKEN_GENERATED: type = "token"; break;
490 default: type = "unknown"; break;
492 set_string(c, jt, "type", type);
494 set_string(c, jt, "ident", at->ident);
495 set_string(c, jt, "comment", at->comment);
496 set_uint(c, jt, "lastmod", at->last_modified);
503 static void cmd_list_zones(struct client *c)
505 struct json_context *js = c->json;
507 struct json_node *jzs = json_new_array(js);
508 json_object_set(c->reply, "zones", jzs);
510 CLIST_FOR_EACH(struct auth_zone *, az, zone_list)
512 struct json_node *jz = json_new_object(js);
513 json_array_append(jzs, jz);
514 set_string(c, jz, "name", az->name);
515 set_string(c, jz, "desc", az->desc);
516 set_uint(c, jz, "allow-passwd", az->allow_passwd);
517 set_uint(c, jz, "allow-tokens", az->allow_tokens);
518 set_uint(c, jz, "max-temp-validity", az->max_temp_validity);
526 void (*handler)(struct client *c);
529 static const struct command command_table[] = {
531 { "create-acct", cmd_create_acct },
532 { "delete-acct", cmd_delete_acct },
533 { "create-token", cmd_create_token },
534 { "delete-token", cmd_delete_token },
535 { "change-token", cmd_change_token },
536 { "set-passwd", cmd_set_passwd },
537 { "delete-passwd", cmd_delete_passwd },
538 { "create-temp", cmd_create_temp },
539 { "login", cmd_login },
540 { "list-accts", cmd_list_accts },
541 { "list-zones", cmd_list_zones },
544 void cmd_dispatch(struct client *c)
546 struct json_node *rq = c->request;
549 if (rq->type != JSON_OBJECT || !(cmd = get_string(rq, "cmd")))
551 set_string(c, c->reply, "error", "Malformed request");
555 const struct command *command = NULL;
556 for (uint i=0; i < ARRAY_SIZE(command_table); i++)
557 if (!strcmp(cmd, command_table[i].cmd))
559 command = &command_table[i];
564 set_string(c, c->reply, "error", "No such command");