2 * Sub-authentication Daemon: Commands
4 * (c) 2017 Martin Mares <mj@ucw.cz>
16 static void NONRET cmd_error(struct client *c, const char *err, ...)
21 vsnprintf(msg, sizeof(msg), err, args);
22 json_object_set(c->reply, "error", json_new_string(c->json, msg));
23 trans_throw("adhoc", NULL, "Error caught");
27 static void cmd_ok(struct client *c)
29 json_object_set(c->reply, "error", json_new_string_ref(c->json, ""));
32 const char *get_string(struct json_node *n, const char *key)
34 struct json_node *s = json_object_get(n, key);
35 if (s && s->type == JSON_STRING)
41 bool get_uint(struct json_node *n, const char *key, uint *dest)
43 struct json_node *s = json_object_get(n, key);
44 if (s && s->type == JSON_NUMBER)
46 uint u = (uint) s->number;
47 if ((double) u == s->number)
57 struct json_node **get_array(struct json_node *n, const char *key)
59 struct json_node *s = json_object_get(n, key);
60 if (s && s->type == JSON_ARRAY)
66 struct json_node *get_object(struct json_node *n, const char *key)
68 struct json_node *s = json_object_get(n, key);
69 if (s && s->type == JSON_OBJECT)
75 static const char *cmd_need_string(struct client *c, const char *key)
77 const char *val = get_string(c->request, key);
79 cmd_error(c, "Missing %s", key);
83 static struct auth_zone *cmd_need_zone(struct client *c)
85 const char *name = cmd_need_string(c, "zone");
86 struct auth_zone *az = auth_find_zone(name);
88 cmd_error(c, "No such zone");
92 static bool cmd_is_admin(struct client *c)
99 static void cmd_require_admin(struct client *c)
101 if (!cmd_is_admin(c))
102 cmd_error(c, "Permission denied");
105 static const char *cmd_need_target_login(struct client *c)
107 const char *l = get_string(c->request, "login");
110 cmd_require_admin(c);
115 struct passwd *pw = getpwuid(c->uid);
117 cmd_error(c, "You do not exist");
118 return json_strdup(c->json, pw->pw_name);
122 static struct auth_acct *cmd_need_target_acct(struct client *c)
124 const char *login = cmd_need_target_login(c);
125 struct auth_zone *az = cmd_need_zone(c);
127 struct auth_user *au = auth_find_user(login, 0);
128 struct auth_acct *aa = au ? auth_find_acct(au, az, 0) : NULL;
132 if (!az->auto_create_acct)
133 cmd_error(c, "No such account");
137 msg(L_INFO, "Automatically creating user: login=<%s>", login);
138 au = auth_find_user(login, 1);
140 msg(L_INFO, "Automatically creating account: login=<%s> zone=<%s>", login, az->name);
141 return auth_find_acct(au, az, 1);
144 static void cmd_nop(struct client *c)
149 static void cmd_create_acct(struct client *c)
151 cmd_require_admin(c);
153 const char *login = get_string(c->request, "login");
155 cmd_error(c, "Login required");
157 struct auth_zone *az = cmd_need_zone(c);
158 struct auth_user *au = auth_find_user(login, 1);
159 if (!auth_find_acct(au, az, 0))
161 msg(L_INFO, "Creating account: login=<%s> zone=<%s>", login, az->name);
162 auth_find_acct(au, az, 1);
169 static void cmd_delete_acct(struct client *c)
171 cmd_require_admin(c);
173 const char *login = get_string(c->request, "login");
175 cmd_error(c, "Login required");
176 const char *zone_name = get_string(c->request, "zone");
178 struct auth_user *au = auth_find_user(login, 0);
182 if (zone_name && !strcmp(zone_name, "*"))
184 msg(L_INFO, "Deleting user: login=<%s>", login);
185 auth_delete_user(au);
189 struct auth_zone *az = cmd_need_zone(c);
190 struct auth_acct *aa = auth_find_acct(au, az, 0);
193 msg(L_INFO, "Deleting account: login=<%s> zone=<%s>", login, az->name);
194 auth_delete_acct(aa);
195 if (!clist_head(&au->accounts))
197 msg(L_INFO, "Deleting user with no accounts: login=<%s>", login);
198 auth_delete_user(au);
206 static void cmd_set_passwd(struct client *c)
208 struct auth_acct *aa = cmd_need_target_acct(c);
209 const char *passwd = cmd_need_string(c, "passwd");
211 if (!aa->zone->allow_passwd)
212 cmd_error(c, "This zone does not allow authentication by password");
214 if (strchr(passwd, '-'))
215 cmd_error(c, "The minus sign is forbidden in passwords");
217 msg(L_INFO, "Set password: login=<%s> zone=<%s>", aa->user->login, aa->zone->name);
219 struct auth_token *at_old = auth_find_token_passwd(aa);
221 auth_delete_token(at_old);
223 struct auth_token *at = auth_create_token(aa);
224 auth_set_token_passwd(at, passwd);
230 static void cmd_create_token(struct client *c)
232 struct auth_acct *aa = cmd_need_target_acct(c);
234 if (!aa->zone->allow_tokens)
235 cmd_error(c, "This zone does not allow authentication by tokens");
237 if (clist_size(&aa->tokens) >= aa->zone->allow_tokens)
238 cmd_error(c, "Maximum number of tokens was reached");
240 struct auth_token *at = auth_create_token(aa);
241 char *tok = auth_set_token_generated(at, get_string(c->request, "comment"));
242 json_object_set(c->reply, "token", json_new_string(c->json, tok));
245 msg(L_INFO, "Created token: login=<%s> zone=<%s> id=<%s>", aa->user->login, aa->zone->name, at->ident);
251 static void cmd_login_fake(struct client *c, const char *passwd)
253 auth_check_token(auth_fake_token, passwd);
254 cmd_error(c, "Invalid password");
257 static void cmd_login(struct client *c)
259 struct auth_zone *az = cmd_need_zone(c);
260 const char *given_passwd = cmd_need_string(c, "passwd");
262 // Split password string to token ident and the password proper
263 char passbuf[strlen(given_passwd) + 1];
264 strcpy(passbuf, given_passwd);
265 char *ident, *passwd;
266 char *sep = strchr(passbuf, '-');
279 const char *login = cmd_need_string(c, "login");
280 struct auth_user *au = auth_find_user(login, 0);
283 msg(L_INFO, "Login failed: No user=<%s>", login);
284 return cmd_login_fake(c, passwd);
287 struct auth_acct *aa = auth_find_acct(au, az, 0);
290 msg(L_INFO, "Login failed: No account user=<%s> zone=<%s>", login, az->name);
291 return cmd_login_fake(c, passwd);
294 struct auth_token *at;
296 at = auth_find_token_generated(aa, ident);
298 at = auth_find_token_passwd(aa);
301 msg(L_INFO, "Login failed: No token user=<%s> zone=<%s> ident=<%s>", login, az->name, (ident ? : ""));
302 return cmd_login_fake(c, passwd);
305 if (!auth_check_token(at, passwd))
307 msg(L_INFO, "Login failed: Wrong password for user=<%s> zone=<%s> ident=<%s>", login, az->name, (ident ? : ""));
308 cmd_error(c, "Invalid password");
311 msg(L_INFO, "Login successful: user=<%s> zone=<%s> ident=<%s>", login, az->name, (ident ? : ""));
315 static void cmd_list(struct client *c)
317 const char *login = cmd_need_target_login(c);
319 struct auth_user *au = auth_find_user(login, 0);
321 cmd_error(c, "No such user");
323 struct json_context *js = c->json;
324 json_object_set(c->reply, "login", json_new_string(js, au->login));
325 struct json_node *jas = json_new_array(js);
326 json_object_set(c->reply, "accounts", jas);
328 CLIST_FOR_EACH(struct auth_acct *, aa, au->accounts)
330 struct json_node *ja = json_new_object(js);
331 json_array_append(jas, ja);
332 json_object_set(ja, "zone", json_new_string(js, aa->zone->name));
334 struct json_node *jts = json_new_array(js);
335 json_object_set(ja, "tokens", jts);
337 CLIST_FOR_EACH(struct auth_token *, at, aa->tokens)
339 struct json_node *jt = json_new_object(js);
340 json_array_append(jts, jt);
345 case TOKEN_PASSWORD: type = "passwd"; break;
346 case TOKEN_GENERATED: type = "token"; break;
347 default: type = "unknown"; break;
349 json_object_set(jt, "type", json_new_string(js, type));
352 json_object_set(jt, "ident", json_new_string(js, at->ident));
354 json_object_set(jt, "comment", json_new_string(js, at->comment));
355 json_object_set(jt, "lastmod", json_new_number(js, at->last_modified));
364 void (*handler)(struct client *c);
367 static const struct command command_table[] = {
369 { "create-acct", cmd_create_acct },
370 { "delete-acct", cmd_delete_acct },
371 { "create-token", cmd_create_token },
372 { "set-passwd", cmd_set_passwd },
373 { "login", cmd_login },
374 { "list", cmd_list },
377 void cmd_dispatch(struct client *c)
379 struct json_node *rq = c->request;
382 if (rq->type != JSON_OBJECT || !(cmd = get_string(rq, "cmd")))
384 json_object_set(c->reply, "error", json_new_string_ref(c->json, "Malformed request"));
388 const struct command *command = NULL;
389 for (uint i=0; i < ARRAY_SIZE(command_table); i++)
390 if (!strcmp(cmd, command_table[i].cmd))
392 command = &command_table[i];
397 json_object_set(c->reply, "error", json_new_string_ref(c->json, "No such command"));